package org.apache.kafka.common.security.ssl;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.Reconfigurable;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.4.8.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory.class */
public class SslFactory implements Reconfigurable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SslFactory.class);
    private final Mode mode;
    private final String clientAuthConfigOverride;
    private final boolean keystoreVerifiableUsingTruststore;
    private String endpointIdentification;
    private SslEngineBuilder sslEngineBuilder;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.4.8.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$1.class
     */
    /* renamed from: org.apache.kafka.common.security.ssl.SslFactory$1, reason: invalid class name */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$Status;
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];

        static {
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.FINISHED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$javax$net$ssl$SSLEngineResult$Status = new int[SSLEngineResult.Status.values().length];
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.OK.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_OVERFLOW.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.BUFFER_UNDERFLOW.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$Status[SSLEngineResult.Status.CLOSED.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.4.8.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$CertificateEntries.class
     */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$CertificateEntries.class */
    public static class CertificateEntries {
        private final Principal subjectPrincipal;
        private final Set<List<?>> subjectAltNames;

        static List<CertificateEntries> create(KeyStore keyStore) throws GeneralSecurityException {
            Enumeration<String> aliases = keyStore.aliases();
            ArrayList arrayList = new ArrayList();
            while (aliases.hasMoreElements()) {
                Certificate certificate = keyStore.getCertificate(aliases.nextElement());
                if (certificate instanceof X509Certificate) {
                    arrayList.add(new CertificateEntries((X509Certificate) certificate));
                }
            }
            return arrayList;
        }

        CertificateEntries(X509Certificate x509Certificate) throws GeneralSecurityException {
            this.subjectPrincipal = x509Certificate.getSubjectX500Principal();
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            this.subjectAltNames = subjectAlternativeNames != null ? new HashSet<>(subjectAlternativeNames) : Collections.emptySet();
        }

        public int hashCode() {
            return Objects.hash(this.subjectPrincipal, this.subjectAltNames);
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof CertificateEntries)) {
                return false;
            }
            CertificateEntries certificateEntries = (CertificateEntries) obj;
            return Objects.equals(this.subjectPrincipal, certificateEntries.subjectPrincipal) && Objects.equals(this.subjectAltNames, certificateEntries.subjectAltNames);
        }

        public String toString() {
            return "subjectPrincipal=" + this.subjectPrincipal + ", subjectAltNames=" + this.subjectAltNames;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.4.8.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$SslEngineValidator.class
     */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/ssl/SslFactory$SslEngineValidator.class */
    public static class SslEngineValidator {
        private static final ByteBuffer EMPTY_BUF = ByteBuffer.allocate(0);
        private final SSLEngine sslEngine;
        private SSLEngineResult handshakeResult;
        private ByteBuffer appBuffer;
        private ByteBuffer netBuffer;

        static void validate(SslEngineBuilder sslEngineBuilder, SslEngineBuilder sslEngineBuilder2) throws SSLException {
            validate(createSslEngineForValidation(sslEngineBuilder, Mode.SERVER), createSslEngineForValidation(sslEngineBuilder2, Mode.CLIENT));
            validate(createSslEngineForValidation(sslEngineBuilder2, Mode.SERVER), createSslEngineForValidation(sslEngineBuilder, Mode.CLIENT));
        }

        private static SSLEngine createSslEngineForValidation(SslEngineBuilder sslEngineBuilder, Mode mode) {
            return sslEngineBuilder.createSslEngine(mode, "", 0, "");
        }

        static void validate(SSLEngine sSLEngine, SSLEngine sSLEngine2) throws SSLException {
            SslEngineValidator sslEngineValidator = new SslEngineValidator(sSLEngine);
            SslEngineValidator sslEngineValidator2 = new SslEngineValidator(sSLEngine2);
            try {
                sslEngineValidator.beginHandshake();
                sslEngineValidator2.beginHandshake();
                while (true) {
                    if (sslEngineValidator2.complete() && sslEngineValidator.complete()) {
                        return;
                    }
                    sslEngineValidator.handshake(sslEngineValidator2);
                    sslEngineValidator2.handshake(sslEngineValidator);
                }
            } finally {
                sslEngineValidator.close();
                sslEngineValidator2.close();
            }
        }

        private SslEngineValidator(SSLEngine sSLEngine) {
            this.sslEngine = sSLEngine;
            this.appBuffer = ByteBuffer.allocate(this.sslEngine.getSession().getApplicationBufferSize());
            this.netBuffer = ByteBuffer.allocate(this.sslEngine.getSession().getPacketBufferSize());
        }

        void beginHandshake() throws SSLException {
            this.sslEngine.beginHandshake();
        }

        void handshake(SslEngineValidator sslEngineValidator) throws SSLException {
            SSLEngineResult.HandshakeStatus handshakeStatus = this.sslEngine.getHandshakeStatus();
            while (true) {
                switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[handshakeStatus.ordinal()]) {
                    case 1:
                        this.handshakeResult = this.sslEngine.wrap(EMPTY_BUF, this.netBuffer);
                        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[this.handshakeResult.getStatus().ordinal()]) {
                            case 1:
                                return;
                            case 2:
                                this.netBuffer.compact();
                                this.netBuffer = Utils.ensureCapacity(this.netBuffer, this.sslEngine.getSession().getPacketBufferSize());
                                this.netBuffer.flip();
                                return;
                            case 3:
                            case 4:
                            default:
                                throw new SSLException("Unexpected handshake status: " + this.handshakeResult.getStatus());
                        }
                    case 2:
                        if (sslEngineValidator.netBuffer.position() == 0) {
                            return;
                        }
                        sslEngineValidator.netBuffer.flip();
                        this.handshakeResult = this.sslEngine.unwrap(sslEngineValidator.netBuffer, this.appBuffer);
                        sslEngineValidator.netBuffer.compact();
                        handshakeStatus = this.handshakeResult.getHandshakeStatus();
                        switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$Status[this.handshakeResult.getStatus().ordinal()]) {
                            case 1:
                                break;
                            case 2:
                                this.appBuffer = Utils.ensureCapacity(this.appBuffer, this.sslEngine.getSession().getApplicationBufferSize());
                                break;
                            case 3:
                                this.netBuffer = Utils.ensureCapacity(this.netBuffer, this.sslEngine.getSession().getPacketBufferSize());
                                break;
                            case 4:
                            default:
                                throw new SSLException("Unexpected handshake status: " + this.handshakeResult.getStatus());
                        }
                    case 3:
                        this.sslEngine.getDelegatedTask().run();
                        handshakeStatus = this.sslEngine.getHandshakeStatus();
                        break;
                    case 4:
                        return;
                    case 5:
                        if (this.handshakeResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.FINISHED) {
                            throw new SSLException("Did not finish handshake");
                        }
                        return;
                    default:
                        throw new IllegalStateException("Unexpected handshake status " + handshakeStatus);
                }
            }
        }

        boolean complete() {
            return this.sslEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.FINISHED || this.sslEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
        }

        void close() {
            this.sslEngine.closeOutbound();
            try {
                this.sslEngine.closeInbound();
            } catch (Exception e) {
            }
        }
    }

    public SslFactory(Mode mode) {
        this(mode, null, false);
    }

    public SslFactory(Mode mode, String str, boolean z) {
        this.mode = mode;
        this.clientAuthConfigOverride = str;
        this.keystoreVerifiableUsingTruststore = z;
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) throws KafkaException {
        if (this.sslEngineBuilder != null) {
            throw new IllegalStateException("SslFactory was already configured.");
        }
        this.endpointIdentification = (String) map.get(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
        HashMap hashMap = new HashMap();
        copyMapEntries(hashMap, map, SslConfigs.NON_RECONFIGURABLE_CONFIGS);
        copyMapEntries(hashMap, map, SslConfigs.RECONFIGURABLE_CONFIGS);
        if (this.clientAuthConfigOverride != null) {
            hashMap.put("ssl.client.auth", this.clientAuthConfigOverride);
        }
        SslEngineBuilder sslEngineBuilder = new SslEngineBuilder(hashMap);
        if (this.keystoreVerifiableUsingTruststore) {
            try {
                SslEngineValidator.validate(sslEngineBuilder, sslEngineBuilder);
            } catch (Exception e) {
                throw new ConfigException("A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.", e);
            }
        }
        this.sslEngineBuilder = sslEngineBuilder;
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        return SslConfigs.RECONFIGURABLE_CONFIGS;
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) {
        createNewSslEngineBuilder(map);
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) throws KafkaException {
        this.sslEngineBuilder = createNewSslEngineBuilder(map);
    }

    private SslEngineBuilder createNewSslEngineBuilder(Map<String, ?> map) {
        if (this.sslEngineBuilder == null) {
            throw new IllegalStateException("SslFactory has not been configured.");
        }
        HashMap hashMap = new HashMap(this.sslEngineBuilder.configs());
        copyMapEntries(hashMap, map, SslConfigs.RECONFIGURABLE_CONFIGS);
        if (this.clientAuthConfigOverride != null) {
            hashMap.put("ssl.client.auth", this.clientAuthConfigOverride);
        }
        if (!this.sslEngineBuilder.shouldBeRebuilt(hashMap)) {
            return this.sslEngineBuilder;
        }
        try {
            SslEngineBuilder sslEngineBuilder = new SslEngineBuilder(hashMap);
            if (this.sslEngineBuilder.keystore() == null) {
                if (sslEngineBuilder.keystore() != null) {
                    throw new ConfigException("Cannot add SSL keystore to an existing listener for which no keystore was configured.");
                }
            } else {
                if (sslEngineBuilder.keystore() == null) {
                    throw new ConfigException("Cannot remove the SSL keystore from an existing listener for which a keystore was configured.");
                }
                if (!CertificateEntries.create(this.sslEngineBuilder.keystore().load()).equals(CertificateEntries.create(sslEngineBuilder.keystore().load()))) {
                    throw new ConfigException("Keystore DistinguishedName or SubjectAltNames do not match");
                }
            }
            if (this.sslEngineBuilder.truststore() == null && sslEngineBuilder.truststore() != null) {
                throw new ConfigException("Cannot add SSL truststore to an existing listener for which no truststore was configured.");
            }
            if (this.keystoreVerifiableUsingTruststore && (this.sslEngineBuilder.truststore() != null || this.sslEngineBuilder.keystore() != null)) {
                SslEngineValidator.validate(this.sslEngineBuilder, sslEngineBuilder);
            }
            return sslEngineBuilder;
        } catch (Exception e) {
            log.debug("Validation of dynamic config update of SSLFactory failed.", (Throwable) e);
            throw new ConfigException("Validation of dynamic config update of SSLFactory failed: " + e);
        }
    }

    public SSLEngine createSslEngine(String str, int i) {
        if (this.sslEngineBuilder == null) {
            throw new IllegalStateException("SslFactory has not been configured.");
        }
        return this.sslEngineBuilder.createSslEngine(this.mode, str, i, this.endpointIdentification);
    }

    @Deprecated
    public SSLContext sslContext() {
        return this.sslEngineBuilder.sslContext();
    }

    public SslEngineBuilder sslEngineBuilder() {
        return this.sslEngineBuilder;
    }

    private static <K, V> void copyMapEntries(Map<K, V> map, Map<K, ? extends V> map2, Set<K> set) {
        for (K k : set) {
            if (map2.containsKey(k)) {
                map.put(k, map2.get(k));
            }
        }
    }
}
