package org.opendaylight.netconf.transport.tls;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import io.netty.channel.Channel;
import io.netty.handler.ssl.Ciphers;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import java.security.KeyStore;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.opendaylight.netconf.transport.api.AbstractOverlayTransportStack;
import org.opendaylight.netconf.transport.api.TransportChannel;
import org.opendaylight.netconf.transport.api.TransportChannelListener;
import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.CipherSuiteAlgBase;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes128CcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes128Ccm;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes256Ccm;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDhePskWithChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes128Ccm;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes256Ccm;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsDheRsaWithChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheEcdsaWithChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes128CcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdhePskWithChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes128GcmSha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes256GcmSha384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithChacha20Poly1305Sha256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreAsymmetricKeyGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreEndEntityCertWithKeyGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.HelloParamsGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.TlsVersionBase;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.hello.params.grouping.CipherSuites;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.hello.params.grouping.TlsVersions;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststoreCertsGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststorePublicKeysGrouping;

/* loaded from: input_file:org/opendaylight/netconf/transport/tls/TLSTransportStack.class */
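/**
 * Base class for transport stacks that layer TLS on top of an already-established underlay channel.
 *
 * <p>The class holds a swappable {@link SslContext}. For every underlay channel it installs an
 * {@link SslHandler} and only reports a {@link TLSTransportChannel} once the handshake has succeeded.
 * The static helpers turn YANG-modelled configuration into JSSE key managers, trust managers and a
 * Netty {@link SslContext}.
 *
 * <p>Decompiler note: this listing was produced by JADX. Members marked below had their access
 * widened by the decompiler, so the visibility shown here is not the visibility of the compiled class.
 */
public abstract class TLSTransportStack extends AbstractOverlayTransportStack<TLSTransportChannel> {
    /**
     * Maps each supported YANG cipher-suite identity to the name handed to the TLS provider.
     * Suites absent from this map are rejected by {@link #createCipherStrings(List)}.
     */
    private static final ImmutableMap<CipherSuiteAlgBase, String> CIPHER_SUITES =
        // The explicit type witness is required: without it the chained put() calls are typed
        // against Builder<Object, Object> and the assignment does not compile.
        ImmutableMap.<CipherSuiteAlgBase, String>builder()
            .put(TlsAes128CcmSha256.VALUE, "TLS_AES_128_CCM_SHA256")
            .put(TlsAes128GcmSha256.VALUE, Ciphers.TLS_AES_128_GCM_SHA256)
            .put(TlsAes256GcmSha384.VALUE, Ciphers.TLS_AES_256_GCM_SHA384)
            .put(TlsChacha20Poly1305Sha256.VALUE, Ciphers.TLS_CHACHA20_POLY1305_SHA256)
            .put(TlsDhePskWithAes128Ccm.VALUE, "TLS_DHE_PSK_WITH_AES_128_CCM")
            .put(TlsDhePskWithAes128GcmSha256.VALUE, Ciphers.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256)
            .put(TlsDhePskWithAes256Ccm.VALUE, "TLS_DHE_PSK_WITH_AES_256_CCM")
            .put(TlsDhePskWithAes256GcmSha384.VALUE, Ciphers.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384)
            .put(TlsDhePskWithChacha20Poly1305Sha256.VALUE, Ciphers.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256)
            .put(TlsDheRsaWithAes128Ccm.VALUE, "TLS_DHE_RSA_WITH_AES_128_CCM")
            .put(TlsDheRsaWithAes128GcmSha256.VALUE, Ciphers.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
            .put(TlsDheRsaWithAes256Ccm.VALUE, "TLS_DHE_RSA_WITH_AES_256_CCM")
            .put(TlsDheRsaWithAes256GcmSha384.VALUE, Ciphers.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
            .put(TlsDheRsaWithChacha20Poly1305Sha256.VALUE, Ciphers.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
            .put(TlsEcdheEcdsaWithAes128GcmSha256.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
            .put(TlsEcdheEcdsaWithAes256GcmSha384.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
            .put(TlsEcdheEcdsaWithChacha20Poly1305Sha256.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)
            .put(TlsEcdhePskWithAes128CcmSha256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256")
            .put(TlsEcdhePskWithAes128GcmSha256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256")
            .put(TlsEcdhePskWithAes256GcmSha384.VALUE, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384")
            .put(TlsEcdhePskWithChacha20Poly1305Sha256.VALUE, Ciphers.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256)
            .put(TlsEcdheRsaWithAes128GcmSha256.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            .put(TlsEcdheRsaWithAes256GcmSha384.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
            .put(TlsEcdheRsaWithChacha20Poly1305Sha256.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
            .build();

    // volatile: replaced through setSslContext() and read once per new underlay channel.
    private volatile SslContext sslContext;

    /**
     * Creates a stack that secures channels with the supplied context.
     *
     * <p>Decompiler note: package-private in the compiled class; widened to public by JADX.
     *
     * @param transportChannelListener listener passed to the superclass constructor
     * @param sslContext initial TLS context, must not be null
     * @throws NullPointerException if {@code sslContext} is null
     */
    public TLSTransportStack(TransportChannelListener transportChannelListener, SslContext sslContext) {
        super(transportChannelListener);
        this.sslContext = Objects.requireNonNull(sslContext);
    }

    /**
     * Installs a TLS handler on the underlay channel and waits for the handshake.
     *
     * <p>A {@link TLSTransportChannel} is added only after the handshake completes without a cause.
     * On failure the cause is reported and the channel is closed, so no transport channel is ever
     * exposed for a connection that failed the handshake.
     *
     * @param transportChannel the established underlay channel
     */
    @Override // org.opendaylight.netconf.transport.api.AbstractOverlayTransportStack
    protected final void onUnderlayChannelEstablished(TransportChannel transportChannel) {
        final Channel channel = transportChannel.channel();
        // The handler is created from the allocator alone, so the SSL engine is given no peer
        // host or port.
        // NOTE(review): JSSE endpoint identification (hostname verification) needs the peer host;
        // confirm that client-side subclasses verify the server identity by other means, or use
        // the newHandler(alloc, peerHost, peerPort) overload there.
        final SslHandler tlsHandler = this.sslContext.newHandler(channel.alloc());
        channel.pipeline().addLast(tlsHandler);
        // JADX emitted the synthetic name "addListener2" here; the Netty method is addListener().
        tlsHandler.handshakeFuture().addListener(future -> {
            final Throwable cause = future.cause();
            if (cause == null) {
                addTransportChannel(new TLSTransportChannel(transportChannel));
            } else {
                notifyTransportChannelFailed(cause);
                channel.close();
            }
        });
    }

    /**
     * Replaces the TLS context used for subsequently established underlay channels.
     * Handlers already created from the previous context are not touched by this method.
     *
     * @param sslContext replacement context, must not be null
     * @throws NullPointerException if {@code sslContext} is null
     */
    final void setSslContext(SslContext sslContext) {
        this.sslContext = Objects.requireNonNull(sslContext);
    }

    /**
     * Builds a key manager factory from an end-entity certificate and its private key.
     *
     * <p>Decompiler note: package-private in the compiled class; widened to public by JADX.
     *
     * @param inlineOrKeystoreEndEntityCertWithKeyGrouping configured certificate with key
     * @return key manager factory backed by a freshly created key store
     * @throws UnsupportedConfigurationException declared for the configuration helpers called here
     */
    public static KeyManagerFactory newKeyManager(InlineOrKeystoreEndEntityCertWithKeyGrouping inlineOrKeystoreEndEntityCertWithKeyGrouping) throws UnsupportedConfigurationException {
        final KeyStore keyStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setEndEntityCertificateWithKey(keyStore, inlineOrKeystoreEndEntityCertWithKeyGrouping);
        return KeyStoreUtils.buildKeyManagerFactory(keyStore);
    }

    /**
     * Builds a key manager factory from a bare asymmetric key.
     *
     * <p>Decompiler note: package-private in the compiled class; widened to public by JADX.
     *
     * @param inlineOrKeystoreAsymmetricKeyGrouping configured asymmetric key
     * @return key manager factory backed by a freshly created key store
     * @throws UnsupportedConfigurationException declared for the configuration helpers called here
     */
    public static KeyManagerFactory newKeyManager(InlineOrKeystoreAsymmetricKeyGrouping inlineOrKeystoreAsymmetricKeyGrouping) throws UnsupportedConfigurationException {
        final KeyStore keyStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setAsymmetricKey(keyStore, inlineOrKeystoreAsymmetricKeyGrouping);
        return KeyStoreUtils.buildKeyManagerFactory(keyStore);
    }

    /**
     * Builds a trust manager factory from the configured certificate sets.
     *
     * <p>Raw public key authentication is rejected outright rather than silently ignored.
     *
     * <p>Decompiler note: protected in the compiled class; widened to public by JADX.
     *
     * @param inlineOrTruststoreCertsGrouping first certificate set, may be null
     * @param inlineOrTruststoreCertsGrouping2 second certificate set, may be null
     * @param inlineOrTruststorePublicKeysGrouping raw public keys; any non-null value is rejected
     * @return trust manager factory, or {@code null} when both certificate sets are null
     * @throws UnsupportedConfigurationException if raw public keys are configured
     */
    public static TrustManagerFactory newTrustManager(InlineOrTruststoreCertsGrouping inlineOrTruststoreCertsGrouping, InlineOrTruststoreCertsGrouping inlineOrTruststoreCertsGrouping2, InlineOrTruststorePublicKeysGrouping inlineOrTruststorePublicKeysGrouping) throws UnsupportedConfigurationException {
        if (inlineOrTruststorePublicKeysGrouping != null) {
            throw new UnsupportedConfigurationException("Public key authentication not implemented");
        }
        if (inlineOrTruststoreCertsGrouping == null && inlineOrTruststoreCertsGrouping2 == null) {
            // NOTE(review): callers decide what "no trust anchors" means. Handing null to Netty's
            // SslContextBuilder.trustManager(TrustManagerFactory) selects the system default trust
            // store; confirm the callers do not end up trusting public CAs unintentionally.
            return null;
        }
        final KeyStore keyStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setX509Certificates(keyStore, inlineOrTruststoreCertsGrouping, inlineOrTruststoreCertsGrouping2);
        return KeyStoreUtils.buildTrustManagerFactory(keyStore);
    }

    /**
     * Applies the configured hello parameters to the builder and builds the TLS context.
     *
     * <p>Protocol versions and cipher suites are set only when the corresponding list is present
     * and non-empty. Otherwise the builder's existing settings are left as they are, which
     * presumably means the provider defaults apply; verify those defaults meet the deployment's
     * minimum TLS version and cipher policy.
     *
     * <p>Decompiler note: package-private in the compiled class; widened to public by JADX.
     *
     * @param sslContextBuilder builder to configure and build
     * @param helloParamsGrouping optional hello parameters, may be null
     * @return the built context
     * @throws UnsupportedConfigurationException if a version or suite is not handled, or the
     *     context cannot be instantiated
     */
    public static SslContext buildSslContext(SslContextBuilder sslContextBuilder, HelloParamsGrouping helloParamsGrouping) throws UnsupportedConfigurationException {
        if (helloParamsGrouping != null) {
            final TlsVersions tlsVersions = helloParamsGrouping.getTlsVersions();
            if (tlsVersions != null) {
                final Set<TlsVersionBase> tlsVersion = tlsVersions.getTlsVersion();
                if (tlsVersion != null && !tlsVersion.isEmpty()) {
                    sslContextBuilder.protocols(createTlsStrings(tlsVersion));
                }
            }
            final CipherSuites cipherSuites = helloParamsGrouping.getCipherSuites();
            if (cipherSuites != null) {
                final List<CipherSuiteAlgBase> cipherSuite = cipherSuites.getCipherSuite();
                if (cipherSuite != null && !cipherSuite.isEmpty()) {
                    sslContextBuilder.ciphers(createCipherStrings(cipherSuite));
                }
            }
        }
        try {
            return sslContextBuilder.build();
        } catch (SSLException e) {
            throw new UnsupportedConfigurationException("Cannot instantiate TLS context", e);
        }
    }

    /**
     * Translates configured TLS version identities into protocol names.
     *
     * <p>NOTE(review): which versions the feature provider maps is not visible here; check
     * whether legacy protocol versions can be enabled through configuration.
     *
     * @param set configured versions
     * @return protocol names in the set's iteration order
     * @throws UnsupportedConfigurationException if a version has no known protocol name
     */
    private static String[] createTlsStrings(Set<TlsVersionBase> set) throws UnsupportedConfigurationException {
        final String[] names = new String[set.size()];
        int next = 0;
        for (TlsVersionBase version : set) {
            final String name = IetfTlsCommonFeatureProvider.algorithmNameOf(version);
            if (name == null) {
                // Fail closed: an unknown version aborts configuration instead of being dropped.
                throw new UnsupportedConfigurationException("Unhandled TLS version " + version);
            }
            names[next++] = name;
        }
        return names;
    }

    /**
     * Translates configured cipher-suite identities into provider cipher names.
     *
     * @param list configured suites, in preference order as given
     * @return cipher names in the same order
     * @throws UnsupportedConfigurationException if a suite is not present in {@code CIPHER_SUITES}
     */
    private static ImmutableList<String> createCipherStrings(List<CipherSuiteAlgBase> list) throws UnsupportedConfigurationException {
        // JADX emitted a raw builder and a bogus cast of the String to ImmutableList.Builder;
        // the typed builder below is what the bytecode actually does.
        final ImmutableList.Builder<String> names = ImmutableList.builderWithExpectedSize(list.size());
        for (CipherSuiteAlgBase suite : list) {
            final String name = CIPHER_SUITES.get(suite);
            if (name == null) {
                // Fail closed: an unmapped suite aborts configuration instead of being dropped.
                throw new UnsupportedConfigurationException("Unhandled cipher suite " + suite);
            }
            names.add(name);
        }
        return names.build();
    }
}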
