package org.opendaylight.netconf.transport.tls;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import io.netty.channel.Channel;
import io.netty.handler.ssl.Ciphers;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import java.net.SocketAddress;
import java.security.KeyStore;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.CipherSuiteAlgBase;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSAES128CCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHEPSKWITHAES128CCM;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHEPSKWITHAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHEPSKWITHAES256CCM;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHEPSKWITHAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHEPSKWITHCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHERSAWITHAES128CCM;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHERSAWITHAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHERSAWITHAES256CCM;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHERSAWITHAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSDHERSAWITHCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEECDSAWITHAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEECDSAWITHAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEECDSAWITHCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEPSKWITHAES128CCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEPSKWITHAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEPSKWITHAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHEPSKWITHCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHERSAWITHAES128GCMSHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHERSAWITHAES256GCMSHA384;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev240208.TLSECDHERSAWITHCHACHA20POLY1305SHA256;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev240208.InlineOrKeystoreAsymmetricKeyGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev240208.InlineOrKeystoreEndEntityCertWithKeyGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.TlsClientGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.ClientIdentity;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.ServerAuthentication;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.client.identity.AuthType;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.client.identity.auth.type.Certificate;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.client.identity.auth.type.RawPublicKey;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client.grouping.client.identity.auth.type.raw._public.key.RawPrivateKey;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev240208.HelloParamsGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev240208.TlsVersionBase;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev240208.hello.params.grouping.CipherSuites;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev240208.hello.params.grouping.TlsVersions;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.TlsServerGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server.grouping.ClientAuthentication;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server.grouping.ServerIdentity;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev240208.InlineOrTruststoreCertsGrouping;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev240208.InlineOrTruststorePublicKeysGrouping;

/* loaded from: input_file:org/opendaylight/netconf/transport/tls/SslHandlerFactory.class */
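/**
 * Factory for Netty {@link SslHandler}s configured from the IETF TLS client/server YANG groupings.
 *
 * <p>Subclasses supply one {@link SslContext} per remote address through
 * {@link #getSslContext(SocketAddress)}; the static {@code createSslContext} helpers translate
 * {@code ietf-tls-client} / {@code ietf-tls-server} configuration into a Netty
 * {@link SslContextBuilder}.
 *
 * <p>Security-relevant behaviour that is fixed by this class:
 * <ul>
 *   <li>Only X.509 certificate trust anchors are accepted; a configured raw-public-key trust list is
 *       rejected by {@link #newTrustManager} with {@link UnsupportedConfigurationException}.</li>
 *   <li>A server without {@code client-authentication} is built with {@link ClientAuth#NONE}: the TLS
 *       client is then not authenticated at the TLS layer at all.</li>
 *   <li>A client without {@code server-authentication} sets no trust manager on the builder, so
 *       whatever default trust the builder applies is used (NOTE(review): confirm that is intended).</li>
 *   <li>No endpoint-identification algorithm is configured on the contexts built here, so hostname
 *       verification, where required, must be performed elsewhere (NOTE(review): confirm).</li>
 *   <li>TLS versions and cipher suites are passed through exactly as configured; no minimum version or
 *       cipher policy is enforced here beyond the fixed {@link #CIPHER_SUITES} mapping.</li>
 * </ul>
 */
public abstract class SslHandlerFactory {
    /**
     * IANA cipher-suite identities (iana-tls-cipher-suite-algs) mapped to the suite names Netty
     * understands. Suites without a {@link Ciphers} constant are spelled out as string literals.
     * Any identity absent from this map is rejected by {@link #createCipherStrings(List)}.
     */
    private static final ImmutableMap<CipherSuiteAlgBase, String> CIPHER_SUITES =
        ImmutableMap.<CipherSuiteAlgBase, String>builder()
            .put(TLSAES128CCMSHA256.VALUE, "TLS_AES_128_CCM_SHA256")
            .put(TLSAES128GCMSHA256.VALUE, Ciphers.TLS_AES_128_GCM_SHA256)
            .put(TLSAES256GCMSHA384.VALUE, Ciphers.TLS_AES_256_GCM_SHA384)
            .put(TLSCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_CHACHA20_POLY1305_SHA256)
            .put(TLSDHEPSKWITHAES128CCM.VALUE, "TLS_DHE_PSK_WITH_AES_128_CCM")
            .put(TLSDHEPSKWITHAES128GCMSHA256.VALUE, Ciphers.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256)
            .put(TLSDHEPSKWITHAES256CCM.VALUE, "TLS_DHE_PSK_WITH_AES_256_CCM")
            .put(TLSDHEPSKWITHAES256GCMSHA384.VALUE, Ciphers.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384)
            .put(TLSDHEPSKWITHCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256)
            .put(TLSDHERSAWITHAES128CCM.VALUE, "TLS_DHE_RSA_WITH_AES_128_CCM")
            .put(TLSDHERSAWITHAES128GCMSHA256.VALUE, Ciphers.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
            .put(TLSDHERSAWITHAES256CCM.VALUE, "TLS_DHE_RSA_WITH_AES_256_CCM")
            .put(TLSDHERSAWITHAES256GCMSHA384.VALUE, Ciphers.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
            .put(TLSDHERSAWITHCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
            .put(TLSECDHEECDSAWITHAES128GCMSHA256.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
            .put(TLSECDHEECDSAWITHAES256GCMSHA384.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
            .put(TLSECDHEECDSAWITHCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)
            .put(TLSECDHEPSKWITHAES128CCMSHA256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256")
            .put(TLSECDHEPSKWITHAES128GCMSHA256.VALUE, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256")
            .put(TLSECDHEPSKWITHAES256GCMSHA384.VALUE, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384")
            .put(TLSECDHEPSKWITHCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256)
            .put(TLSECDHERSAWITHAES128GCMSHA256.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            .put(TLSECDHERSAWITHAES256GCMSHA384.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
            .put(TLSECDHERSAWITHCHACHA20POLY1305SHA256.VALUE, Ciphers.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
            .build();

    /**
     * Creates an {@link SslHandler} for a connected channel.
     *
     * @param channel the channel whose remote address selects the {@link SslContext}
     * @return a new handler allocated from the channel's allocator, or {@code null} when
     *         {@link #getSslContext(SocketAddress)} yields no context for the peer — callers must treat
     *         {@code null} as "no TLS for this channel" rather than as an error
     */
    public final SslHandler createSslHandler(final Channel channel) {
        final SslContext context = getSslContext(channel.remoteAddress());
        return context == null ? null : context.newHandler(channel.alloc());
    }

    /**
     * Resolves the {@link SslContext} to use for a peer.
     *
     * @param socketAddress the remote address of the peer
     * @return the context, or {@code null} if no TLS context applies to that peer
     */
    protected abstract SslContext getSslContext(SocketAddress socketAddress);

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a client-side {@link SslContext} from {@code ietf-tls-client} configuration.
     *
     * <p>The client identity (if any) becomes the key manager: either an end-entity certificate with
     * its key, or a raw private key. The server-authentication trust anchors (if any) become the trust
     * manager; when the grouping is absent no trust manager is set on the builder at all.
     *
     * @param tlsClientGrouping the client configuration
     * @return the built context
     * @throws UnsupportedConfigurationException when the identity or authentication configuration is
     *         incomplete or of a kind this factory does not support, or the context cannot be built
     */
    public static final SslContext createSslContext(final TlsClientGrouping tlsClientGrouping)
            throws UnsupportedConfigurationException {
        final SslContextBuilder builder = SslContextBuilder.forClient();

        final ClientIdentity identity = tlsClientGrouping.getClientIdentity();
        if (identity != null) {
            final AuthType authType = identity.getAuthType();
            if (authType instanceof Certificate) {
                final Certificate certAuth = (Certificate) authType;
                final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev240208.tls.client
                    .grouping.client.identity.auth.type.certificate.Certificate cert = certAuth.getCertificate();
                if (cert == null) {
                    throw new UnsupportedConfigurationException("Missing certificate in " + certAuth);
                }
                builder.keyManager(newKeyManager(cert));
            } else if (authType instanceof RawPublicKey) {
                final RawPublicKey rawAuth = (RawPublicKey) authType;
                final RawPrivateKey rawKey = rawAuth.getRawPrivateKey();
                if (rawKey == null) {
                    throw new UnsupportedConfigurationException("Missing key in " + rawAuth);
                }
                builder.keyManager(newKeyManager(rawKey));
            } else if (authType != null) {
                throw new UnsupportedConfigurationException("Unsupported client authentication type " + authType);
            }
            // A null auth-type is tolerated: the client then presents no identity.
        }

        final ServerAuthentication serverAuth = tlsClientGrouping.getServerAuthentication();
        if (serverAuth != null) {
            final TrustManagerFactory trustManager = newTrustManager(serverAuth.getCaCerts(),
                serverAuth.getEeCerts(), serverAuth.getRawPublicKeys());
            if (trustManager == null) {
                // NOTE(review): this is an unchecked UnsupportedOperationException rather than the declared
                // UnsupportedConfigurationException, so callers handling the checked type will not see it.
                throw new UnsupportedOperationException("No server authentication methods in " + serverAuth);
            }
            builder.trustManager(trustManager);
        }

        return buildSslContext(builder, tlsClientGrouping.getHelloParams());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a server-side {@link SslContext} from {@code ietf-tls-server} configuration.
     *
     * <p>A server identity is mandatory and becomes the key manager. When {@code client-authentication}
     * is configured, client certificates are required ({@link ClientAuth#REQUIRE}) and validated against
     * the configured trust anchors; when it is absent, clients are not authenticated at the TLS layer
     * ({@link ClientAuth#NONE}).
     *
     * @param tlsServerGrouping the server configuration
     * @return the built context
     * @throws UnsupportedConfigurationException when the server identity is missing, incomplete or of a
     *         kind this factory does not support, or the context cannot be built
     */
    public static final SslContext createSslContext(final TlsServerGrouping tlsServerGrouping)
            throws UnsupportedConfigurationException {
        final ServerIdentity identity = tlsServerGrouping.getServerIdentity();
        if (identity == null) {
            throw new UnsupportedConfigurationException("Missing server identity");
        }

        final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server.grouping
            .server.identity.AuthType authType = identity.getAuthType();
        final SslContextBuilder builder;
        if (authType instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208
                .tls.server.grouping.server.identity.auth.type.Certificate) {
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                .grouping.server.identity.auth.type.Certificate certAuth =
                (org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                    .grouping.server.identity.auth.type.Certificate) authType;
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                .grouping.server.identity.auth.type.certificate.Certificate cert = certAuth.getCertificate();
            if (cert == null) {
                throw new UnsupportedConfigurationException("Missing certificate in " + certAuth);
            }
            builder = SslContextBuilder.forServer(newKeyManager(cert));
        } else if (authType instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server
                .rev240208.tls.server.grouping.server.identity.auth.type.RawPrivateKey) {
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                .grouping.server.identity.auth.type.RawPrivateKey rawAuth =
                (org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                    .grouping.server.identity.auth.type.RawPrivateKey) authType;
            final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev240208.tls.server
                .grouping.server.identity.auth.type.raw._private.key.RawPrivateKey rawKey = rawAuth.getRawPrivateKey();
            if (rawKey == null) {
                throw new UnsupportedConfigurationException("Missing key in " + rawAuth);
            }
            builder = SslContextBuilder.forServer(newKeyManager(rawKey));
        } else if (authType != null) {
            throw new UnsupportedConfigurationException("Unsupported server authentication type " + authType);
        } else {
            // Unlike the client side, a server cannot operate without an identity.
            throw new UnsupportedConfigurationException("Missing server authentication type");
        }

        final ClientAuthentication clientAuth = tlsServerGrouping.getClientAuthentication();
        if (clientAuth != null) {
            final TrustManagerFactory trustManager = newTrustManager(clientAuth.getCaCerts(),
                clientAuth.getEeCerts(), clientAuth.getRawPublicKeys());
            if (trustManager == null) {
                // NOTE(review): unchecked UnsupportedOperationException rather than the declared checked type;
                // see the same pattern in the client variant.
                throw new UnsupportedOperationException("No client authentication methods in " + clientAuth);
            }
            builder.clientAuth(ClientAuth.REQUIRE).trustManager(trustManager);
        } else {
            // No client-authentication configured: the peer is not authenticated by TLS.
            builder.clientAuth(ClientAuth.NONE);
        }

        return buildSslContext(builder, tlsServerGrouping.getHelloParams());
    }

    /**
     * Creates a trust manager from the configured trust anchors.
     *
     * @param caCerts CA certificates to trust, or {@code null}
     * @param eeCerts end-entity certificates to trust directly, or {@code null}
     * @param rawPublicKeys raw public keys to trust, or {@code null}
     * @return a trust manager factory over the configured certificates, or {@code null} when neither
     *         certificate list is present
     * @throws UnsupportedConfigurationException when raw public keys are configured, which this factory
     *         does not support, or the key store cannot be populated
     */
    private static TrustManagerFactory newTrustManager(final InlineOrTruststoreCertsGrouping caCerts,
            final InlineOrTruststoreCertsGrouping eeCerts, final InlineOrTruststorePublicKeysGrouping rawPublicKeys)
            throws UnsupportedConfigurationException {
        // Rejected explicitly rather than ignored, so a misconfiguration cannot silently widen trust.
        if (rawPublicKeys != null) {
            throw new UnsupportedConfigurationException("Public key authentication not implemented");
        }
        if (caCerts == null && eeCerts == null) {
            return null;
        }
        final KeyStore trustStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setX509Certificates(trustStore, caCerts, eeCerts);
        return KeyStoreUtils.buildTrustManagerFactory(trustStore);
    }

    /**
     * Creates a key manager holding an end-entity certificate together with its private key.
     *
     * @param certWithKey the certificate/key configuration
     * @return the key manager factory
     * @throws UnsupportedConfigurationException when the key store cannot be populated
     */
    private static KeyManagerFactory newKeyManager(final InlineOrKeystoreEndEntityCertWithKeyGrouping certWithKey)
            throws UnsupportedConfigurationException {
        final KeyStore keyStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setEndEntityCertificateWithKey(keyStore, certWithKey);
        return KeyStoreUtils.buildKeyManagerFactory(keyStore);
    }

    /**
     * Creates a key manager holding a bare asymmetric key (raw-public-key identity).
     *
     * @param asymmetricKey the key configuration
     * @return the key manager factory
     * @throws UnsupportedConfigurationException when the key store cannot be populated
     */
    private static KeyManagerFactory newKeyManager(final InlineOrKeystoreAsymmetricKeyGrouping asymmetricKey)
            throws UnsupportedConfigurationException {
        final KeyStore keyStore = KeyStoreUtils.newKeyStore();
        ConfigUtils.setAsymmetricKey(keyStore, asymmetricKey);
        return KeyStoreUtils.buildKeyManagerFactory(keyStore);
    }

    /**
     * Applies the optional {@code hello-params} (protocol versions, cipher suites) and builds the context.
     *
     * <p>Both lists are applied only when present and non-empty, in the configured order; nothing is
     * added or filtered here, so the minimum protocol version and cipher policy are whatever the
     * configuration says (or Netty's defaults when unset).
     *
     * @param builder the partially configured builder
     * @param helloParams the hello parameters, or {@code null}
     * @return the built context
     * @throws UnsupportedConfigurationException when a version or suite is unknown, or Netty fails to
     *         build the context
     */
    private static SslContext buildSslContext(final SslContextBuilder builder, final HelloParamsGrouping helloParams)
            throws UnsupportedConfigurationException {
        if (helloParams != null) {
            final TlsVersions versions = helloParams.getTlsVersions();
            if (versions != null) {
                final List<TlsVersionBase> versionList = versions.getTlsVersion();
                if (versionList != null && !versionList.isEmpty()) {
                    builder.protocols(createTlsStrings(versionList));
                }
            }
            final CipherSuites suites = helloParams.getCipherSuites();
            if (suites != null) {
                final List<CipherSuiteAlgBase> suiteList = suites.getCipherSuite();
                if (suiteList != null && !suiteList.isEmpty()) {
                    builder.ciphers(createCipherStrings(suiteList));
                }
            }
        }
        try {
            return builder.build();
        } catch (SSLException e) {
            throw new UnsupportedConfigurationException("Cannot instantiate TLS context", e);
        }
    }

    /**
     * Maps configured TLS version identities to the protocol names Netty expects, preserving order.
     *
     * @param versions the configured versions, non-empty
     * @return the protocol names, one per input element
     * @throws UnsupportedConfigurationException when a version has no known protocol name
     */
    private static String[] createTlsStrings(final List<TlsVersionBase> versions)
            throws UnsupportedConfigurationException {
        final String[] names = new String[versions.size()];
        int index = 0;
        for (TlsVersionBase version : versions) {
            final String name = IetfTlsCommonFeatureProvider.algorithmNameOf(version);
            if (name == null) {
                throw new UnsupportedConfigurationException("Unhandled TLS version " + version);
            }
            names[index++] = name;
        }
        return names;
    }

    /**
     * Maps configured cipher-suite identities to Netty suite names via {@link #CIPHER_SUITES},
     * preserving order.
     *
     * @param suites the configured suites, non-empty
     * @return the suite names, one per input element
     * @throws UnsupportedConfigurationException when a suite is not in {@link #CIPHER_SUITES}
     */
    private static ImmutableList<String> createCipherStrings(final List<CipherSuiteAlgBase> suites)
            throws UnsupportedConfigurationException {
        final ImmutableList.Builder<String> names = ImmutableList.builderWithExpectedSize(suites.size());
        for (CipherSuiteAlgBase suite : suites) {
            final String name = CIPHER_SUITES.get(suite);
            if (name == null) {
                throw new UnsupportedConfigurationException("Unhandled cipher suite " + suite);
            }
            names.add(name);
        }
        return names.build();
    }
}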
