package org.apache.pekko.remote.artery.tcp;

import com.typesafe.config.Config;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.pekko.actor.ActorSystem;
import org.apache.pekko.event.LogMarker$;
import org.apache.pekko.event.LogSource;
import org.apache.pekko.event.LogSource$;
import org.apache.pekko.event.Logging$;
import org.apache.pekko.event.MarkerLoggingAdapter;
import org.apache.pekko.remote.artery.tcp.ssl.SSLEngineConfig;
import org.apache.pekko.stream.Client$;
import org.apache.pekko.stream.Server$;
import org.apache.pekko.stream.TLSRole;
import scala.None$;
import scala.Option;
import scala.collection.immutable.Set;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;
import scala.util.Try$;

/* compiled from: ConfigSSLEngineProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005mh\u0001B\u0015+\u0001]B\u0001B\u0011\u0001\u0003\u0006\u0004%\tb\u0011\u0005\t\u001b\u0002\u0011\t\u0011)A\u0005\t\"Aa\n\u0001BC\u0002\u0013Eq\n\u0003\u0005W\u0001\t\u0005\t\u0015!\u0003Q\u0011\u00159\u0006\u0001\"\u0001Y\u0011\u00159\u0006\u0001\"\u0001]\u0011\u001d)\u0007A1A\u0005\n\u0019Da!\u001c\u0001!\u0002\u00139\u0007b\u00028\u0001\u0005\u0004%\ta\u001c\u0005\u0007w\u0002\u0001\u000b\u0011\u00029\t\u000fq\u0004!\u0019!C\u0001_\"1Q\u0010\u0001Q\u0001\nADqA \u0001C\u0002\u0013\u0005q\u000e\u0003\u0004��\u0001\u0001\u0006I\u0001\u001d\u0005\t\u0003\u0003\u0001!\u0019!C\u0001_\"9\u00111\u0001\u0001!\u0002\u0013\u0001\b\u0002CA\u0003\u0001\t\u0007I\u0011A8\t\u000f\u0005\u001d\u0001\u0001)A\u0005a\"I\u0011\u0011\u0002\u0001C\u0002\u0013\u0005\u00111\u0002\u0005\t\u0003'\u0001\u0001\u0015!\u0003\u0002\u000e!A\u0011Q\u0003\u0001C\u0002\u0013\u0005q\u000eC\u0004\u0002\u0018\u0001\u0001\u000b\u0011\u00029\t\u0011\u0005e\u0001A1A\u0005\u0002=Dq!a\u0007\u0001A\u0003%\u0001\u000fC\u0005\u0002\u001e\u0001\u0011\r\u0011\"\u0001\u0002 !A\u0011q\u0005\u0001!\u0002\u0013\t\t\u0003C\u0005\u0002*\u0001\u0011\r\u0011\"\u0001\u0002 
!A\u00111\u0006\u0001!\u0002\u0013\t\t\u0003\u0003\u0006\u0002.\u0001A)\u0019!C\u0005\u0003_Aq!a\u0011\u0001\t\u0013\t)\u0005C\u0004\u0002H\u0001!\t\"!\u0013\t\u000f\u0005\r\u0004\u0001\"\u0005\u0002f!9\u00111\u000f\u0001\u0005\u0012\u0005U\u0004bBA@\u0001\u0011\u0005\u0011\u0011\u0011\u0005\b\u0003\u0013\u0003A\u0011IAF\u0011\u001d\t\t\u000b\u0001C!\u0003GCq!!+\u0001\t\u0013\tY\u000bC\u0004\u0002*\u0002!I!!1\t\u000f\u0005-\u0007\u0001\"\u0011\u0002N\"9\u00111\u001f\u0001\u0005B\u0005U(aF\"p]\u001aLwmU*M\u000b:<\u0017N\\3Qe>4\u0018\u000eZ3s\u0015\tYC&A\u0002uGBT!!\f\u0018\u0002\r\u0005\u0014H/\u001a:z\u0015\ty\u0003'\u0001\u0004sK6|G/\u001a\u0006\u0003cI\nQ\u0001]3lW>T!a\r\u001b\u0002\r\u0005\u0004\u0018m\u00195f\u0015\u0005)\u0014aA8sO\u000e\u00011c\u0001\u00019}A\u0011\u0011\bP\u0007\u0002u)\t1(A\u0003tG\u0006d\u0017-\u0003\u0002>u\t1\u0011I\\=SK\u001a\u0004\"a\u0010!\u000e\u0003)J!!\u0011\u0016\u0003#M\u001bF*\u00128hS:,\u0007K]8wS\u0012,'/\u0001\u0004d_:4\u0017nZ\u000b\u0002\tB\u0011QiS\u0007\u0002\r*\u0011!i\u0012\u0006\u0003\u0011&\u000b\u0001\u0002^=qKN\fg-\u001a\u0006\u0002\u0015\u0006\u00191m\\7\n\u000513%AB\"p]\u001aLw-A\u0004d_:4\u0017n\u001a\u0011\u0002\u00071|w-F\u0001Q!\t\tF+D\u0001S\u0015\t\u0019\u0006'A\u0003fm\u0016tG/\u0003\u0002V%\n!R*\u0019:lKJdunZ4j]\u001e\fE-\u00199uKJ\fA\u0001\\8hA\u00051A(\u001b8jiz\"2!\u0017.\\!\ty\u0004\u0001C\u0003C\u000b\u0001\u0007A\tC\u0003O\u000b\u0001\u0007\u0001\u000b\u0006\u0002Z;\")aL\u0002a\u0001?\u000611/_:uK6\u0004\"\u0001Y2\u000e\u0003\u0005T!A\u0019\u0019\u0002\u000b\u0005\u001cGo\u001c:\n\u0005\u0011\f'aC!di>\u00148+_:uK6\fqb]:m\u000b:<\u0017N\\3D_:4\u0017nZ\u000b\u0002OB\u0011\u0001n[\u0007\u0002S*\u0011!NK\u0001\u0004gNd\u0017B\u00017j\u0005=\u00196\u000bT#oO&tWmQ8oM&<\u0017\u0001E:tY\u0016sw-\u001b8f\u0007>tg-[4!\u0003-\u00196\u000bT&fsN#xN]3\u0016\u0003A\u0004\"!\u001d=\u000f\u0005I4\bCA:;\u001b\u0005!(BA;7\u0003\u0019a$o\\8u}%\u0011qOO\u0001\u0007!J,G-\u001a4\n\u0005eT(AB*ue&twM\u0003\u0002xu\u0005a1k\u0
015'LKf\u001cFo\u001c:fA\u0005i1k\u0015'UeV\u001cHo\u0015;pe\u0016\fabU*M)J,8\u000f^*u_J,\u0007%A\nT'2[U-_*u_J,\u0007+Y:to>\u0014H-\u0001\u000bT'2[U-_*u_J,\u0007+Y:to>\u0014H\rI\u0001\u000f'Nc5*Z=QCN\u001cxo\u001c:e\u0003=\u00196\u000bT&fsB\u000b7o]<pe\u0012\u0004\u0013!F*T\u0019R\u0013Xo\u001d;Ti>\u0014X\rU1tg^|'\u000fZ\u0001\u0017'NcEK];tiN#xN]3QCN\u001cxo\u001c:eA\u0005!2k\u0015'F]\u0006\u0014G.\u001a3BY\u001e|'/\u001b;i[N,\"!!\u0004\u0011\tE\fy\u0001]\u0005\u0004\u0003#Q(aA*fi\u0006)2k\u0015'F]\u0006\u0014G.\u001a3BY\u001e|'/\u001b;i[N\u0004\u0013aC*T\u0019B\u0013x\u000e^8d_2\fAbU*M!J|Go\\2pY\u0002\n\u0001dU*M%\u0006tGm\\7Ok6\u0014WM]$f]\u0016\u0014\u0018\r^8s\u0003e\u00196\u000b\u0014*b]\u0012|WNT;nE\u0016\u0014x)\u001a8fe\u0006$xN\u001d\u0011\u0002=M\u001bFJU3rk&\u0014X-T;uk\u0006d\u0017)\u001e;iK:$\u0018nY1uS>tWCAA\u0011!\rI\u00141E\u0005\u0004\u0003KQ$a\u0002\"p_2,\u0017M\\\u0001 'Nc%+Z9vSJ,W*\u001e;vC2\fU\u000f\u001e5f]RL7-\u0019;j_:\u0004\u0013\u0001\u0006%pgRt\u0017-\\3WKJLg-[2bi&|g.A\u000bI_N$h.Y7f-\u0016\u0014\u0018NZ5dCRLwN\u001c\u0011\u0002\u0015M\u001cHnQ8oi\u0016DH/\u0006\u0002\u00022A!\u00111GA \u001b\t\t)DC\u0002k\u0003oQA!!\u000f\u0002<\u0005\u0019a.\u001a;\u000b\u0005\u0005u\u0012!\u00026bm\u0006D\u0018\u0002BA!\u0003k\u0011!bU*M\u0007>tG/\u001a=u\u0003A\u0019wN\\:ueV\u001cGoQ8oi\u0016DH\u000f\u0006\u0002\u00022\u0005aAn\\1e\u0017\u0016L8\u000f^8sKR1\u00111JA.\u0003?\u0002B!!\u0014\u0002X5\u0011\u0011q\n\u0006\u0005\u0003#\n\u0019&\u0001\u0005tK\u000e,(/\u001b;z\u0015\t\t)&\u0001\u0003kCZ\f\u0017\u0002BA-\u0003\u001f\u0012\u0001bS3z'R|'/\u001a\u0005\u0007\u0003;z\u0002\u0019\u00019\u0002\u0011\u0019LG.\u001a8b[\u0016Da!!\u0019 
\u0001\u0004\u0001\u0018\u0001\u00039bgN<xN\u001d3\u0002\u0017-,\u00170T1oC\u001e,'o]\u000b\u0003\u0003O\u0002R!OA5\u0003[J1!a\u001b;\u0005\u0015\t%O]1z!\u0011\t\u0019$a\u001c\n\t\u0005E\u0014Q\u0007\u0002\u000b\u0017\u0016LX*\u00198bO\u0016\u0014\u0018!\u0004;skN$X*\u00198bO\u0016\u00148/\u0006\u0002\u0002xA)\u0011(!\u001b\u0002zA!\u00111GA>\u0013\u0011\ti(!\u000e\u0003\u0019Q\u0013Xo\u001d;NC:\fw-\u001a:\u0002%\r\u0014X-\u0019;f'\u0016\u001cWO]3SC:$w.\u001c\u000b\u0003\u0003\u0007\u0003B!!\u0014\u0002\u0006&!\u0011qQA(\u00051\u0019VmY;sKJ\u000bg\u000eZ8n\u0003U\u0019'/Z1uKN+'O^3s'NcUI\\4j]\u0016$b!!$\u0002\u0014\u0006]\u0005\u0003BA\u001a\u0003\u001fKA!!%\u00026\tI1k\u0015'F]\u001eLg.\u001a\u0005\u0007\u0003+\u001b\u0003\u0019\u00019\u0002\u0011!|7\u000f\u001e8b[\u0016Dq!!'$\u0001\u0004\tY*\u0001\u0003q_J$\bcA\u001d\u0002\u001e&\u0019\u0011q\u0014\u001e\u0003\u0007%sG/A\u000bde\u0016\fG/Z\"mS\u0016tGoU*M\u000b:<\u0017N\\3\u0015\r\u00055\u0015QUAT\u0011\u0019\t)\n\na\u0001a\"9\u0011\u0011\u0014\u0013A\u0002\u0005m\u0015aD2sK\u0006$XmU*M\u000b:<\u0017N\\3\u0015\u0011\u00055\u0015QVA_\u0003\u007fCq!a,&\u0001\u0004\t\t,\u0001\u0003s_2,\u0007\u0003BAZ\u0003sk!!!.\u000b\u0007\u0005]\u0006'\u0001\u0004tiJ,\u0017-\\\u0005\u0005\u0003w\u000b)LA\u0004U\u0019N\u0013v\u000e\\3\t\r\u0005UU\u00051\u0001q\u0011\u001d\tI*\na\u0001\u00037#\"\"!$\u0002D\u0006\u0015\u0017qYAe\u0011\u001d\tiC\na\u0001\u0003cAq!a,'\u0001\u0004\t\t\f\u0003\u0004\u0002\u0016\u001a\u0002\r\u0001\u001d\u0005\b\u000333\u0003\u0019AAN\u0003M1XM]5gs\u000ec\u0017.\u001a8u'\u0016\u001c8/[8o)\u0019\ty-a:\u0002jB)\u0011(!5\u0002V&\u0019\u00111\u001b\u001e\u0003\r=\u0003H/[8o!\u0011\t9.!9\u000f\t\u0005e\u0017Q\u001c\b\u0004g\u0006m\u0017\"A\u001e\n\u0007\u0005}'(A\u0004qC\u000e\\\u0017mZ3\n\t\u0005\r\u0018Q\u001d\u0002\n)\"\u0014xn^1cY\u0016T1!a8;\u0011\u0019\t)j\na\u0001a\"9\u00111^\u0014A\u0002\u00055\u0018aB:fgNLwN\u001c\t\u0005\u0003g\ty/\u0003\u0003\u0002r\u0006U\"AC*T\u0019N+7o]5p]\u0006\u0019b/\u001a:jMf\u
001cVM\u001d<feN+7o]5p]R1\u0011qZA|\u0003sDa!!&)\u0001\u0004\u0001\bbBAvQ\u0001\u0007\u0011Q\u001e")
/* loaded from: input_file:flink-rpc-akka.jar:org/apache/pekko/remote/artery/tcp/ConfigSSLEngineProvider.class */
/*
 * SSLEngineProvider that builds JSSE engines from configuration values.
 *
 * Store locations and passwords are read directly from the supplied Config
 * ("key-store", "trust-store", "key-store-password", "key-password",
 * "trust-store-password"); cipher suites, protocol, RNG name, mutual-auth and
 * hostname-verification flags come from SSLEngineConfig. One SSLContext is
 * built on first use and shared by client and server engines.
 *
 * This is decompiler output of a Scala class: the accessor-per-field layout, the
 * bitmap$0 flag and the "$lzycompute" method are the visible encoding of Scala
 * vals and a lazy val, not hand-written Java.
 *
 * NOTE(review): the three passwords are held as immutable Strings for the
 * lifetime of the provider and are returned by public accessors; nothing
 * visible here clears them, so keep them out of logs and diagnostics.
 */
public class ConfigSSLEngineProvider implements SSLEngineProvider {
    // Lazily built context; written once inside sslContext$lzycompute().
    private SSLContext sslContext;
    private final Config config;
    private final MarkerLoggingAdapter log;
    private final SSLEngineConfig sslEngineConfig;
    // Path of the key store file, from "key-store".
    private final String SSLKeyStore;
    // Path of the trust store file, from "trust-store".
    private final String SSLTrustStore;
    // Secrets, from "key-store-password", "key-password" and "trust-store-password".
    private final String SSLKeyStorePassword;
    private final String SSLKeyPassword;
    private final String SSLTrustStorePassword;
    // Passed to SSLEngine.setEnabledCipherSuites for every engine.
    private final Set<String> SSLEnabledAlgorithms;
    // Used both for SSLContext.getInstance and as the only enabled protocol.
    private final String SSLProtocol;
    private final String SSLRandomNumberGenerator;
    // When true, server-role engines call setNeedClientAuth(true).
    private final boolean SSLRequireMutualAuthentication;
    // When true, client-role engines set the "HTTPS" endpoint identification algorithm.
    private final boolean HostnameVerification;
    // Set to true once sslContext has been initialised; volatile so sslContext() can test it without the lock.
    private volatile boolean bitmap$0;

    /** Returns the Config section this provider was constructed from. */
    public Config config() {
        return this.config;
    }

    /** Returns the logging adapter passed to the constructor. */
    public MarkerLoggingAdapter log() {
        return this.log;
    }

    /** Returns the SSLEngineConfig built from {@link #config()} in the constructor. */
    private SSLEngineConfig sslEngineConfig() {
        return this.sslEngineConfig;
    }

    /** Returns the configured key store path ("key-store"). */
    public String SSLKeyStore() {
        return this.SSLKeyStore;
    }

    /** Returns the configured trust store path ("trust-store"). */
    public String SSLTrustStore() {
        return this.SSLTrustStore;
    }

    /** Returns the key store password ("key-store-password"). The value is a secret; do not log it. */
    public String SSLKeyStorePassword() {
        return this.SSLKeyStorePassword;
    }

    /** Returns the private key password ("key-password"). The value is a secret; do not log it. */
    public String SSLKeyPassword() {
        return this.SSLKeyPassword;
    }

    /** Returns the trust store password ("trust-store-password"). The value is a secret; do not log it. */
    public String SSLTrustStorePassword() {
        return this.SSLTrustStorePassword;
    }

    /** Returns the cipher suite names that every engine is restricted to. */
    public Set<String> SSLEnabledAlgorithms() {
        return this.SSLEnabledAlgorithms;
    }

    /** Returns the protocol name used for the SSLContext and as the single enabled protocol. */
    public String SSLProtocol() {
        return this.SSLProtocol;
    }

    /** Returns the configured random number generator name handed to SecureRandomFactory. */
    public String SSLRandomNumberGenerator() {
        return this.SSLRandomNumberGenerator;
    }

    /** Returns whether server-role engines must require a client certificate. */
    public boolean SSLRequireMutualAuthentication() {
        return this.SSLRequireMutualAuthentication;
    }

    /** Returns whether client-role engines enable endpoint identification. */
    public boolean HostnameVerification() {
        return this.HostnameVerification;
    }

    /**
     * Builds the shared SSLContext at most once, under the instance lock.
     *
     * Before building, it records the hostname-verification setting: at debug level
     * when enabled, and at info level with the Security log marker when disabled.
     * The "?? r0" declaration is a decompiler artifact (see the JADX warnings); r0
     * is simply {@code this}.
     *
     * @return the initialised context
     */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v0 */
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v8, types: [org.apache.pekko.remote.artery.tcp.ConfigSSLEngineProvider] */
    private SSLContext sslContext$lzycompute() {
        ?? r0 = this;
        synchronized (r0) {
            // Re-check under the lock so a second caller does not rebuild the context.
            if (!this.bitmap$0) {
                if (HostnameVerification()) {
                    log().debug("TLS/SSL hostname verification is enabled.");
                } else {
                    // Disabled verification is surfaced with the Security marker so it can be found in logs.
                    log().info(LogMarker$.MODULE$.Security(), "TLS/SSL hostname verification is disabled. See Pekko reference documentation for more information.");
                }
                this.sslContext = constructContext();
                r0 = this;
                // The flag is set only after the field is assigned.
                r0.bitmap$0 = true;
            }
        }
        return this.sslContext;
    }

    /** Returns the shared SSLContext, building it on first call via {@link #sslContext$lzycompute()}. */
    private SSLContext sslContext() {
        return !this.bitmap$0 ? sslContext$lzycompute() : this.sslContext;
    }

    /**
     * Creates and initialises an SSLContext for the configured protocol, using the
     * key managers, trust managers and SecureRandom produced by this provider.
     *
     * @return the initialised context
     * @throws SslTransportException wrapping a FileNotFoundException, IOException or
     *         GeneralSecurityException raised while loading the stores or building the context
     */
    private SSLContext constructContext() {
        try {
            SecureRandom createSecureRandom = createSecureRandom();
            SSLContext sSLContext = SSLContext.getInstance(SSLProtocol());
            sSLContext.init(keyManagers(), trustManagers(), createSecureRandom);
            return sSLContext;
        } catch (FileNotFoundException e) {
            // Caught ahead of IOException so a missing store file gets its own message.
            // NOTE(review): the messages say "Server" although this context is also used for client engines.
            throw new SslTransportException("Server SSL connection could not be established because key store could not be loaded", e);
        } catch (IOException e2) {
            // The underlying message is copied into the new exception text, so it reaches whatever logs this exception.
            throw new SslTransportException(new StringBuilder(56).append("Server SSL connection could not be established because: ").append(e2.getMessage()).toString(), e2);
        } catch (GeneralSecurityException e3) {
            throw new SslTransportException("Server SSL connection could not be established because SSL context could not be constructed", e3);
        }
    }

    /**
     * Loads a key store of the JVM's default type from a file.
     *
     * @param str path of the store file
     * @param str2 password used to open the store
     * @return the loaded KeyStore
     */
    public KeyStore loadKeystore(String str, String str2) {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream newInputStream = Files.newInputStream(Paths.get(str, new String[0]), new OpenOption[0]);
        try {
            // NOTE(review): the char[] created here is not cleared afterwards in the visible code.
            keyStore.load(newInputStream, str2.toCharArray());
            return keyStore;
        } finally {
            // close() runs inside a Try whose result is discarded, so a close failure does not mask the load outcome.
            Try$.MODULE$.apply(() -> {
                newInputStream.close();
            });
        }
    }

    /**
     * Builds key managers from the configured key store, using the default
     * KeyManagerFactory algorithm. The store is opened with SSLKeyStorePassword and
     * the factory is initialised with SSLKeyPassword.
     *
     * @return the key managers for the configured key store
     */
    public KeyManager[] keyManagers() {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(loadKeystore(SSLKeyStore(), SSLKeyStorePassword()), SSLKeyPassword().toCharArray());
        return keyManagerFactory.getKeyManagers();
    }

    /**
     * Builds trust managers from the configured trust store, using the default
     * TrustManagerFactory algorithm.
     *
     * @return the trust managers for the configured trust store
     */
    public TrustManager[] trustManagers() {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(loadKeystore(SSLTrustStore(), SSLTrustStorePassword()));
        return trustManagerFactory.getTrustManagers();
    }

    /** Obtains a SecureRandom from SecureRandomFactory for the configured generator name. */
    public SecureRandom createSecureRandom() {
        return SecureRandomFactory$.MODULE$.createSecureRandom(SSLRandomNumberGenerator(), log());
    }

    /**
     * Creates a server-role engine.
     *
     * @param str host name passed to SSLContext.createSSLEngine
     * @param i port passed to SSLContext.createSSLEngine
     */
    @Override // org.apache.pekko.remote.artery.tcp.SSLEngineProvider
    public SSLEngine createServerSSLEngine(String str, int i) {
        return createSSLEngine(Server$.MODULE$, str, i);
    }

    /**
     * Creates a client-role engine.
     *
     * @param str host name passed to SSLContext.createSSLEngine
     * @param i port passed to SSLContext.createSSLEngine
     */
    @Override // org.apache.pekko.remote.artery.tcp.SSLEngineProvider
    public SSLEngine createClientSSLEngine(String str, int i) {
        return createSSLEngine(Client$.MODULE$, str, i);
    }

    /** Creates an engine for the given role from the shared, lazily built SSLContext. */
    private SSLEngine createSSLEngine(TLSRole tLSRole, String str, int i) {
        return createSSLEngine(sslContext(), tLSRole, str, i);
    }

    /**
     * Creates and configures an engine for one connection.
     *
     * Client role: client mode is on, and the "HTTPS" endpoint identification
     * algorithm is set when HostnameVerification is true. Any other role: client
     * mode is off, and a client certificate is required only when
     * SSLRequireMutualAuthentication is true. In both roles the engine is limited
     * to the configured cipher suites and to the single configured protocol.
     *
     * @param sSLContext context the engine is created from
     * @param tLSRole Client$ or Server$ role marker
     * @param str host name passed to createSSLEngine
     * @param i port passed to createSSLEngine
     * @return the configured engine
     */
    private SSLEngine createSSLEngine(SSLContext sSLContext, TLSRole tLSRole, String str, int i) {
        SSLEngine createSSLEngine = sSLContext.createSSLEngine(str, i);
        if (HostnameVerification()) {
            Client$ client$ = Client$.MODULE$;
            // Null-safe equality test (decompiled Scala ==): true only for the client role.
            if (tLSRole != null ? tLSRole.equals(client$) : client$ == null) {
                // Endpoint identification is configured for the client side only; no
                // equivalent setting is applied to server-role engines in this method.
                SSLParameters defaultSSLParameters = sSLContext.getDefaultSSLParameters();
                defaultSSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
                createSSLEngine.setSSLParameters(defaultSSLParameters);
            }
        }
        Client$ client$2 = Client$.MODULE$;
        createSSLEngine.setUseClientMode(tLSRole != null ? tLSRole.equals(client$2) : client$2 == null);
        // Set after setSSLParameters, so these lists are the ones in effect on the engine.
        createSSLEngine.setEnabledCipherSuites((String[]) SSLEnabledAlgorithms().toArray(ClassTag$.MODULE$.apply(String.class)));
        createSSLEngine.setEnabledProtocols(new String[]{SSLProtocol()});
        Client$ client$3 = Client$.MODULE$;
        // Negated role test: true for every role other than client.
        if (tLSRole != null ? !tLSRole.equals(client$3) : client$3 != null) {
            if (SSLRequireMutualAuthentication()) {
                // Without this flag nothing here asks the peer for a certificate.
                createSSLEngine.setNeedClientAuth(true);
            }
        }
        return createSSLEngine;
    }

    /**
     * Always returns None; this provider performs no check on the client's session
     * beyond what the engine itself enforced during the handshake.
     * NOTE(review): presumably None means "accepted" in the SSLEngineProvider contract; confirm there.
     */
    @Override // org.apache.pekko.remote.artery.tcp.SSLEngineProvider
    public Option<Throwable> verifyClientSession(String str, SSLSession sSLSession) {
        return None$.MODULE$;
    }

    /**
     * Always returns None; this provider performs no check on the server's session
     * beyond what the engine itself enforced during the handshake.
     * NOTE(review): presumably None means "accepted" in the SSLEngineProvider contract; confirm there.
     */
    @Override // org.apache.pekko.remote.artery.tcp.SSLEngineProvider
    public Option<Throwable> verifyServerSession(String str, SSLSession sSLSession) {
        return None$.MODULE$;
    }

    /**
     * Reads all settings eagerly from the given config section. The stores
     * themselves are not opened here; that happens when the SSLContext is first built.
     *
     * @param config section holding the store paths, passwords and engine settings
     * @param markerLoggingAdapter logger used for the hostname-verification notice and passed to SecureRandomFactory
     */
    public ConfigSSLEngineProvider(Config config, MarkerLoggingAdapter markerLoggingAdapter) {
        this.config = config;
        this.log = markerLoggingAdapter;
        this.sslEngineConfig = new SSLEngineConfig(config);
        this.SSLKeyStore = config.getString("key-store");
        this.SSLTrustStore = config.getString("trust-store");
        this.SSLKeyStorePassword = config.getString("key-store-password");
        this.SSLKeyPassword = config.getString("key-password");
        this.SSLTrustStorePassword = config.getString("trust-store-password");
        this.SSLEnabledAlgorithms = sslEngineConfig().SSLEnabledAlgorithms();
        this.SSLProtocol = sslEngineConfig().SSLProtocol();
        this.SSLRandomNumberGenerator = sslEngineConfig().SSLRandomNumberGenerator();
        this.SSLRequireMutualAuthentication = sslEngineConfig().SSLRequireMutualAuthentication();
        this.HostnameVerification = sslEngineConfig().HostnameVerification();
    }

    /**
     * Builds the provider from the "pekko.remote.artery.ssl.config-ssl-engine"
     * section of the actor system's configuration, with a marker logger named after this class.
     *
     * @param actorSystem system whose settings and logging are used
     */
    public ConfigSSLEngineProvider(ActorSystem actorSystem) {
        this(actorSystem.settings().config().getConfig("pekko.remote.artery.ssl.config-ssl-engine"), Logging$.MODULE$.withMarker(actorSystem, (ActorSystem) ConfigSSLEngineProvider.class.getName(), (LogSource<ActorSystem>) LogSource$.MODULE$.fromString()));
    }
}
