package software.amazon.awssdk.http.nio.netty.internal;

import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.http.Protocol;
import software.amazon.awssdk.http.ProtocolNegotiation;
import software.amazon.awssdk.http.SystemPropertyTlsKeyManagersProvider;
import software.amazon.awssdk.http.TlsTrustManagersProvider;
import software.amazon.awssdk.http.nio.netty.internal.utils.NettyClientLogger;
import software.amazon.awssdk.utils.Validate;

@SdkInternalApi
/* loaded from: input_file:WEB-INF/lib/netty-nio-client-2.31.59.jar:software/amazon/awssdk/http/nio/netty/internal/SslContextProvider.class */
/**
 * Builds the client-side Netty {@link SslContext} used by the NIO HTTP client.
 *
 * <p>Trust and key material are resolved once, in the constructor, from the supplied
 * {@link NettyConfiguration}:
 * <ul>
 *   <li>Trust: a configured {@link TlsTrustManagersProvider} wins; otherwise, if
 *       {@code trustAllCertificates} is set, {@link InsecureTrustManagerFactory} is used and a
 *       warning is logged (certificate verification is disabled); otherwise {@code null} is
 *       passed to the builder, leaving Netty's default trust store in place.</li>
 *   <li>Keys: a configured {@code TlsKeyManagersProvider} wins; otherwise the key managers are
 *       taken from {@link SystemPropertyTlsKeyManagersProvider} (the standard
 *       {@code javax.net.ssl} key-store system properties), if any.</li>
 * </ul>
 * Supplying both a trust-managers provider and {@code trustAllCertificates} is rejected.
 *
 * <p>When ALPN negotiation is requested, the advertised protocol is derived from the configured
 * {@link Protocol}; failure behaviours differ by {@link SslProvider} because the OpenSSL-backed
 * providers accept only the {@code NO_ADVERTISE}/{@code ACCEPT} combination.
 */
public final class SslContextProvider {
    private static final NettyClientLogger log = NettyClientLogger.getLogger(SslContextProvider.class);
    private final Protocol protocol;
    private final ProtocolNegotiation protocolNegotiation;
    private final SslProvider sslProvider;
    // null means "let Netty pick its default trust store"
    private final TrustManagerFactory trustManagerFactory;
    // null means "no client key material"
    private final KeyManagerFactory keyManagerFactory;

    /**
     * Resolves trust and key managers eagerly so that misconfiguration fails at construction
     * rather than on the first connection.
     *
     * @param nettyConfiguration client configuration supplying TLS providers and flags
     * @param protocol           HTTP protocol to negotiate (drives ciphers and ALPN name)
     * @param protocolNegotiation whether ALPN should be configured on the context
     * @param sslProvider        Netty SSL engine provider (JDK or OpenSSL variants)
     * @throws IllegalArgumentException if a trust-managers provider is combined with
     *                                  {@code trustAllCertificates}
     */
    public SslContextProvider(NettyConfiguration nettyConfiguration, Protocol protocol, ProtocolNegotiation protocolNegotiation, SslProvider sslProvider) {
        this.protocol = protocol;
        this.protocolNegotiation = protocolNegotiation;
        this.sslProvider = sslProvider;
        this.trustManagerFactory = resolveTrustManagerFactory(nettyConfiguration);
        this.keyManagerFactory = resolveKeyManagerFactory(nettyConfiguration);
    }

    /**
     * Builds a fresh client {@link SslContext} from the resolved settings.
     *
     * @return a newly built context
     * @throws RuntimeException wrapping the {@link SSLException} raised by the builder
     */
    public SslContext sslContext() {
        SslContextBuilder builder = SslContextBuilder.forClient()
                .sslProvider(this.sslProvider)
                .ciphers(cipherSuites(), SupportedCipherSuiteFilter.INSTANCE)
                .trustManager(this.trustManagerFactory)
                .keyManager(this.keyManagerFactory);
        try {
            return configureAlpn(builder).build();
        } catch (SSLException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Attaches an ALPN configuration to the builder when negotiation is {@code ALPN};
     * otherwise returns the builder untouched.
     */
    private SslContextBuilder configureAlpn(SslContextBuilder builder) {
        if (this.protocolNegotiation != ProtocolNegotiation.ALPN) {
            return builder;
        }
        String alpnName = alpnProtocolName(this.protocol);
        boolean openSslBacked = this.sslProvider == SslProvider.OPENSSL
                || this.sslProvider == SslProvider.OPENSSL_REFCNT;
        // OpenSSL providers only support NO_ADVERTISE/ACCEPT; the JDK provider can hard-fail
        // the handshake when negotiation does not succeed.
        ApplicationProtocolConfig alpnConfig = openSslBacked
                ? new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        alpnName)
                : new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.FATAL_ALERT,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.FATAL_ALERT,
                        alpnName);
        return builder.applicationProtocolConfig(alpnConfig);
    }

    /** Maps the SDK protocol to the ALPN identifier Netty advertises. */
    private String alpnProtocolName(Protocol requested) {
        if (requested == Protocol.HTTP2) {
            return ApplicationProtocolNames.HTTP_2;
        }
        return ApplicationProtocolNames.HTTP_1_1;
    }

    /**
     * HTTP/2 is restricted to Netty's HTTP/2-approved cipher list; for HTTP/1.1 {@code null}
     * is returned so the builder keeps its default suites.
     */
    private List<String> cipherSuites() {
        return this.protocol == Protocol.HTTP2 ? Http2SecurityUtil.CIPHERS : null;
    }

    /**
     * Picks the trust manager factory: custom provider, then trust-all (logged), else none.
     *
     * @throws IllegalArgumentException when both a provider and trust-all are configured
     */
    private TrustManagerFactory resolveTrustManagerFactory(NettyConfiguration nettyConfiguration) {
        TlsTrustManagersProvider customTrust = nettyConfiguration.tlsTrustManagersProvider();
        boolean trustAll = nettyConfiguration.trustAllCertificates();
        Validate.isTrue(customTrust == null || !trustAll,
                "A TlsTrustManagerProvider can't be provided if TrustAllCertificates is also set", new Object[0]);
        if (customTrust != null) {
            return StaticTrustManagerFactory.create(customTrust.trustManagers());
        }
        if (trustAll) {
            // Disables certificate verification entirely; surfaced loudly on purpose.
            log.warn(null, () -> "SSL Certificate verification is disabled. This is not a safe setting and should only be used for testing.");
            return InsecureTrustManagerFactory.INSTANCE;
        }
        return null;
    }

    /**
     * Picks the key manager factory: the configured provider's key managers if present,
     * otherwise those derived from system properties, otherwise {@code null}.
     */
    private KeyManagerFactory resolveKeyManagerFactory(NettyConfiguration nettyConfiguration) {
        KeyManager[] chosen = null;
        if (nettyConfiguration.tlsKeyManagersProvider() != null) {
            chosen = nettyConfiguration.tlsKeyManagersProvider().keyManagers();
        }
        if (chosen == null) {
            chosen = SystemPropertyTlsKeyManagersProvider.create().keyManagers();
        }
        return chosen == null ? null : StaticKeyManagerFactory.create(chosen);
    }
}
