package com.zegelin.cassandra.exporter.netty.ssl;

import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.io.Files;
import com.zegelin.cassandra.exporter.cli.HttpServerOptions;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/zegelin/cassandra/exporter/netty/ssl/SslContextFactory.class */
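/**
 * Builds the Netty {@link SslContext} used by the exporter's HTTPS endpoint from the
 * TLS-related fields of {@link HttpServerOptions}.
 *
 * <p>When a server key and certificate are configured they are used as-is; when neither is
 * configured a throw-away self-signed certificate is generated and a warning is logged.
 * Supplying only one of the two is rejected with an {@link IllegalArgumentException}.
 */
public class SslContextFactory {
    private static final Logger logger = LoggerFactory.getLogger(SslContextFactory.class);
    private final HttpServerOptions httpServerOptions;

    /**
     * @param httpServerOptions parsed HTTP server options; the {@code ssl*} fields are read
     *                          each time {@link #createSslContext()} is called
     */
    public SslContextFactory(HttpServerOptions httpServerOptions) {
        this.httpServerOptions = httpServerOptions;
    }

    /**
     * Creates the server-side SSL context from the configured options.
     *
     * <p>Note: the decompiler reports that this method was package-private in the original
     * class; the visibility shown here is kept so existing callers still compile.
     *
     * @return a fully built server {@link SslContext}
     * @throws IllegalArgumentException if the key/certificate options are inconsistent, the key
     *                                  password file cannot be read, the self-signed certificate
     *                                  cannot be generated, or Netty fails to build the context
     */
    public SslContext createSslContext() {
        SslContextBuilder contextBuilder = getContextBuilder();
        contextBuilder.sslProvider(this.httpServerOptions.sslImplementation.getProvider());

        // Only restrict protocol versions when the operator listed some; otherwise the
        // builder keeps whatever it enables on its own.
        if (this.httpServerOptions.sslProtocols != null) {
            contextBuilder.protocols(Iterables.toArray(this.httpServerOptions.sslProtocols, String.class));
        }

        contextBuilder.clientAuth(this.httpServerOptions.sslClientAuthentication.getClientAuth());

        // NOTE(review): nothing here checks that a trusted-certificate file is present when
        // client authentication is enabled. With a null file Netty is documented to fall back
        // to the platform's default trust managers, which would accept any client certificate
        // chaining to a default-trusted CA. Confirm that is intended, or validate the option
        // combination where the options are parsed.
        contextBuilder.trustManager(this.httpServerOptions.sslTrustedCertificateFile);

        // Passed through unchanged; presumably null leaves the provider's default cipher
        // suites in place (confirm against the Netty version in use).
        contextBuilder.ciphers(this.httpServerOptions.sslCiphers);

        try {
            return contextBuilder.build();
        } catch (SSLException e) {
            throw new IllegalArgumentException("Failed to initialize an SSL context for the exporter.", e);
        }
    }

    /**
     * Picks the builder seeded with the configured key/certificate pair, or with a generated
     * self-signed pair when none is configured.
     */
    private SslContextBuilder getContextBuilder() {
        if (hasServerKeyAndCert()) {
            return SslContextBuilder.forServer(
                    this.httpServerOptions.sslServerCertificateFile,
                    this.httpServerOptions.sslServerKeyFile,
                    getKeyPassword());
        }
        return getSelfSignedContextBuilder();
    }

    /**
     * Checks that the server key and certificate options are either both set or both unset.
     *
     * @return {@code true} when both are set, {@code false} when neither is
     * @throws IllegalArgumentException when exactly one of the two is set
     */
    private boolean hasServerKeyAndCert() {
        if (this.httpServerOptions.sslServerKeyFile != null) {
            Preconditions.checkArgument(this.httpServerOptions.sslServerCertificateFile != null, "A server certificate must be specified together with the server key for the exporter.");
            return true;
        }
        Preconditions.checkArgument(this.httpServerOptions.sslServerCertificateFile == null, "A server key must be specified together with the server certificate for the exporter.");
        return false;
    }

    /**
     * Reads the private-key password from the configured password file.
     *
     * @return the file's content decoded as UTF-8, or {@code null} when no password file is set
     * @throws IllegalArgumentException if the file cannot be read
     */
    private String getKeyPassword() {
        if (this.httpServerOptions.sslServerKeyPasswordFile == null) {
            return null;
        }
        try {
            // The whole file is used verbatim, so a trailing newline written by an editor or
            // by `echo` becomes part of the password and key decryption will then fail.
            // NOTE(review): the exception below carries only the I/O cause, never the
            // password itself; keep it that way if this is extended.
            return Files.toString(this.httpServerOptions.sslServerKeyPasswordFile, StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new IllegalArgumentException("Unable to read SSL server key password file for the exporter.", e);
        }
    }

    /**
     * Generates a self-signed key/certificate pair and returns a server builder that uses it.
     *
     * <p>Clients cannot validate such a certificate against any trust anchor, so this mode
     * gives encryption without server authentication; a warning is logged for that reason.
     *
     * @throws IllegalArgumentException if the certificate cannot be generated
     */
    private SslContextBuilder getSelfSignedContextBuilder() {
        logger.warn("Running exporter in SSL mode with insecure self-signed certificate");
        try {
            SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate();
            try {
                return SslContextBuilder.forServer(selfSignedCertificate.key(), new X509Certificate[]{selfSignedCertificate.cert()});
            } finally {
                // SelfSignedCertificate also writes the generated private key and certificate
                // to temporary files. The builder is given the in-memory objects, so the files
                // are not needed; remove them now rather than leaving an unencrypted private
                // key in the temp directory for the lifetime of the process.
                selfSignedCertificate.delete();
            }
        } catch (CertificateException e) {
            throw new IllegalArgumentException("Failed to create self-signed certificate for the exporter.", e);
        }
    }
}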
