package io.servicetalk.transport.netty.internal;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.NetUtil;
import io.netty.util.ReferenceCountUtil;
import io.servicetalk.transport.api.SecurityConfigurator;
import java.util.Collections;
import java.util.List;
import javax.annotation.Nullable;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/servicetalk/transport/netty/internal/SslUtils.class */
/**
 * Static helpers that translate ServiceTalk TLS settings into Netty {@link SslHandler}s,
 * ALPN configuration and {@link SslProvider} choices.
 *
 * <p>This listing is decompiler output. JADX reports that the class and its static methods
 * were package-private in the original bytecode, so the {@code public} modifiers and the
 * synthetic parameter names ({@code str}, {@code str2}, {@code i}, {@code z}) are artifacts
 * of decompilation rather than the library's intended API surface.
 */
public final class SslUtils {
    private SslUtils() {
        // Utility holder: never instantiated.
    }

    /**
     * Creates a client-style {@link SslHandler} bound to a peer host/port and applies endpoint
     * identification and SNI to its engine.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>When {@code str2} is {@code null} this delegates to
     *       {@link #newHandler(SslContext, ByteBufAllocator)} and {@code str} is never applied,
     *       even if it is non-null. NOTE(review): a caller that configured an algorithm but no
     *       host gets a handler with no endpoint identification set here - confirm callers
     *       always supply both together.</li>
     *   <li>{@code str} is passed straight to
     *       {@link SSLParameters#setEndpointIdentificationAlgorithm(String)}. A {@code null}
     *       value means no endpoint identification algorithm is set on the engine, so matching
     *       the certificate against {@code str2} is then left to whatever trust manager
     *       {@code sslContext} carries.</li>
     *   <li>SNI is only sent when {@code str2} is not an IPv4/IPv6 literal.</li>
     * </ul>
     *
     * @param sslContext the Netty context that creates the handler
     * @param byteBufAllocator allocator handed to the new handler
     * @param str endpoint identification algorithm, or {@code null}
     * @param str2 peer host used for verification and SNI, or {@code null} to skip both
     * @param i peer port passed to {@code sslContext.newHandler}
     * @return the configured handler
     */
    public static SslHandler newHandler(SslContext sslContext, ByteBufAllocator byteBufAllocator, @Nullable String str, @Nullable String str2, int i) {
        if (str2 == null) {
            return newHandler(sslContext, byteBufAllocator);
        }

        final SslHandler handler = sslContext.newHandler(byteBufAllocator, str2, i);
        final SSLEngine sslEngine = handler.engine();
        try {
            final SSLParameters params = sslEngine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm(str);

            // The TLS server_name extension (RFC 6066) carries DNS host names only, so IP
            // literals are left out of SNI. SNIHostName may also reject a malformed name with
            // an IllegalArgumentException, which the catch below handles.
            final boolean peerIsIpLiteral =
                    NetUtil.isValidIpV4Address(str2) || NetUtil.isValidIpV6Address(str2);
            if (!peerIsIpLiteral) {
                params.setServerNames(Collections.singletonList(new SNIHostName(str2)));
            }

            // getSSLParameters() returned a copy; it must be written back to take effect.
            sslEngine.setSSLParameters(params);
        } catch (Throwable cause) {
            // Release the engine before propagating so a reference-counted engine is not
            // leaked; ReferenceCountUtil.release is a no-op for engines that are not
            // reference counted.
            ReferenceCountUtil.release(sslEngine);
            throw cause;
        }
        return handler;
    }

    /**
     * Creates an {@link SslHandler} with no peer host information.
     *
     * <p>No endpoint identification algorithm or SNI name is configured by this overload; the
     * handler uses whatever defaults {@code sslContext} provides.
     *
     * @param sslContext the Netty context that creates the handler
     * @param byteBufAllocator allocator handed to the new handler
     * @return the handler produced by {@code sslContext}
     */
    public static SslHandler newHandler(SslContext sslContext, ByteBufAllocator byteBufAllocator) {
        return sslContext.newHandler(byteBufAllocator);
    }

    /**
     * Builds the Netty ALPN configuration for the given protocol identifiers.
     *
     * <p>The failure behaviours chosen here are best-effort: {@code NO_ADVERTISE} and
     * {@code ACCEPT} both let the handshake continue when the two sides do not agree on a
     * protocol. Code that depends on a specific protocol should therefore check the negotiated
     * value after the handshake instead of assuming that ALPN succeeded.
     *
     * @param list protocol identifiers in preference order; must not be {@code null}
     * @return {@link ApplicationProtocolConfig#DISABLED} for an empty list, otherwise an ALPN
     *         configuration advertising {@code list}
     */
    public static ApplicationProtocolConfig nettyApplicationProtocol(List<String> list) {
        if (list.isEmpty()) {
            return ApplicationProtocolConfig.DISABLED;
        }
        // Typed as Iterable so the Iterable<String> constructor overload is selected.
        final Iterable<String> protocols = list;
        return new ApplicationProtocolConfig(
                ApplicationProtocolConfig.Protocol.ALPN,
                ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                protocols);
    }

    /**
     * Maps a ServiceTalk provider choice onto Netty's {@link SslProvider}, checking ALPN
     * support when it is required.
     *
     * @param sslProvider the provider requested in the ServiceTalk configuration
     * @param z {@code true} when ALPN has been configured and the provider must support it
     * @return the Netty provider, or {@code null} for {@code AUTO} without ALPN. NOTE(review):
     *         the {@code null} presumably lets the caller fall back to Netty's default
     *         provider - confirm at the call site.
     * @throws IllegalStateException if ALPN is required but the selected provider lacks it
     * @throws Error if {@code sslProvider} is not one of the handled constants
     */
    @Nullable
    public static SslProvider toNettySslProvider(SecurityConfigurator.SslProvider sslProvider, boolean z) {
        switch (sslProvider) {
            case AUTO:
                if (z) {
                    // Prefer OpenSSL, then the JDK provider, when ALPN is required.
                    if (SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
                        return SslProvider.OPENSSL;
                    }
                    if (SslProvider.isAlpnSupported(SslProvider.JDK)) {
                        return SslProvider.JDK;
                    }
                    throw new IllegalStateException("ALPN configured but not supported by the current classpath: add OPENSSL support (https://netty.io/wiki/forked-tomcat-native.html) or configure ALPN for JDK (https://www.eclipse.org/jetty/documentation/current/alpn-chapter.html)");
                }
                return null;
            case JDK:
                if (z && !SslProvider.isAlpnSupported(SslProvider.JDK)) {
                    throw new IllegalStateException("ALPN configured but not supported by the current classpath. For more information, see https://www.eclipse.org/jetty/documentation/current/alpn-chapter.html");
                }
                return SslProvider.JDK;
            case OPENSSL:
                // An explicit OPENSSL request fails fast when the native library is missing;
                // there is no fallback to the JDK provider on this path.
                OpenSsl.ensureAvailability();
                if (z && !SslProvider.isAlpnSupported(SslProvider.OPENSSL)) {
                    throw new IllegalStateException("ALPN configured but not supported by installed version of OpenSSL");
                }
                return SslProvider.OPENSSL;
            default:
                throw new Error("Unknown SSL provider specified: " + sslProvider);
        }
    }
}
