package com.facebook.nifty.ssl;

import com.facebook.nifty.ssl.OpenSslServerConfiguration;
import com.google.common.collect.ImmutableList;
import java.io.File;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import org.apache.tomcat.jni.SessionTicketKey;
import org.jboss.netty.handler.ssl.OpenSslEngine;
import org.jboss.netty.handler.ssl.SslBufferPool;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:BOOT-INF/lib/nifty-ssl-0.23.0.jar:com/facebook/nifty/ssl/NiftyOpenSslServerContext.class */
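/**
 * Server-side TLS context backed by a native OpenSSL {@code SSL_CTX} reached through the
 * tomcat-jni bindings, plus a factory for the Netty {@link SslHandler}s that use it.
 *
 * <p>The object owns two native handles: an APR memory pool ({@code aprPool}) and the
 * {@code SSL_CTX} pointer ({@code ctx}). Both are handed back exactly once, either when
 * construction fails or from {@link #finalize()}. Mutation and release of the native context
 * are serialised on the class lock.
 */
public final class NiftyOpenSslServerContext implements SslHandlerFactory {
    /**
     * Error text that the native layer reports when a call returned {@code false} although the
     * error queue holds the all-zero code; such results are treated as success for the
     * certificate-chain and CA-certificate steps.
     */
    private static final String IGNORABLE_ERROR_PREFIX = "error:00000000:";
    /** Maximum certificate-chain depth handed to {@code SSLContext.setVerify}. */
    private static final int DEFAULT_CERT_DEPTH = 3;
    private final long aprPool;
    private final List<String> ciphers;
    private final long sessionCacheSize;
    private final long sessionTimeout;
    private final List<String> nextProtocols;
    private final OpenSslServerConfiguration sslServerConfiguration;
    private final SslBufferPool bufferPool;
    private final long ctx;
    // Guarded by the class lock. Set once the native context and pool have been released, so a
    // failed constructor followed by finalize() cannot free the same native memory twice.
    private boolean nativeResourcesReleased;

    /**
     * Builds the native context from the given configuration.
     *
     * @param openSslServerConfiguration protocol version, certificate/key/CA files, cipher list,
     *     verification mode, NPN/ALPN protocols and session-cache settings
     * @throws NullPointerException if the certificate or key file is {@code null}
     * @throws IllegalArgumentException if a configured file is not a regular file
     * @throws SSLException if any native configuration step fails; the message names the step
     * @throws Exception declared for source compatibility with existing callers
     */
    public NiftyOpenSslServerContext(OpenSslServerConfiguration openSslServerConfiguration) throws Exception {
        this.sslServerConfiguration = openSslServerConfiguration;
        int protocol = this.sslServerConfiguration.sslVersion.getValue();
        File certChainFile = openSslServerConfiguration.certFile;
        File keyFile = openSslServerConfiguration.keyFile;
        File clientCaFile = openSslServerConfiguration.clientCAFile;
        OpenSslServerConfiguration.SSLVerification verification = openSslServerConfiguration.sslVerification;

        if (certChainFile == null) {
            throw new NullPointerException("certChainFile");
        }
        if (!certChainFile.isFile()) {
            throw new IllegalArgumentException("certChainFile is not a file: " + certChainFile);
        }
        if (keyFile == null) {
            throw new NullPointerException("keyPath");
        }
        if (!keyFile.isFile()) {
            throw new IllegalArgumentException("keyPath is not a file: " + keyFile);
        }
        if (clientCaFile != null && !clientCaFile.isFile()) {
            throw new IllegalArgumentException("clientCAFile is not a file " + clientCaFile);
        }

        this.ciphers = openSslServerConfiguration.ciphers == null
                ? SslDefaults.SERVER_DEFAULTS
                : ImmutableList.copyOf(openSslServerConfiguration.ciphers);
        // The key password travels as an immutable String, so it cannot be wiped after use and
        // stays on the heap until collected. Do not add it to log or exception messages.
        String keyPassword = openSslServerConfiguration.keyPassword == null ? "" : openSslServerConfiguration.keyPassword;
        this.nextProtocols = openSslServerConfiguration.nextProtocols == null
                ? Collections.<String>emptyList()
                : ImmutableList.copyOf(openSslServerConfiguration.nextProtocols);

        // Build the Java-side buffer pool before any native allocation so that a bad buffer
        // setting cannot leave an APR pool waiting for the finalizer.
        int maxSslBufferBytes = openSslServerConfiguration.maxSslBufferBytes;
        boolean preallocate = openSslServerConfiguration.preallocateSslBuffer;
        if (openSslServerConfiguration.threadLocalSslBuffer) {
            this.bufferPool = new ThreadLocalSslBufferPool(maxSslBufferBytes, preallocate, true);
        } else {
            this.bufferPool = new SslBufferPool(maxSslBufferBytes, preallocate, true);
        }
        this.aprPool = Pool.create(0L);

        boolean success = false;
        try {
            synchronized (NiftyOpenSslServerContext.class) {
                // Step 1: create the SSL_CTX and apply the fixed hardening options.
                try {
                    // Third argument 1: presumably the binding's "server" mode. TODO confirm.
                    this.ctx = SSLContext.make(this.aprPool, protocol, 1);
                    // The masks below equal the OpenSSL 1.0.x SSL_OP_* values named in each
                    // comment. NOTE(review): confirm against the native library actually linked,
                    // since some of these bits were redefined in later OpenSSL releases.
                    SSLContext.setOptions(this.ctx, 0x00000FFF); // SSL_OP_ALL (interop workarounds)
                    SSLContext.setOptions(this.ctx, 0x01000000); // SSL_OP_NO_SSLv2
                    SSLContext.setOptions(this.ctx, 0x02000000); // SSL_OP_NO_SSLv3
                    SSLContext.setOptions(this.ctx, 0x00400000); // SSL_OP_CIPHER_SERVER_PREFERENCE
                    SSLContext.setOptions(this.ctx, 0x00080000); // SSL_OP_SINGLE_ECDH_USE
                    SSLContext.setOptions(this.ctx, 0x00100000); // SSL_OP_SINGLE_DH_USE
                    SSLContext.setOptions(this.ctx, 0x00010000); // SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
                    SSLContext.setOptions(this.ctx, 0x00020000); // SSL_OP_NO_COMPRESSION
                    if (!this.sslServerConfiguration.enableStatefulSessionCache) {
                        // 0x300 looks like OpenSSL's SSL_SESS_CACHE_NO_INTERNAL without the
                        // SERVER bit, i.e. no server-side session storage. TODO confirm.
                        SSLContext.setSessionCacheMode(this.ctx, 0x300L);
                    }
                    // Bit 2 is presumably SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER. TODO confirm.
                    SSLContext.setMode(this.ctx, SSLContext.getMode(this.ctx) | 2);
                } catch (Exception e) {
                    throw new SSLException("failed to create an SSL_CTX", e);
                }

                // Step 2: cipher list. Entries are joined with ':' and interpreted by OpenSSL's
                // cipher-string parser, so they must come from trusted configuration only.
                try {
                    if (this.ciphers.isEmpty()) {
                        throw new SSLException("failed to set cipher suite: cipher list is empty");
                    }
                    SSLContext.setCipherSuite(this.ctx, join(this.ciphers, ':'));
                } catch (SSLException e) {
                    throw e;
                } catch (Exception e) {
                    throw new SSLException("failed to set cipher suite: " + this.ciphers, e);
                }

                // Step 3: key material, peer verification, protocol negotiation, session cache.
                try {
                    // Last argument 0: presumably the binding's RSA key slot. TODO confirm.
                    if (!SSLContext.setCertificate(this.ctx, certChainFile.getPath(), keyFile.getPath(), keyPassword, 0)) {
                        throw new SSLException("failed to set certificate: " + certChainFile + " and " + keyFile
                                + " (" + SSL.getLastError() + ')');
                    }
                    if (!SSLContext.setCertificateChainFile(this.ctx, certChainFile.getPath(), true)) {
                        // Read the error once so the text that was tested is the text reported.
                        String chainError = SSL.getLastError();
                        if (!chainError.startsWith(IGNORABLE_ERROR_PREFIX)) {
                            throw new SSLException("failed to set certificate chain: " + certChainFile
                                    + " (" + chainError + ')');
                        }
                    }
                    if (clientCaFile != null && !SSLContext.setCACertificate(this.ctx, clientCaFile.getPath(), null)) {
                        String caError = SSL.getLastError();
                        if (!caError.startsWith(IGNORABLE_ERROR_PREFIX)) {
                            throw new SSLException("failed to set ca cert: " + clientCaFile + " (" + caError + ')');
                        }
                    }
                    // NOTE(review): the verification level comes straight from configuration and
                    // clientCAFile is optional; if client certificates are required without a CA
                    // file, the trust anchors used depend on native defaults. Confirm.
                    SSLContext.setVerify(this.ctx, verification.getValue(), DEFAULT_CERT_DEPTH);

                    if (!this.nextProtocols.isEmpty()) {
                        // The same list is advertised through NPN (comma-separated) and ALPN.
                        SSLContext.setNextProtos(this.ctx, join(this.nextProtocols, ','));
                        // Last argument 1: presumably "fall back to my last protocol", which
                        // would match the fallback used in newEngine(). TODO confirm.
                        SSLContext.setAlpnProtos(this.ctx, this.nextProtocols.toArray(new String[0]), 1);
                    }

                    if (openSslServerConfiguration.sessionCacheSize > 0) {
                        this.sessionCacheSize = openSslServerConfiguration.sessionCacheSize;
                        SSLContext.setSessionCacheSize(this.ctx, this.sessionCacheSize);
                    } else {
                        // The setter's return value is recorded and then written back, so the
                        // 20480 is only a temporary value used to read out whatever the setter
                        // returns (presumably the library default). TODO confirm.
                        this.sessionCacheSize = SSLContext.setSessionCacheSize(this.ctx, 20480L);
                        SSLContext.setSessionCacheSize(this.ctx, this.sessionCacheSize);
                    }
                    if (openSslServerConfiguration.sessionTimeoutSeconds > 0) {
                        this.sessionTimeout = openSslServerConfiguration.sessionTimeoutSeconds;
                        SSLContext.setSessionCacheTimeout(this.ctx, openSslServerConfiguration.sessionTimeoutSeconds);
                    } else {
                        // Same read-then-write-back pattern as for the cache size.
                        this.sessionTimeout = SSLContext.setSessionCacheTimeout(this.ctx, 300L);
                        SSLContext.setSessionCacheTimeout(this.ctx, this.sessionTimeout);
                    }
                } catch (SSLException e) {
                    throw e;
                } catch (Exception e) {
                    throw new SSLException("failed to set certificate: " + certChainFile + " and " + keyFile, e);
                }
            }
            success = true;
        } finally {
            if (!success) {
                // finalize() still runs on a partially constructed object; the release is
                // idempotent so the later finalizer call becomes a no-op.
                releaseNativeResources();
            }
        }
    }

    /** Returns an immutable copy of the cipher names this context was configured with. */
    public List<String> cipherSuites() {
        return ImmutableList.copyOf(this.ciphers);
    }

    /** Returns the session cache size recorded at construction time. */
    public long sessionCacheSize() {
        return this.sessionCacheSize;
    }

    /** Returns the session timeout recorded at construction time. */
    public long sessionTimeout() {
        return this.sessionTimeout;
    }

    /** Returns the immutable list of protocols advertised through NPN/ALPN. */
    public List<String> nextProtocols() {
        return this.nextProtocols;
    }

    /**
     * Returns the raw native {@code SSL_CTX} pointer. The value is only meaningful while this
     * object is reachable; callers must not keep it beyond the lifetime of this context.
     */
    public long context() {
        return this.ctx;
    }

    /**
     * Creates an engine bound to this context. When protocols are configured, the last entry is
     * passed to the engine as its fallback protocol; otherwise {@code null} is passed.
     */
    public SSLEngine newEngine() {
        String fallbackProtocol = this.nextProtocols.isEmpty()
                ? null
                : this.nextProtocols.get(this.nextProtocols.size() - 1);
        return new OpenSslEngine(this.ctx, this.bufferPool, fallbackProtocol);
    }

    /**
     * Installs the session-ticket keys on the native context. The keys are secret material:
     * anyone holding them can decrypt tickets issued under them, so the caller is responsible
     * for how they are generated, stored and rotated.
     *
     * @throws NullPointerException if {@code sessionTicketKeyArr} is {@code null}
     */
    public void setTicketKeys(SessionTicketKey[] sessionTicketKeyArr) {
        if (sessionTicketKeyArr == null) {
            throw new NullPointerException("keys");
        }
        SSLContext.setSessionTicketKeys(this.ctx, sessionTicketKeyArr);
    }

    /** Forwards the session-id context bytes to the native context unchanged. */
    public void setSessionIdContext(byte[] bArr) {
        SSLContext.setSessionIdContext(this.ctx, bArr);
    }

    /**
     * Changes the session cache timeout on the native context. The value returned by
     * {@link #sessionTimeout()} is not updated by this call.
     */
    public void setSessionCacheTimeout(long j) {
        SSLContext.setSessionCacheTimeout(this.ctx, j);
    }

    /** Creates a handler around a fresh engine; the handler closes the channel on SSL errors. */
    @Override
    public SslHandler newHandler() {
        BetterSslHandler handler = new BetterSslHandler(newEngine(), this.bufferPool, this.sslServerConfiguration);
        handler.setCloseOnSSLException(true);
        return handler;
    }

    /** Releases the native context and pool if that has not happened already. */
    @Override
    protected void finalize() throws Throwable {
        try {
            releaseNativeResources();
        } finally {
            super.finalize();
        }
    }

    /**
     * Frees the native context and then destroys the APR pool, at most once per instance.
     * Reads of {@code ctx} see 0 when construction failed before the context was created.
     */
    private void releaseNativeResources() {
        synchronized (NiftyOpenSslServerContext.class) {
            if (this.nativeResourcesReleased) {
                return;
            }
            this.nativeResourcesReleased = true;
            if (this.ctx != 0) {
                SSLContext.free(this.ctx);
            }
            if (this.aprPool != 0) {
                Pool.destroy(this.aprPool);
            }
        }
    }

    /** Joins {@code parts} with {@code separator}; an empty list yields an empty string. */
    private static String join(List<String> parts, char separator) {
        StringBuilder joined = new StringBuilder();
        boolean first = true;
        for (String part : parts) {
            if (!first) {
                joined.append(separator);
            }
            joined.append(part);
            first = false;
        }
        return joined.toString();
    }
}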
