package org.elasticsearch.xpack.security.transport;

import io.netty.channel.Channel;
import io.netty.channel.ChannelException;
import io.netty.handler.ssl.SslHandler;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.HttpChannel;
import org.elasticsearch.http.netty4.Netty4HttpChannel;
import org.elasticsearch.http.nio.NioHttpChannel;
import org.elasticsearch.nio.SocketChannelContext;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.netty4.Netty4TcpChannel;
import org.elasticsearch.transport.nio.NioTcpChannel;
import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
import org.elasticsearch.xpack.security.transport.nio.SSLChannelContext;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/SSLEngineUtils.class */
/**
 * Static helpers that locate the {@link SSLEngine} behind an HTTP or transport channel and copy the
 * peer's X.509 certificate chain into the {@link ThreadContext} under
 * {@link PkiRealm#PKI_CERT_HEADER_NAME}.
 *
 * <p>Most sanity checks in this class are {@code assert} statements, so they run only when the JVM
 * has assertions enabled. With assertions disabled, a missing {@link SslHandler} surfaces as a
 * {@link NullPointerException} and a non-SSL channel context as a {@link ClassCastException}.
 * Either way the call fails rather than returning an engine for an unprotected channel.
 */
public class SSLEngineUtils {

    private SSLEngineUtils() {
        // Utility class: never instantiated.
    }

    /**
     * Stores the client certificate chain of an HTTP channel in the thread context.
     *
     * @param logger        receives the trace/debug message when the peer presented no certificate
     * @param threadContext context that receives the chain as a transient value
     * @param httpChannel   channel whose TLS session is inspected
     */
    public static void extractClientCertificates(Logger logger, ThreadContext threadContext, HttpChannel httpChannel) {
        final SSLEngine engine = getSSLEngine(httpChannel);
        extract(logger, threadContext, engine, httpChannel);
    }

    /**
     * Stores the client certificate chain of a transport channel in the thread context.
     *
     * @param logger        receives the trace/debug message when the peer presented no certificate
     * @param threadContext context that receives the chain as a transient value
     * @param tcpChannel    channel whose TLS session is inspected
     */
    public static void extractClientCertificates(Logger logger, ThreadContext threadContext, TcpChannel tcpChannel) {
        final SSLEngine engine = getSSLEngine(tcpChannel);
        extract(logger, threadContext, engine, tcpChannel);
    }

    /**
     * Returns the {@link SSLEngine} that protects the given HTTP channel.
     *
     * @param httpChannel a {@link Netty4HttpChannel} or {@link NioHttpChannel}
     * @return the engine taken from the Netty pipeline's {@link SslHandler} or from the NIO
     *         {@link SSLChannelContext}
     * @throws AssertionError if the channel is of neither supported type (thrown regardless of the
     *                        JVM assertion setting), or, with assertions enabled, if the channel
     *                        has no TLS handler/context
     */
    public static SSLEngine getSSLEngine(HttpChannel httpChannel) {
        if (httpChannel instanceof Netty4HttpChannel) {
            Channel nettyChannel = ((Netty4HttpChannel) httpChannel).getNettyChannel();
            SslHandler handler = nettyChannel.pipeline().get(SslHandler.class);
            // NOTE(review): with assertions disabled a missing handler ends in an NPE on the next line.
            assert handler != null : "Must have SslHandler";
            return handler.engine();
        } else if (httpChannel instanceof NioHttpChannel) {
            SocketChannelContext channelContext = ((NioHttpChannel) httpChannel).getContext();
            // With assertions disabled the cast below is what rejects a non-SSL context.
            assert channelContext instanceof SSLChannelContext
                : "Must be SSLChannelContext.class, found:  " + channelContext.getClass();
            return ((SSLChannelContext) channelContext).getSSLEngine();
        } else {
            throw new AssertionError("Unknown channel class type: " + httpChannel.getClass());
        }
    }

    /**
     * Returns the {@link SSLEngine} that protects the given transport channel.
     *
     * @param tcpChannel a {@link Netty4TcpChannel} or {@link NioTcpChannel}
     * @return the engine taken from the Netty pipeline's {@link SslHandler} or from the NIO
     *         {@link SSLChannelContext}
     * @throws ChannelException if a Netty channel has no {@link SslHandler} and is no longer open
     * @throws AssertionError   if the channel is of neither supported type (thrown regardless of
     *                          the JVM assertion setting), or, with assertions enabled, if an open
     *                          channel has no TLS handler/context
     */
    public static SSLEngine getSSLEngine(TcpChannel tcpChannel) {
        if (tcpChannel instanceof Netty4TcpChannel) {
            Channel nettyChannel = ((Netty4TcpChannel) tcpChannel).getNettyChannel();
            SslHandler handler = nettyChannel.pipeline().get(SslHandler.class);
            if (handler == null) {
                if (nettyChannel.isOpen() == false) {
                    // A closed channel without a handler is reported as a channel error.
                    throw new ChannelException("Channel is closed.");
                }
                // An open channel without a handler: asserted here, and an NPE below when
                // assertions are disabled.
                assert false : "Must have SslHandler";
            }
            return handler.engine();
        } else if (tcpChannel instanceof NioTcpChannel) {
            SocketChannelContext channelContext = ((NioTcpChannel) tcpChannel).getContext();
            // With assertions disabled the cast below is what rejects a non-SSL context.
            assert channelContext instanceof SSLChannelContext
                : "Must be SSLChannelContext.class, found:  " + channelContext.getClass();
            return ((SSLChannelContext) channelContext).getSSLEngine();
        } else {
            throw new AssertionError("Unknown channel class type: " + tcpChannel.getClass());
        }
    }

    /**
     * Reads the peer certificates of the engine's session and, when they form an
     * {@code X509Certificate[]}, stores them as a transient in the thread context.
     *
     * <p>A peer without a verified certificate is not an error here: the condition is logged and
     * nothing is stored. This method makes no authentication decision itself; presumably the
     * consumer of {@link PkiRealm#PKI_CERT_HEADER_NAME} treats a missing entry as "no client
     * certificate" (confirm against the realm).
     *
     * @param logger        receives the trace/debug message when no certificate is available
     * @param threadContext context that receives the chain
     * @param sslEngine     engine whose session is inspected
     * @param channel       only used to identify the channel in the log message
     */
    private static void extract(Logger logger, ThreadContext threadContext, SSLEngine sslEngine, Object channel) {
        final Certificate[] chain;
        try {
            chain = sslEngine.getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // Reaching this branch is only expected when client auth is optional: "need" must be
            // off and "want" must be on. Checked only when assertions are enabled.
            assert sslEngine.getNeedClientAuth() == false;
            assert sslEngine.getWantClientAuth();
            if (logger.isTraceEnabled()) {
                // Trace level also records the exception.
                logger.trace(() -> new ParameterizedMessage("SSL Peer did not present a certificate on channel [{}]", channel), e);
            } else if (logger.isDebugEnabled()) {
                logger.debug("SSL Peer did not present a certificate on channel [{}]", channel);
            }
            return;
        }
        // Only an X.509 chain is published; any other certificate array is silently ignored.
        if (chain instanceof X509Certificate[]) {
            threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, chain);
        }
    }
}
