package org.thingsboard.server.transport.mqtt;

import com.google.common.io.Resources;
import io.netty.handler.ssl.SslHandler;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.thingsboard.server.common.msg.EncryptionUtil;
import org.thingsboard.server.common.transport.TransportService;
import org.thingsboard.server.common.transport.TransportServiceCallback;
import org.thingsboard.server.gen.transport.TransportProtos;
import org.thingsboard.server.transport.mqtt.util.SslUtil;

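/**
 * Builds the Netty {@link SslHandler} used by the MQTT transport when
 * {@code transport.mqtt.ssl.enabled=true}.
 *
 * <p>A single key store, referenced by {@code transport.mqtt.ssl.key_store} and resolved as a
 * classpath resource, serves both as the server key store and as the trust store. Client
 * certificates are requested but not required ({@code wantClientAuth}); when a client does
 * present one it is authenticated by {@link ThingsboardMqttX509TrustManager} against the
 * device credentials known to the {@link TransportService}, not against the trust store.
 */
@ConditionalOnProperty(prefix = "transport.mqtt.ssl", value = {"enabled"}, havingValue = "true", matchIfMissing = false)
@Component("MqttSslHandlerProvider")
@ConditionalOnExpression("'${transport.type:null}'=='null' || ('${transport.type}'=='local' && '${transport.http.enabled}'=='true')")
public class MqttSslHandlerProvider {
    private static final Logger log = LoggerFactory.getLogger(MqttSslHandlerProvider.class);

    /** Protocol name passed to {@link SSLContext#getInstance(String)}; blank falls back to "TLS". */
    @Value("${transport.mqtt.ssl.protocol}")
    private String sslProtocol;

    /** Classpath location of the key store (resolved with Guava {@link Resources}, not as a file-system path). */
    @Value("${transport.mqtt.ssl.key_store}")
    private String keyStoreFile;

    /** Password that protects the key store integrity. */
    @Value("${transport.mqtt.ssl.key_store_password}")
    private String keyStorePassword;

    /** Password that protects the private key entry inside the key store. */
    @Value("${transport.mqtt.ssl.key_password}")
    private String keyPassword;

    /** Key store type name passed to {@link KeyStore#getInstance(String)} (e.g. JKS, PKCS12). */
    @Value("${transport.mqtt.ssl.key_store_type}")
    private String keyStoreType;

    @Autowired
    private TransportService transportService;

    /**
     * Trust manager that authenticates MQTT client certificates against registered device
     * credentials.
     *
     * <p>Server-side checks and the accepted-issuer list are delegated to the wrapped JSSE
     * trust manager. For client certificates the wrapped manager is NOT consulted: each
     * certificate in the presented chain is PEM-encoded, the SHA3 hash of that PEM is looked up
     * through the transport service, and the connection is accepted only if the stored
     * credentials body equals the presented PEM exactly. Certificate validity dates and chain
     * building are not checked in this class.
     */
    public static class ThingsboardMqttX509TrustManager implements X509TrustManager {
        /** Upper bound on how long one device lookup may block the TLS handshake thread. */
        private static final long VALIDATION_TIMEOUT_SECONDS = 10L;

        private final X509TrustManager trustManager;
        private final TransportService transportService;

        /**
         * @param x509TrustManager the JSSE trust manager used for server checks and accepted issuers
         * @param transportService service used to look up device credentials by certificate hash
         */
        ThingsboardMqttX509TrustManager(X509TrustManager x509TrustManager, TransportService transportService) {
            this.trustManager = x509TrustManager;
            this.transportService = transportService;
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return this.trustManager.getAcceptedIssuers();
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.trustManager.checkServerTrusted(chain, authType);
        }

        /**
         * Accepts the chain if at least one certificate in it matches a registered device
         * credential; otherwise rejects the handshake.
         *
         * @throws CertificateException when no certificate in the chain is a known device certificate
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            for (X509Certificate certificate : chain) {
                if (isRegisteredDeviceCertificate(certificate)) {
                    return;
                }
            }
            throw new CertificateException("Invalid Device Certificate");
        }

        /**
         * Looks up the device credentials whose hash matches {@code certificate} and compares the
         * stored credentials body with the presented PEM. Any failure (encoding error, lookup
         * error, timeout, interruption) is logged and treated as "not registered".
         */
        private boolean isRegisteredDeviceCertificate(X509Certificate certificate) {
            final String pem;
            final String hash;
            try {
                pem = SslUtil.getX509CertificateString(certificate);
                hash = EncryptionUtil.getSha3Hash(pem);
            } catch (IOException e) {
                log.error(e.getMessage(), e);
                return false;
            }

            // Single-slot holder so the asynchronous callback can hand the result back;
            // the latch's countDown/await pair publishes the write to this thread.
            final String[] credentialsBody = new String[1];
            final CountDownLatch latch = new CountDownLatch(1);
            this.transportService.process(
                    TransportProtos.ValidateDeviceX509CertRequestMsg.newBuilder().setHash(hash).build(),
                    new TransportServiceCallback<TransportProtos.ValidateDeviceCredentialsResponseMsg>() {
                        @Override
                        public void onSuccess(TransportProtos.ValidateDeviceCredentialsResponseMsg msg) {
                            if (!StringUtils.isEmpty(msg.getCredentialsBody())) {
                                credentialsBody[0] = msg.getCredentialsBody();
                            }
                            latch.countDown();
                        }

                        @Override
                        public void onError(Throwable t) {
                            log.error(t.getMessage(), t);
                            latch.countDown();
                        }
                    });

            try {
                if (!latch.await(VALIDATION_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                    log.warn("Timed out after {}s waiting for device certificate validation", VALIDATION_TIMEOUT_SECONDS);
                }
            } catch (InterruptedException e) {
                // Restore the interrupt flag so the handshake thread's owner can observe it.
                Thread.currentThread().interrupt();
                log.error(e.getMessage(), e);
                return false;
            }

            // Hash lookup narrows the candidate; the full PEM comparison is what actually
            // authenticates the certificate. A timeout leaves the slot null and fails here.
            return pem.equals(credentialsBody[0]);
        }
    }

    /**
     * Creates a fresh server-mode {@link SslHandler} backed by the configured key store.
     *
     * @return a new handler wrapping a new {@link SSLEngine}; one engine per connection
     * @throws RuntimeException if the key store cannot be read or the SSL context cannot be built
     */
    public SslHandler getSslHandler() {
        try {
            File keyStorePath = new File(Resources.getResource(this.keyStoreFile).toURI());

            // The same store backs both the trust manager and the key manager, so it is loaded once.
            KeyStore store = loadKeyStore(keyStorePath);

            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(store);

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(store, this.keyPassword.toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
            TrustManager[] trustManagers = {getX509TrustManager(trustManagerFactory)};

            String protocol = StringUtils.isEmpty(this.sslProtocol) ? "TLS" : this.sslProtocol;
            SSLContext sslContext = SSLContext.getInstance(protocol);
            sslContext.init(keyManagers, trustManagers, null);

            SSLEngine engine = sslContext.createSSLEngine();
            engine.setUseClientMode(false);
            // Request a client certificate but do not require one: connections without a
            // certificate never reach ThingsboardMqttX509TrustManager and must authenticate
            // by other means.
            engine.setNeedClientAuth(false);
            engine.setWantClientAuth(true);
            // NOTE(review): this enables every protocol and cipher suite the JVM *supports*,
            // a superset of the JVM's default *enabled* set, which can include legacy versions
            // and suites that are disabled by default. Kept as-is to preserve behaviour;
            // consider leaving the engine defaults or driving the lists from configuration.
            engine.setEnabledProtocols(engine.getSupportedProtocols());
            engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
            engine.setEnableSessionCreation(true);
            return new SslHandler(engine);
        } catch (Exception e) {
            log.error("Unable to set up SSL context. Reason: " + e.getMessage(), e);
            throw new RuntimeException("Failed to get SSL handler", e);
        }
    }

    /**
     * Opens {@code file} and loads it as a {@link KeyStore} of the configured type, closing the
     * stream whether or not loading succeeds.
     *
     * @throws IOException              if the file cannot be read or the password is wrong
     * @throws GeneralSecurityException if the store type is unknown or its contents cannot be parsed
     */
    private KeyStore loadKeyStore(File file) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(this.keyStoreType);
        try (FileInputStream in = new FileInputStream(file)) {
            store.load(in, this.keyStorePassword.toCharArray());
        }
        return store;
    }

    /**
     * Wraps the first {@link X509TrustManager} produced by {@code trustManagerFactory} in a
     * {@link ThingsboardMqttX509TrustManager}.
     *
     * @throws IllegalStateException if the factory yields no X509 trust manager; failing here is
     *                               clearer than a NullPointerException during a later handshake
     */
    private TrustManager getX509TrustManager(TrustManagerFactory trustManagerFactory) {
        for (TrustManager candidate : trustManagerFactory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return new ThingsboardMqttX509TrustManager((X509TrustManager) candidate, this.transportService);
            }
        }
        throw new IllegalStateException("No X509TrustManager available from algorithm " + trustManagerFactory.getAlgorithm());
    }
}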
