package org.thingsboard.server.transport.mqtt;

import io.netty.handler.ssl.SslHandler;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.stereotype.Component;
import org.thingsboard.server.common.data.DeviceTransportType;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.transport.TransportService;
import org.thingsboard.server.common.transport.TransportServiceCallback;
import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
import org.thingsboard.server.common.transport.config.ssl.SslCredentials;
import org.thingsboard.server.common.transport.config.ssl.SslCredentialsConfig;
import org.thingsboard.server.common.transport.util.SslUtil;
import org.thingsboard.server.gen.transport.TransportProtos;

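/**
 * Supplies the Netty {@link SslHandler} for MQTT-over-TLS connections.
 *
 * <p>Only registered when {@code transport.mqtt.ssl.enabled=true}. The
 * {@link SSLContext} is built lazily from the {@code mqttSslCredentials}
 * bean and cached; every call to {@link #getSslHandler()} creates a fresh
 * server-mode {@link SSLEngine} from it. Client certificates presented in
 * the handshake are not trusted against the configured trust store alone:
 * they are checked by {@link ThingsboardMqttX509TrustManager}, which asks
 * the {@link TransportService} whether the platform knows the certificate.
 */
@ConditionalOnProperty(prefix = "transport.mqtt.ssl", value = {"enabled"}, havingValue = "true", matchIfMissing = false)
@Component("MqttSslHandlerProvider")
public class MqttSslHandlerProvider {
    private static final Logger log = LoggerFactory.getLogger(MqttSslHandlerProvider.class);

    /** Protocol name passed to {@link SSLContext#getInstance(String)}; blank means {@code "TLS"}. */
    @Value("${transport.mqtt.ssl.protocol}")
    private String sslProtocol;

    @Autowired
    private TransportService transportService;

    @Autowired
    @Qualifier("mqttSslCredentials")
    private SslCredentialsConfig mqttSslCredentialsConfig;

    /** Lazily created; guarded by {@link #getSslContext()}. */
    private SSLContext sslContext;

    /**
     * Trust manager for client certificates. Delegates server-side checks to
     * the JSSE trust manager built from the configured trust store, but
     * decides client trust by looking the presented certificate up through
     * the {@link TransportService}: the handshake is accepted only when the
     * platform returns credentials whose body equals the leaf certificate.
     *
     * <p>Every failure path (unknown certificate, lookup error, timeout,
     * interruption) ends in a {@link CertificateException} so that the
     * handshake fails closed.
     */
    public static class ThingsboardMqttX509TrustManager implements X509TrustManager {
        /** Upper bound on how long a handshake waits for the platform lookup. */
        private static final long VALIDATION_TIMEOUT_SECONDS = 10L;

        private final X509TrustManager trustManager;
        private final TransportService transportService;

        ThingsboardMqttX509TrustManager(X509TrustManager x509TrustManager, TransportService transportService) {
            this.trustManager = x509TrustManager;
            this.transportService = transportService;
        }

        /** Issuers advertised in the server's CertificateRequest; taken from the configured trust store. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.trustManager.getAcceptedIssuers();
        }

        /**
         * Delegates to the configured trust manager. This provider only builds
         * server-mode engines, so this path is not expected to be exercised
         * in practice.
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.trustManager.checkServerTrusted(chain, authType);
        }

        /**
         * Validates a client certificate chain.
         *
         * <p>Steps: reject an empty chain; verify that each certificate is
         * signed by the next one; ask the platform (via
         * {@code ValidateOrCreateDeviceX509CertRequestMsg}) for the credentials
         * matching the chain; accept only when the returned credentials body
         * equals the leaf certificate.
         *
         * @param chain    certificates sent by the client, leaf first
         * @param authType key-exchange algorithm (unused)
         * @throws CertificateException if the chain is empty or inconsistent,
         *         the platform does not recognise the certificate, the lookup
         *         fails or times out, or the waiting thread is interrupted
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("Empty Chain of X509 Certificates");
            }
            if (!validateCertificateChain(chain)) {
                throw new CertificateException("Invalid Chain of X509 Certificates. ");
            }
            String clientCertificate = SslUtil.getCertificateString(chain[0]);
            final String[] credentialsHolder = new String[1];
            final CountDownLatch latch = new CountDownLatch(1);
            try {
                final String certificateChain = SslUtil.getCertificateChainString(chain);
                this.transportService.process(DeviceTransportType.MQTT,
                        TransportProtos.ValidateOrCreateDeviceX509CertRequestMsg.newBuilder().setCertificateChain(certificateChain).build(),
                        new TransportServiceCallback<ValidateDeviceCredentialsResponse>() {
                            @Override
                            public void onSuccess(ValidateDeviceCredentialsResponse response) {
                                if (!StringUtils.isEmpty(response.getCredentials())) {
                                    credentialsHolder[0] = response.getCredentials();
                                }
                                latch.countDown();
                            }

                            @Override
                            public void onError(Throwable th) {
                                log.trace("Failed to process certificate chain: {}", certificateChain, th);
                                latch.countDown();
                            }
                        });
                // A timeout leaves credentialsHolder[0] null, which is rejected below.
                if (!latch.await(VALIDATION_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                    log.debug("Timed out after {}s waiting for device certificate validation", VALIDATION_TIMEOUT_SECONDS);
                }
                if (!clientCertificate.equals(credentialsHolder[0])) {
                    log.debug("Failed to find credentials for device certificate chain of length {}, subject: {}",
                            chain.length, chain[0].getSubjectX500Principal());
                    if (chain.length == 1) {
                        throw new CertificateException("Invalid Device Certificate");
                    }
                    throw new CertificateException("Invalid Chain of X509 Certificates");
                }
            } catch (CertificateException e) {
                // Must propagate: swallowing it would let an unrecognised client complete the handshake.
                throw e;
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new CertificateException("Interrupted while validating device certificate", e);
            } catch (Exception e) {
                // Any other failure of the lookup is a rejection, never an implicit accept.
                log.error(e.getMessage(), e);
                throw new CertificateException("Failed to validate device certificate", e);
            }
        }

        /**
         * Checks that the chain is internally consistent: each certificate is
         * signed by the key of the one that follows it. A chain of length
         * zero or one has nothing to verify and is reported as consistent.
         * Only signatures are checked here; validity dates, revocation and
         * anchoring to a trusted CA are left to the platform lookup.
         *
         * @param chain certificates, leaf first
         * @return {@code true} if every signature verifies, {@code false} otherwise
         */
        private boolean validateCertificateChain(X509Certificate[] chain) {
            if (chain.length <= 1) {
                return true;
            }
            try {
                X509Certificate subject = chain[0];
                for (int i = 1; i < chain.length; i++) {
                    X509Certificate issuer = chain[i];
                    subject.verify(issuer.getPublicKey());
                    subject = issuer;
                }
                return true;
            } catch (GeneralSecurityException e) {
                log.debug("Certificate chain signature verification failed: {}", e.getMessage());
                return false;
            }
        }
    }

    /**
     * Credentials bound from {@code transport.mqtt.ssl.credentials.*}.
     * The second constructor argument is passed through as in the original
     * configuration; its meaning is defined by {@link SslCredentialsConfig}.
     */
    @ConfigurationProperties(prefix = "transport.mqtt.ssl.credentials")
    @Bean
    public SslCredentialsConfig mqttSslCredentials() {
        return new SslCredentialsConfig("MQTT SSL Credentials", false);
    }

    /**
     * Creates a new server-mode {@link SslHandler} for one connection.
     *
     * <p>Client authentication is requested but not required
     * ({@code wantClientAuth=true}, {@code needClientAuth=false}), so a
     * client without a certificate still completes the handshake; what the
     * transport does with such a connection is decided outside this class.
     *
     * @return a handler wrapping a freshly configured {@link SSLEngine}
     * @throws RuntimeException if the SSL context cannot be built
     */
    public SslHandler getSslHandler() {
        SSLEngine engine = getSslContext().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(true);
        // NOTE(review): enabling every supported protocol and cipher suite
        // keeps legacy devices connecting but also re-enables anything the
        // JSSE defaults leave off; consider restricting this via configuration.
        engine.setEnabledProtocols(engine.getSupportedProtocols());
        engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
        engine.setEnableSessionCreation(true);
        return new SslHandler(engine);
    }

    /** Returns the cached context, building it on first use. Synchronized so concurrent first calls share one context. */
    private synchronized SSLContext getSslContext() {
        if (this.sslContext == null) {
            this.sslContext = createSslContext();
        }
        return this.sslContext;
    }

    /**
     * Builds the {@link SSLContext} from the configured credentials, wrapping
     * the trust store's X509 trust manager in {@link ThingsboardMqttX509TrustManager}.
     *
     * @return an initialised context
     * @throws IllegalStateException (a {@link RuntimeException}) if any step fails
     */
    private SSLContext createSslContext() {
        try {
            SslCredentials credentials = this.mqttSslCredentialsConfig.getCredentials();
            TrustManagerFactory trustManagerFactory = credentials.createTrustManagerFactory();
            KeyManager[] keyManagers = credentials.createKeyManagerFactory().getKeyManagers();
            TrustManager[] trustManagers = {getX509TrustManager(trustManagerFactory)};
            if (StringUtils.isEmpty(this.sslProtocol)) {
                this.sslProtocol = "TLS";
            }
            SSLContext context = SSLContext.getInstance(this.sslProtocol);
            context.init(keyManagers, trustManagers, null);
            return context;
        } catch (Exception e) {
            log.error("Unable to set up SSL context. Reason: " + e.getMessage(), e);
            throw new IllegalStateException("Failed to get SSL context", e);
        }
    }

    /**
     * Wraps the first {@link X509TrustManager} produced by the factory.
     *
     * @param trustManagerFactory initialised factory from the credentials
     * @return the wrapping {@link ThingsboardMqttX509TrustManager}
     * @throws IllegalStateException if the factory yields no X509 trust manager
     *         (failing here is clearer than a NullPointerException during a handshake)
     */
    private TrustManager getX509TrustManager(TrustManagerFactory trustManagerFactory) throws Exception {
        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return new ThingsboardMqttX509TrustManager((X509TrustManager) trustManager, this.transportService);
            }
        }
        throw new IllegalStateException("No X509TrustManager available from the configured MQTT SSL credentials");
    }
}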
