package com.alibaba.nacos.core.remote.grpc.negotiator.tls;

import com.alibaba.nacos.api.exception.runtime.NacosRuntimeException;
import com.alibaba.nacos.common.packagescan.resource.DefaultResourceLoader;
import com.alibaba.nacos.common.packagescan.resource.ResourceLoader;
import com.alibaba.nacos.common.utils.JacksonUtils;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.common.utils.TlsTypeResolve;
import com.alibaba.nacos.core.remote.tls.RpcServerTlsConfig;
import com.alibaba.nacos.core.utils.Loggers;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import javax.net.ssl.SSLException;

/* loaded from: input_file:com/alibaba/nacos/core/remote/grpc/negotiator/tls/DefaultTlsContextBuilder.class */
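public class DefaultTlsContextBuilder {

    /** Resolves the configured certificate / key locations to readable resources. */
    private static final ResourceLoader RESOURCE_LOADER = new DefaultResourceLoader();

    /**
     * Builds the server-side {@link SslContext} described by {@code rpcServerTlsConfig}.
     *
     * <p>The certificate chain and private key are mandatory. Protocols and ciphers are optional
     * comma-separated lists (entries are trimmed, empty entries ignored). When mutual auth is
     * enabled the client certificate is required ({@link ClientAuth#REQUIRE}) and verified
     * against {@code trustCollectionCertFile}; if {@code trustAll} is set instead, every client
     * certificate is accepted without verification, so that flag removes the authentication
     * value of mutual TLS and should only be used for testing.
     *
     * @param rpcServerTlsConfig the TLS settings; must not be null
     * @return the configured SslContext
     * @throws IllegalArgumentException if certChainFile / certPrivateKey are blank, or mutual auth
     *     is enabled without trustAll and without trustCollectionCertFile
     * @throws NacosRuntimeException (code 500) if a configured resource cannot be read or closed,
     *     or the SSL context cannot be built
     */
    public static SslContext getSslContext(RpcServerTlsConfig rpcServerTlsConfig) {
        if (StringUtils.isBlank(rpcServerTlsConfig.getCertChainFile())
                || StringUtils.isBlank(rpcServerTlsConfig.getCertPrivateKey())) {
            throw new IllegalArgumentException("Server certChainFile or certPrivateKey must be not null");
        }
        // The streams are opened here and must be closed here: the builder only reads them,
        // so without try-with-resources each (re)load leaked two or three file handles.
        try (InputStream certChain = getInputStream(rpcServerTlsConfig.getCertChainFile(), "certChainFile");
                InputStream privateKey = getInputStream(rpcServerTlsConfig.getCertPrivateKey(), "certPrivateKey")) {
            SslContextBuilder builder = SslContextBuilder.forServer(certChain, privateKey,
                    rpcServerTlsConfig.getCertPrivateKeyPassword());
            if (StringUtils.isNotBlank(rpcServerTlsConfig.getProtocols())) {
                builder.protocols(splitList(rpcServerTlsConfig.getProtocols()));
            }
            if (StringUtils.isNotBlank(rpcServerTlsConfig.getCiphers())) {
                builder.ciphers(Arrays.asList(splitList(rpcServerTlsConfig.getCiphers())));
            }
            // Explicit unboxing kept on purpose: a null flag fails loudly rather than silently
            // disabling client authentication.
            if (rpcServerTlsConfig.getMutualAuthEnable().booleanValue()) {
                if (rpcServerTlsConfig.getTrustAll().booleanValue()) {
                    // Accepts any client certificate chain; only the presence of a cert is enforced.
                    builder.trustManager(InsecureTrustManagerFactory.INSTANCE);
                } else {
                    if (StringUtils.isBlank(rpcServerTlsConfig.getTrustCollectionCertFile())) {
                        throw new IllegalArgumentException("enable mutual auth,trustCollectionCertFile must be not null");
                    }
                    try (InputStream trustCollection = getInputStream(
                            rpcServerTlsConfig.getTrustCollectionCertFile(), "trustCollectionCertFile")) {
                        builder.trustManager(trustCollection);
                    }
                }
                builder.clientAuth(ClientAuth.REQUIRE);
            }
            return GrpcSslContexts.configure(builder,
                    TlsTypeResolve.getSslProvider(rpcServerTlsConfig.getSslProvider())).build();
        } catch (IOException e) {
            // IOException covers SSLException from build() as well as a failed stream close.
            // NOTE(review): toJson serialises the whole config object; unless the
            // certPrivateKeyPassword getter is excluded from serialisation, the key password
            // ends up in the log — confirm and mask it if so.
            Loggers.REMOTE.info("Nacos Rpc server reload ssl context fail tls config:{}",
                    JacksonUtils.toJson(rpcServerTlsConfig));
            throw new NacosRuntimeException(500, e);
        }
    }

    /**
     * Splits a comma-separated list, trimming each entry and dropping empty ones, so that
     * values such as {@code "TLSv1.2, TLSv1.3"} are not passed to Netty with a leading space.
     *
     * @param value non-blank comma-separated list
     * @return the trimmed, non-empty entries in their original order
     */
    private static String[] splitList(String value) {
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(entry -> !entry.isEmpty())
                .toArray(String[]::new);
    }

    /**
     * Opens the resource at {@code location}; the caller owns and must close the stream.
     *
     * @param location resource location as given in the TLS config
     * @param name     config field name, used in the error message only
     * @return an open stream over the resource
     * @throws NacosRuntimeException (code 500) wrapping the IOException if the resource
     *     cannot be opened
     */
    private static InputStream getInputStream(String location, String name) {
        try {
            return RESOURCE_LOADER.getResource(location).getInputStream();
        } catch (IOException e) {
            throw new NacosRuntimeException(500, name + " load fail", e);
        }
    }
}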
