void logSslErrorChain() {

  while (uint64_t err = ERR_get_error()) {

    ENVOY_LOG_MISC(debug, "SSL error: {}:{}:{}:{}", err,

                   absl::NullSafeStringView(ERR_lib_error_string(err)),

                   absl::NullSafeStringView(ERR_func_error_string(err)), ERR_GET_REASON(err),

                   absl::NullSafeStringView(ERR_reason_error_string(err)));

  }

}

int ContextImpl::sslExtendedSocketInfoIndex() {

  CONSTRUCT_ON_FIRST_USE(int, []() -> int {

    int ssl_context_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);

    RELEASE_ASSERT(ssl_context_index >= 0, "");

    return ssl_context_index;

  }());

}

    : scope_(scope), stats_(generateSslStats(scope)), factory_context_(factory_context),

      tls_max_version_(config.maxProtocolVersion()),

      stat_name_set_(scope.symbolTable().makeSet("TransportSockets::Tls")),

      unknown_ssl_cipher_(stat_name_set_->add("unknown_ssl_cipher")),

      unknown_ssl_curve_(stat_name_set_->add("unknown_ssl_curve")),

      unknown_ssl_algorithm_(stat_name_set_->add("unknown_ssl_algorithm")),

      unknown_ssl_version_(stat_name_set_->add("unknown_ssl_version")),

      ssl_ciphers_(stat_name_set_->add("ssl.ciphers")),

      ssl_versions_(stat_name_set_->add("ssl.versions")),

      ssl_curves_(stat_name_set_->add("ssl.curves")),

      ssl_sigalgs_(stat_name_set_->add("ssl.sigalgs")), capabilities_(config.capabilities()),

      tls_keylog_local_(config.tlsKeyLogLocal()), tls_keylog_remote_(config.tlsKeyLogRemote()) {

  auto cert_validator_name = getCertValidatorName(config.certificateValidationContext());

  auto cert_validator_factory =

      Registry::FactoryRegistry<CertValidatorFactory>::getFactory(cert_validator_name);

  if (!cert_validator_factory) {

    creation_status = absl::InvalidArgumentError(

        absl::StrCat("Failed to get certificate validator factory for ", cert_validator_name));

    return;

  }

  auto validator_or_error = cert_validator_factory->createCertValidator(

      config.certificateValidationContext(), stats_, factory_context_, scope);

  SET_AND_RETURN_IF_NOT_OK(validator_or_error.status(), creation_status);

  cert_validator_ = std::move(*validator_or_error);

  tls_contexts_.resize(std::max(static_cast<size_t>(1), tls_certificates.size()));

  std::vector<SSL_CTX*> ssl_contexts(tls_contexts_.size());

  for (size_t i = 0; i < tls_contexts_.size(); i++) {

    auto& ctx = tls_contexts_[i];

    ctx.ssl_ctx_.reset(SSL_CTX_new(TLS_method()));

    ssl_contexts[i] = ctx.ssl_ctx_.get();

    int rc = SSL_CTX_set_app_data(ctx.ssl_ctx_.get(), this);

    RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or(""));

    rc = SSL_CTX_set_min_proto_version(ctx.ssl_ctx_.get(), config.minProtocolVersion());

    RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or(""));

    rc = SSL_CTX_set_max_proto_version(ctx.ssl_ctx_.get(), config.maxProtocolVersion());

    RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or(""));

    if (!capabilities_.provides_ciphers_and_curves &&

        !SSL_CTX_set_strict_cipher_list(ctx.ssl_ctx_.get(), config.cipherSuites().c_str())) {

      std::vector<absl::string_view> ciphers =

          StringUtil::splitToken(config.cipherSuites(), ":+![|]", false);

      std::vector<std::string> bad_ciphers;

      for (const auto& cipher : ciphers) {

        std::string cipher_str(cipher);

        if (absl::StartsWith(cipher_str, "-")) {

          cipher_str.erase(cipher_str.begin());

        }

        if (!SSL_CTX_set_strict_cipher_list(ctx.ssl_ctx_.get(), cipher_str.c_str())) {

          bad_ciphers.push_back(cipher_str);

        }

      }

      creation_status = absl::InvalidArgumentError(

          fmt::format("Failed to initialize cipher suites {}. The following "

                      "ciphers were rejected when tried individually: {}",

                      config.cipherSuites(), absl::StrJoin(bad_ciphers, ", ")));

      return;

    }

    if (!capabilities_.provides_ciphers_and_curves &&

        !SSL_CTX_set1_curves_list(ctx.ssl_ctx_.get(), config.ecdhCurves().c_str())) {

      creation_status = absl::InvalidArgumentError(

          absl::StrCat("Failed to initialize ECDH curves ", config.ecdhCurves()));

      return;

    }

    if (!capabilities_.provides_sigalgs && !config.signatureAlgorithms().empty()) {

      if (!SSL_CTX_set1_sigalgs_list(ctx.ssl_ctx_.get(), config.signatureAlgorithms().c_str())) {

        creation_status = absl::InvalidArgumentError(absl::StrCat(

            "Failed to initialize TLS signature algorithms ", config.signatureAlgorithms()));

        return;

      }

    }

    if (Runtime::runtimeFeatureEnabled(

            "envoy.reloadable_features.tls_certificate_compression_brotli")) {

      CertCompression::registerBrotli(ctx.ssl_ctx_.get());

      CertCompression::registerZlib(ctx.ssl_ctx_.get());

    }

  }

  auto verify_mode_or_error = cert_validator_->initializeSslContexts(

      ssl_contexts, config.capabilities().provides_certificates, scope);

  SET_AND_RETURN_IF_NOT_OK(verify_mode_or_error.status(), creation_status);

  auto verify_mode = verify_mode_or_error.value();

  if (!capabilities_.verifies_peer_certificates) {

    for (auto ctx : ssl_contexts) {

      if (verify_mode != SSL_VERIFY_NONE) {

        SSL_CTX_set_custom_verify(ctx, verify_mode, customVerifyCallback);

        SSL_CTX_set_reverify_on_resume(ctx, /*reverify_on_resume_enabled)=*/1);

      }

    }

  }

  const bool fips_mode = FIPS_mode();

  if (fips_mode) {

  if (!capabilities_.provides_certificates) {

    for (uint32_t i = 0; i < tls_certificates.size(); ++i) {

      auto& ctx = tls_contexts_[i];

      const auto& tls_certificate = tls_certificates[i].get();

      if (!tls_certificate.pkcs12().empty()) {

        creation_status = ctx.loadPkcs12(tls_certificate.pkcs12(), tls_certificate.pkcs12Path(),

                                         tls_certificate.password(), fips_mode);

      } else {

        creation_status = ctx.loadCertificateChain(tls_certificate.certificateChain(),

                                                   tls_certificate.certificateChainPath());

      }

      if (!creation_status.ok()) {

        return;

      }

      Stats::Gauge& expiration_gauge =

          Extensions::TransportSockets::Tls::createCertificateExpirationGauge(

              scope, tls_certificate.certificateName());

      expiration_gauge.set(Utility::getExpirationUnixTime(ctx.cert_chain_.get()).count());

      constexpr absl::string_view tls_feature_ext = "1.3.6.1.5.5.7.1.24";

      constexpr absl::string_view must_staple_ext_value = "\x30\x3\x02\x01\x05";

      auto must_staple = Utility::getCertificateExtensionValue(*ctx.cert_chain_, tls_feature_ext);

      if (must_staple == must_staple_ext_value) {

        ctx.is_must_staple_ = true;

      }

      bssl::UniquePtr<EVP_PKEY> public_key(X509_get_pubkey(ctx.cert_chain_.get()));

      const int pkey_id = EVP_PKEY_id(public_key.get());

      switch (pkey_id) {

      case EVP_PKEY_EC: {

        const EC_KEY* ecdsa_public_key = EVP_PKEY_get0_EC_KEY(public_key.get());

        ASSERT(ecdsa_public_key != nullptr);

        const EC_GROUP* ecdsa_group = EC_KEY_get0_group(ecdsa_public_key);

        const int ec_group_curve_name = EC_GROUP_get_curve_name(ecdsa_group);

        if (ecdsa_group == nullptr ||

            (ec_group_curve_name != NID_X9_62_prime256v1 && ec_group_curve_name != NID_secp384r1 &&

             ec_group_curve_name != NID_secp521r1)) {

        ctx.ec_group_curve_name_ = ec_group_curve_name;

      } break;

      case EVP_PKEY_RSA: {

        const RSA* rsa_public_key = EVP_PKEY_get0_RSA(public_key.get());

        ASSERT(rsa_public_key != nullptr);

        const unsigned rsa_key_length = RSA_bits(rsa_public_key);

        if (fips_mode) {

        } else {

          if (rsa_key_length < 2048) {

            creation_status = absl::InvalidArgumentError(

                fmt::format("Failed to load certificate chain from {}, only RSA "

                            "certificates with 2048-bit or larger keys are supported",

                            ctx.cert_chain_file_path_));

            return;

          }

        }

      } break;

      default:

      }

      Envoy::Ssl::PrivateKeyMethodProviderSharedPtr private_key_method_provider =

          tls_certificate.privateKeyMethod();

      if (private_key_method_provider) {

        ctx.private_key_method_provider_ = private_key_method_provider;

        Ssl::BoringSslPrivateKeyMethodSharedPtr private_key_method =

            private_key_method_provider->getBoringSslPrivateKeyMethod();

        if (private_key_method == nullptr) {

          creation_status = absl::InvalidArgumentError(

              fmt::format("Failed to get BoringSSL private key method from provider"));

          return;

        }

        if (fips_mode) {

        SSL_CTX_set_private_key_method(ctx.ssl_ctx_.get(), private_key_method.get());

      } else if (!tls_certificate.privateKey().empty()) {

        creation_status =

            ctx.loadPrivateKey(tls_certificate.privateKey(), tls_certificate.privateKeyPath(),

                               tls_certificate.password(), fips_mode);

        if (!creation_status.ok()) {

          return;

        }

      }

      if (additional_init != nullptr) {

        absl::Status init_status = additional_init(ctx, tls_certificate);

        SET_AND_RETURN_IF_NOT_OK(creation_status, init_status);

      }

    }

  }

  parsed_alpn_protocols_ = parseAlpnProtocols(config.alpnProtocols(), creation_status);

  SET_AND_RETURN_IF_NOT_OK(creation_status, creation_status);

  std::vector<const char*> list(SSL_get_all_cipher_names(nullptr, 0));

  SSL_get_all_cipher_names(list.data(), list.size());

  stat_name_set_->rememberBuiltins(list);

  list.resize(SSL_get_all_curve_names(nullptr, 0));

  SSL_get_all_curve_names(list.data(), list.size());

  stat_name_set_->rememberBuiltins(list);

  list.resize(SSL_get_all_signature_algorithm_names(nullptr, 0));

  SSL_get_all_signature_algorithm_names(list.data(), list.size());

  stat_name_set_->rememberBuiltins(list);

  list.resize(SSL_get_all_version_names(nullptr, 0));

  SSL_get_all_version_names(list.data(), list.size());

  stat_name_set_->rememberBuiltins(list);

  if (auto sslctx_cb = config.sslctxCb(); sslctx_cb) {

    for (Ssl::TlsContext& ctx : tls_contexts_) {

      sslctx_cb(ctx.ssl_ctx_.get());

    }

  }

  if (!config.tlsKeyLogPath().empty()) {

    ENVOY_LOG(debug, "Enable tls key log");

    auto file_or_error = config.accessLogManager().createAccessLog(

        Filesystem::FilePathAndType{Filesystem::DestinationType::File, config.tlsKeyLogPath()});

    SET_AND_RETURN_IF_NOT_OK(file_or_error.status(), creation_status);

    tls_keylog_file_ = file_or_error.value();

    for (auto& context : tls_contexts_) {

      SSL_CTX* ctx = context.ssl_ctx_.get();

      ASSERT(ctx != nullptr);

      SSL_CTX_set_keylog_callback(ctx, keylogCallback);

    }

  }

  if (const auto policy = config.compliancePolicy(); policy.has_value()) {

    switch (policy.value()) {

    case ProtoPolicy::FIPS_202205:

      if (!fips_mode) {

        ENVOY_LOG(warn, "FIPS conformance policy applied on a non-FIPS build");

      }

      for (auto& tls_context : tls_contexts_) {

        int rc = SSL_CTX_set_compliance_policy(tls_context.ssl_ctx_.get(),

                                               ssl_compliance_policy_fips_202205);

        if (rc != 1) {

      }

      break;

    default:

    }

  }

}

void ContextImpl::keylogCallback(const SSL* ssl, const char* line) {

  ASSERT(ssl != nullptr);

  auto callbacks =

      static_cast<Network::TransportSocketCallbacks*>(SSL_get_ex_data(ssl, sslSocketIndex()));

  auto ctx = static_cast<ContextImpl*>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));

  ASSERT(callbacks != nullptr);

  ASSERT(ctx != nullptr);

  if ((ctx->tls_keylog_local_.getIpListSize() == 0 ||

       ctx->tls_keylog_local_.contains(

           *(callbacks->connection().connectionInfoProvider().localAddress()))) &&

      (ctx->tls_keylog_remote_.getIpListSize() == 0 ||

       ctx->tls_keylog_remote_.contains(

           *(callbacks->connection().connectionInfoProvider().remoteAddress())))) {

    ctx->tls_keylog_file_->write(absl::StrCat(line, "\n"));

  }

}

int ContextImpl::sslSocketIndex() {

  CONSTRUCT_ON_FIRST_USE(int, []() -> int {

    int ssl_socket_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);

    RELEASE_ASSERT(ssl_socket_index >= 0, "");

    return ssl_socket_index;

  }());

}

                                                     absl::Status& parse_status) {

  if (alpn_protocols.empty()) {

    return {};

  }

  if (alpn_protocols.size() >= 65535) {

    parse_status = absl::InvalidArgumentError("Invalid ALPN protocol string");

    return {};

  }

  std::vector<uint8_t> out(alpn_protocols.size() + 1);

  size_t start = 0;

  for (size_t i = 0; i <= alpn_protocols.size(); i++) {

    if (i == alpn_protocols.size() || alpn_protocols[i] == ',') {

      if (i - start > 255) {

      out[start] = i - start;

      start = i + 1;

    } else {

      out[i + 1] = alpn_protocols[i];

    }

  }

  return out;

}

                    Upstream::HostDescriptionConstSharedPtr) {

  auto ssl_con = bssl::UniquePtr<SSL>(SSL_new(tls_contexts_[0].ssl_ctx_.get()));

  SSL_set_app_data(ssl_con.get(), &options);

  return ssl_con;

}

enum ssl_verify_result_t ContextImpl::customVerifyCallback(SSL* ssl, uint8_t* out_alert) {

  auto* extended_socket_info = reinterpret_cast<Envoy::Ssl::SslExtendedSocketInfo*>(

      SSL_get_ex_data(ssl, ContextImpl::sslExtendedSocketInfoIndex()));

  if (extended_socket_info->certificateValidationResult() != Ssl::ValidateStatus::NotStarted) {

    if (extended_socket_info->certificateValidationResult() == Ssl::ValidateStatus::Pending) {

      return ssl_verify_retry;

    }

    ENVOY_LOG(trace, "Already has a result: {}",

              static_cast<int>(extended_socket_info->certificateValidationStatus()));

    *out_alert = extended_socket_info->certificateValidationAlert();

    return extended_socket_info->certificateValidationResult() == Ssl::ValidateStatus::Successful

               ? ssl_verify_ok

               : ssl_verify_invalid;

  }

  SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);

  ContextImpl* context_impl = static_cast<ContextImpl*>(SSL_CTX_get_app_data(ssl_ctx));

  auto transport_socket_options_shared_ptr_ptr =

      static_cast<const Network::TransportSocketOptionsConstSharedPtr*>(SSL_get_app_data(ssl));

  ASSERT(transport_socket_options_shared_ptr_ptr);

  ValidationResults result = context_impl->customVerifyCertChain(

      extended_socket_info, *transport_socket_options_shared_ptr_ptr, ssl);

  switch (result.status) {

  case ValidationResults::ValidationStatus::Successful:

    return ssl_verify_ok;

  case ValidationResults::ValidationStatus::Pending:

    return ssl_verify_retry;

  case ValidationResults::ValidationStatus::Failed: {

    if (result.tls_alert.has_value() && out_alert) {

      *out_alert = result.tls_alert.value();

    }

    if (result.error_details.has_value()) {

      extended_socket_info->setCertificateValidationError(result.error_details.value());

    }

    return ssl_verify_invalid;

  }

    const Network::TransportSocketOptionsConstSharedPtr& transport_socket_options, SSL* ssl) {

  ASSERT(extended_socket_info);

  STACK_OF(X509)* cert_chain = SSL_get_peer_full_cert_chain(ssl);

  if (cert_chain == nullptr) {

  ASSERT(cert_validator_);

  const char* host_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

  CertValidator::ExtraValidationContext validation_ctx;

  validation_ctx.callbacks =

      static_cast<Network::TransportSocketCallbacks*>(SSL_get_ex_data(ssl, sslSocketIndex()));

  ValidationResults result = cert_validator_->doVerifyCertChain(

      *cert_chain, extended_socket_info->createValidateResultCallback(), transport_socket_options,

      *SSL_get_SSL_CTX(ssl), validation_ctx, SSL_is_server(ssl),

      absl::NullSafeStringView(host_name));

  if (result.status != ValidationResults::ValidationStatus::Pending) {

    extended_socket_info->setCertificateValidationStatus(result.detailed_status);

    extended_socket_info->onCertificateValidationCompleted(

        result.status == ValidationResults::ValidationStatus::Successful, false);

  }

  return result;

}

                             const Stats::StatName fallback) const {

  const Stats::StatName value_stat_name = stat_name_set_->getBuiltin(value, fallback);

  ENVOY_BUG(value_stat_name != fallback,

            absl::StrCat("Unexpected ", scope_.symbolTable().toString(name), " value: ", value));

  Stats::Utility::counterFromElements(scope_, {name, value_stat_name}).inc();

}

void ContextImpl::logHandshake(SSL* ssl) const {

  stats_.handshake_.inc();

  if (SSL_session_reused(ssl)) {

    stats_.session_reused_.inc();

  }

  incCounter(ssl_ciphers_, SSL_get_cipher_name(ssl), unknown_ssl_cipher_);

  incCounter(ssl_versions_, SSL_get_version(ssl), unknown_ssl_version_);

  const uint16_t curve_id = SSL_get_curve_id(ssl);

  if (curve_id) {

    incCounter(ssl_curves_, SSL_get_curve_name(curve_id), unknown_ssl_curve_);

  }

  const uint16_t sigalg_id = SSL_get_peer_signature_algorithm(ssl);

  if (sigalg_id) {

    const char* sigalg = SSL_get_signature_algorithm_name(sigalg_id, 1 /* include curve */);

    incCounter(ssl_sigalgs_, sigalg, unknown_ssl_algorithm_);

  }

  bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl));

  if (!cert.get()) {

    stats_.no_certificate_.inc();

  }

  if (SSL_was_key_usage_invalid(ssl)) {

    stats_.was_key_usage_invalid_.inc();

  }

}

std::vector<Ssl::PrivateKeyMethodProviderSharedPtr> ContextImpl::getPrivateKeyMethodProviders() {

  std::vector<Envoy::Ssl::PrivateKeyMethodProviderSharedPtr> providers;

  for (auto& tls_context : tls_contexts_) {

    Envoy::Ssl::PrivateKeyMethodProviderSharedPtr provider =

        tls_context.getPrivateKeyMethodProvider();

    if (provider) {

      providers.push_back(provider);

    }

  }

  return providers;

}

absl::optional<uint32_t> ContextImpl::daysUntilFirstCertExpires() const {

  absl::optional<uint32_t> daysUntilExpiration = cert_validator_->daysUntilFirstCertExpires();

  if (!daysUntilExpiration.has_value()) {

  for (auto& ctx : tls_contexts_) {

    const absl::optional<uint32_t> tmp =

        Utility::getDaysUntilExpiration(ctx.cert_chain_.get(), factory_context_.timeSource());

    if (!tmp.has_value()) {

      return absl::nullopt;

    }

    daysUntilExpiration = std::min<uint32_t>(tmp.value(), daysUntilExpiration.value());

  }

  return daysUntilExpiration;

}

absl::optional<uint64_t> ContextImpl::secondsUntilFirstOcspResponseExpires() const {

  absl::optional<uint64_t> secs_until_expiration;

  for (auto& ctx : tls_contexts_) {

    if (ctx.ocsp_response_) {

      uint64_t next_expiration = ctx.ocsp_response_->secondsUntilExpiration();

      secs_until_expiration = std::min<uint64_t>(

          next_expiration, secs_until_expiration.value_or(std::numeric_limits<uint64_t>::max()));

    }

  }

  return secs_until_expiration;

}

Envoy::Ssl::CertificateDetailsPtr ContextImpl::getCaCertInformation() const {

  return cert_validator_->getCaCertInformation();

}

std::vector<Envoy::Ssl::CertificateDetailsPtr> ContextImpl::getCertChainInformation() const {

  std::vector<Envoy::Ssl::CertificateDetailsPtr> cert_details;

  for (const auto& ctx : tls_contexts_) {

    if (ctx.cert_chain_ == nullptr) {

      continue;

    }

    auto detail = Utility::certificateDetails(ctx.cert_chain_.get(), ctx.getCertChainFileName(),

                                              factory_context_.timeSource());

    auto ocsp_resp = ctx.ocsp_response_.get();

    if (ocsp_resp) {

      auto* ocsp_details = detail->mutable_ocsp_details();

      Protobuf::Timestamp* valid_from = ocsp_details->mutable_valid_from();

      TimestampUtil::systemClockToTimestamp(ocsp_resp->getThisUpdate(), *valid_from);

      Protobuf::Timestamp* expiration = ocsp_details->mutable_expiration();

      TimestampUtil::systemClockToTimestamp(ocsp_resp->getNextUpdate(), *expiration);

    }

    cert_details.push_back(std::move(detail));

  }

  return cert_details;

}

                                  absl::Status& parse_status) {

  std::vector<uint8_t> parsed_alpn = parseAlpnProtocols(absl::StrJoin(alpn, ","), parse_status);

  if (!parse_status.ok()) {

  if (!parsed_alpn.empty()) {

    const int rc = SSL_set_alpn_protos(&ssl, parsed_alpn.data(), parsed_alpn.size());

    RELEASE_ASSERT(rc == 0, Utility::getLastCryptoError().value_or(""));

    return true;

  }

  return false;

}

    const CertValidator::ExtraValidationContext& validation_context, const std::string& host_name) {

  ASSERT(!tls_contexts_.empty());

  SSL_CTX* ssl_ctx = tls_contexts_[0].ssl_ctx_.get();

  if (SSL_CTX_get_verify_mode(ssl_ctx) == SSL_VERIFY_NONE) {

    return {ValidationResults::ValidationStatus::Successful,

            Envoy::Ssl::ClientValidationStatus::NotValidated, absl::nullopt, absl::nullopt};

  }

  ValidationResults result =

      cert_validator_->doVerifyCertChain(cert_chain, std::move(callback), transport_socket_options,

                                         *ssl_ctx, validation_context, is_server, host_name);

  return result;

}

bool TlsContext::isCipherEnabled(uint16_t cipher_id, uint16_t client_version) const {

  const SSL_CIPHER* c = SSL_get_cipher_by_value(cipher_id);

  if (c == nullptr) {

  if (SSL_CIPHER_get_min_version(c) > client_version) {

    return false;

  }

  if (SSL_CIPHER_get_auth_nid(c) != NID_auth_ecdsa) {

    return false;

  }

  for (const SSL_CIPHER* our_c : SSL_CTX_get_ciphers(ssl_ctx_.get())) {

    if (SSL_CIPHER_get_id(our_c) == SSL_CIPHER_get_id(c)) {

      return true;

    }

  }

  return false;

}

                                              const std::string& data_path) {

  cert_chain_file_path_ = data_path;

  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(data.data()), data.size()));

  RELEASE_ASSERT(bio != nullptr, "");

  cert_chain_.reset(PEM_read_bio_X509_AUX(bio.get(), nullptr, nullptr, nullptr));

  if (cert_chain_ == nullptr || !SSL_CTX_use_certificate(ssl_ctx_.get(), cert_chain_.get())) {

    logSslErrorChain();

    return absl::InvalidArgumentError(

        absl::StrCat("Failed to load certificate chain from ", cert_chain_file_path_));

  }

  while (true) {

    bssl::UniquePtr<X509> cert(PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));

    if (cert == nullptr) {

      break;

    }

    if (!SSL_CTX_add_extra_chain_cert(ssl_ctx_.get(), cert.get())) {

    cert.release();

  }

  const uint32_t err = ERR_peek_last_error();

  if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {

    ERR_clear_error();

  } else {

    return absl::InvalidArgumentError(

        absl::StrCat("Failed to load certificate chain from ", cert_chain_file_path_));

  }

  return absl::OkStatus();

}

                                        const std::string& password, bool fips_mode) {

  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(data.data()), data.size()));

  RELEASE_ASSERT(bio != nullptr, "");

  bssl::UniquePtr<EVP_PKEY> pkey(

      PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr,

                              !password.empty() ? const_cast<char*>(password.c_str()) : nullptr));

  if (pkey == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) {

    return absl::InvalidArgumentError(fmt::format(

        "Failed to load private key from {}, Cause: {}", data_path,

        Extensions::TransportSockets::Tls::Utility::getLastCryptoError().value_or("unknown")));

  }

  return checkPrivateKey(pkey, data_path, fips_mode);

}

                                    const std::string& password, bool fips_mode) {

  cert_chain_file_path_ = data_path;

  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(const_cast<char*>(data.data()), data.size()));

  RELEASE_ASSERT(bio != nullptr, "");

  bssl::UniquePtr<PKCS12> pkcs12(d2i_PKCS12_bio(bio.get(), nullptr));

  EVP_PKEY* temp_private_key = nullptr;

  X509* temp_cert = nullptr;

  STACK_OF(X509)* temp_ca_certs = nullptr;

  if (pkcs12 == nullptr ||

      !PKCS12_parse(pkcs12.get(), !password.empty() ? const_cast<char*>(password.c_str()) : nullptr,

                    &temp_private_key, &temp_cert, &temp_ca_certs)) {

    logSslErrorChain();

    return absl::InvalidArgumentError(absl::StrCat("Failed to load pkcs12 from ", data_path));

  }

  cert_chain_.reset(temp_cert);

  bssl::UniquePtr<EVP_PKEY> pkey(temp_private_key);

  bssl::UniquePtr<STACK_OF(X509)> ca_certificates(temp_ca_certs);

  if (ca_certificates != nullptr) {

    X509* ca_cert = nullptr;

    while ((ca_cert = sk_X509_pop(ca_certificates.get())) != nullptr) {

      SSL_CTX_add_extra_chain_cert(ssl_ctx_.get(), ca_cert);

    }

  }

  if (!SSL_CTX_use_certificate(ssl_ctx_.get(), cert_chain_.get())) {

  if (temp_private_key == nullptr || !SSL_CTX_use_PrivateKey(ssl_ctx_.get(), pkey.get())) {

  return checkPrivateKey(pkey, data_path, fips_mode);

}

                                         const std::string& key_path, bool fips_mode) {

  if (fips_mode) {

  return absl::OkStatus();

}