package com.google.bigtable.repackaged.io.grpc.xds.internal.certprovider;

import com.google.bigtable.repackaged.com.google.common.annotations.VisibleForTesting;
import com.google.bigtable.repackaged.com.google.common.base.Preconditions;
import com.google.bigtable.repackaged.io.grpc.Internal;
import com.google.bigtable.repackaged.io.grpc.netty.GrpcSslContexts;
import com.google.bigtable.repackaged.io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import com.google.bigtable.repackaged.io.grpc.xds.Bootstrapper;
import com.google.bigtable.repackaged.io.grpc.xds.EnvoyServerProtoData;
import com.google.bigtable.repackaged.io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
import com.google.bigtable.repackaged.io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.Node;
import com.google.bigtable.repackaged.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import com.google.bigtable.repackaged.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import java.security.cert.CertStoreException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.annotation.Nullable;

/**
 * Client-side SSL context provider: produces a Netty {@link SslContextBuilder} for outgoing
 * connections from the trusted roots (and, for mTLS, the key and certificate chain) held by
 * {@link CertProviderSslContextProvider}.
 *
 * <p>A root certificate provider instance is mandatory. The constructor rejects a {@code null}
 * one, so a client context is never created without a configured source of trust anchors.
 *
 * <p>Instances are created through {@link Factory}; the constructor is private.
 */
@Internal
public final class CertProviderClientSslContextProvider extends CertProviderSslContextProvider {

    /**
     * Forwards all arguments to the superclass after checking that a root certificate provider
     * instance is present.
     *
     * @throws NullPointerException with the message "Client SSL requires rootCertInstance" when
     *     {@code rootCertInstance} is {@code null}
     */
    private CertProviderClientSslContextProvider(
            Node node,
            @Nullable Map<String, Bootstrapper.CertificateProviderInfo> map,
            CommonTlsContext.CertificateProviderInstance certInstance,
            CommonTlsContext.CertificateProviderInstance rootCertInstance,
            CertificateValidationContext certificateValidationContext,
            EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext,
            CertificateProviderStore certificateProviderStore) {
        super(
                node,
                map,
                certInstance,
                // Fail fast: the client side cannot verify a server without a root cert source.
                Preconditions.checkNotNull(rootCertInstance, "Client SSL requires rootCertInstance"),
                certificateValidationContext,
                upstreamTlsContext,
                certificateProviderStore);
    }

    /**
     * Builds the client {@link SslContextBuilder}; overrides the method declared by
     * {@code DynamicSslContextProvider}.
     *
     * <p>The trust manager is an {@link SdsTrustManagerFactory} over the inherited
     * {@code savedTrustedRoots} and the supplied validation context. The inherited
     * {@code savedKey} and {@code savedCertChain} are installed only when {@code isMtls()}
     * returns {@code true}.
     *
     * <p>NOTE(review): {@code savedTrustedRoots} is dereferenced without a null check. Presumably
     * the superclass calls this only after the roots have been delivered; confirm.
     *
     * @param certificateValidationContext validation settings handed to the trust manager factory
     * @return the configured builder
     * @throws CertStoreException declared by this method; presumably raised while constructing the
     *     trust manager factory (TODO confirm)
     */
    @Override
    protected final SslContextBuilder getSslContextBuilder(CertificateValidationContext certificateValidationContext) throws CertStoreException {
        // Obtain the base builder first so the evaluation order matches the chained form.
        SslContextBuilder clientBuilder = GrpcSslContexts.forClient();
        X509Certificate[] trustedRoots = (X509Certificate[]) this.savedTrustedRoots.toArray(new X509Certificate[0]);
        SdsTrustManagerFactory trustManagerFactory = new SdsTrustManagerFactory(trustedRoots, certificateValidationContext);
        SslContextBuilder configured = clientBuilder.trustManager(trustManagerFactory);
        if (isMtls()) {
            // The client presents its own identity only in the mutual-TLS case.
            configured.keyManager(this.savedKey, this.savedCertChain);
        }
        return configured;
    }

    /** Creates {@link CertProviderClientSslContextProvider} instances bound to a {@link CertificateProviderStore}. */
    @Internal
    public static final class Factory {
        // Shared instance wired to the store returned by CertificateProviderStore.getInstance().
        private static final Factory DEFAULT_INSTANCE = new Factory(CertificateProviderStore.getInstance());

        private final CertificateProviderStore certificateProviderStore;

        /**
         * Creates a factory that uses the given store; public for tests.
         *
         * @param certificateProviderStore store passed to every provider this factory creates;
         *     it is not null-checked here
         */
        @VisibleForTesting
        public Factory(CertificateProviderStore certificateProviderStore) {
            this.certificateProviderStore = certificateProviderStore;
        }

        /** Returns the shared default factory. */
        public static Factory getInstance() {
            return DEFAULT_INSTANCE;
        }

        /**
         * Creates a provider for the given upstream TLS context.
         *
         * <p>The static validation context, the identity certificate provider instance and the
         * root certificate provider instance are all taken from the context's
         * {@code CommonTlsContext}.
         *
         * @param upstreamTlsContext TLS configuration for the upstream; must not be {@code null}
         * @param node passed through to the provider
         * @param map certificate provider configurations by name; may be {@code null}
         * @return a new provider
         * @throws NullPointerException if {@code upstreamTlsContext} is {@code null}, or if no root
         *     certificate provider instance is obtained from the {@code CommonTlsContext}
         */
        public CertProviderClientSslContextProvider getProvider(EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext, Node node, @Nullable Map<String, Bootstrapper.CertificateProviderInfo> map) {
            Preconditions.checkNotNull(upstreamTlsContext, "upstreamTlsContext");
            CommonTlsContext tlsContext = upstreamTlsContext.getCommonTlsContext();
            CertificateValidationContext staticContext = CertProviderSslContextProvider.getStaticValidationContext(tlsContext);
            CommonTlsContext.CertificateProviderInstance identityInstance = CertProviderSslContextProvider.getCertProviderInstance(tlsContext);
            CommonTlsContext.CertificateProviderInstance rootInstance = CertProviderSslContextProvider.getRootCertProviderInstance(tlsContext);
            return new CertProviderClientSslContextProvider(
                    node,
                    map,
                    identityInstance,
                    rootInstance,
                    staticContext,
                    upstreamTlsContext,
                    this.certificateProviderStore);
        }
    }
}
