package io.grpc.xds.internal.security.trust;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import io.grpc.netty.shaded.io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.DataSource;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import net.snowflake.client.jdbc.internal.apache.tika.mime.MimeTypesReaderMetKeys;

/* loaded from: input_file:io/grpc/xds/internal/security/trust/XdsTrustManagerFactory.class */
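/**
 * A {@link TrustManagerFactory} whose trust anchors come from an xDS
 * {@link CertificateValidationContext} (or from an explicitly supplied CA list) rather than from
 * a JDK {@link KeyStore}.
 *
 * <p>The factory wraps the platform's default X.509 trust manager in an
 * {@link XdsX509TrustManager}, which is what {@link #engineGetTrustManagers()} hands out. The
 * {@code engineInit} entry points inherited from {@link SimpleTrustManagerFactory} are
 * deliberately unsupported: the trust material is fixed at construction time and must not be
 * replaced through the generic JSSE initialisation path.
 */
public final class XdsTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final Logger logger = Logger.getLogger(XdsTrustManagerFactory.class.getName());

    /** Alias prefix for the trusted certificates placed in the temporary key store; the name is arbitrary. */
    private static final String CERT_ALIAS_PREFIX = "alias";

    private final XdsX509TrustManager xdsX509TrustManager;

    /**
     * Creates a factory whose trusted CAs are read from {@code trusted_ca} of the given context.
     *
     * @param certificateValidationContext the validation context carrying the trusted CA data
     *     source (file name or inline bytes)
     * @throws CertificateException if the CA material cannot be parsed
     * @throws IOException if the CA material cannot be read
     * @throws CertStoreException if the native X.509 trust manager cannot be created
     */
    public XdsTrustManagerFactory(CertificateValidationContext certificateValidationContext)
            throws CertificateException, IOException, CertStoreException {
        this(getTrustedCaFromCertContext(certificateValidationContext), certificateValidationContext, false);
    }

    /**
     * Creates a factory from an explicit list of trusted CAs and a static validation context.
     *
     * @param x509CertificateArr the trusted CA certificates
     * @param certificateValidationContext a validation context that must not carry its own
     *     {@code trusted_ca} (that CA material would otherwise be silently ignored); may be null
     * @throws CertStoreException if the native X.509 trust manager cannot be created
     */
    public XdsTrustManagerFactory(X509Certificate[] x509CertificateArr,
            CertificateValidationContext certificateValidationContext) throws CertStoreException {
        this(x509CertificateArr, certificateValidationContext, true);
    }

    /**
     * Shared constructor.
     *
     * @param requireStaticContext when true, reject a context that carries {@code trusted_ca},
     *     because the explicitly supplied certificates are the only trust anchors that are used
     */
    private XdsTrustManagerFactory(X509Certificate[] x509CertificateArr,
            CertificateValidationContext certificateValidationContext, boolean requireStaticContext)
            throws CertStoreException {
        if (requireStaticContext) {
            Preconditions.checkArgument(
                    certificateValidationContext == null || !certificateValidationContext.hasTrustedCa(),
                    "only static certificateValidationContext expected");
        }
        this.xdsX509TrustManager = createX509TrustManager(x509CertificateArr, certificateValidationContext);
    }

    /**
     * Loads the trusted CA certificates referenced by the context's {@code trusted_ca} data source.
     *
     * <p>Only the {@code filename} and {@code inline_bytes} specifiers are supported; any other
     * specifier is rejected rather than yielding an empty trust set.
     *
     * @throws IllegalArgumentException if the data source uses an unsupported specifier
     * @throws IllegalStateException if the file name is empty
     */
    private static X509Certificate[] getTrustedCaFromCertContext(
            CertificateValidationContext certificateValidationContext)
            throws CertificateException, IOException {
        DataSource trustedCa = certificateValidationContext.getTrustedCa();
        DataSource.SpecifierCase specifierCase = trustedCa.getSpecifierCase();
        switch (specifierCase) {
            case FILENAME:
                String filename = trustedCa.getFilename();
                Preconditions.checkState(!Strings.isNullOrEmpty(filename),
                        "trustedCa.file-name in certificateValidationContext cannot be empty");
                return CertificateUtils.toX509Certificates(new File(filename));
            case INLINE_BYTES:
                // try-with-resources closes the stream on both the success and the failure path
                try (InputStream input = trustedCa.getInlineBytes().newInput()) {
                    return CertificateUtils.toX509Certificates(input);
                }
            default:
                throw new IllegalArgumentException("Not supported: " + specifierCase);
        }
    }

    /**
     * Builds an {@link XdsX509TrustManager} that delegates path validation to the platform's
     * default X.509 trust manager, initialised with exactly the given certificates as anchors.
     *
     * @param x509CertificateArr the trust anchors
     * @param certificateValidationContext the context used by the returned manager for its
     *     additional (xDS-level) checks
     * @throws CertStoreException if the key store or trust manager cannot be created, or if the
     *     platform provides no {@link X509ExtendedTrustManager}
     */
    @VisibleForTesting
    static XdsX509TrustManager createX509TrustManager(X509Certificate[] x509CertificateArr,
            CertificateValidationContext certificateValidationContext) throws CertStoreException {
        try {
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            // an empty load initialises the in-memory key store
            keyStore.load(null, null);
            int index = 1;
            for (X509Certificate x509Certificate : x509CertificateArr) {
                keyStore.setCertificateEntry(CERT_ALIAS_PREFIX + index, x509Certificate);
                index++;
            }
            trustManagerFactory.init(keyStore);
            X509ExtendedTrustManager delegate = findExtendedTrustManager(trustManagerFactory.getTrustManagers());
            if (delegate == null) {
                throw new CertStoreException("Native X509 TrustManager not found.");
            }
            return new XdsX509TrustManager(certificateValidationContext, delegate);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.log(Level.SEVERE, "createX509TrustManager", e);
            throw new CertStoreException(e);
        }
    }

    /** Returns the first {@link X509ExtendedTrustManager} in the array, or null if there is none. */
    private static X509ExtendedTrustManager findExtendedTrustManager(TrustManager[] trustManagers) {
        if (trustManagers == null) {
            return null;
        }
        for (TrustManager trustManager : trustManagers) {
            if (trustManager instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) trustManager;
            }
        }
        return null;
    }

    /** Unsupported: trust anchors are fixed at construction and cannot be replaced by a key store. */
    @Override
    protected void engineInit(KeyStore keyStore) throws Exception {
        throw new UnsupportedOperationException();
    }

    /** Unsupported: trust anchors are fixed at construction and cannot be replaced by parameters. */
    @Override
    protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception {
        throw new UnsupportedOperationException();
    }

    /** Returns a fresh one-element array holding the xDS-aware trust manager. */
    @Override
    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{this.xdsX509TrustManager};
    }
}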
