package org.apache.hadoop.hdds.security.ssl;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

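/**
 * {@link X509TrustManager} whose trusted CA set can be rebuilt at runtime.
 *
 * <p>Trust decisions are delegated to a JSSE trust manager built from the CA
 * certificates reported by a {@link CertificateClient}. {@link #loadFrom(CertificateClient)}
 * rebuilds that delegate when the reported certificate set changes; a handshake that
 * already obtained the previous delegate from {@link #trustManagerRef} keeps using it.
 *
 * <p>Thread-safety: the delegate is swapped atomically, so the three
 * {@code X509TrustManager} methods may be called from any thread. Reloading itself is not
 * synchronized: {@link #currentRootCACertIds} is only touched from the constructor and
 * {@code loadFrom}, so reloads are expected to be driven from a single thread.
 */
@InterfaceStability.Evolving
@InterfaceAudience.Private
public final class ReloadingX509TrustManager implements X509TrustManager {
    static final String RELOAD_ERROR_MESSAGE = "Could not reload truststore (keep using existing one) : ";
    public static final Logger LOG = LoggerFactory.getLogger(ReloadingX509TrustManager.class);
    private static final X509Certificate[] EMPTY = new X509Certificate[0];

    /** KeyStore type handed to {@link KeyStore#getInstance(String)} for the in-memory truststore. */
    private final String type;
    /** Decimal serial numbers of the CA certificates the current delegate was built from. */
    private final List<String> currentRootCACertIds = new ArrayList<>();
    /** Current delegate; {@code null} only if the factory yielded no {@link X509TrustManager} at construction. */
    private final AtomicReference<X509TrustManager> trustManagerRef = new AtomicReference<>();

    /**
     * Builds the initial delegate from the CA certificates of {@code certificateClient}.
     *
     * @param type              keystore type, e.g. the value accepted by {@link KeyStore#getInstance(String)}
     * @param certificateClient source of the trusted CA certificates
     * @throws GeneralSecurityException if the keystore or trust manager factory cannot be created
     * @throws IOException              if the empty in-memory keystore cannot be initialised
     */
    public ReloadingX509TrustManager(String type, CertificateClient certificateClient) throws GeneralSecurityException, IOException {
        this.type = type;
        this.trustManagerRef.set(loadTrustManager(certificateClient));
    }

    /**
     * Delegates the client-chain check; a rejected chain is logged (subject names only) before
     * the {@link CertificateException} is rethrown.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        X509TrustManager delegate = requireDelegate("client", chain);
        try {
            delegate.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            LOG.info("Client certificate chain {} for authType {} is not trusted", describeChain(chain), authType);
            throw e;
        }
    }

    /**
     * Delegates the server-chain check; a rejected chain is logged (subject names only) before
     * the {@link CertificateException} is rethrown.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        X509TrustManager delegate = requireDelegate("server", chain);
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // Says "Server" so that client-side and server-side rejections can be told apart in the log.
            LOG.info("Server certificate chain {} for authType {} is not trusted", describeChain(chain), authType);
            throw e;
        }
    }

    /** Accepted issuers of the current delegate, or an empty array when no delegate was ever loaded. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager delegate = trustManagerRef.get();
        return delegate == null ? EMPTY : delegate.getAcceptedIssuers();
    }

    /**
     * Rebuilds the delegate from {@code certificateClient} if its CA certificate set changed.
     *
     * <p>If nothing changed the current delegate is kept. Any failure is wrapped in a
     * {@link RuntimeException} carrying {@link #RELOAD_ERROR_MESSAGE}; the previous delegate
     * stays in place so trust checks keep working with the last good truststore.
     *
     * @return {@code this}, for chaining
     */
    public ReloadingX509TrustManager loadFrom(CertificateClient certificateClient) {
        try {
            X509TrustManager reloaded = loadTrustManager(certificateClient);
            if (reloaded != null) {
                trustManagerRef.set(reloaded);
                LOG.info("ReloadingX509TrustManager is reloaded.");
            }
            return this;
        } catch (Exception e) {
            // Broad catch on purpose: whatever went wrong, the existing delegate must survive.
            throw new RuntimeException(RELOAD_ERROR_MESSAGE, e);
        }
    }

    /**
     * Builds a new delegate from the client's CA certificates.
     *
     * <p>Root CA certificates are preferred; the general CA certificates are used only when no
     * root CA certificate is reported. Returns {@code null} when the set is non-empty and its
     * serial numbers match those the current delegate was built from (nothing to reload), or when
     * the factory yields no {@link X509TrustManager}. An empty set still produces a delegate (built
     * from an empty truststore) and is re-attempted on every call.
     *
     * @throws GeneralSecurityException if the keystore or trust manager factory cannot be created
     * @throws IOException              if the empty in-memory keystore cannot be initialised
     */
    X509TrustManager loadTrustManager(CertificateClient certificateClient) throws GeneralSecurityException, IOException {
        Set<X509Certificate> rootCaCerts = certificateClient.getAllRootCaCerts();
        Set<X509Certificate> caCerts = rootCaCerts.isEmpty() ? certificateClient.getAllCaCerts() : rootCaCerts;
        if (isUnchanged(caCerts)) {
            return null;
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        keyStore.load(null, null); // fresh, empty, in-memory truststore
        insertCertsToKeystore(caCerts, keyStore);
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore);
        X509TrustManager result = null;
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                result = (X509TrustManager) candidate;
                break;
            }
        }
        // Remember what this delegate was built from so an identical set skips the next rebuild.
        currentRootCACertIds.clear();
        for (X509Certificate cert : caCerts) {
            currentRootCACertIds.add(serialId(cert));
        }
        return result;
    }

    /**
     * True when {@code caCerts} is non-empty and carries exactly the serial numbers recorded for
     * the current delegate; such a set needs no rebuild.
     */
    private boolean isUnchanged(Set<X509Certificate> caCerts) {
        return !caCerts.isEmpty()
            && currentRootCACertIds.size() == caCerts.size()
            && caCerts.stream().allMatch(cert -> currentRootCACertIds.contains(serialId(cert)));
    }

    /**
     * Adds every certificate to {@code keyStore} as a trusted entry, keyed by its serial number.
     *
     * @throws KeyStoreException if the keystore rejects an entry
     */
    private void insertCertsToKeystore(Iterable<X509Certificate> certs, KeyStore keyStore) throws KeyStoreException {
        LOG.info("Trust manager is loaded with certificates");
        for (X509Certificate cert : certs) {
            // NOTE(review): X.509 serial numbers are unique only per issuer; two CAs sharing a serial
            // would collide on this alias and the later one would replace the earlier in the truststore.
            keyStore.setCertificateEntry(serialId(cert), cert);
            LOG.info("{}", cert);
        }
    }

    /** Returns the current delegate, or throws a {@link CertificateException} when none was ever loaded. */
    private X509TrustManager requireDelegate(String side, X509Certificate[] chain) throws CertificateException {
        X509TrustManager delegate = trustManagerRef.get();
        if (delegate == null) {
            // Guarded so that a null or empty chain produces this exception rather than an NPE/AIOOBE.
            String first = (chain == null || chain.length == 0) ? "<none>" : chain[0].toString();
            throw new CertificateException("Unknown " + side + " chain certificate: " + first);
        }
        return delegate;
    }

    /** Comma-separated subject names of {@code chain}; empty string when {@code chain} is {@code null} or empty. */
    static String describeChain(X509Certificate[] chain) {
        if (chain == null) {
            return "";
        }
        return Arrays.stream(chain)
            .map(X509Certificate::getSubjectX500Principal)
            .map(Object::toString)
            .collect(Collectors.joining(","));
    }

    /** Decimal serial number used both as keystore alias and as change-detection id. */
    private static String serialId(X509Certificate cert) {
        return cert.getSerialNumber().toString();
    }
}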
