package org.apache.hadoop.hdds.scm.client;

import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.hadoop.hdds.security.ssl.PemFileBasedKeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.client.CACertificateProvider;
import org.apache.hadoop.ozone.shaded.com.google.common.base.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/client/ClientTrustManager.class */
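/**
 * Client-side {@link X509ExtendedTrustManager} that trusts the cluster root CA
 * certificates supplied by a {@link CACertificateProvider}.
 *
 * <p>The trust anchors are loaded once at construction time (from the local
 * provider when one is given, otherwise from the remote one). When a server
 * certificate later fails verification, the anchors are re-fetched from the
 * remote provider, the delegate trust manager is rebuilt and the check is
 * retried exactly once, so a client holding a stale root CA (presumably after a
 * CA change on the cluster) can recover without a restart. The retry is only
 * attempted when a remote provider was supplied; otherwise the original
 * verification failure is reported unchanged.
 *
 * <p>NOTE(review): the retry path turns whatever the remote provider returns
 * into a trust anchor. The security of this class therefore rests on the
 * provider obtaining the root CA over an authenticated channel; confirm that
 * against the provider implementation.
 *
 * <p>This trust manager is intended for the client side of a connection only;
 * every {@code checkClientTrusted} variant rejects the call.
 *
 * <p>Thread-safety: a trust manager instance is shared by all connections
 * created from its {@code SSLContext}, and {@link #checkServerTrusted} may
 * replace the delegate, so the delegate field is {@code volatile}. A failed
 * re-fetch leaves the previous delegate in place.
 */
public class ClientTrustManager extends X509ExtendedTrustManager {
    private static final Logger LOG = LoggerFactory.getLogger(ClientTrustManager.class);

    // Queried again when a server certificate fails verification; may be null,
    // in which case no re-fetch is possible.
    private final CACertificateProvider remoteProvider;
    // Delegate built from the currently trusted root CA certificates; replaced
    // as a whole on re-fetch, never mutated in place.
    private volatile X509ExtendedTrustManager trustManager;

    /** One server-trust check, run against a given delegate trust manager. */
    @FunctionalInterface
    private interface ServerCheck {
        void check(X509ExtendedTrustManager delegate) throws CertificateException;
    }

    /**
     * Creates a trust manager whose initial anchors come from {@code localProvider}
     * when present, otherwise from {@code remoteProvider}.
     *
     * @param remoteProvider provider used to (re-)fetch the root CA from the cluster; may be null
     * @param localProvider provider used for the initial load; may be null, in which case
     *        {@code remoteProvider} is used instead
     * @throws IllegalArgumentException if both providers are null
     * @throws IOException if the certificates cannot be loaded or no delegate trust
     *         manager can be built from them
     */
    public ClientTrustManager(CACertificateProvider remoteProvider, CACertificateProvider localProvider) throws IOException {
        if (remoteProvider == null && localProvider == null) {
            throw new IllegalArgumentException("Client trust configuration error, no mechanism present to find the rootCA certificate of the cluster.");
        }
        this.remoteProvider = remoteProvider;
        try {
            initialize(loadCerts(localProvider));
        } catch (CertificateException e) {
            throw new IOException(e);
        }
    }

    /**
     * Builds a fresh delegate trust manager whose anchors are exactly {@code certs}
     * and installs it. The current delegate is untouched if anything fails.
     *
     * <p>An empty list is accepted; it yields a delegate without trust anchors, so
     * every subsequent server check is expected to fail.
     *
     * @param certs root CA certificates to trust
     * @throws CertificateException if the key store or trust manager cannot be created
     */
    private void initialize(List<X509Certificate> certs) throws CertificateException {
        try {
            KeyStore keyStore = KeyStore.getInstance(PemFileBasedKeyStoresFactory.DEFAULT_KEYSTORE_TYPE);
            keyStore.load(null);
            for (X509Certificate cert : certs) {
                // Serial numbers are only unique per issuer. Keying the entry on the
                // serial alone would let a second CA with a colliding serial silently
                // replace the first one, dropping a trust anchor.
                String alias = cert.getIssuerX500Principal().getName() + "/" + cert.getSerialNumber();
                keyStore.setCertificateEntry(alias, cert);
            }
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            X509ExtendedTrustManager delegate = Arrays.stream(factory.getTrustManagers())
                .filter(X509ExtendedTrustManager.class::isInstance)
                .map(X509ExtendedTrustManager.class::cast)
                .findFirst()
                .orElseThrow(() -> new GeneralSecurityException("Could not load TrustManager."));
            // Assign only once the new delegate is fully built.
            this.trustManager = delegate;
        } catch (IOException | GeneralSecurityException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Loads the root CA certificates from {@code provider}, falling back to the
     * remote provider when {@code provider} is null.
     *
     * @param provider preferred provider; may be null
     * @return the certificates returned by the chosen provider
     * @throws CertificateException if no provider is available or loading fails
     */
    private List<X509Certificate> loadCerts(CACertificateProvider provider) throws CertificateException {
        CACertificateProvider source = provider != null ? provider : remoteProvider;
        if (source == null) {
            // Previously this dereferenced a null remote provider and surfaced as an
            // NPE out of the TLS handshake; report it as a certificate problem instead.
            throw new CertificateException("No CA certificate provider available to load the rootCA certificate.");
        }
        try {
            LOG.info("Loading certificates for client.");
            return source.provideCACerts();
        } catch (IOException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Runs {@code check} against the current delegate. On failure, re-fetches the
     * root CA from the remote provider, rebuilds the delegate and retries once; the
     * original failure is attached as a suppressed exception if the retry also fails.
     *
     * @param check the server-trust check to perform
     * @throws CertificateException if the check fails and cannot be recovered by a re-fetch
     */
    private void checkServerTrustedWithRefresh(ServerCheck check) throws CertificateException {
        try {
            check.check(trustManager);
        } catch (CertificateException e) {
            if (remoteProvider == null) {
                // Nothing to re-fetch from; report the original verification failure.
                throw e;
            }
            LOG.info("CheckServerTrusted call failed, trying to re-fetch rootCA certificate", e);
            try {
                initialize(loadCerts(remoteProvider));
                check.check(trustManager);
            } catch (CertificateException retryFailure) {
                retryFailure.addSuppressed(e);
                throw retryFailure;
            }
        }
    }

    /** Builds the exception returned for every server-side (client-trust) check. */
    private static CertificateException clientSideOnly() {
        return new CertificateException(new UnsupportedOperationException("ClientTrustManager should not be used as a trust manager of a server socket."));
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        checkServerTrustedWithRefresh(delegate -> delegate.checkServerTrusted(chain, authType, socket));
    }

    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        checkServerTrustedWithRefresh(delegate -> delegate.checkServerTrusted(chain, authType, engine));
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkServerTrustedWithRefresh(delegate -> delegate.checkServerTrusted(chain, authType));
    }

    /** @return the trust anchors of the delegate currently installed */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return trustManager.getAcceptedIssuers();
    }

    /** Always rejects: this trust manager must not validate client certificates. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        throw clientSideOnly();
    }

    /** Always rejects: this trust manager must not validate client certificates. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        throw clientSideOnly();
    }

    /** Always rejects: this trust manager must not validate client certificates. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw clientSideOnly();
    }
}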
