package org.apache.hadoop.hdds.security.ssl;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateNotification;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

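/**
 * Builds the {@link KeyManager}s and {@link TrustManager}s for a TLS endpoint
 * from the certificate material held by a {@link CertificateClient}, instead of
 * from key store files on disk.
 *
 * <p>The managers created here are {@code ReloadingX509KeyManager} and
 * {@code ReloadingX509TrustManager} instances that can be re-populated in place.
 * The factory registers itself with the certificate client during {@link #init}
 * so that a certificate renewal reloads the live managers without rebuilding
 * the {@code SSLContext}.
 *
 * <p>Thread-safety: every public method is {@code synchronized} on this
 * instance, so a renewal notification cannot interleave with {@link #init},
 * {@link #destroy} or the getters.
 */
@InterfaceStability.Evolving
@InterfaceAudience.Private
public class PemFileBasedKeyStoresFactory implements KeyStoresFactory, CertificateNotification {
    private static final Logger LOG = LoggerFactory.getLogger(PemFileBasedKeyStoresFactory.class);

    /**
     * Store type for the in-memory stores built here; it is handed to the
     * reloading managers and used for the empty client-side key store.
     * The constant is public, so changing its value is an API change.
     */
    public static final String DEFAULT_KEYSTORE_TYPE = "jks";

    /** {@code null} until {@link #init} has run, and again after {@link #destroy}. */
    private KeyManager[] keyManagers;
    /** {@code null} until {@link #init} has run, and again after {@link #destroy}. */
    private TrustManager[] trustManagers;
    private final CertificateClient caClient;

    /**
     * Creates a factory bound to the given certificate client.
     *
     * @param securityConfig    not used by this class; retained for API compatibility
     * @param certificateClient source of this node's key pair and of the trusted CA
     *                          certificates; must not be {@code null}
     * @throws NullPointerException if {@code certificateClient} is {@code null}
     *         (fail fast here rather than on the first {@link #init} call)
     */
    public PemFileBasedKeyStoresFactory(SecurityConfig securityConfig, CertificateClient certificateClient) {
        this.caClient = Objects.requireNonNull(certificateClient, "certificateClient");
    }

    /** Builds a single reloading trust manager fed by the certificate client. */
    private void createTrustManagers() throws GeneralSecurityException, IOException {
        this.trustManagers = new TrustManager[]{new ReloadingX509TrustManager(DEFAULT_KEYSTORE_TYPE, this.caClient)};
    }

    /** Builds a single reloading key manager fed by the certificate client. */
    private void createKeyManagers() throws GeneralSecurityException, IOException {
        this.keyManagers = new KeyManager[]{new ReloadingX509KeyManager(DEFAULT_KEYSTORE_TYPE, this.caClient)};
    }

    /**
     * Builds the key and trust managers and subscribes to renewal notifications.
     *
     * <p>In {@code SERVER} mode, or whenever {@code z} is {@code true}, the key
     * managers are backed by this node's own key pair from the certificate client.
     * Otherwise the key managers are created from an empty key store, so the local
     * side has no key material to present in the handshake. Trust managers are
     * always built from the certificate client's CA certificates.
     *
     * @param mode whether the managers serve a server or a client endpoint
     * @param z    presumably "client authentication required": when {@code true}
     *             a client endpoint also gets a certificate-backed key manager
     *             (decompiled parameter name; confirm against {@code KeyStoresFactory})
     * @throws IOException              if certificate material cannot be read
     * @throws GeneralSecurityException if the key or trust managers cannot be built
     */
    @Override // org.apache.hadoop.hdds.security.ssl.KeyStoresFactory
    public synchronized void init(KeyStoresFactory.Mode mode, boolean z) throws IOException, GeneralSecurityException {
        boolean needsOwnCertificate = z || mode == KeyStoresFactory.Mode.SERVER;
        if (needsOwnCertificate) {
            createKeyManagers();
        } else {
            // Empty in-memory store: a client that need not authenticate itself
            // gets key managers with nothing to offer.
            KeyStore emptyStore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
            emptyStore.load(null, null);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(emptyStore, null);
            this.keyManagers = kmf.getKeyManagers();
        }
        createTrustManagers();
        // NOTE(review): every init() call registers this receiver again; whether the
        // client de-duplicates receivers is not visible here.
        this.caClient.registerNotificationReceiver(this);
    }

    /**
     * Drops the managers. Subsequent getters fail until {@link #init} runs again.
     * The factory stays registered with the certificate client; a renewal that
     * arrives after destroy finds no managers and reloads nothing.
     */
    @Override // org.apache.hadoop.hdds.security.ssl.KeyStoresFactory
    public synchronized void destroy() {
        this.keyManagers = null;
        this.trustManagers = null;
    }

    /**
     * Returns a copy of the key manager array so callers cannot alter the
     * factory's internal state; the manager objects themselves are shared and
     * are reloaded in place on renewal.
     *
     * @throws NullPointerException if {@link #init} has not run or {@link #destroy} has
     */
    @Override // org.apache.hadoop.hdds.security.ssl.KeyStoresFactory
    public synchronized KeyManager[] getKeyManagers() {
        KeyManager[] current = Objects.requireNonNull(this.keyManagers,
            "key managers not available: init() has not run or destroy() was called");
        return current.clone();
    }

    /**
     * Returns a copy of the trust manager array; see {@link #getKeyManagers()}.
     *
     * @throws NullPointerException if {@link #init} has not run or {@link #destroy} has
     */
    @Override // org.apache.hadoop.hdds.security.ssl.KeyStoresFactory
    public synchronized TrustManager[] getTrustManagers() {
        TrustManager[] current = Objects.requireNonNull(this.trustManagers,
            "trust managers not available: init() has not run or destroy() was called");
        return current.clone();
    }

    /**
     * Reloads every reloading key and trust manager from the notifying client.
     * Managers of other types (for example those from the empty client-side
     * store) are left untouched. Note that the reload uses the client passed in
     * the notification, not the one this factory was constructed with.
     *
     * @param certificateClient client whose certificates were renewed
     * @param str               unused here; presumably the previous certificate id —
     *                          confirm against {@code CertificateNotification}
     * @param str2              unused here; presumably the new certificate id —
     *                          confirm against {@code CertificateNotification}
     */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.CertificateNotification
    public synchronized void notifyCertificateRenewed(CertificateClient certificateClient, String str, String str2) {
        LOG.info("{} notify certificate renewed", certificateClient.getComponentName());
        if (this.keyManagers != null) {
            for (KeyManager km : this.keyManagers) {
                if (km instanceof ReloadingX509KeyManager) {
                    ((ReloadingX509KeyManager) km).loadFrom(certificateClient);
                }
            }
        }
        if (this.trustManagers != null) {
            for (TrustManager tm : this.trustManagers) {
                if (tm instanceof ReloadingX509TrustManager) {
                    ((ReloadingX509TrustManager) tm).loadFrom(certificateClient);
                }
            }
        }
    }
}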
