package org.apache.omid.tls;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Arrays;
import java.util.Objects;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.omid.tls.X509Exception;
import org.apache.phoenix.mapreduce.RegexToKeyValueMapper;
import org.apache.phoenix.shaded.io.netty.handler.ssl.Ciphers;
import org.apache.phoenix.shaded.io.netty.handler.ssl.SslContext;
import org.apache.phoenix.shaded.io.netty.handler.ssl.SslContextBuilder;
import org.apache.phoenix.thirdparty.com.google.common.collect.ObjectArrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/omid/tls/X509Util.class */
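/**
 * Builds Netty {@link SslContext} instances for Omid clients and servers from a keystore and a
 * truststore on the local filesystem.
 *
 * <p>Trust is always PKIX-based. When CRL or OCSP checking is requested, revocation is switched
 * on in the {@link PKIXBuilderParameters} of the trust manager and, additionally, through JVM
 * system/security properties. Those properties are process-wide: enabling revocation for one
 * context affects every PKIX trust manager created afterwards in the same JVM, which callers
 * should keep in mind when several TLS configurations coexist.
 *
 * <p>Passwords are handled as {@code char[]} and are never logged; a {@code null} password is
 * treated as an empty password.
 */
public final class X509Util {
    /** Not referenced inside this class; presumably consumed by callers that detect TLS handshakes. */
    public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
    /** Protocol used by callers when no explicit protocol list is configured. */
    public static final String DEFAULT_PROTOCOL = "TLSv1.2";
    private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
    private static final char[] EMPTY_CHAR_ARRAY = new char[0];
    /** Keystore/truststore type assumed when the caller passes {@code null}. */
    private static final String DEFAULT_KEYSTORE_TYPE = "jks";
    /** Java 8 ordering: CBC suites first, then GCM (see {@link #getDefaultCipherSuitesForJavaVersion}). */
    private static final String[] DEFAULT_CIPHERS_JAVA8 = concat(getCBCCiphers(), getGCMCiphers());
    /** Java 9+ ordering: GCM suites first, then CBC. */
    private static final String[] DEFAULT_CIPHERS_JAVA9 = concat(getGCMCiphers(), getCBCCiphers());

    /** ECDHE AES-GCM suites, in preference order. */
    private static String[] getGCMCiphers() {
        return new String[]{Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384};
    }

    /** ECDHE AES-CBC suites, in preference order. */
    private static String[] getCBCCiphers() {
        return new String[]{Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA};
    }

    /** Concatenates two arrays using only the standard library (replaces the Guava helper). */
    private static String[] concat(String[] first, String[] second) {
        String[] joined = Arrays.copyOf(first, first.length + second.length);
        System.arraycopy(second, 0, joined, first.length, second.length);
        return joined;
    }

    private X509Util() {
    }

    /**
     * Returns the default cipher suites for the running JVM, chosen from the
     * {@code java.specification.version} system property.
     *
     * @return a fresh copy of the default suite list (safe for the caller to modify)
     */
    static String[] getDefaultCipherSuites() {
        return getDefaultCipherSuitesForJavaVersion(System.getProperty("java.specification.version"));
    }

    /**
     * Picks the default cipher suite ordering for a Java specification version string.
     *
     * <p>Versions made only of digits ("9", "11", "17") select the Java 9+ list; versions starting
     * with "1." ("1.8") select the Java 8 list. Anything else falls back to the Java 8 list.
     *
     * @param str the value of {@code java.specification.version}; must not be {@code null}
     * @return a fresh copy of the matching suite list, so callers cannot alter the shared defaults
     * @throws NullPointerException if {@code str} is {@code null}
     */
    static String[] getDefaultCipherSuitesForJavaVersion(String str) {
        Objects.requireNonNull(str, "java version");
        if (str.matches("\\d+")) {
            LOG.debug("Using Java9+ optimized cipher suites for Java version {}", str);
            return DEFAULT_CIPHERS_JAVA9.clone();
        }
        if (str.startsWith("1.")) {
            LOG.debug("Using Java8 optimized cipher suites for Java version {}", str);
            return DEFAULT_CIPHERS_JAVA8.clone();
        }
        LOG.debug("Could not parse java version {}, using Java8 optimized cipher suites", str);
        return DEFAULT_CIPHERS_JAVA8.clone();
    }

    /**
     * Creates a client-side {@link SslContext}.
     *
     * <p>An empty keystore location is allowed (no client certificate is presented); an empty
     * truststore location is allowed too, in which case Netty's default trust handling applies and
     * a warning is logged, so operators should not leave it empty by accident.
     *
     * @param keyStoreLocation   path of the keystore; empty to skip the key manager
     * @param keyStorePassword   keystore password, {@code null} for empty
     * @param keyStoreType       keystore type, {@code null} for "jks"
     * @param trustStoreLocation path of the truststore; empty to skip the trust manager
     * @param trustStorePassword truststore password, {@code null} for empty
     * @param trustStoreType     truststore type, {@code null} for "jks"
     * @param crlEnabled         enable CRL distribution point checking
     * @param ocspEnabled        enable OCSP (also passed to Netty's {@code enableOcsp})
     * @param enabledProtocols   delimited protocol list, or {@code null} to use {@code defaultProtocol}
     * @param cipherSuites       delimited cipher suite list, or {@code null} for the JVM defaults
     * @param defaultProtocol    single protocol used when {@code enabledProtocols} is {@code null}
     * @return the built context
     * @throws X509Exception if the key or trust material cannot be loaded
     * @throws IOException   if Netty fails to build the context
     */
    public static SslContext createSslContextForClient(String keyStoreLocation, char[] keyStorePassword, String keyStoreType, String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled, String enabledProtocols, String cipherSuites, String defaultProtocol) throws X509Exception, IOException {
        Objects.requireNonNull(keyStoreLocation, "keyStoreLocation");
        SslContextBuilder builder = SslContextBuilder.forClient();
        if (keyStoreLocation.isEmpty()) {
            LOG.warn("keyStoreLocation is not specified");
        } else {
            builder.keyManager(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
        }
        return buildWithCommonSettings(builder, trustStoreLocation, trustStorePassword, trustStoreType,
                crlEnabled, ocspEnabled, enabledProtocols, cipherSuites, defaultProtocol);
    }

    /**
     * Creates a server-side {@link SslContext}. A keystore is mandatory because the server must
     * present a certificate; see {@link #createSslContextForClient} for the remaining parameters.
     *
     * @throws X509Exception if {@code keyStoreLocation} is empty or the key/trust material cannot be loaded
     * @throws IOException   if Netty fails to build the context
     */
    public static SslContext createSslContextForServer(String keyStoreLocation, char[] keyStorePassword, String keyStoreType, String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled, String enabledProtocols, String cipherSuites, String defaultProtocol) throws X509Exception, IOException {
        Objects.requireNonNull(keyStoreLocation, "keyStoreLocation");
        if (keyStoreLocation.isEmpty()) {
            throw new X509Exception.SSLContextException("keyStoreLocation is required for SSL server: ");
        }
        SslContextBuilder builder = SslContextBuilder.forServer(createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType));
        return buildWithCommonSettings(builder, trustStoreLocation, trustStorePassword, trustStoreType,
                crlEnabled, ocspEnabled, enabledProtocols, cipherSuites, defaultProtocol);
    }

    /** Applies the trust manager, OCSP flag, protocols and cipher suites shared by client and server, then builds. */
    private static SslContext buildWithCommonSettings(SslContextBuilder builder, String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled, String enabledProtocols, String cipherSuites, String defaultProtocol) throws X509Exception, IOException {
        Objects.requireNonNull(trustStoreLocation, "trustStoreLocation");
        if (trustStoreLocation.isEmpty()) {
            LOG.warn("trustStoreLocation is not specified");
        } else {
            builder.trustManager(createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType, crlEnabled, ocspEnabled));
        }
        builder.enableOcsp(ocspEnabled);
        builder.protocols(getEnabledProtocols(enabledProtocols, defaultProtocol));
        builder.ciphers(Arrays.asList(getCipherSuites(cipherSuites)));
        return builder.build();
    }

    /**
     * Loads a keystore from {@code location} and returns the first PKIX {@link X509KeyManager} for it.
     *
     * @param keyStoreLocation filesystem path of the keystore
     * @param keyStorePassword password, {@code null} for empty
     * @param keyStoreType     keystore type, {@code null} for "jks"
     * @throws X509Exception.KeyManagerException if the store cannot be read or no X509KeyManager is available
     */
    static X509KeyManager createKeyManager(String keyStoreLocation, char[] keyStorePassword, String keyStoreType) throws X509Exception.KeyManagerException {
        String type = keyStoreType == null ? DEFAULT_KEYSTORE_TYPE : keyStoreType;
        char[] password = keyStorePassword == null ? EMPTY_CHAR_ARRAY : keyStorePassword;
        try {
            KeyStore keyStore = loadKeyStore(keyStoreLocation, type, password);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
            keyManagerFactory.init(keyStore, password);
            for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
                if (keyManager instanceof X509KeyManager) {
                    return (X509KeyManager) keyManager;
                }
            }
            throw new X509Exception.KeyManagerException("Couldn't find X509KeyManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new X509Exception.KeyManagerException(e);
        }
    }

    /**
     * Loads a truststore and returns a PKIX {@link X509TrustManager} (an {@link X509ExtendedTrustManager})
     * for it, with revocation checking configured per the two flags.
     *
     * @param trustStoreLocation filesystem path of the truststore
     * @param trustStorePassword password, {@code null} for empty
     * @param trustStoreType     truststore type, {@code null} for "jks"
     * @param crlEnabled         enable CRL distribution point fetching
     * @param ocspEnabled        enable OCSP
     * @throws X509Exception.TrustManagerException if the store cannot be read or no X509ExtendedTrustManager is available
     */
    static X509TrustManager createTrustManager(String trustStoreLocation, char[] trustStorePassword, String trustStoreType, boolean crlEnabled, boolean ocspEnabled) throws X509Exception.TrustManagerException {
        String type = trustStoreType == null ? DEFAULT_KEYSTORE_TYPE : trustStoreType;
        char[] password = trustStorePassword == null ? EMPTY_CHAR_ARRAY : trustStorePassword;
        try {
            KeyStore trustStore = loadKeyStore(trustStoreLocation, type, password);
            PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            configureRevocation(pkixParameters, crlEnabled, ocspEnabled);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init(new CertPathTrustManagerParameters(pkixParameters));
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509ExtendedTrustManager) {
                    return (X509ExtendedTrustManager) trustManager;
                }
            }
            throw new X509Exception.TrustManagerException("Couldn't find X509TrustManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new X509Exception.TrustManagerException(e);
        }
    }

    /**
     * Opens {@code location}, loads it into a {@link KeyStore} of the given type and closes the stream
     * even when {@code load} fails (the previous hand-written close path leaked the stream on error).
     */
    private static KeyStore loadKeyStore(String location, String type, char[] password) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(new File(location).toPath())) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Turns revocation checking on or off for the PKIX parameters and, when on, sets the JVM-wide
     * properties the JDK consults for CRL distribution points and OCSP.
     *
     * <p>The JSSE property name is {@code com.sun.net.ssl.checkRevocation}; the decompiled build
     * carried a relocated literal ("org.apache.phoenix.shaded.com.sun.net.ssl.checkRevocation")
     * that the JDK never reads, so that property had no effect. The PKIX parameters alone still
     * enforced revocation, which is why the mismatch was not fatal.
     */
    private static void configureRevocation(PKIXBuilderParameters pkixParameters, boolean crlEnabled, boolean ocspEnabled) {
        if (!crlEnabled && !ocspEnabled) {
            pkixParameters.setRevocationEnabled(false);
            return;
        }
        pkixParameters.setRevocationEnabled(true);
        // Process-wide side effects: these apply to every PKIX trust manager in this JVM.
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        if (crlEnabled) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        if (ocspEnabled) {
            Security.setProperty("ocsp.enable", "true");
        }
    }

    /**
     * Splits the configured protocol list, or wraps the single default when none is configured.
     * The delimiter constant is borrowed from Phoenix's {@code RegexToKeyValueMapper}.
     */
    private static String[] getEnabledProtocols(String configuredProtocols, String defaultProtocol) {
        if (configuredProtocols == null) {
            return new String[]{defaultProtocol};
        }
        return configuredProtocols.split(RegexToKeyValueMapper.ARRAY_DELIMITER_DEFAULT);
    }

    /** Splits the configured cipher suite list, or returns the JVM-version defaults when none is configured. */
    private static String[] getCipherSuites(String configuredSuites) {
        if (configuredSuites == null) {
            return getDefaultCipherSuites();
        }
        return configuredSuites.split(RegexToKeyValueMapper.ARRAY_DELIMITER_DEFAULT);
    }
}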
