package org.apache.pinot.common.utils;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.configuration.Configuration;
import org.apache.pinot.common.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/common/utils/ClientSSLContextGenerator.class */
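/**
 * Builds a client-side {@link SSLContext} from a {@link Configuration}.
 *
 * <p>Server verification is controlled by {@code server.enable-verification} (default {@code true}).
 * When enabled, {@code server.ca-cert} must point at a PEM/DER bundle of CA certificates that becomes
 * the trust store; when explicitly disabled, a trust-all manager is installed and every server
 * certificate is accepted. Optional client authentication uses a PKCS12 key store given by
 * {@code client.pkcs12.file} and {@code client.pkcs12.password}, which must be set together.
 */
public class ClientSSLContextGenerator {
    private static final String CONFIG_OF_SERVER_CA_CERT = "server.ca-cert";
    private static final String CONFIG_OF_CLIENT_PKCS12_FILE = "client.pkcs12.file";
    private static final String CONFIG_OF_CLIENT_PKCS12_PASSWORD = "client.pkcs12.password";
    private static final String CONFIG_OF_ENABLE_SERVER_VERIFICATION = "server.enable-verification";
    private static final String SECURITY_ALGORITHM = "TLS";
    private static final String CERTIFICATE_TYPE = "X509";
    private static final String KEYSTORE_TYPE = "PKCS12";
    private static final String KEYMANAGER_FACTORY_ALGORITHM = "SunX509";
    private static final Logger LOGGER = LoggerFactory.getLogger(ClientSSLContextGenerator.class);
    // Path of the CA certificate bundle used to verify servers; null means verification is disabled.
    private final String _serverCACertFile;
    // Path of the PKCS12 key store holding the client identity; null means no client authentication.
    private final String _keyStoreFile;
    // Password of the PKCS12 key store; null exactly when _keyStoreFile is null.
    private final String _keyStorePassword;

    /**
     * Returns the configuration keys whose values are secrets and must be redacted from logs and
     * status endpoints.
     *
     * @return an immutable set containing the PKCS12 password key
     */
    public static Set<String> getProtectedConfigKeys() {
        return Collections.singleton(CONFIG_OF_CLIENT_PKCS12_PASSWORD);
    }

    /**
     * Reads the TLS settings from {@code configuration}.
     *
     * @param configuration source of the {@code server.*} and {@code client.*} keys described on the class
     * @throws IllegalArgumentException if server verification is enabled but no CA certificate file is
     *         configured, or if only one of the key store file and password is configured
     */
    public ClientSSLContextGenerator(Configuration configuration) {
        if (configuration.getBoolean(CONFIG_OF_ENABLE_SERVER_VERIFICATION, true)) {
            String serverCACertFile = configuration.getString(CONFIG_OF_SERVER_CA_CERT);
            if (serverCACertFile == null) {
                // Fail closed: with verification enabled, a missing CA path must not silently fall
                // through to the trust-all manager that setupTrustManagers() installs for a null file.
                throw new IllegalArgumentException("Server verification is enabled but '" + CONFIG_OF_SERVER_CA_CERT
                        + "' is not configured");
            }
            this._serverCACertFile = serverCACertFile;
        } else {
            this._serverCACertFile = null;
            LOGGER.warn("Https Server CA file not configured.. All servers will be trusted!");
        }
        this._keyStoreFile = configuration.getString(CONFIG_OF_CLIENT_PKCS12_FILE);
        this._keyStorePassword = configuration.getString(CONFIG_OF_CLIENT_PKCS12_PASSWORD);
        // Either both or neither of the key store settings must be present.
        if ((this._keyStorePassword == null) != (this._keyStoreFile == null)) {
            throw new IllegalArgumentException("Invalid configuration of keystore file and password");
        }
    }

    /**
     * Creates and initializes a TLS {@link SSLContext} from the configured trust and key material.
     *
     * <p>Any checked exception from loading the stores is passed to {@link Utils#rethrowException},
     * which presumably propagates it unchecked; the trailing {@code return} only satisfies the compiler.
     *
     * @return the initialized context
     */
    public SSLContext generate() {
        SSLContext sslContext = null;
        try {
            TrustManager[] trustManagers = setupTrustManagers();
            KeyManager[] keyManagers = setupKeyManagers();
            sslContext = SSLContext.getInstance(SECURITY_ALGORITHM);
            sslContext.init(keyManagers, trustManagers, null);
        } catch (Exception e) {
            Utils.rethrowException(e);
        }
        return sslContext;
    }

    /**
     * Builds the trust managers used to authenticate servers.
     *
     * <p>Returns a trust-all manager when no CA file is configured (verification explicitly disabled);
     * otherwise every certificate in the CA bundle is added to a fresh in-memory trust store.
     *
     * @return the trust managers backed by the configured CA bundle, or a single trust-all manager
     * @throws CertificateException if the bundle cannot be parsed or contains no certificates
     * @throws IOException if the bundle cannot be read
     */
    private TrustManager[] setupTrustManagers()
            throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
        if (this._serverCACertFile == null) {
            return new TrustManager[]{new TrustAllManager()};
        }
        LOGGER.info("Initializing trust store from {}", this._serverCACertFile);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);
        CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
        int certificateCount = 0;
        // try-with-resources: the original stream was never closed. generateCertificates() consumes the
        // whole bundle and tolerates trailing whitespace, unlike a manual available()/generateCertificate loop.
        try (FileInputStream caCertStream = new FileInputStream(new File(this._serverCACertFile))) {
            for (Certificate certificate : certificateFactory.generateCertificates(caCertStream)) {
                X509Certificate x509Certificate = (X509Certificate) certificate;
                LOGGER.info("Read certificate serial number {} by issuer {} ",
                        x509Certificate.getSerialNumber().toString(16), x509Certificate.getIssuerX500Principal());
                trustStore.setCertificateEntry("https-server-" + certificateCount, x509Certificate);
                certificateCount++;
            }
        }
        if (certificateCount == 0) {
            // An empty trust store would reject every server at connect time with a less helpful error.
            throw new CertificateException("No certificates found in " + this._serverCACertFile);
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERTIFICATE_TYPE);
        trustManagerFactory.init(trustStore);
        LOGGER.info("Successfully initialized trust store");
        return trustManagerFactory.getTrustManagers();
    }

    /**
     * Builds the key managers that present the client certificate, if one is configured.
     *
     * @return the key managers from the PKCS12 store, or {@code null} when no key store is configured
     *         (the JSSE default, meaning no client authentication)
     */
    private KeyManager[] setupKeyManagers() {
        if (this._keyStoreFile == null) {
            return null;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            LOGGER.info("Setting up keystore with file {}", this._keyStoreFile);
            // Non-null here: the constructor rejects a key store file without a password.
            char[] password = this._keyStorePassword.toCharArray();
            try (FileInputStream keyStoreStream = new FileInputStream(new File(this._keyStoreFile))) {
                keyStore.load(keyStoreStream, password);
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KEYMANAGER_FACTORY_ALGORITHM);
            keyManagerFactory.init(keyStore, password);
            LOGGER.info("Successfully initialized keystore");
            return keyManagerFactory.getKeyManagers();
        } catch (Exception e) {
            Utils.rethrowException(e);
            return null;
        }
    }

    /**
     * Trust manager that accepts every certificate chain without checking it.
     *
     * <p>Installed only when {@code server.enable-verification} is explicitly {@code false}; in that mode
     * the client cannot detect an impersonated server, so it is intended for test setups only.
     */
    private static final class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Intentionally no check: verification disabled by configuration.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // Intentionally no check: verification disabled by configuration.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }
}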
