package io.hetu.core.security.networking.ssl;

import io.airlift.security.pem.PemReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/hetu/core/security/networking/ssl/SslContextBuilder.class */
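/**
 * Builds the {@link SslContext} used by the networking layer from the key store,
 * trust store, cipher-suite and protocol settings published by {@link SslConfig}.
 *
 * <p>Both stores may be PEM files or key stores in the JVM's default format
 * ({@link KeyStore#getDefaultType()}); PEM is tried first. When only a key store is
 * configured, that same key store is also used as the trust anchor source.
 *
 * <p>Not thread-safe: a builder is meant to be configured and built by one caller.
 */
public final class SslContextBuilder {
    /** Separator for the configured cipher-suite and protocol lists. */
    private static final String LIST_SEPARATOR = ",";

    /** {@code true} builds a client-mode engine, {@code false} a server-mode engine. */
    private final boolean forClient;
    private boolean startTls;
    private long sessionTimeout = 10000;
    /** Created by {@link #setupSsl()}; stays {@code null} when no store is configured. */
    private SSLEngine engine;

    private SslContextBuilder(boolean forClient) {
        this.forClient = forClient;
    }

    /** Returns a builder for the client side of a connection. */
    public static SslContextBuilder forClient() {
        return new SslContextBuilder(true);
    }

    /** Returns a builder for the server side of a connection. */
    public static SslContextBuilder forServer() {
        return new SslContextBuilder(false);
    }

    /** Sets the STARTTLS flag that is handed to the built {@link SslContext}. */
    public SslContextBuilder startTls(boolean startTls) {
        this.startTls = startTls;
        return this;
    }

    /** Sets the session timeout handed to the built {@link SslContext} (default 10000). */
    public SslContextBuilder sessionTimeout(long sessionTimeout) {
        this.sessionTimeout = sessionTimeout;
        return this;
    }

    /**
     * Fails fast if any key entry's own (leaf) certificate is outside its validity
     * window. Only key entries are inspected; trusted-certificate entries and the rest
     * of a chain are not checked here.
     *
     * @throws CertificateExpiredException     if a key entry's certificate has expired
     * @throws CertificateNotYetValidException if a key entry's certificate is not yet valid
     * @throws GeneralSecurityException        if the store cannot be enumerated
     */
    private static void validateCertificates(KeyStore keyStore) throws GeneralSecurityException {
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (!(certificate instanceof X509Certificate)) {
                continue;
            }
            try {
                ((X509Certificate) certificate).checkValidity();
            } catch (CertificateExpiredException e) {
                // These exception types have no (message, cause) constructor; keep the
                // original as the cause so the alias-less JDK message is not lost.
                CertificateExpiredException wrapped =
                        new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            } catch (CertificateNotYetValidException e) {
                CertificateNotYetValidException wrapped =
                        new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
        }
    }

    /**
     * Loads the trust store from {@code trustStoreFile}.
     *
     * <p>The file is first read as a PEM certificate bundle; if that fails or yields no
     * certificates it is loaded as a key store of the JVM's default type with
     * {@code password} (or no password when absent).
     *
     * <p>PEM certificates are stored under their subject DN, so two certificates with
     * the same subject collide and the later one replaces the earlier.
     *
     * @throws IOException              if the file cannot be read as a key store
     * @throws GeneralSecurityException if the key store cannot be created or parsed
     */
    private static KeyStore loadTrustStore(File trustStoreFile, Optional<String> password)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try {
            List<X509Certificate> chain = PemReader.readCertificateChain(trustStoreFile);
            if (!chain.isEmpty()) {
                keyStore.load(null, null);
                for (X509Certificate certificate : chain) {
                    keyStore.setCertificateEntry(certificate.getSubjectX500Principal().getName(), certificate);
                }
                return keyStore;
            }
        } catch (IOException | GeneralSecurityException ignored) {
            // Deliberate: a PEM parse failure means the file is (probably) JKS/PKCS12.
            // If it is neither, the load below reports the real error.
        }
        try (FileInputStream in = new FileInputStream(trustStoreFile)) {
            keyStore.load(in, password.map(String::toCharArray).orElse(null));
        }
        return keyStore;
    }

    /**
     * Splits a comma-separated configuration value into trimmed, non-empty entries.
     * Returns an empty array when the value is absent or blank, in which case the
     * engine's own defaults are left untouched.
     */
    private static String[] splitList(Optional<String> value) {
        if (!value.isPresent()) {
            return new String[0];
        }
        return Arrays.stream(value.get().split(LIST_SEPARATOR))
                .map(String::trim)
                .filter(entry -> !entry.isEmpty())
                .toArray(String[]::new);
    }

    /**
     * Reads the key/trust store settings from {@link SslConfig} and creates the
     * {@link SSLEngine} that {@link #build()} wraps.
     *
     * <p>If neither a key store nor a trust store path is configured the builder is
     * returned unchanged and {@link #build()} will hand a {@code null} engine to
     * {@link SslContext}. With only a key store configured, its certificates double as
     * the trust anchors (the JVM's default cacerts are never consulted).
     *
     * <p>Cipher suites and protocols are applied only when configured and non-blank;
     * otherwise the engine keeps the JVM defaults.
     *
     * @return this builder
     * @throws RuntimeException if any store cannot be loaded, a key entry's certificate
     *                          is outside its validity window, or the trust manager
     *                          factory does not yield exactly one {@link X509TrustManager}
     */
    public SslContextBuilder setupSsl() {
        Optional<String> keyStorePath = SslConfig.getKeyStorePath();
        Optional<String> keyStorePassword = SslConfig.getKeyStorePassword();
        Optional<String> trustStorePath = SslConfig.getTrustStorePath();
        Optional<String> trustStorePassword = SslConfig.getTrustStorePassword();
        if (!keyStorePath.isPresent() && !trustStorePath.isPresent()) {
            return this;
        }
        try {
            KeyStore keyStore = null;
            KeyManager[] keyManagers = null;
            if (keyStorePath.isPresent()) {
                File keyStoreFile = new File(keyStorePath.get());
                char[] keyPassword;
                try {
                    // PEM: the one file holds both the private key and its certificate chain;
                    // PemReader stores the key under an empty password.
                    keyStore = PemReader.loadKeyStore(keyStoreFile, keyStoreFile, keyStorePassword);
                    keyPassword = new char[0];
                } catch (IOException | GeneralSecurityException notPem) {
                    // Not PEM: load it as a key store of the JVM's default type instead.
                    keyPassword = keyStorePassword.map(String::toCharArray).orElse(null);
                    keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                    try (FileInputStream in = new FileInputStream(keyStoreFile)) {
                        keyStore.load(in, keyPassword);
                    }
                }
                validateCertificates(keyStore);
                KeyManagerFactory keyManagerFactory =
                        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(keyStore, keyPassword);
                keyManagers = keyManagerFactory.getKeyManagers();
            }

            // No explicit trust store => trust exactly the certificates in the key store.
            KeyStore trustStore = trustStorePath.isPresent()
                    ? loadTrustStore(new File(trustStorePath.get()), trustStorePassword)
                    : keyStore;
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new RuntimeException("Unexpected default trust managers");
            }
            X509TrustManager x509TrustManager = (X509TrustManager) trustManagers[0];

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagers, new TrustManager[] {x509TrustManager}, null);
            this.engine = sslContext.createSSLEngine();
            this.engine.setUseClientMode(this.forClient);
            // NOTE(review): the engine is created without peer host/port and no endpoint
            // identification algorithm is set, so in client mode the trust manager validates
            // the chain but nothing here checks the server's hostname against its certificate.
            // Likewise no client-auth requirement is set for server mode. Confirm the caller
            // covers these (e.g. via SSLParameters) if they are expected.

            String[] cipherSuites = splitList(SslConfig.getCipherSuites());
            if (cipherSuites.length > 0) {
                this.engine.setEnabledCipherSuites(cipherSuites);
            }
            String[] protocols = splitList(SslConfig.getSslProtocols());
            if (protocols.length > 0) {
                this.engine.setEnabledProtocols(protocols);
            }
            return this;
        } catch (IOException | GeneralSecurityException e) {
            // Keep the original exception as the cause; its getCause() is usually null
            // and would have produced a "cause by null" message.
            throw new RuntimeException("Setup ssl failed, cause by " + e.getMessage(), e);
        }
    }

    /** Wraps the engine created by {@link #setupSsl()} (possibly {@code null}) in an {@link SslContext}. */
    public SslContext build() {
        return new SslContext(this.engine, this.startTls, this.sessionTimeout);
    }
}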
