package org.apache.hadoop.hdds.security.ssl;

import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

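/**
 * An {@link X509ExtendedKeyManager} whose backing key manager can be replaced at
 * runtime when the {@link CertificateClient} hands out a new private key or
 * certificate chain (e.g. after certificate rotation).
 *
 * <p>Every {@code X509KeyManager} call is delegated to the manager held in
 * {@link #keyManagerRef}. {@link #loadFrom(CertificateClient)} rebuilds that
 * delegate from an in-memory {@link KeyStore}, but only when the key material
 * differs from what is currently installed. The delegate reference is swapped
 * atomically, so concurrent callers observe either the old or the new manager,
 * never a partially built one.
 */
@InterfaceStability.Evolving
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.class */
public class ReloadingX509KeyManager extends X509ExtendedKeyManager {
    public static final Logger LOG = LoggerFactory.getLogger(ReloadingX509KeyManager.class);

    // The key store only ever lives in memory and is never written out, so it
    // does not need a real password.
    static final char[] EMPTY_PASSWORD = new char[0];

    // KeyStore type handed to KeyStore.getInstance(String) on every (re)load.
    private final String type;

    // The delegate that answers all X509KeyManager calls; replaced atomically on reload.
    private final AtomicReference<X509ExtendedKeyManager> keyManagerRef = new AtomicReference<>();

    // Key currently installed in the delegate; compared on reload to detect a no-op.
    private PrivateKey currentPrivateKey;

    // Decimal serial numbers of the chain currently installed in the delegate.
    private final List<String> currentCertIdsList = new ArrayList<>();

    // Alias under which the key entry was stored. Read without a lock by
    // chooseEngineClientAlias while loadKeyManager writes it, hence volatile.
    private volatile String alias;

    /**
     * Builds the initial delegate from {@code certificateClient}.
     *
     * @param str               KeyStore type (see {@link KeyStore#getInstance(String)})
     * @param certificateClient source of the private key and certificate chain
     * @throws GeneralSecurityException if the key store or key manager cannot be built
     * @throws IOException              if loading the empty key store fails
     */
    public ReloadingX509KeyManager(String str, CertificateClient certificateClient) throws GeneralSecurityException, IOException {
        this.type = str;
        this.keyManagerRef.set(loadKeyManager(certificateClient));
    }

    /**
     * Delegates to the current key manager; if it yields no alias, falls back to
     * the alias this class stored its own key under.
     *
     * <p>NOTE(review): the fallback bypasses whatever key-type / issuer filtering
     * the delegate applied, so the stored key is offered even when it would not
     * have matched — confirm this is the intended behaviour for every caller.
     */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        String chosen = this.keyManagerRef.get().chooseEngineClientAlias(keyTypes, issuers, engine);
        if (chosen == null) {
            chosen = this.alias;
            LOG.info("Engine client aliases for {}, {}, {} is returned as {}",
                    keyTypes == null ? "" : Arrays.toString(keyTypes),
                    issuers == null ? "" : Arrays.toString(issuers),
                    engine == null ? "" : engine,
                    chosen);
        }
        return chosen;
    }

    /**
     * Delegates to the current key manager. Unlike the client variant there is no
     * fallback alias; a {@code null} result is only logged at debug level.
     */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        String chosen = this.keyManagerRef.get().chooseEngineServerAlias(keyType, issuers, engine);
        if (chosen == null && LOG.isDebugEnabled()) {
            LOG.debug("Engine server aliases for {}, {}, {} is null",
                    keyType,
                    issuers == null ? "" : Arrays.toString(issuers),
                    engine == null ? "" : engine);
        }
        return chosen;
    }

    /** Delegates to the current key manager. */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return this.keyManagerRef.get().getClientAliases(keyType, issuers);
    }

    /** Delegates to the current key manager. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return this.keyManagerRef.get().chooseClientAlias(keyTypes, issuers, socket);
    }

    /** Delegates to the current key manager. */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return this.keyManagerRef.get().getServerAliases(keyType, issuers);
    }

    /** Delegates to the current key manager. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return this.keyManagerRef.get().chooseServerAlias(keyType, issuers, socket);
    }

    /**
     * Delegates to the current key manager with a lower-cased alias (key store
     * aliases are matched case-insensitively, presumably stored lower-cased).
     *
     * @return the chain, or {@code null} when {@code keyAlias} is {@code null}
     *         (the contract allows a null alias; it must not cause an NPE)
     */
    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String keyAlias) {
        if (keyAlias == null) {
            return null;
        }
        return this.keyManagerRef.get().getCertificateChain(keyAlias.toLowerCase(Locale.ROOT));
    }

    /**
     * Delegates to the current key manager with a lower-cased alias.
     *
     * @return the key, or {@code null} when {@code keyAlias} is {@code null}
     */
    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String keyAlias) {
        if (keyAlias == null) {
            return null;
        }
        return this.keyManagerRef.get().getPrivateKey(keyAlias.toLowerCase(Locale.ROOT));
    }

    /**
     * Re-reads the key material from {@code certificateClient} and installs a
     * fresh delegate if it changed.
     *
     * @param certificateClient source of the (possibly new) key and chain
     * @return {@code this}, for chaining
     * @throws RuntimeException wrapping the checked failure; the method is used
     *                          from a {@code Consumer}-style callback that cannot
     *                          declare checked exceptions
     */
    public ReloadingX509KeyManager loadFrom(CertificateClient certificateClient) {
        try {
            X509ExtendedKeyManager reloaded = loadKeyManager(certificateClient);
            if (reloaded != null) {
                this.keyManagerRef.set(reloaded);
                LOG.info("ReloadingX509KeyManager is reloaded");
            }
            return this;
        } catch (GeneralSecurityException | IOException e) {
            throw new RuntimeException("Failed to reload key manager", e);
        }
    }

    /**
     * Builds a new delegate from the client's current key and chain.
     *
     * <p>Synchronized because it reads, then overwrites, the cached key/serial
     * state; two overlapping reloads would otherwise interleave the clear/add
     * on {@link #currentCertIdsList}.
     *
     * @return the new manager, or {@code null} when the material is unchanged
     * @throws GeneralSecurityException if the key store cannot be built, or the
     *                                  factory yields no {@link X509ExtendedKeyManager}
     * @throws IOException              if loading the empty key store fails
     */
    private synchronized X509ExtendedKeyManager loadKeyManager(CertificateClient certificateClient) throws GeneralSecurityException, IOException {
        PrivateKey privateKey = certificateClient.getPrivateKey();
        List<X509Certificate> trustChain = certificateClient.getTrustChain();
        if (isAlreadyInstalled(privateKey, trustChain)) {
            return null;
        }

        String keyAlias = certificateClient.getComponentName() + "_key";
        KeyStore keyStore = KeyStore.getInstance(this.type);
        keyStore.load(null, null); // initialise an empty in-memory store
        keyStore.setKeyEntry(keyAlias, privateKey, EMPTY_PASSWORD, trustChain.toArray(new X509Certificate[0]));
        LOG.info("Key manager is loaded with certificate chain");
        for (X509Certificate cert : trustChain) {
            LOG.info(cert.toString());
        }

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, EMPTY_PASSWORD);
        X509ExtendedKeyManager loaded = findX509ExtendedKeyManager(keyManagerFactory.getKeyManagers());

        // Only record the new material once a manager was actually produced, so a
        // failed build does not make the next reload think it is a no-op.
        this.alias = keyAlias;
        this.currentPrivateKey = privateKey;
        this.currentCertIdsList.clear();
        for (X509Certificate cert : trustChain) {
            this.currentCertIdsList.add(cert.getSerialNumber().toString());
        }
        return loaded;
    }

    /**
     * Reports whether {@code privateKey} and {@code trustChain} match what is
     * already installed. Certificates are compared by serial number only, which
     * assumes a single issuer; a re-issued certificate from a different CA with
     * a colliding serial would not be detected as a change.
     */
    private boolean isAlreadyInstalled(PrivateKey privateKey, List<X509Certificate> trustChain) {
        if (this.currentPrivateKey == null || !this.currentPrivateKey.equals(privateKey)) {
            return false;
        }
        if (this.currentCertIdsList.isEmpty() || trustChain.size() != this.currentCertIdsList.size()) {
            return false;
        }
        return trustChain.stream()
                .allMatch(cert -> this.currentCertIdsList.contains(cert.getSerialNumber().toString()));
    }

    /**
     * Returns the first {@link X509ExtendedKeyManager} in {@code keyManagers}.
     *
     * @throws GeneralSecurityException if none is present; the previous code
     *                                  returned {@code null} here, which is
     *                                  indistinguishable from "unchanged" and led
     *                                  to a {@code null} delegate
     */
    private static X509ExtendedKeyManager findX509ExtendedKeyManager(KeyManager[] keyManagers) throws GeneralSecurityException {
        for (KeyManager keyManager : keyManagers) {
            if (keyManager instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) keyManager;
            }
        }
        throw new GeneralSecurityException("No X509ExtendedKeyManager provided by " + KeyManagerFactory.getDefaultAlgorithm());
    }
}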
