package org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.common;

import io.netty.handler.ssl.Ciphers;
import java.io.Closeable;
import java.io.IOException;
import java.net.Socket;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.common.X509Exception;
import org.apache.pulsar.shade.org.asynchttpclient.config.AsyncHttpClientConfigDefaults;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/functions/runtime/shaded/org/apache/zookeeper/common/X509Util.class */
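/**
 * Builds {@link SSLContext}s and TLS sockets from {@link ZKConfig} properties and, optionally,
 * rebuilds the default context when the key store or trust store file on disk changes.
 * <p>
 * Subclasses supply the property-name prefix and decide whether client hostnames are verified.
 * Note that {@link #createTrustManager} and the static initializer modify JVM-wide
 * {@code System}/{@code Security} properties; those effects are process-global and are never
 * reverted.
 */
public abstract class X509Util implements Closeable, AutoCloseable {
    private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);

    /** JDK system property that makes the TLS stack refuse renegotiation initiated by the peer. */
    private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY = "jdk.tls.rejectClientInitiatedRenegotiation";

    /** Protocol handed to {@link SSLContext#getInstance(String)} when the protocol property is unset. */
    public static final String DEFAULT_PROTOCOL = "TLSv1.2";

    /** Suite order preferred on Java 8: CBC first, then GCM. Assigned in the static initializer. */
    private static final String[] DEFAULT_CIPHERS_JAVA8;

    /** Suite order preferred on Java 9+: GCM first, then CBC. Assigned in the static initializer. */
    private static final String[] DEFAULT_CIPHERS_JAVA9;

    /** Returned by {@link #getSslHandshakeTimeoutMillis()} when the configured value cannot be obtained. */
    public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;

    /** A bare major version ("9", "11", ...). Java 8 and earlier report "1.x" instead. Compiled once. */
    private static final Pattern BARE_MAJOR_VERSION = Pattern.compile("\\d+");

    // Fully qualified property keys; each is getConfigPrefix() followed by a fixed suffix.
    private final String sslProtocolProperty;
    private final String sslEnabledProtocolsProperty;
    private final String cipherSuitesProperty;
    private final String sslKeystoreLocationProperty;
    private final String sslKeystorePasswdProperty;
    private final String sslKeystoreTypeProperty;
    private final String sslTruststoreLocationProperty;
    private final String sslTruststorePasswdProperty;
    private final String sslTruststoreTypeProperty;
    private final String sslHostnameVerificationEnabledProperty;
    private final String sslCrlEnabledProperty;
    private final String sslOcspEnabledProperty;
    private final String sslClientAuthProperty;
    private final String sslHandshakeDetectionTimeoutMillisProperty;

    // null means "instantiate a fresh ZKConfig whenever a context has to be built".
    private final ZKConfig zkConfig;

    // Built lazily on first use; replaced wholesale when a watched store file changes.
    private final AtomicReference<SSLContextAndOptions> defaultSSLContextAndOptions;

    // Set by enableCertFileReloading(), cleared by close(). Not synchronized; presumably both
    // methods are driven from one setup/teardown thread -- verify against callers.
    private FileChangeWatcher keyStoreFileWatcher;
    private FileChangeWatcher trustStoreFileWatcher;

    /**
     * Client-certificate policy for server-side sockets, mapped onto Netty's {@code ClientAuth}.
     */
    public enum ClientAuth {
        NONE(io.netty.handler.ssl.ClientAuth.NONE),
        WANT(io.netty.handler.ssl.ClientAuth.OPTIONAL),
        NEED(io.netty.handler.ssl.ClientAuth.REQUIRE);

        private final io.netty.handler.ssl.ClientAuth nettyAuth;

        ClientAuth(io.netty.handler.ssl.ClientAuth nettyAuth) {
            this.nettyAuth = nettyAuth;
        }

        /**
         * Parses the {@code clientAuth} property value, case-insensitively.
         *
         * @param value the property value; {@code null} or empty selects {@link #NEED}, the strictest policy
         * @return the matching constant
         * @throws IllegalArgumentException if {@code value} is not NONE, WANT or NEED
         */
        public static ClientAuth fromPropertyValue(String value) {
            if (value == null || value.isEmpty()) {
                return NEED;
            }
            return valueOf(value.toUpperCase());
        }

        /** @return the equivalent Netty constant */
        public io.netty.handler.ssl.ClientAuth toNettyClientAuth() {
            return nettyAuth;
        }
    }

    /** AEAD (GCM) ECDHE suites, ECDSA and RSA variants, 128-bit before 256-bit. */
    private static String[] getGCMCiphers() {
        return new String[]{
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        };
    }

    /** CBC ECDHE suites, kept for Java 8 where GCM is comparatively slow. */
    private static String[] getCBCCiphers() {
        return new String[]{
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        };
    }

    /** Returns a new array holding {@code first} followed by {@code second}; neither input is modified. */
    private static String[] concatArrays(String[] first, String[] second) {
        String[] joined = new String[first.length + second.length];
        System.arraycopy(first, 0, joined, 0, first.length);
        System.arraycopy(second, 0, joined, first.length, second.length);
        return joined;
    }

    /** Creates a helper that reads a fresh {@link ZKConfig} whenever a context has to be built. */
    public X509Util() {
        this(null);
    }

    /**
     * Creates a helper bound to {@code config}.
     *
     * @param config configuration source, or {@code null} to create a new {@link ZKConfig} on demand
     */
    public X509Util(ZKConfig config) {
        // getConfigPrefix() is abstract and runs before the subclass' own fields are initialized,
        // so implementations must return a constant that does not depend on instance state.
        String prefix = getConfigPrefix();
        this.sslProtocolProperty = prefix + "protocol";
        // Plain literal: the decompiled form resolved this string to an unrelated async-http-client
        // constant, which created a spurious dependency on that library.
        this.sslEnabledProtocolsProperty = prefix + "enabledProtocols";
        this.cipherSuitesProperty = prefix + "ciphersuites";
        this.sslKeystoreLocationProperty = prefix + "keyStore.location";
        this.sslKeystorePasswdProperty = prefix + "keyStore.password";
        this.sslKeystoreTypeProperty = prefix + "keyStore.type";
        this.sslTruststoreLocationProperty = prefix + "trustStore.location";
        this.sslTruststorePasswdProperty = prefix + "trustStore.password";
        this.sslTruststoreTypeProperty = prefix + "trustStore.type";
        this.sslHostnameVerificationEnabledProperty = prefix + "hostnameVerification";
        this.sslCrlEnabledProperty = prefix + "crl";
        this.sslOcspEnabledProperty = prefix + "ocsp";
        this.sslClientAuthProperty = prefix + "clientAuth";
        this.sslHandshakeDetectionTimeoutMillisProperty = prefix + "handshakeDetectionTimeoutMillis";
        this.defaultSSLContextAndOptions = new AtomicReference<>(null);
        this.zkConfig = config;
        this.trustStoreFileWatcher = null;
        this.keyStoreFileWatcher = null;
    }

    /** @return the property-name prefix, e.g. the part before {@code keyStore.location}; must be constant */
    protected abstract String getConfigPrefix();

    /** @return whether the trust manager should also verify hostnames of connecting clients */
    protected abstract boolean shouldVerifyClientHostname();

    public String getSslProtocolProperty() {
        return sslProtocolProperty;
    }

    public String getSslEnabledProtocolsProperty() {
        return sslEnabledProtocolsProperty;
    }

    public String getCipherSuitesProperty() {
        return cipherSuitesProperty;
    }

    public String getSslKeystoreLocationProperty() {
        return sslKeystoreLocationProperty;
    }

    /** Alias of {@link #getCipherSuitesProperty()}; both return the same key. */
    public String getSslCipherSuitesProperty() {
        return cipherSuitesProperty;
    }

    public String getSslKeystorePasswdProperty() {
        return sslKeystorePasswdProperty;
    }

    public String getSslKeystoreTypeProperty() {
        return sslKeystoreTypeProperty;
    }

    public String getSslTruststoreLocationProperty() {
        return sslTruststoreLocationProperty;
    }

    public String getSslTruststorePasswdProperty() {
        return sslTruststorePasswdProperty;
    }

    public String getSslTruststoreTypeProperty() {
        return sslTruststoreTypeProperty;
    }

    public String getSslHostnameVerificationEnabledProperty() {
        return sslHostnameVerificationEnabledProperty;
    }

    public String getSslCrlEnabledProperty() {
        return sslCrlEnabledProperty;
    }

    public String getSslOcspEnabledProperty() {
        return sslOcspEnabledProperty;
    }

    public String getSslClientAuthProperty() {
        return sslClientAuthProperty;
    }

    public String getSslHandshakeDetectionTimeoutMillisProperty() {
        return sslHandshakeDetectionTimeoutMillisProperty;
    }

    /**
     * @return the lazily built default context
     * @throws X509Exception.SSLContextException if the context has to be built and that fails
     */
    public SSLContext getDefaultSSLContext() throws X509Exception.SSLContextException {
        return getDefaultSSLContextAndOptions().getSSLContext();
    }

    /**
     * Builds a fresh context from {@code config} without touching the cached default.
     *
     * @throws X509Exception.SSLContextException if the key/trust stores cannot be loaded or the
     *         protocol is unknown
     */
    public SSLContext createSSLContext(ZKConfig config) throws X509Exception.SSLContextException {
        return createSSLContextAndOptions(config).getSSLContext();
    }

    /**
     * Returns the cached default context, building it on first use.
     * <p>
     * Concurrent first callers may each build a context; the compare-and-set guarantees that all of
     * them return the single instance that won, so the losers' contexts are discarded.
     *
     * @throws X509Exception.SSLContextException if building the context fails
     */
    public SSLContextAndOptions getDefaultSSLContextAndOptions() throws X509Exception.SSLContextException {
        SSLContextAndOptions current = defaultSSLContextAndOptions.get();
        if (current != null) {
            return current;
        }
        SSLContextAndOptions built = createSSLContextAndOptions();
        if (defaultSSLContextAndOptions.compareAndSet(null, built)) {
            return built;
        }
        return defaultSSLContextAndOptions.get();
    }

    /** Unconditionally replaces the default context with one built from the current configuration. */
    private void resetDefaultSSLContextAndOptions() throws X509Exception.SSLContextException {
        defaultSSLContextAndOptions.set(createSSLContextAndOptions());
    }

    private SSLContextAndOptions createSSLContextAndOptions() throws X509Exception.SSLContextException {
        return createSSLContextAndOptions(effectiveConfig());
    }

    /** The bound config, or a fresh {@link ZKConfig} when none was supplied to the constructor. */
    private ZKConfig effectiveConfig() {
        return zkConfig == null ? new ZKConfig() : zkConfig;
    }

    /**
     * Handshake-detection timeout from the default context, or
     * {@link #DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS} if the context cannot be built or the
     * property cannot be parsed. Both failures are logged at error level rather than propagated.
     */
    public int getSslHandshakeTimeoutMillis() {
        try {
            return getDefaultSSLContextAndOptions().getHandshakeDetectionTimeoutMillis();
        } catch (X509Exception.SSLContextException e) {
            LOG.error("Error creating SSL context and options", e);
            return DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
        } catch (Exception e) {
            // Presumably a non-numeric timeout property; fall back rather than fail the caller.
            LOG.error("Error parsing config property " + getSslHandshakeDetectionTimeoutMillisProperty(), e);
            return DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS;
        }
    }

    /**
     * Builds an {@link SSLContext} plus its option bundle from {@code config}.
     * <p>
     * An empty key store location yields no {@link KeyManager} (logged as a warning), so the
     * endpoint has no certificate of its own. An empty trust store location yields no
     * {@link TrustManager}; {@link SSLContext#init} then installs the JDK's default trust
     * managers, so peers are validated against the JVM's default trust store instead of being
     * rejected. Operators who expect a private CA must therefore set the trust store explicitly.
     *
     * @param config source of the key/trust store, protocol and verification properties
     * @throws X509Exception.SSLContextException on a bad store type, a store that fails to load,
     *         an unknown protocol, or a context that fails to initialize
     */
    public SSLContextAndOptions createSSLContextAndOptions(ZKConfig config) throws X509Exception.SSLContextException {
        KeyManager[] keyManagers = loadKeyManagers(config);
        TrustManager[] trustManagers = loadTrustManagers(config);
        try {
            SSLContext sslContext = SSLContext.getInstance(config.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL));
            // Either array may be null (see the class comment above for what that means).
            sslContext.init(keyManagers, trustManagers, null);
            return new SSLContextAndOptions(this, config, sslContext);
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new X509Exception.SSLContextException(e);
        }
    }

    /** Key managers from the configured key store, or null (after a warning) when no location is set. */
    private KeyManager[] loadKeyManagers(ZKConfig config) throws X509Exception.SSLContextException {
        String location = config.getProperty(sslKeystoreLocationProperty, "");
        if (location.isEmpty()) {
            LOG.warn("{} not specified", getSslKeystoreLocationProperty());
            return null;
        }
        String password = config.getProperty(sslKeystorePasswdProperty, "");
        String type = config.getProperty(sslKeystoreTypeProperty);
        try {
            return new KeyManager[]{createKeyManager(location, password, type)};
        } catch (IllegalArgumentException e) {
            throw new X509Exception.SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + type, e);
        } catch (X509Exception.KeyManagerException e) {
            throw new X509Exception.SSLContextException("Failed to create KeyManager", e);
        }
    }

    /** Trust managers from the configured trust store, or null (after a warning) when no location is set. */
    private TrustManager[] loadTrustManagers(ZKConfig config) throws X509Exception.SSLContextException {
        String location = config.getProperty(sslTruststoreLocationProperty, "");
        if (location.isEmpty()) {
            LOG.warn("{} not specified", getSslTruststoreLocationProperty());
            return null;
        }
        String password = config.getProperty(sslTruststorePasswdProperty, "");
        String type = config.getProperty(sslTruststoreTypeProperty);
        boolean crlEnabled = config.getBoolean(sslCrlEnabledProperty);
        boolean ocspEnabled = config.getBoolean(sslOcspEnabledProperty);
        // Hostname verification is on unless the operator turns it off; verifying *client*
        // hostnames additionally needs the subclass to opt in.
        boolean hostnameVerificationEnabled = config.getBoolean(getSslHostnameVerificationEnabledProperty(), true);
        boolean clientHostnameVerificationEnabled = hostnameVerificationEnabled && shouldVerifyClientHostname();
        try {
            return new TrustManager[]{
                createTrustManager(location, password, type, crlEnabled, ocspEnabled,
                        hostnameVerificationEnabled, clientHostnameVerificationEnabled)
            };
        } catch (IllegalArgumentException e) {
            throw new X509Exception.SSLContextException("Bad value for " + sslTruststoreTypeProperty + ": " + type, e);
        } catch (X509Exception.TrustManagerException e) {
            throw new X509Exception.SSLContextException("Failed to create TrustManager", e);
        }
    }

    /**
     * Loads the key store at {@code keyStoreLocation} and returns its PKIX {@link X509KeyManager}.
     * <p>
     * The store password is also passed to {@link KeyManagerFactory#init} as the key-recovery
     * password, so private-key entries must be protected with the same password as the store.
     *
     * @param keyStoreLocation path of the store file
     * @param keyStorePassword store password; {@code null} is treated as empty
     * @param keyStoreTypeProp store type from configuration, or {@code null} to infer it from the file name
     * @throws X509Exception.KeyManagerException if the store cannot be read, the type is invalid, or
     *         the factory yields no {@link X509KeyManager}
     */
    public static X509KeyManager createKeyManager(String keyStoreLocation, String keyStorePassword, String keyStoreTypeProp) throws X509Exception.KeyManagerException {
        String password = keyStorePassword == null ? "" : keyStorePassword;
        try {
            KeyStore keyStore = FileKeyStoreLoaderBuilderProvider
                    .getBuilderForKeyStoreFileType(KeyStoreFileType.fromPropertyValueOrFileName(keyStoreTypeProp, keyStoreLocation))
                    .setKeyStorePath(keyStoreLocation)
                    .setKeyStorePassword(password)
                    .build()
                    .loadKeyStore();
            KeyManagerFactory factory = KeyManagerFactory.getInstance("PKIX");
            factory.init(keyStore, password.toCharArray());
            for (KeyManager candidate : factory.getKeyManagers()) {
                if (candidate instanceof X509KeyManager) {
                    return (X509KeyManager) candidate;
                }
            }
            throw new X509Exception.KeyManagerException("Couldn't find X509KeyManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new X509Exception.KeyManagerException(e);
        }
    }

    /**
     * Loads the trust store at {@code trustStoreLocation} and wraps its PKIX trust manager in a
     * {@link ZKTrustManager} that adds hostname verification.
     * <p>
     * When {@code crlEnabled} or {@code ocspEnabled} is set, PKIX revocation checking is turned on
     * for this trust manager <em>and</em> the JVM-wide properties {@code com.sun.net.ssl.checkRevocation}
     * and {@code com.sun.security.enableCRLDP} (plus {@code ocsp.enable} for OCSP) are set to
     * {@code true}. Those settings affect every TLS context in the process and are not reverted
     * when a later call passes {@code false}; only the per-parameters revocation flag is.
     *
     * @param trustStoreLocation path of the store file
     * @param trustStorePassword store password; {@code null} is treated as empty
     * @param trustStoreTypeProp store type from configuration, or {@code null} to infer it from the file name
     * @param crlEnabled enable CRL-based revocation checks
     * @param ocspEnabled enable OCSP-based revocation checks
     * @param hostnameVerificationEnabled first verification flag handed to {@link ZKTrustManager};
     *        presumably controls server-hostname checks -- confirm against ZKTrustManager
     * @param clientHostnameVerificationEnabled second verification flag handed to {@link ZKTrustManager};
     *        derived by the caller as "hostname verification on AND subclass opts in for clients"
     * @throws X509Exception.TrustManagerException if the store cannot be read, the type is invalid,
     *         or the factory yields no {@link X509ExtendedTrustManager}
     */
    public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, boolean hostnameVerificationEnabled, boolean clientHostnameVerificationEnabled) throws X509Exception.TrustManagerException {
        String password = trustStorePassword == null ? "" : trustStorePassword;
        try {
            KeyStore trustStore = FileKeyStoreLoaderBuilderProvider
                    .getBuilderForKeyStoreFileType(KeyStoreFileType.fromPropertyValueOrFileName(trustStoreTypeProp, trustStoreLocation))
                    .setTrustStorePath(trustStoreLocation)
                    .setTrustStorePassword(password)
                    .build()
                    .loadTrustStore();
            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            if (crlEnabled || ocspEnabled) {
                pkixParams.setRevocationEnabled(true);
                // Process-global switches; see the method comment.
                System.setProperty("com.sun.net.ssl.checkRevocation", "true");
                System.setProperty("com.sun.security.enableCRLDP", "true");
                if (ocspEnabled) {
                    Security.setProperty("ocsp.enable", "true");
                }
            } else {
                pkixParams.setRevocationEnabled(false);
            }
            TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
            factory.init(new CertPathTrustManagerParameters(pkixParams));
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509ExtendedTrustManager) {
                    return new ZKTrustManager((X509ExtendedTrustManager) candidate,
                            hostnameVerificationEnabled, clientHostnameVerificationEnabled);
                }
            }
            throw new X509Exception.TrustManagerException("Couldn't find X509TrustManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new X509Exception.TrustManagerException(e);
        }
    }

    /** Unconnected client socket from the default context. */
    public SSLSocket createSSLSocket() throws X509Exception, IOException {
        return getDefaultSSLContextAndOptions().createSSLSocket();
    }

    /**
     * Layers TLS over an already connected {@code socket}; {@code consumedBytes} are bytes already
     * read from it that must be replayed into the handshake (delegated to {@link SSLContextAndOptions}).
     */
    public SSLSocket createSSLSocket(Socket socket, byte[] consumedBytes) throws X509Exception, IOException {
        return getDefaultSSLContextAndOptions().createSSLSocket(socket, consumedBytes);
    }

    /** Unbound server socket from the default context. */
    public SSLServerSocket createSSLServerSocket() throws X509Exception, IOException {
        return getDefaultSSLContextAndOptions().createSSLServerSocket();
    }

    /** Server socket from the default context bound to {@code port}. */
    public SSLServerSocket createSSLServerSocket(int port) throws X509Exception, IOException {
        return getDefaultSSLContextAndOptions().createSSLServerSocket(port);
    }

    /**
     * Default suites for the running JVM, chosen from {@code java.specification.version}.
     * JADX: originally package-private.
     */
    public static String[] getDefaultCipherSuites() {
        return getDefaultCipherSuitesForJavaVersion(System.getProperty("java.specification.version"));
    }

    /**
     * Default suites for a given {@code java.specification.version} string: a bare number ("9",
     * "11", ...) selects the GCM-first list, "1.x" selects the CBC-first list, and anything else
     * falls back to the CBC-first list with a debug log.
     * <p>
     * The returned array is the shared internal list, not a copy; callers must not modify it.
     * JADX: originally package-private.
     *
     * @throws NullPointerException if {@code javaVersion} is null
     */
    public static String[] getDefaultCipherSuitesForJavaVersion(String javaVersion) {
        Objects.requireNonNull(javaVersion);
        if (BARE_MAJOR_VERSION.matcher(javaVersion).matches()) {
            LOG.debug("Using Java9+ optimized cipher suites for Java version {}", javaVersion);
            return DEFAULT_CIPHERS_JAVA9;
        }
        if (javaVersion.startsWith("1.")) {
            LOG.debug("Using Java8 optimized cipher suites for Java version {}", javaVersion);
            return DEFAULT_CIPHERS_JAVA8;
        }
        LOG.debug("Could not parse java version {}, using Java8 optimized cipher suites", javaVersion);
        return DEFAULT_CIPHERS_JAVA8;
    }

    /**
     * Creates (but does not start) a watcher on the parent directory of {@code storePath} that
     * calls {@link #handleWatchEvent} for every event; the handler filters events down to this file.
     *
     * @return the watcher, or {@code null} when {@code storePath} is null or empty
     * @throws IOException if the path has no parent directory or the watcher cannot be created
     */
    private FileChangeWatcher newFileChangeWatcher(String storePath) throws IOException {
        if (storePath == null || storePath.isEmpty()) {
            return null;
        }
        Path absolutePath = Paths.get(storePath).toAbsolutePath();
        Path directory = absolutePath.getParent();
        if (directory == null) {
            throw new IOException("Key/trust store path does not have a parent: " + absolutePath);
        }
        return new FileChangeWatcher(directory, event -> handleWatchEvent(absolutePath, event));
    }

    /**
     * Starts watching the configured key store and trust store files, replacing (and stopping) any
     * watcher installed by an earlier call. Stores whose location is unset are not watched.
     *
     * @throws IOException if a watcher cannot be created; a key store watcher already started by
     *         this call is left running in that case and is released by {@link #close()}
     */
    public void enableCertFileReloading() throws IOException {
        LOG.info("enabling cert file reloading");
        ZKConfig config = effectiveConfig();
        FileChangeWatcher keyWatcher = newFileChangeWatcher(config.getProperty(sslKeystoreLocationProperty));
        if (keyWatcher != null) {
            if (keyStoreFileWatcher != null) {
                keyStoreFileWatcher.stop();
            }
            keyStoreFileWatcher = keyWatcher;
            keyStoreFileWatcher.start();
        }
        FileChangeWatcher trustWatcher = newFileChangeWatcher(config.getProperty(sslTruststoreLocationProperty));
        if (trustWatcher != null) {
            if (trustStoreFileWatcher != null) {
                trustStoreFileWatcher.stop();
            }
            trustStoreFileWatcher = trustWatcher;
            trustStoreFileWatcher.start();
        }
    }

    /** Stops both file watchers if present. Safe to call more than once. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (keyStoreFileWatcher != null) {
            keyStoreFileWatcher.stop();
            keyStoreFileWatcher = null;
        }
        if (trustStoreFileWatcher != null) {
            trustStoreFileWatcher.stop();
            trustStoreFileWatcher = null;
        }
    }

    /**
     * Watcher callback: rebuilds the default context when {@code storePath} was created or
     * modified, or when the watch service reports an overflow (events were lost, so the file may
     * have changed). Events for other files in the directory, and deletions, are ignored and the
     * previous context stays in place.
     *
     * @throws RuntimeException wrapping the {@link X509Exception.SSLContextException} if the
     *         rebuild fails; the previous context remains installed in that case
     */
    private void handleWatchEvent(Path storePath, WatchEvent<?> event) {
        WatchEvent.Kind<?> kind = event.kind();
        boolean reload;
        if (StandardWatchEventKinds.OVERFLOW.equals(kind)) {
            reload = true;
        } else if (StandardWatchEventKinds.ENTRY_MODIFY.equals(kind) || StandardWatchEventKinds.ENTRY_CREATE.equals(kind)) {
            // The watch is on the directory; the event context is the changed entry's relative name.
            Path directory = storePath.getParent();
            reload = storePath.equals(directory.resolve((Path) event.context()));
        } else {
            reload = false;
        }
        if (!reload) {
            LOG.debug("Ignoring watch event and keeping previous default SSL context. Event kind: {} with context: {}",
                    kind, event.context());
            return;
        }
        LOG.debug("Attempting to reset default SSL context after receiving watch event: {} with context: {}",
                kind, event.context());
        try {
            resetDefaultSSLContextAndOptions();
        } catch (X509Exception.SSLContextException e) {
            // NOTE(review): a failed reload (e.g. a store file caught mid-rewrite) propagates out of the
            // watcher callback. The old context stays in use, but whether the watcher keeps running and
            // retries on the next event depends on FileChangeWatcher -- confirm; if it does not, a
            // transient failure silently disables certificate rotation until restart.
            throw new RuntimeException(e);
        }
    }

    static {
        // Process-wide: this affects every TLS endpoint in the JVM, not only ZooKeeper's. Operators
        // who deliberately set the property keep their value.
        if (System.getProperty(REJECT_CLIENT_RENEGOTIATION_PROPERTY) == null) {
            LOG.info("Setting -D {}=true to disable client-initiated TLS renegotiation", REJECT_CLIENT_RENEGOTIATION_PROPERTY);
            System.setProperty(REJECT_CLIENT_RENEGOTIATION_PROPERTY, Boolean.TRUE.toString());
        }
        DEFAULT_CIPHERS_JAVA8 = concatArrays(getCBCCiphers(), getGCMCiphers());
        DEFAULT_CIPHERS_JAVA9 = concatArrays(getGCMCiphers(), getCBCCiphers());
    }
}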
