package com.linkedin.venice.security;

import com.linkedin.venice.security.SSLConfig;
import io.grpc.netty.shaded.io.netty.handler.ssl.Ciphers;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;

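/**
 * Default {@link SSLFactory}: builds one {@link SSLContext} plus the {@link SSLParameters} to use
 * with it from an {@link SSLConfig}.
 *
 * <p>Key material comes from one of two places: a base64-encoded key store blob
 * ({@code keyStoreData}, deprecated; the same store doubles as the trust store) or a key store
 * file together with a separate JKS trust store file. When SSL is disabled in the config, the
 * context and parameters are {@code null}.
 *
 * <p>Only cipher suites that appear in {@link #CIPHER_SUITE_ALLOWLIST} <em>and</em> are supported by
 * the runtime are enabled. Client authentication is required when
 * {@link SSLConfig#doesSslRequireClientCerts()} is true and merely requested otherwise.
 *
 * <p>Not thread-safe for mutation: {@link #setSslRequireClientCerts(boolean)} is a plain field
 * write, and {@link #getSSLParameters()} hands out the shared, mutable parameters object.
 */
public class DefaultSSLFactory implements SSLFactory {
    /**
     * Cipher suites this factory is willing to enable. The {@code *_WITH_NULL_*} suites are
     * deliberately excluded: they authenticate the peer but do not encrypt, and current JDKs
     * disable them by default anyway.
     *
     * <p>NOTE(review): the remaining suites all use static RSA key exchange, which offers no
     * forward secrecy; adding ECDHE suites is a policy decision to make with the owning team.
     */
    static final String[] CIPHER_SUITE_ALLOWLIST = {
        Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256,
        Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256,
        Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA
    };

    private final SSLContext _context;
    private final boolean _sslEnabled;
    // Mirrors SSLConfig.doesSslRequireClientCerts() at construction; mutable via the setter.
    private boolean _sslRequireClientCerts;
    private final String _keyStoreFilePath;
    private final String _trustStoreFilePath;

    /** Base64-encoded key store (includes the private key); kept in memory for the factory's lifetime. */
    @Deprecated
    private final String _keyStoreData;
    private final SSLParameters _parameters;
    private final SSLConfig _sslConfig;

    /**
     * Loads key/trust stores and initialises a TLS {@link SSLContext} from them.
     *
     * <p>Passwords are taken as {@link String}s (dictated by {@link SSLConfig}) and therefore cannot
     * be zeroed after use.
     */
    private static class SSLContextFactory {
        private static final String DEFAULT_ALGORITHM = "SunX509";
        private static final String DEFAULT_PROTOCOL = "TLS";
        private static final String JKS_STORE_TYPE_NAME = "JKS";
        private static final String P12_STORE_TYPE_NAME = "PKCS12";
        private final SSLContext _secureContext;

        /**
         * Builds a context from a single base64-encoded key store that serves as both key and
         * trust store.
         *
         * @param str  base64-encoded key store in the JVM's default store type
         * @param str2 password for the store and its keys
         * @throws Exception if decoding, loading or context initialisation fails
         * @deprecated prefer the file-based constructor with a distinct trust store
         */
        @Deprecated
        SSLContextFactory(String str, String str2) throws Exception {
            InputStream blob = new ByteArrayInputStream(Base64.getDecoder().decode(str));
            KeyStore keyStore = loadKeyStore(KeyStore.getDefaultType(), blob, str2);
            // The same store is used as the trust store.
            this._secureContext = createContext(keyStore, str2, keyStore);
        }

        /**
         * Builds a context from a key store file and a separate trust store file.
         *
         * @param file  key store file
         * @param str   key store password (also used for the keys inside it)
         * @param str2  key store type; only {@code PKCS12} and {@code JKS} are accepted
         * @param file2 trust store file; always read as a {@code JKS} store regardless of {@code str2}
         * @param str3  trust store password
         * @throws IllegalArgumentException if {@code str2} is not a supported store type
         * @throws Exception if a file cannot be read or context initialisation fails
         */
        SSLContextFactory(File file, String str, String str2, File file2, String str3) throws Exception {
            // Constant-first comparison so a null type yields a clear error rather than an NPE.
            if (!P12_STORE_TYPE_NAME.equalsIgnoreCase(str2) && !JKS_STORE_TYPE_NAME.equalsIgnoreCase(str2)) {
                throw new IllegalArgumentException("Unsupported keyStoreType: " + str2);
            }
            KeyStore keyStore = loadKeyStore(str2, Files.newInputStream(file.toPath()), str);
            KeyStore trustStore = loadKeyStore(JKS_STORE_TYPE_NAME, Files.newInputStream(file2.toPath()), str3);
            this._secureContext = createContext(keyStore, str, trustStore);
        }

        /**
         * Loads a key store of the given type from {@code source}, closing the stream afterwards.
         *
         * @throws Exception if the store cannot be instantiated or loaded
         */
        private static KeyStore loadKeyStore(String type, InputStream source, String password) throws Exception {
            KeyStore store = KeyStore.getInstance(type);
            try (InputStream in = source) {
                store.load(in, password.toCharArray());
            }
            return store;
        }

        /**
         * Initialises a {@value #DEFAULT_PROTOCOL} context with key managers from {@code keyStore}
         * and trust managers from {@code trustStore}.
         *
         * @throws Exception if any factory or the context cannot be initialised
         */
        private static SSLContext createContext(KeyStore keyStore, String keyPassword, KeyStore trustStore) throws Exception {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(DEFAULT_ALGORITHM);
            keyManagerFactory.init(keyStore, keyPassword.toCharArray());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(DEFAULT_ALGORITHM);
            trustManagerFactory.init(trustStore);
            SSLContext context = SSLContext.getInstance(DEFAULT_PROTOCOL);
            // null SecureRandom -> provider default.
            context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
            return context;
        }

        /** @return the initialised context */
        SSLContext getContext() {
            return this._secureContext;
        }
    }

    /**
     * Builds a factory from raw properties via {@link SSLConfig#buildConfig(Properties)}.
     *
     * @param properties configuration properties
     * @throws Exception if the config is invalid or the SSL context cannot be built
     */
    public DefaultSSLFactory(Properties properties) throws Exception {
        this(SSLConfig.buildConfig(properties));
    }

    /**
     * Builds a factory from a parsed config.
     *
     * @param sSLConfig the SSL configuration
     * @throws SSLConfig.ConfigHelper.MissingConfigParameterException if SSL is enabled but neither
     *         {@code keyStoreData} nor both store file paths are configured
     * @throws SSLProtocolException if none of the allowlisted cipher suites is supported by the runtime
     * @throws Exception if the key/trust stores cannot be loaded
     */
    public DefaultSSLFactory(SSLConfig sSLConfig) throws Exception {
        this._sslConfig = sSLConfig;
        this._sslEnabled = sSLConfig.getSslEnabled();
        if (!this._sslEnabled) {
            this._context = null;
            this._parameters = null;
            this._keyStoreFilePath = null;
            this._trustStoreFilePath = null;
            this._keyStoreData = null;
            this._sslRequireClientCerts = false;
            return;
        }
        // Previously this field was never populated from the config, so isSslRequireClientCerts()
        // always reported false even when client certs were required.
        this._sslRequireClientCerts = sSLConfig.doesSslRequireClientCerts();
        this._keyStoreFilePath = sSLConfig.getKeyStoreFilePath();
        this._trustStoreFilePath = sSLConfig.getTrustStoreFilePath();
        this._keyStoreData = sSLConfig.getKeyStoreData();
        this._context = buildContext(sSLConfig);
        this._parameters = buildParameters(this._context, this._sslRequireClientCerts);
    }

    /**
     * Chooses the key-material source: inline {@code keyStoreData} wins, otherwise both file paths
     * must be present.
     */
    private SSLContext buildContext(SSLConfig config) throws Exception {
        if (StringUtils.isNotBlank(this._keyStoreData)) {
            return new SSLContextFactory(this._keyStoreData, config.getKeyStorePassword()).getContext();
        }
        if (StringUtils.isBlank(this._keyStoreFilePath) || StringUtils.isBlank(this._trustStoreFilePath)) {
            throw new SSLConfig.ConfigHelper.MissingConfigParameterException("Either keyStoreData or (keyStoreFilePath and trustStoreFilePath) must be provided to operate in sslEnabled mode.");
        }
        return new SSLContextFactory(
            new File(this._keyStoreFilePath),
            config.getKeyStorePassword(),
            config.getKeyStoreType(),
            new File(this._trustStoreFilePath),
            config.getTrustStoreFilePassword()).getContext();
    }

    /**
     * Derives the parameters from the context defaults, restricting cipher suites to the allowlist
     * and setting the client-auth mode.
     *
     * @throws SSLProtocolException if no allowlisted suite is supported
     */
    private static SSLParameters buildParameters(SSLContext context, boolean requireClientCerts) throws SSLProtocolException {
        SSLParameters parameters = context.getDefaultSSLParameters();
        parameters.setCipherSuites(filterDisallowedCiphersuites(context.getSocketFactory().getSupportedCipherSuites()));
        if (requireClientCerts) {
            parameters.setNeedClientAuth(true);
        } else {
            // "want" requests a client cert but still completes the handshake without one.
            parameters.setWantClientAuth(true);
        }
        return parameters;
    }

    /**
     * Returns the subset of {@code strArr} that is in {@link #CIPHER_SUITE_ALLOWLIST}, preserving
     * the input order and dropping duplicates.
     *
     * @param strArr supported cipher suites; {@code null} is treated as empty
     * @return the allowlisted suites, never empty
     * @throws SSLProtocolException if no allowlisted suite is present
     */
    public static String[] filterDisallowedCiphersuites(String[] strArr) throws SSLProtocolException {
        Set<String> allowed = new HashSet<>(Arrays.asList(CIPHER_SUITE_ALLOWLIST));
        Set<String> enabled = new LinkedHashSet<>();
        if (strArr != null) {
            for (String suite : strArr) {
                if (allowed.contains(suite)) {
                    enabled.add(suite);
                }
            }
        }
        if (enabled.isEmpty()) {
            throw new SSLProtocolException("No Allowlisted SSL Ciphers Available.");
        }
        return enabled.toArray(new String[0]);
    }

    /** @return the config this factory was built from */
    @Override
    public SSLConfig getSSLConfig() {
        return this._sslConfig;
    }

    /** @return the initialised context, or {@code null} when SSL is disabled */
    @Override
    public SSLContext getSSLContext() {
        return this._context;
    }

    /**
     * @return the shared parameters object (callers can mutate it), or {@code null} when SSL is
     *         disabled
     */
    @Override
    public SSLParameters getSSLParameters() {
        return this._parameters;
    }

    /** @return whether SSL is enabled in the config */
    @Override
    public boolean isSslEnabled() {
        return this._sslEnabled;
    }

    /**
     * @return whether client certificates are required; initialised from the config and changeable
     *         via {@link #setSslRequireClientCerts(boolean)}. Changing it does not alter the already
     *         built {@link SSLParameters}.
     */
    public boolean isSslRequireClientCerts() {
        return this._sslRequireClientCerts;
    }

    /**
     * Overrides the client-cert requirement flag. Affects only this getter, not the parameters
     * built at construction.
     *
     * @param z new value
     */
    public void setSslRequireClientCerts(boolean z) {
        this._sslRequireClientCerts = z;
    }
}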
