package org.apache.cassandra.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.CipherSuiteFilter;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.ReferenceCountUtil;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.concurrent.ScheduledExecutors;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.EncryptionOptions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:cassandra-all-4.0-beta4.jar:org/apache/cassandra/security/SSLFactory.class */
public final class SSLFactory {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SSLFactory.class);

    @VisibleForTesting
    static volatile boolean checkedExpiry = false;
    private static final boolean openSslIsAvailable;
    private static final ConcurrentHashMap<CacheKey, SslContext> cachedSslContexts;
    private static volatile List<HotReloadableFile> hotReloadableFiles;
    public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC = 600;
    public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC = 600;
    private static boolean isHotReloadingInitialized;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:cassandra-all-4.0-beta4.jar:org/apache/cassandra/security/SSLFactory$CacheKey.class */
    public static class CacheKey {
        private final EncryptionOptions encryptionOptions;
        private final SocketType socketType;
        private final boolean useOpenSSL;

        public CacheKey(EncryptionOptions encryptionOptions, SocketType socketType, boolean z) {
            this.encryptionOptions = encryptionOptions;
            this.socketType = socketType;
            this.useOpenSSL = z;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            CacheKey cacheKey = (CacheKey) obj;
            return this.socketType == cacheKey.socketType && this.useOpenSSL == cacheKey.useOpenSSL && Objects.equals(this.encryptionOptions, cacheKey.encryptionOptions);
        }

        public int hashCode() {
            return 0 + (31 * this.socketType.hashCode()) + (31 * this.encryptionOptions.hashCode()) + (31 * Boolean.hashCode(this.useOpenSSL));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:cassandra-all-4.0-beta4.jar:org/apache/cassandra/security/SSLFactory$HotReloadableFile.class */
    public static class HotReloadableFile {
        private final File file;
        private volatile long lastModTime;

        HotReloadableFile(String str) {
            this.file = new File(str);
            this.lastModTime = this.file.lastModified();
        }

        boolean shouldReload() {
            long lastModified = this.file.lastModified();
            boolean z = lastModified != this.lastModTime;
            this.lastModTime = lastModified;
            return z;
        }

        public String toString() {
            return "HotReloadableFile{file=" + this.file + ", lastModTime=" + this.lastModTime + '}';
        }
    }

    /* loaded from: input_file:cassandra-all-4.0-beta4.jar:org/apache/cassandra/security/SSLFactory$LoggingCipherSuiteFilter.class */
    public static final class LoggingCipherSuiteFilter implements CipherSuiteFilter {
        public static final CipherSuiteFilter QUIET_FILTER = new LoggingCipherSuiteFilter();
        final String settingDescription;

        private LoggingCipherSuiteFilter() {
            this.settingDescription = null;
        }

        public LoggingCipherSuiteFilter(String str) {
            this.settingDescription = str;
        }

        @Override // io.netty.handler.ssl.CipherSuiteFilter
        public String[] filterCipherSuites(Iterable<String> iterable, List<String> list, Set<String> set) {
            ArrayList arrayList;
            String next;
            Objects.requireNonNull(list, "defaultCiphers");
            Objects.requireNonNull(set, "supportedCiphers");
            if (iterable == null) {
                arrayList = new ArrayList(list.size());
                iterable = list;
            } else {
                arrayList = new ArrayList(set.size());
            }
            Iterator<String> it2 = iterable.iterator();
            while (it2.hasNext() && (next = it2.next()) != null) {
                if (set.contains(next)) {
                    arrayList.add(next);
                } else if (this.settingDescription != null) {
                    SSLFactory.logger.warn("Dropping unsupported cipher_suite {} from {} configuration", next, this.settingDescription.toLowerCase());
                }
            }
            if (arrayList.isEmpty()) {
                throw new IllegalStateException("No ciphers left after filtering supported cipher suite");
            }
            return (String[]) arrayList.toArray(new String[0]);
        }
    }

    /* loaded from: input_file:cassandra-all-4.0-beta4.jar:org/apache/cassandra/security/SSLFactory$SocketType.class */
    public enum SocketType {
        SERVER,
        CLIENT
    }

    public static boolean openSslIsAvailable() {
        return openSslIsAvailable;
    }

    public static SSLContext createSSLContext(EncryptionOptions encryptionOptions, boolean z) throws IOException {
        TrustManager[] trustManagerArr = null;
        if (z) {
            trustManagerArr = buildTrustManagerFactory(encryptionOptions).getTrustManagers();
        }
        KeyManagerFactory buildKeyManagerFactory = buildKeyManagerFactory(encryptionOptions);
        try {
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.getDefaultSSLParameters().setProtocols(encryptionOptions.acceptedProtocolsArray());
            sSLContext.init(buildKeyManagerFactory.getKeyManagers(), trustManagerArr, null);
            return sSLContext;
        } catch (Exception e) {
            throw new IOException("Error creating/initializing the SSL Context", e);
        }
    }

    static TrustManagerFactory buildTrustManagerFactory(EncryptionOptions encryptionOptions) throws IOException {
        try {
            InputStream newInputStream = Files.newInputStream(Paths.get(encryptionOptions.truststore, new String[0]), new OpenOption[0]);
            Throwable th = null;
            try {
                try {
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(encryptionOptions.algorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : encryptionOptions.algorithm);
                    KeyStore keyStore = KeyStore.getInstance(encryptionOptions.store_type);
                    keyStore.load(newInputStream, encryptionOptions.truststore_password.toCharArray());
                    trustManagerFactory.init(keyStore);
                    if (newInputStream != null) {
                        if (0 != 0) {
                            try {
                                newInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newInputStream.close();
                        }
                    }
                    return trustManagerFactory;
                } finally {
                }
            } finally {
            }
        } catch (Exception e) {
            throw new IOException("failed to build trust manager store for secure connections", e);
        }
    }

    static KeyManagerFactory buildKeyManagerFactory(EncryptionOptions encryptionOptions) throws IOException {
        try {
            InputStream newInputStream = Files.newInputStream(Paths.get(encryptionOptions.keystore, new String[0]), new OpenOption[0]);
            Throwable th = null;
            try {
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(encryptionOptions.algorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : encryptionOptions.algorithm);
                KeyStore keyStore = KeyStore.getInstance(encryptionOptions.store_type);
                keyStore.load(newInputStream, encryptionOptions.keystore_password.toCharArray());
                if (!checkedExpiry) {
                    Enumeration<String> aliases = keyStore.aliases();
                    while (aliases.hasMoreElements()) {
                        String nextElement = aliases.nextElement();
                        if (keyStore.getCertificate(nextElement).getType().equals("X.509")) {
                            Date notAfter = ((X509Certificate) keyStore.getCertificate(nextElement)).getNotAfter();
                            if (notAfter.before(new Date())) {
                                logger.warn("Certificate for {} expired on {}", nextElement, notAfter);
                            }
                        }
                    }
                    checkedExpiry = true;
                }
                keyManagerFactory.init(keyStore, encryptionOptions.keystore_password.toCharArray());
                if (newInputStream != null) {
                    if (0 != 0) {
                        try {
                            newInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        newInputStream.close();
                    }
                }
                return keyManagerFactory;
            } finally {
            }
        } catch (Exception e) {
            throw new IOException("failed to build key manager store for secure connections", e);
        }
    }

    public static SslContext getOrCreateSslContext(EncryptionOptions encryptionOptions, boolean z, SocketType socketType) throws IOException {
        return getOrCreateSslContext(encryptionOptions, z, socketType, openSslIsAvailable());
    }

    @VisibleForTesting
    static SslContext getOrCreateSslContext(EncryptionOptions encryptionOptions, boolean z, SocketType socketType, boolean z2) throws IOException {
        CacheKey cacheKey = new CacheKey(encryptionOptions, socketType, z2);
        SslContext sslContext = cachedSslContexts.get(cacheKey);
        if (sslContext != null) {
            return sslContext;
        }
        SslContext createNettySslContext = createNettySslContext(encryptionOptions, z, socketType, z2);
        SslContext putIfAbsent = cachedSslContexts.putIfAbsent(cacheKey, createNettySslContext);
        if (putIfAbsent == null) {
            return createNettySslContext;
        }
        ReferenceCountUtil.release(createNettySslContext);
        return putIfAbsent;
    }

    static SslContext createNettySslContext(EncryptionOptions encryptionOptions, boolean z, SocketType socketType, boolean z2) throws IOException {
        return createNettySslContext(encryptionOptions, z, socketType, z2, LoggingCipherSuiteFilter.QUIET_FILTER);
    }

    static SslContext createNettySslContext(EncryptionOptions encryptionOptions, boolean z, SocketType socketType, boolean z2, CipherSuiteFilter cipherSuiteFilter) throws IOException {
        SslContextBuilder keyManager;
        KeyManagerFactory buildKeyManagerFactory = buildKeyManagerFactory(encryptionOptions);
        if (socketType == SocketType.SERVER) {
            keyManager = SslContextBuilder.forServer(buildKeyManagerFactory);
            keyManager.clientAuth(encryptionOptions.require_client_auth ? ClientAuth.REQUIRE : ClientAuth.NONE);
        } else {
            keyManager = SslContextBuilder.forClient().keyManager(buildKeyManagerFactory);
        }
        keyManager.sslProvider(z2 ? SslProvider.OPENSSL : SslProvider.JDK);
        keyManager.protocols(encryptionOptions.acceptedProtocols());
        if (encryptionOptions.cipher_suites != null && !encryptionOptions.cipher_suites.isEmpty()) {
            keyManager.ciphers(encryptionOptions.cipher_suites, cipherSuiteFilter);
        }
        if (z) {
            keyManager.trustManager(buildTrustManagerFactory(encryptionOptions));
        }
        return keyManager.build();
    }

    public static void checkCertFilesForHotReloading(EncryptionOptions.ServerEncryptionOptions serverEncryptionOptions, EncryptionOptions encryptionOptions) {
        if (!isHotReloadingInitialized) {
            throw new IllegalStateException("Hot reloading functionality has not been initialized.");
        }
        logger.debug("Checking whether certificates have been updated {}", hotReloadableFiles);
        if (hotReloadableFiles.stream().anyMatch((v0) -> {
            return v0.shouldReload();
        })) {
            logger.info("SSL certificates have been updated. Reseting the ssl contexts for new connections.");
            try {
                validateSslCerts(serverEncryptionOptions, encryptionOptions);
                cachedSslContexts.clear();
            } catch (Exception e) {
                logger.error("Failed to hot reload the SSL Certificates! Please check the certificate files.", (Throwable) e);
            }
        }
    }

    public static synchronized void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverEncryptionOptions, EncryptionOptions encryptionOptions, boolean z) throws IOException {
        if (!isHotReloadingInitialized || z) {
            logger.debug("Initializing hot reloading SSLContext");
            ArrayList arrayList = new ArrayList();
            if (serverEncryptionOptions != null && serverEncryptionOptions.tlsEncryptionPolicy() != EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
                arrayList.add(new HotReloadableFile(serverEncryptionOptions.keystore));
                arrayList.add(new HotReloadableFile(serverEncryptionOptions.truststore));
            }
            if (encryptionOptions != null && encryptionOptions.tlsEncryptionPolicy() != EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
                arrayList.add(new HotReloadableFile(encryptionOptions.keystore));
                arrayList.add(new HotReloadableFile(encryptionOptions.truststore));
            }
            hotReloadableFiles = ImmutableList.copyOf((Collection) arrayList);
            if (!isHotReloadingInitialized) {
                ScheduledExecutors.scheduledTasks.scheduleWithFixedDelay(() -> {
                    checkCertFilesForHotReloading(DatabaseDescriptor.getInternodeMessagingEncyptionOptions(), DatabaseDescriptor.getNativeProtocolEncryptionOptions());
                }, 600L, 600L, TimeUnit.SECONDS);
            }
            isHotReloadingInitialized = true;
        }
    }

    /* JADX WARN: Finally extract failed */
    public static void validateSslContext(String str, EncryptionOptions encryptionOptions, boolean z, boolean z2) throws IOException {
        if (encryptionOptions == null || encryptionOptions.tlsEncryptionPolicy() == EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
            return;
        }
        try {
            SslContext createNettySslContext = createNettySslContext(encryptionOptions, z, SocketType.SERVER, openSslIsAvailable(), z2 ? new LoggingCipherSuiteFilter(str) : LoggingCipherSuiteFilter.QUIET_FILTER);
            try {
                SSLEngine newEngine = createNettySslContext.newEngine(ByteBufAllocator.DEFAULT);
                if (z2) {
                    try {
                        String[] supportedProtocols = newEngine.getSupportedProtocols();
                        String[] supportedCipherSuites = newEngine.getSupportedCipherSuites();
                        String[] enabledProtocols = newEngine.getEnabledProtocols();
                        String[] enabledCipherSuites = newEngine.getEnabledCipherSuites();
                        logger.debug("{} supported TLS protocols: {}", str, supportedProtocols == null ? "system default" : String.join(", ", supportedProtocols));
                        logger.info("{} enabled TLS protocols: {}", str, enabledProtocols == null ? "system default" : String.join(", ", enabledProtocols));
                        logger.debug("{} supported cipher suites: {}", str, supportedCipherSuites == null ? "system default" : String.join(", ", supportedCipherSuites));
                        logger.info("{} enabled cipher suites: {}", str, enabledCipherSuites == null ? "system default" : String.join(", ", enabledCipherSuites));
                    } catch (Throwable th) {
                        newEngine.closeInbound();
                        newEngine.closeOutbound();
                        ReferenceCountUtil.release(newEngine);
                        throw th;
                    }
                }
                newEngine.closeInbound();
                newEngine.closeOutbound();
                ReferenceCountUtil.release(newEngine);
                ReferenceCountUtil.release(createNettySslContext);
                ReferenceCountUtil.release(createNettySslContext(encryptionOptions, z, SocketType.CLIENT, openSslIsAvailable()));
            } catch (Throwable th2) {
                ReferenceCountUtil.release(createNettySslContext);
                throw th2;
            }
        } catch (Exception e) {
            throw new IOException("Failed to create SSL context using " + str, e);
        }
    }

    public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverEncryptionOptions, EncryptionOptions encryptionOptions) throws IOException {
        validateSslContext("server_encryption_options", serverEncryptionOptions, true, false);
        validateSslContext("client_encryption_options", encryptionOptions, encryptionOptions.require_client_auth, false);
    }

    static {
        if (Boolean.getBoolean("cassandra.disable_tcactive_openssl")) {
            openSslIsAvailable = false;
        } else {
            openSslIsAvailable = OpenSsl.isAvailable();
        }
        cachedSslContexts = new ConcurrentHashMap<>();
        hotReloadableFiles = ImmutableList.of();
        isHotReloadingInitialized = false;
    }
}
