package com.dremio.jdbc.shaded.com.dremio.ssl;

import com.dremio.jdbc.shaded.com.dremio.common.VM;
import com.dremio.jdbc.shaded.com.dremio.ssl.CompositeTrustManagerFactory;
import com.dremio.jdbc.shaded.com.google.common.base.Strings;
import com.dremio.jdbc.shaded.com.google.common.collect.ImmutableList;
import com.dremio.jdbc.shaded.io.netty.buffer.ByteBufAllocator;
import com.dremio.jdbc.shaded.io.netty.handler.ssl.ClientAuth;
import com.dremio.jdbc.shaded.io.netty.handler.ssl.OpenSsl;
import com.dremio.jdbc.shaded.io.netty.handler.ssl.SslContextBuilder;
import com.dremio.jdbc.shaded.io.netty.handler.ssl.SslProvider;
import com.dremio.jdbc.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import com.dremio.jdbc.shaded.org.slf4j.Logger;
import com.dremio.jdbc.shaded.org.slf4j.LoggerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/dremio/jdbc/shaded/com/dremio/ssl/SSLEngineFactoryImpl.class */
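/**
 * Builds Netty {@link SslContextBuilder}s and {@link SSLEngine}s from an {@link SSLConfig}.
 *
 * <p>Key material comes from the configured key store (or is omitted when no key store path is
 * set). Trust material is a composite of the default or configured trust store plus, on request,
 * the OS-native stores — unless peer verification is disabled, in which case
 * {@link InsecureTrustManagerFactory} is used and no certificate chain is validated at all.
 *
 * <p>Provider, protocols and cipher suites are read once, at class-initialisation time, from the
 * {@code dremio.ssl.provider}, {@code dremio.ssl.protocols} and {@code dremio.ssl.ciphers}
 * system properties.
 */
public class SSLEngineFactoryImpl implements SSLEngineFactory {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SSLEngineFactoryImpl.class);
    /** System property naming the {@link SslProvider} to use; must be a valid enum constant name. */
    private static final String SSL_PROVIDER_PROPERTY = "dremio.ssl.provider";
    private static final String DEFAULT_SSL_PROVIDER;
    private static final SslProvider SSL_PROVIDER;
    /** System property holding a comma-separated list of enabled TLS protocol names. */
    private static final String SSL_PROTOCOLS_PROPERTY = "dremio.ssl.protocols";
    private static final String DEFAULT_SSL_PROTOCOLS = "TLSv1.2";
    private static final String[] SSL_PROTOCOLS;
    /** System property holding a comma-separated cipher-suite list; unset means Netty's defaults. */
    private static final String SSL_CIPHERS_PROPERTY = "dremio.ssl.ciphers";
    private static final Iterable<String> SSL_CIPHERS;
    private final SSLConfig sslConfig;
    // null when no key store path is configured (client without a client certificate).
    private final KeyManagerFactory keyManagerFactory;
    private final TrustManagerFactory trustManagerFactory;

    /**
     * Creates a factory for the given configuration, eagerly loading key and trust stores.
     *
     * @param sSLConfig the SSL configuration to build engines from
     * @throws SSLException if a key or trust store cannot be read or initialised
     * @throws IllegalArgumentException if the configured key store contains no entries
     */
    public SSLEngineFactoryImpl(SSLConfig sSLConfig) throws SSLException {
        this.sslConfig = sSLConfig;
        try {
            this.keyManagerFactory = newKeyManagerFactory();
            this.trustManagerFactory = newTrustManagerFactory();
        } catch (IOException | GeneralSecurityException e) {
            // Keep the cause so the underlying store/algorithm failure stays diagnosable.
            throw new SSLException(e);
        }
    }

    /**
     * Loads the configured key store and wraps it in a {@link KeyManagerFactory}.
     *
     * @return the initialised factory, or {@code null} when no key store path is configured
     * @throws IllegalArgumentException if the key store holds no entries
     */
    private KeyManagerFactory newKeyManagerFactory() throws GeneralSecurityException, IOException {
        // The original compared the path with == "" (reference equality), which only matches the
        // interned literal; use the same null-or-empty check the trust store path already uses.
        if (Strings.isNullOrEmpty(this.sslConfig.getKeyStorePath())) {
            return null;
        }
        KeyStore keyStore = KeyStore.getInstance(this.sslConfig.getKeyStoreType());
        try (FileInputStream in = new FileInputStream(this.sslConfig.getKeyStorePath())) {
            keyStore.load(in, this.sslConfig.getKeyStorePassword().toCharArray());
        }
        if (keyStore.size() == 0) {
            throw new IllegalArgumentException("Key store has no entries");
        }
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore, this.sslConfig.getKeyPassword().toCharArray());
        return factory;
    }

    /**
     * Builds the trust manager for this configuration.
     *
     * <p>With peer verification disabled the all-trusting {@link InsecureTrustManagerFactory} is
     * returned, so any presented certificate chain is accepted. Otherwise the default or the
     * configured store is added, followed by the OS-native stores when requested.
     */
    private TrustManagerFactory newTrustManagerFactory() throws GeneralSecurityException, IOException {
        if (this.sslConfig.disablePeerVerification()) {
            // No chain validation at all in this mode; it exists for test/debug setups.
            return InsecureTrustManagerFactory.INSTANCE;
        }
        CompositeTrustManagerFactory.Builder builder = CompositeTrustManagerFactory.newBuilder();
        if (this.sslConfig.useDefaultTrustStore()) {
            builder.addDefaultTrustStore();
        } else {
            builder.addTrustStore(loadConfiguredTrustStore());
        }
        if (this.sslConfig.useSystemTrustStore()) {
            addSystemTrustStores(builder);
        }
        return builder.build();
    }

    /**
     * Loads the trust store named by the configuration. Without a configured path the store is
     * loaded from a {@code null} stream, i.e. it starts out empty.
     */
    private KeyStore loadConfiguredTrustStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(this.sslConfig.getTrustStoreType());
        String path = this.sslConfig.getTrustStorePath();
        if (Strings.isNullOrEmpty(path)) {
            keyStore.load(null, this.sslConfig.getTrustStorePassword().toCharArray());
        } else {
            try (FileInputStream in = new FileInputStream(path)) {
                keyStore.load(in, this.sslConfig.getTrustStorePassword().toCharArray());
            }
        }
        return keyStore;
    }

    /** Adds the OS-native trust stores on Windows and macOS; other hosts contribute none. */
    private static void addSystemTrustStores(CompositeTrustManagerFactory.Builder builder) {
        if (VM.isWindowsHost()) {
            tryAddTrustStoreType(builder, "Windows-ROOT");
            tryAddTrustStoreType(builder, "Windows-MY");
        } else if (VM.isMacOSHost()) {
            tryAddTrustStoreType(builder, "KeychainStore");
        }
    }

    /**
     * Best-effort: loads the named key store type and adds it to {@code builder}. A store type
     * that is unavailable on this JVM is logged and skipped rather than failing the whole factory.
     */
    private static void tryAddTrustStoreType(CompositeTrustManagerFactory.Builder builder, String str) {
        try {
            KeyStore keyStore = KeyStore.getInstance(str);
            keyStore.load(null, null);
            builder.addTrustStore(keyStore);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.warn("Unable to add trust store of type {}. Ignoring certificates.", str, e);
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>Client certificates are required unless peer verification is disabled, in which case
     * they are merely optional.
     */
    @Override
    public SslContextBuilder newServerContextBuilder() {
        return SslContextBuilder.forServer(this.keyManagerFactory)
                .trustManager(this.trustManagerFactory)
                .clientAuth(this.sslConfig.disablePeerVerification() ? ClientAuth.OPTIONAL : ClientAuth.REQUIRE)
                .sslProvider(SSL_PROVIDER)
                .protocols(SSL_PROTOCOLS)
                .ciphers(SSL_CIPHERS);
    }

    /**
     * {@inheritDoc}
     *
     * @param str peer host used by Netty when creating the engine
     * @param i peer port
     */
    @Override
    public SSLEngine newServerEngine(ByteBufAllocator byteBufAllocator, String str, int i) throws SSLException {
        SSLEngine engine = newServerContextBuilder().build().newEngine(byteBufAllocator, str, i);
        enableSessionCreation(engine);
        return engine;
    }

    /** {@inheritDoc} */
    @Override
    public SslContextBuilder newClientContextBuilder() {
        return SslContextBuilder.forClient()
                .keyManager(this.keyManagerFactory)
                .trustManager(this.trustManagerFactory)
                .sslProvider(SSL_PROVIDER)
                .protocols(SSL_PROTOCOLS)
                .ciphers(SSL_CIPHERS);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Sends {@code str} as the SNI host name and, unless host verification is disabled, turns
     * on HTTPS-style endpoint identification so the server certificate must match that host.
     *
     * @param str the server host name; also used for SNI and endpoint identification
     * @param i the server port
     * @throws IllegalArgumentException if {@code str} is not a valid SNI host name
     */
    @Override
    public SSLEngine newClientEngine(ByteBufAllocator byteBufAllocator, String str, int i) throws SSLException {
        SSLEngine engine = newClientContextBuilder().build().newEngine(byteBufAllocator, str, i);
        SSLParameters parameters = engine.getSSLParameters();
        parameters.setServerNames(Collections.singletonList(new SNIHostName(str)));
        if (!this.sslConfig.disableHostVerification()) {
            // Without this the trust manager validates the chain but not that it is for `str`.
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
        }
        engine.setSSLParameters(parameters);
        enableSessionCreation(engine);
        return engine;
    }

    /** Enables session creation where the provider supports it; otherwise logs and moves on. */
    private static void enableSessionCreation(SSLEngine engine) {
        try {
            engine.setEnableSessionCreation(true);
        } catch (UnsupportedOperationException e) {
            logger.trace("Session creation not enabled", (Throwable) e);
        }
    }

    static {
        DEFAULT_SSL_PROVIDER = OpenSsl.isAvailable() ? SslProvider.OPENSSL.name() : SslProvider.JDK.name();
        // An unknown provider name fails class initialisation (IllegalArgumentException from valueOf).
        SSL_PROVIDER = SslProvider.valueOf(System.getProperty(SSL_PROVIDER_PROPERTY, DEFAULT_SSL_PROVIDER));
        SSL_PROTOCOLS = System.getProperty(SSL_PROTOCOLS_PROPERTY, DEFAULT_SSL_PROTOCOLS).split(",");
        String ciphersProperty = System.getProperty(SSL_CIPHERS_PROPERTY);
        // null ciphers means Netty picks its default suite list.
        ImmutableList<String> ciphers = ciphersProperty == null ? null : ImmutableList.copyOf(ciphersProperty.split(","));
        SSL_CIPHERS = ciphers;
    }
}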
