package org.apache.cassandra.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.io.util.File;
import org.apache.cassandra.security.FileBasedSslContextFactory;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/security/PEMBasedSslContextFactory.class */
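/**
 * {@link FileBasedSslContextFactory} variant whose key and trust material is PEM text rather than a
 * JKS/PKCS12 store.
 *
 * <p>The private key (with its certificate chain) comes either inline from the {@code private_key}
 * option or from the file named by the inherited {@code keystore} path; the trusted certificates come
 * either inline from {@code trusted_certificates} or from the {@code truststore} path. Giving both an
 * inline value and an existing file for the same role is rejected at construction time. The PEM text
 * is converted into in-memory {@value #DEFAULT_TARGET_STORETYPE} stores before being handed to the
 * JSSE factories, so the rest of the SSL setup is unchanged from the file based parent.
 *
 * <p>Only file based material can be hot-reloaded: inline PEM has no file to watch.
 * {@code truststore_password} is ignored for PEM truststores (a warning is logged if it is set).
 */
public final class PEMBasedSslContextFactory extends FileBasedSslContextFactory {
    /** Type of the in-memory stores built from the PEM material. */
    public static final String DEFAULT_TARGET_STORETYPE = "PKCS12";

    private static final Logger logger = LoggerFactory.getLogger(PEMBasedSslContextFactory.class);

    /** Alias of the single key entry written into the in-memory keystore. */
    private static final String KEY_ENTRY_ALIAS = "cassandra-ssl-keystore";

    /** Prefix of the (1-based) aliases written into the in-memory truststore. */
    private static final String TRUSTED_CERT_ALIAS_PREFIX = "cassandra-ssl-trusted-cert-";

    // PEM text holding the private key and its certificate chain. Set from 'private_key', or
    // (re)read from the keystore file each time the key manager factory is built.
    private String pemEncodedKey;

    // Password protecting the PEM private key; defaults to keystore_password. Kept as a String for
    // the factory's lifetime, so it cannot be zeroed after use.
    private String keyPassword;

    // PEM text holding the trusted certificates. Set from 'trusted_certificates', or (re)read from
    // the truststore file each time the trust manager factory is built.
    private String pemEncodedCertificates;

    // True when no inline PEM was configured, i.e. the material must come from the keystore path.
    private boolean maybeFileBasedPrivateKey;

    // True when no inline PEM was configured, i.e. the material must come from the truststore path.
    private boolean maybeFileBasedTrustedCertificates;

    /** Configuration option names specific to this factory. */
    public enum ConfigKey {
        /** Inline PEM private key (plus certificate chain). */
        ENCODED_KEY("private_key"),
        /** Password of the inline/file based PEM private key. */
        KEY_PASSWORD("private_key_password"),
        /** Inline PEM trusted certificates. */
        ENCODED_CERTIFICATES("trusted_certificates");

        final String keyName;

        ConfigKey(String keyName) {
            this.keyName = keyName;
        }

        /** @return the option name as it appears in the configuration map */
        String getKeyName() {
            return this.keyName;
        }
    }

    public PEMBasedSslContextFactory() {
    }

    /**
     * Builds the factory from its configuration map and validates the PEM-specific options.
     *
     * @param map configuration options; handed to the parent first, then read for the {@link ConfigKey}s
     * @throws IllegalArgumentException if {@code private_key_password} and {@code keystore_password}
     *         are both set but differ, or if both an inline value and an existing file are given for
     *         the key or for the trusted certificates
     */
    public PEMBasedSslContextFactory(Map<String, Object> map) {
        super(map);
        this.pemEncodedKey = getString(ConfigKey.ENCODED_KEY.getKeyName());
        this.keyPassword = getString(ConfigKey.KEY_PASSWORD.getKeyName());
        if (StringUtils.isEmpty(this.keyPassword)) {
            // Inline and file based keys share one password; fall back to the generic keystore setting.
            this.keyPassword = this.keystore_password;
        } else if (!StringUtils.isEmpty(this.keystore_password) && !this.keyPassword.equals(this.keystore_password)) {
            // Message names the actual option ('private_key_password'), which this factory reads above.
            throw new IllegalArgumentException(
                "'keystore_password' and 'private_key_password' both configurations are given and the values do not match");
        }
        if (!StringUtils.isEmpty(this.truststore_password)) {
            logger.warn("PEM based truststore should not be using password. Ignoring the given value in 'truststore_password' configuration.");
        }
        this.pemEncodedCertificates = getString(ConfigKey.ENCODED_CERTIFICATES.getKeyName());
        this.maybeFileBasedPrivateKey = StringUtils.isEmpty(this.pemEncodedKey);
        this.maybeFileBasedTrustedCertificates = StringUtils.isEmpty(this.pemEncodedCertificates);
        enforceSinglePrivateKeySource();
        enforceSingleTrustedCertificatesSource();
    }

    /**
     * @return whether key material is available: an existing keystore file when no inline key was
     *         configured, otherwise whether the inline key is non-empty
     */
    @Override
    public boolean hasKeystore() {
        return this.maybeFileBasedPrivateKey ? keystoreFileExists() : !StringUtils.isEmpty(this.pemEncodedKey);
    }

    private boolean keystoreFileExists() {
        return this.keystore != null && new File(this.keystore).exists();
    }

    /** Mirror of {@link #hasKeystore()} for the trusted certificates. */
    private boolean hasTruststore() {
        return this.maybeFileBasedTrustedCertificates ? truststoreFileExists() : !StringUtils.isEmpty(this.pemEncodedCertificates);
    }

    private boolean truststoreFileExists() {
        return this.truststore != null && new File(this.truststore).exists();
    }

    /**
     * Registers the keystore and/or truststore paths for hot reloading, but only those actually in
     * use as files. Inline PEM has nothing on disk to watch, so when neither role is file based the
     * inherited list is left untouched.
     */
    @Override
    public synchronized void initHotReloading() {
        List<FileBasedSslContextFactory.HotReloadableFile> watched = new ArrayList<>();
        if (this.maybeFileBasedPrivateKey && hasKeystore()) {
            watched.add(new FileBasedSslContextFactory.HotReloadableFile(this.keystore));
        }
        if (this.maybeFileBasedTrustedCertificates && hasTruststore()) {
            watched.add(new FileBasedSslContextFactory.HotReloadableFile(this.truststore));
        }
        if (!watched.isEmpty()) {
            this.hotReloadableFiles = watched;
        }
    }

    /**
     * Builds the key manager factory from the PEM private key and chain.
     *
     * <p>When the key is file based the file is re-read on every call, which is what makes hot
     * reloading pick up a rotated key. Certificate expiry is checked only the first time
     * ({@code checkedExpiry}); nothing on this page resets that flag, so reloaded material is
     * presumably not re-checked here — confirm against the parent class.
     *
     * @return an initialised factory using the configured (or default) algorithm
     * @throws SSLException if no key source is configured, or if reading/parsing the PEM or
     *         initialising the factory fails (the underlying exception is attached as the cause)
     */
    @Override
    protected KeyManagerFactory buildKeyManagerFactory() throws SSLException {
        // Reported directly rather than wrapped: a missing key source is a configuration error, not a
        // failure of the key material, and the actionable message should not be buried as a cause.
        if (!hasKeystore()) {
            throw new SSLException("Must provide keystore or private_key in configuration for PEMBasedSSlContextFactory");
        }
        try {
            if (this.maybeFileBasedPrivateKey) {
                this.pemEncodedKey = readPEMFile(this.keystore);
            }
            String algorithmName = this.algorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : this.algorithm;
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithmName);
            KeyStore keyStore = buildKeyStore();
            if (!this.checkedExpiry) {
                checkExpiredCerts(keyStore);
                this.checkedExpiry = true;
            }
            keyManagerFactory.init(keyStore, keyPasswordChars());
            return keyManagerFactory;
        } catch (Exception e) {
            // Boundary of the throws-SSLException contract: everything below it (I/O, parsing,
            // JSSE) is surfaced uniformly to the caller, with the original exception as the cause.
            throw new SSLException("Failed to build key manager store for secure connections", e);
        }
    }

    /**
     * Builds the trust manager factory from the PEM trusted certificates. As with the key, file
     * based certificates are re-read on every call so that hot reloading sees rotations.
     *
     * @return an initialised factory using the configured (or default) algorithm
     * @throws SSLException if no trust source is configured, or if reading/parsing the PEM or
     *         initialising the factory fails (the underlying exception is attached as the cause)
     */
    @Override
    protected TrustManagerFactory buildTrustManagerFactory() throws SSLException {
        if (!hasTruststore()) {
            throw new SSLException("Must provide truststore or trusted_certificates in configuration for PEMBasedSSlContextFactory");
        }
        try {
            if (this.maybeFileBasedTrustedCertificates) {
                this.pemEncodedCertificates = readPEMFile(this.truststore);
            }
            String algorithmName = this.algorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : this.algorithm;
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithmName);
            trustManagerFactory.init(buildTrustStore());
            return trustManagerFactory;
        } catch (Exception e) {
            throw new SSLException("Failed to build trust manager store for secure connections", e);
        }
    }

    /**
     * Reads a whole PEM file into a String.
     *
     * <p>PEM is ASCII-armoured text, so it is decoded explicitly as UTF-8 instead of with the JVM's
     * default charset, which would make parsing depend on the host locale.
     *
     * @param path file path, resolved through the project's {@link File} helper
     * @throws IOException if the file cannot be read
     */
    private String readPEMFile(String path) throws IOException {
        return new String(Files.readAllBytes(File.getPath(path)), StandardCharsets.UTF_8);
    }

    /** @return the key password as a char array for the JSSE/KeyStore APIs, or {@code null} if unset */
    private char[] keyPasswordChars() {
        return this.keyPassword == null ? null : this.keyPassword.toCharArray();
    }

    /**
     * Converts the PEM private key and its chain into an in-memory {@value #DEFAULT_TARGET_STORETYPE}
     * keystore holding a single key entry.
     *
     * @throws SSLException if the PEM contains no certificates (a key without a chain is unusable)
     * @throws GeneralSecurityException from the PEM parser or the keystore API
     * @throws IOException from the PEM parser or the keystore API
     */
    private KeyStore buildKeyStore() throws GeneralSecurityException, IOException {
        PrivateKey privateKey = PEMReader.extractPrivateKey(this.pemEncodedKey, this.keyPassword);
        // The chain is expected in the same PEM text as the key.
        Certificate[] chain = PEMReader.extractCertificates(this.pemEncodedKey);
        if (chain == null || chain.length == 0) {
            throw new SSLException("Could not read any certificates for the certChain for the private key");
        }
        KeyStore keyStore = KeyStore.getInstance(DEFAULT_TARGET_STORETYPE);
        keyStore.load(null, null); // start from an empty in-memory store
        keyStore.setKeyEntry(KEY_ENTRY_ALIAS, privateKey, keyPasswordChars(), chain);
        return keyStore;
    }

    /**
     * Converts the PEM trusted certificates into an in-memory {@value #DEFAULT_TARGET_STORETYPE}
     * truststore with one entry per certificate.
     *
     * @throws SSLException if the PEM contains no certificates
     * @throws GeneralSecurityException from the PEM parser or the keystore API
     * @throws IOException from the PEM parser or the keystore API
     */
    private KeyStore buildTrustStore() throws GeneralSecurityException, IOException {
        Certificate[] trusted = PEMReader.extractCertificates(this.pemEncodedCertificates);
        if (trusted == null || trusted.length == 0) {
            throw new SSLException("Could not read any certificates from the given PEM");
        }
        KeyStore trustStore = KeyStore.getInstance(DEFAULT_TARGET_STORETYPE);
        trustStore.load(null, null); // start from an empty in-memory store
        for (int i = 0; i < trusted.length; i++) {
            // Aliases are 1-based to match the existing naming of the entries.
            trustStore.setCertificateEntry(TRUSTED_CERT_ALIAS_PREFIX + (i + 1), trusted[i]);
        }
        return trustStore;
    }

    /** Rejects configurations that supply both an inline key and an existing keystore file. */
    private void enforceSinglePrivateKeySource() {
        if (keystoreFileExists() && !StringUtils.isEmpty(this.pemEncodedKey)) {
            throw new IllegalArgumentException("Configuration must specify value for either keystore or private_key, not both for PEMBasedSSlContextFactory");
        }
    }

    /** Rejects configurations that supply both inline trusted certificates and an existing truststore file. */
    private void enforceSingleTrustedCertificatesSource() {
        if (truststoreFileExists() && !StringUtils.isEmpty(this.pemEncodedCertificates)) {
            throw new IllegalArgumentException("Configuration must specify value for either truststore or trusted_certificates, not both for PEMBasedSSlContextFactory");
        }
    }
}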
