package org.apache.spark.network.ssl;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.spark.internal.SparkLogger;
import org.apache.spark.internal.SparkLoggerFactory;
import org.apache.spark.network.util.JavaUtils;
import org.sparkproject.guava.io.Files;

/* loaded from: input_file:org/apache/spark/network/ssl/SSLFactory.class */
public class SSLFactory {
    private static final SparkLogger logger = SparkLoggerFactory.getLogger(SSLFactory.class);
    private SSLContext jdkSslContext;
    private SslContext nettyClientSslContext;
    private SslContext nettyServerSslContext;
    private KeyManager[] keyManagers;
    private TrustManager[] trustManagers;
    private String requestedProtocol;
    private String[] requestedCiphers;

    /* loaded from: input_file:org/apache/spark/network/ssl/SSLFactory$Builder.class */
    public static class Builder {
        private String requestedProtocol;
        private String[] requestedCiphers;
        private File keyStore;
        private String keyStorePassword;
        private File privateKey;
        private String privateKeyPassword;
        private String keyPassword;
        private File certChain;
        private File trustStore;
        private String trustStorePassword;
        private boolean trustStoreReloadingEnabled;
        private int trustStoreReloadIntervalMs;
        private boolean openSslEnabled;

        public Builder requestedProtocol(String str) {
            this.requestedProtocol = str == null ? "TLSv1.3" : str;
            return this;
        }

        public Builder requestedCiphers(String[] strArr) {
            this.requestedCiphers = strArr;
            return this;
        }

        public Builder keyStore(File file, String str) {
            this.keyStore = file;
            this.keyStorePassword = str;
            return this;
        }

        public Builder privateKey(File file) {
            this.privateKey = file;
            return this;
        }

        public Builder keyPassword(String str) {
            this.keyPassword = str;
            return this;
        }

        public Builder privateKeyPassword(String str) {
            this.privateKeyPassword = str;
            return this;
        }

        public Builder certChain(File file) {
            this.certChain = file;
            return this;
        }

        public Builder openSslEnabled(boolean z) {
            this.openSslEnabled = z;
            return this;
        }

        public Builder trustStore(File file, String str, boolean z, int i) {
            this.trustStore = file;
            this.trustStorePassword = str;
            this.trustStoreReloadingEnabled = z;
            this.trustStoreReloadIntervalMs = i;
            return this;
        }

        public SSLFactory build() {
            return new SSLFactory(this);
        }
    }

    private SSLFactory(Builder builder) {
        this.requestedProtocol = builder.requestedProtocol;
        this.requestedCiphers = builder.requestedCiphers;
        try {
            if (builder.certChain == null || builder.privateKey == null) {
                initJdkSslContext(builder);
            } else {
                initNettySslContexts(builder);
            }
        } catch (Exception e) {
            throw new RuntimeException("SSLFactory creation failed", e);
        }
    }

    private void initJdkSslContext(Builder builder) throws IOException, GeneralSecurityException {
        this.keyManagers = keyManagers(builder.keyStore, builder.keyPassword, builder.keyStorePassword);
        this.trustManagers = trustStoreManagers(builder.trustStore, builder.trustStorePassword, builder.trustStoreReloadingEnabled, builder.trustStoreReloadIntervalMs);
        this.jdkSslContext = createSSLContext(this.requestedProtocol, this.keyManagers, this.trustManagers);
    }

    private void initNettySslContexts(Builder builder) throws SSLException {
        this.nettyClientSslContext = SslContextBuilder.forClient().sslProvider(getSslProvider(builder)).trustManager(builder.certChain).build();
        this.nettyServerSslContext = SslContextBuilder.forServer(builder.certChain, builder.privateKey, builder.privateKeyPassword).sslProvider(getSslProvider(builder)).build();
    }

    private SslProvider getSslProvider(Builder builder) {
        if (builder.openSslEnabled) {
            if (OpenSsl.isAvailable()) {
                return SslProvider.OPENSSL;
            }
            logger.warn("OpenSSL Provider requested but it is not available, using JDK SSL Provider");
        }
        return SslProvider.JDK;
    }

    public void destroy() {
        if (this.trustManagers != null) {
            for (int i = 0; i < this.trustManagers.length; i++) {
                TrustManager trustManager = this.trustManagers[i];
                if (trustManager instanceof ReloadingX509TrustManager) {
                    try {
                        ((ReloadingX509TrustManager) trustManager).destroy();
                    } catch (InterruptedException e) {
                        logger.info("Interrupted while destroying trust manager: ", e);
                    }
                }
            }
            this.trustManagers = null;
        }
        this.keyManagers = null;
        this.jdkSslContext = null;
        this.nettyClientSslContext = null;
        this.nettyServerSslContext = null;
        this.requestedProtocol = null;
        this.requestedCiphers = null;
    }

    private static SSLContext createSSLContext(String str, KeyManager[] keyManagerArr, TrustManager[] trustManagerArr) throws GeneralSecurityException {
        SSLContext sSLContext = SSLContext.getInstance(str);
        sSLContext.init(keyManagerArr, trustManagerArr, null);
        return sSLContext;
    }

    public SSLEngine createSSLEngine(boolean z, ByteBufAllocator byteBufAllocator) {
        SSLEngine createEngine = createEngine(z, byteBufAllocator);
        createEngine.setUseClientMode(z);
        createEngine.setNeedClientAuth(false);
        createEngine.setEnabledProtocols(enabledProtocols(createEngine, this.requestedProtocol));
        createEngine.setEnabledCipherSuites(enabledCipherSuites(createEngine, this.requestedCiphers));
        return createEngine;
    }

    private SSLEngine createEngine(boolean z, ByteBufAllocator byteBufAllocator) {
        return z ? this.nettyClientSslContext != null ? this.nettyClientSslContext.newEngine(byteBufAllocator) : this.jdkSslContext.createSSLEngine() : this.nettyServerSslContext != null ? this.nettyServerSslContext.newEngine(byteBufAllocator) : this.jdkSslContext.createSSLEngine();
    }

    private static TrustManager[] credulousTrustStoreManagers() {
        return new TrustManager[]{new X509TrustManager() { // from class: org.apache.spark.network.ssl.SSLFactory.1
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        }};
    }

    private static TrustManager[] trustStoreManagers(File file, String str, boolean z, int i) throws IOException, GeneralSecurityException {
        if (file == null || !file.exists()) {
            return credulousTrustStoreManagers();
        }
        if (!z) {
            return defaultTrustManagers(file, str);
        }
        ReloadingX509TrustManager reloadingX509TrustManager = new ReloadingX509TrustManager(KeyStore.getDefaultType(), file, str, i);
        reloadingX509TrustManager.init();
        return new TrustManager[]{reloadingX509TrustManager};
    }

    private static TrustManager[] defaultTrustManagers(File file, String str) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
        InputStream openStream = Files.asByteSource(file).openStream();
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(openStream, str != null ? str.toCharArray() : null);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (openStream != null) {
                openStream.close();
            }
            return trustManagers;
        } catch (Throwable th) {
            if (openStream != null) {
                try {
                    openStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static KeyManager[] keyManagers(File file, String str, String str2) throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException, UnrecoverableKeyException {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        char[] charArray = str2 != null ? str2.toCharArray() : null;
        keyManagerFactory.init(loadKeyStore(file, charArray), str != null ? str.toCharArray() : charArray);
        return keyManagerFactory.getKeyManagers();
    }

    private static KeyStore loadKeyStore(File file, char[] cArr) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        if (file == null) {
            throw new KeyStoreException("keyStore cannot be null. Please configure spark.ssl.rpc.keyStore");
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream fileInputStream = new FileInputStream(file);
        try {
            keyStore.load(fileInputStream, cArr);
            JavaUtils.closeQuietly(fileInputStream);
            return keyStore;
        } catch (Throwable th) {
            JavaUtils.closeQuietly(fileInputStream);
            throw th;
        }
    }

    private static String[] enabledProtocols(SSLEngine sSLEngine, String str) {
        String[] supportedProtocols = sSLEngine.getSupportedProtocols();
        List<String> addIfSupported = addIfSupported(supportedProtocols, (str == null || str.isEmpty()) ? new String[]{"TLSv1.3", "TLSv1.2"} : new String[]{str});
        return !addIfSupported.isEmpty() ? (String[]) addIfSupported.toArray(new String[addIfSupported.size()]) : supportedProtocols;
    }

    private static String[] enabledCipherSuites(String[] strArr, String[] strArr2, String[] strArr3) {
        List<String> addIfSupported = addIfSupported(strArr, (strArr3 == null || strArr3.length == 0) ? new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"} : strArr3);
        return !addIfSupported.isEmpty() ? (String[]) addIfSupported.toArray(new String[addIfSupported.size()]) : strArr2;
    }

    private static String[] enabledCipherSuites(SSLEngine sSLEngine, String[] strArr) {
        return enabledCipherSuites(sSLEngine.getSupportedCipherSuites(), sSLEngine.getEnabledCipherSuites(), strArr);
    }

    private static List<String> addIfSupported(String[] strArr, String... strArr2) {
        ArrayList arrayList = new ArrayList();
        HashSet hashSet = new HashSet(Arrays.asList(strArr));
        for (String str : strArr2) {
            if (hashSet.contains(str)) {
                arrayList.add(str);
            }
        }
        return arrayList;
    }
}
