package org.apache.hadoop.hbase.io.crypto.tls;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.exceptions.KeyManagerException;
import org.apache.hadoop.hbase.exceptions.SSLContextException;
import org.apache.hadoop.hbase.exceptions.TrustManagerException;
import org.apache.hadoop.hbase.exceptions.X509Exception;
import org.apache.hadoop.hbase.io.FileChangeWatcher;
import org.apache.hadoop.security.HttpCrossOriginFilterInitializer;
import org.apache.hbase.thirdparty.com.google.common.collect.ObjectArrays;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.OpenSsl;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContextBuilder;
import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslProvider;
import org.apache.phoenix.shaded.org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/io/crypto/tls/X509Util.class */
public final class X509Util {
    static final String CONFIG_PREFIX = "hbase.rpc.tls.";
    public static final String TLS_CONFIG_PROTOCOL = "hbase.rpc.tls.protocol";
    public static final String TLS_CONFIG_KEYSTORE_LOCATION = "hbase.rpc.tls.keystore.location";
    public static final String TLS_CONFIG_KEYSTORE_TYPE = "hbase.rpc.tls.keystore.type";
    public static final String TLS_CONFIG_KEYSTORE_PASSWORD = "hbase.rpc.tls.keystore.password";
    public static final String TLS_CONFIG_TRUSTSTORE_LOCATION = "hbase.rpc.tls.truststore.location";
    public static final String TLS_CONFIG_TRUSTSTORE_TYPE = "hbase.rpc.tls.truststore.type";
    public static final String TLS_CONFIG_TRUSTSTORE_PASSWORD = "hbase.rpc.tls.truststore.password";
    public static final String TLS_CONFIG_CLR = "hbase.rpc.tls.clr";
    public static final String TLS_CONFIG_OCSP = "hbase.rpc.tls.ocsp";
    public static final String TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED = "hbase.rpc.tls.host-verification.reverse-dns.enabled";
    public static final String TLS_ENABLED_PROTOCOLS = "hbase.rpc.tls.enabledProtocols";
    public static final String TLS_CIPHER_SUITES = "hbase.rpc.tls.ciphersuites";
    public static final String TLS_CERT_RELOAD = "hbase.rpc.tls.certReload";
    public static final String TLS_USE_OPENSSL = "hbase.rpc.tls.useOpenSsl";
    public static final String DEFAULT_PROTOCOL = "TLSv1.2";
    public static final String HBASE_SERVER_NETTY_TLS_ENABLED = "hbase.server.netty.tls.enabled";
    public static final String HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE = "hbase.server.netty.tls.client.auth.mode";
    public static final String HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME = "hbase.server.netty.tls.verify.client.hostname";
    public static final String HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT = "hbase.server.netty.tls.supportplaintext";
    public static final String HBASE_SERVER_NETTY_TLS_WRAP_SIZE = "hbase.server.netty.tls.wrapSize";
    public static final int DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE = 1048576;
    public static final String HBASE_CLIENT_NETTY_TLS_ENABLED = "hbase.client.netty.tls.enabled";
    public static final String HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME = "hbase.client.netty.tls.verify.server.hostname";
    public static final String HBASE_CLIENT_NETTY_TLS_HANDSHAKETIMEOUT = "hbase.client.netty.tls.handshaketimeout";
    public static final int DEFAULT_HANDSHAKE_DETECTION_TIMEOUT_MILLIS = 5000;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) X509Util.class);
    private static final char[] EMPTY_CHAR_ARRAY = new char[0];
    private static final String[] DEFAULT_CIPHERS_JAVA8 = (String[]) ObjectArrays.concat(getCBCCiphers(), getGCMCiphers(), String.class);
    private static final String[] DEFAULT_CIPHERS_JAVA9 = (String[]) ObjectArrays.concat(getGCMCiphers(), getCBCCiphers(), String.class);
    private static final String[] DEFAULT_CIPHERS_JAVA11 = (String[]) ObjectArrays.concat(ObjectArrays.concat(getTls13Ciphers(), getGCMCiphers(), String.class), getCBCCiphers(), String.class);
    private static final String[] DEFAULT_CIPHERS_OPENSSL = getOpenSslFilteredDefaultCiphers();

    /* loaded from: input_file:org/apache/hadoop/hbase/io/crypto/tls/X509Util$ClientAuth.class */
    public enum ClientAuth {
        NONE(org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth.NONE),
        WANT(org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth.OPTIONAL),
        NEED(org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth.REQUIRE);

        private final org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth nettyAuth;

        ClientAuth(org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth clientAuth) {
            this.nettyAuth = clientAuth;
        }

        public static ClientAuth fromPropertyValue(String str) {
            return (str == null || str.length() == 0) ? NEED : valueOf(str.toUpperCase());
        }

        public org.apache.hbase.thirdparty.io.netty.handler.ssl.ClientAuth toNettyClientAuth() {
            return this.nettyAuth;
        }
    }

    private static String[] getTls13Ciphers() {
        return new String[]{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"};
    }

    private static String[] getGCMCiphers() {
        return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"};
    }

    private static String[] getCBCCiphers() {
        return new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"};
    }

    private static String[] getOpenSslFilteredDefaultCiphers() {
        if (!OpenSsl.isAvailable()) {
            return new String[0];
        }
        Set<String> availableJavaCipherSuites = OpenSsl.availableJavaCipherSuites();
        ArrayList arrayList = new ArrayList();
        Stream stream = Arrays.stream(getTls13Ciphers());
        availableJavaCipherSuites.getClass();
        Stream filter = stream.filter((v1) -> {
            return r1.contains(v1);
        });
        arrayList.getClass();
        filter.forEach((v1) -> {
            r1.add(v1);
        });
        Stream stream2 = Arrays.stream(getGCMCiphers());
        availableJavaCipherSuites.getClass();
        Stream filter2 = stream2.filter((v1) -> {
            return r1.contains(v1);
        });
        arrayList.getClass();
        filter2.forEach((v1) -> {
            r1.add(v1);
        });
        Stream stream3 = Arrays.stream(getCBCCiphers());
        availableJavaCipherSuites.getClass();
        Stream filter3 = stream3.filter((v1) -> {
            return r1.contains(v1);
        });
        arrayList.getClass();
        filter3.forEach((v1) -> {
            r1.add(v1);
        });
        return (String[]) arrayList.toArray(new String[0]);
    }

    private X509Util() {
    }

    static String[] getDefaultCipherSuites(boolean z) {
        return z ? DEFAULT_CIPHERS_OPENSSL : getDefaultCipherSuitesForJavaVersion(System.getProperty("java.specification.version"));
    }

    static String[] getDefaultCipherSuitesForJavaVersion(String str) {
        Objects.requireNonNull(str);
        if (str.matches("\\d+")) {
            if (Integer.parseInt(str) >= 11) {
                LOG.debug("Using Java11+ optimized cipher suites for Java version {}, including TLSv1.3 support", str);
                return DEFAULT_CIPHERS_JAVA11;
            }
            LOG.debug("Using Java9+ optimized cipher suites for Java version {}", str);
            return DEFAULT_CIPHERS_JAVA9;
        }
        if (str.startsWith("1.")) {
            LOG.debug("Using Java8 optimized cipher suites for Java version {}", str);
            return DEFAULT_CIPHERS_JAVA8;
        }
        LOG.debug("Could not parse java version {}, using Java8 optimized cipher suites", str);
        return DEFAULT_CIPHERS_JAVA8;
    }

    public static SslContext createSslContextForClient(Configuration configuration) throws X509Exception, IOException {
        SslContextBuilder forClient = SslContextBuilder.forClient();
        boolean configureOpenSslIfAvailable = configureOpenSslIfAvailable(forClient, configuration);
        String str = configuration.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
        char[] password = configuration.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
        String str2 = configuration.get(TLS_CONFIG_KEYSTORE_TYPE, "");
        if (str.isEmpty()) {
            LOG.warn("hbase.rpc.tls.keystore.location not specified");
        } else {
            forClient.keyManager(createKeyManager(str, password, str2));
        }
        String str3 = configuration.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
        char[] password2 = configuration.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
        String str4 = configuration.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
        boolean z = configuration.getBoolean(TLS_CONFIG_CLR, false);
        boolean z2 = configuration.getBoolean(TLS_CONFIG_OCSP, false);
        boolean z3 = configuration.getBoolean(HBASE_CLIENT_NETTY_TLS_VERIFY_SERVER_HOSTNAME, true);
        boolean z4 = configuration.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true);
        if (str3.isEmpty()) {
            LOG.warn("hbase.rpc.tls.truststore.location not specified");
        } else {
            forClient.trustManager(createTrustManager(str3, password2, str4, z, z2, z3, z4));
        }
        forClient.enableOcsp(z2);
        forClient.protocols(getEnabledProtocols(configuration));
        forClient.ciphers(Arrays.asList(getCipherSuites(configuration, configureOpenSslIfAvailable)));
        return forClient.build();
    }

    private static boolean configureOpenSslIfAvailable(SslContextBuilder sslContextBuilder, Configuration configuration) {
        if (OpenSsl.isAvailable() && configuration.getBoolean(TLS_USE_OPENSSL, true)) {
            LOG.debug("Using netty-tcnative to accelerate SSL handling");
            sslContextBuilder.sslProvider(SslProvider.OPENSSL);
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using default JDK SSL provider because netty-tcnative is not {}", OpenSsl.isAvailable() ? HttpCrossOriginFilterInitializer.ENABLED_SUFFIX : "available");
        }
        sslContextBuilder.sslProvider(SslProvider.JDK);
        return false;
    }

    public static SslContext createSslContextForServer(Configuration configuration) throws X509Exception, IOException {
        String str = configuration.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
        char[] password = configuration.getPassword(TLS_CONFIG_KEYSTORE_PASSWORD);
        String str2 = configuration.get(TLS_CONFIG_KEYSTORE_TYPE, "");
        if (str.isEmpty()) {
            throw new SSLContextException("Keystore is required for SSL server: hbase.rpc.tls.keystore.location");
        }
        SslContextBuilder forServer = SslContextBuilder.forServer(createKeyManager(str, password, str2));
        boolean configureOpenSslIfAvailable = configureOpenSslIfAvailable(forServer, configuration);
        String str3 = configuration.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
        char[] password2 = configuration.getPassword(TLS_CONFIG_TRUSTSTORE_PASSWORD);
        String str4 = configuration.get(TLS_CONFIG_TRUSTSTORE_TYPE, "");
        boolean z = configuration.getBoolean(TLS_CONFIG_CLR, false);
        boolean z2 = configuration.getBoolean(TLS_CONFIG_OCSP, false);
        ClientAuth fromPropertyValue = ClientAuth.fromPropertyValue(configuration.get(HBASE_SERVER_NETTY_TLS_CLIENT_AUTH_MODE));
        boolean z3 = configuration.getBoolean(HBASE_SERVER_NETTY_TLS_VERIFY_CLIENT_HOSTNAME, true);
        boolean z4 = configuration.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true);
        if (str3.isEmpty()) {
            LOG.warn("hbase.rpc.tls.truststore.location not specified");
        } else {
            forServer.trustManager(createTrustManager(str3, password2, str4, z, z2, z3, z4));
        }
        forServer.enableOcsp(z2);
        forServer.protocols(getEnabledProtocols(configuration));
        forServer.ciphers(Arrays.asList(getCipherSuites(configuration, configureOpenSslIfAvailable)));
        forServer.clientAuth(fromPropertyValue.toNettyClientAuth());
        return forServer.build();
    }

    static X509KeyManager createKeyManager(String str, char[] cArr, String str2) throws KeyManagerException {
        if (cArr == null) {
            cArr = EMPTY_CHAR_ARRAY;
        }
        try {
            KeyStore loadKeyStore = FileKeyStoreLoaderBuilderProvider.getBuilderForKeyStoreFileType(KeyStoreFileType.fromPropertyValueOrFileName(str2, str)).setKeyStorePath(str).setKeyStorePassword(cArr).build().loadKeyStore();
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX");
            keyManagerFactory.init(loadKeyStore, cArr);
            for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
                if (keyManager instanceof X509KeyManager) {
                    return (X509KeyManager) keyManager;
                }
            }
            throw new KeyManagerException("Couldn't find X509KeyManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new KeyManagerException(e);
        }
    }

    static X509TrustManager createTrustManager(String str, char[] cArr, String str2, boolean z, boolean z2, boolean z3, boolean z4) throws TrustManagerException {
        if (cArr == null) {
            cArr = EMPTY_CHAR_ARRAY;
        }
        try {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(FileKeyStoreLoaderBuilderProvider.getBuilderForKeyStoreFileType(KeyStoreFileType.fromPropertyValueOrFileName(str2, str)).setTrustStorePath(str).setTrustStorePassword(cArr).build().loadTrustStore(), new X509CertSelector());
            if (z || z2) {
                pKIXBuilderParameters.setRevocationEnabled(true);
                System.setProperty("org.apache.phoenix.shaded.com.sun.net.ssl.checkRevocation", "true");
                if (z) {
                    System.setProperty("com.sun.security.enableCRLDP", "true");
                }
                if (z2) {
                    Security.setProperty("ocsp.enable", "true");
                }
            } else {
                pKIXBuilderParameters.setRevocationEnabled(false);
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init(new CertPathTrustManagerParameters(pKIXBuilderParameters));
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509ExtendedTrustManager) {
                    return new HBaseTrustManager((X509ExtendedTrustManager) trustManager, z3, z4);
                }
            }
            throw new TrustManagerException("Couldn't find X509TrustManager");
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new TrustManagerException(e);
        }
    }

    private static String[] getEnabledProtocols(Configuration configuration) {
        String str = configuration.get(TLS_ENABLED_PROTOCOLS);
        return str == null ? new String[]{configuration.get(TLS_CONFIG_PROTOCOL, "TLSv1.2")} : str.split(",");
    }

    private static String[] getCipherSuites(Configuration configuration, boolean z) {
        String str = configuration.get(TLS_CIPHER_SUITES);
        return str == null ? getDefaultCipherSuites(z) : str.split(",");
    }

    public static void enableCertFileReloading(Configuration configuration, AtomicReference<FileChangeWatcher> atomicReference, AtomicReference<FileChangeWatcher> atomicReference2, Runnable runnable) throws IOException {
        String str = configuration.get(TLS_CONFIG_KEYSTORE_LOCATION, "");
        atomicReference.set(newFileChangeWatcher(str, runnable));
        String str2 = configuration.get(TLS_CONFIG_TRUSTSTORE_LOCATION, "");
        if (str.equals(str2)) {
            return;
        }
        atomicReference2.set(newFileChangeWatcher(str2, runnable));
    }

    private static FileChangeWatcher newFileChangeWatcher(String str, Runnable runnable) throws IOException {
        if (str == null || str.isEmpty() || runnable == null) {
            return null;
        }
        Path absolutePath = Paths.get(str, new String[0]).toAbsolutePath();
        Path parent = absolutePath.getParent();
        if (parent == null) {
            throw new IOException("Key/trust store path does not have a parent: " + absolutePath);
        }
        FileChangeWatcher fileChangeWatcher = new FileChangeWatcher(parent, Objects.toString(absolutePath.getFileName()), watchEvent -> {
            handleWatchEvent(absolutePath, watchEvent, runnable);
        });
        fileChangeWatcher.start();
        return fileChangeWatcher;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void handleWatchEvent(Path path, WatchEvent<?> watchEvent, Runnable runnable) {
        boolean z = false;
        Path parent = path.getParent();
        if (watchEvent.kind().equals(StandardWatchEventKinds.OVERFLOW)) {
            z = true;
        } else if ((watchEvent.kind().equals(StandardWatchEventKinds.ENTRY_MODIFY) || watchEvent.kind().equals(StandardWatchEventKinds.ENTRY_CREATE)) && path.equals(parent.resolve((Path) watchEvent.context()))) {
            z = true;
        }
        if (z) {
            LOG.info("Attempting to reset default SSL context after receiving watch event: {} with context: {}", watchEvent.kind(), watchEvent.context());
            runnable.run();
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("Ignoring watch event and keeping previous default SSL context. Event kind: {} with context: {}", watchEvent.kind(), watchEvent.context());
        }
    }
}
