package com.datastax.oss.driver.internal.core.ssl;

import com.datastax.oss.driver.shaded.guava.common.annotations.VisibleForTesting;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.Optional;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyManagerFactorySpi;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/java-driver-core-4.18.1.jar:com/datastax/oss/driver/internal/core/ssl/ReloadingKeyManagerFactory.class */
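/**
 * A {@link KeyManagerFactory} that hands out one long-lived key manager and replaces the key
 * material behind it whenever the keystore file on disk changes.
 *
 * <p>The key manager returned by {@link #getKeyManagers()} is a {@link DelegatingKeyManager}; a
 * reload swaps its delegate atomically, so an {@code SSLContext} built once from this factory
 * picks up rotated client certificates on subsequent handshakes without being rebuilt.
 *
 * <p>Operational notes for whoever deploys this:
 *
 * <ul>
 *   <li>The SHA-256 digest kept in {@code lastDigest} is change detection only. It does not
 *       authenticate the file: whatever the configured password can open at {@code keystorePath}
 *       becomes the client identity, so the file and its parent directory need restrictive
 *       permissions.
 *   <li>A failed reload (unreadable file, wrong password, partially written file) is logged at
 *       WARN and the previous key material stays in use; the digest is not advanced, so the next
 *       scheduled run retries.
 *   <li>The keystore password is retained as a {@code String} for the lifetime of the factory
 *       because every reload needs it again; it therefore cannot be wiped from the heap.
 * </ul>
 */
public class ReloadingKeyManagerFactory extends KeyManagerFactory implements AutoCloseable {
    private static final Logger logger = LoggerFactory.getLogger(ReloadingKeyManagerFactory.class);

    // The keystore type is fixed. NOTE(review): whether a PKCS#12 file loads under this type
    // depends on the JDK's keystore compatibility setting; confirm for the target runtime.
    private static final String KEYSTORE_TYPE = "JKS";

    private Path keystorePath;
    private String keystorePassword;
    // Null when periodic reloading is disabled.
    private ScheduledExecutorService executor;
    private final Spi spi;
    // Digest of the keystore bytes that were last loaded successfully; null before the first load.
    private volatile byte[] lastDigest;

    /**
     * Key manager that forwards every call to the delegate currently held in an
     * {@link AtomicReference}, so the delegate can be replaced while TLS engines keep a
     * reference to this object.
     *
     * <p>Decompiler note (JADX): this class was declared {@code private} in the class file; the
     * decompiler widened its access.
     */
    public static class DelegatingKeyManager extends X509ExtendedKeyManager {
        AtomicReference<X509ExtendedKeyManager> delegate;

        DelegatingKeyManager(X509ExtendedKeyManager x509ExtendedKeyManager) {
            this.delegate = new AtomicReference<>(x509ExtendedKeyManager);
        }

        /** Replaces the delegate; calls made after this returns see the new key material. */
        void set(X509ExtendedKeyManager x509ExtendedKeyManager) {
            this.delegate.set(x509ExtendedKeyManager);
        }

        @Override // javax.net.ssl.X509ExtendedKeyManager
        public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
            return this.delegate.get().chooseEngineClientAlias(strArr, principalArr, sSLEngine);
        }

        @Override // javax.net.ssl.X509ExtendedKeyManager
        public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
            return this.delegate.get().chooseEngineServerAlias(str, principalArr, sSLEngine);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String[] getClientAliases(String str, Principal[] principalArr) {
            return this.delegate.get().getClientAliases(str, principalArr);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
            return this.delegate.get().chooseClientAlias(strArr, principalArr, socket);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String[] getServerAliases(String str, Principal[] principalArr) {
            return this.delegate.get().getServerAliases(str, principalArr);
        }

        @Override // javax.net.ssl.X509KeyManager
        public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
            return this.delegate.get().chooseServerAlias(str, principalArr, socket);
        }

        // The alias lookup and the two getters below each read the delegate independently, so a
        // reload that lands between calls can pair an alias chosen from the old keystore with a
        // chain or key from the new one (possibly null if the alias no longer exists).
        @Override // javax.net.ssl.X509KeyManager
        public X509Certificate[] getCertificateChain(String str) {
            return this.delegate.get().getCertificateChain(str);
        }

        @Override // javax.net.ssl.X509KeyManager
        public PrivateKey getPrivateKey(String str) {
            return this.delegate.get().getPrivateKey(str);
        }
    }

    /**
     * SPI that always returns the same {@link DelegatingKeyManager}. Both {@code engineInit}
     * variants are rejected: the key material is managed by the enclosing factory's reload
     * logic, not by callers invoking {@code init} on the factory.
     *
     * <p>Decompiler note (JADX): this class was declared {@code private} in the class file; the
     * decompiler widened its access.
     */
    public static class Spi extends KeyManagerFactorySpi {
        DelegatingKeyManager keyManager;

        Spi(X509ExtendedKeyManager x509ExtendedKeyManager) {
            this.keyManager = new DelegatingKeyManager(x509ExtendedKeyManager);
        }

        @Override // javax.net.ssl.KeyManagerFactorySpi
        protected void engineInit(KeyStore keyStore, char[] cArr) {
            throw new UnsupportedOperationException();
        }

        @Override // javax.net.ssl.KeyManagerFactorySpi
        protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
            throw new UnsupportedOperationException();
        }

        @Override // javax.net.ssl.KeyManagerFactorySpi
        protected KeyManager[] engineGetKeyManagers() {
            return new KeyManager[]{this.keyManager};
        }
    }

    /**
     * Loads the keystore at {@code path}, builds a factory around its first key manager and
     * starts the periodic reload.
     *
     * <p>Decompiler note (JADX): this method was package-private in the class file.
     *
     * @param path location of the keystore file; must not be null
     * @param str keystore password, also used as the key password; must not be null
     * @param optional reload interval; empty or zero disables periodic reloading
     * @return a started factory; callers should {@link #close()} it to stop the reload thread
     * @throws IOException if the file cannot be read or the keystore cannot be opened with the
     *     given password
     * @throws IllegalArgumentException if the interval is non-zero but shorter than one
     *     millisecond, or negative
     */
    public static ReloadingKeyManagerFactory create(Path path, String str, Optional<Duration> optional) throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore;
        // try-with-resources closes the stream exactly once, on both the success and the
        // failure path.
        try (InputStream in = Files.newInputStream(path)) {
            keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            keyStore.load(in, str.toCharArray());
        }
        keyManagerFactory.init(keyStore, str.toCharArray());
        ReloadingKeyManagerFactory reloadingKeyManagerFactory = new ReloadingKeyManagerFactory(keyManagerFactory);
        reloadingKeyManagerFactory.start(path, str, optional);
        return reloadingKeyManagerFactory;
    }

    /**
     * Wraps the first key manager of an already initialised factory.
     *
     * @param keyManagerFactory initialised factory whose first key manager must be an
     *     {@link X509ExtendedKeyManager}; anything else fails with a {@link ClassCastException}
     */
    @VisibleForTesting
    protected ReloadingKeyManagerFactory(KeyManagerFactory keyManagerFactory) {
        this(new Spi((X509ExtendedKeyManager) keyManagerFactory.getKeyManagers()[0]), keyManagerFactory.getProvider(), keyManagerFactory.getAlgorithm());
    }

    private ReloadingKeyManagerFactory(Spi spi, Provider provider, String str) {
        super(spi, provider, str);
        this.spi = spi;
    }

    /**
     * Records the keystore location and password, performs one synchronous reload (which seeds
     * {@code lastDigest}) and, when an interval is configured, schedules further reloads on a
     * single daemon thread.
     */
    private void start(Path path, String str, Optional<Duration> optional) {
        this.keystorePath = path;
        this.keystorePassword = str;
        reload();
        Duration interval = optional.orElse(Duration.ZERO);
        if (interval.isZero()) {
            logger.info("KeyStore reloading is disabled. If your Cassandra cluster requires client certificates, client application restarts are infrequent, and client certificates have short lifetimes, then your client may fail to re-establish connections to Cassandra hosts. To enable KeyStore reloading, see `advanced.ssl-engine-factory.keystore-reload-interval` in reference.conf.");
            return;
        }
        // scheduleWithFixedDelay rejects a delay <= 0 with a message-less
        // IllegalArgumentException; check up front so the misconfiguration is named and no
        // executor is created for it.
        long intervalMillis = interval.toMillis();
        if (intervalMillis <= 0) {
            throw new IllegalArgumentException("KeyStore reload interval must be at least 1 millisecond, got " + interval);
        }
        logger.info("KeyStore reloading is enabled with interval {}", interval);
        this.executor = Executors.newScheduledThreadPool(1, runnable -> {
            Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
            // NOTE(review): "%%d" formats to a literal "%d", so the thread is named
            // "<SimpleName>-%d". Left unchanged because the name is externally visible in
            // thread dumps and monitoring.
            newThread.setName(String.format("%s-%%d", getClass().getSimpleName()));
            newThread.setDaemon(true);
            return newThread;
        });
        this.executor.scheduleWithFixedDelay(this::reload, intervalMillis, intervalMillis, TimeUnit.MILLISECONDS);
    }

    /**
     * Attempts a reload and never throws: any failure is logged at WARN and the previously
     * loaded key material stays active. An exception escaping here would cancel the scheduled
     * task, so swallowing is deliberate.
     */
    @VisibleForTesting
    void reload() {
        try {
            reload0();
        } catch (Exception e) {
            logger.warn("Failed to reload KeyStore. If this continues to happen, your client may use stale identity certificates and fail to re-establish connections to Cassandra hosts.", e);
        }
    }

    /**
     * Reads the keystore file, and if its content differs from the last successful load, parses
     * it and swaps the new key manager in.
     *
     * <p>The file is read fully into memory first and parsed from that copy, so the bytes that
     * are hashed are the bytes that are loaded. {@code lastDigest} is updated only after the new
     * key manager is installed; a file that fails to parse is therefore retried on the next run.
     */
    private synchronized void reload0() throws NoSuchAlgorithmException, IOException, KeyStoreException, CertificateException, UnrecoverableKeyException {
        logger.debug("Checking KeyStore file {} for updates", this.keystorePath);
        byte[] content = Files.readAllBytes(this.keystorePath);
        byte[] digest = digest(content);
        // Plain Arrays.equals is sufficient: the digest is not a secret, only a change marker.
        if (this.lastDigest != null && Arrays.equals(this.lastDigest, digest)) {
            logger.debug("KeyStore file content has not changed; skipping update");
            return;
        }
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        try (InputStream in = new ByteArrayInputStream(content)) {
            keyStore.load(in, this.keystorePassword.toCharArray());
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, this.keystorePassword.toCharArray());
        logger.info("Detected updates to KeyStore file {}", this.keystorePath);
        this.spi.keyManager.set((X509ExtendedKeyManager) keyManagerFactory.getKeyManagers()[0]);
        this.lastDigest = digest;
    }

    /**
     * Stops scheduling further reloads. A reload already in progress is allowed to finish; this
     * method does not wait for it. The key manager keeps serving the last loaded key material.
     */
    @Override // java.lang.AutoCloseable
    public void close() throws Exception {
        if (this.executor != null) {
            this.executor.shutdown();
        }
    }

    /** Returns the SHA-256 digest of {@code bArr}. */
    private static byte[] digest(byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(bArr);
    }
}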
