package io.grpc.xds.internal.sds;

import com.google.common.base.Preconditions;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.xds.EnvoyServerProtoData;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.core.Node;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import java.io.IOException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.util.concurrent.Executor;

/* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.33.0.jar:io/grpc/xds/internal/sds/SdsClientSslContextProvider.class */
/**
 * Client-side provider that assembles a Netty {@link SslContextBuilder} for an upstream
 * connection from the TLS settings carried in an {@link EnvoyServerProtoData.UpstreamTlsContext}.
 *
 * <p>Instances are created only through {@link #getProvider}; the constructor is private.
 */
final class SdsClientSslContextProvider extends SdsSslContextProvider {
    /**
     * Forwards every argument unchanged to the superclass constructor.
     *
     * <p>Parameter names follow what {@link #getProvider} passes in each position: the TLS
     * certificate SDS config first, then the validation-context SDS config, then the static
     * validation context.
     */
    private SdsClientSslContextProvider(
            Node node,
            SdsSecretConfig certSdsConfig,
            SdsSecretConfig validationContextSdsConfig,
            CertificateValidationContext staticValidationContext,
            Executor executor,
            Executor executor2,
            EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext) {
        super(
                node,
                certSdsConfig,
                validationContextSdsConfig,
                staticValidationContext,
                executor,
                executor2,
                upstreamTlsContext);
    }

    /**
     * Builds a provider from the common TLS context of {@code upstreamTlsContext}.
     *
     * <p>Selection of the peer-validation source, in order of precedence:
     * <ol>
     *   <li>a combined validation context, from which the SDS config and the default (static)
     *       context are each taken when present;</li>
     *   <li>otherwise a standalone validation-context SDS config;</li>
     *   <li>otherwise a standalone static validation context.</li>
     * </ol>
     * Only the first TLS certificate SDS config (index 0) is used; further entries are ignored.
     *
     * <p>Decompiler note: the original access of this method was package-private.
     *
     * @param upstreamTlsContext TLS settings for the upstream; must not be null
     * @param node passed through to the provider unchanged
     * @param executor passed through to the provider unchanged
     * @param executor2 passed through to the provider unchanged
     * @return a new provider configured from {@code upstreamTlsContext}
     * @throws NullPointerException if {@code upstreamTlsContext} is null
     */
    public static SdsClientSslContextProvider getProvider(
            EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext,
            Node node,
            Executor executor,
            Executor executor2) {
        Preconditions.checkNotNull(upstreamTlsContext, "upstreamTlsContext");
        CommonTlsContext tlsContext = upstreamTlsContext.getCommonTlsContext();

        // NOTE(review): when none of the branches below match, both values stay null and the
        // provider is still created. How the peer is verified in that case is decided by the
        // superclass and SdsTrustManagerFactory, which are not visible here; confirm that a
        // missing validation context cannot result in an unverified upstream.
        SdsSecretConfig validationSdsConfig = null;
        CertificateValidationContext staticValidationContext = null;
        if (!tlsContext.hasCombinedValidationContext()) {
            if (tlsContext.hasValidationContextSdsSecretConfig()) {
                validationSdsConfig = tlsContext.getValidationContextSdsSecretConfig();
            } else if (tlsContext.hasValidationContext()) {
                staticValidationContext = tlsContext.getValidationContext();
            }
        } else {
            CommonTlsContext.CombinedCertificateValidationContext combined =
                    tlsContext.getCombinedValidationContext();
            if (combined.hasValidationContextSdsSecretConfig()) {
                validationSdsConfig = combined.getValidationContextSdsSecretConfig();
            }
            if (combined.hasDefaultValidationContext()) {
                staticValidationContext = combined.getDefaultValidationContext();
            }
        }

        // The client certificate is optional: with no SDS config listed, none is requested.
        SdsSecretConfig certSdsConfig =
                tlsContext.getTlsCertificateSdsSecretConfigsCount() > 0
                        ? tlsContext.getTlsCertificateSdsSecretConfigs(0)
                        : null;

        return new SdsClientSslContextProvider(
                node,
                certSdsConfig,
                validationSdsConfig,
                staticValidationContext,
                executor,
                executor2,
                upstreamTlsContext);
    }

    /**
     * Creates the client-side builder: trust decisions come from an
     * {@link SdsTrustManagerFactory} built on {@code certificateValidationContext}, and a key
     * manager is attached only when a TLS certificate is set on this provider.
     *
     * @param certificateValidationContext validation settings handed to the trust manager factory
     * @return the configured builder
     */
    @Override // io.grpc.xds.internal.sds.DynamicSslContextProvider
    protected final SslContextBuilder getSslContextBuilder(CertificateValidationContext certificateValidationContext) throws CertificateException, IOException, CertStoreException {
        SslContextBuilder clientBuilder =
                GrpcSslContexts.forClient()
                        .trustManager(new SdsTrustManagerFactory(certificateValidationContext));
        if (this.tlsCertificate == null) {
            // No client certificate: the builder carries trust configuration only.
            return clientBuilder;
        }
        // Only the inline forms of the chain, key and password are read here.
        // NOTE(review): presumably a secret delivered in any other data-source form would
        // read as empty at this point; confirm against the secret source.
        // The key password is held as a String, so it cannot be wiped after use.
        clientBuilder.keyManager(
                this.tlsCertificate.getCertificateChain().getInlineBytes().newInput(),
                this.tlsCertificate.getPrivateKey().getInlineBytes().newInput(),
                this.tlsCertificate.hasPassword()
                        ? this.tlsCertificate.getPassword().getInlineString()
                        : null);
        return clientBuilder;
    }
}
