package com.clickhouse.client.config;

import com.clickhouse.client.ClickHouseConfig;
import com.clickhouse.client.ClickHouseSslContextProvider;
import com.clickhouse.data.ClickHouseUtils;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Iterator;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.pulsar.client.api.TypedMessageBuilder;

/* loaded from: input_file:META-INF/bundled-dependencies/clickhouse-jdbc-0.4.6-all.jar:com/clickhouse/client/config/ClickHouseDefaultSslContextProvider.class */
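/**
 * Default {@link ClickHouseSslContextProvider}: builds a JSSE {@link SSLContext} from the SSL
 * settings of a {@link ClickHouseConfig} (mode, client certificate, client key, root certificate).
 *
 * <p>Security summary of the two supported modes, as implemented in
 * {@link #getJavaSslContext(ClickHouseConfig)}:
 * <ul>
 *   <li>{@code ClickHouseSslMode.NONE} installs {@link NonValidatingTrustManager}, which accepts
 *       every certificate chain. The channel is encrypted but the peer is not authenticated.</li>
 *   <li>{@code ClickHouseSslMode.STRICT} uses the configured root certificate file when one is
 *       given; otherwise {@code null} trust managers are passed to
 *       {@link SSLContext#init}, which makes JSSE fall back to its default trust managers.</li>
 * </ul>
 */
public class ClickHouseDefaultSslContextProvider implements ClickHouseSslContextProvider {
    static final String PEM_HEADER_PREFIX = "---BEGIN ";
    static final String PEM_HEADER_SUFFIX = " PRIVATE KEY---";
    static final String PEM_FOOTER_PREFIX = "---END ";

    /**
     * Trust manager that performs no certificate validation at all.
     *
     * <p>Both check methods return without inspecting the chain, so any certificate (expired,
     * self-signed, issued for another host) is accepted. It is only installed for
     * {@code ClickHouseSslMode.NONE}; a connection built on it is open to on-path interception
     * and should not carry credentials or sensitive data over untrusted networks.
     *
     * <p>The decompiler reports that this class was package-private in the original source; the
     * {@code public} modifier is kept here so existing references keep compiling.
     */
    public static class NonValidatingTrustManager implements X509TrustManager {
        NonValidatingTrustManager() {
        }

        /** Returns an empty array: no issuer is advertised as trusted. */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /** Accepts every client chain; intentionally never throws. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Deliberately empty: validation is disabled in this trust manager.
        }

        /** Accepts every server chain; intentionally never throws. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // Deliberately empty: validation is disabled in this trust manager.
        }
    }

    /**
     * Extracts the algorithm name from a PEM private-key header line.
     *
     * <p>For {@code "-----BEGIN RSA PRIVATE KEY-----"} this returns {@code "RSA"}. A header
     * without an algorithm token ({@code "-----BEGIN PRIVATE KEY-----"}) or a line that is not a
     * private-key header yields {@code defaultAlgorithm}.
     *
     * @param line             first line of the key file
     * @param defaultAlgorithm value returned when no algorithm can be read from {@code line}
     * @return the text between {@link #PEM_HEADER_PREFIX} and {@link #PEM_HEADER_SUFFIX}, or
     *         {@code defaultAlgorithm}
     */
    static String getAlgorithm(String line, String defaultAlgorithm) {
        int prefixAt = line.indexOf(PEM_HEADER_PREFIX);
        if (prefixAt < 0) {
            return defaultAlgorithm;
        }
        int start = prefixAt + PEM_HEADER_PREFIX.length();
        // The suffix begins with a space, so it can only match after a non-empty algorithm token.
        int end = line.indexOf(PEM_HEADER_SUFFIX, start);
        return start < end ? line.substring(start, end) : defaultAlgorithm;
    }

    /**
     * Reads an unencrypted PEM private key from the given file.
     *
     * <p>The first line is always consumed as the header (its algorithm token, if any, selects the
     * {@link KeyFactory}); following lines are concatenated until a line containing
     * {@link #PEM_FOOTER_PREFIX} or end of file. The decoded bytes are always interpreted as
     * PKCS#8 ({@link PKCS8EncodedKeySpec}), whatever the header says.
     *
     * <p>Note: {@link Base64.Decoder#decode(String)} throws the unchecked
     * {@link IllegalArgumentException} on malformed Base64, which is not one of the declared
     * exceptions and is therefore not wrapped by {@link #getJavaSslContext(ClickHouseConfig)}.
     *
     * @param file location of the key file, resolved by {@code ClickHouseUtils.getFileInputStream}
     * @return the parsed private key
     * @throws NoSuchAlgorithmException if no provider supports the key algorithm
     * @throws InvalidKeySpecException  if the decoded bytes are not a valid PKCS#8 key
     * @throws IOException              if the file cannot be opened or read
     */
    static PrivateKey getPrivateKey(String file) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        String algorithm = (String) ClickHouseDefaults.SSL_KEY_ALGORITHM.getEffectiveDefaultValue();
        StringBuilder encoded = new StringBuilder();
        // PEM is ASCII-only; decode with an explicit charset instead of the platform default so
        // the key parses the same way on every host.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(ClickHouseUtils.getFileInputStream(file), StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            if (line != null) {
                algorithm = getAlgorithm(line, algorithm);
                while ((line = reader.readLine()) != null && line.indexOf(PEM_FOOTER_PREFIX) < 0) {
                    encoded.append(line);
                }
            }
        }
        // Resolve the factory before decoding so an unsupported algorithm is reported first.
        KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
        byte[] pkcs8 = Base64.getDecoder().decode(encoded.toString());
        return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
    }

    /**
     * Builds an in-memory {@link KeyStore} from a certificate file and an optional key file.
     *
     * <p>Without a key file every certificate in {@code certFile} becomes a trusted-certificate
     * entry ({@code cert1}, {@code cert2}, ...). With a key file a single key entry is created
     * whose chain is the certificates of {@code certFile}; the entry has no password.
     *
     * @param certFile location of the certificate file
     * @param keyFile  location of the PEM private key, or {@code null}/empty for a trust store
     * @return the populated key store
     * @throws NoSuchAlgorithmException if the key store or key algorithm is unavailable; a
     *                                  {@link KeyStoreException} is rethrown as this type with the
     *                                  original exception as its cause
     * @throws InvalidKeySpecException  if the private key cannot be parsed
     * @throws IOException              if a file cannot be opened or read
     * @throws CertificateException     if the certificates cannot be parsed
     * @throws KeyStoreException        declared for overriding subclasses; this implementation
     *                                  converts it to {@link NoSuchAlgorithmException}
     */
    protected KeyStore getKeyStore(String certFile, String keyFile) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException, CertificateException, KeyStoreException {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises an empty store that lives only in memory.
            keyStore.load(null, null);
            try (InputStream in = ClickHouseUtils.getFileInputStream(certFile)) {
                CertificateFactory certificateFactory = CertificateFactory.getInstance((String) ClickHouseDefaults.SSL_CERTIFICATE_TYPE.getEffectiveDefaultValue());
                if (keyFile == null || keyFile.isEmpty()) {
                    int index = 1;
                    for (Certificate certificate : certificateFactory.generateCertificates(in)) {
                        keyStore.setCertificateEntry("cert" + index, certificate);
                        index++;
                    }
                } else {
                    // NOTE(review): the alias constant comes from an unrelated Pulsar API class;
                    // this looks like a decompiler constant-resolution artifact - confirm against
                    // the upstream source before relying on it.
                    Certificate[] chain = certificateFactory.generateCertificates(in).toArray(new Certificate[0]);
                    keyStore.setKeyEntry(TypedMessageBuilder.CONF_KEY, getPrivateKey(keyFile), null, chain);
                }
            }
            return keyStore;
        } catch (KeyStoreException e) {
            // Keep the original failure attached so the root cause is not lost in diagnostics.
            throw new NoSuchAlgorithmException(ClickHouseUtils.format("%s KeyStore not available", KeyStore.getDefaultType()), e);
        }
    }

    /**
     * Creates and initialises the {@link SSLContext} described by the configuration.
     *
     * <p>{@code NONE} disables certificate validation via {@link NonValidatingTrustManager} and
     * sends no client certificate. {@code STRICT} loads the client certificate/key and the root
     * certificate when they are configured; a missing root certificate leaves the trust managers
     * {@code null}, so JSSE's default trust managers are used. Hostname verification is not
     * configured in this method.
     *
     * @param clickHouseConfig configuration supplying SSL mode and file locations
     * @return an initialised SSL context
     * @throws SSLException             if key material cannot be loaded or the context cannot be
     *                                  initialised (the cause is preserved)
     * @throws IllegalArgumentException if the SSL mode is neither {@code NONE} nor {@code STRICT}
     */
    protected SSLContext getJavaSslContext(ClickHouseConfig clickHouseConfig) throws SSLException {
        ClickHouseSslMode sslMode = clickHouseConfig.getSslMode();
        String sslCert = clickHouseConfig.getSslCert();
        String sslKey = clickHouseConfig.getSslKey();
        String sslRootCert = clickHouseConfig.getSslRootCert();
        try {
            SSLContext sslContext = SSLContext.getInstance((String) ClickHouseDefaults.SSL_PROTOCOL.getEffectiveDefaultValue());
            TrustManager[] trustManagers = null;
            KeyManager[] keyManagers = null;
            if (sslMode == ClickHouseSslMode.NONE) {
                // SECURITY: every peer certificate is accepted in this mode (no authentication).
                trustManagers = new TrustManager[]{new NonValidatingTrustManager()};
                keyManagers = new KeyManager[0];
            } else if (sslMode == ClickHouseSslMode.STRICT) {
                if (sslCert != null && !sslCert.isEmpty()) {
                    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    keyManagerFactory.init(getKeyStore(sslCert, sslKey), null);
                    keyManagers = keyManagerFactory.getKeyManagers();
                }
                if (sslRootCert != null && !sslRootCert.isEmpty()) {
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init(getKeyStore(sslRootCert, null));
                    trustManagers = trustManagerFactory.getTrustManagers();
                }
            } else {
                // Not part of the multi-catch below, so this propagates unwrapped to the caller.
                throw new IllegalArgumentException(ClickHouseUtils.format("unspported ssl mode '%s'", sslMode));
            }
            sslContext.init(keyManagers, trustManagers, new SecureRandom());
            return sslContext;
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | InvalidKeySpecException e) {
            throw new SSLException("Failed to get SSL context", e);
        }
    }

    /**
     * Returns the SSL context when the caller asks for exactly {@link SSLContext}.
     *
     * @param cls              requested context type
     * @param clickHouseConfig configuration supplying the SSL settings
     * @param <T>              requested context type
     * @return the context built by {@link #getJavaSslContext(ClickHouseConfig)} when
     *         {@code cls} is {@code SSLContext.class}, otherwise an empty optional
     * @throws SSLException if the context cannot be created
     */
    @Override // com.clickhouse.client.ClickHouseSslContextProvider
    public <T> Optional<T> getSslContext(Class<? extends T> cls, ClickHouseConfig clickHouseConfig) throws SSLException {
        if (SSLContext.class != cls) {
            return Optional.empty();
        }
        // Safe: cls is exactly SSLContext.class and is a Class<? extends T>, so SSLContext is a T.
        @SuppressWarnings("unchecked")
        T context = (T) getJavaSslContext(clickHouseConfig);
        return Optional.of(context);
    }
}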
