package org.apache.cassandra.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.io.util.File;
import org.apache.cassandra.tools.LoaderOptions;
import org.apache.cassandra.utils.Clock;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/security/FileBasedSslContextFactory.class */
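/**
 * SSL context factory that reads its key and trust material from keystore files on disk and
 * reports when those files have changed so that callers can rebuild the SSL context.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The no-argument constructor falls back to {@code conf/.keystore} and
 *       {@code conf/.truststore}, both with the password {@code "cassandra"}. These are
 *       well-known defaults; a deployment should supply its own paths and passwords through
 *       the map-based constructor.</li>
 *   <li>Store passwords are kept in {@code String} fields for the lifetime of the factory, so
 *       they cannot be wiped from memory after use.</li>
 *   <li>Change detection compares only the value returned by {@code File.lastModified()}.
 *       Anyone able to replace the store files changes what the next reload trusts, so write
 *       access to those paths should be restricted accordingly.</li>
 *   <li>Certificate expiry is only logged as a warning (see
 *       {@link #checkExpiredCerts(KeyStore)}); it never prevents the key manager from being
 *       built, and the truststore is not checked at all.</li>
 * </ul>
 */
public abstract class FileBasedSslContextFactory extends AbstractSslContextFactory {
    private static final Logger logger = LoggerFactory.getLogger(FileBasedSslContextFactory.class);

    // Set once the keystore has been scanned for expired certificates. Nothing in this class
    // resets it, so a keystore swapped in by a later reload is not re-scanned unless a
    // subclass or caller clears the flag.
    @VisibleForTesting
    protected volatile boolean checkedExpiry;
    // Files watched for modification; replaced wholesale by initHotReloading().
    protected volatile List<HotReloadableFile> hotReloadableFiles;
    protected String keystore;
    protected String keystore_password;
    protected String truststore;
    protected String truststore_password;

    /**
     * Remembers the last observed modification time of one store file so that a later change
     * can be detected.
     */
    protected static class HotReloadableFile {
        private final File file;
        private volatile long lastModTime;

        /**
         * Records the current modification time of the file at {@code str}.
         *
         * <p>Decompiler note: this constructor was package-private in the compiled class; the
         * listing widened it to {@code public}, which is kept here.
         *
         * @param str path of the file to watch
         */
        public HotReloadableFile(String str) {
            this.file = new File(str);
            this.lastModTime = this.file.lastModified();
        }

        /**
         * Reports whether the modification time differs from the last observed one, and
         * records the new value so the same change is reported only once.
         *
         * @return {@code true} if the modification time changed since the previous check
         */
        boolean shouldReload() {
            long currentModTime = this.file.lastModified();
            boolean changed = currentModTime != this.lastModTime;
            this.lastModTime = currentModTime;
            return changed;
        }

        @Override
        public String toString() {
            return "HotReloadableFile{file=" + this.file + ", lastModTime=" + this.lastModTime + '}';
        }
    }

    /**
     * Creates a factory using the built-in default store paths and passwords.
     *
     * <p>The defaults are publicly known values and are suitable for local testing only.
     */
    public FileBasedSslContextFactory() {
        this.checkedExpiry = false;
        this.hotReloadableFiles = new ArrayList<>();
        this.keystore = "conf/.keystore";
        this.keystore_password = "cassandra";
        this.truststore = "conf/.truststore";
        this.truststore_password = "cassandra";
    }

    /**
     * Creates a factory from configuration parameters.
     *
     * <p>Store paths and passwords are read with the inherited {@code getString} helper.
     * NOTE(review): if {@code getString} returns {@code null} for a missing password, the
     * build methods below fail on {@code toCharArray()} and report it as a generic
     * {@link SSLException} - confirm against the superclass.
     *
     * @param map configuration parameters, also passed to the superclass constructor
     */
    public FileBasedSslContextFactory(Map<String, Object> map) {
        super(map);
        this.checkedExpiry = false;
        this.hotReloadableFiles = new ArrayList<>();
        this.keystore = getString(LoaderOptions.SSL_KEYSTORE);
        this.keystore_password = getString("keystore_password");
        this.truststore = getString(LoaderOptions.SSL_TRUSTSTORE);
        this.truststore_password = getString("truststore_password");
    }

    /**
     * Reports whether any watched store file has changed since it was last checked.
     *
     * <p>{@code anyMatch} stops at the first changed file, so files later in the list keep
     * their previously recorded modification time until a subsequent call reaches them.
     *
     * @return {@code true} if at least one watched file reports a change
     */
    @Override // org.apache.cassandra.security.ISslContextFactory
    public boolean shouldReload() {
        return this.hotReloadableFiles.stream().anyMatch(HotReloadableFile::shouldReload);
    }

    /**
     * @return {@code true} if a keystore path is configured and the file exists
     */
    @Override // org.apache.cassandra.security.ISslContextFactory
    public boolean hasKeystore() {
        return this.keystore != null && new File(this.keystore).exists();
    }

    /**
     * @return {@code true} if a truststore path is configured and the file exists
     */
    private boolean hasTruststore() {
        return this.truststore != null && new File(this.truststore).exists();
    }

    /**
     * Starts watching whichever of the keystore and truststore currently exist.
     *
     * <p>When neither file exists the previous watch list is left untouched.
     */
    @Override // org.apache.cassandra.security.ISslContextFactory
    public synchronized void initHotReloading() {
        boolean hasKeystore = hasKeystore();
        boolean hasTruststore = hasTruststore();
        if (hasKeystore || hasTruststore) {
            List<HotReloadableFile> watched = new ArrayList<>();
            if (hasKeystore) {
                watched.add(new HotReloadableFile(this.keystore));
            }
            if (hasTruststore) {
                watched.add(new HotReloadableFile(this.truststore));
            }
            // Publish the fully built list in a single volatile write.
            this.hotReloadableFiles = watched;
        }
    }

    /**
     * Loads the keystore file and initialises a {@link KeyManagerFactory} from it.
     *
     * <p>The first successful load also scans the keystore for expired certificates. The
     * result of that scan is ignored here: expired certificates are logged, not rejected.
     *
     * @return the initialised key manager factory
     * @throws SSLException if the file cannot be read or the keystore cannot be loaded; the
     *         original failure is preserved as the cause
     */
    @Override // org.apache.cassandra.security.AbstractSslContextFactory
    protected KeyManagerFactory buildKeyManagerFactory() throws SSLException {
        // try-with-resources closes the stream on the failure path as well; the decompiled
        // form only closed it after a successful load.
        try (InputStream storeStream = Files.newInputStream(Paths.get(this.keystore))) {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
                    this.algorithm == null ? KeyManagerFactory.getDefaultAlgorithm() : this.algorithm);
            KeyStore keyStore = KeyStore.getInstance(this.store_type);
            keyStore.load(storeStream, this.keystore_password.toCharArray());
            if (!this.checkedExpiry) {
                checkExpiredCerts(keyStore);
                this.checkedExpiry = true;
            }
            keyManagerFactory.init(keyStore, this.keystore_password.toCharArray());
            return keyManagerFactory;
        } catch (Exception e) {
            throw new SSLException("failed to build key manager store for secure connections", e);
        }
    }

    /**
     * Loads the truststore file and initialises a {@link TrustManagerFactory} from it.
     *
     * <p>No expiry check is performed on truststore entries.
     *
     * @return the initialised trust manager factory
     * @throws SSLException if the file cannot be read or the truststore cannot be loaded; the
     *         original failure is preserved as the cause
     */
    @Override // org.apache.cassandra.security.AbstractSslContextFactory
    protected TrustManagerFactory buildTrustManagerFactory() throws SSLException {
        // try-with-resources closes the stream on the failure path as well.
        try (InputStream storeStream = Files.newInputStream(Paths.get(this.truststore))) {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                    this.algorithm == null ? TrustManagerFactory.getDefaultAlgorithm() : this.algorithm);
            KeyStore trustStore = KeyStore.getInstance(this.store_type);
            trustStore.load(storeStream, this.truststore_password.toCharArray());
            trustManagerFactory.init(trustStore);
            return trustManagerFactory;
        } catch (Exception e) {
            throw new SSLException("failed to build trust manager store for secure connections", e);
        }
    }

    /**
     * Logs a warning for every X.509 certificate in the keystore whose {@code notAfter} date
     * lies before the current time.
     *
     * <p>Only the certificate returned by {@link KeyStore#getCertificate(String)} for each
     * alias is inspected, and only its end of validity; {@code notBefore} is not checked.
     * Aliases without a certificate (for example secret-key entries) are skipped.
     *
     * <p>Decompiler note: this method was {@code protected} in the compiled class; the listing
     * widened it to {@code public}, which is kept here.
     *
     * @param keyStore a loaded keystore
     * @return {@code true} if at least one expired certificate was found
     * @throws KeyStoreException if the keystore has not been initialised
     */
    public boolean checkExpiredCerts(KeyStore keyStore) throws KeyStoreException {
        boolean foundExpired = false;
        Date now = new Date(Clock.Global.currentTimeMillis());
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // getCertificate returns null for aliases that carry no certificate; instanceof
            // rejects null and makes the cast below safe.
            Object certificate = keyStore.getCertificate(alias);
            if (certificate instanceof X509Certificate) {
                Date notAfter = ((X509Certificate) certificate).getNotAfter();
                if (notAfter.before(now)) {
                    foundExpired = true;
                    logger.warn("Certificate for {} expired on {}", alias, notAfter);
                }
            }
        }
        return foundExpired;
    }
}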
