package io.grpc.s2a.internal.handshaker;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.OpenSslContextOption;
import io.grpc.netty.shaded.io.netty.handler.ssl.OpenSslSessionContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.OpenSslX509KeyManagerFactory;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.s2a.internal.handshaker.GetTlsConfigurationResp;
import io.grpc.s2a.internal.handshaker.SessionReq;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.KeyManager;

/* loaded from: input_file:io/grpc/s2a/internal/handshaker/SslContextFactory.class */
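final class SslContextFactory {

    /**
     * Builds a client-side {@link SslContext} whose peer verification and private-key operations
     * are delegated to the S2A handshaker service.
     *
     * <p>The context is "keyless": the certificate chain returned by S2A is loaded through
     * {@link OpenSslX509KeyManagerFactory#newKeyless}, and signing is routed to
     * {@link S2APrivateKeyMethod} via {@link OpenSslContextOption#PRIVATE_KEY_METHOD}, so the
     * private key never has to exist in this process. Peer certificates are checked by the
     * {@link S2ATrustManager} created for {@code str}. The builder is given a minimal session
     * cache and, when the resulting session context is the OpenSSL one, session caching is
     * switched off explicitly (presumably so every handshake goes through S2A rather than being
     * resumed locally — confirm against the S2A design notes).
     *
     * <p>NOTE(review): {@code PRIVATE_KEY_METHOD} and the keyless key manager are OpenSSL-specific.
     * If {@link GrpcSslContexts#configure} ends up selecting a non-OpenSSL provider, the option is
     * silently ignored and the keyless manager has nothing to sign with; verify the provider in
     * the deployment before relying on this context.
     *
     * @param s2AStub stub used to talk to the S2A service; must not be null
     * @param str the target name passed to the trust manager; must not be null
     * @param optional local identity to present to S2A, if any; must not be null (may be empty)
     * @return a fully configured client {@link SslContext}
     * @throws GeneralSecurityException if the TLS configuration could not be fetched from S2A
     *     ({@link IOException} and {@link InterruptedException} raised inside are wrapped; the
     *     thread's interrupt status is restored before rethrowing)
     * @throws CertificateException if a certificate in the S2A chain cannot be parsed
     * @throws S2AConnectionException if S2A reports an error status, omits the client
     *     configuration, or returns an unusable TLS version range
     */
    public static SslContext createForClient(S2AStub s2AStub, String str, Optional<S2AIdentity> optional)
            throws IOException, InterruptedException, CertificateException, KeyStoreException,
                    NoSuchAlgorithmException, UnrecoverableKeyException, GeneralSecurityException {
        Preconditions.checkNotNull(s2AStub, "stub should not be null.");
        Preconditions.checkNotNull(str, "targetName should not be null on client side.");
        Preconditions.checkNotNull(optional, "localIdentity should not be null.");
        try {
            GetTlsConfigurationResp.ClientTlsConfiguration clientConfig =
                    getClientTlsConfigurationFromS2A(s2AStub, optional);
            SslContextBuilder builder =
                    GrpcSslContexts.configure(SslContextBuilder.forClient())
                            .sessionCacheSize(1L)
                            .sessionTimeout(0L);
            configureSslContextWithClientTlsConfiguration(clientConfig, builder);
            builder.trustManager(S2ATrustManager.createForClient(s2AStub, str, optional));
            // Private-key operations are performed by S2A, never by a key held in this process.
            builder.option(
                    OpenSslContextOption.PRIVATE_KEY_METHOD, S2APrivateKeyMethod.create(s2AStub, optional));
            SslContext sslContext = builder.build();
            // sessionContext() is typed as javax.net.ssl.SSLSessionContext; only the OpenSSL
            // implementation exposes setSessionCacheEnabled, hence the instanceof guard and cast.
            if (sslContext.sessionContext() instanceof OpenSslSessionContext) {
                ((OpenSslSessionContext) sslContext.sessionContext()).setSessionCacheEnabled(false);
            }
            return sslContext;
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up still observe the interruption.
            Thread.currentThread().interrupt();
            throw new GeneralSecurityException("Failed to get client TLS configuration from S2A.", e);
        } catch (IOException e) {
            throw new GeneralSecurityException("Failed to get client TLS configuration from S2A.", e);
        }
    }

    /**
     * Requests the client-side TLS configuration from S2A.
     *
     * <p>The request carries the local identity when one is given, the authentication mechanism
     * (if any) that {@link GetAuthenticationMechanisms#getAuthMechanism} yields for that identity,
     * and a {@code GetTlsConfigurationReq} with the connection side set to CLIENT.
     *
     * @param s2AStub stub used to send the request; must not be null
     * @param optional local identity to include, if present
     * @return the {@code ClientTlsConfiguration} contained in the response
     * @throws S2AConnectionException if the response carries a non-zero status code, or if it
     *     contains no {@code ClientTlsConfiguration}
     * @throws IOException if sending the request fails
     * @throws InterruptedException if the calling thread is interrupted while waiting for S2A
     */
    private static GetTlsConfigurationResp.ClientTlsConfiguration getClientTlsConfigurationFromS2A(
            S2AStub s2AStub, Optional<S2AIdentity> optional) throws IOException, InterruptedException {
        Preconditions.checkNotNull(s2AStub, "stub should not be null.");
        SessionReq.Builder req = SessionReq.newBuilder();
        optional.ifPresent(identity -> req.setLocalIdentity(identity.getIdentity()));
        GetAuthenticationMechanisms.getAuthMechanism(optional, GetAuthenticationMechanisms.TOKEN_MANAGER)
                .ifPresent(mechanism -> req.addAuthenticationMechanisms(mechanism));
        req.setGetTlsConfigurationReq(
                GetTlsConfigurationReq.newBuilder().setConnectionSide(ConnectionSide.CONNECTION_SIDE_CLIENT));
        SessionResp resp = s2AStub.send(req.build());
        // A status with a non-zero code is an application-level failure reported by S2A.
        if (resp.hasStatus() && resp.getStatus().getCode() != 0) {
            throw new S2AConnectionException(
                    String.format(
                            "response from S2A server has an error %d with error message %s.",
                            resp.getStatus().getCode(), resp.getStatus().getDetails()));
        }
        if (!resp.getGetTlsConfigurationResp().hasClientTlsConfiguration()) {
            throw new S2AConnectionException("Response from S2A server does NOT contain ClientTlsConfiguration.");
        }
        return resp.getGetTlsConfigurationResp().getClientTlsConfiguration();
    }

    /**
     * Applies the S2A-provided client configuration to {@code sslContextBuilder}: installs the
     * keyless key manager built from the certificate chain, then restricts the enabled protocols to
     * the version range S2A allows.
     *
     * @throws S2AConnectionException if the min/max TLS versions map to no supported protocol
     *     (the builder is left with the key manager already set in that case)
     */
    private static void configureSslContextWithClientTlsConfiguration(
            GetTlsConfigurationResp.ClientTlsConfiguration clientTlsConfiguration,
            SslContextBuilder sslContextBuilder)
            throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException,
                    UnrecoverableKeyException {
        sslContextBuilder.keyManager(createKeylessManager(clientTlsConfiguration));
        ImmutableSet<String> protocols =
                ProtoUtil.buildTlsProtocolVersionSet(
                        clientTlsConfiguration.getMinTlsVersion(), clientTlsConfiguration.getMaxTlsVersion());
        if (protocols.isEmpty()) {
            throw new S2AConnectionException("Set of TLS versions received from S2A server is empty or not supported.");
        }
        // Only the protocol versions S2A permits are enabled; nothing is added beyond that set.
        sslContextBuilder.protocols(protocols);
    }

    /**
     * Builds a key manager that presents the S2A-supplied certificate chain but holds no private
     * key; signing is expected to be handled by the {@code PRIVATE_KEY_METHOD} option.
     *
     * <p>TODO(review): an empty chain is passed through as-is rather than rejected here; decide
     * whether that should fail fast with an {@code S2AConnectionException}.
     *
     * @return the first key manager produced by the keyless factory
     * @throws IllegalStateException if the factory yields no key managers
     * @throws CertificateException if any chain entry cannot be parsed as X.509
     */
    private static KeyManager createKeylessManager(
            GetTlsConfigurationResp.ClientTlsConfiguration clientTlsConfiguration)
            throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException,
                    UnrecoverableKeyException {
        int chainLength = clientTlsConfiguration.getCertificateChainCount();
        X509Certificate[] chain = new X509Certificate[chainLength];
        for (int index = 0; index < chainLength; index++) {
            chain[index] = convertStringToX509Cert(clientTlsConfiguration.getCertificateChain(index));
        }
        KeyManager[] keyManagers = OpenSslX509KeyManagerFactory.newKeyless(chain).getKeyManagers();
        if (keyManagers == null || keyManagers.length == 0) {
            throw new IllegalStateException("No key managers created.");
        }
        return keyManagers[0];
    }

    /**
     * Parses one certificate from its textual (UTF-8 encoded) form.
     *
     * <p>{@link CertificateFactory#generateCertificate} reads a single certificate; if a chain
     * entry ever contained more than one, only the first would be returned.
     *
     * @throws CertificateException if the input is not a parseable X.509 certificate
     */
    private static X509Certificate convertStringToX509Cert(String str) throws CertificateException {
        byte[] encoded = str.getBytes(StandardCharsets.UTF_8);
        CertificateFactory factory = CertificateFactory.getInstance("X509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** Static-only utility; not instantiable. */
    private SslContextFactory() {
    }
}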
