package io.openliberty.grpc.internal.client.security.ssl;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.openliberty.grpc.internal.client.GrpcSSLService;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;

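/**
 * Builds Netty {@link SslContext} objects for outbound gRPC client connections from the SSL
 * properties that {@link JSSEHelper} resolves for an SSL reference ID, remote host and port.
 *
 * <p>Key and trust material is loaded through the injected {@link KeyStoreService}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The resolved properties include {@code com.ibm.ssl.keyStorePassword}; debug trace of
 *       them goes through {@link #redactForTrace(Properties)}.</li>
 *   <li>Every failure path returns {@code null} or a partially configured object instead of
 *       throwing. NOTE(review): what callers do with a {@code null} context is not visible in
 *       this class; confirm they do not fall back to an unprotected channel.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {GrpcSSLService.class}, property = {"service.vendor=IBM"})
/* loaded from: input_file:io/openliberty/grpc/internal/client/security/ssl/LibertyGrpcClientSSLSupport.class */
public class LibertyGrpcClientSSLSupport implements GrpcSSLService {
    private static final TraceComponent tc = Tr.register(LibertyGrpcClientSSLSupport.class, "GRPC", "io.openliberty.grpc.internal.client.security.resources.grpcclientsecuritymessages");
    static final String KEY_KEYSTORE_SERVICE_REF = "keyStoreService";
    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE_REF);
    static final long serialVersionUID = -6156862733145694004L;

    /** Activates the key store service reference when the component starts. */
    @Activate
    protected void activate(ComponentContext componentContext) {
        this.keyStoreServiceRef.activate(componentContext);
    }

    /** Deactivates the key store service reference when the component stops. */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        this.keyStoreServiceRef.deactivate(componentContext);
    }

    /** Binds the {@link KeyStoreService} used to load key and trust stores. */
    @Reference(name = KEY_KEYSTORE_SERVICE_REF, service = KeyStoreService.class)
    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.setReference(serviceReference);
    }

    /** Unbinds the {@link KeyStoreService}. */
    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.unsetReference(serviceReference);
    }

    /**
     * Builds the client-side TLS context for an outbound gRPC connection.
     *
     * @param str  SSL reference ID used to look up the SSL configuration
     * @param str2 remote host, passed to the lookup as {@code com.ibm.ssl.remoteHost}
     * @param str3 remote port, passed to the lookup as {@code com.ibm.ssl.remotePort}
     * @return the built context, or {@code null} when no SSL properties were resolved or the
     *         build failed (the failure is reported as the {@code client.ssl.failed} warning)
     */
    public SslContext getOutboundClientSSLContext(String str, String str2, String str3) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "getOutboundClientSSLContext ssl reference ID: {0}", new Object[]{str});
        }
        Properties sslProps = getSSLProps(str, str2, str3);
        if (sslProps == null) {
            return null;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            // The properties carry the keystore password, so trace a redacted rendering only.
            Tr.debug(tc, "attempting to build SslContext with props: {0}", new Object[]{redactForTrace(sslProps)});
        }
        try {
            SslContextBuilder builder = GrpcSslContexts.forClient();

            // When no factory is applied the builder keeps its own default trust configuration
            // (for Netty that is normally the JVM default trust store), which may be broader
            // than the trust store the SSL configuration names.
            TrustManagerFactory trustManagerFactory = getTrustManagerFactory(sslProps);
            if (trustManagerFactory != null) {
                builder.trustManager(trustManagerFactory);
            }

            KeyManagerFactory keyManagerFactory = getKeyManagerFactory(sslProps);
            if (keyManagerFactory != null) {
                builder.keyManager(keyManagerFactory);
            }

            String protocol = getSSLProtocol(sslProps);
            if (protocol != null) {
                // Anything other than TLSv1.2 / TLSv1.3 is only warned about; the configured
                // value is still applied below.
                // NOTE(review): consider refusing to build instead of applying a weaker
                // protocol; confirm the intended behaviour behind "invalid.ssl.protocol".
                if (!"TLSv1.2".equals(protocol) && !"TLSv1.3".equals(protocol)) {
                    Tr.warning(tc, "invalid.ssl.protocol", new Object[]{protocol, getSSLAlias(sslProps)});
                }
                builder.protocols(new String[]{protocol});
            }

            List<String> ciphers = getCiphers(sslProps);
            if (ciphers != null && !ciphers.isEmpty()) {
                builder.ciphers(ciphers);
            }

            // NOTE(review): client authentication mode is a server-side setting in Netty and is
            // presumably ignored for a client context; kept to preserve the original call.
            builder.clientAuth(ClientAuth.OPTIONAL);
            return builder.build();
        } catch (Exception e) {
            FFDCFilter.processException(e, "io.openliberty.grpc.internal.client.security.ssl.LibertyGrpcClientSSLSupport", "127", this, new Object[]{str, str2, str3});
            Tr.warning(tc, "client.ssl.failed", new Object[]{getSSLAlias(sslProps), e});
            return null;
        }
    }

    /**
     * Renders SSL properties for trace output with password values masked.
     *
     * <p>Only string-valued entries are rendered; any key containing "password" (case
     * insensitive) has its value replaced by a fixed mask.
     */
    private static String redactForTrace(Properties properties) {
        StringBuilder out = new StringBuilder("{");
        for (String key : properties.stringPropertyNames()) {
            if (out.length() > 1) {
                out.append(", ");
            }
            boolean secret = key.toLowerCase(java.util.Locale.ROOT).contains("password");
            out.append(key).append('=').append(secret ? "*****" : properties.getProperty(key));
        }
        return out.append('}').toString();
    }

    /**
     * Resolves the outbound SSL properties for a reference ID, remote host and remote port.
     *
     * @param str  SSL reference ID
     * @param str2 remote host
     * @param str3 remote port
     * @return the resolved properties, or {@code null} when the lookup throws (the failure is
     *         recorded through FFDC and debug trace only)
     */
    protected static Properties getSSLProps(final String str, String str2, String str3) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "getSSLProps for ssl reference ID: {0} host: {1} port: {2}", new Object[]{str, str2, str3});
        }
        final JSSEHelper jsseHelper = JSSEHelper.getInstance();
        final HashMap<String, Object> connectionInfo = new HashMap<>();
        connectionInfo.put("com.ibm.ssl.direction", "outbound");
        connectionInfo.put("com.ibm.ssl.remoteHost", str2);
        connectionInfo.put("com.ibm.ssl.remotePort", str3);
        try {
            // The lookup runs as a privileged action so it uses this bundle's permissions
            // rather than those of the calling code.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Properties>() {
                @Override
                public Properties run() throws Exception {
                    // NOTE(review): the trailing false is presumably JSSEHelper's "try default
                    // configuration" flag; confirm against the JSSEHelper API.
                    return jsseHelper.getProperties(str, connectionInfo, (SSLConfigChangeListener) null, false);
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "io.openliberty.grpc.internal.client.security.ssl.LibertyGrpcClientSSLSupport", "160", (Object) null, new Object[]{str, str2, str3});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getSSLProps failed", new Object[]{e});
            }
            return null;
        }
    }

    /** Returns the {@code com.ibm.ssl.alias} property, or {@code null} if unset. */
    protected static String getSSLAlias(Properties properties) {
        return properties.getProperty("com.ibm.ssl.alias");
    }

    /** Returns the {@code com.ibm.ssl.protocol} property, or {@code null} if unset. */
    protected static String getSSLProtocol(Properties properties) {
        return properties.getProperty("com.ibm.ssl.protocol");
    }

    /**
     * Parses {@code com.ibm.ssl.enabledCipherSuites} into a list of cipher suite names.
     *
     * <p>Names are separated by commas and/or whitespace. Leading separators are stripped first
     * so the result never contains an empty name, which would otherwise be handed to the TLS
     * engine as a cipher suite.
     *
     * @return {@code null} when the property is unset, an empty list when it holds only
     *         separators, otherwise the cipher suite names in configured order
     */
    protected static List<String> getCiphers(Properties properties) {
        String configured = properties.getProperty("com.ibm.ssl.enabledCipherSuites");
        if (configured == null) {
            return null;
        }
        String withoutLeadingSeparators = configured.replaceFirst("^[,\\s]+", "");
        if (withoutLeadingSeparators.isEmpty()) {
            return java.util.Collections.<String>emptyList();
        }
        // String.split drops trailing empty tokens, so only the leading case needed handling.
        return Arrays.asList(withoutLeadingSeparators.split("[,\\s]+"));
    }

    /**
     * Creates a key manager factory from the configured keystore.
     *
     * <p>A missing {@code com.ibm.ssl.keyStorePassword} is passed on as a {@code null} password
     * instead of raising a {@link NullPointerException}.
     *
     * <p>NOTE(review): when initialisation fails the factory instance that was already created
     * is still returned, uninitialised; the subsequent context build presumably fails on it.
     *
     * <p>NOTE(review): the FFDC record receives the full {@code properties} object, which holds
     * the keystore password property; confirm FFDC masks it.
     */
    protected KeyManagerFactory getKeyManagerFactory(Properties properties) {
        String keyStoreName = properties.getProperty("com.ibm.ssl.keyStoreName");
        String password = properties.getProperty("com.ibm.ssl.keyStorePassword");
        char[] passwordChars = password == null ? null : password.toCharArray();
        KeyManagerFactory keyManagerFactory = null;
        try {
            keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(loadKeyStore(keyStoreName), passwordChars);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            FFDCFilter.processException(e, "io.openliberty.grpc.internal.client.security.ssl.LibertyGrpcClientSSLSupport", "198", this, new Object[]{properties});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getKeyManagerFactory failed to load  factory for {0}", new Object[]{keyStoreName});
            }
        }
        return keyManagerFactory;
    }

    /**
     * Creates a trust manager factory from the configured trust store.
     *
     * <p>If {@code loadKeyStore} yields {@code null}, the factory is initialised with a null
     * key store, which JSSE treats as "use the default trust material". A missing or unresolved
     * trust store name can therefore widen trust to the JVM defaults without any warning.
     *
     * <p>NOTE(review): as with the key manager, a failed initialisation returns the created but
     * uninitialised factory, and the FFDC record receives the full {@code properties} object.
     */
    protected TrustManagerFactory getTrustManagerFactory(Properties properties) {
        String trustStoreName = properties.getProperty("com.ibm.ssl.trustStoreName");
        TrustManagerFactory trustManagerFactory = null;
        try {
            trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(loadKeyStore(trustStoreName));
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            FFDCFilter.processException(e, "io.openliberty.grpc.internal.client.security.ssl.LibertyGrpcClientSSLSupport", "218", this, new Object[]{properties});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getTrustManagerFactory failed to load  factory for {0}", new Object[]{trustStoreName});
            }
        }
        return trustManagerFactory;
    }

    /**
     * Loads a key store by name through the bound {@link KeyStoreService}.
     *
     * @return the key store, or {@code null} when the service reference resolves to null
     *         (the service itself may also return null for a name; not visible here)
     * @throws KeyStoreException if the service fails to provide the key store
     */
    private KeyStore loadKeyStore(String str) throws KeyStoreException {
        KeyStoreService keyStoreService = this.keyStoreServiceRef.getServiceWithException();
        if (keyStoreService == null) {
            return null;
        }
        return keyStoreService.getKeyStore(str);
    }
}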
