package com.huawei.gauss.handler.inner;

import com.huawei.gauss.exception.ExceptionUtil;
import com.huawei.gauss.exception.JDBCException;
import com.huawei.gauss.exception.SQLErrorCode;
import com.huawei.gauss.om.ConfigManager;
import com.huawei.gauss.util.IOUtils;
import com.huawei.gauss.util.lang.StringUtils;
import java.io.BufferedOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/huawei/gauss/handler/inner/IOClientSSL.class */
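/**
 * Upgrades a connected plain socket of an {@code IOClientImpl} to TLS.
 *
 * <p>The socket factory is built from the driver configuration (client keystore, trust store),
 * falling back to the standard {@code javax.net.ssl.*} system properties when the configuration
 * leaves a store unset. Server certificates are checked by {@link GaussX509TrustManager}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only TLSv1.2 is offered on the socket.</li>
 *   <li>No endpoint identification (hostname check) is configured on the socket; whether the
 *       presented certificate belongs to the host being connected to is not verified here.</li>
 *   <li>When {@code getVerifyServerCertificate()} is {@code false}, or when the provider yields no
 *       trust manager at all, the server chain is only checked for validity dates.</li>
 * </ul>
 *
 * <p>Utility class; not instantiable.
 */
public class IOClientSSL {
    /** SQLSTATE reported for every TLS set-up failure raised here ("08000" = connection exception). */
    private static final String SQL_STATE_BAD_SSL_PARAMS = "08000";

    /** Size of the buffer placed in front of the SSL socket's output stream. */
    private static final int SSL_OUTPUT_BUFFER_SIZE = 65536;

    /**
     * X.509 trust manager that delegates to the provider's trust manager and, when server
     * certificate verification is enabled, additionally runs a PKIX path validation of the
     * server chain against the trust anchors the delegate accepts.
     *
     * <p>With {@code verifyServerCert == false} the chain is only checked for its validity period;
     * it is never matched against the trust store, so the server is not authenticated.
     * Hostname verification is not performed by this class.
     *
     * <p>Instances are immutable after construction.
     */
    public static class GaussX509TrustManager implements X509TrustManager {
        /** Provider trust manager decisions are delegated to; {@code null} only for the fallback instance. */
        private final X509TrustManager origTm;
        /** Whether server chains are validated against the trust store at all. */
        private final boolean verifyServerCert;
        /** Builds the CertPath for PKIX validation; {@code null} unless verification is enabled. */
        private final CertificateFactory certFactory;
        /** PKIX parameters (trust anchors, revocation flag); {@code null} unless verification is enabled. */
        private final PKIXParameters validatorParams;
        /** PKIX path validator; {@code null} unless verification is enabled. */
        private final CertPathValidator validator;

        /**
         * Wraps a provider trust manager.
         *
         * @param delegate         provider trust manager to delegate to; must not be {@code null}
         * @param verifyServerCert {@code true} to validate server chains against the trust store
         * @param client           connection whose revocation-checking setting is applied to PKIX validation
         * @throws CertificateException if the PKIX validator, its parameters or the certificate
         *                              factory cannot be set up
         */
        public GaussX509TrustManager(X509TrustManager delegate, boolean verifyServerCert, IOClientImpl client)
                throws CertificateException {
            this.origTm = delegate;
            this.verifyServerCert = verifyServerCert;
            if (!verifyServerCert) {
                // Nothing to validate against: checkServerTrusted() will only check validity dates.
                this.certFactory = null;
                this.validatorParams = null;
                this.validator = null;
                return;
            }
            try {
                // Every issuer the provider trust manager accepts becomes a PKIX trust anchor.
                Set<TrustAnchor> anchors = new HashSet<>();
                for (X509Certificate issuer : delegate.getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(issuer, null));
                }
                PKIXParameters params = new PKIXParameters(anchors);
                // Revocation checking is opt-in through the connection settings.
                params.setRevocationEnabled(client.isRevocationEnabled());
                this.validatorParams = params;
                this.validator = CertPathValidator.getInstance("PKIX");
                this.certFactory = CertificateFactory.getInstance("X.509");
            } catch (GeneralSecurityException e) {
                throw new CertificateException(e);
            }
        }

        /**
         * Fallback instance used when the provider yields no trust manager: no delegate and no
         * verification, so {@link #checkServerTrusted} accepts any chain that is within its
         * validity period and {@link #checkClientTrusted} rejects everything.
         *
         * <p>NOTE(review): this silently degrades the session to an unauthenticated server;
         * consider failing the connection instead.
         */
        public GaussX509TrustManager() {
            this.origTm = null;
            this.verifyServerCert = false;
            this.certFactory = null;
            this.validatorParams = null;
            this.validator = null;
        }

        /**
         * Delegates client-certificate checking to the provider trust manager.
         *
         * @throws CertificateException if no delegate is configured or the delegate rejects the chain
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (this.origTm == null) {
                throw new CertificateException("no delegate trust manager configured for client authentication");
            }
            this.origTm.checkClientTrusted(chain, authType);
        }

        /**
         * Checks the server chain: validity dates of every certificate; then, if verification is
         * enabled, PKIX validation against the configured anchors followed by the delegate's own check.
         *
         * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
         * @throws CertificateException     if any certificate is outside its validity period, the
         *                                  path does not validate, or the delegate rejects the chain
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new IllegalArgumentException("null or zero-length certificate chain");
            }
            for (X509Certificate cert : chain) {
                cert.checkValidity();
            }
            if (this.validatorParams != null) {
                try {
                    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) this.validator.validate(
                            this.certFactory.generateCertPath(Arrays.asList(chain)), this.validatorParams);
                    // PKIX trusts the anchor as given, so its own validity period is checked here.
                    // getTrustedCert() is non-null because every anchor was built from a certificate.
                    result.getTrustAnchor().getTrustedCert().checkValidity();
                } catch (InvalidAlgorithmParameterException | CertPathValidatorException e) {
                    throw new CertificateException(e);
                }
            }
            if (this.verifyServerCert) {
                this.origTm.checkServerTrusted(chain, authType);
            }
        }

        /** Returns the delegate's accepted issuers, or an empty array for the fallback instance. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            if (this.origTm == null) {
                return new X509Certificate[0];
            }
            return this.origTm.getAcceptedIssuers();
        }
    }

    /**
     * Layers a TLS session over {@code client}'s connected socket, performs the handshake and
     * installs the resulting streams and socket on the client.
     *
     * <p>NOTE(review): no endpoint identification algorithm is set on the socket, so the
     * certificate's subject/SAN is never compared with the target host; if that is not intended,
     * set {@code SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")} before the handshake.
     *
     * @param client connection whose plain socket is upgraded; {@code sslSocket}, {@code sslInput}
     *               and {@code sslOutput} are set on success and cleared on failure
     * @throws SQLException if the socket factory cannot be built or the handshake fails; the
     *                      server address and session id are attached to the exception
     */
    public static void convertSocketToSSLSocket(IOClientImpl client) throws SQLException {
        try {
            // autoClose=true: closing the SSL socket also closes the wrapped plain socket.
            SSLSocket sslSocket = (SSLSocket) getSSLSocketFactory(client).createSocket(
                    client.getSocketChannel().socket(), client.getZenithIp(), client.getZenithPort(), true);
            sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});
            sslSocket.setEnabledCipherSuites(selectCipherSuites(sslSocket, client.getEnabledSSLCipherSuites()));
            sslSocket.setUseClientMode(true);
            sslSocket.startHandshake();
            client.sslInput = sslSocket.getInputStream();
            client.sslOutput = new BufferedOutputStream(sslSocket.getOutputStream(), SSL_OUTPUT_BUFFER_SIZE);
            client.sslOutput.flush();
            client.sslSocket = sslSocket;
        } catch (JDBCException e) {
            closeResources(client);
            e.setZenithServerIp(client.getZenithUrl());
            e.setSessionId(client.getSessionId());
            throw e;
        } catch (IOException e) {
            closeResources(client);
            JDBCException wrapped = sslError(e.getMessage(), e);
            wrapped.setZenithServerIp(client.getZenithUrl());
            wrapped.setSessionId(client.getSessionId());
            throw wrapped;
        } catch (RuntimeException e) {
            // e.g. an unsupported cipher-suite name from the configuration; still release the socket.
            closeResources(client);
            throw e;
        }
    }

    /**
     * Chooses the cipher suites to enable on {@code socket}.
     *
     * <p>A colon-separated list from the configuration is used verbatim (an unsupported name makes
     * {@code setEnabledCipherSuites} throw {@code IllegalArgumentException}). Otherwise the socket's
     * default suites are kept, except those whose name contains {@code "_DHE_"} but not
     * {@code "_DH_"} — presumably to avoid ephemeral-DH parameter problems; the original reason is
     * not recorded, so confirm before changing this filter.
     *
     * @param socket     socket whose currently enabled suites serve as the default
     * @param configured configured suite list, or {@code null}/empty for the filtered default
     * @return the suites to enable; never {@code null}
     */
    private static String[] selectCipherSuites(SSLSocket socket, String configured) {
        if (configured != null && !configured.isEmpty()) {
            return configured.split(":");
        }
        List<String> kept = new ArrayList<>();
        for (String suite : socket.getEnabledCipherSuites()) {
            if (!suite.contains("_DHE_") || suite.contains("_DH_")) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    /**
     * Closes the client's socket channel and any TLS socket/streams already installed, then
     * clears the TLS fields. Close errors are swallowed by {@code IOUtils.closeQuietly}.
     */
    private static void closeResources(IOClientImpl client) {
        IOUtils.closeQuietly(client.getSocketChannel());
        IOUtils.closeQuietly(client.sslSocket);
        client.sslSocket = null;
        IOUtils.closeQuietly(client.sslInput);
        client.sslInput = null;
        IOUtils.closeQuietly(client.sslOutput);
        client.sslOutput = null;
    }

    /** Utility class; not instantiable. */
    private IOClientSSL() {
    }

    /**
     * Builds a {@code JDBCException} for a TLS set-up failure with this class's SQLSTATE and error code.
     *
     * @param message user-facing message (should not contain secrets)
     * @param cause   underlying exception, preserved as the cause
     */
    private static JDBCException sslError(String message, Exception cause) {
        return ExceptionUtil.processJDBCException(
                message, SQL_STATE_BAD_SSL_PARAMS, SQLErrorCode.ZenithErrorCode.MULTIDB_ERROR_SSL_ERROR, cause);
    }

    /**
     * Normalises a keystore location taken from a system property: values that already parse as a
     * URL are returned unchanged, anything else is treated as a file-system path.
     *
     * @param location raw property value; {@code null}/empty is returned as-is
     */
    private static String toStoreUrl(String location) {
        if (StringUtils.isEmpty(location)) {
            return location;
        }
        try {
            new URL(location);
            return location;
        } catch (MalformedURLException ignored) {
            // Not a URL: assume a plain file path.
            return "file:" + location;
        }
    }

    /**
     * Builds the socket factory from the client keystore and trust store named in the driver
     * configuration, falling back to the {@code javax.net.ssl.*} system properties per store.
     *
     * <p>Synchronised on the class: factory construction is serialised across all connections
     * (presumably to keep provider initialisation single-threaded — confirm whether still needed).
     *
     * @param client connection supplying the {@code ConfigManager} and verification settings
     * @return a factory whose trust decisions go through {@link GaussX509TrustManager}
     * @throws SQLException if a store cannot be loaded or the TLS context cannot be initialised
     */
    private static synchronized SSLSocketFactory getSSLSocketFactory(IOClientImpl client) throws SQLException {
        ConfigManager config = client.getConfigManager();
        String clientKeyStore = config.getClientKeyStore();
        String clientKeyStoreType = config.getClientKeyStoreType();
        String clientKeyStorePassword = config.getClientKeyStorePassword();
        String trustKeyStore = config.getTrustKeyStore();
        String trustKeyStoreType = config.getTrustKeyStoreType();
        String trustKeyStorePassword = config.getTrustKeyStorePassword();
        // Standard JSSE properties are honoured when the driver configuration leaves a store unset.
        if (StringUtils.isEmpty(clientKeyStore)) {
            clientKeyStore = toStoreUrl(System.getProperty("javax.net.ssl.keyStore"));
            clientKeyStoreType = System.getProperty("javax.net.ssl.keyStoreType", "JKS");
            clientKeyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
        }
        if (StringUtils.isEmpty(trustKeyStore)) {
            trustKeyStore = toStoreUrl(System.getProperty("javax.net.ssl.trustStore"));
            trustKeyStoreType = System.getProperty("javax.net.ssl.trustStoreType", "JKS");
            trustKeyStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
        }
        TrustManagerFactory tmf;
        KeyManagerFactory kmf;
        try {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            throw sslError("Default algorithm definitions for TrustManager and/or KeyManager are invalid", e);
        }
        KeyManager[] keyManagers = initKeyManagers(kmf, clientKeyStore, clientKeyStoreType, clientKeyStorePassword);
        TrustManager[] trustManagers =
                initTrustManagers(tmf, client, trustKeyStore, trustKeyStoreType, trustKeyStorePassword);
        return newSocketFactory(keyManagers, trustManagers);
    }

    /**
     * Loads the client keystore, if one is configured, and initialises {@code kmf} from it.
     *
     * @return the key managers, or {@code null} when no client keystore is configured
     * @throws SQLException if the store cannot be loaded or the factory rejects it
     */
    private static KeyManager[] initKeyManagers(KeyManagerFactory kmf, String location, String type, String password)
            throws SQLException {
        KeyStore store = loadKeyStore(location, type, password);
        if (store == null) {
            return null;
        }
        try {
            // An absent password is passed as an empty char[] rather than null.
            kmf.init(store, password == null ? new char[0] : password.toCharArray());
            return kmf.getKeyManagers();
        } catch (KeyStoreException e) {
            throw sslError("Could not init KeyManagerFactory using KeyStore instance [" + e.getMessage() + "]", e);
        } catch (NoSuchAlgorithmException e) {
            throw sslError("Unsupported keystore algorithm [" + e.getMessage() + "]", e);
        } catch (UnrecoverableKeyException e) {
            throw sslError("Could not recover keys from client keystore. The password may not be empty", e);
        }
    }

    /**
     * Initialises {@code tmf} from the trust store (or, when none is configured, from the
     * provider's default) and wraps every X.509 trust manager in a {@link GaussX509TrustManager}.
     *
     * @return the trust managers to hand to the SSL context; never empty
     * @throws SQLException if the store cannot be loaded, the factory rejects it, or the wrapper
     *                      cannot be set up
     */
    private static TrustManager[] initTrustManagers(TrustManagerFactory tmf, IOClientImpl client,
            String location, String type, String password) throws SQLException {
        try {
            // A null store makes the provider fall back to its own default trust store.
            tmf.init(loadKeyStore(location, type, password));
            boolean verify = client.getVerifyServerCertificate();
            List<TrustManager> managers = new ArrayList<>();
            for (TrustManager tm : tmf.getTrustManagers()) {
                managers.add(tm instanceof X509TrustManager
                        ? new GaussX509TrustManager((X509TrustManager) tm, verify, client)
                        : tm);
            }
            if (managers.isEmpty()) {
                // NOTE(review): the fallback accepts any in-date chain (see its constructor);
                // failing here would be the safer choice.
                managers.add(new GaussX509TrustManager());
            }
            return managers.toArray(new TrustManager[0]);
        } catch (KeyStoreException e) {
            throw sslError("Could not init TrustManagerFactory using KeyStore instance [" + e.getMessage() + "]", e);
        } catch (CertificateException e) {
            throw sslError(e.getMessage(), e);
        }
    }

    /**
     * Creates the TLS context and returns its socket factory.
     *
     * @param keyManagers   client key managers, or {@code null} for no client authentication
     * @param trustManagers trust managers deciding server acceptance
     * @throws SQLException if the context cannot be created or initialised
     */
    private static SSLSocketFactory newSocketFactory(KeyManager[] keyManagers, TrustManager[] trustManagers)
            throws SQLException {
        try {
            // "TLS" only names the context; the versions offered are restricted per socket.
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagers, trustManagers, null); // null: provider-default SecureRandom
            return context.getSocketFactory();
        } catch (KeyManagementException e) {
            throw sslError("KeyManagerException: " + e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw sslError("TLS is not a valid SSL protocal", e);
        }
    }

    /**
     * Loads a keystore from a URL.
     *
     * @param location keystore URL; {@code file:} URLs are canonicalised before opening
     * @param type     keystore type passed to {@code KeyStore.getInstance}
     * @param password store password, or {@code null} for an empty password
     * @return the loaded store, or {@code null} when {@code location} or {@code type} is empty
     * @throws SQLException if the URL is malformed, the store cannot be opened, or the store
     *                      type/algorithm/contents are rejected
     */
    private static KeyStore loadKeyStore(String location, String type, String password) throws SQLException {
        if (StringUtils.isEmpty(location) || StringUtils.isEmpty(type)) {
            return null;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(type);
            URL url = new URL(location);
            if (url.getProtocol().equalsIgnoreCase("file")) {
                // Strip the 5-character "file:" scheme and resolve the path (symlinks, ".." segments)
                // before opening it.
                url = new URL("file:" + new File(location.substring(5)).getCanonicalPath());
            }
            try (InputStream in = url.openStream()) {
                keyStore.load(in, password == null ? new char[0] : password.toCharArray());
            }
            return keyStore;
        } catch (NoSuchAlgorithmException e) {
            throw sslError("Unsupported keystore algorithm [" + e.getMessage() + "]", e);
        } catch (MalformedURLException e) {
            throw sslError(location + " does not appear to be a valid URL", e);
        } catch (IOException e) {
            throw sslError("Cannot open " + location + " [" + e.getMessage() + "]", e);
        } catch (KeyStoreException e) {
            throw sslError("Could not create KeyStore instance [" + e.getMessage() + "]", e);
        } catch (CertificateException e) {
            throw sslError("Could not load client or trust " + type + " keystore from " + location, e);
        }
    }
}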
