package io.temporal.serviceclient;

import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:io/temporal/serviceclient/SimpleSslContextBuilder.class */
/**
 * Fluent builder for a client-side netty {@link SslContext} that advertises HTTP/2 ("h2") via ALPN.
 *
 * <p>Server certificates are checked by exactly one trust manager, chosen in this order:
 * the one passed to {@link #setTrustManager(TrustManager)}, else netty's
 * {@link InsecureTrustManagerFactory} when {@link #setUseInsecureTrustManager(boolean)} is on,
 * else the first {@link X509TrustManager} of the JVM's default {@link TrustManagerFactory}.
 * Setting both a custom and the insecure trust manager is rejected by {@link #build()}.
 *
 * <p>A client certificate is configured only when the builder was created with
 * {@link #forPKCS8(InputStream, InputStream)} or {@link #forPKCS12(InputStream)} and at least one
 * of the supplied streams is non-null.
 */
public class SimpleSslContextBuilder {
    /** ALPN settings used for every context: "h2" only, with NO_ADVERTISE / ACCEPT failure behaviours. */
    private static final ApplicationProtocolConfig DEFAULT_APPLICATION_PROTOCOL_CONFIG =
            new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    "h2");

    // Container format of the client key material; null when no client key is configured.
    @Nullable
    private final PKCS pkcs;

    // Client certificate chain stream (PKCS8 mode only).
    @Nullable
    private final InputStream keyCertChain;

    // Private key stream (PKCS8 mode) or the whole key store stream (PKCS12 mode).
    @Nullable
    private final InputStream key;

    // Caller-supplied trust manager; takes precedence over the default one when non-null.
    private TrustManager trustManager;

    // When true, server certificates are accepted without verification.
    private boolean useInsecureTrustManager;

    // Password for the key / key store. Kept as a String for the lifetime of this builder.
    private String keyPassword;

    /**
     * Supported containers for client key material.
     *
     * <p>Decompiler note: the access modifier of this enum was changed from private.
     */
    public enum PKCS {
        PKCS_8,
        PKCS_12
    }

    /** Raised when no usable {@link X509TrustManager} can be obtained from the JVM defaults. */
    public static final class UnknownDefaultTrustManagerException extends RuntimeException {
        public UnknownDefaultTrustManagerException(Throwable th) {
            super(th);
        }

        public UnknownDefaultTrustManagerException(String str) {
            super(str);
        }
    }

    /**
     * Legacy alias of {@link #forPKCS8(InputStream, InputStream)}.
     *
     * @param inputStream client certificate chain
     * @param inputStream2 client private key
     * @return a builder in PKCS8 mode
     * @deprecated use {@link #forPKCS8(InputStream, InputStream)}
     */
    @Deprecated
    public static SimpleSslContextBuilder newBuilder(InputStream inputStream, InputStream inputStream2) {
        return forPKCS8(inputStream, inputStream2);
    }

    /**
     * Creates a builder with no client key material, so {@link #build()} configures no key manager.
     *
     * @return a builder without client certificate or key
     */
    public static SimpleSslContextBuilder noKeyOrCertChain() {
        return new SimpleSslContextBuilder(null, null, null);
    }

    /**
     * Creates a builder whose client identity comes from a certificate chain and a PKCS8 key.
     *
     * @param inputStream client certificate chain, may be null
     * @param inputStream2 client private key, may be null
     * @return a builder in PKCS8 mode
     */
    public static SimpleSslContextBuilder forPKCS8(@Nullable InputStream inputStream, @Nullable InputStream inputStream2) {
        return new SimpleSslContextBuilder(PKCS.PKCS_8, inputStream, inputStream2);
    }

    /**
     * Creates a builder whose client identity is loaded from a PKCS12 key store.
     *
     * @param inputStream PKCS12 key store contents, may be null
     * @return a builder in PKCS12 mode
     */
    public static SimpleSslContextBuilder forPKCS12(@Nullable InputStream inputStream) {
        return new SimpleSslContextBuilder(PKCS.PKCS_12, null, inputStream);
    }

    private SimpleSslContextBuilder(@Nullable PKCS pkcs, @Nullable InputStream certChainStream, @Nullable InputStream keyStream) {
        this.pkcs = pkcs;
        this.keyCertChain = certChainStream;
        this.key = keyStream;
    }

    /**
     * Assembles the client {@link SslContext} from the current settings.
     *
     * <p>The key material streams are read here and are not closed by this class.
     * NOTE(review): a second call would read the same streams again; whether that works depends
     * on the stream implementation, so treat a builder as single-use unless verified.
     *
     * @return the configured client context
     * @throws IllegalArgumentException if both a custom and the insecure trust manager are set,
     *     if the PKCS mode is not implemented, or if the PKCS12 key store cannot be loaded
     * @throws UnknownDefaultTrustManagerException if the default trust manager is needed but
     *     cannot be obtained
     * @throws SSLException if netty fails to build the context
     */
    public SslContext build() throws SSLException {
        boolean customTrustConfigured = this.trustManager != null;
        if (customTrustConfigured && this.useInsecureTrustManager) {
            throw new IllegalArgumentException("Can not use insecure trust manager if custom trust manager is set.");
        }

        SslContextBuilder clientContext = SslContextBuilder.forClient();
        clientContext.trustManager(resolveTrustManager());
        clientContext.applicationProtocolConfig(DEFAULT_APPLICATION_PROTOCOL_CONFIG);

        // No client identity requested: the context authenticates the server only.
        boolean keyMaterialSupplied = this.key != null || this.keyCertChain != null;
        if (this.pkcs == null || !keyMaterialSupplied) {
            return clientContext.build();
        }

        if (this.pkcs == PKCS.PKCS_8) {
            // netty parses the certificate chain and key streams itself.
            clientContext.keyManager(this.keyCertChain, this.key, this.keyPassword);
        } else if (this.pkcs == PKCS.PKCS_12) {
            clientContext.keyManager(createPKCS12KeyManager());
        } else {
            throw new IllegalArgumentException("PKCS " + this.pkcs + " is not implemented");
        }
        return clientContext.build();
    }

    /**
     * Replaces the default trust manager used to validate the server certificate.
     *
     * <p>The supplied manager is used as-is; the JVM default trust store is not consulted in
     * addition to it. Cannot be combined with {@link #setUseInsecureTrustManager(boolean)}.
     *
     * @param trustManager custom trust manager, or null to fall back to the default
     * @return this builder
     */
    public SimpleSslContextBuilder setTrustManager(TrustManager trustManager) {
        this.trustManager = trustManager;
        return this;
    }

    /**
     * Switches server certificate verification off by selecting netty's
     * {@link InsecureTrustManagerFactory}, which trusts every X.509 certificate.
     *
     * <p>With this enabled the connection is still encrypted but the server is not
     * authenticated, so any endpoint able to intercept the connection can present its own
     * certificate. Keep it out of production configuration; it is worth alerting on where
     * configuration is audited.
     *
     * @param z true to skip certificate verification
     * @return this builder
     */
    public SimpleSslContextBuilder setUseInsecureTrustManager(boolean z) {
        this.useInsecureTrustManager = z;
        return this;
    }

    /**
     * Sets the password protecting the client key.
     *
     * <p>In PKCS8 mode it is handed to netty together with the key stream; in PKCS12 mode it is
     * used both to load the key store and to recover the key from it.
     *
     * @param str key or key store password, may be null
     * @return this builder
     */
    public SimpleSslContextBuilder setKeyPassword(String str) {
        this.keyPassword = str;
        return this;
    }

    /**
     * Loads {@link #key} as a PKCS12 key store and wraps it in a {@link KeyManagerFactory}.
     *
     * <p>Every failure, including a wrong password, surfaces as the same
     * {@link IllegalArgumentException}; the cause carries the detail.
     */
    private KeyManagerFactory createPKCS12KeyManager() {
        // NOTE(review): this char[] copy is not zeroed after use, and the String it comes from
        // stays referenced by the builder.
        char[] password = null;
        if (this.keyPassword != null) {
            password = this.keyPassword.toCharArray();
        }
        try {
            KeyStore pkcs12Store = KeyStore.getInstance("PKCS12");
            pkcs12Store.load(this.key, password);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(pkcs12Store, password);
            return factory;
        } catch (Exception e) {
            throw new IllegalArgumentException("Input stream does not contain a valid PKCS12 key", e);
        }
    }

    /** Picks the trust manager for {@link #build()}: custom first, then insecure, then JVM default. */
    private TrustManager resolveTrustManager() {
        if (this.trustManager != null) {
            return this.trustManager;
        }
        if (this.useInsecureTrustManager) {
            return InsecureTrustManagerFactory.INSTANCE.getTrustManagers()[0];
        }
        return getDefaultTrustManager();
    }

    /**
     * Returns the first {@link X509TrustManager} offered by the JVM's default
     * {@link TrustManagerFactory}, initialised with a null key store so that the platform
     * default trust store is used.
     */
    private X509TrustManager getDefaultTrustManager() {
        TrustManager[] platformManagers;
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init((KeyStore) null);
            platformManagers = factory.getTrustManagers();
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new UnknownDefaultTrustManagerException(e);
        }
        for (TrustManager candidate : platformManagers) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new UnknownDefaultTrustManagerException("Unable to find X509TrustManager in the list of default trust managers.");
    }
}
