package com.yahoo.security;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/* loaded from: input_file:com/yahoo/security/AutoReloadingX509KeyManager.class */
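/**
 * X509 key manager backed by a PEM private-key file and a PEM certificate-chain file that are
 * re-read periodically, so a rotated key/certificate is picked up without restarting the process.
 *
 * <p>The key material is stored under the single alias {@link #CERTIFICATE_ALIAS} in a PKCS12
 * keystore (built in memory with an empty password; this class never persists it) that is held by
 * a {@link MutableX509KeyManager}. Every {@code X509ExtendedKeyManager} method delegates to that
 * manager, so callers always see the most recently loaded material. A single daemon scheduler
 * thread re-reads both files every {@link #UPDATE_PERIOD}; the first reload happens one period
 * after construction. A reload that fails is logged at SEVERE and the delegate is left unchanged,
 * so the previously loaded key and chain remain in use.
 *
 * <p>Swapping the keystore atomically with respect to concurrent TLS handshakes is the
 * responsibility of {@code MutableX509KeyManager}. Call {@link #close()} to stop the reload thread.
 */
public class AutoReloadingX509KeyManager extends X509ExtendedKeyManager implements AutoCloseable {
    /** Alias under which the single key entry is stored in the keystore. */
    public static final String CERTIFICATE_ALIAS = "default";
    /** Interval between reloads; also the delay before the first reload. */
    private static final Duration UPDATE_PERIOD = Duration.ofHours(1);
    private static final Logger log = Logger.getLogger(AutoReloadingX509KeyManager.class.getName());
    private final MutableX509KeyManager mutableX509KeyManager;
    private final ScheduledExecutorService scheduler;
    private final Path privateKeyFile;
    private final Path certificatesFile;

    private AutoReloadingX509KeyManager(Path privateKeyFile, Path certificatesFile) {
        this(privateKeyFile, certificatesFile, createDefaultScheduler());
    }

    /**
     * Package-private constructor that lets tests supply their own scheduler.
     *
     * <p>The initial load runs synchronously, so an unreadable or unparsable file fails here
     * rather than silently on the reload thread.
     *
     * @param privateKeyFile   path to the PEM-encoded private key
     * @param certificatesFile path to the PEM-encoded certificate chain
     * @param scheduler        executor that runs the periodic reload; shut down by {@link #close()}
     * @throws UncheckedIOException if either file cannot be read
     */
    AutoReloadingX509KeyManager(Path privateKeyFile, Path certificatesFile, ScheduledExecutorService scheduler) {
        this.privateKeyFile = privateKeyFile;
        this.certificatesFile = certificatesFile;
        this.scheduler = scheduler;
        this.mutableX509KeyManager = new MutableX509KeyManager(createKeystore(privateKeyFile, certificatesFile), new char[0]);
        long periodSeconds = UPDATE_PERIOD.getSeconds();
        scheduler.scheduleAtFixedRate(this::reloadKeyManager, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }

    /**
     * Creates a key manager from a PEM-encoded private key file and a PEM-encoded certificate
     * chain file, loading both immediately and reloading them every {@link #UPDATE_PERIOD}.
     *
     * @param privateKeyFile   path to the PEM-encoded private key
     * @param certificatesFile path to the PEM-encoded certificate chain
     * @return a key manager whose reload thread runs until {@link #close()} is called
     * @throws UncheckedIOException if either file cannot be read
     */
    public static AutoReloadingX509KeyManager fromPemFiles(Path privateKeyFile, Path certificatesFile) {
        return new AutoReloadingX509KeyManager(privateKeyFile, certificatesFile);
    }

    /**
     * Returns the certificate chain and private key currently held under {@link #CERTIFICATE_ALIAS}.
     *
     * <p>Both values are read from the same delegate snapshot, so they belong to the same load.
     * Two successive calls may return different material if a reload happened in between.
     *
     * @return the current chain and key
     */
    public X509CertificateWithKey getCurrentCertificateWithKey() {
        X509ExtendedKeyManager current = this.mutableX509KeyManager.currentManager();
        X509Certificate[] chain = current.getCertificateChain(CERTIFICATE_ALIAS);
        return new X509CertificateWithKey(Arrays.asList(chain), current.getPrivateKey(CERTIFICATE_ALIAS));
    }

    /**
     * Re-reads both PEM files and swaps the resulting keystore into the delegate.
     *
     * <p>Runs on the scheduler thread. Every {@link Throwable} is caught and logged because an
     * exception escaping a {@code scheduleAtFixedRate} task cancels all further executions, which
     * would silently stop certificate rotation. When reading or parsing fails, the delegate is not
     * updated and the previously loaded material stays in use.
     */
    private void reloadKeyManager() {
        try {
            log.log(Level.FINE, () -> String.format(
                    "Reloading key and certificate chain (private-key='%s', certificates='%s')",
                    privateKeyFile, certificatesFile));
            mutableX509KeyManager.updateKeystore(createKeystore(privateKeyFile, certificatesFile), new char[0]);
        } catch (Throwable t) {
            log.log(Level.SEVERE,
                    String.format("Failed to load X509 key manager (private-key='%s', certificates='%s'): %s",
                                  privateKeyFile, certificatesFile, t.getMessage()),
                    t);
        }
    }

    /**
     * Builds a PKCS12 keystore holding the key and chain read from the two PEM files under
     * {@link #CERTIFICATE_ALIAS}.
     *
     * @throws UncheckedIOException if either file cannot be read
     */
    private static KeyStore createKeystore(Path privateKeyFile, Path certificatesFile) {
        try {
            return KeyStoreBuilder.withType(KeyStoreType.PKCS12)
                    .withKeyEntry(CERTIFICATE_ALIAS,
                                  KeyUtils.fromPemEncodedPrivateKey(readUtf8(privateKeyFile)),
                                  X509CertificateUtils.certificateListFromPem(readUtf8(certificatesFile)))
                    .build();
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /** Reads the whole file as UTF-8 text; PEM is ASCII, so the charset is fixed rather than platform-dependent. */
    private static String readUtf8(Path file) throws IOException {
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
    }

    /** Single daemon thread so the reloader never keeps the JVM alive on its own. */
    private static ScheduledExecutorService createDefaultScheduler() {
        return Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread thread = new Thread(runnable, "auto-reloading-x509-key-manager");
            thread.setDaemon(true);
            return thread;
        });
    }

    /**
     * Stops the reload thread, waiting up to 5 seconds for it to terminate. Safe to call more than
     * once. Already loaded key material is not affected.
     *
     * @throws RuntimeException if the calling thread is interrupted while waiting; the interrupt
     *                          status is restored before throwing
     */
    @Override
    public void close() {
        this.scheduler.shutdownNow();
        try {
            if (!this.scheduler.awaitTermination(5L, TimeUnit.SECONDS)) {
                log.log(Level.WARNING, "Key manager reload scheduler did not terminate within 5 seconds");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // do not swallow the interrupt; the caller may depend on it
            throw new RuntimeException(e);
        }
    }

    // The methods below delegate straight to the mutable manager so that each call sees the
    // most recently loaded keystore.

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return this.mutableX509KeyManager.getServerAliases(keyType, issuers);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return this.mutableX509KeyManager.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return this.mutableX509KeyManager.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return this.mutableX509KeyManager.chooseClientAlias(keyTypes, issuers, socket);
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return this.mutableX509KeyManager.chooseEngineServerAlias(keyType, issuers, engine);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return this.mutableX509KeyManager.chooseEngineClientAlias(keyTypes, issuers, engine);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return this.mutableX509KeyManager.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return this.mutableX509KeyManager.getPrivateKey(alias);
    }
}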
