package org.apache.doris.mysql;

import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.doris.common.Config;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/doris/mysql/MysqlSslContext.class */
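/**
 * Server-side TLS state for one MySQL-protocol connection: builds an {@link SSLContext} from the
 * configured PKCS12 key store and trust store, creates a server-mode {@link SSLEngine}, and
 * drives the TLS handshake over a {@link MysqlChannel}.
 *
 * <p>The protocol name given to the constructor is passed unchanged to
 * {@link SSLContext#getInstance(String)}.
 * NOTE(review): confirm callers only pass a current TLS protocol name.
 *
 * <p>Instances hold mutable handshake buffers and are not written for concurrent use.
 */
public class MysqlSslContext {
    private SSLEngine sslEngine;
    private SSLContext sslContext;
    private String protocol;
    private ByteBuffer serverAppData;
    private ByteBuffer serverNetData;
    private ByteBuffer clientAppData;
    private ByteBuffer clientNetData;
    private static final Logger LOG = LogManager.getLogger(MysqlSslContext.class);
    private static final String keyStoreFile = Config.mysql_ssl_default_server_certificate;
    private static final String trustStoreFile = Config.mysql_ssl_default_ca_certificate;
    private static final String caCertificatePassword = Config.mysql_ssl_default_ca_certificate_password;
    private static final String serverCertificatePassword = Config.mysql_ssl_default_server_certificate_password;

    /**
     * Creates a context for the given protocol name; nothing is loaded until {@link #init()}.
     *
     * @param str protocol name handed to {@link SSLContext#getInstance(String)}
     */
    public MysqlSslContext(String str) {
        this.protocol = str;
    }

    /**
     * Loads the key material and creates the server-side engine.
     *
     * @throws IllegalStateException if the SSL context could not be built (the cause is logged)
     */
    public void init() {
        initSslContext();
        initSslEngine();
    }

    /**
     * Builds the {@link SSLContext} from the configured PKCS12 key store and trust store.
     * Failures are logged at FATAL level and leave {@code sslContext} unset.
     */
    private void initSslContext() {
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            KeyStore trustStore = KeyStore.getInstance("PKCS12");
            char[] keyPassword = serverCertificatePassword.toCharArray();
            char[] trustPassword = caCertificatePassword.toCharArray();
            try (InputStream keyStoreStream = Files.newInputStream(Paths.get(keyStoreFile))) {
                keyStore.load(keyStoreStream, keyPassword);
            }
            try (InputStream trustStoreStream = Files.newInputStream(Paths.get(trustStoreFile))) {
                trustStore.load(trustStoreStream, trustPassword);
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, keyPassword);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            // Publish the context only once it is fully initialized, so a failure never leaves
            // a half-built context in the field.
            SSLContext context = SSLContext.getInstance(this.protocol);
            context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
            this.sslContext = context;
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            LOG.fatal("Failed to initialize SSL because", e);
        }
    }

    /**
     * Creates the server-mode engine and applies the client-certificate policy.
     *
     * @throws IllegalStateException if {@link #initSslContext()} did not produce a context
     */
    private void initSslEngine() {
        if (this.sslContext == null) {
            // Fail with a clear message instead of a NullPointerException on the next line.
            throw new IllegalStateException("SSL context is not initialized; see the earlier SSL initialization error");
        }
        this.sslEngine = this.sslContext.createSSLEngine();
        this.sslEngine.setUseClientMode(false);
        // Keep the JDK's default enabled cipher suites. Enabling everything returned by
        // getSupportedCipherSuites() would also switch on suites the JDK leaves disabled by
        // default, which weakens what a client is able to negotiate.
        // A client certificate is requested but optional unless the config flag makes it mandatory.
        this.sslEngine.setWantClientAuth(true);
        if (Config.ssl_force_client_auth) {
            this.sslEngine.setNeedClientAuth(true);
        }
    }

    /** Returns the engine created by {@link #init()}, or {@code null} before that. */
    public SSLEngine getSslEngine() {
        return this.sslEngine;
    }

    /** Returns the protocol name given to the constructor. */
    public String getProtocol() {
        return this.protocol;
    }

    /**
     * Runs the TLS handshake over the given channel until the engine reports
     * {@code FINISHED} or {@code NOT_HANDSHAKING}.
     *
     * <p>NOTE(review): the method returns {@code true} whenever the loop ends, including after
     * the engine's outbound side was closed by a failed wrap/unwrap; callers that need to know
     * the session is usable should confirm that separately.
     *
     * @param mysqlChannel channel used to send and receive handshake records
     * @return always {@code true}
     * @throws Exception if the engine reports a status the loop cannot handle
     */
    public boolean sslExchange(MysqlChannel mysqlChannel) throws Exception {
        initDataBuffer();
        mysqlChannel.setSslEngine(this.sslEngine);
        this.sslEngine.beginHandshake();
        while (this.sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.FINISHED
                && this.sslEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
            switch (this.sslEngine.getHandshakeStatus()) {
                case NEED_WRAP:
                    handleNeedWrap(mysqlChannel);
                    break;
                case NEED_UNWRAP:
                    handleNeedUnwrap(mysqlChannel);
                    break;
                case NEED_TASK:
                    handleNeedTask();
                    break;
                case NOT_HANDSHAKING:
                    throw new Exception("impossible HandshakeStatus: " + SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING);
                case FINISHED:
                    throw new Exception("impossible HandshakeStatus: " + SSLEngineResult.HandshakeStatus.FINISHED);
                default:
                    throw new IllegalStateException("invalid HandshakeStatus: " + this.sslEngine.getHandshakeStatus());
            }
        }
        return true;
    }

    /**
     * Allocates the handshake buffers from the session's reported sizes. The client and server
     * fields of each kind refer to the same buffer until one of them is replaced.
     */
    private void initDataBuffer() {
        int applicationBufferSize = this.sslEngine.getSession().getApplicationBufferSize();
        int packetBufferSize = this.sslEngine.getSession().getPacketBufferSize();
        ByteBuffer appData = ByteBuffer.allocate(applicationBufferSize);
        this.clientAppData = appData;
        this.serverAppData = appData;
        ByteBuffer netData = ByteBuffer.allocate(packetBufferSize);
        this.clientNetData = netData;
        this.serverNetData = netData;
    }

    /**
     * Runs every delegated task of the engine on the calling thread.
     *
     * @throws Exception if the engine still reports {@code NEED_TASK} afterwards
     */
    private void handleNeedTask() throws Exception {
        Runnable delegatedTask;
        while ((delegatedTask = this.sslEngine.getDelegatedTask()) != null) {
            delegatedTask.run();
        }
        if (this.sslEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            throw new Exception("handshake shouldn't need additional tasks");
        }
    }

    /**
     * Produces the next outbound handshake record and sends it on the channel.
     * A TLS failure closes the engine's outbound side; an I/O failure is rethrown unchecked.
     */
    private void handleNeedWrap(MysqlChannel mysqlChannel) {
        try {
            boolean wrapped;
            do {
                // handleWrapResult() returns false after growing the buffer, so wrap again.
                SSLEngineResult result = this.sslEngine.wrap(this.serverAppData, this.serverNetData);
                wrapped = handleWrapResult(result);
            } while (!wrapped);
            this.serverNetData.flip();
            mysqlChannel.sendAndFlush(this.serverNetData);
            this.serverNetData.clear();
        } catch (SSLException e) {
            // Record the failure so a rejected handshake is visible in the logs.
            LOG.warn("SSL wrap failed during handshake, closing outbound", e);
            this.sslEngine.closeOutbound();
        } catch (IOException e) {
            throw new RuntimeException("send failed", e);
        }
    }

    /**
     * Reads one packet from the channel and feeds it to the engine.
     * Any I/O or TLS failure is rethrown unchecked with its cause.
     */
    private void handleNeedUnwrap(MysqlChannel mysqlChannel) {
        try {
            this.clientNetData = mysqlChannel.fetchOnePacket();
            boolean unwrapped;
            do {
                // NOTE(review): no further data is fetched between retries; if the result is
                // BUFFER_UNDERFLOW (the peer sent only part of a record) this loop appears to
                // retry on the same bytes. Confirm what fetchOnePacket() guarantees.
                SSLEngineResult result = this.sslEngine.unwrap(this.clientNetData, this.clientAppData);
                unwrapped = handleUnwrapResult(result);
            } while (!unwrapped);
            this.clientAppData.clear();
        } catch (IOException e) {
            throw new RuntimeException("failed to read or unwrap handshake data", e);
        }
    }

    /**
     * Interprets the result of a wrap call.
     *
     * @return {@code true} when the record can be sent, {@code false} when wrap must be retried
     * @throws IllegalStateException for a status wrap is not expected to return here
     */
    private boolean handleWrapResult(SSLEngineResult sSLEngineResult) throws SSLException {
        switch (sSLEngineResult.getStatus()) {
            case OK:
                return true;
            case CLOSED:
                this.sslEngine.closeOutbound();
                return true;
            case BUFFER_OVERFLOW:
                // Double the outbound buffer, keep what was already written, then retry.
                ByteBuffer larger = ByteBuffer.allocate(this.serverNetData.capacity() * 2);
                this.serverNetData.flip();
                larger.put(this.serverNetData);
                this.serverNetData = larger;
                return false;
            case BUFFER_UNDERFLOW:
            default:
                throw new IllegalStateException("invalid wrap status: " + sSLEngineResult.getStatus());
        }
    }

    /**
     * Interprets the result of an unwrap call.
     *
     * @return {@code true} when the record was consumed, {@code false} when unwrap must be retried
     * @throws IllegalStateException for an unknown status
     */
    private boolean handleUnwrapResult(SSLEngineResult sSLEngineResult) {
        switch (sSLEngineResult.getStatus()) {
            case OK:
                return true;
            case CLOSED:
                this.sslEngine.closeOutbound();
                return true;
            case BUFFER_OVERFLOW:
                // Double the application buffer, keep what was already decoded, then retry.
                ByteBuffer largerApp = ByteBuffer.allocate(this.clientAppData.capacity() * 2);
                this.clientAppData.flip();
                largerApp.put(this.clientAppData);
                this.clientAppData = largerApp;
                return false;
            case BUFFER_UNDERFLOW:
                int packetBufferSize = this.sslEngine.getSession().getPacketBufferSize();
                // NOTE(review): the size check uses clientAppData although the buffer that is
                // replaced is clientNetData — confirm which capacity was intended.
                if (packetBufferSize <= this.clientAppData.capacity()) {
                    return false;
                }
                ByteBuffer largerNet = ByteBuffer.allocateDirect(packetBufferSize);
                this.clientNetData.flip();
                largerNet.put(this.clientNetData);
                this.clientNetData = largerNet;
                return false;
            default:
                throw new IllegalStateException("invalid unwrap status: " + sSLEngineResult.getStatus());
        }
    }
}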
