package io.grpc.xds.internal.security.certprovider;

import io.grpc.xds.EnvoyServerProtoData;
import io.grpc.xds.client.Bootstrapper;
import io.grpc.xds.internal.security.CommonTlsContextUtil;
import io.grpc.xds.internal.security.DynamicSslContextProvider;
import io.grpc.xds.internal.security.certprovider.CertificateProvider;
import io.grpc.xds.internal.security.certprovider.CertificateProviderStore;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.Node;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.annotation.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes6.dex */
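/**
 * Base for SSL context providers whose identity certificate and/or trust roots are delivered
 * asynchronously by certificate-provider plugins.
 *
 * <p>The instance passes itself as the {@link CertificateProvider.Watcher} to
 * {@link CertificateProviderStore#createOrGetProvider} and buffers whatever arrives in
 * {@link #savedKey}, {@link #savedCertChain} and {@link #savedTrustedRoots}. Once every piece
 * required by the configured mode is present, the inherited {@code updateSslContext()} is called
 * and the buffered material is dropped again.
 *
 * <p>Mode is derived purely from which provider instances were supplied:
 * <ul>
 *   <li>identity and root instance: mTLS, needs key and trusted roots;</li>
 *   <li>root instance only: client-side TLS, needs trusted roots;</li>
 *   <li>identity instance only: server-side TLS, needs key.</li>
 * </ul>
 *
 * <p>NOTE(review): the {@code saved*} fields are written from the watcher callbacks without any
 * synchronization visible in this class; whether callbacks are serialized is decided by the
 * providers and should be confirmed there.
 */
public abstract class CertProviderSslContextProvider extends DynamicSslContextProvider implements CertificateProvider.Watcher {

    // Handle on the provider that supplies the identity key and certificate chain; null when no
    // identity instance is configured or the bootstrap has no entry for its instance name.
    @Nullable
    private final CertificateProviderStore.Handle certHandle;

    // Identity provider instance taken from the TLS context; drives isMtls()/isServerSideTls().
    @Nullable
    private final CommonTlsContext.CertificateProviderInstance certInstance;

    // Handle on the provider that supplies trust roots; null when no root instance is configured,
    // when the bootstrap has no entry for it, or when it shares its instance name with the
    // identity instance (in which case only certHandle is created).
    @Nullable
    private final CertificateProviderStore.Handle rootCertHandle;

    // Root provider instance taken from the TLS context; drives isMtls()/isClientSideTls().
    @Nullable
    private final CommonTlsContext.CertificateProviderInstance rootCertInstance;

    // Most recently delivered certificate chain, held only until the next context update.
    @Nullable
    protected List<X509Certificate> savedCertChain;

    // Most recently delivered private key. It stays referenced here until the remaining material
    // for the current mode arrives and updateSslContextWhenReady() clears it.
    @Nullable
    protected PrivateKey savedKey;

    // Most recently delivered trust roots, held only until the next context update.
    @Nullable
    protected List<X509Certificate> savedTrustedRoots;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the configured provider instances against the bootstrap map and subscribes to them.
     *
     * <p>NOTE(review): {@code this} is handed to the store before construction (including the
     * subclass constructor) has finished. If a provider can deliver material synchronously from
     * {@code createOrGetProvider}, {@code updateSslContext()} would run on a partially
     * constructed object; confirm against {@link CertificateProviderStore}.
     *
     * <p>NOTE(review): when an instance name has no bootstrap entry the corresponding handle is
     * silently left {@code null}. Nothing in this class reports that, and no update can then
     * arrive through that handle, so in mTLS mode the context would never become ready.
     *
     * @param node not used by this constructor
     * @param map bootstrap certificate-provider configs keyed by instance name; may be null
     * @param certificateProviderInstance identity (key + certificate chain) provider instance
     * @param certificateProviderInstance2 trust-root provider instance
     * @param certificateValidationContext static validation context forwarded to the superclass
     * @param baseTlsContext TLS context forwarded to the superclass
     * @param certificateProviderStore store used to create or look up providers
     */
    public CertProviderSslContextProvider(Node node, @Nullable Map<String, Bootstrapper.CertificateProviderInfo> map, CommonTlsContext.CertificateProviderInstance certificateProviderInstance, CommonTlsContext.CertificateProviderInstance certificateProviderInstance2, CertificateValidationContext certificateValidationContext, EnvoyServerProtoData.BaseTlsContext baseTlsContext, CertificateProviderStore certificateProviderStore) {
        super(baseTlsContext, certificateValidationContext);
        this.certInstance = certificateProviderInstance;
        this.rootCertInstance = certificateProviderInstance2;

        String certInstanceName = null;
        CertificateProviderStore.Handle identityHandle = null;
        if (certificateProviderInstance != null && certificateProviderInstance.isInitialized()) {
            certInstanceName = certificateProviderInstance.getInstanceName();
            Bootstrapper.CertificateProviderInfo identityConfig = getCertProviderConfig(map, certInstanceName);
            if (identityConfig != null) {
                // The meaning of the trailing boolean is defined by CertificateProviderStore.
                identityHandle = certificateProviderStore.createOrGetProvider(certificateProviderInstance.getCertificateName(), identityConfig.pluginName(), identityConfig.config(), this, true);
            }
        }
        this.certHandle = identityHandle;

        CertificateProviderStore.Handle rootHandle = null;
        // A root instance that names the same provider instance as the identity one does not get
        // a second subscription; equals(null) is false, so a missing identity name never matches.
        if (certificateProviderInstance2 != null
                && certificateProviderInstance2.isInitialized()
                && !certificateProviderInstance2.getInstanceName().equals(certInstanceName)) {
            Bootstrapper.CertificateProviderInfo rootConfig = getCertProviderConfig(map, certificateProviderInstance2.getInstanceName());
            if (rootConfig != null) {
                rootHandle = certificateProviderStore.createOrGetProvider(certificateProviderInstance2.getCertificateName(), rootConfig.pluginName(), rootConfig.config(), this, true);
            }
        }
        this.rootCertHandle = rootHandle;
    }

    /** Drops the references to the buffered key, certificate chain and trust roots. */
    private void clearKeysAndCerts() {
        this.savedKey = null;
        this.savedTrustedRoots = null;
        this.savedCertChain = null;
    }

    /**
     * Looks up the bootstrap config for a provider instance name.
     *
     * @return the config, or {@code null} when the map is null or has no entry for the name
     */
    private static Bootstrapper.CertificateProviderInfo getCertProviderConfig(@Nullable Map<String, Bootstrapper.CertificateProviderInfo> providerConfigs, String instanceName) {
        return providerConfigs == null ? null : providerConfigs.get(instanceName);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the identity certificate provider instance of a TLS context.
     *
     * <p>{@code tls_certificate_provider_instance} takes precedence and is converted through
     * {@link CommonTlsContextUtil#convert}; {@code tls_certificate_certificate_provider_instance}
     * is used only when the former is absent.
     *
     * @return the instance, or {@code null} when neither field is set
     */
    @Nullable
    public static CommonTlsContext.CertificateProviderInstance getCertProviderInstance(CommonTlsContext commonTlsContext) {
        if (commonTlsContext.hasTlsCertificateProviderInstance()) {
            return CommonTlsContextUtil.convert(commonTlsContext.getTlsCertificateProviderInstance());
        }
        return commonTlsContext.hasTlsCertificateCertificateProviderInstance()
                ? commonTlsContext.getTlsCertificateCertificateProviderInstance()
                : null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the trust-root certificate provider instance of a TLS context.
     *
     * <p>Lookup order: the CA provider instance of the static validation context (converted
     * through {@link CommonTlsContextUtil#convert}); then, if a combined validation context is
     * present, only its own provider instance; otherwise the top-level
     * {@code validation_context_certificate_provider_instance}.
     *
     * @return the instance, or {@code null} when none of these is set
     */
    @Nullable
    public static CommonTlsContext.CertificateProviderInstance getRootCertProviderInstance(CommonTlsContext commonTlsContext) {
        CertificateValidationContext staticContext = getStaticValidationContext(commonTlsContext);
        if (staticContext != null && staticContext.hasCaCertificateProviderInstance()) {
            return CommonTlsContextUtil.convert(staticContext.getCaCertificateProviderInstance());
        }
        if (commonTlsContext.hasCombinedValidationContext()) {
            CommonTlsContext.CombinedCertificateValidationContext combined = commonTlsContext.getCombinedValidationContext();
            return combined.hasValidationContextCertificateProviderInstance()
                    ? combined.getValidationContextCertificateProviderInstance()
                    : null;
        }
        return commonTlsContext.hasValidationContextCertificateProviderInstance()
                ? commonTlsContext.getValidationContextCertificateProviderInstance()
                : null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the static validation context of a TLS context.
     *
     * <p>A directly set {@code validation_context} wins; otherwise the default validation context
     * of a combined validation context is used.
     *
     * @return the validation context, or {@code null} when neither is set
     */
    @Nullable
    public static CertificateValidationContext getStaticValidationContext(CommonTlsContext commonTlsContext) {
        if (commonTlsContext.hasValidationContext()) {
            return commonTlsContext.getValidationContext();
        }
        if (commonTlsContext.hasCombinedValidationContext()) {
            CommonTlsContext.CombinedCertificateValidationContext combined = commonTlsContext.getCombinedValidationContext();
            if (combined.hasDefaultValidationContext()) {
                return combined.getDefaultValidationContext();
            }
        }
        return null;
    }

    /**
     * Rebuilds the SSL context once all material required by the current mode has been delivered,
     * then drops the buffered material.
     *
     * <p>Readiness is keyed on {@link #savedKey} and {@link #savedTrustedRoots} only;
     * {@link #savedCertChain} is not checked here. It is assigned together with the key in
     * {@link #updateCertificate}, so a null chain delivered with a non-null key is passed on.
     */
    private void updateSslContextWhenReady() {
        final boolean ready;
        if (isMtls()) {
            ready = this.savedKey != null && this.savedTrustedRoots != null;
        } else if (isClientSideTls()) {
            ready = this.savedTrustedRoots != null;
        } else if (isServerSideTls()) {
            ready = this.savedKey != null;
        } else {
            // Neither instance configured: nothing can ever become ready.
            ready = false;
        }
        if (ready) {
            updateSslContext();
            // Do not keep key material referenced longer than the context update needs it.
            clearKeysAndCerts();
        }
    }

    /**
     * Releases both provider handles.
     *
     * <p>The root handle is released in a {@code finally} block so that an exception thrown while
     * closing the identity handle cannot leave the root provider subscription open.
     *
     * <p>NOTE(review): buffered material in the {@code saved*} fields is not cleared here; a key
     * that was delivered while the roots were still outstanding stays referenced until this
     * object is collected.
     */
    @Override // io.grpc.xds.internal.security.SslContextProvider, io.grpc.xds.internal.security.Closeable, java.io.Closeable, java.lang.AutoCloseable
    public final void close() {
        try {
            if (this.certHandle != null) {
                this.certHandle.close();
            }
        } finally {
            if (this.rootCertHandle != null) {
                this.rootCertHandle.close();
            }
        }
    }

    /** Returns the static validation context held by the superclass, unchanged. */
    @Override // io.grpc.xds.internal.security.DynamicSslContextProvider
    protected final CertificateValidationContext generateCertificateValidationContext() {
        return this.staticCertificateValidationContext;
    }

    /** Returns true when only a root provider instance is configured. */
    protected final boolean isClientSideTls() {
        return this.certInstance == null && this.rootCertInstance != null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns true when both an identity and a root provider instance are configured. */
    public final boolean isMtls() {
        return this.certInstance != null && this.rootCertInstance != null;
    }

    /** Returns true when only an identity provider instance is configured. */
    protected final boolean isServerSideTls() {
        return this.rootCertInstance == null && this.certInstance != null;
    }

    /**
     * Watcher callback: buffers a newly delivered key and certificate chain and rebuilds the
     * context if the mode's requirements are now met.
     */
    @Override // io.grpc.xds.internal.security.certprovider.CertificateProvider.Watcher
    public final void updateCertificate(PrivateKey privateKey, List<X509Certificate> list) {
        this.savedKey = privateKey;
        this.savedCertChain = list;
        updateSslContextWhenReady();
    }

    /**
     * Watcher callback: buffers newly delivered trust roots and rebuilds the context if the
     * mode's requirements are now met.
     */
    @Override // io.grpc.xds.internal.security.certprovider.CertificateProvider.Watcher
    public final void updateTrustedRoots(List<X509Certificate> list) {
        this.savedTrustedRoots = list;
        updateSslContextWhenReady();
    }
}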
