package org.elasticsearch.xpack.core.ssl;

import com.unboundid.util.BouncyCastleFIPSHelper;
import com.unboundid.util.CryptoHelper;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.env.Environment;

/* loaded from: input_file:ingrid-ibus-7.1.0-RC1/lib/x-pack-core-7.17.15.jar:org/elasticsearch/xpack/core/ssl/CertParsingUtils.class */
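/**
 * Static helpers for turning certificate, key and keystore files into JSSE
 * {@link KeyStore}, key-manager and trust-manager objects.
 *
 * <p>This listing is decompiler output: parameter names such as {@code str} and
 * {@code cArr} are synthetic, and some string constants have been resolved to
 * unrelated library fields (see the notes at the {@code CertificateFactory} calls).
 */
public class CertParsingUtils {

    private CertParsingUtils() {
        throw new IllegalStateException("Utility class should not be instantiated");
    }

    /**
     * Resolves a configured path string to a {@link Path}.
     *
     * <p>With an environment the string is resolved against {@code environment.configFile()};
     * without one it is passed to {@code PathUtils.get} and normalized.
     *
     * <p>Security note: the result is not confined to the config directory.
     * {@link Path#resolve(String)} returns an absolute argument unchanged, and the
     * environment branch does not normalize {@code ..} segments.
     * NOTE(review): presumably {@code str} only ever comes from operator-controlled
     * settings; confirm that no request-supplied value can reach this method.
     *
     * @param str path as written in the configuration
     * @param environment node environment, or {@code null} when none is available
     * @return the resolved path
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @SuppressForbidden(reason = "we don't have the environment to resolve files from when running in a transport client")
    public static Path resolvePath(String str, @Nullable Environment environment) {
        if (environment == null) {
            return PathUtils.get(str).normalize();
        }
        return environment.configFile().resolve(str);
    }

    /**
     * Applies {@link #resolvePath(String, Environment)} to every entry, preserving order.
     *
     * @param list path strings to resolve
     * @param environment node environment, or {@code null}
     * @return the resolved paths
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static List<Path> resolvePaths(List<String> list, @Nullable Environment environment) {
        return list.stream().map(entry -> resolvePath(entry, environment)).collect(Collectors.toList());
    }

    /**
     * Loads a keystore of the given type from a file.
     *
     * <p>Security note: the non-null password requirement is only an {@code assert}, so it
     * is not enforced when assertions are disabled. Per {@link KeyStore#load}, a {@code null}
     * password means the integrity of the keystore data is not checked.
     *
     * @param path keystore file
     * @param str keystore type passed to {@link KeyStore#getInstance(String)}
     * @param cArr keystore password
     * @return the loaded keystore
     */
    public static KeyStore readKeyStore(Path path, String str, char[] cArr) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore store = KeyStore.getInstance(str);
            assert cArr != null;
            store.load(in, cArr);
            return store;
        }
    }

    /**
     * Resolves the given path strings and reads every certificate they contain.
     *
     * @param list certificate file paths as configured
     * @param environment node environment, or {@code null}
     * @return all parsed certificates, in file order
     */
    public static Certificate[] readCertificates(List<String> list, @Nullable Environment environment) throws CertificateException, IOException {
        return readCertificates(resolvePaths(list, environment));
    }

    /**
     * Reads every certificate from each file and fails if any single file yields none.
     *
     * <p>The emptiness check is applied per file. Testing the accumulated list instead
     * would only catch an empty first file, letting a later empty or unparseable file be
     * skipped silently and leaving the resulting chain or trust set short of what the
     * configuration names.
     *
     * @param list certificate files
     * @return all parsed certificates, in file order
     * @throws CertificateException if a file contains no parseable certificate
     */
    public static Certificate[] readCertificates(List<Path> list) throws CertificateException, IOException {
        List<Certificate> certificates = new ArrayList<>();
        // NOTE(review): the decompiler resolved an inlined string constant to this UnboundID
        // field; CertificateFactory.getInstance expects a certificate type, presumably
        // "X.509". Confirm against the original source.
        CertificateFactory certificateFactory = CertificateFactory.getInstance(BouncyCastleFIPSHelper.DEFAULT_KEY_MANAGER_FACTORY_ALGORITHM);
        for (Path path : list) {
            try (InputStream in = Files.newInputStream(path)) {
                int countBefore = certificates.size();
                certificates.addAll(certificateFactory.generateCertificates(in));
                if (certificates.size() == countBefore) {
                    throw new CertificateException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
                }
            }
        }
        return certificates.toArray(new Certificate[0]);
    }

    /**
     * Reads every certificate from each file and returns them as {@link X509Certificate}s.
     *
     * <p>Unlike {@link #readCertificates(List)} this method does not reject a file that
     * yields no certificates. A parsed certificate that is not an {@code X509Certificate}
     * makes the final array copy fail with an {@link ArrayStoreException}.
     *
     * @param list certificate files
     * @return all parsed certificates, in file order
     */
    public static X509Certificate[] readX509Certificates(List<Path> list) throws CertificateException, IOException {
        List<Certificate> certificates = new ArrayList<>();
        // NOTE(review): constant name is a decompiler artifact; presumably "X.509". Confirm.
        CertificateFactory certificateFactory = CertificateFactory.getInstance(BouncyCastleFIPSHelper.DEFAULT_KEY_MANAGER_FACTORY_ALGORITHM);
        for (Path path : list) {
            try (InputStream in = Files.newInputStream(path)) {
                certificates.addAll(certificateFactory.generateCertificates(in));
            }
        }
        return certificates.toArray(new X509Certificate[0]);
    }

    /**
     * Parses all certificates from an already-open stream. The stream is not closed here.
     *
     * @param inputStream source of encoded certificates
     * @return a mutable list of the parsed certificates
     */
    public static List<Certificate> readCertificates(InputStream inputStream) throws CertificateException, IOException {
        // NOTE(review): constant name is a decompiler artifact; presumably "X.509". Confirm.
        CertificateFactory certificateFactory = CertificateFactory.getInstance(BouncyCastleFIPSHelper.DEFAULT_KEY_MANAGER_FACTORY_ALGORITHM);
        return new ArrayList<>(certificateFactory.generateCertificates(inputStream));
    }

    /**
     * Reads certificate/key pairs from a keystore file using the type named by
     * {@code CryptoHelper.KEY_STORE_TYPE_PKCS_12}.
     *
     * @param path keystore file
     * @param cArr keystore password
     * @param function maps an alias to the password protecting that entry's key
     * @return certificate-to-key map for every key entry
     */
    public static Map<Certificate, Key> readPkcs12KeyPairs(Path path, char[] cArr, Function<String, char[]> function) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
        return readKeyPairsFromKeystore(path, CryptoHelper.KEY_STORE_TYPE_PKCS_12, cArr, function);
    }

    /**
     * Loads a keystore file and reads its certificate/key pairs.
     *
     * @param path keystore file
     * @param str keystore type
     * @param cArr keystore password
     * @param function maps an alias to the password protecting that entry's key
     * @return certificate-to-key map for every key entry
     */
    public static Map<Certificate, Key> readKeyPairsFromKeystore(Path path, String str, char[] cArr, Function<String, char[]> function) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException {
        return readKeyPairsFromKeystore(readKeyStore(path, str, cArr), function);
    }

    /**
     * Collects the certificate and key of every key entry in the keystore.
     *
     * <p>Entries are keyed by the value of {@link KeyStore#getCertificate(String)}.
     * NOTE(review): that call can return {@code null} for an alias without a certificate
     * (for example a secret-key entry), in which case such entries would share the
     * {@code null} map key; confirm callers only pass keystores of private-key entries.
     *
     * @param keyStore an already-loaded keystore
     * @param function maps an alias to the password protecting that entry's key
     * @return certificate-to-key map for every key entry
     */
    static Map<Certificate, Key> readKeyPairsFromKeystore(KeyStore keyStore, Function<String, char[]> function) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        Enumeration<String> aliases = keyStore.aliases();
        Map<Certificate, Key> pairs = new HashMap<>(keyStore.size());
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            // Certificate lookup first, then key retrieval, matching the original evaluation order.
            Certificate certificate = keyStore.getCertificate(alias);
            Key key = keyStore.getKey(alias, function.apply(alias));
            pairs.put(certificate, key);
        }
        return pairs;
    }

    /**
     * Builds an in-memory keystore from a PEM certificate file and a PEM private-key file.
     *
     * <p>The same {@code cArr} is used both to decrypt the private key and to protect the
     * entry in the returned keystore.
     *
     * @param path certificate file
     * @param path2 private-key file
     * @param cArr key password
     * @return keystore holding the single key entry
     */
    public static KeyStore getKeyStoreFromPEM(Path path, Path path2, char[] cArr) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
        Certificate[] chain = readCertificates(Collections.singletonList(path));
        PrivateKey privateKey = PemUtils.readPrivateKey(path2, () -> cArr);
        return getKeyStore(chain, privateKey, cArr);
    }

    /**
     * Creates a key manager for one private key and its certificate chain, using the
     * default {@link KeyManagerFactory} algorithm.
     *
     * @param certificateArr certificate chain for the key
     * @param privateKey the private key
     * @param cArr password protecting the key entry
     * @return the first {@link X509ExtendedKeyManager} the factory provides
     */
    public static X509ExtendedKeyManager keyManager(Certificate[] certificateArr, PrivateKey privateKey, char[] cArr) throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, IOException, CertificateException {
        KeyStore store = getKeyStore(certificateArr, privateKey, cArr);
        return keyManager(store, cArr, KeyManagerFactory.getDefaultAlgorithm());
    }

    /**
     * Creates an empty default-type keystore and stores the key under the alias {@code "key"}.
     */
    private static KeyStore getKeyStore(Certificate[] certificateArr, PrivateKey privateKey, char[] cArr) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        // load(null, null) initializes an empty in-memory keystore.
        store.load(null, null);
        store.setKeyEntry("key", privateKey, cArr, certificateArr);
        return store;
    }

    /**
     * Initializes a {@link KeyManagerFactory} for the keystore and returns its first
     * {@link X509ExtendedKeyManager}.
     *
     * @param keyStore source of key material
     * @param cArr password for recovering keys from the keystore
     * @param str key-manager factory algorithm
     * @throws IllegalStateException if the factory yields no {@code X509ExtendedKeyManager}
     */
    public static X509ExtendedKeyManager keyManager(KeyStore keyStore, char[] cArr, String str) throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException {
        KeyManagerFactory factory = KeyManagerFactory.getInstance(str);
        factory.init(keyStore, cArr);
        for (KeyManager candidate : factory.getKeyManagers()) {
            if (candidate instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) candidate;
            }
        }
        throw new IllegalStateException("failed to find a X509ExtendedKeyManager");
    }

    /**
     * Builds a key manager from settings, or returns {@code null} when no key material is
     * configured.
     *
     * @param x509KeyPairSettings setting definitions to read
     * @param settings the settings values
     * @param str algorithm name; when {@code null} it defaults to
     *     {@link TrustManagerFactory#getDefaultAlgorithm()}, so presumably a trust-manager
     *     algorithm (confirm against {@code StoreKeyConfig})
     * @param environment node environment used to create the key manager
     * @return the key manager, or {@code null}
     */
    public static X509ExtendedKeyManager getKeyManager(X509KeyPairSettings x509KeyPairSettings, Settings settings, @Nullable String str, Environment environment) {
        String algorithm = str != null ? str : TrustManagerFactory.getDefaultAlgorithm();
        KeyConfig keyConfig = createKeyConfig(x509KeyPairSettings, settings, algorithm);
        return keyConfig == null ? null : keyConfig.createKeyManager(environment);
    }

    /**
     * Chooses the key configuration described by the settings.
     *
     * <p>A key path selects a {@code PEMKeyConfig} and requires a certificate path. A
     * keystore path, or a keystore type of {@code pkcs11} (case-insensitive), selects a
     * {@code StoreKeyConfig}; an empty key password falls back to the keystore password.
     *
     * @param x509KeyPairSettings setting definitions to read
     * @param settings the settings values
     * @param str algorithm name forwarded as the last {@code StoreKeyConfig} argument
     * @return the key configuration, or {@code null} when nothing is configured
     * @throws IllegalArgumentException if both a key and a keystore are set, or a key is
     *     set without certificates
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static KeyConfig createKeyConfig(X509KeyPairSettings x509KeyPairSettings, Settings settings, String str) {
        String keyPath = x509KeyPairSettings.keyPath.get(settings).orElse(null);
        String keystorePath = x509KeyPairSettings.keystorePath.get(settings).orElse(null);
        // Resolved before the conflict check, as in the original statement order.
        String keyStoreType = SSLConfigurationSettings.getKeyStoreType(x509KeyPairSettings.keystoreType, settings, keystorePath);
        if (keyPath != null && keystorePath != null) {
            throw new IllegalArgumentException("you cannot specify a keystore and key file");
        }
        if (keyPath != null) {
            SecureString keyPassword = x509KeyPairSettings.keyPassword.get(settings);
            String certificatePath = x509KeyPairSettings.certificatePath.get(settings).orElse(null);
            if (certificatePath == null) {
                throw new IllegalArgumentException("you must specify the certificates [" + x509KeyPairSettings.certificatePath.getKey() + "] to use with the key [" + x509KeyPairSettings.keyPath.getKey() + "]");
            }
            return new PEMKeyConfig(keyPath, keyPassword, certificatePath);
        }
        if (keystorePath == null && !keyStoreType.equalsIgnoreCase("pkcs11")) {
            return null;
        }
        SecureString keystorePassword = x509KeyPairSettings.keystorePassword.get(settings);
        String keystoreAlgorithm = x509KeyPairSettings.keystoreAlgorithm.get(settings);
        SecureString keystoreKeyPassword = x509KeyPairSettings.keystoreKeyPassword.get(settings);
        if (keystoreKeyPassword.length() == 0) {
            keystoreKeyPassword = keystorePassword;
        }
        return new StoreKeyConfig(keystorePath, keyStoreType, keystorePassword, keystoreKeyPassword, keystoreAlgorithm, str);
    }

    /**
     * Creates a trust manager that trusts exactly the given certificates, using the
     * default {@link TrustManagerFactory} algorithm.
     *
     * @param certificateArr certificates to trust
     * @return the first {@link X509ExtendedTrustManager} the factory provides
     */
    public static X509ExtendedTrustManager trustManager(Certificate[] certificateArr) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
        return trustManager(trustStore(certificateArr), TrustManagerFactory.getDefaultAlgorithm());
    }

    /**
     * Builds an in-memory default-type keystore with one certificate entry per input,
     * aliased {@code cert0}, {@code cert1}, and so on.
     *
     * <p>The null check is an {@code assert}; with assertions disabled a {@code null}
     * array fails with a {@link NullPointerException} after the empty store is created.
     *
     * @param certificateArr certificates to trust
     * @return the populated keystore
     */
    public static KeyStore trustStore(Certificate[] certificateArr) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        assert certificateArr != null : "Cannot create trust store with null certificates";
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        for (int index = 0; index < certificateArr.length; index++) {
            store.setCertificateEntry("cert" + index, certificateArr[index]);
        }
        return store;
    }

    /**
     * Loads a trust store from a configured path and creates a trust manager from it.
     *
     * @param str trust store path as configured
     * @param str2 keystore type
     * @param cArr trust store password
     * @param str3 trust-manager factory algorithm
     * @param environment node environment, or {@code null}
     * @return the first {@link X509ExtendedTrustManager} the factory provides
     */
    public static X509ExtendedTrustManager trustManager(String str, String str2, char[] cArr, String str3, @Nullable Environment environment) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
        KeyStore store = readKeyStore(resolvePath(str, environment), str2, cArr);
        return trustManager(store, str3);
    }

    /**
     * Initializes a {@link TrustManagerFactory} with the keystore and returns its first
     * {@link X509ExtendedTrustManager}.
     *
     * @param keyStore source of trusted certificates
     * @param str trust-manager factory algorithm
     * @throws IllegalStateException if the factory yields no {@code X509ExtendedTrustManager}
     */
    public static X509ExtendedTrustManager trustManager(KeyStore keyStore, String str) throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(str);
        factory.init(keyStore);
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) candidate;
            }
        }
        throw new IllegalStateException("failed to find a X509ExtendedTrustManager");
    }

    /**
     * Reports whether each certificate's issuer name equals the subject name of the
     * certificate that follows it.
     *
     * <p>This is a name-chaining check only: no signature, validity period or trust
     * anchor is verified, so a {@code true} result must not be treated as path validation.
     * Lists of zero or one element are considered ordered.
     *
     * @param list certificates, leaf first
     * @return {@code true} if the list is ordered leaf-to-issuer by name
     */
    public static boolean isOrderedCertificateChain(List<X509Certificate> list) {
        for (int i = 1; i < list.size(); i++) {
            X509Certificate issued = list.get(i - 1);
            X509Certificate issuer = list.get(i);
            if (!issued.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                return false;
            }
        }
        return true;
    }
}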
