package org.elasticsearch.common.ssl;

import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:ingrid-iplug-ige-5.9.2.4/lib/elasticsearch-ssl-config-6.8.4.jar:org/elasticsearch/common/ssl/SslConfigurationLoader.class */
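/**
 * Builds an {@link SslConfiguration} from string, list and secure settings that a subclass
 * supplies through {@link #getSettingAsString}, {@link #getSecureSetting} and
 * {@link #getSettingAsList}.
 *
 * <p>Every setting key is looked up as {@code settingPrefix + key}. When a setting is absent or
 * empty, the loader falls back to a default that can be replaced through the
 * {@code setDefault*} methods before {@link #load(Path)} is called.
 *
 * <p>Security notes for reviewers of the built-in defaults:
 * <ul>
 *   <li>{@link #DEFAULT_PROTOCOLS} still lists TLSv1.1 and TLSv1, both deprecated by RFC 8996.</li>
 *   <li>{@link #DEFAULT_CIPHERS} contains only CBC-mode suites (no AEAD/GCM suite), and the
 *       {@code TLS_RSA_*} entries use static RSA key exchange, which gives no forward secrecy.</li>
 *   <li>Disabling certificate verification makes {@link #load(Path)} return the
 *       trust-everything trust config, regardless of any configured CAs or trust store.</li>
 * </ul>
 * The defaults are left unchanged here because callers may depend on them; deployments should
 * set the protocol and cipher settings explicitly (or call {@link #setDefaultProtocols} /
 * {@link #setDefaultCiphers}) to tighten them.
 */
public abstract class SslConfigurationLoader {
    // NOTE(security): TLSv1.1 and TLSv1 are deprecated (RFC 8996). Kept for backward
    // compatibility; override via the protocols setting or setDefaultProtocols.
    static final List<String> DEFAULT_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");
    // NOTE(security): CBC-only list, see loadDefaultCiphers().
    static final List<String> DEFAULT_CIPHERS = loadDefaultCiphers();
    // Zero-length, so sharing the same array instance between callers cannot leak or be mutated.
    private static final char[] EMPTY_PASSWORD = new char[0];

    private final String settingPrefix;
    private SslTrustConfig defaultTrustConfig;
    private SslKeyConfig defaultKeyConfig;
    private SslVerificationMode defaultVerificationMode;
    private SslClientAuthenticationMode defaultClientAuth;
    private List<String> defaultCiphers;
    private List<String> defaultProtocols;

    /**
     * Creates a loader whose setting keys are all prefixed with {@code settingPrefix}.
     *
     * <p>Initial defaults: JDK trust config, empty key config, {@code FULL} verification,
     * {@code OPTIONAL} client authentication, {@link #DEFAULT_PROTOCOLS} and
     * {@link #DEFAULT_CIPHERS}.
     *
     * @param settingPrefix prefix for every key; {@code null} is treated as the empty string
     * @throws IllegalArgumentException if the prefix is non-empty and does not end in {@code '.'}
     */
    public SslConfigurationLoader(String settingPrefix) {
        this.settingPrefix = settingPrefix == null ? "" : settingPrefix;
        if (!this.settingPrefix.isEmpty() && !this.settingPrefix.endsWith(".")) {
            throw new IllegalArgumentException("Setting prefix [" + settingPrefix + "] must be blank or end in '.'");
        }
        this.defaultTrustConfig = new DefaultJdkTrustConfig();
        this.defaultKeyConfig = EmptyKeyConfig.INSTANCE;
        this.defaultVerificationMode = SslVerificationMode.FULL;
        this.defaultClientAuth = SslClientAuthenticationMode.OPTIONAL;
        this.defaultProtocols = DEFAULT_PROTOCOLS;
        this.defaultCiphers = DEFAULT_CIPHERS;
    }

    /** Sets the trust config used when neither certificate authorities nor a trust store are configured. */
    public void setDefaultTrustConfig(SslTrustConfig defaultTrustConfig) {
        this.defaultTrustConfig = defaultTrustConfig;
    }

    /** Sets the key config used when no certificate, key or key store is configured. */
    public void setDefaultKeyConfig(SslKeyConfig defaultKeyConfig) {
        this.defaultKeyConfig = defaultKeyConfig;
    }

    /** Sets the verification mode used when the verification-mode setting is absent or empty. */
    public void setDefaultVerificationMode(SslVerificationMode defaultVerificationMode) {
        this.defaultVerificationMode = defaultVerificationMode;
    }

    /** Sets the client authentication mode used when the client-auth setting is absent or empty. */
    public void setDefaultClientAuth(SslClientAuthenticationMode defaultClientAuth) {
        this.defaultClientAuth = defaultClientAuth;
    }

    /**
     * Sets the cipher suites used when the cipher setting is absent or empty. The list is stored
     * as given (no copy); a {@code null} or empty list makes {@link #load(Path)} fail unless the
     * setting itself provides suites.
     */
    public void setDefaultCiphers(List<String> defaultCiphers) {
        this.defaultCiphers = defaultCiphers;
    }

    /**
     * Sets the protocols used when the protocol setting is absent or empty. The list is stored as
     * given (no copy); a {@code null} or empty list makes {@link #load(Path)} fail unless the
     * setting itself provides protocols.
     */
    public void setDefaultProtocols(List<String> defaultProtocols) {
        this.defaultProtocols = defaultProtocols;
    }

    /** Returns the value of the (already prefixed) setting, or {@code null}/empty when unset. */
    protected abstract String getSettingAsString(String key) throws Exception;

    /** Returns the value of the (already prefixed) secure setting, or {@code null}/empty when unset. */
    protected abstract char[] getSecureSetting(String key) throws Exception;

    /** Returns the values of the (already prefixed) list setting, or {@code null}/empty when unset. */
    protected abstract List<String> getSettingAsList(String key) throws Exception;

    /**
     * Resolves all SSL settings and assembles the resulting configuration.
     *
     * @param basePath directory against which configured file paths are resolved
     * @return the assembled configuration
     * @throws NullPointerException if {@code basePath} is {@code null}
     * @throws SslConfigException if settings conflict, cannot be read, or leave the protocol or
     *     cipher list empty
     */
    public SslConfiguration load(Path basePath) {
        Objects.requireNonNull(basePath, "Base Path cannot be null");
        final List<String> protocols =
            resolveListSetting(SslConfigurationKeys.PROTOCOLS, Function.identity(), this.defaultProtocols);
        final List<String> ciphers =
            resolveListSetting(SslConfigurationKeys.CIPHERS, Function.identity(), this.defaultCiphers);
        final SslVerificationMode verificationMode =
            resolveSetting(SslConfigurationKeys.VERIFICATION_MODE, SslVerificationMode::parse, this.defaultVerificationMode);
        final SslClientAuthenticationMode clientAuth =
            resolveSetting(SslConfigurationKeys.CLIENT_AUTH, SslClientAuthenticationMode::parse, this.defaultClientAuth);
        final SslTrustConfig trustConfig = buildTrustConfig(basePath, verificationMode);
        final SslKeyConfig keyConfig = buildKeyConfig(basePath);

        // Checked last so that trust/key configuration errors are reported first, as before.
        if (protocols == null || protocols.isEmpty()) {
            throw new SslConfigException("no protocols configured in [" + this.settingPrefix + SslConfigurationKeys.PROTOCOLS + "]");
        }
        if (ciphers == null || ciphers.isEmpty()) {
            throw new SslConfigException("no cipher suites configured in [" + this.settingPrefix + SslConfigurationKeys.CIPHERS + "]");
        }
        return new SslConfiguration(trustConfig, keyConfig, verificationMode, clientAuth, ciphers, protocols);
    }

    /**
     * Chooses the trust configuration: PEM certificate authorities, a trust store, or the default.
     *
     * @throws SslConfigException if both certificate authorities and a trust store path are set
     */
    private SslTrustConfig buildTrustConfig(Path basePath, SslVerificationMode verificationMode) {
        Objects.requireNonNull(basePath);
        final List<Path> certificateAuthorities =
            resolveListSetting(SslConfigurationKeys.CERTIFICATE_AUTHORITIES, basePath::resolve, null);
        final Path trustStorePath = resolveSetting(SslConfigurationKeys.TRUSTSTORE_PATH, basePath::resolve, null);

        if (certificateAuthorities != null && trustStorePath != null) {
            throw new SslConfigException("cannot specify both [" + this.settingPrefix + SslConfigurationKeys.CERTIFICATE_AUTHORITIES
                + "] and [" + this.settingPrefix + SslConfigurationKeys.TRUSTSTORE_PATH + "]");
        }
        if (!verificationMode.isCertificateVerificationEnabled()) {
            // NOTE(security): with verification disabled, configured CAs / trust stores are
            // ignored and the trust-everything config is used, so (as its name indicates) peer
            // certificates are not validated. Worth alerting on in production configuration.
            return TrustEverythingConfig.TRUST_EVERYTHING;
        }
        if (certificateAuthorities != null) {
            return new PemTrustConfig(certificateAuthorities);
        }
        if (trustStorePath != null) {
            final char[] password = resolvePasswordSetting(
                SslConfigurationKeys.TRUSTSTORE_SECURE_PASSWORD, SslConfigurationKeys.TRUSTSTORE_LEGACY_PASSWORD);
            final String storeType = resolveSetting(
                SslConfigurationKeys.TRUSTSTORE_TYPE, Function.identity(), KeyStoreUtil.inferKeyStoreType(trustStorePath));
            final String algorithm = resolveSetting(
                SslConfigurationKeys.TRUSTSTORE_ALGORITHM, Function.identity(), TrustManagerFactory.getDefaultAlgorithm());
            return new StoreTrustConfig(trustStorePath, password, storeType, algorithm);
        }
        return this.defaultTrustConfig;
    }

    /**
     * Chooses the key configuration: a PEM certificate/key pair, a key store, or the default.
     *
     * @throws SslConfigException if a certificate and a key store are both set, or if only one of
     *     certificate and key is set
     */
    private SslKeyConfig buildKeyConfig(Path basePath) {
        Objects.requireNonNull(basePath);
        final Path certificatePath = resolveSetting(SslConfigurationKeys.CERTIFICATE, basePath::resolve, null);
        final Path keyPath = resolveSetting("key", basePath::resolve, null);
        final Path keyStorePath = resolveSetting(SslConfigurationKeys.KEYSTORE_PATH, basePath::resolve, null);

        if (certificatePath != null && keyStorePath != null) {
            throw new SslConfigException("cannot specify both [" + this.settingPrefix + SslConfigurationKeys.CERTIFICATE
                + "] and [" + this.settingPrefix + SslConfigurationKeys.KEYSTORE_PATH + "]");
        }

        if (certificatePath != null || keyPath != null) {
            if (keyPath == null) {
                throw new SslConfigException("cannot specify [" + this.settingPrefix + SslConfigurationKeys.CERTIFICATE
                    + "] without also setting [" + this.settingPrefix + "key]");
            }
            if (certificatePath == null) {
                // Fix: this branch is reached when the key is set without a certificate, so the
                // message must name the key setting (it previously named the key store path,
                // pointing operators at the wrong setting).
                throw new SslConfigException("cannot specify [" + this.settingPrefix + "key] without also setting ["
                    + this.settingPrefix + SslConfigurationKeys.CERTIFICATE + "]");
            }
            final char[] passphrase = resolvePasswordSetting(
                SslConfigurationKeys.KEY_SECURE_PASSPHRASE, SslConfigurationKeys.KEY_LEGACY_PASSPHRASE);
            return new PemKeyConfig(certificatePath, keyPath, passphrase);
        }

        if (keyStorePath == null) {
            return this.defaultKeyConfig;
        }

        final char[] storePassword = resolvePasswordSetting(
            SslConfigurationKeys.KEYSTORE_SECURE_PASSWORD, SslConfigurationKeys.KEYSTORE_LEGACY_PASSWORD);
        char[] keyPassword = resolvePasswordSetting(
            SslConfigurationKeys.KEYSTORE_SECURE_KEY_PASSWORD, SslConfigurationKeys.KEYSTORE_LEGACY_KEY_PASSWORD);
        if (keyPassword.length == 0) {
            // No dedicated key password configured: reuse the store password for the key entry.
            keyPassword = storePassword;
        }
        final String storeType = resolveSetting(
            SslConfigurationKeys.KEYSTORE_TYPE, Function.identity(), KeyStoreUtil.inferKeyStoreType(keyStorePath));
        final String algorithm = resolveSetting(
            SslConfigurationKeys.KEYSTORE_ALGORITHM, Function.identity(), KeyManagerFactory.getDefaultAlgorithm());
        return new StoreKeyConfig(keyStorePath, storePassword, storeType, keyPassword, algorithm);
    }

    /**
     * Resolves a password from either its secure setting or its legacy string setting.
     *
     * @return the password, or a zero-length array when neither setting is present
     * @throws SslConfigException if both the secure and the legacy setting are present
     */
    private char[] resolvePasswordSetting(String secureSettingKey, String legacySettingKey) {
        final char[] securePassword = resolveSecureSetting(secureSettingKey, null);
        // NOTE(security): the legacy value arrives as an immutable String from the ordinary
        // (non-secure) settings source, so it cannot be wiped from memory after use; prefer the
        // secure setting where the settings source supports it.
        final String legacyPassword = resolveSetting(legacySettingKey, Function.identity(), null);
        if (securePassword == null) {
            return legacyPassword == null ? EMPTY_PASSWORD : legacyPassword.toCharArray();
        }
        if (legacyPassword != null) {
            throw new SslConfigException("cannot specify both [" + this.settingPrefix + secureSettingKey
                + "] and [" + this.settingPrefix + legacySettingKey + "]");
        }
        return securePassword;
    }

    /**
     * Reads a string setting and converts it with {@code parser}; returns {@code defaultValue}
     * when the setting is {@code null} or empty. Runtime exceptions propagate unchanged, checked
     * exceptions are wrapped in {@link SslConfigException}.
     */
    private <V> V resolveSetting(String key, Function<String, V> parser, V defaultValue) {
        try {
            final String value = getSettingAsString(this.settingPrefix + key);
            if (value == null || value.isEmpty()) {
                return defaultValue;
            }
            return parser.apply(value);
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new SslConfigException("cannot retrieve setting [" + this.settingPrefix + key + "]", e);
        }
    }

    /**
     * Reads a secure setting; returns {@code defaultValue} when it is {@code null} or
     * zero-length. Runtime exceptions propagate unchanged, checked exceptions are wrapped in
     * {@link SslConfigException}.
     */
    private char[] resolveSecureSetting(String key, char[] defaultValue) {
        try {
            final char[] value = getSecureSetting(this.settingPrefix + key);
            if (value == null || value.length == 0) {
                return defaultValue;
            }
            return value;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new SslConfigException("cannot retrieve secure setting [" + this.settingPrefix + key + "]", e);
        }
    }

    /**
     * Reads a list setting and converts each element with {@code parser}; returns
     * {@code defaultValue} when the setting is {@code null} or empty. Runtime exceptions
     * propagate unchanged, checked exceptions are wrapped in {@link SslConfigException}.
     */
    private <V> List<V> resolveListSetting(String key, Function<String, V> parser, List<V> defaultValue) {
        try {
            final List<String> values = getSettingAsList(this.settingPrefix + key);
            if (values == null || values.isEmpty()) {
                return defaultValue;
            }
            return values.stream().map(parser).collect(Collectors.toList());
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new SslConfigException("cannot retrieve setting [" + this.settingPrefix + key + "]", e);
        }
    }

    /**
     * Builds the default cipher suite list: the AES-256 suites first (only when the JVM allows
     * AES keys longer than 128 bits), followed by the AES-128 suites.
     *
     * <p>NOTE(security): every suite here is CBC-mode, several use a SHA-1 MAC, and the
     * {@code TLS_RSA_*} suites use static RSA key exchange (no forward secrecy). No AEAD (GCM)
     * suite is included. The list is kept as-is for compatibility; configure the cipher setting
     * explicitly to restrict it.
     */
    private static List<String> loadDefaultCiphers() {
        final List<String> ciphers128 = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA");
        final List<String> ciphers256 = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA");
        if (!has256BitAES()) {
            return ciphers128;
        }
        final List<String> ciphers = new ArrayList<>(ciphers256.size() + ciphers128.size());
        ciphers.addAll(ciphers256);
        ciphers.addAll(ciphers128);
        return ciphers;
    }

    /**
     * Reports whether the JVM's crypto policy permits AES keys longer than 128 bits. A JVM
     * without an AES provider is treated as not supporting them.
     */
    private static boolean has256BitAES() {
        try {
            return Cipher.getMaxAllowedKeyLength("AES") > 128;
        } catch (NoSuchAlgorithmException e) {
            // No AES available at all: fall back to the 128-bit list rather than failing class init.
            return false;
        }
    }
}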
