package org.elasticsearch.gradle.testclusters;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:org/elasticsearch/gradle/testclusters/SslTrustResolver.class */
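/**
 * Resolves the trust configuration that a test-cluster client uses to verify a node's TLS certificate.
 *
 * <p>Exactly one of four trust methods may be configured: a set of CA certificate files, a trust-store
 * file, a single server (leaf) certificate file, or the server's own key-store. The first two produce
 * standard JSSE trust managers; the last two produce a pinning trust manager that accepts a server only
 * when its leaf certificate equals one of the configured certificates.
 *
 * <p>Instances are mutable and carry no synchronization.
 */
class SslTrustResolver {
    private Set<File> certificateAuthorities;
    private File trustStoreFile;
    private String trustStorePassword;
    private File serverCertificate;
    private File serverKeyStoreFile;
    private String serverKeyStorePassword;

    /**
     * Configures trust through one or more CA certificate files.
     *
     * @param fileArr certificate files; calling this with no files still counts as a configured trust
     *                method, and building the trust managers will then fail because no certificate was loaded
     */
    public void setCertificateAuthorities(File... fileArr) {
        this.certificateAuthorities = new HashSet<>(Arrays.asList(fileArr));
    }

    /** Configures trust through a trust-store file ({@code .jks} is read as JKS, anything else as PKCS12). */
    public void setTrustStoreFile(File file) {
        this.trustStoreFile = file;
    }

    /** Sets the password used to open the trust-store; {@code null} loads the store without a password. */
    public void setTrustStorePassword(String str) {
        this.trustStorePassword = str;
    }

    /** Configures trust by pinning the first certificate found in the given certificate file. */
    public void setServerCertificate(File file) {
        this.serverCertificate = file;
    }

    /** Configures trust by pinning the certificates of the key entries in the server's key-store. */
    public void setServerKeystoreFile(File file) {
        this.serverKeyStoreFile = file;
    }

    /** Sets the password used to open the server key-store; {@code null} loads the store without a password. */
    public void setServerKeystorePassword(String str) {
        this.serverKeyStorePassword = str;
    }

    /**
     * Builds an {@link SSLContext} from the configured trust method.
     *
     * @return the context, or {@code null} when no trust method has been configured
     * @throws IllegalStateException    if more than one trust method is configured, or the resulting
     *                                  trust-store holds no trusted certificate entry
     * @throws GeneralSecurityException if certificates or key-stores cannot be parsed or loaded
     * @throws IOException              if a configured file cannot be read
     */
    public SSLContext getSslContext() throws GeneralSecurityException, IOException {
        TrustManager[] trustManagers = buildTrustManagers();
        return trustManagers == null ? null : createSslContext(trustManagers);
    }

    /**
     * Builds the trust managers for the single configured trust method.
     *
     * @return the trust managers, or {@code null} when nothing is configured
     * @throws IllegalStateException if more than one trust method is configured
     */
    TrustManager[] buildTrustManagers() throws GeneralSecurityException, IOException {
        long count = Stream.of(this.certificateAuthorities, this.trustStoreFile, this.serverCertificate, this.serverKeyStoreFile)
            .filter(Objects::nonNull)
            .count();
        if (count == 0) {
            return null;
        }
        // Mixing trust methods is rejected rather than merged, so the effective trust anchor is never ambiguous.
        if (count > 1) {
            throw new IllegalStateException(
                String.format(
                    Locale.ROOT,
                    "Cannot specify more than one trust method (CA=%s, trustStore=%s, serverCert=%s, serverKeyStore=%s)",
                    this.certificateAuthorities,
                    this.trustStoreFile,
                    this.serverCertificate,
                    this.serverKeyStoreFile
                )
            );
        }
        if (this.certificateAuthorities != null) {
            return getTrustManagers(buildTrustStoreFromCA(this.certificateAuthorities));
        }
        if (this.trustStoreFile != null) {
            return getTrustManagers(readKeyStoreFromFile(this.trustStoreFile, this.trustStorePassword));
        }
        if (this.serverCertificate != null) {
            // Only the first certificate in the file is pinned; any further certificates in it are ignored.
            return buildTrustManagerFromLeafCertificates(head(readCertificates(this.serverCertificate)));
        }
        if (this.serverKeyStoreFile != null) {
            return buildTrustManagerFromLeafCertificates(
                readCertificatesFromKeystore(this.serverKeyStoreFile, this.serverKeyStorePassword)
            );
        }
        throw new IllegalStateException("Expected to configure trust, but all configuration values are null");
    }

    /**
     * Creates a client-side context: no key managers are installed, so the client presents no certificate.
     */
    private SSLContext createSslContext(TrustManager[] trustManagerArr) throws GeneralSecurityException {
        // NOTE(review): the context is requested as "TLSv1.2"; which protocol versions that enables by
        // default is provider-specific, so confirm whether TLSv1.3 is expected to be negotiable here.
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(new KeyManager[0], trustManagerArr, new SecureRandom());
        return sslContext;
    }

    /** Builds the platform-default trust managers over the given store, after checking it is not empty of trust. */
    private TrustManager[] getTrustManagers(KeyStore keyStore) throws GeneralSecurityException {
        checkForTrustEntry(keyStore);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        return trustManagerFactory.getTrustManagers();
    }

    /**
     * Fails fast when the store has no trusted-certificate entry, so a misconfigured store (for example one
     * holding only key entries) is reported at configuration time rather than as a handshake failure.
     */
    private void checkForTrustEntry(KeyStore keyStore) throws KeyStoreException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            if (keyStore.isCertificateEntry(aliases.nextElement())) {
                return;
            }
        }
        throw new IllegalStateException("Trust-store does not contain any trusted certificate entries");
    }

    /** Loads every certificate from every CA file into a fresh in-memory trust-store under aliases {@code cert-N}. */
    private static KeyStore buildTrustStoreFromCA(Set<File> set) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        int index = 0;
        for (File caFile : set) {
            for (Certificate certificate : readCertificates(caFile)) {
                keyStore.setCertificateEntry("cert-" + index, certificate);
                index++;
            }
        }
        return keyStore;
    }

    /**
     * Builds a pinning trust manager that accepts a server only when the first certificate of the presented
     * chain equals one of the given X.509 certificates.
     *
     * <p>The manager does no chain building, validity-period or revocation checking of its own, and an empty
     * pinned set rejects every server. Hostname verification is not performed here; it is left to the TLS
     * client that uses the resulting context.
     */
    private static TrustManager[] buildTrustManagerFromLeafCertificates(Collection<? extends Certificate> collection) {
        // isInstance also drops null entries, which a key-store can return for entries without a certificate.
        final Set<X509Certificate> pinned = collection.stream()
            .filter(X509Certificate.class::isInstance)
            .map(X509Certificate.class::cast)
            .collect(Collectors.toUnmodifiableSet());
        return new TrustManager[] { new X509TrustManager() {
            @Override
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                // The X509TrustManager contract requires IllegalArgumentException for a null or empty chain;
                // without this guard the lookup below would fail with an unrelated runtime exception.
                if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                    throw new IllegalArgumentException("Certificate chain must not be null or empty");
                }
                X509Certificate leaf = x509CertificateArr[0];
                if (!pinned.contains(leaf)) {
                    throw new CertificateException("Untrusted leaf certificate: " + leaf.getSubjectX500Principal());
                }
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // Pinned leaves are not issuers, so no CA is advertised.
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                throw new CertificateException("This trust manager is for client use only and cannot trust other clients");
            }
        } };
    }

    /**
     * Collects the certificate of every key entry in the given key-store.
     *
     * <p>The result may contain {@code null} when a key entry has no certificate; the pinning trust manager
     * filters such entries out.
     */
    private static Collection<Certificate> readCertificatesFromKeystore(File file, String str) throws GeneralSecurityException,
        IOException {
        KeyStore keyStore = readKeyStoreFromFile(file, str);
        Set<Certificate> certificates = new HashSet<>(keyStore.size());
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keyStore.isKeyEntry(alias)) {
                certificates.add(keyStore.getCertificate(alias));
            }
        }
        return certificates;
    }

    /**
     * Loads a key-store from disk. Files ending in {@code .jks} are read as JKS, all others as PKCS12.
     *
     * @param str the store password, or {@code null} to load without one
     */
    private static KeyStore readKeyStoreFromFile(File file, String str) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(file.getName().endsWith(".jks") ? "JKS" : "PKCS12");
        char[] password = str == null ? null : str.toCharArray();
        // try-with-resources closes the stream even when load() rejects the file or the password.
        try (FileInputStream in = new FileInputStream(file)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /** Parses every X.509 certificate contained in the given file. */
    private static Collection<? extends Certificate> readCertificates(File file) throws GeneralSecurityException, IOException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(file)) {
            return certificateFactory.generateCertificates(in);
        }
    }

    /** Returns a collection holding only the first element of the input, or the input itself when it is empty. */
    private Collection<? extends Certificate> head(Collection<? extends Certificate> collection) {
        return collection.isEmpty() ? collection : List.of(collection.iterator().next());
    }
}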
