package org.embulk.util.ssl;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.ByteArrayInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509TrustManager;
import org.embulk.config.ConfigException;
import org.embulk.util.config.Config;
import org.embulk.util.config.ConfigDefault;

/* loaded from: input_file:org/embulk/util/ssl/SSLPlugins.class */
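/**
 * Builds TLS trust configuration for plugins from the {@code ssl_*} task options.
 *
 * <p>Three outcomes are possible (see {@link #configure(SSLPluginTask, DefaultVerifyMode)}):
 * no verification at all, verification against certificates supplied in the task, or
 * verification with the JVM's default trust managers.
 *
 * <p>Security note: the no-verification outcome accepts any certificate chain and also
 * switches hostname verification off, so the peer is not authenticated and the connection
 * is open to on-path interception. Deployments should be able to tell from their
 * configuration whether {@code ssl_verify: false} is in effect.
 */
public class SSLPlugins {
    // Immutable and correctly typed; the decompiled form wrapped a raw ArrayList.
    private static final List<byte[]> EMPTY_CERTIFICATES = Collections.emptyList();

    /** Verification behaviour applied when the task does not set {@code ssl_verify}. */
    /* loaded from: input_file:org/embulk/util/ssl/SSLPlugins$DefaultVerifyMode.class */
    public enum DefaultVerifyMode {
        VERIFY_BY_JVM_TRUSTED_CA_CERTS,
        NO_VERIFY
    }

    /**
     * Trust manager that performs no checks: both {@code check*Trusted} methods return
     * without inspecting the chain, so every certificate is accepted.
     *
     * <p>Decompiler note: this class was declared {@code private} in the class file.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/embulk/util/ssl/SSLPlugins$NoVerifyTrustManager.class */
    public static class NoVerifyTrustManager implements X509TrustManager {
        static final NoVerifyTrustManager INSTANCE = new NoVerifyTrustManager();

        private NoVerifyTrustManager() {
        }

        /**
         * Returns an empty issuer list.
         *
         * <p>The {@link X509TrustManager} contract requires a non-null (possibly empty)
         * array; returning {@code null} can surface as a NullPointerException in callers
         * that iterate the result.
         */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /** Accepts any client chain without inspection. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Intentionally empty: no verification is performed.
        }

        /** Accepts any server chain without inspection. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // Intentionally empty: no verification is performed.
        }
    }

    /**
     * Resolved, JSON-serializable trust settings: the verify mode, whether the hostname is
     * checked, and the trusted certificates (carried as DER-encoded bytes in JSON).
     */
    /* loaded from: input_file:org/embulk/util/ssl/SSLPlugins$SSLPluginConfig.class */
    public static class SSLPluginConfig {
        // final: a shared singleton that must not be reassigned after class initialisation.
        static final SSLPluginConfig NO_VERIFY = new SSLPluginConfig(VerifyMode.NO_VERIFY, false, EMPTY_CERTIFICATES);
        private final VerifyMode verifyMode;
        private final boolean verifyHostname;
        private final List<X509Certificate> certificates;

        /**
         * Rebuilds a configuration from its JSON form.
         *
         * @param verifyMode verification mode; stored as given, without validation
         * @param verifyHostname whether the peer hostname is to be verified
         * @param certificates encoded X.509 certificates; must not be {@code null}
         * @throws RuntimeException wrapping the parser error if an entry is not a valid
         *     X.509 certificate
         */
        @JsonCreator
        private SSLPluginConfig(
                @JsonProperty("verifyMode") VerifyMode verifyMode,
                @JsonProperty("verifyHostname") boolean verifyHostname,
                @JsonProperty("certificates") List<byte[]> certificates) {
            this.verifyMode = verifyMode;
            this.verifyHostname = verifyHostname;
            this.certificates = Collections.unmodifiableList(
                    certificates.stream().map(SSLPluginConfig::decodeCertificate).collect(Collectors.toList()));
        }

        /**
         * Creates a configuration that trusts exactly the given certificates.
         *
         * @param certificates trusted certificates; copied so that later changes to the
         *     caller's list cannot alter the trust set
         * @param verifyHostname whether the peer hostname is to be verified
         */
        SSLPluginConfig(List<X509Certificate> certificates, boolean verifyHostname) {
            this.verifyMode = VerifyMode.CERTIFICATES;
            this.verifyHostname = verifyHostname;
            this.certificates = Collections.unmodifiableList(new ArrayList<>(certificates));
        }

        /** Creates a configuration that relies on the JVM's default trust managers. */
        static SSLPluginConfig useJvmDefault(boolean verifyHostname) {
            return new SSLPluginConfig(VerifyMode.JVM_DEFAULT, verifyHostname, EMPTY_CERTIFICATES);
        }

        /** Parses one encoded certificate, wrapping checked failures as unchecked. */
        private static X509Certificate decodeCertificate(byte[] encoded) {
            try (ByteArrayInputStream in = new ByteArrayInputStream(encoded)) {
                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            } catch (IOException | CertificateException e) {
                throw new RuntimeException(e);
            }
        }

        /** Encodes one certificate for JSON output, wrapping checked failures as unchecked. */
        private static byte[] encodeCertificate(X509Certificate certificate) {
            try {
                return certificate.getEncoded();
            } catch (CertificateEncodingException e) {
                throw new RuntimeException(e);
            }
        }

        @JsonProperty("verifyMode")
        private VerifyMode getVerifyMode() {
            return this.verifyMode;
        }

        /**
         * Returns whether the peer hostname is to be verified.
         *
         * <p>Decompiler note: this accessor was declared {@code private} in the class file.
         */
        /* JADX INFO: Access modifiers changed from: private */
        @JsonProperty("verifyHostname")
        public boolean getVerifyHostname() {
            return this.verifyHostname;
        }

        /** Returns the trusted certificates in encoded form, for JSON serialization. */
        @JsonProperty("certificates")
        private List<byte[]> getCertData() {
            return Collections.unmodifiableList(
                    this.certificates.stream().map(SSLPluginConfig::encodeCertificate).collect(Collectors.toList()));
        }

        /**
         * Creates the trust managers that implement this configuration.
         *
         * <p>{@code NO_VERIFY} yields the accept-everything trust manager,
         * {@code CERTIFICATES} delegates to {@code TrustManagers.newTrustManager} with the
         * stored certificates, and any other mode uses
         * {@code TrustManagers.newDefaultJavaTrustManager}.
         *
         * @throws RuntimeException wrapping any I/O or security failure from the factory
         */
        @JsonIgnore
        public X509TrustManager[] newTrustManager() {
            try {
                switch (this.verifyMode) {
                    case NO_VERIFY:
                        // Called directly: the decompiled access$100() was a compiler-generated
                        // accessor whose name can clash with javac's own synthetic methods.
                        return new X509TrustManager[] {getNoVerifyTrustManager()};
                    case CERTIFICATES:
                        return TrustManagers.newTrustManager(this.certificates);
                    default:
                        return TrustManagers.newDefaultJavaTrustManager();
                }
            } catch (IOException | GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Task options consumed by {@link #configure(SSLPluginTask)}.
     *
     * <p>{@code ssl_verify} is unset by default, in which case the caller's
     * {@link DefaultVerifyMode} decides; {@code ssl_verify_hostname} defaults to
     * {@code true}. When both trusted-CA options are set, {@code ssl_trusted_ca_cert_data}
     * takes precedence over {@code ssl_trusted_ca_cert_file}.
     */
    /* loaded from: input_file:org/embulk/util/ssl/SSLPlugins$SSLPluginTask.class */
    public interface SSLPluginTask {
        @ConfigDefault("null")
        @Config("ssl_verify")
        Optional<Boolean> getSslVerify();

        @ConfigDefault("true")
        @Config("ssl_verify_hostname")
        boolean getSslVerifyHostname();

        @ConfigDefault("null")
        @Config("ssl_trusted_ca_cert_file")
        Optional<String> getSslTrustedCaCertFile();

        @ConfigDefault("null")
        @Config("ssl_trusted_ca_cert_data")
        Optional<String> getSslTrustedCaCertData();
    }

    /**
     * How the peer certificate is validated.
     *
     * <p>Decompiler note: this enum was declared {@code private} in the class file.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/embulk/util/ssl/SSLPlugins$VerifyMode.class */
    public enum VerifyMode {
        NO_VERIFY,
        CERTIFICATES,
        JVM_DEFAULT
    }

    private SSLPlugins() {
    }

    /**
     * Resolves the task options, verifying against the JVM trust store when
     * {@code ssl_verify} is not set.
     */
    public static SSLPluginConfig configure(SSLPluginTask task) {
        return configure(task, DefaultVerifyMode.VERIFY_BY_JVM_TRUSTED_CA_CERTS);
    }

    /**
     * Resolves the task options into a trust configuration.
     *
     * <p>If verification is disabled (explicitly through {@code ssl_verify: false}, or
     * through {@code defaultVerifyMode} when the option is unset) the shared
     * {@code NO_VERIFY} configuration is returned and the {@code ssl_verify_hostname} and
     * trusted-CA options are not consulted. Otherwise the configured certificates are
     * used if present, else the JVM defaults.
     *
     * @param task the plugin's SSL options
     * @param defaultVerifyMode behaviour when {@code ssl_verify} is not set
     * @return the resolved configuration
     */
    public static SSLPluginConfig configure(SSLPluginTask task, DefaultVerifyMode defaultVerifyMode) {
        final boolean verifyByDefault = defaultVerifyMode != DefaultVerifyMode.NO_VERIFY;
        final boolean verify = task.getSslVerify().orElse(verifyByDefault);
        if (!verify) {
            return SSLPluginConfig.NO_VERIFY;
        }
        final boolean verifyHostname = task.getSslVerifyHostname();
        return readTrustedCertificates(task)
                .map(certificates -> new SSLPluginConfig(certificates, verifyHostname))
                .orElseGet(() -> SSLPluginConfig.useJvmDefault(verifyHostname));
    }

    /**
     * Reads the PEM certificates named by the trusted-CA options.
     *
     * @param task the plugin's SSL options
     * @return the parsed certificates, or empty when neither option is set
     * @throws ConfigException if the file cannot be opened, the input cannot be read or
     *     parsed, or it contains no certificate
     */
    public static Optional<List<X509Certificate>> readTrustedCertificates(SSLPluginTask task) {
        final String optionName;
        final Reader source;
        if (task.getSslTrustedCaCertData().isPresent()) {
            optionName = "ssl_trusted_ca_cert_data";
            source = new StringReader(task.getSslTrustedCaCertData().get());
        } else if (task.getSslTrustedCaCertFile().isPresent()) {
            final String path = task.getSslTrustedCaCertFile().get();
            optionName = "ssl_trusted_ca_cert_file '" + path + "'";
            try {
                // FileReader decodes with the platform default charset; PEM content is ASCII.
                source = new FileReader(path);
            } catch (IOException e) {
                throw new ConfigException("Failed to open " + optionName, e);
            }
        } else {
            return Optional.empty();
        }

        final List<X509Certificate> certificates;
        // try-with-resources closes the reader on every path; the decompiled form only
        // closed it after a successful, non-empty parse.
        try (Reader reader = source) {
            certificates = TrustManagers.readPemEncodedX509Certificates(reader);
        } catch (IOException | CertificateException e) {
            throw new ConfigException("Failed to read " + optionName, e);
        }
        if (certificates.isEmpty()) {
            throw new ConfigException(optionName + " does not include valid X.509 PEM certificates");
        }
        return Optional.of(certificates);
    }

    /**
     * Creates a socket factory that applies the given trust configuration.
     *
     * <p>{@code hostname} is forwarded to {@code TrustManagers.newSSLSocketFactory} only
     * when hostname verification is enabled; otherwise {@code null} is passed in its place.
     *
     * @param config the resolved trust configuration
     * @param hostname the expected peer hostname
     * @throws RuntimeException wrapping a {@link KeyManagementException} from the factory
     */
    public static SSLSocketFactory newSSLSocketFactory(SSLPluginConfig config, String hostname) {
        final String hostnameToVerify = config.getVerifyHostname() ? hostname : null;
        try {
            return TrustManagers.newSSLSocketFactory(null, config.newTrustManager(), hostnameToVerify);
        } catch (KeyManagementException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the shared accept-everything trust manager used for {@code NO_VERIFY}. */
    private static X509TrustManager getNoVerifyTrustManager() {
        return NoVerifyTrustManager.INSTANCE;
    }
}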
