package org.neo4j.driver.internal.security;

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.CompletionStage;
import java.util.function.Supplier;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.neo4j.driver.ClientCertificateManager;
import org.neo4j.driver.Logging;
import org.neo4j.driver.RevocationCheckingStrategy;
import org.neo4j.driver.internal.security.SecurityPlan;
import org.neo4j.driver.internal.util.CertificateTool;
import org.neo4j.driver.internal.util.Futures;

/* loaded from: input_file:org/neo4j/driver/internal/security/SecurityPlanImpl.class */
/**
 * Default {@link SecurityPlan}: a bundle of "should we encrypt / verify the host name /
 * present a client certificate / check revocation" flags plus a supplier of the
 * {@link SSLContext} that implements the chosen trust model.
 *
 * <p>Four trust models are exposed through static factories:
 * <ul>
 *   <li>{@link #forAllCertificates} – encrypt, but accept ANY server certificate;</li>
 *   <li>{@link #forCustomCASignedCertificates} – trust only the CA certificates read
 *       from the given files (empty list falls back to the system trust store);</li>
 *   <li>{@link #forSystemCASignedCertificates} – trust the JVM's default trust store;</li>
 *   <li>{@link #insecure} – no TLS at all.</li>
 * </ul>
 *
 * <p>NOTE(review): enabling revocation checking mutates JVM-wide {@code System} and
 * {@code Security} properties (see {@link #configurePKIXBuilderParameters}); this affects
 * every TLS client in the process, not only this driver.
 */
public class SecurityPlanImpl implements SecurityPlan {
    private final boolean requiresEncryption;
    private final boolean requiresClientAuth;
    private final boolean requiresHostnameVerification;
    private final RevocationCheckingStrategy revocationCheckingStrategy;
    private final Supplier<CompletionStage<SSLContext>> sslContextSupplier;

    /**
     * Client-side trust manager that accepts every server certificate chain without
     * performing any validation (no issuer, expiry, key-usage or revocation checks).
     *
     * <p>Security consequence: TLS still provides confidentiality against a passive
     * observer, but an active attacker presenting any certificate is accepted, so the
     * server's identity is NOT authenticated by this trust manager. Whether host name
     * verification is enforced elsewhere is outside this class.
     */
    public static class TrustAllTrustManager implements X509TrustManager {
        private TrustAllTrustManager() {
        }

        /**
         * Always rejects. This trust manager is meant only for the client side of a
         * connection; refusing every client chain prevents it from silently acting as a
         * trust-all manager if it were ever installed in a server-side context.
         */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("All client connections to this client are forbidden.");
        }

        /** Intentionally empty: every server chain is accepted, unconditionally. */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }

        /** No issuers are advertised; nothing is trusted by name, everything by default. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Creates a plan that encrypts the connection but trusts any server certificate
     * (see {@link TrustAllTrustManager} for the security implications).
     *
     * <p>The {@code revocationCheckingStrategy} is only recorded for
     * {@link #revocationCheckingStrategy()}; the trust-all context built here performs no
     * certificate path validation, so nothing in this context enforces revocation checks.
     *
     * @param z whether host name verification is requested
     *          (stored, reported via {@link #requiresHostnameVerification()})
     * @param revocationCheckingStrategy strategy to report via {@link #revocationCheckingStrategy()}
     * @param clientCertificateManager optional source of a client certificate; non-null means
     *          client authentication is required
     * @param logging driver logging, handed to the {@code SSLContextManager}
     * @throws NoSuchAlgorithmException declared for the {@code SSLContext} construction
     * @throws KeyManagementException declared for the {@code SSLContext} initialisation
     */
    public static SecurityPlan forAllCertificates(boolean z, RevocationCheckingStrategy revocationCheckingStrategy, ClientCertificateManager clientCertificateManager, Logging logging) throws NoSuchAlgorithmException, KeyManagementException {
        // A fresh TrustAllTrustManager is created per context, as before; it is stateless.
        SecurityPlan.SSLContextSupplier trustAll = tlsContextSupplier(() -> new TrustManager[] {new TrustAllTrustManager()});
        return new SecurityPlanImpl(trustAll, z, revocationCheckingStrategy, clientCertificateManager, logging);
    }

    /**
     * Creates a plan that trusts only server chains rooted in the CA certificates read
     * from {@code list}.
     *
     * <p>Caveat: an EMPTY {@code list} does not mean "trust nothing" – it falls back to
     * the JVM's default trust store, exactly like {@link #forSystemCASignedCertificates}.
     *
     * @param list files holding the trusted CA certificates (X.509); may be empty (see caveat)
     * @param z whether host name verification is requested
     * @param revocationCheckingStrategy whether/how to check certificate revocation
     * @param clientCertificateManager optional source of a client certificate
     * @param logging driver logging
     * @throws GeneralSecurityException if the trust store or trust managers cannot be built
     * @throws IOException if a certificate file cannot be read
     */
    public static SecurityPlan forCustomCASignedCertificates(List<File> list, boolean z, RevocationCheckingStrategy revocationCheckingStrategy, ClientCertificateManager clientCertificateManager, Logging logging) throws GeneralSecurityException, IOException {
        SecurityPlan.SSLContextSupplier supplier = configureSSLContextSupplier(list, revocationCheckingStrategy);
        return new SecurityPlanImpl(supplier, z, revocationCheckingStrategy, clientCertificateManager, logging);
    }

    /**
     * Creates a plan that trusts server chains rooted in the JVM's default trust store.
     *
     * @param z whether host name verification is requested
     * @param revocationCheckingStrategy whether/how to check certificate revocation
     * @param clientCertificateManager optional source of a client certificate
     * @param logging driver logging
     * @throws GeneralSecurityException if the trust store or trust managers cannot be built
     * @throws IOException declared by the shared context-building path
     */
    public static SecurityPlan forSystemCASignedCertificates(boolean z, RevocationCheckingStrategy revocationCheckingStrategy, ClientCertificateManager clientCertificateManager, Logging logging) throws GeneralSecurityException, IOException {
        List<File> noCustomCerts = Collections.emptyList();
        SecurityPlan.SSLContextSupplier supplier = configureSSLContextSupplier(noCustomCerts, revocationCheckingStrategy);
        return new SecurityPlanImpl(supplier, z, revocationCheckingStrategy, clientCertificateManager, logging);
    }

    /**
     * Wraps a source of trust managers into an {@code SSLContextSupplier} that builds a
     * fresh "TLS" context for the key managers it is handed.
     *
     * <p>{@code trustManagers} is queried on every invocation so that the behaviour
     * (a new trust-manager array per context) matches the factories above.
     *
     * @param trustManagers supplier of the trust managers to install in each context
     * @return supplier producing an initialised {@link SSLContext} per call
     */
    private static SecurityPlan.SSLContextSupplier tlsContextSupplier(Supplier<TrustManager[]> trustManagers) {
        return keyManagers -> {
            // "TLS": protocol versions / cipher suites are whatever the JDK enables by default.
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagers, trustManagers.get(), null);
            return context;
        };
    }

    /**
     * Builds the trust store and trust managers shared by the CA-based plans.
     *
     * @param certFiles custom CA certificate files; empty selects the system trust store
     * @param strategy revocation strategy; decides whether PKIX parameters are installed
     * @return supplier producing an {@link SSLContext} backed by the resulting trust managers
     * @throws GeneralSecurityException if the trust store or factory cannot be initialised
     * @throws IOException if a certificate file cannot be read
     */
    private static SecurityPlan.SSLContextSupplier configureSSLContextSupplier(List<File> certFiles, RevocationCheckingStrategy strategy) throws GeneralSecurityException, IOException {
        // Start from a fresh, empty in-memory store so only the certificates added below are trusted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        if (certFiles.isEmpty()) {
            loadSystemCertificates(trustStore);
        } else {
            CertificateTool.loadX509Cert(certFiles, trustStore);
        }

        // Non-null only when revocation checking was requested; note this call also
        // sets JVM-wide properties as a side effect.
        PKIXBuilderParameters pkixParameters = configurePKIXBuilderParameters(trustStore, strategy);
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (pkixParameters != null) {
            factory.init(new CertPathTrustManagerParameters(pkixParameters));
        } else {
            factory.init(trustStore);
        }
        // The factory is built once; its trust managers are fetched per context.
        return tlsContextSupplier(factory::getTrustManagers);
    }

    /**
     * Produces PKIX path-building parameters with revocation checking enabled, or
     * {@code null} when the strategy does not require revocation checks.
     *
     * <p>Side effects (process-wide, not undone on failure):
     * <ul>
     *   <li>{@code jdk.tls.client.enableStatusRequestExtension=true} – JDK system property
     *       that asks the server for a stapled OCSP response (status_request extension);</li>
     *   <li>for {@code VERIFY_IF_PRESENT} only, the {@code ocsp.enable} security property,
     *       which turns on OCSP in the JDK's PKIX revocation checker.</li>
     * </ul>
     * NOTE(review): no {@code PKIXRevocationChecker} options (e.g. soft-fail) are set here,
     * so the exact hard-/soft-fail semantics depend on JDK defaults – confirm against the
     * target JDK before relying on a particular behaviour.
     *
     * @param trustStore store holding the trust anchors
     * @param strategy requested revocation strategy
     * @return configured parameters, or {@code null} if no revocation checking is needed
     * @throws InvalidAlgorithmParameterException if the trust store yields no trust anchors
     * @throws KeyStoreException if the trust store has not been initialised
     */
    private static PKIXBuilderParameters configurePKIXBuilderParameters(KeyStore trustStore, RevocationCheckingStrategy strategy) throws InvalidAlgorithmParameterException, KeyStoreException {
        if (!RevocationCheckingStrategy.requiresRevocationChecking(strategy)) {
            return null;
        }
        // An unconstrained X509CertSelector lets any certificate in the store act as a target.
        PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        parameters.setRevocationEnabled(true);
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
        if (strategy.equals(RevocationCheckingStrategy.VERIFY_IF_PRESENT)) {
            Security.setProperty("ocsp.enable", "true");
        }
        return parameters;
    }

    /**
     * Copies the accepted issuers of the JDK's default trust manager (initialised with a
     * {@code null} key store, i.e. the JVM's default trust store) into {@code trustStore}.
     *
     * @param trustStore destination store for the system CA certificates
     * @throws GeneralSecurityException if no {@link X509TrustManager} is available or the
     *         certificates cannot be stored
     */
    private static void loadSystemCertificates(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null);
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                X509Certificate[] systemIssuers = ((X509TrustManager) candidate).getAcceptedIssuers();
                CertificateTool.loadX509Cert(systemIssuers, trustStore);
                return;
            }
        }
        throw new CertificateException("No system certificates found");
    }

    /**
     * Creates a plan with TLS disabled: plaintext traffic, no host name verification,
     * no client authentication, no revocation checking, and a {@code null} SSL context.
     */
    public static SecurityPlan insecure() {
        return new SecurityPlanImpl();
    }

    /**
     * Encrypting plan.
     *
     * @param contextSupplier builds the {@link SSLContext} for a given set of key managers
     * @param verifyHostname whether host name verification is requested
     * @param strategy revocation strategy to report
     * @param clientCertificateManager non-null enables client authentication
     * @param logging driver logging for the context manager
     */
    private SecurityPlanImpl(SecurityPlan.SSLContextSupplier contextSupplier, boolean verifyHostname, RevocationCheckingStrategy strategy, ClientCertificateManager clientCertificateManager, Logging logging) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContextManager contextManager = new SSLContextManager(clientCertificateManager, contextSupplier, logging);
        this.requiresEncryption = true;
        this.requiresClientAuth = clientCertificateManager != null;
        this.requiresHostnameVerification = verifyHostname;
        this.revocationCheckingStrategy = strategy;
        this.sslContextSupplier = contextManager::getSSLContext;
    }

    /** Plaintext plan; see {@link #insecure()}. */
    private SecurityPlanImpl() {
        this.requiresEncryption = false;
        this.requiresClientAuth = false;
        this.requiresHostnameVerification = false;
        this.revocationCheckingStrategy = RevocationCheckingStrategy.NO_CHECKS;
        this.sslContextSupplier = Futures::completedWithNull;
    }

    /** @return {@code true} for every factory except {@link #insecure()}. */
    @Override
    public boolean requiresEncryption() {
        return requiresEncryption;
    }

    /** @return {@code true} iff a {@link ClientCertificateManager} was supplied. */
    @Override
    public boolean requiresClientAuth() {
        return requiresClientAuth;
    }

    /** @return the (possibly {@code null}-completing, for {@link #insecure()}) SSL context. */
    @Override
    public CompletionStage<SSLContext> sslContext() {
        return sslContextSupplier.get();
    }

    /** @return the host name verification flag passed to the factory; {@code false} when insecure. */
    @Override
    public boolean requiresHostnameVerification() {
        return requiresHostnameVerification;
    }

    /** @return the configured strategy; {@code NO_CHECKS} when insecure. */
    @Override
    public RevocationCheckingStrategy revocationCheckingStrategy() {
        return revocationCheckingStrategy;
    }
}
