package org.opensearch.sdk.ssl;

import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.OpenSearchException;
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.SpecialPermission;
import org.opensearch.common.settings.Settings;
import org.opensearch.env.Environment;
import org.opensearch.sdk.ssl.SecureSSLSettings;
import org.opensearch.sdk.ssl.util.CertFileProps;
import org.opensearch.sdk.ssl.util.CertFromFile;
import org.opensearch.sdk.ssl.util.CertFromKeystore;
import org.opensearch.sdk.ssl.util.CertFromTruststore;
import org.opensearch.sdk.ssl.util.ExceptionUtils;
import org.opensearch.sdk.ssl.util.KeystoreProps;
import org.opensearch.transport.NettyAllocator;

/* loaded from: input_file:org/opensearch/sdk/ssl/DefaultSslKeyStore.class */
public class DefaultSslKeyStore implements SslKeyStore {
    // Store type used for both keystore and truststore when the corresponding *_TYPE setting is absent.
    // NOTE(review): JKS is the legacy JDK keystore format; PKCS12 has been the JDK default since Java 9.
    private static final String DEFAULT_STORE_TYPE = "JKS";
    // Node settings; every ssl.transport.* value in this class is read from here.
    private final Settings settings;
    private final Logger log = LogManager.getLogger(getClass());
    // Netty providers chosen in the constructor; both are null when transport TLS is disabled.
    public final SslProvider sslTransportServerProvider;
    public final SslProvider sslTransportClientProvider;
    private final boolean transportSSLEnabled;
    // JVM-enabled cipher suites / protocols narrowed to the configured lists (see initEnabledSSLCiphers).
    private List<String> enabledTransportCiphersJDKProvider;
    private List<String> enabledTransportProtocolsJDKProvider;
    // Contexts built by initTransportSSLConfig; they stay null while transport TLS is disabled.
    private SslContext transportServerSslContext;
    private SslContext transportClientSslContext;
    // Certificates of the currently loaded key material; used as the baseline in validateNewCerts.
    private X509Certificate[] transportCerts;
    // Null when no Environment could be constructed; file paths are then used as configured.
    private final Environment env;

    /**
     * Logs a hint when the JVM's policy caps AES below 256 bits, and an error when the JVM
     * reports no AES support at all. Never throws.
     */
    private void printJCEWarnings() {
        final int aesMaxBits;
        try {
            aesMaxBits = Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException missingAes) {
            this.log.error("AES encryption not supported (SG 1). ", missingAes);
            return;
        }
        if (aesMaxBits >= 256) {
            return;
        }
        // A restricted policy only limits the strongest suites that can be negotiated.
        this.log.info("AES-256 not supported, max key length for AES is {} bit. (This is not an issue, it just limits possible encryption strength. To enable AES 256, install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files')", Integer.valueOf(aesMaxBits));
    }

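    /**
     * Reads the transport TLS settings, derives the enabled cipher suites and protocols, and,
     * when transport TLS is enabled, builds the server and client SSL contexts.
     *
     * <p>Start-up fails closed: with transport TLS enabled, an empty cipher-suite list or an
     * empty protocol list is rejected here instead of surfacing later as handshake failures.
     *
     * @param settings node settings holding the ssl.transport.* keys
     * @param path     handed to {@link Environment}; if no environment can be built from it,
     *                 configured file paths are used as given
     * @throws OpenSearchSecurityException if transport TLS is enabled and no cipher suite or no
     *                                     protocol is left enabled, or if the contexts cannot be built
     * @throws OpenSearchException         if the JVM's ciphers/protocols cannot be determined or a
     *                                     required setting or file is missing
     */
    public DefaultSslKeyStore(Settings settings, Path path) {
        this.settings = settings;
        Environment environment;
        try {
            environment = new Environment(settings, path);
        } catch (IllegalStateException ignored) {
            // Deliberate best effort: without an Environment there is no config directory,
            // and initSSLConfig() logs that paths are resolved absolutely.
            environment = null;
        }
        this.env = environment;
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SSL_TRANSPORT_ENABLED, false).booleanValue();
        if (this.transportSSLEnabled) {
            this.sslTransportClientProvider = SslContext.defaultClientProvider();
            this.sslTransportServerProvider = SslContext.defaultServerProvider();
        } else {
            // The former "else if (transportSSLEnabled)" branch repeated the condition above
            // and could never run, so only the disabled case remains.
            this.sslTransportServerProvider = null;
            this.sslTransportClientProvider = null;
        }
        initEnabledSSLCiphers();
        initSSLConfig();
        printJCEWarnings();
        this.log.info("TLS Transport Client Provider : {}", this.sslTransportClientProvider);
        this.log.info("TLS Transport Server Provider : {}", this.sslTransportServerProvider);
        this.log.debug("sslTransportClientProvider:{} with ciphers {}", this.sslTransportClientProvider, getEnabledSSLCiphers(this.sslTransportClientProvider));
        this.log.debug("sslTransportServerProvider:{} with ciphers {}", this.sslTransportServerProvider, getEnabledSSLCiphers(this.sslTransportServerProvider));
        this.log.info("Enabled TLS protocols for transport layer : {}", Arrays.toString(getEnabledSSLProtocols(this.sslTransportServerProvider)));
        this.log.debug("sslTransportClientProvider:{} with protocols {}", this.sslTransportClientProvider, getEnabledSSLProtocols(this.sslTransportClientProvider));
        this.log.debug("sslTransportServerProvider:{} with protocols {}", this.sslTransportServerProvider, getEnabledSSLProtocols(this.sslTransportServerProvider));
        if (this.transportSSLEnabled) {
            if (getEnabledSSLCiphers(this.sslTransportClientProvider).isEmpty() || getEnabledSSLCiphers(this.sslTransportServerProvider).isEmpty()) {
                throw new OpenSearchSecurityException("no valid cipher suites for transport protocol", new Object[0]);
            }
            // The protocol checks used to re-test the cipher list, so a configuration that left
            // no TLS protocol enabled passed start-up. Test the protocol list itself.
            if (getEnabledSSLProtocols(this.sslTransportServerProvider).length == 0) {
                throw new OpenSearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
            }
            if (getEnabledSSLProtocols(this.sslTransportClientProvider).length == 0) {
                throw new OpenSearchSecurityException("no ssl protocols for transport protocol", new Object[0]);
            }
        }
    }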

    /**
     * Looks up a file-path setting and, when a config directory is known, resolves it against
     * that directory.
     *
     * <p>The resolved path is not normalized or confined to the config directory: an absolute
     * value or one containing {@code ..} can point anywhere the process can read.
     *
     * @param str setting key to read
     * @param z   when true, the result must pass {@code checkPath}
     * @return the absolute path as a string, the raw value when no config directory exists,
     *         or null when the setting is unset or empty
     */
    private String resolve(String str, boolean z) {
        final String configured = this.settings.get(str, (String) null);
        this.log.debug("Value for {} is {}", str, configured);
        String location = configured;
        final boolean canResolve = this.env != null && configured != null && configured.length() > 0;
        if (canResolve) {
            location = this.env.configFile().resolve(configured).toAbsolutePath().toString();
            this.log.debug("Resolved {} to {} against {}", configured, location, this.env.configFile().toAbsolutePath().toString());
        }
        if (z) {
            // Rejects null/empty paths, directories and unreadable files.
            checkPath(location, str);
        }
        return "".equals(location) ? null : location;
    }

    /**
     * Logs how key- and truststore paths will be resolved and, if transport TLS is enabled,
     * loads the transport key material.
     */
    private void initSSLConfig() {
        if (this.env != null) {
            this.log.info("Config directory is {}/, from there the key- and truststore files are resolved relatively", this.env.configFile().toAbsolutePath());
        } else {
            this.log.info("No config directory, key- and truststore files are resolved absolutely");
        }
        if (!this.transportSSLEnabled) {
            return;
        }
        initTransportSSLConfig();
    }

    /**
     * Loads the transport-layer key material and (re)builds the server and client SSL contexts.
     *
     * <p>Material comes from a keystore/truststore pair when a keystore path is configured,
     * otherwise from PEM files. Certificates that replace an already loaded set must pass
     * {@code validateNewCerts}. Both server contexts are built with {@code ClientAuth.REQUIRE},
     * i.e. peers must present a certificate.
     *
     * @throws OpenSearchException         if required settings or files are missing
     * @throws OpenSearchSecurityException if loading, validation or context creation fails
     */
    @Override // org.opensearch.sdk.ssl.SslKeyStore
    public void initTransportSSLConfig() {
        CertFromKeystore certFromKeystore;
        CertFromTruststore certFromTruststore;
        // hasValue: a keystore path is configured (keystore mode takes precedence over PEM).
        boolean hasValue = this.settings.hasValue(SSLConfigConstants.SSL_TRANSPORT_KEYSTORE_FILEPATH);
        // z: PEM mode is usable, either via one shared cert or via a server cert plus a client cert.
        boolean z = this.settings.hasValue(SSLConfigConstants.SSL_TRANSPORT_PEMCERT_FILEPATH) || (this.settings.hasValue(SSLConfigConstants.SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH) && this.settings.hasValue(SSLConfigConstants.SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH));
        // booleanValue: extended key usage enabled, meaning separate client and server material.
        boolean booleanValue = this.settings.getAsBoolean(SSLConfigConstants.SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, false).booleanValue();
        if (!hasValue) {
            if (!z) {
                throw new OpenSearchException("ssl.transport.keystore_filepath or ssl.transport.server.pemcert_filepath and ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.", new Object[0]);
            }
            try {
                // Every PEM path is resolved with the existence/readability check switched on.
                // With extended key usage the first CertFileProps is the client set, the second the server set.
                CertFromFile certFromFile = booleanValue ? new CertFromFile(new CertFileProps(resolve(SSLConfigConstants.SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true), SecureSSLSettings.SSLSetting.SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD.getSetting(this.settings)), new CertFileProps(resolve(SSLConfigConstants.SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true), SecureSSLSettings.SSLSetting.SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD.getSetting(this.settings))) : new CertFromFile(new CertFileProps(resolve(SSLConfigConstants.SSL_TRANSPORT_PEMCERT_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_PEMKEY_FILEPATH, true), resolve(SSLConfigConstants.SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true), SecureSSLSettings.SSLSetting.SSL_TRANSPORT_PEMKEY_PASSWORD.getSetting(this.settings)));
                // On a reload, new certificates are compared with the currently loaded ones before any context is replaced.
                validateNewCerts(this.transportCerts, certFromFile.getCerts());
                this.transportServerSslContext = buildSSLServerContext(certFromFile.getServerPemKey(), certFromFile.getServerPemCert(), certFromFile.getServerTrustedCas(), certFromFile.getServerPemKeyPassword(), getEnabledSSLCiphers(this.sslTransportServerProvider), this.sslTransportServerProvider, ClientAuth.REQUIRE);
                this.transportClientSslContext = buildSSLClientContext(certFromFile.getClientPemKey(), certFromFile.getClientPemCert(), certFromFile.getClientTrustedCas(), certFromFile.getClientPemKeyPassword(), getEnabledSSLCiphers(this.sslTransportClientProvider), this.sslTransportClientProvider);
                setTransportSSLCerts(certFromFile.getCerts());
                return;
            } catch (Exception e) {
                logExplanation(e);
                throw new OpenSearchSecurityException("Error while initializing transport SSL layer from PEM: " + e.toString(), e, new Object[0]);
            }
        }
        String resolve = resolve(SSLConfigConstants.SSL_TRANSPORT_KEYSTORE_FILEPATH, true);
        String str = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_KEYSTORE_TYPE, DEFAULT_STORE_TYPE);
        // NOTE(review): an unset keystore password falls back to SSLConfigConstants.DEFAULT_STORE_PASSWORD,
        // and that value is reused below as the default key password; confirm deployments set it explicitly.
        String setting = SecureSSLSettings.SSLSetting.SSL_TRANSPORT_KEYSTORE_PASSWORD.getSetting(this.settings, SSLConfigConstants.DEFAULT_STORE_PASSWORD);
        String resolve2 = resolve(SSLConfigConstants.SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
        // NOTE(review): the resolve(..., true) call above already throws "Empty file path for ..." when the
        // truststore path is unset, so the more specific message below looks unreachable in that case.
        if (this.settings.get(SSLConfigConstants.SSL_TRANSPORT_TRUSTSTORE_FILEPATH, (String) null) == null) {
            throw new OpenSearchException("ssl.transport.truststore_filepath must be set if transport ssl is requested.", new Object[0]);
        }
        String str2 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
        // The truststore password is read without a default.
        String setting2 = SecureSSLSettings.SSLSetting.SSL_TRANSPORT_TRUSTSTORE_PASSWORD.getSetting(this.settings);
        KeystoreProps keystoreProps = new KeystoreProps(resolve, str, setting);
        KeystoreProps keystoreProps2 = new KeystoreProps(resolve2, str2, setting2);
        try {
            if (booleanValue) {
                // Extended key usage: all four aliases are mandatory so server and client material stay distinct.
                String str3 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS, (String) null);
                String str4 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS, (String) null);
                String str5 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS, (String) null);
                String str6 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, (String) null);
                String setting3 = SecureSSLSettings.SSLSetting.SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD.getSetting(this.settings, setting);
                String setting4 = SecureSSLSettings.SSLSetting.SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD.getSetting(this.settings, setting);
                if (str5 == null || str6 == null || str3 == null || str4 == null) {
                    throw new OpenSearchException("ssl.transport.server.keystore_alias, ssl.transport.client.keystore_alias, ssl.transport.server.truststore_alias, ssl.transport.client.truststore_alias must be set when ssl.transport.extended_key_usage_enabled is true.", new Object[0]);
                }
                certFromKeystore = new CertFromKeystore(keystoreProps, str5, str6, setting3, setting4);
                certFromTruststore = new CertFromTruststore(keystoreProps2, str3, str4);
            } else {
                // Single-identity mode: both aliases are optional and may be null.
                String str7 = this.settings.get(SSLConfigConstants.SSL_TRANSPORT_TRUSTSTORE_ALIAS, (String) null);
                certFromKeystore = new CertFromKeystore(keystoreProps, this.settings.get(SSLConfigConstants.SSL_TRANSPORT_KEYSTORE_ALIAS, (String) null), SecureSSLSettings.SSLSetting.SSL_TRANSPORT_KEYSTORE_KEYPASSWORD.getSetting(this.settings, setting));
                certFromTruststore = new CertFromTruststore(keystoreProps2, str7);
            }
            // Same reload validation as in the PEM branch.
            validateNewCerts(this.transportCerts, certFromKeystore.getCerts());
            this.transportServerSslContext = buildSSLServerContext(certFromKeystore.getServerKey(), certFromKeystore.getServerCert(), certFromTruststore.getServerTrustedCerts(), getEnabledSSLCiphers(this.sslTransportServerProvider), this.sslTransportServerProvider, ClientAuth.REQUIRE);
            this.transportClientSslContext = buildSSLClientContext(certFromKeystore.getClientKey(), certFromKeystore.getClientCert(), certFromTruststore.getClientTrustedCerts(), getEnabledSSLCiphers(this.sslTransportClientProvider), this.sslTransportClientProvider);
            setTransportSSLCerts(certFromKeystore.getCerts());
        } catch (Exception e2) {
            // This also catches the alias OpenSearchException thrown above and rewraps it.
            logExplanation(e2);
            throw new OpenSearchSecurityException("Error while initializing transport SSL layer: " + e2.toString(), e2, new Object[0]);
        }
    }

    /**
     * Guards a certificate reload: replacement certificates must outlive the current ones and
     * keep the same issuer DN, subject DN and SAN set.
     *
     * <p>Nothing is checked on the first load (no current certificates) or when both sets carry
     * the same signatures.
     *
     * @param x509CertificateArr  certificates currently in use, or null on first load
     * @param x509CertificateArr2 certificates about to replace them
     * @throws Exception if the replacement set fails the expiry or the DN/SAN comparison
     */
    private void validateNewCerts(X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2) throws Exception {
        final boolean firstLoad = x509CertificateArr == null;
        if (firstLoad || areSameCerts(x509CertificateArr, x509CertificateArr2)) {
            return;
        }
        if (!hasValidExpiryDates(x509CertificateArr, x509CertificateArr2)) {
            throw new Exception("New certificates should not expire before the current ones.");
        }
        if (hasValidDNs(x509CertificateArr, x509CertificateArr2)) {
            return;
        }
        throw new Exception("New Certs do not have valid Issuer DN, Subject DN or SAN.");
    }

    /**
     * Checks that the replacement certificates carry exactly the same identities as the current
     * ones. Each certificate is reduced to "issuerDN/subjectDN/SANs" and the two sorted lists of
     * such strings must be equal.
     *
     * @param x509CertificateArr  certificates currently in use
     * @param x509CertificateArr2 certificates about to replace them
     * @return true when both sets describe the same identities
     */
    private boolean hasValidDNs(X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2) {
        final Function<X509Certificate, String> identityOf = cert -> {
            String issuer = "";
            if (cert != null && cert.getIssuerX500Principal() != null) {
                issuer = cert.getIssuerX500Principal().getName();
            }
            String subject = "";
            if (cert != null && cert.getSubjectX500Principal() != null) {
                subject = cert.getSubjectX500Principal().getName();
            }
            return String.format("%s/%s/%s", issuer, subject, getSubjectAlternativeNames(cert));
        };
        // Sorting makes the comparison independent of chain order while still counting duplicates.
        final List<String> currentIdentities = Arrays.stream(x509CertificateArr).map(identityOf).sorted().collect(Collectors.toList());
        final List<String> replacementIdentities = Arrays.stream(x509CertificateArr2).map(identityOf).sorted().collect(Collectors.toList());
        return currentIdentities.equals(replacementIdentities);
    }

    /**
     * Checks that every replacement certificate expires strictly after the earliest expiry among
     * the current certificates.
     *
     * @param x509CertificateArr  certificates currently in use; must not be empty, since the
     *                            earliest expiry is taken with an unchecked {@code Optional.get()}
     * @param x509CertificateArr2 certificates about to replace them
     * @return false as soon as one replacement expires on or before that earliest date
     */
    private boolean hasValidExpiryDates(X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2) {
        final Date earliestCurrentExpiry = Arrays.stream(x509CertificateArr)
            .map(X509Certificate::getNotAfter)
            .min(Date::compareTo)
            .get();
        return Arrays.stream(x509CertificateArr2).noneMatch(replacement -> {
            final Date expiry = replacement.getNotAfter();
            return expiry.before(earliestCurrentExpiry) || expiry.equals(earliestCurrentExpiry);
        });
    }

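    /**
     * Tells whether two certificate arrays contain the same set of certificates, judged by their
     * signature bytes.
     *
     * <p>A true result makes {@code validateNewCerts} skip the expiry and DN/SAN checks, so the
     * comparison must not report equality for different signatures. Signatures are therefore
     * rendered with {@link Arrays#toString(byte[])}, which is lossless. Decoding the raw bytes as
     * UTF-8 is not: malformed sequences all become U+FFFD, so distinct signatures could compare
     * equal, and a null signature or certificate raised a NullPointerException.
     *
     * @param x509CertificateArr  certificates currently in use
     * @param x509CertificateArr2 certificates about to replace them
     * @return true when both arrays yield the same set of signatures
     */
    private boolean areSameCerts(X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2) {
        final Function<X509Certificate, String> signatureKey = cert -> {
            final byte[] signature = cert == null ? null : cert.getSignature();
            // Arrays.toString(null) yields "null", so a missing signature gets a stable key.
            return Arrays.toString(signature);
        };
        final Set<String> currentSignatures = Arrays.stream(x509CertificateArr).map(signatureKey).collect(Collectors.toSet());
        final Set<String> replacementSignatures = Arrays.stream(x509CertificateArr2).map(signatureKey).collect(Collectors.toSet());
        return currentSignatures.equals(replacementSignatures);
    }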

    /**
     * Creates a server-side engine from the transport server context and restricts it to the
     * enabled protocol list.
     *
     * @return a new server engine
     * @throws SSLException declared by the interface
     */
    @Override // org.opensearch.sdk.ssl.SslKeyStore
    public SSLEngine createServerTransportSSLEngine() throws SSLException {
        final SSLEngine serverEngine = this.transportServerSslContext.newEngine(NettyAllocator.getAllocator());
        final String[] allowedProtocols = getEnabledSSLProtocols(this.sslTransportServerProvider);
        serverEngine.setEnabledProtocols(allowedProtocols);
        return serverEngine;
    }

    /**
     * Creates a client-side engine from the transport client context and restricts it to the
     * enabled protocol list.
     *
     * <p>When a peer host is given, the engine is asked to verify the peer certificate against
     * that host ("HTTPS" endpoint identification). NOTE(review): with a null host this method
     * sets no endpoint identification algorithm, so hostname verification then depends on
     * whatever the context does by default; confirm callers passing null intend that.
     *
     * @param str peer host name, or null
     * @param i   peer port; only used together with a non-null host
     * @return a new client engine
     * @throws SSLException declared by the interface
     */
    @Override // org.opensearch.sdk.ssl.SslKeyStore
    public SSLEngine createClientTransportSSLEngine(String str, int i) throws SSLException {
        final SSLEngine clientEngine;
        if (str != null) {
            clientEngine = this.transportClientSslContext.newEngine(NettyAllocator.getAllocator(), str, i);
            // NOTE(review): a fresh SSLParameters object is applied rather than one obtained from
            // engine.getSSLParameters(); confirm no context-level parameter is meant to survive.
            final SSLParameters verification = new SSLParameters();
            verification.setEndpointIdentificationAlgorithm("HTTPS");
            clientEngine.setSSLParameters(verification);
        } else {
            clientEngine = this.transportClientSslContext.newEngine(NettyAllocator.getAllocator());
        }
        clientEngine.setEnabledProtocols(getEnabledSSLProtocols(this.sslTransportClientProvider));
        return clientEngine;
    }

    /**
     * Records the certificates of the key material now in use; the next reload is validated
     * against them. The array is stored as passed, without copying.
     */
    private void setTransportSSLCerts(X509Certificate[] x509CertificateArr) {
        transportCerts = x509CertificateArr;
    }

    /**
     * Returns the enabled cipher suites. The provider is only tested for null: any non-null
     * provider gets the same JDK-derived list (the internal list itself, not a copy).
     *
     * @param sslProvider provider in use, or null when transport TLS is disabled
     * @return the enabled cipher suites, or an empty list for a null provider
     */
    private List<String> getEnabledSSLCiphers(SslProvider sslProvider) {
        if (sslProvider == null) {
            return Collections.emptyList();
        }
        return this.enabledTransportCiphersJDKProvider;
    }

    /**
     * Returns the enabled TLS protocol names as a fresh array. The provider is only tested for
     * null: any non-null provider gets the same JDK-derived list.
     *
     * @param sslProvider provider in use, or null when transport TLS is disabled
     * @return the enabled protocol names, or an empty array for a null provider
     */
    private String[] getEnabledSSLProtocols(SslProvider sslProvider) {
        if (sslProvider == null) {
            return new String[0];
        }
        final String[] protocolNames = new String[0];
        return this.enabledTransportProtocolsJDKProvider.toArray(protocolNames);
    }

    /**
     * Computes the cipher suites and protocols this node will enable: what a default JDK TLS
     * engine enables, narrowed to the lists SSLConfigConstants returns for the settings.
     *
     * <p>Either resulting list may be empty after narrowing; only a failure to obtain the JVM
     * lists themselves is rejected here.
     *
     * @throws OpenSearchException if the JVM's enabled ciphers or protocols cannot be determined
     */
    private void initEnabledSSLCiphers() {
        // Configured allow-lists for cipher suites and protocols.
        List<String> secureSSLCiphers = SSLConfigConstants.getSecureSSLCiphers(this.settings);
        List asList = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(this.settings));
        SSLEngine sSLEngine = null;
        List list = null;
        List list2 = null;
        try {
            try {
                // Throwaway engine from a default-initialised context, used only to read the JVM's defaults.
                SSLContext sSLContext = SSLContext.getInstance("TLS");
                sSLContext.init(null, null, null);
                sSLEngine = sSLContext.createSSLEngine();
                list = Arrays.asList(sSLEngine.getEnabledCipherSuites());
                list2 = Arrays.asList(sSLEngine.getEnabledProtocols());
                // The messages say "supports", but the values are the engine's *enabled* suites and protocols.
                this.log.debug("JVM supports the following {} protocols {}", Integer.valueOf(list2.size()), list2);
                this.log.debug("JVM supports the following {} ciphers {}", Integer.valueOf(list.size()), list);
                if (list2.contains("TLSv1.3")) {
                    this.log.info("JVM supports TLSv1.3");
                }
                // NOTE(review): the engine clean-up appears three times in this method, which looks like
                // a decompiled finally block; confirm against the original source.
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e) {
                        this.log.debug("Unable to close inbound ssl engine", e);
                    }
                    sSLEngine.closeOutbound();
                }
            } catch (Throwable th) {
                // Probe failures are only logged here; the null/empty check below turns them into an exception.
                this.log.error("Unable to determine supported ciphers due to ", th);
                if (sSLEngine != null) {
                    try {
                        sSLEngine.closeInbound();
                    } catch (SSLException e2) {
                        this.log.debug("Unable to close inbound ssl engine", e2);
                    }
                    sSLEngine.closeOutbound();
                }
            }
            if (list == null || list.isEmpty() || list2 == null || list2.isEmpty()) {
                throw new OpenSearchException("Unable to determine supported ciphers or protocols", new Object[0]);
            }
            // retainAll keeps the JVM's order and drops everything not on the configured allow-list.
            this.enabledTransportCiphersJDKProvider = new ArrayList(list);
            this.enabledTransportCiphersJDKProvider.retainAll(secureSSLCiphers);
            this.enabledTransportProtocolsJDKProvider = new ArrayList(list2);
            this.enabledTransportProtocolsJDKProvider.retainAll(asList);
        } catch (Throwable th2) {
            // Reached for anything thrown above, including the OpenSearchException; the engine may
            // already have been closed once by then.
            if (sSLEngine != null) {
                try {
                    sSLEngine.closeInbound();
                } catch (SSLException e3) {
                    this.log.debug("Unable to close inbound ssl engine", e3);
                }
                sSLEngine.closeOutbound();
            }
            throw th2;
        }
    }

    /**
     * Builds the server context from in-memory key material (keystore mode).
     *
     * @param privateKey          server private key
     * @param x509CertificateArr  server certificate chain
     * @param x509CertificateArr2 trusted certificates for peer validation; may be null or empty
     * @param iterable            configured cipher suites
     * @param sslProvider         Netty provider to use
     * @param clientAuth          client-certificate policy
     * @return the built context
     * @throws SSLException if the context cannot be built
     */
    private SslContext buildSSLServerContext(PrivateKey privateKey, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, Iterable<String> iterable, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        final SslContextBuilder serverBuilder = configureSSLServerContextBuilder(SslContextBuilder.forServer(privateKey, x509CertificateArr), sslProvider, iterable, clientAuth);
        final boolean hasTrustAnchors = x509CertificateArr2 != null && x509CertificateArr2.length > 0;
        // NOTE(review): without trust anchors no trust manager is set on the builder, so peer
        // validation falls back to the builder's default; presumably the JVM trust store. Confirm.
        if (hasTrustAnchors) {
            serverBuilder.trustManager(x509CertificateArr2);
        }
        return buildSSLContext0(serverBuilder);
    }

    /**
     * Builds the server context from PEM files.
     *
     * @param file        private key file
     * @param file2       certificate chain file
     * @param file3       trusted CA file for peer validation; may be null
     * @param str         private key password, as supplied by the caller
     * @param iterable    configured cipher suites
     * @param sslProvider Netty provider to use
     * @param clientAuth  client-certificate policy
     * @return the built context
     * @throws SSLException if the context cannot be built
     */
    private SslContext buildSSLServerContext(File file, File file2, File file3, String str, Iterable<String> iterable, SslProvider sslProvider, ClientAuth clientAuth) throws SSLException {
        // forServer takes the certificate chain first and the key second.
        final SslContextBuilder serverBuilder = configureSSLServerContextBuilder(SslContextBuilder.forServer(file2, file, str), sslProvider, iterable, clientAuth);
        // NOTE(review): with no CA file no trust manager is set on the builder, so peer validation
        // falls back to the builder's default; presumably the JVM trust store. Confirm.
        if (file3 == null) {
            return buildSSLContext0(serverBuilder);
        }
        serverBuilder.trustManager(file3);
        return buildSSLContext0(serverBuilder);
    }

    /**
     * Applies the settings shared by both server contexts: cipher suites, client-certificate
     * policy, session parameters, provider and ALPN.
     *
     * <p>The offered cipher set is the union of the configured suites and
     * {@code Http2SecurityUtil.CIPHERS}, filtered to what the provider supports. NOTE(review):
     * this union can enable suites that are not on the configured allow-list; confirm that is
     * intended for the transport layer.
     *
     * @param sslContextBuilder builder already holding the server key material
     * @param sslProvider       Netty provider to use
     * @param iterable          configured cipher suites
     * @param clientAuth        client-certificate policy; must not be null
     * @return the configured builder
     */
    private SslContextBuilder configureSSLServerContextBuilder(SslContextBuilder sslContextBuilder, SslProvider sslProvider, Iterable<String> iterable, ClientAuth clientAuth) {
        final Set<String> offeredCiphers = Stream.concat(Http2SecurityUtil.CIPHERS.stream(), StreamSupport.stream(iterable.spliterator(), false)).collect(Collectors.toSet());
        SslContextBuilder configured = sslContextBuilder.ciphers(offeredCiphers, SupportedCipherSuiteFilter.INSTANCE);
        configured = configured.clientAuth(Objects.requireNonNull(clientAuth));
        // NOTE(review): Netty documents 0 as "use the default" for both session settings,
        // so these calls do not switch session caching off; confirm against the Netty version in use.
        configured = configured.sessionCacheSize(0L).sessionTimeout(0L);
        configured = configured.sslProvider(sslProvider);
        final ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
            ApplicationProtocolConfig.Protocol.ALPN,
            ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
            ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
            new String[]{"h2", "http/1.1"});
        return configured.applicationProtocolConfig(alpn);
    }

    /**
     * Builds the client context from in-memory key material (keystore mode). Only the configured
     * cipher suites are offered and ALPN is disabled.
     *
     * @param privateKey          client private key
     * @param x509CertificateArr  client certificate chain
     * @param x509CertificateArr2 trusted certificates used to validate the server
     * @param iterable            configured cipher suites
     * @param sslProvider         Netty provider to use
     * @return the built context
     * @throws SSLException if the context cannot be built
     */
    private SslContext buildSSLClientContext(PrivateKey privateKey, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, Iterable<String> iterable, SslProvider sslProvider) throws SSLException {
        SslContextBuilder clientBuilder = SslContextBuilder.forClient()
            .ciphers(iterable)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED);
        clientBuilder = clientBuilder.sessionCacheSize(0L).sessionTimeout(0L).sslProvider(sslProvider);
        // Trust anchors first, then the client's own identity, matching the original call order.
        clientBuilder = clientBuilder.trustManager(x509CertificateArr2).keyManager(privateKey, x509CertificateArr);
        return buildSSLContext0(clientBuilder);
    }

    /**
     * Builds the client context from PEM files. Only the configured cipher suites are offered and
     * ALPN is disabled.
     *
     * @param file        private key file
     * @param file2       certificate chain file
     * @param file3       trusted CA file used to validate the server
     * @param str         private key password, as supplied by the caller
     * @param iterable    configured cipher suites
     * @param sslProvider Netty provider to use
     * @return the built context
     * @throws SSLException if the context cannot be built
     */
    private SslContext buildSSLClientContext(File file, File file2, File file3, String str, Iterable<String> iterable, SslProvider sslProvider) throws SSLException {
        SslContextBuilder clientBuilder = SslContextBuilder.forClient()
            .ciphers(iterable)
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED);
        clientBuilder = clientBuilder.sessionCacheSize(0L).sessionTimeout(0L).sslProvider(sslProvider);
        // keyManager takes the certificate chain first and the key second.
        clientBuilder = clientBuilder.trustManager(file3).keyManager(file2, file, str);
        return buildSSLContext0(clientBuilder);
    }

    /**
     * Builds the context inside a privileged block, after checking that the caller holds
     * {@link SpecialPermission} when a security manager is installed.
     *
     * @param sslContextBuilder fully configured builder
     * @return the built context
     * @throws SSLException if the build fails; the cause of the privileged-action wrapper is
     *                      cast to SSLException without a type check
     */
    private SslContext buildSSLContext0(final SslContextBuilder sslContextBuilder) throws SSLException {
        final SecurityManager installedManager = System.getSecurityManager();
        if (installedManager != null) {
            installedManager.checkPermission(new SpecialPermission());
        }
        final PrivilegedExceptionAction<SslContext> buildAction = () -> sslContextBuilder.build();
        try {
            return AccessController.doPrivileged(buildAction);
        } catch (PrivilegedActionException wrapped) {
            throw ((SSLException) wrapped.getCause());
        }
    }

    /**
     * Logs an operator hint when the failure's message chain matches one of two known key
     * material problems: a missing private key or a missing certificate. The hints contain no
     * secret values.
     *
     * @param exc the failure raised while loading key material
     */
    private void logExplanation(Exception exc) {
        final boolean keyMissing = ExceptionUtils.findMsg(exc, "not contain valid private key") != null;
        if (keyMissing) {
            this.log.error("Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.");
        }
        final boolean certificateMissing = ExceptionUtils.findMsg(exc, "not contain valid certificates") != null;
        if (certificateMissing) {
            this.log.error("Your keystore or PEM does not contain a certificate. Maybe you confused keys and certificates.");
        }
    }

    /**
     * Verifies that a configured path is non-empty, is not a directory and is readable.
     *
     * <p>The directory test does not follow symbolic links while the readability test does, and
     * both are point-in-time checks: the file is opened later by other code.
     *
     * @param str  path to check
     * @param str2 setting key the path came from, used in error messages
     * @throws OpenSearchException if any of the three checks fails
     */
    private static void checkPath(String str, String str2) {
        final boolean missing = str == null || str.length() == 0;
        if (missing) {
            throw new OpenSearchException("Empty file path for " + str2, new Object[0]);
        }
        final Path candidate = Paths.get(str);
        if (Files.isDirectory(candidate, LinkOption.NOFOLLOW_LINKS)) {
            throw new OpenSearchException("Is a directory: " + str + " Expected a file for " + str2, new Object[0]);
        }
        if (Files.isReadable(candidate)) {
            return;
        }
        throw new OpenSearchException("Unable to read " + str + " (" + candidate + "). Please make sure this files exists and is readable regarding to permissions. Property: " + str2, new Object[0]);
    }

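    /**
     * Renders a certificate's subject alternative names as one string, used by the reload check
     * to compare the identities of old and new certificates.
     *
     * <p>Reconstructed from the decompiler's instruction dump, which this method previously
     * carried in place of a body (it threw UnsupportedOperationException on every call, so any
     * reload reaching the DN/SAN comparison failed). The dump also reads each entry's type tag
     * without using it; that read is omitted here.
     *
     * <p>NOTE(review): SAN entries whose value is a byte[] render by array identity rather than
     * content, so such entries presumably never compare equal across two loads; confirm whether
     * certificates with those SAN types need to be reloadable.
     *
     * @param r5 certificate to read, may be null
     * @return the list rendering of all SAN entries, or "" when the certificate is null, has no
     *         SAN extension, or the extension cannot be parsed (the parse error is logged)
     */
    @Override // org.opensearch.sdk.ssl.SslKeyStore
    public java.lang.String getSubjectAlternativeNames(java.security.cert.X509Certificate r5) {
        String rendered = "";
        try {
            final java.util.Collection<List<?>> altNames = r5 == null ? null : r5.getSubjectAlternativeNames();
            if (altNames != null) {
                // Each entry is a [type, value] pair; copy them in certificate order and render the list.
                rendered = new ArrayList<>(altNames).toString();
            }
        } catch (java.security.cert.CertificateParsingException e) {
            this.log.error("Issue parsing SubjectAlternativeName:", e);
        }
        return rendered;
    }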
}
