package com.couchbase.client.core.env;

import com.couchbase.client.core.annotation.Stability;
import com.couchbase.client.core.error.CouchbaseException;
import com.couchbase.client.core.error.InvalidArgumentException;
import com.couchbase.client.core.io.netty.SslHandlerFactory;
import com.couchbase.client.core.util.Bytes;
import com.couchbase.client.core.util.Validators;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/couchbase/client/core/env/SecurityConfig.class */
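/**
 * Holds the TLS-related settings of the client: whether TLS is requested, whether native TLS
 * and hostname verification are requested, the trust anchors (either a certificate list or a
 * {@link TrustManagerFactory}, never both) and an optional cipher list.
 *
 * <p>This class only stores and validates the settings; nothing in it opens a connection or
 * enforces a flag. Enforcement happens wherever these getters are consumed (not visible here).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>TLS is off by default ({@link Defaults#DEFAULT_TLS_ENABLED}), so {@link #create()}
 *       yields a configuration that does not request TLS.</li>
 *   <li>The trust material is validated only when TLS is enabled (see the constructor).</li>
 *   <li>The lists handed to the builder are stored and returned as-is, without a defensive
 *       copy; callers should not mutate them after {@link Builder#build()}.</li>
 * </ul>
 */
public class SecurityConfig {
    private final boolean nativeTlsEnabled;
    private final boolean hostnameVerificationEnabled;
    private final boolean tlsEnabled;
    private final List<X509Certificate> trustCertificates;
    private final TrustManagerFactory trustManagerFactory;
    private final List<String> ciphers;

    /**
     * Mutable builder for {@link SecurityConfig}. Every setter returns {@code this} so calls can
     * be chained; cross-field validation is deferred to {@link #build()}.
     */
    public static class Builder {
        // Initial values come from Defaults so the two cannot drift apart.
        private boolean tlsEnabled = Defaults.DEFAULT_TLS_ENABLED;
        private boolean nativeTlsEnabled = Defaults.DEFAULT_NATIVE_TLS_ENABLED;
        private boolean hostnameVerificationEnabled = Defaults.DEFAULT_HOSTNAME_VERIFICATION_ENABLED;
        private List<X509Certificate> trustCertificates = null;
        private TrustManagerFactory trustManagerFactory = null;
        private List<String> ciphers = Collections.emptyList();

        /**
         * Creates the configuration from the current builder state.
         *
         * @return the new configuration
         * @throws InvalidArgumentException if TLS is enabled and the trust settings are missing
         *     or both kinds were supplied (raised by the {@link SecurityConfig} constructor)
         */
        public SecurityConfig build() {
            return new SecurityConfig(this);
        }

        /**
         * Turns the TLS request flag on or off.
         *
         * @param z {@code true} to request TLS
         * @return this builder
         */
        public Builder enableTls(boolean z) {
            this.tlsEnabled = z;
            return this;
        }

        /**
         * Turns the hostname verification flag on or off.
         *
         * <p>In general, a TLS client that skips hostname verification accepts any certificate
         * that chains to a trust anchor, whichever host presents it, so {@code false} should be
         * limited to test setups. This class only records the flag.
         *
         * @param z {@code true} to request hostname verification
         * @return this builder
         */
        public Builder enableHostnameVerification(boolean z) {
            this.hostnameVerificationEnabled = z;
            return this;
        }

        /**
         * Turns the native TLS flag on or off.
         *
         * @param z {@code true} to request native TLS (presumably a non-JDK TLS provider;
         *     the consumer of this flag is not visible here)
         * @return this builder
         */
        public Builder enableNativeTls(boolean z) {
            this.nativeTlsEnabled = z;
            return this;
        }

        /**
         * Sets the certificates to trust.
         *
         * @param list the trusted certificates; rejected by {@code Validators.notNullOrEmpty}
         *     when null or empty
         * @return this builder
         */
        public Builder trustCertificates(List<X509Certificate> list) {
            this.trustCertificates = Validators.notNullOrEmpty(list, "X509 Certificates");
            return this;
        }

        /**
         * Reads the file at {@code path}, decodes every X.509 certificate in it and uses the
         * result as the trusted certificates.
         *
         * @param path the certificate file
         * @return this builder
         * @throws InvalidArgumentException if the file cannot be read or its content cannot be
         *     decoded
         */
        public Builder trustCertificate(Path path) {
            Validators.notNull(path, "CertificatePath");
            // try-with-resources: the decompiled form closed the stream only on the success
            // path, leaking the file handle whenever decoding failed.
            try (InputStream in = Files.newInputStream(path)) {
                return trustCertificates(SecurityConfig.decodeCertificates(Bytes.readAllBytes(in)));
            } catch (IOException e) {
                throw InvalidArgumentException.fromMessage("Could not read trust certificates from file \"" + path + "\"", e);
            }
        }

        /**
         * Sets the factory that supplies the trust managers.
         *
         * @param trustManagerFactory the factory; must not be null
         * @return this builder
         */
        public Builder trustManagerFactory(TrustManagerFactory trustManagerFactory) {
            this.trustManagerFactory = Validators.notNull(trustManagerFactory, "TrustManagerFactory");
            return this;
        }

        /**
         * Builds a {@link TrustManagerFactory} from an already loaded key store and uses it as
         * the trust source.
         *
         * @param keyStore the loaded trust store; must not be null
         * @return this builder
         * @throws InvalidArgumentException if the factory cannot be created or initialised
         */
        public Builder trustStore(KeyStore keyStore) {
            Validators.notNull(keyStore, "TrustStore");
            try {
                // The decompiled code asked for KeyManagerFactory.getDefaultAlgorithm() here.
                // The key-manager and trust-manager defaults are separate JVM settings, so the
                // trust-manager default is the one that belongs to a TrustManagerFactory.
                TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                factory.init(keyStore);
                return trustManagerFactory(factory);
            } catch (Exception e) {
                throw InvalidArgumentException.fromMessage("Could not initialize TrustManagerFactory from TrustStore", e);
            }
        }

        /**
         * Loads a key store from a file and uses it as the trust source.
         *
         * @param path the trust store file
         * @param str the trust store password, or null to load without one
         * @param optional the key store type; {@link KeyStore#getDefaultType()} when empty
         * @return this builder
         * @throws InvalidArgumentException if the store cannot be read, loaded or turned into a
         *     trust manager factory
         */
        public Builder trustStore(Path path, String str, Optional<String> optional) {
            Validators.notNull(path, "TrustStorePath");
            Validators.notNull(optional, "TrustStoreType");
            // try-with-resources closes the file on failure too (the decompiled form did not).
            try (InputStream in = Files.newInputStream(path)) {
                KeyStore store = KeyStore.getInstance(optional.orElse(KeyStore.getDefaultType()));
                // NOTE(review): the password arrives as a String, so it cannot be wiped from
                // memory here; a char[] overload would be needed for that.
                char[] password = str != null ? str.toCharArray() : null;
                store.load(in, password);
                return trustStore(store);
            } catch (Exception e) {
                throw InvalidArgumentException.fromMessage("Could not initialize TrustStore", e);
            }
        }

        /**
         * Sets the cipher list.
         *
         * <p>The names are stored unchecked; this class does not verify that they are known or
         * strong cipher suites.
         *
         * @param list the cipher names; rejected by {@code Validators.notNullOrEmpty} when null
         *     or empty
         * @return this builder
         */
        public Builder ciphers(List<String> list) {
            this.ciphers = Validators.notNullOrEmpty(list, "Ciphers");
            return this;
        }
    }

    /** Default values of the boolean settings. */
    @Stability.Internal
    public static class Defaults {
        public static final boolean DEFAULT_TLS_ENABLED = false;
        public static final boolean DEFAULT_NATIVE_TLS_ENABLED = true;
        public static final boolean DEFAULT_HOSTNAME_VERIFICATION_ENABLED = true;
    }

    /**
     * Creates a builder holding the default settings.
     *
     * @return a new builder
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Creates a configuration with the default settings (TLS not requested).
     *
     * @return the default configuration
     */
    public static SecurityConfig create() {
        return new SecurityConfig(builder());
    }

    /** Shortcut for {@code builder().enableTls(z)}. */
    public static Builder enableTls(boolean z) {
        return builder().enableTls(z);
    }

    /** Shortcut for {@code builder().enableHostnameVerification(z)}. */
    public static Builder enableHostnameVerification(boolean z) {
        return builder().enableHostnameVerification(z);
    }

    /** Shortcut for {@code builder().enableNativeTls(z)}. */
    public static Builder enableNativeTls(boolean z) {
        return builder().enableNativeTls(z);
    }

    /** Shortcut for {@code builder().trustCertificates(list)}. */
    public static Builder trustCertificates(List<X509Certificate> list) {
        return builder().trustCertificates(list);
    }

    /** Shortcut for {@code builder().trustCertificate(path)}. */
    public static Builder trustCertificate(Path path) {
        return builder().trustCertificate(path);
    }

    /** Shortcut for {@code builder().trustStore(keyStore)}. */
    public static Builder trustStore(KeyStore keyStore) {
        return builder().trustStore(keyStore);
    }

    /** Shortcut for {@code builder().trustStore(path, str, optional)}. */
    public static Builder trustStore(Path path, String str, Optional<String> optional) {
        return builder().trustStore(path, str, optional);
    }

    /** Shortcut for {@code builder().trustManagerFactory(trustManagerFactory)}. */
    public static Builder trustManagerFactory(TrustManagerFactory trustManagerFactory) {
        return builder().trustManagerFactory(trustManagerFactory);
    }

    /** Shortcut for {@code builder().ciphers(list)}. */
    public static Builder ciphers(List<String> list) {
        return builder().ciphers(list);
    }

    /**
     * Copies the builder state and, when TLS is enabled, checks that exactly one trust source
     * was supplied. With TLS disabled the trust settings are stored without any check.
     *
     * @throws InvalidArgumentException if TLS is enabled and both or neither of trust
     *     certificates and trust manager factory are present
     */
    private SecurityConfig(Builder builder) {
        this.tlsEnabled = builder.tlsEnabled;
        this.nativeTlsEnabled = builder.nativeTlsEnabled;
        this.trustCertificates = builder.trustCertificates;
        this.trustManagerFactory = builder.trustManagerFactory;
        this.hostnameVerificationEnabled = builder.hostnameVerificationEnabled;
        this.ciphers = builder.ciphers;

        if (!this.tlsEnabled) {
            return;
        }
        boolean hasCertificates = this.trustCertificates != null && !this.trustCertificates.isEmpty();
        boolean hasFactory = this.trustManagerFactory != null;
        // A non-null (even empty) certificate list next to a factory counts as "both".
        if (this.trustCertificates != null && hasFactory) {
            throw InvalidArgumentException.fromMessage("Either trust certificates or a trust manager factory can be provided, but not both!");
        }
        // Refuse TLS without any trust anchor rather than continue with nothing to verify against.
        if (!hasCertificates && !hasFactory) {
            throw InvalidArgumentException.fromMessage("Either a trust certificate or a trust manager factory must be provided when TLS is enabled!");
        }
    }

    /** @return whether TLS is requested */
    public boolean tlsEnabled() {
        return this.tlsEnabled;
    }

    /** @return whether hostname verification is requested */
    public boolean hostnameVerificationEnabled() {
        return this.hostnameVerificationEnabled;
    }

    /** @return the trusted certificates as supplied to the builder, or null if none were set */
    public List<X509Certificate> trustCertificates() {
        return this.trustCertificates;
    }

    /** @return the trust manager factory, or null if none was set */
    public TrustManagerFactory trustManagerFactory() {
        return this.trustManagerFactory;
    }

    /** @return whether native TLS is requested */
    public boolean nativeTlsEnabled() {
        return this.nativeTlsEnabled;
    }

    /** @return the cipher list as supplied to the builder; empty if none was set */
    public List<String> ciphers() {
        return this.ciphers;
    }

    /**
     * Exports the settings as an insertion-ordered map.
     *
     * <p>Only the presence of trust certificates and the simple class name of the trust manager
     * factory are exported, never the trust material itself.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @return the settings keyed by name
     */
    @Stability.Volatile
    public Map<String, Object> exportAsMap() {
        Map<String, Object> exported = new LinkedHashMap<>();
        exported.put("tlsEnabled", this.tlsEnabled);
        exported.put("nativeTlsEnabled", this.nativeTlsEnabled);
        exported.put("hostnameVerificationEnabled", this.hostnameVerificationEnabled);
        exported.put("hasTrustCertificates", this.trustCertificates != null && !this.trustCertificates.isEmpty());
        exported.put("trustManagerFactory", this.trustManagerFactory != null ? this.trustManagerFactory.getClass().getSimpleName() : null);
        exported.put("ciphers", this.ciphers);
        return exported;
    }

    /**
     * Decodes every string as UTF-8 encoded certificate data and concatenates the results.
     *
     * @param list the encoded certificates; must not be null
     * @return all decoded certificates, in input order
     * @throws InvalidArgumentException if any entry cannot be decoded
     */
    public static List<X509Certificate> decodeCertificates(List<String> list) {
        Validators.notNull(list, "Certificates");
        return list.stream()
            .flatMap(encoded -> decodeCertificates(encoded.getBytes(StandardCharsets.UTF_8)).stream())
            .collect(Collectors.toList());
    }

    /**
     * Decodes all X.509 certificates found in the given bytes.
     *
     * <p>Decompiler note: this method was private in the original class.
     *
     * @param bArr the raw certificate data; must not be null
     * @return the decoded certificates
     * @throws InvalidArgumentException if the data cannot be parsed
     */
    public static List<X509Certificate> decodeCertificates(byte[] bArr) {
        Validators.notNull(bArr, "bytes");
        try {
            // Cast element by element instead of casting the returned Collection to a raw List,
            // which relied on the provider happening to return a List.
            return getX509CertificateFactory()
                .generateCertificates(new ByteArrayInputStream(bArr))
                .stream()
                .map(X509Certificate.class::cast)
                .collect(Collectors.toList());
        } catch (CertificateException e) {
            // Report only the size. The previous message echoed the whole input, so a wrong
            // file (for example one that also holds a private key) would end up in logs.
            throw InvalidArgumentException.fromMessage("Could not generate certificates from raw input (" + bArr.length + " bytes)", e);
        }
    }

    /**
     * Looks up the JDK's X.509 certificate factory.
     *
     * @throws CouchbaseException if no X.509 factory is available
     */
    private static CertificateFactory getX509CertificateFactory() {
        try {
            return CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new CouchbaseException("Could not instantiate X.509 CertificateFactory", e);
        }
    }

    /**
     * Returns the default cipher list by delegating to {@code SslHandlerFactory.defaultCiphers}.
     *
     * @param z passed through unchanged (presumably selects native vs. JDK TLS; confirm
     *     against {@code SslHandlerFactory})
     * @return the default cipher names
     */
    public static List<String> defaultCiphers(boolean z) {
        return SslHandlerFactory.defaultCiphers(z);
    }
}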
