package org.elasticsearch.xpack.core.ssl;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:lib/x-pack-core-7.9.0.jar:org/elasticsearch/xpack/core/ssl/PEMKeyConfig.class */
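/**
 * Key configuration backed by a PEM private-key file and a PEM certificate file.
 *
 * <p>This listing is decompiler (JADX) output. Members whose original comment read
 * "Access modifiers changed from: package-private" were widened to {@code public} by the
 * decompiler; their visibility is left as found so existing callers keep compiling.
 *
 * <p>Handling of secret material in this class:
 * <ul>
 *   <li>the key password is held as a private copy of the caller's {@link SecureString};</li>
 *   <li>{@link #toString()} prints only the two file paths, never the password;</li>
 *   <li>{@link #hashCode()} mixes in the password's hash, so the hash value should be
 *       treated as derived from a secret.</li>
 * </ul>
 */
public class PEMKeyConfig extends KeyConfig {
    /** Label passed to the error helpers when the certificate file cannot be read. */
    private static final String CERTIFICATE_FILE = "certificate";
    /** Label passed to the error helpers when the key file cannot be read. */
    private static final String KEY_FILE = "key";

    private final String keyPath;
    private final SecureString keyPassword;
    private final String certPath;

    /**
     * Creates the configuration.
     *
     * @param keyPath path of the PEM private-key file; must not be {@code null}
     * @param keyPassword password protecting the key; must not be {@code null}
     * @param certPath path of the PEM certificate file; must not be {@code null}
     * @throws NullPointerException if any argument is {@code null}
     */
    public PEMKeyConfig(String keyPath, SecureString keyPassword, String certPath) {
        this.keyPath = Objects.requireNonNull(keyPath, "key file must be specified");
        // Keep our own copy so that the caller closing its SecureString does not invalidate
        // this configuration. The decompiler rendered this call as the synthetic name
        // "m6069clone", which is not a method of SecureString; clone() is the real call.
        this.keyPassword = Objects.requireNonNull(keyPassword).clone();
        this.certPath = Objects.requireNonNull(certPath, "certificate must be specified");
    }

    /**
     * Builds a key manager from the configured private key and certificate chain.
     *
     * @param environment used to resolve the configured paths; may be {@code null}
     * @return the key manager produced by {@code CertParsingUtils.keyManager}
     * @throws IllegalArgumentException if the key file yields no private key
     * @throws ElasticsearchException if reading the files or building the key manager fails
     */
    @Override
    public X509ExtendedKeyManager createKeyManager(@Nullable Environment environment) {
        try {
            PrivateKey privateKey = readPrivateKey(this.keyPath, this.keyPassword, environment);
            if (privateKey == null) {
                throw new IllegalArgumentException("private key [" + this.keyPath + "] could not be loaded");
            }
            Certificate[] chain = getCertificateChain(environment);
            // NOTE(review): the password characters are handed to the key manager as returned by
            // getChars(); confirm whether that is a copy or the SecureString's backing array.
            return CertParsingUtils.keyManager(chain, privateKey, this.keyPassword.getChars());
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new ElasticsearchException("failed to initialize SSL KeyManagerFactory", e);
        }
    }

    /**
     * Reads every certificate in the configured certificate file.
     *
     * <p>Missing-file, access-denied and security-manager failures are mapped to the
     * exceptions built by the inherited {@code *KeyConfigFile} helpers.
     */
    private Certificate[] getCertificateChain(@Nullable Environment environment) throws CertificateException, IOException {
        Path certFile = CertParsingUtils.resolvePath(this.certPath, environment);
        try {
            return CertParsingUtils.readCertificates(Collections.singletonList(certFile));
        } catch (FileNotFoundException | NoSuchFileException e) {
            throw missingKeyConfigFile(e, CERTIFICATE_FILE, certFile);
        } catch (AccessDeniedException e) {
            throw unreadableKeyConfigFile(e, CERTIFICATE_FILE, certFile);
        } catch (AccessControlException e) {
            throw blockedKeyConfigFile(e, environment, CERTIFICATE_FILE, certFile);
        }
    }

    /**
     * Describes the X.509 certificates found in the certificate file.
     *
     * <p>Entries that are not {@link X509Certificate} instances are skipped. The boolean passed
     * to {@code CertificateInfo} is {@code true} only for the first certificate in the file,
     * presumably the one that pairs with the private key (confirm against CertificateInfo).
     *
     * @throws CertificateException if the certificate file cannot be parsed
     * @throws IOException if the certificate file cannot be read
     */
    @Override
    public Collection<CertificateInfo> certificates(Environment environment) throws CertificateException, IOException {
        Certificate[] chain = getCertificateChain(environment);
        List<CertificateInfo> infos = new ArrayList<>(chain.length);
        for (int i = 0; i < chain.length; i++) {
            if (chain[i] instanceof X509Certificate) {
                infos.add(new CertificateInfo(this.certPath, "PEM", null, i == 0, (X509Certificate) chain[i]));
            }
        }
        return infos;
    }

    /**
     * Returns the configured private key as a single-element list.
     *
     * <p>NOTE(review): unlike {@link #createKeyManager(Environment)}, this method does not check
     * the result of {@code readPrivateKey} for {@code null}, so the list may hold a {@code null}
     * element when the key file yields no key; callers should be checked for that case.
     *
     * @throws UncheckedIOException if the key file cannot be read
     */
    @Override
    List<PrivateKey> privateKeys(@Nullable Environment environment) {
        try {
            return Collections.singletonList(readPrivateKey(this.keyPath, this.keyPassword, environment));
        } catch (IOException e) {
            throw new UncheckedIOException("failed to read key", e);
        }
    }

    /**
     * Resolves {@code keyPath} and reads the private key, supplying the password on demand.
     *
     * <p>Missing-file, access-denied and security-manager failures are mapped to the
     * exceptions built by the inherited {@code *KeyConfigFile} helpers.
     */
    private static PrivateKey readPrivateKey(String keyPath, SecureString keyPassword, Environment environment) throws IOException {
        Path keyFile = CertParsingUtils.resolvePath(keyPath, environment);
        try {
            // The bound method reference fails fast on a null password, which is what the
            // decompiler had spelled out as an explicit Objects.requireNonNull call.
            return PemUtils.readPrivateKey(keyFile, keyPassword::getChars);
        } catch (FileNotFoundException | NoSuchFileException e) {
            throw missingKeyConfigFile(e, KEY_FILE, keyFile);
        } catch (AccessDeniedException e) {
            throw unreadableKeyConfigFile(e, KEY_FILE, keyFile);
        } catch (AccessControlException e) {
            throw blockedKeyConfigFile(e, environment, KEY_FILE, keyFile);
        }
    }

    /**
     * Builds a trust manager whose trusted certificates are exactly those in the certificate file.
     *
     * @throws ElasticsearchException wrapping any failure, including the file-access exceptions
     *     raised while reading the certificate file
     */
    @Override
    public X509ExtendedTrustManager createTrustManager(@Nullable Environment environment) {
        try {
            return CertParsingUtils.trustManager(getCertificateChain(environment));
        } catch (Exception e) {
            throw new ElasticsearchException("failed to initialize a TrustManagerFactory", e);
        }
    }

    /**
     * Lists the resolved key and certificate paths, key first, in a new mutable list.
     */
    @Override
    public List<Path> filesToMonitor(@Nullable Environment environment) {
        List<Path> paths = new ArrayList<>(2);
        paths.add(CertParsingUtils.resolvePath(this.keyPath, environment));
        paths.add(CertParsingUtils.resolvePath(this.certPath, environment));
        return paths;
    }

    /**
     * Two configurations are equal when they are of the same class and their key path,
     * key password and certificate path are all equal. The password comparison is
     * delegated to {@code SecureString.equals}.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        PEMKeyConfig other = (PEMKeyConfig) obj;
        return Objects.equals(this.keyPath, other.keyPath)
            && Objects.equals(this.keyPassword, other.keyPassword)
            && Objects.equals(this.certPath, other.certPath);
    }

    /**
     * Combines the hashes of key path, key password and certificate path with the same
     * 31-based formula as before, so hash values are unchanged.
     */
    @Override
    public int hashCode() {
        // Objects.hashCode(x) is 0 for null, matching the original null handling.
        int result = Objects.hashCode(this.keyPath);
        result = 31 * result + Objects.hashCode(this.keyPassword);
        result = 31 * result + Objects.hashCode(this.certPath);
        return result;
    }

    /**
     * Returns the key and certificate paths only; the key password is not part of the output.
     */
    @Override
    public String toString() {
        return "keyPath=[" + this.keyPath + "], certPaths=[" + this.certPath + "]";
    }
}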
