package org.elasticsearch.xpack.core.ssl;

import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.cert.CertificateInfo;

/* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLConfiguration.class */
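/**
 * Holds the resolved TLS settings for one SSL context: key material, trust material, cipher
 * suites, protocols, client-authentication mode and certificate verification mode.
 *
 * <p>All fields are final and assigned once in the constructor. A configuration is built either
 * from settings alone (missing values fall back to the {@link XPackSettings} defaults) or from
 * settings layered over another configuration (missing values are inherited from it).
 *
 * <p>This file is decompiler output. Members marked "package-private in the original class"
 * were widened to {@code public} by the decompiler, and the visibility is kept here so existing
 * callers are unaffected.
 *
 * <p>Security-relevant behaviour to keep in mind when reviewing callers:
 * <ul>
 *   <li>When the effective verification mode disables certificate verification, the trust
 *       configuration is {@code TrustAllConfig.INSTANCE} and any configured truststore or CA
 *       files are not used.</li>
 *   <li>The verification mode is inherited from the fallback configuration, so a permissive
 *       mode there applies to every configuration layered over it unless overridden.</li>
 *   <li>With no explicit key/trust settings and no fallback configuration, the
 *       {@code javax.net.ssl.*} JVM system properties are consulted, including the store
 *       passwords.</li>
 * </ul>
 */
public final class SSLConfiguration {
    static final SSLConfigurationSettings SETTINGS_PARSER = SSLConfigurationSettings.withoutPrefix();
    private final KeyConfig keyConfig;
    private final TrustConfig trustConfig;
    private final List<String> ciphers;
    private final List<String> supportedProtocols;
    private final SSLClientAuth sslClientAuth;
    private final VerificationMode verificationMode;

    /**
     * Builds a configuration from {@code settings} only; values that are not set fall back to
     * the {@link XPackSettings} defaults. Package-private in the original class.
     *
     * @param settings the settings to read the SSL options from
     */
    public SSLConfiguration(Settings settings) {
        this.keyConfig = createKeyConfig(settings, null);
        this.trustConfig = createTrustConfig(settings, this.keyConfig, null);
        this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, XPackSettings.DEFAULT_CIPHERS);
        this.supportedProtocols =
            getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS);
        this.sslClientAuth =
            getOptionalOrDefault(SETTINGS_PARSER.clientAuth, settings, XPackSettings.CLIENT_AUTH_DEFAULT);
        this.verificationMode =
            getOptionalOrDefault(SETTINGS_PARSER.verificationMode, settings, XPackSettings.VERIFICATION_MODE_DEFAULT);
    }

    /**
     * Builds a configuration from {@code settings} layered over another configuration: every
     * value that is not set in {@code settings} is taken from {@code sSLConfiguration}.
     * Package-private in the original class.
     *
     * @param settings the settings to read the SSL options from
     * @param sSLConfiguration the configuration supplying values that {@code settings} omits
     * @throws NullPointerException if {@code sSLConfiguration} is {@code null}
     */
    public SSLConfiguration(Settings settings, SSLConfiguration sSLConfiguration) {
        Objects.requireNonNull(sSLConfiguration);
        this.keyConfig = createKeyConfig(settings, sSLConfiguration);
        this.trustConfig = createTrustConfig(settings, this.keyConfig, sSLConfiguration);
        this.ciphers = getListOrDefault(SETTINGS_PARSER.ciphers, settings, sSLConfiguration.cipherSuites());
        this.supportedProtocols =
            getListOrDefault(SETTINGS_PARSER.supportedProtocols, settings, sSLConfiguration.supportedProtocols());
        this.sslClientAuth =
            getOptionalOrDefault(SETTINGS_PARSER.clientAuth, settings, sSLConfiguration.sslClientAuth());
        this.verificationMode =
            getOptionalOrDefault(SETTINGS_PARSER.verificationMode, settings, sSLConfiguration.verificationMode());
    }

    /** Returns the key configuration. Package-private in the original class. */
    public KeyConfig keyConfig() {
        return this.keyConfig;
    }

    /** Returns the trust configuration. Package-private in the original class. */
    public TrustConfig trustConfig() {
        return this.trustConfig;
    }

    /**
     * Returns the configured cipher suites. The internal list is returned as-is, not a copy.
     * Package-private in the original class.
     */
    public List<String> cipherSuites() {
        return this.ciphers;
    }

    /**
     * Returns the configured protocols. The internal list is returned as-is, not a copy.
     * Package-private in the original class.
     */
    public List<String> supportedProtocols() {
        return this.supportedProtocols;
    }

    /** Returns the certificate verification mode. */
    public VerificationMode verificationMode() {
        return this.verificationMode;
    }

    /** Returns the client-authentication mode. Package-private in the original class. */
    public SSLClientAuth sslClientAuth() {
        return this.sslClientAuth;
    }

    /**
     * Returns the files backing the key and trust configurations. Package-private in the
     * original class.
     *
     * @param environment passed through to the key and trust configurations; may be {@code null}
     * @return the key configuration's files, followed by the trust configuration's files when
     *     the two configurations are different objects
     */
    public List<Path> filesToMonitor(@Nullable Environment environment) {
        // Identity comparison: when one object serves as both key and trust configuration,
        // its files are listed once and its own list is returned directly.
        if (keyConfig() == trustConfig()) {
            return keyConfig().filesToMonitor(environment);
        }
        List<Path> monitored = new ArrayList<>(keyConfig().filesToMonitor(environment));
        monitored.addAll(trustConfig().filesToMonitor(environment));
        return monitored;
    }

    /**
     * Renders every field for diagnostics.
     *
     * <p>NOTE(review): the output embeds {@code keyConfig.toString()} and
     * {@code trustConfig.toString()}; confirm those never render passwords or key material
     * before this string is written to logs.
     */
    @Override
    public String toString() {
        // The original emitted "trustConfig=" without its opening bracket, leaving the
        // brackets unbalanced; the "[" is restored here.
        return "SSLConfiguration{keyConfig=[" + this.keyConfig
            + "], trustConfig=[" + this.trustConfig
            + "], cipherSuites=[" + this.ciphers
            + "], supportedProtocols=[" + this.supportedProtocols
            + "], sslClientAuth=[" + this.sslClientAuth
            + "], verificationMode=[" + this.verificationMode + "]}";
    }

    /**
     * Compares all six fields. Key/trust configurations and the two lists are compared with
     * {@code equals}; the verification and client-auth modes are compared by identity.
     *
     * <p>The decompiled original dereferenced {@code supportedProtocols()} before its own null
     * check and then compared it a second time; the comparison is now null-safe and done once.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof SSLConfiguration)) {
            return false;
        }
        SSLConfiguration that = (SSLConfiguration) obj;
        return Objects.equals(keyConfig(), that.keyConfig())
            && Objects.equals(trustConfig(), that.trustConfig())
            && Objects.equals(cipherSuites(), that.cipherSuites())
            && Objects.equals(supportedProtocols(), that.supportedProtocols())
            && verificationMode() == that.verificationMode()
            && sslClientAuth() == that.sslClientAuth();
    }

    /**
     * Combines the hash codes of all six fields with the same 31-multiplier scheme as the
     * original, treating a {@code null} field as 0 so that it agrees with {@link #equals}.
     */
    @Override
    public int hashCode() {
        int result = Objects.hashCode(keyConfig());
        result = 31 * result + Objects.hashCode(trustConfig());
        result = 31 * result + Objects.hashCode(cipherSuites());
        result = 31 * result + Objects.hashCode(supportedProtocols());
        result = 31 * result + Objects.hashCode(verificationMode());
        result = 31 * result + Objects.hashCode(sslClientAuth());
        return result;
    }

    /**
     * Resolves the key configuration in this order: explicit key settings, the fallback
     * configuration's key configuration, the {@code javax.net.ssl.keyStore} system property,
     * and finally {@code KeyConfig.NONE}.
     *
     * @param settings the settings to read
     * @param parent the configuration to inherit from, or {@code null}
     */
    private static KeyConfig createKeyConfig(Settings settings, SSLConfiguration parent) {
        // The third argument is read from the truststore-algorithm setting, as in the original.
        KeyConfig explicit = CertParsingUtils.createKeyConfig(
            SETTINGS_PARSER.x509KeyPair, settings, (String) SETTINGS_PARSER.truststoreAlgorithm.get(settings));
        if (explicit != null) {
            return explicit;
        }
        if (parent != null) {
            return parent.keyConfig();
        }
        if (System.getProperty("javax.net.ssl.keyStore") == null) {
            return KeyConfig.NONE;
        }
        // The password comes from a JVM system property, i.e. from a String that stays in the
        // property table whatever happens to this wrapper; a missing property means an empty
        // password. The same value is passed in both password positions (presumably the
        // keystore password and the key password).
        // NOTE(review): the wrapper is closed as soon as the constructor returns, so
        // StoreKeyConfig has to keep its own copy of the password; confirm.
        try (SecureString password = new SecureString(System.getProperty("javax.net.ssl.keyStorePassword", ""))) {
            return new StoreKeyConfig(
                System.getProperty("javax.net.ssl.keyStore"),
                KeyStore.getDefaultType(),
                password,
                password,
                System.getProperty("ssl.KeyManagerFactory.algorithm", KeyManagerFactory.getDefaultAlgorithm()),
                System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
        }
    }

    /**
     * Resolves the certificate-chain trust configuration and, when a trust-restrictions path
     * is set, wraps it in a {@code RestrictedTrustConfig}.
     */
    private static TrustConfig createTrustConfig(Settings settings, KeyConfig keyConfig, SSLConfiguration parent) {
        TrustConfig chainTrust = createCertChainTrustConfig(settings, keyConfig, parent);
        String restrictionsPath = getOptionalOrDefault(SETTINGS_PARSER.trustRestrictionsPath, settings, null);
        if (restrictionsPath != null) {
            return new RestrictedTrustConfig(settings, restrictionsPath, chainTrust);
        }
        return chainTrust;
    }

    /**
     * Resolves the trust configuration used for certificate-chain validation.
     *
     * <p>Order of precedence: trust-all when verification is disabled, CA files, truststore,
     * then the inherited/default configuration or the {@code javax.net.ssl.trustStore} system
     * property.
     *
     * @throws IllegalArgumentException if both a truststore path and CA files are configured
     */
    private static TrustConfig createCertChainTrustConfig(
            Settings settings, KeyConfig keyConfig, SSLConfiguration parent) {
        String truststorePath = getOptionalOrDefault(SETTINGS_PARSER.truststorePath, settings, null);
        List<String> caPaths = getListOrNull(SETTINGS_PARSER.caPaths, settings);
        if (truststorePath != null && caPaths != null) {
            throw new IllegalArgumentException("you cannot specify a truststore and ca files");
        }

        // The mode is inherited from the fallback configuration when not set here.
        VerificationMode inheritedMode =
            parent != null ? parent.verificationMode() : XPackSettings.VERIFICATION_MODE_DEFAULT;
        VerificationMode mode = getOptionalOrDefault(SETTINGS_PARSER.verificationMode, settings, inheritedMode);
        if (!mode.isCertificateVerificationEnabled()) {
            // Verification is off: every peer certificate is accepted and the truststore / CA
            // settings read above are not used. Deployments that depend on peer authentication
            // should alert on configurations that resolve to this branch.
            return TrustAllConfig.INSTANCE;
        }
        if (caPaths != null) {
            return new PEMTrustConfig(caPaths);
        }
        if (truststorePath != null) {
            return new StoreTrustConfig(
                truststorePath,
                SSLConfigurationSettings.getKeyStoreType(SETTINGS_PARSER.truststoreType, settings, truststorePath),
                (SecureString) SETTINGS_PARSER.truststorePassword.get(settings),
                (String) SETTINGS_PARSER.truststoreAlgorithm.get(settings));
        }
        // The system property is consulted only when there is no fallback configuration.
        if (parent != null || System.getProperty("javax.net.ssl.trustStore") == null) {
            if (parent != null && keyConfig == parent.keyConfig()) {
                // The key configuration was inherited unchanged, so the trust is inherited too.
                return parent.trustConfig();
            }
            if (keyConfig != KeyConfig.NONE) {
                return DefaultJDKTrustConfig.merge(keyConfig);
            }
            return DefaultJDKTrustConfig.INSTANCE;
        }
        // As for the keystore: the password comes from a JVM system property (a String that
        // remains in the property table) and defaults to the empty string.
        // NOTE(review): StoreTrustConfig has to keep its own copy of the password, because the
        // wrapper is closed when the constructor returns; confirm.
        try (SecureString password = new SecureString(System.getProperty("javax.net.ssl.trustStorePassword", ""))) {
            return new StoreTrustConfig(
                System.getProperty("javax.net.ssl.trustStore"),
                KeyStore.getDefaultType(),
                password,
                System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
        }
    }

    /** Returns the list setting's value, or {@code null} when it is not present in {@code settings}. */
    private static List<String> getListOrNull(Setting<List<String>> setting, Settings settings) {
        return getListOrDefault(setting, settings, null);
    }

    /** Returns the list setting's value, or {@code list} when it is not present in {@code settings}. */
    private static List<String> getListOrDefault(Setting<List<String>> setting, Settings settings, List<String> list) {
        return setting.exists(settings) ? setting.get(settings) : list;
    }

    /**
     * Reads a setting whose value is an {@link Optional} and returns its content, or
     * {@code fallback} when the optional is empty.
     *
     * <p>The declared generic types of the {@code SSLConfigurationSettings} fields are not
     * visible in this file (the decompiled code used raw {@code Optional} casts), so the cast
     * is unchecked; a mismatching setting fails with a {@code ClassCastException} at the call
     * site, as the original casts did.
     */
    @SuppressWarnings("unchecked")
    private static <T> T getOptionalOrDefault(Setting<?> setting, Settings settings, T fallback) {
        return ((Optional<T>) setting.get(settings)).orElse(fallback);
    }

    /**
     * Collects the certificates of the key configuration followed by those of the trust
     * configuration. Package-private in the original class.
     *
     * @param environment passed through to the key and trust configurations; may be {@code null}
     * @return a new list with the key configuration's certificates first
     * @throws GeneralSecurityException declared by the original method
     * @throws IOException declared by the original method
     */
    public List<CertificateInfo> getDefinedCertificates(@Nullable Environment environment)
            throws GeneralSecurityException, IOException {
        List<CertificateInfo> certificates = new ArrayList<>();
        certificates.addAll(this.keyConfig.certificates(environment));
        certificates.addAll(this.trustConfig.certificates(environment));
        return certificates;
    }
}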
