package org.elasticsearch.common.ssl;

import java.io.IOException;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.elasticsearch.core.Tuple;

/* loaded from: input_file:org/elasticsearch/common/ssl/PemKeyConfig.class */
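/**
 * An {@link SslKeyConfig} backed by two PEM files: a certificate (chain) file and a private-key file.
 *
 * <p>Both files are configured as path strings and resolved against {@code configBasePath} on every
 * use. This class caches nothing: each call that needs certificates or the private key reads the
 * file again via {@code PemUtils}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The key password array is stored by reference, not copied (see the constructor).</li>
 *   <li>{@link #toString()} prints the two configured path strings only; the password is not included.</li>
 *   <li>Path resolution performs no normalization or containment check (see {@link #resolve(String)}).</li>
 *   <li>{@link #equals(Object)} and {@link #hashCode()} ignore {@code configBasePath}.</li>
 * </ul>
 */
public final class PemKeyConfig implements SslKeyConfig {
    private static final String KEY_FILE_TYPE = "PEM private key";
    private static final String CERT_FILE_TYPE = "PEM certificate";
    private final String certificate;
    private final String key;
    private final char[] keyPassword;
    private final Path configBasePath;

    /**
     * Creates a configuration from path strings; no file is opened here.
     *
     * @param certificatePath path string of the PEM certificate file, resolved against {@code configBasePath}
     * @param keyPath         path string of the PEM private-key file, resolved against {@code configBasePath}
     * @param keyPassword     password for the private key; must not be {@code null} but may be empty
     * @param configBasePath  base path that relative path strings are resolved against
     * @throws NullPointerException if any argument is {@code null}
     */
    public PemKeyConfig(String certificatePath, String keyPath, char[] keyPassword, Path configBasePath) {
        this.certificate = Objects.requireNonNull(certificatePath, "Certificate path cannot be null");
        this.key = Objects.requireNonNull(keyPath, "Key path cannot be null");
        // The array is kept by reference. A caller that later clears or reuses it changes the
        // password seen by every subsequent key load, as well as by equals() and hashCode().
        this.keyPassword = Objects.requireNonNull(keyPassword, "Key password cannot be null (but may be empty)");
        this.configBasePath = Objects.requireNonNull(configBasePath, "Config base path cannot be null");
    }

    /** Always {@code true}: this configuration always names a certificate and a key. */
    @Override
    public boolean hasKeyMaterial() {
        return true;
    }

    /**
     * Returns the resolved certificate path followed by the resolved key path.
     *
     * @return a fixed-size list of the two resolved paths
     */
    @Override
    public Collection<Path> getDependentFiles() {
        return Arrays.asList(resolve(this.certificate), resolve(this.key));
    }

    /**
     * Resolves a configured path string against the config base path.
     *
     * <p>This is a plain {@link Path#resolve(String)}: an absolute path string is returned as is, and
     * {@code ..} segments are neither normalized nor rejected. Any restriction on where key material
     * may live has to be enforced elsewhere.
     */
    private Path resolve(String fileName) {
        return this.configBasePath.resolve(fileName);
    }

    /**
     * Reads the certificate file and describes each X.509 certificate found in it.
     *
     * <p>Entries that are not {@link X509Certificate} instances are skipped.
     *
     * @return one {@code StoredCertificate} per X.509 certificate, in file order
     */
    @Override
    public Collection<StoredCertificate> getConfiguredCertificates() {
        final List<Certificate> certificates = getCertificates(resolve(this.certificate));
        final List<StoredCertificate> stored = new ArrayList<>(certificates.size());
        // True only for the first entry of the file, and cleared even when that entry is skipped.
        // NOTE(review): presumably marks the certificate that pairs with the private key;
        // confirm against the StoredCertificate constructor.
        boolean firstInFile = true;
        for (Certificate candidate : certificates) {
            if (candidate instanceof X509Certificate) {
                stored.add(new StoredCertificate((X509Certificate) candidate, this.certificate, "PEM", null, firstInFile));
            }
            firstInFile = false;
        }
        return stored;
    }

    /**
     * Builds a key manager from the private key and the certificates in the configured files.
     *
     * <p>The private key is parsed before the certificate file is read. The configured key password
     * is handed both to {@code KeyStoreUtil.buildKeyStore} and to {@code KeyStoreUtil.createKeyManager}.
     * No check is made in this method that the private key matches the certificate.
     *
     * @return a key manager using {@link KeyManagerFactory#getDefaultAlgorithm()}
     * @throws SslConfigException if the key store or key manager cannot be built
     */
    @Override
    public X509ExtendedKeyManager createKeyManager() {
        final Path keyPath = resolve(this.key);
        final PrivateKey privateKey = getPrivateKey(keyPath);
        final Path certificatePath = resolve(this.certificate);
        try {
            return KeyStoreUtil.createKeyManager(
                KeyStoreUtil.buildKeyStore(getCertificates(certificatePath), privateKey, this.keyPassword),
                this.keyPassword,
                KeyManagerFactory.getDefaultAlgorithm()
            );
        } catch (GeneralSecurityException e) {
            throw new SslConfigException(
                "failed to load a KeyManager for certificate/key pair [" + certificatePath + "], [" + keyPath + "]",
                e
            );
        }
    }

    /**
     * Returns the private key paired with the first certificate of the certificate file.
     *
     * <p>The key file is parsed only when the first certificate is an {@link X509Certificate}.
     * Later certificates in the file are not paired with the key.
     *
     * @return a single key/certificate tuple, or an empty list when the file holds no certificate
     *         or its first entry is not X.509
     */
    @Override
    public List<Tuple<PrivateKey, X509Certificate>> getKeys() {
        final Path keyPath = resolve(this.key);
        final List<Certificate> certificates = getCertificates(resolve(this.certificate));
        if (certificates.isEmpty()) {
            return List.of();
        }
        final Certificate leaf = certificates.get(0);
        if (leaf instanceof X509Certificate) {
            return List.of(Tuple.tuple(getPrivateKey(keyPath), (X509Certificate) leaf));
        }
        return List.of();
    }

    /**
     * Returns a trust configuration built from this configuration's certificate path string and
     * base path. The private key is not involved.
     */
    @Override
    public SslTrustConfig asTrustConfig() {
        return new PemTrustConfig(List.of(this.certificate), this.configBasePath);
    }

    /**
     * Parses the private key at {@code path}, supplying the configured password on demand.
     *
     * <p>Failures are converted to exceptions from {@code SslFileUtil} that carry the file type and
     * path. The password is not placed in any message built here.
     *
     * @throws SslConfigException if the parser returns {@code null} for the file
     */
    private PrivateKey getPrivateKey(Path path) {
        try {
            final PrivateKey parsed = PemUtils.parsePrivateKey(path, () -> this.keyPassword);
            if (parsed == null) {
                throw new SslConfigException("could not load ssl private key file [" + path + "]");
            }
            return parsed;
        } catch (IOException e) {
            throw SslFileUtil.ioException(KEY_FILE_TYPE, List.of(path), e);
        } catch (AccessControlException e) {
            // NOTE(review): presumably raised when a security policy denies the file read; confirm.
            throw SslFileUtil.accessControlFailure(KEY_FILE_TYPE, List.of(path), e, this.configBasePath);
        } catch (GeneralSecurityException e) {
            throw SslFileUtil.securityException(KEY_FILE_TYPE, List.of(path), e);
        }
    }

    /**
     * Reads all certificates from the PEM file at {@code path}.
     *
     * <p>Failures are converted to exceptions from {@code SslFileUtil} that carry the file type and path.
     */
    private List<Certificate> getCertificates(Path path) {
        try {
            return PemUtils.readCertificates(Collections.singleton(path));
        } catch (IOException e) {
            throw SslFileUtil.ioException(CERT_FILE_TYPE, List.of(path), e);
        } catch (AccessControlException e) {
            // NOTE(review): presumably raised when a security policy denies the file read; confirm.
            throw SslFileUtil.accessControlFailure(CERT_FILE_TYPE, List.of(path), e, this.configBasePath);
        } catch (GeneralSecurityException e) {
            throw SslFileUtil.securityException(CERT_FILE_TYPE, List.of(path), e);
        }
    }

    /** Describes the configuration by its two path strings; the key password is not included. */
    @Override
    public String toString() {
        return "PEM-key-config{cert=" + this.certificate + " key=" + this.key + "}";
    }

    /**
     * Compares certificate path string, key path string and key password contents.
     *
     * <p>{@code configBasePath} is not compared, so two configurations with the same relative path
     * strings but different base paths are equal even though they resolve to different files.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final PemKeyConfig that = (PemKeyConfig) obj;
        return Objects.equals(this.certificate, that.certificate)
            && Objects.equals(this.key, that.key)
            && Arrays.equals(this.keyPassword, that.keyPassword);
    }

    /** Hashes the same three fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        return (31 * Objects.hash(this.certificate, this.key)) + Arrays.hashCode(this.keyPassword);
    }
}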
