package com.floragunn.signals.watch.common;

import com.fasterxml.jackson.databind.JsonNode;
import com.floragunn.searchguard.support.PemKeyReader;
import com.floragunn.searchsupport.config.validation.ConfigValidationException;
import com.floragunn.searchsupport.config.validation.InvalidAttributeValue;
import com.floragunn.searchsupport.config.validation.ValidatingJsonNode;
import com.floragunn.searchsupport.config.validation.ValidationError;
import com.floragunn.searchsupport.config.validation.ValidationErrors;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.Map;
import javax.crypto.NoSuchPaddingException;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;

/* loaded from: input_file:com/floragunn/signals/watch/common/TlsClientAuthConfig.class */
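/**
 * Inline (PEM-embedded) TLS client-authentication material for a watch's HTTP client.
 *
 * <p>The certificate chain, private key and optional key password are taken from the watch
 * definition ({@code certs}, {@code private_key}, {@code private_key_password}), parsed, and
 * wrapped in an in-memory JKS keystore protected by a random per-instance password so that
 * Apache's {@link SSLContextBuilder} can consume them.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The PEM key and its password are held as {@link String} fields and are written back
 *       verbatim by {@link #toXContent}. Whatever stores or displays that output holds the
 *       secret in clear text; access to it must be restricted accordingly.</li>
 *   <li>The random keystore password only guards the in-memory JKS entry; it is not a secret
 *       that outlives this object and is not wiped when the object is discarded.</li>
 * </ul>
 */
public class TlsClientAuthConfig implements ToXContentObject {
    private String inlineAuthCertsPem;
    private Collection<? extends Certificate> inlineAuthCerts;
    private String inlineAuthKey;
    private String inlineAuthKeyPassword;
    private PrivateKey authKey;
    private KeyStore authKeyStore;
    private char[] effectiveKeyPassword;
    /** Alias under which the key entry is stored and later selected from the keystore. */
    private String alias = "alias";

    /**
     * Populates this object from a watch-definition JSON node and validates it.
     *
     * @param jsonNode the {@code tls.client_auth} node of the watch definition
     * @throws ConfigValidationException if {@code certs} or {@code private_key} is missing or
     *         the PEM content cannot be parsed
     */
    void init(JsonNode jsonNode) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingJsonNode validatingJsonNode = new ValidatingJsonNode(jsonNode, validationErrors);
        this.inlineAuthCertsPem = validatingJsonNode.requiredString("certs");
        this.inlineAuthKeyPassword = validatingJsonNode.string("private_key_password");
        this.inlineAuthKey = validatingJsonNode.requiredString("private_key");
        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    /**
     * (Re)builds the parsed key material from the PEM strings currently set via the setters.
     *
     * @throws ConfigValidationException if the certificates or the private key cannot be parsed
     */
    public void init() throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    /**
     * Parses certificates and key and builds the in-memory keystore, collecting any failures
     * into {@code validationErrors} instead of throwing.
     */
    private void init(ValidationErrors validationErrors) {
        try {
            this.inlineAuthCerts = TlsConfig.parseCertificates(this.inlineAuthCertsPem);
        } catch (ConfigValidationException e) {
            // NOTE(review): reported under "certificate" although the attribute is named "certs";
            // left unchanged because consumers of the error payload may depend on this key.
            validationErrors.add("certificate", e);
        }
        this.authKey = parsePrivateKey(this.inlineAuthKey, "private_key", null, this.inlineAuthKeyPassword, validationErrors);
        // The keystore gets a throwaway random password; the user-supplied private_key_password
        // was only needed to decrypt the PEM above and is not reused for the keystore entry.
        this.effectiveKeyPassword = PemKeyReader.randomChars(12);
        try {
            this.authKeyStore = toKeystore(this.alias, this.effectiveKeyPassword, this.inlineAuthCerts, this.authKey);
        } catch (ConfigValidationException e2) {
            validationErrors.add((String) null, e2);
        }
    }

    /**
     * Parses a PEM-encoded (optionally encrypted) private key.
     *
     * @param pem              the PEM text; {@code null} yields {@code null} without recording an error
     * @param attribute        attribute name used when reporting a parse failure
     * @param jsonNode         node attached to the validation error (may be {@code null})
     * @param password         password for an encrypted key, or {@code null}
     * @param validationErrors collector that receives a parse failure
     * @return the key, or {@code null} if absent or unparsable
     */
    private PrivateKey parsePrivateKey(String pem, String attribute, JsonNode jsonNode, String password, ValidationErrors validationErrors) {
        if (pem == null) {
            return null;
        }
        try {
            // PEM is 7-bit; US_ASCII makes that explicit instead of relying on the platform charset.
            return PemKeyReader.toPrivateKey(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)), password);
        } catch (IOException | InvalidAlgorithmParameterException | KeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException e) {
            // NOTE(review): the supplied PEM text (i.e. the key itself) is echoed as the error's
            // value; anything that surfaces this error beyond the watch author leaks it.
            validationErrors.add(new InvalidAttributeValue(attribute, pem, "Private key in PEM file", jsonNode).cause(e));
            return null;
        }
    }

    /**
     * Wraps a private key and its certificate chain in a fresh in-memory JKS keystore.
     *
     * @param keyAlias    alias for the key entry
     * @param keyPassword password protecting the key entry
     * @param chain       certificate chain for the key
     * @param privateKey  the private key
     * @return the keystore, or {@code null} if alias, chain or key is absent
     * @throws ConfigValidationException if the chain is empty or the keystore cannot be built
     */
    private KeyStore toKeystore(String keyAlias, char[] keyPassword, Collection<? extends Certificate> chain, PrivateKey privateKey) throws ConfigValidationException {
        if (keyAlias == null || chain == null || privateKey == null) {
            return null;
        }
        // KeyStore.setKeyEntry rejects a private key with an empty chain via IllegalArgumentException,
        // which the generic catch below would report as "Could not initialize JKS KeyStore".
        // Report the real problem against the "certs" attribute instead.
        if (chain.isEmpty()) {
            throw new ConfigValidationException(new ValidationError("certs", "No certificate found to accompany the private key"));
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null); // initialise an empty store; nothing is read from disk
            try {
                keyStore.setKeyEntry(keyAlias, privateKey, keyPassword, chain.toArray(new Certificate[0]));
                return keyStore;
            } catch (KeyStoreException e) {
                throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
            }
        } catch (ConfigValidationException e) {
            throw e;
        } catch (Exception e2) {
            throw new ConfigValidationException(new ValidationError((String) null, "Could not initialize JKS KeyStore").cause(e2));
        }
    }

    /**
     * Builds and validates a configuration from the given JSON node.
     *
     * @throws ConfigValidationException if the node is incomplete or its PEM content is invalid
     */
    public static TlsClientAuthConfig create(JsonNode jsonNode) throws ConfigValidationException {
        TlsClientAuthConfig tlsClientAuthConfig = new TlsClientAuthConfig();
        tlsClientAuthConfig.init(jsonNode);
        return tlsClientAuthConfig;
    }

    /** @return the in-memory keystore holding the client key, or {@code null} if not initialised */
    KeyStore getAuthKeyStore() {
        return this.authKeyStore;
    }

    /**
     * Installs this object's key material into an Apache {@link SSLContextBuilder}.
     *
     * <p>Fails closed: if no keystore was built (init not run, or certificate/key missing) a
     * {@link ConfigValidationException} is thrown instead of handing a {@code null} keystore to
     * the builder, which would presumably yield a context without a client certificate and so
     * silently disable client authentication.
     *
     * @throws ConfigValidationException if the key material is absent or the builder rejects it
     */
    public void loadKeyMaterial(SSLContextBuilder sSLContextBuilder) throws ConfigValidationException {
        if (this.authKeyStore == null) {
            throw new ConfigValidationException(new ValidationError((String) null, "TLS client auth key material has not been initialized"));
        }
        try {
            sSLContextBuilder.loadKeyMaterial(this.authKeyStore, this.effectiveKeyPassword, new PrivateKeyStrategy() {
                @Override
                public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                    String preferred = TlsClientAuthConfig.this.alias;
                    if (aliases == null || aliases.isEmpty()) {
                        return preferred;
                    }
                    if (preferred == null || preferred.isEmpty()) {
                        // No configured alias: fall back to whichever entry the keystore offers first.
                        return aliases.keySet().iterator().next();
                    }
                    return preferred;
                }
            });
        } catch (Exception e) {
            throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
        }
    }

    /**
     * Serialises the inline PEM fields back to their JSON form.
     *
     * <p>This emits the private key and its password in clear text, exactly as they were
     * configured. Do not route this output to logs or to unprivileged views.
     */
    @Override
    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        if (this.inlineAuthCertsPem != null) {
            xContentBuilder.field("certs", this.inlineAuthCertsPem);
        }
        if (this.inlineAuthKey != null) {
            xContentBuilder.field("private_key", this.inlineAuthKey);
        }
        if (this.inlineAuthKeyPassword != null) {
            xContentBuilder.field("private_key_password", this.inlineAuthKeyPassword);
        }
        xContentBuilder.endObject();
        return xContentBuilder;
    }

    public String getInlineAuthCertsPem() {
        return this.inlineAuthCertsPem;
    }

    /** Sets the PEM certificate chain; call {@link #init()} afterwards to rebuild the keystore. */
    public void setInlineAuthCertsPem(String str) {
        this.inlineAuthCertsPem = str;
    }

    public String getInlineAuthKey() {
        return this.inlineAuthKey;
    }

    /** Sets the PEM private key; call {@link #init()} afterwards to rebuild the keystore. */
    public void setInlineAuthKey(String str) {
        this.inlineAuthKey = str;
    }

    public String getInlineAuthKeyPassword() {
        return this.inlineAuthKeyPassword;
    }

    /** Sets the password of an encrypted PEM key; call {@link #init()} afterwards. */
    public void setInlineAuthKeyPassword(String str) {
        this.inlineAuthKeyPassword = str;
    }
}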
