package org.apache.nifi.security.util;

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/security/util/SslContextFactory.class */
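/**
 * Builds JSSE {@link SSLContext} and {@link SSLSocketFactory} instances from a
 * {@link TlsConfiguration}.
 *
 * <p>Behavioural contract visible in this class:
 * <ul>
 *   <li>An empty configuration yields {@code null} rather than an exception; callers must
 *       treat {@code null} as "TLS not configured" and never fall back silently to a
 *       plaintext or default-trust connection without intending to.</li>
 *   <li>Keystore properties without truststore properties are rejected, as are keystore or
 *       truststore properties that are populated but invalid.</li>
 *   <li>The {@link ClientAuth} argument is <b>not</b> applied to the returned context: an
 *       {@code SSLContext} cannot carry a client-authentication requirement (see
 *       {@link #initializeSSLContext}). It must be set on each {@code SSLEngine} or
 *       {@code SSLServerSocket} by the code that creates them.</li>
 * </ul>
 *
 * <p>All methods are static and stateless apart from logging; the class is thread-safe.
 */
public final class SslContextFactory {
    private static final Logger logger = LoggerFactory.getLogger(SslContextFactory.class);

    /**
     * Decompiler artifact: the switch-map table javac generates for a {@code switch} on
     * {@link ClientAuth}. It is retained only so the class shape matches the original
     * binary; nothing in this class reads it any more. The empty {@code catch} blocks are
     * the standard generated guard against an enum constant that no longer exists at run
     * time and are intentionally left empty.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.nifi.security.util.SslContextFactory$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/nifi/security/util/SslContextFactory$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$nifi$security$util$ClientAuth = new int[ClientAuth.values().length];

        static {
            try {
                $SwitchMap$org$apache$nifi$security$util$ClientAuth[ClientAuth.REQUIRED.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // generated guard: the constant is absent from the runtime enum
            }
            try {
                $SwitchMap$org$apache$nifi$security$util$ClientAuth[ClientAuth.WANT.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // generated guard: the constant is absent from the runtime enum
            }
            try {
                $SwitchMap$org$apache$nifi$security$util$ClientAuth[ClientAuth.NONE.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // generated guard: the constant is absent from the runtime enum
            }
        }
    }

    /**
     * Creates an {@link SSLContext} from the configuration, defaulting the requested client
     * authentication mode to {@link ClientAuth#REQUIRED}.
     *
     * @param tlsConfiguration the keystore/truststore/protocol settings; may be empty
     * @return the initialised context, or {@code null} if the configuration is empty
     * @throws TlsException if the configuration is inconsistent or invalid, or the JSSE
     *         context cannot be created
     */
    public static SSLContext createSslContext(TlsConfiguration tlsConfiguration) throws TlsException {
        return createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
    }

    /**
     * Creates an {@link SSLContext} from the configuration.
     *
     * <p>A populated keystore with an unpopulated truststore is rejected: presenting an
     * identity without any explicit trust material is almost always a misconfiguration.
     * A truststore without a keystore (client-only, server verification) is accepted.
     *
     * @param tlsConfiguration the keystore/truststore/protocol settings; may be empty
     * @param clientAuth the requested client-authentication mode; {@code null} is treated as
     *        {@link ClientAuth#REQUIRED}. Note that the value is only logged, not enforced on
     *        the returned context (see class Javadoc)
     * @return the initialised context, or {@code null} if the configuration is empty
     * @throws TlsException if the keystore is populated but the truststore is not, if either
     *         store is populated but invalid, or if the JSSE context cannot be created
     */
    public static SSLContext createSslContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth) throws TlsException {
        if (TlsConfiguration.isEmpty(tlsConfiguration)) {
            logger.debug("Cannot create SSLContext from empty TLS configuration; returning null");
            return null;
        }
        if (tlsConfiguration.isKeystorePopulated() && !tlsConfiguration.isTruststorePopulated()) {
            logger.error("The TLS config keystore properties were populated but the truststore properties were not");
            if (logger.isDebugEnabled()) {
                // NOTE(review): relies on TlsConfiguration.toString() masking passwords — confirm
                logger.debug("Provided TLS config: {}", tlsConfiguration);
            }
            throw new TlsException("Truststore properties are required if keystore properties are present");
        }
        ClientAuth effectiveClientAuth = clientAuth;
        if (effectiveClientAuth == null) {
            effectiveClientAuth = ClientAuth.REQUIRED;
            logger.debug("ClientAuth was null so defaulting to {}", effectiveClientAuth);
        }
        KeyManager[] keyManagers = getKeyManagers(tlsConfiguration);
        TrustManager[] trustManagers = getTrustManagers(tlsConfiguration);
        return initializeSSLContext(tlsConfiguration, effectiveClientAuth, keyManagers, trustManagers);
    }

    /**
     * Returns the first {@link X509TrustManager} produced for the configured truststore.
     *
     * @param tlsConfiguration the configuration whose truststore should be loaded
     * @return the first X.509 trust manager, or {@code null} if no truststore is configured or
     *         none of the loaded trust managers is an {@code X509TrustManager}
     * @throws TlsException if truststore properties are populated but invalid
     */
    public static X509TrustManager getX509TrustManager(TlsConfiguration tlsConfiguration) throws TlsException {
        TrustManager[] trustManagers = getTrustManagers(tlsConfiguration);
        if (trustManagers == null) {
            return null;
        }
        return Arrays.stream(trustManagers)
                .filter(X509TrustManager.class::isInstance)
                .map(X509TrustManager.class::cast)
                .findFirst()
                .orElse(null);
    }

    /**
     * Creates an {@link SSLSocketFactory} from the configuration.
     *
     * @param tlsConfiguration the keystore/truststore/protocol settings; may be empty
     * @return a socket factory bound to the created context, or {@code null} if the
     *         configuration is empty
     * @throws TlsException as for {@link #createSslContext(TlsConfiguration, ClientAuth)}
     */
    public static SSLSocketFactory createSSLSocketFactory(TlsConfiguration tlsConfiguration) throws TlsException {
        SSLContext sslContext = createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
        if (sslContext != null) {
            return sslContext.getSocketFactory();
        }
        // createSslContext returns null only for an empty configuration and otherwise throws,
        // so a null context with a populated configuration is unexpected and worth surfacing.
        if (!TlsConfiguration.isEmpty(tlsConfiguration)) {
            logger.error("The SSLContext could not be formed from the provided TLS configuration. Check the provided keystore and truststore properties");
        }
        return null;
    }

    /**
     * Loads the key managers for the configured keystore.
     *
     * @param tlsConfiguration the configuration whose keystore properties are read
     * @return the key managers, or {@code null} if no keystore properties are populated (the
     *         JSSE then initialises the context without a local identity)
     * @throws TlsException if some keystore properties are populated but the keystore is not
     *         valid
     */
    protected static KeyManager[] getKeyManagers(TlsConfiguration tlsConfiguration) throws TlsException {
        if (tlsConfiguration.isKeystoreValid()) {
            return KeyStoreUtils.loadKeyManagerFactory(tlsConfiguration).getKeyManagers();
        }
        if (tlsConfiguration.isAnyKeystorePopulated()) {
            // A partially configured keystore is an error, not a silent fallback to "no identity".
            // NOTE(review): assumes getKeystorePropertiesForLogging() redacts the password — confirm
            logger.warn("Some keystore properties are populated ({}, {}, {}, {}) but not valid", tlsConfiguration.getKeystorePropertiesForLogging());
            throw new TlsException("The keystore properties are not valid");
        }
        logger.debug("The keystore properties are not populated");
        return null;
    }

    /**
     * Loads the trust managers for the configured truststore.
     *
     * @param tlsConfiguration the configuration whose truststore properties are read
     * @return the trust managers, or {@code null} if no truststore properties are populated
     *         (the JSSE then initialises the context with the JDK's default trust material)
     * @throws TlsException if some truststore properties are populated but the truststore is
     *         not valid
     */
    protected static TrustManager[] getTrustManagers(TlsConfiguration tlsConfiguration) throws TlsException {
        if (tlsConfiguration.isTruststoreValid()) {
            return KeyStoreUtils.loadTrustManagerFactory(tlsConfiguration).getTrustManagers();
        }
        if (tlsConfiguration.isAnyTruststorePopulated()) {
            // A partially configured truststore must not degrade silently to default trust.
            // NOTE(review): assumes getTruststorePropertiesForLogging() redacts the password — confirm
            logger.warn("Some truststore properties are populated ({}, {}, {}) but not valid", tlsConfiguration.getTruststorePropertiesForLogging());
            throw new TlsException("The truststore properties are not valid");
        }
        logger.debug("The truststore properties are not populated");
        return null;
    }

    /**
     * Creates and initialises the JSSE context for the configured protocol.
     *
     * <p>Earlier revisions switched on {@code clientAuth} and mutated the object returned by
     * {@code SSLContext.getDefaultSSLParameters()}. That method returns a fresh copy on every
     * call, so the mutation never reached any engine or socket created from the context and
     * the requested mode was silently not enforced. The no-op has been removed; the mode is
     * logged here so the gap is visible, and callers must apply it to the
     * {@code SSLParameters} of each {@code SSLEngine} / {@code SSLServerSocket}.
     *
     * @param tlsConfiguration supplies the protocol name passed to
     *        {@link SSLContext#getInstance(String)}
     * @param clientAuth the requested mode (never {@code null} here); logged, not applied
     * @param keyManagerArr key managers, or {@code null} to initialise without a local identity
     * @param trustManagerArr trust managers, or {@code null} to use the JSSE default trust
     * @return the initialised context
     * @throws TlsException if the protocol is unknown or the context cannot be initialised
     */
    private static SSLContext initializeSSLContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth, KeyManager[] keyManagerArr, TrustManager[] trustManagerArr) throws TlsException {
        try {
            SSLContext sslContext = SSLContext.getInstance(tlsConfiguration.getProtocol());
            sslContext.init(keyManagerArr, trustManagerArr, new SecureRandom());
            if (clientAuth != ClientAuth.NONE) {
                logger.debug("ClientAuth {} was requested but cannot be stored on an SSLContext; apply it to each SSLEngine/SSLServerSocket", clientAuth);
            }
            return sslContext;
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            // Pass the exception as the trailing argument so SLF4J records the stack trace.
            // NOTE(review): relies on TlsConfiguration.toString() masking passwords — confirm
            logger.error("Encountered an error creating SSLContext from TLS configuration ({})", tlsConfiguration, e);
            throw new TlsException("Error creating SSL context", e);
        }
    }
}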
