package org.neo4j.driver.internal.security;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.neo4j.driver.internal.net.BoltServerAddress;
import org.neo4j.driver.internal.util.BytePrinter;
import org.neo4j.driver.internal.util.CertificateTool;
import org.neo4j.driver.v1.Logger;

/* loaded from: input_file:org/neo4j/driver/internal/security/TrustOnFirstUseTrustManager.class */
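/**
 * {@link X509TrustManager} that implements trust-on-first-use (TOFU) for Bolt servers.
 *
 * <p>The first certificate a given server presents is pinned by appending the SHA-512
 * fingerprint of its DER encoding to a plain-text "known hosts" file, one
 * {@code serverId fingerprint} pair per line, where {@code serverId} is the
 * {@code BoltServerAddress.toString()} of the server. Every later handshake with the same
 * server must present a certificate with exactly that fingerprint; anything else is
 * rejected with a {@link CertificateException}, so a rotated server key or an interposed
 * man-in-the-middle is surfaced instead of silently accepted.
 *
 * <p>Security properties a caller should be aware of:
 * <ul>
 *   <li>Only the leaf certificate (index 0 of the chain) is pinned. The chain is not
 *       validated against any CA and the certificate's validity period is not checked
 *       ({@code checkValidity()} is never called). TOFU trusts whatever it sees first,
 *       so the very first connection to a server is not protected against an active
 *       attacker.</li>
 *   <li>The known-hosts file is the root of trust: whoever can write it can pin a
 *       fingerprint of their choosing. This class only checks that the file is
 *       readable/writable by the current process; it cannot verify ownership or that
 *       other users are denied write access, so the file should live in a location
 *       writable only by the user running the driver.</li>
 *   <li>Fingerprints are hashes of public certificates, not secrets; the file needs
 *       integrity protection, not confidentiality, and comparing them with
 *       {@code equals} leaks nothing useful.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link #fingerprint} is plain mutable state, and a TLS stack may invoke
 * {@link #checkServerTrusted} from several connection threads. Whether one instance is
 * shared between connections is not visible here; confirm against the caller before
 * relying on a single instance being safe under concurrent handshakes.
 */
public class TrustOnFirstUseTrustManager implements X509TrustManager {
    /** Separator between the server id and the fingerprint on a known-hosts line. */
    private static final String FIELD_SEPARATOR = " ";
    /** Prefix (after trimming) marking a comment line in the known-hosts file. */
    private static final String COMMENT_PREFIX = "#";
    /** Digest algorithm behind {@link #fingerprint(X509Certificate)}; changing it invalidates every pinned entry. */
    private static final String FINGERPRINT_ALGORITHM = "SHA-512";

    private final File knownHosts;
    private final String serverId;
    private final Logger logger;
    /** Fingerprint pinned for {@link #serverId}, or {@code null} until a certificate has been seen and recorded. */
    private String fingerprint;

    /**
     * Creates a trust manager for a single server and loads any fingerprint already pinned for it.
     *
     * @param boltServerAddress the server this manager guards; its {@code toString()} is the
     *                          lookup key in the known-hosts file
     * @param file              the known-hosts file; it need not exist yet
     * @param logger            used to report when a new fingerprint is pinned
     * @throws IOException if the known-hosts file exists but cannot be read
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public TrustOnFirstUseTrustManager(BoltServerAddress boltServerAddress, File file, Logger logger) throws IOException {
        this.logger = logger;
        this.serverId = boltServerAddress.toString();
        this.knownHosts = file;
        load();
    }

    /**
     * Scans the known-hosts file for the first line whose first field equals {@link #serverId}
     * and pins that line's second field. A missing file simply means nothing is pinned yet.
     *
     * <p>Blank lines, comment lines and lines with fewer than two whitespace-separated fields
     * are skipped rather than failing the load, so a hand-edited or truncated file cannot
     * crash the driver with an array-index error.
     *
     * @throws IOException if the file exists but is unreadable
     */
    private void load() throws IOException {
        if (!this.knownHosts.exists()) {
            return;
        }
        assertKnownHostFileReadable();
        BufferedReader reader = new BufferedReader(new FileReader(this.knownHosts));
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                String trimmed = line.trim();
                if (trimmed.isEmpty() || trimmed.startsWith(COMMENT_PREFIX)) {
                    continue;
                }
                String[] fields = trimmed.split("\\s+");
                if (fields.length < 2) {
                    // Malformed entry: there is no fingerprint to pin.
                    continue;
                }
                if (fields[0].equals(this.serverId)) {
                    this.fingerprint = fields[1];
                    return;
                }
            }
        } finally {
            // Always release the descriptor; returning on a match must not leak it.
            reader.close();
        }
    }

    /**
     * Appends a {@code serverId fingerprint} line to the known-hosts file, creating the file if
     * needed, and only then pins the fingerprint in memory — a failed write must not leave this
     * instance trusting a fingerprint that was never recorded.
     *
     * @param newFingerprint fingerprint of the certificate seen on first use
     * @throws IOException if the file cannot be created, is not writable, or the append fails
     */
    private void saveTrustedHost(String newFingerprint) throws IOException {
        this.logger.info("Adding %s as known and trusted certificate for %s.", newFingerprint, this.serverId);
        createKnownCertFileIfNotExists();
        assertKnownHostFileWritable();
        BufferedWriter writer = new BufferedWriter(new FileWriter(this.knownHosts, true));
        try {
            writer.write(this.serverId + FIELD_SEPARATOR + newFingerprint);
            writer.newLine();
        } finally {
            writer.close();
        }
        this.fingerprint = newFingerprint;
    }

    /** @throws IOException with a remediation hint if the known-hosts file is not readable by this process */
    private void assertKnownHostFileReadable() throws IOException {
        if (!this.knownHosts.canRead()) {
            throw new IOException(String.format("Failed to load certificates from file %s as you have no read permissions to it.\nTry configuring the Neo4j driver to use a file system location you do have read permissions to.", this.knownHosts.getAbsolutePath()));
        }
    }

    /** @throws IOException with a remediation hint if the known-hosts file is not writable by this process */
    private void assertKnownHostFileWritable() throws IOException {
        if (!this.knownHosts.canWrite()) {
            throw new IOException(String.format("Failed to write certificates to file %s as you have no write permissions to it.\nTry configuring the Neo4j driver to use a file system location you do have write permissions to.", this.knownHosts.getAbsolutePath()));
        }
    }

    /**
     * Client authentication is never accepted: this manager is only ever used on the
     * driver (client) side of a connection.
     *
     * @throws CertificateException always
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("All client connections to this client are forbidden.");
    }

    /**
     * Accepts the server's leaf certificate if it matches the pinned fingerprint, or pins it
     * when nothing has been pinned yet.
     *
     * @param chain    certificate chain presented by the server; only {@code chain[0]} is used
     * @param authType key exchange algorithm, ignored
     * @throws CertificateException if no certificate was presented, the fingerprint differs
     *                              from the pinned one, or the first-use pin could not be saved
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            // Fail with the checked exception the TLS layer expects rather than an NPE/AIOOBE.
            throw new CertificateException(String.format("Unable to connect to neo4j at `%s`, because the server presented no certificate.", this.serverId));
        }
        String presented = fingerprint(chain[0]);
        if (this.fingerprint == null) {
            try {
                saveTrustedHost(presented);
            } catch (IOException e) {
                throw new CertificateException(String.format("Failed to save the server ID and the certificate received from the server to file %s.\nServer ID: %s\nReceived cert:\n%s", this.knownHosts.getAbsolutePath(), this.serverId, CertificateTool.X509CertToString(presented)), e);
            }
            return;
        }
        // Both values are public hashes, so a plain equality check is sufficient here.
        if (!this.fingerprint.equals(presented)) {
            throw new CertificateException(String.format("Unable to connect to neo4j at `%s`, because the certificate the server uses has changed. This is a security feature to protect against man-in-the-middle attacks.\nIf you trust the certificate the server uses now, simply remove the line that starts with `%s` in the file `%s`.\nThe old certificate saved in file is:\n%sThe New certificate received is:\n%s", this.serverId, this.serverId, this.knownHosts.getAbsolutePath(), CertificateTool.X509CertToString(this.fingerprint), CertificateTool.X509CertToString(presented)));
        }
    }

    /**
     * Computes the pinning fingerprint of a certificate: the SHA-512 digest of its DER encoding,
     * rendered as hex by {@code BytePrinter.compactHex}.
     *
     * @param x509Certificate certificate to fingerprint
     * @return hex fingerprint
     * @throws CertificateException if the certificate is {@code null} or cannot be encoded,
     *                              or if SHA-512 is unavailable on this platform
     */
    public static String fingerprint(X509Certificate x509Certificate) throws CertificateException {
        if (x509Certificate == null) {
            throw new CertificateException("Cannot compute the fingerprint of a null certificate.");
        }
        try {
            MessageDigest digest = MessageDigest.getInstance(FINGERPRINT_ALGORITHM);
            return BytePrinter.compactHex(digest.digest(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Cannot use TLS on this platform, because SHA-512 message digest algorithm is not available: " + e.getMessage(), e);
        }
    }

    /**
     * Creates the known-hosts file (and its parent directories) with an explanatory header
     * if it does not exist yet.
     *
     * @return the known-hosts file
     * @throws IOException if the directories or the file cannot be created; a
     *                     {@link SecurityException} from the file system is wrapped, with its
     *                     cause preserved, so callers only have to handle {@code IOException}
     */
    private File createKnownCertFileIfNotExists() throws IOException {
        if (this.knownHosts.exists()) {
            return this.knownHosts;
        }
        try {
            File parent = this.knownHosts.getParentFile();
            if (parent != null && !parent.exists() && !parent.mkdirs()) {
                throw new IOException("Failed to create directories for the known hosts file in " + this.knownHosts.getAbsolutePath() + ". This is usually because you do not have write permissions to the directory. Try configuring the Neo4j driver to use a file system location you do have write permissions to.");
            }
            if (!this.knownHosts.createNewFile()) {
                // createNewFile() is atomic: a false return means the file now exists, most
                // likely created concurrently by another driver instance that owns the header.
                if (this.knownHosts.exists()) {
                    return this.knownHosts;
                }
                throw new IOException("Failed to create a known hosts file at " + this.knownHosts.getAbsolutePath() + ". This is usually because you do not have write permissions to the directory. Try configuring the Neo4j driver to use a file system location you do have write permissions to.");
            }
            BufferedWriter writer = new BufferedWriter(new FileWriter(this.knownHosts));
            try {
                writer.write("# This file contains trusted certificates for Neo4j servers, it's created by Neo4j drivers.");
                writer.newLine();
                writer.write("# You can configure the location of this file in `org.neo4j.driver.Config`");
                writer.newLine();
            } finally {
                writer.close();
            }
        } catch (SecurityException e) {
            throw new IOException("Failed to create known host file and/or parent directories at " + this.knownHosts.getAbsolutePath() + ". This is usually because you do not have write permission to the directory. Try configuring the Neo4j driver to use a file location you have write permissions to.", e);
        }
        return this.knownHosts;
    }

    /**
     * No CA is trusted: TOFU pins individual leaf certificates rather than issuers.
     *
     * @return an empty array
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}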
