package org.neo4j.kernel.configuration.ssl;

import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.operator.OperatorCreationException;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.configuration.GroupSettingSupport;
import org.neo4j.kernel.configuration.Settings;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import org.neo4j.ssl.ClientAuth;
import org.neo4j.ssl.PkiUtils;
import org.neo4j.ssl.SslPolicy;

/* loaded from: input_file:org/neo4j/kernel/configuration/ssl/SslPolicyLoader.class */
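/**
 * Builds {@link SslPolicy} instances from configuration.
 *
 * <p>Two kinds of policy are produced:
 * <ul>
 *   <li>Named policies (one per {@link SslPolicyConfig} group found in the config), loaded eagerly by
 *       {@link #load}. Each has its own key, certificate chain, trusted-certificate directory, CRL directory,
 *       TLS versions, cipher list and client-auth mode.</li>
 *   <li>The legacy policy ({@link LegacySslPolicyConfig#LEGACY_POLICY_NAME}), created lazily on first request.
 *       It uses {@link InsecureTrustManagerFactory} and {@link ClientAuth#NONE}: it presents a certificate
 *       but never validates the peer's. It exists for backwards compatibility only.</li>
 * </ul>
 *
 * <p>Security-relevant behaviour a reviewer should know:
 * <ul>
 *   <li>{@code trust_all=true} on a named policy disables all peer-certificate validation
 *       (chain, hostname, revocation) by installing {@link InsecureTrustManagerFactory}; a warning is logged.</li>
 *   <li>Revocation checking is only enabled when the revoked directory holds at least one CRL. With
 *       revocation enabled, Java's PKIX validator requires revocation data for every CA in a peer's chain, so a
 *       chain signed by a CA that has no CRL in that directory will be rejected.</li>
 *   <li>Every file in the trusted directory is parsed as X.509; an unparsable file aborts loading rather than
 *       being skipped (fail closed).</li>
 *   <li>If neither key nor certificate exists and key generation is allowed, a key pair and self-signed certificate
 *       are generated (via {@link PkiUtils}, whose on-disk permissions are not visible here) with
 *       {@code default_advertised_address} as the subject.</li>
 * </ul>
 */
public class SslPolicyLoader {
    /** Named policies keyed by policy name; populated once in {@link #load}, read concurrently by {@link #getPolicy}. */
    private final Map<String, SslPolicy> policies = new ConcurrentHashMap<>();
    private final PkiUtils pkiUtils = new PkiUtils();
    private final Config config;
    /** Lazily created legacy policy; guarded by this instance's monitor (see {@link #getOrCreateLegacyPolicy}). */
    private SslPolicy legacyPolicy;

    private SslPolicyLoader(Config config) {
        this.config = config;
    }

    /**
     * Creates a loader and eagerly loads every named SSL policy in {@code config}.
     *
     * @throws IllegalArgumentException if a policy's base directory is missing or the legacy name is used as a group
     * @throws RuntimeException if key material, trust anchors or CRLs cannot be generated or read
     */
    public static SslPolicyLoader create(Config config, LogProvider logProvider) {
        SslPolicyLoader loader = new SslPolicyLoader(config);
        loader.load(config, logProvider.getLog(SslPolicyLoader.class));
        return loader;
    }

    /**
     * Returns the policy with the given name.
     *
     * @param policyName configured policy name, or {@code LegacySslPolicyConfig.LEGACY_POLICY_NAME}
     * @return the policy, or {@code null} when {@code policyName} is {@code null}
     * @throws IllegalArgumentException if no enabled policy with that name was loaded
     */
    public SslPolicy getPolicy(String policyName) {
        if (policyName == null) {
            return null;
        }
        if (policyName.equals(LegacySslPolicyConfig.LEGACY_POLICY_NAME)) {
            return getOrCreateLegacyPolicy();
        }
        SslPolicy policy = this.policies.get(policyName);
        if (policy == null) {
            throw new IllegalArgumentException(String.format("Cannot find enabled SSL policy with name '%s' in the configuration", policyName));
        }
        return policy;
    }

    /**
     * Lazily creates the legacy policy. Synchronized because {@link #getPolicy} is called concurrently (the policy
     * map is a ConcurrentHashMap) and an unguarded check-then-create could generate the key/certificate files twice
     * from two threads at once.
     */
    private synchronized SslPolicy getOrCreateLegacyPolicy() {
        if (this.legacyPolicy == null) {
            this.legacyPolicy = loadOrCreateLegacyPolicy();
        }
        return this.legacyPolicy;
    }

    /**
     * Loads the legacy key/certificate, generating a self-signed pair first if neither file exists.
     * If exactly one of the two files exists nothing is generated and loading fails, which is the safe outcome.
     *
     * <p>SECURITY: the resulting policy uses {@link InsecureTrustManagerFactory} and {@link ClientAuth#NONE},
     * so it never validates a peer certificate. Default TLS versions and ciphers are used (both {@code null}).
     */
    private SslPolicy loadOrCreateLegacyPolicy() {
        File keyFile = this.config.get(LegacySslPolicyConfig.tls_key_file).getAbsoluteFile();
        File certificateFile = this.config.get(LegacySslPolicyConfig.tls_certificate_file).getAbsoluteFile();
        if (!keyFile.exists() && !certificateFile.exists()) {
            try {
                String hostname = this.config.get(GraphDatabaseSettings.default_advertised_address);
                this.pkiUtils.createSelfSignedCertificate(certificateFile, keyFile, hostname);
            } catch (Exception e) {
                throw new RuntimeException("Failed to generate private key and certificate", e);
            }
        }
        return new SslPolicy(loadPrivateKey(keyFile, null), loadCertificateChain(certificateFile), null, null, ClientAuth.NONE, InsecureTrustManagerFactory.INSTANCE);
    }

    /**
     * Loads every named policy group found in {@code config} into {@link #policies}.
     * Any failure aborts loading with an exception rather than leaving a partially configured policy in place.
     */
    private void load(Config config, Log log) {
        Set<String> policyNames = config.view(GroupSettingSupport.enumerate(SslPolicyConfig.class)).collect(Collectors.toSet());
        for (String policyName : policyNames) {
            if (policyName.equals(LegacySslPolicyConfig.LEGACY_POLICY_NAME)) {
                throw new IllegalArgumentException("Legacy policy cannot be configured. Please migrate to new SSL policy system.");
            }
            SslPolicyConfig policyConfig = new SslPolicyConfig(policyName);
            File baseDirectory = policyConfig.base_directory.from(config);
            File trustedDirectory = policyConfig.trusted_dir.from(config);
            File revokedDirectory = policyConfig.revoked_dir.from(config);
            if (!baseDirectory.exists()) {
                throw new IllegalArgumentException(String.format("Base directory '%s' for SSL policy with name '%s' does not exist.", baseDirectory, policyName));
            }

            boolean allowKeyGeneration = policyConfig.allow_key_generation.from(config);
            File privateKeyFile = policyConfig.private_key.from(config);
            String privateKeyPassword = policyConfig.private_key_password.from(config);
            File certificateFile = policyConfig.public_certificate.from(config);

            // Generate only when BOTH files are absent; a lone key or certificate is left alone and fails below.
            if (!privateKeyFile.exists() && !certificateFile.exists() && allowKeyGeneration) {
                log.info(String.format("Generating key and self-signed certificate for SSL policy '%s'", policyName));
                try {
                    String hostname = config.get(GraphDatabaseSettings.default_advertised_address);
                    this.pkiUtils.createSelfSignedCertificate(certificateFile, privateKeyFile, hostname);
                    // Empty trust/revocation directories so the policy loads; nothing is trusted until files are added.
                    trustedDirectory.mkdir();
                    revokedDirectory.mkdir();
                } catch (IOException | GeneralSecurityException | OperatorCreationException e) {
                    throw new RuntimeException("Failed to generate private key and certificate", e);
                }
            }

            PrivateKey privateKey = loadPrivateKey(privateKeyFile, privateKeyPassword);
            X509Certificate[] certificateChain = loadCertificateChain(certificateFile);
            ClientAuth clientAuth = policyConfig.client_auth.from(config);
            boolean trustAll = policyConfig.trust_all.from(config);
            if (trustAll) {
                // SECURITY: make the loss of peer validation visible in the logs; it is otherwise silent.
                log.warn(String.format("SSL policy '%s' has trust_all enabled: peer certificates will not be validated", policyName));
            }
            // Read CRLs outside the try below so a CRL error keeps its own message instead of being reported
            // as a trust-manager failure on the trusted directory.
            Collection<X509CRL> crls = getCRLs(revokedDirectory);

            try {
                TrustManagerFactory trustManagerFactory = createTrustManagerFactory(trustAll, trustedDirectory, crls, clientAuth);
                List<String> tlsVersions = policyConfig.tls_versions.from(config);
                List<String> ciphers = policyConfig.ciphers.from(config);
                SslPolicy sslPolicy = new SslPolicy(privateKey, certificateChain, tlsVersions, ciphers, clientAuth, trustManagerFactory);
                log.info(String.format("Loaded SSL policy '%s' = %s", policyName, sslPolicy));
                this.policies.put(policyName, sslPolicy);
            } catch (Exception e) {
                throw new RuntimeException("Failed to create trust manager based on: " + trustedDirectory, e);
            }
        }
    }

    /**
     * Parses every file in {@code revokedDirectory} as one or more X.509 CRLs.
     *
     * @return the CRLs found; empty when the directory has no files
     * @throws RuntimeException if the directory cannot be listed or any file is not a readable CRL (fail closed)
     */
    private Collection<X509CRL> getCRLs(File revokedDirectory) {
        List<X509CRL> crls = new ArrayList<>();
        File[] crlFiles = revokedDirectory.listFiles();
        if (crlFiles == null) {
            throw new RuntimeException(String.format("Could not find or list files in revoked directory: %s", revokedDirectory));
        }
        if (crlFiles.length == 0) {
            return crls;
        }
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new RuntimeException("Could not generated certificate factory", e);
        }
        for (File crlFile : crlFiles) {
            try (FileInputStream in = new FileInputStream(crlFile)) {
                for (java.security.cert.CRL crl : certificateFactory.generateCRLs(in)) {
                    // The "X.509" factory only ever yields X509CRL instances.
                    crls.add((X509CRL) crl);
                }
            } catch (IOException | CRLException e) {
                throw new RuntimeException(String.format("Could not load CRL: %s", crlFile), e);
            }
        }
        return crls;
    }

    /**
     * Loads the server's certificate chain from {@code certificateFile} via {@link PkiUtils}.
     *
     * @throws RuntimeException wrapping any failure, with the file path in the message
     */
    private X509Certificate[] loadCertificateChain(File certificateFile) {
        try {
            return this.pkiUtils.loadCertificates(certificateFile);
        } catch (Exception e) {
            throw new RuntimeException("Failed to load public certificate chain: " + certificateFile, e);
        }
    }

    /**
     * Loads an unencrypted private key from {@code keyFile}.
     *
     * @param password must be {@code null}; encrypted keys are not supported
     * @throws UnsupportedOperationException if a password is configured
     * @throws RuntimeException wrapping any failure to read or parse the key
     */
    private PrivateKey loadPrivateKey(File keyFile, String password) {
        if (password != null) {
            throw new UnsupportedOperationException("Loading private keys with passwords is not yet supported");
        }
        try {
            return this.pkiUtils.loadPrivateKey(keyFile);
        } catch (Exception e) {
            // password is always null here, so the suffix is always Settings.EMPTY; kept for message compatibility.
            throw new RuntimeException("Failed to load private key: " + keyFile + (password == null ? Settings.EMPTY : " (using configured password)"), e);
        }
    }

    /**
     * Builds the trust manager for a named policy.
     *
     * <p>SECURITY: when {@code trustAll} is set this returns {@link InsecureTrustManagerFactory}, which accepts any
     * peer certificate without chain, hostname or revocation checks. Otherwise every file in {@code trustedDirectory}
     * is parsed as X.509 (single DER, or a PEM bundle holding several certificates) and installed as a trust anchor.
     * Revocation checking is enabled only when {@code crls} is non-empty; in that mode PKIX requires revocation data for
     * every CA in a peer chain, so chains from CAs without a CRL here are rejected.
     *
     * @throws RuntimeException if the trusted directory cannot be listed, or client auth is required but no
     *         trust anchors exist (which would otherwise reject every client)
     * @throws Exception on any keystore, certificate-parsing or trust-manager initialisation failure
     */
    private TrustManagerFactory createTrustManagerFactory(boolean trustAll, File trustedDirectory, Collection<X509CRL> crls, ClientAuth clientAuth) throws Exception {
        if (trustAll) {
            return InsecureTrustManagerFactory.INSTANCE;
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // fresh, empty in-memory store
        File[] trustedFiles = trustedDirectory.listFiles();
        if (trustedFiles == null) {
            throw new RuntimeException(String.format("Could not find or list files in trusted directory: %s", trustedDirectory));
        }
        if (clientAuth == ClientAuth.REQUIRE && trustedFiles.length == 0) {
            throw new RuntimeException(String.format("Client auth is required but no trust anchors found in: %s", trustedDirectory));
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        int alias = 0;
        for (File trustedFile : trustedFiles) {
            // generateCertificates consumes the whole file, so a PEM bundle with several certificates or trailing
            // whitespace is handled; a generateCertificate()/available()>0 loop would fail on the trailing bytes.
            try (FileInputStream in = new FileInputStream(trustedFile)) {
                for (Certificate certificate : certificateFactory.generateCertificates(in)) {
                    trustStore.setCertificateEntry(Integer.toString(alias++), (X509Certificate) certificate);
                }
            }
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (crls.isEmpty()) {
            // No CRLs configured: chain validation only, no revocation checking.
            trustManagerFactory.init(trustStore);
        } else {
            PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
            pkixParameters.setRevocationEnabled(true);
            pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
            trustManagerFactory.init(new CertPathTrustManagerParameters(pkixParameters));
        }
        return trustManagerFactory;
    }
}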
