package org.elasticsearch.common.ssl;

import java.io.IOException;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.X509ExtendedTrustManager;

/* loaded from: input_file:org/elasticsearch/common/ssl/StoreTrustConfig.class */
/**
 * An {@link SslTrustConfig} whose trusted certificates come from a keystore file
 * (used as a truststore) on disk.
 *
 * <p>The store location is {@code configBasePath.resolve(truststorePath)}. The password is held
 * as a {@code char[]} and is never rendered by {@link #toString()} or by the error-detail text;
 * both only report whether a password was supplied.
 *
 * <p>NOTE(review): {@link #equals(Object)} and {@link #hashCode()} consider only the path,
 * password, type and algorithm. {@code requireTrustAnchors} and {@code configBasePath} are not
 * part of the comparison, so two configs that differ only in those fields compare equal.
 * Confirm that this is intended wherever equality is used to detect a configuration change.
 */
public final class StoreTrustConfig implements SslTrustConfig {
    private final String truststorePath;
    // Kept by reference (no defensive copy): if the caller later overwrites the array,
    // this config's password, equals() and hashCode() change with it.
    private final char[] password;
    private final String type;
    private final String algorithm;
    // When true, createTrustManager() rejects a store that has no certificate entries.
    private final boolean requireTrustAnchors;
    // Not null-checked in the constructor; resolvePath() dereferences it.
    private final Path configBasePath;

    /**
     * Creates a trust configuration backed by a keystore file.
     *
     * @param str   path of the truststore, resolved against {@code path}; must not be null
     * @param cArr  truststore password; must not be null, but may be empty
     * @param str2  keystore type handed to {@code KeyStoreUtil.readKeyStore}; must not be null
     * @param str3  trust manager algorithm handed to {@code KeyStoreUtil.createTrustManager};
     *              must not be null
     * @param z     whether the store must contain at least one certificate entry
     * @param path  base path that the truststore path is resolved against
     * @throws NullPointerException if any of {@code str}, {@code str2}, {@code str3} or
     *         {@code cArr} is null
     */
    public StoreTrustConfig(String str, char[] cArr, String str2, String str3, boolean z, Path path) {
        // The checks run in this order, which decides the message when several arguments are null.
        this.truststorePath = Objects.requireNonNull(str, "Truststore path cannot be null");
        this.type = Objects.requireNonNull(str2, "Truststore type cannot be null");
        this.algorithm = Objects.requireNonNull(str3, "Truststore algorithm cannot be null");
        this.password = Objects.requireNonNull(cArr, "Truststore password cannot be null (but may be empty)");
        this.requireTrustAnchors = z;
        this.configBasePath = path;
    }

    /**
     * Returns the single file this configuration depends on: the resolved truststore path.
     */
    @Override
    public Collection<Path> getDependentFiles() {
        final Path storeFile = resolvePath();
        return List.of(storeFile);
    }

    /**
     * Resolves the configured truststore path against the config base path.
     *
     * <p>{@link Path#resolve(String)} returns an absolute argument unchanged and the result is
     * not normalized here, so the base path is a default location rather than a boundary on
     * where the store may live.
     */
    private Path resolvePath() {
        return this.configBasePath.resolve(this.truststorePath);
    }

    /**
     * Lists the X.509 certificates found in the truststore, one {@link StoredCertificate} per
     * entry that carries such a certificate. Entries without an X.509 certificate are skipped.
     * Each result records the alias and whether the entry is a key entry.
     */
    @Override
    public Collection<? extends StoredCertificate> getConfiguredCertificates() {
        final Path storeFile = resolvePath();
        final KeyStore store = readKeyStore(storeFile);
        return KeyStoreUtil.stream(store, failure -> keystoreException(storeFile, failure))
            .map(entry -> {
                final X509Certificate certificate = entry.getX509Certificate();
                // Entries with no X.509 certificate map to null and are dropped by the filter below.
                return certificate == null
                    ? null
                    : new StoredCertificate(certificate, this.truststorePath, this.type, entry.getAlias(), entry.isKeyEntry());
            })
            .filter(Objects::nonNull)
            .toList();
    }

    /**
     * Loads the truststore and builds a trust manager from it using the configured algorithm.
     *
     * <p>If {@code requireTrustAnchors} is set, a store without any certificate entry is
     * rejected before the trust manager is created. If it is not set, such a store is passed
     * on as-is; how the resulting trust manager behaves is decided by
     * {@code KeyStoreUtil.createTrustManager}, which is not visible here.
     *
     * @throws SslConfigException (unchecked) if the store cannot be processed
     */
    @Override
    public X509ExtendedTrustManager createTrustManager() {
        final Path storeFile = resolvePath();
        try {
            final KeyStore store = readKeyStore(storeFile);
            if (this.requireTrustAnchors) {
                checkTrustStore(store, storeFile);
            }
            return KeyStoreUtil.createTrustManager(store, this.algorithm);
        } catch (GeneralSecurityException failure) {
            throw keystoreException(storeFile, failure);
        }
    }

    /**
     * Reads the keystore at {@code location} with the configured type and password, turning
     * each failure kind into the matching unchecked exception built by {@code SslFileUtil}.
     */
    private KeyStore readKeyStore(Path location) {
        try {
            return KeyStoreUtil.readKeyStore(location, this.type, this.password);
        } catch (IOException ioFailure) {
            throw SslFileUtil.ioException(fileTypeForException(), List.of(location), ioFailure, getAdditionalErrorDetails());
        } catch (AccessControlException accessFailure) {
            // Security-manager denial; reported with the config base path as context.
            throw SslFileUtil.accessControlFailure(fileTypeForException(), List.of(location), accessFailure, this.configBasePath);
        } catch (GeneralSecurityException securityFailure) {
            throw keystoreException(location, securityFailure);
        }
    }

    /**
     * Wraps a security failure for the given store file, adding the file-type label and the
     * password hint (presence only, never the value).
     */
    private SslConfigException keystoreException(Path location, GeneralSecurityException cause) {
        final String fileType = fileTypeForException();
        final String details = getAdditionalErrorDetails();
        return SslFileUtil.securityException(fileType, List.of(location), cause, details);
    }

    /**
     * Describes, for error messages, whether a password was supplied. The password itself is
     * never included.
     */
    private String getAdditionalErrorDetails() {
        if (this.password.length == 0) {
            return "(no password was provided)";
        }
        return "(a keystore password was provided)";
    }

    /** Returns the label used for this file in error messages. */
    private String fileTypeForException() {
        return "[" + this.type + "] keystore (as a truststore)";
    }

    /**
     * Verifies that the store holds at least one certificate entry.
     *
     * @throws SslConfigException if no alias in the store is a certificate entry
     * @throws GeneralSecurityException if the store cannot be queried
     */
    private static void checkTrustStore(KeyStore store, Path location) throws GeneralSecurityException {
        final Enumeration<String> names = store.aliases();
        boolean anchorFound = false;
        // Stop at the first certificate entry; one trust anchor is enough.
        while (!anchorFound && names.hasMoreElements()) {
            anchorFound = store.isCertificateEntry(names.nextElement());
        }
        if (!anchorFound) {
            throw new SslConfigException("the truststore [" + location + "] does not contain any trusted certificate entries");
        }
    }

    /**
     * Compares path, password, type and algorithm. {@code requireTrustAnchors} and
     * {@code configBasePath} are not compared.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final StoreTrustConfig other = (StoreTrustConfig) obj;
        if (!this.truststorePath.equals(other.truststorePath)) {
            return false;
        }
        if (!Arrays.equals(this.password, other.password)) {
            return false;
        }
        return this.type.equals(other.type) && this.algorithm.equals(other.algorithm);
    }

    /** Hashes the same four fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        int result = Objects.hash(this.truststorePath, this.type, this.algorithm);
        result = 31 * result + Arrays.hashCode(this.password);
        return result;
    }

    /**
     * Renders the configuration for logs and diagnostics. The password is shown only as
     * {@code <empty>} or {@code <non-empty>}.
     */
    @Override
    public String toString() {
        final String passwordState = this.password.length == 0 ? "<empty>" : "<non-empty>";
        return "StoreTrustConfig{"
            + "path=" + this.truststorePath
            + ", password=" + passwordState
            + ", type=" + this.type
            + ", algorithm=" + this.algorithm
            + '}';
    }
}
