package io.kroxylicious.kms.provider.aws.kms.config;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.kroxylicious.proxy.config.secret.PasswordProvider;
import io.kroxylicious.proxy.config.tls.InsecureTls;
import io.kroxylicious.proxy.config.tls.KeyPair;
import io.kroxylicious.proxy.config.tls.KeyProvider;
import io.kroxylicious.proxy.config.tls.KeyProviderVisitor;
import io.kroxylicious.proxy.config.tls.KeyStore;
import io.kroxylicious.proxy.config.tls.PlatformTrustProvider;
import io.kroxylicious.proxy.config.tls.Tls;
import io.kroxylicious.proxy.config.tls.TrustProvider;
import io.kroxylicious.proxy.config.tls.TrustProviderVisitor;
import io.kroxylicious.proxy.config.tls.TrustStore;
import java.io.FileInputStream;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kroxylicious/kms/provider/aws/kms/config/JdkTls.class */
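/**
 * Builds a JDK {@link SSLContext} from the proxy's {@link Tls} configuration for the AWS KMS client.
 * <p>
 * Only keystore-backed trust and key material is supported: PEM material and {@link KeyPair}
 * key material are rejected with {@link SslConfigurationException}. A {@code null} {@link Tls}
 * yields {@link SSLContext#getDefault()}.
 *
 * @param tls the TLS configuration, or {@code null} to use the JDK default context
 */
public record JdkTls(Tls tls) {
    private static final Logger logger = LoggerFactory.getLogger(JdkTls.class);

    /**
     * Trust manager that accepts every certificate chain without any validation, so the peer's
     * identity is not verified. It is only selected when the configuration explicitly asks for it
     * through {@link InsecureTls#insecure()}.
     */
    public static final X509TrustManager INSECURE_TRUST_MANAGER = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // intentionally no validation
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // intentionally no validation
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    };

    /** {@link #INSECURE_TRUST_MANAGER} in the array form taken by {@link SSLContext#init}. */
    public static final TrustManager[] INSECURE_TRUST_MANAGERS = { INSECURE_TRUST_MANAGER };

    /**
     * Canonical constructor. Warns when key material is configured, because the AWS client does
     * not currently use it (see {@link #sslContext()}).
     */
    public JdkTls {
        if (tls != null && tls.key() != null) {
            logger.warn("TLS key material is currently not supported by the AWS client");
        }
    }

    /**
     * Creates the SSL context described by {@link #tls()}.
     *
     * @return the JDK default context when no TLS configuration (or neither trust nor key material)
     *         is present, otherwise a freshly initialised context
     * @throws SslConfigurationException if any part of the configuration cannot be turned into
     *         JDK trust/key managers
     */
    public SSLContext sslContext() {
        try {
            if (tls == null) {
                return SSLContext.getDefault();
            }
            TrustManager[] trustManagers = tls.trust() == null ? null : getTrustManagers(tls.trust());
            KeyManager[] keyManagers = tls.key() == null ? null : getKeyManagers(tls.key());
            return getSslContext(trustManagers, keyManagers);
        } catch (SslConfigurationException e) {
            // already the right type; do not wrap it a second time
            throw e;
        } catch (Exception e) {
            throw new SslConfigurationException(e);
        }
    }

    /**
     * Converts the configured key material into JDK key managers.
     *
     * @param keyProvider the configured key material
     * @return key managers loaded from a non-PEM keystore
     * @throws SslConfigurationException for {@link KeyPair} or PEM material, or if the keystore
     *         cannot be loaded
     */
    static KeyManager[] getKeyManagers(KeyProvider keyProvider) {
        return keyProvider.accept(new KeyProviderVisitor<KeyManager[]>() {
            @Override
            public KeyManager[] visit(KeyPair keyPair) {
                throw new SslConfigurationException("KeyPair is not supported by the AWS KMS client yet");
            }

            @Override
            public KeyManager[] visit(KeyStore keyStore) {
                if (keyStore.isPemType()) {
                    throw new SslConfigurationException("PEM is not supported by the AWS KMS client yet");
                }
                try {
                    java.security.KeyStore store = java.security.KeyStore.getInstance(keyStore.getType());
                    char[] storePassword = passwordOrNull(keyStore.storePasswordProvider());
                    // try-with-resources so the file handle is released even when load() fails
                    try (FileInputStream in = new FileInputStream(keyStore.storeFile())) {
                        store.load(in, storePassword);
                    }
                    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    char[] keyPassword = passwordOrNull(keyStore.keyPasswordProvider());
                    // the key password falls back to the store password when none is configured;
                    // the array is not cleared afterwards because the JDK key manager may keep it
                    // to unlock entries lazily
                    kmf.init(store, keyPassword == null ? storePassword : keyPassword);
                    return kmf.getKeyManagers();
                } catch (Exception e) {
                    throw new SslConfigurationException(e);
                }
            }
        });
    }

    /**
     * Initialises an SSL context with the given managers.
     *
     * @param trustManagers trust managers, or {@code null} for the JDK default
     * @param keyManagers   key managers, or {@code null} for the JDK default
     * @return {@link SSLContext#getDefault()} when both arguments are {@code null}, otherwise a new
     *         {@code "TLS"} context initialised with them
     * @throws SslConfigurationException if the context cannot be created or initialised
     */
    @NonNull
    private static SSLContext getSslContext(TrustManager[] trustManagers, KeyManager[] keyManagers) {
        try {
            if (trustManagers == null && keyManagers == null) {
                return SSLContext.getDefault();
            }
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagers, trustManagers, new SecureRandom());
            return context;
        } catch (Exception e) {
            throw new SslConfigurationException(e);
        }
    }

    /**
     * Converts the configured trust material into JDK trust managers.
     *
     * @param trustProvider the configured trust material
     * @return trust managers for a non-PEM truststore, the platform default, or
     *         {@link #INSECURE_TRUST_MANAGERS} when insecure mode is explicitly enabled
     * @throws SslConfigurationException for PEM material or if the truststore cannot be loaded
     */
    static TrustManager[] getTrustManagers(TrustProvider trustProvider) {
        return trustProvider.accept(new TrustProviderVisitor<TrustManager[]>() {
            @Override
            public TrustManager[] visit(TrustStore trustStore) {
                if (trustStore.isPemType()) {
                    throw new SslConfigurationException("PEM trust not supported by the AWS KMS client yet");
                }
                try {
                    java.security.KeyStore store = java.security.KeyStore.getInstance(trustStore.getType());
                    // try-with-resources: the previous implementation never closed this stream
                    try (FileInputStream in = new FileInputStream(trustStore.storeFile())) {
                        store.load(in, passwordOrNull(trustStore.storePasswordProvider()));
                    }
                    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    tmf.init(store);
                    return tmf.getTrustManagers();
                } catch (Exception e) {
                    throw new SslConfigurationException(e);
                }
            }

            @Override
            public TrustManager[] visit(InsecureTls insecureTls) {
                return insecureTls.insecure() ? INSECURE_TRUST_MANAGERS : getDefaultTrustManagers();
            }

            @Override
            public TrustManager[] visit(PlatformTrustProvider platformTrustProvider) {
                // An empty TrustManager[] is not treated like null by SSLContext.init(): with no
                // X509TrustManager present SunJSSE falls back to a trust manager that rejects every
                // chain, so "platform trust" must resolve to the JDK default managers explicitly.
                return getDefaultTrustManagers();
            }
        });
    }

    /**
     * Trust managers backed by the JDK's default trust store (a {@code null} keystore tells the
     * factory to use it).
     *
     * @throws SslConfigurationException if the default factory cannot be initialised
     */
    private static TrustManager[] getDefaultTrustManagers() {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((java.security.KeyStore) null);
            return tmf.getTrustManagers();
        } catch (Exception e) {
            throw new SslConfigurationException(e);
        }
    }

    /**
     * Resolves a password provider to a {@code char[]}.
     *
     * @param passwordProvider the provider, may be {@code null}
     * @return the provided password, or {@code null} when the provider or its password is absent
     */
    @Nullable
    private static char[] passwordOrNull(@Nullable PasswordProvider passwordProvider) {
        return Optional.ofNullable(passwordProvider)
                .map(PasswordProvider::getProvidedPassword)
                .map(String::toCharArray)
                .orElse(null);
    }
}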
