package org.neo4j.ssl.config;

import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.io.FilenameFilter;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.SslSystemInternalSettings;
import org.neo4j.configuration.SslSystemSettings;
import org.neo4j.configuration.ssl.ClientAuth;
import org.neo4j.configuration.ssl.SslPolicyConfig;
import org.neo4j.configuration.ssl.SslPolicyScope;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import org.neo4j.ssl.PkiUtils;
import org.neo4j.ssl.SslPolicy;
import org.neo4j.string.SecureString;

/* loaded from: input_file:org/neo4j/ssl/config/SslPolicyLoader.class */
public class SslPolicyLoader {
    private static final FilenameFilter ALL_FILES = (file, str) -> {
        return true;
    };
    private static final FilenameFilter SKIP_DOT_FILES = (file, str) -> {
        return !str.startsWith(".");
    };
    private final Map<SslPolicyScope, SslPolicy> policies = new ConcurrentHashMap();
    private final Config config;
    private final SslProvider sslProvider;
    private final LogProvider logProvider;
    private final Log log;
    private final boolean skipDotFiles;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/ssl/config/SslPolicyLoader$KeyAndChain.class */
    public static final class KeyAndChain {
        final PrivateKey privateKey;
        final X509Certificate[] keyCertChain;
        final KeyStore trustStore;

        private KeyAndChain(PrivateKey privateKey, X509Certificate[] x509CertificateArr, KeyStore keyStore) {
            this.privateKey = privateKey;
            this.keyCertChain = x509CertificateArr;
            this.trustStore = keyStore;
        }
    }

    private SslPolicyLoader(Config config, LogProvider logProvider) {
        this.config = config;
        this.skipDotFiles = ((Boolean) config.get(SslSystemInternalSettings.ignore_dotfiles)).booleanValue();
        this.sslProvider = (SslProvider) config.get(SslSystemSettings.netty_ssl_provider);
        this.logProvider = logProvider;
        this.log = logProvider.getLog(SslPolicyLoader.class);
    }

    public static SslPolicyLoader create(Config config, LogProvider logProvider) {
        SslPolicyLoader sslPolicyLoader = new SslPolicyLoader(config, logProvider);
        sslPolicyLoader.load();
        return sslPolicyLoader;
    }

    public SslPolicy getPolicy(SslPolicyScope sslPolicyScope) {
        if (sslPolicyScope == null) {
            return null;
        }
        SslPolicy sslPolicy = this.policies.get(sslPolicyScope);
        if (sslPolicy == null) {
            throw new IllegalArgumentException(String.format("Cannot find enabled SSL policy with name '%s' in the configuration", sslPolicyScope));
        }
        return sslPolicy;
    }

    public boolean hasPolicyForSource(SslPolicyScope sslPolicyScope) {
        return this.policies.containsKey(sslPolicyScope);
    }

    private void load() {
        this.config.getGroups(SslPolicyConfig.class).values().forEach(this::addPolicy);
        this.policies.forEach((sslPolicyScope, sslPolicy) -> {
            this.log.info(String.format("Loaded SSL policy '%s' = %s", sslPolicyScope.name(), sslPolicy));
        });
    }

    private void addPolicy(SslPolicyConfig sslPolicyConfig) {
        if (((Boolean) this.config.get(sslPolicyConfig.enabled)).booleanValue()) {
            SslPolicyScope scope = sslPolicyConfig.getScope();
            if (this.policies.put(scope, createSslPolicy(sslPolicyConfig)) != null) {
                throw new IllegalStateException("Can not have multiple SslPolicies configured for " + scope.name());
            }
        }
    }

    private SslPolicy createSslPolicy(SslPolicyConfig sslPolicyConfig) {
        File file = ((Path) this.config.get(sslPolicyConfig.base_directory)).toFile();
        File file2 = ((Path) this.config.get(sslPolicyConfig.revoked_dir)).toFile();
        if (!file.exists()) {
            throw new IllegalArgumentException(String.format("Base directory '%s' for SSL policy with name '%s' does not exist.", file, sslPolicyConfig.name()));
        }
        KeyAndChain pemKeyAndChain = pemKeyAndChain(sslPolicyConfig);
        try {
            TrustManagerFactory createTrustManagerFactory = createTrustManagerFactory(((Boolean) this.config.get(sslPolicyConfig.trust_all)).booleanValue(), getCRLs(file2, certificateFilenameFilter()), pemKeyAndChain.trustStore);
            boolean booleanValue = ((Boolean) this.config.get(sslPolicyConfig.verify_hostname)).booleanValue();
            return new SslPolicy(pemKeyAndChain.privateKey, pemKeyAndChain.keyCertChain, (List) this.config.get(sslPolicyConfig.tls_versions), (List) this.config.get(sslPolicyConfig.ciphers), (ClientAuth) this.config.get(sslPolicyConfig.client_auth), createTrustManagerFactory, this.sslProvider, booleanValue, this.logProvider);
        } catch (Exception e) {
            throw new RuntimeException("Failed to create trust manager", e);
        }
    }

    private KeyAndChain pemKeyAndChain(SslPolicyConfig sslPolicyConfig) {
        File file = ((Path) this.config.get(sslPolicyConfig.private_key)).toFile();
        SecureString secureString = (SecureString) this.config.get(sslPolicyConfig.private_key_password);
        File file2 = ((Path) this.config.get(sslPolicyConfig.trusted_dir)).toFile();
        try {
            KeyStore createTrustStoreFromPem = createTrustStoreFromPem(file2, (ClientAuth) this.config.get(sslPolicyConfig.client_auth));
            if (sslPolicyConfig.getScope().isClientOnly() && !file.exists()) {
                return new KeyAndChain(null, new X509Certificate[0], createTrustStoreFromPem);
            }
            return new KeyAndChain(loadPrivateKey(file, secureString), loadCertificateChain(((Path) this.config.get(sslPolicyConfig.public_certificate)).toFile()), createTrustStoreFromPem);
        } catch (Exception e) {
            throw new RuntimeException("Failed to create trust manager based on: " + file2, e);
        }
    }

    private static Collection<X509CRL> getCRLs(File file, FilenameFilter filenameFilter) {
        ArrayList arrayList = new ArrayList();
        File[] listFiles = file.exists() ? file.listFiles(filenameFilter) : new File[0];
        if (listFiles == null) {
            throw new RuntimeException(String.format("Could not find or list files in revoked directory: %s", file));
        }
        if (listFiles.length == 0) {
            return arrayList;
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance(PkiUtils.CERTIFICATE_TYPE);
            for (File file2 : listFiles) {
                try {
                    InputStream newInputStream = Files.newInputStream(file2.toPath(), new OpenOption[0]);
                    try {
                        arrayList.addAll(certificateFactory.generateCRLs(newInputStream));
                        if (newInputStream != null) {
                            newInputStream.close();
                        }
                    } finally {
                    }
                } catch (IOException | CRLException e) {
                    throw new RuntimeException(String.format("Could not load CRL: %s", file2), e);
                }
            }
            return arrayList;
        } catch (CertificateException e2) {
            throw new RuntimeException("Could not generated certificate factory", e2);
        }
    }

    private static X509Certificate[] loadCertificateChain(File file) {
        try {
            return PkiUtils.loadCertificates(file);
        } catch (Exception e) {
            throw new RuntimeException("Failed to load public certificate chain: " + file, e);
        }
    }

    private PrivateKey loadPrivateKey(File file, SecureString secureString) {
        try {
            return PkiUtils.loadPrivateKey(file, secureString != null ? secureString.getString() : null);
        } catch (Exception e) {
            throw new RuntimeException("Failed to load private key: " + file + (secureString == null ? "" : " (using configured password)"), e);
        }
    }

    private static TrustManagerFactory createTrustManagerFactory(boolean z, Collection<X509CRL> collection, KeyStore keyStore) throws Exception {
        if (z) {
            return InsecureTrustManagerFactory.INSTANCE;
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (collection.isEmpty()) {
            trustManagerFactory.init(keyStore);
        } else {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
            pKIXBuilderParameters.setRevocationEnabled(true);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection)));
            trustManagerFactory.init(new CertPathTrustManagerParameters(pKIXBuilderParameters));
        }
        return trustManagerFactory;
    }

    private KeyStore createTrustStoreFromPem(File file, ClientAuth clientAuth) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        File[] listFiles = file.exists() ? file.listFiles(certificateFilenameFilter()) : new File[0];
        if (listFiles == null) {
            throw new RuntimeException(String.format("Could not find or list files in trusted directory: %s", file));
        }
        if (clientAuth == ClientAuth.REQUIRE && listFiles.length == 0) {
            throw new RuntimeException(String.format("Client auth is required but no trust anchors found in: %s", file));
        }
        int i = 0;
        for (File file2 : listFiles) {
            CertificateFactory certificateFactory = CertificateFactory.getInstance(PkiUtils.CERTIFICATE_TYPE);
            InputStream newInputStream = Files.newInputStream(file2.toPath(), new OpenOption[0]);
            while (newInputStream.available() > 0) {
                try {
                    try {
                        int i2 = i;
                        i++;
                        keyStore.setCertificateEntry(Integer.toString(i2), (X509Certificate) certificateFactory.generateCertificate(newInputStream));
                    } catch (Exception e) {
                        throw new CertificateException("Error loading certificate file: " + file2, e);
                    }
                } catch (Throwable th) {
                    if (newInputStream != null) {
                        try {
                            newInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
            if (newInputStream != null) {
                newInputStream.close();
            }
        }
        return keyStore;
    }

    private FilenameFilter certificateFilenameFilter() {
        return this.skipDotFiles ? SKIP_DOT_FILES : ALL_FILES;
    }
}
