package org.neo4j.ssl.config;

import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.file.DirectoryStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.SslSystemInternalSettings;
import org.neo4j.configuration.SslSystemSettings;
import org.neo4j.configuration.ssl.ClientAuth;
import org.neo4j.configuration.ssl.SslPolicyConfig;
import org.neo4j.configuration.ssl.SslPolicyScope;
import org.neo4j.io.fs.FileSystemAbstraction;
import org.neo4j.logging.InternalLog;
import org.neo4j.logging.InternalLogProvider;
import org.neo4j.pki.PkiUtils;
import org.neo4j.ssl.SslPolicy;
import org.neo4j.string.SecureString;

/* loaded from: input_file:org/neo4j/ssl/config/SslPolicyLoader.class */
public class SslPolicyLoader {
    private static final DirectoryStream.Filter<Path> ALL_FILES = path -> {
        return true;
    };
    private static final DirectoryStream.Filter<Path> SKIP_DOT_FILES = path -> {
        return !path.getFileName().toString().startsWith(".");
    };
    private final Map<SslPolicyScope, SslPolicy> policies = new ConcurrentHashMap();
    private final Config config;
    private final SslProvider sslProvider;
    private final InternalLogProvider logProvider;
    private final InternalLog log;
    private final boolean skipDotFiles;
    private final FileSystemAbstraction fileSystem;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/ssl/config/SslPolicyLoader$KeyAndChain.class */
    public static final class KeyAndChain extends Record {
        private final PrivateKey privateKey;
        private final X509Certificate[] keyCertChain;
        private final KeyStore trustStore;

        private KeyAndChain(PrivateKey privateKey, X509Certificate[] x509CertificateArr, KeyStore keyStore) {
            this.privateKey = privateKey;
            this.keyCertChain = x509CertificateArr;
            this.trustStore = keyStore;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, KeyAndChain.class), KeyAndChain.class, "privateKey;keyCertChain;trustStore", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->privateKey:Ljava/security/PrivateKey;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->keyCertChain:[Ljava/security/cert/X509Certificate;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->trustStore:Ljava/security/KeyStore;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, KeyAndChain.class), KeyAndChain.class, "privateKey;keyCertChain;trustStore", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->privateKey:Ljava/security/PrivateKey;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->keyCertChain:[Ljava/security/cert/X509Certificate;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->trustStore:Ljava/security/KeyStore;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, KeyAndChain.class, Object.class), KeyAndChain.class, "privateKey;keyCertChain;trustStore", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->privateKey:Ljava/security/PrivateKey;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->keyCertChain:[Ljava/security/cert/X509Certificate;", "FIELD:Lorg/neo4j/ssl/config/SslPolicyLoader$KeyAndChain;->trustStore:Ljava/security/KeyStore;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public PrivateKey privateKey() {
            return this.privateKey;
        }

        public X509Certificate[] keyCertChain() {
            return this.keyCertChain;
        }

        public KeyStore trustStore() {
            return this.trustStore;
        }
    }

    private SslPolicyLoader(FileSystemAbstraction fileSystemAbstraction, Config config, InternalLogProvider internalLogProvider) {
        this.fileSystem = fileSystemAbstraction;
        this.config = config;
        this.skipDotFiles = ((Boolean) config.get(SslSystemInternalSettings.ignore_dotfiles)).booleanValue();
        this.sslProvider = (SslProvider) config.get(SslSystemSettings.netty_ssl_provider);
        this.logProvider = internalLogProvider;
        this.log = internalLogProvider.getLog(SslPolicyLoader.class);
    }

    public static SslPolicyLoader create(FileSystemAbstraction fileSystemAbstraction, Config config, InternalLogProvider internalLogProvider) {
        SslPolicyLoader sslPolicyLoader = new SslPolicyLoader(fileSystemAbstraction, config, internalLogProvider);
        sslPolicyLoader.load();
        return sslPolicyLoader;
    }

    public SslPolicy getPolicy(SslPolicyScope sslPolicyScope) {
        if (sslPolicyScope == null) {
            return null;
        }
        SslPolicy sslPolicy = this.policies.get(sslPolicyScope);
        if (sslPolicy == null) {
            throw new IllegalArgumentException(String.format("Cannot find enabled SSL policy with name '%s' in the configuration", sslPolicyScope));
        }
        return sslPolicy;
    }

    public boolean hasPolicyForSource(SslPolicyScope sslPolicyScope) {
        return this.policies.containsKey(sslPolicyScope);
    }

    private void load() {
        this.config.getGroups(SslPolicyConfig.class).values().forEach(this::addPolicy);
        this.policies.forEach((sslPolicyScope, sslPolicy) -> {
            this.log.info(String.format("Loaded SSL policy '%s' = %s", sslPolicyScope.name(), sslPolicy));
        });
    }

    private void addPolicy(SslPolicyConfig sslPolicyConfig) {
        if (((Boolean) this.config.get(sslPolicyConfig.enabled)).booleanValue()) {
            SslPolicyScope scope = sslPolicyConfig.getScope();
            if (this.policies.put(scope, createSslPolicy(sslPolicyConfig)) != null) {
                throw new IllegalStateException("Can not have multiple SslPolicies configured for " + scope.name());
            }
        }
    }

    private SslPolicy createSslPolicy(SslPolicyConfig sslPolicyConfig) {
        Path path = (Path) this.config.get(sslPolicyConfig.base_directory);
        Path path2 = (Path) this.config.get(sslPolicyConfig.revoked_dir);
        if (!this.fileSystem.fileExists(path)) {
            throw new IllegalArgumentException(String.format("Base directory '%s' for SSL policy with name '%s' does not exist.", path, sslPolicyConfig.name()));
        }
        KeyAndChain pemKeyAndChain = pemKeyAndChain(sslPolicyConfig);
        try {
            TrustManagerFactory createTrustManagerFactory = createTrustManagerFactory(((Boolean) this.config.get(sslPolicyConfig.trust_all)).booleanValue(), getCRLs(this.fileSystem, path2, certificateFilenameFilter()), pemKeyAndChain.trustStore);
            boolean booleanValue = ((Boolean) this.config.get(sslPolicyConfig.verify_hostname)).booleanValue();
            boolean z = !((Boolean) this.config.get(sslPolicyConfig.trust_expired)).booleanValue();
            ClientAuth clientAuth = (ClientAuth) this.config.get(sslPolicyConfig.client_auth);
            List list = (List) this.config.get(sslPolicyConfig.tls_versions);
            List list2 = (List) this.config.get(sslPolicyConfig.ciphers);
            if (!booleanValue && !this.config.isExplicitlySet(sslPolicyConfig.verify_hostname)) {
                this.log.warn("SSL Hostname verification is disabled by default. Consider explicitly setting %s", new Object[]{sslPolicyConfig.verify_hostname.name()});
            }
            return new SslPolicy(pemKeyAndChain.privateKey, pemKeyAndChain.keyCertChain, list, list2, clientAuth, createTrustManagerFactory, this.sslProvider, booleanValue, z, this.logProvider);
        } catch (Exception e) {
            throw new RuntimeException("Failed to create trust manager", e);
        }
    }

    private KeyAndChain pemKeyAndChain(SslPolicyConfig sslPolicyConfig) {
        Path path = (Path) this.config.get(sslPolicyConfig.private_key);
        SecureString secureString = (SecureString) this.config.get(sslPolicyConfig.private_key_password);
        Path path2 = (Path) this.config.get(sslPolicyConfig.trusted_dir);
        try {
            KeyStore createTrustStoreFromPem = createTrustStoreFromPem(path2, (ClientAuth) this.config.get(sslPolicyConfig.client_auth));
            if (sslPolicyConfig.getScope().isClientOnly() && !this.fileSystem.fileExists(path)) {
                return new KeyAndChain(null, new X509Certificate[0], createTrustStoreFromPem);
            }
            Path path3 = (Path) this.config.get(sslPolicyConfig.public_certificate);
            PrivateKey loadPrivateKey = loadPrivateKey(this.fileSystem, path, secureString);
            X509Certificate[] loadCertificateChain = loadCertificateChain(this.fileSystem, path3);
            if (!((Boolean) this.config.get(sslPolicyConfig.trust_expired)).booleanValue()) {
                for (X509Certificate x509Certificate : loadCertificateChain) {
                    if (x509Certificate != null) {
                        try {
                            x509Certificate.checkValidity();
                        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                            throw new RuntimeException("Expired certificate", e);
                        }
                    }
                }
            }
            return new KeyAndChain(loadPrivateKey, loadCertificateChain, createTrustStoreFromPem);
        } catch (Exception e2) {
            throw new RuntimeException("Failed to create trust manager based on: " + String.valueOf(path2), e2);
        }
    }

    private static Collection<X509CRL> getCRLs(FileSystemAbstraction fileSystemAbstraction, Path path, DirectoryStream.Filter<Path> filter) {
        if (!fileSystemAbstraction.fileExists(path)) {
            return new ArrayList();
        }
        try {
            Path[] listFiles = fileSystemAbstraction.listFiles(path, filter);
            ArrayList arrayList = new ArrayList();
            for (Path path2 : listFiles) {
                try {
                    InputStream openAsInputStream = fileSystemAbstraction.openAsInputStream(path2);
                    try {
                        arrayList.addAll(PkiUtils.CERTIFICATE_FACTORY.generateCRLs(openAsInputStream));
                        if (openAsInputStream != null) {
                            openAsInputStream.close();
                        }
                    } finally {
                    }
                } catch (IOException | CRLException e) {
                    throw new RuntimeException(String.format("Could not load CRL: %s", path2), e);
                }
            }
            return arrayList;
        } catch (IOException e2) {
            throw new RuntimeException(String.format("Could not find or list files in revoked directory: %s", path), e2);
        }
    }

    private static X509Certificate[] loadCertificateChain(FileSystemAbstraction fileSystemAbstraction, Path path) {
        try {
            return PkiUtils.loadCertificates(fileSystemAbstraction, path);
        } catch (Exception e) {
            throw new RuntimeException("Failed to load public certificate chain: " + String.valueOf(path), e);
        }
    }

    private static PrivateKey loadPrivateKey(FileSystemAbstraction fileSystemAbstraction, Path path, SecureString secureString) {
        try {
            return PkiUtils.loadPrivateKey(fileSystemAbstraction, path, secureString != null ? secureString.getString() : null);
        } catch (Exception e) {
            throw new RuntimeException("Failed to load private key: " + String.valueOf(path) + (secureString == null ? "" : " (using configured password)"), e);
        }
    }

    private static TrustManagerFactory createTrustManagerFactory(boolean z, Collection<X509CRL> collection, KeyStore keyStore) throws Exception {
        if (z) {
            return InsecureTrustManagerFactory.INSTANCE;
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (collection.isEmpty()) {
            trustManagerFactory.init(keyStore);
        } else {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
            pKIXBuilderParameters.setRevocationEnabled(true);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(collection)));
            trustManagerFactory.init(new CertPathTrustManagerParameters(pKIXBuilderParameters));
        }
        return trustManagerFactory;
    }

    private KeyStore createTrustStoreFromPem(Path path, ClientAuth clientAuth) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        if (!this.fileSystem.fileExists(path)) {
            return keyStore;
        }
        Path[] listFiles = this.fileSystem.listFiles(path, certificateFilenameFilter());
        if (clientAuth == ClientAuth.REQUIRE && listFiles.length == 0) {
            throw new RuntimeException(String.format("Client auth is required but no trust anchors found in: %s", path));
        }
        int i = 0;
        for (Path path2 : listFiles) {
            InputStream openAsInputStream = this.fileSystem.openAsInputStream(path2);
            try {
                try {
                    Iterator<? extends Certificate> it = PkiUtils.CERTIFICATE_FACTORY.generateCertificates(openAsInputStream).iterator();
                    while (it.hasNext()) {
                        int i2 = i;
                        i++;
                        keyStore.setCertificateEntry(Integer.toString(i2), (X509Certificate) it.next());
                    }
                    if (openAsInputStream != null) {
                        openAsInputStream.close();
                    }
                } catch (Exception e) {
                    throw new CertificateException("Error loading certificate file: " + String.valueOf(path2), e);
                }
            } catch (Throwable th) {
                if (openAsInputStream != null) {
                    try {
                        openAsInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        return keyStore;
    }

    private DirectoryStream.Filter<Path> certificateFilenameFilter() {
        return this.skipDotFiles ? SKIP_DOT_FILES : ALL_FILES;
    }
}
