package ai.vespa.feed.client.impl;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:ai/vespa/feed/client/impl/SslContextBuilder.class */
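/**
 * Builds an {@link SSLContext} from a client certificate/private key pair and/or a set of CA
 * certificates, each supplied either as PEM files or as already-parsed objects.
 *
 * <p>Decompiler note: JADX reports that this class's builder methods and {@link #build()} were
 * package-private in the original class file; the visibility shown here is the decompiler's.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Only unencrypted PEM private keys are handled (PKCS#8 {@code PrivateKeyInfo} or a
 *       traditional key pair). Any other PEM object in the key file is skipped, so an encrypted
 *       key ends in "Could not find private key in PEM file". The key file therefore has to be
 *       protected by file-system permissions.</li>
 *   <li>If no CA certificates are configured, {@code null} trust managers are passed to
 *       {@link SSLContext#init}, which means the JSSE default trust managers are used.</li>
 *   <li>File settings take precedence over instance settings when both are present.</li>
 * </ul>
 *
 * <p>Instances are mutable and perform no synchronization.
 */
public class SslContextBuilder {
    static final BouncyCastleProvider bcProvider = new BouncyCastleProvider();

    /** Alias of the single key entry holding the client certificate chain and its key. */
    private static final String KEY_ENTRY_ALIAS = "cert";

    /** Prefix of the aliases given to CA certificate entries; a 1-based counter is appended. */
    private static final String CA_ENTRY_ALIAS_PREFIX = "ca-cert-";

    private Path certificateFile;
    private Path privateKeyFile;
    private Path caCertificatesFile;
    private Collection<X509Certificate> certificate;
    private PrivateKey privateKey;
    private Collection<X509Certificate> caCertificates;

    /**
     * Configures the client certificate chain and private key from PEM files.
     *
     * @param path  PEM file holding the certificate chain
     * @param path2 PEM file holding the unencrypted private key
     * @return this builder
     */
    public SslContextBuilder withCertificateAndKey(Path path, Path path2) {
        this.certificateFile = path;
        this.privateKeyFile = path2;
        return this;
    }

    /**
     * Configures the client certificate chain and private key from in-memory objects.
     * The collection is stored by reference, not copied.
     *
     * @param collection certificate chain
     * @param privateKey private key matching the chain
     * @return this builder
     */
    public SslContextBuilder withCertificateAndKey(Collection<X509Certificate> collection, PrivateKey privateKey) {
        this.certificate = collection;
        this.privateKey = privateKey;
        return this;
    }

    /**
     * Configures the CA certificates from a PEM file.
     *
     * @param path PEM file holding one or more CA certificates
     * @return this builder
     */
    public SslContextBuilder withCaCertificates(Path path) {
        this.caCertificatesFile = path;
        return this;
    }

    /**
     * Configures the CA certificates from in-memory objects.
     * The collection is stored by reference, not copied.
     *
     * @param collection CA certificates
     * @return this builder
     */
    public SslContextBuilder withCaCertificates(Collection<X509Certificate> collection) {
        this.caCertificates = collection;
        return this;
    }

    /**
     * Creates the {@link SSLContext} from the configured material.
     *
     * @return an initialized context obtained for the {@code "TLSv1.3"} protocol name
     * @throws IOException if a PEM file cannot be read or parsed, or if any
     *                     {@link GeneralSecurityException} occurs (wrapped as the cause)
     */
    public SSLContext build() throws IOException {
        try {
            // In-memory store only: this class never persists it, so the empty entry
            // password below does not protect anything at rest.
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(null);

            if (hasCertificateFile()) {
                keyStore.setKeyEntry(
                        KEY_ENTRY_ALIAS, privateKey(privateKeyFile), new char[0], certificates(certificateFile));
            } else if (hasCertificateInstance()) {
                keyStore.setKeyEntry(
                        KEY_ENTRY_ALIAS, privateKey, new char[0], certificate.toArray(new Certificate[0]));
            }

            if (hasCaCertificateFile()) {
                addCaCertificates(keyStore, List.of(certificates(caCertificatesFile)));
            } else if (hasCaCertificateInstance()) {
                addCaCertificates(keyStore, caCertificates);
            }

            // NOTE(review): the same KeyStore feeds both the key managers and the trust managers.
            // Some JSSE trust manager implementations also treat the leaf certificate of a key
            // entry as a trust anchor - confirm for the target JDK, and build a separate
            // trust-only KeyStore if the client certificate must never be accepted as a peer.
            //
            // NOTE(review): the protocol name selects the context implementation; it is not
            // shown here that older protocol versions are disabled - if TLS 1.3 only is a
            // requirement, also restrict the enabled protocols on the socket/engine.
            SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
            sslContext.init(
                    createKeyManagers(keyStore).orElse(null),
                    createTrustManagers(keyStore).orElse(null),
                    null);
            return sslContext;
        } catch (GeneralSecurityException e) {
            throw new IOException(e);
        }
    }

    /** Returns whether both the certificate file and the private key file are set. */
    private boolean hasCertificateFile() {
        return certificateFile != null && privateKeyFile != null;
    }

    /** Returns whether both the in-memory certificate chain and private key are set. */
    private boolean hasCertificateInstance() {
        return certificate != null && privateKey != null;
    }

    /** Returns whether a CA certificate file is set. */
    private boolean hasCaCertificateFile() {
        return caCertificatesFile != null;
    }

    /** Returns whether in-memory CA certificates are set. */
    private boolean hasCaCertificateInstance() {
        return caCertificates != null;
    }

    /**
     * Creates key managers backed by {@code keyStore}, or empty if no client certificate
     * has been configured.
     */
    private Optional<KeyManager[]> createKeyManagers(KeyStore keyStore) throws GeneralSecurityException {
        if (!hasCertificateInstance() && !hasCertificateFile()) {
            return Optional.empty();
        }
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Same empty password the key entry was stored with in build().
        factory.init(keyStore, new char[0]);
        return Optional.of(factory.getKeyManagers());
    }

    /**
     * Creates trust managers backed by {@code keyStore}, or empty if no CA certificates
     * have been configured (the caller then falls back to the JSSE defaults).
     */
    private Optional<TrustManager[]> createTrustManagers(KeyStore keyStore) throws GeneralSecurityException {
        if (!hasCaCertificateInstance() && !hasCaCertificateFile()) {
            return Optional.empty();
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(keyStore);
        return Optional.of(factory.getTrustManagers());
    }

    /** Adds each certificate as a trusted entry under the aliases ca-cert-1, ca-cert-2, ... */
    private static void addCaCertificates(KeyStore keyStore, Collection<? extends Certificate> collection)
            throws KeyStoreException {
        int index = 0;
        for (Certificate caCertificate : collection) {
            index++;
            keyStore.setCertificateEntry(CA_ENTRY_ALIAS_PREFIX + index, caCertificate);
        }
    }

    /**
     * Reads every object in a PEM file as an X.509 certificate.
     *
     * @throws IOException if the file holds no PEM objects or holds an object that is not a certificate
     */
    private static Certificate[] certificates(Path path) throws IOException, GeneralSecurityException {
        try (PEMParser parser = new PEMParser(Files.newBufferedReader(path))) {
            List<Certificate> parsed = new ArrayList<>();
            Object pemObject;
            while ((pemObject = parser.readObject()) != null) {
                parsed.add(toX509Certificate(pemObject));
            }
            if (parsed.isEmpty()) {
                throw new IOException("File contains no PEM encoded certificates: " + path);
            }
            return parsed.toArray(new Certificate[0]);
        }
    }

    /**
     * Reads the first private key found in a PEM file. Objects that are neither a
     * {@link PrivateKeyInfo} nor a {@link PEMKeyPair} are skipped.
     *
     * @throws IOException if the file holds no usable private key or the key algorithm is unknown
     */
    private static PrivateKey privateKey(Path path) throws IOException, GeneralSecurityException {
        // try-with-resources closes the parser on every exit path, including a failure
        // while converting a PEMKeyPair.
        try (PEMParser parser = new PEMParser(Files.newBufferedReader(path))) {
            Object pemObject;
            while ((pemObject = parser.readObject()) != null) {
                if (pemObject instanceof PrivateKeyInfo) {
                    return toPrivateKey((PrivateKeyInfo) pemObject);
                }
                if (pemObject instanceof PEMKeyPair) {
                    return toPrivateKey(((PEMKeyPair) pemObject).getPrivateKeyInfo());
                }
            }
            throw new IOException("Could not find private key in PEM file");
        }
    }

    /** Converts PKCS#8 key info to a {@link PrivateKey} using the algorithm-specific factory. */
    private static PrivateKey toPrivateKey(PrivateKeyInfo privateKeyInfo) throws IOException, GeneralSecurityException {
        return createKeyFactory(privateKeyInfo).generatePrivate(new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded()));
    }

    /**
     * Converts a parsed PEM object to an {@link X509Certificate}.
     *
     * @throws IOException if the object is not a certificate
     */
    private static X509Certificate toX509Certificate(Object obj) throws IOException, GeneralSecurityException {
        if (obj instanceof X509Certificate) {
            return (X509Certificate) obj;
        }
        if (obj instanceof X509CertificateHolder) {
            return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate((X509CertificateHolder) obj);
        }
        throw new IOException("Invalid type of PEM object: " + obj);
    }

    /**
     * Selects a key factory for the key's algorithm; only EC and RSA are accepted.
     *
     * @throws IOException if the algorithm is neither EC nor RSA
     */
    private static KeyFactory createKeyFactory(PrivateKeyInfo privateKeyInfo) throws IOException, GeneralSecurityException {
        ASN1ObjectIdentifier algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm();
        if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
            return KeyFactory.getInstance("EC", bcProvider);
        }
        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
            return KeyFactory.getInstance("RSA", bcProvider);
        }
        throw new IOException("Unknown key algorithm: " + algorithm);
    }
}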
