package com.redhat.insights.tls;

import com.redhat.insights.InsightsErrorCode;
import com.redhat.insights.InsightsException;
import com.redhat.insights.config.InsightsConfiguration;
import com.redhat.insights.logging.InsightsLogger;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.pem.Pem;

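/**
 * Builds an {@link SSLContext} for mutual TLS (client certificate authentication) from a PEM
 * certificate chain and a PEM private key.
 *
 * <p>The material is read either from the paths in {@link InsightsConfiguration}, or — when a
 * direct read fails, typically for permission reasons — through the configured cert-helper binary
 * (see {@code CertHelper}).
 *
 * <p>Security properties of the context produced here:
 * <ul>
 *   <li>Only {@code TLSv1.3} is requested ({@link #TLS_PROTOCOL}).</li>
 *   <li>No custom trust manager is installed: {@code SSLContext.init} is called with {@code null}
 *       trust managers, so the server certificate is validated against the JDK default trust
 *       store.</li>
 *   <li>The private key is held only in an in-memory {@link KeyStore} that is never persisted,
 *       which is why an empty key password is used.</li>
 *   <li>Raw private-key bytes owned by this class are zeroed as soon as they have been parsed.
 *       Callers of {@link #createTLSContext(byte[], byte[])} own their arrays and are responsible
 *       for wiping them.</li>
 * </ul>
 *
 * <p>Note: this source was recovered from compiled bytecode ({@code PEMSupport.class}).
 */
public class PEMSupport {
    /** Mode string selecting the certificate file (also passed to the helper binary). */
    private static final String MODE_CERT = "--cert";
    /** Mode string selecting the private-key file (also passed to the helper binary). */
    private static final String MODE_KEY = "--key";
    /** The only TLS protocol the context is created for; requires a JDK that supports TLS 1.3. */
    private static final String TLS_PROTOCOL = "TLSv1.3";

    private final InsightsLogger logger;
    private final InsightsConfiguration configuration;

    /**
     * @param insightsLogger        logger for diagnostic (debug-level) output
     * @param insightsConfiguration source of the mTLS flag, file paths and helper-binary path
     */
    public PEMSupport(InsightsLogger insightsLogger, InsightsConfiguration insightsConfiguration) {
        this.logger = insightsLogger;
        this.configuration = insightsConfiguration;
    }

    /**
     * Creates the mTLS context from the configured certificate and key paths.
     *
     * @return a {@code TLSv1.3} context whose key manager holds the configured client identity
     * @throws InsightsException with {@code ERROR_SSL_CREATING_CONTEXT} if mTLS is not enabled in
     *                           the configuration or the context cannot be built, with
     *                           {@code ERROR_SSL_READING_CERTS} if either file yields no bytes, or
     *                           with the more specific codes raised while reading/parsing
     */
    public SSLContext createTLSContext() {
        if (!configuration.useMTLS()) {
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT,
                    "Illegal attempt to create SSLContext for token auth");
        }
        byte[] certBytes = getBytesPossiblyPrivileged(MODE_CERT);
        byte[] keyBytes = getBytesPossiblyPrivileged(MODE_KEY);
        try {
            if (certBytes.length == 0 || keyBytes.length == 0) {
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_READING_CERTS,
                        "SSLContext creation error - could not get file bytes");
            }
            logger.debug("Cert and key obtained successfully, trying to create TLS context");
            return createTLSContext(certBytes, keyBytes);
        } finally {
            // The parsed PrivateKey objects live on in the KeyStore; the raw PEM bytes do not need
            // to outlive this call, so do not leave a copy of the key lying around on the heap.
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    /**
     * Creates the mTLS context from explicit certificate and key files.
     *
     * @param certPath PEM file holding the certificate (chain)
     * @param keyPath  PEM file holding the private key
     * @return a {@code TLSv1.3} context whose key manager holds the given identity
     * @throws InsightsException with {@code ERROR_SSL_CREATING_CONTEXT} if either file does not
     *                           exist or cannot be read, or with the more specific code raised by
     *                           {@link #createTLSContext(byte[], byte[])} (propagated unchanged)
     */
    public SSLContext createTLSContext(Path certPath, Path keyPath) {
        if (!Files.exists(certPath)) {
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT,
                    "The certificate file does not exist: " + certPath);
        }
        if (!Files.exists(keyPath)) {
            // Report the key path here (the original reported the certificate path).
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT,
                    "The key file does not exist: " + keyPath);
        }
        byte[] keyBytes = null;
        try {
            byte[] certBytes = Files.readAllBytes(certPath);
            keyBytes = Files.readAllBytes(keyPath);
            return createTLSContext(certBytes, keyBytes);
        } catch (InsightsException e) {
            // Already carries the most specific error code; do not re-wrap it.
            throw e;
        } catch (Exception e) {
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT, "SSLContext creation error", e);
        } finally {
            if (keyBytes != null) {
                Arrays.fill(keyBytes, (byte) 0);
            }
        }
    }

    /**
     * Reads the certificate or key file named by {@code mode}, falling back to the helper binary
     * when the direct read fails (e.g. the file is readable only by a privileged user).
     *
     * <p>NOTE(review): the helper binary path comes from configuration and the key material is
     * returned through that process; treat the helper path as security-sensitive configuration.
     *
     * @param mode {@link #MODE_CERT} or {@link #MODE_KEY}
     * @return the raw file bytes (may be empty; callers check the length)
     * @throws InsightsException with {@code ERROR_SSL_READING_CERTS_INVALID_MODE} for any other
     *                           mode, or with {@code ERROR_SSL_CREATING_CONTEXT} if the helper
     *                           fails or the thread is interrupted while waiting for it
     */
    byte[] getBytesPossiblyPrivileged(String mode) {
        final String filePath;
        switch (mode) {
            case MODE_CERT:
                filePath = configuration.getCertFilePath();
                break;
            case MODE_KEY:
                filePath = configuration.getKeyFilePath();
                break;
            default:
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_READING_CERTS_INVALID_MODE,
                        "Invalid mode " + mode + " passed for cert retrieval. This should not happen.");
        }
        try {
            return Files.readAllBytes(Paths.get(filePath));
        } catch (IOException directReadFailure) {
            logger.debug("Direct read of cert and key failed.", directReadFailure);
            logger.debug("Trying to use the helper binary " + configuration.getCertHelperBinary()
                    + " to read default cert: " + InsightsConfiguration.DEFAULT_RHEL_CERT_FILE_PATH
                    + " and key: " + InsightsConfiguration.DEFAULT_RHEL_KEY_FILE_PATH);
            try {
                return new CertHelper(logger, configuration).readUsingHelper(mode);
            } catch (InterruptedException interrupted) {
                // Restore the interrupt flag so callers up the stack still observe it.
                Thread.currentThread().interrupt();
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT,
                        "SSLContext creation error", interrupted);
            } catch (IOException helperFailure) {
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT,
                        "SSLContext creation error", helperFailure);
            }
        }
    }

    /**
     * Builds the context from in-memory PEM data.
     *
     * <p>Every certificate in {@code certPem} is stored as a trusted-certificate entry and the full
     * array is attached as the chain of every private key in {@code keyPem}. Trust managers are left
     * at the JDK default.
     *
     * @param certPem PEM bytes containing one or more {@code CERTIFICATE} entries
     * @param keyPem  PEM bytes containing one or more private-key entries
     * @return a {@code TLSv1.3} context initialised with a key manager over the given material
     * @throws InsightsException with {@code ERROR_SSL_PARSING_CERTS} if a PEM entry is not of the
     *                           expected type or no entries of that type are present, with
     *                           {@code ERROR_SSL_CERTS_PROBLEM} on a certificate error, or with
     *                           {@code ERROR_SSL_CREATING_CONTEXT} for other key-store/SSL failures
     */
    SSLContext createTLSContext(byte[] certPem, byte[] keyPem) {
        // The KeyStore is never written out, so an empty password is adequate.
        char[] noPassword = new char[0];
        try {
            Certificate[] chain = parsePemData(Certificate.class, certPem).toArray(new Certificate[0]);
            List<PrivateKey> keys = parsePemData(PrivateKey.class, keyPem);
            // Fail fast: a context without an identity would silently fail client auth later.
            if (chain.length == 0) {
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_PARSING_CERTS,
                        "No certificate entries found in PEM data");
            }
            if (keys.isEmpty()) {
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_PARSING_CERTS,
                        "No private key entries found in PEM data");
            }
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            for (int i = 0; i < chain.length; i++) {
                keyStore.setCertificateEntry("cert-" + i, chain[i]);
            }
            for (int i = 0; i < keys.size(); i++) {
                keyStore.setKeyEntry("key-" + i, (Key) keys.get(i), noPassword, chain);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, noPassword);
            SSLContext context = SSLContext.getInstance(TLS_PROTOCOL);
            // null trust managers -> JDK default trust store; null SecureRandom -> JDK default.
            context.init(kmf.getKeyManagers(), null, null);
            return context;
        } catch (IOException | KeyManagementException | KeyStoreException
                 | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CREATING_CONTEXT, "SSLContext creation error", e);
        } catch (CertificateException e) {
            throw new InsightsException(
                    InsightsErrorCode.ERROR_SSL_CERTS_PROBLEM, "Certificates error", e);
        }
    }

    /**
     * Parses every entry of a PEM document and casts each to {@code type}.
     *
     * @param type     the entry type expected (e.g. {@link Certificate} or {@link PrivateKey})
     * @param pemBytes UTF-8 PEM text
     * @return the entries, in document order (empty if the document has no entries)
     * @throws InsightsException with {@code ERROR_SSL_PARSING_CERTS} if an entry cannot be cast
     */
    private static <T> List<T> parsePemData(Class<T> type, byte[] pemBytes) {
        List<T> entries = new ArrayList<>();
        Pem.parsePemContent(CodePointIterator.ofUtf8Bytes(pemBytes)).forEachRemaining(pemEntry -> {
            T entry = pemEntry.tryCast(type);
            if (entry == null) {
                throw new InsightsException(
                        InsightsErrorCode.ERROR_SSL_PARSING_CERTS,
                        "Could not cast a PemEntry to class " + type);
            }
            entries.add(entry);
        });
        return entries;
    }
}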
