package com.spotify.docker.client;

import com.google.common.base.Optional;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/docker/client/DockerCertificates.class */
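/**
 * Builds the {@link SSLContext} used for mutual TLS with a Docker daemon from three PEM files:
 * a CA certificate, a client certificate and the client's private key.
 *
 * <p>Trust is limited to the single CA certificate read from {@code caCertPath}; the client
 * certificate and key are presented to the daemon. Hostname verification is NOT performed by
 * the verifier this class hands out, see {@link #hostnameVerifier()}.
 */
public class DockerCertificates {
    public static final String DEFAULT_CA_CERT_NAME = "ca.pem";
    public static final String DEFAULT_CLIENT_CERT_NAME = "cert.pem";
    public static final String DEFAULT_CLIENT_KEY_NAME = "key.pem";

    // Password for the key entry of the in-memory key store only. The store is created with
    // load(null, null) and is never written out by this class, so this constant is not a secret
    // and protects nothing at rest; the private key's protection is the key file's permissions.
    private static final char[] KEY_STORE_PASSWORD = "docker!!11!!one!".toCharArray();
    private static final Logger log = LoggerFactory.getLogger(DockerCertificates.class);
    private final SSLContext sslContext;

    /**
     * Collects the three file locations and creates a {@link DockerCertificates} when all of
     * them are set and exist.
     */
    public static class Builder {
        private Path caCertPath;
        private Path clientKeyPath;
        private Path clientCertPath;

        /**
         * Sets all three paths relative to one directory, using the default file names
         * {@code ca.pem}, {@code key.pem} and {@code cert.pem}.
         *
         * @param path directory holding the three PEM files
         * @return this builder
         */
        public Builder dockerCertPath(Path path) {
            this.caCertPath = path.resolve(DockerCertificates.DEFAULT_CA_CERT_NAME);
            this.clientKeyPath = path.resolve(DockerCertificates.DEFAULT_CLIENT_KEY_NAME);
            this.clientCertPath = path.resolve(DockerCertificates.DEFAULT_CLIENT_CERT_NAME);
            return this;
        }

        /**
         * @param path location of the CA certificate used as the only trust anchor
         * @return this builder
         */
        public Builder caCertPath(Path path) {
            this.caCertPath = path;
            return this;
        }

        /**
         * @param path location of the client's private key
         * @return this builder
         */
        public Builder clientKeyPath(Path path) {
            this.clientKeyPath = path;
            return this;
        }

        /**
         * @param path location of the client certificate
         * @return this builder
         */
        public Builder clientCertPath(Path path) {
            this.clientCertPath = path;
            return this;
        }

        /**
         * Creates the certificates object, or returns an absent value when a path is unset or
         * a file is missing.
         *
         * <p>NOTE(security): an absent result is only logged at debug level ("not using SSL").
         * A caller that requires TLS must treat an absent result as a configuration error
         * instead of continuing without certificates, otherwise a missing or mistyped file
         * silently downgrades the connection.
         *
         * @return the certificates, or {@code Optional.absent()} when not all files are available
         * @throws DockerCertificateException if the files exist but cannot be loaded
         */
        public Optional<DockerCertificates> build() throws DockerCertificateException {
            if (this.caCertPath == null || this.clientKeyPath == null || this.clientCertPath == null) {
                DockerCertificates.log.debug("caCertPath, clientKeyPath or clientCertPath not specified, not using SSL");
                return Optional.absent();
            }
            // The existence check is advisory: a file removed between this check and the read
            // surfaces as a DockerCertificateException from the constructor.
            if (Files.exists(this.caCertPath, new LinkOption[0]) && Files.exists(this.clientKeyPath, new LinkOption[0]) && Files.exists(this.clientCertPath, new LinkOption[0])) {
                return Optional.of(new DockerCertificates(this));
            }
            DockerCertificates.log.debug("{}, {} or {} does not exist, not using SSL", new Object[]{this.caCertPath, this.clientKeyPath, this.clientCertPath});
            return Optional.absent();
        }
    }

    /**
     * Loads {@code ca.pem}, {@code cert.pem} and {@code key.pem} from the given directory.
     *
     * @param path directory holding the three PEM files
     * @throws DockerCertificateException if any file cannot be read or parsed
     */
    public DockerCertificates(Path path) throws DockerCertificateException {
        this(new Builder().dockerCertPath(path));
    }

    /**
     * Reads the three files and assembles the SSL context: one key store holding the CA as
     * trusted entry, one holding the client certificate and private key.
     *
     * @throws DockerCertificateException if a path is unset, a file cannot be read, or its
     *     content is not usable as certificate or RSA key
     */
    private DockerCertificates(Builder builder) throws DockerCertificateException {
        if (builder.caCertPath == null || builder.clientCertPath == null || builder.clientKeyPath == null) {
            throw new DockerCertificateException("caCertPath, clientCertPath, and clientKeyPath must all be specified");
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Certificate caCert = readCertificate(certificateFactory, builder.caCertPath);
            Certificate clientCert = readCertificate(certificateFactory, builder.clientCertPath);
            PrivateKey clientKey = readPrivateKey(builder.clientKeyPath);

            // Trust store: the configured CA is the only trust anchor, the JVM default
            // trust store is not consulted for this context.
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            trustStore.setEntry("ca", new KeyStore.TrustedCertificateEntry(caCert), null);

            // Key store: client certificate plus its private key for client authentication.
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            keyStore.setCertificateEntry("client", clientCert);
            keyStore.setKeyEntry("key", clientKey, KEY_STORE_PASSWORD, new Certificate[]{clientCert});

            this.sslContext = SSLContexts.custom()
                    .loadTrustMaterial(trustStore, (TrustStrategy) null)
                    .loadKeyMaterial(keyStore, KEY_STORE_PASSWORD)
                    .build();
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | InvalidKeySpecException e) {
            throw new DockerCertificateException(e);
        }
    }

    /**
     * Reads one X.509 certificate from a file and closes the file afterwards.
     *
     * <p>Only a single certificate is read per file; further certificates in a bundle are
     * not loaded.
     */
    private static Certificate readCertificate(CertificateFactory certificateFactory, Path file)
            throws IOException, CertificateException {
        try (InputStream in = Files.newInputStream(file, new OpenOption[0])) {
            return certificateFactory.generateCertificate(in);
        }
    }

    /**
     * Reads the client's RSA private key from a PEM file and closes the file afterwards.
     *
     * <p>The first PEM object must parse as a key pair. Anything else, including an empty
     * file, is rejected with a {@link DockerCertificateException} rather than surfacing as an
     * unchecked cast or null-pointer failure. The message names the file only, never key
     * material.
     */
    private static PrivateKey readPrivateKey(Path file)
            throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, DockerCertificateException {
        try (BufferedReader reader = Files.newBufferedReader(file, Charset.defaultCharset());
                PEMParser pemParser = new PEMParser(reader)) {
            Object pemObject = pemParser.readObject();
            if (!(pemObject instanceof PEMKeyPair)) {
                throw new DockerCertificateException("Cannot read a private key pair from file: " + file);
            }
            byte[] encodedKey = ((PEMKeyPair) pemObject).getPrivateKeyInfo().getEncoded();
            // Only RSA keys are supported; other key types fail with InvalidKeySpecException.
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(encodedKey));
        }
    }

    /**
     * @return the SSL context built from the CA certificate, client certificate and client key
     */
    public SSLContext sslContext() {
        return this.sslContext;
    }

    /**
     * Returns a verifier that accepts every hostname.
     *
     * <p>NOTE(security): with this verifier the name in the daemon's certificate is not
     * compared with the address being connected to. The remaining server check is chain
     * validation against the CA from {@code caCertPath}, so any certificate issued by that
     * CA is accepted for any daemon address. Use a CA dedicated to the Docker daemons, and
     * where the daemon certificates carry correct subject alternative names prefer a strict
     * verifier at the call site.
     *
     * @return the no-op hostname verifier
     */
    public HostnameVerifier hostnameVerifier() {
        return NoopHostnameVerifier.INSTANCE;
    }

    /**
     * @return a new, empty {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }
}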
