package org.neo4j.driver.internal.security;

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.neo4j.driver.internal.RevocationStrategy;
import org.neo4j.driver.internal.util.CertificateTool;

/* loaded from: input_file:org/neo4j/driver/internal/security/SecurityPlanImpl.class */
/**
 * Immutable {@link SecurityPlan} that bundles the TLS settings chosen for a driver connection:
 * whether encryption is required, the {@link SSLContext} to use, whether hostname verification
 * is requested, and the certificate revocation strategy.
 *
 * <p>Instances are created only through the static factories. Their trust posture differs widely:
 * <ul>
 *   <li>{@link #forSystemCASignedCertificates} and {@link #forCustomCASignedCertificates} build a
 *       context backed by a real trust store.</li>
 *   <li>{@link #forAllCertificates} builds a context that accepts every server certificate.</li>
 *   <li>{@link #insecure()} carries no {@code SSLContext} at all and does not require encryption.</li>
 * </ul>
 *
 * <p>This class only records {@code requiresHostnameVerification} and {@code revocationStrategy};
 * whatever consumes the plan is expected to act on them (not visible in this file).
 */
public class SecurityPlanImpl implements SecurityPlan {
    private final boolean requiresEncryption;
    private final SSLContext sslContext;
    private final boolean requiresHostnameVerification;
    private final RevocationStrategy revocationStrategy;

    /**
     * Trust manager used by {@link #forAllCertificates}. It performs no validation of the server's
     * certificate chain, so a context built on it encrypts traffic but does not authenticate the
     * peer through the certificate chain.
     */
    private static class TrustAllTrustManager implements X509TrustManager {
        private TrustAllTrustManager() {
        }

        /** Always rejects: this manager is only meant for the client side of a connection. */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("All client connections to this client are forbidden.");
        }

        /**
         * Accepts any server chain. The empty body is deliberate: returning without throwing is
         * how an {@link X509TrustManager} signals that the chain is trusted.
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: no issuer, expiry, signature or revocation check is made here.
        }

        /** Reports no accepted issuers. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Creates an encrypted plan whose {@link SSLContext} trusts every server certificate.
     *
     * <p>The given revocation strategy is stored on the plan, but the context built here cannot
     * apply it, because {@link TrustAllTrustManager#checkServerTrusted} never inspects the chain.
     *
     * @param z stored as the plan's {@code requiresHostnameVerification} flag
     * @param revocationStrategy stored on the plan as-is
     * @return a plan with {@code requiresEncryption() == true}
     * @throws GeneralSecurityException if the TLS context cannot be obtained or initialised
     */
    public static SecurityPlan forAllCertificates(boolean z, RevocationStrategy revocationStrategy) throws GeneralSecurityException {
        SSLContext trustAllContext = SSLContext.getInstance("TLS");
        KeyManager[] noKeyManagers = new KeyManager[0];
        TrustManager[] acceptEverything = {new TrustAllTrustManager()};
        trustAllContext.init(noKeyManagers, acceptEverything, null);
        return new SecurityPlanImpl(true, trustAllContext, z, revocationStrategy);
    }

    /**
     * Creates an encrypted plan that trusts the certificates read from the given files.
     *
     * <p>Caveat: an empty {@code list} does not produce an empty trust store. In that case
     * {@link #configureSSLContext} falls back to the system certificates, so a caller that wants
     * to trust only its own CA should check that the list is non-empty before calling.
     *
     * @param list certificate files to trust; when empty, system certificates are used instead
     * @param z stored as the plan's {@code requiresHostnameVerification} flag
     * @param revocationStrategy controls revocation checking in the trust manager and is stored on the plan
     * @return a plan with {@code requiresEncryption() == true}
     * @throws GeneralSecurityException if the key store or TLS context cannot be set up
     * @throws IOException propagated from key store or certificate loading
     */
    public static SecurityPlan forCustomCASignedCertificates(List<File> list, boolean z, RevocationStrategy revocationStrategy) throws GeneralSecurityException, IOException {
        SSLContext customContext = configureSSLContext(list, revocationStrategy);
        return new SecurityPlanImpl(true, customContext, z, revocationStrategy);
    }

    /**
     * Creates an encrypted plan that trusts the issuers accepted by the JVM's default trust manager.
     *
     * @param z stored as the plan's {@code requiresHostnameVerification} flag
     * @param revocationStrategy controls revocation checking in the trust manager and is stored on the plan
     * @return a plan with {@code requiresEncryption() == true}
     * @throws GeneralSecurityException if the key store or TLS context cannot be set up
     * @throws IOException propagated from key store or certificate loading
     */
    public static SecurityPlan forSystemCASignedCertificates(boolean z, RevocationStrategy revocationStrategy) throws GeneralSecurityException, IOException {
        List<File> noCustomCertificates = Collections.emptyList();
        SSLContext systemContext = configureSSLContext(noCustomCertificates, revocationStrategy);
        return new SecurityPlanImpl(true, systemContext, z, revocationStrategy);
    }

    /**
     * Builds a client-side TLS context (no key managers) over a fresh in-memory key store.
     *
     * <p>The key store is filled from {@code customCertFiles} when that list is non-empty and from
     * the system certificates otherwise. When revocation checking is required, the trust manager
     * factory is initialised with PKIX parameters; otherwise directly with the key store.
     *
     * @param customCertFiles certificate files to trust, or an empty list to use system certificates
     * @param revocationStrategy decides whether PKIX revocation parameters are built
     * @return the initialised context
     */
    private static SSLContext configureSSLContext(List<File> customCertFiles, RevocationStrategy revocationStrategy) throws GeneralSecurityException, IOException {
        KeyStore trustAnchors = KeyStore.getInstance(KeyStore.getDefaultType());
        // load(null, null) initialises an empty key store rather than reading one from a stream.
        trustAnchors.load(null, null);
        if (!customCertFiles.isEmpty()) {
            // CertificateTool is defined elsewhere; it is expected to add the certificates to the key store.
            CertificateTool.loadX509Cert(customCertFiles, trustAnchors);
        } else {
            loadSystemCertificates(trustAnchors);
        }

        PKIXBuilderParameters revocationParams = configurePKIXBuilderParameters(trustAnchors, revocationStrategy);
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (revocationParams != null) {
            factory.init(new CertPathTrustManagerParameters(revocationParams));
        } else {
            factory.init(trustAnchors);
        }
        context.init(new KeyManager[0], factory.getTrustManagers(), null);
        return context;
    }

    /**
     * Builds PKIX parameters with revocation checking enabled, or returns {@code null} when
     * {@link RevocationStrategy#requiresRevocationChecking} reports that none is needed.
     *
     * <p>Side effect: when revocation checking is required this method sets the system property
     * {@code jdk.tls.client.enableStatusRequestExtension}, and for {@code VERIFY_IF_PRESENT} also
     * the security property {@code ocsp.enable}. Both are JVM-wide and are never reset here, so
     * they affect every other TLS client in the same process from then on.
     *
     * @param keyStore trust anchors for the PKIX parameters
     * @param revocationStrategy the strategy to apply
     * @return the parameters, or {@code null} if revocation checking is not required
     */
    private static PKIXBuilderParameters configurePKIXBuilderParameters(KeyStore keyStore, RevocationStrategy revocationStrategy) throws InvalidAlgorithmParameterException, KeyStoreException {
        if (!RevocationStrategy.requiresRevocationChecking(revocationStrategy)) {
            return null;
        }
        // An unconstrained X509CertSelector matches every certificate.
        PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        params.setRevocationEnabled(true);
        // JDK switch for sending the OCSP status_request extension (stapling) from the client.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
        if (revocationStrategy.equals(RevocationStrategy.VERIFY_IF_PRESENT)) {
            // JDK security property that turns on OCSP in the PKIX revocation checker.
            Security.setProperty("ocsp.enable", "true");
        }
        return params;
    }

    /**
     * Copies the issuers accepted by the JVM's default X.509 trust manager into {@code keyStore}.
     *
     * @param keyStore destination key store
     * @throws CertificateException if the default factory yields no {@link X509TrustManager}
     */
    private static void loadSystemCertificates(KeyStore keyStore) throws GeneralSecurityException, IOException {
        TrustManagerFactory defaultFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null key store makes the factory fall back to the JDK's default trust store.
        defaultFactory.init((KeyStore) null);

        X509TrustManager systemTrustManager = null;
        for (TrustManager candidate : defaultFactory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                // Only the first X.509 trust manager is used.
                systemTrustManager = (X509TrustManager) candidate;
                break;
            }
        }
        if (systemTrustManager == null) {
            throw new CertificateException("No system certificates found");
        }
        CertificateTool.loadX509Cert(systemTrustManager.getAcceptedIssuers(), keyStore);
    }

    /**
     * Creates a plan without TLS: encryption and hostname verification are both off, the
     * revocation strategy is {@code NO_CHECKS}, and {@link #sslContext()} returns {@code null}.
     *
     * @return the unencrypted plan
     */
    public static SecurityPlan insecure() {
        return new SecurityPlanImpl(false, null, false, RevocationStrategy.NO_CHECKS);
    }

    /** Stores the four settings as given; no validation is performed. */
    private SecurityPlanImpl(boolean encrypted, SSLContext context, boolean verifyHostname, RevocationStrategy revocationStrategy) {
        this.requiresEncryption = encrypted;
        this.sslContext = context;
        this.requiresHostnameVerification = verifyHostname;
        this.revocationStrategy = revocationStrategy;
    }

    /** Returns whether this plan requires an encrypted connection. */
    @Override
    public boolean requiresEncryption() {
        return requiresEncryption;
    }

    /** Returns the TLS context for this plan; {@code null} for the plan built by {@link #insecure()}. */
    @Override
    public SSLContext sslContext() {
        return sslContext;
    }

    /** Returns whether hostname verification was requested when the plan was created. */
    @Override
    public boolean requiresHostnameVerification() {
        return requiresHostnameVerification;
    }

    /** Returns the revocation strategy recorded for this plan. */
    @Override
    public RevocationStrategy revocationStrategy() {
        return revocationStrategy;
    }
}
