package com.palantir.foundry.sql.os.utils;

import com.palantir.foundry.sql.driver.logging.DriverLoggerFactory;
import com.palantir.logsafe.Arg;
import com.palantir.logsafe.UnsafeArg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import shadow.palantir.driver.com.google.common.annotations.VisibleForTesting;
import shadow.palantir.driver.com.google.common.collect.ImmutableList;
import shadow.palantir.driver.com.palantir.conjure.java.api.config.ssl.SslConfiguration;
import shadow.palantir.driver.com.palantir.conjure.java.config.ssl.SslSocketFactories;
import shadow.palantir.driver.com.palantir.conjure.java.config.ssl.TrustContext;

/* loaded from: input_file:com/palantir/foundry/sql/os/utils/TrustStores.class */
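/**
 * Builds the {@link TrustContext} used by the driver for TLS connections.
 *
 * <p>The trust anchors are the union of three sources: the operating-system certificate store
 * (Windows or macOS only), the certificates referenced by an optional caller-supplied
 * {@link SslConfiguration}, and the JVM's default bundle (obtained by loading an {@code
 * SslConfiguration} that points at an empty PEM file). Every certificate is placed in a fresh
 * in-memory {@link KeyStore} as a trusted-certificate entry, and an {@link X509TrustManager}
 * plus a TLSv1.3-only {@link SSLSocketFactory} are derived from it.
 *
 * <p>All failures are surfaced as {@link SafeRuntimeException}; nothing is swallowed, so a
 * broken trust store cannot silently degrade into "trust nothing" or "trust everything".
 */
public final class TrustStores {
    private static final Logger log = DriverLoggerFactory.getLogger(TrustStores.class);

    /** {@link KeyStore} types that expose the operating system's own certificate store. */
    public enum OsStoreId {
        /** The Windows trusted-root certificate store. */
        WINDOWS("Windows-ROOT"),
        /** The macOS Keychain. */
        MAC("KeyChainStore");

        /** Value passed to {@link KeyStore#getInstance(String)}. */
        private final String storeId;

        OsStoreId(String storeId) {
            this.storeId = storeId;
        }
    }

    /**
     * Builds a trust context for the current platform, adding the OS certificate store on Windows
     * and macOS and falling back to Java-only trust anchors elsewhere.
     *
     * @param sslConfiguration optional custom trust store; when absent only the JVM defaults
     *     (and the OS store, where available) are trusted
     * @return the trust manager and socket factory to use for TLS
     * @throws SafeRuntimeException if any trust source cannot be loaded
     */
    public static TrustContext loadCertificates(Optional<SslConfiguration> sslConfiguration) {
        Optional<OsStoreId> osStore;
        if (SystemUtils.isWindows()) {
            osStore = Optional.of(OsStoreId.WINDOWS);
        } else if (SystemUtils.isMac()) {
            osStore = Optional.of(OsStoreId.MAC);
        } else {
            osStore = Optional.empty();
        }
        return loadCertificates(osStore, sslConfiguration);
    }

    /**
     * Builds a trust context from an explicit OS store selection and an optional custom trust
     * store.
     *
     * <p>The thread's context class loader is switched to this class's loader for the duration of
     * the JCA/JSSE factory calls and restored afterwards, so the caller's thread is left as it
     * was found.
     *
     * @param osStore which OS certificate store to include, if any
     * @param sslConfiguration optional custom trust store
     * @return the trust manager and socket factory to use for TLS
     * @throws SafeRuntimeException if any trust source cannot be loaded
     */
    @VisibleForTesting
    static TrustContext loadCertificates(Optional<OsStoreId> osStore, Optional<SslConfiguration> sslConfiguration) {
        Thread currentThread = Thread.currentThread();
        ClassLoader previousLoader = currentThread.getContextClassLoader();
        // The driver may be loaded through its own (shaded) class loader; service lookups made by
        // the factories below consult the TCCL, so point it at ours while they run.
        currentThread.setContextClassLoader(TrustStores.class.getClassLoader());
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null); // a fresh, empty, in-memory store

            List<X509Certificate> osCerts =
                    osStore.isPresent() ? loadOsCerts(osStore.get().storeId) : Collections.emptyList();
            List<X509Certificate> javaCerts = sslConfiguration.isPresent()
                    ? loadCustomAndDefaultJavaCertificates(sslConfiguration.get())
                    : loadDefaultJavaCertificates();

            ImmutableList<X509Certificate> allCerts = ImmutableList.<X509Certificate>builder()
                    .addAll(osCerts)
                    .addAll(javaCerts)
                    .build();
            // Aliases only need to be unique within this store; the index is sufficient.
            for (int i = 0; i < allCerts.size(); i++) {
                keyStore.setCertificateEntry("cert-" + i, allCerts.get(i));
            }

            X509TrustManager trustManager = createX509TrustManager(keyStore);
            return TrustContext.of(createSslSocketFactory(trustManager), trustManager);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new SafeRuntimeException("Failed to build trust store", e, new Arg[0]);
        } finally {
            currentThread.setContextClassLoader(previousLoader);
        }
    }

    /**
     * Loads only the JVM default trust anchors by pointing an {@link SslConfiguration} at an empty
     * PEM file. The temporary file is removed whether or not loading succeeds.
     */
    private static List<X509Certificate> loadDefaultJavaCertificates() {
        Path emptyPem = createEmptyPemFile();
        try {
            return loadCustomAndDefaultJavaCertificates(SslConfiguration.of(emptyPem));
        } finally {
            deleteQuietly(emptyPem);
        }
    }

    /**
     * Returns the accepted issuers of the trust manager built from {@code sslConfiguration}, which
     * covers the custom trust store together with the JVM defaults.
     *
     * @param sslConfiguration the trust store to load
     * @return the accepted issuers, as a fixed-size list
     */
    private static List<X509Certificate> loadCustomAndDefaultJavaCertificates(SslConfiguration sslConfiguration) {
        log.info("Loading custom certificates: {}", UnsafeArg.of("certificatesPath", sslConfiguration.trustStorePath()));
        X509Certificate[] acceptedIssuers =
                SslSocketFactories.createX509TrustManager(sslConfiguration).getAcceptedIssuers();
        List<X509Certificate> certificates = Arrays.asList(acceptedIssuers);
        log.debug("Loaded custom and JVM default certificates: {}", UnsafeArg.of("certificates", subjectNames(certificates)));
        return certificates;
    }

    /**
     * Reads every X.509 certificate out of the named OS key store.
     *
     * @param storeId the {@link KeyStore} type, see {@link OsStoreId}
     * @return the certificates found, in alias order
     * @throws KeyStoreException if the store cannot be enumerated
     */
    private static List<X509Certificate> loadOsCerts(String storeId) throws KeyStoreException {
        KeyStore osStore = loadOsTrustStore(storeId);
        List<X509Certificate> certificates = new ArrayList<>(osStore.size());
        for (String alias : Collections.list(osStore.aliases())) {
            Certificate certificate = osStore.getCertificate(alias);
            // getCertificate() returns null for aliases without a certificate, and a non-X.509
            // entry cannot serve as a TLS trust anchor; skip both rather than fail the whole load.
            if (certificate instanceof X509Certificate) {
                certificates.add((X509Certificate) certificate);
            } else {
                log.debug("Skipping OS trust store entry that is not an X.509 certificate: {}", UnsafeArg.of("alias", alias));
            }
        }
        log.debug("Loaded OS certificates: {}", UnsafeArg.of("certificates", subjectNames(certificates)));
        return certificates;
    }

    /** Subject DNs of the given certificates, for logging. */
    private static List<String> subjectNames(List<X509Certificate> certificates) {
        return certificates.stream()
                .map(certificate -> certificate.getSubjectX500Principal().getName())
                .collect(Collectors.toList());
    }

    /**
     * Opens the OS-backed key store of the given type.
     *
     * @param storeId the {@link KeyStore} type
     * @return the loaded store
     * @throws SafeRuntimeException if the type is unavailable or the store cannot be loaded
     */
    private static KeyStore loadOsTrustStore(String storeId) {
        try {
            KeyStore keyStore = KeyStore.getInstance(storeId);
            keyStore.load(null, null); // OS stores take no stream or password
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new SafeRuntimeException("Failed to load OS trust store", e, new Arg[0]);
        }
    }

    /**
     * Creates an {@link X509TrustManager} backed by {@code keyStore} using the default algorithm.
     *
     * @param keyStore the store holding the trusted certificates
     * @return the first X.509 trust manager the factory produces
     * @throws SafeRuntimeException if the factory fails or yields no X.509 trust manager
     */
    private static X509TrustManager createX509TrustManager(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
            throw new SafeRuntimeException("Trust manager factory produced no X509TrustManager", new Arg[0]);
        } catch (GeneralSecurityException e) {
            throw new SafeRuntimeException("Failed to create trust manager", e, new Arg[0]);
        }
    }

    /**
     * Builds a socket factory that negotiates TLSv1.3 only and trusts exactly {@code trustManager}.
     * No client key material is configured.
     *
     * @param trustManager the trust manager to install
     * @return the socket factory
     * @throws SafeRuntimeException if the SSL context cannot be initialised
     */
    private static SSLSocketFactory createSslSocketFactory(TrustManager trustManager) {
        try {
            SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
            sslContext.init(new KeyManager[0], new TrustManager[] {trustManager}, null);
            return sslContext.getSocketFactory();
        } catch (GeneralSecurityException e) {
            throw new SafeRuntimeException("Failed to create SslSocketFactory", e, new Arg[0]);
        }
    }

    /**
     * Creates an empty temporary {@code .pem} file in the default temp directory. With no explicit
     * attributes the JDK creates it with owner-only permissions on POSIX systems.
     *
     * @return the path of the new file; the caller owns its deletion
     * @throws SafeRuntimeException if the file cannot be created
     */
    private static Path createEmptyPemFile() {
        try {
            return Files.createTempFile("emptyFile", ".pem", new FileAttribute[0]);
        } catch (IOException e) {
            throw new SafeRuntimeException("Failed to load empty certificates path", e, new Arg[0]);
        }
    }

    /** Best-effort deletion of a temporary file; failure is logged at debug level, never thrown. */
    private static void deleteQuietly(Path path) {
        try {
            Files.deleteIfExists(path);
        } catch (IOException e) {
            log.debug("Failed to delete temporary PEM file: {}", UnsafeArg.of("path", path), e);
        }
    }

    private TrustStores() {}
}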
