package org.elasticsearch.xpack.ssl;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import java.util.stream.Stream;
import javax.net.ssl.X509ExtendedTrustManager;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.common.inject.internal.Nullable;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.XPackSettings;

/* loaded from: input_file:org/elasticsearch/xpack/ssl/SSLBootstrapCheck.class */
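/**
 * Bootstrap check that refuses to start a node whose TLS setup still relies on the key and
 * CA certificate shipped with the distribution ({@link GeneratedKeyConfig}).
 * <p>
 * That key material is readable by anyone holding a copy of the distribution (see
 * {@link #isDefaultPrivateKeyUsed()}, which reads it from there), so a node that uses it,
 * or that trusts certificates issued by it, gets no real transport security: any peer
 * could present a forged certificate.
 * <p>
 * This listing was recovered from bytecode; the decompiler artifacts (raw
 * {@code Stream<R>}, an undefined {@code r1}, the {@code getClass()} null check) have been
 * replaced with the equivalent source-level constructs.
 */
public final class SSLBootstrapCheck implements BootstrapCheck {
    private final SSLService sslService;
    private final Settings settings;
    private final Environment environment;

    /**
     * @param sslService  provides the loaded SSL configurations that are inspected
     * @param settings    node settings; only the transport SSL prefix is read here
     * @param environment handed to the key/trust config loaders; may be {@code null}
     */
    public SSLBootstrapCheck(SSLService sslService, Settings settings, @Nullable Environment environment) {
        this.sslService = sslService;
        this.settings = settings;
        this.environment = environment;
    }

    /**
     * Returns {@code true} when the node fails the check (the situation described by
     * {@link #errorMessage()}), which is the case when any of the following holds:
     * <ul>
     *   <li>the transport SSL configuration has no key configured at all,</li>
     *   <li>any loaded configuration trusts a certificate issued by the default CA, or</li>
     *   <li>any loaded configuration uses the default private key.</li>
     * </ul>
     * The conditions are evaluated in that order and short-circuit, so the key and CA
     * resources are only read when needed.
     */
    @Override
    public boolean check() {
        final Settings transportSslSettings = settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
        final boolean transportHasNoKey =
            sslService.sslConfiguration(transportSslSettings).keyConfig() == KeyConfig.NONE;
        return transportHasNoKey || isDefaultCACertificateTrusted() || isDefaultPrivateKeyUsed();
    }

    /**
     * Checks whether any accepted issuer of any loaded key or trust manager carries a
     * signature made with the default CA's key.
     * <p>
     * A signature check is used deliberately instead of a subject/alias comparison: a
     * re-labelled or re-imported copy of the default CA is still detected, because what
     * matters is whether the (publicly known) default key can issue trusted certificates.
     *
     * @throws ElasticsearchException if the default CA certificate cannot be read
     */
    private boolean isDefaultCACertificateTrusted() {
        final PublicKey defaultCaKey;
        try {
            defaultCaKey = GeneratedKeyConfig.readCACert().getPublicKey();
        } catch (IOException | CertificateException e) {
            throw new ElasticsearchException("failed to check default CA", e);
        }
        return sslService.getLoadedSSLConfigurations().stream()
            // Both the key side and the trust side may contribute a trust manager; either may be null.
            .flatMap(config -> Stream.of(
                config.keyConfig().createTrustManager(environment),
                config.trustConfig().createTrustManager(environment)))
            .filter(Objects::nonNull)
            .flatMap(trustManager -> Arrays.stream(trustManager.getAcceptedIssuers()))
            .anyMatch(issuer -> isSignedBy(issuer, defaultCaKey));
    }

    /**
     * Returns {@code true} if {@code certificate}'s signature verifies under {@code key}.
     * Every verification failure (wrong key, unsupported algorithm/provider, bad signature,
     * malformed certificate) is treated as "not signed by this key", which is the safe
     * answer for this check: it only means the certificate is not the default CA.
     */
    private static boolean isSignedBy(X509Certificate certificate, PublicKey key) {
        try {
            certificate.verify(key);
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                | SignatureException | CertificateException e) {
            return false;
        }
    }

    /**
     * Checks whether any loaded key configuration contains the private key shipped with the
     * distribution. Matching relies on the key implementation's {@code equals()}; the
     * default key is not secret, so a non-constant-time comparison is not a concern here.
     *
     * @throws UncheckedIOException if the default private key cannot be read
     */
    private boolean isDefaultPrivateKeyUsed() {
        final PrivateKey defaultKey;
        try {
            defaultKey = GeneratedKeyConfig.readPrivateKey();
        } catch (IOException e) {
            throw new UncheckedIOException("failed to read key", e);
        }
        return sslService.getLoadedSSLConfigurations().stream()
            .flatMap(config -> config.keyConfig().privateKeys(environment).stream())
            .anyMatch(defaultKey::equals);
    }

    /** Message reported when {@link #check()} returns {@code true}. */
    @Override
    public String errorMessage() {
        return "Default SSL key and certificate do not provide security; please generate keys and certificates";
    }
}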
