package com.yahoo.vespa.config.server.tenant;

import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.model.api.EndpointCertificateSecretStore;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.stream.CustomCollectors;
import java.util.List;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.class */
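public class EndpointCertificateRetriever {
    private final List<EndpointCertificateSecretStore> secretStores;
    private static final Logger log = Logger.getLogger(EndpointCertificateRetriever.class.getName());

    /**
     * Creates a retriever that consults the given secret stores.
     *
     * The list is snapshotted with {@link List#copyOf}, so later changes to the caller's list are
     * not observed here; the list must not be null or contain null elements.
     *
     * @param list the secret stores to consult, one of which is expected to support each issuer
     */
    public EndpointCertificateRetriever(List<EndpointCertificateSecretStore> list) {
        this.secretStores = List.copyOf(list);
    }

    /**
     * Reads the endpoint certificate and private key described by the given metadata.
     *
     * The returned {@link Optional} is never empty: every failure (no store supporting the issuer,
     * more than one such store, a store throwing, or a key/certificate mismatch) is logged at
     * {@code WARNING} and mapped to {@link EndpointCertificateSecrets#missing}. Callers that need to
     * distinguish "retrieved" from "degraded to missing" must inspect {@code isMissing()} on the
     * returned value rather than the {@code Optional}.
     *
     * @param endpointCertificateMetadata identifies the issuer and version of the secrets to read
     * @return the secrets, or a "missing" placeholder carrying the requested version
     */
    public Optional<EndpointCertificateSecrets> readEndpointCertificateSecrets(EndpointCertificateMetadata endpointCertificateMetadata) {
        return Optional.of(readFromSecretStore(endpointCertificateMetadata));
    }

    /**
     * Resolves the store for the metadata's issuer, fetches the secrets and, when they are
     * present, checks that the private key actually belongs to the certificate.
     *
     * Any {@link RuntimeException} raised along the way is logged and converted into a "missing"
     * result for the requested version; nothing is propagated to the caller.
     */
    private EndpointCertificateSecrets readFromSecretStore(EndpointCertificateMetadata endpointCertificateMetadata) {
        try {
            EndpointCertificateSecrets secret = findSecretStore(endpointCertificateMetadata).getSecret(endpointCertificateMetadata);
            // A store may legitimately report the secrets as not (yet) available; there is nothing
            // to verify in that case.
            if (secret.isMissing()) {
                return secret;
            }
            // Refuse to hand out a certificate whose private key does not match it: a mismatched
            // pair would only surface later as a TLS handshake failure with no clear cause.
            verifyKeyMatchesCertificate(endpointCertificateMetadata, secret);
            return secret;
        } catch (RuntimeException e) {
            // Deliberately best-effort: the caller gets a "missing" result instead of an exception.
            log.log(Level.WARNING, "Exception thrown during certificate retrieval", e);
            return EndpointCertificateSecrets.missing(endpointCertificateMetadata.version());
        }
    }

    /**
     * Finds the single secret store that supports the metadata's issuer.
     *
     * @throws IllegalStateException if no store supports the issuer; the singleton collector is
     *         also expected to throw when more than one store does (ambiguous provider)
     */
    private EndpointCertificateSecretStore findSecretStore(EndpointCertificateMetadata endpointCertificateMetadata) {
        return secretStores.stream()
                .filter(store -> store.supports(endpointCertificateMetadata.issuer()))
                .collect(CustomCollectors.singleton())
                .orElseThrow(() -> new IllegalStateException(
                        "No provider of secrets for issuer " + endpointCertificateMetadata.issuer()));
    }

    /**
     * Verifies that the PEM-encoded private key in the secrets corresponds to the public key of the
     * PEM-encoded certificate in the same secrets.
     *
     * @throws IllegalArgumentException if the key and certificate do not form a matching pair
     */
    private void verifyKeyMatchesCertificate(EndpointCertificateMetadata endpointCertificateMetadata, EndpointCertificateSecrets endpointCertificateSecrets) {
        var privateKey = KeyUtils.fromPemEncodedPrivateKey(endpointCertificateSecrets.key());
        var certificatePublicKey = X509CertificateUtils.fromPem(endpointCertificateSecrets.certificate()).getPublicKey();
        if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, certificatePublicKey)) {
            // NOTE(review): the message embeds the metadata's toString(), which ends up in the
            // WARNING log above; confirm that representation never includes key or certificate material.
            throw new IllegalArgumentException("Failed to retrieve endpoint secrets: Certificate and key data do not match for " + endpointCertificateMetadata);
        }
    }
}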
