package com.yahoo.vespa.config.server.tenant;

import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.class */
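public class EndpointCertificateRetriever {
    private static final Logger log = Logger.getLogger(EndpointCertificateRetriever.class.getName());

    private final SecretStore secretStore;

    /**
     * Creates a retriever that reads certificate and private-key PEM data from the given store.
     *
     * @param secretStore store holding the PEM-encoded certificate and private key, looked up by name and version
     */
    public EndpointCertificateRetriever(SecretStore secretStore) {
        this.secretStore = secretStore;
    }

    /**
     * Reads the endpoint certificate and private key described by {@code endpointCertificateMetadata}.
     *
     * <p>The returned Optional is always present. If either secret cannot be read, either PEM cannot be
     * parsed, or the private key does not match the certificate's public key, the value is
     * {@link EndpointCertificateSecrets#MISSING} rather than an exception.
     *
     * @param endpointCertificateMetadata names and version of the certificate and key secrets to read
     * @return the matched certificate/key pair, or {@code MISSING} on any failure
     */
    public Optional<EndpointCertificateSecrets> readEndpointCertificateSecrets(EndpointCertificateMetadata endpointCertificateMetadata) {
        return Optional.of(readFromSecretStore(endpointCertificateMetadata));
    }

    /**
     * Fetches both secrets at the metadata's version, verifies they belong together, and wraps them.
     * Any runtime failure is mapped to {@code MISSING}; the cause is logged so it is not lost.
     */
    private EndpointCertificateSecrets readFromSecretStore(EndpointCertificateMetadata endpointCertificateMetadata) {
        try {
            String certificatePem = this.secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
            String privateKeyPem = this.secretStore.getSecret(endpointCertificateMetadata.keyName(), endpointCertificateMetadata.version());
            verifyKeyMatchesCertificate(endpointCertificateMetadata, certificatePem, privateKeyPem);
            return new EndpointCertificateSecrets(certificatePem, privateKeyPem);
        } catch (RuntimeException e) {
            // Deliberately best-effort: callers treat MISSING as "no certificate available". Previously the
            // exception was dropped, so a secret-store outage, malformed PEM or key/certificate mismatch
            // was indistinguishable from an absent secret. Record the cause at WARNING; the message carries
            // only metadata (secret names, version), never the PEM contents.
            log.log(Level.WARNING,
                    "Failed to retrieve endpoint certificate secrets for " + endpointCertificateMetadata + ", returning MISSING",
                    e);
            return EndpointCertificateSecrets.MISSING;
        }
    }

    /**
     * Rejects a certificate/key pair whose private key does not correspond to the certificate's public key.
     *
     * @param endpointCertificateMetadata metadata, included in the error message for context
     * @param certificatePem PEM-encoded X.509 certificate
     * @param privateKeyPem PEM-encoded private key
     * @throws IllegalArgumentException if the key does not match the certificate
     */
    private void verifyKeyMatchesCertificate(EndpointCertificateMetadata endpointCertificateMetadata, String certificatePem, String privateKeyPem) {
        var certificatePublicKey = X509CertificateUtils.fromPem(certificatePem).getPublicKey();
        var privateKey = KeyUtils.fromPemEncodedPrivateKey(privateKeyPem);
        if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, certificatePublicKey)) {
            throw new IllegalArgumentException("Failed to retrieve endpoint secrets: Certificate and key data do not match for " + endpointCertificateMetadata);
        }
    }
}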
