package dev.dsf.maven.dev;

import de.hsheilbronn.mi.utils.crypto.ca.CertificateAuthority;
import de.hsheilbronn.mi.utils.crypto.ca.CertificationRequest;
import de.hsheilbronn.mi.utils.crypto.io.PemReader;
import de.hsheilbronn.mi.utils.crypto.io.PemWriter;
import de.hsheilbronn.mi.utils.crypto.keypair.KeyPairValidator;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/maven/dev/CertificateGenerator.class */
public class CertificateGenerator {
    public static final String POSTFIX_PRIVATE_KEY = ".key";
    public static final String POSTFIX_CERTIFICATE = ".crt";
    private static final String SUBJECT_C = "DE";
    private static final String SUBJECT_O = "DSF";
    public static final String SUBJECT_CN_ROOT_CA = "DSF Dev Root CA";
    private final Path certDir;
    private final char[] privateKeyPassword;
    private final List<CertificationRequestConfig> certificationRequestConfigs = new ArrayList();
    private CertificateAuthority rootCa;
    private CertificateAuthority issuingCa;
    private Map<String, CertificateAndPrivateKey> certificatesByCommonName;
    private static final Logger logger = LoggerFactory.getLogger(CertificateGenerator.class);
    public static final String SUBJECT_CN_ISSUING_CA = "DSF Dev Issuing CA";
    private static final CertificationRequestConfig CERTIFICATION_REQUEST_ISSUING_CA = new CertificationRequestConfig((v0, v1) -> {
        return v0.signClientServerIssuingCaCertificate(v1);
    }, SUBJECT_CN_ISSUING_CA);

    /* loaded from: input_file:dev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey.class */
    public static final class CertificateAndPrivateKey extends Record {
        private final X509Certificate certificate;
        private final PrivateKey privateKey;

        public CertificateAndPrivateKey(X509Certificate x509Certificate, PrivateKey privateKey) {
            this.certificate = x509Certificate;
            this.privateKey = privateKey;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, CertificateAndPrivateKey.class), CertificateAndPrivateKey.class, "certificate;privateKey", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->certificate:Ljava/security/cert/X509Certificate;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->privateKey:Ljava/security/PrivateKey;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, CertificateAndPrivateKey.class), CertificateAndPrivateKey.class, "certificate;privateKey", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->certificate:Ljava/security/cert/X509Certificate;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->privateKey:Ljava/security/PrivateKey;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, CertificateAndPrivateKey.class, Object.class), CertificateAndPrivateKey.class, "certificate;privateKey", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->certificate:Ljava/security/cert/X509Certificate;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificateAndPrivateKey;->privateKey:Ljava/security/PrivateKey;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public X509Certificate certificate() {
            return this.certificate;
        }

        public PrivateKey privateKey() {
            return this.privateKey;
        }
    }

    /* loaded from: input_file:dev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig.class */
    public static final class CertificationRequestConfig extends Record {
        private final BiFunction<CertificateAuthority, CertificationRequest, X509Certificate> signer;
        private final String commonName;
        private final List<String> dnsNames;

        public CertificationRequestConfig(BiFunction<CertificateAuthority, CertificationRequest, X509Certificate> biFunction, String str, String... strArr) {
            this(biFunction, str, (List<String>) List.of((Object[]) strArr));
        }

        public CertificationRequestConfig(BiFunction<CertificateAuthority, CertificationRequest, X509Certificate> biFunction, String str) {
            this(biFunction, str, (List<String>) List.of());
        }

        public CertificationRequestConfig(BiFunction<CertificateAuthority, CertificationRequest, X509Certificate> biFunction, String str, List<String> list) {
            this.signer = biFunction;
            this.commonName = str;
            this.dnsNames = list;
        }

        public CertificateAndPrivateKey sign(CertificateAuthority certificateAuthority) {
            CertificationRequest build = CertificationRequest.builder(certificateAuthority, CertificateGenerator.SUBJECT_C, (String) null, (String) null, CertificateGenerator.SUBJECT_O, (String) null, this.commonName).generateKeyPair().setDnsNames(this.dnsNames).build();
            return new CertificateAndPrivateKey(this.signer.apply(certificateAuthority, build), build.getPrivateKey());
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, CertificationRequestConfig.class), CertificationRequestConfig.class, "signer;commonName;dnsNames", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->signer:Ljava/util/function/BiFunction;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->commonName:Ljava/lang/String;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->dnsNames:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, CertificationRequestConfig.class), CertificationRequestConfig.class, "signer;commonName;dnsNames", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->signer:Ljava/util/function/BiFunction;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->commonName:Ljava/lang/String;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->dnsNames:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, CertificationRequestConfig.class, Object.class), CertificationRequestConfig.class, "signer;commonName;dnsNames", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->signer:Ljava/util/function/BiFunction;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->commonName:Ljava/lang/String;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$CertificationRequestConfig;->dnsNames:Ljava/util/List;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public BiFunction<CertificateAuthority, CertificationRequest, X509Certificate> signer() {
            return this.signer;
        }

        public String commonName() {
            return this.commonName;
        }

        public List<String> dnsNames() {
            return this.dnsNames;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:dev/dsf/maven/dev/CertificateGenerator$ReadOrCreated.class */
    public static final class ReadOrCreated<T> extends Record {
        private final T element;
        private final boolean created;

        private ReadOrCreated(T t, boolean z) {
            this.element = t;
            this.created = z;
        }

        public static <T> ReadOrCreated<T> read(T t) {
            return new ReadOrCreated<>(t, false);
        }

        public static <T> ReadOrCreated<T> created(T t) {
            return new ReadOrCreated<>(t, true);
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ReadOrCreated.class), ReadOrCreated.class, "element;created", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->element:Ljava/lang/Object;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->created:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ReadOrCreated.class), ReadOrCreated.class, "element;created", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->element:Ljava/lang/Object;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->created:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ReadOrCreated.class, Object.class), ReadOrCreated.class, "element;created", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->element:Ljava/lang/Object;", "FIELD:Ldev/dsf/maven/dev/CertificateGenerator$ReadOrCreated;->created:Z").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public T element() {
            return this.element;
        }

        public boolean created() {
            return this.created;
        }
    }

    public CertificateGenerator(Path path, char[] cArr, List<CertificationRequestConfig> list) {
        Objects.requireNonNull(path, "certDir");
        Objects.requireNonNull(cArr, "privateKeyPassword");
        this.certDir = path;
        this.privateKeyPassword = cArr;
        if (list != null) {
            this.certificationRequestConfigs.addAll(list);
        }
    }

    public void initialize() {
        logger.info("Initializing certificate generator ...");
        ReadOrCreated<CertificateAuthority> initRootCa = initRootCa();
        this.rootCa = initRootCa.element();
        ReadOrCreated<CertificateAuthority> initIssuingCa = initIssuingCa(initRootCa);
        this.issuingCa = initIssuingCa.element();
        this.certificatesByCommonName = initCertificates(initIssuingCa);
    }

    public boolean isInitialized() {
        return (this.rootCa == null || this.issuingCa == null || this.certificatesByCommonName == null) ? false : true;
    }

    private void checkInitialized() {
        if (!isInitialized()) {
            throw new IllegalStateException("not initialized");
        }
    }

    public X509Certificate getRootCaCertificate() {
        checkInitialized();
        return this.rootCa.getCertificate();
    }

    public X509Certificate getIssuingCaCertificate() {
        checkInitialized();
        return this.issuingCa.getCertificate();
    }

    public Map<String, CertificateAndPrivateKey> getCertificatesAndPrivateKeysByCommonName() {
        checkInitialized();
        return Collections.unmodifiableMap(this.certificatesByCommonName);
    }

    public Optional<CertificateAndPrivateKey> getCertificateAndPrivateKey(String str) {
        checkInitialized();
        return Optional.ofNullable(this.certificatesByCommonName.get(str));
    }

    public Map<String, String> getCertificateThumbprintsByCommonNameAsHex() {
        checkInitialized();
        return (Map) this.certificatesByCommonName.entrySet().stream().collect(Collectors.toUnmodifiableMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return toHexThumbprint(((CertificateAndPrivateKey) entry.getValue()).certificate());
        }));
    }

    private String toHexThumbprint(X509Certificate x509Certificate) {
        try {
            return Hex.encodeHexString(MessageDigest.getInstance("SHA-512").digest(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            logger.error("Unable to calculating SHA-512 certificate thumbprint: {} - {}", e.getClass().getName(), e.getMessage());
            throw new RuntimeException(e);
        }
    }

    private Path toPath(String str, String str2) {
        return this.certDir.resolve(str.replaceAll(" ", "_") + str2);
    }

    private Optional<X509Certificate> readCertificate(String str) {
        Path path = toPath(str, POSTFIX_CERTIFICATE);
        if (!Files.isReadable(path)) {
            return Optional.empty();
        }
        try {
            return Optional.of(PemReader.readCertificate(path));
        } catch (IOException e) {
            logger.error("Unable to read certificate {}: {} - {}", new Object[]{path.toAbsolutePath().normalize(), e.getClass().getName(), e.getMessage()});
            throw new RuntimeException(e);
        }
    }

    private Optional<PrivateKey> readPrivateKey(String str) {
        Path path = toPath(str, POSTFIX_PRIVATE_KEY);
        if (!Files.isReadable(path)) {
            return Optional.empty();
        }
        try {
            return Optional.of(PemReader.readPrivateKey(path, this.privateKeyPassword));
        } catch (IOException e) {
            logger.error("Unable to read private-key {}: {} - {}", new Object[]{path.toAbsolutePath().normalize(), e.getClass().getName(), e.getMessage()});
            throw new RuntimeException(e);
        }
    }

    private Optional<CertificateAndPrivateKey> readCertificateAndPrivateKey(String str) {
        Optional<X509Certificate> readCertificate = readCertificate(str);
        if (readCertificate.isEmpty()) {
            logger.debug("Certificate for '{}' not found", str);
            return Optional.empty();
        }
        if (getCommonName(readCertificate.get()).filter(str2 -> {
            return str2.equals(str);
        }).isEmpty()) {
            logger.warn("Found certificate for '{}' subject common-name not matching", str);
            return Optional.empty();
        }
        Optional<PrivateKey> readPrivateKey = readPrivateKey(str);
        if (readPrivateKey.isEmpty()) {
            logger.debug("Private-Key for '{}' not found", str);
            return Optional.empty();
        }
        if (!KeyPairValidator.matches(readPrivateKey.get(), (PublicKey) readCertificate.map((v0) -> {
            return v0.getPublicKey();
        }).get())) {
            logger.warn("Found certificate and private-key for '{}' not matching", str);
            return Optional.empty();
        }
        try {
            readCertificate.get().checkValidity();
            logger.info("Using existing certificate and private-key for '{}'", str);
            return Optional.of(new CertificateAndPrivateKey(readCertificate.get(), readPrivateKey.get()));
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            logger.warn("Found certificate not valid: {}", e.getMessage());
            return Optional.empty();
        }
    }

    private Optional<String> getCommonName(X509Certificate x509Certificate) {
        try {
            return Arrays.stream(new JcaX509CertificateHolder(x509Certificate).getSubject().getRDNs(BCStyle.CN)).filter((v0) -> {
                return Objects.nonNull(v0);
            }).map((v0) -> {
                return v0.getFirst();
            }).map((v0) -> {
                return v0.getValue();
            }).map(IETFUtils::valueToString).findFirst();
        } catch (CertificateEncodingException e) {
            return Optional.empty();
        }
    }

    private void writeCertificate(String str, X509Certificate x509Certificate) {
        Path path = toPath(str, POSTFIX_CERTIFICATE);
        try {
            PemWriter.writeCertificate(x509Certificate, true, path);
        } catch (IOException e) {
            logger.error("Unable to write certificate {}: {} - {}", new Object[]{path.toAbsolutePath().normalize(), e.getClass().getName(), e.getMessage()});
            throw new RuntimeException(e);
        }
    }

    private void writePrivateKey(String str, PrivateKey privateKey) {
        Path path = toPath(str, POSTFIX_PRIVATE_KEY);
        try {
            PemWriter.writePrivateKey(privateKey).asPkcs8().encryptedAes128(this.privateKeyPassword).toFile(path);
        } catch (IOException e) {
            logger.error("Unable to write private-key {}: {} - {}", new Object[]{path.toAbsolutePath().normalize(), e.getClass().getName(), e.getMessage()});
            throw new RuntimeException(e);
        }
    }

    private void writeCertificateAndPrivateKey(String str, CertificateAndPrivateKey certificateAndPrivateKey) {
        writeCertificate(str, certificateAndPrivateKey.certificate());
        writePrivateKey(str, certificateAndPrivateKey.privateKey());
    }

    private ReadOrCreated<CertificateAuthority> initRootCa() {
        return readCa(SUBJECT_CN_ROOT_CA).orElseGet(() -> {
            return createRootCa();
        });
    }

    private Optional<ReadOrCreated<CertificateAuthority>> readCa(String str) {
        return readCertificateAndPrivateKey(str).map(certificateAndPrivateKey -> {
            return ReadOrCreated.read(CertificateAuthority.existingCa(certificateAndPrivateKey.certificate(), certificateAndPrivateKey.privateKey()));
        });
    }

    private ReadOrCreated<CertificateAuthority> createRootCa() {
        logger.info("Creating '{}'", SUBJECT_CN_ROOT_CA);
        CertificateAuthority build = CertificateAuthority.builderSha384EcdsaSecp384r1(SUBJECT_C, (String) null, (String) null, SUBJECT_O, (String) null, SUBJECT_CN_ROOT_CA).build();
        writeCertificateAndPrivateKey(SUBJECT_CN_ROOT_CA, new CertificateAndPrivateKey(build.getCertificate(), build.getKeyPair().getPrivate()));
        return ReadOrCreated.created(build);
    }

    private ReadOrCreated<CertificateAuthority> initIssuingCa(ReadOrCreated<CertificateAuthority> readOrCreated) {
        return readOrCreated.created() ? createIssuingCa(readOrCreated.element()) : readCa(SUBJECT_CN_ISSUING_CA).orElseGet(() -> {
            return createIssuingCa((CertificateAuthority) readOrCreated.element());
        });
    }

    private ReadOrCreated<CertificateAuthority> createIssuingCa(CertificateAuthority certificateAuthority) {
        logger.info("Creating private-key and signing certificate for '{}'", SUBJECT_CN_ISSUING_CA);
        CertificateAndPrivateKey sign = CERTIFICATION_REQUEST_ISSUING_CA.sign(certificateAuthority);
        CertificateAuthority existingCa = CertificateAuthority.existingCa(sign.certificate(), sign.privateKey());
        writeCertificateAndPrivateKey(SUBJECT_CN_ISSUING_CA, sign);
        return ReadOrCreated.created(existingCa);
    }

    private Map<String, CertificateAndPrivateKey> initCertificates(ReadOrCreated<CertificateAuthority> readOrCreated) {
        return (Map) this.certificationRequestConfigs.stream().collect(Collectors.toMap((v0) -> {
            return v0.commonName();
        }, certificationRequestConfig -> {
            return readOrCreated.created() ? createCertificate(certificationRequestConfig, readOrCreated) : readCertificateAndPrivateKey(certificationRequestConfig.commonName()).orElseGet(() -> {
                return createCertificate(certificationRequestConfig, readOrCreated);
            });
        }));
    }

    private CertificateAndPrivateKey createCertificate(CertificationRequestConfig certificationRequestConfig, ReadOrCreated<CertificateAuthority> readOrCreated) {
        logger.info("Creating private-key and signing certificate for '{}'", certificationRequestConfig.commonName());
        CertificateAndPrivateKey sign = certificationRequestConfig.sign(readOrCreated.element());
        writeCertificateAndPrivateKey(certificationRequestConfig.commonName, sign);
        return sign;
    }
}
