package dev.dsf.maven.ca;

import de.hsheilbronn.mi.utils.crypto.io.PemReader;
import de.hsheilbronn.mi.utils.crypto.io.PemWriter;
import dev.dsf.maven.exception.RuntimeIOException;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.maven.plugin.MojoExecutionException;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/maven/ca/DefaultCaFilesGenerator.class */
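/**
 * Generates the default CA PEM files of a project (client issuing CAs, client CA chains and
 * server root CAs) from the CA certificates found in a certificate folder.
 *
 * <p>The CA certificates are linked into parent/child chains purely by matching a certificate's
 * issuer DN against another certificate's subject DN; no signature verification takes place, so
 * the certificate folder must only contain trusted CA certificates. A certificate is treated as a
 * root when its issuer DN equals its subject DN.
 */
public class DefaultCaFilesGenerator {
    private static final Logger logger = LoggerFactory.getLogger(DefaultCaFilesGenerator.class);
    private static final String LOG_MESSAGE_SERVER_ROOT_C_AS = "server root CAs";
    private static final String LOG_MESSAGE_CLIENT_CA_CHAINS = "client CA chains";
    private static final String LOG_MESSAGE_CLIENT_ISSUING_C_AS = "client issuing CAs";
    /** Zone used for every validity timestamp in log and error messages. */
    private static final ZoneId GMT = ZoneId.of("GMT");
    /** One formatter for all validity timestamps, so not-before and not-after messages read alike. */
    private static final DateTimeFormatter VALIDITY_FORMAT = DateTimeFormatter.ISO_OFFSET_DATE_TIME;
    /** Only files with this (case sensitive) suffix are read from the certificate folder. */
    private static final String PEM_SUFFIX = ".pem";
    /** Ordering used wherever CA certificates are listed: by subject common name. */
    private static final Comparator<X509CertificateHolder> BY_COMMON_NAME =
            Comparator.comparing(X509CertificateHolder::getSubjectCommonName);

    private final Path projectBasedir;
    private final Path certFolder;
    private final List<String> clientOnlyCaCommonNames;

    /**
     * A CA certificate read from the certificate folder together with its position in the
     * issuer/subject hierarchy. A holder is only complete once {@link #setParent(Map)} has been
     * called for every holder of the same batch.
     */
    public static final class X509CertificateHolder {
        final X509Certificate certificate;
        /** Decides by subject common name whether a leaf (issuing) CA is used for client certificates only. */
        final Predicate<String> isClientOnly;
        final JcaX509CertificateHolder certificateHolder;
        final List<X509CertificateHolder> children = new ArrayList<>();
        X509CertificateHolder parent;

        X509CertificateHolder(X509Certificate x509Certificate, Predicate<String> predicate) {
            this.certificate = Objects.requireNonNull(x509Certificate, "x509Certificate");
            this.isClientOnly = Objects.requireNonNull(predicate, "predicate");
            try {
                this.certificateHolder = new JcaX509CertificateHolder(x509Certificate);
            } catch (CertificateEncodingException e) {
                // a certificate that was just parsed is expected to re-encode; treat failure as a programming error
                throw new RuntimeException(e);
            }
        }

        X509Certificate getCertificate() {
            return this.certificate;
        }

        /** A root is identified by issuer DN equal to subject DN (self-issued); the signature is not checked. */
        boolean isRoot() {
            X500Name issuer = this.certificateHolder.getIssuer();
            return issuer != null && issuer.equals(this.certificateHolder.getSubject());
        }

        /**
         * {@code getBasicConstraints()} returns -1 when the CA flag is absent or false, otherwise the
         * path length (>= 0). The keyCertSign key usage is not checked here.
         */
        boolean isCa() {
            return this.certificate.getBasicConstraints() >= 0;
        }

        /** An issuing CA is a CA that has no child CA in the read batch, i.e. a leaf of the hierarchy. */
        boolean isIssuingCa() {
            return this.children.isEmpty();
        }

        /**
         * A leaf CA is client-only when its common name is listed; a CA with children is client-only
         * when all of its children are.
         */
        boolean isClientOnly() {
            if (this.children.isEmpty()) {
                return this.isClientOnly.test(getSubjectCommonName());
            }
            return this.children.stream().allMatch(X509CertificateHolder::isClientOnly);
        }

        X500Name getSubject() {
            return this.certificateHolder.getSubject();
        }

        /**
         * @return the value of the subject's first CN attribute
         * @throws IllegalStateException if the subject carries no CN attribute
         */
        String getSubjectCommonName() {
            var commonNames = getSubject().getRDNs(BCStyle.CN);
            if (commonNames.length == 0) {
                throw new IllegalStateException("Certificate subject '" + getSubject() + "' has no common name (CN)");
            }
            return IETFUtils.valueToString(commonNames[0].getFirst().getValue());
        }

        X500Name getIssuer() {
            return this.certificateHolder.getIssuer();
        }

        /**
         * Links this holder to its issuer and registers it as the issuer's child. Roots are skipped.
         * A non-root whose issuer is not part of {@code map} stays parentless and is therefore never
         * part of a root's CA chain; this is logged as a warning.
         *
         * @param map all holders of the batch, keyed by subject DN
         */
        public void setParent(Map<X500Name, X509CertificateHolder> map) {
            if (isRoot()) {
                return;
            }
            this.parent = map.get(getIssuer());
            if (this.parent == null) {
                logger.warn("Issuer '{}' of CA certificate '{}' not found in certificate folder, certificate will not be part of any CA chain",
                        getIssuer(), getSubject());
                return;
            }
            this.parent.children.add(this);
        }

        List<X509CertificateHolder> getChildren() {
            return Collections.unmodifiableList(this.children);
        }

        ZonedDateTime getNotAfter() {
            return ZonedDateTime.ofInstant(this.certificate.getNotAfter().toInstant(), GMT);
        }

        ZonedDateTime getNotBefore() {
            return ZonedDateTime.ofInstant(this.certificate.getNotBefore().toInstant(), GMT);
        }
    }

    /**
     * @param path  project base directory, only used to shorten paths in log output
     * @param path2 folder holding the CA certificates as {@code .pem} files
     * @param list  subject common names of issuing CAs that are used for client certificates only
     * @throws MojoExecutionException if a parameter is missing or the certificate folder is not a readable directory
     */
    public DefaultCaFilesGenerator(Path path, Path path2, List<String> list) throws MojoExecutionException {
        if (path == null) {
            throw new MojoExecutionException("projectBasedir not defined");
        }
        if (path2 == null) {
            throw new MojoExecutionException("certFolder not defined");
        }
        if (!Files.isReadable(path2)) {
            throw new MojoExecutionException("certFolder '" + path2 + "' not readable");
        }
        if (!Files.isDirectory(path2)) {
            throw new MojoExecutionException("certFolder '" + path2 + "' is not a directory");
        }
        if (list == null || list.isEmpty()) {
            throw new MojoExecutionException("clientOnlyCaCommonNames not defined or empty");
        }
        this.projectBasedir = path;
        this.certFolder = path2;
        // defensive copy: later changes to the caller's list must not alter which CAs are client-only
        this.clientOnlyCaCommonNames = Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Writes the default CA files that do not exist yet. Every stream holds target paths; targets
     * that are already readable are logged and skipped. The certificate folder is only read when
     * at least one target is missing.
     *
     * @param stream  target paths of the client issuing CA files
     * @param stream2 target paths of the client CA chain files
     * @param stream3 target paths of the server root CA files
     * @throws IOException            if a certificate cannot be read or a target file cannot be written
     * @throws MojoExecutionException if a parameter is {@code null} or the certificate folder holds no {@code .pem} file
     */
    public void createFiles(Stream<Path> stream, Stream<Path> stream2, Stream<Path> stream3) throws IOException, MojoExecutionException {
        if (stream == null) {
            throw new MojoExecutionException("clientCertIssuingCaFiles not defined");
        }
        if (stream2 == null) {
            throw new MojoExecutionException("clientCertCaChainFiles not defined");
        }
        if (stream3 == null) {
            throw new MojoExecutionException("serverCertRootCaFiles not defined");
        }
        List<Path> missingIssuingCaFiles = stream.filter(ifNotExists(LOG_MESSAGE_CLIENT_ISSUING_C_AS)).toList();
        List<Path> missingCaChainFiles = stream2.filter(ifNotExists(LOG_MESSAGE_CLIENT_CA_CHAINS)).toList();
        List<Path> missingRootCaFiles = stream3.filter(ifNotExists(LOG_MESSAGE_SERVER_ROOT_C_AS)).toList();
        if (missingIssuingCaFiles.isEmpty() && missingCaChainFiles.isEmpty() && missingRootCaFiles.isEmpty()) {
            return;
        }
        try {
            List<X509CertificateHolder> certificates = readCertificates(this.certFolder, this.clientOnlyCaCommonNames);
            // an empty folder would otherwise silently produce empty trust files
            if (certificates.isEmpty()) {
                throw new MojoExecutionException("No CA certificate (" + PEM_SUFFIX + " file) found in certFolder '" + this.certFolder + "'");
            }
            missingIssuingCaFiles.forEach(writeClientIssuingCas(certificates, LOG_MESSAGE_CLIENT_ISSUING_C_AS));
            missingCaChainFiles.forEach(writeClientCaChains(certificates, LOG_MESSAGE_CLIENT_CA_CHAINS));
            missingRootCaFiles.forEach(writeServerRootCas(certificates, LOG_MESSAGE_SERVER_ROOT_C_AS));
        } catch (RuntimeIOException e) {
            // read and write helpers wrap IOException so they can be used inside forEach; unwrap to the declared type
            throw e.getCause();
        }
    }

    /** Keeps only target paths that are not readable yet; already existing targets are logged and skipped. */
    private Predicate<Path> ifNotExists(String str) {
        return path -> {
            // isReadable doubles as the existence test: an existing but unreadable target counts as missing
            if (Files.isReadable(path)) {
                logger.info("Default {} file exists at {}", str, this.projectBasedir.relativize(path));
                return false;
            }
            return true;
        };
    }

    /**
     * Reads every {@code .pem} file in {@code path} as a CA certificate and links the certificates
     * into issuer/subject chains.
     *
     * @param path directory holding the CA certificates
     * @param list subject common names of client-only issuing CAs
     * @return all read holders with parent/children links set
     * @throws IOException           if the directory cannot be listed
     * @throws RuntimeIOException    if a PEM file cannot be read (unwrapped by {@link #createFiles})
     * @throws IllegalStateException if two files carry the same subject DN, or a file is not a currently valid CA certificate
     */
    private List<X509CertificateHolder> readCertificates(Path path, List<String> list) throws IOException {
        List<X509CertificateHolder> holders = new ArrayList<>();
        try (DirectoryStream<Path> pemFiles = Files.newDirectoryStream(path, DefaultCaFilesGenerator::isPemFile)) {
            pemFiles.forEach(readCertificate(holders, list));
        }
        // subject DN -> holder; a duplicate subject would make the issuer lookup in setParent ambiguous
        Map<X500Name, X509CertificateHolder> bySubject = holders.stream().collect(Collectors.toMap(
                X509CertificateHolder::getSubject, Function.identity(), (first, second) -> {
                    throw new IllegalStateException("Duplicate CA subject '" + first.getSubject() + "' in certificate folder");
                }));
        holders.forEach(holder -> holder.setParent(bySubject));
        return holders;
    }

    /** Directory filter: file name ends with {@value #PEM_SUFFIX}. */
    private static boolean isPemFile(Path file) {
        return file.getFileName().toString().endsWith(PEM_SUFFIX);
    }

    /**
     * Returns a consumer that reads one PEM file into a holder, checks that it is a currently
     * valid CA certificate and adds it to {@code list}.
     *
     * @param list  receives the read holders
     * @param list2 subject common names of client-only issuing CAs
     */
    private Consumer<? super Path> readCertificate(List<X509CertificateHolder> list, List<String> list2) {
        Objects.requireNonNull(list2, "list2");
        return path -> {
            logger.info("Reading certificate from {}", this.projectBasedir.relativize(path));
            X509Certificate certificate;
            try {
                certificate = PemReader.readCertificate(path);
            } catch (IOException e) {
                throw new RuntimeIOException(e);
            }
            X509CertificateHolder holder = new X509CertificateHolder(certificate, list2::contains);
            checkCa(holder, path);
            checkValidity(holder, path);
            list.add(holder);
        };
    }

    /** @throws IllegalStateException if the certificate does not carry the basicConstraints CA flag */
    private static void checkCa(X509CertificateHolder holder, Path path) {
        if (!holder.isCa()) {
            throw new IllegalStateException("Certificate in " + path + " is not a CA certificate");
        }
    }

    /**
     * Rejects certificates that are not valid at the current time and warns about certificates
     * expiring within one year. All timestamps are reported in GMT.
     *
     * @throws IllegalStateException if the current time is outside the certificate's validity period
     */
    private static void checkValidity(X509CertificateHolder holder, Path path) {
        ZonedDateTime now = ZonedDateTime.now(GMT);
        String nowText = VALIDITY_FORMAT.format(now);
        if (now.isBefore(holder.getNotBefore())) {
            throw new IllegalStateException("Certificate in " + path + " is not valid before "
                    + VALIDITY_FORMAT.format(holder.getNotBefore()) + " current date/time " + nowText);
        }
        if (now.isAfter(holder.getNotAfter())) {
            throw new IllegalStateException("Certificate in " + path + " is not valid after "
                    + VALIDITY_FORMAT.format(holder.getNotAfter()) + " current date/time " + nowText);
        }
        if (now.plusYears(1L).isAfter(holder.getNotAfter())) {
            logger.warn("Certificate in {} is not valid after {}", path, VALIDITY_FORMAT.format(holder.getNotAfter()));
        }
    }

    /** Writes all issuing CAs (leaves of the hierarchy), sorted by common name, to the target path. */
    private Consumer<Path> writeClientIssuingCas(List<X509CertificateHolder> list, String str) {
        return path -> writeCas(
                list.stream()
                        .filter(X509CertificateHolder::isIssuingCa)
                        .sorted(BY_COMMON_NAME)
                        .map(X509CertificateHolder::getCertificate)
                        .toList(),
                path, str);
    }

    /** Writes every chain root-first: each root (sorted by common name) followed by its descendants. */
    private Consumer<Path> writeClientCaChains(List<X509CertificateHolder> list, String str) {
        return path -> writeCas(
                list.stream()
                        .filter(X509CertificateHolder::isRoot)
                        .sorted(BY_COMMON_NAME)
                        .flatMap(DefaultCaFilesGenerator::withDescendants)
                        .map(X509CertificateHolder::getCertificate)
                        .toList(),
                path, str);
    }

    /** Pre-order traversal: the holder itself, then each child's subtree, children sorted by common name. */
    private static Stream<X509CertificateHolder> withDescendants(X509CertificateHolder holder) {
        Stream<X509CertificateHolder> descendants = holder.getChildren().stream()
                .sorted(BY_COMMON_NAME)
                .flatMap(DefaultCaFilesGenerator::withDescendants);
        return Stream.concat(Stream.of(holder), descendants);
    }

    /** Writes the roots that are not client-only (trust anchors for server certificates), sorted by common name. */
    private Consumer<Path> writeServerRootCas(List<X509CertificateHolder> list, String str) {
        return path -> writeCas(
                list.stream()
                        .filter(X509CertificateHolder::isRoot)
                        .filter(Predicate.not(X509CertificateHolder::isClientOnly))
                        .sorted(BY_COMMON_NAME)
                        .map(X509CertificateHolder::getCertificate)
                        .toList(),
                path, str);
    }

    /**
     * Writes the certificates as PEM to {@code path}.
     *
     * @throws RuntimeIOException wrapping the {@link IOException}, so the method can be used inside {@code forEach}
     */
    private void writeCas(List<X509Certificate> list, Path path, String str) throws RuntimeIOException {
        logger.info("Writing default {} file to {}", str, this.projectBasedir.relativize(path));
        try {
            PemWriter.writeCertificates(list, path);
        } catch (IOException e) {
            throw new RuntimeIOException(e);
        }
    }
}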
