package io.buildlogic.truststore.maven.plugin.mojo;

import io.buildlogic.truststore.maven.plugin.bc.BouncyCastleKeyStore;
import io.buildlogic.truststore.maven.plugin.certificate.CertificateDownloader;
import io.buildlogic.truststore.maven.plugin.certificate.CertificateFilter;
import io.buildlogic.truststore.maven.plugin.certificate.CertificateReader;
import io.buildlogic.truststore.maven.plugin.certificate.RetryingCertificateDownloader;
import io.buildlogic.truststore.maven.plugin.certificate.SimpleCertificateDownloader;
import io.buildlogic.truststore.maven.plugin.dns.DnsResolver;
import io.buildlogic.truststore.maven.plugin.dns.DnsResolverFactory;
import io.buildlogic.truststore.maven.plugin.file.FileChecker;
import io.buildlogic.truststore.maven.plugin.keystore.KeyStoreReader;
import io.buildlogic.truststore.maven.plugin.truststore.TruststoreFormat;
import io.buildlogic.truststore.maven.plugin.truststore.TruststoreWriter;
import java.net.InetAddress;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.logging.Log;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;

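/**
 * Maven goal {@code generate-truststore}: collects X.509 certificates from certificate files,
 * existing truststores, live TLS servers and (optionally) the JRE default truststore, then writes
 * them all into a single truststore file.
 *
 * <p>Every certificate gathered here is handed to {@link TruststoreWriter#write}, so each input
 * source (files, truststores, servers) directly decides what the generated truststore contains.
 * Certificates fetched from servers are taken from whatever endpoint answered at build time;
 * NOTE(review): how the downloader validates them is not visible in this class, so confirm that
 * against {@code CertificateDownloader} before relying on server-sourced entries.
 */
@Mojo(name = "generate-truststore", defaultPhase = LifecyclePhase.PRE_INTEGRATION_TEST)
public class TruststoreMojo extends ConfigurationMojo {
    /** Password used to open the JRE's own truststore files; this is the stock JDK default. */
    private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit";

    /** Lowest and highest TCP port accepted in a {@code host:port} server entry. */
    private static final int MIN_PORT = 1;
    private static final int MAX_PORT = 65535;

    /** Certificates accumulated from all sources, in load order, before being written out. */
    private final List<X509Certificate> certs = new ArrayList<>();

    /**
     * Runs the goal: validates the configuration, loads certificates from every configured
     * source and writes the resulting truststore. Does nothing when {@code skip} is set.
     *
     * @throws MojoExecutionException if the default truststore is requested but not readable
     */
    public void execute() throws MojoExecutionException {
        if (this.skip) {
            getLog().info("Requested to skip Truststore Maven Plugin execution");
            return;
        }
        validateConfig();
        loadFileSystemCerts();
        loadFileSystemTruststores();
        loadTlsCerts();
        loadDefaultTruststore();
        createTruststore();
    }

    /** Runs all configuration checks before any file or network access happens. */
    private void validateConfig() {
        validateDownloadTimeout();
        validateScryptConfig();
        validateProviderDependency();
    }

    /**
     * Rejects a negative download timeout.
     *
     * @throws IllegalArgumentException if {@code downloadTimeout} is below zero
     */
    private void validateDownloadTimeout() {
        if (this.downloadTimeout < 0) {
            throw new IllegalArgumentException("downloadTimeout can not be negative");
        }
    }

    /** Delegates validation to the scrypt configuration when one was supplied. */
    private void validateScryptConfig() {
        if (this.scryptConfig != null) {
            this.scryptConfig.validate();
        }
    }

    /**
     * Touches the Bouncy Castle provider when the chosen format is one of BKS, BCFKS or UBER.
     * The returned provider is discarded; presumably the call fails early when the provider is
     * not on the plugin classpath (confirm against {@code BouncyCastleKeyStore}).
     */
    private void validateProviderDependency() {
        // Constant-first equals keeps a null truststoreFormat a plain "no match".
        boolean needsBouncyCastle = TruststoreFormat.BKS.equals(this.truststoreFormat)
                || TruststoreFormat.BCFKS.equals(this.truststoreFormat)
                || TruststoreFormat.UBER.equals(this.truststoreFormat);
        if (needsBouncyCastle) {
            BouncyCastleKeyStore.getProvider();
        }
    }

    /** Reads every configured certificate file and adds its certificates to the collection. */
    private void loadFileSystemCerts() {
        for (String certificateFile : this.certificates) {
            getLog().info("Loading certificates from file: " + certificateFile);
            this.certs.addAll(CertificateReader.read(certificateFile));
        }
    }

    /** Reads every configured truststore and adds its certificates to the collection. */
    private void loadFileSystemTruststores() {
        for (Truststore truststore : getTruststores()) {
            String file = truststore.getFile();
            String password = truststore.getPassword();
            // Only the path is logged; the password must never reach the build log.
            getLog().info("Loading certificates from truststore: " + file);
            readCertificates(file, password);
        }
    }

    /**
     * Downloads the TLS certificates presented by each configured {@code host:port} server,
     * filters them and adds the result to the collection.
     *
     * @throws IllegalArgumentException if a server entry is not a valid {@code host:port} pair
     */
    private void loadTlsCerts() {
        if (this.trustAllCertificates) {
            // The flag is only forwarded to the downloader here; its exact effect lives there.
            getLog().warn("trustAllCertificates is enabled; verify the downloaded certificates"
                    + " out of band before relying on the generated truststore");
        }
        DnsResolver resolver = DnsResolverFactory.getInstance(this.dnsResolution, getDnsMappings());
        CertificateDownloader downloader = getCertDownloader();
        CertificateFilter filter = new CertificateFilter(this.includeCertificates);
        for (String server : this.servers) {
            int separator = server.indexOf(":");
            // A missing colon, empty host or empty port used to surface as an index/number
            // format error with no hint about which entry was wrong.
            if (separator <= 0 || separator == server.length() - 1) {
                throw new IllegalArgumentException(
                        "Invalid server '" + server + "', expected host:port");
            }
            String host = server.substring(0, separator);
            int port = parsePort(server, server.substring(separator + 1));

            List<X509Certificate> downloaded = null;
            // NOTE(review): each resolved address overwrites the previous result, so only the
            // chain from the last address is kept. Confirm this is intended.
            for (InetAddress address : resolver.resolve(host)) {
                downloaded = downloader.getTlsServerCertificates(address, port);
            }
            if (downloaded == null) {
                // How the filter treats null is not visible here, so never hand it one.
                getLog().warn("No certificates downloaded from server: " + server);
                continue;
            }
            this.certs.addAll(filter.filter(downloaded));
        }
    }

    /**
     * Parses the port part of a server entry.
     *
     * @param server the full {@code host:port} entry, used only for the error message
     * @param portText the text after the colon
     * @return the port number, between {@link #MIN_PORT} and {@link #MAX_PORT}
     * @throws IllegalArgumentException if the text is not a number or is out of range
     */
    private static int parsePort(String server, String portText) {
        int port;
        try {
            port = Integer.parseInt(portText);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Invalid port in server '" + server + "'", e);
        }
        if (port < MIN_PORT || port > MAX_PORT) {
            throw new IllegalArgumentException(
                    "Port out of range in server '" + server + "': " + port);
        }
        return port;
    }

    /**
     * Adds the certificates of the JRE default truststore when {@code includeDefaultTruststore}
     * is set. {@code jssecacerts} under {@code java.home} takes precedence over {@code cacerts}.
     *
     * @throws MojoExecutionException if neither file is readable
     */
    private void loadDefaultTruststore() throws MojoExecutionException {
        if (!this.includeDefaultTruststore) {
            return;
        }
        String javaHome = System.getProperty("java.home");
        String jssecacerts = String.format("%s/lib/security/jssecacerts", javaHome);
        String cacerts = String.format("%s/lib/security/cacerts", javaHome);

        String defaultTruststore;
        if (FileChecker.isReadableFile(jssecacerts)) {
            defaultTruststore = jssecacerts;
        } else if (FileChecker.isReadableFile(cacerts)) {
            defaultTruststore = cacerts;
        } else {
            throw new MojoExecutionException("Default truststore not found");
        }
        getLog().info("Loading certificates from default truststore: " + defaultTruststore);
        readCertificates(defaultTruststore, DEFAULT_TRUSTSTORE_PASSWORD);
    }

    /**
     * Reads all certificates from a keystore file and adds them to the collection.
     *
     * @param path location of the keystore file
     * @param password password used to open the keystore
     */
    private void readCertificates(String path, String password) {
        this.certs.addAll(KeyStoreReader.readCertificates(path, password));
    }

    /**
     * Writes the collected certificates to the configured truststore file. A custom scrypt
     * configuration is applied only for the BCFKS format.
     */
    private void createTruststore() {
        TruststoreWriter writer = new TruststoreWriter(
                getLog(), this.truststoreFormat, this.truststoreFile, this.truststorePassword);
        CustomScryptConfig scryptConfig = getScryptConfig();
        if (scryptConfig != null && TruststoreFormat.BCFKS.equals(this.truststoreFormat)) {
            writer.setScryptConfig(scryptConfig);
        }
        writer.write(this.certs);
    }

    /**
     * Builds the certificate downloader, choosing the retrying variant when
     * {@code retryDownloadOnFailure} is set. Both variants receive the same
     * {@code trustAllCertificates} flag and download timeout.
     */
    private CertificateDownloader getCertDownloader() {
        Log log = getLog();
        if (this.retryDownloadOnFailure) {
            return new RetryingCertificateDownloader(
                    log, this.trustAllCertificates, this.downloadTimeout);
        }
        return new SimpleCertificateDownloader(
                log, this.trustAllCertificates, this.downloadTimeout);
    }
}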
