package com.dsingley.testpki;

import java.io.File;
import java.io.FileOutputStream;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509TrustManager;
import lombok.Generated;
import lombok.NonNull;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/dsingley/testpki/TestPKI.class */
public class TestPKI {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(TestPKI.class);

    @Generated
    private final Object $lock = new Object[0];
    private static final String ORGANIZATIONAL_UNIT = "TestPKI";
    private static final String TRUSTSTORE_PASSWORD = "changeit";
    private final KeyType keyType;
    private final File baseDirectory;
    private final AtomicLong serialNumber;
    private final Map<String, HeldCertificate> caCertificates;
    private final HeldCertificate rootCertificate;
    private final HeldCertificate intermediateCertificate;
    private final Map<String, TestPKICertificate> issuedCertificates;
    private File truststoreFile;
    private File caPemFile;

    public static void main(String[] strArr) {
        CommandLineOptions parse = CommandLineOptions.parse(strArr);
        TestPKI testPKI = new TestPKI(parse.getKeyType(), parse.getBaseDirectory());
        File orCreateTruststoreFile = testPKI.getOrCreateTruststoreFile();
        File orCreateCaPemFile = testPKI.getOrCreateCaPemFile();
        TestPKICertificate orCreateServerCertificate = testPKI.getOrCreateServerCertificate();
        File orCreateKeystoreFile = orCreateServerCertificate.getOrCreateKeystoreFile();
        File orCreateCertPemFile = orCreateServerCertificate.getOrCreateCertPemFile();
        File orCreateKeyPemFile = orCreateServerCertificate.getOrCreateKeyPemFile();
        TestPKICertificate orCreateClientCertificate = testPKI.getOrCreateClientCertificate();
        File orCreateKeystoreFile2 = orCreateClientCertificate.getOrCreateKeystoreFile();
        File orCreateCertPemFile2 = orCreateClientCertificate.getOrCreateCertPemFile();
        File orCreateKeyPemFile2 = orCreateClientCertificate.getOrCreateKeyPemFile();
        if (parse.isExport()) {
            String variableNamePrefix = parse.getVariableNamePrefix();
            if (variableNamePrefix == null) {
                variableNamePrefix = "";
            } else if (!variableNamePrefix.isEmpty() && !variableNamePrefix.endsWith("_")) {
                variableNamePrefix = variableNamePrefix.toUpperCase() + "_";
            }
            System.out.printf("export %sTRUSTSTORE_PATH=%s%n", variableNamePrefix, orCreateTruststoreFile.getAbsolutePath());
            System.out.printf("export %sTRUSTSTORE_PASSWORD='%s'%n", variableNamePrefix, testPKI.getTruststorePassword());
            System.out.printf("export %sCA_PATH=%s%n", variableNamePrefix, orCreateCaPemFile.getAbsolutePath());
            System.out.printf("export %sSERVER_KEYSTORE_PATH=%s%n", variableNamePrefix, orCreateKeystoreFile.getAbsolutePath());
            System.out.printf("export %sSERVER_KEYSTORE_PASSWORD='%s'%n", variableNamePrefix, orCreateServerCertificate.getKeystorePassword());
            System.out.printf("export %sSERVER_CERT_PATH=%s%n", variableNamePrefix, orCreateCertPemFile.getAbsolutePath());
            System.out.printf("export %sSERVER_KEY_PATH=%s%n", variableNamePrefix, orCreateKeyPemFile.getAbsolutePath());
            System.out.printf("export %sCLIENT_KEYSTORE_PATH=%s%n", variableNamePrefix, orCreateKeystoreFile2.getAbsolutePath());
            System.out.printf("export %sCLIENT_KEYSTORE_PASSWORD='%s'%n", variableNamePrefix, orCreateClientCertificate.getKeystorePassword());
            System.out.printf("export %sCLIENT_CERT_PATH=%s%n", variableNamePrefix, orCreateCertPemFile2.getAbsolutePath());
            System.out.printf("export %sCLIENT_KEY_PATH=%s%n", variableNamePrefix, orCreateKeyPemFile2.getAbsolutePath());
        }
    }

    public TestPKI(@NonNull KeyType keyType, File file) {
        if (keyType == null) {
            throw new NullPointerException("keyType is marked non-null but is null");
        }
        this.keyType = keyType;
        if (file != null && !Files.isDirectory(file.toPath(), new LinkOption[0])) {
            throw new IllegalArgumentException("baseDirectory, if specified, must be an existing directory: " + file);
        }
        this.baseDirectory = file;
        this.serialNumber = new AtomicLong(1L);
        this.caCertificates = new LinkedHashMap();
        this.rootCertificate = newCertificate(new HeldCertificate.Builder().commonName("Root CA").organizationalUnit(ORGANIZATIONAL_UNIT).serialNumber(this.serialNumber.getAndIncrement()).certificateAuthority(1));
        this.caCertificates.put("root", this.rootCertificate);
        this.intermediateCertificate = newCertificate(new HeldCertificate.Builder().commonName("Intermediate CA").organizationalUnit(ORGANIZATIONAL_UNIT).serialNumber(this.serialNumber.getAndIncrement()).certificateAuthority(0).signedBy(this.rootCertificate));
        this.caCertificates.put("intermediate", this.intermediateCertificate);
        this.issuedCertificates = new ConcurrentHashMap();
    }

    public File getOrCreateTruststoreFile() {
        synchronized (this.$lock) {
            if (this.truststoreFile != null) {
                return this.truststoreFile;
            }
            this.truststoreFile = createKeystoreFile("truststore", TRUSTSTORE_PASSWORD, null);
            return this.truststoreFile;
        }
    }

    public String getTruststorePassword() {
        return TRUSTSTORE_PASSWORD;
    }

    public File getOrCreateCaPemFile() {
        synchronized (this.$lock) {
            if (this.caPemFile != null) {
                return this.caPemFile;
            }
            this.caPemFile = createPemFile("ca", ".pem", this.caCertificates.values(), heldCertificate -> {
                return heldCertificate.certificatePem().getBytes();
            });
            return this.caPemFile;
        }
    }

    public TestPKICertificate getOrCreateServerCertificate() {
        TreeSet treeSet = new TreeSet();
        treeSet.add("localhost");
        treeSet.add(InetAddress.getLocalHost().getHostName());
        treeSet.add(InetAddress.getLocalHost().getCanonicalHostName());
        return getOrCreateServerCertificate("server", treeSet);
    }

    public TestPKICertificate getOrCreateServerCertificate(@NonNull String str) {
        if (str == null) {
            throw new NullPointerException("commonName is marked non-null but is null");
        }
        return getOrCreateServerCertificate(str, Collections.emptySet());
    }

    public TestPKICertificate getOrCreateServerCertificate(@NonNull String str, @NonNull Set<String> set) {
        if (str == null) {
            throw new NullPointerException("commonName is marked non-null but is null");
        }
        if (set == null) {
            throw new NullPointerException("subjectAlternativeNames is marked non-null but is null");
        }
        return this.issuedCertificates.computeIfAbsent(str, str2 -> {
            return new TestPKICertificate(this, str, newCertificate(str2, set));
        });
    }

    public TestPKICertificate getOrCreateClientCertificate() {
        return getOrCreateClientCertificate("client");
    }

    public TestPKICertificate getOrCreateClientCertificate(@NonNull String str) {
        if (str == null) {
            throw new NullPointerException("commonName is marked non-null but is null");
        }
        return this.issuedCertificates.computeIfAbsent(str, str2 -> {
            return new TestPKICertificate(this, str, newCertificate(str2, Collections.emptySet()));
        });
    }

    public TestPKICertificate getCertificateBySerialNumber(long j) {
        if (j <= 0) {
            return null;
        }
        for (HeldCertificate heldCertificate : this.caCertificates.values()) {
            if (heldCertificate.certificate().getSerialNumber().longValueExact() == j) {
                return new TestPKICertificate(this, getCn(heldCertificate.certificate()), heldCertificate);
            }
        }
        for (TestPKICertificate testPKICertificate : this.issuedCertificates.values()) {
            if (testPKICertificate.getSerialNumber() == j) {
                return testPKICertificate;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SSLSocketFactory getSSLSocketFactory(HeldCertificate heldCertificate) {
        return new HandshakeCertificates.Builder().addTrustedCertificate(this.rootCertificate.certificate()).heldCertificate(heldCertificate, new X509Certificate[]{this.intermediateCertificate.certificate()}).build().sslSocketFactory();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public X509TrustManager getTrustManager(HeldCertificate heldCertificate) {
        return new HandshakeCertificates.Builder().addTrustedCertificate(this.rootCertificate.certificate()).heldCertificate(heldCertificate, new X509Certificate[]{this.intermediateCertificate.certificate()}).build().trustManager();
    }

    private HeldCertificate newCertificate(HeldCertificate.Builder builder) {
        switch (this.keyType) {
            case ECDSA_256:
                builder.ecdsa256();
                break;
            case RSA_2048:
                builder.rsa2048();
                break;
            default:
                throw new RuntimeException("unexpected KeyType: " + this.keyType.name());
        }
        HeldCertificate build = builder.build();
        log.info("issued certificate {}: {}", build.certificate().getSerialNumber(), build.certificate().getSubjectX500Principal());
        return build;
    }

    private HeldCertificate newCertificate(String str, Set<String> set) {
        HeldCertificate.Builder signedBy = new HeldCertificate.Builder().commonName(str).organizationalUnit(ORGANIZATIONAL_UNIT).serialNumber(this.serialNumber.getAndIncrement()).signedBy(this.intermediateCertificate);
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            signedBy.addSubjectAlternativeName(it.next());
        }
        return newCertificate(signedBy);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public File createKeystoreFile(String str, String str2, HeldCertificate heldCertificate) {
        File newFile = newFile(str, ".pkcs12");
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, str2.toCharArray());
        if (heldCertificate != null) {
            keyStore.setKeyEntry(getCn(heldCertificate.certificate()), heldCertificate.keyPair().getPrivate(), str2.toCharArray(), new Certificate[]{heldCertificate.certificate()});
        }
        for (Map.Entry<String, HeldCertificate> entry : this.caCertificates.entrySet()) {
            keyStore.setCertificateEntry(entry.getKey(), entry.getValue().certificate());
        }
        FileOutputStream fileOutputStream = new FileOutputStream(newFile.getAbsolutePath());
        Throwable th = null;
        try {
            try {
                keyStore.store(fileOutputStream, str2.toCharArray());
                if (fileOutputStream != null) {
                    if (0 != 0) {
                        try {
                            fileOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileOutputStream.close();
                    }
                }
                log.debug("wrote keystore: {}", newFile.getAbsolutePath());
                return newFile;
            } finally {
            }
        } finally {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public File createPemFile(String str, String str2, Collection<HeldCertificate> collection, Function<HeldCertificate, byte[]> function) {
        File newFile = newFile(str, str2);
        FileOutputStream fileOutputStream = new FileOutputStream(newFile.getAbsolutePath());
        Throwable th = null;
        try {
            try {
                boolean z = true;
                for (HeldCertificate heldCertificate : collection) {
                    if (z) {
                        z = false;
                    } else {
                        fileOutputStream.write("\n".getBytes());
                    }
                    fileOutputStream.write(String.format("# %s%n", heldCertificate.certificate().getSubjectX500Principal().getName()).getBytes());
                    fileOutputStream.write(function.apply(heldCertificate));
                }
                if (fileOutputStream != null) {
                    if (0 != 0) {
                        try {
                            fileOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileOutputStream.close();
                    }
                }
                log.debug("wrote PEM file: {}", newFile.getAbsolutePath());
                return newFile;
            } finally {
            }
        } finally {
        }
    }

    private File newFile(String str, String str2) {
        File createTempFile;
        if (this.baseDirectory != null) {
            createTempFile = new File(this.baseDirectory, str + str2);
        } else {
            createTempFile = File.createTempFile(str + "-", str2);
            createTempFile.deleteOnExit();
        }
        return createTempFile;
    }

    private static String getCn(X509Certificate x509Certificate) {
        return ((Rdn) new LdapName(x509Certificate.getSubjectX500Principal().getName()).getRdns().stream().filter(rdn -> {
            return rdn.getType().equalsIgnoreCase("CN");
        }).findFirst().orElseThrow(() -> {
            return new RuntimeException("no CN found");
        })).getValue().toString();
    }
}
