package io.netty.pkitesting;

import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.atomic.AtomicInteger;

/* loaded from: input_file:io/netty/pkitesting/RevocationServer.class */
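/**
 * Process-wide HTTP endpoint that serves certificate revocation lists (CRLs) for
 * issuers registered through {@link #register(X509Bundle)}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The listening socket is bound to {@link InetAddress#getLoopbackAddress()} on an
 *       ephemeral port (port {@code 0}), so the endpoint is not bound to any non-loopback
 *       interface.</li>
 *   <li>CRLs are served over plain HTTP with no authentication. The transport adds no
 *       integrity; a client has to rely on the signature carried by the CRL itself.</li>
 *   <li>CRL paths are generated from an internal counter ({@code /crl/N.crl}). The request
 *       path is used only as a lookup key into {@link #paths}, never as a file-system
 *       path.</li>
 *   <li>Every GET re-encodes and re-signs the CRL, so a revocation recorded through
 *       {@link #revoke(X509Bundle, Instant)} is visible on the next fetch.</li>
 * </ul>
 *
 * <p>NOTE(review): the advertised base address uses the host name {@code localhost} while
 * the socket is bound to the JVM's loopback address. If the two resolve to different
 * address families on a host, fetches could fail, and a client configured to soft-fail
 * would then skip the revocation check. Confirm on dual-stack hosts.
 *
 * <p>The singleton is never stopped and registered issuers are never removed; both maps
 * live as long as the JVM.
 */
public final class RevocationServer {
    private static volatile RevocationServer instance;

    private final HttpServer crlServer;
    private final String crlBaseAddress;
    private final AtomicInteger issuerCounter = new AtomicInteger();
    // Issuer certificate -> CRL state; the source of truth for register/revoke/getCrlUri.
    private final ConcurrentMap<X509Certificate, CrlInfo> issuers = new ConcurrentHashMap<>();
    // Request path ("/crl/N.crl") -> CRL state; consulted by the HTTP handler.
    private final ConcurrentMap<String, CrlInfo> paths = new ConcurrentHashMap<>();

    /**
     * Per-issuer CRL state: the issuing bundle, the URI under which its CRL is served, and
     * the revoked serial numbers mapped to the {@link Instant} passed to
     * {@link RevocationServer#revoke(X509Bundle, Instant)}.
     */
    // The decompiler reported that it widened this class's access modifier from private.
    public static final class CrlInfo {
        private final X509Bundle issuer;
        private final URI uri;
        private final Map<BigInteger, Instant> revokedCerts = new ConcurrentHashMap<>();

        CrlInfo(X509Bundle x509Bundle, URI uri) {
            this.issuer = x509Bundle;
            this.uri = uri;
        }
    }

    /**
     * Returns the shared server, creating and starting it on first use.
     *
     * <p>Uses double-checked locking on the {@code volatile} {@link #instance} field, so at
     * most one server is created and the lock is skipped once it has been published.
     *
     * @return the singleton server
     * @throws Exception if the underlying {@link HttpServer} cannot be created
     */
    public static RevocationServer getInstance() throws Exception {
        RevocationServer server = instance;
        if (server == null) {
            synchronized (RevocationServer.class) {
                server = instance;
                if (server == null) {
                    server = new RevocationServer();
                    server.start();
                    // Publish only after start() has been called.
                    instance = server;
                }
            }
        }
        return server;
    }

    /**
     * Creates the loopback-only HTTP server and installs the single request handler.
     *
     * <p>The handler answers GET requests for a registered path with a freshly generated
     * CRL ({@code application/pkix-crl}), unknown paths with 404 and every other method
     * with 405.
     */
    private RevocationServer() throws Exception {
        // Port 0 selects an ephemeral port; backlog 0 requests the system default.
        this.crlServer = HttpServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        this.crlBaseAddress = "http://localhost:" + this.crlServer.getAddress().getPort();
        this.crlServer.createContext("/", exchange -> {
            // The finally block closes the exchange on every path, including the case where
            // generateCrl throws, instead of relying on the server to clean up.
            try {
                if (!"GET".equals(exchange.getRequestMethod())) {
                    exchange.getResponseHeaders().put("Allow", Collections.singletonList("GET"));
                    // -1 means "no response body"; 0 would select chunked encoding.
                    exchange.sendResponseHeaders(405, -1L);
                    return;
                }
                CrlInfo info = this.paths.get(exchange.getRequestURI().getPath());
                if (info == null) {
                    exchange.sendResponseHeaders(404, -1L);
                    return;
                }
                byte[] crl = generateCrl(info);
                exchange.getResponseHeaders().put("Content-Type", Collections.singletonList("application/pkix-crl"));
                exchange.sendResponseHeaders(200, crl.length);
                try (OutputStream body = exchange.getResponseBody()) {
                    body.write(crl);
                    body.flush();
                }
            } finally {
                exchange.close();
            }
        });
    }

    /**
     * Starts the HTTP server, directly when the calling thread is a daemon thread and via
     * the common {@link ForkJoinPool} otherwise.
     */
    private void start() {
        // NOTE(review): presumably the indirection makes the server's own threads inherit
        // daemon status so that the server does not keep the JVM alive. Confirm.
        if (Thread.currentThread().isDaemon()) {
            this.crlServer.start();
        } else {
            ForkJoinPool.commonPool().execute(this.crlServer::start);
        }
    }

    /**
     * Registers an issuer so that a CRL is served for it. Registering the same issuer
     * certificate again is a no-op and keeps the existing path.
     *
     * @param x509Bundle the issuer whose certificate identifies the CRL and which is later
     *     handed to CRL generation
     */
    public void register(X509Bundle x509Bundle) {
        Objects.requireNonNull(x509Bundle, "x509Bundle");
        this.issuers.computeIfAbsent(x509Bundle.getCertificate(), issuerCert -> {
            // The path comes from a counter, never from caller-supplied text.
            String path = "/crl/" + this.issuerCounter.incrementAndGet() + ".crl";
            CrlInfo info = new CrlInfo(x509Bundle, URI.create(this.crlBaseAddress + path));
            this.paths.put(path, info);
            return info;
        });
    }

    /**
     * Records a certificate as revoked on the CRL of its issuer.
     *
     * @param x509Bundle the certificate to revoke; its issuer must have been registered
     * @param instant the time stored alongside the serial number in the CRL state
     * @throws IllegalArgumentException if the issuer of {@code x509Bundle} is not registered
     */
    public void revoke(X509Bundle x509Bundle, Instant instant) {
        Objects.requireNonNull(x509Bundle, "x509Bundle");
        X509Certificate[] chain = x509Bundle.getCertificatePathWithRoot();
        // A single-element path is looked up as its own issuer; otherwise element 1 is used.
        // NOTE(review): assumes element 0 is the certificate itself and element 1 its
        // issuer, and that the path is never empty. Confirm against X509Bundle.
        X509Certificate issuerCert = chain.length == 1 ? chain[0] : chain[1];
        CrlInfo info = this.issuers.get(issuerCert);
        if (info == null) {
            throw new IllegalArgumentException("Not a registered issuer: " + issuerCert.getSubjectX500Principal());
        }
        info.revokedCerts.put(x509Bundle.getCertificate().getSerialNumber(), instant);
    }

    /**
     * Returns the URI under which the CRL of the given issuer is served.
     *
     * @param x509Bundle the issuer to look up
     * @return the CRL URI, or {@code null} if the issuer has not been registered
     */
    public URI getCrlUri(X509Bundle x509Bundle) {
        Objects.requireNonNull(x509Bundle, "x509Bundle");
        CrlInfo info = this.issuers.get(x509Bundle.getCertificate());
        return info != null ? info.uri : null;
    }

    /**
     * Encodes and signs a CRL from the current revocation entries of {@code crlInfo}.
     *
     * @return the encoded, signed CRL
     * @throws IllegalStateException if encoding or signing fails
     */
    private static byte[] generateCrl(CrlInfo crlInfo) {
        X509Bundle issuer = crlInfo.issuer;
        Map<BigInteger, Instant> revoked = crlInfo.revokedCerts;
        // NOTE(review): both timestamp arguments are the same instant. If the second one is
        // the CRL's nextUpdate, a strict validator may treat the CRL as stale as soon as it
        // is issued. Confirm against CertificateList.
        Instant now = Instant.now();
        try {
            byte[] tbsCertList = new CertificateList(issuer, now, now, revoked.entrySet()).getEncoded();
            return new Signed(tbsCertList, issuer).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException("Failed to sign CRL", e);
        }
    }
}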
