package io.gravitee.am.certificate.api;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import io.gravitee.am.certificate.api.jwk.JwkNimbusConverter;
import io.gravitee.am.common.jwt.SignatureAlgorithm;
import io.gravitee.am.model.jose.JWK;
import io.reactivex.rxjava3.core.Flowable;
import io.reactivex.rxjava3.core.Single;
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ConfigurableApplicationContext;

/* loaded from: input_file:io/gravitee/am/certificate/api/AbstractCertificateProvider.class */
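/**
 * Base class for certificate providers that read their signing key and certificate from a
 * {@link KeyStore} supplied by the subclass.
 *
 * <p>{@link #createCertificateKeys(CertificateMetadata)} must run before any accessor is used:
 * every field read by the accessors below is populated there and is {@code null} until then.
 *
 * <p>Security-relevant surface: {@link #key()} and {@link #privateKey()} hand out private key
 * material, whereas {@link #keys()}, {@link #publicKey()}, {@link #publicKeys()} and
 * {@link #certificate()} expose public material only.
 */
public abstract class AbstractCertificateProvider implements CertificateProvider {
    public static final String RSA = "RSA";
    public static final String EC = "EC";

    @Autowired
    protected CertificateMetadata certificateMetadata;

    @Autowired
    protected ConfigurableApplicationContext context;
    private Date expirationDate;
    private java.security.cert.Certificate cert;
    private JWKSet jwkSet;
    private Set<JWK> keys;
    // Default used until an X.509 certificate has been loaded and its algorithm mapped.
    private SignatureAlgorithm signature = SignatureAlgorithm.RS256;
    private Key certificateKey;
    private List<CertificateKey> certificateKeys;

    /**
     * Loads the key store carried in the metadata and derives the public JWK set, the signing
     * key pair, the certificate, its expiration date and the exportable public key formats.
     *
     * <p>The parameter shadows the autowired field of the same name; only the parameter is
     * read and updated here.
     *
     * @param certificateMetadata metadata holding the raw key store bytes; its metadata map is
     *     also updated with the digest algorithm name
     * @throws NullPointerException if no certificate content is present (message taken from
     *     {@link #invalidCertificateFileMessage()})
     * @throws IllegalArgumentException if the entry under {@link #getAlias()} is not a private key
     * @throws Exception on any key store loading or key recovery failure
     */
    public void createCertificateKeys(CertificateMetadata certificateMetadata) throws Exception {
        Object certificateContent = getCertificateContent(certificateMetadata);
        Objects.requireNonNull(certificateContent, invalidCertificateFileMessage());
        try (ByteArrayInputStream keyStoreBytes = new ByteArrayInputStream((byte[]) certificateContent)) {
            KeyStore keyStore = keyStore();
            keyStore.load(keyStoreBytes, getStorepass().toCharArray());
            // The lookup ignores the entry name: the same key password is offered for every alias.
            this.jwkSet = JWKSet.load(keyStore, name -> getKeypass().toCharArray());
            this.keys = getKeys();
            java.security.Key key = keyStore.getKey(getAlias(), getKeypass().toCharArray());
            if (!(key instanceof PrivateKey)) {
                throw new IllegalArgumentException("An ECSDA or RSA Signer must be supplied");
            }
            this.cert = keyStore.getCertificate(getAlias());
            KeyPair keyPair = new KeyPair(this.cert.getPublicKey(), (PrivateKey) key);
            this.certificateKey = new DefaultKey(getAlias(), keyPair);
            // NOTE(review): the digest name is recorded before `signature` is re-derived from the
            // certificate below, so the metadata reflects the previous value (RS256 on first use)
            // rather than the loaded certificate's algorithm. Confirm this is intended before
            // relying on the metadata entry.
            certificateMetadata.getMetadata().put(CertificateMetadata.DIGEST_ALGORITHM_NAME, this.signature.getDigestName());
            this.certificateKeys = new ArrayList<>();
            if (this.cert instanceof X509Certificate x509Certificate) {
                // NOTE(review): getSigAlgName() is the algorithm used to sign the certificate
                // itself; for a certificate issued by a CA with a different key type this may not
                // match the subject key. Verify for non-self-signed certificates.
                this.signature = getSignature(x509Certificate.getSigAlgName());
                this.certificateKeys.add(new CertificateKey(CertificateFormat.PEM, X509CertUtils.toPEMString(x509Certificate)));
                this.expirationDate = x509Certificate.getNotAfter();
            }
            PublicKey publicKey = keyPair.getPublic();
            if (publicKey.getAlgorithm().equals(RSA)) {
                this.certificateKeys.add(new CertificateKey(CertificateFormat.SSH_RSA, KeyUtils.toSSHRSAString((RSAPublicKey) publicKey)));
            } else if (publicKey.getAlgorithm().equals(EC)) {
                this.certificateKeys.add(new CertificateKey(CertificateFormat.ECDSA, KeyUtils.toEcdsaString((ECPublicKey) publicKey)));
            }
        }
    }

    /**
     * Returns the raw key store content stored under {@link CertificateMetadata#FILE}.
     *
     * @param certificateMetadata metadata to read from
     * @return the stored value, or {@code null} when the entry is absent; the caller casts it
     *     to {@code byte[]}
     */
    protected Object getCertificateContent(CertificateMetadata certificateMetadata) {
        return certificateMetadata.getMetadata().get(CertificateMetadata.FILE);
    }

    /** @return the password protecting the key store as a whole */
    protected abstract String getStorepass();

    /** @return the alias of the key entry used for signing */
    protected abstract String getAlias();

    /** @return the password protecting the key entries */
    protected abstract String getKeypass();

    /** @return the key-use values passed to the JWK converter */
    protected abstract Set<String> getUse();

    /** @return the configured algorithm, or {@code null} to fall back to the certificate-derived one */
    protected abstract String getAlgorithm();

    /** @return the message reported when no certificate content is available */
    protected abstract String invalidCertificateFileMessage();

    /**
     * @return an unloaded key store instance of the type the subclass handles
     * @throws KeyStoreException if the key store cannot be created
     */
    protected abstract KeyStore keyStore() throws KeyStoreException;

    /** @return the certificate's not-after date, empty when no X.509 certificate was loaded */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Optional<Date> getExpirationDate() {
        return Optional.ofNullable(this.expirationDate);
    }

    /**
     * Emits the signing key as JWK(s) built from the RSA key pair with the private key attached.
     *
     * <p>The result carries private key material and must be treated as a secret by callers.
     * The {@code true} flag presumably asks the converter to keep the private parameters;
     * confirm against {@code JwkNimbusConverter}.
     *
     * <p>Only RSA key pairs are supported here: an EC pair loaded by
     * {@link #createCertificateKeys(CertificateMetadata)} fails on the casts below with a
     * {@link ClassCastException}.
     */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Flowable<JWK> privateKey() {
        KeyPair keyPair = (KeyPair) this.certificateKey.getValue();
        RSAKey rsaJwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .privateKey((RSAPrivateKey) keyPair.getPrivate())
                .keyID(getAlias())
                .build();
        return Flowable.fromIterable(
                JwkNimbusConverter.converter(rsaJwk, true, getUse(), signatureAlgorithm()).createJwk().toList());
    }

    /** @return the key wrapper holding the full key pair, private key included */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Single<Key> key() {
        return Single.just(this.certificateKey);
    }

    /**
     * @return the payload of the first {@code SSH_RSA} entry
     * @throws java.util.NoSuchElementException if no such entry exists, which is the case when
     *     the loaded public key is not RSA
     */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Single<String> publicKey() {
        return Single.just(this.certificateKeys.stream()
                .filter(candidate -> candidate.getFmt().equals(CertificateFormat.SSH_RSA))
                .map(CertificateKey::getPayload)
                .findFirst()
                .orElseThrow());
    }

    /** @return the internal list of exported public key formats (not a copy) */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Single<List<CertificateKey>> publicKeys() {
        return Single.just(this.certificateKeys);
    }

    /** @return the public JWKs derived from the key store */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public Flowable<JWK> keys() {
        return Flowable.fromIterable(this.keys);
    }

    /** @return the certificate stored under {@link #getAlias()} */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public java.security.cert.Certificate certificate() {
        return this.cert;
    }

    /**
     * @return the configured algorithm when one is set, otherwise the value of the algorithm
     *     derived from the certificate (RS256 by default)
     */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public String signatureAlgorithm() {
        String configured = getAlgorithm();
        return configured != null ? configured : this.signature.getValue();
    }

    /** Converts the public view of the loaded JWK set, so no private parameters are read here. */
    private Set<JWK> getKeys() {
        return this.jwkSet.toPublicJWKSet().getKeys().stream()
                .map(jwk -> JwkNimbusConverter.converter(jwk, false, getUse(), getAlgorithm()))
                .flatMap(converter -> converter.createJwk())
                .collect(Collectors.toSet());
    }

    /**
     * Maps a JCA signature algorithm name to the matching {@link SignatureAlgorithm}.
     *
     * @param jcaName name as reported by the certificate
     * @return the first algorithm with that JCA name, or RS256 when none matches (the fallback
     *     is applied whatever the key type is)
     */
    private SignatureAlgorithm getSignature(String jcaName) {
        return Stream.of(SignatureAlgorithm.values())
                .filter(candidate -> candidate.getJcaName() != null)
                .filter(candidate -> candidate.getJcaName().equals(jcaName))
                .findFirst()
                .orElse(SignatureAlgorithm.RS256);
    }

    /** Closes the Spring application context held by this provider. */
    @Override // io.gravitee.am.certificate.api.CertificateProvider
    public void unregister() {
        this.context.close();
    }
}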
