package io.quarkus.vault.runtime;

import io.quarkus.vault.VaultPKISecretReactiveEngine;
import io.quarkus.vault.client.VaultClient;
import io.quarkus.vault.client.VaultClientException;
import io.quarkus.vault.client.VaultException;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKI;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIConfigCrlParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIConfigUrlsParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIExtKeyUsage;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIFormat;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIGenerateCsrParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIGenerateRootParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIIssueParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIKeyBits;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIKeyType;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIKeyUsage;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIManageType;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIPrivateKeyFormat;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIRevokeParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKISignIntermediateParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKISignParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKITidyParams;
import io.quarkus.vault.client.api.secrets.pki.VaultSecretsPKIUpdateRoleParams;
import io.quarkus.vault.pki.CAChainData;
import io.quarkus.vault.pki.CRLData;
import io.quarkus.vault.pki.CSRData;
import io.quarkus.vault.pki.CertificateData;
import io.quarkus.vault.pki.CertificateExtendedKeyUsage;
import io.quarkus.vault.pki.CertificateKeyType;
import io.quarkus.vault.pki.CertificateKeyUsage;
import io.quarkus.vault.pki.ConfigCRLOptions;
import io.quarkus.vault.pki.ConfigURLsOptions;
import io.quarkus.vault.pki.DataFormat;
import io.quarkus.vault.pki.GenerateCertificateOptions;
import io.quarkus.vault.pki.GenerateIntermediateCSROptions;
import io.quarkus.vault.pki.GenerateRootOptions;
import io.quarkus.vault.pki.GeneratedCertificate;
import io.quarkus.vault.pki.GeneratedIntermediateCSRResult;
import io.quarkus.vault.pki.GeneratedRootCertificate;
import io.quarkus.vault.pki.PrivateKeyData;
import io.quarkus.vault.pki.PrivateKeyEncoding;
import io.quarkus.vault.pki.RoleOptions;
import io.quarkus.vault.pki.SignIntermediateCAOptions;
import io.quarkus.vault.pki.SignedCertificate;
import io.quarkus.vault.pki.TidyOptions;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.unchecked.Unchecked;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

@ApplicationScoped
/* loaded from: input_file:io/quarkus/vault/runtime/VaultPKIManager.class */
public class VaultPKIManager implements VaultPKISecretReactiveEngine {
    private final VaultSecretsPKI pki;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.quarkus.vault.runtime.VaultPKIManager$1, reason: invalid class name */
    /* loaded from: input_file:io/quarkus/vault/runtime/VaultPKIManager$1.class */
    /**
     * Switch lookup table for {@link VaultSecretsPKIFormat}; the decompiler marks it synthetic.
     *
     * <p>The array is indexed by {@code ordinal()}: DER maps to 1, PEM maps to 2. Any constant not
     * assigned below keeps the array default of 0, which the switches reading this table treat
     * as their {@code default} arm.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$quarkus$vault$client$api$secrets$pki$VaultSecretsPKIFormat = new int[VaultSecretsPKIFormat.values().length];

        static {
            final int[] caseIndexByOrdinal = $SwitchMap$io$quarkus$vault$client$api$secrets$pki$VaultSecretsPKIFormat;
            try {
                caseIndexByOrdinal[VaultSecretsPKIFormat.DER.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // Deliberately empty: a constant that is missing at run time simply stays unmapped (0).
            }
            try {
                caseIndexByOrdinal[VaultSecretsPKIFormat.PEM.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // Deliberately empty, same reason as above.
            }
        }
    }

    /**
     * Injection constructor: binds this manager to the PKI engine identified by the fixed
     * name {@code "pki"} by delegating to the two-argument constructor.
     *
     * @param vaultClient client from which the PKI secrets API is obtained
     */
    @Inject
    public VaultPKIManager(VaultClient vaultClient) {
        this(vaultClient, "pki");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Binds this manager to the PKI secrets API returned by {@code vaultClient.secrets().pki(str)}.
     *
     * @param vaultClient client from which the PKI secrets API is obtained
     * @param str identifier handed to {@code pki(...)}; presumably the engine mount path (confirm
     *     against the client API). It is used as given, with no validation here.
     */
    public VaultPKIManager(VaultClient vaultClient, String str) {
        this.pki = vaultClient.secrets().pki(str);
    }

    /**
     * Reads the issuer CA certificate as PEM.
     *
     * <p>Delegates to {@link #getCertificateAuthority(DataFormat)} with {@link DataFormat#PEM} and
     * narrows the emitted item to {@link CertificateData.PEM}.
     *
     * @return a {@link Uni} emitting the CA certificate in PEM form
     */
    @Override
    public Uni<CertificateData.PEM> getCertificateAuthority() {
        return getCertificateAuthority(DataFormat.PEM)
                .map(caCertificate -> (CertificateData.PEM) caCertificate);
    }

    /**
     * Reads the issuer CA certificate and returns it in the requested representation.
     *
     * <p>The value read from Vault is always wrapped as PEM first. Only {@link DataFormat#PEM}
     * returns that wrapper; every other value, including {@code null}, yields DER data built
     * from the certificate's encoded form. Note that {@code null} therefore selects DER here.
     *
     * @param dataFormat requested representation
     * @return a {@link Uni} emitting the CA certificate data
     */
    @Override
    public Uni<CertificateData> getCertificateAuthority(DataFormat dataFormat) {
        return Uni.createFrom()
                .completionStage(this.pki.readIssuerCaCert())
                .map(Unchecked.function(issuerCaCert -> {
                    CertificateData.PEM pem = new CertificateData.PEM(issuerCaCert.getCertificate());
                    CertificateData converted = pem;
                    if (dataFormat != DataFormat.PEM) {
                        // Re-encode the parsed certificate to obtain the DER bytes.
                        converted = new CertificateData.DER(pem.getCertificate().getEncoded());
                    }
                    return converted;
                }));
    }

    /**
     * Submits CA configuration material to the PKI engine through {@code configCa}.
     *
     * <p>The import result returned by Vault is discarded; the {@link Uni} completes with
     * {@code null} on success.
     *
     * @param str value passed unchanged to {@code configCa}; presumably a PEM bundle holding the CA
     *     certificate and private key (confirm against the client API). If so, it is key material
     *     and should not be logged.
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> configCertificateAuthority(String str) {
        return Uni.createFrom()
                .completionStage(this.pki.configCa(str))
                .map(importResult -> null);
    }

    /**
     * Writes the URL configuration of the PKI engine.
     *
     * <p>The issuing-certificate URLs, CRL distribution points and OCSP servers are copied from
     * the options unchanged; no validation of the URLs happens in this method.
     *
     * @param configURLsOptions URL settings to store
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> configURLs(ConfigURLsOptions configURLsOptions) {
        VaultSecretsPKIConfigUrlsParams params = new VaultSecretsPKIConfigUrlsParams()
                .setIssuingCertificates(configURLsOptions.issuingCertificates)
                .setCrlDistributionPoints(configURLsOptions.crlDistributionPoints)
                .setOcspServers(configURLsOptions.ocspServers);
        return Uni.createFrom().completionStage(this.pki.configUrls(params));
    }

    /**
     * Reads the URL configuration of the PKI engine.
     *
     * @return a {@link Uni} emitting a fresh {@link ConfigURLsOptions} populated with the issuing
     *     certificate URLs, CRL distribution points and OCSP servers reported by Vault
     */
    @Override
    public Uni<ConfigURLsOptions> readURLsConfig() {
        return Uni.createFrom()
                .completionStage(this.pki.readUrlsConfig())
                .map(urlsConfig -> {
                    ConfigURLsOptions options = new ConfigURLsOptions();
                    options.issuingCertificates = urlsConfig.getIssuingCertificates();
                    options.crlDistributionPoints = urlsConfig.getCrlDistributionPoints();
                    options.ocspServers = urlsConfig.getOcspServers();
                    return options;
                });
    }

    /**
     * Writes the CRL configuration of the PKI engine.
     *
     * <p>The expiry string is converted with {@code DurationHelper.fromVaultDuration}; the
     * {@code disable} flag is forwarded as given. Disabling the CRL affects how relying parties
     * learn about revocations, so callers should treat this as a privileged change.
     *
     * @param configCRLOptions CRL settings to store
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> configCRL(ConfigCRLOptions configCRLOptions) {
        VaultSecretsPKIConfigCrlParams params = new VaultSecretsPKIConfigCrlParams()
                .setExpiry(DurationHelper.fromVaultDuration(configCRLOptions.expiry))
                .setDisable(configCRLOptions.disable);
        return Uni.createFrom().completionStage(this.pki.configCrl(params));
    }

    /**
     * Reads the CRL configuration of the PKI engine.
     *
     * @return a {@link Uni} emitting a fresh {@link ConfigCRLOptions} holding the expiry (converted
     *     with {@code DurationHelper.toVaultDuration}) and the disable flag reported by Vault
     */
    @Override
    public Uni<ConfigCRLOptions> readCRLConfig() {
        return Uni.createFrom()
                .completionStage(this.pki.readCrlConfig())
                .map(crlConfig -> {
                    ConfigCRLOptions options = new ConfigCRLOptions();
                    options.expiry = DurationHelper.toVaultDuration(crlConfig.getExpiry());
                    options.disable = crlConfig.isDisable();
                    return options;
                });
    }

    /**
     * Reads the issuer CA chain and wraps it as PEM data.
     *
     * @return a {@link Uni} emitting the chain as {@link CAChainData.PEM}
     */
    @Override
    public Uni<CAChainData.PEM> getCertificateAuthorityChain() {
        return Uni.createFrom()
                .completionStage(this.pki.readIssuerCaChain())
                .map(chain -> new CAChainData.PEM(chain));
    }

    /**
     * Reads the issuer CRL as PEM.
     *
     * <p>Delegates to {@link #getCertificateRevocationList(DataFormat)} with
     * {@link DataFormat#PEM} and narrows the emitted item to {@link CRLData.PEM}.
     *
     * @return a {@link Uni} emitting the CRL in PEM form
     */
    @Override
    public Uni<CRLData.PEM> getCertificateRevocationList() {
        return getCertificateRevocationList(DataFormat.PEM)
                .map(crl -> (CRLData.PEM) crl);
    }

    /**
     * Reads the issuer CRL and returns it in the requested representation.
     *
     * <p>The value read from Vault is always wrapped as PEM first. Only {@link DataFormat#PEM}
     * returns that wrapper; every other value, including {@code null}, yields DER data built
     * from the CRL's encoded form.
     *
     * @param dataFormat requested representation
     * @return a {@link Uni} emitting the CRL data
     */
    @Override
    public Uni<CRLData> getCertificateRevocationList(DataFormat dataFormat) {
        return Uni.createFrom()
                .completionStage(this.pki.readIssuerCrl())
                .map(Unchecked.function(crlText -> {
                    CRLData.PEM pem = new CRLData.PEM(crlText);
                    // Anything that is not explicitly PEM is re-encoded to DER.
                    return dataFormat != DataFormat.PEM ? new CRLData.DER(pem.getCRL().getEncoded()) : pem;
                }));
    }

    /**
     * Asks the PKI engine to rotate its CRL.
     *
     * @return a {@link Uni} emitting the success flag of the rotation result
     */
    @Override
    public Uni<Boolean> rotateCertificateRevocationList() {
        return Uni.createFrom()
                .completionStage(this.pki.rotateCrl())
                .map(rotation -> rotation.isSuccess());
    }

    /**
     * Lists the certificate identifiers known to the PKI engine.
     *
     * <p>Every entry returned by Vault has its {@code '-'} characters replaced with {@code ':'}
     * before being handed back.
     *
     * @return a {@link Uni} emitting a new mutable list of the rewritten identifiers
     */
    @Override
    public Uni<List<String>> getCertificates() {
        return Uni.createFrom()
                .completionStage(this.pki.listCertificates())
                .map(serials -> {
                    List<String> colonSeparated = new ArrayList<>();
                    for (String serial : serials) {
                        // Literal replacement; "-" has no special meaning, so no regex is needed.
                        colonSeparated.add(serial.replace("-", ":"));
                    }
                    return colonSeparated;
                });
    }

    /**
     * Reads a single certificate and wraps it as PEM data.
     *
     * @param str identifier passed unchanged to {@code readCertificate}; presumably the
     *     certificate serial number (confirm against the client API)
     * @return a {@link Uni} emitting the certificate as {@link CertificateData.PEM}
     */
    @Override
    public Uni<CertificateData.PEM> getCertificate(String str) {
        return Uni.createFrom()
                .completionStage(this.pki.readCertificate(str))
                .map(found -> new CertificateData.PEM(found.getCertificate()));
    }

    /**
     * Issues a new certificate and key pair through the PKI engine.
     *
     * <p>Subject names, SANs and TTL are copied from the options unchanged; this method performs
     * no validation of them. The emitted {@link GeneratedCertificate} carries the private key
     * returned by Vault, so the result is secret material and should not be logged or persisted
     * in clear text.
     *
     * @param str first argument of {@code issue}; presumably the role name (confirm against the
     *     client API)
     * @param generateCertificateOptions requested subject, SANs, TTL and output formats
     * @return a {@link Uni} emitting the certificate, issuing CA, CA chain, serial number and
     *     private key
     */
    @Override
    public Uni<GeneratedCertificate> generateCertificate(String str, GenerateCertificateOptions generateCertificateOptions) {
        VaultSecretsPKIIssueParams params = new VaultSecretsPKIIssueParams()
                .setFormat(dataFormatToFormat(generateCertificateOptions.format))
                .setPrivateKeyFormat(privateKeyFormat(generateCertificateOptions.privateKeyEncoding))
                .setCommonName(generateCertificateOptions.subjectCommonName)
                .setAltNames(generateCertificateOptions.subjectAlternativeNames)
                .setIpSans(generateCertificateOptions.ipSubjectAlternativeNames)
                .setUriSans(generateCertificateOptions.uriSubjectAlternativeNames)
                .setOtherSans(generateCertificateOptions.otherSubjectAlternativeNames)
                .setTtl(DurationHelper.fromVaultDuration(generateCertificateOptions.timeToLive))
                .setExcludeCommonNameFromSubjectAlternativeNames(generateCertificateOptions.excludeCommonNameFromSubjectAlternativeNames);
        return Uni.createFrom()
                .completionStage(this.pki.issue(str, params))
                .map(issued -> {
                    // The response is decoded with the same format that was requested.
                    VaultSecretsPKIFormat format = params.getFormat();
                    GeneratedCertificate result = new GeneratedCertificate();
                    result.certificate = createCertificateData(issued.getCertificate(), format);
                    result.issuingCA = createCertificateData(issued.getIssuingCa(), format);
                    result.caChain = createCertificateDataList(issued.getCaChain(), format);
                    result.serialNumber = issued.getSerialNumber();
                    result.privateKeyType = stringToCertificateKeyType(issued.getPrivateKeyType());
                    result.privateKey = createPrivateKeyData(issued.getPrivateKey(), format, params.getPrivateKeyFormat());
                    return result;
                });
    }

    /**
     * Signs a certificate signing request through the PKI engine.
     *
     * <p>The CSR and the subject/SAN overrides from the options are forwarded unchanged; this
     * method does not inspect or validate the CSR.
     *
     * @param str first argument of {@code sign}; presumably the role name (confirm against the
     *     client API)
     * @param str2 the CSR, set on the request via {@code setCsr}
     * @param generateCertificateOptions requested subject, SANs, TTL and output format
     * @return a {@link Uni} emitting the signed certificate, issuing CA, CA chain and serial number
     */
    @Override
    public Uni<SignedCertificate> signRequest(String str, String str2, GenerateCertificateOptions generateCertificateOptions) {
        VaultSecretsPKISignParams params = new VaultSecretsPKISignParams()
                .setFormat(dataFormatToFormat(generateCertificateOptions.format))
                .setCsr(str2)
                .setCommonName(generateCertificateOptions.subjectCommonName)
                .setAltNames(generateCertificateOptions.subjectAlternativeNames)
                .setIpSans(generateCertificateOptions.ipSubjectAlternativeNames)
                .setUriSans(generateCertificateOptions.uriSubjectAlternativeNames)
                .setOtherSans(generateCertificateOptions.otherSubjectAlternativeNames)
                .setTtl(DurationHelper.fromVaultDuration(generateCertificateOptions.timeToLive))
                .setExcludeCommonNameFromSubjectAlternativeNames(generateCertificateOptions.excludeCommonNameFromSubjectAlternativeNames);
        return Uni.createFrom()
                .completionStage(this.pki.sign(str, params))
                .map(signed -> {
                    // The response is decoded with the same format that was requested.
                    VaultSecretsPKIFormat format = params.getFormat();
                    SignedCertificate result = new SignedCertificate();
                    result.certificate = createCertificateData(signed.getCertificate(), format);
                    result.issuingCA = createCertificateData(signed.getIssuingCa(), format);
                    result.caChain = createCertificateDataList(signed.getCaChain(), format);
                    result.serialNumber = signed.getSerialNumber();
                    return result;
                });
    }

    /**
     * Revokes the certificate with the given serial number.
     *
     * @param str serial number placed on the revoke request via {@code setSerialNumber}
     * @return a {@link Uni} emitting the revocation time reported by Vault
     */
    @Override
    public Uni<OffsetDateTime> revokeCertificate(String str) {
        VaultSecretsPKIRevokeParams params = new VaultSecretsPKIRevokeParams().setSerialNumber(str);
        return Uni.createFrom()
                .completionStage(this.pki.revoke(params))
                .map(revocation -> revocation.getRevocationTime());
    }

    /**
     * Creates or updates a PKI role from the given options.
     *
     * <p>Every option is forwarded to Vault as given. That includes the switches that widen what
     * the role may issue ({@code allowAnyName}, {@code allowSubdomains},
     * {@code allowGlobsInAllowedDomains}, {@code allowLocalhost}, {@code allowBareDomains}) and
     * the one that relaxes name checking ({@code enforceHostnames}); nothing here validates or
     * restricts them, so policy has to be enforced by the caller or in Vault.
     *
     * <p>Durations go through {@code DurationHelper.fromVaultDuration}; comma-separated subject
     * fields are split into lists; a {@code null} key type or key size is sent as {@code null}.
     *
     * @param str first argument of {@code updateRole}; presumably the role name (confirm against
     *     the client API)
     * @param roleOptions role settings to store
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> updateRole(String str, RoleOptions roleOptions) {
        VaultSecretsPKIUpdateRoleParams params = new VaultSecretsPKIUpdateRoleParams()
                .setTtl(DurationHelper.fromVaultDuration(roleOptions.timeToLive))
                .setMaxTtl(DurationHelper.fromVaultDuration(roleOptions.maxTimeToLive))
                .setAllowLocalhost(roleOptions.allowLocalhost)
                .setAllowedDomains(roleOptions.allowedDomains)
                .setAllowedDomainsTemplate(roleOptions.allowTemplatesInAllowedDomains)
                .setAllowBareDomains(roleOptions.allowBareDomains)
                .setAllowSubdomains(roleOptions.allowSubdomains)
                .setAllowGlobDomains(roleOptions.allowGlobsInAllowedDomains)
                .setAllowAnyName(roleOptions.allowAnyName)
                .setEnforceHostnames(roleOptions.enforceHostnames)
                .setAllowIpSans(roleOptions.allowIpSubjectAlternativeNames)
                .setAllowedUriSans(roleOptions.allowedUriSubjectAlternativeNames)
                .setAllowedOtherSans(roleOptions.allowedOtherSubjectAlternativeNames)
                .setServerFlag(roleOptions.serverFlag)
                .setClientFlag(roleOptions.clientFlag)
                .setCodeSigningFlag(roleOptions.codeSigningFlag)
                .setEmailProtectionFlag(roleOptions.emailProtectionFlag)
                .setKeyType(roleOptions.keyType != null
                        ? VaultSecretsPKIKeyType.from(roleOptions.keyType.name().toLowerCase(Locale.ROOT))
                        : null)
                .setKeyBits(roleOptions.keyBits != null
                        ? VaultSecretsPKIKeyBits.fromBits(roleOptions.keyBits)
                        : null)
                .setKeyUsage(mapKeyUsagesToClient(roleOptions.keyUsages))
                .setExtKeyUsage(mapExtKeyUsagesToClient(roleOptions.extendedKeyUsages))
                .setExtKeyUsageOids(roleOptions.extendedKeyUsageOIDs)
                .setUseCsrCommonName(roleOptions.useCSRCommonName)
                .setUseCsrSans(roleOptions.useCSRSubjectAlternativeNames)
                .setOrganization(commaStringToStringList(roleOptions.subjectOrganization))
                .setOu(commaStringToStringList(roleOptions.subjectOrganizationalUnit))
                .setStreetAddress(commaStringToStringList(roleOptions.subjectStreetAddress))
                .setPostalCode(commaStringToStringList(roleOptions.subjectPostalCode))
                .setLocality(commaStringToStringList(roleOptions.subjectLocality))
                .setProvince(commaStringToStringList(roleOptions.subjectProvince))
                .setCountry(commaStringToStringList(roleOptions.subjectCountry))
                .setAllowedSerialNumbers(roleOptions.allowedSubjectSerialNumbers)
                .setGenerateLease(roleOptions.generateLease)
                .setNoStore(roleOptions.noStore)
                .setRequireCn(roleOptions.requireCommonName)
                .setPolicyIdentifiers(roleOptions.policyOIDs)
                .setBasicConstraintsValidForNonCa(roleOptions.basicConstraintsValidForNonCA)
                .setNotBefore(DurationHelper.fromVaultDuration(roleOptions.notBeforeDuration));
        return Uni.createFrom().completionStage(this.pki.updateRole(str, params));
    }

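    /**
     * Reads a PKI role and maps it to {@link RoleOptions}.
     *
     * <p>Durations are rendered with {@code DurationHelper.toStringDurationSeconds}, list-valued
     * subject fields are joined with commas, and the key type goes through
     * {@code stringToCertificateKeyType}, which maps {@code null} to {@code null}.
     *
     * <p>The key size is copied only when the response carries one; a missing value leaves
     * {@code keyBits} as {@code null} instead of failing the whole read with a
     * {@link NullPointerException}. This mirrors {@code updateRole}, which treats the key size
     * as optional.
     *
     * @param str first argument of {@code readRole}; presumably the role name (confirm against
     *     the client API)
     * @return a {@link Uni} emitting the role settings reported by Vault
     */
    @Override
    public Uni<RoleOptions> getRole(String str) {
        return Uni.createFrom().completionStage(this.pki.readRole(str)).map(role -> {
            RoleOptions options = new RoleOptions();
            options.timeToLive = DurationHelper.toStringDurationSeconds(role.getTtl());
            options.maxTimeToLive = DurationHelper.toStringDurationSeconds(role.getMaxTtl());
            options.allowLocalhost = role.isAllowLocalhost();
            options.allowedDomains = role.getAllowedDomains();
            options.allowTemplatesInAllowedDomains = role.isAllowedDomainsTemplate();
            options.allowBareDomains = role.isAllowBareDomains();
            options.allowSubdomains = role.isAllowSubdomains();
            options.allowGlobsInAllowedDomains = role.isAllowGlobDomains();
            options.allowAnyName = role.isAllowAnyName();
            options.enforceHostnames = role.isEnforceHostnames();
            options.allowIpSubjectAlternativeNames = role.isAllowIpSans();
            options.allowedUriSubjectAlternativeNames = role.getAllowedUriSans();
            options.allowedOtherSubjectAlternativeNames = role.getAllowedOtherSans();
            options.serverFlag = role.isServerFlag();
            options.clientFlag = role.isClientFlag();
            options.codeSigningFlag = role.isCodeSigningFlag();
            options.emailProtectionFlag = role.isEmailProtectionFlag();
            options.keyType = stringToCertificateKeyType(role.getKeyType());
            // Guard the dereference: the write path accepts a null key size, so the read path
            // must tolerate one as well.
            if (role.getKeyBits() != null) {
                options.keyBits = Integer.valueOf(role.getKeyBits().getBits());
            }
            options.keyUsages = mapKeyUsagesFromClient(role.getKeyUsage());
            options.extendedKeyUsages = mapExtKeyUsagesFromClient(role.getExtKeyUsage());
            options.extendedKeyUsageOIDs = role.getExtKeyUsageOids();
            options.useCSRCommonName = role.isUseCsrCommonName();
            options.useCSRSubjectAlternativeNames = role.isUseCsrSans();
            options.subjectOrganization = stringListToCommaString(role.getOrganization());
            options.subjectOrganizationalUnit = stringListToCommaString(role.getOu());
            options.subjectStreetAddress = stringListToCommaString(role.getStreetAddress());
            options.subjectPostalCode = stringListToCommaString(role.getPostalCode());
            options.subjectLocality = stringListToCommaString(role.getLocality());
            options.subjectProvince = stringListToCommaString(role.getProvince());
            options.subjectCountry = stringListToCommaString(role.getCountry());
            options.allowedSubjectSerialNumbers = role.getAllowedSerialNumbers();
            options.generateLease = role.isGenerateLease();
            options.noStore = role.isNoStore();
            options.requireCommonName = role.isRequireCn();
            options.policyOIDs = role.getPolicyIdentifiers();
            options.basicConstraintsValidForNonCA = role.isBasicConstraintsValidForNonCa();
            options.notBeforeDuration = DurationHelper.toStringDurationSeconds(role.getNotBefore());
            return options;
        });
    }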

    /**
     * Lists the roles defined in the PKI engine.
     *
     * <p>Only a {@link VaultClientException} whose status is 404 is turned into an empty list.
     * Every other failure, including client errors with a different status, is propagated
     * unchanged, so an access-control failure is not mistaken for "no roles".
     *
     * @return a {@link Uni} emitting the role names, or an empty list when Vault answers 404
     */
    @Override
    public Uni<List<String>> getRoles() {
        return Uni.createFrom()
                .completionStage(this.pki.listRoles())
                .onFailure(VaultClientException.class)
                .recoverWithUni(failure -> {
                    VaultClientException clientError = (VaultClientException) failure;
                    if (clientError.getStatus().intValue() == 404) {
                        return Uni.createFrom().item(Collections.emptyList());
                    }
                    return Uni.createFrom().failure(failure);
                });
    }

    /**
     * Deletes a PKI role.
     *
     * @param str argument of {@code deleteRole}; presumably the role name (confirm against the
     *     client API)
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> deleteRole(String str) {
        return Uni.createFrom()
                .completionStage(this.pki.deleteRole(str));
    }

    /**
     * Generates a root CA certificate in the PKI engine.
     *
     * <p>When {@code exportPrivateKey} is set the request uses
     * {@link VaultSecretsPKIManageType#EXPORTED} and the private key from the response is copied
     * into the result; otherwise {@link VaultSecretsPKIManageType#INTERNAL} is used. An exported
     * root key leaves Vault's custody, so callers that enable the flag must treat the emitted
     * object as highly sensitive and keep it out of logs.
     *
     * <p>Subject fields, SANs, TTL and path-length are forwarded unchanged. The key size is
     * passed to {@code VaultSecretsPKIKeyBits.fromBits} without a null check here, unlike
     * {@code updateRole}. NOTE(review): confirm that {@code fromBits} accepts {@code null}.
     *
     * @param generateRootOptions requested subject, key parameters and output formats
     * @return a {@link Uni} emitting the root certificate, issuing CA, serial number and, when
     *     present in the response, the private key
     */
    @Override
    public Uni<GeneratedRootCertificate> generateRoot(GenerateRootOptions generateRootOptions) {
        VaultSecretsPKIGenerateRootParams params = new VaultSecretsPKIGenerateRootParams()
                .setFormat(dataFormatToFormat(generateRootOptions.format))
                .setPrivateKeyFormat(privateKeyFormat(generateRootOptions.privateKeyEncoding))
                .setCommonName(generateRootOptions.subjectCommonName)
                .setAltNames(generateRootOptions.subjectAlternativeNames)
                .setIpSans(generateRootOptions.ipSubjectAlternativeNames)
                .setUriSans(generateRootOptions.uriSubjectAlternativeNames)
                .setOtherSans(generateRootOptions.otherSubjectAlternativeNames)
                .setTtl(DurationHelper.fromVaultDuration(generateRootOptions.timeToLive))
                .setKeyType(generateRootOptions.keyType != null
                        ? VaultSecretsPKIKeyType.from(generateRootOptions.keyType.name().toLowerCase(Locale.ROOT))
                        : null)
                .setKeyBits(VaultSecretsPKIKeyBits.fromBits(generateRootOptions.keyBits))
                .setMaxPathLength(generateRootOptions.maxPathLength)
                .setExcludeCommonNameFromSubjectAlternativeNames(generateRootOptions.excludeCommonNameFromSubjectAlternativeNames)
                .setPermittedDnsDomains(generateRootOptions.permittedDnsDomains)
                .setOrganization(commaStringToStringList(generateRootOptions.subjectOrganization))
                .setOu(commaStringToStringList(generateRootOptions.subjectOrganizationalUnit))
                .setStreetAddress(commaStringToStringList(generateRootOptions.subjectStreetAddress))
                .setPostalCode(commaStringToStringList(generateRootOptions.subjectPostalCode))
                .setLocality(commaStringToStringList(generateRootOptions.subjectLocality))
                .setProvince(commaStringToStringList(generateRootOptions.subjectProvince))
                .setCountry(commaStringToStringList(generateRootOptions.subjectCountry))
                .setSerialNumber(generateRootOptions.subjectSerialNumber);
        // EXPORTED asks for the private key in the response; INTERNAL does not.
        VaultSecretsPKIManageType manageType = generateRootOptions.exportPrivateKey
                ? VaultSecretsPKIManageType.EXPORTED
                : VaultSecretsPKIManageType.INTERNAL;
        return Uni.createFrom()
                .completionStage(this.pki.generateRoot(manageType, params))
                .map(generated -> {
                    // The response is decoded with the same format that was requested.
                    VaultSecretsPKIFormat format = params.getFormat();
                    GeneratedRootCertificate result = new GeneratedRootCertificate();
                    result.certificate = createCertificateData(generated.getCertificate(), format);
                    result.issuingCA = createCertificateData(generated.getIssuingCa(), format);
                    result.serialNumber = generated.getSerialNumber();
                    result.privateKeyType = stringToCertificateKeyType(generated.getPrivateKeyType());
                    result.privateKey = createPrivateKeyData(generated.getPrivateKey(), format, params.getPrivateKeyFormat());
                    return result;
                });
    }

    /**
     * Deletes the issuer named {@code "default"} from the PKI engine.
     *
     * <p>The issuer name is fixed in this method; no confirmation or existence check is made
     * here before the delete request is sent.
     *
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> deleteRoot() {
        return Uni.createFrom()
                .completionStage(this.pki.deleteIssuer("default"));
    }

    /**
     * Signs an intermediate CA certificate signing request.
     *
     * <p>The CSR, subject overrides, permitted DNS domains, path-length and the
     * {@code useCSRValues} flag are forwarded unchanged; this method does not inspect the CSR.
     * The resulting certificate is a CA certificate, so the constraints supplied here
     * ({@code maxPathLength}, {@code permittedDnsDomains}) are the ones that bound what the
     * intermediate may later issue.
     *
     * @param str the CSR, set on the request via {@code setCsr}
     * @param signIntermediateCAOptions requested subject, constraints and output format
     * @return a {@link Uni} emitting the signed certificate, issuing CA, CA chain and serial number
     */
    @Override
    public Uni<SignedCertificate> signIntermediateCA(String str, SignIntermediateCAOptions signIntermediateCAOptions) {
        VaultSecretsPKISignIntermediateParams params = new VaultSecretsPKISignIntermediateParams()
                .setFormat(dataFormatToFormat(signIntermediateCAOptions.format))
                .setCsr(str)
                .setCommonName(signIntermediateCAOptions.subjectCommonName)
                .setAltNames(signIntermediateCAOptions.subjectAlternativeNames)
                .setIpSans(signIntermediateCAOptions.ipSubjectAlternativeNames)
                .setUriSans(signIntermediateCAOptions.uriSubjectAlternativeNames)
                .setOtherSans(signIntermediateCAOptions.otherSubjectAlternativeNames)
                .setTtl(DurationHelper.fromVaultDuration(signIntermediateCAOptions.timeToLive))
                .setMaxPathLength(signIntermediateCAOptions.maxPathLength)
                .setExcludeCommonNameFromSubjectAlternativeNames(signIntermediateCAOptions.excludeCommonNameFromSubjectAlternativeNames)
                .setUseCsrValues(signIntermediateCAOptions.useCSRValues)
                .setPermittedDnsDomains(signIntermediateCAOptions.permittedDnsDomains)
                .setOrganization(commaStringToStringList(signIntermediateCAOptions.subjectOrganization))
                .setOu(commaStringToStringList(signIntermediateCAOptions.subjectOrganizationalUnit))
                .setStreetAddress(commaStringToStringList(signIntermediateCAOptions.subjectStreetAddress))
                .setPostalCode(commaStringToStringList(signIntermediateCAOptions.subjectPostalCode))
                .setLocality(commaStringToStringList(signIntermediateCAOptions.subjectLocality))
                .setProvince(commaStringToStringList(signIntermediateCAOptions.subjectProvince))
                .setCountry(commaStringToStringList(signIntermediateCAOptions.subjectCountry))
                .setSerialNumber(signIntermediateCAOptions.subjectSerialNumber);
        return Uni.createFrom()
                .completionStage(this.pki.signIntermediate(params))
                .map(signed -> {
                    // The response is decoded with the same format that was requested.
                    VaultSecretsPKIFormat format = params.getFormat();
                    SignedCertificate result = new SignedCertificate();
                    result.certificate = createCertificateData(signed.getCertificate(), format);
                    result.issuingCA = createCertificateData(signed.getIssuingCa(), format);
                    result.caChain = createCertificateDataList(signed.getCaChain(), format);
                    result.serialNumber = signed.getSerialNumber();
                    return result;
                });
    }

    /**
     * Generates a CSR for an intermediate CA in the PKI engine.
     *
     * <p>When {@code exportPrivateKey} is set the request uses
     * {@link VaultSecretsPKIManageType#EXPORTED} and the private key from the response is copied
     * into the result; otherwise {@link VaultSecretsPKIManageType#INTERNAL} is used. With the
     * flag enabled the emitted object contains CA key material and must be handled as a secret.
     *
     * <p>The key size is passed to {@code VaultSecretsPKIKeyBits.fromBits} without a null check
     * here, unlike {@code updateRole}. NOTE(review): confirm that {@code fromBits} accepts
     * {@code null}.
     *
     * @param generateIntermediateCSROptions requested subject, key parameters and output formats
     * @return a {@link Uni} emitting the CSR, the key type and, when present in the response, the
     *     private key
     */
    @Override
    public Uni<GeneratedIntermediateCSRResult> generateIntermediateCSR(GenerateIntermediateCSROptions generateIntermediateCSROptions) {
        VaultSecretsPKIGenerateCsrParams params = new VaultSecretsPKIGenerateCsrParams()
                .setFormat(dataFormatToFormat(generateIntermediateCSROptions.format))
                .setPrivateKeyFormat(privateKeyFormat(generateIntermediateCSROptions.privateKeyEncoding))
                .setCommonName(generateIntermediateCSROptions.subjectCommonName)
                .setAltNames(generateIntermediateCSROptions.subjectAlternativeNames)
                .setIpSans(generateIntermediateCSROptions.ipSubjectAlternativeNames)
                .setUriSans(generateIntermediateCSROptions.uriSubjectAlternativeNames)
                .setOtherSans(generateIntermediateCSROptions.otherSubjectAlternativeNames)
                .setKeyType(generateIntermediateCSROptions.keyType != null
                        ? VaultSecretsPKIKeyType.from(generateIntermediateCSROptions.keyType.name().toLowerCase(Locale.ROOT))
                        : null)
                .setKeyBits(VaultSecretsPKIKeyBits.fromBits(generateIntermediateCSROptions.keyBits))
                .setExcludeCommonNameFromSubjectAlternativeNames(generateIntermediateCSROptions.excludeCommonNameFromSubjectAlternativeNames)
                .setOrganization(commaStringToStringList(generateIntermediateCSROptions.subjectOrganization))
                .setOu(commaStringToStringList(generateIntermediateCSROptions.subjectOrganizationalUnit))
                .setStreetAddress(commaStringToStringList(generateIntermediateCSROptions.subjectStreetAddress))
                .setPostalCode(commaStringToStringList(generateIntermediateCSROptions.subjectPostalCode))
                .setLocality(commaStringToStringList(generateIntermediateCSROptions.subjectLocality))
                .setProvince(commaStringToStringList(generateIntermediateCSROptions.subjectProvince))
                .setCountry(commaStringToStringList(generateIntermediateCSROptions.subjectCountry))
                .setSerialNumber(generateIntermediateCSROptions.subjectSerialNumber);
        // EXPORTED asks for the private key in the response; INTERNAL does not.
        VaultSecretsPKIManageType manageType = generateIntermediateCSROptions.exportPrivateKey
                ? VaultSecretsPKIManageType.EXPORTED
                : VaultSecretsPKIManageType.INTERNAL;
        return Uni.createFrom()
                .completionStage(this.pki.generateIntermediateCsr(manageType, params))
                .map(generated -> {
                    // The response is decoded with the same format that was requested.
                    VaultSecretsPKIFormat format = params.getFormat();
                    GeneratedIntermediateCSRResult result = new GeneratedIntermediateCSRResult();
                    result.csr = createCSRData(generated.getCsr(), format);
                    result.privateKeyType = stringToCertificateKeyType(generated.getPrivateKeyType());
                    result.privateKey = createPrivateKeyData(generated.getPrivateKey(), format, params.getPrivateKeyFormat());
                    return result;
                });
    }

    /**
     * Installs a signed intermediate CA certificate in the PKI engine.
     *
     * <p>The import result returned by Vault is discarded; the {@link Uni} completes with
     * {@code null} on success.
     *
     * @param str value passed unchanged to {@code setSignedIntermediate}; presumably the signed
     *     certificate in PEM form (confirm against the client API)
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> setSignedIntermediateCA(String str) {
        return Uni.createFrom()
                .completionStage(this.pki.setSignedIntermediate(str))
                .map(importResult -> null);
    }

    /**
     * Starts a tidy operation on the PKI engine.
     *
     * <p>The two tidy flags are forwarded as given and the safety buffer is converted with
     * {@code DurationHelper.fromVaultDuration}.
     *
     * @param tidyOptions which stores to tidy and the safety buffer to apply
     * @return a {@link Uni} completing when the call has finished
     */
    @Override
    public Uni<Void> tidy(TidyOptions tidyOptions) {
        VaultSecretsPKITidyParams params = new VaultSecretsPKITidyParams()
                .setTidyCertStore(tidyOptions.tidyCertStore)
                .setTidyRevokedCerts(tidyOptions.tidyRevokedCerts)
                .setSafetyBuffer(DurationHelper.fromVaultDuration(tidyOptions.safetyBuffer));
        return Uni.createFrom().completionStage(this.pki.tidy(params));
    }

    /**
     * Joins the list elements with {@code ","}.
     *
     * <p>Elements are not escaped, so an element that itself contains a comma cannot be told
     * apart from two elements after joining.
     *
     * @param list values to join, may be {@code null}
     * @return the joined string, or {@code null} when {@code list} is {@code null}
     */
    private String stringListToCommaString(List<String> list) {
        return list == null ? null : String.join(",", list);
    }

    /**
     * Splits a comma-separated string into a list.
     *
     * <p>Parts are not trimmed, so {@code "a, b"} yields {@code "a"} and {@code " b"}, and an
     * empty input yields a single empty element. The result is the fixed-size view returned by
     * {@link Arrays#asList}.
     *
     * @param str comma-separated values, may be {@code null}
     * @return the parts, or {@code null} when {@code str} is {@code null}
     */
    private List<String> commaStringToStringList(String str) {
        return str != null ? Arrays.asList(str.split(",")) : null;
    }

    /**
     * Maps the client key type to {@link CertificateKeyType} by upper-casing its value with
     * {@link Locale#ROOT} and looking it up via {@code valueOf}.
     *
     * <p>NOTE(review): a value with no matching constant presumably makes {@code valueOf}
     * throw; confirm that every client key type has a counterpart.
     *
     * @param vaultSecretsPKIKeyType client key type, may be {@code null}
     * @return the matching key type, or {@code null} for {@code null} input
     */
    private CertificateKeyType stringToCertificateKeyType(VaultSecretsPKIKeyType vaultSecretsPKIKeyType) {
        return vaultSecretsPKIKeyType == null
                ? null
                : CertificateKeyType.valueOf(vaultSecretsPKIKeyType.getValue().toUpperCase(Locale.ROOT));
    }

    /**
     * Maps the public {@link DataFormat} to the client format, defaulting to PEM.
     *
     * @param dataFormat requested format, may be {@code null}
     * @return {@link VaultSecretsPKIFormat#PEM} for {@code null}; otherwise the client format
     *     looked up from the lower-cased constant name
     */
    private VaultSecretsPKIFormat dataFormatToFormat(DataFormat dataFormat) {
        if (dataFormat == null) {
            return VaultSecretsPKIFormat.PEM;
        }
        String clientName = dataFormat.name().toLowerCase(Locale.ROOT);
        return VaultSecretsPKIFormat.from(clientName);
    }

    /**
     * Substitutes PEM for a missing format.
     *
     * @param vaultSecretsPKIFormat format to check, may be {@code null}
     * @return the given format, or {@link VaultSecretsPKIFormat#PEM} when it is {@code null}
     */
    private VaultSecretsPKIFormat nonNullFormat(VaultSecretsPKIFormat vaultSecretsPKIFormat) {
        if (vaultSecretsPKIFormat != null) {
            return vaultSecretsPKIFormat;
        }
        return VaultSecretsPKIFormat.PEM;
    }

    /**
     * Maps the requested private-key encoding to the client private-key format.
     *
     * @param privateKeyEncoding requested encoding, may be {@code null}
     * @return {@link VaultSecretsPKIPrivateKeyFormat#PKCS8} for {@code null} or
     *     {@link PrivateKeyEncoding#PKCS8}; {@link VaultSecretsPKIPrivateKeyFormat#DER} for every
     *     other value
     */
    private VaultSecretsPKIPrivateKeyFormat privateKeyFormat(PrivateKeyEncoding privateKeyEncoding) {
        if (privateKeyEncoding != null && privateKeyEncoding != PrivateKeyEncoding.PKCS8) {
            return VaultSecretsPKIPrivateKeyFormat.DER;
        }
        return VaultSecretsPKIPrivateKeyFormat.PKCS8;
    }

    /**
     * Wraps a certificate string returned by the PKI client in a {@link CertificateData} of the
     * matching encoding.
     *
     * @param str certificate content; Base64-decoded in the first switch case, passed through
     *        unchanged in the second
     * @param vaultSecretsPKIFormat format the content was requested in; null is treated as PEM
     * @return null when {@code str} is null, otherwise a DER or PEM wrapper
     * @throws VaultException when the format is neither of the two handled cases
     * @throws IllegalArgumentException from the Base64 decoder when {@code str} is not valid Base64
     */
    private CertificateData createCertificateData(String str, VaultSecretsPKIFormat vaultSecretsPKIFormat) {
        if (str == null) {
            return null;
        }
        // Decompiled enum switch: the lookup table is defined in AnonymousClass1, outside this view,
        // and maps the format's ordinal to a case number. Presumably 1 = DER and 2 = PEM, which is
        // what the wrappers built below suggest; confirm against the table.
        switch (AnonymousClass1.$SwitchMap$io$quarkus$vault$client$api$secrets$pki$VaultSecretsPKIFormat[nonNullFormat(vaultSecretsPKIFormat).ordinal()]) {
            case 1:
                // Basic Base64 decoder: input with characters outside the alphabet is rejected.
                return new CertificateData.DER(Base64.getDecoder().decode(str));
            case 2:
                return new CertificateData.PEM(str);
            default:
                // Any other format is refused rather than guessed at.
                throw new VaultException("Unsupported certificate format");
        }
    }

    /**
     * Converts every certificate string in a list with {@code createCertificateData}.
     *
     * <p>Order is preserved. A null entry in the input becomes a null entry in the result, because
     * the per-item conversion returns null for null content.
     *
     * @param list certificate strings as returned by the client, may be null
     * @param vaultSecretsPKIFormat format shared by all entries
     * @return null for a null list, otherwise a new list holding one converted entry per input entry
     */
    private List<CertificateData> createCertificateDataList(List<String> list, VaultSecretsPKIFormat vaultSecretsPKIFormat) {
        if (list == null) {
            return null;
        }
        List<CertificateData> wrapped = new ArrayList<>(list.size());
        for (String encoded : list) {
            wrapped.add(createCertificateData(encoded, vaultSecretsPKIFormat));
        }
        return wrapped;
    }

    /**
     * Wraps a certificate signing request string returned by the PKI client in a {@link CSRData}
     * of the matching encoding.
     *
     * @param str CSR content; Base64-decoded in the first switch case, passed through unchanged in
     *        the second
     * @param vaultSecretsPKIFormat format the content was requested in; null is treated as PEM
     * @return null when {@code str} is null, otherwise a DER or PEM wrapper
     * @throws VaultException when the format is neither of the two handled cases
     * @throws IllegalArgumentException from the Base64 decoder when {@code str} is not valid Base64
     */
    private CSRData createCSRData(String str, VaultSecretsPKIFormat vaultSecretsPKIFormat) {
        if (str == null) {
            return null;
        }
        // Decompiled enum switch: the lookup table is defined in AnonymousClass1, outside this view.
        // Presumably 1 = DER and 2 = PEM, as the wrappers built below suggest; confirm against the
        // table.
        switch (AnonymousClass1.$SwitchMap$io$quarkus$vault$client$api$secrets$pki$VaultSecretsPKIFormat[nonNullFormat(vaultSecretsPKIFormat).ordinal()]) {
            case 1:
                return new CSRData.DER(Base64.getDecoder().decode(str));
            case 2:
                return new CSRData.PEM(str);
            default:
                // Any other format is refused rather than guessed at.
                throw new VaultException("Unsupported certification request format");
        }
    }

    /**
     * Wraps private key material returned by the PKI client in a {@link PrivateKeyData} of the
     * matching encoding.
     *
     * <p>{@code str} is secret key material. The error path below uses a fixed message and does
     * not echo it; keep the value out of logs and exception messages when changing this method.
     *
     * @param str private key content; Base64-decoded in the first switch case, passed through
     *        unchanged in the second
     * @param vaultSecretsPKIFormat format the content was requested in; null is treated as PEM
     * @param vaultSecretsPKIPrivateKeyFormat private key format of the request; only equality with
     *        PKCS8 is checked
     * @return null when {@code str} is null, otherwise a DER or PEM wrapper carrying the PKCS8 flag
     * @throws VaultException when the format is neither of the two handled cases
     * @throws IllegalArgumentException from the Base64 decoder when {@code str} is not valid Base64
     */
    private PrivateKeyData createPrivateKeyData(String str, VaultSecretsPKIFormat vaultSecretsPKIFormat, VaultSecretsPKIPrivateKeyFormat vaultSecretsPKIPrivateKeyFormat) {
        if (str == null) {
            return null;
        }
        // True only for PKCS8. A null key format gives false here, whereas privateKeyFormat() maps a
        // null encoding to PKCS8. NOTE(review): callers presumably always pass the result of
        // privateKeyFormat(); verify, otherwise a key could be labelled with the wrong encoding.
        boolean z = vaultSecretsPKIPrivateKeyFormat == VaultSecretsPKIPrivateKeyFormat.PKCS8;
        // Decompiled enum switch: the lookup table is defined in AnonymousClass1, outside this view.
        // Presumably 1 = DER and 2 = PEM, as the wrappers built below suggest; confirm against the
        // table.
        switch (AnonymousClass1.$SwitchMap$io$quarkus$vault$client$api$secrets$pki$VaultSecretsPKIFormat[nonNullFormat(vaultSecretsPKIFormat).ordinal()]) {
            case 1:
                return new PrivateKeyData.DER(Base64.getDecoder().decode(str), z);
            case 2:
                return new PrivateKeyData.PEM(str, z);
            default:
                // Any other format is refused rather than guessed at.
                throw new VaultException("Unsupported private key format");
        }
    }

    /**
     * Converts the extension's key usages into the client's key usage type.
     *
     * <p>Each usage is looked up through {@code VaultSecretsPKIKeyUsage.from} using its constant
     * name.
     *
     * @param list key usages to convert, may be null
     * @return null for a null list, otherwise the converted usages in the same order
     */
    private static List<VaultSecretsPKIKeyUsage> mapKeyUsagesToClient(List<CertificateKeyUsage> list) {
        if (list != null) {
            return list.stream()
                    .map(usage -> VaultSecretsPKIKeyUsage.from(usage.name()))
                    .collect(Collectors.toList());
        }
        return null;
    }

    /**
     * Converts key usages reported by the client into the extension's {@link CertificateKeyUsage}.
     *
     * <p>The client value is passed to {@code valueOf} as is, without case normalisation, so a
     * value that does not exactly match a constant name makes the conversion fail.
     * NOTE(review): this presumably relies on {@code getValue()} returning the constant name;
     * verify against the client type.
     *
     * @param list key usages from the client, may be null
     * @return null for a null list, otherwise the converted usages in the same order
     */
    private static List<CertificateKeyUsage> mapKeyUsagesFromClient(List<VaultSecretsPKIKeyUsage> list) {
        if (list != null) {
            return list.stream()
                    .map(clientUsage -> CertificateKeyUsage.valueOf(clientUsage.getValue()))
                    .collect(Collectors.toList());
        }
        return null;
    }

    /**
     * Converts the extension's extended key usages into the client's extended key usage type.
     *
     * <p>Each usage is looked up through {@code VaultSecretsPKIExtKeyUsage.from} using its constant
     * name.
     *
     * @param list extended key usages to convert, may be null
     * @return null for a null list, otherwise the converted usages in the same order
     */
    private static List<VaultSecretsPKIExtKeyUsage> mapExtKeyUsagesToClient(List<CertificateExtendedKeyUsage> list) {
        if (list != null) {
            return list.stream()
                    .map(extUsage -> VaultSecretsPKIExtKeyUsage.from(extUsage.name()))
                    .collect(Collectors.toList());
        }
        return null;
    }

    /**
     * Converts extended key usages reported by the client into the extension's
     * {@link CertificateExtendedKeyUsage}.
     *
     * <p>The client value is passed to {@code valueOf} as is, without case normalisation, so a
     * value that does not exactly match a constant name makes the conversion fail.
     * NOTE(review): this presumably relies on {@code getValue()} returning the constant name;
     * verify against the client type.
     *
     * @param list extended key usages from the client, may be null
     * @return null for a null list, otherwise the converted usages in the same order
     */
    private static List<CertificateExtendedKeyUsage> mapExtKeyUsagesFromClient(List<VaultSecretsPKIExtKeyUsage> list) {
        if (list != null) {
            return list.stream()
                    .map(clientExtUsage -> CertificateExtendedKeyUsage.valueOf(clientExtUsage.getValue()))
                    .collect(Collectors.toList());
        }
        return null;
    }
}
