package io.quarkus.test.security.certificate;

import io.quarkus.test.services.Certificate;
import io.quarkus.test.utils.TestExecutionProperties;
import io.smallrye.certs.CertificateFiles;
import io.smallrye.certs.CertificateGenerator;
import io.smallrye.certs.CertificateRequest;
import io.smallrye.certs.Format;
import io.smallrye.certs.JksCertificateFiles;
import io.smallrye.certs.PemCertificateFiles;
import io.smallrye.certs.Pkcs12CertificateFiles;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.io.FileUtils;
import org.junit.jupiter.api.condition.OS;

/* loaded from: input_file:io/quarkus/test/security/certificate/Certificate.class */
public interface Certificate {

    /* loaded from: input_file:io/quarkus/test/security/certificate/Certificate$PemCertificate.class */
    /**
     * Certificate view that additionally exposes PEM key and certificate file locations.
     * The static factories of the enclosing interface return this type.
     */
    public interface PemCertificate extends Certificate {
        /** Location of the private key file; presumably {@code null} for non-PEM formats (confirm against the implementation). */
        String keyPath();

        /** Location of the certificate file; presumably {@code null} for non-PEM formats (confirm against the implementation). */
        String certPath();
    }

    /** Name prefix of this certificate; presumably the prefix the generated files were named with (confirm against the implementation). */
    String prefix();

    /**
     * Certificate format as a string. {@link #isPemCertificate()} compares it with the
     * {@code toString()} form of {@code Certificate.Format} constants.
     */
    String format();

    /**
     * Tells whether this certificate is stored as PEM files.
     *
     * @return {@code true} when {@link #format()} equals the string form of either the
     *         {@code PEM} or the {@code ENCRYPTED_PEM} format constant
     */
    default boolean isPemCertificate() {
        if (format().equals(Certificate.Format.PEM.toString())) {
            return true;
        }
        return format().equals(Certificate.Format.ENCRYPTED_PEM.toString());
    }

    /**
     * Password protecting the generated stores (and the key, for encrypted PEM).
     * It is handled as a plain {@code String}; the factory code of this interface also writes the
     * same value into configuration properties, so neither should be logged.
     */
    String password();

    /** Location of the server key store; presumably {@code null} when the format has no key store (confirm against the implementation). */
    String keystorePath();

    /** Location of the server trust store; presumably {@code null} when none was generated (confirm against the implementation). */
    String truststorePath();

    /**
     * Configuration properties derived for this certificate.
     * The factory code of this interface puts store passwords into this map in clear text.
     */
    Map<String, String> configProperties();

    /**
     * Looks up a generated client certificate.
     *
     * @param str presumably the CN attribute the client certificate was generated with (confirm against the implementation)
     */
    ClientCertificate getClientCertificateByCn(String str);

    /** All client certificates generated together with this certificate. */
    Collection<ClientCertificate> clientCertificates();

    /**
     * Generates a certificate from the given options and returns it as is, without the
     * {@code InterchangeableCertificate} wrapper that {@code ofInterchangeable} applies.
     *
     * @param certificateOptions options describing what to generate
     * @return the freshly generated certificate
     */
    static PemCertificate ofRegeneratedCert(CertificateOptions certificateOptions) {
        PemCertificate generated = of(certificateOptions);
        return generated;
    }

    /**
     * Generates a certificate from the given options and wraps it with
     * {@code InterchangeableCertificate.wrapCert}.
     *
     * @param certificateOptions options describing what to generate; also handed to the wrapper
     * @return the wrapped certificate
     */
    static PemCertificate ofInterchangeable(CertificateOptions certificateOptions) {
        PemCertificate generated = of(certificateOptions);
        return InterchangeableCertificate.wrapCert(generated, certificateOptions);
    }

    /**
     * Generates an interchangeable certificate into a caller-supplied directory, with no client
     * certificates requested.
     *
     * @param str first {@code CertificateOptions} argument; presumably the certificate name prefix (confirm against {@code CertificateOptions})
     * @param format certificate format
     * @param str2 third {@code CertificateOptions} argument; presumably the store password (confirm against {@code CertificateOptions})
     * @param path directory passed on to the options; presumably where the files are generated
     * @param containerMountStrategy strategy deciding whether and where files are mounted into a container
     * @param z boolean option passed through unchanged; its meaning is defined by {@code CertificateOptions}
     * @return the generated certificate
     */
    static Certificate of(String str, Certificate.Format format, String str2, Path path, ContainerMountStrategy containerMountStrategy, boolean z) {
        ClientCertificateRequest[] noClientCertificates = new ClientCertificateRequest[0];
        CertificateOptions options = new CertificateOptions(str, format, str2, false, false, false, noClientCertificates, path,
                containerMountStrategy, z, null, null, null, null, false, null, false);
        return ofInterchangeable(options);
    }

    /**
     * Generates an interchangeable certificate, including the requested client certificates, into a
     * newly created temporary directory.
     *
     * @param str first {@code CertificateOptions} argument; also used to name the temporary directory and the default mount strategy
     * @param format certificate format
     * @param str2 third {@code CertificateOptions} argument; presumably the store password (confirm against {@code CertificateOptions})
     * @param z boolean option passed through unchanged; its meaning is defined by {@code CertificateOptions}
     * @param str3 string option passed through unchanged; its meaning is defined by {@code CertificateOptions}
     * @param clientCertificateRequestArr client certificates to generate
     * @return the generated certificate
     */
    static PemCertificate of(String str, Certificate.Format format, String str2, boolean z, String str3, ClientCertificateRequest[] clientCertificateRequestArr) {
        // The temporary directory is created before the mount strategy, as in the original argument order.
        Path targetDir = createCertsTempDir(str);
        DefaultContainerMountStrategy mountStrategy = new DefaultContainerMountStrategy(str);
        CertificateOptions options = new CertificateOptions(str, format, str2, false, false, false, clientCertificateRequestArr,
                targetDir, mountStrategy, false, null, null, null, null, z, str3, false);
        return ofInterchangeable(options);
    }

    /**
     * Generates an interchangeable certificate without client certificates into a newly created
     * temporary directory.
     *
     * @param str first {@code CertificateOptions} argument; also used to name the temporary directory and the default mount strategy
     * @param format certificate format
     * @param str2 third {@code CertificateOptions} argument; presumably the store password (confirm against {@code CertificateOptions})
     * @param z boolean option passed through unchanged; its meaning is defined by {@code CertificateOptions}
     * @param str3 string option passed through unchanged; its meaning is defined by {@code CertificateOptions}
     * @return the generated certificate
     */
    static Certificate of(String str, Certificate.Format format, String str2, boolean z, String str3) {
        ClientCertificateRequest[] noClientCertificates = new ClientCertificateRequest[0];
        // The temporary directory is created before the mount strategy, as in the original argument order.
        Path targetDir = createCertsTempDir(str);
        DefaultContainerMountStrategy mountStrategy = new DefaultContainerMountStrategy(str);
        CertificateOptions options = new CertificateOptions(str, format, str2, false, false, false, noClientCertificates,
                targetDir, mountStrategy, false, null, null, null, null, z, str3, false);
        return ofInterchangeable(options);
    }

    /**
     * Generates an interchangeable certificate with default settings: a new temporary directory,
     * the default container mount strategy and {@code false} for the trailing boolean option.
     *
     * @param str value passed as the first argument of the six-argument overload; also names the temporary directory
     * @param format certificate format
     * @param str2 value passed as the third argument of the six-argument overload; presumably the store password
     * @return the generated certificate
     */
    static Certificate of(String str, Certificate.Format format, String str2) {
        Path targetDir = createCertsTempDir(str);
        ContainerMountStrategy mountStrategy = new DefaultContainerMountStrategy(str);
        return of(str, format, str2, targetDir, mountStrategy, false);
    }

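    /**
     * Generates the server certificate (and any requested client certificates) described by the
     * options, derives the matching configuration properties and assembles the result.
     *
     * <p>The first common name of the requested client certificates, or {@code "localhost"} when
     * none is requested, is used as the CN of the first generated certificate. Additional client
     * certificates are only supported for PKCS12.
     *
     * <p>The resulting property map can contain the store password in clear text (see the
     * {@code configure*Props} helpers), so it should not be logged.
     *
     * @param certificateOptions options describing what to generate and how to expose it
     * @return the assembled certificate
     * @throws RuntimeException wrapping any failure raised while generating or configuring,
     *         including the {@link IllegalArgumentException} for unsupported multi-client formats
     */
    private static PemCertificate of(CertificateOptions certificateOptions) {
        Map<String, String> configProps = new HashMap<>();
        CertificateGenerator generator = new CertificateGenerator(certificateOptions.localTargetDir(), true);
        String trustStorePath = null;
        String keyStorePath = null;
        String keyPath = null;
        String certPath = null;
        List<ClientCertificate> clientCerts = new ArrayList<>();
        String[] commonNames = collectCommonNames(certificateOptions.clientCertificates());
        // May reorder commonNames so that the CN unknown to the server is not the first one;
        // must therefore run before the first element is read below.
        String unknownClientCn = getUnknownClientCnAttr(certificateOptions.clientCertificates(), commonNames);
        boolean withClientCert = commonNames.length > 0;
        String primaryCn = withClientCert ? commonNames[0] : "localhost";
        try {
            // Declared with the common supertype: the concrete type depends on the requested format.
            CertificateFiles generated = (CertificateFiles) generator.generate(createCertificateRequest(certificateOptions.prefix(),
                    certificateOptions.format(), certificateOptions.password(), withClientCert, primaryCn)).get(0);
            if (generated instanceof Pkcs12CertificateFiles) {
                Pkcs12CertificateFiles p12Files = (Pkcs12CertificateFiles) generated;
                keyStorePath = getPathOrNull(p12Files.keyStoreFile());
                if (withClientCert) {
                    trustStorePath = getPathOrNull(p12Files.serverTrustStoreFile());
                    clientCerts.add(new ClientCertificateImpl(primaryCn, getPathOrNull(p12Files.clientKeyStoreFile()),
                            getPathOrNull(p12Files.trustStoreFile())));
                } else {
                    trustStorePath = getPathOrNull(p12Files.trustStoreFile());
                }
            } else if (generated instanceof PemCertificateFiles) {
                PemCertificateFiles pemFiles = (PemCertificateFiles) generated;
                keyPath = getPathOrNull(pemFiles.keyFile());
                certPath = getPathOrNull(pemFiles.certFile());
                if (certificateOptions.createPkcs12TsForPem()) {
                    trustStorePath = createPkcs12TruststoreForPem(pemFiles.trustStore(), certificateOptions.password(), primaryCn);
                } else if (withClientCert) {
                    trustStorePath = getPathOrNull(pemFiles.serverTrustFile());
                    clientCerts.add(new ClientCertificateImpl(primaryCn, null, getPathOrNull(pemFiles.trustFile()),
                            getPathOrNull(pemFiles.clientKeyFile()), getPathOrNull(pemFiles.clientCertFile()),
                            certificateOptions.format() == Certificate.Format.ENCRYPTED_PEM, certificateOptions.password()));
                } else {
                    trustStorePath = getPathOrNull(pemFiles.trustStore());
                }
                if (certificateOptions.containerMountStrategy().mountToContainer()) {
                    if (certPath != null) {
                        String mountedCert = certificateOptions.containerMountStrategy().certPath(certPath);
                        // The local path is replaced only when the app sees the same mount path as the container.
                        if (certificateOptions.containerMountStrategy().containerShareMountPathWithApp()) {
                            certPath = mountedCert;
                        }
                        configProps.put(getRandomPropKey("crt"), toSecretProperty(mountedCert));
                    }
                    if (keyPath != null) {
                        String mountedKey = certificateOptions.containerMountStrategy().keyPath(keyPath);
                        if (certificateOptions.containerMountStrategy().containerShareMountPathWithApp()) {
                            keyPath = mountedKey;
                        }
                        configProps.put(getRandomPropKey("key"), toSecretProperty(mountedKey));
                    }
                }
            } else if (generated instanceof JksCertificateFiles) {
                JksCertificateFiles jksFiles = (JksCertificateFiles) generated;
                keyStorePath = getPathOrNull(jksFiles.keyStoreFile());
                if (withClientCert) {
                    trustStorePath = getPathOrNull(jksFiles.serverTrustStoreFile());
                    clientCerts.add(new ClientCertificateImpl(primaryCn, getPathOrNull(jksFiles.clientKeyStoreFile()),
                            getPathOrNull(jksFiles.trustStoreFile())));
                } else {
                    trustStorePath = getPathOrNull(jksFiles.trustStoreFile());
                }
            }
            if (withClientCert && commonNames.length > 1) {
                if (certificateOptions.format() != Certificate.Format.PKCS12) {
                    throw new IllegalArgumentException("Generation of more than one client certificate is only implemented for PKCS12.");
                }
                // Trust store of the first client; copied over each additional client's trust store.
                File firstClientTrustStore = Path.of(clientCerts.get(0).truststorePath()).toFile();
                for (int i = 1; i < commonNames.length; i++) {
                    String clientCn = commonNames[i];
                    String clientCertName = clientCn + "-" + certificateOptions.prefix();
                    try {
                        Pkcs12CertificateFiles clientFiles = (Pkcs12CertificateFiles) generator.generate(createCertificateRequest(
                                clientCertName, certificateOptions.format(), certificateOptions.password(), true, clientCn)).get(0);
                        fixGeneratedClientCerts(clientCertName, certificateOptions.password(), clientFiles, firstClientTrustStore,
                                trustStorePath, unknownClientCn, clientCn);
                        clientCerts.add(new ClientCertificateImpl(clientCn, getPathOrNull(clientFiles.clientKeyStoreFile()),
                                getPathOrNull(clientFiles.trustStoreFile())));
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                }
            }
            if (trustStorePath != null) {
                if (certificateOptions.containerMountStrategy().mountToContainer()) {
                    String mountedTrustStore = certificateOptions.containerMountStrategy().truststorePath(trustStorePath);
                    if (certificateOptions.containerMountStrategy().containerShareMountPathWithApp()) {
                        trustStorePath = mountedTrustStore;
                    }
                    configProps.put(getRandomPropKey("truststore"), toSecretProperty(mountedTrustStore));
                }
                configureServerTrustStoreProps(certificateOptions, configProps, trustStorePath);
            }
            if (keyStorePath != null) {
                if (certificateOptions.containerMountStrategy().mountToContainer()) {
                    String mountedKeyStore = certificateOptions.containerMountStrategy().keystorePath(keyStorePath);
                    if (certificateOptions.containerMountStrategy().containerShareMountPathWithApp()) {
                        keyStorePath = mountedKeyStore;
                    }
                    configProps.put(getRandomPropKey("keystore"), toSecretProperty(mountedKeyStore));
                }
                configureServerKeyStoreProps(certificateOptions, configProps, keyStorePath);
            }
            configureManagementInterfaceProps(certificateOptions, configProps, keyStorePath);
            configureHttpServerProps(certificateOptions, configProps);
            configurePemConfigurationProperties(certificateOptions, configProps, keyPath, certPath, trustStorePath);
            doubleBackSlashesOnWin(configProps);
            return createCertificate(keyStorePath, trustStorePath, Map.copyOf(configProps), List.copyOf(clientCerts), keyPath,
                    certPath, certificateOptions);
        } catch (Exception e2) {
            throw new RuntimeException("Failed to generate certificate", e2);
        }
    }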

    /**
     * Doubles every backslash in the values of the given map when running on Windows;
     * leaves the map untouched on any other operating system.
     *
     * @param map properties whose values are rewritten in place
     */
    private static void doubleBackSlashesOnWin(Map<String, String> map) {
        if (!OS.WINDOWS.isCurrentOs()) {
            return;
        }
        map.replaceAll((key, value) -> value.replace("\\", "\\\\"));
    }

    /**
     * Adds TLS registry properties for PEM and encrypted-PEM certificates. Does nothing for other
     * formats or when the TLS registry is disabled.
     *
     * <p>For encrypted PEM the password is written to the map in clear text.
     *
     * @param certificateOptions generation options
     * @param map properties to extend
     * @param str key file location, skipped when {@code null}
     * @param str2 certificate file location, skipped when {@code null}
     * @param str3 trust store location, skipped when {@code null}
     */
    private static void configurePemConfigurationProperties(CertificateOptions certificateOptions, Map<String, String> map, String str, String str2, String str3) {
        boolean pemFormat = certificateOptions.format() == Certificate.Format.PEM
                || certificateOptions.format() == Certificate.Format.ENCRYPTED_PEM;
        if (!pemFormat || !certificateOptions.tlsRegistryEnabled()) {
            return;
        }
        String keyStorePrefix = tlsConfigPropPrefix(certificateOptions, "key-store");
        if (str != null) {
            map.put(keyStorePrefix + "pem-1.key", str);
        }
        if (str2 != null) {
            map.put(keyStorePrefix + "pem-1.cert", str2);
        }
        if (certificateOptions.format() == Certificate.Format.ENCRYPTED_PEM) {
            map.put(keyStorePrefix + "pem-1.password", certificateOptions.password());
        }
        String trustStorePrefix = tlsConfigPropPrefix(certificateOptions, "trust-store");
        if (str3 != null) {
            map.put(trustStorePrefix + "certs", str3);
        }
    }

    /**
     * Adds management-interface properties when the options ask for it: enables the interface and
     * either references the named TLS configuration (TLS registry) or sets the legacy key store
     * file, type and password properties.
     *
     * <p>The key store password is written to the map in clear text.
     *
     * @param certificateOptions generation options
     * @param map properties to extend
     * @param str key store location; legacy properties are skipped when {@code null}
     */
    private static void configureManagementInterfaceProps(CertificateOptions certificateOptions, Map<String, String> map, String str) {
        if (!certificateOptions.configureManagementInterface()) {
            return;
        }
        map.put(TestExecutionProperties.MANAGEMENT_INTERFACE_ENABLED, Boolean.TRUE.toString());
        if (certificateOptions.tlsRegistryEnabled()) {
            if (isNotDefaultTlsConfig(certificateOptions)) {
                map.put("quarkus.management.tls-configuration-name", certificateOptions.tlsConfigName());
            }
            return;
        }
        if (str == null) {
            return;
        }
        map.put("quarkus.management.ssl.certificate.key-store-file", str);
        map.put("quarkus.management.ssl.certificate.key-store-file-type", certificateOptions.format().toString());
        map.put("quarkus.management.ssl.certificate.key-store-password", certificateOptions.password());
    }

    /**
     * Points the HTTP server at the named TLS configuration. Applies only when HTTP server
     * configuration is requested, the TLS registry is enabled and the configuration is not the
     * default one.
     *
     * @param certificateOptions generation options
     * @param map properties to extend
     */
    private static void configureHttpServerProps(CertificateOptions certificateOptions, Map<String, String> map) {
        if (!certificateOptions.configureHttpServer()) {
            return;
        }
        if (!certificateOptions.tlsRegistryEnabled()) {
            return;
        }
        // Checked last: it throws when the TLS config name is null.
        if (isNotDefaultTlsConfig(certificateOptions)) {
            map.put("quarkus.http.tls-configuration-name", certificateOptions.tlsConfigName());
        }
    }

    /**
     * Tells whether the options name a TLS configuration other than the default one.
     *
     * @param certificateOptions generation options
     * @return {@code true} when the TLS config name differs from {@code DEFAULT_CONFIG}
     * @throws IllegalArgumentException when the TLS config name is {@code null}
     */
    private static boolean isNotDefaultTlsConfig(CertificateOptions certificateOptions) {
        if (certificateOptions.tlsConfigName() != null) {
            boolean isDefault = io.quarkus.test.services.Certificate.DEFAULT_CONFIG.equals(certificateOptions.tlsConfigName());
            return !isDefault;
        }
        throw new IllegalArgumentException("TLS registry is enabled but TLS config name is null");
    }

    /**
     * Adds server key store properties when the options request them: legacy
     * {@code quarkus.http.ssl.certificate.*} properties without the TLS registry, otherwise TLS
     * registry path and password properties for every format except PEM.
     *
     * <p>The key store password is written to the map in clear text.
     *
     * @param certificateOptions generation options
     * @param map properties to extend
     * @param str key store location
     */
    private static void configureServerKeyStoreProps(CertificateOptions certificateOptions, Map<String, String> map, String str) {
        if (!certificateOptions.keystoreProps()) {
            return;
        }
        if (!certificateOptions.tlsRegistryEnabled()) {
            map.put("quarkus.http.ssl.certificate.key-store-file", str);
            map.put("quarkus.http.ssl.certificate.key-store-file-type", certificateOptions.format().toString());
            map.put("quarkus.http.ssl.certificate.key-store-password", certificateOptions.password());
            return;
        }
        // NOTE(review): only PEM is excluded here, while the trust store counterpart also excludes
        // ENCRYPTED_PEM - confirm the difference is intended.
        if (certificateOptions.format() == Certificate.Format.PEM) {
            return;
        }
        String keyStorePrefix = tlsConfigPropPrefix(certificateOptions, "key-store");
        map.put(keyStorePrefix + "path", str);
        map.put(keyStorePrefix + "password", certificateOptions.password());
    }

    /**
     * Adds server trust store properties when the options request them: legacy
     * {@code quarkus.http.ssl.certificate.*} properties without the TLS registry, otherwise TLS
     * registry path and password properties for every format except PEM and encrypted PEM.
     *
     * <p>The trust store password is written to the map in clear text.
     *
     * @param certificateOptions generation options
     * @param map properties to extend
     * @param str trust store location
     */
    private static void configureServerTrustStoreProps(CertificateOptions certificateOptions, Map<String, String> map, String str) {
        if (!certificateOptions.truststoreProps()) {
            return;
        }
        if (!certificateOptions.tlsRegistryEnabled()) {
            map.put("quarkus.http.ssl.certificate.trust-store-file", str);
            map.put("quarkus.http.ssl.certificate.trust-store-file-type", certificateOptions.format().toString());
            map.put("quarkus.http.ssl.certificate.trust-store-password", certificateOptions.password());
            return;
        }
        boolean pemFormat = certificateOptions.format() == Certificate.Format.PEM
                || certificateOptions.format() == Certificate.Format.ENCRYPTED_PEM;
        if (!pemFormat) {
            String trustStorePrefix = tlsConfigPropPrefix(certificateOptions, "trust-store");
            map.put(trustStorePrefix + "path", str);
            map.put(trustStorePrefix + "password", certificateOptions.password());
        }
    }

    /**
     * Builds the TLS registry property prefix for a store kind, in the form
     * {@code quarkus.tls.[<config-name>.]<store>.<format>.} where the config name is left out for
     * the default configuration and the format segment is {@code p12}, {@code jks} or {@code pem}.
     *
     * @param certificateOptions generation options supplying the TLS config name and the format
     * @param str store segment, for example {@code key-store} or {@code trust-store}
     * @return the prefix, ending with a dot
     * @throws IllegalArgumentException when the TLS config name is {@code null}
     */
    private static String tlsConfigPropPrefix(CertificateOptions certificateOptions, String str) {
        if (certificateOptions.tlsConfigName() == null) {
            throw new IllegalArgumentException("TLS registry is enabled but TLS config name is null");
        }
        StringBuilder prefix = new StringBuilder("quarkus.tls.");
        if (!io.quarkus.test.services.Certificate.DEFAULT_CONFIG.equals(certificateOptions.tlsConfigName())) {
            prefix.append(certificateOptions.tlsConfigName()).append(".");
        }
        String formatSegment;
        switch (certificateOptions.format()) {
            case PKCS12:
                formatSegment = "p12.";
                break;
            case JKS:
                formatSegment = "jks.";
                break;
            default:
                // Every remaining format is addressed through the PEM segment.
                formatSegment = "pem.";
                break;
        }
        return prefix.append(str).append(".").append(formatSegment).toString();
    }

    /**
     * Assembles the {@code CertificateImpl}, first copying each generated file to the location
     * configured in the options where one is set.
     *
     * <p>Files are copied rather than moved (see {@code moveFileIfRequired}), so key material
     * presumably also stays at its generated location.
     *
     * @param str generated key store location
     * @param str2 generated trust store location
     * @param map configuration properties; an immutable copy is stored
     * @param collection generated client certificates
     * @param str3 generated key file location
     * @param str4 generated certificate file location
     * @param certificateOptions generation options supplying target locations, password, format and prefix
     * @return the assembled certificate
     */
    private static PemCertificate createCertificate(String str, String str2, Map<String, String> map, Collection<ClientCertificate> collection, String str3, String str4, CertificateOptions certificateOptions) {
        String formatName = certificateOptions.format().toString();
        // Copy order is kept: certificate, key store, trust store, key.
        String finalCertPath = moveFileIfRequired(certificateOptions.certLocation(), str4);
        String finalKeyStorePath = moveFileIfRequired(certificateOptions.serverKeyStoreLocation(), str);
        String finalTrustStorePath = moveFileIfRequired(certificateOptions.serverTrustStoreLocation(), str2);
        Map<String, String> propsSnapshot = Map.copyOf(map);
        String storePassword = certificateOptions.password();
        String finalKeyPath = moveFileIfRequired(certificateOptions.keyLocation(), str3);
        return new CertificateImpl(finalKeyStorePath, finalTrustStorePath, propsSnapshot, collection, storePassword, formatName,
                finalKeyPath, finalCertPath, certificateOptions.prefix());
    }

    /**
     * Finds the CN of the client certificate marked as unknown to the server, if any.
     *
     * <p>Side effect: when that CN is the first entry of {@code strArr}, it is swapped with the
     * last entry so that another CN comes first.
     *
     * @param clientCertificateRequestArr requested client certificates
     * @param strArr common names of the requested client certificates; may be reordered in place
     * @return the unknown CN, or {@code null} when no request is marked as unknown to the server
     * @throws IllegalArgumentException when more than one distinct CN is marked unknown, or when
     *         an unknown CN is requested while only one common name is given
     */
    private static String getUnknownClientCnAttr(ClientCertificateRequest[] clientCertificateRequestArr, String[] strArr) {
        Set<String> unknownCns = Arrays.stream(clientCertificateRequestArr)
                .filter(ClientCertificateRequest::unknownToServer)
                .map(ClientCertificateRequest::cnAttribute)
                .collect(Collectors.toSet());
        if (unknownCns.isEmpty()) {
            return null;
        }
        if (unknownCns.size() > 1) {
            throw new IllegalArgumentException("Only one client certificate can be unknown to the server");
        }
        if (strArr.length == 1) {
            throw new IllegalArgumentException("More than one client certificate must be specified to support unknown one");
        }
        String unknownCn = unknownCns.iterator().next();
        int last = strArr.length - 1;
        if (unknownCn.equals(strArr[0])) {
            strArr[0] = strArr[last];
            strArr[last] = unknownCn;
        }
        return unknownCn;
    }

    /**
     * Aligns a freshly generated additional client certificate with the first one: overwrites the
     * client's trust store with the given file and, unless this client is the one unknown to the
     * server, adds the client's certificate to the server trust store.
     *
     * <p>The server trust store file is opened for writing before the updated store is written;
     * a failure while storing is propagated to the caller.
     *
     * @param str alias of the certificate in the client key store; also the alias used in the server trust store
     * @param str2 password of the client key store and of the server trust store
     * @param pkcs12CertificateFiles files generated for this client
     * @param file trust store copied over this client's trust store
     * @param str3 location of the server trust store
     * @param str4 CN of the client unknown to the server, or {@code null} when there is none
     * @param str5 CN of this client
     * @throws NullPointerException when the client key store has no certificate under alias {@code str}
     */
    private static void fixGeneratedClientCerts(String str, String str2, Pkcs12CertificateFiles pkcs12CertificateFiles, File file, String str3, String str4, String str5) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        FileUtils.copyFile(file, pkcs12CertificateFiles.trustStoreFile().toFile(), StandardCopyOption.REPLACE_EXISTING);
        boolean unknownToServer = str4 != null && str4.equals(str5);
        if (unknownToServer) {
            // The server must not trust this client, so its certificate is not registered.
            return;
        }
        KeyStore clientKeyStore = KeyStore.getInstance(pkcs12CertificateFiles.clientKeyStoreFile().toFile(), str2.toCharArray());
        java.security.cert.Certificate clientCert = clientKeyStore.getCertificate(str);
        Objects.requireNonNull(clientCert);
        File serverTrustStoreFile = Path.of(str3).toFile();
        KeyStore serverTrustStore = KeyStore.getInstance(serverTrustStoreFile, str2.toCharArray());
        serverTrustStore.setCertificateEntry(str, clientCert);
        try (FileOutputStream out = new FileOutputStream(serverTrustStoreFile)) {
            serverTrustStore.store(out, str2.toCharArray());
        }
    }

    /**
     * Extracts the CN attribute of every requested client certificate, in request order.
     *
     * @param clientCertificateRequestArr requested client certificates
     * @return the common names; empty when no client certificate is requested
     */
    private static String[] collectCommonNames(ClientCertificateRequest[] clientCertificateRequestArr) {
        return Arrays.stream(clientCertificateRequestArr)
                .map(ClientCertificateRequest::cnAttribute)
                .toArray(String[]::new);
    }

    /**
     * Builds the generator request for one certificate. Every request carries the subject
     * alternative names {@code localhost} and {@code 0.0.0.0} and a validity of two days.
     *
     * @param str certificate name
     * @param format requested format, mapped to the generator's {@code Format} by name
     * @param str2 password
     * @param z whether a client certificate is generated as well
     * @param str3 common name
     * @return the populated request
     */
    private static CertificateRequest createCertificateRequest(String str, Certificate.Format format, String str2, boolean z, String str3) {
        Format generatorFormat = Format.valueOf(format.toString());
        CertificateRequest request = new CertificateRequest();
        // Each call's result is kept, so this works whether the builder mutates or returns a copy.
        request = request.withName(str);
        request = request.withFormat(generatorFormat);
        request = request.withClientCertificate(z);
        request = request.withCN(str3);
        request = request.withPassword(str2);
        request = request.withSubjectAlternativeName("localhost");
        request = request.withSubjectAlternativeName("0.0.0.0");
        return request.withDuration(Duration.ofDays(2L));
    }

    /**
     * Builds a property key of the form {@code <str>-<random int>}.
     *
     * <p>The suffix comes from {@link Random}, which is not cryptographically secure; here it only
     * distinguishes keys and must not be treated as a secret or as guaranteed unique.
     *
     * @param str key prefix
     * @return the prefix, a dash and a random {@code int} (possibly negative)
     */
    private static String getRandomPropKey(String str) {
        int suffix = new Random().nextInt();
        return new StringBuilder(str).append("-").append(suffix).toString();
    }

    /**
     * Formats a file location as a {@code secret_with_destination::<absolute parent dir>|<file name>}
     * property value.
     *
     * @param str file location; must have a parent directory, otherwise a
     *            {@link NullPointerException} is thrown
     * @return the formatted property value
     */
    private static String toSecretProperty(String str) {
        File target = Path.of(str).toFile();
        String destinationDir = target.getParentFile().getAbsolutePath();
        String fileName = target.getName();
        return String.join("", "secret_with_destination::", destinationDir, "|", fileName);
    }

    /**
     * Converts a path to its absolute string form, passing {@code null} through.
     *
     * @param path path to convert, may be {@code null}
     * @return the absolute path as a string, or {@code null} when {@code path} is {@code null}
     */
    private static String getPathOrNull(Path path) {
        return path == null ? null : path.toAbsolutePath().toString();
    }

    /**
     * Creates a temporary directory named {@code <str>-certs<random suffix>} for generated
     * certificate files.
     *
     * <p>No file attributes are passed, so the directory gets the JDK's default permissions for
     * temporary directories (owner-only on POSIX file systems, as far as the JDK implementation
     * goes - confirm for the target platform). Nothing here schedules the directory for deletion,
     * so generated key material stays on disk until the caller removes it.
     *
     * @param str prefix of the directory name
     * @return the created directory
     * @throws RuntimeException wrapping the {@link IOException} when the directory cannot be created
     */
    static Path createCertsTempDir(String str) {
        String dirPrefix = str + "-certs";
        try {
            return Files.createTempDirectory(dirPrefix);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Converts a PEM trust file into a password-protected PKCS12 trust store written to a new
     * temporary file.
     *
     * <p>Only the first certificate of the input is read (a single {@code generateCertificate}
     * call). The temporary file is created with the JDK's default permissions and is not scheduled
     * for deletion here.
     *
     * @param path PEM file holding the certificate to trust
     * @param str password of the created trust store
     * @param str2 alias under which the certificate is stored
     * @return absolute location of the created PKCS12 trust store
     * @throws RuntimeException wrapping any I/O, key store, algorithm or certificate failure
     */
    private static String createPkcs12TruststoreForPem(Path path, String str, String str2) {
        try {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            try (FileInputStream pemInput = new FileInputStream(path.toFile())) {
                X509Certificate trustedCert = (X509Certificate) x509Factory.generateCertificate(pemInput);
                Path p12File = Files.createTempFile("pem-12-truststore", ".p12");
                try (OutputStream p12Output = Files.newOutputStream(p12File)) {
                    KeyStore trustStore = KeyStore.getInstance("PKCS12");
                    // Loading from a null stream initialises an empty store.
                    trustStore.load(null, str.toCharArray());
                    trustStore.setCertificateEntry(str2, trustedCert);
                    trustStore.store(p12Output, str.toCharArray());
                }
                return p12File.toAbsolutePath().toString();
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException("Failed to create PKCS12 truststore", e);
        }
    }

    /**
     * Places a generated file at a configured location when one is given.
     *
     * <p>Despite the name, the file is handed to {@code FileUtils.copyFileTo}; presumably the
     * source stays in place, which matters when it holds key material (confirm against
     * {@code copyFileTo}).
     *
     * @param str configured target location, or {@code null} to keep the generated location
     * @param str2 generated file location; NOTE(review): passed on unchecked, so a {@code null}
     *             here with a non-null target reaches {@code copyFileTo} - confirm that is handled
     * @return {@code str} when a target location is configured, otherwise {@code str2}
     */
    private static String moveFileIfRequired(String str, String str2) {
        if (str != null) {
            Path target = Path.of(str);
            io.quarkus.test.utils.FileUtils.copyFileTo(str2, target);
            return str;
        }
        return str2;
    }
}
