package se.swedenconnect.security.credential.factory;

import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.security.credential.AbstractPkiCredential;
import se.swedenconnect.security.credential.BasicCredential;
import se.swedenconnect.security.credential.KeyStoreCredential;
import se.swedenconnect.security.credential.KeyStoreReloader;
import se.swedenconnect.security.credential.PkiCredential;
import se.swedenconnect.security.credential.bundle.CredentialBundles;
import se.swedenconnect.security.credential.bundle.NoSuchCredentialException;
import se.swedenconnect.security.credential.bundle.NoSuchKeyStoreException;
import se.swedenconnect.security.credential.config.BaseCredentialConfiguration;
import se.swedenconnect.security.credential.config.ConfigurationResourceLoader;
import se.swedenconnect.security.credential.config.DefaultConfigurationResourceLoader;
import se.swedenconnect.security.credential.config.PemCredentialConfiguration;
import se.swedenconnect.security.credential.config.PkiCredentialConfiguration;
import se.swedenconnect.security.credential.config.StoreCredentialConfiguration;
import se.swedenconnect.security.credential.monitoring.DefaultCredentialTestFunction;
import se.swedenconnect.security.credential.pkcs11.Pkcs11KeyStoreReloader;
import se.swedenconnect.security.credential.utils.KeyUtils;
import se.swedenconnect.security.credential.utils.X509Utils;

/* loaded from: input_file:se/swedenconnect/security/credential/factory/PkiCredentialFactory.class */
public class PkiCredentialFactory {
    private static final Logger log = LoggerFactory.getLogger(PkiCredentialFactory.class);
    private final Function<String, PkiCredential> credentialProvider;
    private final Function<String, KeyStore> keyStoreProvider;
    private final ConfigurationResourceLoader resourceLoader;
    private ConcurrentMap<Integer, PkiCredential> cache;

    public PkiCredentialFactory(@Nullable Function<String, PkiCredential> function, @Nullable Function<String, KeyStore> function2, @Nullable ConfigurationResourceLoader configurationResourceLoader, boolean z) {
        this.credentialProvider = function;
        this.keyStoreProvider = function2;
        this.resourceLoader = (ConfigurationResourceLoader) Optional.ofNullable(configurationResourceLoader).orElseGet(DefaultConfigurationResourceLoader::new);
        if (z) {
            this.cache = new ConcurrentHashMap();
        }
    }

    public PkiCredentialFactory(@Nullable CredentialBundles credentialBundles, @Nullable ConfigurationResourceLoader configurationResourceLoader, boolean z) {
        this((Function) Optional.ofNullable(credentialBundles).map((v0) -> {
            return v0.getCredentialProvider();
        }).orElse(null), (Function) Optional.ofNullable(credentialBundles).map((v0) -> {
            return v0.getKeyStoreProvider();
        }).orElse(null), configurationResourceLoader, z);
    }

    @Nonnull
    public static PkiCredential createCredential(@Nonnull PkiCredentialConfiguration pkiCredentialConfiguration, @Nullable ConfigurationResourceLoader configurationResourceLoader, @Nullable Function<String, PkiCredential> function, @Nullable Function<String, KeyStore> function2, @Nullable Function<String, KeyStoreReloader> function3) throws IllegalArgumentException, IOException, NoSuchCredentialException, NoSuchKeyStoreException, CertificateException, KeyException, KeyStoreException, NoSuchProviderException {
        if (pkiCredentialConfiguration.bundle().isPresent()) {
            if (pkiCredentialConfiguration.jks().isPresent() || pkiCredentialConfiguration.pem().isPresent()) {
                throw new IllegalArgumentException("Invalid credential configuration - if bundle is used, jks or pem can not be present");
            }
            if (function == null) {
                throw new IllegalArgumentException("Missing credentialProvider - can not resolve reference");
            }
            String str = pkiCredentialConfiguration.bundle().get();
            return (PkiCredential) Optional.ofNullable(function.apply(str)).orElseThrow(() -> {
                return new NoSuchCredentialException(str, "Referenced bundle not found");
            });
        }
        if (pkiCredentialConfiguration.jks().isPresent()) {
            if (pkiCredentialConfiguration.pem().isPresent()) {
                throw new IllegalArgumentException("Invalid credential configuration - both jks and pem can not be present");
            }
            return createCredential(pkiCredentialConfiguration.jks().get(), configurationResourceLoader, function2, function3);
        }
        if (pkiCredentialConfiguration.pem().isPresent()) {
            return createCredential(pkiCredentialConfiguration.pem().get(), configurationResourceLoader);
        }
        throw new IllegalArgumentException("Invalid credential configuration - one of jks or pem must be present");
    }

    @Nonnull
    public PkiCredential createCredential(@Nonnull PkiCredentialConfiguration pkiCredentialConfiguration) throws IllegalArgumentException, IOException, NoSuchCredentialException, NoSuchKeyStoreException, CertificateException, KeyException, KeyStoreException, NoSuchProviderException {
        PkiCredential pkiCredential;
        if (this.cache != null && pkiCredentialConfiguration.bundle().isEmpty() && (pkiCredential = this.cache.get(Integer.valueOf(pkiCredentialConfiguration.hashCode()))) != null) {
            log.debug("Returning cached credential '{}'", pkiCredential.getName());
            return pkiCredential;
        }
        PkiCredential createCredential = createCredential(pkiCredentialConfiguration, this.resourceLoader, this.credentialProvider, this.keyStoreProvider, null);
        Optional.ofNullable(this.cache).ifPresent(concurrentMap -> {
            concurrentMap.put(Integer.valueOf(pkiCredentialConfiguration.hashCode()), createCredential);
        });
        return createCredential;
    }

    @Nonnull
    public static PkiCredential createCredential(@Nonnull PemCredentialConfiguration pemCredentialConfiguration, @Nullable ConfigurationResourceLoader configurationResourceLoader) throws IllegalArgumentException, IOException, CertificateException, KeyException {
        List<X509Certificate> list;
        InputStream stream;
        PublicKey decodePublicKey;
        ByteArrayInputStream byteArrayInputStream;
        PrivateKey decodePrivateKey;
        ConfigurationResourceLoader configurationResourceLoader2 = (ConfigurationResourceLoader) Optional.ofNullable(configurationResourceLoader).orElseGet(DefaultConfigurationResourceLoader::new);
        if (pemCredentialConfiguration.certificates().isPresent() && pemCredentialConfiguration.publicKey().isPresent()) {
            throw new IllegalArgumentException("Certificate(s) and public key must not both be present");
        }
        if (pemCredentialConfiguration.certificates().isPresent()) {
            decodePublicKey = null;
            if (X509Utils.isInlinedPem(pemCredentialConfiguration.certificates().get())) {
                byteArrayInputStream = new ByteArrayInputStream(pemCredentialConfiguration.certificates().get().getBytes());
                try {
                    list = X509Utils.decodeCertificateChain(byteArrayInputStream);
                    byteArrayInputStream.close();
                } finally {
                }
            } else {
                stream = configurationResourceLoader2.getStream(pemCredentialConfiguration.certificates().get());
                try {
                    list = X509Utils.decodeCertificateChain(stream);
                    if (stream != null) {
                        stream.close();
                    }
                } finally {
                }
            }
        } else {
            if (!pemCredentialConfiguration.publicKey().isPresent()) {
                throw new IllegalArgumentException("Missing Certificate(s) or public key");
            }
            list = null;
            if (KeyUtils.isInlinedPem(pemCredentialConfiguration.publicKey().get())) {
                byteArrayInputStream = new ByteArrayInputStream(pemCredentialConfiguration.publicKey().get().getBytes());
                try {
                    decodePublicKey = KeyUtils.decodePublicKey(byteArrayInputStream);
                    byteArrayInputStream.close();
                } finally {
                }
            } else {
                stream = configurationResourceLoader2.getStream(pemCredentialConfiguration.publicKey().get());
                try {
                    decodePublicKey = KeyUtils.decodePublicKey(stream);
                    if (stream != null) {
                        stream.close();
                    }
                } finally {
                }
            }
        }
        if (pemCredentialConfiguration.privateKey() == null) {
            throw new IllegalArgumentException("No private key assigned");
        }
        char[] cArr = (char[]) pemCredentialConfiguration.keyPassword().map((v0) -> {
            return v0.toCharArray();
        }).orElse(null);
        if (KeyUtils.isInlinedPem(pemCredentialConfiguration.privateKey())) {
            byteArrayInputStream = new ByteArrayInputStream(pemCredentialConfiguration.privateKey().getBytes());
            try {
                decodePrivateKey = KeyUtils.decodePrivateKey(byteArrayInputStream, cArr);
                byteArrayInputStream.close();
            } finally {
                try {
                    byteArrayInputStream.close();
                } catch (Throwable th) {
                    th.addSuppressed(th);
                }
            }
        } else {
            InputStream stream2 = configurationResourceLoader2.getStream(pemCredentialConfiguration.privateKey());
            try {
                decodePrivateKey = KeyUtils.decodePrivateKey(stream2, cArr);
                if (stream2 != null) {
                    stream2.close();
                }
            } finally {
                if (stream2 != null) {
                    try {
                        stream2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            }
        }
        BasicCredential basicCredential = list != null ? new BasicCredential(list, decodePrivateKey) : new BasicCredential(decodePublicKey, decodePrivateKey);
        assignBaseProperties(pemCredentialConfiguration, basicCredential);
        return basicCredential;
    }

    @Nonnull
    public PkiCredential createCredential(@Nonnull PemCredentialConfiguration pemCredentialConfiguration) throws IllegalArgumentException, IOException, CertificateException, KeyException {
        PkiCredential pkiCredential;
        if (this.cache != null && (pkiCredential = this.cache.get(Integer.valueOf(pemCredentialConfiguration.hashCode()))) != null) {
            log.debug("Returning cached credential '{}'", pkiCredential.getName());
            return pkiCredential;
        }
        PkiCredential createCredential = createCredential(pemCredentialConfiguration, this.resourceLoader);
        Optional.ofNullable(this.cache).ifPresent(concurrentMap -> {
            concurrentMap.put(Integer.valueOf(pemCredentialConfiguration.hashCode()), createCredential);
        });
        return createCredential;
    }

    @Nonnull
    public static PkiCredential createCredential(@Nonnull StoreCredentialConfiguration storeCredentialConfiguration, @Nullable ConfigurationResourceLoader configurationResourceLoader, @Nullable Function<String, KeyStore> function, @Nullable Function<String, KeyStoreReloader> function2) throws IllegalArgumentException, IOException, NoSuchKeyStoreException, KeyStoreException, NoSuchProviderException, CertificateException {
        KeyStore apply;
        char[] charArray;
        List<X509Certificate> list;
        ConfigurationResourceLoader configurationResourceLoader2 = (ConfigurationResourceLoader) Optional.ofNullable(configurationResourceLoader).orElseGet(DefaultConfigurationResourceLoader::new);
        KeyStoreReloader keyStoreReloader = null;
        if (storeCredentialConfiguration.store().isPresent()) {
            if (storeCredentialConfiguration.storeReference().isPresent()) {
                throw new IllegalArgumentException("Both store and store-reference can not be set");
            }
            apply = KeyStoreFactory.loadKeyStore(storeCredentialConfiguration.store().get(), configurationResourceLoader2);
            if (KeyStoreFactory.PKCS11_KEYSTORE_TYPE.equalsIgnoreCase(apply.getType())) {
                keyStoreReloader = new Pkcs11KeyStoreReloader(storeCredentialConfiguration.store().get().password().toCharArray());
            }
        } else {
            if (!storeCredentialConfiguration.storeReference().isPresent()) {
                throw new IllegalArgumentException("No store or store-reference assigned");
            }
            if (function == null) {
                throw new IllegalArgumentException("No key store provider provided - can not resolve store reference");
            }
            apply = function.apply(storeCredentialConfiguration.storeReference().get());
            if (apply == null) {
                throw new NoSuchKeyStoreException(storeCredentialConfiguration.storeReference().get(), "Referenced store '%s' is not present".formatted(storeCredentialConfiguration.storeReference().get()));
            }
            if (function2 != null) {
                keyStoreReloader = function2.apply(storeCredentialConfiguration.storeReference().get());
            }
        }
        if (storeCredentialConfiguration.key() == null) {
            throw new IllegalArgumentException("No key entry assigned");
        }
        String str = (String) Optional.ofNullable(storeCredentialConfiguration.key().alias()).orElseThrow(() -> {
            return new IllegalArgumentException("No key entry alias assigned");
        });
        if (storeCredentialConfiguration.key().keyPassword().isPresent()) {
            charArray = storeCredentialConfiguration.key().keyPassword().get().toCharArray();
        } else {
            if (!storeCredentialConfiguration.store().isPresent()) {
                throw new IllegalArgumentException("No key password given, and can not get store password since store reference was used");
            }
            charArray = storeCredentialConfiguration.store().get().password().toCharArray();
        }
        if (!storeCredentialConfiguration.key().certificates().isPresent()) {
            list = null;
        } else if (X509Utils.isInlinedPem(storeCredentialConfiguration.key().certificates().get())) {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(storeCredentialConfiguration.key().certificates().get().getBytes());
            try {
                list = X509Utils.decodeCertificateChain(byteArrayInputStream);
                byteArrayInputStream.close();
            } catch (Throwable th) {
                try {
                    byteArrayInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } else {
            InputStream stream = configurationResourceLoader2.getStream(storeCredentialConfiguration.key().certificates().get());
            try {
                list = X509Utils.decodeCertificateChain(stream);
                if (stream != null) {
                    stream.close();
                }
            } catch (Throwable th3) {
                if (stream != null) {
                    try {
                        stream.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                }
                throw th3;
            }
        }
        KeyStoreCredential keyStoreCredential = new KeyStoreCredential(apply, str, charArray, list);
        assignBaseProperties(storeCredentialConfiguration, keyStoreCredential);
        KeyStore keyStore = apply;
        if (storeCredentialConfiguration.monitor().orElseGet(() -> {
            return Boolean.valueOf(KeyStoreFactory.PKCS11_KEYSTORE_TYPE.equalsIgnoreCase(keyStore.getType()));
        }).booleanValue()) {
            keyStoreCredential.setTestFunction(new DefaultCredentialTestFunction());
            Optional ofNullable = Optional.ofNullable(keyStoreReloader);
            Objects.requireNonNull(keyStoreCredential);
            ofNullable.ifPresent(keyStoreCredential::setReloader);
        } else {
            keyStoreCredential.setTestFunction(null);
        }
        return keyStoreCredential;
    }

    @Nonnull
    public PkiCredential createCredential(@Nonnull StoreCredentialConfiguration storeCredentialConfiguration) throws IllegalArgumentException, IOException, NoSuchKeyStoreException, KeyStoreException, NoSuchProviderException, CertificateException {
        PkiCredential pkiCredential;
        if (this.cache != null && (pkiCredential = this.cache.get(Integer.valueOf(storeCredentialConfiguration.hashCode()))) != null) {
            log.debug("Returning cached credential '{}'", pkiCredential.getName());
            return pkiCredential;
        }
        PkiCredential createCredential = createCredential(storeCredentialConfiguration, this.resourceLoader, this.keyStoreProvider, null);
        Optional.ofNullable(this.cache).ifPresent(concurrentMap -> {
            concurrentMap.put(Integer.valueOf(storeCredentialConfiguration.hashCode()), createCredential);
        });
        return createCredential;
    }

    private static <T extends AbstractPkiCredential> void assignBaseProperties(@Nonnull BaseCredentialConfiguration baseCredentialConfiguration, @Nonnull T t) {
        Optional<String> name = baseCredentialConfiguration.name();
        Objects.requireNonNull(t);
        name.ifPresent(t::setName);
        baseCredentialConfiguration.metadata().ifPresent(map -> {
            map.forEach((str, str2) -> {
                t.getMetadata().getProperties().put(str, str2);
            });
        });
        baseCredentialConfiguration.keyId().ifPresent(str -> {
            t.getMetadata().getProperties().put(PkiCredential.Metadata.KEY_ID_PROPERTY, str);
        });
        baseCredentialConfiguration.issuedAt().ifPresent(instant -> {
            t.getMetadata().getProperties().put(PkiCredential.Metadata.ISSUED_AT_PROPERTY, instant);
        });
        baseCredentialConfiguration.expiresAt().ifPresent(instant2 -> {
            t.getMetadata().getProperties().put(PkiCredential.Metadata.EXPIRES_AT_PROPERTY, instant2);
        });
    }
}
