package se.swedenconnect.security.credential;

import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import jakarta.annotation.PreDestroy;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.security.credential.factory.KeyStoreFactory;
import se.swedenconnect.security.credential.monitoring.DefaultCredentialTestFunction;
import se.swedenconnect.security.credential.pkcs11.Pkcs11KeyStoreReloader;

/* loaded from: input_file:se/swedenconnect/security/credential/KeyStoreCredential.class */
public class KeyStoreCredential extends AbstractReloadablePkiCredential {
    private static final Logger log = LoggerFactory.getLogger(KeyStoreCredential.class);
    private final KeyStore keyStore;
    private final String alias;
    private final char[] keyPassword;
    private final List<X509Certificate> certificates;
    private final boolean residesInHardware;
    private KeyStoreReloader reloader;

    public KeyStoreCredential(@Nonnull KeyStore keyStore, @Nonnull String str, @Nullable char[] cArr) throws KeyStoreException {
        this(keyStore, str, cArr, null);
    }

    public KeyStoreCredential(@Nonnull KeyStore keyStore, @Nonnull String str, @Nullable char[] cArr, @Nullable List<X509Certificate> list) throws KeyStoreException {
        this.keyStore = (KeyStore) Objects.requireNonNull(keyStore, "keyStore must not be null");
        this.alias = (String) Objects.requireNonNull(str, "alias must not be null");
        if (cArr != null) {
            this.keyPassword = new char[cArr.length];
            System.arraycopy(cArr, 0, this.keyPassword, 0, cArr.length);
        } else {
            this.keyPassword = null;
        }
        this.residesInHardware = KeyStoreFactory.PKCS11_KEYSTORE_TYPE.equalsIgnoreCase(this.keyStore.getType());
        if (this.residesInHardware) {
            DefaultCredentialTestFunction defaultCredentialTestFunction = new DefaultCredentialTestFunction();
            defaultCredentialTestFunction.setProvider((String) Optional.ofNullable(this.keyStore.getProvider()).map((v0) -> {
                return v0.getName();
            }).orElse(null));
            setTestFunction(defaultCredentialTestFunction);
        }
        getPrivateKey();
        if (list == null) {
            this.certificates = loadCertificateChain();
        } else {
            this.certificates = Collections.unmodifiableList(list);
            if (this.certificates.isEmpty()) {
                throw new IllegalArgumentException("certificateChain must not be empty");
            }
        }
        updateMetadataValidityProperties();
    }

    @Nonnull
    public KeyStore getKeyStore() {
        return this.keyStore;
    }

    @Override // se.swedenconnect.security.credential.PkiCredential
    @Nonnull
    public synchronized PrivateKey getPrivateKey() {
        try {
            Key key = this.keyStore.getKey(this.alias, this.keyPassword);
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
            throw new SecurityException("No private key entry found for '%s'".formatted(this.alias));
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new SecurityException(e);
        }
    }

    @Override // se.swedenconnect.security.credential.PkiCredential
    @Nonnull
    public List<X509Certificate> getCertificateChain() {
        return this.certificates;
    }

    @Override // se.swedenconnect.security.credential.PkiCredential
    @PreDestroy
    public void destroy() {
        if (this.keyPassword != null) {
            Arrays.fill(this.keyPassword, (char) 0);
        }
    }

    @Override // se.swedenconnect.security.credential.PkiCredential
    public boolean isHardwareCredential() {
        return this.residesInHardware;
    }

    @Nonnull
    private List<X509Certificate> loadCertificateChain() throws KeyStoreException {
        Certificate[] certificateChain = this.keyStore.getCertificateChain(this.alias);
        if (certificateChain == null || certificateChain.length == 0) {
            X509Certificate x509Certificate = (X509Certificate) this.keyStore.getCertificate(this.alias);
            if (x509Certificate == null) {
                throw new KeyStoreException("No certificate found at entry " + this.alias);
            }
            return Collections.singletonList(x509Certificate);
        }
        Stream stream = Arrays.stream(certificateChain);
        Class<X509Certificate> cls = X509Certificate.class;
        Objects.requireNonNull(X509Certificate.class);
        return stream.map(cls::cast).toList();
    }

    public void setReloader(@Nonnull KeyStoreReloader keyStoreReloader) {
        this.reloader = keyStoreReloader;
    }

    private synchronized KeyStoreReloader getReloader() {
        if (this.reloader == null && isHardwareCredential()) {
            this.reloader = new Pkcs11KeyStoreReloader(this.keyPassword);
        }
        return this.reloader;
    }

    @Override // se.swedenconnect.security.credential.ReloadablePkiCredential
    public synchronized void reload() throws Exception {
        KeyStoreReloader reloader = getReloader();
        if (reloader == null) {
            if (isHardwareCredential()) {
                throw new SecurityException("No reload function installed for credential '%s'".formatted(getName()));
            }
            return;
        }
        try {
            log.trace("Reloading private key of credential '{}' ...", getName());
            reloader.reload(this.keyStore);
            getPrivateKey();
            log.trace("Reloading private key of credential '{}' successful", getName());
        } catch (Exception e) {
            log.trace("Failed to reload private key - {}", e.getMessage(), e);
            throw e;
        }
    }

    @Override // se.swedenconnect.security.credential.AbstractPkiCredential
    @Nonnull
    protected String getDefaultName() {
        return KeyStoreFactory.PKCS11_KEYSTORE_TYPE.equalsIgnoreCase(this.keyStore.getType()) ? "%s-%s-%s".formatted(this.keyStore.getProvider().getName(), this.alias, getCertificate().getSerialNumber().toString(10)) : "%s-%s-%s".formatted(getPublicKey().getAlgorithm(), this.alias, getCertificate().getSerialNumber().toString(10));
    }
}
