package se.swedenconnect.security.credential.container;

import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.AlgorithmNameFinder;
import org.bouncycastle.operator.DefaultAlgorithmNameFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.cryptacular.EncodingException;
import org.cryptacular.util.CertUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.swedenconnect.security.credential.PkiCredential;

/* loaded from: input_file:se/swedenconnect/security/credential/container/AbstractKeyStorePkiCredentialContainer.class */
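/**
 * Base class for {@link PkiCredentialContainer} implementations that keep their keys in a {@link KeyStore}.
 * <p>
 * A generated key pair is stored as a keystore key entry under a hex-encoded alias obtained from the inherited
 * {@code generateAlias()}. The entry is accompanied by a self-signed certificate whose serial number is that alias and
 * whose validity is the inherited {@code getKeyValidity()} (defaulting to {@link #DEFAULT_KEY_VALIDITY}). Key entries
 * are written with a {@code null} entry password; the password given to the constructor protects the keystore itself
 * and is passed to {@link #createKeyStore(Provider, char[])}.
 * </p>
 * <p>
 * The alias-to-credential map is a {@link ConcurrentHashMap}, but the {@link KeyStore} object is only as thread-safe
 * as the provider implementation makes it, so concurrent generate/delete of the same alias is not guaranteed to be
 * consistent.
 * </p>
 */
public abstract class AbstractKeyStorePkiCredentialContainer extends AbstractPkiCredentialContainer {

    private static final Logger log = LoggerFactory.getLogger(AbstractKeyStorePkiCredentialContainer.class);

    /** Resolves BC algorithm OIDs to JCA algorithm names for the content signer. */
    private static final AlgorithmNameFinder algorithmNameFinder = new DefaultAlgorithmNameFinder();

    /** Validity used for the self-signed certificate when no key validity has been configured. */
    private static final Duration DEFAULT_KEY_VALIDITY = Duration.ofDays(3650L);

    /** Keystore password, or {@code null} if the keystore is not password protected. */
    private final char[] password;

    /** The keystore holding the generated key entries. */
    private final KeyStore keyStore;

    /** Credentials handed out by this container, keyed by (hex) alias. */
    private final Map<String, ManagedPkiCredential> credentials;

    /**
     * Constructor.
     * <p>
     * Note that {@link #createKeyStore(Provider, char[])} is invoked from the constructor, so a subclass implementation
     * must not depend on its own instance fields having been initialised yet.
     * </p>
     *
     * @param provider the security provider used for key generation and for the keystore
     * @param password the keystore password, or {@code null} if the keystore has no password
     * @throws KeyStoreException if the keystore cannot be created
     */
    public AbstractKeyStorePkiCredentialContainer(@Nonnull final Provider provider, @Nullable final String password)
            throws KeyStoreException {
        super(provider);
        this.credentials = new ConcurrentHashMap<>();
        // Kept as a char[] so that subclasses can hand it straight to the KeyStore APIs.
        this.password = password != null ? password.toCharArray() : null;
        this.keyStore = this.createKeyStore(provider, this.password);
    }

    /**
     * Creates (and, where applicable, loads) the keystore backing this container.
     *
     * @param provider the security provider
     * @param password the keystore password, or {@code null}
     * @return the keystore
     * @throws KeyStoreException if the keystore cannot be created
     */
    @Nonnull
    protected abstract KeyStore createKeyStore(@Nonnull final Provider provider, @Nullable final char[] password)
            throws KeyStoreException;

    /**
     * Generates a key pair of the given type, stores it in the keystore together with a self-signed certificate, and
     * registers a managed credential for it.
     * <p>
     * If the key entry has been written but the credential cannot be created from it, the entry is removed again so
     * that no orphaned private key is left in the keystore.
     * </p>
     *
     * @param keyTypeName the key type name handed to the inherited {@code getKeyGeneratorFactory}
     * @return the (hex-encoded) alias of the new credential
     * @throws KeyException if the key could not be added to the keystore or wrapped in a credential
     * @throws NoSuchAlgorithmException if the key type is not supported
     * @throws CertificateException if the self-signed certificate could not be generated
     */
    @Override
    @Nonnull
    public String generateCredential(@Nonnull final String keyTypeName)
            throws KeyException, NoSuchAlgorithmException, CertificateException {

        final KeyPair keyPair = this.getKeyGeneratorFactory(keyTypeName)
                .getKeyPairGenerator(this.getProvider())
                .generateKeyPair();
        final BigInteger serial = this.generateAlias();
        final String alias = serial.toString(16);

        try {
            // No entry password: the keystore-level password (see createKeyStore) is what protects the key.
            this.keyStore.setKeyEntry(alias, keyPair.getPrivate(), null,
                    new Certificate[] { this.generateKeyCertificate(keyPair, serial) });
        } catch (final KeyStoreException e) {
            throw new KeyException("Failed to add generated key to keystore - " + e.getMessage(), e);
        }

        final ManagedPkiCredential managed;
        try {
            managed = new ManagedPkiCredential(this.getCredentialFromAlias(alias),
                    credential -> this.onCredentialDestroyed(alias),
                    chain -> this.onCertificateUpdated(alias, keyPair, chain));
        } catch (final PkiCredentialContainerException e) {
            // The entry is already in the keystore - roll it back so the private key does not linger unreferenced.
            this.removeKeyEntryQuietly(alias);
            throw new KeyException("Failed to add generated key to keystore - " + e.getMessage(), e);
        }

        this.credentials.put(alias, managed);
        return alias;
    }

    /**
     * Destroy callback registered with each managed credential: removes the credential from this container.
     *
     * @param alias the alias of the destroyed credential
     */
    private void onCredentialDestroyed(@Nonnull final String alias) {
        try {
            this.deleteCredential(alias);
        } catch (final PkiCredentialContainerException e) {
            log.warn("Failed to remove key entry for alias '{}'", alias, e);
        }
    }

    /**
     * Certificate-update callback registered with each managed credential: rewrites the key entry with the new
     * certificate.
     * <p>
     * Only the first certificate of the supplied chain is stored, mirroring the original behaviour - whether the full
     * chain should be retained is a question for the caller's contract (TODO confirm).
     * </p>
     *
     * @param alias the alias of the credential
     * @param keyPair the key pair whose private key is re-stored with the new certificate
     * @param chain the new certificate chain (the first element is used)
     */
    private void onCertificateUpdated(@Nonnull final String alias, @Nonnull final KeyPair keyPair,
            @Nullable final X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            log.warn("No certificate supplied for alias '{}' - key entry not updated", alias);
            return;
        }
        try {
            this.keyStore.setKeyEntry(alias, keyPair.getPrivate(), null, new Certificate[] { chain[0] });
        } catch (final Exception e) {
            // Callback boundary - a failure here must not propagate into the credential's own update logic.
            log.warn("Failed to update key entry for alias '{}' with new certificate", alias, e);
        }
    }

    /**
     * Best-effort removal of a keystore entry; failures are logged, never thrown.
     *
     * @param alias the alias to remove
     */
    private void removeKeyEntryQuietly(@Nonnull final String alias) {
        try {
            this.keyStore.deleteEntry(alias);
        } catch (final KeyStoreException e) {
            log.warn("Failed to remove key entry for alias '{}'", alias, e);
        }
    }

    /**
     * Returns the managed credential for the given alias.
     * <p>
     * An expired credential is not returned: it is destroyed (which is expected to trigger the removal callback
     * registered in {@link #generateCredential(String)}) and an exception is thrown.
     * </p>
     *
     * @param alias the alias
     * @return the managed credential
     * @throws PkiCredentialContainerException if no credential exists for the alias or if it has expired
     */
    @Override
    @Nonnull
    public final ManagedPkiCredential getCredential(@Nonnull final String alias) throws PkiCredentialContainerException {
        final ManagedPkiCredential credential = this.credentials.get(alias);
        if (credential == null) {
            throw new PkiCredentialContainerException("No credential found for alias '" + alias + "'");
        }
        if (this.isExpired(alias)) {
            credential.destroy();
            throw new PkiCredentialContainerException("Requested credential has expired - Destroying credential");
        }
        return credential;
    }

    /**
     * Builds a {@link PkiCredential} from the key entry stored under the given alias.
     *
     * @param alias the alias of the key entry
     * @return the credential
     * @throws PkiCredentialContainerException if the credential cannot be created
     */
    @Nonnull
    protected abstract PkiCredential getCredentialFromAlias(@Nonnull final String alias)
            throws PkiCredentialContainerException;

    /**
     * Deletes the credential with the given alias from the container and from the keystore.
     * <p>
     * The map entry is removed before the keystore entry so the credential is no longer reachable even if the keystore
     * deletion fails; in that case the exception reports the orphaned keystore entry.
     * </p>
     *
     * @param alias the alias
     * @throws PkiCredentialContainerException if the keystore entry could not be deleted
     */
    @Override
    public void deleteCredential(@Nonnull final String alias) throws PkiCredentialContainerException {
        this.credentials.remove(alias);
        try {
            this.keyStore.deleteEntry(alias);
        } catch (final KeyStoreException e) {
            throw new PkiCredentialContainerException("Failed to delete " + alias, e);
        }
    }

    /**
     * Returns the expiry time of the credential, i.e. the {@code notAfter} of its certificate.
     *
     * @param alias the alias
     * @return the expiry instant
     * @throws PkiCredentialContainerException if no credential exists for the alias
     */
    @Override
    @Nullable
    public Instant getExpiryTime(@Nonnull final String alias) throws PkiCredentialContainerException {
        final ManagedPkiCredential credential = this.credentials.get(alias);
        if (credential == null) {
            throw new PkiCredentialContainerException("Requested alias is not present");
        }
        return credential.getCertificate().getNotAfter().toInstant();
    }

    /**
     * Lists the aliases of all credentials currently held by this container.
     *
     * @return an unmodifiable snapshot of the aliases
     */
    @Override
    @Nonnull
    public List<String> listCredentials() {
        return List.copyOf(this.credentials.keySet());
    }

    /**
     * Returns the keystore password.
     * <p>
     * The internal array is returned as-is (no defensive copy) so that the memory can be cleared in one place; callers
     * must not modify it. Declared {@code protected} in the original source; the decompiler widened it to
     * {@code public}.
     * </p>
     *
     * @return the password, or {@code null} if none was given
     */
    @Nullable
    public char[] getPassword() {
        return this.password;
    }

    /**
     * Returns the keystore backing this container. Declared {@code protected} in the original source; the decompiler
     * widened it to {@code public}.
     *
     * @return the keystore
     */
    @Nonnull
    public KeyStore getKeyStore() {
        return this.keyStore;
    }

    /**
     * Generates a self-signed certificate for the key pair. Subject and issuer are {@link #getX500Name(BigInteger)},
     * the serial number is the alias, and the validity runs from now for the configured key validity (or
     * {@link #DEFAULT_KEY_VALIDITY}).
     *
     * @param keyPair the key pair to certify
     * @param serial the serial number (alias)
     * @return the certificate
     * @throws CertificateException if the certificate cannot be built or decoded
     */
    @Nonnull
    private X509Certificate generateKeyCertificate(@Nonnull final KeyPair keyPair, @Nonnull final BigInteger serial)
            throws CertificateException {
        try {
            // A single timestamp is used for both bounds so notAfter is exactly notBefore + validity.
            final Instant notBefore = Instant.now();
            final Duration validity = Optional.ofNullable(this.getKeyValidity()).orElse(DEFAULT_KEY_VALIDITY);
            final Instant notAfter = notBefore.plus(validity);
            final X500Name name = this.getX500Name(serial);

            final byte[] encoded = new JcaX509v3CertificateBuilder(
                    name, serial, Date.from(notBefore), Date.from(notAfter), name, keyPair.getPublic())
                    .build(new JcaContentSignerBuilder(this.getAlgorithmName(keyPair)).build(keyPair.getPrivate()))
                    .getEncoded();
            return CertUtil.decodeCertificate(encoded);
        } catch (final EncodingException | IOException | OperatorCreationException e) {
            throw new CertificateException("Error generating certificate - " + e.getMessage(), e);
        }
    }

    /**
     * Selects the signature algorithm for the self-signed certificate: ECDSA-with-SHA256 for EC keys, otherwise
     * SHA256-with-RSA.
     *
     * @param keyPair the key pair
     * @return the JCA signature algorithm name
     */
    @Nonnull
    protected String getAlgorithmName(@Nonnull final KeyPair keyPair) {
        if (keyPair.getPublic() instanceof ECPublicKey) {
            return algorithmNameFinder.getAlgorithmName(X9ObjectIdentifiers.ecdsa_with_SHA256);
        }
        return algorithmNameFinder.getAlgorithmName(PKCSObjectIdentifiers.sha256WithRSAEncryption);
    }

    /**
     * Builds the subject/issuer name of the self-signed certificate: a single CN holding the hex serial (alias).
     *
     * @param serial the serial number (alias)
     * @return the X.500 name
     */
    @Nonnull
    protected X500Name getX500Name(@Nonnull final BigInteger serial) {
        final AttributeTypeAndValue cn = new AttributeTypeAndValue(BCStyle.CN, new DERUTF8String(serial.toString(16)));
        return new X500Name(new RDN[] { new RDN(cn) });
    }
}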
