package io.helidon.common.pki;

import io.helidon.common.configurable.Resource;
import io.helidon.common.configurable.ResourceException;
import io.helidon.config.Config;
import io.helidon.config.metadata.Configured;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:io/helidon/common/pki/KeyConfig.class */
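/**
 * Immutable holder for key material: an optional private key, an optional public key,
 * an optional public certificate, a certificate chain and a list of further certificates.
 *
 * <p>Instances are assembled by {@link Builder}, which can be filled explicitly, from PEM
 * resources ({@link PemBuilder}) or from a Java keystore ({@link KeystoreBuilder}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Passphrases are defensively copied into the builders but are never zeroed by this class;
 *       the copies live as long as the builder instance is reachable.</li>
 *   <li>When no key alias is configured, the keystore builder tries alias {@code "1"} and only
 *       logs at {@code FINEST} if that fails, so a misconfigured keystore can yield a
 *       {@code KeyConfig} without a private key. Callers that require a key should check
 *       {@link #privateKey()} explicitly.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the {@code m1build}/{@code m2build}/
 * {@code m3build} names stand for the original {@code build()} methods.
 */
public final class KeyConfig {
    /** Alias tried for the private key (and, by extension, the chain) when none is configured. */
    private static final String DEFAULT_PRIVATE_KEY_ALIAS = "1";
    private static final Logger LOGGER = Logger.getLogger(KeyConfig.class.getName());
    /** Default keystore passphrase: an empty array, i.e. no passphrase was supplied. */
    private static final char[] EMPTY_CHARS = new char[0];
    private final PrivateKey privateKey;
    private final PublicKey publicKey;
    private final X509Certificate publicCert;
    private final List<X509Certificate> certChain = new LinkedList<>();
    private final List<X509Certificate> certificates = new LinkedList<>();

    /**
     * General builder that collects explicitly supplied key material and can be updated from
     * a {@link PemBuilder}, a {@link KeystoreBuilder} or configuration.
     */
    @Configured
    public static class Builder implements io.helidon.common.Builder<Builder, KeyConfig> {
        private PrivateKey explicitPrivateKey;
        private PublicKey explicitPublicKey;
        private X509Certificate explicitPublicCert;
        private final List<X509Certificate> explicitCertChain = new LinkedList<>();
        private final List<X509Certificate> explicitCertificates = new LinkedList<>();

        /**
         * Builds the {@link KeyConfig} from the values collected so far.
         *
         * <p>If no public key was set but a public certificate was, the public key is taken
         * from that certificate. (Decompiler name for the original {@code build()}.)
         *
         * @return a new key configuration
         * @throws PkiException declared by the original signature
         */
        public KeyConfig m1build() throws PkiException {
            PublicKey effectivePublicKey = this.explicitPublicKey;
            if (effectivePublicKey == null && this.explicitPublicCert != null) {
                effectivePublicKey = this.explicitPublicCert.getPublicKey();
            }
            // The KeyConfig constructor copies both collections, so later changes to this
            // builder do not leak into the built instance.
            return new KeyConfig(this.explicitPrivateKey, effectivePublicKey, this.explicitPublicCert,
                    this.explicitCertChain, this.explicitCertificates);
        }

        /**
         * Sets the private key, replacing any previously set value.
         *
         * @param privateKey private key to use
         * @return this builder
         */
        public Builder privateKey(PrivateKey privateKey) {
            this.explicitPrivateKey = privateKey;
            return this;
        }

        /**
         * Sets the public key, replacing any previously set value.
         *
         * @param publicKey public key to use
         * @return this builder
         */
        public Builder publicKey(PublicKey publicKey) {
            this.explicitPublicKey = publicKey;
            return this;
        }

        /**
         * Sets the public certificate, replacing any previously set value.
         *
         * @param x509Certificate certificate to use
         * @return this builder
         */
        public Builder publicKeyCert(X509Certificate x509Certificate) {
            this.explicitPublicCert = x509Certificate;
            return this;
        }

        /**
         * Appends a certificate to the certificate chain.
         *
         * @param x509Certificate certificate to append
         * @return this builder
         */
        public Builder addCertChain(X509Certificate x509Certificate) {
            this.explicitCertChain.add(x509Certificate);
            return this;
        }

        /**
         * Appends a certificate to the list returned by {@link KeyConfig#certs()}.
         *
         * @param x509Certificate certificate to append
         * @return this builder
         */
        public Builder addCert(X509Certificate x509Certificate) {
            this.explicitCertificates.add(x509Certificate);
            return this;
        }

        /**
         * Applies everything configured on the PEM builder to this builder. The PEM resources
         * are read during this call.
         *
         * @param pemBuilder source of PEM-based key material
         * @return this builder
         */
        public Builder updateWith(PemBuilder pemBuilder) {
            pemBuilder.updateBuilder(this);
            return this;
        }

        /**
         * Applies everything configured on the keystore builder to this builder. The keystore
         * is read during this call.
         *
         * @param keystoreBuilder source of keystore-based key material
         * @return this builder
         */
        public Builder updateWith(KeystoreBuilder keystoreBuilder) {
            keystoreBuilder.updateBuilder(this);
            return this;
        }

        /**
         * Updates this builder from configuration: first from the {@code pem} node, then from
         * the {@code keystore} node.
         *
         * <p>Because the keystore is applied second, a private key or public certificate it
         * provides replaces the one read from PEM; chain and certificate entries from both
         * sources are appended.
         *
         * @param config configuration node holding the {@code pem} and/or {@code keystore} nodes
         * @return this builder
         */
        public Builder config(Config config) {
            updateWith(KeyConfig.pemBuilder().config(config));
            updateWith(KeyConfig.keystoreBuilder().config(config));
            return this;
        }
    }

    /**
     * Builder that reads key material from a Java keystore (default type {@code PKCS12}).
     */
    @Configured(ignoreBuildMethod = true)
    public static final class KeystoreBuilder implements io.helidon.common.Builder<Builder, KeyConfig> {
        private static final String DEFAULT_KEYSTORE_TYPE = "PKCS12";
        private String keyAlias;
        private String certAlias;
        private String certChainAlias;
        private boolean addAllCertificates;
        private String keystoreType = DEFAULT_KEYSTORE_TYPE;
        private char[] keystorePassphrase = KeyConfig.EMPTY_CHARS;
        // null means "not set"; updateBuilder then falls back to the keystore passphrase.
        private char[] keyPassphrase = null;
        private final List<String> certificateAliases = new LinkedList<>();
        private final StreamHolder keystoreStream = new StreamHolder("keystore");

        private KeystoreBuilder() {
        }

        /**
         * Treats the keystore as a trust store: on build, every certificate that
         * {@code PkiUtil.loadCertificates} returns for the keystore is added, and aliases
         * registered through {@link #addCertAlias(String)} are not consulted.
         *
         * <p>Review the keystore contents before enabling this; every entry ends up in
         * {@link KeyConfig#certs()}.
         *
         * @return this builder
         */
        public KeystoreBuilder trustStore() {
            return trustStore(true);
        }

        private KeystoreBuilder trustStore(boolean z) {
            this.addAllCertificates = z;
            return this;
        }

        /**
         * Registers the alias of a certificate to load into {@link KeyConfig#certs()}.
         * Only used when the keystore is not marked as a trust store.
         *
         * @param str certificate alias
         * @return this builder
         */
        public KeystoreBuilder addCertAlias(String str) {
            this.certificateAliases.add(str);
            return this;
        }

        /**
         * Sets the keystore resource. Its stream is opened immediately; a previously opened
         * stream is closed first.
         *
         * @param resource keystore resource, must not be null
         * @return this builder
         */
        public KeystoreBuilder keystore(Resource resource) {
            this.keystoreStream.stream(resource);
            return this;
        }

        /**
         * Sets the keystore type passed to {@code PkiUtil.loadKeystore}.
         *
         * @param str keystore type, defaults to {@code PKCS12}
         * @return this builder
         */
        public KeystoreBuilder keystoreType(String str) {
            this.keystoreType = str;
            return this;
        }

        /**
         * Sets the keystore passphrase. The array is copied, so the caller may (and should)
         * clear its own copy afterwards; the internal copy is not cleared by this class.
         *
         * @param cArr keystore passphrase, must not be null
         * @return this builder
         * @throws NullPointerException if {@code cArr} is null
         */
        public KeystoreBuilder keystorePassphrase(char[] cArr) {
            Objects.requireNonNull(cArr, "Keystore passphrase must not be null");
            this.keystorePassphrase = Arrays.copyOf(cArr, cArr.length);
            return this;
        }

        /**
         * Sets the keystore passphrase from a string.
         *
         * <p>Prefer {@link #keystorePassphrase(char[])} where possible: a {@code String}
         * cannot be cleared from memory after use.
         *
         * @param str keystore passphrase
         * @return this builder
         */
        public KeystoreBuilder keystorePassphrase(String str) {
            return keystorePassphrase(str.toCharArray());
        }

        /**
         * Sets the alias of the private key. When left unset, alias {@code "1"} is tried and a
         * failure to load it is only logged at {@code FINEST}.
         *
         * @param str private key alias
         * @return this builder
         */
        public KeystoreBuilder keyAlias(String str) {
            this.keyAlias = str;
            return this;
        }

        /**
         * Sets the alias of the public certificate. When left unset, the first certificate of
         * the loaded chain (if any) is used.
         *
         * @param str certificate alias
         * @return this builder
         */
        public KeystoreBuilder certAlias(String str) {
            this.certAlias = str;
            return this;
        }

        /**
         * Sets the alias of the certificate chain. When left unset, the key alias is used and a
         * failure to load the chain is only logged at {@code FINEST}.
         *
         * @param str certificate chain alias
         * @return this builder
         */
        public KeystoreBuilder certChainAlias(String str) {
            this.certChainAlias = str;
            return this;
        }

        /**
         * Sets the private key passphrase. The array is copied; the internal copy is not
         * cleared by this class. When never set, the keystore passphrase is used for the key.
         *
         * @param cArr private key passphrase, must not be null
         * @return this builder
         * @throws NullPointerException if {@code cArr} is null
         */
        public KeystoreBuilder keyPassphrase(char[] cArr) {
            Objects.requireNonNull(cArr, "Key passphrase must not be null");
            this.keyPassphrase = Arrays.copyOf(cArr, cArr.length);
            return this;
        }

        /**
         * Sets the private key passphrase from a string.
         *
         * <p>Prefer {@link #keyPassphrase(char[])} where possible: a {@code String} cannot be
         * cleared from memory after use.
         *
         * @param str private key passphrase
         * @return this builder
         */
        public KeystoreBuilder keyPassphrase(String str) {
            return keyPassphrase(str.toCharArray());
        }

        /**
         * Builds a {@link KeyConfig} from this keystore only.
         * (Decompiler name for the original {@code build()}.)
         *
         * @return a new key configuration
         */
        public KeyConfig m2build() {
            return toFullBuilder().m1build();
        }

        /**
         * Creates a general {@link Builder} pre-filled from this keystore; the keystore is read
         * during this call.
         *
         * @return a new builder holding the keystore's key material
         */
        public Builder toFullBuilder() {
            return updateBuilder(KeyConfig.fullBuilder());
        }

        /**
         * Reads the keystore (if one was set) and copies its key material into {@code builder}.
         *
         * <p>The keystore stream is closed when this method returns, whether or not loading
         * succeeded. Note that this method also fills in defaulted values on this instance
         * (key passphrase, key alias, chain alias).
         */
        private Builder updateBuilder(Builder builder) {
            if (!this.keystoreStream.isSet()) {
                return builder;
            }
            if (this.keyPassphrase == null) {
                // No dedicated key passphrase: reuse the keystore passphrase for the key entry.
                this.keyPassphrase = this.keystorePassphrase;
            }
            try {
                KeyStore keyStore = PkiUtil.loadKeystore(this.keystoreType, this.keystoreStream.stream(),
                        this.keystorePassphrase, this.keystoreStream.message());

                boolean keyAliasDefaulted = false;
                if (this.keyAlias == null) {
                    this.keyAlias = KeyConfig.DEFAULT_PRIVATE_KEY_ALIAS;
                    keyAliasDefaulted = true;
                }
                try {
                    builder.privateKey(PkiUtil.loadPrivateKey(keyStore, this.keyAlias, this.keyPassphrase));
                } catch (Exception e) {
                    // An explicitly configured alias must load; the implicit default is best
                    // effort, so its failure is only visible at FINEST.
                    if (!keyAliasDefaulted) {
                        throw e;
                    }
                    KeyConfig.LOGGER.log(Level.FINEST, "Failed to read private key from default alias", e);
                }

                boolean chainAliasDefaulted = this.certChainAlias == null;
                if (chainAliasDefaulted) {
                    this.certChainAlias = this.keyAlias;
                }
                List<X509Certificate> chain = null;
                if (this.certChainAlias != null) {
                    try {
                        chain = PkiUtil.loadCertChain(keyStore, this.certChainAlias);
                        chain.forEach(builder::addCertChain);
                    } catch (Exception e) {
                        // Same policy as for the key: only a defaulted alias may fail quietly.
                        if (!chainAliasDefaulted) {
                            throw e;
                        }
                        KeyConfig.LOGGER.log(Level.FINEST,
                                "Failed to load certificate chain from alias \"" + this.certChainAlias + "\"", e);
                    }
                }

                if (this.certAlias != null) {
                    builder.publicKeyCert(PkiUtil.loadCertificate(keyStore, this.certAlias));
                } else if (chain != null && !chain.isEmpty()) {
                    // No explicit certificate alias: the first chain entry becomes the public cert.
                    builder.publicKeyCert(chain.get(0));
                }

                if (this.addAllCertificates) {
                    // Trust-store mode: every certificate in the keystore is added.
                    PkiUtil.loadCertificates(keyStore).forEach(builder::addCert);
                } else {
                    this.certificateAliases.forEach(
                            alias -> builder.addCert(PkiUtil.loadCertificate(keyStore, alias)));
                }
            } finally {
                this.keystoreStream.closeStream();
            }
            return builder;
        }

        /**
         * Updates this builder from the {@code keystore} node of the given configuration.
         *
         * <p>Keys read: {@code resource}, {@code type}, {@code passphrase}, {@code key.alias},
         * {@code key.passphrase}, {@code cert.alias}, {@code cert-chain.alias},
         * {@code trust-store}.
         *
         * <p>Passphrases are obtained from configuration as strings before being converted to
         * {@code char[]}, so they cannot be wiped from memory by this class.
         *
         * @param config configuration node that contains the {@code keystore} node
         * @return this builder
         */
        public KeystoreBuilder config(Config config) {
            Config keystoreConfig = config.get("keystore");
            keystoreConfig.get("resource").as(Resource::create).ifPresent(this::keystore);
            keystoreConfig.get("type").asString().ifPresent(this::keystoreType);
            keystoreConfig.get("passphrase").asString()
                    .map(String::toCharArray)
                    .ifPresent(this::keystorePassphrase);
            keystoreConfig.get("key.alias").asString().ifPresent(this::keyAlias);
            keystoreConfig.get("key.passphrase").asString()
                    .map(String::toCharArray)
                    .ifPresent(this::keyPassphrase);
            keystoreConfig.get("cert.alias").asString().ifPresent(this::certAlias);
            keystoreConfig.get("cert-chain.alias").asString().ifPresent(this::certChainAlias);
            keystoreConfig.get("trust-store").asBoolean().ifPresent(enabled -> {
                trustStore(enabled);
            });
            return this;
        }
    }

    /**
     * Builder that reads key material from PEM resources.
     */
    @Configured(ignoreBuildMethod = true)
    public static final class PemBuilder implements io.helidon.common.Builder<Builder, KeyConfig> {
        private final StreamHolder privateKeyStream = new StreamHolder("privateKey");
        private final StreamHolder publicKeyStream = new StreamHolder("publicKey");
        private final StreamHolder certChainStream = new StreamHolder("certChain");
        private final StreamHolder certificateStream = new StreamHolder("certificate");
        // Stays null when no passphrase was configured; passed to PemReader as is.
        private char[] pemKeyPassphrase;

        private PemBuilder() {
        }

        /**
         * Sets the PEM resource holding the private key. Its stream is opened immediately.
         *
         * @param resource private key resource, must not be null
         * @return this builder
         */
        public PemBuilder key(Resource resource) {
            this.privateKeyStream.stream(resource);
            return this;
        }

        /**
         * Sets the PEM resource holding the public key. Its stream is opened immediately.
         *
         * @param resource public key resource, must not be null
         * @return this builder
         */
        public PemBuilder publicKey(Resource resource) {
            this.publicKeyStream.stream(resource);
            return this;
        }

        /**
         * Sets the passphrase of the private key. The array is copied; the internal copy is not
         * cleared by this class.
         *
         * @param cArr private key passphrase, must not be null
         * @return this builder
         * @throws NullPointerException if {@code cArr} is null
         */
        public PemBuilder keyPassphrase(char[] cArr) {
            Objects.requireNonNull(cArr, "Key passphrase must not be null");
            this.pemKeyPassphrase = Arrays.copyOf(cArr, cArr.length);
            return this;
        }

        /**
         * Sets the passphrase of the private key from a string.
         *
         * <p>Prefer {@link #keyPassphrase(char[])} where possible: a {@code String} cannot be
         * cleared from memory after use.
         *
         * @param str private key passphrase
         * @return this builder
         */
        public PemBuilder keyPassphrase(String str) {
            return keyPassphrase(str.toCharArray());
        }

        /**
         * Sets the PEM resource holding the certificate chain. Its first certificate also
         * becomes the public certificate. The stream is opened immediately.
         *
         * @param resource certificate chain resource, must not be null
         * @return this builder
         */
        public PemBuilder certChain(Resource resource) {
            this.certChainStream.stream(resource);
            return this;
        }

        /**
         * Sets the PEM resource holding certificates for {@link KeyConfig#certs()}.
         * The stream is opened immediately.
         *
         * @param resource certificates resource, must not be null
         * @return this builder
         */
        public PemBuilder certificates(Resource resource) {
            this.certificateStream.stream(resource);
            return this;
        }

        /**
         * Builds a {@link KeyConfig} from the PEM resources only.
         * (Decompiler name for the original {@code build()}.)
         *
         * @return a new key configuration
         */
        public KeyConfig m3build() {
            return toFullBuilder().m1build();
        }

        /**
         * Creates a general {@link Builder} pre-filled from the PEM resources; the resources
         * are read during this call.
         *
         * @return a new builder holding the PEM key material
         */
        public Builder toFullBuilder() {
            return updateBuilder(KeyConfig.fullBuilder());
        }

        /**
         * Reads every PEM resource that was set and copies the result into {@code builder}.
         *
         * <p>All streams are closed when this method returns, matching what
         * {@link KeystoreBuilder} does for its keystore stream.
         */
        private Builder updateBuilder(Builder builder) {
            try {
                if (this.privateKeyStream.isSet()) {
                    builder.privateKey(
                            PemReader.readPrivateKey(this.privateKeyStream.stream(), this.pemKeyPassphrase));
                }
                if (this.publicKeyStream.isSet()) {
                    builder.publicKey(PemReader.readPublicKey(this.publicKeyStream.stream()));
                }
                if (this.certChainStream.isSet()) {
                    List<X509Certificate> chain = PemReader.readCertificates(this.certChainStream.stream());
                    chain.forEach(builder::addCertChain);
                    if (!chain.isEmpty()) {
                        // The first chain entry doubles as the public certificate.
                        builder.publicKeyCert(chain.get(0));
                    }
                }
                if (this.certificateStream.isSet()) {
                    PemReader.readCertificates(this.certificateStream.stream()).forEach(builder::addCert);
                }
            } finally {
                // NOTE(review): PemReader may already close what it reads (not visible here);
                // closing again is harmless for well-behaved streams and covers failure paths.
                this.privateKeyStream.closeStream();
                this.publicKeyStream.closeStream();
                this.certChainStream.closeStream();
                this.certificateStream.closeStream();
            }
            return builder;
        }

        /**
         * Updates this builder from the {@code pem} node of the given configuration.
         *
         * <p>Keys read: {@code key.resource}, {@code key.passphrase},
         * {@code cert-chain.resource}, {@code certificates.resource}. A public key resource is
         * not read from configuration.
         *
         * <p>The passphrase is obtained from configuration as a string before being converted
         * to {@code char[]}, so it cannot be wiped from memory by this class.
         *
         * @param config configuration node that contains the {@code pem} node
         * @return this builder
         */
        public PemBuilder config(Config config) {
            Config pemConfig = config.get("pem");
            pemConfig.get("key.resource").as(Resource::create).ifPresent(this::key);
            pemConfig.get("key.passphrase").asString()
                    .map(String::toCharArray)
                    .ifPresent(this::keyPassphrase);
            pemConfig.get("cert-chain.resource").as(Resource::create).ifPresent(this::certChain);
            pemConfig.get("certificates.resource").as(Resource::create).ifPresent(this::certificates);
            return this;
        }
    }

    /**
     * Holds the input stream of one resource together with a description used in messages.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static final class StreamHolder {
        private final String baseMessage;
        private InputStream inputStream;
        private String message;

        private StreamHolder(String str) {
            this.baseMessage = str;
            this.message = str;
        }

        /**
         * Tells whether a resource stream was assigned. Stays {@code true} after
         * {@link #closeStream()}, because closing does not drop the stream reference.
         */
        private boolean isSet() {
            return this.inputStream != null;
        }

        /**
         * Closes any previous stream, then opens the stream of {@code resource} and extends the
         * message with the resource's source type and location.
         */
        private void stream(Resource resource) {
            closeStream();
            Objects.requireNonNull(resource, "Resource for \"" + this.message + "\" must not be null");
            this.inputStream = resource.stream();
            this.message += ":" + resource.sourceType() + ":" + resource.location();
        }

        private InputStream stream() {
            return this.inputStream;
        }

        private String message() {
            return this.message;
        }

        /**
         * Closes the held stream, if any, and resets the message to its base value. A failure
         * to close is logged as a warning and otherwise ignored.
         */
        private void closeStream() {
            if (this.inputStream != null) {
                try {
                    this.inputStream.close();
                } catch (IOException e) {
                    KeyConfig.LOGGER.log(Level.WARNING, "Failed to close input stream: " + this.message, e);
                }
            }
            this.message = this.baseMessage;
        }
    }

    private KeyConfig(PrivateKey privateKey, PublicKey publicKey, X509Certificate x509Certificate, Collection<X509Certificate> collection, Collection<X509Certificate> collection2) {
        this.privateKey = privateKey;
        this.publicKey = publicKey;
        this.publicCert = x509Certificate;
        // Copy into instance-owned lists so the builder's lists are not shared.
        this.certChain.addAll(collection);
        this.certificates.addAll(collection2);
    }

    /**
     * Loads a key configuration from the {@code pem} and {@code keystore} nodes of the given
     * configuration (see {@link Builder#config(Config)}).
     *
     * @param config configuration node
     * @return a new key configuration
     * @throws PkiException if a configured resource cannot be loaded
     */
    public static KeyConfig create(Config config) throws PkiException {
        try {
            return fullBuilder().config(config).m1build();
        } catch (ResourceException e) {
            throw new PkiException("Failed to load from config", e);
        }
    }

    /**
     * Creates an empty general builder.
     *
     * @return a new builder
     */
    public static Builder fullBuilder() {
        return new Builder();
    }

    /**
     * Creates a builder that reads PEM resources.
     *
     * @return a new PEM builder
     */
    public static PemBuilder pemBuilder() {
        return new PemBuilder();
    }

    /**
     * Creates a builder that reads a Java keystore.
     *
     * @return a new keystore builder
     */
    public static KeystoreBuilder keystoreBuilder() {
        return new KeystoreBuilder();
    }

    /**
     * Returns the public key, either set explicitly or taken from the public certificate.
     *
     * @return the public key, or empty if none is available
     */
    public Optional<PublicKey> publicKey() {
        return Optional.ofNullable(this.publicKey);
    }

    /**
     * Returns the private key. May be empty even for a keystore-backed configuration when the
     * default alias could not be loaded.
     *
     * @return the private key, or empty if none is available
     */
    public Optional<PrivateKey> privateKey() {
        return Optional.ofNullable(this.privateKey);
    }

    /**
     * Returns the public certificate.
     *
     * @return the public certificate, or empty if none is available
     */
    public Optional<X509Certificate> publicCert() {
        return Optional.ofNullable(this.publicCert);
    }

    /**
     * Returns the certificate chain.
     *
     * @return unmodifiable view of the chain, possibly empty
     */
    public List<X509Certificate> certChain() {
        return Collections.unmodifiableList(this.certChain);
    }

    /**
     * Returns the additional certificates (all keystore certificates in trust-store mode).
     *
     * @return unmodifiable view of the certificates, possibly empty
     */
    public List<X509Certificate> certs() {
        return Collections.unmodifiableList(this.certificates);
    }
}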
