package be.iminds.ilabt.jfed.util.library;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.inject.Singleton;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

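/**
 * A mutable set of TLS trust anchors, seeded from the JVM's system trust store (or from a
 * caller-supplied {@link KeyStore}) and extended with extra PEM certificates.
 *
 * <p>Security-relevant properties a caller should know:
 * <ul>
 *   <li>Every certificate handed to {@link #addTrustedCertificate(X509Certificate)} becomes a
 *       trust anchor. Only the validity dates are checked, once, at insertion time; there is no
 *       check that the certificate is a CA certificate and no chain validation.</li>
 *   <li>{@link #getTrustStore()} returns the live internal {@link KeyStore} and
 *       {@link #addedPems} is a public mutable list, so any holder of this object can change
 *       what is trusted.</li>
 *   <li>The keystore passwords used here ({@code "somepass"}, {@code "changeit"}) are fixed,
 *       well-known values. They only satisfy the keystore API for in-memory copies and for the
 *       system store; the integrity of the trust anchors therefore rests on who can write the
 *       trust store file and set the {@code javax.net.ssl.trustStore*} system properties.</li>
 * </ul>
 *
 * <p>Instances are not synchronized; only {@link #getSystemTrustStore()} is.
 */
@Singleton
/* loaded from: input_file:be/iminds/ilabt/jfed/util/library/JFedTrustStore.class */
public class JFedTrustStore {
    private static final Logger LOG = LoggerFactory.getLogger(JFedTrustStore.class);

    /** Prefix of the aliases under which extra trusted certificates are stored. */
    private static final String EXTRA_CERT_ALIAS_PREFIX = "extraCert";

    /** Cached system trust store; callers only ever receive copies of it. */
    private static KeyStore systemTrustStore;

    // Extra host names registered by callers. NOTE(review): presumably consulted by a hostname
    // verifier elsewhere, in which case every entry widens what is accepted; confirm with callers.
    @Nonnull
    private final Set<String> allowedServerCertificateHostnameAliases;

    @Nonnull
    private final KeyStore trustStore;

    // PEM strings already processed by the "IfNotAdded" methods. Public and mutable.
    @Nonnull
    public final List<String> addedPems;

    @Nonnull
    private final List<Certificate> extraTrustedCertificates;

    /** Thrown when a certificate is expired or not yet valid at the time it is added. */
    /* loaded from: input_file:be/iminds/ilabt/jfed/util/library/JFedTrustStore$InvalidCertificateDate.class */
    public static class InvalidCertificateDate extends Exception {
        public InvalidCertificateDate() {
        }

        public InvalidCertificateDate(String str) {
            super(str);
        }

        public InvalidCertificateDate(String str, Throwable th) {
            super(str, th);
        }

        public InvalidCertificateDate(Throwable th) {
            super(th);
        }
    }

    /** Source of a PEM certificate (chain) to trust and an optional allowed host name alias. */
    /* loaded from: input_file:be/iminds/ilabt/jfed/util/library/JFedTrustStore$TrustInfo.class */
    public interface TrustInfo {
        @Nullable
        String getCertificateChain();

        @Nullable
        String getAllowedCertificateAlias();
    }

    /** Creates a trust store holding a private copy of the system trust store. */
    public JFedTrustStore() {
        this.addedPems = new ArrayList<>();
        this.extraTrustedCertificates = new ArrayList<>();
        this.trustStore = getSystemTrustStore();
        if (this.trustStore == null) {
            throw new NullPointerException("getSystemTrustStore returned null");
        }
        this.allowedServerCertificateHostnameAliases = new HashSet<>();
    }

    /**
     * Creates a trust store from a copy of {@code keyStore}; the system trust store is not used.
     *
     * @param keyStore the key store to copy
     * @throws NullPointerException if {@code keyStore} is null
     * @throws RuntimeException if the key store cannot be copied
     */
    public JFedTrustStore(@Nonnull KeyStore keyStore) {
        this.addedPems = new ArrayList<>();
        this.extraTrustedCertificates = new ArrayList<>();
        if (keyStore == null) {
            throw new NullPointerException("trustStore may not be null");
        }
        try {
            this.trustStore = copyTrustStore(keyStore, null, null, "somepass".toCharArray());
            this.allowedServerCertificateHostnameAliases = new HashSet<>();
        } catch (Exception e) {
            throw new RuntimeException("Could not copy trust store: " + e.getMessage(), e);
        }
    }

    /**
     * Creates a copy of another trust store: its key store entries and its allowed host name
     * aliases. {@link #addedPems} and the list of extra certificates start out empty.
     *
     * @param jFedTrustStore the trust store to copy
     * @throws NullPointerException if the argument or its key store is null
     * @throws RuntimeException if the key store cannot be copied
     */
    public JFedTrustStore(@Nonnull JFedTrustStore jFedTrustStore) {
        this.addedPems = new ArrayList<>();
        this.extraTrustedCertificates = new ArrayList<>();
        if (jFedTrustStore == null) {
            throw new NullPointerException("jFedTrustStore may not be null");
        }
        if (jFedTrustStore.trustStore == null) {
            throw new NullPointerException("jFedTrustStore.trustStore may not be null");
        }
        try {
            this.trustStore = copyTrustStore(jFedTrustStore.trustStore, null, null, "somepass".toCharArray());
            this.allowedServerCertificateHostnameAliases =
                    new HashSet<>(jFedTrustStore.getAllowedServerCertificateHostnameAliases());
        } catch (Exception e) {
            throw new RuntimeException("Could not copy trust store: " + e.getMessage(), e);
        }
    }

    /**
     * Creates a trust store from the system trust store plus the certificate and alias of
     * {@code trustInfo}. An invalid or expired PEM makes construction fail.
     *
     * @param trustInfo the certificate chain and optional host name alias to trust
     */
    public JFedTrustStore(@Nonnull TrustInfo trustInfo) {
        this.addedPems = new ArrayList<>();
        this.extraTrustedCertificates = new ArrayList<>();
        this.trustStore = getSystemTrustStore();
        if (this.trustStore == null) {
            throw new NullPointerException("getSystemTrustStore() returned null");
        }
        if (trustInfo.getCertificateChain() != null) {
            addTrustedPemCertificateIfNotAdded(trustInfo.getCertificateChain());
        }
        this.allowedServerCertificateHostnameAliases = new HashSet<>();
        String alias = trustInfo.getAllowedCertificateAlias();
        // Blank aliases are ignored; a non-blank alias is stored as given (not trimmed).
        if (alias != null && !alias.trim().isEmpty()) {
            this.allowedServerCertificateHostnameAliases.add(trustInfo.getAllowedCertificateAlias());
        }
    }

    /**
     * Creates a trust store from the system trust store plus the certificates of all given
     * {@link TrustInfo}s. Invalid or expired PEMs are logged and skipped; aliases are not added.
     *
     * @param collection the trust information to add
     */
    public JFedTrustStore(@Nonnull Collection<TrustInfo> collection) {
        this.addedPems = new ArrayList<>();
        this.extraTrustedCertificates = new ArrayList<>();
        this.trustStore = getSystemTrustStore();
        if (this.trustStore == null) {
            throw new NullPointerException("getSystemTrustStore() returned null");
        }
        addAuthorityCerts(collection);
        this.allowedServerCertificateHostnameAliases = new HashSet<>();
    }

    /**
     * Adds the certificate of every entry that has one, skipping invalid or expired PEMs.
     *
     * @param collection the trust information to add
     */
    public void addAuthorityCerts(@Nonnull Collection<TrustInfo> collection) {
        for (TrustInfo trustInfo : collection) {
            if (trustInfo.getCertificateChain() != null) {
                addTrustedPemCertificateIfNotAddedAndValidPem(trustInfo.getCertificateChain());
            }
        }
    }

    /**
     * Adds the certificate of {@code trustInfo} if it has one, skipping an invalid or expired PEM.
     *
     * @param trustInfo the trust information to add
     */
    public void addAuthorityCert(@Nonnull TrustInfo trustInfo) {
        if (trustInfo.getCertificateChain() != null) {
            addTrustedPemCertificateIfNotAddedAndValidPem(trustInfo.getCertificateChain());
        }
    }

    /** @return a read-only view of the allowed server certificate host name aliases */
    @Nonnull
    public Collection<String> getAllowedServerCertificateHostnameAliases() {
        return Collections.unmodifiableCollection(this.allowedServerCertificateHostnameAliases);
    }

    /**
     * @return the live internal key store, not a copy; changes made through it change what this
     *     object trusts
     */
    @Nonnull
    public KeyStore getTrustStore() {
        return this.trustStore;
    }

    /** Registers one allowed host name alias; a null argument is ignored. */
    public void addAllowedServerCertificateHostnameAlias(@Nonnull String str) {
        if (str != null) {
            this.allowedServerCertificateHostnameAliases.add(str);
        }
    }

    /** Registers several allowed host name aliases; a null collection is ignored. */
    public void addAllowedServerCertificateHostnameAliases(@Nonnull Collection<String> collection) {
        if (collection != null) {
            this.allowedServerCertificateHostnameAliases.addAll(collection);
        }
    }

    /**
     * Adds {@code x509Certificate} as a trust anchor after checking that the current time lies
     * within its validity period. Nothing else about the certificate is verified.
     *
     * @param x509Certificate the certificate to trust
     * @throws InvalidCertificateDate if the certificate is expired or not yet valid
     * @throws RuntimeException if the key store rejects the entry
     */
    public void addTrustedCertificate(@Nonnull X509Certificate x509Certificate) throws InvalidCertificateDate {
        assert x509Certificate != null;
        Date now = new Date();
        if (x509Certificate.getNotAfter() == null || x509Certificate.getNotAfter().before(now)) {
            throw new InvalidCertificateDate("provided PEM has expired (notAfter=" + x509Certificate.getNotAfter() + "). Subject=\"" + x509Certificate.getSubjectDN() + "\"");
        }
        if (x509Certificate.getNotBefore() == null || x509Certificate.getNotBefore().after(now)) {
            throw new InvalidCertificateDate("provided PEM is not valid yet (notBefore=" + x509Certificate.getNotBefore() + "). Subject=\"" + x509Certificate.getSubjectDN() + "\"");
        }
        try {
            // setCertificateEntry replaces an existing certificate entry with the same alias.
            // A store created by the copy constructor can already hold "extraCertN" entries
            // while the local list is empty, so pick an alias that is actually free instead of
            // silently dropping a previously trusted certificate.
            int index = this.extraTrustedCertificates.size() + 1;
            while (this.trustStore.containsAlias(EXTRA_CERT_ALIAS_PREFIX + index)) {
                index++;
            }
            this.trustStore.setCertificateEntry(EXTRA_CERT_ALIAS_PREFIX + index, x509Certificate);
            // Record the certificate only once the key store has accepted it.
            this.extraTrustedCertificates.add(x509Certificate);
        } catch (KeyStoreException e) {
            LOG.error("Error while creating adding certificate to trust store", e);
            throw new RuntimeException("Could not add certificate to trust store: " + e.getMessage(), e);
        }
    }

    /**
     * Parses {@code str} as a PEM certificate and adds it as a trust anchor.
     *
     * @param str the PEM text
     * @throws RuntimeException if the PEM cannot be parsed or the certificate is expired or not
     *     yet valid
     */
    public void addTrustedPemCertificate(@Nonnull String str) {
        assert str != null;
        X509Certificate certificate = KeyUtil.pemToX509Certificate(str);
        if (certificate == null) {
            throw new RuntimeException("provided PEM is not a valid certificate: \"" + str + "\"");
        }
        try {
            addTrustedCertificate(certificate);
        } catch (InvalidCertificateDate e) {
            // Raised for "not yet valid" as well as "expired"; the detail is in e.getMessage().
            // The cause is kept so the original stack trace is not lost.
            throw new RuntimeException("provided PEM is an expired certificate: \"" + str + "\" " + e.getMessage(), e);
        }
    }

    /**
     * Adds the PEM certificate unless the same PEM string was added before. Fails like
     * {@link #addTrustedPemCertificate(String)} on an invalid or expired PEM.
     *
     * @param str the PEM text
     */
    public void addTrustedPemCertificateIfNotAdded(@Nonnull String str) {
        assert str != null;
        if (this.addedPems.contains(str)) {
            return;
        }
        addTrustedPemCertificate(str);
        // Recorded only after success: a PEM that was rejected must not be reported as added,
        // and a later retry must not be silently treated as already done.
        this.addedPems.add(str);
    }

    /**
     * Lenient variant of {@link #addTrustedPemCertificateIfNotAdded(String)}: an unparsable PEM
     * or a certificate outside its validity period is logged and skipped instead of failing.
     *
     * @param str the PEM text
     */
    public void addTrustedPemCertificateIfNotAddedAndValidPem(@Nonnull String str) {
        assert str != null;
        if (this.addedPems.contains(str)) {
            return;
        }
        X509Certificate certificate = KeyUtil.pemToX509Certificate(str);
        if (certificate == null) {
            LOG.warn("Invalid PEM ignored");
            return;
        }
        // Recorded before the date check, so a PEM rejected for its dates is not parsed and
        // logged again on every call. NOTE(review): this also means a not-yet-valid certificate
        // is never retried through this method; confirm that is intended.
        this.addedPems.add(str);
        try {
            addTrustedCertificate(certificate);
        } catch (InvalidCertificateDate e) {
            LOG.warn("Expired PEM ignored: " + e.getMessage());
        }
    }

    /**
     * Merges the entries, allowed host name aliases, added PEMs and extra certificates of another
     * trust store into this one.
     *
     * <p>An alias that already exists here is skipped without comparing the entries, so a
     * different certificate stored under the same alias in the other store is not merged into
     * the key store, although it is still appended to the list of extra certificates.
     *
     * @param jFedTrustStore the trust store to merge in
     * @throws NullPointerException if the argument or its key store is null
     * @throws RuntimeException if reading or writing a key store entry fails
     */
    public void add(@Nonnull JFedTrustStore jFedTrustStore) {
        if (jFedTrustStore == null) {
            throw new NullPointerException("other may not be null");
        }
        if (jFedTrustStore.trustStore == null) {
            throw new NullPointerException("other.trustStore may not be null");
        }
        KeyStore other = jFedTrustStore.trustStore;
        try {
            Enumeration<String> aliases = other.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (this.trustStore.containsAlias(alias)) {
                    LOG.info("Skipping duplicate alias " + alias);
                    continue;
                }
                Certificate certificate = other.getCertificate(alias);
                // Keys are requested and stored with a null password.
                Key key = other.getKey(alias, null);
                Certificate[] certificateChain = other.getCertificateChain(alias);
                if (certificate != null && key == null && certificateChain == null) {
                    // Plain trusted-certificate entry.
                    this.trustStore.setCertificateEntry(alias, certificate);
                } else if (key == null || certificateChain == null) {
                    LOG.warn("While merging KeyStore " + (key == null ? "key==null" : "") + " " + (certificateChain == null ? "certs==null" : "") + " " + (certificate == null ? "cert==null" : "") + " for alias=" + alias);
                } else {
                    this.trustStore.setKeyEntry(alias, key, null, certificateChain);
                }
            }
            this.allowedServerCertificateHostnameAliases.addAll(jFedTrustStore.getAllowedServerCertificateHostnameAliases());
            this.addedPems.addAll(jFedTrustStore.addedPems);
            this.extraTrustedCertificates.addAll(jFedTrustStore.extraTrustedCertificates);
        } catch (Exception e) {
            throw new RuntimeException("Failed to merge KeyStores", e);
        }
    }

    /**
     * Returns a fresh copy of the system trust store, loading and caching the original on first
     * use.
     *
     * <p>The file is taken from the {@code javax.net.ssl.trustStore} system property, else
     * {@code <java.home>/lib/security/jssecacerts}, else {@code <java.home>/lib/security/cacerts}.
     * The password comes from {@code javax.net.ssl.trustStorePassword}, defaulting to
     * {@code "changeit"}. Whoever can set these properties or write these files decides which
     * authorities are trusted.
     *
     * @return a copy of the system trust store, never the cached instance itself
     * @throws RuntimeException if no trust store file is found, or loading or copying fails
     */
    public static synchronized KeyStore getSystemTrustStore() {
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        if (password == null) {
            password = "changeit";
        }
        if (systemTrustStore != null) {
            try {
                return copyTrustStore(systemTrustStore, password.toCharArray(), null, password.toCharArray());
            } catch (Exception e) {
                LOG.error("Failed to copy system trust store", e);
                throw new RuntimeException("Failed to copy system trust store", e);
            }
        }
        String jssecacertsPath = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "jssecacerts";
        String cacertsPath = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts";
        String trustStorePath = System.getProperty("javax.net.ssl.trustStore");
        if (trustStorePath == null) {
            trustStorePath = jssecacertsPath;
            if (!new File(trustStorePath).exists()) {
                trustStorePath = cacertsPath;
            }
            if (!new File(trustStorePath).exists()) {
                throw new RuntimeException("Could not find any system trust store!");
            }
        }
        try {
            KeyStore loaded = KeyStore.getInstance(KeyStore.getDefaultType());
            // try-with-resources: the stream is closed even when load() fails.
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                loaded.load(in, password.toCharArray());
            }
            // Publish to the cache only after a complete, successful load.
            systemTrustStore = loaded;
            try {
                return copyTrustStore(systemTrustStore, password.toCharArray(), null, password.toCharArray());
            } catch (Exception copyFailure) {
                LOG.error("Could not copy the found system trust store.", copyFailure);
                throw new RuntimeException("Could not copy the found system trust store.", copyFailure);
            }
        } catch (Exception loadFailure) {
            LOG.error("ERROR loading system trust store: " + loadFailure.getMessage(), loadFailure);
            LOG.error("  Normally, the trust store is at one of these locations:\n   - <JAVA_HOME>/lib/security/jssecacerts => \"" + jssecacertsPath + "\"\n   - <JAVA_HOME>/lib/security/cacerts => \"" + cacertsPath + "\"\n");
            LOG.error("  You can use another by setting the system property \"javax.net.ssl.trustStore\"");
            LOG.error("  You can specify a non default password with \"javax.net.ssl.trustStorePassword\" (default pass is \"changeit\")");
            // Drop the cache so the next call retries the load from disk.
            systemTrustStore = null;
            throw new RuntimeException("Cannot locate and load system trust store: " + loadFailure.getMessage(), loadFailure);
        }
    }

    /**
     * Copies a trust store; delegates to {@link #copyKeyStore(KeyStore, char[], char[], char[])}.
     *
     * @param keyStore the store to copy
     * @param cArr unused
     * @param cArr2 unused
     * @param cArr3 password used to serialize the original and to load the copy
     * @return an independent copy of type {@code "jks"}
     */
    public static KeyStore copyTrustStore(@Nonnull KeyStore keyStore, @Nullable char[] cArr, @Nullable char[] cArr2, @Nullable char[] cArr3) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, IOException, CertificateException {
        return copyKeyStore(keyStore, cArr, cArr2, cArr3);
    }

    /**
     * Copies a key store by serializing it to memory and loading the bytes into a new
     * {@code "jks"} key store, whatever the type of the original.
     *
     * @param keyStore the store to copy
     * @param cArr unused
     * @param cArr2 unused
     * @param cArr3 password used both to serialize the original and to load the copy
     * @return an independent copy of {@code keyStore}
     * @throws NullPointerException if {@code keyStore} is null
     */
    public static KeyStore copyKeyStore(@Nonnull KeyStore keyStore, @Nullable char[] cArr, @Nullable char[] cArr2, @Nullable char[] cArr3) throws KeyStoreException, NoSuchAlgorithmException, IOException, CertificateException {
        if (keyStore == null) {
            throw new NullPointerException("origKeyStore may not be null");
        }
        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        keyStore.store(serialized, cArr3);
        KeyStore copy = KeyStore.getInstance("jks");
        copy.load(new ByteArrayInputStream(serialized.toByteArray()), cArr3);
        return copy;
    }
}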
