package org.keycloak.infinispan.module.certificates;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import org.jboss.logging.Logger;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.KeystoreUtil;

/* loaded from: input_file:org/keycloak/infinispan/module/certificates/JGroupsCertificateHolder.class */
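/**
 * Holds the certificate/private key the local node presents on JGroups (cluster transport) TLS
 * connections, together with a reloadable key manager and trust manager built from it.
 *
 * <p>The trust store handed to the trust manager contains only the cluster certificate(s) managed
 * here (see {@link #createTrustManager}), so peers are accepted only when their chain anchors at
 * one of those entries. During a rotation ({@link #useCertificate}) the previous and the new
 * certificate are both trusted, so nodes that have not rotated yet stay connected.
 *
 * <p>Thread-safety: {@link #getCertificateInUse()} may be called from any thread. The rotation
 * path is not synchronized; NOTE(review): concurrent {@link #useCertificate} callers could leave
 * key manager, trust manager and {@link #certificate} referring to different certificates —
 * confirm callers serialize rotations.
 */
public class JGroupsCertificateHolder {
    private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass());
    // Password protecting the private key inside the in-memory KeyStore built by createKeyManager.
    // That store is never persisted and is only consumed by KeyManagerFactory in this JVM, so this
    // constant is a JCA formality rather than a secret.
    private static final char[] KEY_PASSWORD = "jgroups-password".toCharArray();
    // volatile so readers observe the most recently installed certificate without locking.
    private volatile JGroupsCertificate certificate;
    private final ReloadingX509ExtendedKeyManager keyManager;
    private final ReloadingX509ExtendedTrustManager trustManager;

    private JGroupsCertificateHolder(ReloadingX509ExtendedKeyManager keyManager,
                                     ReloadingX509ExtendedTrustManager trustManager,
                                     JGroupsCertificate certificate) {
        this.keyManager = keyManager;
        this.trustManager = trustManager;
        this.certificate = certificate;
    }

    /**
     * Creates a holder for the given certificate, building the initial key and trust managers.
     *
     * @param jGroupsCertificate the certificate (alias, private key, X.509 certificate) to use
     * @return a holder whose managers present and trust {@code jGroupsCertificate}
     * @throws GeneralSecurityException if the key store or a manager cannot be initialised
     * @throws IOException              if loading the empty key store fails
     * @throws NullPointerException     if {@code jGroupsCertificate} is {@code null}
     */
    public static JGroupsCertificateHolder create(JGroupsCertificate jGroupsCertificate) throws GeneralSecurityException, IOException {
        Objects.requireNonNull(jGroupsCertificate);
        X509ExtendedKeyManager initialKeyManager = createKeyManager(jGroupsCertificate);
        // No previous certificate at start-up, so only the new one becomes trusted.
        X509ExtendedTrustManager initialTrustManager = createTrustManager(null, jGroupsCertificate);
        logCertificate("Using JGroups certificate (serial: %s). Valid until %s", jGroupsCertificate);
        return new JGroupsCertificateHolder(
                new ReloadingX509ExtendedKeyManager(initialKeyManager),
                new ReloadingX509ExtendedTrustManager(initialTrustManager),
                jGroupsCertificate);
    }

    /**
     * Returns the certificate currently installed in the key manager.
     *
     * @return the certificate in use; never {@code null} once constructed via {@link #create}
     */
    public JGroupsCertificate getCertificateInUse() {
        return this.certificate;
    }

    /**
     * Rotates to {@code jGroupsCertificate}: the key manager starts presenting it and the trust
     * manager trusts both the previous and the new certificate.
     *
     * <p>Rotation is skipped when the alias equals the alias already in use. NOTE(review): this
     * relies on the alias identifying the certificate; a re-issued certificate under an unchanged
     * alias would not be installed — confirm aliases are unique per certificate.
     *
     * @param jGroupsCertificate the certificate to switch to
     * @throws GeneralSecurityException if the key store or a manager cannot be initialised
     * @throws IOException              if loading the empty key store fails
     * @throws NullPointerException     if {@code jGroupsCertificate} is {@code null}
     */
    public void useCertificate(JGroupsCertificate jGroupsCertificate) throws GeneralSecurityException, IOException {
        Objects.requireNonNull(jGroupsCertificate);
        // Read the volatile field once so the alias check, the log line and the trust store all
        // refer to the same previous certificate even if the field changes concurrently.
        JGroupsCertificate previous = this.certificate;
        if (previous != null && Objects.equals(jGroupsCertificate.getAlias(), previous.getAlias())) {
            return;
        }
        logCertificate("Using JGroups certificate (serial: %s). Valid until %s", jGroupsCertificate);
        if (previous != null) {
            logCertificate("Old JGroups certificate (serial: %s). Valid until %s", previous);
        }
        X509ExtendedKeyManager newKeyManager = createKeyManager(jGroupsCertificate);
        // Keep trusting the previous certificate so peers still presenting it are not cut off mid-rotation.
        X509ExtendedTrustManager newTrustManager = createTrustManager(previous, jGroupsCertificate);
        this.keyManager.reload(newKeyManager);
        this.trustManager.reload(newTrustManager);
        this.certificate = jGroupsCertificate;
    }

    /**
     * @return the reloadable key manager; the same instance survives rotations
     */
    public X509ExtendedKeyManager keyManager() {
        return this.keyManager;
    }

    /**
     * @return the reloadable trust manager; the same instance survives rotations
     */
    public X509ExtendedTrustManager trustManager() {
        return this.trustManager;
    }

    /**
     * Registers a callback with the trust manager; delegated verbatim to
     * {@code ReloadingX509ExtendedTrustManager#setExceptionHandler}.
     *
     * @param runnable the handler to install
     */
    public void setExceptionHandler(Runnable runnable) {
        this.trustManager.setExceptionHandler(runnable);
    }

    /** Emits a debug line with the serial number and expiry of {@code cert} using {@code format}. */
    private static void logCertificate(String format, JGroupsCertificate cert) {
        X509Certificate x509 = cert.getCertificate();
        logger.debugf(format, x509.getSerialNumber(), x509.getNotAfter());
    }

    /**
     * Builds an empty, in-memory {@link KeyStore} of the first type supported by the configured
     * crypto provider.
     *
     * @throws RuntimeException if the provider reports no supported key store types
     */
    private static KeyStore newInMemoryKeyStore() throws GeneralSecurityException, IOException {
        KeystoreUtil.KeystoreFormat format = (KeystoreUtil.KeystoreFormat) CryptoIntegration.getProvider()
                .getSupportedKeyStoreTypes()
                .findFirst()
                .orElseThrow(() -> new RuntimeException("No supported keystore types found"));
        KeyStore keyStore = CryptoIntegration.getProvider().getKeyStore(format);
        // null stream/password: create an empty store rather than reading one from disk.
        keyStore.load(null, null);
        return keyStore;
    }

    /**
     * Builds a key manager presenting {@code jGroupsCertificate}'s private key and certificate.
     *
     * @throws GeneralSecurityException if no {@link X509ExtendedKeyManager} is produced
     */
    private static X509ExtendedKeyManager createKeyManager(JGroupsCertificate jGroupsCertificate) throws GeneralSecurityException, IOException {
        KeyStore keyStore = newInMemoryKeyStore();
        keyStore.setKeyEntry(jGroupsCertificate.getAlias(), jGroupsCertificate.getPrivateKey(), KEY_PASSWORD,
                new Certificate[]{jGroupsCertificate.getCertificate()});
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, KEY_PASSWORD);
        for (KeyManager candidate : keyManagerFactory.getKeyManagers()) {
            if (candidate instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) candidate;
            }
        }
        throw new GeneralSecurityException("Could not obtain an X509ExtendedKeyManager");
    }

    /**
     * Builds a trust manager whose trust store holds only the given certificate(s) as trusted
     * entries: {@code previous} (when non-null, i.e. during a rotation) and {@code current}.
     * Both are stored under their own alias; {@link #useCertificate} guarantees the aliases differ.
     *
     * @param previous the certificate being rotated out, or {@code null}
     * @param current  the certificate being rotated in
     * @throws GeneralSecurityException if no {@link X509ExtendedTrustManager} is produced
     */
    private static X509ExtendedTrustManager createTrustManager(JGroupsCertificate previous, JGroupsCertificate current) throws GeneralSecurityException, IOException {
        KeyStore keyStore = newInMemoryKeyStore();
        if (previous != null) {
            addCertificateEntry(keyStore, previous);
        }
        addCertificateEntry(keyStore, current);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        for (TrustManager candidate : trustManagerFactory.getTrustManagers()) {
            if (candidate instanceof X509ExtendedTrustManager) {
                return (X509ExtendedTrustManager) candidate;
            }
        }
        // Message names the type actually required above.
        throw new GeneralSecurityException("Could not obtain an X509ExtendedTrustManager");
    }

    /** Adds {@code jGroupsCertificate}'s X.509 certificate to {@code keyStore} as a trusted entry under its alias. */
    private static void addCertificateEntry(KeyStore keyStore, JGroupsCertificate jGroupsCertificate) throws KeyStoreException {
        keyStore.setCertificateEntry(jGroupsCertificate.getAlias(), jGroupsCertificate.getCertificate());
    }
}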
