package tigase.io;

import java.io.CharArrayReader;
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.derby.shared.common.reference.DRDAConstants;
import org.apache.derby.shared.common.reference.Property;
import tigase.cert.CertificateEntry;
import tigase.cert.CertificateUtil;
import tigase.db.comp.RepositoryChangeListenerIfc;
import tigase.db.jdbc.TigaseCustomAuth;
import tigase.eventbus.EventBus;
import tigase.eventbus.EventBusEvent;
import tigase.eventbus.EventBusFactory;
import tigase.eventbus.HandleEvent;
import tigase.io.repo.CertificateItem;
import tigase.io.repo.CertificateRepository;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.Initializable;
import tigase.kernel.beans.Inject;
import tigase.kernel.beans.RegistrarBean;
import tigase.kernel.beans.UnregisterAware;
import tigase.kernel.beans.config.ConfigField;
import tigase.kernel.core.Kernel;

@Bean(name = "certificate-container", parent = Kernel.class, active = true, exportable = true)
/* loaded from: input_file:tigase/io/CertificateContainer.class */
public class CertificateContainer implements CertificateContainerIfc, Initializable, UnregisterAware, RegistrarBean, RepositoryChangeListenerIfc<CertificateItem> {
    /** Config-key prefix for per-virtual-host certificate paths; the alias is the remainder of the key (see findPredefinedCertificates). */
    public static final String PER_DOMAIN_CERTIFICATE_KEY = "virt-hosts-cert-";
    /** Config key that switches SNI-based certificate selection off (see getKeyManagers). */
    public static final String SNI_DISABLE_KEY = "sni-disable";
    private static final Logger log = Logger.getLogger(CertificateContainer.class.getCanonicalName());
    private static final EventBus eventBus = EventBusFactory.getInstance();

    // Optional. When present, certificates are read from the repository instead of the local filesystem.
    @Inject(nullAllowed = true)
    CertificateRepository repository;
    // alias (or a CN / alt name taken from the certificate) -> parsed certificate entry
    private Map<String, CertificateEntry> cens = new ConcurrentSkipListMap();

    // alias -> path of a PEM file, installed by loadPredefinedCertificates
    @ConfigField(desc = "Custom certificates", alias = "custom-certificates")
    private Map<String, String> customCerts = new HashMap();

    @ConfigField(desc = "Alias for default certificate", alias = SSLContextContainerIfc.DEFAULT_DOMAIN_CERT_KEY)
    private String def_cert_alias = "default";
    // First existing directory of sslCertsLocation; PEM files written by storeCertificateToFile go here.
    // Stays null when a repository is used (not set on that code path).
    private File defaultCertDirectory = null;
    // Subject fields used for auto-generated self-signed certificates (createCertificateKmf).
    private String email = "admin@tigase.org";
    // Zero-length password for the in-memory key stores built in getKeyManagerFactory and loadTrustedCerts.
    private char[] emptyPass = new char[0];
    // alias (or a CN / alt name taken from the certificate) -> key manager factory backed by a single-entry KeyStore
    private Map<String, KeyManagerFactory> kmfs = new ConcurrentSkipListMap();
    // The single SNI-aware key manager handed out by getKeyManagers(null) while SNI is enabled.
    private KeyManager[] kms = {new SniKeyManager()};
    private String o = "Tigase.org";
    private String ou = "XMPP Service";

    @ConfigField(desc = "Remove root CA (efectively self-signed) certificate from chain")
    private boolean removeRootCACertificate = true;

    @ConfigField(desc = "Disable SNI support", alias = SNI_DISABLE_KEY)
    private boolean sniDisable = false;

    @ConfigField(desc = "Location of server SSL certificates", alias = SSLContextContainerIfc.SERVER_CERTS_LOCATION_KEY)
    private String[] sslCertsLocation = {SSLContextContainerIfc.SERVER_CERTS_LOCATION_VAL};
    // NOTE(review): FakeTrustManager's check*Trusted methods are no-ops, so the trust managers returned by
    // getTrustManagers() accept any peer certificate; presumably peer verification happens elsewhere — confirm
    // before relying on them.
    private X509TrustManager[] tms = {new FakeTrustManager()};
    // Filled asynchronously by loadTrustedCerts on a thread started from init()/initialize().
    private KeyStore trustKeyStore = null;

    @ConfigField(desc = "Location of trusted certificates", alias = SSLContextContainerIfc.TRUSTED_CERTS_DIR_KEY)
    private String[] trustedCertsDir = {SSLContextContainerIfc.TRUSTED_CERTS_DIR_VAL};

    /* loaded from: input_file:tigase/io/CertificateContainer$CertificateChange.class */
    /**
     * Cluster-wide notification that a certificate was installed under an alias. It carries the PEM
     * text itself so that every receiving node can install the same material (the parsing code
     * reads a private key out of it, so the text may include key material). {@link #isLocal()} is
     * {@code true} only on the node that created the event; the flag is transient, so a deserialized
     * copy always reports {@code false}.
     */
    public static class CertificateChange implements Serializable, EventBusEvent {
        private String alias;
        private transient boolean local = false;
        private String pemCert;
        private boolean saveToDisk;

        /** No-arg constructor for deserialization; such an instance is treated as remote. */
        public CertificateChange() {
        }

        /**
         * Creates a locally originated event.
         *
         * @param str  alias the certificate is registered under
         * @param str2 PEM text of the certificate
         * @param z    whether receivers should persist the certificate
         */
        public CertificateChange(String str, String str2, boolean z) {
            alias = str;
            pemCert = str2;
            saveToDisk = z;
            local = true;
        }

        /** Alias the certificate is registered under. */
        public String getAlias() {
            return alias;
        }

        /** PEM text as supplied to the constructor. */
        public String getPemCertificate() {
            return pemCert;
        }

        /** {@code true} only for the instance created on this node. */
        public boolean isLocal() {
            return local;
        }

        /** Whether receivers should persist the certificate. */
        public boolean isSaveToDisk() {
            return saveToDisk;
        }
    }

    /* loaded from: input_file:tigase/io/CertificateContainer$CertificateChanged.class */
    /**
     * In-process notification that the certificate stored under {@code alias} now covers
     * {@code domains}. Being a non-static inner class, every instance keeps a reference to its
     * enclosing CertificateContainer.
     */
    public class CertificateChanged implements EventBusEvent {
        Set<String> domains = new ConcurrentSkipListSet<String>();
        private String alias;

        /**
         * @param str alias the certificate was registered under
         * @param set names taken from the certificate; {@code null} is treated as an empty set
         */
        public CertificateChanged(String str, Set<String> set) {
            alias = str;
            if (set == null) {
                return;
            }
            domains.addAll(set);
        }

        /** Alias the certificate was registered under. */
        public String getAlias() {
            return alias;
        }

        /** The live, mutable set of names (not a defensive copy). */
        public Set<String> getDomains() {
            return domains;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:tigase/io/CertificateContainer$FakeTrustManager.class */
    /**
     * Trust manager that performs no verification: both {@code check*Trusted} methods return without
     * inspecting the chain, so any peer certificate is accepted. The only data it carries is the
     * issuer array reported by {@link #getAcceptedIssuers()}.
     */
    public static class FakeTrustManager implements X509TrustManager {
        private final X509Certificate[] issuers;

        /** Accepts everything and reports no issuers. */
        FakeTrustManager() {
            this(new X509Certificate[] {});
        }

        /** Accepts everything; the given array is returned as-is by {@link #getAcceptedIssuers()}. */
        FakeTrustManager(X509Certificate[] x509CertificateArr) {
            issuers = x509CertificateArr;
        }

        /** Deliberately empty: the client chain is not validated here. */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            // no verification performed
        }

        /** Deliberately empty: the server chain is not validated here. */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            // no verification performed
        }

        /** The issuer array supplied at construction (empty for the no-arg constructor). */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return issuers;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:tigase/io/CertificateContainer$PEMFileFilter.class */
    /**
     * Accepts regular files whose name ends in one of the exact suffixes .pem/.PEM, .crt/.CRT or
     * .cer/.CER (mixed-case variants such as ".Pem" are not accepted). Used when scanning
     * certificate and trusted-certificate directories.
     */
    public class PEMFileFilter implements FileFilter {
        private PEMFileFilter() {
        }

        @Override
        public boolean accept(File file) {
            if (!file.isFile()) {
                return false;
            }
            String name = file.getName();
            for (String suffix : new String[] {".pem", ".PEM", ".crt", ".CRT", ".cer", ".CER"}) {
                if (name.endsWith(suffix)) {
                    return true;
                }
            }
            return false;
        }
    }

    /* loaded from: input_file:tigase/io/CertificateContainer$SniKeyManager.class */
    /**
     * Key manager that selects the server certificate by the SNI host name requested by the client.
     * Only the server side is implemented; the client-side methods return {@code null}. Alias lookups
     * fall back to the default alias and, when even that is missing, ask createCertificateKmf to
     * generate a self-signed certificate (which addCertificateEntry also persists), so a lookup can
     * have the side effect of creating and storing a certificate.
     */
    private class SniKeyManager extends X509ExtendedKeyManager {
        private SniKeyManager() {
        }

        /** Not a client key manager: always {@code null}. */
        @Override // javax.net.ssl.X509KeyManager
        public String[] getClientAliases(String str, Principal[] principalArr) {
            return null;
        }

        /** Not a client key manager: always {@code null}. */
        @Override // javax.net.ssl.X509KeyManager
        public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
            return null;
        }

        /** Every alias currently known to the container; key type and issuers are ignored. */
        @Override // javax.net.ssl.X509KeyManager
        public String[] getServerAliases(String str, Principal[] principalArr) {
            Set<String> keySet = CertificateContainer.this.kmfs.keySet();
            return (String[]) keySet.toArray(new String[keySet.size()]);
        }

        /**
         * Socket-based selection from the SNI names of the socket's session; a non-SSL socket yields
         * {@code null}. The session is cast to ExtendedSSLSession, which SunJSSE sessions implement.
         */
        @Override // javax.net.ssl.X509KeyManager
        public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
            if (socket instanceof SSLSocket) {
                return chooseServerAlias((ExtendedSSLSession) ((SSLSocket) socket).getSession());
            }
            return null;
        }

        /**
         * Engine-based selection from the in-progress handshake session.
         * NOTE(review): getHandshakeSession() may return null when no handshake is in progress; that
         * case is not guarded here and would fail inside chooseServerAlias(ExtendedSSLSession) — confirm callers.
         */
        @Override // javax.net.ssl.X509ExtendedKeyManager
        public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
            return chooseServerAlias((ExtendedSSLSession) sSLEngine.getHandshakeSession());
        }

        /**
         * Returns the certificate chain for an alias. Resolution: a {@code null} alias means the default
         * alias; an alias without a factory also falls back to the default alias; if the default has no
         * factory either, createCertificateKmf generates (and saves) a self-signed certificate for it.
         * Generation failures are logged and yield {@code null}. The chain is read from the first key
         * manager of the factory, using the possibly replaced alias.
         */
        @Override // javax.net.ssl.X509KeyManager
        public X509Certificate[] getCertificateChain(String str) {
            if (str == null) {
                str = CertificateContainer.this.def_cert_alias;
            }
            KeyManagerFactory keyManagerFactory = (KeyManagerFactory) SSLContextContainerAbstract.find(CertificateContainer.this.kmfs, str);
            if (keyManagerFactory == null) {
                str = CertificateContainer.this.def_cert_alias;
                // NOTE(review): this lookup goes through SSLContextContainer.find while the one above uses
                // SSLContextContainerAbstract.find; presumably the same inherited static helper — confirm.
                keyManagerFactory = (KeyManagerFactory) SSLContextContainer.find(CertificateContainer.this.kmfs, str);
            }
            if (keyManagerFactory == null) {
                try {
                    // side effect: creates and persists a self-signed certificate for the default alias
                    keyManagerFactory = CertificateContainer.this.createCertificateKmf(str);
                } catch (Exception e) {
                    if (CertificateContainer.log.isLoggable(Level.FINEST)) {
                        CertificateContainer.log.log(Level.FINEST, "Failed to create certificate for alias: " + str, (Throwable) e);
                    }
                    CertificateContainer.log.log(Level.WARNING, "Failed to create certificate for alias: " + str);
                }
            }
            if (keyManagerFactory != null) {
                return ((X509KeyManager) keyManagerFactory.getKeyManagers()[0]).getCertificateChain(str);
            }
            return null;
        }

        /**
         * Same alias resolution (and the same certificate-generating fallback) as
         * {@link #getCertificateChain(String)}, returning the private key instead of the chain.
         */
        @Override // javax.net.ssl.X509KeyManager
        public PrivateKey getPrivateKey(String str) {
            if (str == null) {
                str = CertificateContainer.this.def_cert_alias;
            }
            KeyManagerFactory keyManagerFactory = (KeyManagerFactory) SSLContextContainerAbstract.find(CertificateContainer.this.kmfs, str);
            if (keyManagerFactory == null) {
                str = CertificateContainer.this.def_cert_alias;
                keyManagerFactory = (KeyManagerFactory) SSLContextContainer.find(CertificateContainer.this.kmfs, str);
            }
            if (keyManagerFactory == null) {
                try {
                    keyManagerFactory = CertificateContainer.this.createCertificateKmf(str);
                } catch (Exception e) {
                    if (CertificateContainer.log.isLoggable(Level.FINEST)) {
                        CertificateContainer.log.log(Level.FINEST, "Failed to create certificate for alias: " + str, (Throwable) e);
                    }
                    CertificateContainer.log.log(Level.WARNING, "Failed to create certificate for alias: " + str);
                }
            }
            if (keyManagerFactory != null) {
                return ((X509KeyManager) keyManagerFactory.getKeyManagers()[0]).getPrivateKey(str);
            }
            return null;
        }

        /**
         * Picks the first requested SNI name of type host_name (type 0, StandardConstants.SNI_HOST_NAME)
         * and returns it as the alias when a chain and a key resolve for it; otherwise the default alias.
         * Because getCertificateChain/getPrivateKey fall back to the default certificate themselves, the
         * SNI name is normally returned even when no certificate specific to that name exists.
         */
        private String chooseServerAlias(ExtendedSSLSession extendedSSLSession) {
            String str = null;
            Iterator<SNIServerName> it = extendedSSLSession.getRequestedServerNames().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                SNIServerName next = it.next();
                if (next.getType() == 0) {
                    str = ((SNIHostName) next).getAsciiName();
                    break;
                }
            }
            return (str == null || getCertificateChain(str) == null || getPrivateKey(str) == null) ? CertificateContainer.this.def_cert_alias : str;
        }
    }

    /**
     * Collects every name a certificate carries: its subject CN (when present) plus the alternative
     * names reported by CertificateUtil.getCertAltCName.
     *
     * @param certificate any certificate; a non-X.509 certificate contributes no names
     * @return a sorted set of names, possibly empty, never {@code null}
     */
    private static Set<String> getAllCNames(Certificate certificate) {
        Set<String> names = new TreeSet<String>();
        if (!(certificate instanceof X509Certificate)) {
            return names;
        }
        X509Certificate x509 = (X509Certificate) certificate;
        String commonName = CertificateUtil.getCertCName(x509);
        if (commonName != null) {
            names.add(commonName);
        }
        names.addAll(CertificateUtil.getCertAltCName(x509));
        return names;
    }

    /**
     * Kernel setter for the optional certificate repository. A non-null repository is announced at
     * INFO level because it replaces loading from the local filesystem (see initialize()).
     *
     * @param certificateRepository repository to use, or {@code null} for filesystem mode
     */
    public void setRepository(CertificateRepository certificateRepository) {
        boolean configured = certificateRepository != null;
        if (configured) {
            log.log(Level.INFO, "CertificateRepository configured! No certificate will be loaded from the local filesystem!");
        }
        repository = certificateRepository;
    }

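    /**
     * Installs a certificate described by a settings map (alias, PEM text, flags) and notifies the
     * cluster about it. With the "default domain" flag set, the same PEM is additionally installed
     * under the default alias. A map without PEM text is accepted and does nothing.
     *
     * @param map settings: CERT_ALIAS_KEY (required), "pem-certificate", CERT_SAVE_TO_DISK_KEY and
     *            DEFAULT_DOMAIN_CERT_KEY (flags compared case-insensitively against
     *            ALLOW_SELF_SIGNED_CERTS_VAL — presumably the literal "true"; the constant name is a
     *            decompiler substitution of an equal value)
     * @throws IllegalArgumentException if no alias is given (a RuntimeException, as before, so existing
     *                                  catch blocks keep working)
     * @throws CertificateParsingException if the PEM text cannot be parsed or installed
     */
    @Override
    public void addCertificates(Map<String, String> map) throws CertificateParsingException {
        String alias = map.get(SSLContextContainerIfc.CERT_ALIAS_KEY);
        if (alias == null) {
            throw new IllegalArgumentException("Certificate alias must be specified");
        }
        String pem = map.get("pem-certificate");
        if (pem == null) {
            return;
        }
        String saveFlag = map.get(SSLContextContainerIfc.CERT_SAVE_TO_DISK_KEY);
        boolean saveToDisk = saveFlag != null && saveFlag.equalsIgnoreCase(SSLContextContainerIfc.ALLOW_SELF_SIGNED_CERTS_VAL);
        String defaultFlag = map.get(SSLContextContainerIfc.DEFAULT_DOMAIN_CERT_KEY);
        boolean alsoDefault = defaultFlag != null && defaultFlag.equalsIgnoreCase(SSLContextContainerIfc.ALLOW_SELF_SIGNED_CERTS_VAL);
        // notifyCluster=true: other nodes receive a CertificateChange carrying the PEM text
        addCertificate(alias, pem, saveToDisk, true);
        if (alsoDefault) {
            addCertificate(this.def_cert_alias, pem, saveToDisk, true);
        }
    }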

    /**
     * Generates a self-signed certificate for {@code str}, installs it (createCertificateKmf also
     * persists it) and returns its key managers. Logged at WARNING because an auto-generated
     * certificate is a fallback, not a configured one.
     *
     * @param str domain the certificate is issued for and registered under
     * @return key managers of the factory built for the new certificate
     */
    @Override
    public KeyManager[] createCertificate(String str) throws NoSuchAlgorithmException, CertificateException, SignatureException, NoSuchProviderException, InvalidKeyException, IOException, UnrecoverableKeyException, KeyStoreException {
        KeyManagerFactory factory = createCertificateKmf(str);
        log.log(Level.WARNING, "Auto-generated certificate for domain: {0}", str);
        return factory.getKeyManagers();
    }

    /** Alias under which the fallback ("default") certificate is registered. */
    @Override
    public String getDefCertAlias() {
        return def_cert_alias;
    }

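    /**
     * Looks up the parsed certificate entry for an alias or host name.
     *
     * @param str alias or host name; {@code null} selects the default certificate. The name is
     *            lower-cased with {@link Locale#ROOT} so the lookup does not depend on the JVM's default
     *            locale (e.g. the Turkish dotless-i rule would otherwise turn "I" into a non-ASCII character).
     * @return whatever SSLContextContainerAbstract.find yields for the key (presumably {@code null} when
     *         nothing matches)
     */
    @Override
    public CertificateEntry getCertificateEntry(String str) {
        String key = str == null ? getDefCertAlias() : str.toLowerCase(Locale.ROOT);
        return (CertificateEntry) SSLContextContainerAbstract.find(this.cens, key);
    }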

    /**
     * Key managers for an alias. With no alias and SNI enabled, the single SniKeyManager is returned
     * so the certificate is chosen per handshake; otherwise the factory registered for the alias
     * (or the default alias when {@code str} is {@code null}) is consulted.
     *
     * @param str alias, or {@code null}
     * @return key managers, or {@code null} when no factory is registered for the alias
     */
    @Override
    public KeyManager[] getKeyManagers(String str) {
        boolean selectPerHandshake = str == null && !sniDisable;
        if (selectPerHandshake) {
            return kms;
        }
        String alias = str != null ? str : getDefCertAlias();
        KeyManagerFactory factory = (KeyManagerFactory) SSLContextContainerAbstract.find(kmfs, alias);
        return factory != null ? factory.getKeyManagers() : null;
    }

    /**
     * The container's trust managers: a single FakeTrustManager, whose check methods accept any
     * peer certificate without verification.
     */
    @Override
    public TrustManager[] getTrustManagers() {
        return tms;
    }

    /**
     * Key store of trusted certificates built by loadTrustedCerts. It is filled on a background
     * thread started from init()/initialize(), so this may return {@code null} or a store that is
     * still being populated early in the component's life.
     */
    @Override
    public KeyStore getTrustStore() {
        return trustKeyStore;
    }

    /* JADX WARN: Type inference failed for: r0v10, types: [tigase.io.CertificateContainer$1] */
    /**
     * Map-based initialisation (the pre-kernel configuration path). Reads the default alias and the
     * SNI switch, then loads certificates either from the repository or from the comma-separated
     * directory list plus the per-domain entries found by findPredefinedCertificates. Any failure in
     * that phase is logged and swallowed. Trusted certificates are then loaded on a separate,
     * non-daemon thread from the comma-separated TRUSTED_CERTS_DIR_KEY list.
     *
     * @param map configuration values; SNI_DISABLE_KEY is expected to hold a Boolean when present
     */
    @Override
    public void init(Map<String, Object> map) {
        try {
            String configuredDefault = (String) map.get(SSLContextContainerIfc.DEFAULT_DOMAIN_CERT_KEY);
            def_cert_alias = configuredDefault != null ? configuredDefault : "default";
            sniDisable = map.containsKey(SNI_DISABLE_KEY) && ((Boolean) map.get(SNI_DISABLE_KEY)).booleanValue();
            if (repository != null) {
                loadCertificatesFromRepository();
            } else {
                String locations = (String) map.get(SSLContextContainerIfc.SERVER_CERTS_LOCATION_KEY);
                if (locations == null) {
                    locations = SSLContextContainerIfc.SERVER_CERTS_LOCATION_VAL;
                }
                String[] directories = locations.split(",");
                defaultCertDirectory = getDefaultCertDirectory(directories);
                loadCertificatesFromDirectories(directories, false);
                loadPredefinedCertificates(findPredefinedCertificates(map), false);
            }
        } catch (Exception e) {
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "There was a problem initializing SSL certificates.", (Throwable) e);
            }
            log.log(Level.WARNING, "There was a problem initializing SSL certificates.");
        }
        String trustedLocations = (String) map.get(SSLContextContainerIfc.TRUSTED_CERTS_DIR_KEY);
        if (trustedLocations == null) {
            trustedLocations = SSLContextContainerIfc.TRUSTED_CERTS_DIR_VAL;
        }
        final String[] trustedDirectories = trustedLocations.split(",");
        new Thread(() -> loadTrustedCerts(trustedDirectories)).start();
    }

    /**
     * Repository listener: installs a new item under its alias and, for the default item, also under
     * the literal alias "default". Nothing is persisted back (saveToDisk=false) since the item already
     * lives in the repository. Failures are logged at WARNING with the cause.
     */
    @Override
    public void itemAdded(CertificateItem certificateItem) {
        String[] aliases = certificateItem.isDefault()
                ? new String[] {certificateItem.getAlias(), "default"}
                : new String[] {certificateItem.getAlias()};
        try {
            for (String alias : aliases) {
                addCertificateEntry(certificateItem.getCertificateEntry(), alias, false);
            }
        } catch (Exception e) {
            log.log(Level.WARNING, "Problem adding certificate while reloading from repository", (Throwable) e);
        }
    }

    /**
     * Repository listener: an updated item is re-installed exactly like a new one (same aliases, same
     * error handling), so this defers to {@link #itemAdded(CertificateItem)}.
     */
    @Override
    public void itemUpdated(CertificateItem certificateItem) {
        itemAdded(certificateItem);
    }

    /**
     * Repository listener: drops the factory and entry registered under the item's alias and, for the
     * default item, under "default" as well. Entries that addCertificateEntry registered under the
     * certificate's own CN/alt names are not touched here.
     */
    @Override
    public void itemRemoved(CertificateItem certificateItem) {
        String[] aliases = certificateItem.isDefault()
                ? new String[] {certificateItem.getAlias(), "default"}
                : new String[] {certificateItem.getAlias()};
        for (String alias : aliases) {
            kmfs.remove(alias);
            cens.remove(alias);
        }
    }

    /* JADX WARN: Type inference failed for: r0v5, types: [tigase.io.CertificateContainer$2] */
    /**
     * Kernel life-cycle hook. Subscribes to the event bus, then loads certificates: with a repository,
     * from the repository (optionally first migrating the configured directories and custom
     * certificates into it — loadCertificateFromFile renames migrated files to .bak — and adding every
     * known entry as a repository item); without one, from the configured directories plus the custom
     * certificates. Failures in that phase are logged and swallowed. Trusted certificates are loaded
     * afterwards on a separate, non-daemon thread.
     */
    @Override
    public void initialize() {
        eventBus.registerAll(this);
        try {
            if (repository == null) {
                String[] directories = sslCertsLocation;
                defaultCertDirectory = getDefaultCertDirectory(directories);
                loadCertificatesFromDirectories(directories, false);
                loadPredefinedCertificates(customCerts, false);
            } else {
                loadCertificatesFromRepository();
                if (repository.isMoveFromFilesystemToRepository()) {
                    loadCertificatesFromDirectories(sslCertsLocation, true);
                    loadPredefinedCertificates(customCerts, true);
                    for (Map.Entry<String, CertificateEntry> known : cens.entrySet()) {
                        repository.addItem(new CertificateItem(known.getKey(), known.getValue()));
                    }
                }
            }
        } catch (Exception e) {
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "There was a problem initializing SSL certificates.", (Throwable) e);
            }
            log.log(Level.WARNING, "There was a problem initializing SSL certificates.");
        }
        new Thread(() -> loadTrustedCerts(trustedCertsDir)).start();
    }

    /** Kernel life-cycle hook: drops the event-bus subscriptions made in initialize(). */
    @Override
    public void beforeUnregister() {
        eventBus.unregisterAll(this);
    }

    /**
     * Event-bus handler for CertificateChange events. Events that originated on this node are ignored
     * (addCertificate already applied them); remote ones are installed without being re-broadcast
     * (notifyCluster=false), and the repository, when present, is reloaded afterwards.
     */
    @HandleEvent
    public void certificateChange(CertificateChange certificateChange) {
        if (!certificateChange.isLocal()) {
            addCertificate(certificateChange.getAlias(), certificateChange.getPemCertificate(), certificateChange.isSaveToDisk());
            if (repository != null) {
                repository.reload();
            }
        }
    }

    /** RegistrarBean hook; this container registers no beans of its own. */
    @Override
    public void register(Kernel kernel) {
        // intentionally empty
    }

    /** RegistrarBean hook; nothing was registered, so nothing to undo. */
    @Override
    public void unregister(Kernel kernel) {
        // intentionally empty
    }

    /**
     * Registers a parsed certificate entry under {@code str} and makes it available to TLS.
     * <p>
     * The chain is sorted (CertificateUtil.sort) and, when {@code removeRootCACertificate} is set,
     * stripped of its root; a key manager factory is built for {@code str} and stored in kmfs/cens.
     * Unless {@code str} is the default alias, every CN/alt name of the certificate (getAllCNames)
     * is also registered: entries matched by those names are first dropped via
     * SSLContextContainerAbstract.removeMatchedDomains (the matching rules live in that helper, not
     * here), then a separate factory is created per name. With {@code z} the entry is persisted — to
     * the repository when one is configured, otherwise as a PEM file in the default directory.
     *
     * @param certificateEntry parsed certificate together with its private key
     * @param str alias to register under (a domain name or the default alias)
     * @param z whether to persist the entry (repository item or PEM file)
     * @return the factory created last: the one for the last CN/alt name when names were registered,
     *         otherwise the one for {@code str}. NOTE(review): SniKeyManager.getCertificateChain calls
     *         getCertificateChain(str) on the result of createCertificateKmf(str), so it relies on
     *         {@code str} being among the certificate's names — confirm this is intended.
     * @throws KeyStoreException if the in-memory key store cannot be set up (getKeyManagerFactory)
     * @throws IOException if the key store or the PEM file cannot be written
     * @throws NoSuchAlgorithmException if the key store / key manager algorithm is unavailable
     * @throws CertificateException if a certificate in the chain cannot be stored
     * @throws UnrecoverableKeyException if the key manager factory cannot use the private key
     */
    KeyManagerFactory addCertificateEntry(CertificateEntry certificateEntry, String str, boolean z) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        log.log(Level.FINEST, "Adding certificate entry for alias: {0}. Saving to disk: {1}, entry: {2}", new Object[]{str, Boolean.valueOf(z), certificateEntry});
        PrivateKey privateKey = certificateEntry.getPrivateKey();
        Certificate[] sort = CertificateUtil.sort(certificateEntry.getCertChain());
        if (this.removeRootCACertificate) {
            log.log(Level.FINEST, "Removing RootCA from certificate chain.");
            sort = CertificateUtil.removeRootCACertificate(sort);
        }
        KeyManagerFactory keyManagerFactory = getKeyManagerFactory(str, privateKey, sort);
        this.kmfs.put(str, keyManagerFactory);
        this.cens.put(str, certificateEntry);
        // The default alias is registered only under its own name, never under the certificate's host names.
        if (!this.def_cert_alias.equals(str)) {
            Optional certificate = certificateEntry.getCertificate();
            if (certificate.isPresent()) {
                Set<String> allCNames = getAllCNames((Certificate) certificate.get());
                log.log(Level.FINEST, "Certificate present with domains: {0}. Replacing in collections, kmfs domains: {1}, cens domains: {2}. Certificate: {3}", new Object[]{allCNames, this.kmfs.keySet(), this.cens.keySet(), certificate.get()});
                // Drop whatever these names matched before (matching semantics are in the helper), then re-register per name.
                SSLContextContainerAbstract.removeMatchedDomains(this.kmfs, allCNames);
                SSLContextContainerAbstract.removeMatchedDomains(this.cens, allCNames);
                log.log(Level.FINEST, "Certificate present with domains: {0}. Collections after domain removal, kmfs domains: {1}, cens domains: {2}", new Object[]{allCNames, this.kmfs.keySet(), this.cens.keySet()});
                for (String str2 : allCNames) {
                    // each name gets its own single-entry key store; the loop leaves the last one in keyManagerFactory
                    keyManagerFactory = getKeyManagerFactory(str2, privateKey, sort);
                    this.kmfs.put(str2, keyManagerFactory);
                    this.cens.put(str2, certificateEntry);
                }
            }
        }
        if (z) {
            if (this.repository != null) {
                CertificateItem certificateItem = new CertificateItem(str, certificateEntry);
                log.log(Level.FINEST, "Storing to repository, certificate entry for alias: {0} with SerialNumber: {1}", new Object[]{str, certificateItem.getSerialNumber()});
                this.repository.addItem(certificateItem);
            } else {
                storeCertificateToFile(certificateEntry, str);
            }
        }
        return keyManagerFactory;
    }

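    /**
     * Installs every item of the configured repository under its alias; a no-op without a repository.
     * Each item is handled in its own try block so one unreadable entry does not stop the others.
     * The loop variable is typed as CertificateItem (the decompiler had left the type variable name
     * {@code Item}, which does not resolve here).
     */
    private void loadCertificatesFromRepository() {
        if (repository == null) {
            return;
        }
        for (CertificateItem item : repository.allItems()) {
            try {
                addCertificateEntry(item.getCertificateEntry(), item.getAlias(), false);
            } catch (Exception e) {
                if (log.isLoggable(Level.FINEST)) {
                    log.log(Level.FINEST, "Cannot load certficate from repository: " + item.getKey(), (Throwable) e);
                }
                log.log(Level.WARNING, "Cannot load certficate from repository: " + item.getKey());
            }
        }
    }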

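    /**
     * Loads every PEM/CRT/CER file (see PEMFileFilter) from each given directory. Missing locations
     * are skipped; a location that exists but cannot be listed (not a directory, or unreadable) is
     * now logged and skipped as well — previously listFiles() returning {@code null} caused a
     * NullPointerException that aborted loading of all remaining locations.
     *
     * @param directories directory paths to scan
     * @param moveToRepository passed through to loadCertificateFromFile, which then renames loaded files to .bak
     */
    private void loadCertificatesFromDirectories(String[] directories, boolean moveToRepository) {
        for (String dir : directories) {
            log.log(Level.CONFIG, "Loading server certificates from PEM directory: {0}", dir);
            File directory = new File(dir);
            if (!directory.exists()) {
                continue;
            }
            File[] pemFiles = directory.listFiles(new PEMFileFilter());
            if (pemFiles == null) {
                log.log(Level.WARNING, "Cannot list certificate directory (not a directory or not readable): {0}", dir);
                continue;
            }
            // Names with fewer dot-separated segments first, so e.g. "example.com.pem" is installed
            // before "sub.example.com.pem" and the more specific file overrides on overlap (presumed intent).
            Arrays.sort(pemFiles, Comparator.comparingInt(f -> f.getName().split("\\.").length));
            for (File pemFile : pemFiles) {
                loadCertificateFromFile(pemFile, moveToRepository);
            }
        }
    }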

    /**
     * Loads a certificate file, using the file name as alias. Only a lowercase ".pem" suffix is
     * stripped; the other suffixes PEMFileFilter accepts (.PEM, .crt, .CRT, .cer, .CER) remain part of
     * the alias.
     *
     * @param file certificate file
     * @param moveToRepository whether to rename the file to .bak after loading
     */
    private void loadCertificateFromFile(File file, boolean moveToRepository) {
        String fileName = file.getName();
        String alias = fileName.endsWith(".pem")
                ? fileName.substring(0, fileName.length() - ".pem".length())
                : fileName;
        loadCertificateFromFile(file, alias, moveToRepository);
    }

    /**
     * Loads one certificate file and registers it under {@code alias} (never persisting it again).
     * With {@code moveToRepository}, the file is afterwards renamed to "&lt;name&gt;.bak"; a failing
     * rename is only logged. Load failures are logged at WARNING (with the stack trace at FINEST).
     *
     * @param file certificate file
     * @param alias alias to register the certificate under
     * @param moveToRepository whether to rename the file to .bak once loaded
     */
    private void loadCertificateFromFile(File file, String alias, boolean moveToRepository) {
        try {
            CertificateEntry entry = CertificateUtil.loadCertificate(file);
            addCertificateEntry(entry, alias, false);
            Set<String> names = entry.getCertificate().map(CertificateContainer::getAllCNames).orElse(Collections.emptySet());
            log.log(Level.CONFIG, "Loaded server certificate for domain: {0} (altCNames: {1}) from file: {2}", new Object[]{alias, String.join(", ", names), file});
            if (moveToRepository) {
                backupLoadedFile(file);
            }
        } catch (Exception e) {
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "Cannot load certficate from file: " + file, (Throwable) e);
            }
            log.log(Level.WARNING, "Cannot load certficate from file: " + file + ", " + e.getMessage());
        }
    }

    /** Renames {@code file} to "&lt;file name&gt;.bak" next to it, replacing an existing backup; failures are logged at INFO. */
    private void backupLoadedFile(File file) {
        Path backup = null;
        try {
            backup = file.toPath().resolveSibling(file.toPath().getFileName() + ".bak");
            Files.move(file.toPath(), backup, StandardCopyOption.REPLACE_EXISTING);
            log.log(Level.CONFIG, "Made backup of file: {0} to: {1}", new Object[]{file, backup});
        } catch (Exception e) {
            log.log(Level.INFO, "Making certificate backup file from: {0} to: {1} failed!", new Object[]{file, backup, e});
        }
    }

    /**
     * Loads certificates configured explicitly as alias → file path (the custom-certificates setting
     * or the "virt-hosts-cert-*" keys), in the map's iteration order.
     *
     * @param aliasToPath alias → path of a certificate file
     * @param moveToRepository passed through to loadCertificateFromFile
     */
    private void loadPredefinedCertificates(Map<String, String> aliasToPath, boolean moveToRepository) {
        log.log(Level.CONFIG, "Loading predefined server certificates");
        aliasToPath.forEach((alias, path) -> loadCertificateFromFile(new File(path), alias, moveToRepository));
    }

    /**
     * Chooses where newly stored certificates go: the first candidate that exists, or the first
     * candidate regardless when none exists. The choice is logged at CONFIG.
     *
     * @param candidates directory paths in preference order; must be non-empty
     * @return the chosen directory (possibly non-existent)
     */
    private File getDefaultCertDirectory(String[] candidates) {
        File chosen = null;
        for (String candidate : candidates) {
            File dir = Paths.get(candidate).toFile();
            if (dir.exists()) {
                chosen = dir;
                break;
            }
        }
        final File result = chosen != null ? chosen : Paths.get(candidates[0]).toFile();
        log.log(Level.CONFIG, () -> "Setting default directory for storing certificates to: " + result.getAbsolutePath());
        return result;
    }

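    /**
     * Writes a certificate entry as {@code <alias>.pem} into the default certificate directory.
     * The alias can originate from a cluster CertificateChange event or an admin-supplied settings
     * map, so the resolved path is checked to stay inside the directory before anything is written
     * (an alias like "../x" is rejected instead of creating a file elsewhere).
     *
     * @param certificateEntry entry to persist
     * @param alias file name stem
     * @throws IOException if the target path escapes the certificate directory, or writing fails
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private void storeCertificateToFile(CertificateEntry certificateEntry, String alias) throws CertificateEncodingException, IOException {
        File target = new File(this.defaultCertDirectory, alias + ".pem");
        // defaultCertDirectory is null when no directory was chosen (e.g. repository mode); the original
        // code then wrote relative to the working directory, which stays the base for the check.
        Path base = (defaultCertDirectory != null ? defaultCertDirectory.toPath() : Paths.get(""))
                .toAbsolutePath().normalize();
        Path resolved = target.toPath().toAbsolutePath().normalize();
        if (!resolved.startsWith(base)) {
            throw new IOException("Refusing to store certificate outside " + base + ": " + target);
        }
        CertificateUtil.storeCertificate(target.toString(), certificateEntry);
    }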

    /**
     * Builds a key manager factory over a fresh in-memory "JKS" key store holding exactly one key
     * entry (alias, private key, chain), protected by the empty password. Key store type and the
     * "SunX509" key manager algorithm are fixed SunJSSE names.
     *
     * @param alias alias of the single entry
     * @param privateKey private key of the entry
     * @param chain certificate chain of the entry
     * @return an initialised factory
     */
    private KeyManagerFactory getKeyManagerFactory(String alias, PrivateKey privateKey, Certificate[] chain) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, emptyPass);
        store.setKeyEntry(alias, privateKey, emptyPass, chain);
        KeyManagerFactory factory = KeyManagerFactory.getInstance("SunX509");
        factory.init(store, emptyPass);
        return factory;
    }

    /**
     * Installs PEM text under an alias without notifying the cluster (used for changes received from
     * other nodes). Parsing/installation failures are logged at WARNING instead of propagating.
     *
     * @param alias alias to register under
     * @param pemCertificate PEM text
     * @param saveToDisk whether to persist the certificate
     */
    private void addCertificate(String alias, String pemCertificate, boolean saveToDisk) {
        try {
            addCertificate(alias, pemCertificate, saveToDisk, false);
        } catch (CertificateParsingException e) {
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "Failed to update certificate for " + alias, (Throwable) e);
            }
            log.log(Level.WARNING, "Failed to update certificate for " + alias + ", " + e);
        }
    }

    /**
     * Parses PEM text, registers it under {@code alias} and publishes the change: a CertificateChange
     * to the cluster when {@code notifyCluster} (it carries the full PEM text — key material included,
     * if the text contains the private key that parseCertificate extracts), and always a local
     * CertificateChanged listing the certificate's names.
     *
     * @param alias alias to register under
     * @param pemCertificate PEM text
     * @param saveToDisk whether addCertificateEntry should persist the entry
     * @param notifyCluster whether to fire a CertificateChange event
     * @throws CertificateParsingException wrapping any failure (parsing, key store setup, persistence)
     */
    private void addCertificate(String alias, String pemCertificate, boolean saveToDisk, boolean notifyCluster) throws CertificateParsingException {
        try {
            log.log(Level.FINEST, "Adding new certificate with alias: {0}. Saving to disk: {1}, notify cluster: {2}", new Object[]{alias, Boolean.valueOf(saveToDisk), Boolean.valueOf(notifyCluster)});
            CertificateEntry entry = CertificateUtil.parseCertificate(new CharArrayReader(pemCertificate.toCharArray()));
            addCertificateEntry(entry, alias, saveToDisk);
            if (notifyCluster) {
                eventBus.fire((EventBusEvent) new CertificateChange(alias, pemCertificate, saveToDisk));
            }
            Set<String> names = entry.getCertificate().map(CertificateContainer::getAllCNames).orElse(Collections.emptySet());
            eventBus.fire((EventBusEvent) new CertificateChanged(alias, names));
            log.log(Level.CONFIG, "Certificate with alias: {0} for domains: {1} added. Saving to disk: {2}, notify cluster: {3}", new Object[]{alias, names, Boolean.valueOf(saveToDisk), Boolean.valueOf(notifyCluster)});
        } catch (Exception e) {
            throw new CertificateParsingException("Problem adding a new certificate (" + e.getMessage() + ")", e);
        }
    }

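    /**
     * Generates a self-signed certificate for {@code domain} (subject fields from email/ou/o) and
     * installs it via addCertificateEntry with saveToDisk=true, so the generated certificate is also
     * persisted (repository or PEM file).
     * <p>
     * The key size is now 2048 bits. The decompiled code passed a Derby constant whose value is 1024;
     * 1024-bit RSA keys are below what current TLS clients and JDK security policies accept, and
     * referencing the Derby constant tied this class to an unrelated library.
     *
     * @param domain domain the certificate is issued for and registered under
     * @return the factory returned by addCertificateEntry
     */
    private KeyManagerFactory createCertificateKmf(String domain) throws NoSuchAlgorithmException, CertificateException, IOException, InvalidKeyException, NoSuchProviderException, SignatureException, KeyStoreException, UnrecoverableKeyException {
        final int keySize = 2048;
        CertificateEntry selfSigned = CertificateUtil.createSelfSignedCertificate(this.email, domain, this.ou, this.o,
                (String) null, (String) null, (String) null,
                () -> CertificateUtil.createKeyPair(keySize, "secret"));
        return addCertificateEntry(selfSigned, domain, true);
    }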

    /**
     * Extracts per-domain certificate settings: every key starting with PER_DOMAIN_CERTIFICATE_KEY
     * maps the remainder of the key (the alias) to the string form of its value.
     *
     * @param settings configuration map; {@code null} yields an empty result
     * @return alias → certificate file path, possibly empty
     */
    private Map<String, String> findPredefinedCertificates(Map<String, Object> settings) {
        Map<String, String> result = new HashMap<String, String>();
        if (settings != null) {
            int prefixLength = PER_DOMAIN_CERTIFICATE_KEY.length();
            for (Map.Entry<String, Object> setting : settings.entrySet()) {
                String key = setting.getKey();
                if (key.startsWith(PER_DOMAIN_CERTIFICATE_KEY)) {
                    result.put(key.substring(prefixLength), setting.getValue().toString());
                }
            }
        }
        return result;
    }

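    /**
     * Builds {@code trustKeyStore} and the trust manager array {@code tms}.
     * <p>
     * Trust material is gathered, in order, from the JDK's {@code cacerts} file, the literal path
     * {@code ~/.keystore} (see the note in the body) and every PEM file selected by {@code PEMFileFilter}
     * in the directories named by {@code strArr}. Each step is best-effort: failures are logged and the
     * remaining sources are still processed. If the store ends up empty, a generated self-signed
     * certificate is installed as a placeholder so it is never without an entry.
     * <p>
     * Only the certificates read from the PEM directories are handed to {@code FakeTrustManager};
     * entries taken from the keystore files (and the placeholder) live in {@code trustKeyStore} only.
     * <p>
     * Fixes over the previous version: keystore files are loaded into a scratch store and merged, so
     * the second file no longer discards what the first one loaded (the JDK's JKS and PKCS12
     * implementations clear the store on {@code KeyStore.load}); the file streams are closed on every
     * path; and a {@code null} {@code strArr} is treated as "no directories" instead of failing the
     * whole step.
     *
     * @param strArr directories to scan for PEM files; {@code null} is treated as no directories
     */
    private void loadTrustedCerts(String[] strArr) {
        long startedAt = System.currentTimeMillis();
        // Certificates imported from the PEM directories; this list, and only this list, feeds FakeTrustManager.
        ArrayList<X509Certificate> pemCerts = new ArrayList<>();
        int imported = 0;
        try {
            this.trustKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            this.trustKeyStore.load(null, this.emptyPass);
            // Precedence is intentional: only the literal tail is separator-normalised; java.home is already native.
            File jdkCacerts = new File(System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar));
            // NOTE(review): Java does not expand "~", so this resolves relative to the working directory and will
            // normally not exist. Left as-is so this change does not silently start trusting a new file; if the
            // user's keystore is really intended, resolve it against System.getProperty("user.home") and decide
            // explicitly whether a service account's home keystore should be a trust source at all.
            File userKeyStore = new File("~/.keystore");
            mergeTrustStoreFile(jdkCacerts);
            mergeTrustStoreFile(userKeyStore);
            log.log(Level.CONFIG, "Loading trustKeyStore from locations: {0}", Arrays.toString(strArr));
            if (strArr != null) {
                for (String dir : strArr) {
                    imported += importPemDirectory(new File(dir), pemCerts);
                }
            }
        } catch (Exception e) {
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "An error loading trusted certificates", e);
            }
            log.log(Level.WARNING, "An error loading trusted certificates");
        }
        installPlaceholderAnchorIfEmpty();
        this.tms = new X509TrustManager[]{new FakeTrustManager(pemCerts.toArray(new X509Certificate[0]))};
        log.log(Level.CONFIG, "Loaded {0} trust certificates, it took {1} seconds.",
                new Object[]{imported, (System.currentTimeMillis() - startedAt) / 1000});
    }

    /**
     * Loads one keystore file into a scratch {@link KeyStore} and copies its certificates into
     * {@code trustKeyStore}, skipping silently when the file does not exist.
     * <p>
     * Only what {@link KeyStore#getCertificate} returns per alias is copied (the trusted certificate,
     * or the first certificate of a key entry's chain); private keys are not carried over. The file is
     * read with a {@code null} password, so its contents are loaded but the store's integrity MAC is
     * not verified — anyone who can write the file can add trust anchors.
     *
     * @param file keystore file in the platform default format
     */
    private void mergeTrustStoreFile(File file) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        if (log.isLoggable(Level.FINE)) {
            log.log(Level.FINE, "Looking for trusted certs in: {0}", file);
        }
        if (!file.exists()) {
            return;
        }
        log.log(Level.CONFIG, "Loading trustKeyStore from location: {0}", file);
        KeyStore fileStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            fileStore.load(in, null);
        }
        for (String alias : Collections.list(fileStore.aliases())) {
            Certificate cert = fileStore.getCertificate(alias);
            if (cert != null) {
                this.trustKeyStore.setCertificateEntry(alias, cert);
            }
        }
    }

    /**
     * Imports every PEM file in {@code dir} (as selected by {@code PEMFileFilter}) into
     * {@code trustKeyStore} and appends the X.509 certificates to {@code out}.
     * Unreadable or unparsable files are logged and skipped; a directory that cannot be listed
     * contributes nothing.
     *
     * @param dir directory to scan
     * @param out receives every imported certificate, in file order
     * @return the number of certificates imported from this directory
     */
    private int importPemDirectory(File dir, ArrayList<X509Certificate> out) {
        File[] pemFiles = dir.listFiles(new PEMFileFilter());
        if (pemFiles == null) {
            return 0;
        }
        int count = 0;
        for (File pemFile : pemFiles) {
            try {
                Certificate[] chain = CertificateUtil.loadCertificate(pemFile).getCertChain();
                if (chain == null) {
                    continue;
                }
                for (Certificate cert : chain) {
                    if (!(cert instanceof X509Certificate)) {
                        continue;
                    }
                    X509Certificate x509 = (X509Certificate) cert;
                    // The subject DN is the alias, so two certificates with the same subject overwrite each other
                    // in the store (both still end up in the list handed to FakeTrustManager).
                    String alias = x509.getSubjectX500Principal().getName();
                    this.trustKeyStore.setCertificateEntry(alias, x509);
                    out.add(x509);
                    log.log(Level.FINEST, "Imported certificate: {0}", alias);
                    count++;
                }
            } catch (Exception e) {
                if (log.isLoggable(Level.FINEST)) {
                    log.log(Level.FINEST, "Problem loading certificate from file: " + pemFile, e);
                }
                log.log(Level.WARNING, "Problem loading certificate from file: {0}", pemFile);
            }
        }
        return count;
    }

    /**
     * Installs a freshly generated self-signed certificate under the alias {@code "generated fake CA"}
     * when {@code trustKeyStore} holds no entries at all, so later consumers always find at least one.
     * It is a placeholder rather than a trust decision; the generated private key is not retained
     * here. Failures (including an uninitialised store) are logged and swallowed.
     */
    private void installPlaceholderAnchorIfEmpty() {
        try {
            if (this.trustKeyStore.aliases().hasMoreElements()) {
                return;
            }
            log.log(Level.CONFIG, "No Trusted Anchors!!! Creating temporary trusted CA cert!");
            // NOTE(review): the key length comes from an unrelated Derby constant (Property.IDX_PAGE_SIZE_BUMP_THRESHOLD),
            // almost certainly a decompilation artifact standing in for a literal. Confirm the effective RSA size and
            // make sure it is at least 2048 bits.
            final int keyBits = Property.IDX_PAGE_SIZE_BUMP_THRESHOLD;
            this.trustKeyStore.setCertificateEntry("generated fake CA",
                    CertificateUtil.createSelfSignedCertificate("fake_local@tigase", "fake one",
                            TigaseCustomAuth.NO_QUERY, TigaseCustomAuth.NO_QUERY, TigaseCustomAuth.NO_QUERY, TigaseCustomAuth.NO_QUERY, "US",
                            () -> CertificateUtil.createKeyPair(keyBits, "secret")).getCertChain()[0]);
        } catch (Exception e) {
            // The doubled apostrophe is MessageFormat quoting; with no {n} placeholders the standard
            // java.util.logging Formatter does not run MessageFormat, so it is emitted literally.
            if (log.isLoggable(Level.FINEST)) {
                log.log(Level.FINEST, "Can''t generate fake trusted CA certificate", e);
            }
            log.log(Level.WARNING, "Can''t generate fake trusted CA certificate");
        }
    }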
}
