package io.kroxylicious.testing.kafka.common;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.lang.System;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;

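/**
 * Generates throw-away TLS key material for tests by driving the JDK {@code keytool} executable.
 * <p>
 * The generator owns a PKCS12 key store, a trust store and an exported PEM certificate file. Unless
 * explicit store locations are supplied, all three live in a fresh temporary directory that is
 * registered for deletion on JVM exit. Both stores and the private key are protected by a single
 * random password (see {@link #getPassword()}). The password is handed to {@code keytool} through an
 * environment variable ({@code -storepass:env} / {@code -keypass:env}) instead of on the command
 * line, so it does not appear in process listings, DEBUG/WARNING logs or exception messages.
 * <p>
 * Instances are not thread-safe.
 */
@SuppressFBWarnings(value = {"PATH_TRAVERSAL_IN"}, justification = "Requires ability to write test key material to file-system.")
public class KeytoolCertificateGenerator {
    private static final String PKCS12_KEYSTORE_TYPE = "PKCS12";
    /** Environment variable through which the store/key password is passed to keytool. */
    private static final String PASSWORD_ENV_VAR = "KROXY_KEYTOOL_PASSWORD";
    private static final String CERT_FILE_NAME = "cert-file";
    private static final String DEFAULT_KEYSTORE_FILE_NAME = "kafka.keystore.jks";
    private static final String DEFAULT_TRUSTSTORE_FILE_NAME = "kafka.truststore.jks";

    private final System.Logger log = System.getLogger(KeytoolCertificateGenerator.class.getName());
    private final Path certFilePath;
    private final Path keyStoreFilePath;
    private final Path trustStoreFilePath;
    /** Lazily created by {@link #getPassword()}; {@code null} until first requested. */
    private String password;

    /** Creates a generator whose key store and trust store both live in a fresh temporary directory. */
    public KeytoolCertificateGenerator() throws IOException {
        this(null, null);
    }

    /**
     * Creates a generator.
     *
     * @param keyStoreLocation   path of the key store to write, or {@code null} for a file in a temporary directory
     * @param trustStoreLocation path of the trust store to write, or {@code null} for a file in a temporary directory
     * @throws IOException if the temporary directory cannot be created
     */
    public KeytoolCertificateGenerator(String keyStoreLocation, String trustStoreLocation) throws IOException {
        Path tempDir = Files.createTempDirectory("kproxy").toAbsolutePath();
        this.certFilePath = tempDir.resolve(CERT_FILE_NAME);
        this.keyStoreFilePath = keyStoreLocation != null ? Path.of(keyStoreLocation) : tempDir.resolve(DEFAULT_KEYSTORE_FILE_NAME);
        this.trustStoreFilePath = trustStoreLocation != null ? Path.of(trustStoreLocation) : tempDir.resolve(DEFAULT_TRUSTSTORE_FILE_NAME);

        // File.deleteOnExit processes registrations in reverse order, so the directory is registered
        // first and its contents afterwards: files go first, then the (by then empty) directory.
        // Caller-supplied store locations are the caller's responsibility and are not deleted.
        tempDir.toFile().deleteOnExit();
        if (keyStoreLocation == null) {
            keyStoreFilePath.toFile().deleteOnExit();
        }
        if (trustStoreLocation == null) {
            trustStoreFilePath.toFile().deleteOnExit();
        }
        certFilePath.toFile().deleteOnExit();
    }

    /** @return absolute path of the PEM certificate exported by {@link #generateSelfSignedCertificateEntry} */
    public String getCertFilePath() {
        return certFilePath.toAbsolutePath().toString();
    }

    /** @return absolute path of the key store */
    public String getKeyStoreLocation() {
        return keyStoreFilePath.toAbsolutePath().toString();
    }

    /** @return absolute path of the trust store */
    public String getTrustStoreLocation() {
        return trustStoreFilePath.toAbsolutePath().toString();
    }

    /**
     * Returns the password protecting both stores and the private key, generating it on first call.
     *
     * @return 32 hexadecimal characters derived from a random UUID
     */
    public String getPassword() {
        if (password == null) {
            password = UUID.randomUUID().toString().replace("-", "");
        }
        return password;
    }

    /** @return whether the running JDK (17 or later) is expected to emit a wildcard SAN */
    public boolean canGenerateWildcardSAN() {
        return Runtime.version().feature() >= 17;
    }

    /**
     * Imports {@code certFile} into this generator's trust store under {@code alias}.
     *
     * @see #generateTrustStore(String, String, String)
     */
    public void generateTrustStore(String certFile, String alias) throws GeneralSecurityException, IOException {
        generateTrustStore(certFile, alias, getTrustStoreLocation());
    }

    /**
     * Imports a certificate into a trust store, replacing any existing entry under {@code alias}.
     *
     * @param certFile           certificate to import, e.g. {@link #getCertFilePath()}
     * @param alias              alias under which the certificate is stored
     * @param trustStoreLocation trust store to create or update; it must be protected by {@link #getPassword()}
     * @throws GeneralSecurityException if an existing store cannot be opened or rewritten
     * @throws IOException              if the store cannot be read/written or keytool fails
     */
    public void generateTrustStore(String certFile, String alias, String trustStoreLocation) throws GeneralSecurityException, IOException {
        removeEntryIfPresent(Path.of(trustStoreLocation), alias);
        List<String> command = new ArrayList<>(List.of("keytool", "-import", "-trustcacerts"));
        command.addAll(List.of("-keystore", trustStoreLocation));
        command.addAll(storePasswordArgs());
        command.add("-noprompt");
        command.addAll(List.of("-alias", alias));
        command.addAll(List.of("-file", certFile));
        runCommand(command);
    }

    /**
     * Generates an RSA-2048 self-signed certificate (SHA256withRSA, valid 365 days) in the key store
     * and exports it in PEM form to {@link #getCertFilePath()}. An existing entry with the same alias
     * is replaced first.
     *
     * @param email            EMAILADDRESS component of the subject DN
     * @param domain           CN of the subject, the key store alias and (when emitted) the DNS SAN
     * @param organizationUnit OU component of the subject DN
     * @param organization     O component of the subject DN
     * @param city             L component of the subject DN
     * @param state            ST component of the subject DN
     * @param country          C component of the subject DN
     * @throws GeneralSecurityException if an existing key store cannot be opened or rewritten
     * @throws IOException              if the store cannot be read/written or keytool fails
     */
    public void generateSelfSignedCertificateEntry(String email, String domain, String organizationUnit, String organization, String city, String state, String country) throws GeneralSecurityException, IOException {
        removeEntryIfPresent(keyStoreFilePath, domain);
        List<String> command = new ArrayList<>(List.of("keytool", "-genkey"));
        command.addAll(List.of("-alias", domain));
        command.addAll(List.of("-keyalg", "RSA"));
        command.addAll(List.of("-keysize", "2048"));
        command.addAll(List.of("-sigalg", "SHA256withRSA"));
        command.addAll(List.of("-storetype", PKCS12_KEYSTORE_TYPE));
        command.addAll(List.of("-keystore", getKeyStoreLocation()));
        command.addAll(storePasswordArgs());
        // PKCS12 requires key and store password to match; both read the same variable.
        command.addAll(List.of("-keypass:env", PASSWORD_ENV_VAR));
        command.addAll(List.of("-dname", getDomainName(email, domain, organizationUnit, organization, city, state, country)));
        command.addAll(List.of("-validity", "365"));
        // NOTE(review): a SAN is added only on JDK 17+ and only for non-wildcard names, so a wildcard
        // CN never receives a SAN; confirm that is intended, as hostname verification generally
        // relies on the SAN rather than the CN.
        if (canGenerateWildcardSAN() && !isWildcardDomain(domain)) {
            command.addAll(getSAN(domain));
        }
        runCommand(command);
        createCrtFileToImport(domain);
    }

    /**
     * Deletes {@code alias} from the store at {@code storePath} if that store exists and contains it,
     * so keytool can recreate the entry without an "alias already exists" failure.
     * The store is opened with {@link #getPassword()}; a store written with a different password fails here.
     */
    private void removeEntryIfPresent(Path storePath, String alias) throws GeneralSecurityException, IOException {
        if (!Files.exists(storePath)) {
            return;
        }
        // KeyStore.getInstance(File, char[]) probes the store type and loads the file in one step.
        KeyStore store = KeyStore.getInstance(storePath.toFile(), getPassword().toCharArray());
        if (store.containsAlias(alias)) {
            store.deleteEntry(alias);
            try (var out = Files.newOutputStream(storePath)) {
                store.store(out, getPassword().toCharArray());
            }
        }
    }

    /** Exports the certificate stored under {@code alias} from the key store as PEM into {@link #certFilePath}. */
    private void createCrtFileToImport(String alias) throws IOException {
        List<String> command = new ArrayList<>(List.of("keytool", "-export", "-rfc"));
        command.addAll(List.of("-keystore", getKeyStoreLocation()));
        command.addAll(storePasswordArgs());
        command.addAll(List.of("-storetype", getKeyStoreType()));
        command.addAll(List.of("-alias", alias));
        command.addAll(List.of("-file", certFilePath.toAbsolutePath().toString()));
        runCommand(command);
    }

    /** keytool arguments that take the store password from {@link #PASSWORD_ENV_VAR} instead of argv. */
    private List<String> storePasswordArgs() {
        return List.of("-storepass:env", PASSWORD_ENV_VAR);
    }

    /**
     * Runs a keytool command line, exposing {@link #getPassword()} to the child only via
     * {@link #PASSWORD_ENV_VAR}. stderr is merged into stdout and fully drained before waiting for
     * exit so keytool cannot block on a full pipe. The logged command line names the variable, not
     * the password.
     *
     * @throws IOException if keytool cannot be started, exits with a non-zero status, or the wait is interrupted
     */
    private void runCommand(List<String> command) throws IOException {
        ProcessBuilder builder = new ProcessBuilder(command).redirectErrorStream(true);
        builder.environment().put(PASSWORD_ENV_VAR, getPassword());
        Process process = builder.start();
        String output;
        // Default charset on purpose: keytool is a JVM tool writing in the platform encoding.
        try (var reader = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
            output = reader.lines().collect(Collectors.joining(" \\ "));
        }
        int exitCode;
        try {
            exitCode = process.waitFor();
        } catch (InterruptedException e) {
            process.destroyForcibly();
            Thread.currentThread().interrupt();
            throw new IOException("Keytool execution interrupted", e);
        }
        log.log(System.Logger.Level.DEBUG, "Ran `keytool` command: {0}, parameters: {1}, exit code: {2}", process.info(), command, exitCode);
        // Any non-zero status (including negative values on some platforms) is a failure.
        if (exitCode != 0) {
            log.log(System.Logger.Level.WARNING, "Error generating certificate, exit code: {0}, output: {1}, commandline parameters: {2}", exitCode, output, command);
            throw new IOException("Keytool execution error (exit code " + exitCode + "): '" + output + "', commandline parameters: " + command);
        }
    }

    private boolean isWildcardDomain(String domain) {
        return domain.startsWith("*.");
    }

    /**
     * Builds the subject DN. NOTE(review): components are concatenated verbatim, so a value containing
     * a comma or other RFC 2253 special character changes the DN structure; callers are expected to
     * pass plain test values.
     */
    private String getDomainName(String email, String domain, String organizationUnit, String organization, String city, String state, String country) {
        return "CN=" + domain + ", OU=" + organizationUnit + ", O=" + organization + ", L=" + city + ", ST=" + state + ", C=" + country + ", EMAILADDRESS=" + email;
    }

    private List<String> getSAN(String domain) {
        return List.of("-ext", "SAN=dns:" + domain);
    }

    public String getTrustStoreType() {
        return PKCS12_KEYSTORE_TYPE;
    }

    public String getKeyStoreType() {
        return PKCS12_KEYSTORE_TYPE;
    }
}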
