package io.micronaut.acme.services;

import io.micronaut.acme.AcmeConfiguration;
import io.micronaut.acme.challenge.dns.TxtRenderer;
import io.micronaut.acme.challenge.http.endpoint.HttpChallengeDetails;
import io.micronaut.acme.events.CertificateEvent;
import io.micronaut.context.event.ApplicationEventPublisher;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.io.IOUtils;
import io.micronaut.core.io.ResourceResolver;
import io.micronaut.scheduling.TaskScheduler;
import jakarta.inject.Named;
import jakarta.inject.Singleton;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.StandardOpenOption;
import java.security.KeyPair;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CancellationException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.stream.Stream;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Dns01Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.challenge.TlsAlpn01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeRetryAfterException;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.CertificateUtils;
import org.shredzone.acme4j.util.KeyPairUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:io/micronaut/acme/services/AcmeService.class */
public class AcmeService {
    private static final Logger LOG = LoggerFactory.getLogger(AcmeService.class);
    private static final String DOMAIN_CRT = "domain.crt";
    private static final String DOMAIN_CSR = "domain.csr";
    private static final String X509_CERT = "X.509";
    private final String acmeServerUrl;
    private final AcmeConfiguration acmeConfiguration;
    private ResourceResolver resourceResolver;
    private final TaskScheduler taskScheduler;
    private final File certLocation;
    private final String domainKeyString;
    private final String accountKeyString;
    private final Duration authPause;
    private final Duration orderPause;
    private final Duration timeout;
    private ApplicationEventPublisher eventPublisher;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/micronaut/acme/services/AcmeService$SelfCancellable.class */
    public abstract class SelfCancellable implements Runnable {
        private ScheduledFuture<?> future;

        private SelfCancellable() {
        }

        void setFuture(ScheduledFuture<?> scheduledFuture) {
            this.future = scheduledFuture;
        }

        void cancel() {
            this.future.cancel(false);
        }
    }

    public AcmeService(ApplicationEventPublisher applicationEventPublisher, AcmeConfiguration acmeConfiguration, ResourceResolver resourceResolver, @Named("scheduled") TaskScheduler taskScheduler) {
        this.eventPublisher = applicationEventPublisher;
        this.timeout = acmeConfiguration.getTimeout();
        this.orderPause = acmeConfiguration.getOrder().getPause();
        this.authPause = acmeConfiguration.getAuth().getPause();
        this.accountKeyString = acmeConfiguration.getAccountKey();
        this.domainKeyString = acmeConfiguration.getDomainKey();
        this.certLocation = acmeConfiguration.getCertLocation();
        this.acmeServerUrl = acmeConfiguration.getAcmeServer();
        this.acmeConfiguration = acmeConfiguration;
        this.resourceResolver = resourceResolver;
        this.taskScheduler = taskScheduler;
    }

    public X509Certificate getCurrentCertificate() {
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance(X509_CERT);
            File file = new File(this.certLocation, DOMAIN_CRT);
            if (file.exists()) {
                return (X509Certificate) certificateFactory.generateCertificate(Files.newInputStream(file.toPath(), new OpenOption[0]));
            }
            return null;
        } catch (IOException | CertificateException e) {
            if (!LOG.isWarnEnabled()) {
                return null;
            }
            LOG.warn("Could not create certificate from file", e);
            return null;
        }
    }

    @NonNull
    protected Optional<X509Certificate[]> getFullCertificateChain() {
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance(X509_CERT);
            File file = new File(this.certLocation, DOMAIN_CRT);
            if (file.exists()) {
                Stream<? extends Certificate> stream = certificateFactory.generateCertificates(Files.newInputStream(file.toPath(), new OpenOption[0])).stream();
                Class<X509Certificate> cls = X509Certificate.class;
                Objects.requireNonNull(X509Certificate.class);
                return Optional.of((X509Certificate[]) stream.map((v1) -> {
                    return r1.cast(v1);
                }).toArray(i -> {
                    return new X509Certificate[i];
                }));
            }
        } catch (IOException | CertificateException e) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Could not create certificate from file", e);
            }
        }
        return Optional.empty();
    }

    public void orderCertificate(List<String> list) throws AcmeException {
        AtomicInteger atomicInteger = new AtomicInteger(this.acmeConfiguration.getOrder().getRefreshAttempts());
        Session session = new Session(this.acmeServerUrl);
        if (this.timeout != null) {
            session.networkSettings().setTimeout(this.timeout);
        }
        try {
            Order createOrder = createOrder(list, doLogin(session, getKeyPairFromConfigValue(this.accountKeyString)));
            for (Authorization authorization : createOrder.getAuthorizations()) {
                try {
                    authorize(authorization);
                } catch (AcmeException | IOException e) {
                    if (LOG.isErrorEnabled()) {
                        LOG.error("ACME certificate order failed. Failed to authorize the domain [{}]", authorization.getIdentifier(), e);
                        return;
                    }
                    return;
                }
            }
            KeyPair domainKeyPair = getDomainKeyPair();
            if (domainKeyPair == null) {
                return;
            }
            attemptCertificateOrder(list, atomicInteger, createOrder, domainKeyPair);
        } catch (IOException e2) {
            if (LOG.isErrorEnabled()) {
                LOG.error("ACME certificate order failed. Failed to read the account keys", e2);
            }
        }
    }

    private KeyPair getKeyPairFromConfigValue(String str) throws IOException {
        String str2 = str;
        if (str.startsWith("file:") || str.startsWith("classpath:")) {
            Optional resource = this.resourceResolver.getResource(str);
            if (resource.isPresent()) {
                str2 = IOUtils.readText(new BufferedReader(new InputStreamReader(((URL) resource.get()).openStream())));
            }
        }
        return KeyPairUtils.readKeyPair(new StringReader(str2));
    }

    private Order createOrder(List<String> list, Login login) throws AcmeException {
        return login.getAccount().newOrder().domains(list).create();
    }

    private Login doLogin(Session session, KeyPair keyPair) throws AcmeException {
        return new AccountBuilder().onlyExisting().useKeyPair(keyPair).createLogin(session);
    }

    private void attemptCertificateOrder(final List<String> list, final AtomicInteger atomicInteger, final Order order, final KeyPair keyPair) {
        final AtomicLong atomicLong = new AtomicLong();
        SelfCancellable selfCancellable = new SelfCancellable() { // from class: io.micronaut.acme.services.AcmeService.1
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super();
            }

            @Override // java.lang.Runnable
            public void run() {
                int andDecrement = atomicInteger.getAndDecrement();
                if (andDecrement <= 0) {
                    throw new AcmeRuntimeException("ACME certificate order failed. Status still not valid after [" + AcmeService.this.acmeConfiguration.getOrder().getRefreshAttempts() + "] attempts");
                }
                if (atomicLong.get() < Instant.now().toEpochMilli()) {
                    try {
                        order.update();
                        Status status = order.getStatus();
                        if (status == Status.INVALID) {
                            throw new AcmeRuntimeException("ACME certificate order failed. The certificate order was invalid: " + order.getError());
                        }
                        if (status == Status.READY) {
                            CSRBuilder cSRBuilder = new CSRBuilder();
                            cSRBuilder.addDomains(list);
                            if (csrbSign(cSRBuilder) || csrbWrite(cSRBuilder) || orderCertificate(cSRBuilder)) {
                                return;
                            }
                            org.shredzone.acme4j.Certificate certificate = order.getCertificate();
                            if (certificate != null) {
                                if (writeCombinedFile(certificate)) {
                                    return;
                                }
                            } else if (AcmeService.LOG.isErrorEnabled()) {
                                AcmeService.LOG.error("ACME certificate order failed. The certificate was not found in the order");
                            }
                            cancel();
                        } else if (AcmeService.LOG.isDebugEnabled()) {
                            AcmeService.LOG.debug("Waiting on valid order status. Attempt : {}", Integer.valueOf(andDecrement));
                        }
                    } catch (AcmeRetryAfterException e) {
                        atomicLong.set(e.getRetryAfter().toEpochMilli());
                    } catch (AcmeException e2) {
                        throw new AcmeRuntimeException("ACME certificate order failed. Failed to update the certificate order. Reason : " + e2.getMessage());
                    }
                }
            }

            private boolean writeCombinedFile(org.shredzone.acme4j.Certificate certificate) {
                boolean z = false;
                try {
                    BufferedWriter newBufferedWriter = Files.newBufferedWriter(new File(AcmeService.this.certLocation, AcmeService.DOMAIN_CRT).toPath(), StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
                    try {
                        certificate.writeCertificate(newBufferedWriter);
                        if (newBufferedWriter != null) {
                            newBufferedWriter.close();
                        }
                        Optional<X509Certificate[]> fullCertificateChain = AcmeService.this.getFullCertificateChain();
                        if (fullCertificateChain.isPresent()) {
                            AcmeService.this.eventPublisher.publishEvent(new CertificateEvent(keyPair, false, fullCertificateChain.get()));
                            if (AcmeService.LOG.isInfoEnabled()) {
                                AcmeService.LOG.info("ACME certificate order success! Certificate URL: {}", certificate.getLocation());
                            }
                        } else {
                            if (AcmeService.LOG.isErrorEnabled()) {
                                AcmeService.LOG.error("ACME certificate chain could not be loaded from file.");
                            }
                            z = true;
                        }
                    } finally {
                    }
                } catch (IOException e) {
                    if (AcmeService.LOG.isErrorEnabled()) {
                        AcmeService.LOG.error("ACME certificate order failed. Failed to write the certificate chain to the configured location", e);
                    }
                    z = true;
                }
                return z;
            }

            private boolean orderCertificate(CSRBuilder cSRBuilder) {
                try {
                    order.execute(cSRBuilder.getEncoded());
                    return false;
                } catch (AcmeException | IOException e) {
                    if (!AcmeService.LOG.isErrorEnabled()) {
                        return true;
                    }
                    AcmeService.LOG.error("ACME certificate order failed. Failed to execute the certificate order", e);
                    return true;
                }
            }

            private boolean csrbWrite(CSRBuilder cSRBuilder) {
                try {
                    cSRBuilder.write(Files.newOutputStream(new File(AcmeService.this.certLocation, AcmeService.DOMAIN_CSR).toPath(), StandardOpenOption.WRITE, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING));
                    return false;
                } catch (IOException e) {
                    if (!AcmeService.LOG.isErrorEnabled()) {
                        return true;
                    }
                    AcmeService.LOG.error("ACME certificate order failed. Failed to write the CSR to the configured location", e);
                    return true;
                }
            }

            private boolean csrbSign(CSRBuilder cSRBuilder) {
                try {
                    cSRBuilder.sign(keyPair);
                    return false;
                } catch (IOException e) {
                    if (!AcmeService.LOG.isErrorEnabled()) {
                        return true;
                    }
                    AcmeService.LOG.error("ACME certificate order failed. Failed to sign the domain keys with the CSR", e);
                    return true;
                }
            }
        };
        ScheduledFuture<?> scheduleWithFixedDelay = this.taskScheduler.scheduleWithFixedDelay(Duration.ZERO, this.orderPause, selfCancellable);
        selfCancellable.setFuture(scheduleWithFixedDelay);
        try {
            scheduleWithFixedDelay.get();
        } catch (InterruptedException e) {
            if (LOG.isErrorEnabled()) {
                LOG.error("ACME certificate order poll interrupted", e);
            }
            Thread.currentThread().interrupt();
        } catch (CancellationException e2) {
        } catch (ExecutionException e3) {
            if (LOG.isErrorEnabled()) {
                LOG.error("ACME certificate order poll threw an error", e3);
            }
        }
    }

    private KeyPair getDomainKeyPair() {
        KeyPair keyPair = null;
        try {
            keyPair = getKeyPairFromConfigValue(this.domainKeyString);
        } catch (IOException e) {
            if (LOG.isErrorEnabled()) {
                LOG.error("ACME certificate order failed. Failed to read the domain keys", e);
            }
        }
        return keyPair;
    }

    private void authorize(Authorization authorization) throws AcmeException, IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authorization {} for domain {}", authorization, authorization.getIdentifier().getDomain());
        }
        if (authorization.getStatus() == Status.VALID) {
            return;
        }
        AcmeConfiguration.ChallengeType challengeType = this.acmeConfiguration.getChallengeType();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Challenge type selected : {}", challengeType);
        }
        Optional findFirst = authorization.getChallenges().stream().filter(challenge -> {
            return challenge.getStatus() != Status.VALID;
        }).filter(challenge2 -> {
            return challengeType.getAcmeChallengeName().equals(challenge2.getType());
        }).findFirst();
        if (findFirst.isPresent()) {
            Challenge challenge3 = (Challenge) findFirst.get();
            doChallengeSpecificSetup(authorization, challenge3);
            doChallengeAuthorization(authorization, challenge3);
        }
    }

    private void doChallengeAuthorization(final Authorization authorization, final Challenge challenge) throws AcmeException {
        final AtomicInteger atomicInteger = new AtomicInteger(this.acmeConfiguration.getAuth().getRefreshAttempts());
        challenge.trigger();
        SelfCancellable selfCancellable = new SelfCancellable() { // from class: io.micronaut.acme.services.AcmeService.2
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super();
            }

            @Override // java.lang.Runnable
            public void run() {
                int andDecrement = atomicInteger.getAndDecrement();
                if (AcmeService.LOG.isDebugEnabled()) {
                    AcmeService.LOG.debug("Challenge auth check retry number : {}", Integer.valueOf(andDecrement));
                }
                if (andDecrement <= 0) {
                    throw new AcmeRuntimeException("ACME certificate order failed. Challenge of type " + challenge.getType() + " failed. Still not valid after " + AcmeService.this.acmeConfiguration.getAuth().getRefreshAttempts() + " attempts");
                }
                Status status = challenge.getStatus();
                if (status == Status.VALID) {
                    cancel();
                    return;
                }
                if (status == Status.INVALID) {
                    throw new AcmeRuntimeException("ACME certificate order failed. Challenge of type " + challenge.getType() + " failed. With error : " + challenge.getError() + ", for domain" + authorization.getIdentifier().toString() + " ... Giving up.");
                }
                try {
                    challenge.update();
                } catch (AcmeException e) {
                    if (AcmeService.LOG.isWarnEnabled()) {
                        AcmeService.LOG.warn("ACME certificate order failed. Challenge of type {} failed.", challenge.getType(), e);
                    }
                }
            }
        };
        ScheduledFuture<?> scheduleWithFixedDelay = this.taskScheduler.scheduleWithFixedDelay(Duration.ZERO, this.authPause, selfCancellable);
        selfCancellable.setFuture(scheduleWithFixedDelay);
        try {
            scheduleWithFixedDelay.get();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Challenge of type {} has been completed for domain : {}.", challenge.getType(), authorization.getIdentifier());
            }
        } catch (InterruptedException e) {
            if (LOG.isErrorEnabled()) {
                LOG.error("ACME certificate auth poll interrupted", e);
            }
            Thread.currentThread().interrupt();
        } catch (CancellationException e2) {
        } catch (ExecutionException e3) {
            if (!(e3.getCause() instanceof AcmeRuntimeException)) {
                throw new AcmeException("ACME certificate challenge poll threw an error", e3);
            }
            throw new AcmeException(e3.getCause().getMessage());
        }
    }

    private void doChallengeSpecificSetup(Authorization authorization, Challenge challenge) throws IOException {
        if (challenge instanceof TlsAlpn01Challenge) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("TLS challenge selected, creating keys");
            }
            KeyPair domainKeyPair = getDomainKeyPair();
            this.eventPublisher.publishEvent(new CertificateEvent(domainKeyPair, true, CertificateUtils.createTlsAlpn01Certificate(domainKeyPair, authorization.getIdentifier(), ((TlsAlpn01Challenge) challenge).getAcmeValidation())));
            return;
        }
        if (challenge instanceof Http01Challenge) {
            Http01Challenge http01Challenge = (Http01Challenge) challenge;
            this.eventPublisher.publishEvent(new HttpChallengeDetails(http01Challenge.getToken(), http01Challenge.getAuthorization()));
        } else if (challenge instanceof Dns01Challenge) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("DNS challenge selected, spitting out TXT record.");
            }
            new TxtRenderer().render(((Dns01Challenge) challenge).getDigest(), authorization.getIdentifier().getDomain());
        }
    }

    public void setupCurrentCertificate() {
        Optional<X509Certificate[]> fullCertificateChain = getFullCertificateChain();
        if (fullCertificateChain.isPresent()) {
            this.eventPublisher.publishEvent(new CertificateEvent(getDomainKeyPair(), false, fullCertificateChain.get()));
        } else if (LOG.isErrorEnabled()) {
            LOG.error("ACME certificate chain could not be loaded from file.");
        }
    }
}
