package com.predic8.membrane.core.transport.ssl;

import com.predic8.membrane.core.Constants;
import com.predic8.membrane.core.config.security.SSLParser;
import com.predic8.membrane.core.interceptor.session.SessionManager;
import com.predic8.membrane.core.kubernetes.client.KubernetesClientFactory;
import com.predic8.membrane.core.transport.http.HttpClientFactory;
import com.predic8.membrane.core.transport.ssl.acme.AcmeClient;
import com.predic8.membrane.core.transport.ssl.acme.AcmeKeyCert;
import com.predic8.membrane.core.transport.ssl.acme.AcmeRenewal;
import com.predic8.membrane.core.util.TimerManager;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TimerTask;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLSocketFactory;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/predic8/membrane/core/transport/ssl/AcmeSSLContext.class */
public class AcmeSSLContext extends SSLContext {
    private static final Logger log = LoggerFactory.getLogger(AcmeSSLContext.class);
    private final SSLParser parser;
    private final AcmeClient client;
    private final String[] hosts;
    private final boolean selfCreatedTimerManager;
    private final TimerManager timerManager;
    private final AtomicBoolean shutdown = new AtomicBoolean(false);
    private volatile AcmeKeyCert keyCert;

    public AcmeSSLContext(SSLParser sSLParser, String[] strArr, @Nullable HttpClientFactory httpClientFactory, @Nullable TimerManager timerManager) throws JoseException, IOException {
        this.parser = sSLParser;
        this.hosts = computeHostList(strArr, sSLParser.getAcme().getHosts());
        this.client = new AcmeClient(sSLParser.getAcme(), httpClientFactory);
        this.selfCreatedTimerManager = timerManager == null;
        this.timerManager = timerManager != null ? timerManager : new TimerManager();
    }

    public void init(@Nullable KubernetesClientFactory kubernetesClientFactory) {
        this.client.init(kubernetesClientFactory);
        initAndSchedule();
    }

    private String[] computeHostList(String[] strArr, String str) {
        if (str == null) {
            return strArr;
        }
        String[] split = str.split(" +");
        for (String str2 : strArr) {
            boolean z = false;
            for (String str3 : split) {
                if (hostMatches(str2, str3)) {
                    z = true;
                }
            }
            if (!z) {
                throw new RuntimeException("Hostname " + str2 + " seems not to be fulfillable by a certificate issued for " + str);
            }
        }
        return split;
    }

    private boolean hostMatches(String str, String str2) {
        if (str.equals(str2)) {
            return true;
        }
        return str2.startsWith("*.") && str.endsWith(str2.substring(2)) && str.length() >= str2.length() && str.codePointAt((str.length() - str2.length()) + 1) == 46 && isHostname(str.substring(0, (str.length() - str2.length()) + 1));
    }

    private boolean isHostname(String str) {
        for (int i = 0; i < str.length(); i++) {
            if (!Character.isDigit(str.codePointAt(i)) && !Character.isLetter(str.codePointAt(i)) && str.codePointAt(i) != 45 && str.codePointAt(i) != 42) {
                return false;
            }
        }
        return true;
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    String getLocation() {
        return "ACME certificate from " + constructHostsString();
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    List<String> getDnsNames() {
        return Arrays.asList(this.hosts);
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    SSLSocketFactory getSocketFactory() {
        AcmeKeyCert acmeKeyCert = this.keyCert;
        if (acmeKeyCert == null) {
            throw new RuntimeException("ACME has not yet acquired a certificate.");
        }
        return acmeKeyCert.getSslContext().getSocketFactory();
    }

    public AcmeClient getClient() {
        return this.client;
    }

    public String[] getHosts() {
        return this.hosts;
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public ServerSocket createServerSocket(int i, int i2, InetAddress inetAddress) throws IOException {
        return new ServerSocket(i, i2, inetAddress);
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket() throws IOException {
        throw new IllegalStateException("not implemented");
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(Socket socket, String str, int i, int i2, @Nullable String str2, @Nullable String[] strArr) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(String str, int i, int i2, @Nullable String str2, @Nullable String[] strArr) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket createSocket(String str, int i, InetAddress inetAddress, int i2, int i3, @Nullable String str2, @Nullable String[] strArr) throws IOException {
        throw new IllegalStateException("not implemented");
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLProvider
    public Socket wrapAcceptedSocket(Socket socket) throws IOException {
        return wrap(socket, new byte[0], 0);
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public Socket wrap(Socket socket, byte[] bArr, int i) throws IOException {
        check(socket);
        return super.wrap(socket, bArr, i);
    }

    private void check(Socket socket) throws IOException {
        if (getSocketFactory() == null) {
            try {
                socket.getOutputStream().write(new byte[]{21, 3, 1, 0, 2, 2, 46});
                if (socket != null) {
                    socket.close();
                }
                throw new RuntimeException("no ACME certificate available for " + constructHostsString());
            } catch (Throwable th) {
                if (socket != null) {
                    try {
                        socket.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
    }

    private String constructHostsString() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < this.hosts.length; i++) {
            if (i > 0) {
                sb.append(SessionManager.SESSION_VALUE_SEPARATOR);
            }
            sb.append(this.hosts[i]);
        }
        return sb.toString();
    }

    private void initAndSchedule() {
        try {
            tryLoad();
        } catch (Exception e) {
            log.info("ACME: do not yet have a certificate for " + constructHostsString(), e);
        }
        schedule();
    }

    private void tryLoad() {
        String key = this.client.getKey(this.hosts);
        String certificates = this.client.getCertificates(this.hosts);
        if (key == null) {
            log.debug("ACME: do not yet have a key for " + constructHostsString());
            return;
        }
        if (certificates == null) {
            log.debug("ACME: do not yet have a certificate for " + constructHostsString());
            return;
        }
        AcmeKeyCert acmeKeyCert = this.keyCert;
        if (acmeKeyCert != null && key.equals(acmeKeyCert.getKey()) && certificates.equals(acmeKeyCert.getCerts())) {
            return;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, Constants.EMPTY_STRING.toCharArray());
            ArrayList arrayList = new ArrayList(PEMSupport.getInstance().parseCertificates(certificates));
            if (arrayList.size() == 0) {
                throw new RuntimeException("At least one certificate is required.");
            }
            checkChainValidity(arrayList);
            long validFrom = getValidFrom(arrayList);
            long minimumValidity = getMinimumValidity(arrayList);
            Object parseKey = PEMSupport.getInstance().parseKey(key);
            Key key2 = parseKey instanceof Key ? (Key) parseKey : ((KeyPair) parseKey).getPrivate();
            checkKeyMatchesCert(key2, arrayList);
            keyStore.setKeyEntry("inlinePemKeyAndCertificate", key2, Constants.EMPTY_STRING.toCharArray(), (Certificate[]) arrayList.toArray(new Certificate[arrayList.size()]));
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, Constants.EMPTY_STRING.toCharArray());
            javax.net.ssl.SSLContext sSLContext = javax.net.ssl.SSLContext.getInstance("TLS");
            sSLContext.init(keyManagerFactory.getKeyManagers(), null, null);
            init(this.parser, sSLContext);
            this.keyCert = new AcmeKeyCert(key, certificates, validFrom, minimumValidity, sSLContext);
            log.info("ACME: installed key and certificate for " + constructHostsString());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public void schedule() {
        long retry = this.parser.getAcme().getRetry();
        AcmeKeyCert acmeKeyCert = this.keyCert;
        if (acmeKeyCert != null) {
            retry = Math.max(renewAt(acmeKeyCert.getValidFrom(), acmeKeyCert.getValidUntil()) - System.currentTimeMillis(), this.parser.getAcme().getRetry());
        }
        if (this.shutdown.get()) {
            return;
        }
        this.timerManager.schedule(new TimerTask() { // from class: com.predic8.membrane.core.transport.ssl.AcmeSSLContext.1
            @Override // java.util.TimerTask, java.lang.Runnable
            public void run() {
                if (!"never".equals(AcmeSSLContext.this.parser.getAcme().getRenewal())) {
                    new AcmeRenewal(AcmeSSLContext.this.client, AcmeSSLContext.this.hosts).doWork();
                }
                AcmeSSLContext.this.initAndSchedule();
            }
        }, retry, "ACME timer " + constructHostsString());
    }

    public static long renewAt(long j, long j2) {
        return j2 - ((j2 - j) / 3);
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext, com.predic8.membrane.core.transport.ssl.SSLProvider
    public void stop() {
        this.shutdown.set(true);
        if (this.selfCreatedTimerManager) {
            this.timerManager.shutdown();
        }
    }

    public boolean isReady() {
        return this.keyCert != null;
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public boolean hasKeyAndCertificate() {
        return this.keyCert != null;
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public long getValidFrom() {
        return this.keyCert.getValidFrom();
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public long getValidUntil() {
        return this.keyCert.getValidUntil();
    }

    @Override // com.predic8.membrane.core.transport.ssl.SSLContext
    public String getPrometheusContextTypeName() {
        return "acme";
    }
}
