package de.gematik.test.tiger.proxy.tls;

import de.gematik.test.tiger.common.data.config.tigerProxy.TigerProxyConfiguration;
import de.gematik.test.tiger.common.pki.TigerPkiIdentity;
import de.gematik.test.tiger.proxy.configuration.ProxyConfigurationConverter;
import de.gematik.test.tiger.proxy.exceptions.TigerProxyConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.time.Duration;
import java.time.ZonedDateTime;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.IPAddress;
import org.mockserver.configuration.Configuration;
import org.mockserver.configuration.ConfigurationProperties;
import org.mockserver.log.model.LogEntry;
import org.mockserver.logging.MockServerLogger;
import org.mockserver.socket.tls.bouncycastle.BCKeyAndCertificateFactory;
import org.slf4j.event.Level;

/* loaded from: input_file:de/gematik/test/tiger/proxy/tls/DynamicTigerKeyAndCertificateFactory.class */
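/**
 * mockserver key/certificate factory that mints an end-entity (EE) TLS identity on demand, signed by the
 * CA identity handed in through the builder, and regenerates it whenever the set of hosts the certificate
 * has to cover (configured alternative names, mockserver SAN domains, the configured domain name) grows.
 *
 * <p>NOTE(review): nothing here is synchronised; if mockserver calls the accessors from several connection
 * threads at once the identity may be generated more than once — confirm at the call sites.
 */
public class DynamicTigerKeyAndCertificateFactory extends BCKeyAndCertificateFactory {
    /** Maximum EE certificate lifetime (397 days keeps within the lifetime cap browsers apply to leaf certificates). */
    private static final Duration MAXIMUM_VALIDITY = Duration.ofDays(397);
    /** notBefore and notAfter are both shifted back by this amount — presumably to tolerate clock skew; behaviour kept as found. */
    private static final Duration BACKDATING = Duration.ofDays(10);
    private static final int RSA_KEY_SIZE = 2048;
    /** Random bits in a serial number; with the +1 below the serial is positive, non-zero and at most 64 bits. */
    private static final int SERIAL_NUMBER_BITS = 63;
    /** Shared CSPRNG for serial numbers and key generation (SecureRandom is thread-safe). */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    static {
        // The RSA key generator and the certificate converter below are requested from the "BC" provider explicitly.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Issuer of the generated EE certificates; may be null (the builder does not enforce it), which makes generation fail. */
    private final TigerPkiIdentity caIdentity;
    private final MockServerLogger mockServerLogger;
    /** EE certificate followed by the CA certificate; rebuilt on every generation. */
    private final List<X509Certificate> certificateChain;
    /** Subject CN of the EE certificate, taken from the TLS domain name of the proxy configuration. */
    private final String serverName;
    /** Extra SAN entries: configured alternative names plus anything passed to {@link #addAlternativeName(String)}. */
    private final List<String> serverAlternativeNames;
    /** Currently valid EE identity, or null when (re)generation is pending. */
    private TigerPkiIdentity eeIdentity;
    /** Hosts the current EE certificate carries as SAN entries (deduplicated, no nulls). */
    private List<String> hostsCoveredByGeneratedIdentity;
    private final Configuration mockServerConfiguration;

    /** Lombok-style builder kept as generated; see {@link DynamicTigerKeyAndCertificateFactory#builder()}. */
    @Generated
    /* loaded from: input_file:de/gematik/test/tiger/proxy/tls/DynamicTigerKeyAndCertificateFactory$DynamicTigerKeyAndCertificateFactoryBuilder.class */
    public static class DynamicTigerKeyAndCertificateFactoryBuilder {

        @Generated
        private MockServerLogger mockServerLogger;

        @Generated
        private TigerProxyConfiguration tigerProxyConfiguration;

        @Generated
        private TigerPkiIdentity caIdentity;

        @Generated
        private Configuration mockServerConfiguration;

        @Generated
        DynamicTigerKeyAndCertificateFactoryBuilder() {
        }

        @Generated
        public DynamicTigerKeyAndCertificateFactoryBuilder mockServerLogger(MockServerLogger mockServerLogger) {
            this.mockServerLogger = mockServerLogger;
            return this;
        }

        @Generated
        public DynamicTigerKeyAndCertificateFactoryBuilder tigerProxyConfiguration(TigerProxyConfiguration tigerProxyConfiguration) {
            this.tigerProxyConfiguration = tigerProxyConfiguration;
            return this;
        }

        @Generated
        public DynamicTigerKeyAndCertificateFactoryBuilder caIdentity(TigerPkiIdentity tigerPkiIdentity) {
            this.caIdentity = tigerPkiIdentity;
            return this;
        }

        @Generated
        public DynamicTigerKeyAndCertificateFactoryBuilder mockServerConfiguration(Configuration configuration) {
            this.mockServerConfiguration = configuration;
            return this;
        }

        @Generated
        public DynamicTigerKeyAndCertificateFactory build() {
            return new DynamicTigerKeyAndCertificateFactory(this.mockServerLogger, this.tigerProxyConfiguration, this.caIdentity, this.mockServerConfiguration);
        }

        @Generated
        public String toString() {
            return "DynamicTigerKeyAndCertificateFactory.DynamicTigerKeyAndCertificateFactoryBuilder(mockServerLogger=" + this.mockServerLogger + ", tigerProxyConfiguration=" + this.tigerProxyConfiguration + ", caIdentity=" + this.caIdentity + ", mockServerConfiguration=" + this.mockServerConfiguration + ")";
        }
    }

    /**
     * Creates a factory whose EE certificates are issued by {@code tigerPkiIdentity}.
     *
     * @param mockServerLogger        logger used for trace/error events during generation
     * @param tigerProxyConfiguration source of the TLS domain name and configured alternative names
     * @param tigerPkiIdentity        CA identity (certificate + private key) that signs the generated EE certificates
     * @param configuration           mockserver configuration whose SAN domains the EE certificate must also cover
     */
    public DynamicTigerKeyAndCertificateFactory(MockServerLogger mockServerLogger, TigerProxyConfiguration tigerProxyConfiguration, TigerPkiIdentity tigerPkiIdentity, Configuration configuration) {
        super(ProxyConfigurationConverter.convertToMockServerConfiguration(tigerProxyConfiguration), mockServerLogger);
        this.hostsCoveredByGeneratedIdentity = List.of();
        this.certificateChain = new ArrayList<>();
        this.mockServerLogger = mockServerLogger;
        this.caIdentity = tigerPkiIdentity;
        this.eeIdentity = null;
        this.serverName = tigerProxyConfiguration.getTls().getDomainName();
        this.serverAlternativeNames = new ArrayList<>();
        if (tigerProxyConfiguration.getTls().getAlternativeNames() != null) {
            this.serverAlternativeNames.addAll(tigerProxyConfiguration.getTls().getAlternativeNames());
        }
        this.mockServerConfiguration = configuration;
    }

    /** The CA is supplied from outside, never created here, so it is always reported as present. */
    public boolean certificateAuthorityCertificateNotYetCreated() {
        return false;
    }

    /**
     * Returns the CA certificate that issued (or will issue) the EE certificate, triggering generation first.
     *
     * @throws TigerProxyConfigurationException when no CA identity is configured and the EE identity carries no chain
     */
    public X509Certificate certificateAuthorityX509Certificate() {
        buildAndSavePrivateKeyAndX509Certificate();
        if (this.caIdentity != null) {
            return this.caIdentity.getCertificate();
        }
        // Fallback kept from the original: take the first chain element of the EE identity.
        List<?> chain = requireEeIdentity().getCertificateChain();
        if (chain == null || chain.isEmpty()) {
            throw new TigerProxyConfigurationException("Discovered illegal configuration in TLS-setup: Dynamic certificate generation, but no CA certificate present!");
        }
        return (X509Certificate) chain.get(0);
    }

    /**
     * @return the private key of the (possibly freshly generated) EE identity
     * @throws TigerProxyConfigurationException when the EE identity could not be generated
     */
    public PrivateKey privateKey() {
        return requireEeIdentity().getPrivateKey();
    }

    /**
     * @return the (possibly freshly generated) EE certificate
     * @throws TigerProxyConfigurationException when the EE identity could not be generated
     */
    public X509Certificate x509Certificate() {
        return requireEeIdentity().getCertificate();
    }

    /**
     * Generates a new RSA key pair and CA-signed EE certificate unless a current identity already covers all
     * required hosts. Generation failures are logged at ERROR and leave the identity unset, so the accessors
     * fail with a {@link TigerProxyConfigurationException} afterwards instead of a NullPointerException.
     *
     * @throws TigerProxyConfigurationException when generation is needed but no CA identity is configured
     */
    public void buildAndSavePrivateKeyAndX509Certificate() {
        assureCurrentCertificateCoversAllNecessaryHosts();
        if (this.eeIdentity != null) {
            return;
        }
        if (this.caIdentity == null) {
            throw new TigerProxyConfigurationException("Discovered illegal configuration in TLS-setup: Dynamic certificate generation, but no CA identity configured!");
        }
        try {
            KeyPair eeKeyPair = generateRsaKeyPair(RSA_KEY_SIZE);
            X509Certificate eeCertificate = createCertificateSignedByCa(eeKeyPair.getPublic(), this.caIdentity.getCertificate(), this.caIdentity.getPrivateKey());
            this.eeIdentity = new TigerPkiIdentity(eeCertificate, eeKeyPair.getPrivate());
            this.certificateChain.clear();
            this.certificateChain.add(eeCertificate);
            this.certificateChain.add(this.caIdentity.getCertificate());
            if (MockServerLogger.isEnabled(Level.TRACE)) {
                // Log the hosts actually written into the SAN extension (the local list), not the global mockserver properties.
                this.mockServerLogger.logEvent(new LogEntry()
                    .setLogLevel(Level.TRACE)
                    .setMessageFormat("created new X509 {} covering hosts {}")
                    .setArguments(eeCertificate, this.hostsCoveredByGeneratedIdentity));
            }
        } catch (Exception e) {
            // Kept broad to preserve the log-and-continue behaviour of the original; the accessors report the missing identity.
            this.mockServerLogger.logEvent(new LogEntry().setLogLevel(Level.ERROR).setMessageFormat("exception while generating private key and X509 certificate").setThrowable(e));
        }
    }

    /** Runs generation if needed and returns the EE identity, failing loudly instead of dereferencing null. */
    private TigerPkiIdentity requireEeIdentity() {
        buildAndSavePrivateKeyAndX509Certificate();
        if (this.eeIdentity == null) {
            throw new TigerProxyConfigurationException("Dynamic TLS identity for '" + this.serverName + "' could not be generated (see preceding log entries)");
        }
        return this.eeIdentity;
    }

    /** Drops the current EE identity when any required host is missing from its SAN list, forcing regeneration. */
    private void assureCurrentCertificateCoversAllNecessaryHosts() {
        if (this.eeIdentity == null) {
            return;
        }
        for (String host : collectRequiredHosts()) {
            if (!this.hostsCoveredByGeneratedIdentity.contains(host)) {
                this.eeIdentity = null;
                return;
            }
        }
    }

    /**
     * All hosts the EE certificate must name: configured/added alternative names, mockserver SAN domains and the
     * domain name, deduplicated in insertion order and with nulls removed (a null would otherwise never be "covered"
     * and trigger regeneration on every access).
     */
    private List<String> collectRequiredHosts() {
        Set<String> hosts = new LinkedHashSet<>(this.serverAlternativeNames);
        hosts.addAll(this.mockServerConfiguration.sslSubjectAlternativeNameDomains());
        hosts.add(this.serverName);
        hosts.remove(null);
        return new ArrayList<>(hosts);
    }

    /**
     * @return a snapshot of the chain (EE certificate, then CA certificate); a copy so callers are not affected by regeneration
     * @throws TigerProxyConfigurationException when the EE identity could not be generated
     */
    public List<X509Certificate> certificateChain() {
        requireEeIdentity();
        return List.copyOf(this.certificateChain);
    }

    /**
     * Builds and signs an EE certificate for {@code publicKey}, issued by {@code caCertificate}'s subject.
     * Also records the hosts placed into the SAN extension in {@link #hostsCoveredByGeneratedIdentity}.
     *
     * @param publicKey     public key to certify
     * @param caCertificate issuer certificate (its subject becomes the issuer DN)
     * @param caPrivateKey  key used to sign; RSA keys get SHA256WithRSA, anything else SHA256withECDSA
     */
    private X509Certificate createCertificateSignedByCa(PublicKey publicKey, X509Certificate caCertificate, PrivateKey caPrivateKey) throws GeneralSecurityException, IOException, OperatorCreationException {
        ZonedDateTime now = ZonedDateTime.now();
        Date notBefore = Date.from(now.minus(BACKDATING).toInstant());
        Date notAfter = Date.from(now.plus(MAXIMUM_VALIDITY).minus(BACKDATING).toInstant());
        X500Name issuer = new X509CertificateHolder(caCertificate.getEncoded()).getSubject();
        // Built attribute by attribute so a domain name containing ',', '+' or '=' cannot break the DN; a missing
        // domain name becomes the literal "null", exactly as the former string-built DN produced.
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.CN, String.valueOf(this.serverName))
            .addRDN(BCStyle.O, "Gematik")
            .addRDN(BCStyle.L, "Berlin")
            .addRDN(BCStyle.ST, "Berlin")
            .addRDN(BCStyle.C, "DE")
            .build();
        JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(issuer, newSerialNumber(), notBefore, notAfter, subject, publicKey);
        certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, createNewSubjectKeyIdentifier(publicKey));
        certificateBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        this.hostsCoveredByGeneratedIdentity = collectRequiredHosts();
        ASN1Encodable[] subjectAlternativeNames = this.hostsCoveredByGeneratedIdentity.stream()
            .map(this::mapAlternativeNameToAsn1Encodable)
            .toArray(ASN1Encodable[]::new);
        certificateBuilder.addExtension(Extension.subjectAlternativeName, false, new DERSequence(subjectAlternativeNames));
        return signTheCertificate(certificateBuilder, caPrivateKey);
    }

    /**
     * Serial number per RFC 5280: positive, non-zero, unpredictable (CSPRNG, 64 bits) and far below the 20-octet limit.
     * The former {@code java.util.Random} 31-bit serial could be zero and was predictable.
     */
    private static BigInteger newSerialNumber() {
        return BigInteger.ONE.add(new BigInteger(SERIAL_NUMBER_BITS, SECURE_RANDOM));
    }

    /** IP literals (with or without netmask) become iPAddress SAN entries, everything else a dNSName entry. */
    private ASN1Encodable mapAlternativeNameToAsn1Encodable(String name) {
        boolean isIpLiteral = IPAddress.isValidIPv6WithNetmask(name)
            || IPAddress.isValidIPv6(name)
            || IPAddress.isValidIPv4WithNetmask(name)
            || IPAddress.isValidIPv4(name);
        if (isIpLiteral) {
            return new GeneralName(GeneralName.iPAddress, name);
        }
        return new GeneralName(GeneralName.dNSName, name);
    }

    /** Signs the prepared certificate with the CA key, choosing the signature algorithm by key type. */
    private X509Certificate signTheCertificate(X509v3CertificateBuilder certificateBuilder, PrivateKey signingKey) throws OperatorCreationException, CertificateException {
        String signatureAlgorithm = signingKey instanceof RSAPrivateKey ? "SHA256WithRSAEncryption" : "SHA256withECDSA";
        X509CertificateHolder holder = certificateBuilder.build(
            new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(signingKey));
        return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(holder);
    }

    /**
     * @param keySize modulus length in bits
     * @return a fresh RSA key pair from the BC provider seeded by the shared CSPRNG
     */
    private KeyPair generateRsaKeyPair(int keySize) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
        generator.initialize(keySize, SECURE_RANDOM);
        return generator.generateKeyPair();
    }

    /** Derives the SubjectKeyIdentifier extension value from the encoded public key. */
    private SubjectKeyIdentifier createNewSubjectKeyIdentifier(Key key) throws IOException {
        try (ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(key.getEncoded()))) {
            return new BcX509ExtensionUtils().createSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(asn1In.readObject()));
        }
    }

    /** True until the first successful generation, and again after {@link #resetEeCertificate()} or a host change. */
    public boolean certificateNotYetCreated() {
        return this.eeIdentity == null;
    }

    /** Forces a new EE identity on the next access. */
    public void resetEeCertificate() {
        this.eeIdentity = null;
    }

    /** Adds a host name or IP literal to the SAN list; the next access regenerates the certificate if it is not yet covered. */
    public void addAlternativeName(String alternativeName) {
        this.serverAlternativeNames.add(alternativeName);
    }

    @Generated
    public static DynamicTigerKeyAndCertificateFactoryBuilder builder() {
        return new DynamicTigerKeyAndCertificateFactoryBuilder();
    }
}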
