package io.quarkus.tls.runtime.keystores;

import io.quarkus.tls.runtime.KeyStoreAndKeyCertOptions;
import io.quarkus.tls.runtime.TrustStoreAndTrustOptions;
import io.quarkus.tls.runtime.config.KeyStoreConfig;
import io.quarkus.tls.runtime.config.KeyStoreCredentialProviderConfig;
import io.quarkus.tls.runtime.config.P12KeyStoreConfig;
import io.quarkus.tls.runtime.config.P12TrustStoreConfig;
import io.quarkus.tls.runtime.config.TlsConfigUtils;
import io.quarkus.tls.runtime.config.TrustStoreConfig;
import io.quarkus.tls.runtime.config.TrustStoreCredentialProviderConfig;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.net.PfxOptions;
import java.io.UncheckedIOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.util.Optional;

/* loaded from: input_file:io/quarkus/tls/runtime/keystores/P12KeyStores.class */
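/**
 * Builds and validates PKCS#12 key stores and trust stores for a TLS configuration.
 *
 * <p>Each entry point reads the store file, resolves its password, loads the store through
 * Vert.x and, when an alias is configured, checks that the alias really exists in the store.
 * A misconfigured store is therefore reported when the configuration is verified rather than
 * later, when the store is first used.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Error messages name the certificate configuration, the store path and the alias.
 *       They never include a password value; keep it that way when editing them.</li>
 *   <li>Store and alias passwords are handed to {@link PfxOptions} as {@code String}s, so they
 *       stay on the heap for as long as the options object is reachable.</li>
 * </ul>
 */
public class P12KeyStores {
    private P12KeyStores() {
        // Static utility holder: not meant to be instantiated.
    }

    /**
     * Loads the configured P12 key store and verifies the configured alias, if any.
     *
     * @param keyStoreConfig key store configuration; its {@code p12()} section must be present
     * @param vertx Vert.x instance used to load the store
     * @param str name of the certificate configuration, used only in error messages
     * @return the loaded key store together with the options it was loaded from
     * @throws java.util.NoSuchElementException if the {@code p12()} section is absent
     * @throws IllegalStateException if the file cannot be read, the password cannot be resolved,
     *         the store cannot be loaded, or the alias has no certificate or key
     * @throws IllegalArgumentException if the key under the alias cannot be recovered with the
     *         configured alias password
     */
    public static KeyStoreAndKeyCertOptions verifyP12KeyStore(KeyStoreConfig keyStoreConfig, Vertx vertx, String str) {
        P12KeyStoreConfig p12 = keyStoreConfig.p12().orElseThrow();
        PfxOptions options = toOptions(p12, keyStoreConfig.credentialsProvider(), str);
        KeyStore keyStore = loadKeyStore(vertx, str, options, "key");
        verifyKeyStoreAlias(options, str, keyStore);
        return new KeyStoreAndKeyCertOptions(keyStore, options);
    }

    /**
     * Loads the configured P12 trust store and verifies the configured alias, if any.
     *
     * <p>With the {@code IGNORE} expiration policy the plain {@link PfxOptions} are returned.
     * For every other policy they are wrapped in {@code ExpiryTrustOptions} carrying that policy.
     * NOTE(review): the expiry handling itself lives in {@code ExpiryTrustOptions}, which is not
     * visible here. Under {@code IGNORE} this class adds no expiry handling at all.
     *
     * @param trustStoreConfig trust store configuration; its {@code p12()} section must be present
     * @param vertx Vert.x instance used to load the store
     * @param str name of the certificate configuration, used only in error messages
     * @return the loaded trust store together with its trust options
     * @throws java.util.NoSuchElementException if the {@code p12()} section is absent
     * @throws IllegalStateException if the file cannot be read, the password cannot be resolved,
     *         the store cannot be loaded, or the alias has no certificate
     */
    public static TrustStoreAndTrustOptions verifyP12TrustStoreStore(TrustStoreConfig trustStoreConfig, Vertx vertx, String str) {
        P12TrustStoreConfig p12 = trustStoreConfig.p12().orElseThrow();
        PfxOptions options = toOptions(p12, trustStoreConfig.credentialsProvider(), str);
        KeyStore trustStore = loadKeyStore(vertx, str, options, "trust");
        verifyTrustStoreAlias(p12.alias(), str, trustStore);

        if (trustStoreConfig.certificateExpirationPolicy() == TrustStoreConfig.CertificateExpiryPolicy.IGNORE) {
            return new TrustStoreAndTrustOptions(trustStore, options);
        }
        return new TrustStoreAndTrustOptions(trustStore,
                new ExpiryTrustOptions(options, trustStoreConfig.certificateExpirationPolicy()));
    }

    /**
     * Turns a P12 key store configuration into Vert.x {@link PfxOptions}.
     *
     * <p>The store bytes are read first, then the store password, alias and alias password are
     * resolved from the configuration or the credential provider.
     *
     * @throws IllegalStateException if the file cannot be read, the password is neither configured
     *         nor available from the credential provider, or any other failure occurs
     */
    private static PfxOptions toOptions(P12KeyStoreConfig p12KeyStoreConfig, KeyStoreCredentialProviderConfig keyStoreCredentialProviderConfig, String name) {
        PfxOptions options = new PfxOptions();
        try {
            options.setValue(Buffer.buffer(TlsConfigUtils.read(p12KeyStoreConfig.path())));
            String password = CredentialProviders
                    .getKeyStorePassword(p12KeyStoreConfig.password(), keyStoreCredentialProviderConfig)
                    .orElse(null);
            if (password != null) {
                options.setPassword(password);
                p12KeyStoreConfig.alias().ifPresent(options::setAlias);
                // A missing alias password is passed on as null.
                options.setAliasPassword(CredentialProviders
                        .getAliasPassword(p12KeyStoreConfig.aliasPassword(), keyStoreCredentialProviderConfig)
                        .orElse(null));
                return options;
            }
        } catch (UncheckedIOException e) {
            throw new IllegalStateException("Invalid P12 key store configuration for certificate '" + name + "' - cannot read the key store file '" + p12KeyStoreConfig.path() + "'", e);
        } catch (Exception e) {
            throw new IllegalStateException("Invalid P12 key store configuration for certificate '" + name + "'", e);
        }
        // Thrown outside the try on purpose: inside it, the generic catch above would re-wrap this
        // exception and bury the actionable "password is not set" message as a nested cause.
        throw new IllegalStateException("Invalid P12 key store configuration for certificate '" + name + "' - the key store password is not set and cannot be retrieved from the credential provider.");
    }

    /**
     * Turns a P12 trust store configuration into Vert.x {@link PfxOptions}.
     *
     * <p>The store bytes are read first, then the store password and alias are resolved from the
     * configuration or the credential provider.
     *
     * @throws IllegalStateException if the file cannot be read, the password is neither configured
     *         nor available from the credential provider, or any other failure occurs
     */
    private static PfxOptions toOptions(P12TrustStoreConfig p12TrustStoreConfig, TrustStoreCredentialProviderConfig trustStoreCredentialProviderConfig, String name) {
        PfxOptions options = new PfxOptions();
        try {
            options.setValue(Buffer.buffer(TlsConfigUtils.read(p12TrustStoreConfig.path())));
            String password = CredentialProviders
                    .getTrustStorePassword(p12TrustStoreConfig.password(), trustStoreCredentialProviderConfig)
                    .orElse(null);
            if (password != null) {
                options.setPassword(password);
                p12TrustStoreConfig.alias().ifPresent(options::setAlias);
                return options;
            }
        } catch (UncheckedIOException e) {
            throw new IllegalStateException("Invalid P12 trust store configuration for certificate '" + name + "' - cannot read the trust store file '" + p12TrustStoreConfig.path() + "'", e);
        } catch (Exception e) {
            throw new IllegalStateException("Invalid P12 trust store configuration for certificate '" + name + "'", e);
        }
        // Thrown outside the try on purpose: inside it, the generic catch above would re-wrap this
        // exception and bury the actionable "password is not set" message as a nested cause.
        throw new IllegalStateException("Invalid P12 trust store configuration for certificate '" + name + "' - the trust store password is not set and cannot be retrieved from the credential provider.");
    }

    /**
     * Checks that the alias set on {@code pfxOptions} has both a certificate and a private key
     * in {@code keyStore}, and that the key can be recovered with the alias password.
     * Does nothing when no alias is configured.
     *
     * @throws IllegalStateException if the certificate or key is missing, or the store cannot be
     *         queried
     * @throws IllegalArgumentException if the key cannot be recovered with the alias password
     */
    private static void verifyKeyStoreAlias(PfxOptions pfxOptions, String name, KeyStore keyStore) {
        String alias = pfxOptions.getAlias();
        if (alias == null) {
            return;
        }
        String aliasPassword = pfxOptions.getAliasPassword();
        // KeyStore.getKey accepts a null password, so an unset alias password is passed as null.
        char[] keyPassword = aliasPassword == null ? null : aliasPassword.toCharArray();
        try {
            if (keyStore.getCertificate(alias) == null) {
                throw new IllegalStateException("Alias '" + alias + "' not found in P12 key store (certificate not found)'" + name + "'");
            }
            if (keyStore.getKey(alias, keyPassword) == null) {
                throw new IllegalStateException("Alias '" + alias + "' not found in P12 key store (private key not found)'" + name + "'");
            }
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unable to verify alias '" + alias + "' in P12 key store '" + name + "'", e);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalArgumentException("Unable to recover the key for alias '" + alias + "' in P12 key store '" + name + "'", e);
        } finally {
            // Wipe the temporary copy made above. The password still exists as a String inside
            // PfxOptions, so this only removes the extra copy created by this method.
            if (keyPassword != null) {
                java.util.Arrays.fill(keyPassword, '\0');
            }
        }
    }

    /**
     * Checks that the configured alias, when present, has a certificate in {@code keyStore}.
     *
     * @throws IllegalStateException if the certificate is missing or the store cannot be queried
     */
    private static void verifyTrustStoreAlias(Optional<String> configuredAlias, String name, KeyStore keyStore) {
        if (configuredAlias.isEmpty()) {
            return;
        }
        String alias = configuredAlias.get();
        try {
            if (keyStore.getCertificate(alias) == null) {
                throw new IllegalStateException("Alias '" + alias + "' not found in P12 trust store (certificate not found)'" + name + "'");
            }
        } catch (KeyStoreException e) {
            throw new IllegalStateException("Unable to verify alias '" + alias + "' in P12 trust store '" + name + "'", e);
        }
    }

    /**
     * Loads the store described by {@code pfxOptions} through Vert.x.
     *
     * @param kind {@code "key"} or {@code "trust"}; used only to word the error message
     * @throws IllegalStateException if loading fails for any reason; the original failure is
     *         kept as the cause
     */
    private static KeyStore loadKeyStore(Vertx vertx, String name, PfxOptions pfxOptions, String kind) {
        try {
            return pfxOptions.loadKeyStore(vertx);
        } catch (Exception e) {
            throw new IllegalStateException("Unable to load P12 " + kind + " store '" + name + "', verify the password.", e);
        }
    }
}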
