package com.ibm.ws.security.acme.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.net.URI;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.shredzone.acme4j.Account;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.OrderBuilder;
import org.shredzone.acme4j.RevocationReason;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeRetryAfterException;
import org.shredzone.acme4j.exception.AcmeServerException;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.KeyPairUtils;

/* loaded from: input_file:com/ibm/ws/security/acme/internal/AcmeClient.class */
public class AcmeClient {
    private static final TraceComponent tc = Tr.register(AcmeClient.class);
    private static final int KEY_SIZE = 2048;
    private Set<String> accountContact;
    private String accountKeyFilePath;
    private String directoryURI;
    private String domainKeyFilePath;
    private int challengeRetries = 10;
    private long challengeRetryWaitMs = 5000;
    private final Map<String, String> httpTokenToAuthzMap = new HashMap();
    private int orderRetries = 10;
    private long orderRetryWaitMs = 3000;
    private boolean termsOfServiceAgreed = false;

    public AcmeClient(String str, String str2, String str3, Set<String> set) {
        this.accountKeyFilePath = null;
        this.domainKeyFilePath = null;
        if (str == null || str.trim().isEmpty()) {
            throw new IllegalArgumentException("The ACME CA's directory URI must be a valid URI.");
        }
        validateKeyFilePath(str2, "account");
        validateKeyFilePath(str3, "domain");
        this.directoryURI = str;
        this.accountKeyFilePath = str2;
        this.domainKeyFilePath = str3;
        this.accountContact = set;
    }

    private void authorize(Authorization authorization) throws AcmeException, IOException {
        boolean z;
        if (authorization.getStatus() == Status.VALID) {
            return;
        }
        Http01Challenge prepareHttpChallenge = prepareHttpChallenge(authorization);
        try {
            if (prepareHttpChallenge.getStatus() == Status.VALID) {
                if (z) {
                    return;
                } else {
                    return;
                }
            }
            prepareHttpChallenge.trigger();
            int i = this.challengeRetries + 1;
            while (prepareHttpChallenge.getStatus() != Status.VALID) {
                int i2 = i;
                i--;
                if (i2 <= 0) {
                    break;
                }
                if (prepareHttpChallenge.getStatus() == Status.INVALID) {
                    String str = "ACME CA responded that the challenge failed for domain '" + authorization.getIdentifier().getDomain() + "' with status " + Status.INVALID.toString() + ".";
                    Tr.error(tc, str, new Object[0]);
                    throw new AcmeException(str);
                }
                sleep(this.challengeRetryWaitMs);
                try {
                    prepareHttpChallenge.update();
                } catch (AcmeRetryAfterException e) {
                }
            }
            if (prepareHttpChallenge.getStatus() != Status.VALID) {
                String str2 = "Timed out waiting for successful challenge for domain '" + authorization.getIdentifier().getDomain() + "'. Status is " + prepareHttpChallenge.getStatus().toString();
                Tr.error(tc, str2, new Object[0]);
                throw new AcmeException(str2);
            }
            if (prepareHttpChallenge instanceof Http01Challenge) {
                this.httpTokenToAuthzMap.remove(prepareHttpChallenge.getToken());
            }
        } finally {
            if (prepareHttpChallenge instanceof Http01Challenge) {
                this.httpTokenToAuthzMap.remove(prepareHttpChallenge.getToken());
            }
        }
    }

    public AcmeCertificate fetchCertificate(CSROptions cSROptions) throws IOException, AcmeException {
        Account findOrRegisterAccount = findOrRegisterAccount(new Session(this.directoryURI), loadOrCreateAccountKeyPair());
        KeyPair loadOrCreateDomainKeyPair = loadOrCreateDomainKeyPair();
        OrderBuilder newOrder = findOrRegisterAccount.newOrder();
        newOrder.domains(cSROptions.getDomains());
        if (cSROptions.getValidForMs() != null && cSROptions.getValidForMs().longValue() > 0) {
            newOrder.notAfter(Instant.now().plusMillis(cSROptions.getValidForMs().longValue()));
        }
        Order create = newOrder.create();
        Iterator it = create.getAuthorizations().iterator();
        while (it.hasNext()) {
            authorize((Authorization) it.next());
        }
        CSRBuilder cSRBuilder = new CSRBuilder();
        cSRBuilder.addDomains(cSROptions.getDomains());
        if (cSROptions.getCountry() != null) {
            cSRBuilder.setCountry(cSROptions.getCountry());
        }
        if (cSROptions.getState() != null) {
            cSRBuilder.setState(cSROptions.getState());
        }
        if (cSROptions.getLocality() != null) {
            cSRBuilder.setLocality(cSROptions.getLocality());
        }
        if (cSROptions.getOrganization() != null) {
            cSRBuilder.setOrganization(cSROptions.getOrganization());
        }
        if (cSROptions.getOrganizationalUnit() != null) {
            cSRBuilder.setOrganizationalUnit(cSROptions.getOrganizationalUnit());
        }
        cSRBuilder.sign(loadOrCreateDomainKeyPair);
        Tr.debug(tc, "Certificate Signing Request: " + cSRBuilder.toString(), new Object[0]);
        create.execute(cSRBuilder.getEncoded());
        int i = this.orderRetries + 1;
        while (create.getStatus() != Status.VALID) {
            int i2 = i;
            i--;
            if (i2 <= 0) {
                break;
            }
            if (create.getStatus() == Status.INVALID) {
                String str = "ACME CA responded that the challenge failed for domains " + cSROptions.getDomains() + " with status " + Status.INVALID.toString() + ".";
                Tr.error(tc, str, new Object[0]);
                throw new AcmeException(str);
            }
            sleep(this.orderRetryWaitMs);
            try {
                create.update();
            } catch (AcmeRetryAfterException e) {
            }
        }
        if (create.getStatus() == Status.VALID) {
            Certificate certificate = create.getCertificate();
            return new AcmeCertificate(loadOrCreateDomainKeyPair, certificate.getCertificate(), certificate.getCertificateChain());
        }
        String str2 = "Timed out waiting for successful order for domains " + cSROptions.getDomains() + ". Status is " + create.getStatus().toString();
        Tr.error(tc, str2, new Object[0]);
        throw new AcmeException(str2);
    }

    private Account findExistingAccount(Session session, KeyPair keyPair) throws AcmeException {
        try {
            return new AccountBuilder().useKeyPair(keyPair).onlyExisting().create(session);
        } catch (AcmeServerException e) {
            return null;
        }
    }

    private Account findOrRegisterAccount(Session session, KeyPair keyPair) throws AcmeException {
        Account findExistingAccount = findExistingAccount(session, keyPair);
        if (findExistingAccount == null) {
            URI termsOfService = session.getMetadata().getTermsOfService();
            if (termsOfService != null && !this.termsOfServiceAgreed) {
                String str = "The account must accept the terms of service. The terms of service can be found at the following URI: " + termsOfService;
                Tr.error(tc, str, new Object[0]);
                throw new AcmeException(str);
            }
            if (termsOfService != null) {
                Tr.info(tc, "Accepted the ACME CA's terms of service on behalf of the account. See the terms of service here: " + termsOfService, new Object[0]);
            }
            AccountBuilder useKeyPair = new AccountBuilder().agreeToTermsOfService().useKeyPair(keyPair);
            if (this.accountContact != null && !this.accountContact.isEmpty()) {
                Iterator<String> it = this.accountContact.iterator();
                while (it.hasNext()) {
                    useKeyPair.addContact(it.next());
                }
            }
            findExistingAccount = useKeyPair.create(session);
        }
        Tr.info(tc, "Fetched account from ACME CA. URL: " + findExistingAccount.getLocation(), new Object[0]);
        return findExistingAccount;
    }

    public String getHttp01Authorization(String str) {
        return this.httpTokenToAuthzMap.get(str);
    }

    private KeyPair loadAccountKeyPair() throws IOException {
        File file = null;
        if (this.accountKeyFilePath != null) {
            file = new File(this.accountKeyFilePath);
        }
        if (file == null || !file.exists()) {
            return null;
        }
        FileReader fileReader = new FileReader(file);
        try {
            KeyPair readKeyPair = KeyPairUtils.readKeyPair(fileReader);
            fileReader.close();
            return readKeyPair;
        } catch (Throwable th) {
            try {
                fileReader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private KeyPair loadDomainKeyPair() throws IOException {
        File file = null;
        if (this.domainKeyFilePath != null) {
            file = new File(this.domainKeyFilePath);
        }
        if (file == null || !file.exists()) {
            return null;
        }
        FileReader fileReader = new FileReader(file);
        try {
            KeyPair readKeyPair = KeyPairUtils.readKeyPair(fileReader);
            fileReader.close();
            return readKeyPair;
        } catch (Throwable th) {
            try {
                fileReader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private KeyPair loadOrCreateAccountKeyPair() throws IOException {
        KeyPair loadAccountKeyPair = loadAccountKeyPair();
        if (loadAccountKeyPair == null) {
            loadAccountKeyPair = KeyPairUtils.createKeyPair(KEY_SIZE);
            File file = null;
            if (this.accountKeyFilePath != null) {
                file = new File(this.accountKeyFilePath);
            }
            if (file != null) {
                KeyPairUtils.writeKeyPair(loadAccountKeyPair, new FileWriter(file));
            }
        }
        return loadAccountKeyPair;
    }

    private KeyPair loadOrCreateDomainKeyPair() throws IOException {
        KeyPair loadDomainKeyPair = loadDomainKeyPair();
        if (loadDomainKeyPair == null) {
            loadDomainKeyPair = KeyPairUtils.createKeyPair(KEY_SIZE);
            File file = null;
            if (this.domainKeyFilePath != null) {
                file = new File(this.domainKeyFilePath);
            }
            if (file != null) {
                KeyPairUtils.writeKeyPair(loadDomainKeyPair, new FileWriter(file));
            }
        }
        return loadDomainKeyPair;
    }

    public Challenge prepareHttpChallenge(Authorization authorization) throws AcmeException, IOException {
        Http01Challenge findChallenge = authorization.findChallenge("http-01");
        if (findChallenge == null) {
            Tr.error(tc, "Didn't find a http-01 challenge type.", new Object[0]);
            throw new AcmeException("Didn't find a http-01 challenge type.");
        }
        this.httpTokenToAuthzMap.put(findChallenge.getToken(), findChallenge.getAuthorization());
        Tr.debug(tc, "Prepared the following challenge with token '" + findChallenge.getToken() + "' and authorization '" + findChallenge.getAuthorization() + "'.", new Object[0]);
        return findChallenge;
    }

    public void revoke(X509Certificate x509Certificate) throws AcmeException, IOException {
        KeyPair loadAccountKeyPair = loadAccountKeyPair();
        if (loadAccountKeyPair == null) {
            throw new AcmeException("Could not load account KeyPair.");
        }
        Session session = new Session(this.directoryURI);
        Account findExistingAccount = findExistingAccount(session, loadAccountKeyPair);
        if (findExistingAccount == null) {
            throw new AcmeException("Unable to find account to revoke certificate.");
        }
        Certificate.revoke(new Login(findExistingAccount.getLocation(), loadAccountKeyPair, session), x509Certificate, RevocationReason.UNSPECIFIED);
    }

    public void setAcceptTos(boolean z) {
        this.termsOfServiceAgreed = z;
    }

    public void setChallengeRetries(int i) {
        if (i >= 0) {
            this.challengeRetries = i;
        }
    }

    public void setChallengeRetryWait(long j) {
        if (j >= 0) {
            this.challengeRetryWaitMs = j;
        }
    }

    public void setOrderRetries(int i) {
        if (i >= 0) {
            this.orderRetries = i;
        }
    }

    public void setOrderRetryWait(long j) {
        if (j >= 0) {
            this.orderRetryWaitMs = j;
        }
    }

    private static void sleep(long j) {
        long currentTimeMillis = System.currentTimeMillis() + j;
        while (true) {
            long currentTimeMillis2 = System.currentTimeMillis();
            if (currentTimeMillis2 >= currentTimeMillis) {
                return;
            }
            try {
                Thread.sleep(currentTimeMillis - currentTimeMillis2);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }

    private static void validateKeyFilePath(String str, String str2) {
        if (str == null || str.trim().isEmpty()) {
            throw new IllegalArgumentException("The " + str2 + " key file path must be valid.");
        }
        File file = new File(str);
        if (file.exists() && !file.canRead()) {
            throw new IllegalArgumentException("Cannot read existing " + str2 + " key file.");
        }
        if (file.exists() && !file.canWrite()) {
            throw new IllegalArgumentException("Cannot write to specified " + str2 + " key file location.");
        }
    }
}
