package org.shredzone.acme4j;

import edu.umd.cs.findbugs.annotations.Nullable;
import java.io.IOException;
import java.io.Writer;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyPair;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.shredzone.acme4j.connector.Connection;
import org.shredzone.acme4j.connector.Resource;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.exception.AcmeLazyLoadingException;
import org.shredzone.acme4j.exception.AcmeNotSupportedException;
import org.shredzone.acme4j.exception.AcmeProtocolException;
import org.shredzone.acme4j.toolbox.AcmeUtils;
import org.shredzone.acme4j.toolbox.JSONBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/shredzone/acme4j/Certificate.class */
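/**
 * An ACME certificate resource: the certificate chain stored at a server URL, plus the
 * operations this client can perform on it (download, alternate-chain lookup, renewal
 * information, revocation).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The chain is kept exactly as the connection returns it. Nothing in this class
 *       verifies signatures, validity periods or trust anchors; path validation is the
 *       caller's job.</li>
 *   <li>{@link #isIssuedBy(String)} and {@link #findCertificate(String)} compare issuer
 *       <em>names</em> only. They help to pick one of several offered chains and are not
 *       a trust decision.</li>
 *   <li>The lazily filled fields are read and written without any synchronization in this
 *       class.</li>
 * </ul>
 */
public class Certificate extends AcmeResource {
    private static final long serialVersionUID = 7381527770159084201L;
    private static final Logger LOG = LoggerFactory.getLogger(Certificate.class);

    // Chain as read from the server; null until download() has succeeded. The code below
    // treats element 0 as the certificate itself and element 1 as its issuer.
    @Nullable
    private List<X509Certificate> certChain;

    // URLs of the "alternate" links sent with the certificate response; null until download().
    @Nullable
    private Collection<URL> alternates;

    // Cached RenewalInfo binding; transient, so it is rebuilt on demand after deserialization.
    @Nullable
    private transient RenewalInfo renewalInfo;

    // Cached Certificate bindings for the alternate URLs; transient as well.
    @Nullable
    private transient List<Certificate> alternateCerts;

    /**
     * Binds a certificate resource to a login and a server location. No network access
     * happens here.
     *
     * @param login login the resource is bound to
     * @param url location of the certificate on the server
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Certificate(Login login, URL url) {
        super(login, url);
        this.renewalInfo = null;
        this.alternateCerts = null;
    }

    /**
     * Fetches the certificate chain and the "alternate" links from the server. Does nothing
     * when a chain has already been stored.
     *
     * @throws AcmeException if the request fails
     */
    public void download() throws AcmeException {
        if (certChain != null) {
            return;
        }
        LOG.debug("download");
        // try-with-resources closes the connection on every path, including failures.
        try (Connection conn = getSession().connect()) {
            conn.sendCertificateRequest(getLocation(), getLogin());
            alternates = conn.getLinks("alternate");
            certChain = conn.readCertificates();
        }
    }

    /**
     * Returns the first certificate of the chain, downloading the chain first if needed.
     *
     * @return element 0 of the downloaded chain
     * @throws AcmeLazyLoadingException if the implicit download fails
     */
    public X509Certificate getCertificate() {
        lazyDownload();
        return Objects.requireNonNull(certChain).get(0);
    }

    /**
     * Returns the whole chain as an unmodifiable view, downloading it first if needed.
     * The certificates are returned as received; they are not validated here.
     *
     * @return unmodifiable view of the downloaded chain
     * @throws AcmeLazyLoadingException if the implicit download fails
     */
    public List<X509Certificate> getCertificateChain() {
        lazyDownload();
        return Collections.unmodifiableList(Objects.requireNonNull(certChain));
    }

    /**
     * Returns the URLs of the alternate certificates offered by the server.
     *
     * @return unmodifiable copy of the "alternate" link URLs
     * @throws AcmeLazyLoadingException if the implicit download fails
     */
    public List<URL> getAlternates() {
        lazyDownload();
        return Objects.requireNonNull(alternates).stream().collect(Collectors.toUnmodifiableList());
    }

    /**
     * Returns one {@link Certificate} per alternate URL, bound to this resource's login.
     * The list is built once and cached.
     *
     * @return unmodifiable list of alternate certificate resources
     */
    public List<Certificate> getAlternateCertificates() {
        if (alternateCerts == null) {
            Login login = getLogin();
            alternateCerts = getAlternates().stream()
                    .map(login::bindCertificate)
                    .collect(Collectors.toUnmodifiableList());
        }
        return alternateCerts;
    }

    /**
     * Checks whether any certificate of the chain names the given issuer.
     *
     * <p>The test is an exact string comparison of {@code "CN=" + str} with the full issuer
     * name returned by {@code getIssuerX500Principal().getName()}, so an issuer whose
     * distinguished name carries attributes besides the CN does not match. Only names are
     * compared; no signature is verified, so the result must not be used as proof of who
     * issued the certificate.
     *
     * @param str common name of the issuer to look for
     * @return {@code true} if at least one chain element has exactly that issuer name
     */
    public boolean isIssuedBy(String str) {
        String issuerName = "CN=" + str;
        return getCertificateChain().stream()
                .map(X509Certificate::getIssuerX500Principal)
                .map(principal -> principal.getName())
                .anyMatch(issuerName::equals);
    }

    /**
     * Finds a certificate whose chain names the given issuer: this one if it matches,
     * otherwise the first matching alternate. See {@link #isIssuedBy(String)} for the limits
     * of the name comparison.
     *
     * @param str common name of the issuer to look for
     * @return the matching certificate resource, or empty if none matches
     */
    public Optional<Certificate> findCertificate(String str) {
        if (isIssuedBy(str)) {
            return Optional.of(this);
        }
        return getAlternateCertificates().stream()
                .filter(candidate -> candidate.isIssuedBy(str))
                .findFirst();
    }

    /**
     * Writes every certificate of the chain to the writer as a PEM CERTIFICATE block, in
     * chain order.
     *
     * @param writer destination; it is not closed by this method
     * @throws IOException if writing fails or a certificate cannot be encoded
     */
    public void writeCertificate(Writer writer) throws IOException {
        try {
            for (X509Certificate cert : getCertificateChain()) {
                AcmeUtils.writeToPem(cert.getEncoded(), AcmeUtils.PemLabel.CERTIFICATE, writer);
            }
        } catch (CertificateEncodingException e) {
            throw new IOException("Encoding error", e);
        }
    }

    /**
     * Computes the identifier of this certificate used for renewal information: a
     * {@link CertificateID} built with a SHA-256 digest calculator from the issuer
     * certificate (chain element 1) and this certificate's serial number (chain element 0),
     * encoded and passed through {@code AcmeUtils.base64UrlEncode}.
     *
     * @return the encoded certificate identifier
     * @throws AcmeProtocolException if the chain has fewer than two certificates or the
     *         identifier cannot be computed
     */
    public String getCertID() {
        List<X509Certificate> chain = getCertificateChain();
        if (chain.size() < 2) {
            throw new AcmeProtocolException("Certificate has no issuer");
        }
        try {
            JcaDigestCalculatorProviderBuilder digestBuilder = new JcaDigestCalculatorProviderBuilder();
            // Use the "BC" provider when it is registered; otherwise keep the builder's default.
            if (Security.getProvider("BC") != null) {
                digestBuilder.setProvider("BC");
            }
            CertificateID certId = new CertificateID(
                    digestBuilder.build().get(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)),
                    new X509CertificateHolder(chain.get(1).getEncoded()),
                    chain.get(0).getSerialNumber());
            return AcmeUtils.base64UrlEncode(certId.toASN1Primitive().getEncoded());
        } catch (Exception e) {
            // Deliberately broad: every failure in the digest/encoding steps is reported
            // uniformly as a protocol error with the cause attached.
            throw new AcmeProtocolException("Could not compute Certificate ID", e);
        }
    }

    /**
     * Builds the renewal-info URL of this certificate: the session's RENEWAL_INFO resource
     * URL, with a trailing slash added if missing, followed by {@link #getCertID()}.
     *
     * @return the URL, or empty if the session reports no RENEWAL_INFO resource
     * @throws AcmeProtocolException if the resulting URL is malformed
     * @throws AcmeLazyLoadingException if the resource URL cannot be looked up
     */
    public Optional<URL> getRenewalInfoLocation() {
        try {
            return getSession().resourceUrlOptional(Resource.RENEWAL_INFO).map(baseUrl -> {
                try {
                    String base = baseUrl.toExternalForm();
                    if (!base.endsWith("/")) {
                        base = base + "/";
                    }
                    return new URL(base + getCertID());
                } catch (MalformedURLException e) {
                    throw new AcmeProtocolException("Invalid RenewalInfo URL", e);
                }
            });
        } catch (AcmeException e) {
            throw new AcmeLazyLoadingException(this, e);
        }
    }

    /**
     * Tells whether a renewal-info URL can be built for this certificate.
     *
     * @return {@code true} if {@link #getRenewalInfoLocation()} is present
     */
    public boolean hasRenewalInfo() {
        return getRenewalInfoLocation().isPresent();
    }

    /**
     * Returns the renewal information resource of this certificate, bound to the login. The
     * binding is created once and cached.
     *
     * @return the renewal information resource
     * @throws AcmeNotSupportedException if no renewal-info URL is available
     */
    public RenewalInfo getRenewalInfo() {
        if (renewalInfo == null) {
            Optional<URL> location = getRenewalInfoLocation();
            Login login = getLogin();
            renewalInfo = location
                    .map(login::bindRenewalInfo)
                    .orElseThrow(() -> new AcmeNotSupportedException("renewal-info"));
        }
        return renewalInfo;
    }

    /**
     * Sends a signed request to the RENEWAL_INFO resource carrying this certificate's ID and
     * {@code "replaced": true}.
     *
     * @throws AcmeException if the resource URL lookup or the request fails
     */
    public void markAsReplaced() throws AcmeException {
        LOG.debug("mark as replaced");
        Session session = getSession();
        URL resourceUrl = session.resourceUrl(Resource.RENEWAL_INFO);
        try (Connection conn = session.connect()) {
            JSONBuilder claims = new JSONBuilder();
            claims.put("certID", getCertID());
            claims.put("replaced", Boolean.TRUE);
            conn.sendSignedRequest(resourceUrl, claims, getLogin());
        }
    }

    /**
     * Requests revocation of this certificate without giving a reason.
     *
     * @throws AcmeException if the request fails
     */
    public void revoke() throws AcmeException {
        revoke(null);
    }

    /**
     * Requests revocation of this certificate, signed with this resource's login.
     *
     * @param revocationReason reason to report, or {@code null} to send none
     * @throws AcmeException if the request fails
     */
    public void revoke(@Nullable RevocationReason revocationReason) throws AcmeException {
        revoke(getLogin(), getCertificate(), revocationReason);
    }

    /**
     * Requests revocation of the given certificate with a request signed by the login.
     *
     * @param login login whose session is used and which signs the request
     * @param x509Certificate certificate to revoke
     * @param revocationReason reason to report, or {@code null} to send none
     * @throws AcmeException if the resource URL lookup or the request fails
     * @throws AcmeProtocolException if the certificate cannot be encoded
     */
    public static void revoke(Login login, X509Certificate x509Certificate, @Nullable RevocationReason revocationReason) throws AcmeException {
        LOG.debug("revoke");
        Session session = login.getSession();
        URL resourceUrl = session.resourceUrl(Resource.REVOKE_CERT);
        // try-with-resources: the connection must also be closed when encoding or sending fails.
        try (Connection conn = session.connect()) {
            conn.sendSignedRequest(resourceUrl, revocationClaims(x509Certificate, revocationReason), login);
        } catch (CertificateEncodingException e) {
            throw new AcmeProtocolException("Invalid certificate", e);
        }
    }

    /**
     * Requests revocation of the given certificate with a request signed by a key pair
     * instead of an account login (the log message calls it the domain key pair).
     *
     * <p>The key pair is handed to {@code Connection.sendSignedRequest}; this method neither
     * stores nor logs it.
     *
     * @param session session to send the request through
     * @param keyPair key pair that signs the request
     * @param x509Certificate certificate to revoke
     * @param revocationReason reason to report, or {@code null} to send none
     * @throws AcmeException if the resource URL lookup or the request fails
     * @throws AcmeProtocolException if the certificate cannot be encoded
     */
    public static void revoke(Session session, KeyPair keyPair, X509Certificate x509Certificate, @Nullable RevocationReason revocationReason) throws AcmeException {
        LOG.debug("revoke using the domain key pair");
        URL resourceUrl = session.resourceUrl(Resource.REVOKE_CERT);
        // try-with-resources: the connection must also be closed when encoding or sending fails.
        try (Connection conn = session.connect()) {
            conn.sendSignedRequest(resourceUrl, revocationClaims(x509Certificate, revocationReason), session, keyPair);
        } catch (CertificateEncodingException e) {
            throw new AcmeProtocolException("Invalid certificate", e);
        }
    }

    /** Builds the revocation payload: the encoded certificate and, if given, the reason code. */
    private static JSONBuilder revocationClaims(X509Certificate x509Certificate, @Nullable RevocationReason revocationReason) throws CertificateEncodingException {
        JSONBuilder claims = new JSONBuilder();
        claims.putBase64("certificate", x509Certificate.getEncoded());
        if (revocationReason != null) {
            claims.put("reason", Integer.valueOf(revocationReason.getReasonCode()));
        }
        return claims;
    }

    /** Runs {@link #download()} and converts a failure into the unchecked lazy-loading exception. */
    private void lazyDownload() {
        try {
            download();
        } catch (AcmeException e) {
            throw new AcmeLazyLoadingException(this, e);
        }
    }
}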
