package org.eclipse.sensinact.gateway.southbound.mqtt.impl;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

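/**
 * Builds the {@link SSLSocketFactory} used by the MQTT client from the key
 * store / trust store settings of an {@link MqttClientConfiguration}.
 * <p>
 * Every file is read through try-with-resources so that streams are closed
 * on both the success and the failure path. Password buffers are copies of
 * configuration strings: {@link #clearArray(char[])} wipes the copy, the
 * original {@code String} stays in the heap until garbage-collected.
 */
public class SSLUtils {
    /** Store type used when the configuration names none (or a blank one). */
    public static final String PKCS12 = "PKCS12";

    /**
     * Mutable holder passed between {@link #loadTrustStore} /
     * {@link #loadKeyStore} and the private factory builder.
     */
    public static class CertKeys {
        /** Store of trusted CA / server certificates; may end up with no entries. */
        private KeyStore trustStore;
        /** CA certificate loaded from {@code auth_clientcert_ca_path}, or null. */
        private Certificate caCertificate;
        /** Store holding the client key entry and its certificate chain. */
        private KeyStore keyStore;
        /** Password protecting {@code keyStore} and its key entry; cleared by the caller. */
        private char[] keyPassword;

        private CertKeys() {
        }
    }

    /**
     * Overwrites a password buffer with zeros.
     *
     * @param cArr the buffer to wipe; null is ignored
     */
    private static void clearArray(char[] cArr) {
        if (cArr != null) {
            Arrays.fill(cArr, (char) 0);
        }
    }

    /** True when the configuration value is absent or contains only whitespace. */
    private static boolean isBlank(String value) {
        return value == null || value.isBlank();
    }

    /** Resolves a configured store type; null or blank falls back to {@link #PKCS12}. */
    private static String storeTypeOrDefault(String configured) {
        return isBlank(configured) ? PKCS12 : configured.strip();
    }

    /**
     * Fills {@code certKeys.keyStore} (and {@code certKeys.keyPassword}) with the
     * client authentication material.
     * <p>
     * Two modes are supported: a complete key store file
     * ({@code auth_keystore_path}), whose store password is also used as the key
     * entry password; or a PEM client certificate plus PEM private key
     * ({@code auth_clientcert_path} / {@code auth_clientcert_key}), assembled into
     * an in-memory store under the alias {@code "client"}. In the PEM mode the CA
     * certificate collected by {@link #loadTrustStore}, if any, is added as the
     * {@code "ca"} entry and appended to the key entry's chain.
     *
     * @param mqttClientConfiguration the client configuration
     * @param certKeys                holder receiving the key store and password
     * @throws KeyStoreException        if neither mode is configured, or the store
     *                                  type is unsupported
     * @throws NoSuchAlgorithmException if the key algorithm is unknown
     * @throws CertificateException     if a certificate cannot be parsed
     * @throws IOException              if a file cannot be read
     * @throws InvalidKeySpecException  if the PEM private key is malformed
     */
    public static void loadKeyStore(MqttClientConfiguration mqttClientConfiguration, CertKeys certKeys)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException,
            InvalidKeySpecException {
        KeyStore keyStore = KeyStore.getInstance(storeTypeOrDefault(mqttClientConfiguration.auth_keystore_type()));
        String keyStorePath = mqttClientConfiguration.auth_keystore_path();
        String clientCertPath = mqttClientConfiguration.auth_clientcert_path();
        String clientKeyPath = mqttClientConfiguration.auth_clientcert_key();

        if (!isBlank(keyStorePath)) {
            // Whole-store mode: the store password doubles as the key entry password
            String storePassword = mqttClientConfiguration._auth_keystore_password();
            certKeys.keyPassword = storePassword != null ? storePassword.toCharArray() : null;
            try (FileInputStream in = new FileInputStream(keyStorePath)) {
                keyStore.load(in, certKeys.keyPassword);
            }
        } else {
            if (isBlank(clientCertPath) || isBlank(clientKeyPath)) {
                throw new KeyStoreException("No client authentication configuration given");
            }
            String keyPassword = mqttClientConfiguration._auth_clientcert_key_password();
            certKeys.keyPassword = keyPassword != null ? keyPassword.toCharArray() : null;
            // Create an empty in-memory store
            keyStore.load(null, certKeys.keyPassword);
            if (certKeys.caCertificate != null) {
                keyStore.setCertificateEntry("ca", certKeys.caCertificate);
            }

            Certificate clientCertificate;
            try (FileInputStream in = new FileInputStream(clientCertPath)) {
                clientCertificate = PEMUtils.loadCertificate(in);
            }
            // Arrays.asList tolerates a null CA entry (List.of would throw an NPE
            // before the filter could run); nulls are dropped from the chain
            Certificate[] chain = Arrays.asList(clientCertificate, certKeys.caCertificate).stream()
                    .filter(Objects::nonNull)
                    .toArray(Certificate[]::new);

            try (FileInputStream in = new FileInputStream(clientKeyPath)) {
                keyStore.setKeyEntry("client",
                        PEMUtils.loadPrivateKey(in, mqttClientConfiguration.auth_clientcert_key_algorithm()),
                        certKeys.keyPassword, chain);
            }
        }
        certKeys.keyStore = keyStore;
    }

    /**
     * Fills {@code certKeys.trustStore} (and {@code certKeys.caCertificate}).
     * <p>
     * The store starts empty and is then populated from, in order: the trust store
     * file ({@code auth_truststore_path}, its password is wiped after loading), the
     * PEM CA certificate ({@code auth_clientcert_ca_path}, alias {@code "ca"}) and
     * the PEM files listed in {@code auth_trusted_certs} (aliases
     * {@code "trusted-1"}, {@code "trusted-2"}, ...). A single comma-separated
     * value in {@code auth_trusted_certs} is split into several paths.
     *
     * @param mqttClientConfiguration the client configuration
     * @param certKeys                holder receiving the trust store and CA certificate
     * @throws KeyStoreException        if the store type is unsupported or an entry
     *                                  cannot be added
     * @throws NoSuchAlgorithmException if the store integrity algorithm is unknown
     * @throws CertificateException     if a certificate cannot be parsed
     * @throws IOException              if a file cannot be read or the store password is wrong
     */
    public static void loadTrustStore(MqttClientConfiguration mqttClientConfiguration, CertKeys certKeys)
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore trustStore = KeyStore.getInstance(storeTypeOrDefault(mqttClientConfiguration.auth_truststore_type()));
        // Initialise empty so that certificate entries can be added even without a store file
        trustStore.load(null);

        String trustStorePath = mqttClientConfiguration.auth_truststore_path();
        if (!isBlank(trustStorePath)) {
            String storePassword = mqttClientConfiguration._auth_truststore_password();
            char[] passwordChars = storePassword != null ? storePassword.toCharArray() : null;
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                trustStore.load(in, passwordChars);
            } finally {
                // The password is only needed for loading; wipe the copy immediately
                clearArray(passwordChars);
            }
        }

        String caPath = mqttClientConfiguration.auth_clientcert_ca_path();
        if (!isBlank(caPath)) {
            try (FileInputStream in = new FileInputStream(caPath)) {
                Certificate caCertificate = PEMUtils.loadCertificate(in);
                certKeys.caCertificate = caCertificate;
                trustStore.setCertificateEntry("ca", caCertificate);
            }
        }

        String[] trustedCerts = mqttClientConfiguration.auth_trusted_certs();
        if (trustedCerts != null && trustedCerts.length > 0) {
            // Shorthand: one comma-separated value instead of an array of paths
            if (trustedCerts.length == 1 && trustedCerts[0].contains(",")) {
                trustedCerts = trustedCerts[0].split("\\s*,\\s*");
            }
            int index = 0;
            for (String certPath : trustedCerts) {
                try (FileInputStream in = new FileInputStream(certPath)) {
                    index++;
                    trustStore.setCertificateEntry("trusted-" + index, PEMUtils.loadCertificate(in));
                }
            }
        }
        certKeys.trustStore = trustStore;
    }

    /**
     * Creates the socket factory for the given configuration: loads the trust
     * store, then the key store, builds a TLS 1.3 context and wipes the key
     * password copy before returning (also on failure).
     *
     * @param mqttClientConfiguration the client configuration
     * @return the configured socket factory
     * @throws KeyStoreException         see {@link #loadKeyStore} / {@link #loadTrustStore}
     * @throws IOException               if a configured file cannot be read
     * @throws NoSuchAlgorithmException  if an algorithm or TLS 1.3 is unavailable
     * @throws CertificateException      if a certificate cannot be parsed
     * @throws KeyManagementException    if the SSL context cannot be initialised
     * @throws UnrecoverableKeyException if the key entry cannot be opened with the password
     * @throws InvalidKeySpecException   if the PEM private key is malformed
     */
    public static SSLSocketFactory setupSSLSocketFactory(MqttClientConfiguration mqttClientConfiguration)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException,
            KeyManagementException, UnrecoverableKeyException, InvalidKeySpecException {
        CertKeys certKeys = new CertKeys();
        try {
            // Trust store first: its CA certificate is reused by loadKeyStore
            loadTrustStore(mqttClientConfiguration, certKeys);
            loadKeyStore(mqttClientConfiguration, certKeys);
            return setupSSLSocketFactory(certKeys, mqttClientConfiguration.auth_truststore_default_merge(),
                    mqttClientConfiguration.auth_allow_expired());
        } finally {
            clearArray(certKeys.keyPassword);
        }
    }

    /**
     * Builds the TLS 1.3 socket factory from loaded stores.
     * <p>
     * When the trust store holds no entry at all, the key store is used as the
     * trust store instead. With {@code mergeDefaultTrust} the configured trust
     * managers are chained with the JVM default ones; with {@code allowExpired}
     * the chain is wrapped so that expiry is tolerated (the exact policy lives in
     * {@code ChainedTrustManagers}). Both options relax validation compared with
     * the plain trust managers and should only be enabled deliberately.
     *
     * @param certKeys          loaded key store, trust store and key password
     * @param mergeDefaultTrust also accept certificates trusted by the JVM default store
     * @param allowExpired      tolerate expired certificates through {@code ChainedTrustManagers}
     * @return the configured socket factory
     * @throws KeyStoreException         if the trust store aliases cannot be listed
     * @throws IOException               declared for symmetry with the public entry point
     * @throws NoSuchAlgorithmException  if a factory algorithm or TLS 1.3 is unavailable
     * @throws CertificateException      declared for symmetry with the public entry point
     * @throws KeyManagementException    if the SSL context cannot be initialised
     * @throws UnrecoverableKeyException if the key entry cannot be opened with the password
     */
    private static SSLSocketFactory setupSSLSocketFactory(CertKeys certKeys, boolean mergeDefaultTrust,
            boolean allowExpired) throws KeyStoreException, IOException, NoSuchAlgorithmException,
            CertificateException, KeyManagementException, UnrecoverableKeyException {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(certKeys.keyStore, certKeys.keyPassword);

        // No trusted entry at all: fall back to the key store (e.g. a self-signed setup)
        if (!certKeys.trustStore.aliases().hasMoreElements()) {
            certKeys.trustStore = certKeys.keyStore;
        }
        TrustManagerFactory configuredTrust = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        configuredTrust.init(certKeys.trustStore);

        TrustManager[] trustManagers;
        if (mergeDefaultTrust) {
            // A null key store initialises the factory with the JVM default trust anchors
            TrustManagerFactory defaultTrust = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            defaultTrust.init((KeyStore) null);
            trustManagers = new TrustManager[] { new ChainedTrustManagers(allowExpired,
                    new TrustManager[][] { configuredTrust.getTrustManagers(), defaultTrust.getTrustManagers() }) };
        } else if (allowExpired) {
            trustManagers = new TrustManager[] { new ChainedTrustManagers(true, configuredTrust.getTrustManagers()) };
        } else {
            trustManagers = configuredTrust.getTrustManagers();
        }

        SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, new SecureRandom());
        return sslContext.getSocketFactory();
    }
}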
