package net.eightlives.friendlyssl.service;

import java.security.KeyPair;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import net.eightlives.friendlyssl.config.FriendlySSLConfig;
import net.eightlives.friendlyssl.exception.FriendlySSLException;
import net.eightlives.friendlyssl.model.CertificateRenewal;
import net.eightlives.friendlyssl.model.CertificateRenewalStatus;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.util.KeyPairUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.ssl.SslProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.server.Ssl;
import org.springframework.stereotype.Component;

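/**
 * Creates or renews the ACME certificate for the configured key and waits for Spring's
 * SSL bundle to pick up the new key store.
 *
 * <p>Every public entry point reports its outcome as a {@link CertificateRenewal}:
 * on success the renewal carries the instant at which the next automatic renewal should run
 * (certificate expiry minus {@code autoRenewalHoursBefore}); on failure it carries the retry
 * instant ({@code now + errorRetryWaitHours} on the injected {@link Clock}). The only
 * exception that escapes is an {@link IllegalArgumentException}, which is logged as an
 * invalid {@code acmeSessionUrl} and rethrown.
 */
@Component
public class CertificateCreateRenewService {
    private static final Logger LOG = LoggerFactory.getLogger(CertificateCreateRenewService.class);

    /** RSA key size used when a fresh key pair is generated for a brand-new certificate. */
    private static final int KEY_SIZE_BITS = 2048;

    private final FriendlySSLConfig config;
    private final ServerProperties serverConfig;
    private final SslProperties sslConfig;
    private final AcmeAccountService accountService;
    private final PKCS12KeyStoreService keyStoreService;
    private final CertificateOrderHandlerService certificateOrderHandlerService;
    private final Clock clock;
    private final SslBundles sslBundles;

    /**
     * Creates the service; all collaborators are injected by Spring.
     *
     * @param friendlySSLConfig          library configuration (ACME URL, key alias, renewal timings)
     * @param serverProperties           {@code server.ssl} properties, used to find the bundle name
     * @param sslProperties              {@code spring.ssl} properties, used for the watch quiet period
     * @param acmeAccountService         resolves or creates the ACME account login
     * @param pKCS12KeyStoreService      reads the existing key pair from the key store
     * @param certificateOrderHandlerService performs the actual ACME order
     * @param clock                      clock used to schedule the retry after an error
     * @param sslBundles                 registry on which the reload handler is installed
     */
    public CertificateCreateRenewService(FriendlySSLConfig friendlySSLConfig, ServerProperties serverProperties, SslProperties sslProperties, AcmeAccountService acmeAccountService, PKCS12KeyStoreService pKCS12KeyStoreService, CertificateOrderHandlerService certificateOrderHandlerService, Clock clock, SslBundles sslBundles) {
        this.config = friendlySSLConfig;
        this.serverConfig = serverProperties;
        this.sslConfig = sslProperties;
        this.accountService = acmeAccountService;
        this.keyStoreService = pKCS12KeyStoreService;
        this.certificateOrderHandlerService = certificateOrderHandlerService;
        this.clock = clock;
        this.sslBundles = sslBundles;
    }

    /**
     * Generates a new key pair and orders a certificate for it.
     *
     * @return the renewal outcome, never {@code null}
     */
    public CertificateRenewal createCertificate() {
        LOG.info("Starting certificate create");
        return orderCertificate(KeyPairUtils.createKeyPair(KEY_SIZE_BITS));
    }

    /**
     * Orders a certificate for the key pair already stored under the configured alias, or
     * falls back to {@link #createCertificate()} when the key store holds no such key.
     *
     * @return the renewal outcome, never {@code null}
     */
    public CertificateRenewal renewCertificate() {
        LOG.info("Starting certificate renew");
        KeyPair existing = this.keyStoreService.getKeyPair(this.config.getCertificateKeyAlias());
        if (existing == null) {
            // No key under the alias: treat this as a first-time creation with a fresh key.
            return createCertificate();
        }
        return orderCertificate(existing);
    }

    /**
     * Runs one ACME order for {@code keyPair} and waits for the SSL bundle reload.
     *
     * <p>Configuration that the reload step needs ({@code server.ssl.bundle} and
     * {@code spring.ssl.bundle.watch.file.quiet-period}) is validated before the order is
     * placed, so a misconfigured server does not consume a certificate issuance only to fail
     * afterwards.
     *
     * @param keyPair key pair the certificate is requested for
     * @return SUCCESS with the next renewal instant, or ERROR with the retry instant
     * @throws IllegalArgumentException rethrown after logging; the original code attributes
     *         it to an invalid {@code acmeSessionUrl}, though the catch covers the whole body
     */
    private CertificateRenewal orderCertificate(KeyPair keyPair) {
        try {
            Login login = this.accountService.getOrCreateAccountLogin(new Session(this.config.getAcmeSessionUrl()));
            LOG.info("Certificate account login accessed");

            // Fail fast on missing reload configuration before contacting the CA.
            String bundleName = requireBundleName();
            Duration quietPeriod = requireQuietPeriod();

            // Register the handler before ordering so a fast reload cannot be missed.
            // NOTE(review): a new handler is added on every order and nothing here removes
            // it; confirm SslBundles does not accumulate stale handlers across renewals.
            CountDownLatch reloaded = new CountDownLatch(1);
            this.sslBundles.addBundleUpdateHandler(bundleName, sslBundle -> {
                LOG.info("Finished reloading SSL context");
                reloaded.countDown();
            });

            LOG.info("Beginning certificate order.");
            Instant notAfter = Instant.ofEpochMilli(
                    this.certificateOrderHandlerService.handleCertificateOrder(login, keyPair)
                            .getCertificate().getNotAfter().getTime());
            LOG.info("Certificate renewal successful. New certificate expiration time is {}",
                    DateTimeFormatter.RFC_1123_DATE_TIME.format(notAfter.atZone(ZoneOffset.UTC)));

            LOG.info("Reloading SSL context...");
            awaitReload(reloaded, quietPeriod);

            // Schedule the next renewal a configured number of hours before expiry.
            return new CertificateRenewal(CertificateRenewalStatus.SUCCESS,
                    notAfter.minus(this.config.getAutoRenewalHoursBefore(), ChronoUnit.HOURS));
        } catch (IllegalArgumentException e) {
            LOG.error("acmeSessionUrl {} is invalid", this.config.getAcmeSessionUrl(), e);
            throw e;
        } catch (InterruptedException e) {
            // Preserve the interrupt so the calling scheduler can still observe it.
            Thread.currentThread().interrupt();
            return errorRenewal(e);
        } catch (Exception e) {
            return errorRenewal(e);
        }
    }

    /**
     * Returns the SSL bundle name from {@code server.ssl.bundle}.
     *
     * @throws FriendlySSLException if {@code server.ssl} or its bundle name is not configured
     */
    private String requireBundleName() throws FriendlySSLException {
        Ssl ssl = this.serverConfig.getSsl();
        if (ssl == null) {
            throw new FriendlySSLException("SSL is not configured by server.ssl");
        }
        String bundleName = ssl.getBundle();
        if (bundleName == null) {
            throw new FriendlySSLException("SSL bundle name is not configured by server.ssl.bundle");
        }
        return bundleName;
    }

    /**
     * Returns the file-watch quiet period from {@code spring.ssl.bundle.watch.file}.
     *
     * @throws FriendlySSLException if {@code spring.ssl.bundle} is not configured
     */
    private Duration requireQuietPeriod() throws FriendlySSLException {
        SslProperties.Bundles bundles = this.sslConfig.getBundle();
        if (bundles == null) {
            throw new FriendlySSLException("Spring SSL Bundle is not configured by spring.ssl.bundle");
        }
        return bundles.getWatch().getFile().getQuietPeriod();
    }

    /**
     * Blocks until the bundle update handler fires, allowing the quiet period plus one
     * second for the file watcher to notice the rewritten key store.
     *
     * @throws FriendlySSLException if the reload did not happen within that window
     * @throws InterruptedException if the waiting thread is interrupted
     */
    private void awaitReload(CountDownLatch reloaded, Duration quietPeriod) throws InterruptedException, FriendlySSLException {
        long quietSeconds = quietPeriod.toSeconds();
        if (!reloaded.await(quietSeconds + 1, TimeUnit.SECONDS)) {
            throw new FriendlySSLException("SSL certificate was not reloaded within the time set by spring.ssl.bundle.watch.file.quiet-period (" + quietSeconds + " seconds)");
        }
    }

    /**
     * Logs the failure and builds an ERROR renewal whose instant is
     * {@code errorRetryWaitHours} after the injected clock's current time.
     */
    private CertificateRenewal errorRenewal(Exception cause) {
        int retryHours = this.config.getErrorRetryWaitHours();
        LOG.error("Exception while ordering certificate, retry in {} hours", retryHours, cause);
        return new CertificateRenewal(CertificateRenewalStatus.ERROR,
                this.clock.instant().plus(retryHours, ChronoUnit.HOURS));
    }
}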
