package org.apache.meecrowave.letencrypt;

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.apache.meecrowave.logging.tomcat.LogFacade;
import org.apache.meecrowave.runner.Cli;
import org.apache.meecrowave.runner.cli.CliOption;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.CSRBuilder;

/* loaded from: input_file:org/apache/meecrowave/letencrypt/LetsEncryptReloadLifecycle.class */
public class LetsEncryptReloadLifecycle implements AutoCloseable, Runnable {
    private final AtomicReference<LogFacade> logger = new AtomicReference<>();
    private final AbstractHttp11Protocol<?> protocol;
    private final ScheduledExecutorService thread;
    private final ScheduledFuture<?> refreshTask;
    private final LetsEncryptConfig config;
    private final BiConsumer<String, String> challengeUpdater;

    /* loaded from: input_file:org/apache/meecrowave/letencrypt/LetsEncryptReloadLifecycle$LetsEncryptConfig.class */
    public static class LetsEncryptConfig implements Cli.Options {

        @CliOption(name = "letsencrypt-domains", description = "Comma separated list of domains to manage")
        private String domains;

        @CliOption(name = "letsencrypt-key-user-location", description = "Where the user key must be stored")
        private File userKeyLocation;

        @CliOption(name = "letsencrypt-key-domain-location", description = "Where the domain key must be stored")
        private File domainKey;

        @CliOption(name = "letsencrypt-certificate-domain-location", description = "Where the domain certificate must be stored")
        private File domainCertificate;

        @CliOption(name = "letsencrypt-chain-domain-location", description = "Where the domain chain must be stored")
        private File domainChain;

        @CliOption(name = "letsencrypt-endpoint", description = "Endpoint to use to get the certificates")
        private String endpoint;

        @CliOption(name = "letsencrypt-refresh-interval", description = "Number of second between let'sencrypt refreshes")
        private long refreshInterval = 60;

        @CliOption(name = "letsencrypt-key-user-size", description = "User key size")
        private int userKeySize = 2048;

        @CliOption(name = "letsencrypt-key-domain-size", description = "Domain key size")
        private int domainKeySize = 2048;

        @CliOption(name = "letsencrypt-endpoint-staging", description = "Ignore if endpoint is set, otherwise it set the endpoint accordingly")
        private boolean staging = false;

        @CliOption(name = "letsencrypt-retry-timeout-ms", description = "How long to wait before retrying to get the certificate, default is 3s")
        private long retryTimeoutMs = 3000;

        @CliOption(name = "letsencrypt-retry-count", description = "How many retries to do")
        private int retryCount = 20;

        public void init() {
            if (this.userKeyLocation == null) {
                this.userKeyLocation = new File(System.getProperty("catalina.base"), "conf/letsencrypt/user.key");
            }
            if (this.domainKey == null) {
                this.domainKey = new File(System.getProperty("catalina.base"), "conf/letsencrypt/domain.key");
            }
            if (this.domainCertificate == null) {
                this.domainCertificate = new File(System.getProperty("catalina.base"), "conf/letsencrypt/domain.csr");
            }
            if (this.domainChain == null) {
                this.domainChain = new File(System.getProperty("catalina.base"), "conf/letsencrypt/domain.chain.csr");
            }
            if (this.endpoint == null) {
                if (isStaging()) {
                    this.endpoint = "https://acme-staging-v02.api.letsencrypt.org/directory";
                } else {
                    this.endpoint = "https://acme-v02.api.letsencrypt.org/directory";
                }
            }
            Stream.of((Object[]) new File[]{this.userKeyLocation, this.domainKey, this.domainCertificate, this.domainChain}).map((v0) -> {
                return v0.getAbsoluteFile();
            }).map((v0) -> {
                return v0.getParentFile();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).distinct().forEach((v0) -> {
                v0.mkdirs();
            });
        }

        public boolean isStaging() {
            return this.staging;
        }

        public int getRetryCount() {
            return this.retryCount;
        }

        public int getDomainKeySize() {
            return this.domainKeySize;
        }

        public String getEndpoint() {
            return this.endpoint;
        }

        public long getRefreshInterval() {
            return this.refreshInterval;
        }

        public String getDomains() {
            return this.domains;
        }

        public File getUserKeyLocation() {
            return this.userKeyLocation;
        }

        public int getUserKeySize() {
            return this.userKeySize;
        }

        public File getDomainKey() {
            return this.domainKey;
        }

        public File getDomainCertificate() {
            return this.domainCertificate;
        }

        public File getDomainChain() {
            return this.domainChain;
        }

        public long getRetryTimeoutMs() {
            return this.retryTimeoutMs;
        }
    }

    public LetsEncryptReloadLifecycle(LetsEncryptConfig letsEncryptConfig, AbstractHttp11Protocol<?> abstractHttp11Protocol, BiConsumer<String, String> biConsumer) {
        this.config = letsEncryptConfig;
        this.config.init();
        this.protocol = abstractHttp11Protocol;
        this.challengeUpdater = biConsumer;
        SecurityManager securityManager = System.getSecurityManager();
        final ThreadGroup threadGroup = securityManager != null ? securityManager.getThreadGroup() : Thread.currentThread().getThreadGroup();
        this.thread = Executors.newSingleThreadScheduledExecutor(new ThreadFactory() { // from class: org.apache.meecrowave.letencrypt.LetsEncryptReloadLifecycle.1
            @Override // java.util.concurrent.ThreadFactory
            public Thread newThread(Runnable runnable) {
                Thread thread = new Thread(threadGroup, runnable, LetsEncryptReloadLifecycle.class.getName() + "_" + hashCode());
                thread.setDaemon(false);
                thread.setPriority(5);
                thread.setContextClassLoader(getClass().getClassLoader());
                return thread;
            }
        });
        this.refreshTask = this.thread.scheduleAtFixedRate(this, 0L, letsEncryptConfig.getRefreshInterval(), TimeUnit.SECONDS);
    }

    @Override // java.lang.Runnable
    public synchronized void run() {
        KeyPair loadOrCreateKeyPair = loadOrCreateKeyPair(this.config.getUserKeySize(), this.config.getUserKeyLocation());
        KeyPair loadOrCreateKeyPair2 = loadOrCreateKeyPair(this.config.getDomainKeySize(), this.config.getDomainKey());
        try {
            Order create = new AccountBuilder().agreeToTermsOfService().useKeyPair(loadOrCreateKeyPair).create(new Session(this.config.getEndpoint())).newOrder().domains(this.config.getDomains().trim().split(",")).create();
            if (((Boolean) create.getAuthorizations().stream().map(authorization -> {
                try {
                    return Boolean.valueOf(authorize(authorization));
                } catch (AcmeException e) {
                    getLogger().error(e.getMessage(), e);
                    return false;
                }
            }).reduce(false, (bool, bool2) -> {
                return Boolean.valueOf(bool.booleanValue() || bool2.booleanValue());
            })).booleanValue()) {
                CSRBuilder cSRBuilder = new CSRBuilder();
                cSRBuilder.addDomains(new String[]{this.config.getDomains()});
                cSRBuilder.sign(loadOrCreateKeyPair2);
                BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(this.config.getDomainCertificate()));
                Throwable th = null;
                try {
                    try {
                        cSRBuilder.write(bufferedWriter);
                        if (bufferedWriter != null) {
                            if (0 != 0) {
                                try {
                                    bufferedWriter.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                bufferedWriter.close();
                            }
                        }
                        create.execute(cSRBuilder.getEncoded());
                        try {
                            int retryCount = this.config.getRetryCount();
                            while (create.getStatus() != Status.VALID) {
                                int i = retryCount;
                                retryCount--;
                                if (i <= 0) {
                                    break;
                                }
                                if (create.getStatus() == Status.INVALID) {
                                    throw new AcmeException("Order failed... Giving up.");
                                }
                                Thread.sleep(this.config.getRetryTimeoutMs());
                                create.update();
                            }
                            Certificate certificate = create.getCertificate();
                            getLogger().info("Got new certificate " + certificate.getLocation() + " for domain(s) " + this.config.getDomains());
                            bufferedWriter = new BufferedWriter(new FileWriter(this.config.getDomainChain()));
                            Throwable th3 = null;
                            try {
                                try {
                                    certificate.writeCertificate(bufferedWriter);
                                    if (bufferedWriter != null) {
                                        if (0 != 0) {
                                            try {
                                                bufferedWriter.close();
                                            } catch (Throwable th4) {
                                                th3.addSuppressed(th4);
                                            }
                                        } else {
                                            bufferedWriter.close();
                                        }
                                    }
                                    this.protocol.reloadSsslHostConfigs();
                                } catch (Throwable th5) {
                                    th3 = th5;
                                    throw th5;
                                }
                            } finally {
                            }
                        } catch (InterruptedException e) {
                            getLogger().error(e.getMessage());
                            Thread.currentThread().interrupt();
                        }
                    } catch (Throwable th6) {
                        th = th6;
                        throw th6;
                    }
                } finally {
                }
            }
        } catch (AcmeException | IOException e2) {
            getLogger().error(e2.getMessage(), e2);
        }
    }

    private LogFacade getLogger() {
        LogFacade logFacade = this.logger.get();
        if (logFacade == null) {
            logFacade = new LogFacade(getClass().getName());
            this.logger.compareAndSet(null, logFacade);
        }
        return logFacade;
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        Optional.ofNullable(this.refreshTask).ifPresent(scheduledFuture -> {
            scheduledFuture.cancel(true);
        });
        Optional.ofNullable(this.thread).ifPresent((v0) -> {
            v0.shutdownNow();
        });
        try {
            this.thread.awaitTermination(5L, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    private boolean authorize(Authorization authorization) throws AcmeException {
        Challenge httpChallenge = httpChallenge(authorization);
        if (httpChallenge == null) {
            throw new AcmeException("HTTP challenge is null");
        }
        if (httpChallenge.getStatus() == Status.VALID) {
            return false;
        }
        httpChallenge.trigger();
        try {
            int retryCount = this.config.getRetryCount();
            while (httpChallenge.getStatus() != Status.VALID) {
                int i = retryCount;
                retryCount--;
                if (i <= 0) {
                    break;
                }
                if (httpChallenge.getStatus() == Status.INVALID) {
                    throw new AcmeException("Invalid challenge status, exiting refresh iteration");
                }
                Thread.sleep(this.config.getRetryTimeoutMs());
                httpChallenge.update();
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        if (httpChallenge.getStatus() != Status.VALID) {
            throw new AcmeException("Challenge for domain " + authorization.getDomain() + ", is invalid, exiting iteration");
        }
        return true;
    }

    private Challenge httpChallenge(Authorization authorization) throws AcmeException {
        Http01Challenge findChallenge = authorization.findChallenge("http-01");
        if (findChallenge == null) {
            throw new AcmeException("Challenge is null");
        }
        this.challengeUpdater.accept("/.well-known/acme-challenge/" + findChallenge.getToken(), findChallenge.getAuthorization());
        return findChallenge;
    }

    private KeyPair loadOrCreateKeyPair(int i, File file) {
        if (file.exists()) {
            try {
                PEMParser pEMParser = new PEMParser(new FileReader(file));
                Throwable th = null;
                try {
                    try {
                        KeyPair keyPair = new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) PEMKeyPair.class.cast(pEMParser.readObject()));
                        if (pEMParser != null) {
                            if (0 != 0) {
                                try {
                                    pEMParser.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                pEMParser.close();
                            }
                        }
                        return keyPair;
                    } finally {
                    }
                } finally {
                }
            } catch (IOException e) {
                throw new IllegalStateException("Can't read PEM file: " + file, e);
            }
        }
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(i);
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            try {
                JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new FileWriter(file));
                Throwable th3 = null;
                try {
                    try {
                        jcaPEMWriter.writeObject(generateKeyPair);
                        if (jcaPEMWriter != null) {
                            if (0 != 0) {
                                try {
                                    jcaPEMWriter.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            } else {
                                jcaPEMWriter.close();
                            }
                        }
                        return generateKeyPair;
                    } finally {
                    }
                } catch (Throwable th5) {
                    if (jcaPEMWriter != null) {
                        if (th3 != null) {
                            try {
                                jcaPEMWriter.close();
                            } catch (Throwable th6) {
                                th3.addSuppressed(th6);
                            }
                        } else {
                            jcaPEMWriter.close();
                        }
                    }
                    throw th5;
                }
            } catch (IOException e2) {
                throw new IllegalStateException("Can't read PEM file: " + file, e2);
            }
        } catch (NoSuchAlgorithmException e3) {
            throw new IllegalStateException(e3);
        }
    }
}
