package org.wildfly.security.x500.cert.acme;

import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.IDN;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRLReason;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.json.JsonString;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.Assert;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.Version;
import org.wildfly.security.asn1.ASN1Encodable;
import org.wildfly.security.asn1.DERDecoder;
import org.wildfly.security.x500.GeneralName;
import org.wildfly.security.x500.X500;
import org.wildfly.security.x500.X500AttributeTypeAndValue;
import org.wildfly.security.x500.X500PrincipalBuilder;
import org.wildfly.security.x500.cert.PKCS10CertificateSigningRequest;
import org.wildfly.security.x500.cert.SelfSignedX509CertificateAndSigningKey;
import org.wildfly.security.x500.cert.SubjectAlternativeNamesExtension;
import org.wildfly.security.x500.cert.X509CertificateChainAndSigningKey;
import org.wildfly.security.x500.cert.acme.AcmeChallenge;
import org.wildfly.security.x500.cert.acme.AcmeMetadata;
import org.wildfly.security.x500.cert.util.KeyUtil;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-x500-cert-acme-1.10.7.Final.jar:org/wildfly/security/x500/cert/acme/AcmeClientSpi.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.10.7.Final.jar:org/wildfly/security/x500/cert/acme/AcmeClientSpi.class */
public abstract class AcmeClientSpi {
    /** Key size in bits that obtainCertificateChain uses for "EC" keys when the caller passes -1. */
    public static final int DEFAULT_EC_KEY_SIZE = 256;
    /** Key size in bits that obtainCertificateChain uses for non-EC keys when the caller passes -1. */
    public static final int DEFAULT_KEY_SIZE = 2048;
    /** Key algorithm that obtainCertificateChain uses when the caller passes null. */
    public static final String DEFAULT_KEY_ALGORITHM_NAME = "RSA";
    // Number of attempts the signed-POST loop in sendPostRequestWithRetries makes before giving up.
    private static final int MAX_RETRIES = 10;
    // Delay in milliseconds that getRetryAfter substitutes when asked to default and no Retry-After value was obtained.
    private static final long DEFAULT_RETRY_AFTER_MILLI = 3000;
    // NOTE(review): CHARSET, UTF_8, EMPTY_STRING and CONTENT_TYPE_DELIMS are not referenced in the visible
    // part of this file; presumably they belong to the Content-Type parsing helper - confirm.
    private static final String CHARSET = "charset";
    private static final String UTF_8 = "utf-8";
    private static final String EMPTY_STRING = "";
    // 59 and 61 are the code points of ';' and '='.
    private static final int[] CONTENT_TYPE_DELIMS = {59, 61};
    // Sent as the User-Agent header by the request methods of this class.
    private static final String USER_AGENT_STRING = "Elytron ACME Client/" + Version.getVersion();
    // Empty JSON object; respondToChallenges posts it to the URL of the selected challenge.
    private static final JsonObject EMPTY_PAYLOAD = Json.createObjectBuilder().build();

    /**
     * Returns the ACME resource URLs for the account, fetching the server directory when the map
     * obtained from the account is still empty.
     *
     * <p>The map obtained from the account is filled in place. Directory values are turned into
     * {@link URL}s as received: neither the scheme nor the host is compared with the configured
     * server URL in this method.
     *
     * @param acmeAccount account whose server URL and resource map are used; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return the resource map; a resource the directory does not list maps to {@code null}
     * @throws AcmeException if staging is requested without a staging URL, the request fails, or a
     *                       directory value is not a valid URL
     */
    public Map<AcmeResource, URL> getResourceUrls(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final Map<AcmeResource, URL> directory = acmeAccount.getResourceUrls(z);
        if (!directory.isEmpty()) {
            return directory;
        }
        if (z && acmeAccount.getServerUrl(true) == null) {
            throw ElytronMessages.acme.noAcmeServerStagingUrlGiven();
        }
        final HttpURLConnection connection = sendGetRequest(acmeAccount.getServerUrl(z), 200, "application/json");
        final JsonObject directoryJson = getJsonResponse(connection);
        try {
            // NOTE(review): entries are stored as they are parsed, so a malformed value part-way through
            // leaves the map partially filled and a later call will not refetch the directory.
            for (AcmeResource resource : AcmeResource.values()) {
                final String location = getOptionalJsonString(directoryJson, resource.getValue());
                if (location == null) {
                    directory.put(resource, null);
                } else {
                    directory.put(resource, new URL(location));
                }
            }
        } catch (MalformedURLException e) {
            throw ElytronMessages.acme.unableToRetrieveAcmeServerDirectoryUrls(e);
        }
        return directory;
    }

    /**
     * Fetches the server directory and returns its {@code meta} object as {@link AcmeMetadata}.
     *
     * <p>The directory is requested on every call. The terms-of-service and website values are
     * passed to the builder as the strings the server sent.
     *
     * @param acmeAccount account whose server URL is used; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return the metadata, or {@code null} when the directory has no {@code meta} member
     * @throws AcmeException if staging is requested without a staging URL or the request fails
     */
    public AcmeMetadata getMetadata(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        if (z && acmeAccount.getServerUrl(true) == null) {
            throw ElytronMessages.acme.noAcmeServerStagingUrlGiven();
        }
        final HttpURLConnection connection = sendGetRequest(acmeAccount.getServerUrl(z), 200, "application/json");
        final JsonObject meta = getJsonResponse(connection).getJsonObject("meta");
        if (meta == null) {
            return null;
        }
        final AcmeMetadata.Builder metadata = AcmeMetadata.builder();
        final String termsOfService = getOptionalJsonString(meta, Acme.TERMS_OF_SERVICE);
        if (termsOfService != null) {
            metadata.setTermsOfServiceUrl(termsOfService);
        }
        final String website = getOptionalJsonString(meta, "website");
        if (website != null) {
            metadata.setWebsiteUrl(website);
        }
        final JsonArray caaIdentities = meta.getJsonArray(Acme.CAA_IDENTITIES);
        if (caaIdentities != null) {
            final List<String> identities = new ArrayList<>(caaIdentities.size());
            for (JsonString identity : caaIdentities.getValuesAs(JsonString.class)) {
                identities.add(identity.getString());
            }
            metadata.setCaaIdentities(identities.toArray(new String[identities.size()]));
        }
        metadata.setExternalAccountRequired(meta.getBoolean(Acme.EXTERNAL_ACCOUNT_REQUIRED, false));
        return metadata.build();
    }

    /**
     * Creates an account with the server, or looks up the existing one for the account key.
     * Delegates to the three-argument overload with the only-return-existing flag switched off.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return {@code true} if the server answered 201 (created), {@code false} otherwise
     * @throws AcmeException if the request fails
     */
    public boolean createAccount(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        final boolean onlyReturnExisting = false;
        return createAccount(acmeAccount, z, onlyReturnExisting);
    }

    /**
     * Sends a signed new-account request and stores the returned account URL on the account.
     *
     * <p>The account URL is taken from the {@code Location} header of the response and stored
     * without further checks.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param z2          {@code true} to send only the only-return-existing flag instead of the
     *                    terms-of-service agreement and contact URLs
     * @return {@code true} if the server answered 201, {@code false} if it answered 200
     * @throws AcmeException if the request fails or the response code cannot be read
     */
    public boolean createAccount(AcmeAccount acmeAccount, boolean z, boolean z2) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final String newAccountUrl = getResourceUrl(acmeAccount, AcmeResource.NEW_ACCOUNT, z).toString();
        final JsonObjectBuilder payload = Json.createObjectBuilder();
        if (!z2) {
            payload.add(Acme.TERMS_OF_SERVICE_AGREED, acmeAccount.isTermsOfServiceAgreed());
            final boolean hasContacts = acmeAccount.getContactUrls() != null && acmeAccount.getContactUrls().length != 0;
            if (hasContacts) {
                final JsonArrayBuilder contacts = Json.createArrayBuilder();
                for (String contactUrl : acmeAccount.getContactUrls()) {
                    contacts.add(contactUrl);
                }
                payload.add(Acme.CONTACT, contacts.build());
            }
        } else {
            payload.add(Acme.ONLY_RETURN_EXISTING, true);
        }
        final String encodedPayload = getEncodedJson(payload.build());
        // The "true" flag is forwarded to getEncodedProtectedHeader by the retry helper.
        final HttpURLConnection connection = sendPostRequestWithRetries(acmeAccount, z, newAccountUrl, true, encodedPayload, 201, 200);
        acmeAccount.setAccountUrl(getLocation(connection));
        final int status;
        try {
            status = connection.getResponseCode();
        } catch (IOException e) {
            throw new AcmeException(e);
        }
        return status == 201;
    }

    /**
     * Updates the terms-of-service agreement of the account and leaves the contact URLs untouched.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param z2          new terms-of-service agreement value
     * @throws AcmeException if the request fails
     */
    public void updateAccount(AcmeAccount acmeAccount, boolean z, boolean z2) throws AcmeException {
        final String[] unchangedContacts = null;
        updateAccount(acmeAccount, z, z2, unchangedContacts);
    }

    /**
     * Updates the contact URLs of the account and resends its current terms-of-service agreement.
     *
     * @param acmeAccount account information
     * @param z           {@code true} to use the staging server URL
     * @param strArr      new contact URLs
     * @throws AcmeException if the request fails
     */
    public void updateAccount(AcmeAccount acmeAccount, boolean z, String[] strArr) throws AcmeException {
        final boolean currentAgreement = acmeAccount.isTermsOfServiceAgreed();
        updateAccount(acmeAccount, z, currentAgreement, strArr);
    }

    /**
     * Sends a signed account update and mirrors the accepted values onto the local account object.
     *
     * <p>The local account is changed only after the server has answered 200, so a rejected update
     * leaves the local state as it was.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param z2          new terms-of-service agreement value
     * @param strArr      new contact URLs; {@code null} or empty leaves the contacts unchanged
     * @throws AcmeException if the request fails
     */
    public void updateAccount(AcmeAccount acmeAccount, boolean z, boolean z2, String[] strArr) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final boolean hasContacts = strArr != null && strArr.length != 0;
        final JsonObjectBuilder payload = Json.createObjectBuilder().add(Acme.TERMS_OF_SERVICE_AGREED, z2);
        if (hasContacts) {
            final JsonArrayBuilder contacts = Json.createArrayBuilder();
            for (String contactUrl : strArr) {
                contacts.add(contactUrl);
            }
            payload.add(Acme.CONTACT, contacts.build());
        }
        final String accountUrl = getAccountUrl(acmeAccount, z);
        sendPostRequestWithRetries(acmeAccount, z, accountUrl, false, getEncodedJson(payload.build()), 200);
        acmeAccount.setTermsOfServiceAgreed(z2);
        if (hasContacts) {
            acmeAccount.setContactUrls(strArr);
        }
    }

    /**
     * Generates a fresh self-signed certificate and key for the account and rolls the account over
     * to it. Key size, key algorithm and DN are taken from the existing account.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @throws AcmeException if the key change request fails
     */
    public void changeAccountKey(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final SelfSignedX509CertificateAndSigningKey replacement = SelfSignedX509CertificateAndSigningKey.builder()
                .setKeySize(acmeAccount.getKeySize())
                .setKeyAlgorithmName(acmeAccount.getKeyAlgorithmName())
                .setDn(acmeAccount.getDn())
                .build();
        final X509Certificate newCertificate = replacement.getSelfSignedCertificate();
        final PrivateKey newKey = replacement.getSigningKey();
        changeAccountKey(acmeAccount, z, newCertificate, newKey);
    }

    /**
     * Rolls the account over to the given certificate and private key.
     *
     * <p>Two signatures are involved. The inner object is signed with the new private key; its
     * protected header carries the new public key and the key-change URL, and its payload names the
     * account URL and the JWK of the current account key. That inner object is then sent through
     * {@code sendPostRequestWithRetries}, which signs with the key the account still holds. The
     * local account is switched to the new key only after the server has answered 200.
     *
     * @param acmeAccount     account information; must not be {@code null}
     * @param z               {@code true} to use the staging server URL
     * @param x509Certificate certificate holding the new public key; must not be {@code null}
     * @param privateKey      new private key; must not be {@code null}
     * @throws AcmeException if the key change request fails
     */
    public void changeAccountKey(AcmeAccount acmeAccount, boolean z, X509Certificate x509Certificate, PrivateKey privateKey) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam(Acme.CERTIFICATE, x509Certificate);
        Assert.checkNotNullParam("privateKey", privateKey);
        final String keyChangeUrl = getResourceUrl(acmeAccount, AcmeResource.KEY_CHANGE, z).toString();
        final String newKeySignatureAlgorithm = KeyUtil.getDefaultCompatibleSignatureAlgorithmName(privateKey);
        final String newKeyAlgHeader = Acme.getAlgHeaderFromSignatureAlgorithm(newKeySignatureAlgorithm);
        final String innerProtectedHeader = getEncodedProtectedHeader(newKeyAlgHeader, x509Certificate.getPublicKey(), keyChangeUrl);
        final JsonObject innerPayloadJson = Json.createObjectBuilder()
                .add(Acme.ACCOUNT, getAccountUrl(acmeAccount, z))
                .add(Acme.OLD_KEY, Acme.getJwk(acmeAccount.getPublicKey(), acmeAccount.getAlgHeader()))
                .build();
        final String innerPayload = getEncodedJson(innerPayloadJson);
        final String innerSignature = getEncodedSignature(privateKey, newKeySignatureAlgorithm, innerProtectedHeader, innerPayload);
        final String outerPayload = getEncodedJson(getJws(innerProtectedHeader, innerPayload, innerSignature));
        sendPostRequestWithRetries(acmeAccount, z, keyChangeUrl, false, outerPayload, 200);
        acmeAccount.changeCertificateAndPrivateKey(x509Certificate, privateKey);
    }

    /**
     * Asks the server to deactivate the account by posting a {@code status} update to the account URL.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @throws AcmeException if the request fails
     */
    public void deactivateAccount(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final JsonObject statusUpdate = Json.createObjectBuilder().add("status", Acme.DEACTIVATED).build();
        final String accountUrl = getAccountUrl(acmeAccount, z);
        sendPostRequestWithRetries(acmeAccount, z, accountUrl, false, getEncodedJson(statusUpdate), 200);
    }

    /**
     * Obtains a certificate chain for the given domain names using the default key algorithm and
     * key size.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param strArr      domain names to request the certificate for
     * @return the certificate chain together with the private key generated for it
     * @throws AcmeException if the certificate cannot be obtained
     */
    public X509CertificateChainAndSigningKey obtainCertificateChain(AcmeAccount acmeAccount, boolean z, String... strArr) throws AcmeException {
        final String defaultKeyAlgorithm = null;
        final int defaultKeySize = -1;
        return obtainCertificateChain(acmeAccount, z, defaultKeyAlgorithm, defaultKeySize, strArr);
    }

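    /**
     * Runs a complete order: creates the order, answers one challenge per pending authorization,
     * waits for the authorizations to become valid, submits a CSR to the finalize URL and downloads
     * the issued chain.
     *
     * <p>The key pair for the certificate is generated locally; only the CSR is sent to the server.
     * The authorization, finalize and certificate URLs are taken from server responses and are
     * requested as received.
     *
     * <p>Challenge cleanup runs exactly once per selected challenge, whether the order succeeds or
     * fails. The decompiled form repeated the cleanup inside a catch-all handler, so a cleanup
     * failure on the success path triggered a second cleanup pass.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param str         key algorithm name for the certificate key, or {@code null} for
     *                    {@link #DEFAULT_KEY_ALGORITHM_NAME}
     * @param i           key size in bits, or {@code -1} for the default of the chosen algorithm
     * @param strArr      domain names to request the certificate for; must not be {@code null} or empty
     * @return the certificate chain together with the private key generated for it
     * @throws AcmeException if any step of the order fails
     */
    public X509CertificateChainAndSigningKey obtainCertificateChain(AcmeAccount acmeAccount, boolean z, String str, int i, String... strArr) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam("domainNames", strArr);
        final LinkedHashSet<String> domainNames = getDomainNames(strArr);

        // Create the order.
        final String newOrderUrl = getResourceUrl(acmeAccount, AcmeResource.NEW_ORDER, z).toString();
        final JsonArrayBuilder identifiers = Json.createArrayBuilder();
        for (String domainName : domainNames) {
            identifiers.add(Json.createObjectBuilder().add("type", Acme.DNS).add("value", domainName).build());
        }
        final String orderPayload = getEncodedJson(Json.createObjectBuilder().add(Acme.IDENTIFIERS, identifiers.build()).build());
        final JsonObject order = getJsonResponse(sendPostRequestWithRetries(acmeAccount, z, newOrderUrl, false, orderPayload, 201));
        final String finalizeUrl = order.getString(Acme.FINALIZE);
        final JsonArray authorizations = order.getJsonArray(Acme.AUTHORIZATIONS);
        final List<String> authorizationUrls = new ArrayList<>(authorizations.size());
        for (JsonString authorization : authorizations.getValuesAs(JsonString.class)) {
            authorizationUrls.add(authorization.getString());
        }

        final List<AcmeChallenge> selectedChallenges = new ArrayList<>(authorizationUrls.size());
        try {
            // Answer one challenge for every authorization that is still pending.
            for (String authorizationUrl : authorizationUrls) {
                final JsonObject authorization = getJsonResponse(sendPostAsGetRequest(acmeAccount, z, authorizationUrl, "application/json", 200));
                final AcmeChallenge selected = respondToChallenges(acmeAccount, z, authorization);
                if (selected != null) {
                    selectedChallenges.add(selected);
                }
            }

            // Every authorization has to end up valid before the order can be finalized.
            for (String authorizationUrl : authorizationUrls) {
                final String status = pollResourceUntilFinalized(acmeAccount, z, authorizationUrl).getString("status");
                if (!status.equals(Acme.VALID)) {
                    throw ElytronMessages.acme.challengeResponseFailedValidationByAcmeServer();
                }
            }

            // Build the CSR: the first domain name becomes the CN, all names go into the SAN extension.
            final List<GeneralName> subjectAlternativeNames = new ArrayList<>(domainNames.size());
            for (String domainName : domainNames) {
                subjectAlternativeNames.add(new GeneralName.DNSName(domainName));
            }
            final X500PrincipalBuilder subjectBuilder = new X500PrincipalBuilder();
            final String commonName = ((GeneralName.DNSName) subjectAlternativeNames.get(0)).getName();
            subjectBuilder.addItem(X500AttributeTypeAndValue.create(X500.OID_AT_COMMON_NAME, ASN1Encodable.ofUtf8String(commonName)));
            final X500Principal subject = subjectBuilder.build();

            final String keyAlgorithmName = str == null ? DEFAULT_KEY_ALGORITHM_NAME : str;
            final int keySize;
            if (i == -1) {
                keySize = keyAlgorithmName.equals("EC") ? DEFAULT_EC_KEY_SIZE : DEFAULT_KEY_SIZE;
            } else {
                keySize = i;
            }
            final SelfSignedX509CertificateAndSigningKey certificateKey = SelfSignedX509CertificateAndSigningKey.builder()
                    .setDn(subject)
                    .setKeyAlgorithmName(keyAlgorithmName)
                    .setKeySize(keySize)
                    .build();
            final PKCS10CertificateSigningRequest.Builder csrBuilder = PKCS10CertificateSigningRequest.builder()
                    .setCertificate(certificateKey.getSelfSignedCertificate())
                    .setSigningKey(certificateKey.getSigningKey())
                    .setSubjectDn(subject);
            csrBuilder.addExtension(new SubjectAlternativeNamesExtension(false, subjectAlternativeNames));

            // Finalize the order and wait for the server to issue.
            final String finalizePayload = getEncodedJson(Json.createObjectBuilder()
                    .add(Acme.CSR, Acme.base64UrlEncode(csrBuilder.build().getEncoded()))
                    .build());
            final String orderUrl = getLocation(sendPostRequestWithRetries(acmeAccount, z, finalizeUrl, false, finalizePayload, 200));
            final JsonObject finalizedOrder = pollResourceUntilFinalized(acmeAccount, z, orderUrl);
            if (!finalizedOrder.getString("status").equals(Acme.VALID)) {
                throw ElytronMessages.acme.noCertificateWillBeIssuedByAcmeServer();
            }

            // Download the chain.
            final String certificateUrl = getOptionalJsonString(finalizedOrder, Acme.CERTIFICATE);
            if (certificateUrl == null) {
                throw ElytronMessages.acme.noCertificateUrlProvidedByAcmeServer();
            }
            final HttpURLConnection download = sendPostAsGetRequest(acmeAccount, z, certificateUrl, Acme.PEM_CERTIFICATE_CHAIN_CONTENT_TYPE, 200);
            return new X509CertificateChainAndSigningKey(getPemCertificateChain(download), certificateKey.getSigningKey());
        } finally {
            // NOTE(review): a cleanup that throws stops the loop, so challenges after it are not cleaned up.
            for (AcmeChallenge challenge : selectedChallenges) {
                cleanupAfterChallenge(acmeAccount, challenge);
            }
        }
    }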

    /**
     * Creates an authorization for a single domain name, answers one of its challenges and waits
     * for the server to validate it.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param str         domain name to authorize; must not be {@code null}
     * @return the authorization URL taken from the {@code Location} header
     * @throws AcmeException if the request fails or the server does not report the authorization as valid
     */
    public String createAuthorization(AcmeAccount acmeAccount, boolean z, String str) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam("domainName", str);
        final String newAuthzUrl = getResourceUrl(acmeAccount, AcmeResource.NEW_AUTHZ, z).toString();
        final JsonObject identifier = Json.createObjectBuilder()
                .add("type", Acme.DNS)
                .add("value", getSanitizedDomainName(str))
                .build();
        final String payload = getEncodedJson(Json.createObjectBuilder().add(Acme.IDENTIFIER, identifier).build());
        final HttpURLConnection connection = sendPostRequestWithRetries(acmeAccount, z, newAuthzUrl, false, payload, 201);
        final String authorizationUrl = getLocation(connection);
        final AcmeChallenge selected = respondToChallenges(acmeAccount, z, getJsonResponse(connection));
        try {
            final String status = pollResourceUntilFinalized(acmeAccount, z, authorizationUrl).getString("status");
            if (!status.equals(Acme.VALID)) {
                throw ElytronMessages.acme.challengeResponseFailedValidationByAcmeServer();
            }
            return authorizationUrl;
        } finally {
            // Challenge material is removed whether validation succeeded or not.
            if (selected != null) {
                cleanupAfterChallenge(acmeAccount, selected);
            }
        }
    }

    /**
     * Asks the server to deactivate an authorization by posting a {@code status} update to its URL.
     *
     * <p>The URL comes from the caller and receives a request signed with the account key; this
     * method does not compare it with the account's server URL.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @param str         authorization URL; must not be {@code null}
     * @throws AcmeException if the request fails
     */
    public void deactivateAuthorization(AcmeAccount acmeAccount, boolean z, String str) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam("authorizationUrl", str);
        final JsonObject statusUpdate = Json.createObjectBuilder().add("status", Acme.DEACTIVATED).build();
        final String payload = getEncodedJson(statusUpdate);
        sendPostRequestWithRetries(acmeAccount, z, str, false, payload, 200);
    }

    /**
     * Selects one of the offered challenges and prepares whatever the server needs to validate it.
     *
     * <p>{@code respondToChallenges} calls this with the challenges listed for a pending
     * authorization and then posts a signed request to the URL of the returned challenge. The
     * return value is dereferenced there without a {@code null} check.
     *
     * @param acmeAccount account information
     * @param list        challenges offered by the server for one identifier
     * @return the challenge that was prepared
     * @throws AcmeException if no challenge can be prepared
     */
    public abstract AcmeChallenge proveIdentifierControl(AcmeAccount acmeAccount, List<AcmeChallenge> list) throws AcmeException;

    /**
     * Removes whatever {@code proveIdentifierControl} set up for the given challenge.
     *
     * <p>Callers in this class invoke it once validation has finished, and also when the
     * challenge response or a later step of the order fails.
     *
     * @param acmeAccount   account information
     * @param acmeChallenge challenge previously returned by {@code proveIdentifierControl}
     * @throws AcmeException if the cleanup fails
     */
    public abstract void cleanupAfterChallenge(AcmeAccount acmeAccount, AcmeChallenge acmeChallenge) throws AcmeException;

    /**
     * Revokes the given certificate without stating a reason.
     *
     * @param acmeAccount     account information; must not be {@code null}
     * @param z               {@code true} to use the staging server URL
     * @param x509Certificate certificate to revoke; must not be {@code null}
     * @throws AcmeException if the revocation request fails
     */
    public void revokeCertificate(AcmeAccount acmeAccount, boolean z, X509Certificate x509Certificate) throws AcmeException {
        final CRLReason noReason = null;
        revokeCertificate(acmeAccount, z, x509Certificate, noReason);
    }

    /**
     * Sends a signed revocation request for the given certificate.
     *
     * <p>The request is signed with the account key (see {@code sendPostRequestWithRetries}); this
     * method offers no way to sign it with the certificate's own key.
     *
     * @param acmeAccount     account information; must not be {@code null}
     * @param z               {@code true} to use the staging server URL
     * @param x509Certificate certificate to revoke; must not be {@code null}
     * @param cRLReason       revocation reason, or {@code null} to send none
     * @throws AcmeException if the certificate cannot be encoded or the request fails
     */
    public void revokeCertificate(AcmeAccount acmeAccount, boolean z, X509Certificate x509Certificate, CRLReason cRLReason) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam(Acme.CERTIFICATE, x509Certificate);
        final String revokeUrl = getResourceUrl(acmeAccount, AcmeResource.REVOKE_CERT, z).toString();
        final byte[] encodedCertificate;
        try {
            encodedCertificate = x509Certificate.getEncoded();
        } catch (CertificateEncodingException e) {
            throw ElytronMessages.acme.unableToGetEncodedFormOfCertificateToBeRevoked(e);
        }
        final JsonObjectBuilder payload = Json.createObjectBuilder().add(Acme.CERTIFICATE, Acme.base64UrlEncode(encodedCertificate));
        if (cRLReason != null) {
            // The numeric reason code is the enum ordinal, so it depends on the declaration order of
            // java.security.cert.CRLReason lining up with the CRL reason code numbering.
            payload.add(Acme.REASON, cRLReason.ordinal());
        }
        sendPostRequestWithRetries(acmeAccount, z, revokeUrl, false, getEncodedJson(payload.build()), 200);
    }

    /**
     * Requests a fresh anti-replay nonce with a HEAD request to the new-nonce resource.
     *
     * <p>No connect or read timeout is set on the connection, so a server that stops responding
     * blocks the caller.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return the decoded nonce; never {@code null}
     * @throws AcmeException if no nonce could be obtained
     */
    public byte[] getNewNonce(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        try {
            final URL newNonceUrl = getResourceUrl(acmeAccount, AcmeResource.NEW_NONCE, z);
            final HttpURLConnection connection = (HttpURLConnection) newNonceUrl.openConnection();
            connection.setRequestMethod("HEAD");
            connection.setRequestProperty("Accept-Language", Locale.getDefault().toLanguageTag());
            connection.setRequestProperty("User-Agent", USER_AGENT_STRING);
            connection.connect();
            final int status = connection.getResponseCode();
            final boolean accepted = status == HttpURLConnection.HTTP_NO_CONTENT || status == HttpURLConnection.HTTP_OK;
            if (!accepted) {
                handleAcmeErrorResponse(connection, status);
            }
            final byte[] nonce = getReplayNonce(connection);
            if (nonce != null) {
                return nonce;
            }
            throw ElytronMessages.acme.noNonceProvidedByAcmeServer();
        } catch (Exception e) {
            // NOTE(review): every failure, including the more specific AcmeExceptions raised inside the
            // try block, is replaced by this one message and the original cause is dropped, which
            // makes connection and TLS problems hard to tell apart from protocol errors.
            throw ElytronMessages.acme.unableToObtainNewNonceFromAcmeServer();
        }
    }

    /**
     * Asks the server for the contact URLs currently registered for the account.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return the contact URLs, or {@code null} when the server lists none
     * @throws AcmeException if the request fails
     */
    String[] queryAccountContactUrls(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final HttpURLConnection connection = sendPostAsGetRequest(acmeAccount, z, getAccountUrl(acmeAccount, z), null, 200);
        final JsonArray contacts = getJsonResponse(connection).getJsonArray(Acme.CONTACT);
        if (contacts == null || contacts.isEmpty()) {
            return null;
        }
        final List<String> contactUrls = new ArrayList<>(contacts.size());
        for (JsonString contact : contacts.getValuesAs(JsonString.class)) {
            contactUrls.add(contact.getString());
        }
        return contactUrls.toArray(new String[contactUrls.size()]);
    }

    /**
     * Asks the server for the current status of the account.
     *
     * @param acmeAccount account information; must not be {@code null}
     * @param z           {@code true} to use the staging server URL
     * @return the {@code status} member of the account object returned by the server
     * @throws AcmeException if the request fails
     */
    String queryAccountStatus(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        final String accountUrl = getAccountUrl(acmeAccount, z);
        final HttpURLConnection connection = sendPostAsGetRequest(acmeAccount, z, accountUrl, null, 200);
        final JsonObject account = getJsonResponse(connection);
        return account.getString("status");
    }

    /**
     * Looks up the URL of one ACME resource in the server directory.
     *
     * @param acmeAccount  account information
     * @param acmeResource resource to look up
     * @param z            {@code true} to use the staging server URL
     * @return the resource URL; never {@code null}
     * @throws AcmeException if the directory cannot be fetched or does not list the resource
     */
    private URL getResourceUrl(AcmeAccount acmeAccount, AcmeResource acmeResource, boolean z) throws AcmeException {
        final Map<AcmeResource, URL> directory = getResourceUrls(acmeAccount, z);
        final URL resourceUrl = directory.get(acmeResource);
        if (resourceUrl != null) {
            return resourceUrl;
        }
        throw ElytronMessages.acme.resourceNotSupportedByAcmeServer(acmeResource.getValue());
    }

    /**
     * Sends an unsigned GET request and checks the response code and content type.
     *
     * <p>The cast to {@link HttpURLConnection} accepts {@code http} as well as {@code https} URLs;
     * the scheme is not checked here. No connect or read timeout is set.
     *
     * @param str  URL to request
     * @param i    expected response code
     * @param str2 expected content type
     * @return the connection, with the response ready to be read
     * @throws AcmeException if the request fails or the response code or content type is unexpected
     */
    private HttpURLConnection sendGetRequest(String str, int i, String str2) throws AcmeException {
        try {
            final HttpURLConnection connection = (HttpURLConnection) new URL(str).openConnection();
            connection.setRequestMethod("GET");
            connection.setRequestProperty("Accept-Language", Locale.getDefault().toLanguageTag());
            connection.setRequestProperty("User-Agent", USER_AGENT_STRING);
            connection.connect();
            final int status = connection.getResponseCode();
            if (status != i) {
                handleAcmeErrorResponse(connection, status);
            }
            final String contentType = connection.getContentType();
            if (!checkContentType(connection, str2)) {
                throw ElytronMessages.acme.unexpectedContentTypeFromAcmeServer(contentType);
            }
            return connection;
        } catch (AcmeException e) {
            throw e;
        } catch (Exception e) {
            throw new AcmeException(e);
        }
    }

    /**
     * Fetches a resource with a signed POST whose payload is the empty string.
     *
     * @param acmeAccount account information
     * @param z           {@code true} to use the staging server URL
     * @param str         URL of the resource
     * @param str2        expected content type, or {@code null} to skip the check
     * @param iArr        acceptable response codes
     * @return the connection, with the response ready to be read
     * @throws AcmeException if the request fails
     */
    private HttpURLConnection sendPostAsGetRequest(AcmeAccount acmeAccount, boolean z, String str, String str2, int... iArr) throws AcmeException {
        final String emptyPayload = "";
        return sendPostRequestWithRetries(acmeAccount, z, str, false, emptyPayload, str2, iArr);
    }

    /**
     * Sends a signed POST without checking the content type of the response.
     *
     * @param acmeAccount account information
     * @param z           {@code true} to use the staging server URL
     * @param str         URL to post to
     * @param z2          flag forwarded to {@code getEncodedProtectedHeader}
     * @param str2        encoded payload
     * @param iArr        acceptable response codes
     * @return the connection, with the response ready to be read
     * @throws AcmeException if the request fails
     */
    private HttpURLConnection sendPostRequestWithRetries(AcmeAccount acmeAccount, boolean z, String str, boolean z2, String str2, int... iArr) throws AcmeException {
        final String anyContentType = null;
        return sendPostRequestWithRetries(acmeAccount, z, str, z2, str2, anyContentType, iArr);
    }

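    /**
     * Sends a JWS-signed POST, repeating it up to {@link #MAX_RETRIES} times while the server keeps
     * rejecting the nonce.
     *
     * <p>Each attempt builds a fresh protected header and signature with the account key. The
     * replay nonce of every response, accepted or not, is stored on the account. A response whose
     * code is not in {@code iArr} goes to {@code handleAcmeErrorResponse}, which returns normally
     * only for a bad-nonce error, so that is the only case that loops.
     *
     * <p>Security notes: {@code str} is often a URL taken from a server response and is posted to
     * as received; the cast to {@link HttpURLConnection} accepts {@code http} as well as
     * {@code https}. No connect or read timeout is set.
     *
     * <p>Changes from the decompiled form: the request body is encoded once and its byte length is
     * used for fixed-length streaming, and the output stream is closed even when the write fails.
     *
     * @param acmeAccount account whose key signs the request and whose nonce is updated
     * @param z           {@code true} to use the staging server URL
     * @param str         URL to post to
     * @param z2          flag forwarded to {@code getEncodedProtectedHeader}
     * @param str2        encoded payload
     * @param str3        expected content type, or {@code null} to skip the check
     * @param iArr        acceptable response codes
     * @return the connection, with the response ready to be read
     * @throws AcmeException if the request fails, the response is unexpected, or the nonce is still
     *                       rejected after the last attempt
     */
    private HttpURLConnection sendPostRequestWithRetries(AcmeAccount acmeAccount, boolean z, String str, boolean z2, String str2, String str3, int... iArr) throws AcmeException {
        try {
            final URL resourceUrl = new URL(str);
            for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
                final String encodedProtectedHeader = getEncodedProtectedHeader(z2, str, acmeAccount, z);
                final String encodedSignature = getEncodedSignature(acmeAccount.getPrivateKey(), acmeAccount.getSignature(), encodedProtectedHeader, str2);
                final JsonObject jws = getJws(encodedProtectedHeader, str2, encodedSignature);
                // Encode once so the announced length is the number of bytes actually written.
                final byte[] body = jws.toString().getBytes(StandardCharsets.US_ASCII);

                final HttpURLConnection connection = (HttpURLConnection) resourceUrl.openConnection();
                connection.setRequestMethod("POST");
                connection.setRequestProperty("Content-Type", Acme.JOSE_JSON_CONTENT_TYPE);
                connection.setRequestProperty("Accept-Language", Locale.getDefault().toLanguageTag());
                connection.setRequestProperty("User-Agent", USER_AGENT_STRING);
                connection.setDoOutput(true);
                connection.setFixedLengthStreamingMode(body.length);
                connection.connect();
                try (OutputStream out = connection.getOutputStream()) {
                    out.write(body);
                }

                final int responseCode = connection.getResponseCode();
                acmeAccount.setNonce(getReplayNonce(connection));
                for (int acceptable : iArr) {
                    if (acceptable == responseCode) {
                        if (str3 != null) {
                            final String contentType = connection.getContentType();
                            if (!checkContentType(connection, str3)) {
                                throw ElytronMessages.acme.unexpectedContentTypeFromAcmeServer(contentType);
                            }
                        }
                        return connection;
                    }
                }
                // Returns only for a bad-nonce problem; every other error is thrown from here.
                handleAcmeErrorResponse(connection, responseCode);
            }
            throw ElytronMessages.acme.badAcmeNonce();
        } catch (AcmeException e) {
            throw e;
        } catch (Exception e) {
            throw new AcmeException(e);
        }
    }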

    /**
     * Polls a resource until its {@code status} is either valid or invalid.
     *
     * <p>NOTE(review): the loop has no upper bound on iterations or elapsed time, and the delay
     * between polls is whatever {@code getRetryAfter} derives from the server's {@code Retry-After}
     * header. A server can therefore keep the caller waiting indefinitely, and a delay of zero or
     * less makes the loop poll again without sleeping.
     *
     * @param acmeAccount account information
     * @param z           {@code true} to use the staging server URL
     * @param str         URL of the resource to poll
     * @return the resource as last returned by the server
     * @throws AcmeException    if a request fails
     * @throws RuntimeException if the thread is interrupted while waiting; the interrupt flag is
     *                          restored first
     */
    private JsonObject pollResourceUntilFinalized(AcmeAccount acmeAccount, boolean z, String str) throws AcmeException {
        while (true) {
            final HttpURLConnection connection = sendPostAsGetRequest(acmeAccount, z, str, "application/json", 200);
            final JsonObject resource = getJsonResponse(connection);
            final String status = resource.getString("status");
            if (status.equals(Acme.VALID) || status.equals(Acme.INVALID)) {
                return resource;
            }
            final long delayMilli = getRetryAfter(connection, true);
            if (delayMilli > 0) {
                try {
                    Thread.sleep(delayMilli);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    throw new RuntimeException(e);
                }
            }
        }
    }

    /**
     * Lets the implementation pick and prepare one challenge of a pending authorization, then tells
     * the server that the challenge is ready to be validated.
     *
     * @param acmeAccount account information
     * @param z           {@code true} to use the staging server URL
     * @param jsonObject  authorization object returned by the server
     * @return the selected challenge, or {@code null} when the authorization is not pending or
     *         lists no challenges
     * @throws AcmeException if preparing or announcing the challenge fails; what was prepared is
     *                       cleaned up when the announcement fails
     */
    private AcmeChallenge respondToChallenges(AcmeAccount acmeAccount, boolean z, JsonObject jsonObject) throws AcmeException {
        if (!jsonObject.getString("status").equals(Acme.PENDING)) {
            return null;
        }
        final JsonObject identifier = jsonObject.getJsonObject(Acme.IDENTIFIER);
        final JsonArray offeredJson = jsonObject.getJsonArray(Acme.CHALLENGES);
        final List<AcmeChallenge> offered = new ArrayList<>(offeredJson.size());
        for (JsonObject challengeJson : offeredJson.getValuesAs(JsonObject.class)) {
            // Type, URL and token are taken from the server response as received.
            final AcmeChallenge.Type type = AcmeChallenge.Type.forName(challengeJson.getString("type"));
            offered.add(new AcmeChallenge(type, challengeJson.getString("url"), challengeJson.getString("token"),
                    identifier.getString("type"), identifier.getString("value")));
        }
        if (offered.isEmpty()) {
            return null;
        }
        final AcmeChallenge selected = proveIdentifierControl(acmeAccount, offered);
        try {
            sendPostRequestWithRetries(acmeAccount, z, selected.getUrl(), false, getEncodedJson(EMPTY_PAYLOAD), 200);
        } catch (AcmeException e) {
            cleanupAfterChallenge(acmeAccount, selected);
            throw e;
        }
        return selected;
    }

    /**
     * Sanitizes the given domain names and removes duplicates while keeping their order.
     *
     * @param strArr domain names; must not be empty
     * @return the sanitized names in first-occurrence order
     * @throws AcmeException if the array is empty or contains a {@code null} entry
     */
    private static LinkedHashSet<String> getDomainNames(String[] strArr) throws AcmeException {
        if (strArr.length == 0) {
            throw ElytronMessages.acme.domainNamesIsEmpty();
        }
        final LinkedHashSet<String> sanitized = new LinkedHashSet<>();
        for (int index = 0; index < strArr.length; index++) {
            sanitized.add(getSanitizedDomainName(strArr[index]));
        }
        return sanitized;
    }

    /**
     * Trims a domain name, converts it to its ASCII (IDNA) form and lower-cases it.
     *
     * <p>{@link IDN#toASCII(String)} is called without flags, so STD3 ASCII rules are not enforced
     * here, and input it cannot convert raises an unchecked {@link IllegalArgumentException} rather
     * than an {@code AcmeException}.
     *
     * @param str domain name
     * @return the sanitized name
     * @throws AcmeException if {@code str} is {@code null}
     */
    private static String getSanitizedDomainName(String str) throws AcmeException {
        if (str != null) {
            final String asciiName = IDN.toASCII(str.trim());
            return asciiName.toLowerCase(Locale.ROOT);
        }
        throw ElytronMessages.acme.domainNameIsNull();
    }

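    /**
     * Reads the response body as a JSON object, using the error stream for response codes of 400
     * and above.
     *
     * <p>The stream is closed whether or not parsing succeeds; the decompiled form closed it only
     * after a successful read. The body is parsed without a size limit, and parsing problems
     * reported by the JSON reader as unchecked exceptions are not translated here.
     *
     * @param httpURLConnection connection whose response is read
     * @return the parsed JSON object
     * @throws AcmeException if the response cannot be read
     */
    private static JsonObject getJsonResponse(HttpURLConnection httpURLConnection) throws AcmeException {
        try {
            final InputStream body = httpURLConnection.getResponseCode() < 400
                    ? httpURLConnection.getInputStream()
                    : httpURLConnection.getErrorStream();
            try (BufferedInputStream in = new BufferedInputStream(body)) {
                return Json.createReader(in).readObject();
            }
        } catch (IOException e) {
            throw ElytronMessages.acme.unableToObtainJsonResponseFromAcmeServer(e);
        }
    }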

    /**
     * Decodes the replay nonce header of a response.
     *
     * @param httpURLConnection connection whose response headers are read
     * @return the base64url-decoded nonce, or {@code null} when the header is absent
     * @throws AcmeException declared for callers; not thrown by the visible code
     */
    private static byte[] getReplayNonce(HttpURLConnection httpURLConnection) throws AcmeException {
        final String encodedNonce = httpURLConnection.getHeaderField(Acme.REPLAY_NONCE);
        return encodedNonce == null
                ? null
                : CodePointIterator.ofString(encodedNonce).base64Decode(Acme.BASE64_URL, false).drain();
    }

    /**
     * Returns the {@code Location} header of a response.
     *
     * <p>The value is returned as the server sent it. Callers in this class store it as the account
     * URL or poll it as an order URL.
     *
     * @param httpURLConnection connection whose response headers are read
     * @return the header value; never {@code null}
     * @throws AcmeException if the header is absent
     */
    private static String getLocation(HttpURLConnection httpURLConnection) throws AcmeException {
        final String location = httpURLConnection.getHeaderField("Location");
        if (location != null) {
            return location;
        }
        throw ElytronMessages.acme.noAccountLocationUrlProvidedByAcmeServer();
    }

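    /**
     * Derives a delay in milliseconds from the {@code Retry-After} header of a response.
     *
     * <p>The header is first read as a number of seconds and, failing that, as an HTTP date, in
     * which case the delay is the distance from now and is negative for a date in the past. The
     * value comes from the server and is not capped here.
     *
     * <p>The seconds value is multiplied as a {@code long}. The decompiled form multiplied two
     * {@code int}s, which wraps around for values above 2147483 seconds and can turn a long delay
     * into a short or negative one.
     *
     * @param httpURLConnection connection whose response headers are read
     * @param z                 {@code true} to substitute {@link #DEFAULT_RETRY_AFTER_MILLI} when
     *                          no delay could be derived
     * @return the delay in milliseconds, or {@code -1} when none could be derived and {@code z} is
     *         {@code false}
     * @throws AcmeException declared for callers; not thrown by the visible code
     */
    private static long getRetryAfter(HttpURLConnection httpURLConnection, boolean z) throws AcmeException {
        long delayMilli = -1;
        final String retryAfter = httpURLConnection.getHeaderField("Retry-After");
        if (retryAfter != null) {
            try {
                delayMilli = Integer.parseInt(retryAfter) * 1000L;
            } catch (NumberFormatException notDeltaSeconds) {
                // Not a plain number of seconds: try the HTTP-date form of the header.
                final long retryAfterDate = httpURLConnection.getHeaderFieldDate("Retry-After", 0L);
                if (retryAfterDate != 0) {
                    delayMilli = retryAfterDate - Instant.now().toEpochMilli();
                }
            }
        }
        if (delayMilli == -1 && z) {
            delayMilli = DEFAULT_RETRY_AFTER_MILLI;
        }
        return delayMilli;
    }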

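    /**
     * Turns an unexpected response into an {@code AcmeException}.
     *
     * <p>The method returns normally in exactly one case: a problem document whose type is the
     * bad-nonce error, which lets the caller retry with the nonce from this response. Every other
     * path throws.
     *
     * <p>The rate-limit message is given the instant at which the request may be retried, computed
     * as now plus the delay from {@code getRetryAfter}. The decompiled form passed the relative
     * delay to {@code Instant.ofEpochMilli}, which yields a time shortly after the epoch.
     *
     * <p>The text of the thrown exception can contain strings taken from the server's problem
     * document; treat it as untrusted when displaying or logging it.
     *
     * @param httpURLConnection connection holding the error response
     * @param i                 response code that was received
     * @throws AcmeException describing the error, unless the error is a rejected nonce
     */
    private static void handleAcmeErrorResponse(HttpURLConnection httpURLConnection, int i) throws AcmeException {
        try {
            final String responseMessage = httpURLConnection.getResponseMessage();
            if (!checkContentType(httpURLConnection, Acme.PROBLEM_JSON_CONTENT_TYPE)) {
                throw ElytronMessages.acme.unexpectedResponseCodeFromAcmeServer(i, responseMessage);
            }
            final JsonObject problem = getJsonResponse(httpURLConnection);
            final String type = getOptionalJsonString(problem, "type");
            if (type != null) {
                if (type.equals(Acme.BAD_NONCE)) {
                    return;
                }
                if (type.equals(Acme.USER_ACTION_REQUIRED)) {
                    final String instance = getOptionalJsonString(problem, "instance");
                    if (instance != null) {
                        throw ElytronMessages.acme.userActionRequired(instance);
                    }
                    // Without an instance URL the generic problem text below is used.
                } else if (type.equals(Acme.RATE_LIMITED)) {
                    final long retryAfterMilli = getRetryAfter(httpURLConnection, false);
                    if (retryAfterMilli <= 0) {
                        throw ElytronMessages.acme.rateLimitExceeded();
                    }
                    throw ElytronMessages.acme.rateLimitExceededTryAgainLater(Instant.now().plusMillis(retryAfterMilli));
                }
            }
            final String problemMessages = getProblemMessages(problem);
            if (problemMessages != null && !problemMessages.isEmpty()) {
                throw new AcmeException(problemMessages);
            }
            throw ElytronMessages.acme.unexpectedResponseCodeFromAcmeServer(i, responseMessage);
        } catch (AcmeException e) {
            throw e;
        } catch (Exception e) {
            throw new AcmeException(e);
        }
    }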

    /**
     * Builds one text block from a problem document and its sub-problems.
     *
     * <p>The top-level message comes first (if there is one). When the array stored under
     * {@code Acme.SUBPROBLEMS} is present and non-empty, a colon is appended and each
     * sub-problem message follows on its own line. A sub-problem without any message is
     * rendered as the text {@code null}.
     *
     * @param jsonObject the problem document received from the server
     * @return the combined text; empty when nothing was found, never {@code null}
     */
    private static String getProblemMessages(JsonObject jsonObject) {
        StringBuilder text = new StringBuilder();
        String topLevel = getProblemMessage(jsonObject);
        if (topLevel != null) {
            text.append(topLevel);
        }
        JsonArray subproblems = jsonObject.getJsonArray(Acme.SUBPROBLEMS);
        if (subproblems == null || subproblems.isEmpty()) {
            return text.toString();
        }
        text.append(":");
        for (JsonObject subproblem : subproblems.getValuesAs(JsonObject.class)) {
            text.append("\n").append(getProblemMessage(subproblem));
        }
        return text.toString();
    }

    /**
     * Picks the most specific human-readable text from a problem document.
     *
     * <p>Preference order: the field named by {@code Acme.DETAIL}, then {@code title}, then
     * {@code type}.
     *
     * @param jsonObject the problem (or sub-problem) document
     * @return the chosen text, or {@code null} when none of the three fields is present
     */
    private static String getProblemMessage(JsonObject jsonObject) {
        // All three fields are read up front, in this order, before any of them is chosen.
        String type = getOptionalJsonString(jsonObject, "type");
        String detail = getOptionalJsonString(jsonObject, Acme.DETAIL);
        String title = getOptionalJsonString(jsonObject, "title");
        if (detail != null) {
            return detail;
        }
        if (title != null) {
            return title;
        }
        return type;
    }

    /**
     * Looks up a string member of a JSON object without failing when it is missing.
     *
     * @param jsonObject the object to read from
     * @param str the member name
     * @return the member's string value, or {@code null} when the lookup yields nothing
     */
    private static String getOptionalJsonString(JsonObject jsonObject, String str) {
        JsonString member = jsonObject.getJsonString(str);
        return member == null ? null : member.getString();
    }

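    /**
     * Parses the certificates in the response body of the given connection.
     *
     * <p>The body is first passed through {@code getConvertedInputStream} and then handed to an
     * {@code X.509} {@link CertificateFactory}. This method only parses: it performs no
     * signature, path or name checks on the returned certificates.
     *
     * @param httpURLConnection the connection whose response body holds the certificates
     * @return the parsed certificates as an {@code X509Certificate} array
     * @throws AcmeException if the body cannot be read or parsed
     */
    private static X509Certificate[] getPemCertificateChain(HttpURLConnection httpURLConnection) throws AcmeException {
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Collection<? extends Certificate> parsed;
            // try-with-resources closes the stream on the failure path as well; the previous
            // code closed it only after a successful parse.
            try (BufferedInputStream body =
                    new BufferedInputStream(getConvertedInputStream(httpURLConnection.getInputStream()))) {
                parsed = certificateFactory.generateCertificates(body);
            }
            return X500.asX509CertificateArray(parsed.toArray(new Certificate[0]));
        } catch (IOException | CertificateException e) {
            throw ElytronMessages.acme.unableToDownloadCertificateChainFromAcmeServer(e);
        }
    }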

    /**
     * Serializes a JSON object and encodes its UTF-8 bytes with the {@code Acme.BASE64_URL}
     * alphabet. The {@code false} argument is passed through to {@code base64Encode} unchanged;
     * presumably it disables padding (confirm against {@code CodePointIterator}).
     *
     * @param jsonObject the object to encode
     * @return the encoded text
     */
    private static String getEncodedJson(JsonObject jsonObject) {
        String serialized = jsonObject.toString();
        return CodePointIterator.ofString(serialized)
                .asUtf8()
                .base64Encode(Acme.BASE64_URL, false)
                .drainToString();
    }

    /**
     * Assembles the signed request object from its three already-encoded parts.
     *
     * @param str value stored under {@code protected}
     * @param str2 value stored under {@code payload}
     * @param str3 value stored under the key named by {@code Acme.SIGNATURE}
     * @return the assembled JSON object
     */
    private static JsonObject getJws(String str, String str2, String str3) {
        JsonObjectBuilder jws = Json.createObjectBuilder();
        jws.add("protected", str);
        jws.add("payload", str2);
        jws.add(Acme.SIGNATURE, str3);
        return jws.build();
    }

    /**
     * Builds and encodes a protected header that identifies the signer by public key.
     *
     * <p>The header holds {@code alg}, the key representation produced by {@code Acme.getJwk}
     * under the key named by {@code Acme.JWK}, and {@code url}. No nonce is included here.
     *
     * @param str the signature algorithm header value
     * @param publicKey the public key to embed
     * @param str2 the URL the header is bound to
     * @return the header encoded by {@code getEncodedJson}
     */
    private static String getEncodedProtectedHeader(String str, PublicKey publicKey, String str2) {
        JsonObjectBuilder header = Json.createObjectBuilder();
        header.add("alg", str);
        header.add(Acme.JWK, Acme.getJwk(publicKey, str));
        header.add("url", str2);
        return getEncodedJson(header.build());
    }

    /**
     * Builds and encodes the protected header for a request made on behalf of an account.
     *
     * <p>The signer is identified either by the account's public key (when {@code z} is
     * {@code true}) or by the account URL under {@code kid}. The header also carries a nonce
     * and the target URL, so the signature covers both.
     *
     * @param z {@code true} to embed the public key, {@code false} to reference the account URL
     * @param str the URL the request is sent to
     * @param acmeAccount the account whose key, algorithm and nonce are used
     * @param z2 passed through to {@code getAccountUrl} and {@code getNonce}
     * @return the header encoded by {@code getEncodedJson}
     * @throws AcmeException if the account URL or a nonce cannot be obtained
     */
    private String getEncodedProtectedHeader(boolean z, String str, AcmeAccount acmeAccount, boolean z2) throws AcmeException {
        JsonObjectBuilder header = Json.createObjectBuilder();
        header.add("alg", acmeAccount.getAlgHeader());
        if (!z) {
            header.add("kid", getAccountUrl(acmeAccount, z2));
        } else {
            header.add(Acme.JWK, Acme.getJwk(acmeAccount.getPublicKey(), acmeAccount.getAlgHeader()));
        }
        // The nonce is fetched only after the signer identity has been resolved; keep this order.
        byte[] nonce = getNonce(acmeAccount, z2);
        header.add("nonce", Acme.base64UrlEncode(nonce));
        header.add("url", str);
        return getEncodedJson(header.build());
    }

    /**
     * Signs {@code str + "." + str2} with an already initialised {@link Signature} and returns
     * the encoded result.
     *
     * <p>For keys that are not {@link ECPrivateKey} the signature bytes are encoded as produced.
     * For EC keys the signature is decoded as a DER sequence of two values, which are re-packed
     * as two equal-width big-endian fields placed back to back: leading zero bytes are dropped
     * and each value is then left-padded to the field width. JWS (RFC 7518, section 3.4) expects
     * this fixed-width form rather than DER.
     *
     * @param privateKey used only to decide whether the EC re-packing applies
     * @param signature a signature object that is ready to sign
     * @param str the first part of the signing input
     * @param str2 the second part of the signing input
     * @return the signature encoded by {@code Acme.base64UrlEncode}
     * @throws AcmeException if signing fails or the EC algorithm is not supported
     */
    private static String getEncodedSignature(PrivateKey privateKey, Signature signature, String str, String str2) throws AcmeException {
        try {
            String signingInput = str + "." + str2;
            signature.update(signingInput.getBytes(StandardCharsets.UTF_8));
            byte[] produced = signature.sign();
            if (privateKey instanceof ECPrivateKey) {
                DERDecoder der = new DERDecoder(produced);
                der.startSequence();
                byte[] first = der.drainElementValue();
                byte[] second = der.drainElementValue();
                der.endSequence();

                // Skip leading zero bytes of each value.
                int firstStart = 0;
                while (firstStart < first.length && first[firstStart] == 0) {
                    firstStart++;
                }
                int secondStart = 0;
                while (secondStart < second.length && second[secondStart] == 0) {
                    secondStart++;
                }
                int firstLen = first.length - firstStart;
                int secondLen = second.length - secondStart;

                // Field width: at least half the algorithm's total length, wider if a value needs it.
                int fieldWidth = Math.max(
                        Math.max(firstLen, secondLen),
                        getECSignatureByteLength(signature.getAlgorithm()) / 2);
                byte[] packed = new byte[fieldWidth * 2];
                // Right-align each value inside its field; the untouched prefix stays zero.
                System.arraycopy(first, firstStart, packed, fieldWidth - firstLen, firstLen);
                System.arraycopy(second, secondStart, packed, packed.length - secondLen, secondLen);
                return Acme.base64UrlEncode(packed);
            }
            return Acme.base64UrlEncode(produced);
        } catch (SignatureException e) {
            throw ElytronMessages.acme.unableToCreateAcmeSignature(e);
        }
    }

    /**
     * Creates a {@link Signature} for the named algorithm, initialises it with the private key
     * and delegates to the overload that does the signing and encoding.
     *
     * @param privateKey the signing key
     * @param str the JCA signature algorithm name
     * @param str2 the first part of the signing input
     * @param str3 the second part of the signing input
     * @return the encoded signature
     * @throws AcmeException if the algorithm is unavailable, the key is rejected or signing fails
     */
    private static String getEncodedSignature(PrivateKey privateKey, String str, String str2, String str3) throws AcmeException {
        final Signature signer;
        try {
            signer = Signature.getInstance(str);
            signer.initSign(privateKey);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw ElytronMessages.acme.unableToCreateAcmeSignature(e);
        }
        return getEncodedSignature(privateKey, signer, str2, str3);
    }

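    /**
     * Returns the total length in bytes of the fixed-width ECDSA signature for an algorithm.
     *
     * <p>The values are twice 32, 48 and 66 bytes, the field sizes RFC 7518 gives for ES256,
     * ES384 and ES512.
     *
     * @param str the JCA signature algorithm name
     * @return 64, 96 or 132
     * @throws AcmeException if the algorithm is not one of the three supported names
     */
    private static int getECSignatureByteLength(String str) throws AcmeException {
        // Plain string switch. The previous two-stage hashCode/flag form was decompiler output
        // that is not valid Java (an int assigned to a boolean, duplicate case labels).
        switch (str) {
            case "SHA256withECDSA":
                return 64;
            case "SHA384withECDSA":
                return 96;
            case "SHA512withECDSA":
                return 132;
            default:
                throw ElytronMessages.acme.unsupportedAcmeAccountSignatureAlgorithm(str);
        }
    }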

    /**
     * Returns the nonce stored on the account, requesting a new one when none is stored.
     *
     * @param acmeAccount the account to read the nonce from
     * @param z passed through to {@code getNewNonce}
     * @return the nonce to use for the next request
     * @throws AcmeException if a new nonce is needed and cannot be obtained
     */
    private byte[] getNonce(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        byte[] stored = acmeAccount.getNonce();
        return stored != null ? stored : getNewNonce(acmeAccount, z);
    }

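    /**
     * Returns the account URL, asking the server for it when the account does not hold one yet.
     *
     * <p>When the URL is missing, {@code createAccount(acmeAccount, z, true)} is called and the
     * URL is read again. The meaning of the final {@code true} is not visible here; presumably
     * it restricts the call to looking up an existing account (confirm against
     * {@code createAccount}).
     *
     * @param acmeAccount the account to resolve
     * @param z passed through to {@code createAccount}
     * @return the account URL, never {@code null}
     * @throws AcmeException if the URL is still unknown after the lookup, or the lookup fails
     */
    private String getAccountUrl(AcmeAccount acmeAccount, boolean z) throws AcmeException {
        String accountUrl = acmeAccount.getAccountUrl();
        if (accountUrl == null) {
            createAccount(acmeAccount, z, true);
            accountUrl = acmeAccount.getAccountUrl();
            if (accountUrl == null) {
                // The exception was previously created and then discarded, so a null URL was
                // returned and used as the "kid" value of the protected header.
                throw ElytronMessages.acme.acmeAccountDoesNotExist();
            }
        }
        return accountUrl;
    }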

    /**
     * Checks that the response declares the expected media type and, when a charset is
     * declared, that it matches the class's {@code UTF_8} constant.
     *
     * <p>The header is split on {@code CONTENT_TYPE_DELIMS}. The first token is the media type;
     * the remaining tokens are read as parameter names, and for a {@code charset} name the next
     * token is its value. All comparisons ignore case.
     *
     * @param httpURLConnection the connection whose {@code Content-Type} is inspected
     * @param str the expected media type
     * @return {@code true} only if the media type matches and no other charset is declared;
     *         {@code false} when the header is absent
     * @throws AcmeException if {@code skipDelims} rejects the header as malformed
     */
    private static boolean checkContentType(HttpURLConnection httpURLConnection, String str) throws AcmeException {
        String header = httpURLConnection.getContentType();
        if (header == null) {
            return false;
        }
        CodePointIterator whole = CodePointIterator.ofString(header);
        CodePointIterator token = whole.delimitedBy(CONTENT_TYPE_DELIMS);
        String mediaType = token.drainToString().trim();
        skipDelims(token, whole, CONTENT_TYPE_DELIMS);
        while (token.hasNext()) {
            String parameterName = token.drainToString().trim();
            skipDelims(token, whole, CONTENT_TYPE_DELIMS);
            if (parameterName.equalsIgnoreCase("charset")) {
                // The value token is consumed only for the charset parameter.
                String charset = token.drainToString().trim();
                if (!charset.equalsIgnoreCase(UTF_8)) {
                    return false;
                }
            }
        }
        return mediaType.equalsIgnoreCase(str);
    }

    /**
     * Consumes code points from the second iterator for as long as the first iterator has
     * nothing to offer and the second still has input, requiring each consumed code point to
     * be one of the given delimiters.
     *
     * @param codePointIterator the iterator whose {@code hasNext()} ends the skipping
     * @param codePointIterator2 the iterator the code points are consumed from
     * @param iArr the accepted delimiter code points
     * @throws AcmeException if a consumed code point is not a delimiter
     */
    private static void skipDelims(CodePointIterator codePointIterator, CodePointIterator codePointIterator2, int... iArr) throws AcmeException {
        for (;;) {
            if (codePointIterator.hasNext()) {
                return;
            }
            if (!codePointIterator2.hasNext()) {
                return;
            }
            int consumed = codePointIterator2.next();
            if (!isDelim(consumed, iArr)) {
                throw ElytronMessages.acme.invalidContentTypeFromAcmeServer();
            }
        }
    }

    /**
     * Tells whether a code point is one of the given delimiters.
     *
     * @param i the code point to test
     * @param iArr the delimiter code points
     * @return {@code true} if {@code i} equals any element of {@code iArr}
     */
    private static boolean isDelim(int i, int... iArr) {
        int index = 0;
        while (index < iArr.length) {
            if (iArr[index] == i) {
                return true;
            }
            index++;
        }
        return false;
    }

    /**
     * Reads the whole stream as UTF-8 text, drops lines that are empty after trimming, and
     * returns the remaining lines as a new in-memory stream. Every kept line is terminated with
     * the platform line separator. The input stream is closed before returning.
     *
     * <p>NOTE(review): the entire input is buffered in memory and no size limit is applied in
     * this method; confirm that an upper bound is enforced elsewhere when the input comes from
     * the network.
     *
     * @param inputStream the stream to read and close
     * @return a stream over the filtered text, encoded as UTF-8
     * @throws IOException if reading or closing the input fails
     */
    private static InputStream getConvertedInputStream(InputStream inputStream) throws IOException {
        StringBuilder kept = new StringBuilder();
        try (BufferedReader lines = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
            for (String line = lines.readLine(); line != null; line = lines.readLine()) {
                if (line.trim().isEmpty()) {
                    continue;
                }
                kept.append(line).append(System.lineSeparator());
            }
        }
        return new ByteArrayInputStream(kept.toString().getBytes(StandardCharsets.UTF_8));
    }
}
