package org.eclipse.leshan.server.core.demo.cli;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import org.eclipse.leshan.core.demo.cli.MultiParameterException;
import org.eclipse.leshan.core.demo.cli.converters.PrivateKeyConverter;
import org.eclipse.leshan.core.demo.cli.converters.PublicKeyConverter;
import org.eclipse.leshan.core.demo.cli.converters.TruststoreConverter;
import org.eclipse.leshan.core.util.SecurityUtil;
import picocli.CommandLine;

/* loaded from: input_file:org/eclipse/leshan/server/core/demo/cli/IdentitySection.class */
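/**
 * Picocli option model for the server credentials of the Leshan demo server.
 *
 * <p>Two option groups are declared: X509 (certificate chain, private key, truststore) and RPK
 * (public/private key pair). Picocli fills the groups by reflection; {@link #build(CommandLine)}
 * then validates them and copies the resolved values into the fields exposed by the getters.
 *
 * <p>Security notes for anyone reusing this outside a demo:
 * <ul>
 * <li>Without {@code -xcert}/{@code -xprik}, {@code build} falls back to the certificate and
 * private key read from the {@code credentials/} resources. The option heading describes this as
 * an embedded self-signed certificate; a private key bundled with the application is presumably
 * available to anyone who has the artifact, so it should not be relied on to authenticate the
 * server.</li>
 * <li>Without {@code -ts}, the trust store is an empty list. The option help states that the
 * default is to trust all certificates (only OK for demos). How the empty list is interpreted is
 * decided by the consumer of {@link #getTrustStore()}, which is not visible in this class.</li>
 * <li>Supplying {@code -xcert}/{@code -xprik} does not require {@code -ts}: nothing in
 * {@code build} enforces a truststore, so a custom server certificate can still be combined with
 * the empty (trust-all) default.</li>
 * </ul>
 */
public class IdentitySection {

    @CommandLine.ArgGroup(exclusive = false, heading = "%n@|bold,underline X509 Options|@ %n%n@|italic By default Leshan demo uses an embedded self-signed certificate and trusts any client certificates allowing to use RPK or X509 at client side.%nTo use X509 with your own server key, certificate and truststore : %n     [-xcert, -xprik], [-ts] should be used together.%nTo get helps about files format and how to generate it, see : %nSee https://github.com/eclipse/leshan/wiki/Credential-files-format|@%n%n")
    private X509Section x509;

    @CommandLine.ArgGroup(exclusive = false, heading = "%n@|bold,underline RPK Options|@ %n%n@|italic By default Leshan demo uses an embedded self-signed certificate and trusts any client certificates allowing to use RPK or X509 at client side.%nTo allow RPK only with your own keys : %n     -rpubk -rprik options should be used together.%nTo get helps about files format and how to generate it, see : %nSee https://github.com/eclipse/leshan/wiki/Credential-files-format|@%n%n")
    private RpkSection rpk;

    // Resolved by build(); only set in RPK mode, null otherwise.
    protected PublicKey publicKey;
    // Resolved by build(); user-supplied key, or the embedded default key in X509 mode.
    protected PrivateKey privateKey;
    // Resolved by build(); stays null in RPK mode.
    protected X509Certificate[] certChain;
    // Resolved by build(); stays null in RPK mode, empty when no -ts option was given.
    protected List<Certificate> trustStore;

    /**
     * RPK option group: the server public and private key, both mandatory once the group is used.
     *
     * <p>Kept private, like {@link X509Section}: the decompiler output had widened this class and
     * its {@code pubk} field to public, which exposed a writable key field for no benefit. Picocli
     * binds the fields reflectively, and the enclosing class can still read them directly.
     */
    private static class RpkSection {

        @CommandLine.Option(required = true, names = {"-rpubk", "--rpk-public-key"}, description = {"The path to your server public key file.", "The public Key should be in SubjectPublicKeyInfo format (DER encoding)."}, converter = {PublicKeyConverter.class})
        private PublicKey pubk;

        @CommandLine.Option(required = true, names = {"-rprik", "--rpk-private-key"}, description = {"The path to your server private key file", "The private key should be in PKCS#8 format (DER encoding)."}, converter = {PrivateKeyConverter.class})
        private PrivateKey prik;

        private RpkSection() {
        }
    }

    /**
     * X509 option group: certificate chain, private key and truststore.
     *
     * <p>None of the options is marked required, so any subset may be present; the pairing of
     * {@code -xcert} with {@code -xprik} is checked later in {@link IdentitySection#build}.
     */
    private static class X509Section {
        private X509Certificate[] certchain;

        @CommandLine.Option(names = {"-xprik", "--x509-private-key"}, order = 2, description = {"The path to your server private key file", "The private key should be in PKCS#8 format (DER encoding)."}, converter = {PrivateKeyConverter.class})
        private PrivateKey prik;

        // Empty unless -ts is given; the option help documents the default as "trust all certificates".
        private List<Certificate> trustStore = Collections.emptyList();

        private X509Section() {
        }

        /**
         * Reads the server certificate (or chain) from the file at the given path.
         *
         * @param str path to the certificate or certificate chain file
         * @throws IOException declared by the signature; presumably raised when the file cannot be read
         * @throws GeneralSecurityException declared by the signature; presumably raised when the
         *         content cannot be parsed as certificates
         */
        @CommandLine.Option(names = {"-xcert", "--x509-certificate-chain"}, order = 1, description = {"The path to your server certificate or certificate chain file.", "The certificate Common Name (CN) should generally be equal to the server hostname.", "The certificate should be in X509v3 format (DER or PEM encoding).", "The certificate chain should be in X509v3 format (PEM encoding)."})
        private void setCertChain(String str) throws IOException, GeneralSecurityException {
            this.certchain = SecurityUtil.certificateChain.readFromFile(str);
        }

        /**
         * Loads the trusted certificates from a file, a folder or a trust store URI.
         *
         * <p>NOTE(review): the URI form carries the store password as part of a command-line
         * argument. Arguments are commonly visible in process listings and shell history, so the
         * file or folder form is preferable where that exposure matters.
         *
         * @param str path or trust store URI, in the format described by the option help
         * @throws Exception whatever {@code TruststoreConverter.convertValue} raises
         */
        @CommandLine.Option(names = {"-ts", "--truststore"}, order = 3, description = {"The path to  : ", " - a root certificate file to trust, ", " - OR a folder containing trusted certificates,", " - OR trust store URI.", "", "Certificates must be in in X509v3 format (DER encoding)", "", "URI format:", "  file://<path-to-store>#<password>#<alias-pattern>", "Where : ", "- path-to-store is path to pkcs12 trust store file", "- password is HEX formatted password for store", "- alias-pattern can be used to filter trusted certificates and can also be empty to get all", "", "Default: trust all certificates (only OK for demos)."})
        private void setTruststore(String str) throws Exception {
            this.trustStore = TruststoreConverter.convertValue(str);
        }
    }

    /**
     * Validates the parsed options and resolves the credentials exposed by the getters.
     *
     * <p>If the RPK group was used, only the key pair is resolved and the method returns; any
     * X509 options are ignored in that case, and the certificate chain and trust store stay
     * {@code null}. Whether picocli allows both groups on one command line depends on how this
     * section is declared by its owner, which is not visible here.
     *
     * <p>Otherwise the X509 values are taken from the command line, and a missing certificate
     * chain or private key falls back to the embedded demo credentials.
     *
     * @param commandLine the command line reported in the validation error
     * @throws MultiParameterException if only one of {@code -xcert} and {@code -xprik} was given
     * @throws IllegalStateException if the embedded default credentials cannot be loaded
     */
    public void build(CommandLine commandLine) {
        if (isRPK()) {
            this.publicKey = this.rpk.pubk;
            this.privateKey = this.rpk.prik;
            return;
        }
        try {
            if (this.x509 != null) {
                // A chain without its key, or a key without its chain, would otherwise be
                // silently completed with the embedded demo credential and never match.
                boolean hasCertChain = this.x509.certchain != null;
                boolean hasPrivateKey = this.x509.prik != null;
                if (hasCertChain != hasPrivateKey) {
                    throw new MultiParameterException(commandLine, "-xprik and -xcert MUST be used together", "-xprik", "-xcert");
                }
                this.certChain = this.x509.certchain;
                this.privateKey = this.x509.prik;
                this.trustStore = this.x509.trustStore;
            }
            // Demo fallback: embedded certificate and private key, not suitable beyond demos.
            if (this.certChain == null) {
                this.certChain = SecurityUtil.certificateChain.readFromResource("credentials/server_cert.der");
            }
            if (this.privateKey == null) {
                this.privateKey = SecurityUtil.privateKey.readFromResource("credentials/server_privkey.der");
            }
            // No X509 option at all: same empty list as the X509Section default.
            if (this.trustStore == null) {
                this.trustStore = Collections.emptyList();
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Unable to load default credentials", e);
        }
    }

    /**
     * @return {@code true} if the RPK option group was populated by picocli
     */
    public boolean isRPK() {
        return this.rpk != null;
    }

    /**
     * @return {@code true} whenever RPK is not selected, including when no credential option was
     *         given at all and the embedded defaults are used
     */
    public boolean isx509() {
        return !isRPK();
    }

    /**
     * @return the private key resolved by {@link #build(CommandLine)}; {@code null} before it ran
     */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * @return the public key in RPK mode, {@code null} otherwise
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * @return the certificate chain in X509 mode, {@code null} in RPK mode; the internal array is
     *         returned as is, not a copy
     */
    public X509Certificate[] getCertChain() {
        return this.certChain;
    }

    /**
     * @return the trusted certificates in X509 mode (empty when no {@code -ts} option was given),
     *         {@code null} in RPK mode
     */
    public List<Certificate> getTrustStore() {
        return this.trustStore;
    }
}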
