package com.yahoo.jdisc.http.server.jetty;

import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.X509CertificateWithKey;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.class */
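/**
 * Provides the X.509 certificate and private key files used for the dataplane proxy.
 *
 * <p>On construction the component tries to reuse the PEM files already on disk. They are reused
 * only when both files exist, both parse, the certificate is inside its validity period and the
 * private key matches the certificate's public key. In every other case a new self-signed pair is
 * generated and written over the two files.
 *
 * <p>The certificate is validated once, at construction. Nothing in this class renews it while the
 * component stays alive, so an instance that outlives the certificate keeps returning it.
 */
public class DataplaneProxyCredentials extends AbstractComponent {
    private static final Logger log = Logger.getLogger(DataplaneProxyCredentials.class.getName());

    /** Subject of the generated self-signed certificate. */
    private static final String SELF_SIGNED_SUBJECT = "cn=vespa dataplane proxy";

    /** Validity period requested for a newly generated certificate. */
    private static final Duration SELF_SIGNED_VALIDITY = Duration.ofDays(30L);

    private final Path certificateFile;
    private final Path keyFile;
    private final X509Certificate certificate;

    /**
     * Creates the component with the default credential locations,
     * {@code secure/proxy_cert.pem} and {@code secure/proxy_key.pem} under the Vespa home directory.
     */
    @Inject
    public DataplaneProxyCredentials() {
        this(Paths.get(Defaults.getDefaults().underVespaHome("secure/proxy_cert.pem")),
             Paths.get(Defaults.getDefaults().underVespaHome("secure/proxy_key.pem")));
    }

    /**
     * Creates the component from explicit file locations, generating new credentials when the
     * existing ones cannot be reused.
     *
     * @param path  file holding the PEM encoded certificate; overwritten when credentials are regenerated
     * @param path2 file holding the PEM encoded private key; overwritten when credentials are regenerated
     * @throws RuntimeException if writing a newly generated certificate or key fails
     *         (the I/O failure is rethrown unchecked by {@code Exceptions.uncheck})
     */
    public DataplaneProxyCredentials(Path path, Path path2) {
        this.certificateFile = path;
        this.keyFile = path2;

        Optional<X509Certificate> reusable = regenerateCredentials(path, path2);
        if (reusable.isPresent()) {
            this.certificate = reusable.get();
        } else {
            X509CertificateWithKey selfSigned =
                    X509CertificateUtils.createSelfSigned(SELF_SIGNED_SUBJECT, SELF_SIGNED_VALIDITY);
            // The two writes are not atomic. An interruption between or during them leaves a
            // mismatched or truncated pair, which the next construction rejects and replaces.
            Exceptions.uncheck(() -> Files.writeString(path, X509CertificateUtils.toPem(selfSigned.certificate())));
            // NOTE(review): the private key file is created with the process default permissions
            // (umask dependent). If the proxy reads it as the same OS user, restrict the file to
            // owner read/write before the key material is written. Confirm how the proxy is run.
            Exceptions.uncheck(() -> Files.writeString(path2, KeyUtils.toPem(selfSigned.privateKey())));
            this.certificate = selfSigned.certificate();
        }
    }

    /**
     * Loads the credentials stored on disk and decides whether they can be reused.
     *
     * @param storedCertificate file holding the PEM encoded certificate
     * @param storedKey         file holding the PEM encoded private key
     * @return the stored certificate when it can be reused, or empty when new credentials
     *         must be generated
     */
    private Optional<X509Certificate> regenerateCredentials(Path storedCertificate, Path storedKey) {
        if (!Files.exists(storedCertificate) || !Files.exists(storedKey)) {
            return Optional.empty();
        }
        try {
            X509Certificate candidate = X509CertificateUtils.fromPem(Files.readString(storedCertificate));
            // Without this check an expired or not-yet-valid certificate would be reused indefinitely.
            candidate.checkValidity();
            boolean keyMatches = X509CertificateUtils.privateKeyMatchesPublicKey(
                    KeyUtils.fromPemEncodedPrivateKey(Files.readString(storedKey)),
                    candidate.getPublicKey());
            return keyMatches ? Optional.of(candidate) : Optional.empty();
        } catch (CertificateException e) {
            log.log(Level.INFO, "Stored proxy certificate is outside its validity period, generating new credentials");
            return Optional.empty();
        } catch (IOException | RuntimeException e) {
            // The PEM helpers declare no checked exceptions, so a malformed or truncated file is
            // reported unchecked. Treat it like an unreadable file instead of failing construction.
            log.log(Level.WARNING, "Failed to load credentials: %s".formatted(e.getMessage()));
            log.log(Level.FINE, e.toString(), (Throwable) e);
            return Optional.empty();
        }
    }

    /** Returns the path of the PEM encoded certificate file. */
    public Path certificateFile() {
        return this.certificateFile;
    }

    /** Returns the path of the PEM encoded private key file. */
    public Path keyFile() {
        return this.keyFile;
    }

    /** Returns the certificate selected or generated at construction. */
    public X509Certificate certificate() {
        return this.certificate;
    }

    /** Delegates to the superclass; this class holds no resources of its own to release. */
    @Override
    public void deconstruct() {
        super.deconstruct();
    }
}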
