/*
    * Copyright 2024 The Netty Project
    *
    * The Netty Project licenses this file to you under the Apache License,
    * version 2.0 (the "License"); you may not use this file except in compliance
    * with the License. You may obtain a copy of the License at:
    *
    *   https://www.apache.org/licenses/LICENSE-2.0
    *
   * Unless required by applicable law or agreed to in writing, software
   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   * License for the specific language governing permissions and limitations
   * under the License.
   */
  
  package io.netty.handler.ssl.util;
  
  import io.netty.buffer.ByteBuf;
  import io.netty.buffer.Unpooled;
  import io.netty.util.internal.PlatformDependent;
  
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.InterruptedIOException;
  import java.nio.charset.StandardCharsets;
  import java.nio.file.Files;
  import java.nio.file.Path;
  import java.nio.file.Paths;
  import java.security.GeneralSecurityException;
  import java.security.KeyStore;
  import java.security.cert.X509Certificate;
  import java.time.ZoneId;
  import java.time.format.DateTimeFormatter;
  import java.time.temporal.ChronoUnit;
  import java.util.Locale;
  import java.util.concurrent.TimeUnit;
  
  /**
   * Self-signed certificate generator based on the keytool CLI.
   */
  final class KeytoolSelfSignedCertGenerator {
      private static final DateTimeFormatter DATE_FORMAT =
              DateTimeFormatter.ofPattern("yyyy/MM/dd HH:mm:ss", Locale.ROOT);
      private static final String ALIAS = "alias";
      private static final String PASSWORD = "insecurepassword";
      private static final Path KEYTOOL;
      private static final String KEY_STORE_TYPE;
  
      static {
          String home = System.getProperty("java.home");
          if (home == null) {
              KEYTOOL = null;
          } else {
              Path likely = Paths.get(home).resolve("bin").resolve("keytool");
              if (Files.exists(likely)) {
                  KEYTOOL = likely;
              } else {
                  KEYTOOL = null;
              }
          }
          // Java < 11 does not support encryption for PKCS#12: JDK-8220734
          // For 11+, we prefer PKCS#12 for FIPS compliance
          KEY_STORE_TYPE = PlatformDependent.javaVersion() >= 11 ? "PKCS12" : "JKS";
      }
  
      private KeytoolSelfSignedCertGenerator() {
      }
  
      static boolean isAvailable() {
          return KEYTOOL != null;
      }
  
      static void generate(SelfSignedCertificate.Builder builder) throws IOException, GeneralSecurityException {
          // Change all asterisk to 'x' for file name safety.
          String dirFqdn = builder.fqdn.replaceAll("[^\\w.-]", "x");
  
          Path directory = Files.createTempDirectory("keytool_" + dirFqdn);
          Path keyStore = directory.resolve("keystore.jks");
          try {
              Process process = new ProcessBuilder()
                      .command(
                              "keytool",
                              "-genkeypair",
                              "-keyalg", builder.algorithm,
                              "-keysize", String.valueOf(builder.bits),
                              "-startdate", DATE_FORMAT.format(
                                      builder.notBefore.toInstant().atZone(ZoneId.systemDefault())),
                              "-validity", String.valueOf(builder.notBefore.toInstant().until(
                                      builder.notAfter.toInstant(), ChronoUnit.DAYS)),
                              "-keystore", keyStore.toString(),
                              "-alias", ALIAS,
                              "-keypass", PASSWORD,
                              "-storepass", PASSWORD,
                              "-dname", "CN=" + builder.fqdn,
                              "-storetype", KEY_STORE_TYPE
                      )
                      .redirectErrorStream(true)
                      .start();
             try {
                 if (!process.waitFor(60, TimeUnit.SECONDS)) {
                     process.destroyForcibly();
                     throw new IOException("keytool timeout");
                 }
             } catch (InterruptedException e) {
                 process.destroyForcibly();
                 Thread.currentThread().interrupt();
                 throw new InterruptedIOException();
             }
 
             if (process.exitValue() != 0) {
                 ByteBuf buffer = Unpooled.buffer();
                 try {
                     try (InputStream stream = process.getInputStream()) {
                         while (true) {
                             if (buffer.writeBytes(stream, 4096) == -1) {
                                 break;
                             }
                         }
                     }
                     String log = buffer.toString(StandardCharsets.UTF_8);
                     throw new IOException("Keytool exited with status " + process.exitValue() + ": " + log);
                 } finally {
                     buffer.release();
                 }
             }
 
             KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
             try (InputStream is = Files.newInputStream(keyStore)) {
                 ks.load(is, PASSWORD.toCharArray());
             }
             KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(
                     ALIAS, new KeyStore.PasswordProtection(PASSWORD.toCharArray()));
             builder.paths = SelfSignedCertificate.newSelfSignedCertificate(
                     builder.fqdn, entry.getPrivateKey(), (X509Certificate) entry.getCertificate());
             builder.privateKey = entry.getPrivateKey();
         } finally {
             Files.deleteIfExists(keyStore);
             Files.delete(directory);
         }
     }
 }