+ Throwable failure = null;
+
+ final var keys = Maps.<String, CertifiedPrivateKey>newHashMapWithExpectedSize(newState.privateKeys.size());
+ for (var key : newState.privateKeys.values()) {
+ final var keyName = key.requireName();
+
+ final byte[] keyBytes;
+ try {
+ keyBytes = base64Decode(key.requireData());
+ } catch (IllegalArgumentException e) {
+ LOG.debug("Failed to decode private key {}", keyName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ final java.security.PrivateKey privateKey;
+ try {
+ privateKey = securityHelper.generatePrivateKey(keyBytes);
+ } catch (GeneralSecurityException e) {
+ LOG.debug("Failed to generate key for {}", keyName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ final var certChain = key.requireCertificateChain();
+ if (certChain.isEmpty()) {
+ LOG.debug("Key {} has an empty certificate chain", keyName);
+ failure = updateFailure(failure,
+ new IllegalArgumentException("Empty certificate chain for private key " + keyName));
+ continue;
+ }
+
+ final var certs = new ArrayList<X509Certificate>(certChain.size());
+ for (int i = 0, size = certChain.size(); i < size; i++) {
+ final byte[] bytes;
+ try {
+ bytes = base64Decode(certChain.get(i));
+ } catch (IllegalArgumentException e) {
+ LOG.debug("Failed to decode certificate chain item {} for private key {}", i, keyName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ final X509Certificate x509cert;
+ try {
+ x509cert = securityHelper.generateCertificate(bytes);
+ } catch (GeneralSecurityException e) {
+ LOG.debug("Failed to generate certificate chain item {} for private key {}", i, keyName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ certs.add(x509cert);
+ }
+
+ keys.put(keyName, new CertifiedPrivateKey(privateKey, certs));
+ }
+
+ final var certs = Maps.<String, X509Certificate>newHashMapWithExpectedSize(newState.trustedCertificates.size());
+ for (var cert : newState.trustedCertificates.values()) {
+ final var certName = cert.requireName();
+
+ final byte[] bytes;
+ try {
+ bytes = base64Decode(cert.requireCertificate());
+ } catch (IllegalArgumentException e) {
+ LOG.debug("Failed to decode trusted certificate {}", certName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ final X509Certificate x509cert;
+ try {
+ x509cert = securityHelper.generateCertificate(bytes);
+ } catch (GeneralSecurityException e) {
+ LOG.debug("Failed to generate certificate for {}", certName, e);
+ failure = updateFailure(failure, e);
+ continue;
+ }
+
+ certs.put(certName, x509cert);
+ }