package org.apache.ambari.logsearch.configurer;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import javax.inject.Inject;
import javax.inject.Named;
import javax.net.ssl.SSLContext;
import org.apache.ambari.logsearch.conf.LogSearchSslConfig;
import org.apache.ambari.logsearch.util.FileUtil;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.hadoop.conf.Configuration;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

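/**
 * Sets up the key store and trust store used by the embedded Jetty HTTPS listener.
 *
 * <p>Store locations, passwords and types are read from the standard {@code javax.net.ssl.*}
 * system properties. When the configured key store does not exist yet (or none is configured),
 * {@link #loadKeystore()} generates an RSA key pair, a self-signed X.509 certificate and a key
 * store holding both, using the Bouncy Castle provider. Store passwords missing from the system
 * properties are resolved by {@link #ensureStorePasswords()}: first from the Hadoop credential
 * store, then from a password file under the certificate folder, finally a built-in default.
 *
 * <p>Not thread-safe: the methods mutate global state (system properties, registered security
 * providers, files on disk) and are intended to be called once during start-up.
 */
@Named
public class SslConfigurer {
    private static final Logger LOG = LoggerFactory.getLogger(SslConfigurer.class);

    // Standard JSSE system properties that describe the key store and trust store.
    private static final String KEYSTORE_LOCATION_ARG = "javax.net.ssl.keyStore";
    private static final String KEYSTORE_PASSWORD_ARG = "javax.net.ssl.keyStorePassword";
    private static final String KEYSTORE_TYPE_ARG = "javax.net.ssl.keyStoreType";
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
    private static final String TRUSTSTORE_LOCATION_ARG = "javax.net.ssl.trustStore";
    private static final String TRUSTSTORE_PASSWORD_ARG = "javax.net.ssl.trustStorePassword";
    private static final String TRUSTSTORE_TYPE_ARG = "javax.net.ssl.trustStoreType";
    private static final String DEFAULT_TRUSTSTORE_TYPE = "JKS";

    // Aliases under which the store passwords are looked up in the Hadoop credential store.
    private static final String KEYSTORE_PASSWORD_PROPERTY_NAME = "logsearch_keystore_password";
    private static final String TRUSTSTORE_PASSWORD_PROPERTY_NAME = "logsearch_truststore_password";

    // Password files, relative to LogSearchSslConfig.LOGSEARCH_CERT_DEFAULT_FOLDER, used when the
    // credential store has no entry.
    private static final String KEYSTORE_PASSWORD_FILE = "ks_pass.txt";
    private static final String TRUSTSTORE_PASSWORD_FILE = "ts_pass.txt";

    // Artifacts written when the key store is auto-generated.
    private static final String LOGSEARCH_CERT_FILENAME = "logsearch.crt";
    private static final String LOGSEARCH_KEYSTORE_FILENAME = "logsearch.jks";
    private static final String LOGSEARCH_KEYSTORE_PRIVATE_KEY = "logsearch.private.key";
    private static final String LOGSEARCH_KEYSTORE_PUBLIC_KEY = "logsearch.public.key";

    // Last-resort password. It is a well-known value, so it only guards against accidental reads;
    // deployments that care should provide a password via the credential store or system property.
    private static final String LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD = "bigdata";

    // Alias of the generated key entry inside the key store.
    private static final String LOGSEARCH_KEY_ALIAS = "logsearch.alias";

    // JCA name of the Bouncy Castle provider.
    private static final String BC_PROVIDER = "BC";

    // Key-pair parameters used for auto-generated key stores.
    private static final String GENERATED_KEY_ALGORITHM = "RSA";
    private static final int GENERATED_KEY_SIZE = 2048;

    // Validity window of the generated certificate: back-dated 30 days (tolerates clock skew
    // between hosts), valid for 10 years.
    private static final long CERT_NOT_BEFORE_OFFSET_MS = 30L * 24 * 60 * 60 * 1000;
    private static final long CERT_NOT_AFTER_OFFSET_MS = 3650L * 24 * 60 * 60 * 1000;

    @Inject
    private LogSearchSslConfig logSearchSslConfig;

    /** @return value of {@value #KEYSTORE_LOCATION_ARG}, or {@code null} when unset. */
    private String getKeyStoreLocation() {
        return System.getProperty(KEYSTORE_LOCATION_ARG);
    }

    /** @return value of {@value #KEYSTORE_PASSWORD_ARG}, or {@code null} when unset. */
    private String getKeyStorePassword() {
        return System.getProperty(KEYSTORE_PASSWORD_ARG);
    }

    /** @return value of {@value #KEYSTORE_TYPE_ARG}, defaulting to {@value #DEFAULT_KEYSTORE_TYPE}. */
    private String getKeyStoreType() {
        return System.getProperty(KEYSTORE_TYPE_ARG, DEFAULT_KEYSTORE_TYPE);
    }

    /** @return value of {@value #TRUSTSTORE_LOCATION_ARG}, or {@code null} when unset. */
    private String getTrustStoreLocation() {
        return System.getProperty(TRUSTSTORE_LOCATION_ARG);
    }

    /** @return value of {@value #TRUSTSTORE_PASSWORD_ARG}, or {@code null} when unset. */
    private String getTrustStorePassword() {
        return System.getProperty(TRUSTSTORE_PASSWORD_ARG);
    }

    /** @return value of {@value #TRUSTSTORE_TYPE_ARG}, defaulting to {@value #DEFAULT_TRUSTSTORE_TYPE}. */
    private String getTrustStoreType() {
        return System.getProperty(TRUSTSTORE_TYPE_ARG, DEFAULT_TRUSTSTORE_TYPE);
    }

    /**
     * Tells whether a key store location has been configured.
     *
     * @return {@code true} when {@value #KEYSTORE_LOCATION_ARG} is set and non-empty
     */
    public boolean isKeyStoreSpecified() {
        return StringUtils.isNotEmpty(getKeyStoreLocation());
    }

    /** @return {@code true} when {@value #TRUSTSTORE_LOCATION_ARG} is set and non-empty. */
    private boolean isTrustStoreSpecified() {
        return StringUtils.isNotEmpty(getTrustStoreLocation());
    }

    /**
     * Builds a Jetty {@link SslContextFactory} from the {@code javax.net.ssl.*} system properties.
     *
     * <p>The key store settings are always applied (possibly as {@code null} when unset); the
     * trust store settings only when a trust store location is configured. The factory is
     * returned unstarted.
     *
     * @return a configured, not yet started factory
     */
    public SslContextFactory getSslContextFactory() {
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(getKeyStoreLocation());
        sslContextFactory.setKeyStorePassword(getKeyStorePassword());
        sslContextFactory.setKeyStoreType(getKeyStoreType());
        if (isTrustStoreSpecified()) {
            sslContextFactory.setTrustStorePath(getTrustStoreLocation());
            sslContextFactory.setTrustStorePassword(getTrustStorePassword());
            sslContextFactory.setTrustStoreType(getTrustStoreType());
        }
        return sslContextFactory;
    }

    /**
     * Creates an {@link SSLContext} from the configured stores.
     *
     * <p>Jetty's factory only builds its context while started, so the factory is started,
     * queried and stopped again; the returned context outlives the factory.
     *
     * @return the context, or {@code null} if the factory could not be started (the cause is
     *         logged); callers must check for {@code null}
     */
    public SSLContext getSSLContext() {
        SslContextFactory sslContextFactory = getSslContextFactory();
        try {
            sslContextFactory.start();
            return sslContextFactory.getSslContext();
        } catch (Exception e) {
            LOG.error("Could not create SSL Context", e);
            return null;
        } finally {
            stopQuietly(sslContextFactory);
        }
    }

    /** Stops the factory, logging (not propagating) any failure. */
    private static void stopQuietly(SslContextFactory sslContextFactory) {
        try {
            sslContextFactory.stop();
        } catch (Exception e) {
            LOG.error("Could not stop sslContextFactory", e);
        }
    }

    /**
     * Reads a store password from a file under {@link LogSearchSslConfig#LOGSEARCH_CERT_DEFAULT_FOLDER},
     * creating the file with the built-in default password when it does not exist.
     *
     * @param fileName name of the password file (e.g. {@value #KEYSTORE_PASSWORD_FILE})
     * @return the file content verbatim (a trailing newline in a hand-edited file becomes part of
     *         the password), the default password if the file was just created, or {@code null}
     *         when the file could not be read or written (logged as a warning)
     */
    private String getPasswordFromFile(String fileName) {
        try {
            File passwordFile = new File(LogSearchSslConfig.LOGSEARCH_CERT_DEFAULT_FOLDER, fileName);
            if (passwordFile.exists()) {
                // Explicit charset: the no-charset overloads use the platform default, which
                // varies per host.
                return FileUtils.readFileToString(passwordFile, StandardCharsets.UTF_8);
            }
            // NOTE(review): the file is created with the process umask; directory permissions are
            // only tightened later in loadKeystore(), and only when the key store is generated there.
            FileUtils.writeStringToFile(passwordFile, LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD, StandardCharsets.UTF_8);
            return LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD;
        } catch (Exception e) {
            LOG.warn("Exception occurred during read/write password file for keystore/truststore.", e);
            return null;
        }
    }

    /**
     * Looks a store password up in the Hadoop credential store configured by
     * {@link LogSearchSslConfig#getCredentialStoreProviderPath()}.
     *
     * @param alias credential alias (e.g. {@value #KEYSTORE_PASSWORD_PROPERTY_NAME})
     * @return the password, or {@code null} when no provider path is configured, the alias is
     *         absent or empty, or the lookup fails (logged as a warning)
     */
    private String getPasswordFromCredentialStore(String alias) {
        try {
            String credentialStoreProviderPath = this.logSearchSslConfig.getCredentialStoreProviderPath();
            if (StringUtils.isEmpty(credentialStoreProviderPath)) {
                return null;
            }
            Configuration configuration = new Configuration();
            configuration.set(LogSearchSslConfig.CREDENTIAL_STORE_PROVIDER_PATH, credentialStoreProviderPath);
            char[] password = configuration.getPassword(alias);
            return ArrayUtils.isNotEmpty(password) ? new String(password) : null;
        } catch (Exception e) {
            LOG.warn(String.format("Could not load password %s from credential store, using default password", alias), e);
            return null;
        }
    }

    /**
     * Resolves a store password: credential store first, then password file, then the built-in
     * default. Never returns {@code null}.
     *
     * @param credentialAlias alias in the credential store
     * @param passwordFileName password file name under the default certificate folder
     * @return the first password found, or {@value #LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD}
     */
    private String getPassword(String credentialAlias, String passwordFileName) {
        String fromCredentialStore = getPasswordFromCredentialStore(credentialAlias);
        if (fromCredentialStore != null) {
            return fromCredentialStore;
        }
        String fromFile = getPasswordFromFile(passwordFileName);
        return fromFile != null ? fromFile : LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD;
    }

    /**
     * Stores the private key with its certificate under {@value #LOGSEARCH_KEY_ALIAS} and writes
     * the key store to disk.
     *
     * @param certificate certificate matching the key pair
     * @param keyPair key pair whose private key is stored
     * @param keyStore loaded (possibly empty) key store to add the entry to
     * @param keyStoreLocation path of the file to write
     * @param password protects both the key entry and the store file
     * @throws Exception if the entry cannot be set or the file cannot be written (also logged)
     */
    private void setKeyAndCertInKeystore(X509Certificate certificate, KeyPair keyPair, KeyStore keyStore,
                                         String keyStoreLocation, char[] password) throws Exception {
        Certificate[] chain = {certificate};
        try (FileOutputStream out = new FileOutputStream(keyStoreLocation)) {
            keyStore.setKeyEntry(LOGSEARCH_KEY_ALIAS, keyPair.getPrivate(), password, chain);
            keyStore.store(out, password);
        } catch (Exception e) {
            LOG.error("Could not write certificate to Keystore", e);
            throw e;
        }
    }

    /** Registers Bouncy Castle; {@link Security#addProvider} is a no-op (returns -1) if already present. */
    private static void ensureBouncyCastleProvider() {
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Generates a key pair with the Bouncy Castle provider.
     *
     * @param algorithm key algorithm, e.g. {@value #GENERATED_KEY_ALGORITHM}
     * @param keySize key size in bits
     * @return a fresh key pair
     * @throws NoSuchProviderException if the BC provider cannot be used
     * @throws NoSuchAlgorithmException if BC does not support {@code algorithm}
     */
    private KeyPair createKeyPair(String algorithm, int keySize) throws NoSuchProviderException, NoSuchAlgorithmException {
        ensureBouncyCastleProvider();
        return createKeyPairGenerator(algorithm, keySize).genKeyPair();
    }

    /**
     * Returns the certificate stored at {@code certPath}, generating and writing a self-signed one
     * for the local host when the file does not exist.
     *
     * @param certPath path of the DER-encoded certificate file
     * @param keyPair key pair the certificate is issued for (and signed with)
     * @param signatureAlgorithm JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @return the existing or newly generated certificate
     * @throws Exception if the certificate cannot be read, generated or written (also logged)
     */
    private X509Certificate generateCertificate(String certPath, KeyPair keyPair, String signatureAlgorithm) throws Exception {
        try {
            File certFile = new File(certPath);
            if (certFile.exists()) {
                LOG.info("Certificate file exists ({}), skip the generation.", certPath);
                return getCertFile(certPath);
            }
            ensureBouncyCastleProvider();
            // The CN is the local canonical host name; clients that verify host names must
            // therefore connect using that name.
            String hostName = InetAddress.getLocalHost().getCanonicalHostName();
            X509Certificate certificate = createCert(keyPair, signatureAlgorithm, hostName);
            FileUtils.writeByteArrayToFile(certFile, certificate.getEncoded());
            return certificate;
        } catch (Exception e) {
            LOG.error("Could not create certificate.", e);
            throw e;
        }
    }

    /**
     * Sets the password system property for a store when the store location is configured but
     * its password property is not.
     *
     * @param locationArg system property holding the store location
     * @param passwordArg system property to set with the resolved password
     * @param credentialAlias alias in the credential store
     * @param passwordFileName password file name under the default certificate folder
     */
    private void ensureStorePassword(String locationArg, String passwordArg, String credentialAlias, String passwordFileName) {
        boolean locationConfigured = StringUtils.isNotEmpty(System.getProperty(locationArg));
        boolean passwordMissing = StringUtils.isEmpty(System.getProperty(passwordArg));
        if (locationConfigured && passwordMissing) {
            System.setProperty(passwordArg, getPassword(credentialAlias, passwordFileName));
        }
    }

    /**
     * Fills in {@value #KEYSTORE_PASSWORD_ARG} and {@value #TRUSTSTORE_PASSWORD_ARG} when the
     * corresponding store is configured without a password (see {@link #getPassword}).
     */
    public void ensureStorePasswords() {
        ensureStorePassword(KEYSTORE_LOCATION_ARG, KEYSTORE_PASSWORD_ARG, KEYSTORE_PASSWORD_PROPERTY_NAME, KEYSTORE_PASSWORD_FILE);
        ensureStorePassword(TRUSTSTORE_LOCATION_ARG, TRUSTSTORE_PASSWORD_ARG, TRUSTSTORE_PASSWORD_PROPERTY_NAME, TRUSTSTORE_PASSWORD_FILE);
    }

    /**
     * Parses an X.509 certificate file.
     *
     * @param certPath path of the certificate file
     * @return the parsed certificate
     * @throws Exception if the file cannot be opened or parsed (also logged)
     */
    private X509Certificate getCertFile(String certPath) throws Exception {
        try (FileInputStream in = new FileInputStream(certPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (Exception e) {
            LOG.error("Cannot read cert file. ('" + certPath + "')", e);
            throw e;
        }
    }

    /**
     * Builds a self-signed X.509 v3 certificate for an RSA key pair.
     *
     * @param keyPair RSA key pair; the public key becomes the subject key, the private key signs
     * @param signatureAlgorithm JCA signature algorithm name understood by Bouncy Castle
     * @param commonName CN of the subject (and, being self-signed, the issuer)
     * @return the certificate, converted through the BC provider
     * @throws IOException if the public key encoding cannot be parsed
     * @throws OperatorCreationException if the content signer cannot be built
     * @throws CertificateException if the certificate holder cannot be converted
     */
    private X509Certificate createCert(KeyPair keyPair, String signatureAlgorithm, String commonName)
            throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, OperatorCreationException,
            CertificateException, IOException {
        RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate();

        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithm);
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        BcRSAContentSignerBuilder signerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId);

        SubjectPublicKeyInfo subjectPublicKeyInfo;
        try (ASN1InputStream publicKeyStream = new ASN1InputStream(rsaPublicKey.getEncoded())) {
            subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKeyStream.readObject());
        }

        // RFC 5280 requires a positive serial; Math.abs(Integer.MIN_VALUE) would have yielded a
        // negative one, so draw 63 random bits and add one instead.
        BigInteger serial = new BigInteger(63, new SecureRandom()).add(BigInteger.ONE);
        long now = System.currentTimeMillis();
        X500Name name = buildDistinguishedName(commonName);
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
                name,
                serial,
                new Date(now - CERT_NOT_BEFORE_OFFSET_MS),
                new Date(now + CERT_NOT_AFTER_OFFSET_MS),
                name,
                subjectPublicKeyInfo);

        // RSAKeyParameters takes (isPrivate, modulus, exponent): the modulus comes first. Passing
        // them swapped signs with the wrong numbers, and BC's modulus validation may reject the
        // private exponent outright.
        RSAKeyParameters signingKey = new RSAKeyParameters(true, rsaPrivateKey.getModulus(), rsaPrivateKey.getPrivateExponent());
        return new JcaX509CertificateConverter()
                .setProvider(BC_PROVIDER)
                .getCertificate(certBuilder.build(signerBuilder.build(signingKey)));
    }

    /**
     * Builds the subject/issuer name for a generated certificate. Every RDN is comma-separated;
     * a missing comma would fold the following attribute into the previous value.
     */
    private static X500Name buildDistinguishedName(String commonName) {
        return new X500Name("CN=" + commonName + ", OU=None, O=None, L=None, C=None");
    }

    /**
     * Creates and initializes a Bouncy Castle key-pair generator.
     *
     * @param algorithm key algorithm
     * @param keySize key size in bits
     * @throws NoSuchProviderException if the BC provider is not registered
     * @throws NoSuchAlgorithmException if BC does not support {@code algorithm}
     */
    private KeyPairGenerator createKeyPairGenerator(String algorithm, int keySize) throws NoSuchProviderException, NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(algorithm, BC_PROVIDER);
        keyPairGenerator.initialize(keySize);
        return keyPairGenerator;
    }

    /** Writes {@code content} to {@code file} unless the file already exists. */
    private static void writeIfAbsent(File file, byte[] content) throws IOException {
        if (!file.exists()) {
            FileUtils.writeByteArrayToFile(file, content);
        }
    }

    /**
     * Makes sure a key store exists at the configured (or default) location, generating key pair,
     * certificate and key store when it does not.
     *
     * <p>Side effects when generating: writes the raw private and public key encodings and the
     * certificate to disk, registers the Bouncy Castle provider, and tightens the permissions of
     * the configured certificate folder via {@link FileUtil#setPermissionOnDirectory}.
     *
     * @throws RuntimeException wrapping any failure, or when a non-JKS key store is configured but
     *         missing (only JKS stores are generated)
     */
    public void loadKeystore() {
        try {
            String certFolder = this.logSearchSslConfig.getCertFolder();
            String certAlgorithm = this.logSearchSslConfig.getCertAlgorithm();
            // NOTE(review): the certificate and default key store live under the default folder,
            // while the raw key files and the permission fix-up use the configured certFolder.
            String certPath = String.format("%s/%s", LogSearchSslConfig.LOGSEARCH_CERT_DEFAULT_FOLDER, LOGSEARCH_CERT_FILENAME);
            String keyStoreLocation = isKeyStoreSpecified()
                    ? getKeyStoreLocation()
                    : String.format("%s/%s", LogSearchSslConfig.LOGSEARCH_CERT_DEFAULT_FOLDER, LOGSEARCH_KEYSTORE_FILENAME);
            char[] password = StringUtils.isNotEmpty(getKeyStorePassword())
                    ? getKeyStorePassword().toCharArray()
                    : LOGSEARCH_KEYSTORE_DEFAULT_PASSWORD.toCharArray();

            if (new File(keyStoreLocation).exists()) {
                return;
            }
            FileUtil.createDirectory(certFolder);
            LOG.warn("Keystore file ('{}') does not exist, creating new one. If the file exists, make sure you have proper permissions on that.", keyStoreLocation);
            if (isKeyStoreSpecified() && !DEFAULT_KEYSTORE_TYPE.equalsIgnoreCase(getKeyStoreType())) {
                throw new RuntimeException(String.format("Keystore does not exist. Only JKS keystore can be auto generated. (%s)", keyStoreLocation));
            }
            LOG.info("SSL keystore is not specified. Generating it with certificate ... (using default format: JKS)");

            KeyPair keyPair = createKeyPair(GENERATED_KEY_ALGORITHM, GENERATED_KEY_SIZE);
            // The private key is written unencrypted (PKCS#8 DER); it relies on the folder
            // permissions applied at the end of this method.
            writeIfAbsent(new File(String.format("%s/%s", certFolder, LOGSEARCH_KEYSTORE_PRIVATE_KEY)), keyPair.getPrivate().getEncoded());
            writeIfAbsent(new File(String.format("%s/%s", certFolder, LOGSEARCH_KEYSTORE_PUBLIC_KEY)), keyPair.getPublic().getEncoded());
            X509Certificate certificate = generateCertificate(certPath, keyPair, certAlgorithm);

            // Use the type Jetty will later open the file with (JKS unless overridden) instead of
            // KeyStore.getDefaultType(), which is PKCS12 on Java 9+ and would not match the
            // configured type.
            KeyStore keyStore = KeyStore.getInstance(getKeyStoreType());
            keyStore.load(null, password);
            setKeyAndCertInKeystore(certificate, keyPair, keyStore, keyStoreLocation, password);
            // Mode string is passed through to the project helper unchanged.
            FileUtil.setPermissionOnDirectory(certFolder, "600");
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}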
