package org.apache.dubbo.registry.xds.istio;

import io.grpc.ClientInterceptor;
import io.grpc.ManagedChannel;
import io.grpc.Metadata;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.grpc.stub.MetadataUtils;
import io.grpc.stub.StreamObserver;
import istio.v1.auth.IstioCertificateRequest;
import istio.v1.auth.IstioCertificateResponse;
import istio.v1.auth.IstioCertificateServiceGrpc;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.utils.StringUtils;
import org.apache.dubbo.registry.xds.XdsCertificateSigner;
import org.apache.dubbo.rpc.RpcException;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;

/* loaded from: input_file:org/apache/dubbo/registry/xds/istio/IstioCitadelCertificateSigner.class */
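/**
 * {@link XdsCertificateSigner} that obtains a workload certificate from Istio Citadel (the
 * {@code istio.v1.auth.IstioCertificateService} gRPC API).
 *
 * <p>A key pair is generated locally (EC secp256r1 when {@link IstioEnv#isECCFirst()} allows it,
 * otherwise RSA), a PKCS#10 CSR carrying a URI subject-alternative-name is signed with it and sent
 * to Citadel, and the returned chain together with the PEM private key is cached as a
 * {@link XdsCertificateSigner.CertPair}. A daemon scheduler refreshes the pair every 30 seconds
 * once it is about to expire.
 *
 * <p>Thread-safety: {@link #certPair} is published through a volatile write made under the
 * instance lock in {@link #doGenerateCert()}; readers never need the lock.
 */
public class IstioCitadelCertificateSigner implements XdsCertificateSigner {
    private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger(IstioCitadelCertificateSigner.class);

    /** Named EC curve tried first when ECC is preferred. */
    private static final String EC_CURVE = "secp256r1";
    /** Refresh period of the background certificate task, in seconds. */
    private static final long REFRESH_PERIOD_SECONDS = 30L;

    private final IstioEnv istioEnv;

    // volatile: GenerateCert reads this field without holding the lock that doGenerateCert writes it under.
    private volatile XdsCertificateSigner.CertPair certPair;

    /**
     * Locally generated key pair plus the signer used for the CSR. Immutable value holder.
     */
    private static final class KeyMaterial {
        final PublicKey publicKey;
        final PrivateKey privateKey;
        final ContentSigner signer;

        KeyMaterial(KeyPair pair, ContentSigner signer) {
            this.publicKey = pair.getPublic();
            this.privateKey = pair.getPrivate();
            this.signer = signer;
        }
    }

    /**
     * Periodic refresh task. Exceptions are caught here on purpose: a task that throws from
     * {@code scheduleAtFixedRate} is silently cancelled for good, which would stop certificate
     * renewal after a single transient Citadel failure.
     */
    private class GenerateCertTask implements Runnable {
        private GenerateCertTask() {
        }

        @Override
        public void run() {
            try {
                IstioCitadelCertificateSigner.this.doGenerateCert();
            } catch (RuntimeException e) {
                // doGenerateCert already logged the error-coded message; this keeps the schedule alive.
                logger.warn("Periodic certificate refresh from Istio Citadel failed, will retry on the next run.", e);
            }
        }
    }

    /**
     * Creates the signer and starts the background refresh schedule.
     *
     * <p>{@code istioEnv} is assigned before the task is scheduled: the first run has zero delay
     * and dereferences the field, so scheduling first would race with field initialisation.
     * The scheduler thread is a daemon so that a signer instance does not keep the JVM alive.
     */
    public IstioCitadelCertificateSigner() {
        this.istioEnv = IstioEnv.getInstance();
        Executors.newScheduledThreadPool(1, runnable -> {
            Thread thread = new Thread(runnable, "Dubbo-istio-cert-refresh");
            thread.setDaemon(true);
            return thread;
        }).scheduleAtFixedRate(new GenerateCertTask(), 0L, REFRESH_PERIOD_SECONDS, TimeUnit.SECONDS);
    }

    /**
     * Returns the cached certificate pair, generating a new one when none exists or the cached
     * pair reports itself expired.
     *
     * @param url ignored; the CA address and identity come from {@link IstioEnv}
     * @return a non-null certificate pair
     * @throws RpcException if a certificate had to be generated and Citadel could not issue one
     */
    @Override
    public XdsCertificateSigner.CertPair GenerateCert(URL url) {
        // Single volatile read so the null check and isExpire() see the same pair.
        XdsCertificateSigner.CertPair current = this.certPair;
        if (current == null || current.isExpire()) {
            return doGenerateCert();
        }
        return current;
    }

    /**
     * Generates and caches a new certificate pair unless another thread already did so.
     *
     * @return the current (possibly freshly created) certificate pair
     * @throws RpcException wrapping any {@link IOException} raised while building the CSR or
     *         the TLS channel, or raised directly by {@link #createCert()}
     */
    public XdsCertificateSigner.CertPair doGenerateCert() {
        synchronized (this) {
            XdsCertificateSigner.CertPair current = this.certPair;
            if (current == null || current.isExpire()) {
                try {
                    this.certPair = createCert();
                } catch (IOException e) {
                    logger.error("1-26", "", "", "Generate Cert from Istio failed.", e);
                    throw new RpcException("Generate Cert from Istio failed.", e);
                }
            }
        }
        return this.certPair;
    }

    /**
     * Performs one full certificate request against Istio Citadel.
     *
     * <p>The gRPC channel is shut down on every exit path, including the error ones, so a failed
     * request does not leak a Netty event loop.
     *
     * @return the issued certificate pair; its expiry is {@code now + secretTTL * gracePeriodRatio}
     * @throws IOException if the CSR or the TLS context cannot be built
     * @throws RpcException if no key pair can be generated, if Citadel returned an error, or if
     *         the calling thread was interrupted while waiting (the interrupt flag is restored)
     */
    public XdsCertificateSigner.CertPair createCert() throws IOException {
        KeyMaterial keys = generateKeyMaterial();
        String csr = generateCsr(keys.publicKey, keys.signer);
        ManagedChannel channel = buildChannel();
        try {
            Metadata metadata = new Metadata();
            metadata.put(Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER), "Bearer " + this.istioEnv.getServiceAccount());
            metadata.put(Metadata.Key.of("ClusterID", Metadata.ASCII_STRING_MARSHALLER), this.istioEnv.getIstioMetaClusterId());
            IstioCertificateServiceGrpc.IstioCertificateServiceStub stub = IstioCertificateServiceGrpc.newStub(channel)
                    .withInterceptors(MetadataUtils.newAttachHeadersInterceptor(metadata));

            CountDownLatch done = new CountDownLatch(1);
            StringBuffer certChain = new StringBuffer();
            AtomicBoolean failed = new AtomicBoolean(false);
            stub.createCertificate(generateRequest(csr), generateResponseObserver(done, certChain, failed));

            // Expiry is computed before waiting so the grace window is measured from request time.
            // NOTE(review): the call has no deadline; if Citadel never answers, await() blocks indefinitely.
            long expireTime = System.currentTimeMillis() + (this.istioEnv.getSecretTTL() * this.istioEnv.getSecretGracePeriodRatio());
            done.await();
            if (failed.get()) {
                throw new RpcException("Generate Cert Failed. Send csr request failed. Please check log above.");
            }
            return new XdsCertificateSigner.CertPair(generatePrivatePemKey(keys.privateKey), certChain.toString(), System.currentTimeMillis(), expireTime);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RpcException("Generate Cert Failed. Wait for cert failed.", e);
        } finally {
            channel.shutdown();
        }
    }

    /**
     * Generates the key pair and CSR signer: EC secp256r1 / SHA256withECDSA when ECC is preferred
     * and available, else RSA of {@link IstioEnv#getRasKeySize()} bits / SHA256WithRSA.
     *
     * @throws RpcException if the RSA fallback cannot be generated either
     */
    private KeyMaterial generateKeyMaterial() {
        if (this.istioEnv.isECCFirst()) {
            try {
                KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
                generator.initialize(new ECGenParameterSpec(EC_CURVE), new SecureRandom());
                KeyPair pair = generator.generateKeyPair();
                return new KeyMaterial(pair, new JcaContentSignerBuilder("SHA256withECDSA").build(pair.getPrivate()));
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | OperatorCreationException e) {
                // Fall through to RSA; this is a degraded-but-working path, hence no rethrow.
                logger.error("1-27", "", "", "Generate Key with secp256r1 algorithm failed. Please check if your system support. Will attempt to generate with RSA2048.", e);
            }
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(this.istioEnv.getRasKeySize());
            KeyPair pair = generator.generateKeyPair();
            return new KeyMaterial(pair, new JcaContentSignerBuilder("SHA256WithRSA").build(pair.getPrivate()));
        } catch (NoSuchAlgorithmException | OperatorCreationException e) {
            logger.error("1-27", "", "", "Generate Key with SHA256WithRSA algorithm failed. Please check if your system support.", e);
            throw new RpcException(e);
        }
    }

    /**
     * Builds the TLS channel to the Citadel address. With a configured CA certificate the server
     * is verified against it; without one the channel trusts any server certificate, which is
     * logged as a warning because it leaves the CSR/token exchange open to interception.
     *
     * @throws IOException if the SSL context cannot be built
     */
    private ManagedChannel buildChannel() throws IOException {
        String caCert = this.istioEnv.getCaCert();
        NettyChannelBuilder builder = NettyChannelBuilder.forTarget(this.istioEnv.getCaAddr());
        if (StringUtils.isNotEmpty(caCert)) {
            return builder.sslContext(GrpcSslContexts.forClient()
                    .trustManager(new ByteArrayInputStream(caCert.getBytes(StandardCharsets.UTF_8)))
                    .build()).build();
        }
        logger.warn("No CA certificate configured for Istio Citadel; the server certificate of the CA channel will not be verified.");
        return builder.sslContext(GrpcSslContexts.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .build()).build();
    }

    /**
     * Wraps a PEM CSR into the Citadel request, asking for {@link IstioEnv#getSecretTTL()} validity.
     */
    private IstioCertificateRequest generateRequest(String csrPem) {
        return IstioCertificateRequest.newBuilder()
                .setCsr(csrPem)
                .setValidityDuration(this.istioEnv.getSecretTTL())
                .build();
    }

    /**
     * Builds the observer that collects the certificate chain and releases the waiting caller.
     *
     * @param done      released on first message, error or completion
     * @param certChain receives every chain element of the response, concatenated in order
     * @param failed    set when Citadel reports an error
     */
    private StreamObserver<IstioCertificateResponse> generateResponseObserver(final CountDownLatch done, final StringBuffer certChain, final AtomicBoolean failed) {
        return new StreamObserver<IstioCertificateResponse>() {
            @Override
            public void onNext(IstioCertificateResponse response) {
                for (int i = 0; i < response.getCertChainCount(); i++) {
                    certChain.append(response.getCertChainBytes(i).toStringUtf8());
                }
                if (IstioCitadelCertificateSigner.logger.isDebugEnabled()) {
                    IstioCitadelCertificateSigner.logger.debug("Receive Cert chain from Istio Citadel. \n" + ((Object) certChain));
                }
                done.countDown();
            }

            @Override
            public void onError(Throwable th) {
                failed.set(true);
                IstioCitadelCertificateSigner.logger.error("1-28", "", "", "Receive error message from Istio Citadel grpc stub.", th);
                done.countDown();
            }

            @Override
            public void onCompleted() {
                done.countDown();
            }
        };
    }

    /**
     * Encodes the private key as PEM. {@link PrivateKey#getEncoded()} returns PKCS#8 DER for both
     * EC and RSA JCA keys, so the label is {@code PRIVATE KEY}; the former {@code RSA PRIVATE KEY}
     * label denotes PKCS#1 and mislabelled EC keys outright. Only the key algorithm is logged;
     * the PEM body is secret material and must not reach the logs.
     */
    private String generatePrivatePemKey(PrivateKey privateKey) throws IOException {
        String pem = generatePemKey("PRIVATE KEY", privateKey.getEncoded());
        if (logger.isDebugEnabled()) {
            logger.debug("Generated Private Key. algorithm=" + privateKey.getAlgorithm() + ", format=" + privateKey.getFormat());
        }
        return pem;
    }

    /**
     * Writes {@code content} as a single PEM block of the given type.
     *
     * @param type    PEM label, e.g. {@code CERTIFICATE REQUEST}
     * @param content DER bytes
     */
    private String generatePemKey(String type, byte[] content) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(new PemObject(type, content));
        }
        return out.toString();
    }

    /**
     * Builds a PEM PKCS#10 CSR with subject {@code O=<trust domain>} and a critical
     * subjectAltName extension holding the SPIFFE-style URI from {@link IstioEnv#getCsrHost()}.
     */
    private String generateCsr(PublicKey publicKey, ContentSigner contentSigner) throws IOException {
        GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, this.istioEnv.getCsrHost()));
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
        byte[] csrDer = new JcaPKCS10CertificationRequestBuilder(new X500Name("O=" + this.istioEnv.getTrustDomain()), publicKey)
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate())
                .build(contentSigner)
                .getEncoded();
        String csrPem = generatePemKey("CERTIFICATE REQUEST", csrDer);
        if (logger.isDebugEnabled()) {
            logger.debug("CSR Request to Istio Citadel. \n" + csrPem);
        }
        return csrPem;
    }
}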
