package org.apache.hadoop.hdds.security.x509.certificate.authority;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/BaseApprover.class */
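/**
 * Common CSR inspection shared by the concrete certificate approvers.
 *
 * <p>{@link #inspectCSR(PKCS10CertificationRequest)} runs three checks against an
 * incoming PKCS#10 request, in this order:
 * <ol>
 *   <li>the CSR's self-signature, verified with the public key embedded in the CSR
 *       (proof that the requester holds the matching private key);</li>
 *   <li>every RDN of the subject name, against the {@link PKIProfile};</li>
 *   <li>every X.509 extension carried in the {@code extensionRequest} attribute,
 *       against the same profile.</li>
 * </ol>
 * The first check that fails completes the returned future exceptionally with an
 * {@link SCMSecurityException} and the remaining checks are skipped.
 *
 * <p>Contract worth knowing: this class <em>never</em> completes the future
 * normally. On success the future is returned still pending; whoever performs the
 * actual signing (outside this class) is expected to test
 * {@code isCompletedExceptionally()} and then complete it with the issued
 * certificate.
 *
 * <p>What is deliberately <em>not</em> checked here: the public key's algorithm or
 * size, and any CSR attribute other than {@code extensionRequest}. A CSR that
 * carries no extensions at all passes the extension check trivially, so the
 * presence of extensions the profile may require is not enforced by this class.
 *
 * <p>Instances hold only two final references set in the constructor and no
 * per-request state; thread-safety of the profile and config objects themselves
 * is up to those types.
 */
public abstract class BaseApprover implements CertificateApprover {
    // Logger category intentionally stays the interface name so existing log
    // configuration keyed on it keeps working.
    private static final Logger LOG = LoggerFactory.getLogger(CertificateApprover.class);
    private final PKIProfile profile;
    private final SecurityConfig securityConfig;

    /**
     * @param pKIProfile profile deciding which RDNs and extensions are acceptable
     * @param securityConfig security configuration; only its JCA provider is used here
     * @throws NullPointerException if either argument is null
     */
    public BaseApprover(PKIProfile pKIProfile, SecurityConfig securityConfig) {
        this.profile = Objects.requireNonNull(pKIProfile, "pKIProfile");
        this.securityConfig = Objects.requireNonNull(securityConfig, "securityConfig");
    }

    /** @return the profile this approver validates CSRs against */
    public PKIProfile getProfile() {
        return this.profile;
    }

    /** @return the security configuration supplying the JCA provider */
    public SecurityConfig getSecurityConfig() {
        return this.securityConfig;
    }

    /**
     * Returns the PKCS#9 {@code extensionRequest} attributes of the CSR, i.e. the
     * carrier for the X.509 extensions the requester asks to be issued. Any other
     * CSR attribute type is ignored by this approver.
     *
     * @throws NullPointerException if the CSR is null
     */
    Attribute[] getAttributes(PKCS10CertificationRequest pKCS10CertificationRequest) {
        Objects.requireNonNull(pKCS10CertificationRequest, "csr");
        return pKCS10CertificationRequest.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    }

    /**
     * Decodes every value of one {@code extensionRequest} attribute into an
     * {@link Extensions} structure; null values are skipped.
     *
     * @throws IllegalArgumentException if a value is not a well-formed Extensions
     *         SEQUENCE or contains a repeated extension OID (BouncyCastle signals
     *         malformed ASN.1 this way); {@link #inspectCSR(PKCS10CertificationRequest)}
     *         turns that into a rejected request
     */
    List<Extensions> getExtensionsList(Attribute attribute) {
        Objects.requireNonNull(attribute, "attribute");
        List<Extensions> decoded = new ArrayList<>();
        for (ASN1Encodable value : attribute.getAttributeValues()) {
            if (value != null) {
                decoded.add(Extensions.getInstance(value));
            }
        }
        return decoded;
    }

    /**
     * Flattens an {@link Extensions} structure into its individual
     * {@link Extension} entries, skipping null OIDs and OIDs with no entry.
     */
    List<Extension> getIndividualExtension(Extensions extensions) {
        Objects.requireNonNull(extensions, "extensions");
        List<Extension> individual = new ArrayList<>();
        for (ASN1ObjectIdentifier oid : extensions.getExtensionOIDs()) {
            if (oid == null) {
                continue;
            }
            Extension ext = extensions.getExtension(oid);
            if (ext != null) {
                individual.add(ext);
            }
        }
        return individual;
    }

    /**
     * Checks every requested extension against the profile. Returns false (and logs
     * the offending OID) at the first extension the profile rejects; returns true
     * when all are accepted, including when the CSR requests no extensions at all.
     * The misspelled name is kept for package-level callers.
     *
     * @throws IllegalArgumentException if the extensionRequest attribute is
     *         malformed (see {@link #getExtensionsList(Attribute)})
     */
    boolean verfiyExtensions(PKCS10CertificationRequest pKCS10CertificationRequest) {
        Objects.requireNonNull(pKCS10CertificationRequest, "csr");
        for (Attribute attribute : getAttributes(pKCS10CertificationRequest)) {
            for (Extensions extensions : getExtensionsList(attribute)) {
                for (Extension extension : getIndividualExtension(extensions)) {
                    if (!this.profile.validateExtension(extension)) {
                        LOG.error("Failed to verify extension. {}", extension.getExtnId().getId());
                        return false;
                    }
                }
            }
        }
        return true;
    }

    /**
     * Verifies the CSR's signature with the public key the CSR itself carries,
     * using the configured JCA provider. A valid signature is the requester's proof
     * of possession of the private key; without it a caller could have a
     * certificate issued for someone else's public key.
     *
     * @return true if the signature verifies
     * @throws OperatorCreationException from BouncyCastle while building the verifier
     * @throws PKCSException from BouncyCastle while checking the signature
     */
    boolean verifyPkcs10Request(PKCS10CertificationRequest pKCS10CertificationRequest) throws OperatorCreationException, PKCSException {
        return pKCS10CertificationRequest.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(this.securityConfig.getProvider()).build(pKCS10CertificationRequest.getSubjectPublicKeyInfo()));
    }

    /**
     * Parses the encoded CSR and inspects it. Parse failures surface as the thrown
     * {@link IOException}; inspection failures surface through the returned future.
     */
    @Override
    public CompletableFuture<X509CertificateHolder> inspectCSR(String str) throws IOException {
        return inspectCSR(CertificateSignRequest.getCertificationRequest(str));
    }

    /**
     * Runs the signature, RDN and extension checks described on the class. Stops at
     * the first failure: the future is completed exceptionally with an
     * {@link SCMSecurityException} and returned. On success the future is returned
     * still pending (never completed normally here).
     */
    @Override
    public CompletableFuture<X509CertificateHolder> inspectCSR(PKCS10CertificationRequest pKCS10CertificationRequest) {
        CompletableFuture<X509CertificateHolder> response = new CompletableFuture<>();
        try {
            // 1. Proof of possession. Stop here on failure: nothing else in the
            //    request has been vouched for by the requester, so there is no
            //    point parsing attacker-controlled name/extension structures.
            if (!verifyPkcs10Request(pKCS10CertificationRequest)) {
                LOG.error("Failed to verify the signature in CSR.");
                response.completeExceptionally(new SCMSecurityException("Failed to verify the CSR."));
                return response;
            }
            // 2. Every RDN of the subject must be acceptable to the profile.
            for (RDN rdn : pKCS10CertificationRequest.getSubject().getRDNs()) {
                if (!this.profile.validateRDN(rdn)) {
                    LOG.error("Failed in verifying RDNs");
                    response.completeExceptionally(new SCMSecurityException("Failed to verify the RDNs. Please check the subject name."));
                    return response;
                }
            }
            // 3. Every requested extension must be acceptable to the profile.
            if (!verfiyExtensions(pKCS10CertificationRequest)) {
                LOG.error("failed in verification of extensions.");
                response.completeExceptionally(new SCMSecurityException("Failed to verify extensions."));
            }
        } catch (OperatorCreationException | PKCSException e) {
            LOG.error("Approval Failure.", e);
            response.completeExceptionally(new SCMSecurityException(e));
        } catch (IllegalArgumentException e) {
            // BouncyCastle reports malformed ASN.1 (an extensionRequest value that
            // is not an Extensions SEQUENCE, a repeated extension OID, ...) with
            // IllegalArgumentException. The CSR is untrusted input, so report this
            // as a rejection through the future like every other failure instead
            // of letting an unchecked exception escape to the caller.
            LOG.error("Malformed CSR.", e);
            response.completeExceptionally(new SCMSecurityException(e));
        }
        return response;
    }
}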
