package org.apache.hadoop.hdds.security.x509.certificate.authority;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.twitter.zipkin.thriftjava.zipkincoreConstants;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.time.temporal.TemporalAmount;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Future;
import java.util.function.Consumer;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.ozone.OzoneConsts;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.class */
public class DefaultCAServer implements CertificateServer {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) DefaultCAServer.class);
    private final String subject;
    private final String clusterID;
    private final String scmID;
    private String componentName = Paths.get(OzoneConsts.STORAGE_DIR, zipkincoreConstants.CLIENT_ADDR).toString();
    private Path caKeysPath;
    private Path caRootX509Path;
    private SecurityConfig config;
    private PKIProfile profile;
    private CertificateApprover approver;
    private CertificateStore store;

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer$VerificationStatus.class */
    public enum VerificationStatus {
        SUCCESS,
        MISSING_KEYS,
        MISSING_CERTIFICATE,
        INITIALIZE
    }

    public DefaultCAServer(String str, String str2, String str3, CertificateStore certificateStore) {
        this.subject = str;
        this.clusterID = str2;
        this.scmID = str3;
        this.store = certificateStore;
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public void init(SecurityConfig securityConfig, CertificateServer.CAType cAType) throws SCMSecurityException {
        this.caKeysPath = securityConfig.getKeyLocation(this.componentName);
        this.caRootX509Path = securityConfig.getCertificateLocation(this.componentName);
        this.config = securityConfig;
        this.profile = new DefaultProfile();
        this.approver = new DefaultApprover(this.profile, this.config);
        if (cAType == CertificateServer.CAType.SELF_SIGNED_CA) {
            processVerificationStatus(verifySelfSignedCA(securityConfig)).accept(securityConfig);
        } else {
            LOG.error("We support only Self-Signed CAs for now.");
            throw new IllegalStateException("Not implemented functionality requested.");
        }
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public X509CertificateHolder getCACertificate() throws IOException {
        try {
            return new CertificateCodec(this.config, this.componentName).readCertificate();
        } catch (CertificateException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public X509Certificate getCertificate(String str) throws IOException {
        return this.store.getCertificateByID(new BigInteger(str), CertificateStore.CertType.VALID_CERTS);
    }

    private KeyPair getCAKeys() throws IOException {
        KeyCodec keyCodec = new KeyCodec(this.config, this.componentName);
        try {
            return new KeyPair(keyCodec.readPublicKey(), keyCodec.readPrivateKey());
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IOException(e);
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:8:0x0043. Please report as an issue. */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public Future<X509CertificateHolder> requestCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, CertificateApprover.ApprovalType approvalType) {
        X509CertificateHolder signAndStoreCertificate;
        LocalDate localDate = LocalDate.now().atStartOfDay().toLocalDate();
        LocalDate localDate2 = LocalDateTime.of(localDate, LocalTime.MIDNIGHT).plus((TemporalAmount) this.config.getDefaultCertDuration()).toLocalDate();
        CompletableFuture<X509CertificateHolder> inspectCSR = this.approver.inspectCSR(pKCS10CertificationRequest);
        if (inspectCSR.isCompletedExceptionally()) {
            return inspectCSR;
        }
        try {
        } catch (IOException | CertificateException | OperatorCreationException e) {
            LOG.error("Unable to issue a certificate. {}", e);
            inspectCSR.completeExceptionally(new SCMSecurityException(e));
        }
        switch (approvalType) {
            case MANUAL:
                inspectCSR.completeExceptionally(new SCMSecurityException("Manual approval is not yet implemented."));
                return inspectCSR;
            case KERBEROS_TRUSTED:
            case TESTING_AUTOMATIC:
                try {
                    signAndStoreCertificate = signAndStoreCertificate(localDate, localDate2, pKCS10CertificationRequest);
                } catch (SCMSecurityException e2) {
                    LOG.error("Certificate storage failed, retrying one more time.", (Throwable) e2);
                    signAndStoreCertificate = signAndStoreCertificate(localDate, localDate2, pKCS10CertificationRequest);
                }
                inspectCSR.complete(signAndStoreCertificate);
                return inspectCSR;
            default:
                return null;
        }
    }

    private X509CertificateHolder signAndStoreCertificate(LocalDate localDate, LocalDate localDate2, PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException, OperatorCreationException, CertificateException {
        X509CertificateHolder sign = this.approver.sign(this.config, getCAKeys().getPrivate(), getCACertificate(), Date.valueOf(localDate), Date.valueOf(localDate2), pKCS10CertificationRequest, this.scmID, this.clusterID);
        this.store.storeValidCertificate(sign.getSerialNumber(), CertificateCodec.getX509Certificate(sign));
        return sign;
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public Future<X509CertificateHolder> requestCertificate(String str, CertificateApprover.ApprovalType approvalType) throws IOException {
        return requestCertificate(CertificateSignRequest.getCertificationRequest(str), approvalType);
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public Future<Boolean> revokeCertificate(X509Certificate x509Certificate, CertificateApprover.ApprovalType approvalType) throws SCMSecurityException {
        CompletableFuture completableFuture = new CompletableFuture();
        if (x509Certificate == null) {
            completableFuture.completeExceptionally(new SCMSecurityException("Certificate cannot be null"));
            return completableFuture;
        }
        try {
            this.store.revokeCertificate(x509Certificate.getSerialNumber());
            return completableFuture;
        } catch (IOException e) {
            LOG.error("Revoking the certificate failed. {}", e.getCause());
            throw new SCMSecurityException(e);
        }
    }

    private void generateSelfSignedCA(SecurityConfig securityConfig) throws NoSuchAlgorithmException, NoSuchProviderException, IOException {
        generateRootCertificate(securityConfig, generateKeys(securityConfig));
    }

    private VerificationStatus verifySelfSignedCA(SecurityConfig securityConfig) {
        boolean checkIfKeysExist = checkIfKeysExist();
        boolean checkIfCertificatesExist = checkIfCertificatesExist();
        return (checkIfCertificatesExist == checkIfKeysExist && checkIfCertificatesExist) ? VerificationStatus.SUCCESS : (checkIfCertificatesExist != checkIfKeysExist || checkIfCertificatesExist) ? checkIfCertificatesExist ? VerificationStatus.MISSING_KEYS : VerificationStatus.MISSING_CERTIFICATE : VerificationStatus.INITIALIZE;
    }

    private boolean checkIfKeysExist() {
        if (Files.exists(this.caKeysPath, new LinkOption[0])) {
            return Files.exists(Paths.get(this.caKeysPath.toString(), this.config.getPrivateKeyFileName()), new LinkOption[0]);
        }
        return false;
    }

    private boolean checkIfCertificatesExist() {
        if (Files.exists(this.caRootX509Path, new LinkOption[0])) {
            return Files.exists(Paths.get(this.caRootX509Path.toString(), this.config.getCertificateFileName()), new LinkOption[0]);
        }
        return false;
    }

    @VisibleForTesting
    Consumer<SecurityConfig> processVerificationStatus(VerificationStatus verificationStatus) {
        Consumer<SecurityConfig> consumer = null;
        switch (verificationStatus) {
            case SUCCESS:
                consumer = securityConfig -> {
                    LOG.info("CertificateServer validation is successful");
                };
                break;
            case MISSING_KEYS:
                consumer = securityConfig2 -> {
                    LOG.error("We have found the Certificate for this CertificateServer, but keys used by this CertificateServer is missing. This is a non-recoverable error. Please restart the system after locating the Keys used by the CertificateServer.");
                    LOG.error("Exiting due to unrecoverable CertificateServer error.");
                    throw new IllegalStateException("Missing Keys, cannot continue.");
                };
                break;
            case MISSING_CERTIFICATE:
                consumer = securityConfig3 -> {
                    LOG.error("We found the keys, but the root certificate for this CertificateServer is missing. Please restart SCM after locating the Certificates.");
                    LOG.error("Exiting due to unrecoverable CertificateServer error.");
                    throw new IllegalStateException("Missing Root Certs, cannot continue.");
                };
                break;
            case INITIALIZE:
                consumer = securityConfig4 -> {
                    try {
                        generateSelfSignedCA(securityConfig4);
                    } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException e) {
                        LOG.error("Unable to initialize CertificateServer.", e);
                    }
                    if (verifySelfSignedCA(securityConfig4) != VerificationStatus.SUCCESS) {
                        LOG.error("Unable to initialize CertificateServer, failed in verification.");
                    }
                };
                break;
        }
        return consumer;
    }

    private KeyPair generateKeys(SecurityConfig securityConfig) throws NoSuchProviderException, NoSuchAlgorithmException, IOException {
        KeyPair generateKey = new HDDSKeyGenerator(securityConfig).generateKey();
        new KeyCodec(securityConfig, this.componentName).writeKey(generateKey);
        return generateKey;
    }

    private void generateRootCertificate(SecurityConfig securityConfig, KeyPair keyPair) throws IOException, SCMSecurityException {
        Preconditions.checkNotNull(this.config);
        LocalDate localDate = LocalDate.now().atStartOfDay().toLocalDate();
        new CertificateCodec(this.config, this.componentName).writeCertificate(SelfSignedCertificate.newBuilder().setSubject(this.subject).setScmID(this.scmID).setClusterID(this.clusterID).setBeginDate(localDate).setEndDate(LocalDateTime.of(localDate, LocalTime.MIDNIGHT).plus((TemporalAmount) securityConfig.getMaxCertificateDuration()).toLocalDate()).makeCA().setConfiguration(securityConfig.getConfiguration()).setKey(keyPair).build());
    }
}
