package org.apache.knox.gateway.services.security.impl;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.MasterService;
import org.apache.knox.gateway.services.security.SSLService;
import org.apache.knox.gateway.util.X500PrincipalParser;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:org/apache/knox/gateway/services/security/impl/JettySSLService.class */
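public class JettySSLService implements SSLService {
    private static final String EPHEMERAL_DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";
    private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
    private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
    /** Keystore alias of the gateway's own TLS identity (key + certificate). */
    private static final String GATEWAY_IDENTITY_ALIAS = "gateway-identity";
    /** Shared message for both keystore-creation paths in {@link #init}; the cause is attached. */
    private static final String KEYSTORE_LOAD_ERROR =
            "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.";
    private static final GatewayMessages log = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private MasterService ms;
    private KeystoreService ks;
    private AliasService as;
    private List<String> sslIncludeCiphers = null;
    private List<String> sslExcludeCiphers = null;
    private List<String> sslExcludeProtocols = null;
    private boolean clientAuthNeeded;
    private boolean trustAllCerts;
    private String truststorePath;
    private String keystoreType;
    private String trustStoreType;
    private boolean clientAuthWanted;

    public void setMasterService(MasterService masterService) {
        this.ms = masterService;
    }

    public void setAliasService(AliasService aliasService) {
        this.as = aliasService;
    }

    public void setKeystoreService(KeystoreService keystoreService) {
        this.ks = keystoreService;
    }

    /**
     * Prepares the gateway credential store and identity keystore, validates the
     * identity certificate, and captures the TLS settings later used by
     * {@link #buildSslContextFactory(String)}.
     *
     * <p>No synchronization is done here: {@code init} is expected to complete
     * before {@code buildSslContextFactory} is called.
     *
     * @param gatewayConfig source of keystore, trust store, cipher and client-auth settings
     * @param map service options (unused here)
     * @throws ServiceLifecycleException if a store cannot be created or opened, the
     *     identity passphrase cannot be read, or the identity certificate is missing,
     *     of the wrong type, expired or not yet valid
     */
    @Override
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        // Process-wide JVM property: it affects every TLS endpoint in this JVM,
        // not only the gateway listener, and is presumably read by the JSSE
        // provider on first use - verify before relying on a later change.
        System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, gatewayConfig.getEphemeralDHKeySize());
        try {
            ensureGatewayCredentialStore();
            ensureGatewayKeystore();
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException(KEYSTORE_LOAD_ERROR, e);
        }
        logAndValidateCertificate();
        captureSslSettings(gatewayConfig);
    }

    /** Creates the gateway credential store if it does not exist yet. */
    private void ensureGatewayCredentialStore() throws KeystoreServiceException {
        if (this.ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
            log.credentialStoreForGatewayFoundNotCreating();
        } else {
            log.creatingCredentialStoreForGateway();
            this.ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
        }
    }

    /**
     * Creates the gateway keystore, with a self-signed identity certificate, if it
     * does not exist yet. The key is protected by the identity passphrase alias
     * when one is set, otherwise by the master secret.
     */
    private void ensureGatewayKeystore() throws KeystoreServiceException, ServiceLifecycleException {
        if (this.ks.isKeystoreForGatewayAvailable()) {
            log.keyStoreForGatewayFoundNotCreating();
            return;
        }
        log.creatingKeyStoreForGateway();
        this.ks.createKeystoreForGateway();
        try {
            char[] identityPassphrase = this.as.getGatewayIdentityPassphrase();
            if (identityPassphrase == null) {
                identityPassphrase = this.ms.getMasterSecret();
            }
            this.ks.addSelfSignedCertForGateway(GATEWAY_IDENTITY_ALIAS, identityPassphrase);
        } catch (AliasServiceException e) {
            throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
        }
    }

    /** Copies the TLS-related settings out of the gateway configuration into fields. */
    private void captureSslSettings(GatewayConfig gatewayConfig) {
        this.keystoreType = gatewayConfig.getKeystoreType();
        this.sslIncludeCiphers = gatewayConfig.getIncludedSSLCiphers();
        this.sslExcludeCiphers = gatewayConfig.getExcludedSSLCiphers();
        this.sslExcludeProtocols = gatewayConfig.getExcludedSSLProtocols();
        this.clientAuthNeeded = gatewayConfig.isClientAuthNeeded();
        this.clientAuthWanted = gatewayConfig.isClientAuthWanted();
        this.truststorePath = gatewayConfig.getTruststorePath();
        this.trustAllCerts = gatewayConfig.getTrustAllCerts();
        this.trustStoreType = gatewayConfig.getTruststoreType();
    }

    /**
     * Logs the CN and validity period of the gateway identity certificate and
     * refuses startup when it is missing, not an X.509 certificate, expired or
     * not yet valid.
     *
     * <p>The "not found" and "wrong type" messages are matched to their checks
     * here: a {@code null} certificate means the alias was not found, a non-null
     * value that is not an {@link X509Certificate} means the wrong type.
     *
     * @throws ServiceLifecycleException on any of the conditions above
     */
    private void logAndValidateCertificate() throws ServiceLifecycleException {
        Certificate cert;
        try {
            cert = this.as.getCertificateForGateway(GATEWAY_IDENTITY_ALIAS);
        } catch (AliasServiceException e) {
            throw new ServiceLifecycleException("Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
        }
        if (cert == null) {
            throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias.");
        }
        if (!(cert instanceof X509Certificate)) {
            throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
        }
        X509Certificate x509 = (X509Certificate) cert;
        log.certificateHostNameForGateway(new X500PrincipalParser(x509.getSubjectX500Principal()).getCN());
        log.certificateValidityPeriod(x509.getNotBefore(), x509.getNotAfter());
        // Fail fast on a certificate outside its validity window instead of
        // serving TLS that every client will reject.
        try {
            x509.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
        } catch (CertificateNotYetValidException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
        }
    }

    /**
     * Builds the Jetty {@link SslContextFactory} for the gateway listener.
     *
     * @param str path of the gateway keystore file
     * @return the configured {@link SslContextFactory} (typed as {@code Object} by the interface)
     * @throws KeyStoreException if a trust store cannot be instantiated
     * @throws IOException if a trust store file cannot be read or its password is wrong
     * @throws CertificateException if a trust store certificate cannot be loaded
     * @throws NoSuchAlgorithmException if a trust store integrity algorithm is unavailable
     */
    @Override
    public Object buildSslContextFactory(String str) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        SslContextFactory sslContextFactory = new SslContextFactory(true);
        sslContextFactory.setCertAlias(GATEWAY_IDENTITY_ALIAS);
        sslContextFactory.setKeyStoreType(this.keystoreType);
        sslContextFactory.setKeyStorePath(str);
        char[] masterSecret = this.ms.getMasterSecret();
        // Jetty's API takes String passwords, so the secrets unavoidably become
        // immutable heap Strings from this point on.
        sslContextFactory.setKeyStorePassword(new String(masterSecret));
        sslContextFactory.setKeyManagerPassword(new String(resolveIdentityPassphrase(masterSecret)));
        if (this.clientAuthNeeded || this.clientAuthWanted) {
            configureTrustStore(sslContextFactory, str, masterSecret);
        }
        if (this.clientAuthNeeded) {
            sslContextFactory.setNeedClientAuth(true);
        } else {
            sslContextFactory.setWantClientAuth(this.clientAuthWanted);
        }
        // trustAllCerts is a configuration-level switch that is intended to make
        // Jetty accept any peer certificate regardless of the trust store set
        // above; confirm the exact semantics against the Jetty version in use.
        sslContextFactory.setTrustAll(this.trustAllCerts);
        if (isSet(this.sslIncludeCiphers)) {
            sslContextFactory.setIncludeCipherSuites(toArray(this.sslIncludeCiphers));
        }
        if (isSet(this.sslExcludeCiphers)) {
            sslContextFactory.setExcludeCipherSuites(toArray(this.sslExcludeCiphers));
        }
        if (isSet(this.sslExcludeProtocols)) {
            sslContextFactory.setExcludeProtocols(toArray(this.sslExcludeProtocols));
        }
        return sslContextFactory;
    }

    /**
     * Returns the identity key passphrase from the alias service, or {@code fallback}
     * when the alias is unset or cannot be read.
     *
     * <p>Best-effort by design: a failing alias lookup does not abort startup.
     * That also means a misconfigured alias store is indistinguishable from
     * "alias not set" and silently results in the master secret being used.
     */
    private char[] resolveIdentityPassphrase(char[] fallback) {
        char[] passphrase = null;
        try {
            passphrase = this.as.getGatewayIdentityPassphrase();
        } catch (AliasServiceException ignored) {
            // deliberate fallback to the master secret, see Javadoc
        }
        return passphrase != null ? passphrase : fallback;
    }

    /**
     * Returns the trust store password from the alias service, or {@code fallback}
     * when the alias is unset or cannot be read (same best-effort contract as
     * {@link #resolveIdentityPassphrase(char[])}).
     */
    private char[] resolveTruststorePassword(char[] fallback) {
        char[] password = null;
        try {
            password = this.as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD);
        } catch (AliasServiceException ignored) {
            // deliberate fallback to the master secret, see Javadoc
        }
        return password != null ? password : fallback;
    }

    /**
     * Configures the trust store used for client-certificate validation: the
     * dedicated trust store when one is configured, otherwise the identity
     * keystore itself (protected by the master secret).
     */
    private void configureTrustStore(SslContextFactory sslContextFactory, String keystorePath, char[] masterSecret)
            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        if (this.truststorePath != null) {
            char[] truststorePassword = resolveTruststorePassword(masterSecret);
            sslContextFactory.setTrustStore(loadKeyStore(this.truststorePath, this.trustStoreType, truststorePassword));
            sslContextFactory.setTrustStorePassword(new String(truststorePassword));
            sslContextFactory.setTrustStoreType(this.trustStoreType);
        } else {
            sslContextFactory.setTrustStore(loadKeyStore(keystorePath, this.keystoreType, masterSecret));
            sslContextFactory.setTrustStorePassword(new String(masterSecret));
            sslContextFactory.setTrustStoreType(this.keystoreType);
        }
    }

    /** True when a configured list is present and has at least one entry. */
    private static boolean isSet(List<String> values) {
        return values != null && !values.isEmpty();
    }

    /** Copies a list into the {@code String[]} form Jetty's setters expect. */
    private static String[] toArray(List<String> values) {
        return values.toArray(new String[values.size()]);
    }

    @Override
    public void start() throws ServiceLifecycleException {
    }

    @Override
    public void stop() throws ServiceLifecycleException {
    }

    /**
     * Loads a keystore of the given type from a file.
     *
     * @param path keystore file path
     * @param type {@link KeyStore} type, e.g. the configured keystore or trust store type
     * @param password integrity/decryption password for the store
     * @return the loaded keystore
     * @throws IOException if the file cannot be read or the password is wrong
     * @throws KeyStoreException if the type is not supported
     * @throws CertificateException if a stored certificate cannot be loaded
     * @throws NoSuchAlgorithmException if the integrity algorithm is unavailable
     */
    private static KeyStore loadKeyStore(String path, String type, char[] password) throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
        KeyStore keyStore = KeyStore.getInstance(type);
        // try-with-resources closes the stream on both success and failure.
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }
}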
