package org.apache.knox.gateway.services.security.impl;

import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.SSLService;
import org.apache.knox.gateway.util.X500PrincipalParser;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:org/apache/knox/gateway/services/security/impl/JettySSLService.class */
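/**
 * {@link SSLService} implementation that prepares the gateway's identity keystore and
 * credential store during {@link #init} and builds a Jetty {@link SslContextFactory} from the
 * gateway configuration in {@link #buildSslContextFactory}.
 *
 * <p>Both collaborators must be injected via {@link #setKeystoreService} and
 * {@link #setAliasService} before {@link #init} is called; the class does no null checking of
 * them itself.
 */
public class JettySSLService implements SSLService {
    /** JVM property controlling the minimum ephemeral Diffie-Hellman key size. */
    private static final String EPHEMERAL_DH_KEY_SIZE_PROPERTY = "jdk.tls.ephemeralDHKeySize";
    /** Name of the credential store that holds the gateway's own secrets. */
    private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
    private static final GatewayMessages log = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private KeystoreService ks;
    private AliasService as;

    /**
     * Injects the alias service used to look up passwords, passphrases and certificates.
     *
     * @param aliasService the alias service; must be set before {@link #init}
     */
    public void setAliasService(AliasService aliasService) {
        this.as = aliasService;
    }

    /**
     * Injects the keystore service used to create and inspect the gateway keystores.
     *
     * @param keystoreService the keystore service; must be set before {@link #init}
     */
    public void setKeystoreService(KeystoreService keystoreService) {
        this.ks = keystoreService;
    }

    /**
     * Ensures the gateway credential store and identity keystore exist (creating them, and a
     * self-signed identity certificate, when missing) and validates the identity certificate.
     *
     * @param gatewayConfig the gateway configuration
     * @param map           service options (unused here)
     * @throws ServiceLifecycleException if either store cannot be loaded or created, or the
     *                                   identity certificate is missing, malformed or outside
     *                                   its validity period
     */
    @Override
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        // Process-wide setting: affects every TLS context in this JVM, not just the gateway's.
        System.setProperty(EPHEMERAL_DH_KEY_SIZE_PROPERTY, gatewayConfig.getEphemeralDHKeySize());
        ensureCredentialStore();
        ensureIdentityKeystore(gatewayConfig);
        logAndValidateCertificate(gatewayConfig);
    }

    /** Creates the gateway credential store if it does not already exist. */
    private void ensureCredentialStore() throws ServiceLifecycleException {
        try {
            if (this.ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
                log.credentialStoreForGatewayFoundNotCreating();
            } else {
                log.creatingCredentialStoreForGateway();
                this.ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
            }
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException("Keystore was not loaded properly - the provided password may not match the password for the keystore.", e);
        }
    }

    /**
     * Creates the gateway identity keystore, populated with a self-signed certificate under the
     * configured identity alias, if it does not already exist.
     */
    private void ensureIdentityKeystore(GatewayConfig gatewayConfig) throws ServiceLifecycleException {
        try {
            if (this.ks.isKeystoreForGatewayAvailable()) {
                log.keyStoreForGatewayFoundNotCreating();
                return;
            }
            log.creatingKeyStoreForGateway();
            this.ks.createKeystoreForGateway();
            try {
                this.ks.addSelfSignedCertForGateway(gatewayConfig.getIdentityKeyAlias(), this.as.getGatewayIdentityPassphrase());
            } catch (AliasServiceException e) {
                throw new ServiceLifecycleException("Error accessing credential store for the gateway.", e);
            }
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException("The identity keystore was not loaded properly - the provided password may not match the password for the keystore.", e);
        }
    }

    /**
     * Logs the identity certificate's subject CN and validity window and fails startup if the
     * certificate is absent, not an X.509 certificate, expired or not yet valid.
     *
     * @param gatewayConfig the gateway configuration (supplies the identity key alias)
     * @throws ServiceLifecycleException on any of the failure conditions above
     */
    private void logAndValidateCertificate(GatewayConfig gatewayConfig) throws ServiceLifecycleException {
        String identityKeyAlias = gatewayConfig.getIdentityKeyAlias();
        Certificate certificate;
        try {
            certificate = this.as.getCertificateForGateway(identityKeyAlias);
        } catch (AliasServiceException e) {
            throw new ServiceLifecycleException("Cannot Retreive Gateway SSL Certificate. Server will not start.", e);
        }
        if (certificate == null) {
            throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias " + identityKeyAlias + ". Please check the identity certificate alias.");
        }
        if (!(certificate instanceof X509Certificate)) {
            // Name the expected type so the message is actionable.
            throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of " + X509Certificate.class.getName() + ". Something is wrong with the gateway keystore.");
        }
        X509Certificate x509 = (X509Certificate) certificate;
        log.certificateHostNameForGateway(new X500PrincipalParser(x509.getSubjectX500Principal()).getCN());
        log.certificateValidityPeriod(x509.getNotBefore(), x509.getNotAfter());
        try {
            // Fail closed: an out-of-window identity certificate prevents the server from starting.
            x509.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
        } catch (CertificateNotYetValidException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
        }
    }

    /**
     * Builds a Jetty {@link SslContextFactory} from the gateway configuration: identity keystore,
     * optional truststore (only when client authentication is needed or wanted), trust-all flag,
     * and cipher/protocol include/exclude lists.
     *
     * <p>Each alias lookup is wrapped separately so that exactly one, accurate, failure message is
     * logged before the exception propagates.
     *
     * @param gatewayConfig the gateway configuration
     * @return the configured {@link SslContextFactory} (typed as {@link Object} by the interface)
     * @throws AliasServiceException if a required password or passphrase cannot be retrieved
     */
    @Override
    public Object buildSslContextFactory(GatewayConfig gatewayConfig) throws AliasServiceException {
        String identityKeystorePath = gatewayConfig.getIdentityKeystorePath();
        String identityKeystoreType = gatewayConfig.getIdentityKeystoreType();
        String identityKeyAlias = gatewayConfig.getIdentityKeyAlias();

        // NOTE(review): the boolean constructor argument appears to be Jetty's trustAll flag; the
        // effective value is set from the configuration below, so this initial value only exists
        // on a factory that is never returned if an exception escapes first.
        SslContextFactory sslContextFactory = new SslContextFactory(true);
        sslContextFactory.setCertAlias(identityKeyAlias);
        sslContextFactory.setKeyStoreType(identityKeystoreType);
        sslContextFactory.setKeyStorePath(identityKeystorePath);

        char[] keystorePassword;
        try {
            keystorePassword = this.as.getGatewayIdentityKeystorePassword();
        } catch (AliasServiceException e) {
            log.failedToGetPasswordForGatewayIdentityKeystore(e);
            throw e;
        }
        if (keystorePassword != null) {
            // Jetty's API only accepts String passwords, so the char[] cannot be wiped after use.
            sslContextFactory.setKeyStorePassword(new String(keystorePassword));
        }

        char[] keyPassphrase;
        try {
            keyPassphrase = this.as.getGatewayIdentityPassphrase();
        } catch (AliasServiceException e) {
            log.failedToGetPassphraseForGatewayIdentityKey(e);
            throw e;
        }
        if (keyPassphrase != null) {
            sslContextFactory.setKeyManagerPassword(new String(keyPassphrase));
        }

        boolean isClientAuthNeeded = gatewayConfig.isClientAuthNeeded();
        boolean isClientAuthWanted = gatewayConfig.isClientAuthWanted();
        if (isClientAuthNeeded || isClientAuthWanted) {
            configureTrustStore(sslContextFactory, gatewayConfig, identityKeystorePath, identityKeystoreType);
        }
        if (isClientAuthNeeded) {
            sslContextFactory.setNeedClientAuth(true);
        } else {
            sslContextFactory.setWantClientAuth(isClientAuthWanted);
        }

        // trustAll=true disables peer certificate verification entirely; it is driven purely by
        // configuration here and should only ever be enabled in non-production setups.
        sslContextFactory.setTrustAll(gatewayConfig.getTrustAllCerts());

        String[] includedCiphers = toStringArray(gatewayConfig.getIncludedSSLCiphers());
        if (includedCiphers != null) {
            sslContextFactory.setIncludeCipherSuites(includedCiphers);
        }
        String[] excludedCiphers = toStringArray(gatewayConfig.getExcludedSSLCiphers());
        if (excludedCiphers != null) {
            sslContextFactory.setExcludeCipherSuites(excludedCiphers);
        }
        String[] excludedProtocols = toStringArray(gatewayConfig.getExcludedSSLProtocols());
        if (excludedProtocols != null) {
            sslContextFactory.setExcludeProtocols(excludedProtocols);
        }
        return sslContextFactory;
    }

    /**
     * Configures the truststore used to verify client certificates. A dedicated truststore is
     * used when one is configured; otherwise the identity keystore doubles as the truststore.
     */
    private void configureTrustStore(SslContextFactory sslContextFactory, GatewayConfig gatewayConfig,
                                     String identityKeystorePath, String identityKeystoreType)
            throws AliasServiceException {
        String truststorePath = gatewayConfig.getTruststorePath();
        String truststoreType;
        char[] truststorePassword;
        if (truststorePath != null) {
            String truststorePasswordAlias = gatewayConfig.getTruststorePasswordAlias();
            truststoreType = gatewayConfig.getTruststoreType();
            try {
                truststorePassword = this.as.getPasswordFromAliasForGateway(truststorePasswordAlias);
            } catch (AliasServiceException e) {
                log.failedToGetPasswordForGatewayTruststore(truststorePasswordAlias, e);
                throw e;
            }
        } else {
            // No dedicated truststore configured: reuse the identity keystore and its password.
            truststorePath = identityKeystorePath;
            truststoreType = identityKeystoreType;
            try {
                truststorePassword = this.as.getGatewayIdentityKeystorePassword();
            } catch (AliasServiceException e) {
                log.failedToGetPasswordForGatewayTruststore(gatewayConfig.getIdentityKeystorePasswordAlias(), e);
                throw e;
            }
        }
        sslContextFactory.setTrustStorePath(truststorePath);
        if (truststorePassword != null) {
            sslContextFactory.setTrustStorePassword(new String(truststorePassword));
        }
        sslContextFactory.setTrustStoreType(truststoreType);
    }

    /**
     * Converts a configured name list to an array for Jetty's varargs setters.
     *
     * @param values the configured values, possibly {@code null}
     * @return the values as a {@code String[]}, or {@code null} when the list is null or empty
     *         (the caller then leaves Jetty's default in place)
     */
    private static String[] toStringArray(List<?> values) {
        if (values == null || values.isEmpty()) {
            return null;
        }
        return values.toArray(new String[0]);
    }

    /** No-op: the SSL context is built on demand via {@link #buildSslContextFactory}. */
    @Override
    public void start() throws ServiceLifecycleException {
    }

    /** No-op: nothing is held that needs releasing. */
    @Override
    public void stop() throws ServiceLifecycleException {
    }
}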
