package org.apache.nifi.security.util;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.ToStringBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/security/util/KeyStoreUtils.class */
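/**
 * Helpers for loading, validating and (for tests) generating Java KeyStores and the
 * {@link KeyManagerFactory}/{@link TrustManagerFactory} instances built from them.
 *
 * <p>Provider selection: JKS stores are always loaded through the {@code SUN} provider, PKCS12 and
 * BCFKS stores through Bouncy Castle, and secret-key stores through the provider recorded in
 * {@link #SECRET_KEY_STORE_PROVIDERS}. The Bouncy Castle provider is registered once when this class
 * is initialised.
 *
 * <p>All methods are static and stateless apart from the provider tables populated in the static
 * initialiser; the class is safe to call from multiple threads.
 */
public class KeyStoreUtils {
    public static final String SUN_PROVIDER_NAME = "SUN";
    public static final String SUN_JSSE_PROVIDER_NAME = "SunJSSE";
    private static final String BC_PROVIDER_NAME = BouncyCastleProvider.PROVIDER_NAME;
    private static final String JKS_EXT = ".jks";
    private static final String PKCS12_EXT = ".p12";
    private static final String BCFKS_EXT = ".bcfks";
    private static final String KEY_ALIAS = "nifi-key";
    private static final String CERT_ALIAS = "nifi-cert";
    private static final String CERT_DN = "CN=localhost";
    private static final String KEY_ALGORITHM = "RSA";
    private static final String SIGNING_ALGORITHM = "SHA256withRSA";
    private static final int CERT_DURATION_DAYS = 365;
    /** Number of random bytes in a generated password; the hex encoding doubles the character count. */
    private static final int PASSWORD_LENGTH = 16;
    private static final String TEST_KEYSTORE_PREFIX = "test-keystore-";
    private static final String TEST_TRUSTSTORE_PREFIX = "test-truststore-";
    private static final String KEYSTORE_ERROR_MSG = "There was an error creating a Keystore.";
    private static final String TRUSTSTORE_ERROR_MSG = "There was an error creating a Truststore.";
    private static final Logger logger = LoggerFactory.getLogger(KeyStoreUtils.class);
    /** SecureRandom is thread-safe; one instance avoids re-seeding on every generated password. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Upper-cased keystore type name -> JCA provider name used for {@link #getKeyStore(String)}. */
    private static final Map<String, String> KEY_STORE_TYPE_PROVIDERS = new HashMap<>();
    /** Keystore type -> file extension used for generated temporary stores. */
    private static final Map<KeystoreType, String> KEY_STORE_EXTENSIONS = new HashMap<>();
    /** Keystore types able to hold SecretKey entries -> provider that supports them. */
    private static final Map<KeystoreType, String> SECRET_KEY_STORE_PROVIDERS = new HashMap<>();

    /**
     * Returns the preferred JCA provider name for a keystore type.
     *
     * @param keyStoreType keystore type name, case-insensitive (may be null)
     * @return the provider name, or null when no provider preference is registered for the type
     */
    public static String getKeyStoreProvider(final String keyStoreType) {
        // Locale.ROOT keeps the lookup independent of the JVM default locale
        return KEY_STORE_TYPE_PROVIDERS.get(StringUtils.upperCase(keyStoreType, Locale.ROOT));
    }

    /**
     * Creates an uninitialised {@link KeyStore} of the given type, preferring the registered provider.
     *
     * <p>If the preferred provider cannot supply the type the failure is logged and the JCA default
     * provider lookup is used instead, so the returned store may come from a different provider than
     * {@link #getKeyStoreProvider(String)} reports.
     *
     * @param keyStoreType keystore type name
     * @return a new, not yet loaded KeyStore
     * @throws KeyStoreException if no provider supports the type
     */
    public static KeyStore getKeyStore(final String keyStoreType) throws KeyStoreException {
        final String providerName = getKeyStoreProvider(keyStoreType);
        if (StringUtils.isNotEmpty(providerName)) {
            try {
                return KeyStore.getInstance(keyStoreType, providerName);
            } catch (final Exception e) {
                logger.error("KeyStore Type [{}] Provider [{}] instance creation failed", keyStoreType, providerName, e);
            }
        }
        return KeyStore.getInstance(keyStoreType);
    }

    /**
     * Creates an uninitialised {@link KeyStore} able to hold SecretKey entries.
     *
     * @param keyStoreType keystore type name, case-insensitive
     * @return a new, not yet loaded KeyStore from the secret-key capable provider
     * @throws KeyStoreException if the type cannot hold secret keys or its provider is unavailable
     * @throws IllegalArgumentException if the type name is not a known {@link KeystoreType}
     */
    public static KeyStore getSecretKeyStore(final String keyStoreType) throws KeyStoreException {
        final KeystoreType keystoreType = getKeystoreType(keyStoreType);
        final String providerName = SECRET_KEY_STORE_PROVIDERS.get(keystoreType);
        if (providerName == null) {
            throw new KeyStoreException(String.format("Keystore Type [%s] does not support Secret Keys", keystoreType.getType()));
        }
        try {
            return KeyStore.getInstance(keystoreType.getType(), providerName);
        } catch (final NoSuchProviderException e) {
            throw new KeyStoreException(String.format("KeyStore Type [%s] Provider [%s] not found", keystoreType.getType(), providerName), e);
        }
    }

    /**
     * Loads a keystore from disk.
     *
     * @param keystorePath     path of the keystore file
     * @param keystorePassword password protecting the store (may be null for types that allow it)
     * @param keystoreType     keystore type name
     * @return the loaded KeyStore
     * @throws TlsException if the file cannot be read or the store cannot be loaded (including a wrong password)
     */
    public static KeyStore loadKeyStore(final String keystorePath, final char[] keystorePassword, final String keystoreType) throws TlsException {
        // try-with-resources guarantees the stream is closed even when load() fails
        try (final FileInputStream keyStoreStream = new FileInputStream(keystorePath)) {
            final KeyStore keyStore = getKeyStore(keystoreType);
            keyStore.load(keyStoreStream, keystorePassword);
            return keyStore;
        } catch (final IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.error("Encountered an error loading keystore: {}", e.getLocalizedMessage());
            throw new TlsException("Error loading keystore", e);
        }
    }

    /**
     * Loads a keystore that holds SecretKey entries from disk.
     *
     * @param keystorePath     path of the keystore file
     * @param keystorePassword password protecting the store
     * @param keystoreType     keystore type name
     * @return the loaded KeyStore
     * @throws TlsException if the store cannot be loaded or the type does not support secret keys
     */
    public static KeyStore loadSecretKeyStore(final String keystorePath, final char[] keystorePassword, final String keystoreType) throws TlsException {
        try (final FileInputStream keyStoreStream = new FileInputStream(keystorePath)) {
            final KeyStore secretKeyStore = getSecretKeyStore(keystoreType);
            secretKeyStore.load(keyStoreStream, keystorePassword);
            return secretKeyStore;
        } catch (final IOException | GeneralSecurityException e) {
            throw new TlsException(String.format("Loading Secret Keystore [%s] Type [%s] Failed", keystorePath, keystoreType), e);
        }
    }

    /**
     * Creates a throw-away keystore (self-signed {@code CN=localhost} certificate) and a matching
     * truststore in temporary files, and returns a {@link TlsConfiguration} pointing at them.
     *
     * <p>Passwords and types missing from the supplied configuration are filled in: passwords are
     * generated randomly, types default to PKCS12 and the key password defaults to the keystore
     * password. Partially written temporary files are removed when generation fails. The caller
     * owns the resulting files and is responsible for deleting them.
     *
     * @param tlsConfiguration          template configuration; only passwords and types are read
     * @param certDurationDays          validity period of the generated certificate in days
     * @param dnsSubjectAlternativeNames DNS SANs to add to the certificate (may be null)
     * @return a configuration referencing the new keystore and truststore
     * @throws IOException              declared for compatibility; file failures are reported as {@link UncheckedIOException}
     * @throws GeneralSecurityException if key or certificate generation fails
     */
    public static TlsConfiguration createTlsConfigAndNewKeystoreTruststore(final TlsConfiguration tlsConfiguration, final int certDurationDays, final String[] dnsSubjectAlternativeNames) throws IOException, GeneralSecurityException {
        final String keystorePassword = StringUtils.isNotBlank(tlsConfiguration.getKeystorePassword()) ? tlsConfiguration.getKeystorePassword() : generatePassword();
        final KeystoreType keystoreType = tlsConfiguration.getKeystoreType() != null ? tlsConfiguration.getKeystoreType() : KeystoreType.PKCS12;
        final String keyPassword = StringUtils.isNotBlank(tlsConfiguration.getKeyPassword()) ? tlsConfiguration.getKeyPassword() : keystorePassword;
        final String truststorePassword = StringUtils.isNotBlank(tlsConfiguration.getTruststorePassword()) ? tlsConfiguration.getTruststorePassword() : generatePassword();
        final KeystoreType truststoreType = tlsConfiguration.getTruststoreType() != null ? tlsConfiguration.getTruststoreType() : KeystoreType.PKCS12;

        final Path keystorePath;
        try {
            keystorePath = generateTempKeystorePath(keystoreType);
        } catch (final IOException e) {
            logger.error(KEYSTORE_ERROR_MSG, e);
            throw new UncheckedIOException(KEYSTORE_ERROR_MSG, e);
        }

        Path truststorePath = null;
        try {
            truststorePath = generateTempTruststorePath(truststoreType);
            final X509Certificate certificate = createKeyStoreAndGetX509Certificate(KEY_ALIAS, keystorePassword, keyPassword, keystorePath.toString(), keystoreType, certDurationDays, dnsSubjectAlternativeNames);
            createTrustStore(certificate, CERT_ALIAS, truststorePassword, truststorePath.toString(), truststoreType);
            return new StandardTlsConfiguration(keystorePath.toString(), keystorePassword, keyPassword, keystoreType, truststorePath.toString(), truststorePassword, truststoreType, TlsPlatform.getLatestProtocol());
        } catch (final IOException e) {
            // do not leave half-written key material behind
            deleteTempFile(keystorePath);
            deleteTempFile(truststorePath);
            logger.error(TRUSTSTORE_ERROR_MSG, e);
            throw new UncheckedIOException(TRUSTSTORE_ERROR_MSG, e);
        } catch (final GeneralSecurityException | RuntimeException e) {
            deleteTempFile(keystorePath);
            deleteTempFile(truststorePath);
            throw e;
        }
    }

    /**
     * Builds a {@link KeyManagerFactory} (default algorithm) from an already loaded keystore.
     *
     * @param keyStore         loaded keystore
     * @param keystorePassword store password, used to unlock keys when no key password is given
     * @param keyPassword      key password, or null to fall back to the store password
     * @return the initialised factory
     * @throws TlsException if any key entry cannot be recovered with the effective password
     */
    public static KeyManagerFactory getKeyManagerFactoryFromKeyStore(final KeyStore keyStore, final char[] keystorePassword, final char[] keyPassword) throws TlsException {
        try {
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            final char[] effectivePassword = keyPassword == null ? keystorePassword : keyPassword;
            keyManagerFactory.init(keyStore, effectivePassword);
            return keyManagerFactory;
        } catch (final KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            logger.error("Encountered an error loading keystore: {}", e.getLocalizedMessage());
            throw new TlsException("Error loading keystore", e);
        }
    }

    /**
     * Loads the keystore named by a {@link TlsConfiguration} and wraps it in a {@link KeyManagerFactory}.
     *
     * @param tlsConfiguration configuration supplying keystore path, passwords and type
     * @return the initialised factory
     * @throws TlsException if the keystore cannot be loaded
     */
    public static KeyManagerFactory loadKeyManagerFactory(final TlsConfiguration tlsConfiguration) throws TlsException {
        return loadKeyManagerFactory(tlsConfiguration.getKeystorePath(), tlsConfiguration.getKeystorePassword(), tlsConfiguration.getFunctionalKeyPassword(), tlsConfiguration.getKeystoreType().getType());
    }

    /**
     * Loads a keystore from disk and wraps it in a {@link KeyManagerFactory}.
     *
     * @param keystorePath     path of the keystore file
     * @param keystorePassword store password; required
     * @param keyPassword      key password; falls back to the store password when empty
     * @param keystoreType     keystore type name
     * @return the initialised factory
     * @throws TlsException             if the keystore cannot be loaded
     * @throws IllegalArgumentException if the keystore password is null or empty
     */
    public static KeyManagerFactory loadKeyManagerFactory(final String keystorePath, final String keystorePassword, final String keyPassword, final String keystoreType) throws TlsException {
        if (StringUtils.isEmpty(keystorePassword)) {
            throw new IllegalArgumentException("The keystore password cannot be null or empty");
        }
        final char[] keystorePasswordChars = keystorePassword.toCharArray();
        final char[] keyPasswordChars = StringUtils.isNotEmpty(keyPassword) ? keyPassword.toCharArray() : keystorePasswordChars;
        final KeyStore keyStore = loadKeyStore(keystorePath, keystorePasswordChars, keystoreType);
        return getKeyManagerFactoryFromKeyStore(keyStore, keystorePasswordChars, keyPasswordChars);
    }

    /**
     * Loads a truststore from disk.
     *
     * @param truststorePath     path of the truststore file
     * @param truststorePassword store password, or null for types that permit password-less loading
     * @param truststoreType     keystore type name
     * @return the loaded KeyStore
     * @throws TlsException if the file cannot be read or the store cannot be loaded
     */
    public static KeyStore loadTrustStore(final String truststorePath, final char[] truststorePassword, final String truststoreType) throws TlsException {
        try (final FileInputStream trustStoreStream = new FileInputStream(truststorePath)) {
            final KeyStore trustStore = getKeyStore(truststoreType);
            trustStore.load(trustStoreStream, truststorePassword);
            return trustStore;
        } catch (final IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.error("Encountered an error loading truststore: {}", e.getLocalizedMessage());
            throw new TlsException("Error loading truststore", e);
        }
    }

    /**
     * Builds a {@link TrustManagerFactory} (default algorithm) from an already loaded truststore.
     *
     * @param trustStore loaded truststore
     * @return the initialised factory
     * @throws TlsException if the factory cannot be created or initialised
     */
    public static TrustManagerFactory getTrustManagerFactoryFromTrustStore(final KeyStore trustStore) throws TlsException {
        try {
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            return trustManagerFactory;
        } catch (final KeyStoreException | NoSuchAlgorithmException e) {
            logger.error("Encountered an error loading truststore: {}", e.getLocalizedMessage());
            throw new TlsException("Error loading truststore", e);
        }
    }

    /**
     * Loads the truststore named by a {@link TlsConfiguration} and wraps it in a {@link TrustManagerFactory}.
     *
     * @param tlsConfiguration configuration supplying truststore path, password and type
     * @return the initialised factory
     * @throws TlsException if the truststore cannot be loaded
     */
    public static TrustManagerFactory loadTrustManagerFactory(final TlsConfiguration tlsConfiguration) throws TlsException {
        return loadTrustManagerFactory(tlsConfiguration.getTruststorePath(), tlsConfiguration.getTruststorePassword(), tlsConfiguration.getTruststoreType().getType());
    }

    /**
     * Loads a truststore from disk and wraps it in a {@link TrustManagerFactory}.
     *
     * <p>A blank password is passed through as null, which JKS and BCFKS accept (integrity is then
     * not verified); PKCS12 stores always require a password and are rejected up front.
     *
     * @param truststorePath     path of the truststore file
     * @param truststorePassword store password; may be blank for non-PKCS12 types
     * @param truststoreType     keystore type name
     * @return the initialised factory
     * @throws TlsException             if the truststore cannot be loaded
     * @throws IllegalArgumentException if a PKCS12 truststore is given without a password
     */
    public static TrustManagerFactory loadTrustManagerFactory(final String truststorePath, final String truststorePassword, final String truststoreType) throws TlsException {
        if (KeystoreType.PKCS12.getType().equalsIgnoreCase(truststoreType) && StringUtils.isBlank(truststorePassword)) {
            throw new IllegalArgumentException("A PKCS12 Truststore Type requires a password");
        }
        final char[] passwordChars = StringUtils.isNotBlank(truststorePassword) ? truststorePassword.toCharArray() : null;
        return getTrustManagerFactoryFromTrustStore(loadTrustStore(truststorePath, passwordChars, truststoreType));
    }

    /**
     * Checks whether a keystore can be loaded with the given password.
     *
     * @param keystore     location of the keystore
     * @param keystoreType keystore type
     * @param password     store password
     * @return true if the store loads (and, for types with integrity protection, the password verifies)
     * @throws IllegalArgumentException if any argument is null
     */
    public static boolean isStoreValid(final URL keystore, final KeystoreType keystoreType, final char[] password) {
        requireKeystoreArguments(keystore, keystoreType, password);
        try (final BufferedInputStream keyStoreStream = new BufferedInputStream(keystore.openStream())) {
            getKeyStore(keystoreType.name()).load(keyStoreStream, password);
            return true;
        } catch (final Exception e) {
            logger.debug("Keystore [{}] Type [{}] load failed", keystore, keystoreType, e);
            return false;
        }
    }

    /**
     * Checks whether the key password unlocks the key entries of a keystore.
     *
     * <p>Only key entries are examined: {@link KeyStore#getKey} returns null for a certificate entry
     * without consulting the password, so certificate entries cannot verify anything. Every key entry
     * is tried, mirroring {@link KeyManagerFactory#init}, which fails if any one key is unrecoverable.
     * A store without key entries is reported as {@code false} because the password cannot be verified.
     *
     * @param keystore         location of the keystore
     * @param keystoreType     keystore type
     * @param keystorePassword store password
     * @param keyPassword      key password to verify
     * @return true if the store loads and every key entry is recoverable with the key password
     * @throws IllegalArgumentException if the keystore, its type or the store password is null
     */
    public static boolean isKeyPasswordCorrect(final URL keystore, final KeystoreType keystoreType, final char[] keystorePassword, final char[] keyPassword) {
        requireKeystoreArguments(keystore, keystoreType, keystorePassword);
        try (final BufferedInputStream keyStoreStream = new BufferedInputStream(keystore.openStream())) {
            final KeyStore keyStore = getKeyStore(keystoreType.name());
            keyStore.load(keyStoreStream, keystorePassword);

            boolean keyEntryFound = false;
            final Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                final String alias = aliases.nextElement();
                if (!keyStore.isKeyEntry(alias)) {
                    continue;
                }
                keyEntryFound = true;
                try {
                    keyStore.getKey(alias, keyPassword);
                } catch (final UnrecoverableKeyException e) {
                    logger.warn("Tried to access a key in keystore {} with a key password that failed", keystore);
                    return false;
                }
            }
            if (!keyEntryFound) {
                logger.warn("Keystore [{}] Type [{}] contains no key entries; key password could not be verified", keystore, keystoreType);
            }
            return keyEntryFound;
        } catch (final Exception e) {
            logger.debug("Keystore [{}] Type [{}] key password check failed", keystore, keystoreType, e);
            return false;
        }
    }

    /**
     * Derives the keystore type from a file name's extension, defaulting to PKCS12 when the
     * extension is not recognised (or the name is null).
     *
     * @param keystorePath file name or path
     * @return the matching type, or {@link KeystoreType#PKCS12}
     */
    public static KeystoreType getKeystoreTypeFromExtension(final String keystorePath) {
        for (final Map.Entry<KeystoreType, String> entry : KEY_STORE_EXTENSIONS.entrySet()) {
            if (StringUtils.endsWithIgnoreCase(keystorePath, entry.getValue())) {
                return entry.getKey();
            }
        }
        return KeystoreType.PKCS12;
    }

    /**
     * @param keystoreType keystore type
     * @return true if the type can hold SecretKey entries
     */
    public static boolean isSecretKeyEntrySupported(final KeystoreType keystoreType) {
        return SECRET_KEY_STORE_PROVIDERS.containsKey(keystoreType);
    }

    /**
     * @param sslContext context to describe
     * @return a loggable summary of the context's protocol and provider
     */
    public static String sslContextToString(final SSLContext sslContext) {
        return new ToStringBuilder(sslContext)
                .append("protocol", sslContext.getProtocol())
                .append("provider", sslContext.getProvider().toString())
                .toString();
    }

    /**
     * @param sslServerSocket socket to describe
     * @return a loggable summary of the socket's enabled protocols and client-auth settings
     */
    public static String sslServerSocketToString(final SSLServerSocket sslServerSocket) {
        return new ToStringBuilder(sslServerSocket)
                .append("enabledProtocols", sslServerSocket.getEnabledProtocols())
                .append("needClientAuth", sslServerSocket.getNeedClientAuth())
                .append("wantClientAuth", sslServerSocket.getWantClientAuth())
                .append("useClientMode", sslServerSocket.getUseClientMode())
                .toString();
    }

    /**
     * Shared null checks for the URL-based validation helpers; messages match the original contract.
     */
    private static void requireKeystoreArguments(final URL keystore, final KeystoreType keystoreType, final char[] password) {
        if (keystore == null) {
            throw new IllegalArgumentException("Keystore may not be null");
        }
        if (keystoreType == null) {
            throw new IllegalArgumentException("Keystore type may not be null");
        }
        if (password == null) {
            throw new IllegalArgumentException("Password may not be null");
        }
    }

    /**
     * Generates a fresh RSA key pair and self-signed certificate, writes them to a new keystore file
     * and returns the certificate so it can be placed in a truststore.
     *
     * <p>NOTE(review): the RSA key size is whatever the provider's {@link KeyPairGenerator} default is
     * (JDK-dependent); pass an explicit size if a fixed strength is required.
     *
     * @param alias                     alias for the key entry
     * @param keyStorePassword          store password
     * @param keyPassword               key entry password
     * @param keyStorePath              file to write
     * @param keyStoreType              store type
     * @param certDurationDays          certificate validity in days
     * @param dnsSubjectAlternativeNames DNS SANs for the certificate (may be null)
     * @return the generated self-signed certificate
     */
    private static X509Certificate createKeyStoreAndGetX509Certificate(final String alias, final String keyStorePassword, final String keyPassword, final String keyStorePath, final KeystoreType keyStoreType, final int certDurationDays, final String[] dnsSubjectAlternativeNames) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        try (final FileOutputStream keyStoreStream = new FileOutputStream(keyStorePath)) {
            final KeyPair keyPair = KeyPairGenerator.getInstance(KEY_ALGORITHM).generateKeyPair();
            final X509Certificate certificate = CertificateUtils.generateSelfSignedX509Certificate(keyPair, CERT_DN, SIGNING_ALGORITHM, certDurationDays, dnsSubjectAlternativeNames);
            final KeyStore keyStore = loadEmptyKeyStore(keyStoreType);
            keyStore.setKeyEntry(alias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[]{certificate});
            keyStore.store(keyStoreStream, keyStorePassword.toCharArray());
            return certificate;
        }
    }

    /**
     * Writes a truststore file containing a single trusted certificate entry.
     *
     * @throws UncheckedIOException if the file cannot be written
     */
    private static void createTrustStore(final X509Certificate certificate, final String alias, final String trustStorePassword, final String trustStorePath, final KeystoreType trustStoreType) throws KeyStoreException, NoSuchAlgorithmException, CertificateException {
        try (final FileOutputStream trustStoreStream = new FileOutputStream(trustStorePath)) {
            final KeyStore trustStore = loadEmptyKeyStore(trustStoreType);
            trustStore.setCertificateEntry(alias, certificate);
            trustStore.store(trustStoreStream, trustStorePassword.toCharArray());
        } catch (final IOException e) {
            throw new UncheckedIOException(TRUSTSTORE_ERROR_MSG, e);
        }
    }

    /** Creates an empty temp file for a generated keystore (owner-only permissions where the platform supports it). */
    private static Path generateTempKeystorePath(final KeystoreType keystoreType) throws IOException {
        return Files.createTempFile(TEST_KEYSTORE_PREFIX, getKeystoreExtension(keystoreType), new FileAttribute[0]);
    }

    /** Creates an empty temp file for a generated truststore. */
    private static Path generateTempTruststorePath(final KeystoreType keystoreType) throws IOException {
        return Files.createTempFile(TEST_TRUSTSTORE_PREFIX, getKeystoreExtension(keystoreType), new FileAttribute[0]);
    }

    /** Best-effort removal of a temporary store after a failed generation; null is ignored. */
    private static void deleteTempFile(final Path path) {
        if (path == null) {
            return;
        }
        try {
            Files.deleteIfExists(path);
        } catch (final IOException e) {
            logger.warn("Failed to delete temporary file [{}]", path, e);
        }
    }

    /**
     * Creates and initialises an empty keystore of the given type.
     *
     * @throws UncheckedIOException if the provider reports an I/O failure on the empty load
     */
    private static KeyStore loadEmptyKeyStore(final KeystoreType keystoreType) throws KeyStoreException, CertificateException, NoSuchAlgorithmException {
        try {
            final KeyStore keyStore = getKeyStore(keystoreType.getType());
            keyStore.load(null, null);
            return keyStore;
        } catch (final IOException e) {
            throw new UncheckedIOException("Error loading keystore", e);
        }
    }

    private static String getKeystoreExtension(final KeystoreType keystoreType) {
        return KEY_STORE_EXTENSIONS.get(keystoreType);
    }

    /** @return a random password of {@value #PASSWORD_LENGTH} bytes, hex encoded. */
    private static String generatePassword() {
        final byte[] randomBytes = new byte[PASSWORD_LENGTH];
        SECURE_RANDOM.nextBytes(randomBytes);
        return Hex.encodeHexString(randomBytes);
    }

    /**
     * Resolves a type name to a {@link KeystoreType}, case-insensitively.
     *
     * @throws IllegalArgumentException if no type matches
     */
    private static KeystoreType getKeystoreType(final String keyStoreType) {
        final String normalizedType = keyStoreType.toUpperCase(Locale.ROOT);
        return Arrays.stream(KeystoreType.values())
                .filter(type -> type.getType().equals(normalizedType))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException(String.format("Keystore Type [%s] not found", normalizedType)));
    }

    static {
        // register Bouncy Castle once; PKCS12 and BCFKS stores are loaded through it
        if (Security.getProvider(BC_PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.BCFKS.getType(), BC_PROVIDER_NAME);
        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.PKCS12.getType(), BC_PROVIDER_NAME);
        KEY_STORE_TYPE_PROVIDERS.put(KeystoreType.JKS.getType(), SUN_PROVIDER_NAME);
        SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.BCFKS, BC_PROVIDER_NAME);
        SECRET_KEY_STORE_PROVIDERS.put(KeystoreType.PKCS12, SUN_JSSE_PROVIDER_NAME);
        KEY_STORE_EXTENSIONS.put(KeystoreType.JKS, JKS_EXT);
        KEY_STORE_EXTENSIONS.put(KeystoreType.PKCS12, PKCS12_EXT);
        KEY_STORE_EXTENSIONS.put(KeystoreType.BCFKS, BCFKS_EXT);
    }
}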
