package org.apache.nifi.ssl;

import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.DescribedValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceReference;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.controller.VerifiableControllerService;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.ssl.BuilderConfigurationException;
import org.apache.nifi.security.ssl.PemCertificateKeyStoreBuilder;
import org.apache.nifi.security.ssl.PemPrivateKeyCertificateKeyStoreBuilder;
import org.apache.nifi.security.ssl.StandardKeyManagerBuilder;
import org.apache.nifi.security.ssl.StandardSslContextBuilder;
import org.apache.nifi.security.ssl.StandardTrustManagerBuilder;
import org.apache.nifi.security.util.TlsPlatform;

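/**
 * SSLContext Provider backed by PEM-encoded Private Key, Certificate Chain and Certificate Authority material.
 *
 * <p>Key and trust material is parsed into in-memory {@link KeyStore} instances when the service is enabled and the
 * references are dropped when it is disabled. Configuration verification parses the same material but does not retain it,
 * so verifying a new configuration never replaces the material an enabled instance is serving.
 */
@CapabilityDescription("    SSLContext Provider configurable using PEM Private Key and Certificate files.\n    Supports PKCS1 and PKCS8 encoding for Private Keys as well as X.509 encoding for Certificates.\n")
@Tags({"PEM", StandardSSLContextService.SSL_PROTOCOL, "TLS", "Key", "Certificate", "PKCS1", "PKCS8", "X.509", "ECDSA", "Ed25519", "RSA"})
public class PEMEncodedSSLContextProvider extends AbstractControllerService implements SSLContextProvider, VerifiableControllerService {
    /** Protocol name that lets the platform negotiate the latest supported TLS version. */
    static final String DEFAULT_PROTOCOL = "TLS";

    static final PropertyDescriptor TLS_PROTOCOL = new PropertyDescriptor.Builder()
            .name("TLS Protocol")
            .description("TLS protocol version required for negotiating encrypted communications.")
            .required(true)
            .sensitive(false)
            .defaultValue(DEFAULT_PROTOCOL)
            .allowableValues(getProtocolAllowableValues())
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .build();

    static final PropertyDescriptor PRIVATE_KEY_SOURCE = new PropertyDescriptor.Builder()
            .name("Private Key Source")
            .description("Source of information for loading Private Key and Certificate Chain")
            .required(true)
            .defaultValue(PrivateKeySource.PROPERTIES)
            .allowableValues(PrivateKeySource.class)
            .build();

    // Inline PEM text: marked sensitive so the key is encrypted at rest in the flow configuration and not shown in the UI
    static final PropertyDescriptor PRIVATE_KEY = new PropertyDescriptor.Builder()
            .name("Private Key")
            .description("PEM Private Key encoded using either PKCS1 or PKCS8. Supported algorithms include ECDSA, Ed25519, and RSA")
            .required(true)
            .sensitive(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.TEXT)
            .dependsOn(PRIVATE_KEY_SOURCE, PrivateKeySource.PROPERTIES)
            .build();

    // File path only; the key bytes stay on disk, so the property itself is not sensitive
    static final PropertyDescriptor PRIVATE_KEY_LOCATION = new PropertyDescriptor.Builder()
            .name("Private Key Location")
            .description("PEM Private Key file location encoded using either PKCS1 or PKCS8. Supported algorithms include ECDSA, Ed25519, and RSA")
            .required(true)
            .sensitive(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE)
            .dependsOn(PRIVATE_KEY_SOURCE, PrivateKeySource.FILES)
            .build();

    static final PropertyDescriptor CERTIFICATE_CHAIN = new PropertyDescriptor.Builder()
            .name("Certificate Chain")
            .description("PEM X.509 Certificate Chain associated with Private Key starting with standard BEGIN CERTIFICATE header")
            .required(true)
            .sensitive(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.TEXT)
            .dependsOn(PRIVATE_KEY_SOURCE, PrivateKeySource.PROPERTIES)
            .build();

    static final PropertyDescriptor CERTIFICATE_CHAIN_LOCATION = new PropertyDescriptor.Builder()
            .name("Certificate Chain Location")
            .description("PEM X.509 Certificate Chain file location associated with Private Key starting with standard BEGIN CERTIFICATE header")
            .required(true)
            .sensitive(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE)
            .dependsOn(PRIVATE_KEY_SOURCE, PrivateKeySource.FILES)
            .build();

    static final PropertyDescriptor CERTIFICATE_AUTHORITIES_SOURCE = new PropertyDescriptor.Builder()
            .name("Certificate Authorities Source")
            .description("Source of information for loading trusted Certificate Authorities")
            .required(true)
            .defaultValue(CertificateAuthoritiesSource.PROPERTIES)
            .allowableValues(CertificateAuthoritiesSource.class)
            .build();

    // Accepts either a file path or inline PEM text; only consulted when the source is PROPERTIES
    static final PropertyDescriptor CERTIFICATE_AUTHORITIES = new PropertyDescriptor.Builder()
            .name("Certificate Authorities")
            .description("PEM X.509 Certificate Authorities trusted for verifying peers in TLS communications containing one or more standard certificates")
            .required(true)
            .sensitive(false)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE, ResourceType.TEXT)
            .dependsOn(CERTIFICATE_AUTHORITIES_SOURCE, CertificateAuthoritiesSource.PROPERTIES)
            .build();

    private static final List<PropertyDescriptor> PROPERTY_DESCRIPTORS = List.of(
            TLS_PROTOCOL,
            PRIVATE_KEY_SOURCE,
            PRIVATE_KEY,
            PRIVATE_KEY_LOCATION,
            CERTIFICATE_CHAIN,
            CERTIFICATE_CHAIN_LOCATION,
            CERTIFICATE_AUTHORITIES_SOURCE,
            CERTIFICATE_AUTHORITIES
    );

    // Password used to read private key entries from the PEM-derived KeyStore; the store is built in memory from the
    // configured streams and is never persisted by this service, so the empty password protects nothing at rest
    private static final char[] EMPTY_PROTECTION_PARAMETER = new char[0];

    private String protocol = DEFAULT_PROTOCOL;

    // Null when no Private Key is configured; createKeyManager() then returns empty
    private KeyStore keyStore;

    // Null when the SYSTEM source is selected; createTrustManager() then falls back to the platform default trust store
    private KeyStore trustStore;

    /** Where trusted Certificate Authorities are loaded from. */
    public enum CertificateAuthoritiesSource implements DescribedValue {
        PROPERTIES("Properties", "Load trusted Certificate Authorities from configured properties"),
        SYSTEM("System", "Load trusted Certificate Authorities from the default system location");

        private final String displayName;
        private final String description;

        CertificateAuthoritiesSource(final String displayName, final String description) {
            this.displayName = displayName;
            this.description = description;
        }

        /** @return the enum constant name, which is the value persisted in the property */
        public String getValue() {
            return name();
        }

        public String getDisplayName() {
            return displayName;
        }

        public String getDescription() {
            return description;
        }
    }

    /** Where the Private Key and Certificate Chain are loaded from, or UNDEFINED for a trust-only context. */
    public enum PrivateKeySource implements DescribedValue {
        UNDEFINED("Undefined", "Avoid configuring Private Key and Certificate Chain properties"),
        PROPERTIES("Properties", "Load Private Key and Certificate Chain from configured properties"),
        FILES("Files", "Load Private Key and Certificate Chain from configured files");

        private final String displayName;
        private final String description;

        PrivateKeySource(final String displayName, final String description) {
            this.displayName = displayName;
            this.description = description;
        }

        /** @return the enum constant name, which is the value persisted in the property */
        public String getValue() {
            return name();
        }

        public String getDisplayName() {
            return displayName;
        }

        public String getDescription() {
            return description;
        }
    }

    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return PROPERTY_DESCRIPTORS;
    }

    /**
     * Verifies that the configured key and trust material can be read and parsed.
     *
     * <p>Material loaded here is discarded; this method does not modify the service's active KeyStores.
     *
     * @param context configuration to verify
     * @param verificationLogger logger supplied by the framework (unused)
     * @param variables variable values supplied by the framework (unused)
     * @return one result for the Private Key and Certificate Chain step and one for the Certificate Authorities step
     */
    public List<ConfigVerificationResult> verify(final ConfigurationContext context, final ComponentLog verificationLogger, final Map<String, String> variables) {
        final List<ConfigVerificationResult> results = new ArrayList<>(2);

        final ConfigVerificationResult.Builder keyStoreResult = new ConfigVerificationResult.Builder()
                .verificationStepName("Load Private Key and Certificate Chain");
        final PrivateKeySource privateKeySource = context.getProperty(PRIVATE_KEY_SOURCE).asAllowableValue(PrivateKeySource.class);
        if (privateKeySource == PrivateKeySource.UNDEFINED) {
            keyStoreResult.outcome(ConfigVerificationResult.Outcome.SKIPPED)
                    .explanation("Private Key and Certificate Chain properties not required");
        } else {
            try {
                loadKeyStore(context);
                keyStoreResult.outcome(ConfigVerificationResult.Outcome.SUCCESSFUL);
            } catch (final Exception e) {
                // Verification is a reporting boundary: any parse or read failure becomes a FAILED outcome rather than an exception
                keyStoreResult.outcome(ConfigVerificationResult.Outcome.FAILED).explanation(e.getMessage());
            }
        }
        results.add(keyStoreResult.build());

        final ConfigVerificationResult.Builder trustStoreResult = new ConfigVerificationResult.Builder()
                .verificationStepName("Load Certificate Authorities");
        try {
            loadTrustStore(context);
            trustStoreResult.outcome(ConfigVerificationResult.Outcome.SUCCESSFUL);
        } catch (final Exception e) {
            trustStoreResult.outcome(ConfigVerificationResult.Outcome.FAILED).explanation(e.getMessage());
        }
        results.add(trustStoreResult.build());

        return results;
    }

    /**
     * Loads the protocol, key material and trust material from the enabled configuration.
     *
     * @param context enabled configuration
     * @throws InitializationException when key or trust material cannot be read or parsed
     */
    @OnEnabled
    public void onEnabled(final ConfigurationContext context) throws InitializationException {
        protocol = context.getProperty(TLS_PROTOCOL).getValue();
        keyStore = loadKeyStore(context);
        trustStore = loadTrustStore(context);
    }

    /**
     * Drops references to the loaded key and trust material. The KeyStore objects are not zeroized, so the key bytes
     * remain in the heap until garbage collected.
     */
    @OnDisabled
    public void onDisabled() {
        keyStore = null;
        trustStore = null;
    }

    /**
     * Builds a new SSLContext from the loaded material.
     *
     * @return SSLContext using the configured protocol, the configured or system trust manager, and the key manager when a Private Key is loaded
     */
    public SSLContext createContext() {
        final StandardSslContextBuilder builder = new StandardSslContextBuilder();
        builder.protocol(protocol);
        builder.trustManager(createTrustManager());
        createKeyManager().ifPresent(builder::keyManager);
        return builder.build();
    }

    /**
     * @return key manager backed by the loaded KeyStore, or empty when no Private Key is configured
     */
    public Optional<X509ExtendedKeyManager> createKeyManager() {
        if (keyStore == null) {
            return Optional.empty();
        }
        final X509ExtendedKeyManager keyManager = new StandardKeyManagerBuilder()
                .keyStore(keyStore)
                .keyPassword(EMPTY_PROTECTION_PARAMETER)
                .build();
        return Optional.of(keyManager);
    }

    /**
     * @return trust manager backed by the loaded Certificate Authorities, or by the platform default trust store when the SYSTEM source is selected
     * @throws BuilderConfigurationException when the platform provides no X.509 trust manager or initialization fails
     */
    public X509TrustManager createTrustManager() {
        if (trustStore != null) {
            return new StandardTrustManagerBuilder().trustStore(trustStore).build();
        }

        try {
            final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // A null KeyStore instructs the JDK to use its default trust store (cacerts or the javax.net.ssl.trustStore override)
            factory.init((KeyStore) null);
            return Arrays.stream(factory.getTrustManagers())
                    .filter(X509ExtendedTrustManager.class::isInstance)
                    .map(X509ExtendedTrustManager.class::cast)
                    .findFirst()
                    .orElseThrow(() -> new BuilderConfigurationException("X.509 Trust Manager not configured"));
        } catch (final GeneralSecurityException e) {
            throw new BuilderConfigurationException("Trust Manager creation failed for System Certificate Authorities", e);
        }
    }

    /**
     * Parses the Private Key and Certificate Chain into an in-memory KeyStore.
     *
     * @param context configuration naming the Private Key Source and the matching key and chain properties
     * @return KeyStore holding the private key entry, or null when the Private Key Source is UNDEFINED
     * @throws InitializationException when either resource cannot be read or parsed
     */
    private KeyStore loadKeyStore(final ConfigurationContext context) throws InitializationException {
        final PrivateKeySource privateKeySource = context.getProperty(PRIVATE_KEY_SOURCE).asAllowableValue(PrivateKeySource.class);
        if (privateKeySource == PrivateKeySource.UNDEFINED) {
            getLogger().debug("Private Key and Certificate Chain not configured");
            return null;
        }

        // FILES reads both resources from paths; PROPERTIES reads the PEM text held in the properties themselves
        final boolean fromFiles = privateKeySource == PrivateKeySource.FILES;
        final PropertyDescriptor privateKeyDescriptor = fromFiles ? PRIVATE_KEY_LOCATION : PRIVATE_KEY;
        final PropertyDescriptor certificateChainDescriptor = fromFiles ? CERTIFICATE_CHAIN_LOCATION : CERTIFICATE_CHAIN;

        final ResourceReference privateKeyResource = context.getProperty(privateKeyDescriptor).asResource();
        final ResourceReference certificateChainResource = context.getProperty(certificateChainDescriptor).asResource();

        // try-with-resources closes both streams on every path, including a failure opening the second one
        try (InputStream privateKeyStream = privateKeyResource.read();
             InputStream certificateChainStream = certificateChainResource.read()) {
            return new PemPrivateKeyCertificateKeyStoreBuilder()
                    .privateKeyInputStream(privateKeyStream)
                    .certificateInputStream(certificateChainStream)
                    .build();
        } catch (final Exception e) {
            throw new InitializationException("Failed to load Private Key or Certificate Chain from configured properties", e);
        }
    }

    /**
     * Parses the trusted Certificate Authorities into an in-memory KeyStore.
     *
     * @param context configuration naming the Certificate Authorities Source and, for PROPERTIES, the certificate resource
     * @return KeyStore of trusted certificates, or null when the SYSTEM source is selected
     * @throws InitializationException when the resource cannot be read or parsed, or the source is not recognized
     */
    private KeyStore loadTrustStore(final ConfigurationContext context) throws InitializationException {
        final CertificateAuthoritiesSource source = context.getProperty(CERTIFICATE_AUTHORITIES_SOURCE).asAllowableValue(CertificateAuthoritiesSource.class);
        if (source == CertificateAuthoritiesSource.SYSTEM) {
            // Null defers to the platform default trust store; see createTrustManager()
            return null;
        }
        if (source == CertificateAuthoritiesSource.PROPERTIES) {
            try (InputStream certificateAuthoritiesStream = context.getProperty(CERTIFICATE_AUTHORITIES).asResource().read()) {
                return new PemCertificateKeyStoreBuilder().inputStream(certificateAuthoritiesStream).build();
            } catch (final Exception e) {
                throw new InitializationException("Failed to load Certificate Authorities from configured properties", e);
            }
        }
        // Fail closed rather than silently trusting the platform store for a source this version does not understand
        throw new InitializationException("Certificate Authorities Source not supported: " + source);
    }

    /**
     * @return the negotiate-latest entry followed by one entry per platform-preferred protocol version
     */
    private static AllowableValue[] getProtocolAllowableValues() {
        final List<AllowableValue> allowableValues = new ArrayList<>();
        allowableValues.add(new AllowableValue(DEFAULT_PROTOCOL, DEFAULT_PROTOCOL, "Negotiate latest TLS protocol version based on platform supported versions"));
        for (final String protocolVersion : TlsPlatform.getPreferredProtocols()) {
            allowableValues.add(new AllowableValue(protocolVersion, protocolVersion, String.format("Require %s protocol version", protocolVersion)));
        }
        return allowableValues.toArray(new AllowableValue[0]);
    }
}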
