package org.apache.nifi.toolkit.tls.standalone;

import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.nifi.security.util.CertificateUtils;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.toolkit.tls.commandLine.BaseCommandLine;
import org.apache.nifi.toolkit.tls.configuration.InstanceDefinition;
import org.apache.nifi.toolkit.tls.configuration.StandaloneConfig;
import org.apache.nifi.toolkit.tls.configuration.TlsClientConfig;
import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
import org.apache.nifi.toolkit.tls.manager.TlsClientManager;
import org.apache.nifi.toolkit.tls.manager.writer.NifiPropertiesTlsClientConfigWriter;
import org.apache.nifi.toolkit.tls.properties.NiFiPropertiesWriterFactory;
import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
import org.apache.nifi.toolkit.tls.util.TlsHelper;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.util.io.pem.PemWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/toolkit/tls/standalone/TlsToolkitStandalone.class */
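/**
 * Generates a NiFi certificate authority plus per-instance keystores/truststores
 * and client PKCS12 certificates into a base directory.
 *
 * <p>All output files are created through the configured {@link OutputStreamFactory}
 * (or plain {@link FileOutputStream}/{@link FileWriter} for the CA input and
 * password files), so they receive the process's default file permissions.
 * No permission restriction is applied here even though the CA private key,
 * the keystores and the {@code .password} files are sensitive.
 */
public class TlsToolkitStandalone {
    /** Alias under which the instance/client private key is stored. */
    public static final String NIFI_KEY = "nifi-key";
    /** Alias under which the CA certificate is stored in the truststore. */
    public static final String NIFI_CERT = "nifi-cert";
    /** Name of the properties file written into each instance directory. */
    public static final String NIFI_PROPERTIES = "nifi.properties";

    private static final String CA_CERT_FILE_NAME = "nifi-cert.pem";
    private static final String CA_KEY_FILE_NAME = "nifi-key.key";

    private final Logger logger;
    private final OutputStreamFactory outputStreamFactory;

    /** Creates a toolkit that writes output files with {@link FileOutputStream}. */
    public TlsToolkitStandalone() {
        this(FileOutputStream::new);
    }

    /**
     * Creates a toolkit whose generated keystores and CA PEM files are opened
     * through {@code outputStreamFactory}.
     *
     * @param outputStreamFactory factory used for every generated (non-password) output file
     */
    public TlsToolkitStandalone(OutputStreamFactory outputStreamFactory) {
        this.logger = LoggerFactory.getLogger(TlsToolkitStandalone.class);
        this.outputStreamFactory = outputStreamFactory;
    }

    /**
     * Runs the standalone generation: loads or creates the CA, then writes one
     * keystore/truststore/nifi.properties set per instance definition and one
     * PKCS12 plus {@code .password} file per client DN.
     *
     * <p>An existing CA is reused only when both {@code nifi-cert.pem} and
     * {@code nifi-key.key} are present, the certificate verifies under the key's
     * public key and both public keys are equal; having just one of the two
     * files is an error.
     *
     * @param standaloneConfig source of the base directory, algorithms, validity,
     *                         instance definitions, client DNs/passwords and overwrite flag
     * @throws IOException              if the base directory cannot be created or is not a
     *                                  directory, if CA files are inconsistent, if an instance
     *                                  directory or client keystore exists and overwrite is not
     *                                  set, or on any write failure
     * @throws GeneralSecurityException if the existing CA certificate does not verify under the
     *                                  loaded key, or key/certificate generation fails
     * @throws IllegalArgumentException if fewer client passwords than client DNs are configured
     */
    public void createNifiKeystoresAndTrustStores(StandaloneConfig standaloneConfig) throws GeneralSecurityException, IOException {
        File baseDir = standaloneConfig.getBaseDir();
        if (!baseDir.exists() && !baseDir.mkdirs()) {
            throw new IOException(baseDir + " doesn't exist and unable to create it.");
        }
        if (!baseDir.isDirectory()) {
            throw new IOException("Expected directory to output to");
        }
        String signingAlgorithm = standaloneConfig.getSigningAlgorithm();
        int days = standaloneConfig.getDays();
        String keyPairAlgorithm = standaloneConfig.getKeyPairAlgorithm();
        int keySize = standaloneConfig.getKeySize();
        File caCertFile = new File(baseDir, CA_CERT_FILE_NAME);
        File caKeyFile = new File(baseDir, CA_KEY_FILE_NAME);
        logger.info("Running standalone certificate generation with output directory {}", baseDir);

        X509Certificate caCertificate;
        KeyPair caKeyPair;
        if (caCertFile.exists()) {
            if (!caKeyFile.exists()) {
                throw new IOException(caCertFile + " exists already, but " + caKeyFile + " does not, we need both certificate and key to continue with an existing CA.");
            }
            caCertificate = readCertificate(caCertFile);
            caKeyPair = readKeyPair(caKeyFile);
            // The CA certificate must be signed by, and carry, the loaded key; otherwise
            // every issued certificate would chain to a key we do not actually hold.
            caCertificate.verify(caKeyPair.getPublic());
            if (!caKeyPair.getPublic().equals(caCertificate.getPublicKey())) {
                throw new IOException("Expected " + caKeyFile + " to correspond to CA certificate at " + caCertFile);
            }
            logger.info("Using existing CA certificate {} and key {}", caCertFile, caKeyFile);
        } else {
            if (caKeyFile.exists()) {
                throw new IOException(caKeyFile + " exists already, but " + caCertFile + " does not, we need both certificate and key to continue with an existing CA.");
            }
            KeyStore.PrivateKeyEntry caEntry = new TlsCertificateAuthorityManager(standaloneConfig).getOrGenerateCertificateAuthority();
            caCertificate = (X509Certificate) caEntry.getCertificateChain()[0];
            caKeyPair = new KeyPair(caCertificate.getPublicKey(), caEntry.getPrivateKey());
            writePem(caCertFile, caCertificate);
            writePem(caKeyFile, caKeyPair);
            logger.info("Generated new CA certificate {} and key {}", caCertFile, caKeyFile);
        }

        NiFiPropertiesWriterFactory niFiPropertiesWriterFactory = standaloneConfig.getNiFiPropertiesWriterFactory();
        boolean isOverwrite = standaloneConfig.isOverwrite();
        List<InstanceDefinition> instanceDefinitions = standaloneConfig.getInstanceDefinitions();
        if (instanceDefinitions.isEmpty()) {
            logger.info("No hostnames specified, not generating any host certificates or configuration.");
        }
        for (InstanceDefinition instanceDefinition : instanceDefinitions) {
            String hostname = instanceDefinition.getHostname();
            int number = instanceDefinition.getInstanceIdentifier().getNumber();
            // Instance 1 gets the bare hostname directory; later instances get a numeric suffix.
            File instanceDir = number == 1 ? new File(baseDir, hostname) : new File(baseDir, hostname + "_" + number);
            TlsClientConfig tlsClientConfig = new TlsClientConfig(standaloneConfig);
            File keyStoreFile = new File(instanceDir, BaseCommandLine.KEYSTORE + tlsClientConfig.getKeyStoreType().toLowerCase());
            File trustStoreFile = new File(instanceDir, BaseCommandLine.TRUSTSTORE + tlsClientConfig.getTrustStoreType().toLowerCase());
            prepareInstanceDirectory(instanceDir, keyStoreFile, trustStoreFile, isOverwrite);

            tlsClientConfig.setKeyStore(keyStoreFile.getAbsolutePath());
            tlsClientConfig.setKeyStorePassword(instanceDefinition.getKeyStorePassword());
            tlsClientConfig.setKeyPassword(instanceDefinition.getKeyPassword());
            tlsClientConfig.setTrustStore(trustStoreFile.getAbsolutePath());
            tlsClientConfig.setTrustStorePassword(instanceDefinition.getTrustStorePassword());

            TlsClientManager tlsClientManager = new TlsClientManager(tlsClientConfig);
            KeyPair instanceKeyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
            X509Certificate instanceCertificate = CertificateUtils.generateIssuedCertificate(
                    tlsClientConfig.calcDefaultDn(hostname), instanceKeyPair.getPublic(), caCertificate, caKeyPair, signingAlgorithm, days);
            tlsClientManager.addPrivateKeyToKeyStore(instanceKeyPair, NIFI_KEY, instanceCertificate, caCertificate);
            tlsClientManager.setCertificateEntry(NIFI_CERT, caCertificate);
            tlsClientManager.addClientConfigurationWriter(new NifiPropertiesTlsClientConfigWriter(
                    niFiPropertiesWriterFactory, new File(instanceDir, NIFI_PROPERTIES), hostname, instanceDefinition.getNumber()));
            tlsClientManager.write(outputStreamFactory);
            logger.info("Successfully generated TLS configuration for {} {} in {}", hostname, number, instanceDir);
        }

        List<String> clientDns = standaloneConfig.getClientDns();
        List<String> clientPasswords = standaloneConfig.getClientPasswords();
        if (clientDns.isEmpty()) {
            logger.info("No clientCertDn specified, not generating any client certificates.");
        }
        // Passwords are matched to DNs by index; fail before writing anything rather than
        // part-way through with an IndexOutOfBoundsException.
        if (clientPasswords.size() < clientDns.size()) {
            throw new IllegalArgumentException("Expected a client password for each of the " + clientDns.size()
                    + " client DNs but only " + clientPasswords.size() + " were configured.");
        }
        for (int i = 0; i < clientDns.size(); i++) {
            String reorderedDn = CertificateUtils.reorderDn(clientDns.get(i));
            String clientDnFile = getClientDnFile(reorderedDn);
            File clientKeyStoreFile = new File(baseDir, clientDnFile + ".p12");
            if (clientKeyStoreFile.exists()) {
                if (!isOverwrite) {
                    throw new IOException(clientKeyStoreFile + " exists and overwrite is not set.");
                }
                logger.info("Overwriting existing client cert {}", clientKeyStoreFile);
            } else {
                logger.info("Generating new client certificate {}", clientKeyStoreFile);
            }
            KeyPair clientKeyPair = TlsHelper.generateKeyPair(keyPairAlgorithm, keySize);
            X509Certificate clientCertificate = CertificateUtils.generateIssuedCertificate(
                    reorderedDn, clientKeyPair.getPublic(), caCertificate, caKeyPair, signingAlgorithm, days);
            KeyStore keyStore = KeyStoreUtils.getKeyStore(KeystoreType.PKCS12.toString());
            keyStore.load(null, null);
            // Key entry is stored with a null entry password; the keystore-level password is
            // applied by TlsHelper.writeKeyStore — NOTE(review): confirm that is the intended protection.
            keyStore.setKeyEntry(NIFI_KEY, clientKeyPair.getPrivate(), null, new Certificate[]{clientCertificate, caCertificate});
            // Returned string is what gets written to the .password file (presumably the
            // effective keystore password, possibly a freshly generated one).
            String keyStorePassword = TlsHelper.writeKeyStore(
                    keyStore, outputStreamFactory, clientKeyStoreFile, clientPasswords.get(i), standaloneConfig.isClientPasswordsGenerated());
            writePasswordFile(new File(baseDir, clientDnFile + ".password"), keyStorePassword);
            logger.info("Successfully generated client certificate {}", clientKeyStoreFile);
        }
        logger.info("tls-toolkit standalone completed successfully");
    }

    /**
     * Parses the CA certificate from a PEM file, closing the reader even when parsing fails.
     *
     * @param certFile PEM file holding the CA certificate
     * @return the parsed certificate
     * @throws IOException              on read failure
     * @throws GeneralSecurityException if {@code TlsHelper.parseCertificate} rejects the content
     */
    private static X509Certificate readCertificate(File certFile) throws GeneralSecurityException, IOException {
        // FileReader uses the platform charset; PEM content is expected to be ASCII.
        try (FileReader reader = new FileReader(certFile)) {
            return TlsHelper.parseCertificate(reader);
        }
    }

    /**
     * Parses the CA key pair from a PEM file, closing the reader even when parsing fails.
     *
     * @param keyFile PEM file holding the CA private key
     * @return the parsed key pair
     * @throws IOException              on read failure
     * @throws GeneralSecurityException if {@code TlsHelper.parseKeyPair} rejects the content
     */
    private static KeyPair readKeyPair(File keyFile) throws GeneralSecurityException, IOException {
        try (FileReader reader = new FileReader(keyFile)) {
            return TlsHelper.parseKeyPair(reader);
        }
    }

    /**
     * Writes one object (certificate or key pair) as PEM through the output stream factory.
     *
     * <p>NOTE(review): when {@code pemObject} is the CA key pair this file holds the CA
     * private key, yet it is created with whatever permissions the factory's stream gives
     * it — confirm the surrounding umask/ACLs restrict it.
     *
     * @param target    file to create
     * @param pemObject object accepted by {@link JcaMiscPEMGenerator}
     * @throws IOException on write failure
     */
    private void writePem(File target, Object pemObject) throws IOException {
        try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStreamFactory.create(target)))) {
            pemWriter.writeObject(new JcaMiscPEMGenerator(pemObject));
        }
    }

    /**
     * Writes a client keystore password to its {@code .password} companion file.
     *
     * <p>NOTE(review): written with {@link FileWriter} (platform charset, default
     * permissions), not through the output stream factory — confirm both are intended.
     *
     * @param target   password file to create
     * @param password password text to write verbatim
     * @throws IOException on write failure
     */
    private static void writePasswordFile(File target, String password) throws IOException {
        try (FileWriter writer = new FileWriter(target)) {
            writer.write(password);
        }
    }

    /**
     * Ensures an instance output directory exists and, when it already does, that
     * overwriting is permitted and the previous keystore/truststore are removed.
     *
     * @param instanceDir    directory for this instance
     * @param keyStoreFile   keystore path inside {@code instanceDir}
     * @param trustStoreFile truststore path inside {@code instanceDir}
     * @param isOverwrite    whether an existing directory may be reused
     * @throws IOException if the path is not a directory, overwrite is not set, the directory
     *                     cannot be created, or an existing store cannot be deleted
     */
    private void prepareInstanceDirectory(File instanceDir, File keyStoreFile, File trustStoreFile, boolean isOverwrite) throws IOException {
        if (instanceDir.exists()) {
            if (!instanceDir.isDirectory()) {
                throw new IOException(instanceDir + " exists but is not a directory.");
            }
            if (!isOverwrite) {
                throw new IOException(instanceDir + " exists and overwrite is not set.");
            }
            logger.info("Overwriting any existing ssl configuration in {}", instanceDir);
            deleteIfPresent(keyStoreFile, "Keystore");
            deleteIfPresent(trustStoreFile, "Truststore");
        } else {
            if (!instanceDir.mkdirs()) {
                throw new IOException("Unable to make directory: " + instanceDir.getAbsolutePath());
            }
            logger.info("Writing new ssl configuration to {}", instanceDir);
        }
    }

    /**
     * Deletes {@code file} if it exists; a file that is still present afterwards is an error.
     *
     * @param file        file to remove
     * @param description label used in the error message ("Keystore"/"Truststore")
     * @throws IOException if the file exists and could not be deleted
     */
    private static void deleteIfPresent(File file, String description) throws IOException {
        // delete() also returns false for a file that never existed, so only a file
        // that is still there afterwards counts as a failure.
        if (!file.delete() && file.exists()) {
            throw new IOException(description + " " + file + " already exists and couldn't be deleted.");
        }
    }

    /**
     * Turns a (reordered) DN into a file-name stem by replacing commas and spaces with
     * underscores. Only those two characters are replaced; anything else in the DN is
     * passed through unchanged into the file name.
     *
     * @param str distinguished name
     * @return the DN with {@code ','} and {@code ' '} replaced by {@code '_'}
     */
    protected static String getClientDnFile(String str) {
        return str.replace(',', '_').replace(' ', '_');
    }
}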
