package org.apache.nifi.toolkit.tls.service.server;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Objects;
import org.apache.nifi.security.util.CertificateUtils;
import org.apache.nifi.toolkit.tls.configuration.TlsConfig;
import org.apache.nifi.toolkit.tls.manager.TlsCertificateAuthorityManager;
import org.apache.nifi.toolkit.tls.manager.writer.JsonConfigurationWriter;
import org.apache.nifi.toolkit.tls.util.OutputStreamFactory;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.class */
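/**
 * Hosts the certificate-authority endpoint of the TLS toolkit: loads (or generates) a CA via
 * {@link TlsCertificateAuthorityManager}, persists its keystore and JSON configuration, and then
 * serves {@link TlsCertificateAuthorityServiceHandler} over a TLS-only Jetty listener.
 *
 * <p>Lifecycle is {@link #start} followed by {@link #shutdown}; both are serialized on this instance.
 * The CA private key is held in memory for the lifetime of the server, and the keystore that holds it
 * is written through {@link OutputStreamFactory}, so the write destination should be protected accordingly.
 */
public class TlsCertificateAuthorityService {
    private static final Logger logger = LoggerFactory.getLogger(TlsCertificateAuthorityService.class);

    private final OutputStreamFactory outputStreamFactory;
    /** Running Jetty instance; {@code null} whenever no server is started. Guarded by {@code this}. */
    private Server server;

    /** Creates a service whose keystore/config files are written with plain {@link FileOutputStream}s. */
    public TlsCertificateAuthorityService() {
        this(FileOutputStream::new);
    }

    /**
     * Creates a service that writes the CA keystore and configuration through the given factory.
     *
     * @param outputStreamFactory produces the streams the CA manager writes to; must not be null
     * @throws NullPointerException if {@code outputStreamFactory} is null
     */
    public TlsCertificateAuthorityService(OutputStreamFactory outputStreamFactory) {
        this.outputStreamFactory = Objects.requireNonNull(outputStreamFactory, "outputStreamFactory");
    }

    /**
     * Builds a Jetty server with a single TLS connector that presents the CA keystore's key material.
     *
     * <p>Only the single highest TLS protocol version the runtime supports is offered, so older
     * versions are never negotiated. No client-certificate requirement is configured here; request
     * authentication, if any, is the handler's responsibility.
     *
     * @param handler     request handler installed on the server
     * @param port        TCP port the connector listens on
     * @param keyStore    already-loaded keystore holding the server's private key entry
     * @param keyPassword password protecting the key entry inside {@code keyStore}
     * @return a configured but not yet started server
     * @throws Exception propagated from Jetty configuration
     */
    private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception {
        Server jettyServer = new Server();

        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setIncludeProtocols(new String[]{CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion()});
        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyManagerPassword(keyPassword);
        // Endpoint identification is the client-side hostname check; it has no meaning for a server-side
        // context factory, so it is explicitly disabled rather than left to the Jetty default.
        sslContextFactory.setEndpointIdentificationAlgorithm((String) null);

        HttpConfiguration httpConfiguration = new HttpConfiguration();
        // Exposes TLS connection details (secure scheme etc.) to the request — presumably needed by the handler; confirm.
        httpConfiguration.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(jettyServer, new ConnectionFactory[]{
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpConfiguration)});
        connector.setPort(port);

        jettyServer.addConnector(connector);
        jettyServer.setHandler(handler);
        return jettyServer;
    }

    /**
     * Validates that the chain consists of exactly one X.509 certificate and returns it.
     *
     * @param certificateChain chain taken from the CA's private key entry
     * @return the lone root certificate
     * @throws IOException if the chain is missing, has more than one entry, or is not X.509
     */
    private static X509Certificate requireSingleX509Root(Certificate[] certificateChain) throws IOException {
        if (certificateChain == null || certificateChain.length != 1) {
            throw new IOException("Expected root ca cert to be only certificate in chain");
        }
        Certificate root = certificateChain[0];
        if (!(root instanceof X509Certificate)) {
            throw new IOException("Expected " + X509Certificate.class + " as root ca cert");
        }
        return (X509Certificate) root;
    }

    /**
     * Loads or generates the CA, persists it, and starts the HTTPS listener.
     *
     * <p>The server reference is published only after Jetty has started successfully, so a failed
     * start leaves this service in its initial state and {@code start} may be retried.
     *
     * @param tlsConfig                           CA settings: port, signing algorithm, validity days, token, key password
     * @param configJson                          path of the JSON configuration file the CA manager writes
     * @param differentPasswordsForKeyAndKeystore whether the key entry password differs from the keystore password
     * @throws IllegalStateException if a server is already running
     * @throws IOException           if the keystore cannot be opened or the CA chain is not a single X.509 root
     * @throws Exception             propagated from CA generation or Jetty start-up
     */
    public synchronized void start(TlsConfig tlsConfig, String configJson, boolean differentPasswordsForKeyAndKeystore) throws Exception {
        if (server != null) {
            throw new IllegalStateException("Server already started");
        }
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            TlsCertificateAuthorityManager caManager = new TlsCertificateAuthorityManager(tlsConfig);
            caManager.setDifferentKeyAndKeyStorePassword(differentPasswordsForKeyAndKeystore);
            caManager.addConfigurationWriter(new JsonConfigurationWriter(objectMapper, new File(configJson)));

            KeyStore.PrivateKeyEntry caEntry = caManager.getOrGenerateCertificateAuthority();
            KeyPair caKeyPair = new KeyPair(caEntry.getCertificate().getPublicKey(), caEntry.getPrivateKey());
            X509Certificate caCertificate = requireSingleX509Root(caEntry.getCertificateChain());

            // Persist keystore and config before accepting requests, so a freshly generated CA is never lost.
            caManager.write(outputStreamFactory);

            // The token from the config is handed to the handler — presumably the shared secret that
            // authenticates signing requests; confirm in TlsCertificateAuthorityServiceHandler.
            Handler handler = new TlsCertificateAuthorityServiceHandler(tlsConfig.getSigningAlgorithm(), tlsConfig.getDays(),
                    tlsConfig.getToken(), caCertificate, caKeyPair, objectMapper);
            Server started = createServer(handler, tlsConfig.getPort(), caManager.getKeyStore(), tlsConfig.getKeyPassword());
            started.start();
            // Publish only once listening; otherwise a failed start() would make the service unrestartable.
            server = started;
        } catch (IOException e) {
            logger.error("Unable to open existing keystore, it can be reused by specifying both configJson and useConfigJson");
            throw e;
        }
    }

    /**
     * Stops the listener and waits for Jetty to finish, then clears the server reference so that
     * {@link #start} can be called again and a second {@code shutdown} is rejected.
     *
     * @throws IllegalStateException if no server is running
     * @throws Exception             propagated from Jetty stop/join
     */
    public synchronized void shutdown() throws Exception {
        if (server == null) {
            throw new IllegalStateException("Server already shutdown");
        }
        server.stop();
        server.join();
        // Cleared only after a successful stop so a failed shutdown can be retried.
        server = null;
    }
}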
