package org.apache.hadoop.hdds.security.x509.certificate.client;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.freon.FakeScmBlockLocationProtocolClient;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.class */
public abstract class DefaultCertificateClient implements CertificateClient {
    private static final String CERT_FILE_EXTENSION = ".crt";
    public static final String CERT_FILE_NAME_FORMAT = "%s.crt";
    private final Logger logger;
    private final SecurityConfig securityConfig;
    private final KeyCodec keyCodec;
    private PrivateKey privateKey;
    private PublicKey publicKey;
    private CertPath certPath;
    private Map<String, CertPath> certificateMap;
    private Set<X509Certificate> rootCaCertificates;
    private Set<X509Certificate> caCertificates;
    private String certSerialId;
    private String caCertId;
    private String rootCaCertId;
    private String component;
    private final String threadNamePrefix;
    private List<String> pemEncodedCACerts = null;
    private Lock pemEncodedCACertsLock = new ReentrantLock();
    private KeyStoresFactory serverKeyStoresFactory;
    private KeyStoresFactory clientKeyStoresFactory;
    private ScheduledExecutorService executorService;
    private Consumer<String> certIdSaveCallback;
    private Runnable shutdownCallback;
    private SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient;
    private final Set<CertificateNotification> notificationReceivers;
    private RootCaRotationPoller rootCaRotationPoller;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$CertificateClient$InitResponse = new int[CertificateClient.InitResponse.values().length];

        static {
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$CertificateClient$InitResponse[CertificateClient.InitResponse.SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$CertificateClient$InitResponse[CertificateClient.InitResponse.GETCERT.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$CertificateClient$InitResponse[CertificateClient.InitResponse.FAILURE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase = new int[InitCase.values().length];
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.NONE.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.CERT.ordinal()] = 2;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.PUBLIC_KEY.ordinal()] = 3;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.PRIVATE_KEY.ordinal()] = 4;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.PUBLICKEY_CERT.ordinal()] = 5;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.PRIVATEKEY_CERT.ordinal()] = 6;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.PUBLICKEY_PRIVATEKEY.ordinal()] = 7;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$DefaultCertificateClient$InitCase[InitCase.ALL.ordinal()] = 8;
            } catch (NoSuchFieldError e11) {
            }
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient$CertificateRenewerService.class */
    public class CertificateRenewerService implements Runnable {
        private boolean forceRenewal;
        private Runnable rotationErrorCallback;

        public CertificateRenewerService(boolean z, Runnable runnable) {
            this.forceRenewal = z;
            this.rotationErrorCallback = runnable;
        }

        @Override // java.lang.Runnable
        public void run() {
            synchronized (DefaultCertificateClient.class) {
                X509Certificate certificate = DefaultCertificateClient.this.getCertificate();
                Duration timeBeforeExpiryGracePeriod = DefaultCertificateClient.this.timeBeforeExpiryGracePeriod(certificate);
                if (!this.forceRenewal && !timeBeforeExpiryGracePeriod.isZero()) {
                    DefaultCertificateClient.this.getLogger().info("Current certificate {} hasn't entered the renew grace period. Remaining period is {}. ", certificate.getSerialNumber().toString(), timeBeforeExpiryGracePeriod);
                    return;
                }
                try {
                    DefaultCertificateClient.this.getLogger().info("Current certificate {} needs to be renewed remaining grace period {}. Forced renewal due to root ca rotation: {}.", new Object[]{certificate.getSerialNumber().toString(), timeBeforeExpiryGracePeriod, Boolean.valueOf(this.forceRenewal)});
                    String renewAndStoreKeyAndCertificate = DefaultCertificateClient.this.renewAndStoreKeyAndCertificate(this.forceRenewal);
                    if (DefaultCertificateClient.this.certIdSaveCallback != null) {
                        DefaultCertificateClient.this.certIdSaveCallback.accept(renewAndStoreKeyAndCertificate);
                    }
                    DefaultCertificateClient.this.reloadKeyAndCertificate(renewAndStoreKeyAndCertificate);
                    DefaultCertificateClient.this.cleanBackupDir();
                } catch (CertificateException e) {
                    this.rotationErrorCallback.run();
                    if (e.errorCode() == CertificateException.ErrorCode.ROLLBACK_ERROR && DefaultCertificateClient.this.shutdownCallback != null) {
                        DefaultCertificateClient.this.getLogger().error("Failed to rollback key and cert after an  unsuccessful renew try.", e);
                        DefaultCertificateClient.this.shutdownCallback.run();
                    }
                    DefaultCertificateClient.this.getLogger().error("Failed to renew and store key and cert. Keep using existing certificates.", e);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient$InitCase.class */
    public enum InitCase {
        NONE,
        CERT,
        PUBLIC_KEY,
        PUBLICKEY_CERT,
        PRIVATE_KEY,
        PRIVATEKEY_CERT,
        PUBLICKEY_PRIVATEKEY,
        ALL
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public DefaultCertificateClient(SecurityConfig securityConfig, SCMSecurityProtocolClientSideTranslatorPB sCMSecurityProtocolClientSideTranslatorPB, Logger logger, String str, String str2, String str3, Consumer<String> consumer, Runnable runnable) {
        Objects.requireNonNull(securityConfig);
        this.securityConfig = securityConfig;
        this.scmSecurityClient = sCMSecurityProtocolClientSideTranslatorPB;
        this.keyCodec = new KeyCodec(securityConfig, str2);
        this.logger = logger;
        this.certificateMap = new ConcurrentHashMap();
        this.component = str2;
        this.threadNamePrefix = str3;
        this.certIdSaveCallback = consumer;
        this.shutdownCallback = runnable;
        this.notificationReceivers = new HashSet();
        this.rootCaCertificates = ConcurrentHashMap.newKeySet();
        this.caCertificates = ConcurrentHashMap.newKeySet();
        updateCertSerialId(str);
    }

    private synchronized void loadAllCertificates() {
        Path certificateLocation = this.securityConfig.getCertificateLocation(this.component);
        if (certificateLocation.toFile().exists() || this.certSerialId != null) {
            try {
                Stream<Path> list = Files.list(certificateLocation);
                Throwable th = null;
                try {
                    try {
                        list.filter(path -> {
                            return Files.isRegularFile(path, new LinkOption[0]);
                        }).forEach(this::readCertificateFile);
                        if (list != null) {
                            if (0 != 0) {
                                try {
                                    list.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                list.close();
                            }
                        }
                        if (!shouldStartCertificateRenewerService()) {
                            getLogger().info("CertificateRenewerService and root ca rotation polling is disabled for {}", this.component);
                            return;
                        }
                        if (this.securityConfig.isAutoCARotationEnabled()) {
                            startRootCaRotationPoller();
                        }
                        if (this.certPath != null && this.executorService == null) {
                            startCertificateRenewerService();
                        } else if (this.executorService != null) {
                            getLogger().debug("CertificateRenewerService is already started.");
                        } else {
                            getLogger().warn("Component certificate was not loaded.");
                        }
                    } catch (Throwable th3) {
                        th = th3;
                        throw th3;
                    }
                } finally {
                }
            } catch (IOException e) {
                getLogger().warn("Certificates could not be loaded.", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String threadNamePrefix() {
        return this.threadNamePrefix;
    }

    private void startRootCaRotationPoller() {
        if (this.rootCaRotationPoller != null) {
            getLogger().debug("Root CA certificate rotation poller is already started.");
            return;
        }
        this.rootCaRotationPoller = new RootCaRotationPoller(this.securityConfig, new HashSet(this.rootCaCertificates), this.scmSecurityClient, this.threadNamePrefix);
        this.rootCaRotationPoller.addRootCARotationProcessor(this::getRootCaRotationListener);
        this.rootCaRotationPoller.run();
    }

    public synchronized void registerRootCARotationListener(Function<List<X509Certificate>, CompletableFuture<Void>> function) {
        if (this.securityConfig.isAutoCARotationEnabled()) {
            this.rootCaRotationPoller.addRootCARotationProcessor(function);
        }
    }

    private synchronized void readCertificateFile(Path path) {
        CertificateCodec certificateCodec = new CertificateCodec(this.securityConfig, this.component);
        String path2 = path.getFileName().toString();
        try {
            CertPath certPath = certificateCodec.getCertPath(path2);
            X509Certificate firstCertificateFrom = firstCertificateFrom(certPath);
            String bigInteger = firstCertificateFrom.getSerialNumber().toString();
            if (bigInteger.equals(this.certSerialId)) {
                this.certPath = certPath;
            }
            this.certificateMap.put(bigInteger, certPath);
            addCertsToSubCaMapIfNeeded(path2, certPath);
            addCertToRootCaMapIfNeeded(path2, certPath);
            updateCachedData(path2, CAType.SUBORDINATE, this::updateCachedSubCAId);
            updateCachedData(path2, CAType.ROOT, this::updateCachedRootCAId);
            getLogger().info("Added certificate {} from file: {}.", firstCertificateFrom, path.toAbsolutePath());
        } catch (IOException | IndexOutOfBoundsException | java.security.cert.CertificateException e) {
            getLogger().error("Error reading certificate from file: {}.", path.toAbsolutePath(), e);
        }
    }

    private void updateCachedData(String str, CAType cAType, Consumer<String> consumer) throws IOException {
        String fileNamePrefix = cAType.getFileNamePrefix();
        if (str.startsWith(fileNamePrefix)) {
            consumer.accept(str.substring(fileNamePrefix.length(), str.length() - CERT_FILE_EXTENSION.length()));
        }
    }

    private synchronized void updateCachedRootCAId(String str) {
        BigInteger bigInteger = new BigInteger(str);
        if (this.rootCaCertId == null || new BigInteger(this.rootCaCertId).compareTo(bigInteger) < 0) {
            this.rootCaCertId = str;
        }
    }

    private synchronized void updateCachedSubCAId(String str) {
        BigInteger bigInteger = new BigInteger(str);
        if (this.caCertId == null || new BigInteger(this.caCertId).compareTo(bigInteger) < 0) {
            this.caCertId = str;
        }
    }

    private void addCertsToSubCaMapIfNeeded(String str, CertPath certPath) {
        if (str.startsWith(CAType.SUBORDINATE.getFileNamePrefix())) {
            this.caCertificates.addAll((Collection) certPath.getCertificates().stream().map(certificate -> {
                return (X509Certificate) certificate;
            }).collect(Collectors.toSet()));
        }
    }

    private void addCertToRootCaMapIfNeeded(String str, CertPath certPath) {
        if (str.startsWith(CAType.ROOT.getFileNamePrefix())) {
            this.rootCaCertificates.add(firstCertificateFrom(certPath));
        }
    }

    public synchronized PrivateKey getPrivateKey() {
        if (this.privateKey != null) {
            return this.privateKey;
        }
        if (OzoneSecurityUtil.checkIfFileExist(this.securityConfig.getKeyLocation(this.component), this.securityConfig.getPrivateKeyFileName())) {
            try {
                this.privateKey = this.keyCodec.readPrivateKey();
            } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
                getLogger().error("Error while getting private key.", e);
            }
        }
        return this.privateKey;
    }

    public synchronized PublicKey getPublicKey() {
        if (this.publicKey != null) {
            return this.publicKey;
        }
        if (OzoneSecurityUtil.checkIfFileExist(this.securityConfig.getKeyLocation(this.component), this.securityConfig.getPublicKeyFileName())) {
            try {
                this.publicKey = this.keyCodec.readPublicKey();
            } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
                getLogger().error("Error while getting public key.", e);
            }
        }
        return this.publicKey;
    }

    public X509Certificate getCertificate() {
        CertPath certPath = getCertPath();
        if (certPath == null || certPath.getCertificates() == null) {
            return null;
        }
        return firstCertificateFrom(certPath);
    }

    public synchronized CertPath getCertPath() {
        if (this.certPath != null) {
            return this.certPath;
        }
        if (this.certSerialId == null) {
            getLogger().error("Default certificate serial id is not set. Can't locate the default certificate for this client.");
            return null;
        }
        loadAllCertificates();
        if (this.certificateMap.containsKey(this.certSerialId)) {
            this.certPath = this.certificateMap.get(this.certSerialId);
        }
        return this.certPath;
    }

    public synchronized X509Certificate getCACertificate() {
        CertPath cACertPath = getCACertPath();
        if (cACertPath == null || cACertPath.getCertificates() == null) {
            return null;
        }
        return firstCertificateFrom(cACertPath);
    }

    public synchronized List<X509Certificate> getTrustChain() throws IOException {
        CertPath certPath = getCertPath();
        if (certPath == null || certPath.getCertificates() == null) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        if (certPath.getCertificates().size() > 1) {
            for (int i = 0; i < certPath.getCertificates().size(); i++) {
                arrayList.add((X509Certificate) certPath.getCertificates().get(i));
            }
        } else {
            if (getCertificate() != null) {
                arrayList.add(getCertificate());
            }
            if (getCACertificate() != null) {
                arrayList.add(getCACertificate());
            }
            X509Certificate rootCACertificate = getRootCACertificate();
            if (rootCACertificate != null) {
                arrayList.add(rootCACertificate);
            }
            Preconditions.checkState(arrayList.size() > 0, "Empty trust chain");
        }
        return arrayList;
    }

    public synchronized CertPath getCACertPath() {
        if (this.caCertId != null) {
            return this.certificateMap.get(this.caCertId);
        }
        return null;
    }

    public synchronized X509Certificate getCertificate(String str) throws CertificateException {
        return (!this.certificateMap.containsKey(str) || this.certificateMap.get(str).getCertificates() == null) ? getCertificateFromScm(str) : firstCertificateFrom(this.certificateMap.get(str));
    }

    private X509Certificate getCertificateFromScm(String str) throws CertificateException {
        getLogger().info("Getting certificate with certSerialId:{}.", str);
        try {
            String certificate = getScmSecureClient().getCertificate(str);
            storeCertificate(certificate, CAType.NONE);
            return CertificateCodec.getX509Certificate(certificate);
        } catch (Exception e) {
            getLogger().error("Error while getting Certificate with certSerialId:{} from scm.", str, e);
            throw new CertificateException("Error while getting certificate for certSerialId:" + str, e, CertificateException.ErrorCode.CERTIFICATE_ERROR);
        }
    }

    public byte[] signData(byte[] bArr) throws CertificateException {
        try {
            Signature signature = Signature.getInstance(this.securityConfig.getSignatureAlgo(), this.securityConfig.getProvider());
            signature.initSign(getPrivateKey());
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            getLogger().error("Error while signing the stream", e);
            throw new CertificateException("Error while signing the stream", e, CertificateException.ErrorCode.CRYPTO_SIGN_ERROR);
        }
    }

    public boolean verifySignature(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws CertificateException {
        try {
            Signature signature = Signature.getInstance(this.securityConfig.getSignatureAlgo(), this.securityConfig.getProvider());
            signature.initVerify(x509Certificate);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            getLogger().error("Error while signing the stream", e);
            throw new CertificateException("Error while signing the stream", e, CertificateException.ErrorCode.CRYPTO_SIGNATURE_VERIFICATION_ERROR);
        }
    }

    private boolean verifySignature(byte[] bArr, byte[] bArr2, PublicKey publicKey) throws CertificateException {
        try {
            Signature signature = Signature.getInstance(this.securityConfig.getSignatureAlgo(), this.securityConfig.getProvider());
            signature.initVerify(publicKey);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e) {
            getLogger().error("Error while signing the stream", e);
            throw new CertificateException("Error while signing the stream", e, CertificateException.ErrorCode.CRYPTO_SIGNATURE_VERIFICATION_ERROR);
        }
    }

    public CertificateSignRequest.Builder getCSRBuilder() throws CertificateException {
        return new CertificateSignRequest.Builder().setConfiguration(this.securityConfig).addInetAddresses().setDigitalEncryption(true).setDigitalSignature(true);
    }

    public void storeCertificate(String str, CAType cAType) throws CertificateException {
        storeCertificate(str, cAType, new CertificateCodec(this.securityConfig, this.component), true, false);
    }

    public synchronized void storeCertificate(String str, CAType cAType, CertificateCodec certificateCodec, boolean z, boolean z2) throws CertificateException {
        try {
            CertPath certPathFromPemEncodedString = CertificateCodec.getCertPathFromPemEncodedString(str);
            X509Certificate firstCertificateFrom = firstCertificateFrom(certPathFromPemEncodedString);
            String format = String.format(CERT_FILE_NAME_FORMAT, cAType.getFileNamePrefix() + firstCertificateFrom.getSerialNumber().toString());
            if (z2) {
                if (cAType == CAType.SUBORDINATE) {
                    this.caCertId = firstCertificateFrom.getSerialNumber().toString();
                }
                if (cAType == CAType.ROOT) {
                    this.rootCaCertId = firstCertificateFrom.getSerialNumber().toString();
                }
            }
            certificateCodec.writeCertificate(format, str);
            if (z) {
                this.certificateMap.put(firstCertificateFrom.getSerialNumber().toString(), certPathFromPemEncodedString);
                if (cAType == CAType.SUBORDINATE) {
                    this.caCertificates.add(firstCertificateFrom);
                }
                if (cAType == CAType.ROOT) {
                    this.rootCaCertificates.add(firstCertificateFrom);
                }
            }
        } catch (IOException | java.security.cert.CertificateException e) {
            throw new CertificateException("Error while storing certificate.", e, CertificateException.ErrorCode.CERTIFICATE_ERROR);
        }
    }

    public synchronized void initWithRecovery() throws IOException {
        recoverStateIfNeeded(init());
    }

    @VisibleForTesting
    public synchronized CertificateClient.InitResponse init() throws IOException {
        int i = 0;
        PrivateKey privateKey = getPrivateKey();
        PublicKey publicKey = getPublicKey();
        X509Certificate certificate = getCertificate();
        if (privateKey != null) {
            i = 0 | 4;
        }
        if (publicKey != null) {
            i |= 2;
        }
        if (certificate != null) {
            i |= 1;
        }
        getLogger().info("Certificate client init case: {}", Integer.valueOf(i));
        Preconditions.checkArgument(i < InitCase.values().length, "Not a valid case.");
        return handleCase(InitCase.values()[i]);
    }

    private X509Certificate firstCertificateFrom(CertPath certPath) {
        return CertificateCodec.firstCertificateFrom(certPath);
    }

    protected CertificateClient.InitResponse handleCase(InitCase initCase) throws CertificateException {
        switch (initCase) {
            case NONE:
                getLogger().info("Creating keypair for client as keypair and certificate not found.");
                bootstrapClientKeys();
                return CertificateClient.InitResponse.GETCERT;
            case CERT:
                getLogger().error("Private key not found, while certificate is still present. Delete keypair and try again.");
                return CertificateClient.InitResponse.FAILURE;
            case PUBLIC_KEY:
                getLogger().error("Found public key but private key and certificate missing.");
                return CertificateClient.InitResponse.FAILURE;
            case PRIVATE_KEY:
                getLogger().info("Found private key but public key and certificate is missing.");
                return recoverPublicKeyFromPrivateKey() ? CertificateClient.InitResponse.GETCERT : CertificateClient.InitResponse.FAILURE;
            case PUBLICKEY_CERT:
                getLogger().error("Found public key and certificate but private key is missing.");
                return CertificateClient.InitResponse.FAILURE;
            case PRIVATEKEY_CERT:
                getLogger().info("Found private key and certificate but public key missing.");
                if (recoverPublicKey()) {
                    return CertificateClient.InitResponse.SUCCESS;
                }
                getLogger().error("Public key recovery failed.");
                return CertificateClient.InitResponse.FAILURE;
            case PUBLICKEY_PRIVATEKEY:
                getLogger().info("Found private and public key but certificate is missing.");
                if (validateKeyPair(getPublicKey())) {
                    return CertificateClient.InitResponse.GETCERT;
                }
                getLogger().info("Keypair validation failed.");
                return CertificateClient.InitResponse.FAILURE;
            case ALL:
                getLogger().info("Found certificate file along with KeyPair.");
                return validateKeyPairAndCertificate() ? CertificateClient.InitResponse.SUCCESS : CertificateClient.InitResponse.FAILURE;
            default:
                getLogger().error("Unexpected case: {} (private/public/cert)", Integer.toBinaryString(initCase.ordinal()));
                return CertificateClient.InitResponse.FAILURE;
        }
    }

    protected void recoverStateIfNeeded(CertificateClient.InitResponse initResponse) throws IOException {
        String upperCase = this.component.toUpperCase();
        getLogger().info("Init response: {}", initResponse);
        switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$hdds$security$x509$certificate$client$CertificateClient$InitResponse[initResponse.ordinal()]) {
            case 1:
                getLogger().info("Initialization successful, case:{}.", initResponse);
                return;
            case 2:
                String signAndStoreCertificate = signAndStoreCertificate(getCSRBuilder().build());
                if (this.certIdSaveCallback == null) {
                    throw new RuntimeException(upperCase + " doesn't have the certIdSaveCallback set. The new certificate ID " + signAndStoreCertificate + " cannot be persisted to the VERSION file");
                }
                this.certIdSaveCallback.accept(signAndStoreCertificate);
                getLogger().info("Successfully stored {} signed certificate, case:{}.", upperCase, initResponse);
                return;
            case 3:
            default:
                getLogger().error("{} security initialization failed. Init response: {}", upperCase, initResponse);
                throw new RuntimeException(upperCase + " security initialization failed.");
        }
    }

    protected boolean validateKeyPairAndCertificate() throws CertificateException {
        if (!validateKeyPair(getPublicKey())) {
            getLogger().error("Keypair validation failed.");
            return false;
        }
        getLogger().info("Keypair validated.");
        if (validateKeyPair(getCertificate().getPublicKey())) {
            getLogger().info("Keypair validated with certificate.");
            return true;
        }
        getLogger().error("Stored certificate is generated with different private key.");
        return false;
    }

    protected boolean recoverPublicKey() throws CertificateException {
        PublicKey publicKey = getCertificate().getPublicKey();
        try {
            if (!validateKeyPair(publicKey)) {
                getLogger().error("Can't recover public key corresponding to private key.");
                return false;
            }
            this.keyCodec.writePublicKey(publicKey);
            this.publicKey = publicKey;
            return true;
        } catch (IOException e) {
            throw new CertificateException("Error while trying to recover public key.", e, CertificateException.ErrorCode.BOOTSTRAP_ERROR);
        }
    }

    protected boolean recoverPublicKeyFromPrivateKey() throws CertificateException {
        PrivateKey privateKey = getPrivateKey();
        if (privateKey != null) {
            try {
                if (privateKey instanceof RSAPrivateCrtKey) {
                    RSAPrivateCrtKey rSAPrivateCrtKey = (RSAPrivateCrtKey) privateKey;
                    PublicKey generatePublic = KeyFactory.getInstance(this.securityConfig.getKeyAlgo()).generatePublic(new RSAPublicKeySpec(rSAPrivateCrtKey.getModulus(), rSAPrivateCrtKey.getPublicExponent()));
                    if (validateKeyPair(generatePublic)) {
                        this.keyCodec.writePublicKey(generatePublic);
                        this.publicKey = generatePublic;
                        getLogger().info("Public key is recovered from the private key.");
                        return true;
                    }
                }
            } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new CertificateException("Error while trying to recover public key.", e, CertificateException.ErrorCode.BOOTSTRAP_ERROR);
            }
        }
        getLogger().error("Can't recover public key corresponding to private key.");
        return false;
    }

    protected boolean validateKeyPair(PublicKey publicKey) throws CertificateException {
        byte[] bytes = RandomStringUtils.random(FakeScmBlockLocationProtocolClient.BLOCK_PER_CONTAINER, 0, 0, false, false, (char[]) null, new SecureRandom()).getBytes(StandardCharsets.UTF_8);
        return verifySignature(bytes, signData(bytes), publicKey);
    }

    protected void bootstrapClientKeys() throws CertificateException {
        Path keyLocation = this.securityConfig.getKeyLocation(this.component);
        if (Files.notExists(keyLocation, new LinkOption[0])) {
            try {
                Files.createDirectories(keyLocation, new FileAttribute[0]);
            } catch (IOException e) {
                throw new CertificateException("Error while creating directories for certificate storage.", CertificateException.ErrorCode.BOOTSTRAP_ERROR);
            }
        }
        KeyPair createKeyPair = createKeyPair(this.keyCodec);
        this.privateKey = createKeyPair.getPrivate();
        this.publicKey = createKeyPair.getPublic();
    }

    protected KeyPair createKeyPair(KeyCodec keyCodec) throws CertificateException {
        try {
            KeyPair generateKey = new HDDSKeyGenerator(this.securityConfig).generateKey();
            keyCodec.writePublicKey(generateKey.getPublic());
            keyCodec.writePrivateKey(generateKey.getPrivate());
            return generateKey;
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException e) {
            getLogger().error("Error while bootstrapping certificate client.", e);
            throw new CertificateException("Error while bootstrapping certificate.", CertificateException.ErrorCode.BOOTSTRAP_ERROR);
        }
    }

    public Logger getLogger() {
        return this.logger;
    }

    public String getComponentName() {
        return this.component;
    }

    public synchronized X509Certificate getRootCACertificate() {
        if (this.rootCaCertId != null) {
            return firstCertificateFrom(this.certificateMap.get(this.rootCaCertId));
        }
        return null;
    }

    public Set<X509Certificate> getAllRootCaCerts() {
        Set<X509Certificate> unmodifiableSet = Collections.unmodifiableSet(this.rootCaCertificates);
        getLogger().info("{} has {} Root CA certificates", this.component, Integer.valueOf(unmodifiableSet.size()));
        return unmodifiableSet;
    }

    public Set<X509Certificate> getAllCaCerts() {
        Set<X509Certificate> unmodifiableSet = Collections.unmodifiableSet(this.caCertificates);
        getLogger().info("{} has {} CA certificates", this.component, Integer.valueOf(unmodifiableSet.size()));
        return unmodifiableSet;
    }

    public List<String> getCAList() {
        this.pemEncodedCACertsLock.lock();
        try {
            return this.pemEncodedCACerts;
        } finally {
            this.pemEncodedCACertsLock.unlock();
        }
    }

    public List<String> listCA() throws IOException {
        this.pemEncodedCACertsLock.lock();
        try {
            if (this.pemEncodedCACerts == null) {
                updateCAList();
            }
            return this.pemEncodedCACerts;
        } finally {
            this.pemEncodedCACertsLock.unlock();
        }
    }

    public List<String> updateCAList() throws IOException {
        this.pemEncodedCACertsLock.lock();
        try {
            try {
                this.pemEncodedCACerts = getScmSecureClient().listCACertificate();
                List<String> list = this.pemEncodedCACerts;
                this.pemEncodedCACertsLock.unlock();
                return list;
            } catch (Exception e) {
                getLogger().error("Error during updating CA list", e);
                throw new CertificateException("Error during updating CA list", e, CertificateException.ErrorCode.CERTIFICATE_ERROR);
            }
        } catch (Throwable th) {
            this.pemEncodedCACertsLock.unlock();
            throw th;
        }
    }

    public synchronized KeyStoresFactory getServerKeyStoresFactory() throws CertificateException {
        if (this.serverKeyStoresFactory == null) {
            this.serverKeyStoresFactory = SecurityUtil.getServerKeyStoresFactory(this.securityConfig, this, true);
        }
        return this.serverKeyStoresFactory;
    }

    public KeyStoresFactory getClientKeyStoresFactory() throws CertificateException {
        if (this.clientKeyStoresFactory == null) {
            this.clientKeyStoresFactory = SecurityUtil.getClientKeyStoresFactory(this.securityConfig, this, true);
        }
        return this.clientKeyStoresFactory;
    }

    public void registerNotificationReceiver(CertificateNotification certificateNotification) {
        synchronized (this.notificationReceivers) {
            this.notificationReceivers.add(certificateNotification);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void notifyNotificationReceivers(String str, String str2) {
        synchronized (this.notificationReceivers) {
            this.notificationReceivers.forEach(certificateNotification -> {
                certificateNotification.notifyCertificateRenewed(this, str, str2);
            });
        }
    }

    public synchronized void close() throws IOException {
        if (this.executorService != null) {
            this.executorService.shutdownNow();
            this.executorService = null;
        }
        if (this.rootCaRotationPoller != null) {
            this.rootCaRotationPoller.close();
        }
        if (this.serverKeyStoresFactory != null) {
            this.serverKeyStoresFactory.destroy();
        }
        if (this.clientKeyStoresFactory != null) {
            this.clientKeyStoresFactory.destroy();
        }
    }

    /* JADX WARN: Type inference failed for: r0v9, types: [java.time.LocalDateTime, java.time.temporal.Temporal] */
    public Duration timeBeforeExpiryGracePeriod(X509Certificate x509Certificate) {
        ?? localDateTime = x509Certificate.getNotAfter().toInstant().minus((TemporalAmount) this.securityConfig.getRenewalGracePeriod()).atZone(ZoneId.systemDefault()).toLocalDateTime();
        LocalDateTime now = LocalDateTime.now();
        return localDateTime.isBefore(now) ? Duration.ZERO : Duration.between(now, localDateTime);
    }

    public String renewAndStoreKeyAndCertificate(boolean z) throws CertificateException {
        if (!z) {
            synchronized (this) {
                Preconditions.checkArgument(timeBeforeExpiryGracePeriod(firstCertificateFrom(this.certPath)).isZero());
            }
        }
        String str = this.securityConfig.getKeyLocation(this.component).toString() + "-next";
        String str2 = this.securityConfig.getCertificateLocation(this.component).toString() + "-next";
        File file = new File(str);
        File file2 = new File(str2);
        try {
            FileUtils.deleteDirectory(file);
            FileUtils.deleteDirectory(file2);
            Files.createDirectories(file.toPath(), new FileAttribute[0]);
            Files.createDirectories(file2.toPath(), new FileAttribute[0]);
            try {
                KeyPair createKeyPair = createKeyPair(new KeyCodec(this.securityConfig, file.toPath()));
                try {
                    CertificateSignRequest.Builder cSRBuilder = getCSRBuilder();
                    cSRBuilder.setKey(createKeyPair);
                    String signAndStoreCertificate = signAndStoreCertificate(cSRBuilder.build(), Paths.get(str2, new String[0]), true);
                    File file3 = new File(this.securityConfig.getKeyLocation(this.component).toString());
                    File file4 = new File(this.securityConfig.getCertificateLocation(this.component).toString());
                    File file5 = new File(this.securityConfig.getKeyLocation(this.component).toString() + "-previous");
                    File file6 = new File(this.securityConfig.getCertificateLocation(this.component).toString() + "-previous");
                    try {
                        Files.move(file3.toPath(), file5.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                        try {
                            Files.move(file4.toPath(), file6.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                            try {
                                Files.move(file.toPath(), file3.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                                try {
                                    Files.move(file2.toPath(), file4.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                                    getLogger().info("Successful renew key and certificate. New certificate {}.", signAndStoreCertificate);
                                    return signAndStoreCertificate;
                                } catch (IOException e) {
                                    String str3 = "Failed to move " + file2.getAbsolutePath() + " to " + file4.getAbsolutePath() + " during certificate renew.";
                                    try {
                                        FileUtils.deleteDirectory(new File(file3.toString()));
                                        rollbackBackupDir(file3, file4, file5, file6);
                                        throw new CertificateException(str3, CertificateException.ErrorCode.RENEW_ERROR);
                                    } catch (IOException e2) {
                                        getLogger().error("Failed to delete current KeyDir {} which is moved  from the newly generated KeyDir {}", new Object[]{file3, file, e});
                                        throw new CertificateException(str3, CertificateException.ErrorCode.RENEW_ERROR);
                                    }
                                }
                            } catch (IOException e3) {
                                String str4 = "Failed to move " + file.getAbsolutePath() + " to " + file3.getAbsolutePath() + " during certificate renew.";
                                rollbackBackupDir(file3, file4, file5, file6);
                                throw new CertificateException(str4, CertificateException.ErrorCode.RENEW_ERROR);
                            }
                        } catch (IOException e4) {
                            rollbackBackupDir(file3, file4, file5, file6);
                            throw new CertificateException("Failed to move " + file4.getAbsolutePath() + " to " + file6.getAbsolutePath() + " during certificate renew.", CertificateException.ErrorCode.RENEW_ERROR);
                        }
                    } catch (IOException e5) {
                        throw new CertificateException("Failed to move " + file3.getAbsolutePath() + " to " + file5.getAbsolutePath() + " during certificate renew.", CertificateException.ErrorCode.RENEW_ERROR);
                    }
                } catch (Exception e6) {
                    throw new CertificateException("Error while signing and storing new certificates.", e6, CertificateException.ErrorCode.RENEW_ERROR);
                }
            } catch (CertificateException e7) {
                throw new CertificateException("Error while creating new key pair.", e7, CertificateException.ErrorCode.RENEW_ERROR);
            }
        } catch (IOException e8) {
            throw new CertificateException("Error while deleting/creating " + str + " or " + str2 + " directories to cleanup  certificate storage. ", e8, CertificateException.ErrorCode.RENEW_ERROR);
        }
    }

    private void rollbackBackupDir(File file, File file2, File file3, File file4) throws CertificateException {
        try {
            Files.move(file3.toPath(), file.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
            try {
                Files.move(file4.toPath(), file2.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                Preconditions.checkArgument(file2.exists());
                Preconditions.checkArgument(file.exists());
            } catch (IOException e) {
                throw new CertificateException("Failed to move " + file4.getAbsolutePath() + " back to " + file2.getAbsolutePath() + " during rollback.", CertificateException.ErrorCode.ROLLBACK_ERROR);
            }
        } catch (IOException e2) {
            throw new CertificateException("Failed to move " + file3.getAbsolutePath() + " back to " + file.getAbsolutePath() + " during rollback.", CertificateException.ErrorCode.ROLLBACK_ERROR);
        }
    }

    public void cleanBackupDir() {
        File file = new File(this.securityConfig.getKeyLocation(this.component).toString() + "-previous");
        File file2 = new File(this.securityConfig.getCertificateLocation(this.component).toString() + "-previous");
        if (file.exists()) {
            try {
                FileUtils.deleteDirectory(file);
            } catch (IOException e) {
                getLogger().error("Error while deleting {} directories for certificate storage cleanup.", file, e);
            }
        }
        if (file2.exists()) {
            try {
                FileUtils.deleteDirectory(file2);
            } catch (IOException e2) {
                getLogger().error("Error while deleting {} directories for certificate storage cleanup.", file2, e2);
            }
        }
    }

    public synchronized void reloadKeyAndCertificate(String str) {
        this.privateKey = null;
        this.publicKey = null;
        this.certPath = null;
        this.caCertId = null;
        this.rootCaCertId = null;
        String updateCertSerialId = updateCertSerialId(str);
        getLogger().info("Reset and reloaded key and all certificates for new certificate {}.", str);
        notifyNotificationReceivers(updateCertSerialId, str);
    }

    public SecurityConfig getSecurityConfig() {
        return this.securityConfig;
    }

    private synchronized String updateCertSerialId(String str) {
        this.certSerialId = str;
        getLogger().info("Certificate serial ID set to {}", this.certSerialId);
        loadAllCertificates();
        return this.certSerialId;
    }

    protected String signAndStoreCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, Path path) throws CertificateException {
        return signAndStoreCertificate(pKCS10CertificationRequest, path, false);
    }

    protected abstract SCMSecurityProtocolProtos.SCMGetCertResponseProto getCertificateSignResponse(PKCS10CertificationRequest pKCS10CertificationRequest) throws IOException;

    protected String signAndStoreCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, Path path, boolean z) throws CertificateException {
        try {
            SCMSecurityProtocolProtos.SCMGetCertResponseProto certificateSignResponse = getCertificateSignResponse(pKCS10CertificationRequest);
            if (!certificateSignResponse.hasX509CACertificate()) {
                throw new CertificateException("Unable to retrieve certificate chain.");
            }
            String x509Certificate = certificateSignResponse.getX509Certificate();
            CertificateCodec certificateCodec = new CertificateCodec(getSecurityConfig(), path);
            storeCertificate(x509Certificate, CAType.NONE, certificateCodec, false, !z);
            storeCertificate(certificateSignResponse.getX509CACertificate(), CAType.SUBORDINATE, certificateCodec, false, !z);
            getAndStoreAllRootCAs(certificateCodec, z);
            return updateCertSerialId(CertificateCodec.getX509Certificate(x509Certificate).getSerialNumber().toString());
        } catch (IOException | java.security.cert.CertificateException e) {
            this.logger.error("Error while signing and storing SCM signed certificate.", e);
            throw new CertificateException("Error while signing and storing SCM signed certificate.", e);
        }
    }

    private void getAndStoreAllRootCAs(CertificateCodec certificateCodec, boolean z) throws IOException {
        Iterator<String> it = this.scmSecurityClient.getAllRootCaCertificates().iterator();
        while (it.hasNext()) {
            storeCertificate(it.next(), CAType.ROOT, certificateCodec, false, !z);
        }
    }

    public String signAndStoreCertificate(PKCS10CertificationRequest pKCS10CertificationRequest) throws CertificateException {
        return updateCertSerialId(signAndStoreCertificate(pKCS10CertificationRequest, this.securityConfig.getCertificateLocation(getComponentName())));
    }

    public SCMSecurityProtocolClientSideTranslatorPB getScmSecureClient() {
        return this.scmSecurityClient;
    }

    protected boolean shouldStartCertificateRenewerService() {
        return true;
    }

    public synchronized CompletableFuture<Void> getRootCaRotationListener(List<X509Certificate> list) {
        if (this.rootCaCertificates.containsAll(list)) {
            return CompletableFuture.completedFuture(null);
        }
        RootCaRotationPoller rootCaRotationPoller = this.rootCaRotationPoller;
        rootCaRotationPoller.getClass();
        return CompletableFuture.runAsync(new CertificateRenewerService(true, rootCaRotationPoller::setCertificateRenewalError), this.executorService);
    }

    public synchronized void startCertificateRenewerService() {
        Preconditions.checkNotNull(getCertificate(), "Component certificate should not be empty");
        Duration renewalGracePeriod = this.securityConfig.getRenewalGracePeriod();
        long millis = timeBeforeExpiryGracePeriod(firstCertificateFrom(this.certPath)).toMillis();
        long min = Math.min(renewalGracePeriod.toMillis() / 3, TimeUnit.DAYS.toMillis(1L));
        if (this.executorService == null) {
            this.executorService = Executors.newScheduledThreadPool(1, new ThreadFactoryBuilder().setNameFormat(this.threadNamePrefix + getComponentName() + "-CertificateRenewerService").setDaemon(true).build());
        }
        this.executorService.scheduleAtFixedRate(new CertificateRenewerService(false, () -> {
        }), millis + 1, min, TimeUnit.MILLISECONDS);
        getLogger().info("CertificateRenewerService for {} is started with first delay {} ms and interval {} ms.", new Object[]{this.component, Long.valueOf(millis), Long.valueOf(min)});
    }

    @VisibleForTesting
    public synchronized void setCACertificate(X509Certificate x509Certificate) throws Exception {
        this.caCertId = x509Certificate.getSerialNumber().toString();
        String pEMEncodedString = CertificateCodec.getPEMEncodedString(x509Certificate);
        this.certificateMap.put(this.caCertId, CertificateCodec.getCertPathFromPemEncodedString(pEMEncodedString));
        this.pemEncodedCACerts = Arrays.asList(pEMEncodedString);
    }
}
