package org.apache.hadoop.hdds.security.x509.certificate.authority;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Future;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;
import org.apache.commons.collections.CollectionUtils;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer.class */
public class DefaultCAServer implements CertificateServer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultCAServer.class);
    private final String subject;
    private final String clusterID;
    private final String scmID;
    private String componentName;
    private Path caKeysPath;
    private Path caRootX509Path;
    private SecurityConfig config;
    private PKIProfile profile;
    private CertificateApprover approver;
    private CRLApprover crlApprover;
    private CertificateStore store;
    private Lock lock;
    private static boolean testSecureFlag;
    private BigInteger rootCertificateId;

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultCAServer$VerificationStatus.class */
    public enum VerificationStatus {
        SUCCESS,
        MISSING_KEYS,
        MISSING_CERTIFICATE,
        INITIALIZE
    }

    public DefaultCAServer(String str, String str2, String str3, CertificateStore certificateStore, BigInteger bigInteger, PKIProfile pKIProfile, String str4) {
        this.subject = str;
        this.clusterID = str2;
        this.scmID = str3;
        this.store = certificateStore;
        this.rootCertificateId = bigInteger;
        this.profile = pKIProfile;
        this.componentName = str4;
        this.lock = new ReentrantLock();
    }

    public DefaultCAServer(String str, String str2, String str3, CertificateStore certificateStore, PKIProfile pKIProfile, String str4) {
        this(str, str2, str3, certificateStore, BigInteger.ONE, pKIProfile, str4);
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public void init(SecurityConfig securityConfig, CAType cAType) throws IOException {
        this.caKeysPath = securityConfig.getKeyLocation(this.componentName);
        this.caRootX509Path = securityConfig.getCertificateLocation(this.componentName);
        this.config = securityConfig;
        this.approver = new DefaultApprover(this.profile, this.config);
        processVerificationStatus(verifySelfSignedCA(securityConfig), cAType).accept(securityConfig);
        this.crlApprover = new DefaultCRLApprover(securityConfig, getCAKeys().getPrivate());
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public X509CertificateHolder getCACertificate() throws IOException {
        try {
            return new CertificateCodec(this.config, this.componentName).getTargetCertHolder();
        } catch (CertificateException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public CertPath getCaCertPath() throws CertificateException, IOException {
        return new CertificateCodec(this.config, this.componentName).getCertPath();
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public X509Certificate getCertificate(String str) throws IOException {
        return this.store.getCertificateByID(new BigInteger(str), CertificateStore.CertType.VALID_CERTS);
    }

    private KeyPair getCAKeys() throws IOException {
        KeyCodec keyCodec = new KeyCodec(this.config, this.componentName);
        try {
            return new KeyPair(keyCodec.readPublicKey(), keyCodec.readPrivateKey());
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IOException(e);
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:9:0x005f. Please report as an issue. */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public Future<CertPath> requestCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, CertificateApprover.ApprovalType approvalType, HddsProtos.NodeType nodeType, String str) {
        X509CertificateHolder signAndStoreCertificate;
        LocalDateTime now = LocalDateTime.now();
        LocalDateTime plus = nodeType == HddsProtos.NodeType.SCM ? now.plus((TemporalAmount) this.config.getMaxCertificateDuration()) : now.plus((TemporalAmount) this.config.getDefaultCertDuration());
        CompletableFuture<X509CertificateHolder> inspectCSR = this.approver.inspectCSR(pKCS10CertificationRequest);
        CompletableFuture completableFuture = new CompletableFuture();
        if (inspectCSR.isCompletedExceptionally()) {
            completableFuture.completeExceptionally(new SCMSecurityException("Failed to verify the CSR."));
        }
        try {
        } catch (IOException | CertificateException | OperatorCreationException e) {
            LOG.error("Unable to issue a certificate.", e);
            completableFuture.completeExceptionally(new SCMSecurityException(e, SCMSecurityException.ErrorCode.UNABLE_TO_ISSUE_CERTIFICATE));
        }
        switch (approvalType) {
            case MANUAL:
                completableFuture.completeExceptionally(new SCMSecurityException("Manual approval is not yet implemented."));
                return completableFuture;
            case KERBEROS_TRUSTED:
            case TESTING_AUTOMATIC:
                try {
                    signAndStoreCertificate = signAndStoreCertificate(now, plus, pKCS10CertificationRequest, nodeType, str);
                } catch (SCMSecurityException e2) {
                    LOG.error("Certificate storage failed, retrying one more time.", e2);
                    signAndStoreCertificate = signAndStoreCertificate(now, plus, pKCS10CertificationRequest, nodeType, str);
                }
                CertificateCodec certificateCodec = new CertificateCodec(this.config, this.componentName);
                completableFuture.complete(certificateCodec.prependCertToCertPath(signAndStoreCertificate, certificateCodec.getCertPath()));
                return completableFuture;
            default:
                return null;
        }
    }

    /* JADX WARN: Type inference failed for: r4v1, types: [java.time.ZonedDateTime] */
    /* JADX WARN: Type inference failed for: r5v2, types: [java.time.ZonedDateTime] */
    private X509CertificateHolder signAndStoreCertificate(LocalDateTime localDateTime, LocalDateTime localDateTime2, PKCS10CertificationRequest pKCS10CertificationRequest, HddsProtos.NodeType nodeType, String str) throws IOException, OperatorCreationException, CertificateException {
        this.lock.lock();
        try {
            Preconditions.checkState(!Strings.isNullOrEmpty(str));
            X509CertificateHolder sign = this.approver.sign(this.config, getCAKeys().getPrivate(), getCACertificate(), Date.from(localDateTime.atZone(ZoneId.systemDefault()).toInstant()), Date.from(localDateTime2.atZone(ZoneId.systemDefault()).toInstant()), pKCS10CertificationRequest, this.scmID, this.clusterID, str);
            if (this.store != null) {
                this.store.checkValidCertID(sign.getSerialNumber());
                this.store.storeValidCertificate(sign.getSerialNumber(), CertificateCodec.getX509Certificate(sign), nodeType);
            }
            return sign;
        } finally {
            this.lock.unlock();
        }
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public Future<Optional<Long>> revokeCertificates(List<BigInteger> list, CRLReason cRLReason, Date date) {
        CompletableFuture completableFuture = new CompletableFuture();
        if (CollectionUtils.isEmpty(list)) {
            completableFuture.completeExceptionally(new SCMSecurityException("Certificates cannot be null or empty"));
            return completableFuture;
        }
        try {
            completableFuture.complete(this.store.revokeCertificates(list, getCACertificate(), cRLReason, date, this.crlApprover));
        } catch (IOException e) {
            LOG.error("Revoking the certificate failed.", e.getCause());
            completableFuture.completeExceptionally(new SCMSecurityException(e));
        }
        return completableFuture;
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public List<X509Certificate> listCertificate(HddsProtos.NodeType nodeType, long j, int i, boolean z) throws IOException {
        return this.store.listCertificate(nodeType, BigInteger.valueOf(j), i, z ? CertificateStore.CertType.REVOKED_CERTS : CertificateStore.CertType.VALID_CERTS);
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public void reinitialize(SCMMetadataStore sCMMetadataStore) {
        this.store.reinitialize(sCMMetadataStore);
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public List<CRLInfo> getCrls(List<Long> list) throws IOException {
        return this.store.getCrls(list);
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer
    public long getLatestCrlId() {
        return this.store.getLatestCrlId();
    }

    private void generateSelfSignedCA(SecurityConfig securityConfig) throws NoSuchAlgorithmException, NoSuchProviderException, IOException {
        generateRootCertificate(securityConfig, generateKeys(securityConfig));
    }

    private VerificationStatus verifySelfSignedCA(SecurityConfig securityConfig) {
        boolean checkIfKeysExist = checkIfKeysExist();
        boolean checkIfCertificatesExist = checkIfCertificatesExist();
        return (checkIfCertificatesExist == checkIfKeysExist && checkIfCertificatesExist) ? VerificationStatus.SUCCESS : checkIfCertificatesExist == checkIfKeysExist ? VerificationStatus.INITIALIZE : checkIfCertificatesExist ? VerificationStatus.MISSING_KEYS : VerificationStatus.MISSING_CERTIFICATE;
    }

    private boolean checkIfKeysExist() {
        if (Files.exists(this.caKeysPath, new LinkOption[0])) {
            return Files.exists(Paths.get(this.caKeysPath.toString(), this.config.getPrivateKeyFileName()), new LinkOption[0]);
        }
        return false;
    }

    private boolean checkIfCertificatesExist() {
        if (Files.exists(this.caRootX509Path, new LinkOption[0])) {
            return Files.exists(Paths.get(this.caRootX509Path.toString(), this.config.getCertificateFileName()), new LinkOption[0]);
        }
        return false;
    }

    @VisibleForTesting
    Consumer<SecurityConfig> processVerificationStatus(VerificationStatus verificationStatus, CAType cAType) {
        Consumer<SecurityConfig> consumer = null;
        switch (verificationStatus) {
            case SUCCESS:
                consumer = securityConfig -> {
                    LOG.info("CertificateServer validation is successful");
                };
                break;
            case MISSING_KEYS:
                consumer = securityConfig2 -> {
                    LOG.error("We have found the Certificate for this CertificateServer, but keys used by this CertificateServer is missing. This is a non-recoverable error. Please restart the system after locating the Keys used by the CertificateServer.");
                    LOG.error("Exiting due to unrecoverable CertificateServer error.");
                    throw new IllegalStateException("Missing Keys, cannot continue.");
                };
                break;
            case MISSING_CERTIFICATE:
                consumer = securityConfig3 -> {
                    LOG.error("We found the keys, but the root certificate for this CertificateServer is missing. Please restart SCM after locating the Certificates.");
                    LOG.error("Exiting due to unrecoverable CertificateServer error.");
                    throw new IllegalStateException("Missing Root Certs, cannot continue.");
                };
                break;
            case INITIALIZE:
                if (cAType != CAType.ROOT) {
                    if (cAType == CAType.SUBORDINATE) {
                        consumer = securityConfig4 -> {
                            LOG.error("Sub SCM CA Server is missing keys/certs. SCM is started with out init/bootstrap");
                            throw new IllegalStateException("INTERMEDIARY_CA Should not be in Initialize State during startup.");
                        };
                        break;
                    }
                } else {
                    consumer = this::initRootCa;
                    break;
                }
                break;
        }
        return consumer;
    }

    private void initRootCa(SecurityConfig securityConfig) {
        if (isExternalCaSpecified(securityConfig)) {
            initWithExternalRootCa(securityConfig);
        } else {
            try {
                generateSelfSignedCA(securityConfig);
            } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException e) {
                LOG.error("Unable to initialize CertificateServer.", e);
            }
        }
        if (verifySelfSignedCA(securityConfig) != VerificationStatus.SUCCESS) {
            LOG.error("Unable to initialize CertificateServer, failed in verification.");
        }
    }

    private boolean isExternalCaSpecified(SecurityConfig securityConfig) {
        return (securityConfig.getExternalRootCaCert().isEmpty() || securityConfig.getExternalRootCaPrivateKeyPath().isEmpty()) ? false : true;
    }

    private KeyPair generateKeys(SecurityConfig securityConfig) throws NoSuchProviderException, NoSuchAlgorithmException, IOException {
        KeyPair generateKey = new HDDSKeyGenerator(securityConfig).generateKey();
        new KeyCodec(securityConfig, this.componentName).writeKey(generateKey);
        return generateKey;
    }

    private void generateRootCertificate(SecurityConfig securityConfig, KeyPair keyPair) throws IOException, SCMSecurityException {
        Preconditions.checkNotNull(this.config);
        LocalDateTime now = LocalDateTime.now();
        SelfSignedCertificate.Builder key = SelfSignedCertificate.newBuilder().setSubject(this.subject).setScmID(this.scmID).setClusterID(this.clusterID).setBeginDate(now).setEndDate(now.plus((TemporalAmount) securityConfig.getMaxCertificateDuration())).makeCA(this.rootCertificateId).setConfiguration(securityConfig).setKey(keyPair);
        key.addInetAddresses();
        new CertificateCodec(this.config, this.componentName).writeCertificate(key.build());
    }

    private void initWithExternalRootCa(SecurityConfig securityConfig) {
        Path path = Paths.get(securityConfig.getExternalRootCaCert(), new String[0]);
        Path path2 = Paths.get(securityConfig.getExternalRootCaPrivateKeyPath(), new String[0]);
        String externalRootCaPublicKeyPath = securityConfig.getExternalRootCaPublicKeyPath();
        KeyCodec keyCodec = new KeyCodec(this.config, this.componentName);
        CertificateCodec certificateCodec = new CertificateCodec(this.config, this.componentName);
        try {
            Path parent = path.getParent();
            Path fileName = path.getFileName();
            if (parent == null || fileName == null) {
                throw new IOException("External cert path is not correct: " + path);
            }
            X509CertificateHolder targetCertHolder = certificateCodec.getTargetCertHolder(parent, fileName.toString());
            Path parent2 = path2.getParent();
            Path fileName2 = path2.getFileName();
            if (parent2 == null || fileName2 == null) {
                throw new IOException("External private key path is not correct: " + path2);
            }
            keyCodec.writeKey(new KeyPair(readPublicKeyWithExternalData(externalRootCaPublicKeyPath, keyCodec, targetCertHolder), keyCodec.readPrivateKey(parent2, fileName2.toString())));
            certificateCodec.writeCertificate(targetCertHolder);
        } catch (IOException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            LOG.error("External root CA certificate initialization failed", e);
        }
    }

    private PublicKey readPublicKeyWithExternalData(String str, KeyCodec keyCodec, X509CertificateHolder x509CertificateHolder) throws CertificateException, NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        PublicKey readPublicKey;
        if (str.isEmpty()) {
            readPublicKey = CertificateCodec.getX509Certificate(x509CertificateHolder).getPublicKey();
        } else {
            Path path = Paths.get(str, new String[0]);
            Path fileName = path.getFileName();
            Path parent = path.getParent();
            if (fileName == null || parent == null) {
                throw new IOException("Public key path incorrect: " + parent);
            }
            readPublicKey = keyCodec.readPublicKey(parent, fileName.toString());
        }
        return readPublicKey;
    }

    @VisibleForTesting
    public static void setTestSecureFlag(boolean z) {
        testSecureFlag = z;
    }
}
