package org.apache.hadoop.hdds.security.x509.certificate.utils;

import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.KeyPair;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.apache.hadoop.ozone.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.ozone.shaded.com.google.common.base.Preconditions;
import org.apache.hadoop.ozone.shaded.org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.ozone.shaded.org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.ASN1Encodable;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.ASN1EncodableVector;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.ASN1Object;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.DERSequence;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.DERTaggedObject;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.DERUTF8String;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x500.X500Name;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.BasicConstraints;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.Extension;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.GeneralName;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.GeneralNames;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.KeyUsage;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.cert.CertIOException;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.cert.X509CertificateHolder;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.cert.X509v3CertificateBuilder;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.operator.ContentSigner;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.operator.OperatorCreationException;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.apache.hadoop.util.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/utils/SelfSignedCertificate.class */
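/**
 * Builds a self-signed X.509 certificate for an SCM/CA identity.
 *
 * <p>The certificate is both issued by and issued to the same distinguished
 * name, which is assembled from {@code subject}, {@code scmID},
 * {@code clusterID} and the serial number via
 * {@link CertificateSignRequest#getDistinguishedNameFormatWithSN()}.
 * Instances are created only through {@link Builder}, which validates the
 * inputs and the requested validity period before signing.
 *
 * <p>Not thread-safe; a builder and the certificate it produces are meant to
 * be used from a single thread.
 */
public final class SelfSignedCertificate {
    private final String subject;
    private final String clusterID;
    private final String scmID;
    private final LocalDateTime beginDate;
    private final LocalDateTime endDate;
    private final KeyPair key;
    private final SecurityConfig config;
    // Subject alternative names collected by the builder; may be null when none were added.
    private final List<GeneralName> altNames;
    private static final Logger LOG = LoggerFactory.getLogger(SelfSignedCertificate.class);

    /**
     * Fluent builder for {@link SelfSignedCertificate}.
     *
     * <p>Required before {@link #build()}: key, subject, cluster ID, SCM ID,
     * begin/end dates and a {@link SecurityConfig}. Calling one of the
     * {@code makeCA} methods marks the certificate as a CA certificate; only
     * CA certificates carry the basic-constraints, key-usage and
     * subject-alternative-name extensions (see
     * {@link SelfSignedCertificate#generateCertificate(BigInteger)}).
     */
    public static class Builder {
        // OID used for the otherName SAN entry produced by addServiceName().
        private static final String OTHER_NAME_OID = "2.16.840.1.113730.3.1.34";

        private String subject;
        private String clusterID;
        private String scmID;
        private LocalDateTime beginDate;
        private LocalDateTime endDate;
        private KeyPair key;
        private SecurityConfig config;
        // Non-null means "issue a CA certificate with this serial number".
        private BigInteger caCertSerialId;
        private List<GeneralName> altNames;

        /**
         * Sets the security configuration that supplies the signature
         * algorithm, the JCA provider and the maximum certificate duration.
         *
         * @param securityConfig configuration to use; must be non-null by {@link #build()}
         * @return this builder
         */
        public Builder setConfiguration(SecurityConfig securityConfig) {
            this.config = securityConfig;
            return this;
        }

        /**
         * Sets the key pair whose public key is certified and whose private
         * key signs the certificate.
         *
         * @param keyPair key pair; must be non-null by {@link #build()}
         * @return this builder
         */
        public Builder setKey(KeyPair keyPair) {
            this.key = keyPair;
            return this;
        }

        /**
         * Sets the subject component of the distinguished name.
         *
         * @param subject subject; must be non-blank by {@link #build()}
         * @return this builder
         */
        public Builder setSubject(String subject) {
            this.subject = subject;
            return this;
        }

        /**
         * Sets the cluster ID component of the distinguished name.
         *
         * @param clusterID cluster ID; must be non-blank by {@link #build()}
         * @return this builder
         */
        public Builder setClusterID(String clusterID) {
            this.clusterID = clusterID;
            return this;
        }

        /**
         * Sets the SCM ID component of the distinguished name.
         *
         * @param scmID SCM ID; must be non-blank by {@link #build()}
         * @return this builder
         */
        public Builder setScmID(String scmID) {
            this.scmID = scmID;
            return this;
        }

        /**
         * Sets the start of the validity period (interpreted in the system
         * default time zone when the certificate is generated).
         *
         * @param beginDate not-before date; must precede the end date
         * @return this builder
         */
        public Builder setBeginDate(LocalDateTime beginDate) {
            this.beginDate = beginDate;
            return this;
        }

        /**
         * Sets the end of the validity period (interpreted in the system
         * default time zone when the certificate is generated).
         *
         * @param endDate not-after date
         * @return this builder
         */
        public Builder setEndDate(LocalDateTime endDate) {
            this.endDate = endDate;
            return this;
        }

        /**
         * Marks the certificate as a CA certificate with serial number 1.
         *
         * @return this builder
         */
        public Builder makeCA() {
            return makeCA(BigInteger.ONE);
        }

        /**
         * Marks the certificate as a CA certificate with the given serial number.
         *
         * @param caCertSerialId serial number to use; {@code null} reverts to a non-CA certificate
         * @return this builder
         */
        public Builder makeCA(BigInteger caCertSerialId) {
            this.caCertSerialId = caCertSerialId;
            return this;
        }

        /**
         * Adds the current host's valid addresses (and their canonical host
         * names) as subject alternative names.
         *
         * @return this builder
         * @throws CertificateException if the host's addresses cannot be determined
         */
        public Builder addInetAddresses() throws CertificateException {
            try {
                addInetAddresses(OzoneSecurityUtil.getValidInetsForCurrentHost(), DomainValidator.getInstance());
                return this;
            } catch (IOException e) {
                throw new CertificateException("Error while getting Inet addresses for the CSR builder", e, CertificateException.ErrorCode.CSR_ERROR);
            }
        }

        /**
         * Adds each address as an iPAddress SAN entry and, when its canonical
         * host name passes {@code domainValidator}, that name as a dNSName entry.
         *
         * <p>The canonical host name comes from a reverse DNS lookup
         * ({@link InetAddress#getCanonicalHostName()}), so the dNSName placed
         * in the certificate is only as trustworthy as the resolver answering
         * that lookup. Names that fail validation are logged and skipped.
         *
         * @param addresses       addresses to add
         * @param domainValidator validator applied to each canonical host name
         * @return this builder
         */
        public Builder addInetAddresses(List<InetAddress> addresses, DomainValidator domainValidator) {
            for (InetAddress address : addresses) {
                addIpAddress(address.getHostAddress());
                // Look the name up once so the validated string is exactly the one added.
                String canonicalHostName = address.getCanonicalHostName();
                if (domainValidator.isValid(canonicalHostName)) {
                    addDnsName(canonicalHostName);
                } else {
                    SelfSignedCertificate.LOG.error("Invalid domain {}", canonicalHostName);
                }
            }
            return this;
        }

        /**
         * Adds a dNSName subject alternative name.
         *
         * @param dnsName DNS name; must not be null
         * @return this builder
         */
        public Builder addDnsName(String dnsName) {
            Preconditions.checkNotNull(dnsName, "dnsName cannot be null");
            addAltName(GeneralName.dNSName, dnsName);
            return this;
        }

        /**
         * Adds an iPAddress subject alternative name.
         *
         * @param ipAddress textual IP address; must not be null
         * @return this builder
         */
        public Builder addIpAddress(String ipAddress) {
            Preconditions.checkNotNull(ipAddress, "Ip address cannot be null");
            addAltName(GeneralName.iPAddress, ipAddress);
            return this;
        }

        /**
         * Adds a service name as an otherName subject alternative name.
         *
         * @param serviceName service name; must not be null
         * @return this builder
         */
        public Builder addServiceName(String serviceName) {
            Preconditions.checkNotNull(serviceName, "Service Name cannot be null");
            addAltName(GeneralName.otherName, serviceName);
            return this;
        }

        /**
         * Appends one SAN entry of the given {@link GeneralName} tag.
         * otherName entries are wrapped in the ASN.1 structure built by
         * {@link #addOtherNameAsn1Object(String)}; all other tags take the
         * string directly.
         */
        private Builder addAltName(int tag, String value) {
            if (this.altNames == null) {
                this.altNames = new ArrayList<>();
            }
            if (tag == GeneralName.otherName) {
                this.altNames.add(new GeneralName(tag, addOtherNameAsn1Object(value)));
            } else {
                this.altNames.add(new GeneralName(tag, value));
            }
            return this;
        }

        /**
         * Encodes {@code value} as an otherName: a SEQUENCE of the
         * {@link #OTHER_NAME_OID} type-id and an explicitly tagged UTF8String,
         * wrapped in an implicit [0] tag.
         */
        private ASN1Object addOtherNameAsn1Object(String value) {
            ASN1EncodableVector otherName = new ASN1EncodableVector();
            otherName.add(new ASN1ObjectIdentifier(OTHER_NAME_OID));
            otherName.add(new DERTaggedObject(true, 0, new DERUTF8String(value)));
            return new DERTaggedObject(false, 0, new DERSequence(otherName));
        }

        /**
         * Validates the collected inputs and signs the certificate.
         *
         * @return the signed certificate
         * @throws SCMSecurityException if the validity period exceeds the configured
         *                              maximum, or if signing fails
         * @throws IOException          if the certificate cannot be encoded
         * @throws NullPointerException if key, configuration or either date is missing
         * @throws IllegalArgumentException if subject, cluster ID or SCM ID is blank,
         *                              or the begin date is not before the end date
         */
        public X509CertificateHolder build() throws SCMSecurityException, IOException {
            Preconditions.checkNotNull(this.key, "Key cannot be null");
            Preconditions.checkArgument(StringUtils.isNotBlank(this.subject), "Subject cannot be blank");
            Preconditions.checkArgument(StringUtils.isNotBlank(this.clusterID), "Cluster ID cannot be blank");
            Preconditions.checkArgument(StringUtils.isNotBlank(this.scmID), "SCM ID cannot be blank");
            // Explicit null checks give a readable message instead of a bare NPE from isBefore().
            Preconditions.checkNotNull(this.beginDate, "Certificate begin date cannot be null");
            Preconditions.checkNotNull(this.endDate, "Certificate end date cannot be null");
            Preconditions.checkArgument(this.beginDate.isBefore(this.endDate), "Certificate begin date should be before end date");
            Preconditions.checkNotNull(this.config, "Security configuration cannot be null");
            Duration requestedDuration = Duration.between(this.beginDate, this.endDate);
            Duration maxCertificateDuration = this.config.getMaxCertificateDuration();
            if (requestedDuration.compareTo(maxCertificateDuration) > 0) {
                throw new SCMSecurityException("The cert duration violates the maximum configured value. Please check the hdds.x509.max.duration config key. Current Value: " + requestedDuration + " config: " + maxCertificateDuration);
            }
            try {
                return new SelfSignedCertificate(this).generateCertificate(this.caCertSerialId);
            } catch (CertIOException | OperatorCreationException e) {
                // Chain the exception itself, not its (possibly null) cause, so no context is lost.
                throw new CertificateException("Unable to create root certificate.", e);
            }
        }
    }

    private SelfSignedCertificate(Builder builder) {
        this.subject = builder.subject;
        this.clusterID = builder.clusterID;
        this.scmID = builder.scmID;
        this.beginDate = builder.beginDate;
        this.endDate = builder.endDate;
        this.config = builder.config;
        this.key = builder.key;
        this.altNames = builder.altNames;
    }

    /**
     * Returns the {@link String#format} pattern used to compose the
     * distinguished name (subject, SCM ID, cluster ID, serial number).
     *
     * @return the distinguished-name format string
     */
    @VisibleForTesting
    public static String getNameFormat() {
        return CertificateSignRequest.getDistinguishedNameFormatWithSN();
    }

    /**
     * Creates a new, empty {@link Builder}.
     *
     * @return a fresh builder
     */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Signs and returns the self-signed certificate.
     *
     * <p>The decompiler reports this method was originally {@code private};
     * it is kept {@code public} here to match the class as shown.
     *
     * <p>When {@code caCertSerialId} is non-null the certificate is a CA:
     * it gets a critical basic-constraints (cA=true) extension, a critical
     * key-usage extension allowing certificate and CRL signing, and — only
     * in this CA case — the collected subject alternative names. Otherwise
     * no extensions are added and the serial number is taken from the
     * monotonic clock.
     *
     * @param caCertSerialId serial number for a CA certificate, or {@code null} for a non-CA certificate
     * @return the signed certificate holder
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws IOException               if an extension cannot be encoded
     */
    public X509CertificateHolder generateCertificate(BigInteger caCertSerialId) throws OperatorCreationException, IOException {
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(this.key.getPublic().getEncoded());
        ContentSigner signer = new JcaContentSignerBuilder(this.config.getSignatureAlgo())
                .setProvider(this.config.getProvider())
                .build(this.key.getPrivate());
        // NOTE(review): the non-CA serial is the monotonic clock value, so it is predictable and
        // not unique across processes; X.509 guidance favours a random (SecureRandom) serial.
        // Left as-is because the serial is also embedded in the distinguished name below.
        BigInteger serialNumber = caCertSerialId == null ? BigInteger.valueOf(Time.monotonicNow()) : caCertSerialId;
        X500Name name = new X500Name(String.format(getNameFormat(), this.subject, this.scmID, this.clusterID, serialNumber));
        // Validity is interpreted in the JVM's default zone; the same zone is used for both bounds.
        ZoneId zone = ZoneId.systemDefault();
        Date notBefore = Date.from(this.beginDate.atZone(zone).toInstant());
        Date notAfter = Date.from(this.endDate.atZone(zone).toInstant());
        X509v3CertificateBuilder certificateBuilder =
                new X509v3CertificateBuilder(name, serialNumber, notBefore, notAfter, name, publicKeyInfo);
        if (caCertSerialId != null) {
            certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
            // 6 == keyCertSign | cRLSign: the CA key may sign certificates and CRLs only.
            certificateBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
            if (this.altNames != null && !this.altNames.isEmpty()) {
                GeneralNames subjectAltNames = new GeneralNames(this.altNames.toArray(new GeneralName[0]));
                certificateBuilder.addExtension(new Extension(Extension.subjectAlternativeName, false, subjectAltNames.getEncoded()));
            }
        }
        X509CertificateHolder certificate = certificateBuilder.build(signer);
        LOG.info("Certificate {} is issued by {} to {}, valid from {} to {}",
                certificate.getSerialNumber(), certificate.getIssuer(), certificate.getSubject(),
                certificate.getNotBefore(), certificate.getNotAfter());
        return certificate;
    }
}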
