package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.configuration.updater.Task;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.TrustStoreMessages;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedAttributeValue;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

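/**
 * A {@link TrustStore} whose trust anchors are individual peer certificates kept in the broker
 * configuration (the {@code storedCertificates} attribute) rather than in a key store file.
 *
 * <p>Whenever {@code storedCertificates} is set through the configured-object framework, the
 * {@code afterSet} hook {@link #updateTrustManagers()} rebuilds an in-memory {@link KeyStore} and
 * the {@link TrustManager} array returned by {@link #getTrustManagers()}, so the trust decision
 * always reflects the persisted list. The list must therefore only be changed through
 * {@link #addCertificate(Certificate)}, {@link #removeCertificates(List)} or the attribute
 * setters; the list handed out by {@link #getStoredCertificates()} is read-only for that reason.
 *
 * <p>Stored certificates are identified for removal by issuer name plus serial number, which is
 * only possible for {@link X509Certificate}s, so {@link #addCertificate(Certificate)} rejects any
 * other certificate type rather than create an entry that could never be removed again.
 */
@ManagedObject(category = false)
public class ManagedPeerCertificateTrustStoreImpl
        extends AbstractConfiguredObject<ManagedPeerCertificateTrustStoreImpl>
        implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl> {
    private static final Logger LOGGER = LoggerFactory.getLogger(ManagedPeerCertificateTrustStoreImpl.class);

    /** Attribute name under which the certificate list is persisted via {@code setAttributesAsync}. */
    private static final String STORED_CERTIFICATES = "storedCertificates";

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    @ManagedAttributeField
    private boolean _exposedAsMessageSource;

    @ManagedAttributeField
    private List<VirtualHost> _includedVirtualHostMessageSources;

    @ManagedAttributeField
    private List<VirtualHost> _excludedVirtualHostMessageSources;

    /**
     * Trust managers derived from {@link #_storedCertificates}; {@code null} when the last rebuild
     * produced none. Volatile because it is replaced wholesale by {@link #updateTrustManagers()}
     * and read by whoever calls {@link #getTrustManagers()}.
     */
    private volatile TrustManager[] _trustManagers;

    /**
     * The persisted peer certificates. The framework replaces this list when the attribute is set
     * and then invokes {@link #updateTrustManagers()} (see {@code afterSet}).
     */
    @ManagedAttributeField(afterSet = "updateTrustManagers")
    private final List<Certificate> _storedCertificates;

    /**
     * Read-only management view of one stored {@link X509Certificate}. The pair
     * ({@link #getIssuerName()}, {@link #getSerialNumber()}) is what
     * {@link ManagedPeerCertificateTrustStoreImpl#removeCertificates(List)} uses to locate the
     * certificate again, so both must stay consistent with that method.
     */
    public static class CertificateDetailsImpl implements CertificateDetails, ManagedAttributeValue {
        /** GeneralName tag of an rfc822Name (e-mail address) in subjectAltName, per RFC 5280. */
        private static final int SAN_RFC822_NAME = 1;
        /** GeneralName tag of a dNSName in subjectAltName, per RFC 5280. */
        private static final int SAN_DNS_NAME = 2;

        private final X509Certificate _x509cert;

        public CertificateDetailsImpl(X509Certificate x509Certificate) {
            this._x509cert = x509Certificate;
        }

        /** Serial number as a decimal string; {@code removeCertificates} parses it back with {@code new BigInteger(String)}. */
        @Override
        public String getSerialNumber() {
            return _x509cert.getSerialNumber().toString();
        }

        @Override
        public int getVersion() {
            return _x509cert.getVersion();
        }

        @Override
        public String getSignatureAlgorithm() {
            return _x509cert.getSigAlgName();
        }

        /** Issuer DN in the RFC 2253 form produced by {@code X500Principal.getName()}. */
        @Override
        public String getIssuerName() {
            return _x509cert.getIssuerX500Principal().getName();
        }

        @Override
        public String getSubjectName() {
            return _x509cert.getSubjectX500Principal().getName();
        }

        /**
         * E-mail (rfc822Name) and DNS (dNSName) subject alternative names, trimmed. Other name
         * types (IP addresses, URIs, ...) are deliberately not reported. If the extension cannot
         * be parsed the failure is logged at debug level and an empty list is returned, so one
         * malformed certificate does not make the whole store unreadable through management.
         */
        @Override
        public List<String> getSubjectAltNames() {
            List<String> names = new ArrayList<>();
            try {
                Collection<List<?>> altNames = _x509cert.getSubjectAlternativeNames();
                if (altNames == null) {
                    return names;
                }
                for (List<?> entry : altNames) {
                    int nameType = ((Integer) entry.get(0)).intValue();
                    if (nameType == SAN_RFC822_NAME || nameType == SAN_DNS_NAME) {
                        names.add(entry.get(1).toString().trim());
                    }
                }
            } catch (CertificateParsingException e) {
                LOGGER.debug("Cannot parse subjectAltName extension of certificate serial {} issued by {}",
                             getSerialNumber(), getIssuerName(), e);
                return Collections.emptyList();
            }
            return names;
        }

        @Override
        public long getValidFrom() {
            return _x509cert.getNotBefore().getTime();
        }

        @Override
        public long getValidUntil() {
            return _x509cert.getNotAfter().getTime();
        }
    }

    /**
     * Creates the store with no certificates and no trust managers; both are populated when the
     * framework applies the {@code storedCertificates} attribute.
     */
    @ManagedObjectFactoryConstructor
    public ManagedPeerCertificateTrustStoreImpl(Map<String, Object> attributes, Broker<?> broker) {
        super(parentsMap(broker), attributes);
        _trustManagers = new TrustManager[0];
        _storedCertificates = new ArrayList<>();
        _broker = broker;
        _eventLogger = broker.getEventLogger();
        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
    }

    /**
     * @return the trust managers built from the stored certificates, or {@code null} if the last
     *         {@link #updateTrustManagers()} run produced none
     */
    @Override
    public TrustManager[] getTrustManagers() {
        return _trustManagers;
    }

    /** @return a fresh array holding the stored certificates in list order */
    @Override
    public Certificate[] getCertificates() {
        return _storedCertificates.toArray(new Certificate[_storedCertificates.size()]);
    }

    /**
     * Refuses deletion while a port or a SimpleLDAP authentication provider still references this
     * store by name, so a live listener cannot silently lose its trust anchors; otherwise marks
     * the object deleted and logs the event.
     *
     * @throws IntegrityViolationException if the store is still referenced
     */
    @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
    protected ListenableFuture<Void> doDelete() {
        final String name = getName();
        // Scan snapshots: the broker's child collections may change while we iterate.
        for (Port<?> port : new ArrayList<Port<?>>(_broker.getPorts())) {
            Collection<TrustStore> portTrustStores = port.getTrustStores();
            if (portTrustStores == null) {
                continue;
            }
            for (TrustStore referenced : portTrustStores) {
                if (name.equals(referenced.getAttribute(ConfiguredObject.NAME))) {
                    throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by a port: " + port.getName());
                }
            }
        }
        for (AuthenticationProvider<?> provider : new ArrayList<AuthenticationProvider<?>>(_broker.getAuthenticationProviders())) {
            if (!provider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE)) {
                continue;
            }
            Object providerType = provider.getAttribute(ConfiguredObject.TYPE);
            Object referenced = provider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
            // The attribute may be held as the store's name or as the TrustStore object itself;
            // accept both so the guard cannot be bypassed by the representation in use.
            boolean refersToThisStore = name.equals(referenced)
                    || (referenced instanceof ConfiguredObject && name.equals(((ConfiguredObject<?>) referenced).getName()));
            if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(providerType) && refersToThisStore) {
                throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by an authentication manager: " + provider.getName());
            }
        }
        deleted();
        setState(State.DELETED);
        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
        return Futures.<Void>immediateFuture(null);
    }

    /** Activation needs no I/O: the trust managers are already built by the attribute hook. */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        setState(State.ACTIVE);
        return Futures.<Void>immediateFuture(null);
    }

    /**
     * Rejects renames: ports and LDAP providers reference this store by name (see
     * {@link #doDelete()}), so a rename would silently break those references.
     *
     * @throws IllegalConfigurationException if the proposed change alters the name
     */
    @Override
    public void validateChange(ConfiguredObject<?> proxyForValidation, Set<String> changedAttributes) {
        super.validateChange(proxyForValidation, changedAttributes);
        ManagedPeerCertificateTrustStore proposed = (ManagedPeerCertificateTrustStore) proxyForValidation;
        if (changedAttributes.contains(ConfiguredObject.NAME) && !getName().equals(proposed.getName())) {
            // Message corrected: this object is a trust store, not a key store.
            throw new IllegalConfigurationException("Changing the trust store name is not allowed");
        }
    }

    /**
     * Rebuilds {@link #_trustManagers} from {@link #_storedCertificates}. Called by the framework
     * after the {@code storedCertificates} attribute is set.
     *
     * <p>The certificates become trusted entries of an in-memory key store, the platform
     * {@link TrustManagerFactory} is initialised with that store, every {@link X509TrustManager}
     * it yields is wrapped in a {@link QpidPeersOnlyTrustManager} and all wrappers are grouped
     * under one {@link QpidMultipleTrustManager}; non-X.509 trust managers pass through unchanged.
     * If nothing is produced, {@link #_trustManagers} becomes {@code null}.
     *
     * @throws IllegalConfigurationException if the key store cannot be populated or the factory
     *         cannot be initialised; the original exception is kept as the cause
     */
    private void updateTrustManagers() {
        try {
            KeyStore peerStore = KeyStore.getInstance(KeyStore.getDefaultType());
            peerStore.load(null, null);  // empty in-memory store, no file involved
            // Aliases are 1-based positions; nothing else about an entry is used by name.
            int alias = 1;
            for (Certificate cert : _storedCertificates) {
                peerStore.setCertificateEntry(String.valueOf(alias++), cert);
            }

            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // Always pass the (possibly empty) store: the JDK factory falls back to the JRE's
            // default trust store when given null, which would trust far more than intended.
            factory.init(peerStore);

            List<TrustManager> managers = new ArrayList<>();
            QpidMultipleTrustManager peerManagers = new QpidMultipleTrustManager();
            for (TrustManager delegate : factory.getTrustManagers()) {
                if (delegate instanceof X509TrustManager) {
                    // Wrapped so that, as the wrapper's name indicates, only certificates present in
                    // peerStore itself are accepted; the exact chain policy lives in that class.
                    peerManagers.addTrustManager(new QpidPeersOnlyTrustManager(peerStore, (X509TrustManager) delegate));
                } else {
                    managers.add(delegate);
                }
            }
            if (!peerManagers.isEmpty()) {
                managers.add(peerManagers);
            }
            _trustManagers = managers.isEmpty() ? null : managers.toArray(new TrustManager[managers.size()]);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
        }
    }

    /** Value of the {@code exposedAsMessageSource} attribute as set by the framework. */
    @Override
    public boolean isExposedAsMessageSource() {
        return _exposedAsMessageSource;
    }

    /** Value of the {@code includedVirtualHostMessageSources} attribute as set by the framework. */
    @Override
    public List<VirtualHost> getIncludedVirtualHostMessageSources() {
        return _includedVirtualHostMessageSources;
    }

    /** Value of the {@code excludedVirtualHostMessageSources} attribute as set by the framework. */
    @Override
    public List<VirtualHost> getExcludedVirtualHostMessageSources() {
        return _excludedVirtualHostMessageSources;
    }

    /**
     * The stored certificates as an unmodifiable view. Mutating the underlying list directly would
     * bypass the {@code afterSet} hook, leaving {@link #_trustManagers} (and the persisted
     * configuration) out of step with what the list shows, e.g. a certificate removed from the
     * list would still be trusted; use {@link #addCertificate(Certificate)} and
     * {@link #removeCertificates(List)} instead.
     * NOTE(review): any caller that mutated the returned list in place now fails fast — confirm none exist.
     */
    @Override
    public List<Certificate> getStoredCertificates() {
        return Collections.unmodifiableList(_storedCertificates);
    }

    /**
     * Adds {@code certificate} to the stored set (a no-op if an equal certificate is already
     * present) and persists the new list via {@code setAttributesAsync}, which triggers
     * {@link #updateTrustManagers()}. The new list is computed on the configuration thread.
     *
     * @param certificate an {@link X509Certificate}; other types are rejected because
     *        {@link #removeCertificates(List)} can only match X.509 issuer/serial pairs, so any
     *        other entry could never be removed through this API
     * @throws IllegalArgumentException if {@code certificate} is null or not an X.509 certificate
     */
    @Override
    public void addCertificate(final Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("Only X.509 certificates can be added to trust store '" + getName() + "'");
        }
        final Map<String, Object> pendingChange = new HashMap<>();
        doAfter(doOnConfigThread(new Task<ListenableFuture<Void>, RuntimeException>() {
            @Override
            public ListenableFuture<Void> execute() {
                Set<Certificate> updated = new HashSet<>(_storedCertificates);
                if (updated.add(certificate)) {
                    pendingChange.put(STORED_CERTIFICATES, new ArrayList<Certificate>(updated));
                }
                return Futures.<Void>immediateFuture(null);
            }

            @Override
            public String getObject() {
                return ManagedPeerCertificateTrustStoreImpl.this.toString();
            }

            @Override
            public String getAction() {
                return "add certificate";
            }

            @Override
            public String getArguments() {
                return String.valueOf(certificate);
            }
        }), new Callable<ListenableFuture<Void>>() {
            @Override
            public ListenableFuture<Void> call() throws Exception {
                if (pendingChange.isEmpty()) {
                    return Futures.<Void>immediateFuture(null);  // duplicate: nothing to persist
                }
                return setAttributesAsync(pendingChange);
            }
        });
    }

    /**
     * Management view of the stored certificates. Only X.509 entries are reported (those are the
     * only ones {@link #removeCertificates(List)} can act on); the returned list is a fresh copy.
     */
    @Override
    public List<CertificateDetails> getCertificateDetails() {
        List<CertificateDetails> details = new ArrayList<>();
        for (Certificate cert : _storedCertificates) {
            if (cert instanceof X509Certificate) {
                details.add(new CertificateDetailsImpl((X509Certificate) cert));
            }
        }
        return details;
    }

    /**
     * Removes every stored X.509 certificate whose issuer name and serial number match an entry of
     * {@code details}, then persists the new list (triggering {@link #updateTrustManagers()}).
     * Entries that match nothing are ignored. Issuer plus serial is the X.509 identity of a
     * certificate, so the match cannot hit an unrelated entry.
     *
     * @param details certificates to remove, as returned by {@link #getCertificateDetails()}
     * @throws NumberFormatException if a serial number is not a decimal integer; raised on the
     *         caller's thread before anything is scheduled
     */
    @Override
    public void removeCertificates(final List<CertificateDetails> details) {
        // issuer name -> serial numbers to drop
        final Map<String, Set<BigInteger>> toRemove = new HashMap<>();
        for (CertificateDetails detail : details) {
            String issuer = detail.getIssuerName();
            Set<BigInteger> serials = toRemove.get(issuer);
            if (serials == null) {
                serials = new HashSet<>();
                toRemove.put(issuer, serials);
            }
            serials.add(new BigInteger(detail.getSerialNumber()));
        }
        final Map<String, Object> pendingChange = new HashMap<>();
        doAfter(doOnConfigThread(new Task<ListenableFuture<Void>, RuntimeException>() {
            @Override
            public ListenableFuture<Void> execute() {
                Set<Certificate> remaining = new HashSet<>(_storedCertificates);
                boolean changed = false;
                for (Iterator<Certificate> it = remaining.iterator(); it.hasNext(); ) {
                    Certificate cert = it.next();
                    if (!(cert instanceof X509Certificate)) {
                        continue;  // no issuer/serial to match on
                    }
                    X509Certificate x509 = (X509Certificate) cert;
                    Set<BigInteger> serials = toRemove.get(x509.getIssuerX500Principal().getName());
                    if (serials != null && serials.contains(x509.getSerialNumber())) {
                        it.remove();
                        changed = true;
                    }
                }
                if (changed) {
                    pendingChange.put(STORED_CERTIFICATES, new ArrayList<Certificate>(remaining));
                }
                return Futures.<Void>immediateFuture(null);
            }

            @Override
            public String getObject() {
                return ManagedPeerCertificateTrustStoreImpl.this.toString();
            }

            @Override
            public String getAction() {
                return "remove certificates";
            }

            @Override
            public String getArguments() {
                return String.valueOf(details);
            }
        }), new Callable<ListenableFuture<Void>>() {
            @Override
            public ListenableFuture<Void> call() throws Exception {
                if (pendingChange.isEmpty()) {
                    return Futures.<Void>immediateFuture(null);  // nothing matched: nothing to persist
                }
                return setAttributesAsync(pendingChange);
            }
        });
    }
}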
