package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.InterfaceAddress;
import java.net.NetworkInterface;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.KeyStoreMessages;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Content;
import org.apache.qpid.server.model.CustomRestHeaders;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.RestContentHeader;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.queue.AbstractQueue;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;

/* loaded from: input_file:org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.class */
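public class AutoGeneratedSelfSignedKeyStoreImpl extends AbstractConfiguredObject<AutoGeneratedSelfSignedKeyStoreImpl> implements AutoGeneratedSelfSignedKeyStore<AutoGeneratedSelfSignedKeyStoreImpl> {
    /**
     * Key store backed by a self-signed certificate that the broker generates itself.
     *
     * <p>The key pair and certificate are produced through reflection into JDK-internal
     * classes ({@code sun.security.x509.*} / {@code CertAndKeyGen}); {@link #isAvailable()}
     * resolves those handles and the factory constructor is marked
     * {@code conditionallyAvailable}, presumably so the type is only offered when that
     * succeeded. Once generated, key and certificate are persisted as base64 attributes
     * ({@code encodedPrivateKey} / {@code encodedCertificate}) so they survive restarts;
     * on the next resolve they are restored instead of regenerated.
     *
     * <p>Security note: the private key is therefore stored in the broker's configuration
     * store and is readable through {@link #getEncodedPrivateKey()}. Whether the store
     * encrypts attribute values is not visible from this class; anyone able to read this
     * object's attributes can read the key.
     */

    /** Source of the throw-away password protecting the in-memory key store built by {@link #generateKeyManagers()}. */
    private static final SecureRandom RANDOM = new SecureRandom();

    // Reflective handles onto the JDK-internal certificate generation API.
    // All of them are populated by isAvailable(); they are null until it has run.
    private static Constructor<?> CONSTRUCTOR;
    private static Method GENERATE_METHOD;
    private static Method GET_PRIVATE_KEY_METHOD;
    private static Method GET_SELF_CERTIFICATE_METHOD;
    private static Constructor<?> X500_NAME_CONSTRUCTOR;
    private static Constructor<?> DNS_NAME_CONSTRUCTOR;
    private static Constructor<?> IP_ADDR_NAME_CONSTRUCTOR;
    private static Constructor<?> GENERAL_NAMES_CONSTRUCTOR;
    private static Constructor<?> GENERAL_NAME_CONSTRUCTOR;
    private static Method ADD_NAME_TO_NAMES_METHOD;
    private static Constructor<?> ALT_NAMES_CONSTRUCTOR;
    private static Constructor<?> CERTIFICATE_EXTENSIONS_CONSTRUCTOR;
    private static Method SET_EXTENSION_METHOD;
    private static Method EXTENSION_GET_NAME_METHOD;

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    // Generation parameters, bound from the managed attributes of the same name.
    @ManagedAttributeField
    private String _keyAlgorithm;

    @ManagedAttributeField
    private String _signatureAlgorithm;

    @ManagedAttributeField
    private int _keyLength;

    @ManagedAttributeField
    private int _durationInMonths;

    // Key material; populated either by loadPrivateKeyAndCertificate() or generatePrivateKeyAndCertificate().
    private PrivateKey _privateKey;
    private X509Certificate _certificate;
    private KeyManager[] _keyManagers;
    // True while a freshly generated key pair has not yet been written back as attributes.
    private boolean _generated;
    // Set by onCreate(); distinguishes a newly created object from one restored from the store.
    private boolean _created;

    /**
     * REST content body rendering the certificate in PEM form: a BEGIN line, the base64 DER
     * wrapped at 64 columns, and an END line.
     */
    private static class CertificateContent implements Content, CustomRestHeaders {
        /** Width of each base64 line in the PEM body. */
        private static final int PEM_LINE_LENGTH = 64;

        private final String _disposition;
        private final String _certString;

        /**
         * @param x509Certificate certificate to render
         * @param str base name for the download file name ({@code <str>.pem})
         * @throws CertificateEncodingException if the certificate cannot be DER-encoded
         */
        public CertificateContent(X509Certificate x509Certificate, String str) throws CertificateEncodingException {
            this._disposition = "attachment; filename=\"" + str + ".pem\"";
            String base64 = DatatypeConverter.printBase64Binary(x509Certificate.getEncoded());
            StringBuilder pem = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
            int offset = 0;
            // Emit full 64-character lines; whatever is left (0..64 chars) goes on the final line.
            while (base64.length() - offset > PEM_LINE_LENGTH) {
                pem.append(base64, offset, offset + PEM_LINE_LENGTH).append('\n');
                offset += PEM_LINE_LENGTH;
            }
            pem.append(base64.substring(offset));
            pem.append("\n-----END CERTIFICATE-----\n");
            this._certString = pem.toString();
        }

        /**
         * Writes the PEM text to {@code outputStream} and flushes it.
         *
         * @throws IOException if the underlying stream fails
         */
        @Override // org.apache.qpid.server.model.Content
        public void write(OutputStream outputStream) throws IOException {
            // PEM is pure ASCII; fixing the charset keeps the bytes independent of the platform default.
            // The writer is deliberately not closed: closing it would close the caller's stream.
            OutputStreamWriter writer = new OutputStreamWriter(outputStream, StandardCharsets.US_ASCII);
            writer.write(this._certString);
            writer.flush();
        }

        @RestContentHeader("Content-Type")
        public String getContentType() {
            return "text/plain";
        }

        @RestContentHeader("Content-Disposition")
        public String getContentDisposition() {
            return this._disposition;
        }
    }

    /**
     * REST content body serialising a {@link KeyStore} (the certificate-only client trust
     * store built by {@link #getClientTrustStore(String)}) in the default key store format.
     */
    private static class TrustStoreContent implements Content, CustomRestHeaders {
        private final KeyStore _keyStore;
        private final char[] _password;
        private final String _disposition;

        /**
         * @param keyStore store to serialise
         * @param str base name for the download file name ({@code <str>.jks})
         * @param cArr password used to protect the serialised store
         */
        public TrustStoreContent(KeyStore keyStore, String str, char[] cArr) {
            this._keyStore = keyStore;
            this._password = cArr;
            this._disposition = "attachment; filename=\"" + str + ".jks\"";
        }

        /**
         * Stores the key store to {@code outputStream}.
         *
         * @throws IOException if the underlying stream fails
         * @throws IllegalArgumentException if the key store itself cannot be serialised
         */
        @Override // org.apache.qpid.server.model.Content
        public void write(OutputStream outputStream) throws IOException {
            try {
                this._keyStore.store(outputStream, this._password);
            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new IllegalArgumentException(e);
            }
        }

        @RestContentHeader("Content-Type")
        public String getContentType() {
            return "application/octet-stream";
        }

        @RestContentHeader("Content-Disposition")
        public String getContentDisposition() {
            return this._disposition;
        }
    }

    /**
     * Factory constructor.
     *
     * @param map configured attributes
     * @param broker owning broker; also supplies the event logger
     */
    @ManagedObjectFactoryConstructor(conditionallyAvailable = true)
    public AutoGeneratedSelfSignedKeyStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(parentsMap(broker), map);
        this._broker = broker;
        this._eventLogger = this._broker.getEventLogger();
        this._eventLogger.message(KeyStoreMessages.CREATE(getName()));
    }

    /**
     * Returns the key managers built from the generated key pair by {@link #generateKeyManagers()}.
     * They are only refreshed from {@link #postResolve()}, so a later
     * {@link #regenerateCertificate()} is not reflected here until the object is resolved again.
     */
    @Override // org.apache.qpid.server.model.KeyStore
    public KeyManager[] getKeyManagers() throws GeneralSecurityException {
        return this._keyManagers;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getKeyAlgorithm() {
        return this._keyAlgorithm;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getSignatureAlgorithm() {
        return this._signatureAlgorithm;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public int getKeyLength() {
        return this._keyLength;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public int getDurationInMonths() {
        return this._durationInMonths;
    }

    /**
     * Returns the certificate as base64 of its DER encoding.
     *
     * @throws IllegalConfigurationException if the certificate cannot be encoded
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getEncodedCertificate() {
        try {
            return DatatypeConverter.printBase64Binary(this._certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new IllegalConfigurationException("Cannot encode certificate", e);
        }
    }

    /**
     * Returns the private key as base64 of its default encoding.
     * This is the unencrypted key: read access to this attribute is read access to the key.
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getEncodedPrivateKey() {
        return DatatypeConverter.printBase64Binary(this._privateKey.getEncoded());
    }

    /**
     * Restores the key pair from the persisted attributes when both are present, otherwise
     * generates a fresh one; then builds the key managers from it.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void postResolve() {
        super.postResolve();
        Map<String, Object> actual = getActualAttributes();
        boolean persisted = actual.containsKey(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY)
                && actual.containsKey(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE);
        if (persisted) {
            loadPrivateKeyAndCertificate();
        } else {
            generatePrivateKeyAndCertificate();
        }
        generateKeyManagers();
    }

    /**
     * Restores the key pair from the {@code encodedPrivateKey} / {@code encodedCertificate}
     * attributes (base64 DER, as written by {@link #saveDerivedAttributesIfNecessary()}).
     *
     * @throws IllegalConfigurationException if either value cannot be decoded
     */
    private void loadPrivateKeyAndCertificate() {
        byte[] privateKeyDer = DatatypeConverter.parseBase64Binary((String) getActualAttributes().get(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY));
        byte[] certificateDer = DatatypeConverter.parseBase64Binary((String) getActualAttributes().get(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE));
        try (ByteArrayInputStream in = new ByteArrayInputStream(certificateDer)) {
            this._certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | CertificateException e) {
            throw new IllegalConfigurationException("Could not decode certificate", e);
        }
        try {
            // The stored key is interpreted with the configured key algorithm; the two must agree.
            this._privateKey = SSLUtil.readPrivateKey(privateKeyDer, this._keyAlgorithm);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalConfigurationException("Could not decode private key", e);
        }
    }

    /** Marks this object as newly created (as opposed to restored from the configuration store). */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onCreate() {
        super.onCreate();
        this._created = true;
    }

    /**
     * Activates the key store. For an object restored from the store (not created in this
     * run) any key pair generated during resolve is written back as attributes first;
     * NOTE(review): a freshly created object skips this, presumably because the create path
     * persists its attributes itself — confirm against AbstractConfiguredObject.
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.STOPPED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> activate() {
        if (!this._created) {
            saveDerivedAttributesIfNecessary();
        }
        setState(State.ACTIVE);
        return Futures.<Void>immediateFuture(null);
    }

    /**
     * Persists a freshly generated key pair as the {@code encodedCertificate} and
     * {@code encodedPrivateKey} attributes and clears the generated flag. No-op when nothing
     * new was generated. The private key is written in base64 as returned by
     * {@link #getEncodedPrivateKey()}; any protection of the value is left to the store.
     */
    private void saveDerivedAttributesIfNecessary() {
        if (!this._generated) {
            return;
        }
        String encodedCertificate = getEncodedCertificate();
        attributeSet(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE, encodedCertificate, encodedCertificate);
        String encodedPrivateKey = getEncodedPrivateKey();
        attributeSet(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY, encodedPrivateKey, encodedPrivateKey);
        this._generated = false;
    }

    /**
     * Deletes the key store unless a port still references it.
     *
     * @throws IntegrityViolationException if any broker port uses this key store
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
    protected ListenableFuture<Void> doDelete() {
        String name = getName();
        // Iterate over a copy; presumably so changes to the broker's port collection cannot disturb the loop.
        for (Port<?> port : new ArrayList<>(this._broker.getPorts())) {
            if (port.getKeyStore() == this) {
                throw new IntegrityViolationException("Key store '" + name + "' can't be deleted as it is in use by a port:" + port.getName());
            }
        }
        deleted();
        setState(State.DELETED);
        this._eventLogger.message(KeyStoreMessages.DELETE(getName()));
        return Futures.<Void>immediateFuture(null);
    }

    /**
     * Generates a new key pair and self-signed certificate via the reflective handles set up
     * by {@link #isAvailable()}.
     *
     * <p>The certificate has subject {@code CN=Qpid}, is valid from now for
     * {@code _durationInMonths} months, and carries a subjectAltName extension listing every
     * address of every local network interface plus the host names those addresses resolve
     * to. Note that this discloses the host's interface addresses to every TLS peer that
     * receives the certificate.
     *
     * @throws IllegalConfigurationException on any reflective or network-interface failure
     */
    private void generatePrivateKeyAndCertificate() {
        try {
            Object certAndKeyGen = CONSTRUCTOR.newInstance(this._keyAlgorithm, this._signatureAlgorithm);
            GENERATE_METHOD.invoke(certAndKeyGen, Integer.valueOf(this._keyLength));
            this._privateKey = (PrivateKey) GET_PRIVATE_KEY_METHOD.invoke(certAndKeyGen);

            Object generalNames = GENERAL_NAMES_CONSTRUCTOR.newInstance();

            // Every address bound to any local interface.
            HashSet<InetAddress> addresses = new HashSet<>();
            for (NetworkInterface networkInterface : Collections.list(NetworkInterface.getNetworkInterfaces())) {
                for (InterfaceAddress interfaceAddress : networkInterface.getInterfaceAddresses()) {
                    addresses.add(interfaceAddress.getAddress());
                }
            }

            // Host names for those addresses (both forms, de-duplicated).
            HashSet<String> hostNames = new HashSet<>();
            for (InetAddress address : addresses) {
                String hostName = address.getHostName();
                if (hostName != null) {
                    hostNames.add(hostName);
                }
                String canonicalHostName = address.getCanonicalHostName();
                if (canonicalHostName != null) {
                    hostNames.add(canonicalHostName);
                }
            }

            // Only names that look like DNS names become dNSName entries: first character a
            // non-digit word character, then word characters, digits, '.' or '-'. This keeps
            // address literals (which the lookup may return when no name is known) out of dNSName.
            for (String hostName : hostNames) {
                if (hostName.matches("[\\w&&[^\\d]][\\w\\d.-]*")) {
                    ADD_NAME_TO_NAMES_METHOD.invoke(generalNames, GENERAL_NAME_CONSTRUCTOR.newInstance(DNS_NAME_CONSTRUCTOR.newInstance(hostName)));
                }
            }
            // Every address also goes in as an iPAddress entry.
            for (InetAddress address : addresses) {
                ADD_NAME_TO_NAMES_METHOD.invoke(generalNames, GENERAL_NAME_CONSTRUCTOR.newInstance(IP_ADDR_NAME_CONSTRUCTOR.newInstance(address.getHostAddress())));
            }

            Object subjectAltNames = ALT_NAMES_CONSTRUCTOR.newInstance(generalNames);
            Object extensions = CERTIFICATE_EXTENSIONS_CONSTRUCTOR.newInstance();
            SET_EXTENSION_METHOD.invoke(extensions, EXTENSION_GET_NAME_METHOD.invoke(subjectAltNames), subjectAltNames);

            // Validity: from now until _durationInMonths months later, expressed in seconds.
            long now = System.currentTimeMillis();
            Calendar expiry = Calendar.getInstance();
            expiry.setTimeInMillis(now);
            expiry.add(Calendar.MONTH, this._durationInMonths);
            long validitySeconds = (expiry.getTimeInMillis() - now) / 1000;

            this._certificate = (X509Certificate) GET_SELF_CERTIFICATE_METHOD.invoke(certAndKeyGen, X500_NAME_CONSTRUCTOR.newInstance("CN=Qpid"), new Date(now), Long.valueOf(validitySeconds), extensions);
            this._generated = true;
        } catch (IOException | IllegalAccessException | InstantiationException | InvocationTargetException e) {
            throw new IllegalConfigurationException("Unable to construct keystore", e);
        }
    }

    /**
     * Wraps the current key pair in an in-memory {@link KeyStore} and derives
     * {@code _keyManagers} from it.
     *
     * @throws IllegalConfigurationException if the key store or key manager factory fails
     */
    private void generateKeyManagers() {
        try {
            X509Certificate[] chain = {this._certificate};
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // Throw-away password: this key store never leaves memory, the password only
            // satisfies the KeyStore / KeyManagerFactory API. US_ASCII decoding maps bytes
            // >= 0x80 to U+FFFD, so the 64 chars carry less than 64 bytes of entropy; harmless here.
            byte[] randomBytes = new byte[64];
            char[] password = new char[64];
            RANDOM.nextBytes(randomBytes);
            StandardCharsets.US_ASCII.decode(ByteBuffer.wrap(randomBytes)).get(password);
            keyStore.load(null, password);
            // NOTE(review): the alias is an unrelated queue constant — presumably the decompiler
            // inlined a string literal of the same value. Nothing here looks the entry up by alias.
            keyStore.setKeyEntry(AbstractQueue.SHARED_MSG_GROUP_ARG_VALUE, this._privateKey, password, chain);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, password);
            this._keyManagers = keyManagerFactory.getKeyManagers();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load private key or certificate(s): " + e, e);
        }
    }

    /**
     * Resolves the JDK-internal classes and members needed for certificate generation and
     * caches them in the static handles.
     *
     * <p>{@code CertAndKeyGen} is looked up under its old ({@code sun.security.x509}) and new
     * ({@code sun.security.tools.keytool}) package. Any missing class, missing member or
     * linkage failure makes the feature unavailable rather than failing the broker.
     *
     * @return {@code true} if every handle was resolved, {@code false} otherwise
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isAvailable() {
        Class<?> certAndKeyGenClass;
        try {
            try {
                certAndKeyGenClass = Class.forName("sun.security.x509.CertAndKeyGen");
            } catch (ClassNotFoundException e) {
                certAndKeyGenClass = Class.forName("sun.security.tools.keytool.CertAndKeyGen");
            }
            Class<?> x500NameClass = Class.forName("sun.security.x509.X500Name");
            Class<?> certificateExtensionsClass = Class.forName("sun.security.x509.CertificateExtensions");
            Class<?> generalNamesClass = Class.forName("sun.security.x509.GeneralNames");
            Class<?> generalNameClass = Class.forName("sun.security.x509.GeneralName");
            Class<?> subjectAltNameClass = Class.forName("sun.security.x509.SubjectAlternativeNameExtension");

            CONSTRUCTOR = certAndKeyGenClass.getConstructor(String.class, String.class);
            GENERATE_METHOD = certAndKeyGenClass.getMethod("generate", Integer.TYPE);
            GET_PRIVATE_KEY_METHOD = certAndKeyGenClass.getMethod("getPrivateKey");
            GET_SELF_CERTIFICATE_METHOD = certAndKeyGenClass.getMethod("getSelfCertificate", x500NameClass, Date.class, Long.TYPE, certificateExtensionsClass);
            X500_NAME_CONSTRUCTOR = x500NameClass.getConstructor(String.class);
            DNS_NAME_CONSTRUCTOR = Class.forName("sun.security.x509.DNSName").getConstructor(String.class);
            IP_ADDR_NAME_CONSTRUCTOR = Class.forName("sun.security.x509.IPAddressName").getConstructor(String.class);
            GENERAL_NAMES_CONSTRUCTOR = generalNamesClass.getConstructor();
            GENERAL_NAME_CONSTRUCTOR = generalNameClass.getConstructor(Class.forName("sun.security.x509.GeneralNameInterface"));
            ADD_NAME_TO_NAMES_METHOD = generalNamesClass.getMethod("add", generalNameClass);
            ALT_NAMES_CONSTRUCTOR = subjectAltNameClass.getConstructor(generalNamesClass);
            CERTIFICATE_EXTENSIONS_CONSTRUCTOR = certificateExtensionsClass.getConstructor();
            SET_EXTENSION_METHOD = certificateExtensionsClass.getMethod("set", String.class, Object.class);
            EXTENSION_GET_NAME_METHOD = subjectAltNameClass.getMethod("getName");
            return true;
        } catch (ClassNotFoundException | LinkageError | NoSuchMethodException e2) {
            return false;
        }
    }

    /**
     * Generates a new key pair and certificate and persists them. The key managers are not
     * rebuilt here, so {@link #getKeyManagers()} keeps returning the previous key pair until
     * the object is resolved again.
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public void regenerateCertificate() {
        generatePrivateKeyAndCertificate();
        saveDerivedAttributesIfNecessary();
    }

    /**
     * Builds a downloadable trust store containing only this key store's certificate.
     *
     * @param str password for the serialised store; {@code null} means an empty password
     *            (the store holds only public material, so the password protects integrity only)
     * @throws IllegalArgumentException if the key store cannot be created
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public Content getClientTrustStore(String str) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            keyStore.setCertificateEntry(getName(), this._certificate);
            char[] password = str == null ? new char[0] : str.toCharArray();
            return new TrustStoreContent(keyStore, getName(), password);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Builds a downloadable PEM rendering of the certificate.
     *
     * @throws IllegalArgumentException if the certificate cannot be encoded
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public Content getCertificate() {
        try {
            return new CertificateContent(this._certificate, getName());
        } catch (CertificateEncodingException e) {
            // Keep the cause; the original dropped it and had a garbled message.
            throw new IllegalArgumentException("Cannot encode the certificate", e);
        }
    }
}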
