package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.KeyStoreMessages;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.queue.AbstractQueue;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

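@ManagedObject(category = false)
/**
 * Broker key store built from loose PEM-style material rather than a JKS/PKCS12 file:
 * a private key, a certificate (chain) and optional intermediate certificates, each
 * referenced by URL or file path. The material is folded into a throw-away in-memory
 * {@link KeyStore} from which the TLS {@link KeyManager}s are derived.
 *
 * The URLs are administrator-supplied configuration, not client input. Note that
 * {@link Handler#register()} is invoked in the static initialiser, which presumably
 * makes {@code data:} URLs resolvable so that key material can be supplied inline —
 * confirm against the handler implementation before relying on it.
 */
public class NonJavaKeyStoreImpl extends AbstractConfiguredObject<NonJavaKeyStoreImpl> implements NonJavaKeyStore<NonJavaKeyStoreImpl> {
    private static final Logger LOGGER = LoggerFactory.getLogger(NonJavaKeyStoreImpl.class);
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Length of the transient password protecting the in-memory key store. */
    private static final int KEYSTORE_PASSWORD_LENGTH = 64;

    /**
     * Alias of the single key entry in the in-memory key store. The decompiled listing
     * references {@code AbstractQueue.SHARED_MSG_GROUP_ARG_VALUE} here, presumably a
     * decompiler constant-folding artefact for an identical string literal; the reference
     * is kept so the alias value is unchanged. The alias is internal to this object only.
     */
    private static final String KEY_ALIAS = AbstractQueue.SHARED_MSG_GROUP_ARG_VALUE;

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    @ManagedAttributeField(afterSet = "updateKeyManagers")
    private String _privateKeyUrl;

    @ManagedAttributeField(afterSet = "updateKeyManagers")
    private String _certificateUrl;

    @ManagedAttributeField(afterSet = "updateKeyManagers")
    private String _intermediateCertificateUrl;

    // Both are written by updateKeyManagers() and read by arbitrary management threads;
    // they are published independently, so a reader may briefly see a new key manager
    // array paired with the previous leaf certificate.
    private volatile KeyManager[] _keyManagers;
    private volatile X509Certificate _certificate;

    /**
     * Creates the key store object and emits the CREATE operational log message.
     *
     * @param map    configured attribute values supplied by the model layer
     * @param broker owning broker; also the source of the event logger
     */
    @ManagedObjectFactoryConstructor
    public NonJavaKeyStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(parentsMap(broker), map);
        _keyManagers = new KeyManager[0];
        _broker = broker;
        _eventLogger = _broker.getEventLogger();
        _eventLogger.message(KeyStoreMessages.CREATE(getName()));
    }

    /** @return configured location of the PEM private key, or {@code null} if unset */
    @Override
    public String getPrivateKeyUrl() {
        return _privateKeyUrl;
    }

    /** @return configured location of the server certificate, or {@code null} if unset */
    @Override
    public String getCertificateUrl() {
        return _certificateUrl;
    }

    /** @return configured location of the intermediate certificates, or {@code null} if unset */
    @Override
    public String getIntermediateCertificateUrl() {
        return _intermediateCertificateUrl;
    }

    /**
     * Returns a display name for the loaded leaf certificate: the value of its first
     * {@code CN} RDN when present, otherwise the full RFC 2253 subject DN.
     *
     * @return the subject name, or {@code null} if no certificate is loaded or the
     *         subject DN cannot be parsed
     */
    @Override
    public String getSubjectName() {
        final X509Certificate certificate = _certificate;
        if (certificate == null) {
            return null;
        }
        try {
            final String distinguishedName = certificate.getSubjectX500Principal().getName();
            // Prefer the first CN attribute in RDN order; fall back to the whole DN.
            for (Rdn rdn : new LdapName(distinguishedName).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
            return distinguishedName;
        } catch (InvalidNameException e) {
            // Keep the cause in the log so a malformed DN can actually be diagnosed.
            LOGGER.error("Error getting subject name from certificate", e);
            return null;
        }
    }

    /** @return notAfter of the leaf certificate in epoch millis, or 0 if none is loaded */
    @Override
    public long getCertificateValidEnd() {
        final X509Certificate certificate = _certificate;
        return certificate == null ? 0L : certificate.getNotAfter().getTime();
    }

    /** @return notBefore of the leaf certificate in epoch millis, or 0 if none is loaded */
    @Override
    public long getCertificateValidStart() {
        final X509Certificate certificate = _certificate;
        return certificate == null ? 0L : certificate.getNotBefore().getTime();
    }

    /**
     * Returns the key managers derived from the current key material. A copy of the
     * array is returned so callers cannot swap entries out from under TLS ports.
     *
     * @return the key managers; empty until both key and certificate URLs are set
     */
    @Override
    public KeyManager[] getKeyManagers() throws GeneralSecurityException {
        return _keyManagers.clone();
    }

    /** Validates that the configured key material can be read before the object goes live. */
    @Override
    public void onValidate() {
        super.onValidate();
        validateKeyStoreAttributes(this);
    }

    /**
     * Deletes the key store unless a port still references it. Refusing the deletion
     * keeps a TLS listener from silently losing its server identity.
     *
     * @throws IntegrityViolationException if any port uses this key store
     */
    @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
    protected ListenableFuture<Void> doDelete() {
        final String name = getName();
        // Iterate over a snapshot: the broker's port collection may change concurrently.
        for (Port<?> port : new ArrayList<>(_broker.getPorts())) {
            if (port.getKeyStore() == this) {
                throw new IntegrityViolationException("Key store '" + name + "' can't be deleted as it is in use by a port:" + port.getName());
            }
        }
        deleted();
        setState(State.DELETED);
        _eventLogger.message(KeyStoreMessages.DELETE(getName()));
        return Futures.immediateFuture(null);
    }

    /** Activation does no extra work; the key managers were built as attributes were set. */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        setState(State.ACTIVE);
        return Futures.immediateFuture(null);
    }

    /**
     * Rejects a rename and re-validates the key material of the proposed configuration.
     *
     * @param configuredObject proxy carrying the proposed attribute values
     * @param set              names of the attributes being changed
     * @throws IllegalConfigurationException if the name changes or the material is unreadable
     */
    @Override
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        final NonJavaKeyStore<?> proposed = (NonJavaKeyStore<?>) configuredObject;
        if (set.contains(ConfiguredObject.NAME) && !getName().equals(proposed.getName())) {
            throw new IllegalConfigurationException("Changing the key store name is not allowed");
        }
        validateKeyStoreAttributes(proposed);
    }

    /**
     * Checks that the private key and certificate(s) referenced by {@code keyStore} can be
     * parsed. A missing URL is reported as a configuration error instead of the
     * NullPointerException that {@code new File(null)} would otherwise raise.
     *
     * NOTE(review): this only proves each artefact parses; it does not verify that the
     * private key matches the leaf certificate's public key, nor that the intermediates
     * actually chain to it. A mismatch surfaces later as a TLS handshake failure.
     *
     * @throws IllegalConfigurationException if any artefact is missing or unreadable
     */
    private void validateKeyStoreAttributes(NonJavaKeyStore<?> keyStore) {
        if (keyStore.getPrivateKeyUrl() == null || keyStore.getCertificateUrl() == null) {
            throw new IllegalConfigurationException("Cannot validate private key or certificate(s): both privateKeyUrl and certificateUrl must be specified");
        }
        try {
            SSLUtil.readPrivateKey(getUrlFromString(keyStore.getPrivateKeyUrl()));
            SSLUtil.readCertificates(getUrlFromString(keyStore.getCertificateUrl()));
            if (keyStore.getIntermediateCertificateUrl() != null) {
                SSLUtil.readCertificates(getUrlFromString(keyStore.getIntermediateCertificateUrl()));
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot validate private key or certificate(s):" + e, e);
        }
    }

    /**
     * Rebuilds the key managers from the configured URLs. Invoked after each of the URL
     * attributes is set; does nothing until both the key and certificate URLs are present.
     * Clearing a URL afterwards leaves the previously built key managers in place.
     *
     * @throws IllegalConfigurationException if the material cannot be read or loaded
     */
    private void updateKeyManagers() {
        if (_privateKeyUrl == null || _certificateUrl == null) {
            return;
        }
        try {
            final PrivateKey privateKey = SSLUtil.readPrivateKey(getUrlFromString(_privateKeyUrl));
            final X509Certificate[] chain = readCertificateChain();
            if (chain.length == 0) {
                throw new IllegalConfigurationException("No certificate found at " + _certificateUrl);
            }
            // The key store lives only in memory, so the password merely satisfies the
            // KeyStore API; it is never persisted or exposed. It is not scrubbed afterwards
            // because some KeyManagerFactory algorithms retain it for lazy key retrieval.
            final char[] password = newTransientPassword();
            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, password);
            keyStore.setKeyEntry(KEY_ALIAS, privateKey, password, chain);
            final KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore, password);
            _keyManagers = factory.getKeyManagers();
            // The first certificate from certificateUrl is treated as the leaf.
            _certificate = chain[0];
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load private key or certificate(s): " + e, e);
        }
    }

    /**
     * Reads the certificate(s) from {@code certificateUrl}, followed by those from
     * {@code intermediateCertificateUrl} when it is set.
     */
    private X509Certificate[] readCertificateChain() throws IOException, GeneralSecurityException {
        final X509Certificate[] leaf = SSLUtil.readCertificates(getUrlFromString(_certificateUrl));
        if (_intermediateCertificateUrl == null) {
            return leaf;
        }
        final List<X509Certificate> chain = new ArrayList<>(Arrays.asList(leaf));
        chain.addAll(Arrays.asList(SSLUtil.readCertificates(getUrlFromString(_intermediateCertificateUrl))));
        return chain.toArray(new X509Certificate[0]);
    }

    /**
     * Generates a random password from the printable ASCII range. The original
     * implementation decoded raw random bytes as US-ASCII, which maps every byte above
     * 0x7F to U+FFFD and so collapses roughly half the characters onto one value.
     */
    private static char[] newTransientPassword() {
        final char[] password = new char[KEYSTORE_PASSWORD_LENGTH];
        for (int i = 0; i < password.length; i++) {
            password[i] = (char) ('!' + RANDOM.nextInt('~' - '!' + 1));
        }
        return password;
    }

    /**
     * Interprets a configured location first as a URL and, failing that, as a file path.
     *
     * @param str URL or file system path; must not be {@code null}
     * @throws MalformedURLException if the path cannot be converted to a file URL
     */
    private URL getUrlFromString(String str) throws MalformedURLException {
        try {
            return new URL(str);
        } catch (MalformedURLException e) {
            return new File(str).toURI().toURL();
        }
    }

    static {
        Handler.register();
    }
}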
