package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

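/**
 * Trust store whose trust managers are built from an in-memory {@link KeyStore}
 * populated with the certificates held in the stored-certificates attribute.
 *
 * <p>Every {@link X509TrustManager} produced for that key store is wrapped in a
 * {@link QpidPeersOnlyTrustManager}; the wrappers are aggregated in one
 * {@link QpidMultipleTrustManager}.
 * NOTE(review): going by its name, the peers-only wrapper presumably accepts only
 * certificates that are themselves in the store rather than chains issued by them;
 * confirm against that class before relying on it.
 */
@ManagedObject(category = false)
public class ManagedPeerCertificateTrustStoreImpl extends AbstractTrustStore<ManagedPeerCertificateTrustStoreImpl> implements ManagedPeerCertificateTrustStore<ManagedPeerCertificateTrustStoreImpl> {
    private static final Logger LOGGER = LoggerFactory.getLogger(ManagedPeerCertificateTrustStoreImpl.class);

    // Replaced as a whole by updateTrustManagers(); volatile so readers see the new array reference.
    private volatile TrustManager[] _trustManagers;

    // afterSet names updateTrustManagers(): presumably the model framework calls it after the
    // attribute is set, so the trust managers follow the certificate list (confirm in the framework).
    @ManagedAttributeField(afterSet = "updateTrustManagers")
    private final List<Certificate> _storedCertificates;

    /**
     * Creates the store with no certificates and an empty trust-manager array.
     *
     * @param map attributes handed to the superclass constructor
     * @param broker parent broker handed to the superclass constructor
     */
    @ManagedObjectFactoryConstructor
    public ManagedPeerCertificateTrustStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(map, broker);
        this._trustManagers = new TrustManager[0];
        this._storedCertificates = new ArrayList<>();
    }

    /**
     * Returns a copy of the current trust managers.
     *
     * @return a fresh array, so callers cannot alter the array held by this store
     * @throws IllegalStateException if no trust manager is available; the store refuses to
     *     hand out an empty set instead of letting a caller proceed without peer validation
     */
    @Override
    protected TrustManager[] getTrustManagersInternal() {
        // Read the volatile field once so the null/length check and the copy see the same array.
        TrustManager[] current = this._trustManagers;
        if (current == null || current.length == 0) {
            throw new IllegalStateException("Truststore " + this + " defines no trust managers");
        }
        return Arrays.copyOf(current, current.length);
    }

    /**
     * Returns the stored certificates as a new array.
     *
     * @return a snapshot array; changing it does not change the store
     */
    @Override
    public Certificate[] getCertificates() {
        List<Certificate> snapshot = new ArrayList<>(this._storedCertificates);
        return snapshot.toArray(new Certificate[snapshot.size()]);
    }

    /**
     * Starts expiry checking and moves the store to {@link State#ACTIVE}.
     *
     * @return an already completed future
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        initializeExpiryChecking();
        setState(State.ACTIVE);
        // No (Object) cast: the type argument is inferred as Void from the return type.
        return Futures.immediateFuture(null);
    }

    /**
     * Rebuilds the trust managers from the stored certificates.
     *
     * <p>Referenced only by name from the {@code afterSet} value on the certificate field, so it
     * looks unused to static analysis; renaming or deleting it would break that link.
     *
     * @throws IllegalConfigurationException if the key store or the trust manager factory cannot
     *     be set up; the previous trust managers stay in place in that case, because the field
     *     is assigned only at the end of the rebuild
     */
    private void updateTrustManagers() {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            // Aliases are the 1-based positions of the certificates in the list.
            int alias = 1;
            for (Certificate certificate : this._storedCertificates) {
                keyStore.setCertificateEntry(String.valueOf(alias), certificate);
                alias++;
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            List<TrustManager> rebuilt = new ArrayList<>();
            QpidMultipleTrustManager peersOnly = new QpidMultipleTrustManager();
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    peersOnly.addTrustManager(new QpidPeersOnlyTrustManager(keyStore, (X509TrustManager) trustManager));
                } else {
                    // Not an X509TrustManager: kept as returned by the factory, without the peers-only wrapper.
                    rebuilt.add(trustManager);
                }
            }
            if (!peersOnly.isEmpty()) {
                rebuilt.add(peersOnly);
            }
            if (rebuilt.isEmpty()) {
                // null makes getTrustManagersInternal() throw instead of returning nothing.
                this._trustManagers = null;
            } else {
                this._trustManagers = rebuilt.toArray(new TrustManager[rebuilt.size()]);
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
        }
    }

    /**
     * Returns the stored certificate list.
     *
     * @return the list held by this object, not a copy
     */
    @Override
    public List<Certificate> getStoredCertificates() {
        // NOTE(review): this is the live internal list. A caller that mutates it directly does not
        // trigger updateTrustManagers(), so the trust managers would no longer match the list.
        // Consider returning an unmodifiable view once it is confirmed that no caller (including
        // the attribute framework) depends on mutability.
        return this._storedCertificates;
    }

    /**
     * Adds a certificate unless an equal one is already stored.
     *
     * <p>The change goes through {@code setAttributes} rather than touching the list, so the
     * attribute update path of the model is used.
     *
     * @param certificate certificate to trust; not checked for null, expiry or type here
     */
    @Override
    public void addCertificate(Certificate certificate) {
        Set<Certificate> updated = new LinkedHashSet<>(this._storedCertificates);
        if (updated.add(certificate)) {
            setAttributes(Collections.<String, Object>singletonMap(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, updated));
        }
    }

    /**
     * Removes every stored X.509 certificate whose issuer name and serial number match one of
     * the given entries.
     *
     * <p>Caveats for callers that revoke trust through this method: only {@link X509Certificate}
     * instances are considered; the issuer is compared by exact string equality with
     * {@code getIssuerX500Principal().getName()}; and nothing is reported when an entry matches
     * no certificate, so a differently formatted issuer name leaves the certificate trusted.
     * Verify the outcome with {@link #getCertificates()} when the removal matters.
     *
     * @param list issuer name / serial number pairs to remove; a serial number that
     *     {@link BigInteger} cannot parse makes its constructor throw before anything is removed
     */
    @Override
    public void removeCertificates(List<CertificateDetails> list) {
        Map<String, Set<BigInteger>> serialsByIssuer = new HashMap<>();
        for (CertificateDetails details : list) {
            String issuer = details.getIssuerName();
            Set<BigInteger> serials = serialsByIssuer.get(issuer);
            if (serials == null) {
                serials = new HashSet<>();
                serialsByIssuer.put(issuer, serials);
            }
            serials.add(new BigInteger(details.getSerialNumber()));
        }
        boolean changed = false;
        Set<Certificate> remaining = new LinkedHashSet<>(this._storedCertificates);
        Iterator<Certificate> it = remaining.iterator();
        while (it.hasNext()) {
            Certificate certificate = it.next();
            if (certificate instanceof X509Certificate) {
                X509Certificate x509Certificate = (X509Certificate) certificate;
                Set<BigInteger> serials = serialsByIssuer.get(x509Certificate.getIssuerX500Principal().getName());
                if (serials != null && serials.contains(x509Certificate.getSerialNumber())) {
                    it.remove();
                    changed = true;
                }
            }
        }
        // Write back only when something was removed, so an unmatched request does not
        // trigger an attribute update.
        if (changed) {
            setAttributes(Collections.<String, Object>singletonMap(ManagedPeerCertificateTrustStore.STORED_CERTIFICATES, remaining));
        }
    }
}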
