package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.transport.network.security.ssl.QpidBestFitX509KeyManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidServerX509KeyManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.StringUtil;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;

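/**
 * Key store whose key material is loaded from a URL ({@code file:}, {@code data:}, ...) or a
 * plain file-system path.
 *
 * <p>Certificates are read on open and again whenever a store-affecting attribute changes
 * ({@code storeUrl}, {@code password}, key store type, key manager factory algorithm), and are
 * published through {@link #getCertificateDetails()}. Key managers are built on demand from the
 * configured URL by {@link #getKeyManagers()}; which private key they serve depends on the
 * configured alias and the host-name-matching flag.
 */
@ManagedObject(category = false)
public class FileKeyStoreImpl extends AbstractKeyStore<FileKeyStoreImpl> implements FileKeyStore<FileKeyStoreImpl> {

    /** Milliseconds per day as a {@code long}, so the expiry window below cannot overflow an int. */
    private static final long ONE_DAY_MILLIS = 24L * 60L * 60L * 1000L;

    @ManagedAttributeField
    private String _type;

    @ManagedAttributeField
    private String _keyStoreType;

    // Alias of the private-key entry to serve; null means "any private key in the store".
    @ManagedAttributeField
    private String _certificateAlias;

    @ManagedAttributeField
    private String _keyManagerFactoryAlgorithm;

    // Either a URL or a bare path; postSetStoreUrl() derives _path from it.
    @ManagedAttributeField(afterSet = "postSetStoreUrl")
    private String _storeUrl;

    @ManagedAttributeField
    private boolean _useHostNameMatching;
    // Null when _storeUrl is a data: URL (inline material), otherwise equal to _storeUrl.
    private String _path;

    // Plain-text store password; never echo it into exception messages or logs.
    @ManagedAttributeField
    private String _password;
    // Snapshot of the store's certificates keyed by alias; replaced wholesale on (re)initialisation.
    private volatile Map<String, Certificate> _certificates;

    @ManagedObjectFactoryConstructor
    public FileKeyStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(map, broker);
        this._certificates = Map.of();
    }

    @Override
    public void onValidate() {
        super.onValidate();
        validateKeyStoreAttributes(this);
    }

    /** Starts periodic certificate-expiry checking and moves the object to ACTIVE. */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        initializeExpiryChecking();
        setState(State.ACTIVE);
        // Target-typed: the (Object) cast the decompiler emitted here would not type-check against ListenableFuture<Void>.
        return Futures.immediateFuture(null);
    }

    @Override
    public void onOpen() {
        super.onOpen();
        initialize();
    }

    /**
     * Applies the attribute change and reloads the certificate snapshot when any attribute that
     * influences how the store is loaded was touched.
     */
    @Override
    public void changeAttributes(Map<String, Object> map) {
        super.changeAttributes(map);
        if (affectsStoreContents(map)) {
            initialize();
        }
    }

    /** Whether {@code attributes} names anything that changes how the key store is loaded. */
    private static boolean affectsStoreContents(Map<String, Object> attributes) {
        return attributes.containsKey("storeUrl")
                || attributes.containsKey("password")
                || attributes.containsKey(FileKeyStore.KEY_STORE_TYPE)
                || attributes.containsKey(FileKeyStore.KEY_MANAGER_FACTORY_ALGORITHM);
    }

    /**
     * Loads the store and replaces the published certificate snapshot.
     *
     * @throws IllegalConfigurationException if the store cannot be opened or read
     */
    private void initialize() {
        try {
            this._certificates = Collections.unmodifiableMap(SSLUtil.getCertificates(getInitializedKeyStore(this)));
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException(String.format("Cannot instantiate keystore '%s'", getName()), e);
        }
    }

    /**
     * Validates a proposed change. Deletion is always allowed; renaming is rejected; anything
     * else must still describe a loadable store.
     */
    @Override
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        FileKeyStore<?> proposed = (FileKeyStore<?>) configuredObject;
        if (set.contains(ConfiguredObject.DESIRED_STATE) && proposed.getDesiredState() == State.DELETED) {
            return;
        }
        if (set.contains("name") && !getName().equals(proposed.getName())) {
            throw new IllegalConfigurationException("Changing the key store name is not allowed");
        }
        validateKeyStoreAttributes(proposed);
    }

    /**
     * Checks that the store described by {@code fileKeyStore} opens, that the configured alias
     * (or, failing that, at least one entry) is a private key, and that the key manager factory
     * algorithm is available.
     *
     * @throws IllegalConfigurationException for any unusable configuration; a wrong password is
     *         reported separately from other load failures
     * @throws IllegalArgumentException if the store is not durable
     */
    private void validateKeyStoreAttributes(FileKeyStore<?> fileKeyStore) {
        // Elided so that inline (data:) store contents are not reproduced in exception messages.
        String elidedUrl = StringUtil.elideDataUrl(fileKeyStore.getStoreUrl());
        try {
            KeyStore keyStore = getInitializedKeyStore(fileKeyStore);
            String alias = fileKeyStore.getCertificateAlias();
            if (alias != null) {
                if (keyStore.getCertificate(alias) == null) {
                    throw new IllegalConfigurationException(String.format("Cannot find a certificate with alias '%s' in key store '%s'.", alias, elidedUrl));
                }
                if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                    throw new IllegalConfigurationException(String.format("Alias '%s' in key store '%s' does not identify a private key.", alias, elidedUrl));
                }
            } else if (!containsPrivateKey(keyStore)) {
                throw new IllegalConfigurationException(String.format("Keystore '%s' must contain at least one private key.", elidedUrl));
            }
            try {
                KeyManagerFactory.getInstance(fileKeyStore.getKeyManagerFactoryAlgorithm());
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalConfigurationException(String.format("Unknown keyManagerFactoryAlgorithm: '%s'", fileKeyStore.getKeyManagerFactoryAlgorithm()), e);
            }
            if (!fileKeyStore.isDurable()) {
                throw new IllegalArgumentException(getClass().getSimpleName() + " must be durable");
            }
            // NOTE(review): this inspects the current object's store, not the proposed one — confirm intended.
            checkCertificateExpiry();
        } catch (UnrecoverableKeyException e) {
            // Must precede the GeneralSecurityException handler below, which would otherwise mask
            // the bad-password hint (and, in Java, the reverse order does not even compile).
            throw new IllegalConfigurationException(String.format("Check key store password. Cannot instantiate key store from '%s'.", elidedUrl), e);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException(String.format("Cannot instantiate key store from '%s'.", elidedUrl), e);
        }
    }

    /** Opens and loads the store described by {@code fileKeyStore}. */
    private KeyStore getInitializedKeyStore(FileKeyStore<?> fileKeyStore) throws GeneralSecurityException, IOException {
        return SSLUtil.getInitializedKeyStore(getUrlFromString(fileKeyStore.getStoreUrl()), fileKeyStore.getPassword(), fileKeyStore.getKeyStoreType());
    }

    @Override
    public String getStoreUrl() {
        return this._storeUrl;
    }

    @Override
    public String getPath() {
        return this._path;
    }

    @Override
    public String getCertificateAlias() {
        return this._certificateAlias;
    }

    @Override
    public String getKeyManagerFactoryAlgorithm() {
        return this._keyManagerFactoryAlgorithm;
    }

    @Override
    public String getKeyStoreType() {
        return this._keyStoreType;
    }

    @Override
    public String getPassword() {
        return this._password;
    }

    @Override
    public boolean isUseHostNameMatching() {
        return this._useHostNameMatching;
    }

    /** Re-reads the store from its URL and refreshes the certificate snapshot. */
    @Override
    public void reload() {
        initialize();
    }

    public void setPassword(String str) {
        this._password = str;
    }

    /**
     * Builds the key managers for this store.
     *
     * <p>With host-name matching enabled a best-fit manager is returned; with an explicit alias a
     * manager pinned to that alias; otherwise the platform factory's managers, which choose a key
     * themselves.
     *
     * @return a fresh array (never shared with the factory); empty if the factory yields none
     * @throws GeneralSecurityException if the store cannot be loaded or the factory fails,
     *         including I/O failures wrapped as such
     */
    @Override
    public KeyManager[] getKeyManagers() throws GeneralSecurityException {
        try {
            URL storeUrl = getUrlFromString(this._storeUrl);
            if (isUseHostNameMatching()) {
                return new KeyManager[]{new QpidBestFitX509KeyManager(this._certificateAlias, storeUrl, this._keyStoreType, getPassword(), this._keyManagerFactoryAlgorithm)};
            }
            if (this._certificateAlias != null) {
                return new KeyManager[]{new QpidServerX509KeyManager(this._certificateAlias, storeUrl, this._keyStoreType, getPassword(), this._keyManagerFactoryAlgorithm)};
            }
            KeyStore keyStore = SSLUtil.getInitializedKeyStore(storeUrl, getPassword(), this._keyStoreType);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(this._keyManagerFactoryAlgorithm);
            factory.init(keyStore, passwordChars());
            KeyManager[] managers = factory.getKeyManagers();
            // Defensive copy so callers cannot mutate whatever the factory hands back.
            return managers == null ? new KeyManager[0] : Arrays.copyOf(managers, managers.length);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /** The store password in the {@code char[]} form JSSE expects, or {@code null} when unset. */
    private char[] passwordChars() {
        String password = getPassword();
        return password == null ? null : password.toCharArray();
    }

    /**
     * Interprets {@code str} as a URL, falling back to treating it as a file-system path.
     *
     * @throws MalformedURLException if the path cannot be turned into a URL either
     */
    private static URL getUrlFromString(String str) throws MalformedURLException {
        try {
            return new URL(str);
        } catch (MalformedURLException notAUrl) {
            return new File(str).toURI().toURL();
        }
    }

    /** Attribute hook: a data: URL has no path on disk, anything else is its own path. */
    private void postSetStoreUrl() {
        boolean inline = this._storeUrl == null || this._storeUrl.startsWith("data:");
        this._path = inline ? null : this._storeUrl;
    }

    /**
     * Reports every certificate chain served by this store that expires within the configured
     * warn period. Disabled when the period is zero or negative.
     *
     * <p>Failures to load the store are deliberately ignored here: this runs from validation and
     * from the periodic check, and load errors are surfaced by those paths in their own way.
     */
    @Override
    protected void checkCertificateExpiry() {
        int warnPeriodDays = getCertificateExpiryWarnPeriod();
        if (warnPeriodDays <= 0) {
            return;
        }
        long now = System.currentTimeMillis();
        // long arithmetic: an int product of 86400000 * days overflows once days exceeds 24.
        Date expiryThreshold = new Date(now + ONE_DAY_MILLIS * warnPeriodDays);
        try {
            KeyStore keyStore = getInitializedKeyStore(this);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(this._keyManagerFactoryAlgorithm);
            factory.init(keyStore, passwordChars());
            List<String> aliases = Collections.list(keyStore.aliases());
            for (KeyManager keyManager : factory.getKeyManagers()) {
                if (keyManager instanceof X509KeyManager) {
                    X509KeyManager x509KeyManager = (X509KeyManager) keyManager;
                    for (String alias : aliases) {
                        checkCertificatesExpiry(now, expiryThreshold, x509KeyManager.getCertificateChain(alias));
                    }
                }
            }
        } catch (IOException | GeneralSecurityException ignored) {
            // Best effort only; see the method comment.
        }
    }

    /** Details of every X.509 certificate in the current snapshot, keyed by alias. */
    @Override
    public List<CertificateDetails> getCertificateDetails() {
        if (this._certificates.isEmpty()) {
            return List.of();
        }
        return this._certificates.entrySet().stream()
                .filter(entry -> entry.getValue() instanceof X509Certificate)
                .<CertificateDetails>map(entry -> new CertificateDetailsImpl((X509Certificate) entry.getValue(), entry.getKey()))
                .collect(Collectors.toList());
    }

    @Override
    protected Collection<Certificate> getCertificates() {
        return this._certificates.values();
    }

    /** Whether at least one entry in {@code keyStore} is a private-key entry. */
    private static boolean containsPrivateKey(KeyStore keyStore) throws KeyStoreException {
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                return true;
            }
        }
        return false;
    }

    static {
        // Installs the data: URL stream handler so inline store contents can be used as storeUrl.
        Handler.register();
    }
}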
