package org.sonatype.nexus.ssl;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.crypto.CryptoHelper;
import org.sonatype.nexus.ssl.internal.ReloadableX509KeyManager;
import org.sonatype.nexus.ssl.internal.ReloadableX509TrustManager;
import org.sonatype.nexus.ssl.internal.geronimo.FileKeystoreInstance;
import org.sonatype.nexus.ssl.internal.geronimo.KeystoreInstance;
import org.sonatype.nexus.ssl.spi.KeyStoreStorage;
import org.sonatype.nexus.ssl.spi.KeyStoreStorageManager;

/* loaded from: input_file:org/sonatype/nexus/ssl/KeyStoreManagerImpl.class */
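/**
 * Default {@link KeyStoreManager} backed by two file key-stores obtained from a
 * {@link KeyStoreStorageManager}: {@code private.ks}, which holds this node's identity key-pair
 * under the {@code identity} alias, and {@code trusted.ks}, which holds imported trust
 * certificates.
 *
 * <p>Both stores are opened in the constructor. If the private store carries no key-pair under the
 * {@code __default00} alias, a self-signed default certificate is generated there so that the store
 * is never empty. Every trust-store or key-pair mutation ends by re-fetching the managers, which
 * re-binds the {@code ReloadableX509*} instances (presumably so that live SSL contexts pick up the
 * change without a restart — verify against the reloadable manager implementations).
 *
 * <p>Thread-safety: the two reloadable-manager fields are written without synchronization and the
 * key-store instances are shared; callers that mutate the stores concurrently must coordinate
 * externally.
 */
public class KeyStoreManagerImpl
    extends ComponentSupport
    implements KeyStoreManager
{
    /** File name (and storage key) of the key-store holding this node's private key-pair. */
    private static final String PRIVATE_KEY_STORE_NAME = "private.ks";

    /** File name (and storage key) of the key-store holding imported trust certificates. */
    private static final String TRUSTED_KEY_STORE_NAME = "trusted.ks";

    /** Alias of the self-signed placeholder key-pair generated when the private store is new. */
    private static final String DEFAULT00_KEY_ALIAS = "__default00";

    /** Alias under which the real identity key-pair is stored and served to key managers. */
    @VisibleForTesting
    static final String PRIVATE_KEY_ALIAS = "identity";

    private final CryptoHelper crypto;

    private final KeyStoreManagerConfiguration config;

    private final KeystoreInstance privateKeyStore;

    private final KeystoreInstance trustedKeyStore;

    // Most recently created reloadable managers; replaced on every getTrustManagers()/getKeyManagers().
    private ReloadableX509TrustManager reloadableX509TrustManager;

    private ReloadableX509KeyManager reloadableX509KeyManager;

    /**
     * Opens (creating if needed) both key-stores.
     *
     * @param cryptoHelper           crypto provider handed to the file key-store instances
     * @param keyStoreStorageManager supplies the storage backing each named key-store
     * @param keyStoreManagerConfiguration passwords, algorithms and validity used for both stores
     * @throws NullPointerException if any argument is {@code null}
     * @throws RuntimeException if the default key-pair cannot be generated in a new private store
     */
    public KeyStoreManagerImpl(final CryptoHelper cryptoHelper,
                               final KeyStoreStorageManager keyStoreStorageManager,
                               final KeyStoreManagerConfiguration keyStoreManagerConfiguration)
    {
        this.crypto = Preconditions.checkNotNull(cryptoHelper);
        this.config = Preconditions.checkNotNull(keyStoreManagerConfiguration);
        Preconditions.checkNotNull(keyStoreStorageManager);
        this.privateKeyStore = initializePrivateKeyStore(
            keyStoreStorageManager.createStorage(PRIVATE_KEY_STORE_NAME));
        this.trustedKeyStore = initializeTrustedKeyStore(
            keyStoreStorageManager.createStorage(TRUSTED_KEY_STORE_NAME));
    }

    /**
     * Opens the private key-store and, if it has no key-pair under {@link #DEFAULT00_KEY_ALIAS},
     * generates a self-signed one with a fixed "Nexus / Sonatype" subject so the store is usable.
     *
     * @param keyStoreStorage storage backing {@code private.ks}
     * @return the opened key-store instance
     * @throws RuntimeException wrapping the {@link KeystoreException} if generation fails
     */
    private KeystoreInstance initializePrivateKeyStore(final KeyStoreStorage keyStoreStorage) {
        log.debug("Initializing private key-store: {}", keyStoreStorage);

        // The per-alias password map covers only the identity alias; the default alias below is
        // protected by the same private-key password passed explicitly to generateKeyPair.
        final FileKeystoreInstance keyStore = new FileKeystoreInstance(
            crypto,
            keyStoreStorage,
            PRIVATE_KEY_STORE_NAME,
            config.getPrivateKeyStorePassword(),
            config.getKeyStoreType(),
            ImmutableMap.of(PRIVATE_KEY_ALIAS, config.getPrivateKeyPassword()));

        if (!isKeyPairInstalled(keyStore, DEFAULT00_KEY_ALIAS)) {
            try {
                log.debug("Initializing private key-store");
                keyStore.generateKeyPair(
                    DEFAULT00_KEY_ALIAS,
                    config.getPrivateKeyStorePassword(),
                    config.getPrivateKeyPassword(),
                    config.getKeyAlgorithm(),
                    config.getKeyAlgorithmSize(),
                    config.getSignatureAlgorithm(),
                    config.getCertificateValidity().toDaysI(),
                    DEFAULT00_KEY_ALIAS,
                    "Nexus",
                    "Sonatype",
                    "Silver Spring",
                    "MD",
                    "US");
                log.trace("Generated default certificate:\n{}",
                    keyStore.getCertificate(DEFAULT00_KEY_ALIAS, config.getPrivateKeyStorePassword()));
            }
            catch (KeystoreException e) {
                // A private store without any key-pair is unusable; fail construction.
                // Throwables.propagate wraps the checked exception in a RuntimeException.
                log.error("Failed to install default certificate", e);
                throw Throwables.propagate(e);
            }
        }

        if (log.isTraceEnabled()) {
            try {
                final String[] aliases = keyStore.listPrivateKeys(config.getPrivateKeyStorePassword());
                if (aliases != null && aliases.length != 0) {
                    log.trace("Private key aliases:");
                    for (final String alias : aliases) {
                        log.trace("  {}", alias);
                    }
                }
            }
            catch (KeystoreException e) {
                // Diagnostic listing only; never fail initialization over it.
                log.error("Failed to list key aliases", e);
            }
        }

        log.debug("Private key-store initialized");
        return keyStore;
    }

    /**
     * Opens the trust key-store and warns if it already contains certificates (the caller
     * evidently expects a freshly initialized trust-store to be empty).
     *
     * @param keyStoreStorage storage backing {@code trusted.ks}
     * @return the opened key-store instance
     */
    private KeystoreInstance initializeTrustedKeyStore(final KeyStoreStorage keyStoreStorage) {
        log.debug("Initializing trusted key-store: {}", keyStoreStorage);

        // NOTE(review): the per-alias password map is keyed by the store name rather than a
        // certificate alias, as in the original; trust entries carry no key password, so this
        // appears inert — confirm against FileKeystoreInstance before changing.
        final FileKeystoreInstance keyStore = new FileKeystoreInstance(
            crypto,
            keyStoreStorage,
            TRUSTED_KEY_STORE_NAME,
            config.getTrustedKeyStorePassword(),
            config.getKeyStoreType(),
            ImmutableMap.of(TRUSTED_KEY_STORE_NAME, config.getTrustedKeyStorePassword()));

        logTrustedCertificateAliases(keyStore);

        try {
            if (keyStore.listTrustCertificates(config.getTrustedKeyStorePassword()).length != 0) {
                log.warn("Trusted key-store should have been empty when initialized but was not");
            }
        }
        catch (KeystoreException e) {
            // Best-effort sanity check only; record why it could not run instead of dropping it.
            log.debug("Unable to inspect trusted key-store contents during initialization", e);
        }

        log.debug("Trusted key-store initialized");
        return keyStore;
    }

    /**
     * Emits the trust-store aliases at TRACE level; a no-op unless TRACE is enabled.
     *
     * @param keystoreInstance trust key-store to inspect; must not be {@code null}
     */
    private void logTrustedCertificateAliases(final KeystoreInstance keystoreInstance) {
        assert keystoreInstance != null;

        if (!log.isTraceEnabled()) {
            return;
        }
        try {
            final String[] aliases = keystoreInstance.listTrustCertificates(config.getTrustedKeyStorePassword());
            if (aliases == null || aliases.length == 0) {
                return;
            }
            log.trace("Trusted certificate aliases:");
            for (final String alias : aliases) {
                log.trace("  {}", alias);
            }
        }
        catch (KeystoreException e) {
            // Diagnostic only; never propagate.
            log.error("Failed to list aliases", e);
        }
    }

    /**
     * Builds trust managers from the current trust-store contents and re-binds the reloadable
     * trust manager to them.
     *
     * @return the trust managers created from the trust-store
     * @throws KeystoreException if the store cannot be read or no reloadable manager can be created
     */
    @Override
    public TrustManager[] getTrustManagers() throws KeystoreException {
        final TrustManager[] trustManagers = trustedKeyStore.getTrustManager(
            config.getTrustManagerAlgorithm(),
            config.getTrustedKeyStorePassword());
        try {
            reloadableX509TrustManager =
                ReloadableX509TrustManager.replaceX509TrustManager(reloadableX509TrustManager, trustManagers);
            return trustManagers;
        }
        catch (NoSuchAlgorithmException e) {
            throw new KeystoreException("A ReloadableX509TrustManager could not be created.", e);
        }
    }

    /**
     * Builds key managers for the {@link #PRIVATE_KEY_ALIAS} identity key-pair and re-binds the
     * reloadable key manager to them.
     *
     * @return the key managers created from the private key-store
     * @throws KeystoreException if the store cannot be read or no reloadable manager can be created
     */
    @Override
    public KeyManager[] getKeyManagers() throws KeystoreException {
        final KeyManager[] keyManagers = privateKeyStore.getKeyManager(
            config.getKeyManagerAlgorithm(),
            PRIVATE_KEY_ALIAS,
            config.getPrivateKeyStorePassword());
        try {
            reloadableX509KeyManager =
                ReloadableX509KeyManager.replaceX509KeyManager(reloadableX509KeyManager, keyManagers);
            return keyManagers;
        }
        catch (NoSuchAlgorithmException e) {
            throw new KeystoreException("A ReloadableX509KeyManager could not be created.", e);
        }
    }

    /**
     * Adds a certificate to the trust-store under the given alias, replacing (with a warning) any
     * entry already stored under it, then refreshes the trust managers.
     *
     * @param certificate certificate to trust
     * @param alias       alias to store it under
     * @throws KeystoreException if the store cannot be updated
     */
    @Override
    public void importTrustCertificate(final Certificate certificate, final String alias) throws KeystoreException {
        log.debug("Importing trust certificate w/alias: {}", alias);

        // Silent overwrite of a trust anchor is worth an operator-visible record, hence WARN.
        if (trustedKeyStore.getCertificate(alias) != null) {
            log.warn("Certificate already exists in trust-store w/alias: {}; replacing certificate", alias);
            trustedKeyStore.deleteEntry(alias, config.getTrustedKeyStorePassword());
        }

        trustedKeyStore.importTrustCertificate(certificate, alias, config.getTrustedKeyStorePassword());
        logTrustedCertificateAliases(trustedKeyStore);
        getTrustManagers();
    }

    /**
     * Decodes a PEM-encoded certificate and imports it via
     * {@link #importTrustCertificate(Certificate, String)}.
     *
     * @param pem   PEM-formatted certificate text
     * @param alias alias to store it under
     * @throws KeystoreException    if the store cannot be updated
     * @throws CertificateException if the text is not a decodable certificate
     */
    @Override
    public void importTrustCertificate(final String pem, final String alias)
        throws KeystoreException, CertificateException
    {
        importTrustCertificate(CertificateUtil.decodePEMFormattedCertificate(pem), alias);
    }

    /**
     * Looks up a trusted certificate by alias.
     *
     * @param alias alias to look up; must not be {@code null}
     * @return whatever the trust-store returns for the alias
     * @throws KeystoreException    if the store cannot be read
     * @throws NullPointerException if {@code alias} is {@code null}
     */
    @Override
    public Certificate getTrustedCertificate(final String alias) throws KeystoreException {
        return trustedKeyStore.getCertificate(
            Preconditions.checkNotNull(alias, "'alias' cannot be null when looking up a trusted Certificate."),
            config.getTrustedKeyStorePassword());
    }

    /**
     * Returns every certificate in the trust-store. Aliases for which the store yields
     * {@code null} are logged and skipped rather than surfaced as {@code null} elements.
     *
     * @return a new mutable list of the trusted certificates; empty if the store lists none
     * @throws KeystoreException if the store cannot be read
     */
    @Override
    public Collection<Certificate> getTrustedCertificates() throws KeystoreException {
        final String[] aliases = trustedKeyStore.listTrustCertificates(config.getTrustedKeyStorePassword());
        if (aliases == null || aliases.length == 0) {
            return new ArrayList<>();
        }

        final ArrayList<Certificate> certificates = new ArrayList<>(aliases.length);
        for (final String alias : aliases) {
            final Certificate certificate = trustedKeyStore.getCertificate(alias);
            if (certificate == null) {
                log.warn("Trust-store reports it contains certificate for alias '{}' but certificate is null", alias);
            }
            else {
                certificates.add(certificate);
            }
        }
        return certificates;
    }

    /**
     * Deletes the trust-store entry for the alias and refreshes the trust managers.
     *
     * @param alias alias to remove
     * @throws KeystoreException if the store cannot be updated
     */
    @Override
    public void removeTrustCertificate(final String alias) throws KeystoreException {
        log.debug("Removing trust certificate w/alias: {}", alias);
        trustedKeyStore.deleteEntry(alias, config.getTrustedKeyStorePassword());
        logTrustedCertificateAliases(trustedKeyStore);
        getTrustManagers();
    }

    /**
     * Generates a new identity key-pair under {@link #PRIVATE_KEY_ALIAS} with the configured
     * algorithms and validity, then refreshes the key managers.
     *
     * @param commonName         subject CN
     * @param organizationalUnit subject OU
     * @param organization       subject O
     * @param locality           subject L
     * @param state              subject ST
     * @param country            subject C
     * @throws KeystoreException if generation or storage fails
     */
    @Override
    public void generateAndStoreKeyPair(final String commonName,
                                        final String organizationalUnit,
                                        final String organization,
                                        final String locality,
                                        final String state,
                                        final String country)
        throws KeystoreException
    {
        // NOTE(review): parameter order follows the positional generateKeyPair contract used for the
        // default certificate above (CN, OU, O, L, ST, C) — confirm against KeystoreInstance.
        privateKeyStore.generateKeyPair(
            PRIVATE_KEY_ALIAS,
            config.getPrivateKeyStorePassword(),
            config.getPrivateKeyPassword(),
            config.getKeyAlgorithm(),
            config.getKeyAlgorithmSize(),
            config.getSignatureAlgorithm(),
            config.getCertificateValidity().toDaysI(),
            commonName,
            organizationalUnit,
            organization,
            locality,
            state,
            country);
        getKeyManagers();
    }

    /**
     * Reports whether a certificate can be read for the alias; a {@link KeystoreException} from
     * the lookup is taken to mean "not installed".
     *
     * @param keystoreInstance store to probe
     * @param alias            alias to probe
     * @return {@code true} if the lookup succeeded without throwing
     */
    private boolean isKeyPairInstalled(final KeystoreInstance keystoreInstance, final String alias) {
        try {
            keystoreInstance.getCertificate(alias, config.getPrivateKeyStorePassword());
            return true;
        }
        catch (KeystoreException e) {
            log.trace("Key-pair not installed w/alias: {}", alias);
            return false;
        }
    }

    /**
     * Reports whether the identity key-pair exists. This probes {@link #PRIVATE_KEY_ALIAS}, not
     * the {@link #DEFAULT00_KEY_ALIAS} placeholder generated at construction.
     *
     * @return {@code true} if a certificate is readable under the identity alias
     */
    @Override
    public boolean isKeyPairInitialized() {
        return isKeyPairInstalled(privateKeyStore, PRIVATE_KEY_ALIAS);
    }

    /**
     * Returns the identity certificate stored under {@link #PRIVATE_KEY_ALIAS}.
     *
     * @throws KeystoreException if the store cannot be read
     */
    @Override
    public Certificate getCertificate() throws KeystoreException {
        return privateKeyStore.getCertificate(PRIVATE_KEY_ALIAS, config.getPrivateKeyStorePassword());
    }

    /**
     * Returns the identity private key stored under {@link #PRIVATE_KEY_ALIAS}. Callers hold raw
     * key material afterwards; do not log or serialize the result.
     *
     * @throws KeystoreException if the store cannot be read or the key cannot be recovered
     */
    @Override
    public PrivateKey getPrivateKey() throws KeystoreException {
        return privateKeyStore.getPrivateKey(
            PRIVATE_KEY_ALIAS,
            config.getPrivateKeyStorePassword(),
            config.getPrivateKeyPassword());
    }

    /**
     * Deletes the identity key-pair entry. Unlike the other mutators this does not refresh the
     * key managers, so previously created managers keep whatever they already loaded.
     *
     * @throws KeystoreException if the store cannot be updated
     */
    @Override
    public void removePrivateKey() throws KeystoreException {
        privateKeyStore.deleteEntry(PRIVATE_KEY_ALIAS, config.getPrivateKeyStorePassword());
    }
}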
