package org.apache.dubbo.security.cert;

import io.grpc.Channel;
import io.grpc.ClientInterceptor;
import io.grpc.Metadata;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.grpc.stub.MetadataUtils;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.StringWriter;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.ECGenParameterSpec;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.dubbo.auth.v1alpha1.DubboCertificateRequest;
import org.apache.dubbo.auth.v1alpha1.DubboCertificateResponse;
import org.apache.dubbo.auth.v1alpha1.DubboCertificateServiceGrpc;
import org.apache.dubbo.common.constants.LoggerCodeConstants;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.threadpool.manager.FrameworkExecutorRepository;
import org.apache.dubbo.common.utils.IOUtils;
import org.apache.dubbo.common.utils.StringUtils;
import org.apache.dubbo.rpc.model.FrameworkModel;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;

/* loaded from: input_file:org/apache/dubbo/security/cert/DubboCertManager.class */
public class DubboCertManager {
    private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger((Class<?>) DubboCertManager.class);
    private final FrameworkModel frameworkModel;
    protected volatile Channel channel;
    protected volatile CertPair certPair;
    protected volatile CertConfig certConfig;
    protected volatile ScheduledFuture<?> refreshFuture;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/dubbo/security/cert/DubboCertManager$KeyPair.class */
    public static class KeyPair {
        private final PublicKey publicKey;
        private final PrivateKey privateKey;
        private final ContentSigner signer;

        public KeyPair(PublicKey publicKey, PrivateKey privateKey, ContentSigner contentSigner) {
            this.publicKey = publicKey;
            this.privateKey = privateKey;
            this.signer = contentSigner;
        }

        public PublicKey getPublicKey() {
            return this.publicKey;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }

        public ContentSigner getSigner() {
            return this.signer;
        }
    }

    public DubboCertManager(FrameworkModel frameworkModel) {
        this.frameworkModel = frameworkModel;
    }

    public synchronized void connect(CertConfig certConfig) {
        if (this.channel != null) {
            logger.error(LoggerCodeConstants.INTERNAL_ERROR, "", "", "Dubbo Cert Authority server is already connected.");
            return;
        }
        if (certConfig == null || StringUtils.isEmpty(certConfig.getRemoteAddress())) {
            return;
        }
        if (StringUtils.isNotEmpty(certConfig.getEnvType()) && !"Kubernetes".equalsIgnoreCase(certConfig.getEnvType())) {
            throw new IllegalArgumentException("Only support Kubernetes env now.");
        }
        connect0(certConfig);
        this.certConfig = certConfig;
        generateCert();
        scheduleRefresh();
    }

    protected void scheduleRefresh() {
        this.refreshFuture = ((FrameworkExecutorRepository) this.frameworkModel.getBeanFactory().getBean(FrameworkExecutorRepository.class)).getSharedScheduledExecutor().scheduleAtFixedRate(this::generateCert, this.certConfig.getRefreshInterval(), this.certConfig.getRefreshInterval(), TimeUnit.MILLISECONDS);
    }

    protected void connect0(CertConfig certConfig) {
        String caCertPath = certConfig.getCaCertPath();
        String remoteAddress = certConfig.getRemoteAddress();
        logger.info("Try to connect to Dubbo Cert Authority server: " + remoteAddress + ", caCertPath: " + remoteAddress);
        try {
            if (StringUtils.isNotEmpty(caCertPath)) {
                this.channel = NettyChannelBuilder.forTarget(remoteAddress).sslContext(GrpcSslContexts.forClient().trustManager(new File(caCertPath)).build()).build();
            } else {
                logger.warn(LoggerCodeConstants.CONFIG_SSL_CONNECT_INSECURE, "", "", "No caCertPath is provided, will use insecure connection.");
                this.channel = NettyChannelBuilder.forTarget(remoteAddress).sslContext(GrpcSslContexts.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build()).build();
            }
        } catch (Exception e) {
            logger.error(LoggerCodeConstants.CONFIG_SSL_PATH_LOAD_FAILED, "", "", "Failed to load SSL cert file.", e);
            throw new RuntimeException(e);
        }
    }

    public synchronized void disConnect() {
        if (this.refreshFuture != null) {
            this.refreshFuture.cancel(true);
            this.refreshFuture = null;
        }
        if (this.channel != null) {
            this.channel = null;
        }
    }

    public boolean isConnected() {
        return (this.certConfig == null || this.channel == null || this.certPair == null) ? false : true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CertPair generateCert() {
        if (this.certPair != null && !this.certPair.isExpire()) {
            return this.certPair;
        }
        synchronized (this) {
            if (this.certPair == null || this.certPair.isExpire()) {
                try {
                    logger.info("Try to generate cert from Dubbo Certificate Authority.");
                    CertPair refreshCert = refreshCert();
                    if (refreshCert != null) {
                        this.certPair = refreshCert;
                    } else {
                        logger.error(LoggerCodeConstants.CONFIG_SSL_CERT_GENERATE_FAILED, "", "", "Generate Cert from Dubbo Certificate Authority failed.");
                    }
                } catch (Exception e) {
                    logger.error(LoggerCodeConstants.REGISTRY_FAILED_GENERATE_CERT_ISTIO, "", "", "Generate Cert from Istio failed.", e);
                }
            }
        }
        return this.certPair;
    }

    protected CertPair refreshCert() throws IOException {
        KeyPair signWithEcdsa = signWithEcdsa();
        if (signWithEcdsa == null) {
            signWithEcdsa = signWithRsa();
        }
        if (signWithEcdsa == null) {
            logger.error(LoggerCodeConstants.CONFIG_SSL_CERT_GENERATE_FAILED, "", "", "Generate Key failed. Please check if your system support.");
            return null;
        }
        String generateCsr = generateCsr(signWithEcdsa);
        DubboCertificateServiceGrpc.DubboCertificateServiceBlockingStub headerIfNeed = setHeaderIfNeed(DubboCertificateServiceGrpc.newBlockingStub(this.channel));
        String generatePrivatePemKey = generatePrivatePemKey(signWithEcdsa);
        DubboCertificateResponse createCertificate = headerIfNeed.createCertificate(generateRequest(generateCsr));
        if (createCertificate == null || !createCertificate.getSuccess()) {
            logger.error(LoggerCodeConstants.CONFIG_SSL_CERT_GENERATE_FAILED, "", "", "Failed to generate cert from Dubbo Certificate Authority. Message: " + (createCertificate == null ? "null" : createCertificate.getMessage()));
            return null;
        }
        logger.info("Successfully generate cert from Dubbo Certificate Authority. Cert expire time: " + createCertificate.getExpireTime());
        return new CertPair(generatePrivatePemKey, createCertificate.getCertPem(), String.join("\n", (Iterable<? extends CharSequence>) createCertificate.mo1228getTrustCertsList()), createCertificate.getExpireTime());
    }

    private DubboCertificateServiceGrpc.DubboCertificateServiceBlockingStub setHeaderIfNeed(DubboCertificateServiceGrpc.DubboCertificateServiceBlockingStub dubboCertificateServiceBlockingStub) throws IOException {
        String oidcTokenPath = this.certConfig.getOidcTokenPath();
        if (StringUtils.isNotEmpty(oidcTokenPath)) {
            Metadata metadata = new Metadata();
            metadata.put(Metadata.Key.of(org.apache.dubbo.auth.Constants.AUTHORIZATION_HEADER_LOWER, Metadata.ASCII_STRING_MARSHALLER), "Bearer " + IOUtils.read(new FileReader(oidcTokenPath)).replace("\n", "").replace("\t", "").replace("\r", "").trim());
            dubboCertificateServiceBlockingStub = (DubboCertificateServiceGrpc.DubboCertificateServiceBlockingStub) dubboCertificateServiceBlockingStub.withInterceptors(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(metadata)});
            logger.info("Use oidc token from " + oidcTokenPath + " to connect to Dubbo Certificate Authority.");
        } else {
            logger.warn(LoggerCodeConstants.CONFIG_SSL_CONNECT_INSECURE, "", "", "Use insecure connection to connect to Dubbo Certificate Authority. Reason: No oidc token is provided.");
        }
        return dubboCertificateServiceBlockingStub;
    }

    protected static KeyPair signWithRsa() {
        KeyPair keyPair = null;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(4096);
            java.security.KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            keyPair = new KeyPair(generateKeyPair.getPublic(), generateKeyPair.getPrivate(), new JcaContentSignerBuilder("SHA256WithRSA").build(generateKeyPair.getPrivate()));
        } catch (NoSuchAlgorithmException | OperatorCreationException e) {
            logger.error(LoggerCodeConstants.CONFIG_SSL_CERT_GENERATE_FAILED, "", "", "Generate Key with SHA256WithRSA algorithm failed. Please check if your system support.", e);
        }
        return keyPair;
    }

    protected static KeyPair signWithEcdsa() {
        KeyPair keyPair = null;
        try {
            ECGenParameterSpec eCGenParameterSpec = new ECGenParameterSpec("secp256r1");
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
            keyPairGenerator.initialize(eCGenParameterSpec, new SecureRandom());
            java.security.KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            PublicKey publicKey = generateKeyPair.getPublic();
            PrivateKey privateKey = generateKeyPair.getPrivate();
            keyPair = new KeyPair(publicKey, privateKey, new JcaContentSignerBuilder("SHA256withECDSA").build(privateKey));
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | OperatorCreationException e) {
            logger.error(LoggerCodeConstants.CONFIG_SSL_CERT_GENERATE_FAILED, "", "", "Generate Key with secp256r1 algorithm failed. Please check if your system support. Will attempt to generate with RSA2048.", e);
        }
        return keyPair;
    }

    private DubboCertificateRequest generateRequest(String str) {
        return DubboCertificateRequest.newBuilder().setCsr(str).setType("CONNECTION").m1215build();
    }

    private String generatePrivatePemKey(KeyPair keyPair) throws IOException {
        String generatePemKey = generatePemKey("RSA PRIVATE KEY", keyPair.getPrivateKey().getEncoded());
        if (logger.isDebugEnabled()) {
            logger.debug("Generated Private Key. \n" + generatePemKey);
        }
        return generatePemKey;
    }

    private String generatePemKey(String str, byte[] bArr) throws IOException {
        PemObject pemObject = new PemObject(str, bArr);
        StringWriter stringWriter = new StringWriter();
        JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter);
        jcaPEMWriter.writeObject(pemObject);
        jcaPEMWriter.close();
        stringWriter.close();
        return stringWriter.toString();
    }

    private String generateCsr(KeyPair keyPair) throws IOException {
        String generatePemKey = generatePemKey("CERTIFICATE REQUEST", new JcaPKCS10CertificationRequestBuilder(new X500Name("O=cluster.domain"), keyPair.getPublicKey()).build(keyPair.getSigner()).getEncoded());
        if (logger.isDebugEnabled()) {
            logger.debug("CSR Request to Dubbo Certificate Authorization. \n" + generatePemKey);
        }
        return generatePemKey;
    }
}
