package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.InetAddress;
import java.net.InterfaceAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.Content;
import org.apache.qpid.server.model.CustomRestHeaders;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.RestContentHeader;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.Strings;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.operator.OperatorCreationException;

/* loaded from: input_file:org/apache/qpid/server/security/AutoGeneratedSelfSignedKeyStoreImpl.class */
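/**
 * A broker {@code KeyStore} whose key pair and self-signed certificate are generated by the broker
 * itself instead of being loaded from a file.
 *
 * <p>When the object is resolved without stored key material, a fresh key pair and certificate are
 * generated; when both {@code ENCODED_PRIVATE_KEY} and {@code ENCODED_CERTIFICATE} attributes are
 * present they are decoded instead. Generated material is written back into those two attributes
 * (see {@link #saveDerivedAttributesIfNecessary()}), so the private key is held in the broker's
 * configuration in base64 form and is also readable through {@link #getEncodedPrivateKey()} on the
 * management model.
 *
 * <p>The {@code KeyManager}s handed to TLS are built from a transient in-memory key store protected
 * by a random, per-call password that is scrubbed once the factory has been initialised.
 */
public class AutoGeneratedSelfSignedKeyStoreImpl extends AbstractKeyStore<AutoGeneratedSelfSignedKeyStoreImpl>
        implements AutoGeneratedSelfSignedKeyStore<AutoGeneratedSelfSignedKeyStoreImpl> {
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Amount of random material behind the password of the transient in-memory key store. */
    private static final int IN_MEMORY_PASSWORD_BYTES = 64;

    /** Milliseconds per day as a {@code long}, so the expiry-warning product cannot overflow an int. */
    private static final long MILLIS_PER_DAY = 86_400_000L;

    /** PEM body lines are wrapped at 64 columns and separated by a bare line feed. */
    private static final int PEM_LINE_LENGTH = 64;
    private static final byte[] PEM_LINE_SEPARATOR = {'\n'};

    @ManagedAttributeField
    private volatile String _keyAlgorithm;

    @ManagedAttributeField
    private volatile String _signatureAlgorithm;

    @ManagedAttributeField
    private volatile int _keyLength;

    @ManagedAttributeField
    private volatile int _durationInMonths;

    private volatile PrivateKey _privateKey;
    private volatile X509Certificate _certificate;
    private volatile KeyManager[] _keyManagers;
    // true once a key pair was generated (rather than loaded) and not yet written back to the attributes
    private volatile boolean _generated;
    // true when this object went through onCreate() in this process, i.e. it was not recovered from storage
    private volatile boolean _created;

    /** Serves the certificate as a PEM text attachment ({@code <name>.pem}). */
    private static class CertificateContent implements Content, CustomRestHeaders {
        private final String _disposition;
        private final String _certString;

        /**
         * Renders {@code certificate} in PEM form.
         *
         * @param certificate the certificate to render
         * @param name        base name of the downloaded file
         * @throws CertificateEncodingException if the certificate cannot be encoded
         */
        public CertificateContent(final X509Certificate certificate, final String name)
                throws CertificateEncodingException {
            this._disposition = "attachment; filename=\"" + name + ".pem\"";
            // The MIME encoder wraps at 64 columns and emits no trailing separator,
            // which is exactly the layout the former hand-rolled loop produced.
            final String body = Base64.getMimeEncoder(PEM_LINE_LENGTH, PEM_LINE_SEPARATOR)
                    .encodeToString(certificate.getEncoded());
            this._certString = "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
        }

        /**
         * Writes the PEM text to {@code outputStream}. The stream is flushed but deliberately not
         * closed, since it belongs to the caller.
         */
        @Override // org.apache.qpid.server.model.Content
        public void write(final OutputStream outputStream) throws IOException {
            // PEM is pure ASCII; naming the charset avoids depending on the platform default.
            final OutputStreamWriter writer = new OutputStreamWriter(outputStream, StandardCharsets.US_ASCII);
            writer.write(this._certString);
            writer.flush();
        }

        /** Nothing to release: the content is an in-memory string. */
        @Override // org.apache.qpid.server.model.Content
        public void release() {
        }

        @RestContentHeader("Content-Type")
        public String getContentType() {
            return "text/plain";
        }

        @RestContentHeader("Content-Disposition")
        public String getContentDisposition() {
            return this._disposition;
        }
    }

    /** Serves a password-protected key store containing only the certificate ({@code <name>.jks}). */
    private static class TrustStoreContent implements Content, CustomRestHeaders {
        private final KeyStore _keyStore;
        private final char[] _password;
        private final String _disposition;

        /**
         * @param keyStore the (already populated) trust store to serialise
         * @param name     base name of the downloaded file
         * @param password password used when storing; the array is kept by reference
         */
        public TrustStoreContent(final KeyStore keyStore, final String name, final char[] password) {
            this._keyStore = keyStore;
            this._password = password;
            this._disposition = "attachment; filename=\"" + name + ".jks\"";
        }

        /**
         * Serialises the trust store to {@code outputStream}.
         *
         * @throws IOException              on write failure
         * @throws IllegalArgumentException if the key store itself cannot be stored
         */
        @Override // org.apache.qpid.server.model.Content
        public void write(final OutputStream outputStream) throws IOException {
            try {
                this._keyStore.store(outputStream, this._password);
            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new IllegalArgumentException(e);
            }
        }

        /** Nothing to release: the key store lives only in memory. */
        @Override // org.apache.qpid.server.model.Content
        public void release() {
        }

        @RestContentHeader("Content-Type")
        public String getContentType() {
            return "application/octet-stream";
        }

        @RestContentHeader("Content-Disposition")
        public String getContentDisposition() {
            return this._disposition;
        }
    }

    /**
     * Factory constructor used by the managed-object machinery.
     *
     * @param attributes the configured attributes
     * @param broker     the owning broker
     */
    @ManagedObjectFactoryConstructor(conditionallyAvailable = true)
    public AutoGeneratedSelfSignedKeyStoreImpl(final Map<String, Object> attributes, final Broker<?> broker) {
        super(attributes, broker);
    }

    /**
     * Returns a defensive copy of the key managers built in {@link #generateKeyManagers()}, or an
     * empty array if none have been built yet.
     */
    @Override // org.apache.qpid.server.model.KeyStore
    public KeyManager[] getKeyManagers() throws GeneralSecurityException {
        final KeyManager[] managers = this._keyManagers;
        if (managers == null) {
            return new KeyManager[0];
        }
        return Arrays.copyOf(managers, managers.length);
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getKeyAlgorithm() {
        return this._keyAlgorithm;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getSignatureAlgorithm() {
        return this._signatureAlgorithm;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public int getKeyLength() {
        return this._keyLength;
    }

    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public int getDurationInMonths() {
        return this._durationInMonths;
    }

    /**
     * Returns the certificate's encoded form as base64.
     *
     * @throws IllegalConfigurationException if the certificate cannot be encoded
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getEncodedCertificate() {
        try {
            return Base64.getEncoder().encodeToString(this._certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new IllegalConfigurationException("Cannot encode certificate", e);
        }
    }

    /**
     * Returns the private key's encoded form as base64. This is secret material: it is what gets
     * persisted into the object's attributes and anyone who can read this attribute holds the key.
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public String getEncodedPrivateKey() {
        return Base64.getEncoder().encodeToString(this._privateKey.getEncoded());
    }

    /**
     * Loads the stored key pair when both encoded attributes are present, otherwise generates a new
     * one; in either case the TLS key managers are then (re)built.
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void postResolve() {
        super.postResolve();
        final boolean haveStoredKeyPair =
                getActualAttributes().containsKey(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY)
                && getActualAttributes().containsKey(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE);
        if (haveStoredKeyPair) {
            loadPrivateKeyAndCertificate();
        } else {
            generatePrivateKeyAndCertificate();
        }
        generateKeyManagers();
    }

    /**
     * Decodes {@code ENCODED_PRIVATE_KEY} / {@code ENCODED_CERTIFICATE} into the key and certificate
     * fields.
     *
     * @throws IllegalConfigurationException if either attribute cannot be decoded
     */
    private void loadPrivateKeyAndCertificate() {
        final byte[] keyBytes = Strings.decodeBase64(
                (String) getActualAttributes().get(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY));
        final byte[] certificateBytes = Strings.decodeBase64(
                (String) getActualAttributes().get(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE));
        try (ByteArrayInputStream in = new ByteArrayInputStream(certificateBytes)) {
            this._certificate = (X509Certificate) SSLUtil.getCertificateFactory().generateCertificate(in);
        } catch (IOException | CertificateException e) {
            throw new IllegalConfigurationException("Could not decode certificate", e);
        }
        try {
            this._privateKey = SSLUtil.readPrivateKey(keyBytes, this._keyAlgorithm);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalConfigurationException("Could not decode private key", e);
        }
    }

    /** Records that this object was created in this process rather than recovered from storage. */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onCreate() {
        super.onCreate();
        this._created = true;
    }

    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onOpen() {
        super.onOpen();
        initializeExpiryChecking();
    }

    /**
     * Moves the object to {@code ACTIVE}. For recovered objects (not created in this process) any
     * freshly generated key material is written back to the attributes first.
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.STOPPED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> activate() {
        if (!this._created) {
            saveDerivedAttributesIfNecessary();
        }
        setState(State.ACTIVE);
        return Futures.immediateFuture(null);
    }

    /**
     * If the current key pair was generated (not loaded), stores its base64 encodings in the
     * {@code ENCODED_CERTIFICATE} and {@code ENCODED_PRIVATE_KEY} attributes and clears the
     * generated flag so this happens only once per generation.
     */
    private void saveDerivedAttributesIfNecessary() {
        if (!this._generated) {
            return;
        }
        final String encodedCertificate = getEncodedCertificate();
        attributeSet(AutoGeneratedSelfSignedKeyStore.ENCODED_CERTIFICATE, encodedCertificate, encodedCertificate);
        final String encodedPrivateKey = getEncodedPrivateKey();
        attributeSet(AutoGeneratedSelfSignedKeyStore.ENCODED_PRIVATE_KEY, encodedPrivateKey, encodedPrivateKey);
        this._generated = false;
    }

    /**
     * Generates a new key pair and a self-signed certificate ({@code CN=Qpid}) whose subject
     * alternative names cover every address, and every resolvable host name, of the local network
     * interfaces. Validity runs from now for {@code durationInMonths} months.
     *
     * @throws IllegalConfigurationException if interfaces cannot be enumerated or generation fails
     */
    private void generatePrivateKeyAndCertificate() {
        try {
            final Set<InetAddress> addresses = Collections.list(NetworkInterface.getNetworkInterfaces()).stream()
                    .flatMap(networkInterface -> networkInterface.getInterfaceAddresses().stream())
                    .map(InterfaceAddress::getAddress)
                    .collect(Collectors.toSet());
            final Set<String> hostNames = addresses.stream()
                    .map(AutoGeneratedSelfSignedKeyStoreImpl::hostNameOf)
                    .filter(Objects::nonNull)
                    .collect(Collectors.toSet());
            final long notBefore = Instant.now().toEpochMilli();
            // Do the month arithmetic on a UTC wall clock; taking LocalDateTime.now() in the default
            // zone and then reading it as UTC shifts the expiry by the zone offset.
            final long notAfter = LocalDateTime.now(ZoneOffset.UTC)
                    .plusMonths(this._durationInMonths)
                    .toInstant(ZoneOffset.UTC)
                    .toEpochMilli();
            final SSLUtil.KeyCertPair keyCertPair = SSLUtil.generateSelfSignedCertificate(
                    this._keyAlgorithm,
                    this._signatureAlgorithm,
                    this._keyLength,
                    notBefore,
                    notAfter,
                    "CN=Qpid",
                    hostNames,
                    addresses);
            this._privateKey = keyCertPair.getPrivateKey();
            this._certificate = keyCertPair.getCertificate();
            this._generated = true;
        } catch (SocketException | NoSuchAlgorithmException | OperatorCreationException
                 | CertificateException | CertIOException e) {
            throw new IllegalConfigurationException("Unable to construct keystore", e);
        }
    }

    /** Host name for a SAN entry: the plain host name, falling back to the canonical one. */
    private static String hostNameOf(final InetAddress address) {
        final String hostName = address.getHostName();
        return hostName != null ? hostName : address.getCanonicalHostName();
    }

    @Override // org.apache.qpid.server.security.AbstractKeyStore, org.apache.qpid.server.model.KeyStore
    public List<CertificateDetails> getCertificateDetails() {
        return List.of(new CertificateDetailsImpl(this._certificate, getName()));
    }

    /**
     * Warns if the certificate expires within the configured warn period (in days). Disabled when
     * the period is not positive.
     */
    @Override // org.apache.qpid.server.security.AbstractKeyStore
    protected void checkCertificateExpiry() {
        final int warnPeriodDays = getCertificateExpiryWarnPeriod();
        if (warnPeriodDays > 0) {
            final long now = System.currentTimeMillis();
            // long multiplication: an int product overflows once the period exceeds 24 days
            final Date warnThreshold = new Date(now + MILLIS_PER_DAY * warnPeriodDays);
            checkCertificatesExpiry(now, warnThreshold, new X509Certificate[]{this._certificate});
        }
    }

    @Override // org.apache.qpid.server.security.AbstractKeyStore
    protected Collection<Certificate> getCertificates() {
        return Collections.singleton(this._certificate);
    }

    /**
     * Builds the TLS key managers from a transient in-memory key store holding the private key and
     * certificate under alias {@code "1"}. The store is protected with a random password that is
     * scrubbed once the factory is initialised; the store itself is never persisted.
     *
     * @throws IllegalConfigurationException if the key store or factory cannot be set up
     */
    private void generateKeyManagers() {
        final byte[] randomBytes = new byte[IN_MEMORY_PASSWORD_BYTES];
        RANDOM.nextBytes(randomBytes);
        // Base64 keeps the password printable ASCII. (Decoding the bytes into a zero-length
        // array, as before, discarded them and left the password empty.)
        final char[] password = Base64.getEncoder().encodeToString(randomBytes).toCharArray();
        try {
            final KeyStore inMemoryKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            inMemoryKeyStore.load(null, password);
            inMemoryKeyStore.setKeyEntry("1", this._privateKey, password, new X509Certificate[]{this._certificate});
            final KeyManagerFactory keyManagerFactory =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(inMemoryKeyStore, password);
            this._keyManagers = keyManagerFactory.getKeyManagers();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load private key or certificate(s): " + e, e);
        } finally {
            // The factory has been initialised (it keeps its own copy of the password);
            // do not leave ours lying around on the heap.
            Arrays.fill(password, '\0');
            Arrays.fill(randomBytes, (byte) 0);
        }
    }

    /** Whether certificate generation is supported in this runtime. */
    public static boolean isAvailable() {
        return SSLUtil.canGenerateCerts();
    }

    /** Replaces the key pair and certificate with freshly generated ones and persists them. */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public void regenerateCertificate() {
        generatePrivateKeyAndCertificate();
        saveDerivedAttributesIfNecessary();
    }

    /**
     * Builds a downloadable trust store containing only this object's certificate.
     *
     * @param password password to protect the store with; {@code null} means an empty password
     * @throws IllegalArgumentException if the store cannot be created
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public Content getClientTrustStore(final String password) {
        try {
            final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            trustStore.setCertificateEntry(getName(), this._certificate);
            final char[] storePassword = password == null ? new char[0] : password.toCharArray();
            return new TrustStoreContent(trustStore, getName(), storePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Returns the certificate as downloadable PEM content.
     *
     * @throws IllegalArgumentException if the certificate cannot be encoded
     */
    @Override // org.apache.qpid.server.security.AutoGeneratedSelfSignedKeyStore
    public Content getCertificate() {
        try {
            return new CertificateContent(this._certificate, getName());
        } catch (CertificateEncodingException e) {
            // Keep the cause attached; the previous message ("Cannot decode encode ...") dropped it.
            throw new IllegalArgumentException("Cannot encode the certificate", e);
        }
    }
}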
