package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.StringUtil;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;

/* loaded from: input_file:org/apache/qpid/server/security/FileTrustStoreImpl.class */
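/**
 * Trust store backed by a key store that is loaded from a URL (a file location or an inline
 * {@code data:} URL).
 *
 * <p>The store is loaded with the configured type and password, turned into {@link TrustManager}s
 * and a certificate map, and both are published through volatile fields so that readers always see
 * a fully built value. When {@code peersOnly} is set, every {@link X509TrustManager} is wrapped in
 * a {@link QpidPeersOnlyTrustManager}.
 *
 * <p>Error messages built here use the elided store URL or the object name; none of them include
 * the store password.
 */
public class FileTrustStoreImpl extends AbstractTrustStore<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl> {

    /** Key store type passed to the key store loader. */
    @ManagedAttributeField
    private volatile String _trustStoreType;

    /** Algorithm name handed to {@link TrustManagerFactory#getInstance(String)} during validation. */
    @ManagedAttributeField
    private volatile String _trustManagerFactoryAlgorithm;

    /** Location of the key store; {@link #postSetStoreUrl()} runs after the framework sets it. */
    @ManagedAttributeField(afterSet = "postSetStoreUrl")
    private volatile String _storeUrl;

    /** Copy of the store URL, or {@code null} when the URL is unset or a {@code data:} URL. */
    private volatile String _path;

    /** When true, X509 trust managers are wrapped in {@link QpidPeersOnlyTrustManager}. */
    @ManagedAttributeField
    private volatile boolean _peersOnly;

    // Key store password. It is held as a String and returned as-is by getPassword(); keep it out
    // of log and exception messages.
    @ManagedAttributeField
    private volatile String _password;

    /** Trust managers built by the last successful {@link #initialize()}. */
    private volatile TrustManager[] _trustManagers;

    /** Unmodifiable alias-to-certificate map built by the last successful {@link #initialize()}. */
    private volatile Map<String, Certificate> _certificates;

    /**
     * Creates the trust store with an empty certificate map; the key store itself is loaded later
     * by {@link #initialize()}.
     *
     * @param map attribute values passed to the superclass constructor
     * @param broker the owning broker
     */
    @ManagedObjectFactoryConstructor
    public FileTrustStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(map, broker);
        this._certificates = Map.of();
    }

    /**
     * Validates the configured key store and requires the object to be durable.
     *
     * @throws IllegalConfigurationException if the key store cannot be loaded or is unusable
     * @throws IllegalArgumentException if the object is not durable
     */
    @Override // org.apache.qpid.server.security.AbstractTrustStore, org.apache.qpid.server.model.AbstractConfiguredObject
    public void onValidate() {
        super.onValidate();
        validateTrustStore(this);
        if (!isDurable()) {
            throw new IllegalArgumentException(getClass().getSimpleName() + " must be durable");
        }
    }

    /**
     * Starts expiry checking and moves the object to {@link State#ACTIVE}.
     *
     * @return an already completed future
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        initializeExpiryChecking();
        setState(State.ACTIVE);
        // An untyped null lets the compiler infer ListenableFuture<Void>; casting it to Object
        // would produce a ListenableFuture<Object>, which does not match the return type.
        return Futures.immediateFuture(null);
    }

    /**
     * Validates a proposed attribute change by loading the key store described by the proxy.
     * A change whose desired state is {@link State#DELETED} skips the key store check.
     *
     * @param configuredObject proxy carrying the proposed attribute values
     * @param set names of the attributes being changed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.security.AbstractTrustStore, org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        final FileTrustStore<?> proposed = (FileTrustStore<?>) configuredObject;
        final boolean deleting = set.contains(ConfiguredObject.DESIRED_STATE)
                && proposed.getDesiredState() == State.DELETED;
        if (!deleting) {
            validateTrustStore(proposed);
        }
    }

    /** Loads the key store when the object is opened. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onOpen() {
        super.onOpen();
        initialize();
    }

    /**
     * Applies the attribute change and rebuilds the trust material when any attribute that affects
     * it (URL, password, store type, factory algorithm, peers-only flag) was part of the change.
     *
     * @param map the changed attributes
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.security.AbstractTrustStore, org.apache.qpid.server.model.AbstractConfiguredObject
    public void changeAttributes(Map<String, Object> map) {
        super.changeAttributes(map);
        final boolean trustMaterialChanged = map.containsKey("storeUrl")
                || map.containsKey("password")
                || map.containsKey(FileTrustStore.TRUST_STORE_TYPE)
                || map.containsKey(FileTrustStore.TRUST_MANAGER_FACTORY_ALGORITHM)
                || map.containsKey(FileTrustStore.PEERS_ONLY);
        if (trustMaterialChanged) {
            initialize();
        }
    }

    /**
     * Loads the key store described by the given trust store configuration.
     *
     * @param fileTrustStore source of the URL, password and store type
     * @return the loaded key store
     * @throws GeneralSecurityException if the key store cannot be created or read
     * @throws IOException if the store data cannot be read
     */
    private static KeyStore initializeKeyStore(FileTrustStore<?> fileTrustStore) throws GeneralSecurityException, IOException {
        return SSLUtil.getInitializedKeyStore(
                getUrlFromString(fileTrustStore.getStoreUrl()),
                fileTrustStore.getPassword(),
                fileTrustStore.getTrustStoreType());
    }

    /**
     * Checks that the key store can be loaded, holds at least one certificate entry, and that the
     * configured trust manager factory algorithm is available.
     *
     * @param fileTrustStore configuration to check
     * @throws IllegalConfigurationException if any of the checks fails
     */
    private static void validateTrustStore(FileTrustStore<?> fileTrustStore) {
        // The URL is passed through StringUtil.elideDataUrl before it appears in any message;
        // presumably this keeps inline data: URL content out of error text (confirm in StringUtil).
        final String loggableStoreUrl = StringUtil.elideDataUrl(fileTrustStore.getStoreUrl());
        try {
            final KeyStore keyStore = initializeKeyStore(fileTrustStore);
            if (!containsCertificateEntry(keyStore)) {
                throw new IllegalConfigurationException(String.format("Trust store '%s' must contain at least one certificate.", loggableStoreUrl));
            }
        } catch (UnrecoverableKeyException e) {
            // Must precede the GeneralSecurityException handler: UnrecoverableKeyException is a
            // subclass of it, so the reverse order makes this branch unreachable.
            throw new IllegalConfigurationException(String.format("Check trust store password. Cannot instantiate trust store from '%s'.", loggableStoreUrl), e);
        } catch (IOException | GeneralSecurityException e) {
            // KeyStore.load reports a wrong password as an IOException whose cause is an
            // UnrecoverableKeyException, so that case gets the password hint as well.
            final String format = e.getCause() instanceof UnrecoverableKeyException
                    ? "Check trust store password. Cannot instantiate trust store from '%s'."
                    : "Cannot instantiate trust store from '%s'.";
            throw new IllegalConfigurationException(String.format(format, loggableStoreUrl), e);
        }

        try {
            TrustManagerFactory.getInstance(fileTrustStore.getTrustManagerFactoryAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the provider lookup failure stays visible in the stack trace.
            throw new IllegalConfigurationException(String.format("Unknown trustManagerFactoryAlgorithm '%s'", fileTrustStore.getTrustManagerFactoryAlgorithm()), e);
        }
    }

    /**
     * Reports whether the key store holds at least one certificate entry.
     *
     * @param keyStore a loaded key store
     * @return true as soon as one alias is a certificate entry
     * @throws KeyStoreException if the key store has not been loaded
     */
    private static boolean containsCertificateEntry(KeyStore keyStore) throws KeyStoreException {
        final Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            if (keyStore.isCertificateEntry(aliases.nextElement())) {
                return true;
            }
        }
        return false;
    }

    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getStoreUrl() {
        return this._storeUrl;
    }

    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getPath() {
        return this._path;
    }

    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getTrustManagerFactoryAlgorithm() {
        return this._trustManagerFactoryAlgorithm;
    }

    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getTrustStoreType() {
        return this._trustStoreType;
    }

    @Override // org.apache.qpid.server.security.FileTrustStore
    public boolean isPeersOnly() {
        return this._peersOnly;
    }

    /** Returns the key store password exactly as stored; callers must not log it. */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getPassword() {
        return this._password;
    }

    /**
     * Replaces the stored password. The key store is not reloaded here; that happens on
     * {@link #reload()} or on an attribute change that includes the password.
     */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public void setPassword(String str) {
        this._password = str;
    }

    /** Reloads the key store and rebuilds the trust managers and certificate map. */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public void reload() {
        initialize();
    }

    /**
     * Returns a copy of the current trust managers, so callers cannot alter the published array.
     *
     * @throws IllegalStateException if no trust managers have been built
     */
    @Override // org.apache.qpid.server.security.AbstractTrustStore
    protected TrustManager[] getTrustManagersInternal() {
        final TrustManager[] current = this._trustManagers;
        if (current == null || current.length == 0) {
            throw new IllegalStateException("Truststore " + this + " defines no trust managers");
        }
        return Arrays.copyOf(current, current.length);
    }

    /** Returns the certificates of the last successfully loaded key store as a new array. */
    @Override // org.apache.qpid.server.model.TrustStore
    public Certificate[] getCertificates() {
        return this._certificates.values().toArray(new Certificate[0]);
    }

    /**
     * Returns details for every X.509 certificate in the store; entries of other certificate
     * types are skipped.
     */
    @Override // org.apache.qpid.server.security.AbstractTrustStore, org.apache.qpid.server.model.TrustStore
    public List<CertificateDetails> getCertificateDetails() {
        // Read the volatile field once so the emptiness check and the stream use the same map.
        final Map<String, Certificate> certificates = this._certificates;
        if (certificates.isEmpty()) {
            return Collections.emptyList();
        }
        return certificates.entrySet().stream()
                .filter(entry -> entry.getValue() instanceof X509Certificate)
                .<CertificateDetails>map(entry -> new CertificateDetailsImpl((X509Certificate) entry.getValue(), entry.getKey()))
                .collect(Collectors.toList());
    }

    /**
     * Invoked after the store URL attribute is set (see the {@code afterSet} value on
     * {@code _storeUrl}). The path mirrors the URL unless the URL is unset or a {@code data:} URL.
     */
    private void postSetStoreUrl() {
        final String storeUrl = this._storeUrl;
        this._path = (storeUrl == null || storeUrl.startsWith("data:")) ? null : storeUrl;
    }

    /**
     * Loads the key store and publishes new trust managers and certificates.
     *
     * <p>Both values are built before either field is written, so a failure leaves the previously
     * published trust material in place. The two fields are written one after the other, so a
     * concurrent reader can briefly see the new trust managers together with the old certificates.
     *
     * @throws IllegalConfigurationException if the key store cannot be loaded or used
     */
    @Override // org.apache.qpid.server.security.AbstractTrustStore
    protected void initialize() {
        try {
            final KeyStore keyStore = initializeKeyStore(this);
            final TrustManager[] trustManagers = createTrustManagers(keyStore);
            final Map<String, Certificate> certificates = Collections.unmodifiableMap(SSLUtil.getCertificates(keyStore));
            this._trustManagers = trustManagers;
            this._certificates = certificates;
        } catch (Exception e) {
            throw new IllegalConfigurationException(String.format("Cannot instantiate trust store '%s'", getName()), e);
        }
    }

    /**
     * Builds the trust managers for the key store, applying the peers-only wrapper when enabled.
     *
     * <p>NOTE(review): a trust manager that is not an {@link X509TrustManager} is passed through
     * unwrapped even when {@code peersOnly} is set, so the peers-only restriction does not cover
     * it. Confirm whether the configured factory algorithm can produce such a manager.
     *
     * @param keyStore the loaded key store
     * @return the trust managers to publish, never empty
     * @throws KeyStoreException if the trust managers cannot be derived from the key store
     * @throws IllegalStateException if the key store yields no trust managers
     */
    private TrustManager[] createTrustManagers(KeyStore keyStore) throws KeyStoreException {
        final TrustManager[] delegates = getTrustManagers(keyStore);
        if (delegates.length == 0) {
            throw new IllegalStateException("Truststore " + this + " defines no trust managers");
        }
        if (delegates.length == 1) {
            if (this._peersOnly && delegates[0] instanceof X509TrustManager) {
                return new TrustManager[] {new QpidPeersOnlyTrustManager(keyStore, (X509TrustManager) delegates[0])};
            }
            return delegates;
        }

        // Several managers: the X509 ones are combined into one QpidMultipleTrustManager, the
        // others are kept as separate entries ahead of it.
        final List<TrustManager> result = new ArrayList<>();
        final QpidMultipleTrustManager combined = new QpidMultipleTrustManager();
        for (TrustManager delegate : delegates) {
            if (!(delegate instanceof X509TrustManager)) {
                result.add(delegate);
            } else if (this._peersOnly) {
                combined.addTrustManager(new QpidPeersOnlyTrustManager(keyStore, (X509TrustManager) delegate));
            } else {
                combined.addTrustManager((X509TrustManager) delegate);
            }
        }
        if (!combined.isEmpty()) {
            result.add(combined);
        }
        return result.toArray(new TrustManager[0]);
    }

    static {
        // Presumably registers the URL stream handler for data: URLs so store URLs of that form
        // can be opened (the Handler class lives in the urlstreamhandler.data package).
        Handler.register();
    }
}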
