package org.graylog.security.certutil;

import com.github.rvesse.airline.annotations.Command;
import com.github.rvesse.airline.annotations.Option;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import org.apache.logging.log4j.util.Strings;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.graylog.security.certutil.console.CommandLineConsole;
import org.graylog.security.certutil.console.SystemConsole;
import org.graylog2.bootstrap.CliCommand;
import org.graylog2.plugin.Tools;
import org.graylog2.shared.SuppressForbidden;

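@Command(name = "http", description = "Manage certificates for data-node", groupNames = {"certutil"})
/* loaded from: input_file:org/graylog/security/certutil/CertutilHttp.class */
/**
 * CLI command ({@code certutil http}) that produces the TLS material a data node uses for its
 * HTTP (REST API) listener.
 *
 * <p>Two modes are offered interactively:
 * <ul>
 *   <li>external CA: a fresh key pair is generated and a PKCS#10 CSR is written to
 *       {@value #CSR_FILENAME} for signing elsewhere;</li>
 *   <li>built-in CA: the key and certificates are read from the CA keystore
 *       ({@code --ca}), a certificate with the requested subject alternative names and
 *       validity is issued, and key plus chain are stored under {@link #DATANODE_KEY_ALIAS}
 *       in a new PKCS#12 keystore ({@code --keystore}).</li>
 * </ul>
 *
 * <p>All input (passwords, validity, alternative names) is read from the injected
 * {@link CommandLineConsole}. Password buffers are zeroed once the keystores no longer
 * need them. Any failure is rethrown as a {@link RuntimeException} carrying the cause.
 */
public class CertutilHttp implements CliCommand {
    /** Alias under which the generated HTTP key entry is stored in the node keystore. */
    public static final String DATANODE_KEY_ALIAS = "datanode";

    /** Alias of the CA key/certificate entry expected in the CA keystore. */
    private static final String CA_KEY_ALIAS = "ca";
    /** Alias of the root certificate entry expected in the CA keystore. */
    private static final String ROOT_CERT_ALIAS = "root";
    /** Keystore format used for both the CA keystore and the generated HTTP keystore. */
    private static final String KEYSTORE_TYPE = "PKCS12";
    /** Common name used for every certificate this command issues. */
    private static final String CERT_CN = "localhost";
    /** File the certificate signing request is written to in external-CA mode. */
    private static final String CSR_FILENAME = "datanode.csr";

    @Option(name = {"--ca"}, description = "Filename for the CA keystore")
    protected String caKeystoreFilename = "datanode-ca.p12";

    @Option(name = {"--keystore"}, description = "Filename for the generated HTTP keystore")
    protected String nodeKeystoreFilename = "datanode-http-certificates.p12";

    private final CommandLineConsole console;

    /** Creates the command with the default file names, reading from the system console. */
    public CertutilHttp() {
        this.console = new SystemConsole();
    }

    /**
     * Creates the command with explicit file names and console (used by callers that drive
     * the command programmatically).
     *
     * @param caKeystoreFilename   path of the PKCS#12 keystore holding the CA key and certificates
     * @param nodeKeystoreFilename path of the PKCS#12 keystore to write the HTTP key entry to
     * @param console              console used for all prompts and output
     */
    public CertutilHttp(String caKeystoreFilename, String nodeKeystoreFilename, CommandLineConsole console) {
        this.caKeystoreFilename = caKeystoreFilename;
        this.nodeKeystoreFilename = nodeKeystoreFilename;
        this.console = console;
    }

    /**
     * Runs the interactive flow: asks whether an external CA is used and either writes a CSR
     * or issues a certificate signed by the CA in {@link #caKeystoreFilename}.
     *
     * @throws RuntimeException wrapping any I/O, keystore or certificate failure
     */
    @Override
    @SuppressForbidden("DNS Lookup intentional.")
    public void run() {
        console.printLine("This tool will generate a data-node certificate for HTTP communication (REST API)");
        if (console.readBoolean("Do you want to use your own certificate authority? Respond with y/n?")) {
            writeCsr();
        } else {
            generateSignedCertificate();
        }
    }

    /** Generates a fresh key pair and writes a PKCS#10 CSR for it to {@value #CSR_FILENAME}. */
    private void writeCsr() {
        try {
            console.printLine("Generating certificate signing request for this datanode");
            final KeyPair keyPair = CertificateGenerator.generate(CertRequest.selfSigned(CERT_CN));
            // NOTE(review): the private key behind this CSR is not persisted anywhere here, so a
            // certificate issued for it cannot be installed later — confirm how the caller expects
            // the key to be stored.
            final PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(
                    new X500Principal("CN=Requested Test Certificate"), keyPair.publicKey())
                    .build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.privateKey()));
            final Path csrPath = Path.of(CSR_FILENAME);
            writePem(csrPath, csr);
            console.printLine("CSR written to file " + csrPath.toAbsolutePath());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads the CA key and certificates, issues the HTTP certificate and stores key plus chain
     * ({@code node, ca, root}) in {@link #nodeKeystoreFilename}.
     */
    private void generateSignedCertificate() {
        console.printLine("Generating a HTTP certificate signed by the datanode CA");
        console.printLine("Using certificate authority " + Path.of(caKeystoreFilename).toAbsolutePath());
        try {
            final char[] caPassword = console.readPassword("Enter CA password: ");
            final KeyStore caKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
            final PrivateKey caPrivateKey;
            // try-with-resources: the CA keystore stream was previously left open.
            try (FileInputStream caStream = new FileInputStream(caKeystoreFilename)) {
                caKeystore.load(caStream, caPassword);
                caPrivateKey = (PrivateKey) caKeystore.getKey(CA_KEY_ALIAS, caPassword);
            } finally {
                // The CA password is only needed to open the keystore; drop it from memory now.
                wipe(caPassword);
            }
            final X509Certificate caCertificate = (X509Certificate) caKeystore.getCertificate(CA_KEY_ALIAS);
            final X509Certificate rootCertificate = (X509Certificate) caKeystore.getCertificate(ROOT_CERT_ALIAS);
            // getKey/getCertificate return null for a missing alias; fail with a clear message
            // instead of a NullPointerException or a chain containing null.
            if (caPrivateKey == null || caCertificate == null || rootCertificate == null) {
                throw new IllegalStateException("CA keystore " + caKeystoreFilename
                        + " must contain a key entry '" + CA_KEY_ALIAS
                        + "' and a certificate entry '" + ROOT_CERT_ALIAS + "'");
            }
            final KeyPair caKeyPair = new KeyPair(caPrivateKey, null, caCertificate);

            final int validityDays = console.readInt("Enter certificate validity in days: ");
            final CertRequest certRequest = CertRequest.signed(CERT_CN, caKeyPair)
                    .withSubjectAlternativeName(CERT_CN)
                    .withSubjectAlternativeName(Tools.getLocalHostname())
                    // NOTE(review): String.valueOf(InetAddress) yields "hostname/address"; confirm
                    // CertRequest expects that form rather than getHostAddress() — kept as before.
                    .withSubjectAlternativeName(String.valueOf(InetAddress.getLocalHost()))
                    .validity(Duration.ofDays(validityDays));
            final String altNames = console.readLine("Enter alternative names (addresses) of this node [comma separated]: ");
            // Strip surrounding whitespace so "a, b" does not produce a SAN with a leading space.
            Arrays.stream(altNames.split(","))
                    .map(String::strip)
                    .filter(Strings::isNotBlank)
                    .forEach(certRequest::withSubjectAlternativeName);

            console.printLine(String.format(Locale.ROOT,
                    "Generating certificate for CN=%s, with validity %d days and subject alternative names %s",
                    CERT_CN, certRequest.validity().toDays(), certRequest.subjectAlternativeNames()));
            final KeyPair nodeKeyPair = CertificateGenerator.generate(certRequest);
            console.printLine("Successfully generated CA from the keystore");

            final KeyStore nodeKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
            nodeKeystore.load(null, null);
            final char[] nodePassword = console.readPassword("Enter HTTP certificate password: ");
            try {
                nodeKeystore.setKeyEntry(DATANODE_KEY_ALIAS, nodeKeyPair.privateKey(), nodePassword,
                        new X509Certificate[]{nodeKeyPair.certificate(), caKeyPair.certificate(), rootCertificate});
                final Path nodeKeystorePath = Path.of(nodeKeystoreFilename);
                // try-with-resources: the output stream was previously only closed on success.
                // NOTE(review): the file holds a private key but is created with default
                // permissions — consider restricting access after writing.
                try (FileOutputStream out = new FileOutputStream(nodeKeystorePath.toFile())) {
                    nodeKeystore.store(out, nodePassword);
                }
                console.printLine("Private key and certificate for this datanode HTTP successfully saved into "
                        + nodeKeystorePath.toAbsolutePath());
            } finally {
                wipe(nodePassword);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Writes {@code obj} to {@code path} in PEM encoding; the writer is closed (and therefore
     * flushed) even if encoding fails.
     *
     * @param path file to write, created or truncated
     * @param obj  object understood by {@link JcaPEMWriter} (here a {@link PKCS10CertificationRequest})
     * @throws IOException if the file cannot be written
     */
    private static void writePem(Path path, Object obj) throws IOException {
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(path.toFile(), StandardCharsets.UTF_8))) {
            pemWriter.writeObject(obj);
        }
    }

    /** Overwrites a password buffer with zeros; tolerates {@code null}. */
    private static void wipe(char[] secret) {
        if (secret != null) {
            Arrays.fill(secret, '\0');
        }
    }
}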
