package org.graylog.security.certutil;

import com.github.rvesse.airline.annotations.Command;
import com.github.rvesse.airline.annotations.Option;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.graylog.security.certutil.console.CommandLineConsole;
import org.graylog.security.certutil.console.SystemConsole;
import org.graylog2.bootstrap.CliCommand;
import org.graylog2.plugin.Tools;

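@Command(name = "cert", description = "Manage certificates for data-node", groupNames = {"certutil"})
/* loaded from: input_file:org/graylog/security/certutil/CertutilCert.class */
/**
 * CLI command that issues a transport certificate for this data node, signed by a CA
 * stored in a PKCS#12 keystore, and writes the resulting private key and certificate
 * chain into a new, password-protected PKCS#12 keystore.
 *
 * <p>The CA keystore is expected to hold a private-key entry under alias {@code "ca"} and the
 * CA's issuer certificate under alias {@code "root"}; the same password is used to open the
 * keystore and to unlock the {@code "ca"} key entry. Both passwords are read from the
 * injected {@link CommandLineConsole} and wiped from memory once they are no longer needed.
 */
public class CertutilCert implements CliCommand {

    /** Alias of the node key entry in the generated keystore; kept for existing callers. */
    @Deprecated
    public static final String DATANODE_KEY_ALIAS = "datanode";

    /** Default filename of the CA keystore read by this command. */
    private static final String DEFAULT_CA_KEYSTORE_FILENAME = "datanode-ca.p12";
    /** Default filename of the node keystore written by this command. */
    private static final String DEFAULT_NODE_KEYSTORE_FILENAME = "datanode-transport-certificates.p12";
    /** Alias of the CA private-key/certificate entry in the CA keystore. */
    private static final String CA_KEY_ALIAS = "ca";
    /** Alias of the root (issuer of the CA) certificate in the CA keystore. */
    private static final String ROOT_CERT_ALIAS = "root";
    /** Lifetime of the issued node certificate. */
    private static final Duration NODE_CERT_VALIDITY = Duration.ofDays(3650L);

    @Option(name = {"--ca"}, description = "Filename for the CA keystore")
    protected String caKeystoreFilename;

    @Option(name = {"--keystore"}, description = "Filename for the generated keystore")
    protected String nodeKeystoreFilename;
    private final CommandLineConsole console;
    public static final CommandLineConsole.Prompt PROMPT_ENTER_CA_PASSWORD = CommandLineConsole.prompt("Enter CA password: ");
    public static final CommandLineConsole.Prompt PROMPT_ENTER_CERT_ALTERNATIVE_NAMES = CommandLineConsole.prompt("Enter alternative names (addresses) of this node [comma separated]: ");
    public static final CommandLineConsole.Prompt PROMPT_ENTER_CERTIFICATE_PASSWORD = CommandLineConsole.prompt("Enter datanode certificate password: ");

    /** Creates the command with the default keystore filenames and the system console. */
    public CertutilCert() {
        this.caKeystoreFilename = DEFAULT_CA_KEYSTORE_FILENAME;
        this.nodeKeystoreFilename = DEFAULT_NODE_KEYSTORE_FILENAME;
        this.console = new SystemConsole();
    }

    /**
     * Creates the command with explicit keystore filenames and console (used by tests).
     *
     * @param str                filename of the CA keystore to read
     * @param str2               filename of the node keystore to write
     * @param commandLineConsole console used for output and for reading passwords/input
     */
    public CertutilCert(String str, String str2, CommandLineConsole commandLineConsole) {
        this.caKeystoreFilename = str;
        this.nodeKeystoreFilename = str2;
        this.console = commandLineConsole;
    }

    /**
     * Generates a key pair and CA-signed certificate for this node and stores them in the
     * node keystore under {@link #DATANODE_KEY_ALIAS} with the chain {@code [node, ca, root]}.
     *
     * <p>Console interaction order: CA password, extra subject alternative names, node
     * keystore password. Any failure is rethrown as an unchecked exception.
     *
     * @throws RuntimeException wrapping any I/O, keystore, certificate or generation error,
     *                          including a missing {@code "ca"} key or {@code "root"} certificate
     */
    @Override // java.lang.Runnable
    public void run() {
        this.console.printLine("This tool will generate a data-node certificate signed by provided certificate authority");
        Path caKeystorePath = Path.of(this.caKeystoreFilename);
        this.console.printLine("Using certificate authority " + caKeystorePath.toAbsolutePath());
        try {
            KeyPair caKeyPair;
            X509Certificate rootCertificate;
            char[] caPassword = this.console.readPassword(PROMPT_ENTER_CA_PASSWORD);
            try {
                KeyStore caKeystore = loadKeystore(caKeystorePath, caPassword);
                // The keystore password doubles as the key-entry password for the "ca" alias.
                Key caKey = caKeystore.getKey(CA_KEY_ALIAS, caPassword);
                X509Certificate caCertificate = (X509Certificate) caKeystore.getCertificate(CA_KEY_ALIAS);
                rootCertificate = (X509Certificate) caKeystore.getCertificate(ROOT_CERT_ALIAS);
                // Fail with a clear message instead of a bare NPE/ClassCastException later on.
                if (!(caKey instanceof PrivateKey)) {
                    throw new KeyStoreException("No private key entry with alias '" + CA_KEY_ALIAS + "' found in " + caKeystorePath.toAbsolutePath());
                }
                if (caCertificate == null || rootCertificate == null) {
                    throw new KeyStoreException("Keystore " + caKeystorePath.toAbsolutePath() + " must contain certificates with aliases '" + CA_KEY_ALIAS + "' and '" + ROOT_CERT_ALIAS + "'");
                }
                caKeyPair = new KeyPair((PrivateKey) caKey, null, caCertificate);
            } finally {
                wipe(caPassword);
            }
            this.console.printLine("Successfully read CA from the keystore");

            this.console.printLine("Generating private key and certificate for this datanode");
            // NOTE(review): InetAddress.toString() has the form "hostname/ip-literal"; confirm that
            // CertRequest handles that value as intended when it builds the SAN extension.
            CertRequest request = CertRequest.signed(Tools.getLocalCanonicalHostname(), caKeyPair)
                    .withSubjectAlternativeName("localhost")
                    .withSubjectAlternativeName(Tools.getLocalHostname())
                    .withSubjectAlternativeName(String.valueOf(InetAddress.getLocalHost()))
                    .withSubjectAlternativeName("127.0.0.1")
                    .withSubjectAlternativeName("ip6-localhost")
                    .validity(NODE_CERT_VALIDITY);
            // User-supplied names are added verbatim (blank entries skipped, no trimming).
            Arrays.stream(this.console.readLine(PROMPT_ENTER_CERT_ALTERNATIVE_NAMES).split(","))
                    .filter(StringUtils::isNotBlank)
                    .forEach(request::withSubjectAlternativeName);

            KeyPair nodeKeyPair = CertificateGenerator.generate(request);
            KeyStore nodeKeystore = KeyStore.getInstance(CertConstants.PKCS12);
            nodeKeystore.load(null, null);
            char[] nodePassword = this.console.readPassword(PROMPT_ENTER_CERTIFICATE_PASSWORD);
            try {
                X509Certificate[] chain = {nodeKeyPair.certificate(), caKeyPair.certificate(), rootCertificate};
                nodeKeystore.setKeyEntry(DATANODE_KEY_ALIAS, nodeKeyPair.privateKey(), nodePassword, chain);
                Path nodeKeystorePath = Path.of(this.nodeKeystoreFilename);
                // NOTE(review): the file is created with the process's default permissions although
                // it holds a private key; consider restricting it where the platform allows.
                try (FileOutputStream out = new FileOutputStream(nodeKeystorePath.toFile())) {
                    nodeKeystore.store(out, nodePassword);
                }
                this.console.printLine("Private key and certificate for this datanode successfully saved into " + nodeKeystorePath.toAbsolutePath());
            } finally {
                wipe(nodePassword);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Opens a PKCS#12 keystore from disk, closing the underlying stream in all cases.
     *
     * @param path     keystore file
     * @param password keystore password (also used to verify the keystore's integrity)
     * @return the loaded keystore
     * @throws IOException              if the file cannot be read or the password is wrong
     * @throws KeyStoreException        if the PKCS12 keystore type is unavailable
     * @throws NoSuchAlgorithmException if the integrity-check algorithm is unavailable
     * @throws CertificateException     if a contained certificate cannot be loaded
     */
    private static KeyStore loadKeystore(Path path, char[] password)
            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(CertConstants.PKCS12);
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Overwrites a password buffer so it does not linger on the heap; tolerates {@code null}.
     *
     * @param password buffer to clear, may be {@code null}
     */
    private static void wipe(char[] password) {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }
}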
