package org.graylog.security.certutil;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.time.Duration;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.glassfish.jersey.media.multipart.FormDataBodyPart;
import org.graylog.security.certutil.ca.CACreator;
import org.graylog.security.certutil.ca.PemCaReader;
import org.graylog.security.certutil.ca.exceptions.CACreationException;
import org.graylog.security.certutil.ca.exceptions.KeyStoreStorageException;
import org.graylog.security.certutil.keystore.storage.SmartKeystoreStorage;
import org.graylog.security.certutil.keystore.storage.location.KeystoreFileLocation;
import org.graylog.security.certutil.keystore.storage.location.KeystoreMongoCollections;
import org.graylog.security.certutil.keystore.storage.location.KeystoreMongoLocation;
import org.graylog2.Configuration;
import org.graylog2.bootstrap.preflight.web.resources.model.CA;
import org.graylog2.bootstrap.preflight.web.resources.model.CAType;
import org.graylog2.cluster.certificates.CertificatesService;
import org.graylog2.events.ClusterEventBus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

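/**
 * Manages the cluster's certificate authority (CA) keystore.
 *
 * <p>Two CA sources are supported:
 * <ul>
 *   <li>an operator-provided keystore file ({@code configuration.getCaKeystoreFile()},
 *       unlocked with {@code configuration.getCaPassword()}), selected whenever
 *       {@code configuration.configuredCaExists()} is true; and</li>
 *   <li>a CA generated by {@link #create} or uploaded via {@link #upload}, which is
 *       persisted in MongoDB under {@link #KEYSTORE_ID} and unlocked with
 *       {@link #passwordSecret}.</li>
 * </ul>
 *
 * <p>Security note: unless {@code ca_password} is configured, {@link #passwordSecret}
 * falls back to the cluster-wide {@code password_secret}. That single secret then
 * protects the CA private key stored in MongoDB, i.e. every certificate this CA can
 * issue. Treat {@code password_secret} accordingly.
 */
@Singleton
/* loaded from: input_file:org/graylog/security/certutil/CaServiceImpl.class */
public class CaServiceImpl implements CaService {
    private static final Logger LOG = LoggerFactory.getLogger(CaServiceImpl.class);
    /** Validity applied by {@link #create} when the caller passes {@code null} or {@code 0} days. */
    private static final long DEFAULT_VALIDITY_DAYS = 3650L;
    /** Substring used to tell a PEM upload apart from a binary PKCS#12 keystore. */
    private static final String PEM_CERTIFICATE_MARKER = "-----BEGIN CERTIFICATE";
    /** Alias/identifier of the generated CA in MongoDB and in the {@link CA} model. */
    public final String KEYSTORE_ID = "GRAYLOG CA";
    private final SmartKeystoreStorage keystoreStorage;
    private final KeystoreMongoLocation mongoDbCaLocation;
    private final KeystoreFileLocation manuallyProvidedCALocation;
    private final CACreator caCreator;
    private final PemCaReader pemCaReader;
    private final CaConfiguration configuration;
    private final CertificatesService certificatesService;
    /** Password protecting the MongoDB-stored CA: {@code ca_password} if set, else {@code password_secret}. */
    private final String passwordSecret;
    private final ClusterEventBus eventBus;

    /**
     * Wires the service.
     *
     * @param configuration        cluster configuration; supplies the optional CA file/password
     * @param smartKeystoreStorage storage backend for both file- and MongoDB-located keystores
     * @param cACreator            generates a fresh CA keystore
     * @param pemCaReader          imports PEM-encoded CA material into a keystore
     * @param certificatesService  used to remove the MongoDB-stored CA in {@link #startOver}
     * @param str                  the cluster {@code password_secret}, fallback CA password
     * @param clusterEventBus      bus on which CA change events are published
     * @throws NullPointerException if neither {@code ca_password} nor {@code password_secret} is available
     */
    @Inject
    public CaServiceImpl(Configuration configuration, SmartKeystoreStorage smartKeystoreStorage, CACreator cACreator, PemCaReader pemCaReader, CertificatesService certificatesService, @Named("password_secret") String str, ClusterEventBus clusterEventBus) {
        this.keystoreStorage = smartKeystoreStorage;
        this.caCreator = cACreator;
        this.pemCaReader = pemCaReader;
        this.configuration = configuration;
        this.certificatesService = certificatesService;
        // Fail fast with a clear message instead of an NPE on the first toCharArray() call.
        final String configuredCaPassword = configuration.getCaPassword();
        this.passwordSecret = Objects.requireNonNull(
                configuredCaPassword != null ? configuredCaPassword : str,
                "password_secret must be set when ca_password is not configured");
        this.mongoDbCaLocation = new KeystoreMongoLocation(KEYSTORE_ID, KeystoreMongoCollections.GRAYLOG_CA_KEYSTORE_COLLECTION);
        this.manuallyProvidedCALocation = new KeystoreFileLocation(configuration.getCaKeystoreFile());
        this.eventBus = clusterEventBus;
    }

    /**
     * Describes the currently active CA.
     *
     * <p>A configured CA file wins over anything stored in MongoDB. For the MongoDB case
     * the keystore is actually read (and decrypted with {@link #passwordSecret}) purely to
     * detect its presence.
     *
     * @return the active CA, or {@code null} when neither source has one (interface contract)
     * @throws KeyStoreStorageException if the MongoDB keystore cannot be read
     */
    @Override // org.graylog.security.certutil.CaService
    public CA get() throws KeyStoreStorageException {
        if (configuration.configuredCaExists()) {
            return new CA("local CA", CAType.LOCAL);
        }
        final Optional<KeyStore> stored = keystoreStorage.readKeyStore(mongoDbCaLocation, passwordSecret.toCharArray());
        return stored.map(ignored -> new CA(KEYSTORE_ID, CAType.GENERATED)).orElse(null);
    }

    /**
     * Generates a new CA and stores it in MongoDB, then notifies the cluster.
     *
     * @param num  validity in days; {@code null} or {@code 0} selects {@value #DEFAULT_VALIDITY_DAYS}.
     *             Negative values are passed through unchecked here — TODO confirm the REST
     *             layer rejects them, otherwise the CA is issued already expired.
     * @param cArr second password handed to {@code writeKeyStore}; presumably the password
     *             the stored copy is re-protected with — verify against SmartKeystoreStorage
     * @throws CACreationException      if the CA cannot be generated
     * @throws KeyStoreStorageException if the keystore cannot be persisted
     * @throws KeyStoreException        on keystore-level failures during creation
     */
    @Override // org.graylog.security.certutil.CaService
    public void create(Integer num, char[] cArr) throws CACreationException, KeyStoreStorageException, KeyStoreException {
        final long validityDays = (num == null || num == 0) ? DEFAULT_VALIDITY_DAYS : num;
        final KeyStore generated = caCreator.createCA(passwordSecret.toCharArray(), Duration.ofDays(validityDays));
        keystoreStorage.writeKeyStore(mongoDbCaLocation, generated, passwordSecret.toCharArray(), cArr);
        LOG.debug("Generated a new CA.");
        triggerCaChangedEvent();
    }

    /**
     * Imports an operator-uploaded CA into MongoDB, then notifies the cluster.
     *
     * <p>Each multipart body part is either PEM (detected by a {@code -----BEGIN CERTIFICATE}
     * marker anywhere in the content) and fed to {@link PemCaReader}, or treated as a
     * binary PKCS#12 keystore and loaded with {@code str} as its password. The uploaded
     * private key is accepted as-is and re-stored under {@link #passwordSecret}.
     *
     * @param str  password of the uploaded material, or {@code null}
     * @param list the uploaded body parts, processed in order
     * @throws CACreationException wrapping any I/O, keystore, certificate or storage failure
     */
    @Override // org.graylog.security.certutil.CaService
    public void upload(String str, List<FormDataBodyPart> list) throws CACreationException {
        final char[] uploadPassword = str == null ? null : str.toCharArray();
        try {
            final KeyStore keyStore = KeyStore.getInstance(CertConstants.PKCS12);
            for (FormDataBodyPart part : list) {
                final byte[] content;
                // Close the part's stream once consumed; the original left it open.
                try (InputStream in = part.getEntityAs(InputStream.class)) {
                    content = in.readAllBytes();
                }
                final String text = new String(content, StandardCharsets.UTF_8);
                if (text.contains(PEM_CERTIFICATE_MARKER)) {
                    pemCaReader.readCA(keyStore, uploadPassword, text);
                } else {
                    // KeyStore.load() re-initialises the keystore from the stream, so if more than
                    // one binary part is uploaded only the last one appears to survive.
                    keyStore.load(new ByteArrayInputStream(content), uploadPassword);
                }
            }
            keystoreStorage.writeKeyStore(mongoDbCaLocation, keyStore, uploadPassword, passwordSecret.toCharArray());
            triggerCaChangedEvent();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | KeyStoreStorageException e) {
            LOG.error("Could not write CA: {}", e.getMessage(), e);
            throw new CACreationException("Could not write CA: " + e.getMessage(), e);
        }
    }

    /**
     * Removes the MongoDB-stored CA so a new one can be created or uploaded.
     *
     * <p>NOTE(review): unlike {@link #create} and {@link #upload}, no
     * {@link CertificateAuthorityChangedEvent} is posted here — confirm whether
     * consumers need to learn about the removal.
     */
    @Override // org.graylog.security.certutil.CaService
    public void startOver() {
        certificatesService.removeCert(mongoDbCaLocation);
    }

    /** Publishes a cluster-wide notification that the CA has been created or replaced. */
    private void triggerCaChangedEvent() {
        eventBus.post(new CertificateAuthorityChangedEvent());
    }

    /**
     * Loads the active CA keystore: the configured file when present, otherwise the
     * MongoDB copy.
     *
     * <p>The file path is unlocked with {@code configuration.getCaPassword()} without a
     * null check; this relies on {@code configuredCaExists()} implying a password is set
     * — TODO confirm against CaConfiguration.
     *
     * @return the keystore, or empty if the selected location holds none
     * @throws KeyStoreStorageException if the keystore cannot be read
     */
    @Override // org.graylog.security.certutil.CaService
    public Optional<KeyStore> loadKeyStore() throws KeyStoreStorageException {
        if (configuration.configuredCaExists()) {
            return keystoreStorage.readKeyStore(manuallyProvidedCALocation, configuration.getCaPassword().toCharArray());
        }
        return keystoreStorage.readKeyStore(mongoDbCaLocation, passwordSecret.toCharArray());
    }
}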
