package org.apache.qpid.server.security;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.log4j.Logger;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.security.NonJavaTrustStore;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.util.urlstreamhandler.data.Handler;

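/**
 * Trust store whose certificates are read from a URL (or file path) rather than from a Java keystore file.
 *
 * <p>The certificates found at {@code certificatesUrl} are loaded into an in-memory
 * {@link java.security.KeyStore}, from which the {@link TrustManager}s returned by
 * {@link #getTrustManagers()} are built.
 *
 * <p>This listing is decompiler output (original class file:
 * org/apache/qpid/server/security/NonJavaTrustStoreImpl.class). Methods the decompiler could not
 * restore have been rewritten from the instruction dump it emitted.
 */
@ManagedObject(category = false)
public class NonJavaTrustStoreImpl extends AbstractConfiguredObject<NonJavaTrustStoreImpl> implements NonJavaTrustStore<NonJavaTrustStoreImpl> {
    private static final Logger LOGGER = Logger.getLogger(NonJavaTrustStoreImpl.class);
    private final Broker<?> _broker;

    // The annotation names updateTrustManagers as the afterSet hook for this attribute.
    @ManagedAttributeField(afterSet = "updateTrustManagers")
    private String _certificatesUrl;
    // Starts out empty, so nothing is trusted until a certificate source has been loaded successfully.
    private volatile TrustManager[] _trustManagers;
    // Certificates from the last successful load; null until then.
    private X509Certificate[] _certificates;

    /**
     * Creates the trust store as a child of the given broker.
     *
     * @param map attribute values for the new object
     * @param broker the owning broker, also used for port look-ups and authorisation checks
     */
    @ManagedObjectFactoryConstructor
    public NonJavaTrustStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(parentsMap(broker), map);
        this._trustManagers = new TrustManager[0];
        this._broker = broker;
    }

    /** Returns the configured certificate location exactly as it was set (URL or file path). */
    @Override // org.apache.qpid.server.security.NonJavaTrustStore
    public String getCertificatesUrl() {
        return this._certificatesUrl;
    }

    /**
     * Describes every certificate from the last successful load.
     *
     * @return one map per certificate holding subject name, issuer name and validity dates;
     *         an empty list when no certificates have been loaded
     */
    @Override // org.apache.qpid.server.security.NonJavaTrustStore
    public List<Map<NonJavaTrustStore.CertificateDetails, Object>> getCertificateDetails() {
        List<Map<NonJavaTrustStore.CertificateDetails, Object>> details = new ArrayList<>();
        X509Certificate[] certificates = this._certificates;
        if (certificates != null) {
            for (X509Certificate certificate : certificates) {
                Map<NonJavaTrustStore.CertificateDetails, Object> entry =
                        new EnumMap<>(NonJavaTrustStore.CertificateDetails.class);
                // The subject name can be null when the subject DN could not be parsed.
                entry.put(NonJavaTrustStore.CertificateDetails.SUBJECT_NAME, getNameFromCertificate(certificate));
                entry.put(NonJavaTrustStore.CertificateDetails.ISSUER_NAME, certificate.getIssuerX500Principal().getName());
                entry.put(NonJavaTrustStore.CertificateDetails.VALID_START, certificate.getNotBefore());
                entry.put(NonJavaTrustStore.CertificateDetails.VALID_END, certificate.getNotAfter());
                details.add(entry);
            }
        }
        return details;
    }

    /** Returns the display name derived from the certificate's subject principal. */
    private String getNameFromCertificate(X509Certificate x509Certificate) {
        return getCommonNameFromPrincipal(x509Certificate.getSubjectX500Principal());
    }

    /**
     * Extracts the common name from a distinguished name.
     *
     * <p>Reconstructed from the decompiler's instruction dump; the emitted method body only
     * threw {@link UnsupportedOperationException}.
     *
     * @param principal the principal whose name is parsed as an LDAP name
     * @return the value of the first CN component met while iterating the RDNs, the full
     *         name when there is no CN component, or {@code null} when the name cannot be parsed
     */
    private String getCommonNameFromPrincipal(javax.security.auth.x500.X500Principal principal) {
        String name = principal.getName();
        try {
            javax.naming.ldap.LdapName ldapName = new javax.naming.ldap.LdapName(name);
            for (javax.naming.ldap.Rdn rdn : ldapName.getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) {
                    return String.valueOf(rdn.getValue());
                }
            }
            return name;
        } catch (javax.naming.InvalidNameException e) {
            // The compiled code logs the message alone, without the exception.
            LOGGER.error("Error getting subject name from certificate");
            return null;
        }
    }

    /**
     * Returns the trust managers built by the last load.
     *
     * @return the current trust managers; an empty array before the first successful load
     *         and after a failed one
     */
    @Override // org.apache.qpid.server.model.TrustStore
    public TrustManager[] getTrustManagers() throws GeneralSecurityException {
        return this._trustManagers;
    }

    /** Runs the superclass validation, then checks that the certificate location can be opened. */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onValidate() {
        super.onValidate();
        validateTrustStoreAttributes(this);
    }

    /** Always reports {@link State#ACTIVE}. */
    @Override // org.apache.qpid.server.model.ConfiguredObject
    public State getState() {
        return State.ACTIVE;
    }

    /** Answers the "state" attribute from {@link #getState()} and defers every other name to the superclass. */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject, org.apache.qpid.server.model.ConfiguredObject
    public Object getAttribute(String str) {
        if ("state".equals(str)) {
            return getState();
        }
        return super.getAttribute(str);
    }

    /**
     * Handles a state change request; only deletion is supported.
     *
     * @param state the requested state
     * @return {@code true} when the store was deleted, {@code false} for any other requested state
     * @throws IntegrityViolationException when a port's key store is this object
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public boolean setState(State state) {
        if (state != State.DELETED) {
            return false;
        }
        String name = getName();
        // Iterate over a copy of the broker's port collection.
        for (Port<?> port : new ArrayList<Port<?>>(this._broker.getPorts())) {
            // NOTE(review): this is a trust store, yet the in-use guard compares it with the port's
            // *key* store, so a store that a port still relies on for peer verification may pass
            // this check. The guard probably should look at the port's trust stores - confirm
            // against the Port API.
            if (port.getKeyStore() == this) {
                throw new IntegrityViolationException("Key store '" + name + "' can't be deleted as it is in use by a port:" + port.getName());
            }
        }
        deleted();
        return true;
    }

    /**
     * Checks that deletion of this store is authorised.
     *
     * @throws AccessControlException when the security manager denies the DELETE operation
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    protected void authoriseSetDesiredState(State state) throws AccessControlException {
        if (state != State.DELETED) {
            return;
        }
        // NOTE(review): the decision is requested for KeyStore.class although this object is a trust
        // store; confirm that the ACL rules meant to protect trust stores are evaluated for it.
        if (!this._broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.DELETE)) {
            throw new AccessControlException("Deletion of key store is denied");
        }
    }

    /**
     * Checks that changing attributes of this store is authorised.
     *
     * <p>This check also gates changes to the certificate URL, which is opened by the broker
     * during validation and loading.
     *
     * @throws AccessControlException when the security manager denies the UPDATE operation
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    protected void authoriseSetAttributes(ConfiguredObject<?> configuredObject, Set<String> set) throws AccessControlException {
        // NOTE(review): same KeyStore.class category as the deletion check - confirm it is intended.
        if (!this._broker.getSecurityManager().authoriseConfiguringBroker(getName(), KeyStore.class, Operation.UPDATE)) {
            throw new AccessControlException("Setting key store attributes is denied");
        }
    }

    /**
     * Validates a proposed attribute change: the name must stay the same and the proposed
     * certificate location must be openable.
     *
     * @throws IllegalConfigurationException when the change would rename the store
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        NonJavaTrustStore<?> proposed = (NonJavaTrustStore<?>) configuredObject;
        boolean renamed = set.contains(ConfiguredObject.NAME) && !getName().equals(proposed.getName());
        if (renamed) {
            throw new IllegalConfigurationException("Changing the key store name is not allowed");
        }
        validateTrustStoreAttributes(proposed);
    }

    /**
     * Checks that the certificate location of the given store can be opened.
     *
     * <p>Only reachability is verified; the content is not parsed here. A location that opens
     * but holds no usable certificate passes validation, and the later load then leaves the
     * store with no trust managers. The location is opened with whichever URL scheme the JVM
     * has a handler for, so the validation itself makes the broker fetch the resource.
     *
     * @throws IllegalArgumentException wrapping the I/O failure when the location cannot be opened
     */
    private void validateTrustStoreAttributes(NonJavaTrustStore<?> nonJavaTrustStore) {
        // try-with-resources: the probe stream was previously never closed, leaking a file
        // descriptor or connection on every validation.
        try (InputStream ignored = getUrlFromString(nonJavaTrustStore.getCertificatesUrl()).openStream()) {
            // Opening the stream is the whole check.
        } catch (IOException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Rebuilds the trust managers from the configured certificate location.
     *
     * <p>Does nothing when no location is set. On any failure the trust managers are replaced
     * by an empty array, so the store fails closed.
     */
    private void updateTrustManagers() {
        try {
            if (this._certificatesUrl == null) {
                return;
            }
            X509Certificate[] loaded = readCertificates(getUrlFromString(this._certificatesUrl));
            java.security.KeyStore inMemoryStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
            // Loading from a null stream initialises an empty key store.
            inMemoryStore.load(null, null);
            // Aliases are the 1-based position of each certificate in the source.
            for (int index = 0; index < loaded.length; index++) {
                inMemoryStore.setCertificateEntry(String.valueOf(index + 1), loaded[index]);
            }
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(inMemoryStore);
            this._trustManagers = factory.getTrustManagers();
            this._certificates = loaded;
        } catch (IOException | GeneralSecurityException e) {
            // The previous message spoke of a "private key"; a trust store holds certificates only.
            LOGGER.error("Error attempting to create trust store from certificates", e);
            this._trustManagers = new TrustManager[0];
            // NOTE(review): _certificates keeps the previous value here, so getCertificateDetails()
            // can list certificates that are no longer trusted - confirm whether that is intended.
        }
    }

    /**
     * Turns the configured location into a URL.
     *
     * @param str a URL, or a file system path when the text does not parse as a URL
     * @return the parsed URL, or the file URL of the path
     * @throws MalformedURLException when the file path cannot be converted to a URL either
     */
    private URL getUrlFromString(String str) throws MalformedURLException {
        try {
            return new URL(str);
        } catch (MalformedURLException e) {
            // Not a URL with a known scheme: treat the text as a path on the broker host.
            return new File(str).toURI().toURL();
        }
    }

    /**
     * Reads the X.509 certificates available at the given URL.
     *
     * <p>Certificates are parsed one after another for as long as the stream reports available
     * bytes. {@code available()} is not an end-of-stream test, so a stream that momentarily
     * reports zero ends the read early and yields fewer certificates than the source holds.
     *
     * @param url location of the certificate data
     * @return the certificates read, in source order
     * @throws IOException when the stream cannot be opened or read
     * @throws GeneralSecurityException when not even the first certificate can be parsed
     */
    public static X509Certificate[] readCertificates(URL url) throws IOException, GeneralSecurityException {
        List<X509Certificate> certificates = new ArrayList<>();
        // try-with-resources restores the close-on-every-path behaviour that the decompiler lost.
        try (InputStream input = url.openStream()) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            do {
                certificates.add((X509Certificate) factory.generateCertificate(input));
            } while (input.available() != 0);
        } catch (CertificateException e) {
            if (certificates.isEmpty()) {
                throw e;
            }
            // Best effort: keep what was parsed, but leave a trace that the source was only partly
            // read. The URL is deliberately not logged; it may carry the certificate data inline.
            LOGGER.warn("Certificate source only partly read; keeping " + certificates.size() + " certificate(s)", e);
        }
        return certificates.toArray(new X509Certificate[certificates.size()]);
    }

    static {
        // Registers the project's URL stream handler (package urlstreamhandler.data) before any
        // certificate URL is parsed; presumably this enables "data:" URLs - confirm in Handler.
        Handler.register();
    }
}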
