package io.hops.hopsworks.ca.controllers;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.cp.lock.FencedLock;
import io.hops.hadoop.shaded.com.google.gson.Gson;
import io.hops.hopsworks.ca.configuration.CAConf;
import io.hops.hopsworks.ca.configuration.CAConfiguration;
import io.hops.hopsworks.ca.configuration.CAsConfiguration;
import io.hops.hopsworks.ca.configuration.KubeCAConfiguration;
import io.hops.hopsworks.ca.configuration.SubjectAlternativeName;
import io.hops.hopsworks.ca.configuration.UsernamesConfiguration;
import io.hops.hopsworks.ca.persistence.CRLFacade;
import io.hops.hopsworks.ca.persistence.KeyFacade;
import io.hops.hopsworks.ca.persistence.PKICertificateFacade;
import io.hops.hopsworks.ca.persistence.SerialNumberFacade;
import io.hops.hopsworks.persistence.entity.pki.CAType;
import io.hops.hopsworks.persistence.entity.pki.KeyIdentifier;
import io.hops.hopsworks.persistence.entity.pki.PKICertificate;
import io.hops.hopsworks.persistence.entity.pki.PKICertificateId;
import io.hops.hopsworks.persistence.entity.pki.PKICrl;
import io.hops.hopsworks.persistence.entity.pki.PKIKey;
import io.hops.hopsworks.servicediscovery.HopsworksService;
import io.hops.hopsworks.servicediscovery.Utilities;
import io.hops.hopsworks.servicediscovery.tags.MysqlTags;
import jakarta.annotation.PostConstruct;
import jakarta.ejb.DependsOn;
import jakarta.ejb.EJB;
import jakarta.ejb.Singleton;
import jakarta.ejb.TransactionAttribute;
import jakarta.ejb.TransactionAttributeType;
import jakarta.inject.Inject;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.hdfs.protocol.HdfsConstants;
import org.apache.hadoop.mapreduce.MRConfig;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

@Singleton
@DependsOn({"CAConf"})
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
/* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKI.class */
public class PKI {
    public static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    @EJB
    private SerialNumberFacade serialNumberFacade;

    @EJB
    private KeyFacade keyFacade;

    @EJB
    private PKICertificateFacade pkiCertificateFacade;

    @EJB
    private PKIUtils pkiUtils;

    @EJB
    private CRLFacade crlFacade;

    @EJB
    private CAConf caConf;

    @EJB
    private UsernamesConfiguration usernamesConfiguration;

    @Inject
    private HazelcastInstance hazelcastInstance;
    private KeyPairGenerator keyPairGenerator;
    private KeyFactory keyFactory;
    private JcaX509CertificateConverter converter;
    private JcaX509CRLConverter crlConverter;
    private CAsConfiguration conf;
    private static final String CA_INIT_LOCK = "caInitLock";
    protected static final CAsConfiguration EMPTY_CONFIGURATION;
    protected static final Function<ExtensionsBuilderParameter, Void> EMPTY_CERTIFICATE_EXTENSIONS_BUILDER;
    private static final Function<X509v3CertificateBuilder, Void> INTERMEDIATE_EXTENSIONS;
    private static final Logger LOGGER = Logger.getLogger(PKI.class.getName());
    private static final CRLReason REVOCATION_REASON = CRLReason.lookup(9);
    private static final GeneralName[] EMTPY_GENERAL_NAMES = new GeneralName[0];
    private static final Map<CAType, X500Name> CA_SUBJECT_NAME = new HashMap(3);
    private final RSAKeyGenParameterSpec keyGenSpecs = new RSAKeyGenParameterSpec(4096, RSAKeyGenParameterSpec.F4);
    private final Map<CAType, KeyPair> caKeys = new HashMap(3);
    private final Map<CAType, X509Certificate> caCertificates = new HashMap(3);
    private final AtomicBoolean CA_INITIALIZED = new AtomicBoolean(false);
    private final Duration ROOT_CA_DEFAULT_VALIDITY_PERIOD = Duration.of(3650, ChronoUnit.DAYS);
    private final Duration INTERMEDIATE_CA_DEFAULT_VALIDITY_PERIOD = Duration.of(3650, ChronoUnit.DAYS);
    private final Duration KUBERNETES_CA_DEFAULT_VALIDITY_PERIOD = Duration.of(3650, ChronoUnit.DAYS);
    protected final Function<ExtensionsBuilderParameter, Void> KUBE_CERTIFICATE_EXTENSIONS_BUILDER = extensionsBuilderParameter -> {
        if (this.conf.getKubernetesCA().isPresent()) {
            KubeCAConfiguration kubeCAConfiguration = (KubeCAConfiguration) this.conf.getKubernetesCA().get();
            if (kubeCAConfiguration.getSubjectAlternativeName().isPresent()) {
                SubjectAlternativeName subjectAlternativeName = kubeCAConfiguration.getSubjectAlternativeName().get();
                ArrayList arrayList = null;
                if (subjectAlternativeName.getDns().isPresent()) {
                    List<String> list = subjectAlternativeName.getDns().get();
                    if (!list.isEmpty()) {
                        arrayList = new ArrayList();
                        Iterator<String> it = list.iterator();
                        while (it.hasNext()) {
                            arrayList.add(new GeneralName(2, it.next()));
                        }
                    }
                }
                if (subjectAlternativeName.getIp().isPresent()) {
                    List<String> list2 = subjectAlternativeName.getIp().get();
                    if (!list2.isEmpty()) {
                        if (arrayList == null) {
                            arrayList = new ArrayList();
                        }
                        Iterator<String> it2 = list2.iterator();
                        while (it2.hasNext()) {
                            arrayList.add(new GeneralName(7, it2.next()));
                        }
                    }
                }
                if (arrayList != null) {
                    try {
                        appendSubjectAlternativeNames(extensionsBuilderParameter.certificateBuilder, (GeneralName[]) arrayList.toArray(new GeneralName[0]));
                    } catch (CertIOException e) {
                        throw new RuntimeException(e);
                    }
                }
            }
        }
        Optional<String> parseX509Locality = parseX509Locality(extensionsBuilderParameter.certificationRequest);
        if (!parseX509Locality.isPresent() || !parseX509Locality.get().equals("strimzica")) {
            return null;
        }
        try {
            extensionsBuilderParameter.certificateBuilder.replaceExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(3));
            extensionsBuilderParameter.certificateBuilder.replaceExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(180));
            return null;
        } catch (CertIOException e2) {
            throw new RuntimeException(e2);
        }
    };
    protected final Function<ExtensionsBuilderParameter, Void> SAN_CERTIFICATE_EXTENSIONS_BUILDER = extensionsBuilderParameter -> {
        Attribute[] attributes = extensionsBuilderParameter.certificationRequest.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attributes != null) {
            for (Attribute attribute : attributes) {
                for (ASN1Encodable aSN1Encodable : attribute.getAttributeValues()) {
                    try {
                        appendSubjectAlternativeNames(extensionsBuilderParameter.certificateBuilder, GeneralNames.getInstance(Extensions.getInstance(aSN1Encodable).getExtension(Extension.subjectAlternativeName).getExtnValue().getOctets()).getNames());
                    } catch (CertIOException e) {
                        throw new RuntimeException("Failed to add supplied Subject Alternative Name", e);
                    }
                }
            }
        }
        if (!extensionsBuilderParameter.certificateType.equals(CertificateType.HOST)) {
            return null;
        }
        Optional<String> parseX509CommonName = parseX509CommonName(extensionsBuilderParameter.certificationRequest);
        if (!parseX509CommonName.isPresent()) {
            throw new RuntimeException("x509 subject " + extensionsBuilderParameter.certificationRequest.getSubject().toString() + " does not have CN field");
        }
        try {
            appendSubjectAlternativeNames(extensionsBuilderParameter.certificateBuilder, new GeneralName[]{new GeneralName(2, parseX509CommonName.get())});
            Optional<String> parseX509Locality = parseX509Locality(extensionsBuilderParameter.certificationRequest);
            if (parseX509Locality.isPresent()) {
                appendSubjectAlternativeNames(extensionsBuilderParameter.certificateBuilder, getSanForUsername(parseX509Locality.get(), extensionsBuilderParameter.region));
                HashSet hashSet = new HashSet();
                this.conf.getIntermediateCA().ifPresent(intermediateCAConfiguration -> {
                    SubjectAlternativeName subjectAlternativeName;
                    if (intermediateCAConfiguration.getExtraUsernameSAN() == null || (subjectAlternativeName = intermediateCAConfiguration.getExtraUsernameSAN().get(parseX509Locality.get())) == null) {
                        return;
                    }
                    Optional<List<String>> dns = subjectAlternativeName.getDns();
                    Objects.requireNonNull(hashSet);
                    dns.ifPresent((v1) -> {
                        r1.addAll(v1);
                    });
                });
                if (!hashSet.isEmpty()) {
                    appendSubjectAlternativeNames(extensionsBuilderParameter.certificateBuilder, convertToGeneralNames(hashSet, false, null));
                }
            }
            return null;
        } catch (CertIOException e2) {
            throw new RuntimeException(e2);
        }
    };
    private final Function<ExtensionsBuilderParameter, Void>[] HOST_CERTIFICATES_EXTENSION_BUILDERS = {this.SAN_CERTIFICATE_EXTENSIONS_BUILDER};
    private final Function<ExtensionsBuilderParameter, Void>[] KUBERNETES_CERTIFICATES_EXTENSION_BUILDERS = {this.KUBE_CERTIFICATE_EXTENSIONS_BUILDER, this.SAN_CERTIFICATE_EXTENSIONS_BUILDER};
    private final Function<ExtensionsBuilderParameter, Void>[] EMTPY_CERTIFICATES_EXTENSION_BUILDERS = new Function[0];

    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKI$CertificateGenerationParameters.class */
    public static class CertificateGenerationParameters {
        private final CertificateSigner signer;
        private final KeyPair ownerKeypair;
        private final Long serialNumber;
        private final X500Name x500Name;
        private final CertificateValidityPeriod validityPeriod;
        private final Function<X509v3CertificateBuilder, Void> populateExtensions;

        public CertificateGenerationParameters(CertificateSigner certificateSigner, KeyPair keyPair, Long l, X500Name x500Name, CertificateValidityPeriod certificateValidityPeriod, Function<X509v3CertificateBuilder, Void> function) {
            this.signer = certificateSigner;
            this.ownerKeypair = keyPair;
            this.serialNumber = l;
            this.x500Name = x500Name;
            this.validityPeriod = certificateValidityPeriod;
            this.populateExtensions = function;
        }
    }

    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKI$CertificateSigner.class */
    public static class CertificateSigner {
        private final KeyPair keyPair;
        private final X509Certificate certificate;

        public CertificateSigner(KeyPair keyPair, X509Certificate x509Certificate) {
            this.keyPair = keyPair;
            this.certificate = x509Certificate;
        }

        public KeyPair getKeyPair() {
            return this.keyPair;
        }

        public X509Certificate getCertificate() {
            return this.certificate;
        }
    }

    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKI$CertificateValidityPeriod.class */
    public static class CertificateValidityPeriod {
        private final Instant notBefore;
        private final Instant notAfter;

        public CertificateValidityPeriod(Instant instant, Instant instant2) {
            this.notBefore = instant;
            this.notAfter = instant2;
        }

        public Instant getNotBefore() {
            return this.notBefore;
        }

        public Instant getNotAfter() {
            return this.notAfter;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKI$ExtensionsBuilderParameter.class */
    public static class ExtensionsBuilderParameter {
        private final X509v3CertificateBuilder certificateBuilder;
        private final PKCS10CertificationRequest certificationRequest;
        private final CertificateType certificateType;
        private final String region;

        private ExtensionsBuilderParameter(X509v3CertificateBuilder x509v3CertificateBuilder, PKCS10CertificationRequest pKCS10CertificationRequest, CertificateType certificateType, String str) {
            this.certificateBuilder = x509v3CertificateBuilder;
            this.certificationRequest = pKCS10CertificationRequest;
            this.certificateType = certificateType;
            this.region = str;
        }

        static ExtensionsBuilderParameter of(X509v3CertificateBuilder x509v3CertificateBuilder, PKCS10CertificationRequest pKCS10CertificationRequest, CertificateType certificateType, String str) {
            return new ExtensionsBuilderParameter(x509v3CertificateBuilder, pKCS10CertificationRequest, certificateType, str);
        }

        @VisibleForTesting
        static ExtensionsBuilderParameter of(X509v3CertificateBuilder x509v3CertificateBuilder) {
            return new ExtensionsBuilderParameter(x509v3CertificateBuilder, null, CertificateType.APP, null);
        }
    }

    @PostConstruct
    public void init() {
        try {
            Security.addProvider(new BouncyCastleProvider());
            Security.getProviders();
            this.keyPairGenerator = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
            this.keyPairGenerator.initialize(this.keyGenSpecs);
            this.keyFactory = KeyFactory.getInstance("RSA");
            this.converter = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider());
            this.crlConverter = new JcaX509CRLConverter().setProvider(new BouncyCastleProvider());
            configure();
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Failed to initialize PKI", e);
        }
    }

    private FencedLock getLock() {
        if (this.hazelcastInstance == null || this.hazelcastInstance.getCluster().getMembers().size() <= 1) {
            return null;
        }
        return this.hazelcastInstance.getCPSubsystem().getLock(CA_INIT_LOCK);
    }

    public void configure() {
        this.conf = loadConfiguration();
        overrideCAX500Names(this.conf);
    }

    protected CAsConfiguration loadConfiguration() {
        String string = this.caConf.getString(CAConf.CAConfKeys.CA_CONFIGURATION);
        return string.isEmpty() ? EMPTY_CONFIGURATION : (CAsConfiguration) new Gson().fromJson(string, CAsConfiguration.class);
    }

    protected void overrideCAX500Names(CAsConfiguration cAsConfiguration) {
        cAsConfiguration.getRootCA().flatMap((v0) -> {
            return v0.getX509Name();
        }).ifPresent(str -> {
            CA_SUBJECT_NAME.put(CAType.ROOT, new X500Name(BCStyle.INSTANCE, str));
        });
        cAsConfiguration.getIntermediateCA().flatMap((v0) -> {
            return v0.getX509Name();
        }).ifPresent(str2 -> {
            CA_SUBJECT_NAME.put(CAType.INTERMEDIATE, new X500Name(BCStyle.INSTANCE, str2));
        });
        cAsConfiguration.getKubernetesCA().flatMap((v0) -> {
            return v0.getX509Name();
        }).ifPresent(str3 -> {
            CA_SUBJECT_NAME.put(CAType.KUBECA, new X500Name(BCStyle.INSTANCE, str3));
        });
    }

    protected void maybeInitializeCA() throws GeneralSecurityException, IOException, OperatorCreationException {
        if (this.CA_INITIALIZED.getAndSet(true)) {
            LOGGER.log(Level.FINE, "CAs already initialized");
            return;
        }
        FencedLock lock = getLock();
        if (lock != null && !lock.tryLock(3L, TimeUnit.MINUTES)) {
            this.CA_INITIALIZED.set(false);
            LOGGER.log(Level.WARNING, "Timed out waiting for lock to initializing CAs");
            return;
        }
        try {
            try {
                LOGGER.log(Level.INFO, "Initializing CAs");
                initializeCertificateAuthorities();
                if (lock != null) {
                    lock.unlock();
                }
            } catch (Exception e) {
                this.CA_INITIALIZED.set(false);
                LOGGER.log(Level.SEVERE, "Error initializing CAs", (Throwable) e);
                throw e;
            }
        } catch (Throwable th) {
            if (lock != null) {
                lock.unlock();
            }
            throw th;
        }
    }

    public Pair<String, String> getChainOfTrust(CAType cAType) throws CAInitializationException, IOException, GeneralSecurityException {
        try {
            maybeInitializeCA();
            String str = null;
            if (cAType != CAType.ROOT) {
                str = this.pkiUtils.convertToPEM(this.caCertificates.get(cAType));
            }
            return Pair.of(this.pkiUtils.convertToPEM(this.caCertificates.get(CAType.ROOT)), str);
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to initialize CA", (Throwable) e);
            throw new CAInitializationException(e);
        }
    }

    public String getCertificateRevocationListPEM(CAType cAType) throws CAInitializationException, GeneralSecurityException, IOException {
        try {
            maybeInitializeCA();
            return this.pkiUtils.convertToPEM(loadCRL(cAType));
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to initialize CA", (Throwable) e);
            throw new CAInitializationException(e);
        }
    }

    protected void initializeCertificateAuthorities() throws GeneralSecurityException, IOException, OperatorCreationException {
        for (CAType cAType : CAType.values()) {
            if (!cAType.equals(CAType.KUBECA) || needKubeCAToSign()) {
                initializeCertificateAuthority(cAType);
            }
        }
    }

    private boolean needKubeCAToSign() {
        return this.caConf.getBoolean(CAConf.CAConfKeys.KUBERNETES).booleanValue() && (this.caConf.getString(CAConf.CAConfKeys.KUBERNETES_TYPE).equals(MRConfig.LOCAL_FRAMEWORK_NAME) || this.caConf.getString(CAConf.CAConfKeys.KUBERNETES_TYPE).equals("kube_cluster"));
    }

    private void initializeCertificateAuthority(CAType cAType) throws IOException, GeneralSecurityException, OperatorCreationException {
        caInitializeSerialNumber(cAType);
        caInitializeKeys(cAType);
        caInitializeCertificate(cAType);
        caInitializeCRL(cAType);
    }

    protected void caInitializeSerialNumber(CAType cAType) throws IOException {
        if (this.serialNumberFacade.isInitialized(cAType)) {
            return;
        }
        if (!loadFromFile()) {
            this.serialNumberFacade.initialize(cAType);
            return;
        }
        LOGGER.log(Level.INFO, "Loading serial number from file for: " + cAType);
        try {
            migrateSerialNumber(cAType, getPathToSerialNumber(cAType));
        } catch (FileNotFoundException e) {
            throw new IOException("Bootstrapping serial number of " + cAType + " but openssl file could not be found", e);
        }
    }

    @VisibleForTesting
    protected Path getPathToSerialNumber(CAType cAType) throws FileNotFoundException {
        Path path;
        switch (cAType) {
            case ROOT:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "serial");
                break;
            case INTERMEDIATE:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "intermediate/serial");
                break;
            case KUBECA:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "kube/serial");
                break;
            default:
                throw new IllegalArgumentException("Unknown CA type: " + cAType);
        }
        if (path.toFile().exists()) {
            return path;
        }
        throw new FileNotFoundException("File " + path.toFile() + " does not exist");
    }

    @VisibleForTesting
    protected void migrateSerialNumber(CAType cAType, Path path) throws IOException {
        Long serialNumber = getSerialNumber(path);
        this.serialNumberFacade.initializeWithNumber(cAType, serialNumber);
        LOGGER.log(Level.INFO, "Migrated Serial Number for " + cAType + " with next number " + serialNumber);
    }

    private Long getSerialNumber(Path path) throws IOException {
        return Long.valueOf(Long.parseUnsignedLong(FileUtils.readFileToString(path.toFile(), Charset.defaultCharset()).trim(), 16));
    }

    @VisibleForTesting
    protected boolean loadFromFile() {
        return Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "private/ca.key.pem").toFile().exists();
    }

    protected void caInitializeKeys(CAType cAType) throws InvalidKeySpecException, IOException {
        Pair<Boolean, KeyPair> loadOrGenerateKeypair = loadOrGenerateKeypair(cAType.name());
        if (!loadOrGenerateKeypair.getLeft().booleanValue()) {
            LOGGER.log(Level.INFO, "Saving key pair for " + cAType.name());
            saveKeys(new PKIKey(new KeyIdentifier(cAType.name(), PKIKey.Type.PRIVATE), loadOrGenerateKeypair.getRight().getPrivate().getEncoded()), new PKIKey(new KeyIdentifier(cAType.name(), PKIKey.Type.PUBLIC), loadOrGenerateKeypair.getRight().getPublic().getEncoded()));
        }
        this.caKeys.put(cAType, loadOrGenerateKeypair.getRight());
    }

    protected void caInitializeCertificate(CAType cAType) throws IOException, GeneralSecurityException, OperatorCreationException {
        Pair<Boolean, X509Certificate> loadOrGenerateCACertificate = loadOrGenerateCACertificate(cAType);
        X509Certificate right = loadOrGenerateCACertificate.getRight();
        if (!loadOrGenerateCACertificate.getLeft().booleanValue()) {
            LOGGER.log(Level.INFO, "Saving certificate for " + cAType);
            saveNewCertificate(CAType.ROOT, right);
        }
        this.caCertificates.put(cAType, right);
    }

    protected void caInitializeCRL(CAType cAType) throws GeneralSecurityException, CertIOException, IOException {
        LOGGER.log(Level.INFO, "Initializing Certificate Revocation List for " + cAType);
        if (this.crlFacade.exist(cAType)) {
            LOGGER.log(Level.INFO, "Skip CRL initialization for " + cAType + " as it already exists");
            return;
        }
        if (loadFromFile() && cAType.equals(CAType.INTERMEDIATE)) {
            LOGGER.log(Level.INFO, "Loading CRL of " + cAType + " from file");
            X509CRL loadCRL = loadCRL(Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "intermediate/crl/intermediate.crl.pem"));
            if (loadCRL != null) {
                initCRL(cAType, loadCRL);
                return;
            }
            LOGGER.log(Level.WARNING, "CRL loaded from file for " + cAType + " is empty, continue generating new one");
        }
        KeyPair cAKeyPair = getCAKeyPair(cAType);
        X509Certificate cACertificate = getCACertificate(cAType);
        Instant now = Instant.now();
        LOGGER.log(Level.INFO, "Generating initial CRL for " + cAType);
        JcaX509v2CRLBuilder jcaX509v2CRLBuilder = new JcaX509v2CRLBuilder(cACertificate, Date.from(now));
        jcaX509v2CRLBuilder.setNextUpdate(Date.from(now.plus(1L, (TemporalUnit) ChronoUnit.DAYS)));
        jcaX509v2CRLBuilder.addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(cACertificate));
        try {
            initCRL(cAType, this.crlConverter.getCRL(jcaX509v2CRLBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(new BouncyCastleProvider()).build(cAKeyPair.getPrivate()))));
            LOGGER.log(Level.INFO, "Finished initializing CRL for " + cAType);
        } catch (OperatorCreationException e) {
            throw new GeneralSecurityException(e);
        }
    }

    protected void initCRL(CAType cAType, X509CRL x509crl) throws CRLException {
        this.crlFacade.init(new PKICrl(cAType, x509crl.getEncoded()));
    }

    protected void updateCRL(CAType cAType, X509CRL x509crl) throws CRLException {
        this.crlFacade.update(new PKICrl(cAType, x509crl.getEncoded()));
    }

    protected void saveNewCertificate(CAType cAType, X509Certificate x509Certificate) throws CertificateEncodingException {
        Long valueOf = Long.valueOf(x509Certificate.getSerialNumber().longValue());
        String principal = x509Certificate.getSubjectDN().toString();
        this.pkiCertificateFacade.saveCertificate(new PKICertificate(new PKICertificateId(PKICertificate.Status.VALID, principal), cAType, valueOf, x509Certificate.getEncoded(), x509Certificate.getNotBefore(), x509Certificate.getNotAfter()));
    }

    protected Pair<Boolean, KeyPair> loadOrGenerateKeypair(String str) throws InvalidKeySpecException, IOException {
        LOGGER.log(Level.INFO, "Loading key pair for " + str);
        Optional<KeyPair> loadKeyPair = loadKeyPair(str);
        if (loadKeyPair.isPresent()) {
            LOGGER.log(Level.INFO, "Loaded key pair for " + str);
            return Pair.of(true, loadKeyPair.get());
        }
        if (!loadFromFile()) {
            LOGGER.log(Level.INFO, "Key pair for " + str + " does NOT exist, generating new");
            return Pair.of(false, generateKeyPair());
        }
        LOGGER.log(Level.INFO, "Key pair for " + str + " does NOT exist but will load from file");
        try {
            return Pair.of(false, loadKeyPairFromFile(str));
        } catch (FileNotFoundException e) {
            throw new InvalidKeySpecException("Bootstrapping private key of " + str + " but openssl file could not be found", e);
        }
    }

    protected KeyPair loadKeyPairFromFile(String str) throws IOException {
        return this.pkiUtils.loadKeyPair(getPathToPrivateKey(str), getPrivateFileKeyPassword(str));
    }

    private String getPrivateFileKeyPassword(String str) {
        return str.toUpperCase().equals(CAType.KUBECA.toString()) ? this.caConf.getString(CAConf.CAConfKeys.KUBE_CA_PASSWORD) : this.caConf.getString(CAConf.CAConfKeys.HOPSWORKS_SSL_MASTER_PASSWORD);
    }

    private Path getPathToPrivateKey(String str) throws FileNotFoundException {
        Path path;
        switch (CAType.valueOf(str)) {
            case ROOT:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "private/ca.key.pem");
                break;
            case INTERMEDIATE:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "intermediate/private/intermediate.key.pem");
                break;
            case KUBECA:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "kube/private/kube-ca.key.pem");
                break;
            default:
                throw new IllegalArgumentException("Unknown private key owner: " + str);
        }
        if (path.toFile().exists()) {
            return path;
        }
        throw new FileNotFoundException("File " + path.toFile() + " does not exist");
    }

    @TransactionAttribute(TransactionAttributeType.NEVER)
    protected KeyPair generateKeyPair() {
        return this.keyPairGenerator.generateKeyPair();
    }

    protected Optional<KeyPair> loadKeyPair(String str) throws InvalidKeySpecException {
        byte[] encodedKey = this.keyFacade.getEncodedKey(str, PKIKey.Type.PRIVATE);
        return encodedKey != null ? Optional.of(restoreKeypair(encodedKey, this.keyFacade.getEncodedKey(str, PKIKey.Type.PUBLIC))) : Optional.empty();
    }

    protected void saveKeys(PKIKey pKIKey, PKIKey pKIKey2) {
        this.keyFacade.saveKey(pKIKey);
        this.keyFacade.saveKey(pKIKey2);
        LOGGER.log(Level.INFO, "Saved keys");
    }

    private KeyPair restoreKeypair(byte[] bArr, byte[] bArr2) throws InvalidKeySpecException {
        return new KeyPair(this.keyFactory.generatePublic(new X509EncodedKeySpec(bArr2)), this.keyFactory.generatePrivate(new PKCS8EncodedKeySpec(bArr)));
    }

    protected Pair<Boolean, X509Certificate> loadOrGenerateCACertificate(CAType cAType) throws IOException, CertificateException, NoSuchAlgorithmException, CertificateException, KeyException, OperatorCreationException {
        LOGGER.log(Level.INFO, "Loading certificate for " + cAType);
        Optional<X509Certificate> loadCertificate = loadCertificate(CA_SUBJECT_NAME.get(cAType).toString());
        if (loadCertificate.isPresent()) {
            LOGGER.log(Level.INFO, "Loaded ROOT CA certificate");
            return Pair.of(true, loadCertificate.get());
        }
        if (loadFromFile()) {
            LOGGER.log(Level.INFO, "Loading certificate of " + cAType + " CA from file");
            try {
                return Pair.of(false, loadCACertificate(cAType));
            } catch (FileNotFoundException e) {
                throw new CertificateException("Bootstrapping certificate of " + cAType + " CA but openssl file could not be found", e);
            }
        }
        switch (cAType) {
            case ROOT:
                LOGGER.log(Level.INFO, "Root CA certificate does not exist, generating...");
                return Pair.of(false, generateRootCACertificate());
            case INTERMEDIATE:
                LOGGER.log(Level.INFO, "Intermediate CA certificate does not exist, generating...");
                return Pair.of(false, generateCertificate(prepareIntermediateCAGenerationParams()));
            case KUBECA:
                LOGGER.log(Level.INFO, "Kubernetes CA certificate does not exist, generating...");
                return Pair.of(false, generateCertificate(prepareKubernetesCAGenerationParams()));
            default:
                throw new RuntimeException("Unknown CA type " + cAType);
        }
    }

    @VisibleForTesting
    protected X509Certificate loadCACertificate(CAType cAType) throws IOException, CertificateException {
        return this.pkiUtils.loadCertificate(getCACertificatePath(cAType));
    }

    private Path getCACertificatePath(CAType cAType) throws FileNotFoundException {
        Path path;
        switch (cAType) {
            case ROOT:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "certs/ca.cert.pem");
                break;
            case INTERMEDIATE:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "intermediate/certs/intermediate.cert.pem");
                break;
            case KUBECA:
                path = Paths.get(this.caConf.getString(CAConf.CAConfKeys.CERTS_DIR), "kube/hopsworks/kube-ca.cert.pem");
                break;
            default:
                throw new IllegalArgumentException("Unknown CA type: " + cAType);
        }
        if (path.toFile().exists()) {
            return path;
        }
        throw new FileNotFoundException("File " + path.toFile() + " does not exist");
    }

    protected Optional<X509Certificate> loadCertificate(String str) throws IOException, CertificateException {
        LOGGER.log(Level.INFO, "Loading certificate with subject " + str);
        Optional<PKICertificate> findBySubjectAndStatus = this.pkiCertificateFacade.findBySubjectAndStatus(str, PKICertificate.Status.VALID);
        if (!findBySubjectAndStatus.isPresent()) {
            LOGGER.log(Level.INFO, "There is no certificate with subject: " + str);
            return Optional.empty();
        }
        LOGGER.log(Level.INFO, "Found encoded certificate and decoding it to " + X509Certificate.class.getName());
        return Optional.of(this.converter.getCertificate(new X509CertificateHolder(findBySubjectAndStatus.get().getCertificate())));
    }

    private Duration getCAValidityPeriod(Optional<? extends CAConfiguration> optional, Duration duration) {
        return (optional.isPresent() && optional.get().getValidityDuration().isPresent()) ? this.pkiUtils.parseDuration(optional.get().getValidityDuration().get()) : duration;
    }

    protected X509Certificate generateRootCACertificate() throws KeyException, NoSuchAlgorithmException, CertificateException, CertIOException, OperatorCreationException {
        KeyPair keyPair = this.caKeys.get(CAType.ROOT);
        if (keyPair == null) {
            LOGGER.log(Level.SEVERE, "Could not find Root CA key pair in cache. Have you initialized?");
            throw new KeyException("Could not find Root CA key pair in cache. Have you initialized?");
        }
        Long nextSerialNumber = this.serialNumberFacade.nextSerialNumber(CAType.ROOT);
        Duration cAValidityPeriod = getCAValidityPeriod(this.conf.getRootCA(), this.ROOT_CA_DEFAULT_VALIDITY_PERIOD);
        Instant minus = Instant.now().minus(3L, (TemporalUnit) ChronoUnit.MINUTES);
        Instant plus = minus.plus((TemporalAmount) cAValidityPeriod);
        X500Name x500Name = CA_SUBJECT_NAME.get(CAType.ROOT);
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(x500Name, BigInteger.valueOf(nextSerialNumber.longValue()), Date.from(minus), Date.from(plus), x500Name, keyPair.getPublic());
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        SubjectKeyIdentifier createSubjectKeyIdentifier = jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyPair.getPublic());
        jcaX509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(10)).addExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(134)).addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) createSubjectKeyIdentifier).addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
        X509Certificate certificate = this.converter.getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(new BouncyCastleProvider()).build(keyPair.getPrivate())));
        LOGGER.log(Level.INFO, "Generated ROOT CA certificate");
        return certificate;
    }

    protected CertificateGenerationParameters prepareIntermediateCAGenerationParams() throws KeyException, CertificateException {
        CertificateSigner certificateSigner = new CertificateSigner(getCAKeyPair(CAType.ROOT), getCACertificate(CAType.ROOT));
        KeyPair cAKeyPair = getCAKeyPair(CAType.INTERMEDIATE);
        Long nextSerialNumber = this.serialNumberFacade.nextSerialNumber(CAType.ROOT);
        X500Name x500Name = CA_SUBJECT_NAME.get(CAType.INTERMEDIATE);
        Duration cAValidityPeriod = getCAValidityPeriod(this.conf.getIntermediateCA(), this.INTERMEDIATE_CA_DEFAULT_VALIDITY_PERIOD);
        Instant minus = Instant.now().minus(3L, (TemporalUnit) ChronoUnit.MINUTES);
        return new CertificateGenerationParameters(certificateSigner, cAKeyPair, nextSerialNumber, x500Name, new CertificateValidityPeriod(minus, minus.plus((TemporalAmount) cAValidityPeriod)), INTERMEDIATE_EXTENSIONS);
    }

    protected CertificateGenerationParameters prepareKubernetesCAGenerationParams() throws KeyException, CertificateException {
        CertificateSigner certificateSigner = new CertificateSigner(getCAKeyPair(CAType.ROOT), getCACertificate(CAType.ROOT));
        KeyPair cAKeyPair = getCAKeyPair(CAType.KUBECA);
        Long nextSerialNumber = this.serialNumberFacade.nextSerialNumber(CAType.ROOT);
        X500Name x500Name = CA_SUBJECT_NAME.get(CAType.KUBECA);
        Duration cAValidityPeriod = getCAValidityPeriod(this.conf.getKubernetesCA(), this.KUBERNETES_CA_DEFAULT_VALIDITY_PERIOD);
        Instant minus = Instant.now().minus(3L, (TemporalUnit) ChronoUnit.MINUTES);
        return new CertificateGenerationParameters(certificateSigner, cAKeyPair, nextSerialNumber, x500Name, new CertificateValidityPeriod(minus, minus.plus((TemporalAmount) cAValidityPeriod)), INTERMEDIATE_EXTENSIONS);
    }

    protected X509Certificate generateCertificate(CertificateGenerationParameters certificateGenerationParameters) throws NoSuchAlgorithmException, CertificateException, CertIOException, OperatorCreationException {
        CertificateSigner certificateSigner = certificateGenerationParameters.signer;
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(certificateSigner.certificate, BigInteger.valueOf(certificateGenerationParameters.serialNumber.longValue()), Date.from(certificateGenerationParameters.validityPeriod.notBefore), Date.from(certificateGenerationParameters.validityPeriod.notAfter), certificateGenerationParameters.x500Name, certificateGenerationParameters.ownerKeypair.getPublic());
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        SubjectKeyIdentifier createSubjectKeyIdentifier = jcaX509ExtensionUtils.createSubjectKeyIdentifier(certificateGenerationParameters.ownerKeypair.getPublic());
        jcaX509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) createSubjectKeyIdentifier).addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createAuthorityKeyIdentifier(certificateSigner.keyPair.getPublic()));
        try {
            certificateGenerationParameters.populateExtensions.apply(jcaX509v3CertificateBuilder);
            X509Certificate certificate = this.converter.getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(new BouncyCastleProvider()).build(certificateSigner.keyPair.getPrivate())));
            LOGGER.log(Level.INFO, "Generated certificate");
            return certificate;
        } catch (RuntimeException e) {
            throw new CertIOException("Failed to add certificate extensions", e.getCause());
        }
    }

    public X509Certificate signCertificateSigningRequest(String str, CertificateType certificateType, String str2) throws CAInitializationException, IOException, KeyException, NoSuchAlgorithmException, OperatorCreationException, CertificateException, SignatureException, CertificationRequestValidationException {
        try {
            maybeInitializeCA();
            CAType responsibleCA = this.pkiUtils.getResponsibleCA(certificateType);
            X509Certificate signCertificateSigningRequest = signCertificateSigningRequest(str, certificateType, responsibleCA, str2, getExtensionsBuilders(responsibleCA, certificateType));
            LOGGER.log(Level.FINE, "Signed certificate and going to Save");
            saveNewCertificate(responsibleCA, signCertificateSigningRequest);
            LOGGER.log(Level.FINE, "Saved certificate");
            LOGGER.log(Level.INFO, "Generated and saved certificate with name " + signCertificateSigningRequest.getSubjectDN().toString());
            return signCertificateSigningRequest;
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Failed to initialize CA", (Throwable) e);
            throw new CAInitializationException(e);
        }
    }

    GeneralName[] getSanForUsername(String str, String str2) {
        String normalizedUsername = this.usernamesConfiguration.getNormalizedUsername(str);
        if (normalizedUsername == null) {
            return EMTPY_GENERAL_NAMES;
        }
        boolean z = -1;
        switch (normalizedUsername.hashCode()) {
            case -2099080559:
                if (normalizedUsername.equals("glassfishinternal")) {
                    z = true;
                    break;
                }
                break;
            case -2083095968:
                if (normalizedUsername.equals("onlinefs")) {
                    z = 10;
                    break;
                }
                break;
            case -1666338091:
                if (normalizedUsername.equals("elastic")) {
                    z = 11;
                    break;
                }
                break;
            case -1354779256:
                if (normalizedUsername.equals("consul")) {
                    z = 6;
                    break;
                }
                break;
            case -1138897542:
                if (normalizedUsername.equals("kagent")) {
                    z = 13;
                    break;
                }
                break;
            case -926878721:
                if (normalizedUsername.equals("rmyarn")) {
                    z = 9;
                    break;
                }
                break;
            case 3197641:
                if (normalizedUsername.equals(HdfsConstants.HDFS_URI_SCHEME)) {
                    z = 2;
                    break;
                }
                break;
            case 3202928:
                if (normalizedUsername.equals("hive")) {
                    z = 3;
                    break;
                }
                break;
            case 3322112:
                if (normalizedUsername.equals("livy")) {
                    z = 4;
                    break;
                }
                break;
            case 97520992:
                if (normalizedUsername.equals("flink")) {
                    z = 5;
                    break;
                }
                break;
            case 104382626:
                if (normalizedUsername.equals("mysql")) {
                    z = 14;
                    break;
                }
                break;
            case 1095906690:
                if (normalizedUsername.equals("hopsmon")) {
                    z = 7;
                    break;
                }
                break;
            case 1350950868:
                if (normalizedUsername.equals("glassfish")) {
                    z = false;
                    break;
                }
                break;
            case 1600681804:
                if (normalizedUsername.equals("zookeeper")) {
                    z = 8;
                    break;
                }
                break;
            case 1871588296:
                if (normalizedUsername.equals("flyingduck")) {
                    z = 12;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                return convertToGeneralNames(HopsworksService.GLASSFISH.domains(), true, str2);
            case true:
                return convertToGeneralNames(mergeSets(HopsworksService.NAMENODE.domains(), HopsworksService.SPARK_HISTORY_SERVER.domains()), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.HIVE.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.LIVY.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.FLINK.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.CONSUL.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.PROMETHEUS.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.ZOOKEEPER.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.RESOURCE_MANAGER.domains(), true, str2);
            case true:
                HashSet hashSet = new HashSet();
                hashSet.add(HopsworksService.MYSQL.getNameWithTag(MysqlTags.onlinefs));
                return convertToGeneralNames(hashSet, true, str2);
            case true:
                return convertToGeneralNames(mergeSets(HopsworksService.LOGSTASH.domains(), HopsworksService.OPENSEARCH.domains()), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.FLYING_DUCK.domains(), true, str2);
            case true:
                return convertToGeneralNames(HopsworksService.DOCKER_REGISTRY.domains(), true, str2);
            case true:
                return convertToGeneralNames(mergeSets(HopsworksService.MYSQL.domains(), HopsworksService.RDRS.domains()), true, str2);
            default:
                return EMTPY_GENERAL_NAMES;
        }
    }

    Set<String> mergeSets(Set<String>... setArr) {
        HashSet hashSet = new HashSet();
        for (Set<String> set : setArr) {
            hashSet.addAll(set);
        }
        return hashSet;
    }

    GeneralName[] convertToGeneralNames(Set<String> set, boolean z, String str) {
        GeneralName[] generalNameArr = new GeneralName[set.size()];
        int i = 0;
        for (String str2 : set) {
            String str3 = str2;
            if (z) {
                str3 = Strings.isNullOrEmpty(str) ? Utilities.constructServiceFQDN(str2, this.caConf.getString(CAConf.CAConfKeys.SERVICE_DISCOVERY_DOMAIN)) : Utilities.constructServiceFQDNWithRegion(str2, str, this.caConf.getString(CAConf.CAConfKeys.SERVICE_DISCOVERY_DOMAIN));
            }
            generalNameArr[i] = new GeneralName(2, str3);
            i++;
        }
        return generalNameArr;
    }

    @VisibleForTesting
    Optional<String> parseX509CommonName(PKCS10CertificationRequest pKCS10CertificationRequest) {
        return parseX509Rdn(pKCS10CertificationRequest, BCStyle.CN);
    }

    @VisibleForTesting
    Optional<String> parseX509Locality(PKCS10CertificationRequest pKCS10CertificationRequest) {
        return pKCS10CertificationRequest == null ? Optional.empty() : parseX509Rdn(pKCS10CertificationRequest, BCStyle.L);
    }

    private Optional<String> parseX509Rdn(PKCS10CertificationRequest pKCS10CertificationRequest, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        RDN[] rDNs = pKCS10CertificationRequest.getSubject().getRDNs(aSN1ObjectIdentifier);
        return rDNs.length == 0 ? Optional.empty() : Optional.of(IETFUtils.valueToString(rDNs[0].getFirst().getValue()));
    }

    void appendSubjectAlternativeNames(X509v3CertificateBuilder x509v3CertificateBuilder, GeneralName[] generalNameArr) throws CertIOException {
        if (!x509v3CertificateBuilder.hasExtension(Extension.subjectAlternativeName)) {
            x509v3CertificateBuilder.addExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) new GeneralNames(generalNameArr));
            return;
        }
        HashSet hashSet = new HashSet(Arrays.asList(GeneralNames.fromExtensions(new Extensions(x509v3CertificateBuilder.getExtension(Extension.subjectAlternativeName)), Extension.subjectAlternativeName).getNames()));
        hashSet.addAll(Arrays.asList(generalNameArr));
        GeneralName[] generalNameArr2 = new GeneralName[hashSet.size()];
        hashSet.toArray(generalNameArr2);
        x509v3CertificateBuilder.replaceExtension(Extension.subjectAlternativeName, false, (ASN1Encodable) new GeneralNames(generalNameArr2));
    }

    protected Function<ExtensionsBuilderParameter, Void>[] getExtensionsBuilders(CAType cAType, CertificateType certificateType) {
        return certificateType.equals(CertificateType.HOST) ? this.HOST_CERTIFICATES_EXTENSION_BUILDERS : cAType.equals(CAType.KUBECA) ? this.KUBERNETES_CERTIFICATES_EXTENSION_BUILDERS : this.EMTPY_CERTIFICATES_EXTENSION_BUILDERS;
    }

    protected X509Certificate signCertificateSigningRequest(String str, CertificateType certificateType, CAType cAType, String str2, Function<ExtensionsBuilderParameter, Void>[] functionArr) throws IOException, KeyException, NoSuchAlgorithmException, OperatorCreationException, CertificateException, SignatureException, CertificationRequestValidationException {
        LOGGER.log(Level.FINE, "Signing CSR for type " + certificateType);
        PKCS10CertificationRequest parseCertificateRequest = parseCertificateRequest(str);
        if (!certificateType.equals(CertificateType.APP)) {
            LOGGER.log(Level.INFO, "Signing certificate with Subject " + parseCertificateRequest.getSubject().toString());
        }
        validateCertificateSigningRequest(parseCertificateRequest, cAType);
        KeyPair cAKeyPair = getCAKeyPair(cAType);
        X509Certificate cACertificate = getCACertificate(certificateType);
        X500Name subject = new JcaX509CertificateHolder(cACertificate).getSubject();
        if (this.pkiCertificateFacade.findBySubjectAndStatus(parseCertificateRequest.getSubject().toString(), PKICertificate.Status.VALID).isPresent()) {
            if (!certificateType.equals(CertificateType.HOST) || this.caConf.getString(CAConf.CAConfKeys.CLOUD_EVENTS_ENDPOINT).isEmpty()) {
                throw new CertificateAlreadyExistsException("Certificate with Subject name " + parseCertificateRequest.getSubject() + " already exists");
            }
            try {
                revokeCertificate(parseCertificateRequest.getSubject(), certificateType);
            } catch (Exception e) {
                String str3 = "Certificate with Subject " + parseCertificateRequest.getSubject() + " already exists. Because running on Managed Cloud we tried to revoke the previous certificate but we failed";
                LOGGER.log(Level.SEVERE, str3, (Throwable) e);
                throw new CertificateAlreadyExistsException(str3, e);
            }
        }
        LOGGER.log(Level.FINE, "CSR subject: " + parseCertificateRequest.getSubject().toString());
        Long nextSerialNumber = this.serialNumberFacade.nextSerialNumber(cAType);
        Instant minus = Instant.now().minus(3L, (TemporalUnit) ChronoUnit.MINUTES);
        Instant certificateNotAfter = getCertificateNotAfter(certificateType, minus);
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(subject, BigInteger.valueOf(nextSerialNumber.longValue()), Date.from(minus), Date.from(certificateNotAfter), parseCertificateRequest.getSubject(), parseCertificateRequest.getSubjectPublicKeyInfo());
        x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(false)).addExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(176)).addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createAuthorityKeyIdentifier(cACertificate)).addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) jcaX509ExtensionUtils.createSubjectKeyIdentifier(parseCertificateRequest.getSubjectPublicKeyInfo()));
        try {
            for (Function<ExtensionsBuilderParameter, Void> function : functionArr) {
                function.apply(ExtensionsBuilderParameter.of(x509v3CertificateBuilder, parseCertificateRequest, certificateType, str2));
            }
            LOGGER.log(Level.FINE, "Built Certificate builder");
            X509CertificateHolder build = x509v3CertificateBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(new BouncyCastleProvider()).build(cAKeyPair.getPrivate()));
            LOGGER.log(Level.FINE, "Signed certificate");
            X509Certificate certificate = this.converter.getCertificate(build);
            LOGGER.log(Level.FINE, "Converted to X509Certificate");
            certificate.verify(cAKeyPair.getPublic(), new BouncyCastleProvider());
            LOGGER.log(Level.FINE, "Verified certificate");
            return certificate;
        } catch (Exception e2) {
            throw new CertIOException("Failed to add extension to certificate", e2);
        }
    }

    private Instant getCertificateNotAfter(CertificateType certificateType, Instant instant) {
        return instant.plus(this.pkiUtils.getValidityPeriod(certificateType));
    }

    private KeyPair getCAKeyPair(CAType cAType) throws KeyException {
        KeyPair keyPair = this.caKeys.get(cAType);
        if (keyPair == null) {
            throw new KeyException("Could not load Key pair from cache for " + cAType);
        }
        return keyPair;
    }

    private X509Certificate getCACertificate(CertificateType certificateType) throws CACertificateNotFoundException {
        CAType cAType;
        switch (certificateType) {
            case APP:
            case PROJECT:
            case HOST:
                cAType = CAType.INTERMEDIATE;
                break;
            case KUBE:
                cAType = CAType.KUBECA;
                break;
            default:
                throw new CACertificateNotFoundException("Could not find suitable CA for " + certificateType);
        }
        return getCACertificate(cAType);
    }

    private X509Certificate getCACertificate(CAType cAType) throws CACertificateNotFoundException {
        X509Certificate x509Certificate = this.caCertificates.get(cAType);
        if (x509Certificate == null) {
            throw new CACertificateNotFoundException("Failed to load " + cAType + " X509 certificate");
        }
        return x509Certificate;
    }

    protected void validateCertificateSigningRequest(PKCS10CertificationRequest pKCS10CertificationRequest, CAType cAType) throws CertificationRequestValidationException {
        X500Name subject = pKCS10CertificationRequest.getSubject();
        LOGGER.log(Level.FINE, "Validating CSR name against CA names");
        Iterator<X500Name> it = CA_SUBJECT_NAME.values().iterator();
        while (it.hasNext()) {
            if (it.next().equals(subject)) {
                throw new CertificationRequestValidationException("Requested Name " + subject + " collides with Certificate Authority name");
            }
        }
    }

    private PKCS10CertificationRequest parseCertificateRequest(String str) throws IOException, CertificateEncodingException {
        Object readObject = new PEMParser(new StringReader(str)).readObject();
        if (readObject instanceof PKCS10CertificationRequest) {
            return (PKCS10CertificationRequest) readObject;
        }
        throw new CertificateEncodingException("Failed to parse CSR to " + PKCS10CertificationRequest.class.getName());
    }

    public void revokeCertificate(String str, CertificateType certificateType) throws CAInitializationException, InvalidNameException, CertificateException, KeyException, CRLException {
        revokeCertificate(this.pkiUtils.parseCertificateSubjectName(str, certificateType), certificateType);
    }

    public void revokeCertificate(X500Name x500Name, CertificateType certificateType) throws CAInitializationException, CertificateException, KeyException, CRLException {
        try {
            maybeInitializeCA();
            if (!certificateType.equals(CertificateType.APP)) {
                LOGGER.log(Level.INFO, "Revoking certificate with Subject " + x500Name);
            }
            Optional<PKICertificate> findById = this.pkiCertificateFacade.findById(new PKICertificateId(PKICertificate.Status.VALID, x500Name.toString()));
            if (!findById.isPresent()) {
                throw new CertificateNotFoundException("Could not find certificate with Name " + x500Name.toString() + " to revoke");
            }
            PKICertificate pKICertificate = findById.get();
            LOGGER.log(Level.FINE, "Deleted certificate " + x500Name + " from database");
            try {
                X509Certificate certificate = this.converter.getCertificate(parseToX509CertificateHolder(pKICertificate.getCertificate()));
                if (!shouldCertificateTypeSkipCRL(certificateType)) {
                    CAType responsibleCA = this.pkiUtils.getResponsibleCA(certificateType);
                    updateCRL(responsibleCA, addRevocationToCRL(responsibleCA, certificate));
                    LOGGER.log(Level.FINE, "Updated CRL");
                } else if (certificate != null) {
                    LOGGER.log(Level.FINE, "Certificate " + certificate.getSubjectDN().toString() + " of type " + certificateType + " is not added to CRL");
                }
                updateRevokedCertificate(pKICertificate);
                if (certificate != null) {
                    LOGGER.log(Level.INFO, "Revoked certificate with X.509 name " + certificate.getSubjectDN().toString());
                }
            } catch (IOException e) {
                throw new CertificateException("Failed to decode certificate from CA database", e);
            }
        } catch (Exception e2) {
            LOGGER.log(Level.SEVERE, "Failed to initialize CA", (Throwable) e2);
            throw new CAInitializationException(e2);
        }
    }

    protected boolean shouldCertificateTypeSkipCRL(CertificateType certificateType) {
        return certificateType.equals(CertificateType.APP);
    }

    protected X509CertificateHolder parseToX509CertificateHolder(byte[] bArr) throws IOException {
        return new X509CertificateHolder(bArr);
    }

    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    protected void updateRevokedCertificate(PKICertificate pKICertificate) {
        Optional<PKICertificate> findById = this.pkiCertificateFacade.findById(pKICertificate.getCertificateId());
        if (!findById.isPresent()) {
            LOGGER.log(Level.WARNING, "Tried to update revoked certificate " + pKICertificate.getCertificateId() + " but certificate does not exist in database. Skip updating");
            return;
        }
        PKICertificate pKICertificate2 = findById.get();
        pKICertificate2.getCertificateId().setStatus(PKICertificate.Status.REVOKED);
        pKICertificate2.setCertificate(null);
        this.pkiCertificateFacade.updateCertificate(pKICertificate2);
        this.pkiCertificateFacade.deleteCertificate(pKICertificate);
    }

    protected X509CRL loadCRL(CAType cAType) throws CRLException, IOException {
        Optional<PKICrl> crl = this.crlFacade.getCRL(cAType);
        if (crl.isPresent()) {
            return this.crlConverter.getCRL(new X509CRLHolder(crl.get().getCrl()));
        }
        throw new CRLException("CRL for " + cAType + " is not present");
    }

    private X509CRL loadCRL(Path path) throws IOException, CRLException {
        PEMParser pEMParser = new PEMParser(new FileReader(path.toFile()));
        try {
            Object readObject = pEMParser.readObject();
            if (!(readObject instanceof X509CRLHolder)) {
                pEMParser.close();
                return null;
            }
            X509CRL crl = this.crlConverter.getCRL((X509CRLHolder) readObject);
            pEMParser.close();
            return crl;
        } catch (Throwable th) {
            try {
                pEMParser.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    protected X509CRL addRevocationToCRL(CAType cAType, X509Certificate x509Certificate) throws CRLException, KeyException {
        try {
            X509CRL loadCRL = loadCRL(cAType);
            KeyPair cAKeyPair = getCAKeyPair(cAType);
            JcaX509v2CRLBuilder jcaX509v2CRLBuilder = new JcaX509v2CRLBuilder(loadCRL);
            jcaX509v2CRLBuilder.setNextUpdate(Date.from(Instant.now().plus(1L, (TemporalUnit) ChronoUnit.DAYS)));
            ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
            extensionsGenerator.addExtension(Extension.reasonCode, false, (ASN1Encodable) REVOCATION_REASON);
            jcaX509v2CRLBuilder.addCRLEntry(x509Certificate.getSerialNumber(), new Date(), extensionsGenerator.generate());
            return this.crlConverter.getCRL(jcaX509v2CRLBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(new BouncyCastleProvider()).build(cAKeyPair.getPrivate())));
        } catch (IOException | OperatorCreationException e) {
            throw new CRLException(e);
        }
    }

    public X509Certificate loadCertificate(String str, PKICertificate.Status status) throws CertificateNotFoundException, CertificateException {
        Optional<PKICertificate> findBySubjectAndStatus = this.pkiCertificateFacade.findBySubjectAndStatus(str, status);
        if (!findBySubjectAndStatus.isPresent()) {
            throw new CertificateNotFoundException("Certificate with subject " + str + " and Status " + status + " does not exist");
        }
        try {
            return this.converter.getCertificate(new X509CertificateHolder(findBySubjectAndStatus.get().getCertificate()));
        } catch (IOException e) {
            throw new CertificateException("Failed to decode certificate from CA database", e);
        }
    }

    @VisibleForTesting
    protected void setSerialNumberFacade(SerialNumberFacade serialNumberFacade) {
        this.serialNumberFacade = serialNumberFacade;
    }

    @VisibleForTesting
    protected void setCaConf(CAConf cAConf) {
        this.caConf = cAConf;
    }

    @VisibleForTesting
    protected void setKeyFacade(KeyFacade keyFacade) {
        this.keyFacade = keyFacade;
    }

    @VisibleForTesting
    protected void setPkiCertificateFacade(PKICertificateFacade pKICertificateFacade) {
        this.pkiCertificateFacade = pKICertificateFacade;
    }

    @VisibleForTesting
    protected Map<CAType, X500Name> getCaSubjectNames() {
        return CA_SUBJECT_NAME;
    }

    @VisibleForTesting
    protected Map<CAType, KeyPair> getCaKeys() {
        return this.caKeys;
    }

    @VisibleForTesting
    protected Map<CAType, X509Certificate> getCaCertificates() {
        return this.caCertificates;
    }

    @VisibleForTesting
    protected void setCRLFacade(CRLFacade cRLFacade) {
        this.crlFacade = cRLFacade;
    }

    @VisibleForTesting
    protected void setPKIUtils(PKIUtils pKIUtils) {
        this.pkiUtils = pKIUtils;
    }

    @VisibleForTesting
    protected void setConverter(JcaX509CertificateConverter jcaX509CertificateConverter) {
        this.converter = jcaX509CertificateConverter;
    }

    @VisibleForTesting
    protected void setUsernamesConfiguration(UsernamesConfiguration usernamesConfiguration) {
        this.usernamesConfiguration = usernamesConfiguration;
    }

    static {
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.C, "SE");
        x500NameBuilder.addRDN(BCStyle.O, "Hopsworks");
        x500NameBuilder.addRDN(BCStyle.OU, "core");
        x500NameBuilder.addRDN(BCStyle.CN, "HopsRootCA");
        CA_SUBJECT_NAME.put(CAType.ROOT, x500NameBuilder.build());
        X500NameBuilder x500NameBuilder2 = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder2.addRDN(BCStyle.C, "SE");
        x500NameBuilder2.addRDN(BCStyle.O, "Hopsworks");
        x500NameBuilder2.addRDN(BCStyle.OU, "core");
        x500NameBuilder2.addRDN(BCStyle.CN, "HopsIntermediateCA");
        CA_SUBJECT_NAME.put(CAType.INTERMEDIATE, x500NameBuilder2.build());
        X500NameBuilder x500NameBuilder3 = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder3.addRDN(BCStyle.C, "SE");
        x500NameBuilder3.addRDN(BCStyle.O, "Hopsworks");
        x500NameBuilder3.addRDN(BCStyle.OU, "core");
        x500NameBuilder3.addRDN(BCStyle.CN, "KubeHopsIntermediateCA");
        CA_SUBJECT_NAME.put(CAType.KUBECA, x500NameBuilder3.build());
        EMPTY_CONFIGURATION = new CAsConfiguration(null, null, null);
        EMPTY_CERTIFICATE_EXTENSIONS_BUILDER = extensionsBuilderParameter -> {
            return null;
        };
        INTERMEDIATE_EXTENSIONS = x509v3CertificateBuilder -> {
            try {
                x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(5));
                x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(134));
                return null;
            } catch (CertIOException e) {
                throw new RuntimeException(e);
            }
        };
    }
}
