package io.hops.hopsworks.ca.controllers;

import com.google.common.base.Strings;
import io.hops.hopsworks.ca.configuration.CAConf;
import io.hops.hopsworks.ca.persistence.PKICertificateFacade;
import io.hops.hopsworks.persistence.entity.pki.CAType;
import io.hops.hopsworks.persistence.entity.pki.PKICertificate;
import io.hops.hopsworks.restutils.RESTCodes;
import java.io.ByteArrayOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.OutputStream;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.naming.InvalidNameException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.security.LdapGroupsMapping;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.io.pem.PemObjectGenerator;
import org.locationtech.proj4j.parser.Proj4Keyword;
import org.locationtech.proj4j.units.AngleFormat;

@Stateless
/* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKIUtils.class */
public class PKIUtils {

    @EJB
    private CAConf CAConf;

    @EJB
    private PKICertificateFacade pkiCertificateFacade;
    protected static final long TEN_YEARS = 3650;
    private static final String CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR = "Certificate type not recognized";
    private static final Pattern TIME_CONF_PATTERN;
    private static final Base64 B64;
    private JcaPEMKeyConverter pemKeyConverter;
    private JcaX509CertificateConverter x509Converter;
    private static final Pattern HOST_CERTIFICATE_SUBJECT = Pattern.compile("^(?<cn>.+)__(?<l>.+)__(?<ou>\\d+)$");
    private static final Pattern APP_CERTIFICATE_SUBJECT = Pattern.compile("^(?<cn>.+)__(?<o>app.+)__(?<ou>\\d+)$");
    private static final Map<String, ChronoUnit> TIME_SUFFIXES = new HashMap(5);

    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/PKIUtils$KeyStores.class */
    public static class KeyStores<T> {
        private final T keyStore;
        private final T trustStore;
        private final char[] password;

        public KeyStores(T t, T t2, char[] cArr) {
            this.keyStore = t;
            this.trustStore = t2;
            this.password = cArr;
        }

        public T getKeyStore() {
            return this.keyStore;
        }

        public T getTrustStore() {
            return this.trustStore;
        }

        public char[] getPassword() {
            return this.password;
        }
    }

    @PostConstruct
    public void init() {
        Security.addProvider(new BouncyCastleProvider());
        this.pemKeyConverter = new JcaPEMKeyConverter().setProvider(new BouncyCastleProvider());
        this.x509Converter = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider());
    }

    public X500Name parseCertificateSubjectName(String str, CertificateType certificateType) throws InvalidNameException {
        switch (certificateType) {
            case APP:
                return parseApplicationCertificateSubjectName(str);
            case HOST:
                return parseHostCertificateSubjectName(str);
            default:
                return parseGenericCertificateSubjectName(str);
        }
    }

    public X500Name parseHostCertificateSubjectName(String str) throws InvalidNameException {
        Matcher matcher = HOST_CERTIFICATE_SUBJECT.matcher(str);
        if (!matcher.matches()) {
            throw new InvalidNameException("Cannot parse Host certificate subject: " + str);
        }
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.CN, matcher.group(LdapGroupsMapping.GROUP_NAME_ATTR_DEFAULT));
        x500NameBuilder.addRDN(BCStyle.L, matcher.group("l"));
        x500NameBuilder.addRDN(BCStyle.OU, matcher.group("ou"));
        return x500NameBuilder.build();
    }

    public X500Name parseGenericCertificateSubjectName(String str) throws InvalidNameException {
        if (Strings.isNullOrEmpty(str)) {
            throw new InvalidNameException("Certificate subject cannot be null or empty");
        }
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.CN, str);
        return x500NameBuilder.build();
    }

    public X500Name parseApplicationCertificateSubjectName(String str) throws InvalidNameException {
        Matcher matcher = APP_CERTIFICATE_SUBJECT.matcher(str);
        if (!matcher.matches()) {
            throw new InvalidNameException("Cannot parse Application certificate subject: " + str);
        }
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStrictStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.CN, matcher.group(LdapGroupsMapping.GROUP_NAME_ATTR_DEFAULT));
        x500NameBuilder.addRDN(BCStyle.O, matcher.group("o"));
        x500NameBuilder.addRDN(BCStyle.OU, matcher.group("ou"));
        return x500NameBuilder.build();
    }

    public TemporalAmount getValidityPeriod(CertificateType certificateType) {
        switch (certificateType) {
            case APP:
                return getAppCertificateValidityPeriod();
            case HOST:
                return getServiceCertificateValidityPeriod();
            case KUBE:
            case PROJECT:
                return Duration.ofSeconds(TimeUnit.SECONDS.convert(TEN_YEARS, TimeUnit.DAYS));
            default:
                throw new IllegalArgumentException(CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    private TemporalAmount getServiceCertificateValidityPeriod() {
        return Duration.ofSeconds(!this.CAConf.getBoolean(CAConf.CAConfKeys.SERVICE_KEY_ROTATION_ENABLED).booleanValue() ? TimeUnit.SECONDS.convert(TEN_YEARS, TimeUnit.DAYS) : getCertificateValidityInS(this.CAConf.getString(CAConf.CAConfKeys.SERVICE_KEY_ROTATION_INTERVAL) + TimeUnit.SECONDS.convert(4L, TimeUnit.DAYS)));
    }

    private TemporalAmount getAppCertificateValidityPeriod() {
        return Duration.ofSeconds(getCertificateValidityInS(this.CAConf.getString(CAConf.CAConfKeys.APPLICATION_CERTIFICATE_VALIDITY_PERIOD)));
    }

    protected long getCertificateValidityInS(String str) {
        Long confTimeValue = getConfTimeValue(str);
        return Duration.of(confTimeValue.longValue(), getConfTimeTimeUnit(str)).getSeconds();
    }

    public CAType getResponsibleCA(CertificateType certificateType) {
        switch (certificateType) {
            case APP:
            case HOST:
            case PROJECT:
                return CAType.INTERMEDIATE;
            case KUBE:
                return CAType.KUBECA;
            default:
                throw new IllegalArgumentException(CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    public List<String> findAllHostCertificateSubjectsForHost(String str) {
        return this.pkiCertificateFacade.findAllSubjectsWithStatusAndPartialSubject(String.format("CN=%s", str), PKICertificate.Status.VALID);
    }

    public List<String> findAllValidSubjectsWithPartialMatch(String str) {
        return this.pkiCertificateFacade.findAllSubjectsWithStatusAndPartialSubject(str, PKICertificate.Status.VALID);
    }

    public String convertToPEM(X509Extension x509Extension) throws IOException {
        StringWriter stringWriter = new StringWriter();
        Throwable th = null;
        try {
            try {
                JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter);
                jcaPEMWriter.writeObject((PemObjectGenerator) new JcaMiscPEMGenerator(x509Extension).generate());
                jcaPEMWriter.flush();
                stringWriter.flush();
                jcaPEMWriter.close();
                String stringWriter2 = stringWriter.toString();
                if (stringWriter != null) {
                    if (0 != 0) {
                        try {
                            stringWriter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        stringWriter.close();
                    }
                }
                return stringWriter2;
            } finally {
            }
        } catch (Throwable th3) {
            if (stringWriter != null) {
                if (th != null) {
                    try {
                        stringWriter.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    stringWriter.close();
                }
            }
            throw th3;
        }
    }

    public CAException csrSigningExceptionConvertToCAException(Throwable th, CertificateType certificateType) {
        return th instanceof CAInitializationException ? new CAException(RESTCodes.CAErrorCode.CA_INITIALIZATION_ERROR, Level.SEVERE, certificateType, "Failed to initialize CA", "Failed to initialize CA", th.getCause()) : th instanceof CertificateEncodingException ? new CAException(RESTCodes.CAErrorCode.BADSIGNREQUEST, Level.FINE, certificateType, "Empty or malformed CSR", "Could not parse CSR to PKCS10CertificationRequest", th) : th instanceof CertificationRequestValidationException ? new CAException(RESTCodes.CAErrorCode.BADSIGNREQUEST, Level.FINE, certificateType, th.getMessage(), th.getMessage(), th) : ((th instanceof KeyException) || (th instanceof SignatureException) || (th instanceof CACertificateNotFoundException)) ? new CAException(RESTCodes.CAErrorCode.CSR_GENERIC_ERROR, Level.SEVERE, certificateType, "Generic PKI error", "Error while signing CSR. Check logs", th) : th instanceof CertificateAlreadyExistsException ? new CAException(RESTCodes.CAErrorCode.CERTEXISTS, Level.FINE, certificateType, "Certificate with the same X.509 Subject name already exists", "Certificat with same Subject", th) : ((th instanceof NoSuchAlgorithmException) || (th instanceof CertIOException) || (th instanceof OperatorCreationException) || (th instanceof CertificateException)) ? new CAException(RESTCodes.CAErrorCode.CSR_SIGNING_ERROR, Level.SEVERE, certificateType, "Failed to sign CSR", "Failed to sign CSR. Check logs", th) : new CAException(RESTCodes.CAErrorCode.CSR_GENERIC_ERROR, Level.SEVERE, certificateType, "Unknown error while signing CSR", "Unknown error while signing CSR. Check logs", th);
    }

    public CAException certificateRevocationExceptionConvertToCAException(Throwable th, CertificateType certificateType) {
        return th instanceof CAInitializationException ? new CAException(RESTCodes.CAErrorCode.CA_INITIALIZATION_ERROR, Level.SEVERE, certificateType, "Failed to initialize CA", "Failed to initialize CA", th.getCause()) : th instanceof InvalidNameException ? new CAException(RESTCodes.CAErrorCode.BAD_SUBJECT_NAME, Level.FINE, CertificateType.APP, "Bad certificate identifier to revoke", th.getMessage(), th) : th instanceof CertificateNotFoundException ? new CAException(RESTCodes.CAErrorCode.CERTNOTFOUND, Level.FINE, CertificateType.APP, th.getMessage(), th.getMessage(), th) : th instanceof CertificateException ? new CAException(RESTCodes.CAErrorCode.CERTIFICATE_DECODING_ERROR, Level.FINE, CertificateType.APP, th.getMessage(), th.getMessage(), th) : ((th instanceof CRLException) || (th instanceof KeyException)) ? new CAException(RESTCodes.CAErrorCode.CERTIFICATE_REVOCATION_FAILURE, Level.SEVERE, CertificateType.APP, "Failed to revoke certificate", th.getMessage(), th) : new CAException(RESTCodes.CAErrorCode.CERTIFICATE_REVOCATION_FAILURE, Level.SEVERE, certificateType, "Unknown error while revoking certificate", th.getMessage(), th);
    }

    public CAException certificateLoadingExceptionConvertToCAException(Throwable th) {
        return th instanceof CertificateNotFoundException ? new CAException(RESTCodes.CAErrorCode.CERTNOTFOUND, Level.FINE, null, th.getMessage(), th.getMessage(), th) : th instanceof CertificateException ? new CAException(RESTCodes.CAErrorCode.CERTIFICATE_DECODING_ERROR, Level.SEVERE, null, "Could not decode certificate", th.getMessage(), th) : new CAException(RESTCodes.CAErrorCode.PKI_GENERIC_ERROR, Level.SEVERE, null, "Generic PKI error", th.getMessage(), th);
    }

    public Duration parseDuration(String str) {
        return Duration.of(getConfTimeValue(str).longValue(), getConfTimeTimeUnit(str));
    }

    private Long getConfTimeValue(String str) {
        Matcher matcher = TIME_CONF_PATTERN.matcher(str.toLowerCase());
        if (matcher.matches()) {
            return Long.valueOf(Long.parseLong(matcher.group(1)));
        }
        throw new IllegalArgumentException("Invalid time in configuration: " + str);
    }

    private ChronoUnit getConfTimeTimeUnit(String str) {
        Matcher matcher = TIME_CONF_PATTERN.matcher(str.toLowerCase());
        if (!matcher.matches()) {
            throw new IllegalArgumentException("Invalid time in configuration: " + str);
        }
        String group = matcher.group(2);
        if (null == group || TIME_SUFFIXES.containsKey(group.toLowerCase())) {
            return group == null ? ChronoUnit.MINUTES : TIME_SUFFIXES.get(group.toLowerCase());
        }
        throw new IllegalArgumentException("Invalid time suffix in configuration: " + str);
    }

    public KeyPair loadKeyPair(String str, String str2) throws IOException {
        return loadKeyPair(new StringReader(str), str2);
    }

    public KeyPair loadKeyPair(Path path, String str) throws IOException {
        return loadKeyPair(new FileReader(path.toFile()), str);
    }

    private KeyPair loadKeyPair(Reader reader, String str) throws IOException {
        KeyPair keyPair;
        PEMParser pEMParser = new PEMParser(reader);
        Throwable th = null;
        try {
            Object readObject = pEMParser.readObject();
            if (readObject instanceof PEMEncryptedKeyPair) {
                keyPair = this.pemKeyConverter.getKeyPair(((PEMEncryptedKeyPair) readObject).decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(str.toCharArray())));
            } else if (readObject instanceof PEMKeyPair) {
                keyPair = this.pemKeyConverter.getKeyPair((PEMKeyPair) readObject);
            } else {
                if (!(readObject instanceof PrivateKeyInfo)) {
                    throw new UnsupportedEncodingException("Unsupported keypair encoding");
                }
                keyPair = new KeyPair(null, this.pemKeyConverter.getPrivateKey((PrivateKeyInfo) readObject));
            }
            return keyPair;
        } finally {
            if (pEMParser != null) {
                if (0 != 0) {
                    try {
                        pEMParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    pEMParser.close();
                }
            }
        }
    }

    public X509Certificate loadCertificate(Path path) throws IOException, CertificateException {
        return loadCertificate(new FileReader(path.toFile()));
    }

    public X509Certificate loadCertificate(String str) throws IOException, CertificateException {
        return loadCertificate(new StringReader(str));
    }

    private X509Certificate loadCertificate(Reader reader) throws IOException, CertificateException {
        PEMParser pEMParser = new PEMParser(reader);
        Throwable th = null;
        try {
            try {
                Object readObject = pEMParser.readObject();
                if (!(readObject instanceof X509CertificateHolder)) {
                    if (pEMParser != null) {
                        if (0 != 0) {
                            try {
                                pEMParser.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            pEMParser.close();
                        }
                    }
                    return null;
                }
                X509Certificate certificate = this.x509Converter.getCertificate((X509CertificateHolder) readObject);
                if (pEMParser != null) {
                    if (0 != 0) {
                        try {
                            pEMParser.close();
                        } catch (Throwable th3) {
                            th.addSuppressed(th3);
                        }
                    } else {
                        pEMParser.close();
                    }
                }
                return certificate;
            } finally {
            }
        } catch (Throwable th4) {
            if (pEMParser != null) {
                if (th != null) {
                    try {
                        pEMParser.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    pEMParser.close();
                }
            }
            throw th4;
        }
    }

    public KeyStores<String> createB64Keystores(String str, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3) throws GeneralSecurityException, IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Throwable th = null;
        try {
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            Throwable th2 = null;
            try {
                try {
                    KeyStores<String> keyStores = new KeyStores<>(B64.encodeToString(byteArrayOutputStream.toByteArray()), B64.encodeToString(byteArrayOutputStream2.toByteArray()), createKeystores(str, x509Certificate, x509Certificate2, x509Certificate3, byteArrayOutputStream, byteArrayOutputStream2));
                    if (byteArrayOutputStream2 != null) {
                        if (0 != 0) {
                            try {
                                byteArrayOutputStream2.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            byteArrayOutputStream2.close();
                        }
                    }
                    return keyStores;
                } finally {
                }
            } catch (Throwable th4) {
                if (byteArrayOutputStream2 != null) {
                    if (th2 != null) {
                        try {
                            byteArrayOutputStream2.close();
                        } catch (Throwable th5) {
                            th2.addSuppressed(th5);
                        }
                    } else {
                        byteArrayOutputStream2.close();
                    }
                }
                throw th4;
            }
        } finally {
            if (byteArrayOutputStream != null) {
                if (0 != 0) {
                    try {
                        byteArrayOutputStream.close();
                    } catch (Throwable th6) {
                        th.addSuppressed(th6);
                    }
                } else {
                    byteArrayOutputStream.close();
                }
            }
        }
    }

    public char[] createKeystores(String str, X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3, OutputStream outputStream, OutputStream outputStream2) throws GeneralSecurityException, IOException {
        PrivateKey privateKey = loadKeyPair(new StringReader(str), "").getPrivate();
        char[] charArray = RandomStringUtils.randomAlphanumeric(15, 20).toCharArray();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry("own", privateKey, charArray, new X509Certificate[]{x509Certificate, x509Certificate2});
        keyStore.store(outputStream, charArray);
        KeyStore keyStore2 = KeyStore.getInstance("JKS");
        keyStore2.load(null, null);
        keyStore2.setCertificateEntry("hw_root_ca", x509Certificate3);
        keyStore2.store(outputStream2, charArray);
        outputStream.flush();
        outputStream2.flush();
        return charArray;
    }

    static {
        TIME_SUFFIXES.put(AngleFormat.STR_SEC_ABBREV, ChronoUnit.SECONDS);
        TIME_SUFFIXES.put("m", ChronoUnit.MINUTES);
        TIME_SUFFIXES.put(Proj4Keyword.h, ChronoUnit.HOURS);
        TIME_SUFFIXES.put("d", ChronoUnit.DAYS);
        TIME_CONF_PATTERN = Pattern.compile("([0-9]+)([a-z]+)?");
        B64 = new Base64();
    }
}
