package io.hops.hopsworks.expat.migrations.x509;

import io.hops.hopsworks.expat.configuration.ConfigurationBuilder;
import io.hops.hopsworks.expat.configuration.ExpatConf;
import io.hops.hopsworks.expat.db.DbConnectionFactory;
import io.hops.hopsworks.expat.db.dao.certificates.CRLFacade;
import io.hops.hopsworks.expat.db.dao.certificates.CertificatesFacade;
import io.hops.hopsworks.expat.db.dao.certificates.KeysFacade;
import io.hops.hopsworks.expat.db.dao.certificates.SerialNumberFacade;
import io.hops.hopsworks.expat.migrations.MigrateStep;
import io.hops.hopsworks.expat.migrations.MigrationException;
import io.hops.hopsworks.expat.migrations.RollbackException;
import java.io.FileReader;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileVisitOption;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.configuration2.Configuration;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.io.FileUtils;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/hops/hopsworks/expat/migrations/x509/MigrateToBouncyCastle.class */
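/**
 * Expat migration step that moves the Certificate Authority material kept on disk under
 * {@code /srv/hops/certs-dir} into the database through the certificate facades: the CA key
 * pairs, the "next serial number" counters, the certificates found in each CA's certs directory
 * and the INTERMEDIATE CA's CRL.
 *
 * <p>Every phase skips entries the facades already report as existing, so the step can be re-run
 * after a partial failure. The whole step is skipped when the ROOT CA private key is absent.
 * {@link #rollback()} truncates the tables the facades write to. Not thread-safe: one instance is
 * meant to run one migration.
 */
public class MigrateToBouncyCastle implements MigrateStep {
    private static final Logger LOGGER = LoggerFactory.getLogger(MigrateToBouncyCastle.class);

    /** Names under which the facades store the material of each CA. */
    private static final String ROOT_CA = "ROOT";
    private static final String INTERMEDIATE_CA = "INTERMEDIATE";
    private static final String KUBE_CA = "KUBECA";

    /** Numeric CA identifiers handed to {@code CertificatesFacade.insertPKICertificate}. */
    private static final int ROOT_CA_TYPE = 0;
    private static final int INTERMEDIATE_CA_TYPE = 1;
    private static final int KUBE_CA_TYPE = 2;

    /**
     * Key-type discriminators handed to {@code KeysFacade.insertKey}. The mapping private=0 /
     * public=1 is what this step has always written; the facade's own definition is not visible here.
     */
    private static final int PRIVATE_KEY_TYPE = 0;
    private static final int PUBLIC_KEY_TYPE = 1;

    // On-disk layout of the legacy certificate directory this step reads from.
    private static final String CERTS_DIR = "/srv/hops/certs-dir";
    private static final Path ROOT_CA_KEY = Paths.get(CERTS_DIR + "/private/ca.key.pem");
    private static final Path INTERMEDIATE_CA_KEY = Paths.get(CERTS_DIR + "/intermediate/private/intermediate.key.pem");
    private static final Path KUBE_CA_KEY = Paths.get(CERTS_DIR + "/kube/private/kube-ca.key.pem");
    private static final Path ROOT_SERIAL = Paths.get(CERTS_DIR + "/serial");
    private static final Path INTERMEDIATE_SERIAL = Paths.get(CERTS_DIR + "/intermediate/serial");
    private static final Path KUBE_SERIAL = Paths.get(CERTS_DIR + "/kube/serial");
    private static final Path ROOT_CERTS_DIR = Paths.get(CERTS_DIR + "/certs");
    private static final Path INTERMEDIATE_CERTS_DIR = Paths.get(CERTS_DIR + "/intermediate/certs");
    private static final Path KUBE_CERTS_DIR = Paths.get(CERTS_DIR + "/kube/certs");
    private static final Path INTERMEDIATE_CRL = Paths.get(CERTS_DIR + "/intermediate/crl/intermediate.crl.pem");
    /** The INTERMEDIATE CA's own certificate lives in its certs directory but is not an issued cert. */
    private static final String INTERMEDIATE_CA_CERT = CERTS_DIR + "/intermediate/certs/intermediate.cert.pem";

    private Connection dbConnection;
    private KeysFacade keysFacade;
    private SerialNumberFacade serialNumberFacade;
    private CertificatesFacade certificatesFacade;
    private CRLFacade crlFacade;
    private Configuration config;
    // Defaults to the safe side until setup() reads ExpatConf.DRY_RUN; the facades decide what it means.
    private boolean dryRun = true;
    // Absolute path strings (as produced by Path.toString()) of files not to import as issued certificates.
    private final Set<String> certificatesToIgnore = new HashSet<>();
    private final JcaPEMKeyConverter pemKeyConverter = new JcaPEMKeyConverter().setProvider("BC");
    private final JcaX509CertificateConverter x509CertificateConverter = new JcaX509CertificateConverter().setProvider("BC");
    private final JcaX509CRLConverter crlConverter = new JcaX509CRLConverter().setProvider("BC");

    /** A migration phase; any exception it throws is wrapped by {@link #runStep}. */
    @FunctionalInterface
    private interface Step {
        void run() throws Exception;
    }

    public MigrateToBouncyCastle() {
        this.certificatesToIgnore.add(INTERMEDIATE_CA_CERT);
    }

    /**
     * Runs the four phases in dependency order (keys, serial numbers, certificates, CRLs).
     *
     * @throws MigrationException if the database/configuration setup or any phase fails; the
     *     original exception is attached as the cause
     */
    @Override // io.hops.hopsworks.expat.migrations.MigrateStep
    public void migrate() throws MigrationException {
        LOGGER.info("Running migrations");
        try {
            setup();
        } catch (ConfigurationException | SQLException e) {
            LOGGER.error("Failed to setup connection to database", e);
            throw new MigrationException("Failed to setup connection to database", e);
        }
        // No ROOT CA key means this host carries no CA material to migrate.
        if (!Files.exists(ROOT_CA_KEY)) {
            LOGGER.info("ROOT CA private key does not exist. Skipping migration " + MigrateToBouncyCastle.class.getName());
            return;
        }
        LOGGER.info("Migrating Certificate Authorities key pairs");
        runStep("Failed to migrate key pairs", this::migrateKeyPairs);
        LOGGER.info("Finished migrating key pairs");

        LOGGER.info("Migrating Certificate Authorities serial number");
        runStep("Failed to migrate CA serial number", this::migrateSerialNumbers);
        LOGGER.info("Finished migrating serial numbers");

        LOGGER.info("Migrating certificates for Certificate Authorities");
        runStep("Failed to migrate certificates", this::migrateCertificates);
        LOGGER.info("Finished migrating certificates");

        LOGGER.info("Migrating CRL for CAs");
        runStep("Failed to migrate CRLs", this::migrateCRLs);
        LOGGER.info("Finished migrating CRLs");
    }

    /**
     * Executes one phase, logging and wrapping any failure (checked or unchecked) into a
     * {@link MigrationException} so that the caller never sees a bare runtime exception.
     */
    private static void runStep(String failureMessage, Step step) throws MigrationException {
        try {
            step.run();
        } catch (Exception e) {
            LOGGER.error(failureMessage, e);
            throw new MigrationException(failureMessage, e);
        }
    }

    /**
     * Truncates the serial-number, key, CRL and PKI-certificate tables, in that order. Facades that
     * were never created (setup() did not run) are skipped; the first failure aborts the rollback.
     *
     * @throws RollbackException wrapping the first failure
     */
    @Override // io.hops.hopsworks.expat.migrations.MigrateStep
    public void rollback() throws RollbackException {
        try {
            if (this.serialNumberFacade != null) {
                this.serialNumberFacade.truncate();
            }
            if (this.keysFacade != null) {
                this.keysFacade.truncate();
            }
            if (this.crlFacade != null) {
                this.crlFacade.truncate();
            }
            if (this.certificatesFacade != null) {
                this.certificatesFacade.truncatePKICertificates(this.dbConnection);
            }
        } catch (Exception e) {
            LOGGER.error("Error while rollback", e);
            throw new RollbackException("Error while rollback", e);
        }
    }

    /** Loads the expat configuration, opens the database connection and builds the facades. */
    private void setup() throws ConfigurationException, SQLException {
        this.config = ConfigurationBuilder.getConfiguration();
        this.dryRun = this.config.getBoolean(ExpatConf.DRY_RUN);
        this.dbConnection = DbConnectionFactory.getConnection();
        this.keysFacade = new KeysFacade(this.dbConnection, this.dryRun);
        this.serialNumberFacade = new SerialNumberFacade(this.dbConnection, this.dryRun);
        this.certificatesFacade = new CertificatesFacade();
        this.crlFacade = new CRLFacade(this.dbConnection, this.dryRun);
    }

    /** Migrates the ROOT and INTERMEDIATE key pairs, plus the Kubernetes CA's if its key file exists. */
    private void migrateKeyPairs() throws IOException, SQLException {
        // All CA keys are encrypted with the same password, taken from the expat configuration.
        String caPassword = this.config.getString(ExpatConf.CA_PASSWORD);
        LOGGER.info("Migrating ROOT Certificate Authority keys");
        migrateKeyPair(ROOT_CA, ROOT_CA_KEY, caPassword);
        LOGGER.info("Finished successfully ROOT CA keys migration");
        LOGGER.info("Migrating INTERMEDIATE Certificate Authority keys");
        migrateKeyPair(INTERMEDIATE_CA, INTERMEDIATE_CA_KEY, caPassword);
        LOGGER.info("Finished successfully INTERMEDIATE CA keys migration");
        if (Files.exists(KUBE_CA_KEY)) {
            LOGGER.info("Migrating Kubernetes Certificate Authority keys");
            migrateKeyPair(KUBE_CA, KUBE_CA_KEY, caPassword);
            LOGGER.info("Finished successfully Kubernetes CA keys migration");
        }
    }

    /**
     * Stores the private and public key of one CA, unless the facade already has a key for it.
     * The existence check comes first so an already-migrated key is never read or decrypted again.
     *
     * @param caName   name the key is stored under (ROOT, INTERMEDIATE, KUBECA)
     * @param keyFile  PEM file holding the (possibly encrypted) key pair
     * @param password password for an encrypted PEM; unused for a plain one
     */
    private void migrateKeyPair(String caName, Path keyFile, String password) throws IOException, SQLException {
        if (this.keysFacade.exists(caName)) {
            LOGGER.info("Key for " + caName + " has already been migrated. Skipping...");
            return;
        }
        LOGGER.info("Loading keypair for " + caName + " from " + keyFile);
        KeyPair keyPair = loadKeyPair(keyFile, password);
        LOGGER.info("Saving private key");
        this.keysFacade.insertKey(caName, PRIVATE_KEY_TYPE, keyPair.getPrivate().getEncoded());
        LOGGER.info("Saving public key");
        this.keysFacade.insertKey(caName, PUBLIC_KEY_TYPE, keyPair.getPublic().getEncoded());
    }

    /**
     * Reads the first PEM object of {@code keyFile} and converts it to a JCA key pair, decrypting it
     * with {@code password} when the PEM is encrypted.
     *
     * @throws IOException if the file cannot be read or does not start with a key pair
     * @throws IllegalStateException if the PEM is encrypted but no password was configured
     */
    private KeyPair loadKeyPair(Path keyFile, String password) throws IOException {
        // PEMParser is a Reader; closing it releases the underlying file handle.
        try (PEMParser parser = new PEMParser(Files.newBufferedReader(keyFile))) {
            Object pemObject = parser.readObject();
            if (pemObject instanceof PEMEncryptedKeyPair) {
                if (password == null) {
                    throw new IllegalStateException("Key " + keyFile + " is encrypted but no CA password is configured");
                }
                // The password arrives as a String from the configuration, so it cannot be zeroed after use.
                return this.pemKeyConverter.getKeyPair(((PEMEncryptedKeyPair) pemObject)
                    .decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(password.toCharArray())));
            }
            if (pemObject instanceof PEMKeyPair) {
                return this.pemKeyConverter.getKeyPair((PEMKeyPair) pemObject);
            }
            String found = pemObject == null ? "no PEM object" : pemObject.getClass().getName();
            throw new IOException("Expected a key pair in " + keyFile + " but found " + found);
        }
    }

    /** Migrates the ROOT and INTERMEDIATE serial counters, plus the Kubernetes CA's if its file exists. */
    private void migrateSerialNumbers() throws IOException, SQLException {
        LOGGER.info("Migrating Serial Number for ROOT");
        migrateSerialNumber(ROOT_CA, ROOT_SERIAL);
        LOGGER.info("Migrating Serial Number for INTERMEDIATE");
        migrateSerialNumber(INTERMEDIATE_CA, INTERMEDIATE_SERIAL);
        if (Files.exists(KUBE_SERIAL)) {
            LOGGER.info("Migrating Serial Number for Kubernetes");
            migrateSerialNumber(KUBE_CA, KUBE_SERIAL);
        }
    }

    /**
     * Initialises the facade's serial counter for {@code caName} from the CA's serial file, unless a
     * counter already exists. The file is only read when it is actually needed.
     */
    private void migrateSerialNumber(String caName, Path serialFile) throws IOException, SQLException {
        if (this.serialNumberFacade.exists(caName)) {
            LOGGER.info("Serial number for " + caName + " has already been migrated. Skipping...");
            return;
        }
        Long serialNumber = getSerialNumber(serialFile);
        this.serialNumberFacade.initializeSerialNumber(caName, serialNumber);
        LOGGER.info("Migrated Serial Number for " + caName + " with next number " + serialNumber);
    }

    /**
     * Parses the CA serial file: a single hexadecimal number, read as an unsigned 64-bit value so
     * the full range a 64-bit column can hold is accepted.
     *
     * @throws IOException if the file is unreadable or empty
     * @throws NumberFormatException if the content is not a hexadecimal number that fits in 64 bits
     */
    private Long getSerialNumber(Path serialFile) throws IOException {
        // The serial file is plain ASCII; reading it as UTF-8 avoids depending on the platform charset.
        String hex = new String(Files.readAllBytes(serialFile), StandardCharsets.UTF_8).trim();
        if (hex.isEmpty()) {
            throw new IOException("Serial file " + serialFile + " is empty");
        }
        return Long.parseUnsignedLong(hex, 16);
    }

    /** Migrates the certificates of the ROOT and INTERMEDIATE CAs, plus the Kubernetes CA's if present. */
    private void migrateCertificates() throws IOException, CertificateException, SQLException {
        LOGGER.info("Migrating certificates for ROOT CA");
        migrateCertificatesForCA(ROOT_CERTS_DIR, ROOT_CA_TYPE);
        LOGGER.info("Finished certificates migration for ROOT CA");
        LOGGER.info("Migrating certificates for INTERMEDIATE CA");
        migrateCertificatesForCA(INTERMEDIATE_CERTS_DIR, INTERMEDIATE_CA_TYPE);
        LOGGER.info("Finished certificates migration for INTERMEDIATE CA");
        if (Files.exists(KUBE_CERTS_DIR)) {
            LOGGER.info("Migrating certificates for Kubernetes CA");
            migrateCertificatesForCA(KUBE_CERTS_DIR, KUBE_CA_TYPE);
            LOGGER.info("Finished certificates migration for Kubernetes CA");
        }
    }

    /**
     * Migrates every regular {@code .pem} file directly inside {@code certsDir} (no recursion) that
     * is not on the ignore list, in sorted order so runs are reproducible. The directory stream is
     * closed before any database work starts, and failures propagate as their original checked type.
     *
     * @param certsDir directory holding the CA's issued certificates
     * @param caType   numeric CA identifier stored with each certificate
     */
    private void migrateCertificatesForCA(Path certsDir, int caType) throws IOException, CertificateException, SQLException {
        List<Path> pemFiles;
        try (Stream<Path> entries = Files.walk(certsDir, 1)) {
            pemFiles = entries
                .filter(Files::isRegularFile)
                .filter(p -> p.toString().endsWith(".pem"))
                .filter(p -> !this.certificatesToIgnore.contains(p.toString()))
                .sorted()
                .collect(Collectors.toList());
        }
        for (Path pemFile : pemFiles) {
            LOGGER.info("Migrating certificate " + pemFile);
            migrateCertificate(pemFile, caType);
        }
    }

    /**
     * Stores one certificate unless the facade already has one for the same subject. Files whose
     * first PEM object is not a certificate are skipped.
     *
     * @throws CertificateException if the certificate cannot be encoded or its serial number does
     *     not fit the facade's 64-bit serial parameter
     */
    private void migrateCertificate(Path certFile, int caType) throws IOException, CertificateException, SQLException {
        X509Certificate certificate = loadCertificate(certFile);
        if (certificate == null) {
            LOGGER.info("Skipping " + certFile + ": first PEM object is not an X.509 certificate");
            return;
        }
        // getSubjectDN() is deprecated, but its string form is the key exists() looks up, so switching
        // to getSubjectX500Principal().getName() (different formatting) would break the skip check for
        // rows written by earlier runs. Note that two certificates with the same subject collapse here.
        String subject = certificate.getSubjectDN().toString();
        if (this.certificatesFacade.exists(this.dbConnection, subject, this.dryRun)) {
            LOGGER.info("Certificate for " + subject + " has already been migrated. Skipping...");
            return;
        }
        Long serialNumber = toSerialNumber(certificate, certFile);
        // The fourth argument (0) is passed through as before; its meaning is defined by the facade.
        this.certificatesFacade.insertPKICertificate(this.dbConnection, caType, serialNumber, 0, subject,
            certificate.getEncoded(), certificate.getNotBefore().toInstant(), certificate.getNotAfter().toInstant(),
            this.dryRun);
    }

    /**
     * Converts the certificate's serial number to the 64-bit value the facade accepts. Serials wider
     * than 64 bits are rejected instead of being silently truncated, because a truncated serial can
     * collide with another certificate's. {@code longValue()} keeps the raw bit pattern, so serials in
     * [2^63, 2^64) become negative longs, consistent with how {@link #getSerialNumber} parses the
     * serial file with {@code parseUnsignedLong}.
     */
    private static Long toSerialNumber(X509Certificate certificate, Path certFile) throws CertificateException {
        BigInteger serial = certificate.getSerialNumber();
        if (serial.signum() < 0 || serial.bitLength() > 64) {
            throw new CertificateException("Serial number 0x" + serial.toString(16) + " of " + certFile
                + " does not fit in 64 bits");
        }
        return serial.longValue();
    }

    /**
     * Reads the first PEM object of {@code certFile}.
     *
     * @return the certificate, or {@code null} if the first PEM object is not an X.509 certificate
     */
    private X509Certificate loadCertificate(Path certFile) throws IOException, CertificateException {
        try (PEMParser parser = new PEMParser(Files.newBufferedReader(certFile))) {
            Object pemObject = parser.readObject();
            if (pemObject instanceof X509CertificateHolder) {
                return this.x509CertificateConverter.getCertificate((X509CertificateHolder) pemObject);
            }
            return null;
        }
    }

    /** Only the INTERMEDIATE CA keeps a CRL on disk. */
    private void migrateCRLs() throws IOException, CRLException, SQLException {
        LOGGER.info("Migrating CRL for INTERMEDIATE CA");
        migrateCRL(INTERMEDIATE_CRL, INTERMEDIATE_CA);
    }

    /**
     * Stores the DER encoding of the CRL in {@code crlFile} under {@code caName}, unless the facade
     * already holds one; files that do not start with a CRL are skipped.
     */
    private void migrateCRL(Path crlFile, String caName) throws IOException, CRLException, SQLException {
        if (this.crlFacade.exists(caName)) {
            LOGGER.info("CRL for " + caName + " has already been migrated. Skipping...");
            return;
        }
        X509CRL crl = loadCRL(crlFile);
        if (crl == null) {
            LOGGER.info("Skipping " + crlFile + ": first PEM object is not a CRL");
            return;
        }
        LOGGER.info("Migrating " + caName + " CRL from " + crlFile);
        this.crlFacade.insertCRL(caName, crl.getEncoded());
    }

    /**
     * Reads the first PEM object of {@code crlFile}.
     *
     * @return the CRL, or {@code null} if the first PEM object is not an X.509 CRL
     */
    private X509CRL loadCRL(Path crlFile) throws IOException, CRLException {
        try (PEMParser parser = new PEMParser(Files.newBufferedReader(crlFile))) {
            Object pemObject = parser.readObject();
            if (pemObject instanceof X509CRLHolder) {
                return this.crlConverter.getCRL((X509CRLHolder) pemObject);
            }
            return null;
        }
    }

    static {
        // The converters above are bound to provider "BC", so it must be registered before use.
        Security.addProvider(new BouncyCastleProvider());
    }
}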
