package org.apache.hadoop.security.ssl;

import com.google.common.annotations.VisibleForTesting;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.httpclient.HttpState;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-2.8.2.9.jar:org/apache/hadoop/security/ssl/CRLValidator.class */
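/**
 * Validates X.509 certificate chains against a single, locally stored CRL file
 * and keeps that CRL (and the server truststore) fresh by re-reading the files
 * when their modification time changes.
 *
 * <p>The CRL path is taken from {@code HOPS_CRL_OUTPUT_FILE_KEY}; the truststore
 * location, type and password come from the SSL server configuration
 * ({@code ssl-server.xml} unless {@code SSLFactory.SSL_SERVER_CONF_KEY} names
 * another resource). Both are loaded eagerly in the constructor with a bounded
 * retry and refreshed by a daemon thread started via
 * {@link #startReloadingThread()}.
 *
 * <p>Thread-safety: the current CRL and truststore are published through
 * {@link AtomicReference}s, so {@link #validate(Certificate[])} may run
 * concurrently with a reload. The reload unit/interval and the certificate
 * factory are plain fields and are meant to be set before the reloader thread
 * is started.
 *
 * <p>Revocation is decided by this one CRL only. NOTE(review): the CRL's own
 * validity window ({@code thisUpdate}/{@code nextUpdate}) and signature are not
 * checked here, and {@link X509CRL#getRevokedCertificate(X509Certificate)}
 * matches entries by issuer and serial, so a certificate from a CA other than
 * the CRL issuer is never reported as revoked by this class — confirm that the
 * producer of the CRL file and the surrounding trust manager cover these cases.
 */
public class CRLValidator {
    private static final Logger LOG = LogManager.getLogger(CRLValidator.class);

    /** String value that turns off a boolean JDK security/system property. */
    private static final String DISABLED = "false";
    /** Failed attempts tolerated by {@link RetryAction#retry()} before the last error is rethrown. */
    private static final int MAX_RETRY_FAILURES = 5;
    /** Pause between retry attempts. */
    private static final long RETRY_BACKOFF_MILLIS = 100L;
    /** Sentinel meaning "no reload interval has been configured". */
    private static final long UNSET_RELOAD_INTERVAL = -1L;
    private static final long DEFAULT_RELOAD_INTERVAL = 60L;
    private static final TimeUnit DEFAULT_RELOAD_TIMEUNIT = TimeUnit.MINUTES;

    private final Configuration conf;
    private final Configuration sslConf;
    /** The CRL file that {@link #validate(Certificate[])} checks against. */
    private final Path crl;
    private final File trustStoreLocation;
    /** Most recently parsed CRL; swapped atomically by the reloader thread. */
    private final AtomicReference<X509CRL> crlReference;
    private final AtomicReference<KeyStore> trustStoreReference;
    private CertificateFactory certificateFactory;
    private TimeUnit reloadTimeunit;
    private long reloadInterval = UNSET_RELOAD_INTERVAL;
    // lastModified() of each file as observed just before it was last parsed
    // successfully; a newer mtime on disk triggers a reload. Written by the
    // thread that performs the load (constructor thread, then the reloader).
    private long crlLastLoadedTimestamp;
    private long trustStoreLastLoadedTimestamp;
    private Thread reloaderThread;
    private final RetryAction<X509CRL> loadCRLWithRetry;
    private final RetryAction<KeyStore> loadTruststoreWithRetry;

    /**
     * Daemon loop that sleeps for the configured period and re-reads the CRL
     * and truststore whenever their files have changed on disk.
     */
    private final class ReloaderThread extends Thread {
        @Override
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    reloadTimeunit.sleep(reloadInterval);
                } catch (InterruptedException e) {
                    // stopReloaderThread() asked us to stop: restore the flag and
                    // leave without starting a reload that RetryAction.retry()
                    // would immediately abort on the pending interrupt.
                    Thread.currentThread().interrupt();
                    return;
                }
                if (crlNeedsReload()) {
                    try {
                        crlReference.set(loadCRLWithRetry.retry());
                    } catch (IOException | GeneralSecurityException e) {
                        // The previously loaded CRL stays in effect; it will go
                        // stale until the file is readable again.
                        LOG.error("Could not reload CRL", e);
                    }
                }
                if (trustStoreNeedsReload()) {
                    try {
                        trustStoreReference.set(loadTruststoreWithRetry.retry());
                    } catch (IOException | GeneralSecurityException e) {
                        LOG.error("Could not reload TrustStore", e);
                    }
                }
            }
        }

        /** True when the CRL file exists and is newer than the copy last parsed. */
        private boolean crlNeedsReload() {
            return isNewerThanLoaded(crl.toFile(), crlLastLoadedTimestamp);
        }

        /** True when the truststore file exists and is newer than the copy last parsed. */
        private boolean trustStoreNeedsReload() {
            return isNewerThanLoaded(trustStoreLocation, trustStoreLastLoadedTimestamp);
        }

        private boolean isNewerThanLoaded(File file, long lastLoadedTimestamp) {
            return file.exists() && file.lastModified() > lastLoadedTimestamp;
        }
    }

    /**
     * Runs {@link #operationToPerform()} until it succeeds or has failed more
     * than {@link CRLValidator#MAX_RETRY_FAILURES} times, pausing
     * {@link CRLValidator#RETRY_BACKOFF_MILLIS} ms between attempts.
     *
     * <p>The failure counter is local to each {@link #retry()} call, so a
     * long-lived reloader does not exhaust its retry budget across reloads.
     *
     * @param <T> type produced by the operation
     */
    private abstract class RetryAction<T> {
        /** The single attempt to retry. */
        abstract T operationToPerform() throws GeneralSecurityException, IOException;

        /**
         * @return the first successful result of {@link #operationToPerform()}
         * @throws IOException if the final attempt failed with an I/O error, or if
         *         the thread was interrupted while waiting to retry (the interrupt
         *         flag is restored before the exception is thrown)
         * @throws GeneralSecurityException if the final attempt failed with a
         *         security error
         */
        public T retry() throws GeneralSecurityException, IOException {
            int failures = 0;
            while (true) {
                try {
                    return operationToPerform();
                } catch (IOException | GeneralSecurityException e) {
                    if (failures > MAX_RETRY_FAILURES) {
                        throw e;
                    }
                    failures++;
                    try {
                        TimeUnit.MILLISECONDS.sleep(RETRY_BACKOFF_MILLIS);
                    } catch (InterruptedException interrupted) {
                        // Preserve the interrupt for the caller's loop before converting.
                        Thread.currentThread().interrupt();
                        throw new IOException(interrupted);
                    }
                }
            }
        }
    }

    /**
     * Creates a validator whose SSL settings are read from the server SSL
     * configuration resource named in {@code configuration}.
     *
     * @param configuration Hadoop configuration supplying the CRL file path and
     *        the name of the SSL server configuration resource
     * @throws IOException if the CRL or truststore cannot be read after retrying
     * @throws GeneralSecurityException if the CRL or truststore cannot be parsed
     *         after retrying
     */
    CRLValidator(Configuration configuration) throws IOException, GeneralSecurityException {
        this(configuration, null);
    }

    /**
     * Creates a validator and eagerly loads the CRL and the truststore.
     *
     * <p>Side effect: sets the process-wide {@code ocsp.enable} security
     * property and {@code com.sun.security.enableCRLDP} system property to
     * {@code "false"}, so the JDK's PKIX validator performs no OCSP or
     * CRL-distribution-point lookups and revocation is decided solely by the
     * local CRL file managed here.
     *
     * @param configuration Hadoop configuration supplying the CRL file path
     * @param sslConfiguration SSL server configuration (truststore location,
     *        type, password); when {@code null} it is read from the resource
     *        named by {@code SSLFactory.SSL_SERVER_CONF_KEY}
     *        (default {@code ssl-server.xml})
     * @throws IOException if the CRL or truststore cannot be read after retrying
     * @throws GeneralSecurityException if the CRL or truststore cannot be parsed
     *         after retrying
     */
    public CRLValidator(Configuration configuration, Configuration sslConfiguration)
            throws IOException, GeneralSecurityException {
        this.conf = configuration;
        this.sslConf = sslConfiguration != null ? sslConfiguration : readSSLConfiguration();

        Security.setProperty("ocsp.enable", DISABLED);
        System.setProperty("com.sun.security.enableCRLDP", DISABLED);

        this.certificateFactory = CertificateFactory.getInstance("X.509");

        this.crl = Paths.get(configuration.get(
                CommonConfigurationKeysPublic.HOPS_CRL_OUTPUT_FILE_KEY,
                CommonConfigurationKeys.HOPS_CRL_OUTPUT_FILE_DEFAULT));
        this.loadCRLWithRetry = new RetryAction<X509CRL>() {
            @Override
            public X509CRL operationToPerform() throws GeneralSecurityException, IOException {
                return loadCRL();
            }
        };
        this.crlReference = new AtomicReference<>(loadCRLWithRetry.retry());

        this.trustStoreLocation = new File(
                serverSslProperty(FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY));
        this.loadTruststoreWithRetry = new RetryAction<KeyStore>() {
            @Override
            public KeyStore operationToPerform() throws GeneralSecurityException, IOException {
                return loadTruststore();
            }
        };
        this.trustStoreReference = new AtomicReference<>(loadTruststoreWithRetry.retry());
    }

    /**
     * Starts the daemon reloader thread, falling back to a period of
     * {@value #DEFAULT_RELOAD_INTERVAL} {@link TimeUnit#MINUTES} for whichever
     * of unit/interval was not configured. A second call while a reloader is
     * still alive is a no-op, so only one thread ever refreshes the references.
     */
    public void startReloadingThread() {
        if (reloaderThread != null && reloaderThread.isAlive()) {
            LOG.warn("CRL Validator reloader thread is already running");
            return;
        }
        if (reloadTimeunit == null) {
            reloadTimeunit = DEFAULT_RELOAD_TIMEUNIT;
        }
        if (reloadInterval == UNSET_RELOAD_INTERVAL) {
            reloadInterval = DEFAULT_RELOAD_INTERVAL;
        }
        reloaderThread = new ReloaderThread();
        reloaderThread.setName("CRL Validator reloader thread");
        reloaderThread.setDaemon(true);
        reloaderThread.start();
    }

    /** Asks the reloader thread (if any) to stop; does not wait for it. */
    public void stopReloaderThread() {
        if (reloaderThread != null) {
            reloaderThread.interrupt();
        }
    }

    /** Sets the unit of {@link #setReloadInterval(long)}; call before {@link #startReloadingThread()}. */
    @VisibleForTesting
    public void setReloadTimeunit(TimeUnit timeUnit) {
        this.reloadTimeunit = timeUnit;
    }

    /** Sets the reload period (in {@link #getReloadTimeunit()} units); call before {@link #startReloadingThread()}. */
    public void setReloadInterval(long interval) {
        this.reloadInterval = interval;
    }

    /** Replaces the factory used to parse the CRL file on the next (re)load. */
    @VisibleForTesting
    public void setCertificateFactory(CertificateFactory certificateFactory) {
        this.certificateFactory = certificateFactory;
    }

    @VisibleForTesting
    public TimeUnit getReloadTimeunit() {
        return reloadTimeunit;
    }

    @VisibleForTesting
    public long getReloadInterval() {
        return reloadInterval;
    }

    /**
     * Rejects the chain if any certificate in it appears in the current CRL.
     *
     * @param chain the certificate chain to check; every element must be an
     *        {@link X509Certificate}
     * @throws CertificateException if the chain is {@code null} or empty, if an
     *         element is not X.509, or if an element is listed as revoked
     */
    public void validate(Certificate[] chain) throws CertificateException {
        // Fail closed: an empty chain must not pass as "valid".
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Certificate chain is empty");
        }
        X509CRL currentCrl = crlReference.get();
        for (Certificate certificate : chain) {
            if (!(certificate instanceof X509Certificate)) {
                throw new CertificateException("Certificate is not X.509");
            }
            X509Certificate x509Certificate = (X509Certificate) certificate;
            X509CRLEntry revokedEntry = currentCrl.getRevokedCertificate(x509Certificate);
            if (revokedEntry != null) {
                throw new CertificateException(revocationMessage(x509Certificate, currentCrl, revokedEntry));
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Certificate " + chain[0] + " is valid");
        }
    }

    /** Builds the rejection message for a revoked certificate (reason is optional in a CRL entry). */
    private static String revocationMessage(X509Certificate certificate, X509CRL issuingCrl, X509CRLEntry entry) {
        String reason = entry.getRevocationReason() != null
                ? " REASON: " + entry.getRevocationReason().toString()
                : "";
        return "HopsCRLValidator: Certificate " + certificate.getSubjectDN().toString()
                + " has been revoked by " + issuingCrl.getIssuerX500Principal().getName() + reason;
    }

    /** Loads the SSL server configuration resource named by {@code SSLFactory.SSL_SERVER_CONF_KEY}. */
    private Configuration readSSLConfiguration() {
        Configuration configuration = new Configuration(false);
        configuration.addResource(conf.get(SSLFactory.SSL_SERVER_CONF_KEY, "ssl-server.xml"));
        return configuration;
    }

    /** Reads a SERVER-mode property from the SSL configuration, resolving the template key. */
    private String serverSslProperty(String templateKey) {
        return sslConf.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, templateKey));
    }

    /**
     * Reads the server truststore named in the SSL configuration. Public only
     * because the retry action calls it; not intended as API.
     *
     * @return the loaded truststore
     * @throws IllegalStateException if no truststore password is configured
     * @throws IOException if the truststore file cannot be read
     * @throws GeneralSecurityException if the truststore cannot be parsed
     */
    public KeyStore loadTruststore() throws GeneralSecurityException, IOException {
        String type = sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
                        FileBasedKeyStoresFactory.SSL_TRUSTSTORE_TYPE_TPL_KEY),
                FileBasedKeyStoresFactory.DEFAULT_KEYSTORE_TYPE);
        String password = serverSslProperty(FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
        if (password == null) {
            // KeyStore.load(in, null) would skip the integrity check; fail loudly
            // instead of silently loading an unverified truststore.
            throw new IllegalStateException("No truststore password configured for "
                    + FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY);
        }
        KeyStore keyStore = KeyStore.getInstance(type);
        // Capture the mtime before parsing so a write racing with this load is
        // picked up by the next reload check; only record it on success so a
        // corrupt file keeps being retried on the next pass.
        long modifiedAtLoad = trustStoreLocation.lastModified();
        try (InputStream in = new FileInputStream(trustStoreLocation)) {
            keyStore.load(in, password.toCharArray());
        }
        trustStoreLastLoadedTimestamp = modifiedAtLoad;
        return keyStore;
    }

    /**
     * Parses the CRL file with the current certificate factory. Public only
     * because the retry action calls it; not intended as API.
     *
     * @return the parsed CRL
     * @throws IOException if the CRL file cannot be opened or read
     * @throws CertificateException if the factory cannot process the input
     * @throws CRLException if the file is not a well-formed CRL
     */
    public X509CRL loadCRL() throws IOException, CertificateException, CRLException {
        long modifiedAtLoad = crl.toFile().lastModified();
        X509CRL parsed;
        try (InputStream in = Files.newInputStream(crl, StandardOpenOption.READ)) {
            parsed = (X509CRL) certificateFactory.generateCRL(in);
        }
        // Same ordering as loadTruststore(): record the pre-parse mtime, and
        // only after a successful parse.
        crlLastLoadedTimestamp = modifiedAtLoad;
        return parsed;
    }
}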
