package org.apache.hadoop.hdds.security.x509.certificate.utils;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.InetAddress;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.validator.routines.DomainValidator;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.class */
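/**
 * Builds, serializes and parses PKCS#10 certificate signing requests (CSRs).
 *
 * <p>A request is assembled through {@link Builder}: the subject DN is derived
 * from the subject, SCM id and cluster id, and a PKCS#9 extensionRequest
 * attribute carries basicConstraints (CA requests only), keyUsage and, when
 * alternative names were added, subjectAlternativeName.
 *
 * <p>The DN is produced by interpolating the three values verbatim into
 * {@code CN=%s,OU=%s,O=%s} (no RFC 4514 escaping), so a subject containing
 * {@code ','} or {@code '='} would be parsed as additional RDNs. The values
 * are therefore expected to come from trusted configuration, and the signing
 * side must still validate the DN of any CSR it receives.
 *
 * <p>The static helpers {@link #getCertificationRequest(String)},
 * {@link #getPkcs9ExtRequest} and {@link #getPkcs9Extensions} operate on
 * CSRs received from remote nodes, i.e. on untrusted input; they fail with
 * {@link SCMSecurityException}/{@link CertificateException} rather than a
 * {@link NullPointerException} or {@link java.util.NoSuchElementException}
 * when the structure is missing.
 */
public final class CertificateSignRequest {
    private static final String DISTINGUISHED_NAME_FORMAT = "CN=%s,OU=%s,O=%s";
    private static final String DISTINGUISHED_NAME_WITH_SN_FORMAT = "CN=%s,OU=%s,O=%s,SERIALNUMBER=%s";
    private static final Logger LOG = LoggerFactory.getLogger(CertificateSignRequest.class);
    private final KeyPair keyPair;
    private final SecurityConfig config;
    private final Extensions extensions;
    private final String subject;
    private final String clusterID;
    private final String scmID;

    /**
     * Fluent builder for a {@link PKCS10CertificationRequest}.
     *
     * <p>Not thread-safe; a builder is meant to be populated and then
     * {@link #build() built} once.
     */
    public static class Builder {
        /** OID this project uses as the type-id of a service-name otherName SAN entry. */
        private static final String SERVICE_NAME_OTHER_NAME_OID = "2.16.840.1.113730.3.1.34";

        private String subject;
        private String clusterID;
        private String scmID;
        private KeyPair key;
        private SecurityConfig config;
        private List<GeneralName> altNames;
        // A CA request is only produced when setCA(Boolean.TRUE) was called;
        // null is treated as "not a CA" so it can never widen the request.
        private boolean ca;
        private boolean digitalSignature;
        private boolean digitalEncryption;

        /**
         * Sets the security configuration (signature algorithm and provider).
         *
         * @param securityConfig configuration used when signing the request
         * @return this builder
         */
        public Builder setConfiguration(SecurityConfig securityConfig) {
            this.config = securityConfig;
            return this;
        }

        /**
         * Sets the key pair whose public key is certified and whose private key signs the CSR.
         *
         * @param keyPair key pair; must be non-null at {@link #build()} time
         * @return this builder
         */
        public Builder setKey(KeyPair keyPair) {
            this.key = keyPair;
            return this;
        }

        /**
         * Sets the subject (CN component of the DN).
         *
         * @param str subject; must be non-blank at {@link #build()} time
         * @return this builder
         */
        public Builder setSubject(String str) {
            this.subject = str;
            return this;
        }

        /**
         * Sets the cluster id (O component of the DN).
         *
         * @param str cluster id
         * @return this builder
         */
        public Builder setClusterID(String str) {
            this.clusterID = str;
            return this;
        }

        /**
         * Sets the SCM id (OU component of the DN).
         *
         * @param str SCM id
         * @return this builder
         */
        public Builder setScmID(String str) {
            this.scmID = str;
            return this;
        }

        /**
         * Requests the digitalSignature key-usage bit.
         *
         * @param z whether digitalSignature should be set
         * @return this builder
         */
        public Builder setDigitalSignature(boolean z) {
            this.digitalSignature = z;
            return this;
        }

        /**
         * Requests the keyEncipherment and dataEncipherment key-usage bits.
         *
         * @param z whether the encipherment bits should be set
         * @return this builder
         */
        public Builder setDigitalEncryption(boolean z) {
            this.digitalEncryption = z;
            return this;
        }

        /**
         * Adds a dNSName entry to the subjectAlternativeName extension.
         *
         * @param str DNS name, must not be null
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public Builder addDnsName(String str) {
            Preconditions.checkNotNull(str, "dnsName cannot be null");
            addAltName(GeneralName.dNSName, str);
            return this;
        }

        /**
         * Reports whether at least one dNSName alternative name has been added.
         *
         * @return true if a dNSName SAN entry is present
         */
        public boolean hasDnsName() {
            if (altNames == null) {
                return false;
            }
            return altNames.stream().anyMatch(name -> name.getTagNo() == GeneralName.dNSName);
        }

        /**
         * Adds an iPAddress entry to the subjectAlternativeName extension.
         *
         * @param str textual IP address, must not be null
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public Builder addIpAddress(String str) {
            Preconditions.checkNotNull(str, "Ip address cannot be null");
            addAltName(GeneralName.iPAddress, str);
            return this;
        }

        /**
         * Adds the valid addresses of the current host, as IP and (when the
         * canonical host name is a valid domain) DNS alternative names.
         *
         * @return this builder
         * @throws CertificateException with {@code CSR_ERROR} if the host
         *         addresses cannot be enumerated
         */
        public Builder addInetAddresses() throws CertificateException {
            try {
                addInetAddresses(OzoneSecurityUtil.getValidInetsForCurrentHost(), DomainValidator.getInstance());
            } catch (IOException e) {
                throw new CertificateException("Error while getting Inet addresses for the CSR builder", e, CertificateException.ErrorCode.CSR_ERROR);
            }
            return this;
        }

        /**
         * Adds every address in {@code list} as an iPAddress SAN entry, plus its
         * canonical host name as a dNSName entry when {@code domainValidator}
         * accepts it. Names the validator rejects are logged and skipped.
         *
         * @param list addresses to add
         * @param domainValidator validator deciding whether a canonical host name is a usable DNS name
         * @return this builder
         */
        public Builder addInetAddresses(List<InetAddress> list, DomainValidator domainValidator) {
            Preconditions.checkNotNull(list, "Inet address list cannot be null");
            for (InetAddress inetAddress : list) {
                addIpAddress(inetAddress.getHostAddress());
                // Resolve once: getCanonicalHostName() may involve a reverse lookup.
                String hostName = inetAddress.getCanonicalHostName();
                if (domainValidator.isValid(hostName)) {
                    addDnsName(hostName);
                } else {
                    LOG.error("Invalid domain {}", hostName);
                }
            }
            return this;
        }

        /**
         * Adds a service name as an otherName SAN entry (see {@link #SERVICE_NAME_OTHER_NAME_OID}).
         *
         * @param str service name, must not be null
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public Builder addServiceName(String str) {
            Preconditions.checkNotNull(str, "Service Name cannot be null");
            addAltName(GeneralName.otherName, str);
            return this;
        }

        /**
         * Appends a GeneralName of the given tag; otherName values are wrapped
         * in the project's otherName structure, all other tags take the string directly.
         */
        private Builder addAltName(int tag, String value) {
            if (altNames == null) {
                altNames = new ArrayList<>();
            }
            if (tag == GeneralName.otherName) {
                altNames.add(new GeneralName(tag, addOtherNameAsn1Object(value)));
            } else {
                altNames.add(new GeneralName(tag, value));
            }
            return this;
        }

        /**
         * Encodes a service name as {@code [0] IMPLICIT SEQUENCE { type-id OID,
         * value [0] EXPLICIT UTF8String }}, the otherName form used by this project.
         */
        private ASN1Object addOtherNameAsn1Object(String value) {
            ASN1EncodableVector otherName = new ASN1EncodableVector();
            otherName.add(new ASN1ObjectIdentifier(SERVICE_NAME_OTHER_NAME_OID));
            otherName.add(new DERTaggedObject(true, 0, new DERUTF8String(value)));
            return new DERTaggedObject(false, 0, new DERSequence(otherName));
        }

        /**
         * Marks the request as a CA request: basicConstraints(cA=true) is added
         * and keyCertSign/cRLSign are set in keyUsage.
         *
         * @param bool true for a CA request; null is treated as false
         * @return this builder
         */
        public Builder setCA(Boolean bool) {
            this.ca = Boolean.TRUE.equals(bool);
            return this;
        }

        /**
         * Builds the critical keyUsage extension. keyAgreement is always set;
         * the remaining bits follow the builder flags.
         */
        private Extension getKeyUsageExtension() throws IOException {
            int usage = KeyUsage.keyAgreement;
            if (digitalEncryption) {
                usage |= KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
            }
            if (digitalSignature) {
                usage |= KeyUsage.digitalSignature;
            }
            if (ca) {
                usage |= KeyUsage.keyCertSign | KeyUsage.cRLSign;
            }
            return new Extension(Extension.keyUsage, true, new KeyUsage(usage).getEncoded());
        }

        /** Builds the non-critical subjectAlternativeName extension, or empty if no names were added. */
        private Optional<Extension> getSubjectAltNameExtension() throws IOException {
            if (altNames == null) {
                return Optional.empty();
            }
            GeneralNames names = new GeneralNames(altNames.toArray(new GeneralName[0]));
            return Optional.of(new Extension(Extension.subjectAlternativeName, false, new DEROctetString(names)));
        }

        /** Builds the critical basicConstraints extension carrying the cA flag. */
        private Extension getBasicExtension() throws IOException {
            return new Extension(Extension.basicConstraints, true, new DEROctetString(new BasicConstraints(ca)));
        }

        /**
         * Assembles the extensions in a fixed order: basicConstraints (CA requests
         * only), keyUsage, then subjectAlternativeName when present.
         */
        private Extensions createExtensions() throws IOException {
            List<Extension> result = new ArrayList<>();
            if (ca) {
                result.add(getBasicExtension());
            }
            result.add(getKeyUsageExtension());
            getSubjectAltNameExtension().ifPresent(result::add);
            return new Extensions(result.toArray(new Extension[0]));
        }

        /**
         * Creates and signs the certification request.
         *
         * @return the signed PKCS#10 request
         * @throws SCMSecurityException (as {@link CertificateException}) if the
         *         extensions cannot be encoded or the signer cannot be created
         * @throws NullPointerException if the key pair or configuration was not set
         * @throws IllegalArgumentException if the subject is blank
         */
        public PKCS10CertificationRequest build() throws SCMSecurityException {
            Preconditions.checkNotNull(key, "KeyPair cannot be null");
            Preconditions.checkNotNull(config, "SecurityConfig cannot be null");
            Preconditions.checkArgument(StringUtils.isNotBlank(subject), "Subject cannot be blank");
            X500Name dn = getDistinguishedName(subject, scmID, clusterID);
            try {
                Extensions csrExtensions = createExtensions();
                return new CertificateSignRequest(subject, scmID, clusterID, key, config, csrExtensions).generateCSR();
            } catch (OperatorCreationException e) {
                // Pass the exception itself, not e.getCause(): the cause may be
                // null, which would drop the stack trace entirely.
                throw new CertificateException(String.format("Unable to create certificate sign request for %s.", dn), e);
            } catch (IOException e) {
                throw new CertificateException(String.format("Unable to create extension for certificate sign request for %s.", dn), e);
            }
        }
    }

    private CertificateSignRequest(String subject, String scmID, String clusterID, KeyPair keyPair, SecurityConfig securityConfig, Extensions extensions) {
        this.subject = subject;
        this.clusterID = clusterID;
        this.scmID = scmID;
        this.keyPair = keyPair;
        this.config = securityConfig;
        this.extensions = extensions;
    }

    /**
     * Returns the {@code String.format} pattern for the subject DN ({@code CN,OU,O}).
     *
     * @return the DN format string
     */
    public static String getDistinguishedNameFormat() {
        return DISTINGUISHED_NAME_FORMAT;
    }

    /**
     * Returns the {@code String.format} pattern for a DN that also carries a SERIALNUMBER.
     *
     * @return the DN-with-serial-number format string
     */
    public static String getDistinguishedNameFormatWithSN() {
        return DISTINGUISHED_NAME_WITH_SN_FORMAT;
    }

    /**
     * Builds a DN with a serial number. Values are interpolated verbatim (no escaping).
     *
     * @param subject CN value
     * @param scmID OU value
     * @param clusterID O value
     * @param serialNumber SERIALNUMBER value
     * @return the parsed X.500 name
     */
    public static X500Name getDistinguishedNameWithSN(String subject, String scmID, String clusterID, String serialNumber) {
        return new X500Name(String.format(DISTINGUISHED_NAME_WITH_SN_FORMAT, subject, scmID, clusterID, serialNumber));
    }

    /**
     * Builds the subject DN. Values are interpolated verbatim (no escaping).
     *
     * @param subject CN value
     * @param scmID OU value
     * @param clusterID O value
     * @return the parsed X.500 name
     */
    public static X500Name getDistinguishedName(String subject, String scmID, String clusterID) {
        return new X500Name(String.format(getDistinguishedNameFormat(), subject, scmID, clusterID));
    }

    /**
     * Extracts the requested extensions from a CSR's PKCS#9 extensionRequest attribute.
     *
     * <p>Only the first value of the attribute is consulted. The CSR is typically
     * received from a remote node, so structural problems are reported as
     * {@link CertificateException} rather than as runtime exceptions.
     *
     * @param csr the certification request
     * @return the extensions carried by the request
     * @throws CertificateException if the attribute is absent, empty, or holds an unexpected element type
     */
    public static Extensions getPkcs9Extensions(PKCS10CertificationRequest csr) throws CertificateException {
        ASN1Set values = getPkcs9ExtRequest(csr);
        if (values.size() == 0) {
            throw new CertificateException("Empty PKCS#9 extension request in CSR");
        }
        Object first = values.getObjectAt(0);
        if (first instanceof Extensions) {
            return (Extensions) first;
        }
        if (first instanceof ASN1Sequence) {
            return Extensions.getInstance((ASN1Sequence) first);
        }
        throw new CertificateException("Unknown element type :" + first.getClass().getSimpleName());
    }

    /**
     * Finds the PKCS#9 extensionRequest attribute of a CSR.
     *
     * @param csr the certification request
     * @return the attribute's value set
     * @throws CertificateException if the CSR carries no extensionRequest attribute
     */
    public static ASN1Set getPkcs9ExtRequest(PKCS10CertificationRequest csr) throws CertificateException {
        for (Attribute attribute : csr.getAttributes()) {
            if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
                return attribute.getAttrValues();
            }
        }
        throw new CertificateException("No PKCS#9 extension found in CSR");
    }

    /**
     * Signs the request with the private key using the configured algorithm and provider.
     * Private as in the original source (the decompiler widened it for the nested builder).
     */
    private PKCS10CertificationRequest generateCSR() throws OperatorCreationException {
        JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                getDistinguishedName(subject, scmID, clusterID), keyPair.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder(config.getSignatureAlgo())
                .setProvider(config.getProvider())
                .build(keyPair.getPrivate());
        if (extensions != null) {
            csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions);
        }
        return csrBuilder.build(signer);
    }

    /**
     * Serializes a CSR as a {@code CERTIFICATE REQUEST} PEM block.
     *
     * @param csr the certification request
     * @return PEM text
     * @throws IOException if the request cannot be encoded or written
     */
    public static String getEncodedString(PKCS10CertificationRequest csr) throws IOException {
        PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(pemObject);
        }
        return out.toString();
    }

    /**
     * Parses a PEM-encoded CSR, typically received from a remote node.
     *
     * <p>The PEM type label is not checked; only the presence of a PEM block with
     * content is required. The DER payload is validated by the
     * {@link PKCS10CertificationRequest} constructor.
     *
     * @param csr PEM text
     * @return the parsed request
     * @throws SCMSecurityException with {@code INVALID_CSR} if the text holds no PEM block or an empty one
     * @throws IOException if the payload is not a valid PKCS#10 request
     */
    public static PKCS10CertificationRequest getCertificationRequest(String csr) throws IOException {
        Preconditions.checkNotNull(csr, "CSR cannot be null");
        try (PemReader reader = new PemReader(new StringReader(csr))) {
            PemObject pemObject = reader.readPemObject();
            // readPemObject() yields null when no PEM boundary is found; without
            // this check a malformed request would surface as a NullPointerException.
            if (pemObject == null || pemObject.getContent() == null) {
                throw new SCMSecurityException("Invalid Certificate signing request", SCMSecurityException.ErrorCode.INVALID_CSR);
            }
            return new PKCS10CertificationRequest(pemObject.getContent());
        }
    }
}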
