package org.apache.qpid.server.security;

import com.google.common.collect.Sets;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathParameters;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.TrustStoreMessages;
import org.apache.qpid.server.model.AbstractConfigurationChangeListener;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHostNode;
import org.apache.qpid.server.security.AbstractTrustStore;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/AbstractTrustStore.class */
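/**
 * Base class for the broker's {@link TrustStore} implementations.
 *
 * <p>Concrete subclasses supply the certificates ({@code getCertificates()}) and the raw
 * {@link TrustManager}s ({@link #getTrustManagersInternal()}); this class adds the behaviour
 * common to every trust store:
 * <ul>
 *   <li>optional enforcement that only self-signed certificates act as trust anchors
 *       ({@link #getTrustManagers()});</li>
 *   <li>PKIX revocation-checking configuration, including a CRL loaded from a configured
 *       URL or file path ({@link #getParameters(KeyStore)}, {@link #getCRLs(String)});</li>
 *   <li>a periodic house-keeping task that logs certificates approaching expiry
 *       ({@link #initializeExpiryChecking()}).</li>
 * </ul>
 *
 * <p>This listing is decompiled. The decompiler's notes said that the constructor,
 * {@code changeAttributes}, {@code validateChange}, {@code logOperation},
 * {@code initializeExpiryChecking}, {@code onDelete}, {@code checkCertificateExpiry},
 * {@code getTrustManagers(KeyStore)} and {@code getUrlFromString} were widened to
 * {@code public}; the visible modifiers are kept so existing callers are unaffected.
 *
 * @param <X> the concrete trust store type
 */
public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>> extends AbstractConfiguredObject<X> implements TrustStore<X> {
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractTrustStore.class);

    /** One day in milliseconds; the unit of the expiry-warning arithmetic below. */
    protected static final long ONE_DAY = 86_400_000L;

    /** Used when the expiry-warn-period context variable is absent or not an integer. */
    private static final int DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD = 30;

    /** Used when the expiry-check-frequency context variable is absent or not an integer. */
    private static final int DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY = 1;

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    @ManagedAttributeField
    private boolean _exposedAsMessageSource;

    @ManagedAttributeField
    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;

    @ManagedAttributeField
    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;

    // When true, only self-signed certificates in the store are accepted as trust anchors.
    @ManagedAttributeField
    private boolean _trustAnchorValidityEnforced;

    // Master switch for PKIX revocation checking; the options below only apply when it is set.
    @ManagedAttributeField
    private boolean _certificateRevocationCheckEnabled;

    @ManagedAttributeField
    private boolean _certificateRevocationCheckOfOnlyEndEntityCertificates;

    @ManagedAttributeField
    private boolean _certificateRevocationCheckWithPreferringCertificateRevocationList;

    @ManagedAttributeField
    private boolean _certificateRevocationCheckWithNoFallback;

    @ManagedAttributeField
    private boolean _certificateRevocationCheckWithIgnoringSoftFailures;

    // URL (or bare file path) of the CRL; null disables the explicit CRL cert store.
    @ManagedAttributeField(afterSet = "postSetCertificateRevocationListUrl")
    private volatile String _certificateRevocationListUrl;

    // Derived from _certificateRevocationListUrl: null for "data:" URLs, otherwise the same string.
    private volatile String _certificateRevocationListPath;

    // Handle of the scheduled expiry check, so it can be cancelled on close/delete.
    private ScheduledFuture<?> _checkExpiryTaskFuture;

    /**
     * Creates the trust store and logs the CREATE event.
     *
     * @param attributes the configured attributes
     * @param broker     the owning broker; also the source of the event logger
     */
    public AbstractTrustStore(Map<String, Object> attributes, Broker<?> broker) {
        super(broker, attributes);
        this._broker = broker;
        this._eventLogger = broker.getEventLogger();
        this._eventLogger.message(TrustStoreMessages.CREATE(getName()));
    }

    /** @return the broker that owns this trust store */
    public final Broker<?> getBroker() {
        return this._broker;
    }

    /** @return the broker's event logger */
    final EventLogger getEventLogger() {
        return this._eventLogger;
    }

    /**
     * Rebuilds subclass state from the current attributes. Invoked after the CRL URL
     * attribute changes (see {@link #changeAttributes(Map)}).
     */
    protected abstract void initialize();

    /**
     * Applies an attribute change; a new CRL URL triggers {@link #initialize()} so the
     * revocation configuration picks it up.
     */
    @Override
    public void changeAttributes(Map<String, Object> attributes) {
        super.changeAttributes(attributes);
        if (attributes.containsKey(TrustStore.CERTIFICATE_REVOCATION_LIST_URL)) {
            initialize();
        }
    }

    /**
     * Validates the configuration. Loading the CRL here makes an unreadable or
     * malformed CRL URL fail creation rather than surfacing later at TLS time.
     */
    @Override
    public void onValidate() {
        super.onValidate();
        getCRLs();
    }

    /**
     * Validates a proposed change; the new CRL URL (read from the proxy object) is
     * loaded eagerly so a bad value is rejected before it is committed.
     */
    @Override
    public void validateChange(ConfiguredObject<?> proxyForValidation, Set<String> changedAttributes) {
        super.validateChange(proxyForValidation, changedAttributes);
        if (changedAttributes.contains(TrustStore.CERTIFICATE_REVOCATION_LIST_URL)) {
            getCRLs((String) proxyForValidation.getAttribute(TrustStore.CERTIFICATE_REVOCATION_LIST_URL));
        }
    }

    /** Cancels the expiry check; completes immediately. */
    @Override
    protected ListenableFuture<Void> onClose() {
        onCloseOrDelete();
        return Futures.<Void>immediateFuture(null);
    }

    /** Cancels the scheduled expiry check, if one was registered. Safe to call twice. */
    private void onCloseOrDelete() {
        if (this._checkExpiryTaskFuture != null) {
            this._checkExpiryTaskFuture.cancel(false);
            this._checkExpiryTaskFuture = null;
        }
    }

    /** Logs a management operation against this trust store. */
    @Override
    public void logOperation(String operation) {
        this._broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
    }

    /**
     * Schedules the periodic certificate-expiry check.
     *
     * <p>If the broker is already active the house-keeping task is scheduled at once;
     * otherwise a one-shot state listener schedules it on the transition to
     * {@link State#ACTIVE} and then removes itself.
     */
    public void initializeExpiryChecking() {
        final int frequencyInDays = getCertificateExpiryCheckFrequency();
        if (getBroker().getState() == State.ACTIVE) {
            this._checkExpiryTaskFuture = scheduleExpiryCheck(frequencyInDays);
        } else {
            // NOTE(review): state is read and the listener added without synchronisation;
            // whether an ACTIVE transition between the two can be missed depends on the
            // broker's listener semantics, which are not visible here.
            getBroker().addChangeListener(new AbstractConfigurationChangeListener() {
                @Override
                public void stateChanged(ConfiguredObject<?> object, State oldState, State newState) {
                    if (newState == State.ACTIVE) {
                        AbstractTrustStore.this._checkExpiryTaskFuture = scheduleExpiryCheck(frequencyInDays);
                        AbstractTrustStore.this.getBroker().removeChangeListener(this);
                    }
                }
            });
        }
    }

    /** Registers {@link #checkCertificateExpiry()} with the broker's house-keeping scheduler. */
    private ScheduledFuture<?> scheduleExpiryCheck(int frequencyInDays) {
        return getBroker().scheduleHouseKeepingTask(frequencyInDays, TimeUnit.DAYS, this::checkCertificateExpiry);
    }

    /** Cancels the expiry check, logs the DELETE event and delegates to the superclass. */
    @Override
    public ListenableFuture<Void> onDelete() {
        onCloseOrDelete();
        this._eventLogger.message(TrustStoreMessages.DELETE(getName()));
        return super.onDelete();
    }

    /**
     * Logs an EXPIRING event for every X.509 certificate in the store whose validity
     * ends within the configured warn period. A warn period of zero or less disables
     * the check. Failures to read the certificates are logged at debug level only.
     */
    public void checkCertificateExpiry() {
        int warnPeriodInDays = getCertificateExpiryWarnPeriod();
        if (warnPeriodInDays <= 0) {
            return;
        }
        long now = System.currentTimeMillis();
        // A certificate that is already expired at this future instant is "expiring".
        Date warnThreshold = new Date(now + ONE_DAY * warnPeriodInDays);
        try {
            for (Certificate certificate : getCertificates()) {
                if (certificate instanceof X509Certificate) {
                    checkCertificateExpiry(now, warnThreshold, (X509Certificate) certificate);
                }
            }
        } catch (GeneralSecurityException e) {
            LOGGER.debug("Unexpected exception whilst checking certificate expiry", e);
        }
    }

    /**
     * Logs an EXPIRING event if {@code certificate} is no longer valid at
     * {@code warnThreshold}, reporting the whole days left from {@code now}.
     */
    private void checkCertificateExpiry(long now, Date warnThreshold, X509Certificate certificate) {
        try {
            certificate.checkValidity(warnThreshold);
        } catch (CertificateExpiredException e) {
            int daysRemaining = Math.max(0, (int) ((certificate.getNotAfter().getTime() - now) / ONE_DAY));
            // getSubjectDN() is deprecated but retained so the logged subject keeps its existing form.
            getEventLogger().message(TrustStoreMessages.EXPIRING(getName(),
                                                                 String.valueOf(daysRemaining),
                                                                 certificate.getSubjectDN().toString()));
        } catch (CertificateNotYetValidException ignored) {
            // Not yet valid at the threshold date: it cannot be expiring within the warn period.
        }
    }

    /**
     * Returns the trust managers, optionally wrapped so that only self-signed
     * certificates are accepted as trust anchors.
     *
     * <p>When {@link #isTrustAnchorValidityEnforced()} is false the subclass's managers
     * are returned as-is. Otherwise the store's certificates are split into self-signed
     * ones (trust anchors) and the rest, and every {@link X509TrustManager} is wrapped in
     * a {@code TrustAnchorValidatingTrustManager}; non-X.509 managers pass through.
     *
     * @throws GeneralSecurityException if the certificates or managers cannot be obtained
     */
    @Override
    public final TrustManager[] getTrustManagers() throws GeneralSecurityException {
        if (!isTrustAnchorValidityEnforced()) {
            return getTrustManagersInternal();
        }
        // De-duplicate first: TrustAnchor has identity equality, so repeated certificates
        // would otherwise yield repeated anchors.
        Set<Certificate> distinctCertificates = new HashSet<>(Arrays.asList(getCertificates()));
        Set<TrustAnchor> trustAnchors = new HashSet<>();
        Set<Certificate> otherCertificates = new HashSet<>();
        for (Certificate certificate : distinctCertificates) {
            if (certificate instanceof X509Certificate && isSelfSigned((X509Certificate) certificate)) {
                trustAnchors.add(new TrustAnchor((X509Certificate) certificate, null));
            } else {
                otherCertificates.add(certificate);
            }
        }
        TrustManager[] delegates = getTrustManagersInternal();
        TrustManager[] wrapped = new TrustManager[delegates.length];
        for (int i = 0; i < delegates.length; i++) {
            TrustManager delegate = delegates[i];
            wrapped[i] = delegate instanceof X509TrustManager
                    ? new TrustAnchorValidatingTrustManager(getName(), (X509TrustManager) delegate, trustAnchors, otherCertificates)
                    : delegate;
        }
        return wrapped;
    }

    /** @return the subclass's trust managers, before any trust-anchor wrapping */
    protected abstract TrustManager[] getTrustManagersInternal() throws GeneralSecurityException;

    /**
     * Builds trust managers for {@code keyStore} using the default algorithm and the
     * PKIX parameters from {@link #getParameters(KeyStore)}.
     *
     * @throws IllegalConfigurationException if the factory cannot be created or initialised
     */
    public TrustManager[] getTrustManagers(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(new CertPathTrustManagerParameters(getParameters(keyStore)));
            return factory.getTrustManagers();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new IllegalConfigurationException("Cannot create trust manager factory for truststore '" + getName() + "' :" + e, e);
        }
    }

    /**
     * Builds the PKIX parameters for {@code keyStore}.
     *
     * <p>Revocation checking is switched on or off from
     * {@code _certificateRevocationCheckEnabled}. When on, a configured CRL URL is loaded
     * into a collection cert store and a {@link PKIXRevocationChecker} is added with the
     * configured options. Note the security effect of each option: {@code SOFT_FAIL}
     * ignores failures to reach a revocation source, {@code NO_FALLBACK} disables the
     * OCSP/CRL fallback, and {@code ONLY_END_ENTITY} leaves intermediate certificates
     * unchecked.
     *
     * @throws IllegalConfigurationException if the parameters cannot be constructed
     */
    private CertPathParameters getParameters(KeyStore keyStore) {
        try {
            PKIXBuilderParameters parameters = new PKIXBuilderParameters(keyStore, new X509CertSelector());
            parameters.setRevocationEnabled(this._certificateRevocationCheckEnabled);
            if (this._certificateRevocationCheckEnabled) {
                if (this._certificateRevocationListUrl != null) {
                    parameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs())));
                }
                PKIXRevocationChecker revocationChecker =
                        (PKIXRevocationChecker) CertPathBuilder.getInstance(TrustManagerFactory.getDefaultAlgorithm()).getRevocationChecker();
                Set<PKIXRevocationChecker.Option> options = new HashSet<>();
                if (this._certificateRevocationCheckOfOnlyEndEntityCertificates) {
                    options.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
                }
                if (this._certificateRevocationCheckWithPreferringCertificateRevocationList) {
                    options.add(PKIXRevocationChecker.Option.PREFER_CRLS);
                }
                if (this._certificateRevocationCheckWithNoFallback) {
                    options.add(PKIXRevocationChecker.Option.NO_FALLBACK);
                }
                if (this._certificateRevocationCheckWithIgnoringSoftFailures) {
                    options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
                }
                revocationChecker.setOptions(options);
                parameters.addCertPathChecker(revocationChecker);
            }
            return parameters;
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalConfigurationException("Cannot create trust manager factory parameters for truststore '" + getName() + "' :" + e, e);
        }
    }

    /** Loads the CRLs from the configured CRL URL; empty when none is configured. */
    private Collection<? extends CRL> getCRLs() {
        return getCRLs(this._certificateRevocationListUrl);
    }

    /**
     * Loads the CRLs found at {@code crlUrl}, which may be a URL or a bare file path
     * (see {@link #getUrlFromString(String)}).
     *
     * <p>The fetch happens synchronously at validation time and whenever PKIX parameters
     * are built, so a remote URL makes configuration and trust-manager creation depend
     * on that host being reachable. The stream is closed whether or not parsing succeeds.
     *
     * @param crlUrl the CRL location, or null for no CRL
     * @return the parsed CRLs, or an empty collection when {@code crlUrl} is null
     * @throws IllegalConfigurationException if the location cannot be opened or parsed
     */
    private Collection<? extends CRL> getCRLs(String crlUrl) {
        if (crlUrl == null) {
            return Collections.emptyList();
        }
        try (InputStream crlStream = getUrlFromString(crlUrl).openStream()) {
            return SSLUtil.getCertificateFactory().generateCRLs(crlStream);
        } catch (IOException | CRLException e) {
            throw new IllegalConfigurationException("Unable to load certificate revocation list '" + crlUrl + "' for truststore '" + getName() + "' :" + e, e);
        }
    }

    /**
     * Interprets {@code location} as a URL, falling back to treating it as a local file
     * path when it has no recognised protocol. Any URL scheme the JVM supports is accepted.
     *
     * @throws MalformedURLException if the fallback file URL cannot be formed
     */
    public static URL getUrlFromString(String location) throws MalformedURLException {
        try {
            return new URL(location);
        } catch (MalformedURLException e) {
            return new File(location).toURI().toURL();
        }
    }

    /**
     * @return the expiry warn period in days from the context variable
     *         {@code TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD}, or 30 (logged at warn)
     *         when it is missing or not an integer
     */
    @Override
    public final int getCertificateExpiryWarnPeriod() {
        try {
            return ((Integer) getContextValue(Integer.class, TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD)).intValue();
        } catch (IllegalArgumentException | NullPointerException e) {
            LOGGER.warn("The value of the context variable '{}' for truststore {} cannot be converted to an integer. The value {} will be used as a default",
                        TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD, getName(), DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD);
            return DEFAULT_CERTIFICATE_EXPIRY_WARN_PERIOD;
        }
    }

    /**
     * @return the expiry check frequency in days from the context variable
     *         {@code TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY}, or 1 (logged at warn)
     *         when it is missing or not an integer
     */
    @Override
    public int getCertificateExpiryCheckFrequency() {
        try {
            return ((Integer) getContextValue(Integer.class, TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY)).intValue();
        } catch (IllegalArgumentException | NullPointerException e) {
            LOGGER.warn("Cannot parse the context variable {} ", TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
            return DEFAULT_CERTIFICATE_EXPIRY_CHECK_FREQUENCY;
        }
    }

    @Override
    public boolean isTrustAnchorValidityEnforced() {
        return this._trustAnchorValidityEnforced;
    }

    @Override
    public boolean isCertificateRevocationCheckEnabled() {
        return this._certificateRevocationCheckEnabled;
    }

    @Override
    public boolean isCertificateRevocationCheckOfOnlyEndEntityCertificates() {
        return this._certificateRevocationCheckOfOnlyEndEntityCertificates;
    }

    @Override
    public boolean isCertificateRevocationCheckWithPreferringCertificateRevocationList() {
        return this._certificateRevocationCheckWithPreferringCertificateRevocationList;
    }

    @Override
    public boolean isCertificateRevocationCheckWithNoFallback() {
        return this._certificateRevocationCheckWithNoFallback;
    }

    @Override
    public boolean isCertificateRevocationCheckWithIgnoringSoftFailures() {
        return this._certificateRevocationCheckWithIgnoringSoftFailures;
    }

    @Override
    public String getCertificateRevocationListUrl() {
        return this._certificateRevocationListUrl;
    }

    @Override
    public String getCertificateRevocationListPath() {
        return this._certificateRevocationListPath;
    }

    /**
     * Keeps {@code _certificateRevocationListPath} in step with the URL attribute:
     * null for a missing URL or a {@code data:} URL (inline content, no path), else the URL.
     */
    private void postSetCertificateRevocationListUrl() {
        String url = this._certificateRevocationListUrl;
        this._certificateRevocationListPath = (url == null || url.startsWith("data:")) ? null : url;
    }

    @Override
    public boolean isExposedAsMessageSource() {
        return this._exposedAsMessageSource;
    }

    @Override
    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources() {
        return this._includedVirtualHostNodeMessageSources;
    }

    @Override
    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources() {
        return this._excludedVirtualHostNodeMessageSources;
    }

    /**
     * @return details of every X.509 certificate in the store (other certificate types are
     *         skipped); empty when the store holds none
     * @throws IllegalConfigurationException if the certificates cannot be read
     */
    @Override
    public List<CertificateDetails> getCertificateDetails() {
        try {
            Certificate[] certificates = getCertificates();
            if (certificates.length == 0) {
                return Collections.emptyList();
            }
            return Arrays.stream(certificates)
                         .filter(certificate -> certificate instanceof X509Certificate)
                         .<CertificateDetails>map(certificate -> new CertificateDetailsImpl((X509Certificate) certificate))
                         .collect(Collectors.toList());
        } catch (GeneralSecurityException e) {
            throw new IllegalConfigurationException("Failed to extract certificate details", e);
        }
    }

    /**
     * Returns true if the certificate's signature verifies with its own public key.
     * Only key and signature mismatches mean "not self-signed"; any other
     * {@link GeneralSecurityException} (e.g. an unsupported algorithm) propagates.
     */
    private boolean isSelfSigned(X509Certificate certificate) throws GeneralSecurityException {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            return false;
        }
    }
}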
