package org.apache.qpid.server.security;

import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.TrustStoreMessages;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObject;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHost;
import org.apache.qpid.server.queue.AbstractQueue;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.transport.util.Functions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

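/**
 * Trust store that holds exactly one X.509 certificate taken from a configured site URL.
 *
 * <p>If the stored attributes already contain {@link SiteSpecificTrustStore#CERTIFICATE}, the
 * certificate is decoded from that attribute in {@link #postResolve()}. Otherwise, on activation,
 * the store opens a TLS connection to the host and port of {@link #getSiteUrl()} and records the
 * first certificate the peer presents. That certificate becomes the single entry of an in-memory
 * key store from which the trust managers are built.
 *
 * <p><b>Security note:</b> the fetch handshake is performed with {@link AlwaysTrustManager}, so the
 * peer is not authenticated at download time. The recorded certificate is whatever the endpoint
 * answering on that host and port presented (trust on first use). Operators should compare
 * {@link #getCertificateSubject()}, {@link #getCertificateIssuer()} and
 * {@link #getCertificateSerialNumber()} with values obtained out of band before relying on this
 * store, and again after every {@link #refreshCertificate()}.
 */
@ManagedObject(category = false)
public class SiteSpecificTrustStoreImpl extends AbstractConfiguredObject<SiteSpecificTrustStoreImpl> implements SiteSpecificTrustStore<SiteSpecificTrustStoreImpl> {
    private static final Logger LOGGER = LoggerFactory.getLogger(SiteSpecificTrustStoreImpl.class);

    // Lower-case "yyyy" is the calendar year. Upper-case "YYYY" is the week-based year, which
    // reports the wrong year for dates in the first or last days of a year.
    private static final String UTC_DATE_PATTERN = "EEE, MMM d, yyyy 'at' HH:mm:ss z";

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    @ManagedAttributeField
    private String _siteUrl;

    @ManagedAttributeField
    private boolean _exposedAsMessageSource;

    @ManagedAttributeField
    private List<VirtualHost> _includedVirtualHostMessageSources;

    @ManagedAttributeField
    private List<VirtualHost> _excludedVirtualHostMessageSources;

    // Replaced wholesale by generateTrustManagers(); starts as an empty array.
    private volatile TrustManager[] _trustManagers;

    // The single pinned certificate; null until decoded from the stored attribute or downloaded.
    private X509Certificate _x509Certificate;

    /**
     * Trust manager that accepts every certificate chain: both check methods return without
     * looking at their arguments.
     *
     * <p>It exists only so that {@code downloadCertificate()} can complete a handshake with a site
     * whose certificate is not yet trusted and read the certificate it presents. It provides no
     * authentication of the peer and must not be installed in an {@link SSLContext} that carries
     * application traffic. The constructor is private so that only the enclosing class can create
     * one (the decompiler reports the class itself was originally declared private).
     */
    public static class AlwaysTrustManager implements X509TrustManager {
        private AlwaysTrustManager() {
        }

        /** Accepts any client chain; performs no validation. */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        /** Accepts any server chain; performs no validation. */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        /** Returns an empty issuer list. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Creates the trust store as a child of the given broker and emits the CREATE event-log message.
     *
     * @param map    attribute values passed through to the superclass constructor
     * @param broker owning broker; also the source of the event logger
     */
    @ManagedObjectFactoryConstructor
    public SiteSpecificTrustStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(parentsMap(broker), map);
        this._trustManagers = new TrustManager[0];
        this._broker = broker;
        this._eventLogger = this._broker.getEventLogger();
        this._eventLogger.message(TrustStoreMessages.CREATE(getName()));
    }

    /** Returns the configured URL of the site whose certificate is pinned. */
    @Override
    public String getSiteUrl() {
        return this._siteUrl;
    }

    /**
     * Decodes the certificate from the stored attributes when one is present, so that activation
     * does not have to contact the site again. (The decompiler reports this method was originally
     * declared protected.)
     */
    @Override
    public void postResolve() {
        if (getActualAttributes().containsKey(SiteSpecificTrustStore.CERTIFICATE)) {
            decodeCertificate();
        }
    }

    /**
     * Returns the pinned certificate as Base64 text of its encoded form.
     *
     * @return the Base64 string, or {@code null} when no certificate is held
     * @throws IllegalConfigurationException if the certificate cannot be encoded
     */
    @Override
    public String getCertificate() {
        X509Certificate certificate = this._x509Certificate;
        if (certificate == null) {
            return null;
        }
        try {
            return DatatypeConverter.printBase64Binary(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            // Keep the cause so the underlying encoding failure is not lost.
            throw new IllegalConfigurationException("Unable to encode certificate", e);
        }
    }

    /** Returns the trust managers last built by activation (an empty array before that). */
    @Override
    public TrustManager[] getTrustManagers() throws GeneralSecurityException {
        return this._trustManagers;
    }

    /**
     * Returns the pinned certificate as a one-element array, or an empty array when no certificate
     * is held, so that callers never receive an array containing a {@code null} element.
     */
    @Override
    public Certificate[] getCertificates() throws GeneralSecurityException {
        X509Certificate certificate = this._x509Certificate;
        return certificate == null ? new Certificate[0] : new Certificate[]{certificate};
    }

    /**
     * Deletes this trust store unless it is still referenced.
     *
     * <p>Deletion is refused when any broker port lists a trust store with this name, or when an
     * authentication provider of type {@code SimpleLDAPAuthenticationManager.PROVIDER_TYPE} names
     * it in its {@code SimpleLDAPAuthenticationManager.TRUST_STORE} attribute.
     *
     * @return an already-completed future
     * @throws IntegrityViolationException if the trust store is still in use
     */
    @StateTransition(currentState = {State.ACTIVE, State.ERRORED}, desiredState = State.DELETED)
    protected ListenableFuture<Void> doDelete() {
        String name = getName();
        // Iterate over copies so the checks are not affected by concurrent changes to the broker's collections.
        for (Port<?> port : new ArrayList<>(this._broker.getPorts())) {
            Collection<TrustStore> trustStores = port.getTrustStores();
            if (trustStores == null) {
                continue;
            }
            for (TrustStore trustStore : trustStores) {
                if (name.equals(trustStore.getAttribute(ConfiguredObject.NAME))) {
                    throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by a port: " + port.getName());
                }
            }
        }
        for (AuthenticationProvider<?> authenticationProvider : new ArrayList<>(this._broker.getAuthenticationProviders())) {
            if (!authenticationProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE)) {
                continue;
            }
            Object providerType = authenticationProvider.getAttribute(ConfiguredObject.TYPE);
            Object providerTrustStore = authenticationProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
            if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(providerType) && name.equals(providerTrustStore)) {
                throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by an authentication manager: " + authenticationProvider.getName());
            }
        }
        deleted();
        setState(State.DELETED);
        this._eventLogger.message(TrustStoreMessages.DELETE(getName()));
        return Futures.immediateFuture(null);
    }

    /**
     * Activates the trust store.
     *
     * <p>Downloads the certificate if none was decoded from the stored attributes. When a
     * certificate is then available, the trust managers are built and the state becomes
     * {@code ACTIVE}; otherwise the state becomes {@code ERRORED}.
     *
     * @return an already-completed future
     */
    @StateTransition(currentState = {State.UNINITIALIZED, State.ERRORED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> doActivate() {
        if (this._x509Certificate == null) {
            downloadCertificate();
        }
        if (this._x509Certificate != null) {
            generateTrustManagers();
            setState(State.ACTIVE);
        } else {
            setState(State.ERRORED);
        }
        return Futures.immediateFuture(null);
    }

    /**
     * Connects to the site over TLS and records the first certificate the peer presents.
     *
     * <p>The handshake uses {@link AlwaysTrustManager}, so no chain, host name or validity check is
     * applied to the peer: the certificate stored here is unauthenticated until an operator has
     * verified it out of band. Only element 0 of the peer chain is kept.
     *
     * <p>I/O and security failures are logged at INFO level and leave any previously held
     * certificate unchanged.
     */
    private void downloadCertificate() {
        String siteUrl = getSiteUrl();
        try {
            URL url = new URL(siteUrl);
            // URL.getPort() is -1 when the URL has no explicit port; passing -1 to createSocket
            // raises an IllegalArgumentException, which the catch clause below does not handle.
            int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
            if (port == -1) {
                LOGGER.info("Unable to download certificate from " + siteUrl + ": no port could be determined");
                return;
            }
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(new KeyManager[0], new TrustManager[]{new AlwaysTrustManager()}, null);
            // NOTE(review): no connect or read timeout is set, so an unresponsive site can block
            // the calling thread for as long as the platform allows; consider bounding both.
            try (SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket(url.getHost(), port)) {
                socket.startHandshake();
                Certificate[] peerCertificates = socket.getSession().getPeerCertificates();
                if (peerCertificates == null || peerCertificates.length == 0 || !(peerCertificates[0] instanceof X509Certificate)) {
                    LOGGER.info("No valid certificates available from " + siteUrl);
                } else {
                    this._x509Certificate = (X509Certificate) peerCertificates[0];
                    String encoded = getCertificate();
                    attributeSet(SiteSpecificTrustStore.CERTIFICATE, encoded, encoded);
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            LOGGER.info("Unable to download certificate from " + siteUrl, e);
        }
    }

    /**
     * Rebuilds the certificate from the Base64 text held in the stored
     * {@link SiteSpecificTrustStore#CERTIFICATE} attribute.
     *
     * @throws IllegalConfigurationException if the bytes cannot be parsed as an X.509 certificate
     */
    private void decodeCertificate() {
        try (ByteArrayInputStream encoded = new ByteArrayInputStream(DatatypeConverter.parseBase64Binary((String) getActualAttributes().get(SiteSpecificTrustStore.CERTIFICATE)))) {
            this._x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(encoded);
        } catch (IOException | CertificateException e) {
            throw new IllegalConfigurationException("Could not decode certificate", e);
        }
    }

    /**
     * Builds trust managers from an empty in-memory key store that holds only the pinned
     * certificate, and publishes them through the volatile field.
     *
     * @throws IllegalConfigurationException if the key store or trust manager factory fails
     */
    private void generateTrustManagers() {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            // NOTE(review): the entry alias is taken from an unrelated queue constant; this looks
            // like the decompiler substituting a constant for a string literal of equal value - confirm.
            keyStore.setCertificateEntry(AbstractQueue.SHARED_MSG_GROUP_ARG_VALUE, this._x509Certificate);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            this._trustManagers = trustManagerFactory.getTrustManagers();
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
        }
    }

    /** Returns the value of the {@code exposedAsMessageSource} managed attribute. */
    @Override
    public boolean isExposedAsMessageSource() {
        return this._exposedAsMessageSource;
    }

    /** Returns the value of the {@code includedVirtualHostMessageSources} managed attribute. */
    @Override
    public List<VirtualHost> getIncludedVirtualHostMessageSources() {
        return this._includedVirtualHostMessageSources;
    }

    /** Returns the value of the {@code excludedVirtualHostMessageSources} managed attribute. */
    @Override
    public List<VirtualHost> getExcludedVirtualHostMessageSources() {
        return this._excludedVirtualHostMessageSources;
    }

    /** Returns the issuer principal of the pinned certificate as text, or {@code null} if none is held. */
    @Override
    public String getCertificateIssuer() {
        X509Certificate certificate = this._x509Certificate;
        return certificate == null ? null : certificate.getIssuerX500Principal().toString();
    }

    /** Returns the subject principal of the pinned certificate as text, or {@code null} if none is held. */
    @Override
    public String getCertificateSubject() {
        X509Certificate certificate = this._x509Certificate;
        return certificate == null ? null : certificate.getSubjectX500Principal().toString();
    }

    /** Returns the serial number of the pinned certificate in decimal, or {@code null} if none is held. */
    @Override
    public String getCertificateSerialNumber() {
        X509Certificate certificate = this._x509Certificate;
        return certificate == null ? null : certificate.getSerialNumber().toString();
    }

    /**
     * Returns the signature bytes of the pinned certificate formatted by {@code Functions.hex},
     * or {@code null} if none is held.
     */
    @Override
    public String getCertificateSignature() {
        X509Certificate certificate = this._x509Certificate;
        if (certificate == null) {
            return null;
        }
        // presumably 4096 is a length limit and " " the byte separator; verify against Functions.hex
        return Functions.hex(certificate.getSignature(), 4096, " ");
    }

    /** Returns the start of the certificate's validity period, formatted in UTC, or {@code null} if none is held. */
    @Override
    public String getCertificateValidFromDate() {
        X509Certificate certificate = this._x509Certificate;
        if (certificate == null) {
            return null;
        }
        return newUtcDateFormat().format(certificate.getNotBefore());
    }

    /** Returns the end of the certificate's validity period, formatted in UTC, or {@code null} if none is held. */
    @Override
    public String getCertificateValidUntilDate() {
        X509Certificate certificate = this._x509Certificate;
        if (certificate == null) {
            return null;
        }
        return newUtcDateFormat().format(certificate.getNotAfter());
    }

    /**
     * Downloads the site's certificate again and, on success, replaces the pinned certificate and
     * the stored attribute.
     *
     * <p>The download is as unauthenticated as the first one, so the new certificate should be
     * verified out of band before it is relied on.
     *
     * <p>NOTE(review): this does not call {@code generateTrustManagers()}, so
     * {@link #getTrustManagers()} keeps returning managers built from the previous certificate
     * until the next activation - confirm that this is intended.
     */
    @Override
    public void refreshCertificate() {
        downloadCertificate();
    }

    /** Creates a new formatter per call because {@link SimpleDateFormat} is not thread-safe. */
    private static SimpleDateFormat newUtcDateFormat() {
        SimpleDateFormat format = new SimpleDateFormat(UTC_DATE_PATTERN);
        format.setTimeZone(TimeZone.getTimeZone("UTC"));
        return format;
    }
}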
