package org.opendaylight.netconf.keystore.legacy.impl;

import com.google.common.collect.Maps;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import javax.annotation.PreDestroy;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.eclipse.jdt.annotation.NonNullByDefault;
import org.opendaylight.aaa.encrypt.AAAEncryptionService;
import org.opendaylight.mdsal.binding.api.DataBroker;
import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
import org.opendaylight.mdsal.binding.api.RpcProviderService;
import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
import org.opendaylight.mdsal.singleton.api.ClusterSingletonServiceProvider;
import org.opendaylight.netconf.keystore.legacy.CertifiedPrivateKey;
import org.opendaylight.netconf.keystore.legacy.NetconfKeystore;
import org.opendaylight.netconf.keystore.legacy.NetconfKeystoreService;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev240708.Keystore;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev240708._private.keys.PrivateKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev240708.keystore.entry.KeyCredential;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev240708.trusted.certificates.TrustedCertificate;
import org.opendaylight.yangtools.concepts.AbstractObjectRegistration;
import org.opendaylight.yangtools.concepts.Immutable;
import org.opendaylight.yangtools.concepts.Mutable;
import org.opendaylight.yangtools.concepts.ObjectRegistration;
import org.opendaylight.yangtools.concepts.Registration;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
@Component(service = {NetconfKeystoreService.class})
/* loaded from: input_file:org/opendaylight/netconf/keystore/legacy/impl/DefaultNetconfKeystoreService.class */
public final class DefaultNetconfKeystoreService implements NetconfKeystoreService, AutoCloseable {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultNetconfKeystoreService.class);
    // Registrations handed out by registerKeystoreConsumer(); each one removes itself from this set through its
    // removeRegistration() callback. runUpdate() iterates the set to publish a new keystore.
    private final Set<ObjectRegistration<Consumer<NetconfKeystore>>> consumers = ConcurrentHashMap.newKeySet();
    // Last keystore that decoded without any failure; null until the first successful runUpdate(). It holds decoded
    // private keys and key pairs and is not cleared by close().
    private final AtomicReference<NetconfKeystore> keystore = new AtomicReference<>(null);
    // Last configuration snapshot installed by runUpdate(). Its entries are passed through
    // encryptionService.decrypt() before use, so they are presumably stored encrypted (confirm against the model).
    private final AtomicReference<ConfigState> config = new AtomicReference<>(ConfigState.EMPTY);
    // Used by runUpdate() to parse decrypted bytes into certificates.
    private final SecurityHelper securityHelper = new SecurityHelper();
    // Decrypts every configured key, certificate and credential before it is parsed.
    private final AAAEncryptionService encryptionService;
    // Datastore listener registration. It is assigned only after registerTreeChangeListener() returns, which is why
    // runUpdate() checks it for null.
    private final Registration configListener;
    // Cluster-singleton registration of the RPC implementation; closed first in close().
    private final Registration rpcSingleton;

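    /**
     * Immutable snapshot of the three configured keystore maps.
     *
     * <p>Declared as a real {@code record}: a class cannot extend {@link Record} directly, and the
     * {@code toString}/{@code hashCode}/{@code equals} implementations are the ones the compiler generates for the
     * three components.
     *
     * <p>The canonical constructor stores {@link Map#copyOf(Map)} copies, so later changes to the caller's maps do not
     * leak into the snapshot, and null maps, keys or values are rejected with a {@link NullPointerException}.
     *
     * <p>NOTE(review): the generated {@code toString()} renders all three maps through their entries' own
     * {@code toString()}. Confirm those binding objects do not print key data before logging a snapshot.
     *
     * @param privateKeys configured private-key entries
     * @param trustedCertificates configured trusted-certificate entries
     * @param credentials configured key-credential entries
     */
    @NonNullByDefault
    /* loaded from: input_file:org/opendaylight/netconf/keystore/legacy/impl/DefaultNetconfKeystoreService$ConfigState.class */
    private record ConfigState(
            Map<String, PrivateKey> privateKeys,
            Map<String, TrustedCertificate> trustedCertificates,
            Map<String, KeyCredential> credentials) implements Immutable {
        /** Snapshot with no entries, used as the initial state. */
        static final ConfigState EMPTY = new ConfigState(Map.of(), Map.of(), Map.of());

        ConfigState {
            // Defensive, unmodifiable copies: the builder's HashMaps stay with the caller
            privateKeys = Map.copyOf(privateKeys);
            trustedCertificates = Map.copyOf(trustedCertificates);
            credentials = Map.copyOf(credentials);
        }
    }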

    /* JADX INFO: Access modifiers changed from: package-private */
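    /**
     * Mutable working copy of the configuration that {@link #runUpdate(Consumer)} hands to its callback.
     *
     * <p>Declared as a real {@code record}: a class cannot extend {@link Record} directly, and the
     * {@code toString}/{@code hashCode}/{@code equals} implementations are the ones the compiler generates for the
     * three components. The maps are stored by reference, not copied, so edits made through the accessors are
     * visible to whoever created the builder.
     *
     * <p>The canonical constructor is {@code public} because a public record requires it.
     * NOTE(review): the decompiler note preceding this type reports it was package-private in the compiled class;
     * narrow the visibility back if nothing outside the package needs it.
     *
     * @param privateKeys editable private-key entries
     * @param trustedCertificates editable trusted-certificate entries
     * @param credentials editable key-credential entries
     */
    @NonNullByDefault
    /* loaded from: input_file:org/opendaylight/netconf/keystore/legacy/impl/DefaultNetconfKeystoreService$ConfigStateBuilder.class */
    public record ConfigStateBuilder(
            HashMap<String, PrivateKey> privateKeys,
            HashMap<String, TrustedCertificate> trustedCertificates,
            HashMap<String, KeyCredential> credentials) implements Mutable {
        public ConfigStateBuilder {
            Objects.requireNonNull(privateKeys);
            Objects.requireNonNull(trustedCertificates);
            Objects.requireNonNull(credentials);
        }
    }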

    /**
     * Starts the service: registers a {@code ConfigListener} on the CONFIGURATION {@link Keystore} subtree and
     * registers the {@code RpcSingleton} with the cluster singleton provider.
     *
     * <p>{@code this} is handed to the listener and the listener is registered before the constructor has finished,
     * so {@link #runUpdate(Consumer)} can be entered while {@code configListener} is still unassigned. That method
     * checks for this and returns without applying the update.
     *
     * @param dataBroker broker used for the listener registration and passed to the RPC singleton
     * @param rpcProviderService passed to the RPC singleton
     * @param clusterSingletonServiceProvider provider the RPC singleton is registered with
     * @param aAAEncryptionService service used to decrypt stored key material; must not be null
     */
    @Inject
    @Activate
    public DefaultNetconfKeystoreService(@Reference DataBroker dataBroker, @Reference RpcProviderService rpcProviderService, @Reference ClusterSingletonServiceProvider clusterSingletonServiceProvider, @Reference AAAEncryptionService aAAEncryptionService) {
        this.encryptionService = Objects.requireNonNull(aAAEncryptionService);

        this.configListener = dataBroker.registerTreeChangeListener(
            DataTreeIdentifier.of(LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(Keystore.class)),
            new ConfigListener(this));

        final RpcSingleton rpcService = new RpcSingleton(dataBroker, rpcProviderService, aAAEncryptionService);
        this.rpcSingleton = clusterSingletonServiceProvider.registerClusterSingletonService(rpcService);

        LOG.info("NETCONF keystore service started");
    }

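    /**
     * Stops the service by closing the RPC singleton registration and then the configuration listener.
     *
     * <p>The listener is closed in a {@code finally} block so that it is unregistered even when closing the RPC
     * singleton throws. The last published keystore and the set of registered consumers are left untouched.
     */
    @Override // java.lang.AutoCloseable
    @PreDestroy
    @Deactivate
    public void close() {
        try {
            this.rpcSingleton.close();
        } finally {
            // Must run even if the call above fails, otherwise the listener would keep feeding runUpdate()
            this.configListener.close();
        }
        LOG.info("NETCONF keystore service stopped");
    }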

    /**
     * Registers {@code consumer} for keystore updates and, if a keystore has already been published, delivers it to
     * the consumer before returning.
     *
     * <p>The consumer is added to the set before the current keystore is read. A {@link #runUpdate(Consumer)} that
     * publishes in between may therefore deliver a keystore to it as well, so a consumer should tolerate receiving
     * the same keystore twice.
     *
     * @param consumer callback that receives every published keystore
     * @return registration whose {@code close()} removes the consumer again
     */
    @Override // org.opendaylight.netconf.keystore.legacy.NetconfKeystoreService
    public Registration registerKeystoreConsumer(Consumer<NetconfKeystore> consumer) {
        final ObjectRegistration<Consumer<NetconfKeystore>> registration = new AbstractObjectRegistration<>(consumer) {
            @Override
            protected void removeRegistration() {
                DefaultNetconfKeystoreService.this.consumers.remove(this);
            }
        };
        this.consumers.add(registration);

        final NetconfKeystore current = this.keystore.getAcquire();
        if (current == null) {
            // Nothing published yet; the first successful runUpdate() will notify this consumer
            return registration;
        }
        consumer.accept(current);
        return registration;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
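    /**
     * Applies {@code consumer} to a mutable copy of the current configuration, installs the result and, when every
     * entry decrypts and parses, publishes a new {@link NetconfKeystore} to the registered consumers.
     *
     * <p>The new snapshot is installed with a compare-and-exchange <em>before</em> its entries are decrypted and
     * parsed. When any entry fails, the previously published keystore stays in effect and consumers are not
     * notified, although {@code config} already holds the rejected snapshot.
     *
     * <p>Each failing entry is logged at DEBUG with its cause. A single WARN carries the first failure with the
     * remaining ones attached as suppressed exceptions. Decryption and parsing use separate {@code try} blocks so
     * that the DEBUG message names the stage that actually failed.
     *
     * @param consumer callback that edits the builder's maps in place
     */
    public void runUpdate(Consumer<ConfigStateBuilder> consumer) {
        final ConfigState previous = this.config.getAcquire();
        final ConfigStateBuilder builder = new ConfigStateBuilder(new HashMap<>(previous.privateKeys),
            new HashMap<>(previous.trustedCertificates), new HashMap<>(previous.credentials));
        consumer.accept(builder);
        final ConfigState updated = new ConfigState(builder.privateKeys, builder.trustedCertificates,
            builder.credentials);

        // configListener is null only while the constructor is still running. The exchange fails when another
        // update replaced the snapshot in the meantime. Either way the update is dropped without retry or log.
        // NOTE(review): confirm callers serialise updates, otherwise a configuration change can be lost here.
        if (this.configListener == null || this.config.compareAndExchangeRelease(previous, updated) != previous) {
            return;
        }

        Throwable failure = null;

        // The value types of the three result maps are fixed by NetconfKeystore's constructor, which is declared
        // outside this file, so these locals are left raw.
        final HashMap keys = Maps.newHashMapWithExpectedSize(updated.privateKeys.size());
        for (PrivateKey key : updated.privateKeys.values()) {
            final String keyName = key.requireName();

            final byte[] keyBytes;
            try {
                keyBytes = this.encryptionService.decrypt(key.requireData());
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to decrypt private key {}", keyName, e);
                failure = updateFailure(failure, e);
                continue;
            }

            final java.security.PrivateKey privateKey;
            try {
                privateKey = SecurityHelper.generatePrivateKey(keyBytes, key.requireAlgorithm());
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to generate key for {}", keyName, e);
                failure = updateFailure(failure, e);
                continue;
            }

            final List<byte[]> chain = key.requireCertificateChain();
            if (chain.isEmpty()) {
                LOG.debug("Key {} has an empty certificate chain", keyName);
                failure = updateFailure(failure,
                    new IllegalArgumentException("Empty certificate chain for private key " + keyName));
                continue;
            }

            final ArrayList certificates = new ArrayList(chain.size());
            for (int i = 0, size = chain.size(); i < size; i++) {
                final byte[] certBytes;
                try {
                    certBytes = this.encryptionService.decrypt(chain.get(i));
                } catch (GeneralSecurityException e) {
                    LOG.debug("Failed to decrypt certificate chain item {} for private key {}", i, keyName, e);
                    failure = updateFailure(failure, e);
                    continue;
                }

                try {
                    certificates.add(this.securityHelper.generateCertificate(certBytes));
                } catch (GeneralSecurityException e) {
                    LOG.debug("Failed to generate certificate chain item {} for private key {}", i, keyName, e);
                    failure = updateFailure(failure, e);
                }
            }
            // A chain with failed items is still stored, but failure is then non-null and the whole result is
            // discarded below, so a partial chain is never published.
            keys.put(keyName, new CertifiedPrivateKey(privateKey, certificates));
        }

        final HashMap trusted = Maps.newHashMapWithExpectedSize(updated.trustedCertificates.size());
        for (TrustedCertificate cert : updated.trustedCertificates.values()) {
            final String certName = cert.requireName();

            final byte[] certBytes;
            try {
                certBytes = this.encryptionService.decrypt(cert.requireCertificate());
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to decrypt certificate for {}", certName, e);
                failure = updateFailure(failure, e);
                continue;
            }

            try {
                trusted.put(certName, this.securityHelper.generateCertificate(certBytes));
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to generate certificate for {}", certName, e);
                failure = updateFailure(failure, e);
            }
        }

        final HashMap keyPairs = Maps.newHashMapWithExpectedSize(updated.credentials.size());
        for (KeyCredential credential : updated.credentials.values()) {
            final String keyId = credential.requireKeyId();

            // NOTE(review): these two reads use the get* accessors while every other entry uses require*.
            // Confirm how decrypt() behaves when a credential has no private or public key set.
            final byte[] privateBytes;
            try {
                privateBytes = this.encryptionService.decrypt(credential.getPrivateKey());
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to decrypt private key", e);
                failure = updateFailure(failure, e);
                continue;
            }

            final byte[] publicBytes;
            try {
                publicBytes = this.encryptionService.decrypt(credential.getPublicKey());
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to decrypt public key", e);
                failure = updateFailure(failure, e);
                continue;
            }

            try {
                keyPairs.put(keyId,
                    SecurityHelper.generateKeyPair(privateBytes, publicBytes, credential.requireAlgorithm()));
            } catch (GeneralSecurityException e) {
                LOG.debug("Failed to generate key pair for {}", keyId, e);
                failure = updateFailure(failure, e);
            }
        }

        if (failure != null) {
            // All-or-nothing: one bad entry keeps the previously published keystore in place
            LOG.warn("New configuration is invalid, not applying it", failure);
            return;
        }

        final NetconfKeystore published = new NetconfKeystore(keys, trusted, keyPairs);
        this.keystore.setRelease(published);
        // There is no per-consumer error handling: an exception thrown by one consumer propagates to the caller
        this.consumers.forEach(registration -> registration.getInstance().accept(published));
    }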

    /**
     * Folds {@code exc} into the failure accumulated so far.
     *
     * @param th failure collected so far, or {@code null} when this is the first one
     * @param exc newly observed failure
     * @return {@code exc} when it is the first failure, otherwise {@code th} with {@code exc} added as suppressed
     */
    private static Throwable updateFailure(Throwable th, Exception exc) {
        if (th != null) {
            // Keep the first failure as the primary one and hang later failures off it
            th.addSuppressed(exc);
            return th;
        }
        return exc;
    }
}
