package org.opendaylight.netconf.sal.connect.netconf.sal;

import ch.qos.logback.core.net.ssl.SSL;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.opendaylight.controller.md.sal.binding.api.ClusteredDataTreeChangeListener;
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.controller.md.sal.binding.api.DataObjectModification;
import org.opendaylight.controller.md.sal.binding.api.DataTreeIdentifier;
import org.opendaylight.controller.md.sal.binding.api.DataTreeModification;
import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017.Keystore;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017._private.keys.PrivateKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017.keystore.entry.KeyCredential;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netconf.keystore.rev171017.trusted.certificates.TrustedCertificate;
import org.opendaylight.yangtools.yang.binding.DataObject;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/netconf/sal/connect/netconf/sal/NetconfKeystoreAdapter.class */
public class NetconfKeystoreAdapter implements ClusteredDataTreeChangeListener<Keystore> {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) NetconfKeystoreAdapter.class);
    private final DataBroker dataBroker;
    private final InstanceIdentifier<Keystore> keystoreIid = InstanceIdentifier.create(Keystore.class);
    private final Map<String, KeyCredential> pairs = Collections.synchronizedMap(new HashMap());
    private final Map<String, PrivateKey> privateKeys = Collections.synchronizedMap(new HashMap());
    private final Map<String, TrustedCertificate> trustedCertificates = Collections.synchronizedMap(new HashMap());

    public NetconfKeystoreAdapter(DataBroker dataBroker) {
        this.dataBroker = dataBroker;
        dataBroker.registerDataTreeChangeListener(new DataTreeIdentifier(LogicalDatastoreType.CONFIGURATION, this.keystoreIid), this);
    }

    public Optional<KeyCredential> getKeypairFromId(String str) {
        return Optional.ofNullable(this.pairs.get(str));
    }

    public KeyStore getJavaKeyStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(SSL.DEFAULT_KEYSTORE_TYPE);
        keyStore.load(null, null);
        synchronized (this.privateKeys) {
            if (this.privateKeys.isEmpty()) {
                throw new KeyStoreException("No keystore private key found");
            }
            for (Map.Entry<String, PrivateKey> entry : this.privateKeys.entrySet()) {
                java.security.PrivateKey javaPrivateKey = getJavaPrivateKey(entry.getValue().getData());
                List<X509Certificate> certificateChain = getCertificateChain((String[]) entry.getValue().getCertificateChain().toArray(new String[0]));
                if (certificateChain.isEmpty()) {
                    throw new CertificateException("No certificate chain associated with private key found");
                }
                keyStore.setKeyEntry(entry.getKey(), javaPrivateKey, "".toCharArray(), (Certificate[]) certificateChain.stream().toArray(i -> {
                    return new Certificate[i];
                }));
            }
        }
        synchronized (this.trustedCertificates) {
            for (Map.Entry<String, TrustedCertificate> entry2 : this.trustedCertificates.entrySet()) {
                keyStore.setCertificateEntry(entry2.getKey(), getCertificateChain(new String[]{entry2.getValue().getCertificate()}).get(0));
            }
        }
        return keyStore;
    }

    private static java.security.PrivateKey getJavaPrivateKey(String str) throws GeneralSecurityException {
        java.security.PrivateKey generatePrivate;
        PKCS8EncodedKeySpec pKCS8EncodedKeySpec = new PKCS8EncodedKeySpec(base64Decode(str));
        try {
            generatePrivate = KeyFactory.getInstance("RSA").generatePrivate(pKCS8EncodedKeySpec);
        } catch (InvalidKeySpecException e) {
            generatePrivate = KeyFactory.getInstance("DSA").generatePrivate(pKCS8EncodedKeySpec);
        }
        return generatePrivate;
    }

    private static List<X509Certificate> getCertificateChain(String[] strArr) throws GeneralSecurityException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        ArrayList arrayList = new ArrayList();
        for (String str : strArr) {
            arrayList.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(base64Decode(str))));
        }
        return arrayList;
    }

    private static byte[] base64Decode(String str) {
        return Base64.getMimeDecoder().decode(str.getBytes(StandardCharsets.US_ASCII));
    }

    @Override // org.opendaylight.controller.md.sal.binding.api.DataTreeChangeListener
    public void onDataTreeChanged(@Nonnull Collection<DataTreeModification<Keystore>> collection) {
        LOG.debug("Keystore updated: {}", collection);
        Iterator<DataTreeModification<Keystore>> it = collection.iterator();
        while (it.hasNext()) {
            DataObjectModification<Keystore> rootNode = it.next().getRootNode();
            Iterator<? extends DataObjectModification<? extends DataObject>> it2 = rootNode.getModifiedChildren().iterator();
            while (it2.hasNext()) {
                DataObjectModification<TrustedCertificate> dataObjectModification = (DataObjectModification) it2.next();
                if (dataObjectModification.getDataType().equals(KeyCredential.class)) {
                    Keystore dataAfter = rootNode.getDataAfter();
                    this.pairs.clear();
                    if (dataAfter != null) {
                        dataAfter.getKeyCredential().forEach(keyCredential -> {
                            this.pairs.put(keyCredential.key().getKeyId(), keyCredential);
                        });
                    }
                } else if (dataObjectModification.getDataType().equals(PrivateKey.class)) {
                    onPrivateKeyChanged(dataObjectModification);
                } else if (dataObjectModification.getDataType().equals(TrustedCertificate.class)) {
                    onTrustedCertificateChanged(dataObjectModification);
                }
            }
        }
    }

    private void onPrivateKeyChanged(DataObjectModification<PrivateKey> dataObjectModification) {
        switch (dataObjectModification.getModificationType()) {
            case SUBTREE_MODIFIED:
            case WRITE:
                PrivateKey dataAfter = dataObjectModification.getDataAfter();
                this.privateKeys.put(dataAfter.getName(), dataAfter);
                return;
            case DELETE:
                this.privateKeys.remove(dataObjectModification.getDataBefore().getName());
                return;
            default:
                return;
        }
    }

    private void onTrustedCertificateChanged(DataObjectModification<TrustedCertificate> dataObjectModification) {
        switch (dataObjectModification.getModificationType()) {
            case SUBTREE_MODIFIED:
            case WRITE:
                TrustedCertificate dataAfter = dataObjectModification.getDataAfter();
                this.trustedCertificates.put(dataAfter.getName(), dataAfter);
                return;
            case DELETE:
                this.trustedCertificates.remove(dataObjectModification.getDataBefore().getName());
                return;
            default:
                return;
        }
    }
}
