package org.apache.hadoop.hdds.security.x509.certificates.utils;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.time.Duration;
import java.time.LocalDate;
import java.time.LocalTime;
import java.time.ZoneOffset;
import java.util.Date;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.util.Time;
import org.apache.logging.log4j.util.Strings;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.class */
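/**
 * Builds a self-signed X.509 certificate (issuer == subject) for a given key
 * pair, either as a CA root (basicConstraints + keyUsage extensions) or as a
 * plain certificate. Instances are created only through {@link Builder}.
 *
 * <p>Decompiled source: the original field and parameter names were lost;
 * they have been restored from how the values are used.
 */
public final class SelfSignedCertificate {
    /** Distinguished-name template: CN = subject, OU = SCM ID, O = cluster ID. */
    private static final String NAME_FORMAT = "CN=%s,OU=%s,O=%s";
    /** keyUsage bits set on a CA certificate: certificate signing and CRL signing (bit value 6). */
    private static final int CA_KEY_USAGE = KeyUsage.keyCertSign | KeyUsage.cRLSign;

    private final String subject;
    private final String clusterID;
    private final String scmID;
    private final LocalDate beginDate;
    private final LocalDate endDate;
    private final KeyPair key;
    private final SecurityConfig config;

    /**
     * Fluent builder. Key, subject, cluster ID, SCM ID, begin/end dates and the
     * configuration are all mandatory; {@link #makeCA()} switches on the CA
     * extensions.
     */
    public static class Builder {
        private String subject;
        private String clusterID;
        private String scmID;
        private LocalDate beginDate;
        private LocalDate endDate;
        private KeyPair key;
        private SecurityConfig config;
        private boolean isCA;

        /** Wraps the Hadoop configuration in a {@link SecurityConfig}. */
        public Builder setConfiguration(Configuration configuration) {
            this.config = new SecurityConfig(configuration);
            return this;
        }

        /** Key pair whose public key is certified and whose private key signs. */
        public Builder setKey(KeyPair keyPair) {
            this.key = keyPair;
            return this;
        }

        /** Value placed in the CN component of the subject/issuer name. */
        public Builder setSubject(String subjectName) {
            this.subject = subjectName;
            return this;
        }

        /** Value placed in the O component of the subject/issuer name. */
        public Builder setClusterID(String clusterId) {
            this.clusterID = clusterId;
            return this;
        }

        /** Value placed in the OU component of the subject/issuer name. */
        public Builder setScmID(String scmId) {
            this.scmID = scmId;
            return this;
        }

        /** First day of validity (notBefore is the start of this day, default zone). */
        public Builder setBeginDate(LocalDate date) {
            this.beginDate = date;
            return this;
        }

        /** Last day of validity (notAfter is the end of this day, default zone). */
        public Builder setEndDate(LocalDate date) {
            this.endDate = date;
            return this;
        }

        /** Marks the certificate as a CA: adds basicConstraints(cA=true) and keyUsage. */
        public Builder makeCA() {
            this.isCA = true;
            return this;
        }

        /**
         * Validates the collected parameters and generates the certificate.
         *
         * @return the signed certificate holder
         * @throws NullPointerException if key, configuration or either date is unset
         * @throws IllegalArgumentException if subject, cluster ID or SCM ID is blank,
         *         or if the begin date is not before the end date
         * @throws SCMSecurityException if the requested validity exceeds
         *         {@code hdds.x509.max.duration}, or (as {@link CertificateException})
         *         if the certificate could not be signed or encoded
         * @throws IOException on encoding failures
         */
        public X509CertificateHolder build() throws SCMSecurityException, IOException {
            Preconditions.checkNotNull(this.key, "Key cannot be null");
            // Explicit null checks give a clear message instead of an NPE from the
            // date comparison / config lookup below.
            Preconditions.checkNotNull(this.config, "Configuration cannot be null");
            Preconditions.checkNotNull(this.beginDate, "Begin date cannot be null");
            Preconditions.checkNotNull(this.endDate, "End date cannot be null");
            Preconditions.checkArgument(Strings.isNotBlank(this.subject), "Subject cannot be blank");
            Preconditions.checkArgument(Strings.isNotBlank(this.clusterID), "Cluster ID cannot be blank");
            Preconditions.checkArgument(Strings.isNotBlank(this.scmID), "SCM ID cannot be blank");
            Preconditions.checkArgument(this.beginDate.isBefore(this.endDate),
                    "Certificate begin date should be before end date");

            // Measured start-of-day to start-of-day; the generated certificate
            // actually runs to the end of endDate, i.e. about one day longer.
            Duration requested = Duration.between(this.beginDate.atStartOfDay(), this.endDate.atStartOfDay());
            Duration maxAllowed = this.config.getMaxCertificateDuration();
            if (requested.compareTo(maxAllowed) > 0) {
                throw new SCMSecurityException("The cert duration violates the maximum configured value. Please check the hdds.x509.max.duration config key. Current Value: " + requested + " config: " + maxAllowed);
            }

            try {
                return new SelfSignedCertificate(this.subject, this.scmID, this.clusterID,
                        this.beginDate, this.endDate, this.config, this.key)
                        .generateCertificate(this.isCA);
            } catch (OperatorCreationException | CertIOException e) {
                // Chain the exception itself: e.getCause() is frequently null and
                // would discard the only diagnostic.
                throw new CertificateException("Unable to create root certificate.", e);
            }
        }
    }

    private SelfSignedCertificate(String subject, String scmID, String clusterID,
            LocalDate beginDate, LocalDate endDate, SecurityConfig config, KeyPair key) {
        this.subject = subject;
        this.clusterID = clusterID;
        this.scmID = scmID;
        this.beginDate = beginDate;
        this.endDate = endDate;
        this.config = config;
        this.key = key;
    }

    /** Returns the DN template ({@code CN=%s,OU=%s,O=%s}); exposed for tests. */
    @VisibleForTesting
    public static String getNameFormat() {
        return NAME_FORMAT;
    }

    /** Creates an empty {@link Builder}. */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Signs a self-signed certificate with the configured algorithm and provider.
     * Only {@link Builder#build()} is meant to call this (the decompiler widened
     * the original private access).
     *
     * @param isCA when true: serial number 1 plus basicConstraints(cA=true, critical)
     *             and keyUsage(keyCertSign | cRLSign); when false: serial taken from
     *             the monotonic clock and no extensions
     * @return the signed certificate holder
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws IOException if an extension cannot be encoded
     */
    /* JADX INFO: Access modifiers changed from: private */
    public X509CertificateHolder generateCertificate(boolean isCA) throws OperatorCreationException, IOException {
        X500Name name = new X500Name(String.format(getNameFormat(), this.subject, this.scmID, this.clusterID));
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(this.key.getPublic().getEncoded());
        ContentSigner signer = new JcaContentSignerBuilder(this.config.getSignatureAlgo())
                .setProvider(this.config.getProvider())
                .build(this.key.getPrivate());

        // NOTE(review): a clock-derived serial is predictable and may repeat
        // across process restarts; RFC 5280 requires serials to be unique per
        // issuer. A SecureRandom-derived serial would be the usual choice if
        // these certificates are ever trusted outside the cluster.
        BigInteger serial = isCA ? BigInteger.ONE : BigInteger.valueOf(Time.monotonicNow());

        // Validity is anchored to the JVM default zone, using beginDate's offset
        // for both ends (a DST change between the two dates shifts notAfter by
        // the offset difference).
        ZoneOffset offset = this.beginDate.atStartOfDay(ZoneOffset.systemDefault()).getOffset();
        Date notBefore = Date.from(this.beginDate.atTime(LocalTime.MIN).toInstant(offset));
        Date notAfter = Date.from(this.endDate.atTime(LocalTime.MAX).toInstant(offset));

        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                name, serial, notBefore, notAfter, name, publicKeyInfo);
        if (isCA) {
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
            // addExtension(oid, critical, ASN1Encodable) DER-encodes the value and
            // wraps it in an OCTET STRING itself. Wrapping the KeyUsage in a
            // DEROctetString first (as the original did) yields a doubly-wrapped
            // extnValue that does not decode as KeyUsage; pass the structure directly.
            // RFC 5280 recommends marking keyUsage critical on CA certificates;
            // left non-critical here to keep the existing profile.
            builder.addExtension(Extension.keyUsage, false, new KeyUsage(CA_KEY_USAGE));
        }
        return builder.build(signer);
    }
}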
