package com.cloudera.keytrustee.util;

import com.cloudera.keytrustee.hsm.HsmHelper;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import org.apache.hadoop.conf.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/keytrustee/util/TLSConfiguration.class */
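/**
 * Resolves the TLS settings of the HSM key provider.
 *
 * <p>Every setting is looked up first in the process {@link Environment} and, only when the
 * environment does not carry it, in the Hadoop {@link Configuration} (see {@link #Value}). The
 * configuration handed to the constructor is copied and extended with the files listed in
 * {@link #CONFIG_FILE}, which are read from the directory named by the {@code kms.config.dir}
 * system property or from the classpath when that property is unset.
 *
 * <p>Not thread-safe: {@link #initSecureRandom} replaces the {@link SecureRandom} instance
 * without synchronization.
 */
public class TLSConfiguration {
    public static final String HSMKP_MSG_SSL_ENABLED_CM = "cloudera.hsmkp.ssl.enabled";
    public static final String HSMKP_MSG_SSL_ENABLED_CM_ENV = "SSL_ENABLED";
    private static final String HSMKP_MSG_KEYSTORE_FILE = "ssl.server.keystore.location";
    private static final String HSMKP_MSG_KEYSTORE_FILE_ENV = "KMS_SSL_KEYSTORE_FILE";
    private static final String HSMKP_MSG_KEYSTORE_PASSWORD = "ssl.server.keystore.password";
    private static final String HSMKP_MSG_KEYSTORE_PASSWORD_ENV = "KMS_SSL_KEYSTORE_PASS";
    private static final String HSMKP_MSG_KEYSTORE_PASSWORD_PLAIN = "ssl.server.keystore.password";
    private static final String HSMKP_MSG_KEYSTORE_KEY_PASSWORD = "ssl.server.keystore.keypassword";
    private static final String HSMKP_MSG_KEYSTORE_KEY_PASSWORD_ENV = "KMS_SSL_KEYSTORE_KEYPASS";
    private static final String HSMKP_MSG_KEYSTORE_KEY_PASSWORD_PLAIN = "ssl.server.keystore.keypassword";
    private static final String HSMKP_MSG_TRUSTSTORE_FILE = "ssl.server.truststore.location";
    private static final String HSMKP_MSG_TRUSTSTORE_FILE_ENV = "KMS_SSL_TRUSTSTORE_FILE";
    private static final String HSMKP_MSG_TRUSTSTORE_PASSWORD = "ssl.server.truststore.password";
    private static final String HSMKP_MSG_TRUSTSTORE_PASSWORD_ENV = "KMS_SSL_TRUSTSTORE_PASS";
    private static final String HSMKP_MSG_TRUSTSTORE_PASSWORD_PLAIN = "ssl.server.truststore.password";
    private static final String HSMKP_USE_HSM_SECURE_RANDOM = "cloudera.hsmkp.use.hsm.securerandom";
    private static final String HSMKP_USE_HSM_SECURE_RANDOM_ENV = "HSMKP_SSL_USE_HSM_SECURERANDOM";
    private static final String HSMKP_SSL_VERSION = "cloudera.hsmkp.ssl.version";
    private static final String HSMKP_SSL_VERSION_ENV = "HSMKP_SSL_VERSION";
    private static final String HSMKP_SSL_HOSTNAME_VERIFICATION = "cloudera.hsmkp.ssl.verify.hostnames";
    private static final String HSMKP_SSL_HOSTNAME_VERIFICATION_ENV = "HSMKP_SSL_VERIFY_HOSTNAMES";
    private static final String HSMKP_TRUST_MANAGER_FACTORY_NAME = "cloudera.hsmkp.trust.manager.factory";
    private static final String HSMKP_TRUST_MANAGER_FACTORY_NAME_ENV = "HSMKP_TRUST_MANAGER_FACTORY";
    public static final String HSMKP_SSL_VERSION_DEFAULT = "TLSv1.2";
    public static final boolean HSMKP_SSL_HOSTNAME_VERIFICATION_DEFAULT = true;
    public static final String HSMKP_KEYSTORE_FILENAME_DEFAULT = "hsmkp.keystore";
    /**
     * Well-known default key store password. It is applied only when no password is configured
     * AND the key store lives at its default path (see {@link #getTLSKeyStorePassword()}); a
     * key store protected by this value offers no confidentiality, so deployments should always
     * configure an explicit password.
     */
    public static final String HSMKP_KEYSTORE_PASSWORD_DEFAULT = "0923847";
    public static final String HSMKP_TRUST_MANAGER_FACTORY_NAME_DEFAULT = "SunX509";
    /** System property naming the directory that holds the {@link #CONFIG_FILE} resources. */
    private static final String KMS_CONFIG_DIR_PROPERTY = "kms.config.dir";
    private final Environment env;
    private final Configuration conf;
    /** JVM default until {@link #initSecureRandom} swaps in the HSM-backed generator. */
    private SecureRandom secureRandom;
    private static final String[] CONFIG_FILE = {"kms-site.xml", "ssl-server.xml"};
    private static final Logger LOG = LoggerFactory.getLogger(TLSConfiguration.class);

    /**
     * Builds a {@link Configuration} from the given resource files.
     *
     * <p>When the {@code kms.config.dir} system property is set, each resource is loaded from
     * that directory (which must be an absolute path); otherwise each resource name is handed to
     * {@link Configuration#addResource(String)} for classpath lookup.
     *
     * @param loadDefaults passed through to {@link Configuration#Configuration(boolean)}
     * @param resources resource file names, e.g. {@code kms-site.xml}
     * @return the populated configuration
     * @throws RuntimeException if {@code kms.config.dir} is set but not absolute, or if a
     *     resource URL cannot be formed
     */
    static Configuration getConfiguration(boolean loadDefaults, String... resources) {
        Configuration configuration = new Configuration(loadDefaults);
        String configDir = System.getProperty(KMS_CONFIG_DIR_PROPERTY);
        LOG.debug("Will load the properties from the directory {}", configDir);
        if (configDir == null) {
            // No directory configured: let Hadoop find the resources on the classpath.
            for (String resource : resources) {
                configuration.addResource(resource);
            }
            return configuration;
        }
        if (!configDir.startsWith("/")) {
            throw new RuntimeException("System property 'kms.config.dir' must be an absolute path: " + configDir);
        }
        if (!configDir.endsWith("/")) {
            configDir = configDir + "/";
        }
        try {
            for (String resource : resources) {
                LOG.debug("Loading from file : {}", resource);
                configuration.addResource(new URL("file://" + configDir + resource));
            }
        } catch (MalformedURLException e) {
            throw new RuntimeException(e);
        }
        return configuration;
    }

    /** Loads {@link #CONFIG_FILE} (with Hadoop defaults) via {@link #getConfiguration}. */
    private static Configuration getTLSConfigs() {
        return getConfiguration(true, CONFIG_FILE);
    }

    /**
     * Creates a TLS configuration view.
     *
     * @param environment environment lookup; a fresh {@link Environment} is used when {@code null}
     * @param configuration base configuration, copied and extended with the TLS config files
     * @throws NullPointerException if {@code configuration} is {@code null}
     */
    public TLSConfiguration(Environment environment, Configuration configuration) {
        this.env = (environment == null) ? new Environment() : environment;
        Preconditions.checkNotNull(configuration, "Null configuration passed to constructor.");
        // Copy so the caller's configuration is not mutated by the resources added below.
        this.conf = new Configuration(configuration);
        this.conf.addResource(getTLSConfigs());
        this.secureRandom = new SecureRandom();
    }

    /**
     * Resolves a non-password setting; equivalent to
     * {@code Value(configuration, environment, envKey, confKey, false)}.
     *
     * @param configuration configuration consulted when the environment lacks {@code envKey}
     * @param environment environment consulted first
     * @param envKey environment variable name
     * @param confKey configuration property name
     * @return the resolved value, or {@code null} if neither source provides one
     */
    public static String Value(Configuration configuration, Environment environment, String envKey, String confKey) {
        return Value(configuration, environment, envKey, confKey, false);
    }

    /**
     * Resolves a setting, preferring the environment over the configuration.
     *
     * @param configuration configuration consulted when the environment lacks {@code envKey}
     * @param environment environment consulted first
     * @param envKey environment variable name
     * @param confKey configuration property name; may be {@code null} only when
     *     {@code isPassword} is {@code true}
     * @param isPassword when {@code true}, the configuration value is read through
     *     {@link Configuration#getPassword(String)} (credential providers) instead of
     *     {@link Configuration#get(String)}
     * @return the resolved value, or {@code null} if neither source provides one or the
     *     password lookup fails (the failure is logged)
     */
    public static String Value(Configuration configuration, Environment environment, String envKey, String confKey, boolean isPassword) {
        if (environment.containsKey(envKey)) {
            return environment.get(envKey);
        }
        if (!isPassword) {
            return configuration.get(confKey);
        }
        if (confKey == null) {
            return null;
        }
        try {
            char[] password = configuration.getPassword(confKey);
            // NOTE: the char[] is copied into an immutable String here, so the secret cannot be
            // zeroed afterwards; this is inherent to the String return type of this API.
            return (password == null) ? null : String.valueOf(password);
        } catch (IOException e) {
            LOG.error("Could not read configuration value [{}]", confKey, e);
            return null;
        }
    }

    /**
     * Returns the local HSMKP data directory, falling back to
     * {@link HSMKeyProviderConfiguration#HSMKP_DATA_DIR_DEFAULT}.
     */
    public String getLocalDataDir() {
        String dataDir = Value(this.conf, this.env, HSMKeyProviderConfiguration.HSMKP_DATA_DIR_ENV, HSMKeyProviderConfiguration.HSMKP_DATA_DIR);
        if (dataDir != null) {
            return dataDir;
        }
        LOG.debug("No local HSMKP Data Dir set. Will use default : /var/lib/hsmkp");
        return HSMKeyProviderConfiguration.HSMKP_DATA_DIR_DEFAULT;
    }

    /** Returns the configured TLS protocol name, defaulting to {@link #HSMKP_SSL_VERSION_DEFAULT}. */
    public String getSSLVersion() {
        String version = Value(this.conf, this.env, HSMKP_SSL_VERSION_ENV, HSMKP_SSL_VERSION);
        if (version != null) {
            return version;
        }
        LOG.info("Using default SSL version [{}]. Set [{}] config value or [{}] environment variable to override.",
                HSMKP_SSL_VERSION_DEFAULT, HSMKP_SSL_VERSION, HSMKP_SSL_VERSION_ENV);
        return HSMKP_SSL_VERSION_DEFAULT;
    }

    /**
     * Returns the {@code TrustManagerFactory} algorithm name, defaulting to
     * {@link #HSMKP_TRUST_MANAGER_FACTORY_NAME_DEFAULT}.
     */
    public String getTrustManagerFactoryName() {
        String factoryName = Value(this.conf, this.env, HSMKP_TRUST_MANAGER_FACTORY_NAME_ENV, HSMKP_TRUST_MANAGER_FACTORY_NAME);
        if (factoryName != null) {
            return factoryName;
        }
        LOG.info("Using default Trust Manager Factory [{}]. Set [{}] config value or [{}] environment variable to override.",
                HSMKP_TRUST_MANAGER_FACTORY_NAME_DEFAULT, HSMKP_TRUST_MANAGER_FACTORY_NAME, HSMKP_TRUST_MANAGER_FACTORY_NAME_ENV);
        return HSMKP_TRUST_MANAGER_FACTORY_NAME_DEFAULT;
    }

    /** Path of the key store used when none is configured: {@code <dataDir>/hsmkp.keystore}. */
    private String defaultKeyStoreFile() {
        return getLocalDataDir() + File.separator + HSMKP_KEYSTORE_FILENAME_DEFAULT;
    }

    /** Returns the TLS key store path, defaulting to the file under the local data directory. */
    public String getTLSKeyStoreFile() {
        String keyStoreFile = Value(this.conf, this.env, HSMKP_MSG_KEYSTORE_FILE_ENV, HSMKP_MSG_KEYSTORE_FILE);
        if (keyStoreFile != null) {
            return keyStoreFile;
        }
        String defaultFile = defaultKeyStoreFile();
        LOG.debug("Key store file for HSM key provider TLS unspecified. Using default : {}", defaultFile);
        return defaultFile;
    }

    /**
     * Shared resolution for the key store and key passwords.
     *
     * <p>Order: credential-provider lookup, then plain configuration value, then a default. The
     * default is {@link #HSMKP_KEYSTORE_PASSWORD_DEFAULT} only when the key store is the default
     * file; an explicitly configured key store gets
     * {@link HSMKeyProviderConfiguration#DB_PASSWORD_DEFAULT} (the empty string, per the log
     * message) so that an explicit store never silently pairs with the well-known password.
     *
     * @param envKey environment variable name
     * @param confKey configuration property name
     * @param label message prefix, e.g. {@code "Key store password"}
     */
    private String resolveKeyStorePassword(String envKey, String confKey, String label) {
        String password = Value(this.conf, this.env, envKey, confKey, true);
        if (password != null) {
            return password;
        }
        LOG.debug("No callback. Will use password if present.");
        password = Value(this.conf, this.env, envKey, confKey);
        if (password != null) {
            return password;
        }
        if (getTLSKeyStoreFile().equals(defaultKeyStoreFile())) {
            LOG.warn(label + " for HSM key provider unspecified. Using default");
            return HSMKP_KEYSTORE_PASSWORD_DEFAULT;
        }
        LOG.warn(label + " for HSM key provider unspecified but key store is specified. Assuming empty string for password.");
        return HSMKeyProviderConfiguration.DB_PASSWORD_DEFAULT;
    }

    /** Returns the key store password; see {@link #resolveKeyStorePassword} for the fallback order. */
    public String getTLSKeyStorePassword() {
        return resolveKeyStorePassword(HSMKP_MSG_KEYSTORE_PASSWORD_ENV, HSMKP_MSG_KEYSTORE_PASSWORD, "Key store password");
    }

    /** Returns the private-key password; see {@link #resolveKeyStorePassword} for the fallback order. */
    public String getTLSKeyStoreKeyPassword() {
        return resolveKeyStorePassword(HSMKP_MSG_KEYSTORE_KEY_PASSWORD_ENV, HSMKP_MSG_KEYSTORE_KEY_PASSWORD, "Key store key password");
    }

    /** Returns the TLS trust store path, or {@code null} when none is configured. */
    public String getTLSTrustStoreFile() {
        String trustStoreFile = Value(this.conf, this.env, HSMKP_MSG_TRUSTSTORE_FILE_ENV, HSMKP_MSG_TRUSTSTORE_FILE);
        if (trustStoreFile == null) {
            LOG.debug("Trust store file for HSM key provider TLS unspecified. Passing null.");
        }
        return trustStoreFile;
    }

    /**
     * Returns the trust store password (credential provider first, then plain configuration),
     * or {@code null} when none is configured. Unlike the key store, no default is applied.
     */
    public String getTLSTrustStorePassword() {
        String password = Value(this.conf, this.env, HSMKP_MSG_TRUSTSTORE_PASSWORD_ENV, HSMKP_MSG_TRUSTSTORE_PASSWORD, true);
        if (password != null) {
            return password;
        }
        LOG.debug("No callback. Will use password if present.");
        password = Value(this.conf, this.env, HSMKP_MSG_TRUSTSTORE_PASSWORD_ENV, HSMKP_MSG_TRUSTSTORE_PASSWORD);
        if (password == null) {
            LOG.debug("Trust store password for HSM key provider TLS unspecified. Passing null.");
        }
        return password;
    }

    /** Returns whether Cloudera Manager enabled TLS; {@code false} when the setting is absent. */
    public boolean isTLSEnabledInCM() {
        String raw = Value(this.conf, this.env, HSMKP_MSG_SSL_ENABLED_CM_ENV, HSMKP_MSG_SSL_ENABLED_CM);
        if (raw == null) {
            LOG.info("TLS not set in Cloudera Manager.");
            return false;
        }
        boolean enabled = Boolean.parseBoolean(raw);
        LOG.info("TLS set to [{}] in Cloudera Manager.", enabled);
        return enabled;
    }

    /**
     * Returns whether TLS hostname verification is wanted; defaults to
     * {@link #HSMKP_SSL_HOSTNAME_VERIFICATION_DEFAULT} ({@code true}). Disabling it is only
     * appropriate where the peer identity is established some other way.
     */
    public boolean isTLSHostnameVerificationDesired() {
        String raw = Value(this.conf, this.env, HSMKP_SSL_HOSTNAME_VERIFICATION_ENV, HSMKP_SSL_HOSTNAME_VERIFICATION);
        if (raw == null) {
            LOG.info("Hostname verification set to default [true].");
            return HSMKP_SSL_HOSTNAME_VERIFICATION_DEFAULT;
        }
        boolean verify = Boolean.parseBoolean(raw);
        LOG.info("Hostname verification set to [{}].", verify);
        return verify;
    }

    /**
     * Returns whether the HSM vendor's {@link SecureRandom} should replace the JVM default;
     * {@code false} when unset.
     */
    public boolean getUseHSMSecureRandom() {
        String raw = Value(this.conf, this.env, HSMKP_USE_HSM_SECURE_RANDOM_ENV, HSMKP_USE_HSM_SECURE_RANDOM);
        if (raw == null) {
            LOG.info("SecureRandom option not set. Using JVM default secure random number generator.");
            return false;
        }
        boolean useHsm = Boolean.parseBoolean(raw);
        // The two messages were previously attached to the wrong branches.
        if (useHsm) {
            LOG.info("SecureRandom option set to true. Using HSM vendor secure random number generator.");
        } else {
            LOG.info("SecureRandom option set to false. Using JVM default secure random number generator.");
        }
        return useHsm;
    }

    /**
     * Switches {@link #getSecureRandom()} to the HSM-backed generator when
     * {@link #getUseHSMSecureRandom()} is set. On failure the JVM default is kept and the error
     * is logged, so callers that require HSM randomness should check the result type themselves.
     *
     * @param hsmHelper source of the HSM {@link SecureRandom}
     */
    public void initSecureRandom(HsmHelper hsmHelper) {
        if (!getUseHSMSecureRandom()) {
            return;
        }
        try {
            this.secureRandom = hsmHelper.getHSMSecureRandom();
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            LOG.error("Could not get HSM Secure Random. Using JVM default secure random.", e);
        }
    }

    /** Returns the current {@link SecureRandom} (JVM default unless {@link #initSecureRandom} succeeded). */
    public SecureRandom getSecureRandom() {
        return this.secureRandom;
    }

    /**
     * Checks that the configured key store, if present on disk, is readable and loads as a JKS
     * store with the configured password.
     *
     * <p>A key store file that does not exist is NOT reported: the result is the "no error"
     * value, mirroring the behaviour callers already depend on.
     *
     * @return {@link HSMKeyProviderConfiguration#DB_PASSWORD_DEFAULT} (treated as "no error")
     *     when validation passes, otherwise a human-readable description of the problem
     */
    public String validate() {
        String problem = HSMKeyProviderConfiguration.DB_PASSWORD_DEFAULT;
        File keyStoreFile = new File(getTLSKeyStoreFile());
        if (!keyStoreFile.exists()) {
            return problem;
        }
        if (!keyStoreFile.canRead()) {
            return "Cannot read TLS Key Store File: [" + keyStoreFile + "]";
        }
        // try-with-resources: the previous implementation never closed the stream.
        try (FileInputStream in = new FileInputStream(keyStoreFile)) {
            KeyStore.getInstance("jks").load(in, getTLSKeyStorePassword().toCharArray());
        } catch (FileNotFoundException e) {
            problem = "Cannot find TLS Key Store File: [" + keyStoreFile + "]";
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            LOG.error("Cannot load TLS Key Store [" + keyStoreFile + "] : ", e);
            problem = "Cannot load TLS Key Store [" + keyStoreFile + "] : " + e.getMessage();
        }
        return problem;
    }
}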
