package com.atlassian.bamboo.grpc.util;

import com.atlassian.bamboo.crypto.BouncyCastleProviderUtils;
import com.atlassian.bamboo.utils.Pair;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.security.random.SecureRandomFactory;
import io.atlassian.fugue.Checked;
import io.grpc.ChannelCredentials;
import io.grpc.ServerCredentials;
import io.grpc.TlsChannelCredentials;
import io.grpc.TlsServerCredentials;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import java.util.Optional;
import java.util.stream.Stream;
import org.apache.commons.lang3.time.DateUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.io.pem.PemReader;

/* loaded from: input_file:com/atlassian/bamboo/grpc/util/GrpcCertificateUtils.class */
public class GrpcCertificateUtils {
    private static final String SIGNATURE_ALGORITHM_NAME = "SHA256WITHRSAENCRYPTION";
    private static final String KEY_ALGORITHM_NAME = "RSA";
    private static final KeyPairGenerator keyPairGenerator;
    private static final int KEY_SIZE = 4096;
    private static final Logger log = Logger.getLogger(GrpcCertificateUtils.class);
    private static final int CERTIFICATE_VALIDITY_YEARS = (int) SystemProperty.GRPC_CERTIFICATE_VALIDITY_DURATION.getTypedValue();
    private static final X500Name caName = new X500Name("CN=Bamboo GRPC Root CA");

    private GrpcCertificateUtils() {
    }

    public static KeyPair generateKeyPair() {
        return keyPairGenerator.generateKeyPair();
    }

    public static X509Certificate generateRootCa(KeyPair keyPair) throws OperatorCreationException, NoSuchAlgorithmException, CertIOException, CertificateException {
        long currentTimeMillis = System.currentTimeMillis();
        Date addMinutes = DateUtils.addMinutes(new Date(currentTimeMillis), -5);
        Date addYears = DateUtils.addYears(new Date(currentTimeMillis), CERTIFICATE_VALIDITY_YEARS);
        BigInteger valueOf = BigInteger.valueOf(System.nanoTime());
        ContentSigner build = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_NAME).setProvider("BC").build(keyPair.getPrivate());
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(caName, valueOf, addMinutes, addYears, caName, keyPair.getPublic());
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        jcaX509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        jcaX509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(jcaX509v3CertificateBuilder.build(build));
    }

    public static void saveCertificateToFile(X509Certificate x509Certificate, File file) throws IOException {
        JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new FileWriter(file));
        jcaPEMWriter.writeObject(x509Certificate);
        jcaPEMWriter.close();
    }

    public static InputStream toInputStream(X509Certificate x509Certificate) throws CertificateEncodingException, IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write("-----BEGIN CERTIFICATE-----\n".getBytes());
        byteArrayOutputStream.write(Base64.encode(x509Certificate.getEncoded()));
        byteArrayOutputStream.write("\n-----END CERTIFICATE-----".getBytes());
        return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
    }

    public static InputStream toInputStream(PrivateKey privateKey) throws CertificateEncodingException, IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write("-----BEGIN PRIVATE KEY-----\n".getBytes());
        byteArrayOutputStream.write(Base64.encode(privateKey.getEncoded()));
        byteArrayOutputStream.write("\n-----END PRIVATE KEY-----".getBytes());
        return new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
    }

    public static void saveKeyToFile(PrivateKey privateKey, File file) throws IOException {
        JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new FileWriter(file));
        jcaPEMWriter.writeObject(privateKey);
        jcaPEMWriter.close();
    }

    public static PrivateKey getKeyFromFile(File file) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        PemReader pemReader = new PemReader(new FileReader(file));
        byte[] content = pemReader.readPemObject().getContent();
        pemReader.close();
        return KeyFactory.getInstance(KEY_ALGORITHM_NAME).generatePrivate(new PKCS8EncodedKeySpec(content));
    }

    public static X509Certificate getCertificateFromFile(File file) throws IOException, CertificateException {
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(new X509CertificateHolder(Base64.decode(new String(Files.readAllBytes(file.toPath()), Charset.defaultCharset()).replace("-----BEGIN CERTIFICATE-----", "").replaceAll(System.lineSeparator(), "").replace("-----END CERTIFICATE-----", "").getBytes())));
    }

    public static X509Certificate generateLocalCert(PrivateKey privateKey, KeyPair keyPair, X509Certificate x509Certificate, String str) throws OperatorCreationException, NoSuchAlgorithmException, CertIOException, CertificateException {
        X500Name x500Name = new X500Name("CN=Local node");
        long currentTimeMillis = System.currentTimeMillis();
        Date addMinutes = DateUtils.addMinutes(new Date(currentTimeMillis), -5);
        Date addYears = DateUtils.addYears(new Date(currentTimeMillis), CERTIFICATE_VALIDITY_YEARS);
        BigInteger valueOf = BigInteger.valueOf(System.nanoTime());
        JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(x500Name, keyPair.getPublic());
        ContentSigner build = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM_NAME).setProvider("BC").build(privateKey);
        PKCS10CertificationRequest build2 = jcaPKCS10CertificationRequestBuilder.build(build);
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(caName, valueOf, addMinutes, addYears, build2.getSubject(), build2.getSubjectPublicKeyInfo());
        JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
        x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, jcaX509ExtensionUtils.createAuthorityKeyIdentifier(x509Certificate));
        x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(build2.getSubjectPublicKeyInfo()));
        x509v3CertificateBuilder.addExtension(Extension.subjectAlternativeName, false, new DERSequence(getApplicableGeneralNames(str)));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(x509v3CertificateBuilder.build(build));
    }

    private static ASN1Encodable[] getApplicableGeneralNames(String str) {
        return (ASN1Encodable[]) Stream.of((Object[]) new Optional[]{Checked.now(() -> {
            return new GeneralName(2, str);
        }).toOptional(), Checked.now(() -> {
            return new GeneralName(7, str);
        }).toOptional(), Checked.now(() -> {
            return new GeneralName(2, "localhost");
        }).toOptional()}).filter((v0) -> {
            return v0.isPresent();
        }).map((v0) -> {
            return v0.get();
        }).toArray(i -> {
            return new ASN1Encodable[i];
        });
    }

    public static void regenerateCaIfNeeded(String str) throws CertificateException, NoSuchAlgorithmException, IOException, OperatorCreationException, InterruptedException {
        int i;
        File file = new File(str + "/ssl/ca.crt");
        File file2 = new File(str + "/ssl/ca.key");
        int i2 = 3;
        do {
            try {
                if (file.exists() && file2.exists()) {
                    return;
                }
                file.delete();
                file2.delete();
                File file3 = new File(str + "/ssl");
                if (!file3.exists()) {
                    file3.mkdirs();
                }
                KeyPair generateKeyPair = generateKeyPair();
                X509Certificate generateRootCa = generateRootCa(generateKeyPair);
                saveKeyToFile(generateKeyPair.getPrivate(), file2);
                saveCertificateToFile(generateRootCa, file);
                return;
            } catch (Exception e) {
                log.warn("Failed to generate root CA, retrying...", e);
                file.delete();
                file2.delete();
                Thread.sleep(3000L);
                i = i2;
                i2--;
            }
        } while (i > 0);
        throw new CertificateException("Permanently failed to generate root CA");
    }

    public static synchronized ServerCredentials generateServerCredentials(String str, String str2, String str3) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, CertificateException, OperatorCreationException {
        File file = new File(str + "/ssl/ca.crt");
        Pair<InputStream, InputStream> certificateWithPrivateKey = getCertificateWithPrivateKey(str, str2, str3, "server");
        return TlsServerCredentials.newBuilder().keyManager((InputStream) certificateWithPrivateKey.getFirst(), (InputStream) certificateWithPrivateKey.getSecond()).trustManager(file).clientAuth(TlsServerCredentials.ClientAuth.REQUIRE).build();
    }

    private static Pair<InputStream, InputStream> getCertificateWithPrivateKey(String str, String str2, String str3, String str4) throws IOException, CertificateException, NoSuchAlgorithmException, OperatorCreationException, InvalidKeySpecException {
        File file = new File(str + "/ssl/ca.crt");
        File file2 = new File(str + "/ssl/ca.key");
        KeyPair generateKeyPair = generateKeyPair();
        X509Certificate generateLocalCert = generateLocalCert(getKeyFromFile(file2), generateKeyPair, getCertificateFromFile(file), str3);
        InputStream inputStream = toInputStream(generateLocalCert);
        InputStream inputStream2 = toInputStream(generateKeyPair.getPrivate());
        if (SystemProperty.BAMBOO_GRPC_AUTHENTICATION_SAVE_CLIENT_CERTIFICATES_TO_DISK.getTypedValue()) {
            new File(str2 + "/ssl").mkdirs();
            saveCertificateToFile(generateLocalCert, new File(str2 + "/ssl/" + str4 + ".crt"));
            saveKeyToFile(generateKeyPair.getPrivate(), new File(str2 + "/ssl/" + str4 + ".key"));
        }
        return Pair.make(inputStream, inputStream2);
    }

    public static synchronized ChannelCredentials generateClientCredentials(String str, String str2, String str3) throws IOException, CertificateException, NoSuchAlgorithmException, OperatorCreationException, InvalidKeySpecException {
        File file = new File(str + "/ssl/ca.crt");
        Pair<InputStream, InputStream> certificateWithPrivateKey = getCertificateWithPrivateKey(str, str2, str3, "client");
        return TlsChannelCredentials.newBuilder().trustManager(file).keyManager((InputStream) certificateWithPrivateKey.getFirst(), (InputStream) certificateWithPrivateKey.getSecond()).build();
    }

    static {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        } else {
            log.info("Bouncy Castle provider already present");
        }
        try {
            keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM_NAME, BouncyCastleProviderUtils.getProvider());
            keyPairGenerator.initialize(KEY_SIZE, SecureRandomFactory.newInstance());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
