package org.apache.hadoop.security.ssl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.net.Socket;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.cli.HelpFormatter;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-3.4.1.0-eep-940-tests.jar:org/apache/hadoop/security/ssl/KeyStoreTestUtil.class */
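/**
 * Test-only helpers for building throw-away key stores, trust stores and
 * {@code ssl-client.xml}/{@code ssl-server.xml} files, plus helpers that
 * deliberately DISABLE TLS validation on an {@link HttpsURLConnection}.
 *
 * <p>Security notes for anyone tempted to reuse this outside tests:
 * <ul>
 *   <li>Passwords are written in clear text into the generated XML files and
 *       are well-known constants by default.</li>
 *   <li>{@link #setupSSLConfig} configures the {@code ALLOW_ALL} hostname
 *       verifier, and {@link #setAllowAllSSL} installs a trust manager that
 *       accepts every certificate. Neither is acceptable for production.</li>
 *   <li>Generated certificates are self-signed and carry a CA basic
 *       constraint so they can act as their own trust anchor.</li>
 * </ul>
 */
public class KeyStoreTestUtil {
    public static final String SERVER_KEY_STORE_PASSWORD_DEFAULT = "serverP";
    public static final String CLIENT_KEY_STORE_PASSWORD_DEFAULT = "clientP";
    public static final String TRUST_STORE_PASSWORD_DEFAULT = "trustP";

    /**
     * RSA modulus size for generated test keys. 2048 is the smallest size
     * accepted by current JDK/FIPS-provider policies; 1024-bit keys are
     * rejected by several providers and TLS stacks.
     */
    private static final int RSA_KEY_SIZE = 2048;

    /** Milliseconds in one day, as a long so that {@code days * MILLIS_PER_DAY} cannot overflow. */
    private static final long MILLIS_PER_DAY = 86400000L;

    /** Key store type used for every store this class writes; file names end in {@code .jks} to match. */
    private static final String KEY_STORE_TYPE = "JKS";

    /**
     * Returns the classpath directory from which {@code cls} was loaded.
     *
     * @param cls a class whose {@code .class} resource is on the context class loader's classpath
     * @return the directory (or jar root) prefix of the class resource URL, without trailing slash
     * @throws IllegalStateException if the class resource cannot be located
     * @throws Exception on URI conversion failure
     */
    public static String getClasspathDir(Class cls) throws Exception {
        String resource = cls.getName().replace('.', '/') + ".class";
        URL url = Thread.currentThread().getContextClassLoader().getResource(resource);
        if (url == null) {
            // Previously this was a bare NPE; name the resource so the failure is actionable.
            throw new IllegalStateException("Class resource not found on classpath: " + resource);
        }
        String path = url.toURI().getPath();
        // Strip "<resource>" and the separating '/' to get the directory.
        return path.substring(0, path.length() - resource.length() - 1);
    }

    /**
     * Creates a self-signed X.509 v3 certificate.
     *
     * <p>The certificate is marked as a CA ({@code basicConstraints=CA:TRUE},
     * critical) so that it can be placed in a trust store as its own anchor.
     *
     * @param dn        subject (and issuer) distinguished name, e.g. {@code "CN=localhost, O=server"}
     * @param pair      key pair whose public key is certified and whose private key signs
     * @param days      validity period in days, counted from now; must be positive
     * @param algorithm JCA signature algorithm name, e.g. {@code "SHA256WithRSA"}
     * @return the generated certificate
     * @throws IllegalArgumentException if {@code days} is not positive
     * @throws CertificateException, OperatorCreationException, CertIOException on BC/JCA failures
     */
    public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
            throws CertificateException, IllegalStateException, OperatorCreationException, CertIOException {
        if (days <= 0) {
            throw new IllegalArgumentException("Certificate validity must be positive, got " + days + " days");
        }
        // Security.addProvider is a no-op (returns -1) when a provider of the same
        // name is already registered, so calling it per certificate is safe.
        BouncyCastleFipsProvider provider = new BouncyCastleFipsProvider();
        Security.addProvider(provider);

        long now = System.currentTimeMillis();
        Date notBefore = new Date(now);
        // Honour the requested validity; long arithmetic avoids the int overflow
        // that occurs for days > 24 with a 32-bit multiply.
        Date notAfter = new Date(now + days * MILLIS_PER_DAY);

        // RFC 5280 requires a positive, unique serial. A random 63-bit value plus one
        // is always positive and does not collide when two certs are cut in the same millisecond.
        BigInteger serial = new BigInteger(63, new SecureRandom()).add(BigInteger.ONE);

        X500Name name = new X500Name(dn);
        ContentSigner signer = new JcaContentSignerBuilder(algorithm).build(pair.getPrivate());
        JcaX509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, pair.getPublic());
        // 2.5.29.19 = id-ce-basicConstraints; cA=true so the cert can be its own trust anchor.
        builder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(true));
        return new JcaX509CertificateConverter().setProvider(provider).getCertificate(builder.build(signer));
    }

    /**
     * Generates a fresh key pair of {@link #RSA_KEY_SIZE} bits (the size applies to
     * any modulus-based algorithm; for others the JCA interprets it as its strength).
     *
     * @param algorithm JCA key-pair algorithm name, e.g. {@code "RSA"}
     * @return a newly generated key pair
     * @throws NoSuchAlgorithmException if no provider supports {@code algorithm}
     */
    public static KeyPair generateKeyPair(String algorithm) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        generator.initialize(RSA_KEY_SIZE);
        return generator.genKeyPair();
    }

    /** Creates an empty, initialised {@link #KEY_STORE_TYPE} key store. */
    private static KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        ks.load(null, null); // a null stream initialises an empty store
        return ks;
    }

    /**
     * Writes {@code ks} to {@code filename} protected by {@code password}, then
     * best-effort restricts the file to its owner (it may contain private keys).
     */
    private static void saveKeyStore(KeyStore ks, String filename, String password)
            throws GeneralSecurityException, IOException {
        File file = new File(filename);
        try (FileOutputStream out = new FileOutputStream(file)) {
            ks.store(out, password.toCharArray());
        }
        restrictToOwner(file);
    }

    /**
     * Best-effort: make {@code file} readable and writable only by its owner.
     * Return values are ignored because some file systems (e.g. Windows) do not
     * support the per-owner bits; the store is still usable either way.
     */
    private static void restrictToOwner(File file) {
        file.setReadable(false, false);
        file.setReadable(true, true);
        file.setWritable(false, false);
        file.setWritable(true, true);
    }

    /**
     * Creates a key store holding one private key entry with a single-certificate chain.
     * The key entry is protected by the same password as the store.
     *
     * @param filename    path of the key store file to write
     * @param password    store password, also used as key password
     * @param alias       alias of the key entry
     * @param privateKey  private key to store
     * @param cert        certificate for the key
     */
    public static void createKeyStore(String filename, String password, String alias, Key privateKey, Certificate cert)
            throws GeneralSecurityException, IOException {
        createKeyStore(filename, password, alias, privateKey, new Certificate[]{cert});
    }

    /**
     * Creates a key store holding one private key entry with the given chain.
     * The key entry is protected by the same password as the store.
     *
     * @param filename    path of the key store file to write
     * @param password    store password, also used as key password
     * @param alias       alias of the key entry
     * @param privateKey  private key to store
     * @param certs       certificate chain for the key (leaf first)
     */
    public static void createKeyStore(String filename, String password, String alias, Key privateKey, Certificate[] certs)
            throws GeneralSecurityException, IOException {
        KeyStore ks = createEmptyKeyStore();
        ks.setKeyEntry(alias, privateKey, password.toCharArray(), certs);
        saveKeyStore(ks, filename, password);
    }

    /**
     * Creates a key store whose single key entry has a password distinct from the store password.
     *
     * @param filename     path of the key store file to write
     * @param password     store password
     * @param keyPassword  password protecting the key entry
     * @param alias        alias of the key entry
     * @param privateKey   private key to store
     * @param cert         certificate for the key
     */
    public static void createKeyStore(String filename, String password, String keyPassword, String alias,
                                      Key privateKey, Certificate cert) throws GeneralSecurityException, IOException {
        KeyStore ks = createEmptyKeyStore();
        ks.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), new Certificate[]{cert});
        saveKeyStore(ks, filename, password);
    }

    /**
     * Creates a trust store containing a single trusted certificate.
     *
     * @param filename path of the trust store file to write
     * @param password store password
     * @param alias    alias for the certificate entry
     * @param cert     certificate to trust
     */
    public static void createTrustStore(String filename, String password, String alias, Certificate cert)
            throws GeneralSecurityException, IOException {
        KeyStore ks = createEmptyKeyStore();
        ks.setCertificateEntry(alias, cert);
        saveKeyStore(ks, filename, password);
    }

    /**
     * Creates a trust store containing every certificate in {@code certs}, keyed by alias.
     *
     * @param filename path of the trust store file to write
     * @param password store password
     * @param certs    alias to certificate map; every entry is added as trusted
     */
    public static <T extends Certificate> void createTrustStore(String filename, String password, Map<String, T> certs)
            throws GeneralSecurityException, IOException {
        KeyStore ks = createEmptyKeyStore();
        for (Map.Entry<String, T> entry : certs.entrySet()) {
            ks.setCertificateEntry(entry.getKey(), entry.getValue());
        }
        saveKeyStore(ks, filename, password);
    }

    /**
     * Loads a {@link #KEY_STORE_TYPE} key store from its serialised bytes.
     *
     * @param bytes    serialised key store
     * @param password store password used to verify integrity
     * @return the loaded key store
     */
    public static KeyStore bytesToKeyStore(byte[] bytes, String password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        ks.load(new ByteArrayInputStream(bytes), password.toCharArray());
        return ks;
    }

    /**
     * Deletes the files written by {@link #setupSSLConfig}. Missing files are ignored.
     *
     * <p>The config file names are resolved through the same helpers that
     * {@code setupSSLConfig} uses, so the per-fork suffix (see
     * {@link #getSSLConfigFileName}) is honoured and no stale file is left behind.
     *
     * @param keystoresDir directory holding the generated {@code .jks} files
     * @param sslConfDir   directory holding the generated ssl-*.xml files
     */
    public static void cleanupSSLConfig(String keystoresDir, String sslConfDir) throws Exception {
        new File(keystoresDir + "/clientKS.jks").delete();
        new File(keystoresDir + "/serverKS.jks").delete();
        new File(keystoresDir + "/trustKS.jks").delete();
        new File(sslConfDir, getClientSSLConfigFileName()).delete();
        new File(sslConfDir, getServerSSLConfigFileName()).delete();
    }

    /** As {@link #setupSSLConfig(String, String, Configuration, boolean, boolean)} with a trust store. */
    public static void setupSSLConfig(String keystoresDir, String sslConfDir, Configuration conf, boolean useClientCert)
            throws Exception {
        setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, true);
    }

    /**
     * As the six-argument overload with no excluded ciphers.
     * The {@code trustStore} flag is forwarded (it was previously ignored and always treated as {@code true}).
     */
    public static void setupSSLConfig(String keystoresDir, String sslConfDir, Configuration conf,
                                      boolean useClientCert, boolean trustStore) throws Exception {
        setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, trustStore, "");
    }

    /** As the nine-argument overload using the {@code *_PASSWORD_DEFAULT} constants. */
    public static void setupSSLConfig(String keystoresDir, String sslConfDir, Configuration conf,
                                      boolean useClientCert, boolean trustStore, String excludeCiphers) throws Exception {
        setupSSLConfig(keystoresDir, sslConfDir, conf, useClientCert, trustStore, excludeCiphers,
                SERVER_KEY_STORE_PASSWORD_DEFAULT, CLIENT_KEY_STORE_PASSWORD_DEFAULT, TRUST_STORE_PASSWORD_DEFAULT);
    }

    /**
     * Generates server (and optionally client) key pairs and self-signed
     * certificates, writes them to key stores, optionally writes a trust store
     * containing those certificates, and writes matching ssl-client.xml and
     * ssl-server.xml files. {@code conf} is updated to point at the files.
     *
     * <p>The generated certificates are valid for 30 days with {@code CN=localhost}.
     * {@code conf} is also set to the {@code ALLOW_ALL} hostname verifier and the
     * store passwords land in clear text in the XML files: test use only.
     * When {@code trustStore} is {@code false} no trust store is written and the
     * configs carry no truststore entries.
     *
     * @param keystoresDir    directory for clientKS.jks / serverKS.jks / trustKS.jks
     * @param sslConfDir      directory for the ssl-*.xml files
     * @param conf            configuration to update with the generated file names
     * @param useClientCert   generate a client key store and require client certs
     * @param trustStore      generate a trust store holding the generated certs
     * @param excludeCiphers  comma-separated cipher suites to exclude, or empty
     * @param serverPassword  password for the server key store and key
     * @param clientPassword  password for the client key store and key
     * @param trustPassword   password for the trust store
     */
    public static void setupSSLConfig(String keystoresDir, String sslConfDir, Configuration conf,
                                      boolean useClientCert, boolean trustStore, String excludeCiphers,
                                      String serverPassword, String clientPassword, String trustPassword)
            throws Exception {
        String clientKS = keystoresDir + "/clientKS.jks";
        String serverKS = keystoresDir + "/serverKS.jks";
        String trustKS = null;
        File sslClientConfFile = new File(sslConfDir, getClientSSLConfigFileName());
        File sslServerConfFile = new File(sslConfDir, getServerSSLConfigFileName());
        Map<String, X509Certificate> certs = new HashMap<>();

        if (useClientCert) {
            KeyPair clientKeyPair = generateKeyPair("RSA");
            X509Certificate clientCert = generateCertificate("CN=localhost, O=client", clientKeyPair, 30, "SHA256WithRSA");
            createKeyStore(clientKS, clientPassword, "client", clientKeyPair.getPrivate(), clientCert);
            certs.put("client", clientCert);
        }

        KeyPair serverKeyPair = generateKeyPair("RSA");
        X509Certificate serverCert = generateCertificate("CN=localhost, O=server", serverKeyPair, 30, "SHA256WithRSA");
        createKeyStore(serverKS, serverPassword, "server", serverKeyPair.getPrivate(), serverCert);
        certs.put("server", serverCert);

        if (trustStore) {
            trustKS = keystoresDir + "/trustKS.jks";
            createTrustStore(trustKS, trustPassword, certs);
        }

        Configuration clientSSLConf =
                createClientSSLConfig(clientKS, clientPassword, clientPassword, trustKS, trustPassword, excludeCiphers);
        Configuration serverSSLConf =
                createServerSSLConfig(serverKS, serverPassword, serverPassword, trustKS, trustPassword, excludeCiphers);
        saveConfig(sslClientConfFile, clientSSLConf);
        saveConfig(sslServerConfFile, serverSSLConf);

        // ALLOW_ALL disables hostname verification; acceptable only because the
        // peer is always localhost with a self-signed cert in these tests.
        conf.set(SSLFactory.SSL_HOSTNAME_VERIFIER_KEY, "ALLOW_ALL");
        conf.set(SSLFactory.SSL_CLIENT_CONF_KEY, sslClientConfFile.getName());
        conf.set(SSLFactory.SSL_SERVER_CONF_KEY, sslServerConfFile.getName());
        conf.setBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, useClientCert);
    }

    /** Client-side SSL config with no excluded ciphers; see {@link #createSSLConfig}. */
    public static Configuration createClientSSLConfig(String clientKS, String password, String keyPassword,
                                                      String trustKS, String trustPassword) {
        return createSSLConfig(SSLFactory.Mode.CLIENT, clientKS, password, keyPassword, trustKS, trustPassword, "");
    }

    /** Client-side SSL config; see {@link #createSSLConfig}. */
    public static Configuration createClientSSLConfig(String clientKS, String password, String keyPassword,
                                                      String trustKS, String trustPassword, String excludeCiphers) {
        return createSSLConfig(SSLFactory.Mode.CLIENT, clientKS, password, keyPassword, trustKS, trustPassword,
                excludeCiphers);
    }

    /** Server-side SSL config with no excluded ciphers; see {@link #createSSLConfig}. */
    public static Configuration createServerSSLConfig(String serverKS, String password, String keyPassword,
                                                      String trustKS, String trustPassword) throws IOException {
        return createSSLConfig(SSLFactory.Mode.SERVER, serverKS, password, keyPassword, trustKS, trustPassword, "");
    }

    /** Server-side SSL config; see {@link #createSSLConfig}. */
    public static Configuration createServerSSLConfig(String serverKS, String password, String keyPassword,
                                                      String trustKS, String trustPassword, String excludeCiphers)
            throws IOException {
        return createSSLConfig(SSLFactory.Mode.SERVER, serverKS, password, keyPassword, trustKS, trustPassword,
                excludeCiphers);
    }

    /** Name of the client SSL config file for this test fork. */
    public static String getClientSSLConfigFileName() {
        return getSSLConfigFileName("ssl-client");
    }

    /** Name of the server SSL config file for this test fork. */
    public static String getServerSSLConfigFileName() {
        return getSSLConfigFileName("ssl-server");
    }

    /**
     * Builds {@code <base>[-<fork id>].xml}. The optional suffix comes from the
     * {@code test.unique.fork.id} system property so that parallel surefire
     * forks do not overwrite each other's files.
     */
    private static String getSSLConfigFileName(String base) {
        String forkId = System.getProperty("test.unique.fork.id");
        String suffix = forkId != null ? "-" + forkId : "";
        return base + suffix + ".xml";
    }

    /**
     * Builds an SSL configuration for {@code mode}. Any {@code null} argument
     * simply omits the corresponding property; an empty {@code excludeCiphers}
     * is omitted too. The truststore reload interval is fixed at 1000 ms.
     *
     * <p>Store and key passwords are placed in the configuration in clear text.
     *
     * @param mode            client or server
     * @param keystore        key store path
     * @param password        key store password
     * @param keyPassword     key entry password
     * @param trustKS         trust store path
     * @param trustPassword   trust store password
     * @param excludeCiphers  comma-separated cipher suites to exclude
     * @return a configuration holding only the SSL properties set above
     */
    private static Configuration createSSLConfig(SSLFactory.Mode mode, String keystore, String password,
                                                 String keyPassword, String trustKS, String trustPassword,
                                                 String excludeCiphers) {
        Configuration sslConf = new Configuration(false);
        setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_LOCATION_TPL_KEY, keystore);
        setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY, password);
        setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY, keyPassword);
        setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY, trustKS);
        setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY, trustPassword);
        if (excludeCiphers != null && !excludeCiphers.isEmpty()) {
            setIfPresent(sslConf, mode, FileBasedKeyStoresFactory.SSL_EXCLUDE_CIPHER_LIST, excludeCiphers);
        }
        sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode,
                FileBasedKeyStoresFactory.SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY), "1000");
        return sslConf;
    }

    /** Sets the mode-resolved property {@code template} to {@code value} unless {@code value} is null. */
    private static void setIfPresent(Configuration conf, SSLFactory.Mode mode, String template, String value) {
        if (value != null) {
            conf.set(FileBasedKeyStoresFactory.resolvePropertyName(mode, template), value);
        }
    }

    /**
     * Writes {@code conf} as XML to {@code file}, UTF-8 encoded. The explicit
     * charset matches the encoding declared by the XML writer regardless of
     * the platform default.
     */
    public static void saveConfig(File file, Configuration conf) throws IOException {
        try (OutputStreamWriter writer = new OutputStreamWriter(new FileOutputStream(file), StandardCharsets.UTF_8)) {
            conf.writeXml(writer);
        }
    }

    /**
     * Creates a JCEKS credential provider under the test directory holding the
     * server key store password ({@code "storepass"}) and key password
     * ({@code "keypass"}). Any previous {@code test.jks} is deleted first.
     * Failures propagate to the caller unchanged.
     */
    public static void provisionPasswordsToCredentialProvider() throws Exception {
        File testDir = GenericTestUtils.getTestDir();
        Configuration conf = new Configuration();
        String providerPath = "jceks://file" + new Path(testDir.toString(), "test.jks").toUri();
        new File(testDir, "test.jks").delete();
        conf.set("hadoop.security.credential.provider.path", providerPath);
        CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
        // char[] literals rather than String constants so the secrets are not interned.
        char[] storePassword = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};
        char[] keyPassword = {'k', 'e', 'y', 'p', 'a', 's', 's'};
        provider.createCredentialEntry(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
                FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY), storePassword);
        provider.createCredentialEntry(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER,
                FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY), keyPassword);
        provider.flush();
    }

    /**
     * Returns a configuration that loads the server and client SSL config files
     * for this fork as resources and names them in the {@code SSLFactory} keys.
     */
    public static Configuration getSslConfig() {
        Configuration sslConf = new Configuration(false);
        String serverConfName = getServerSSLConfigFileName();
        String clientConfName = getClientSSLConfigFileName();
        sslConf.addResource(serverConfName);
        sslConf.addResource(clientConfName);
        sslConf.set(SSLFactory.SSL_SERVER_CONF_KEY, serverConfName);
        sslConf.set(SSLFactory.SSL_CLIENT_CONF_KEY, clientConfName);
        return sslConf;
    }

    /**
     * Disables all server certificate and hostname validation on {@code conn}
     * without presenting a client certificate. TEST USE ONLY.
     */
    public static void setAllowAllSSL(HttpsURLConnection conn) throws KeyManagementException, NoSuchAlgorithmException {
        setAllowAllSSL(conn, null);
    }

    /**
     * Disables all server certificate and hostname validation on {@code conn}
     * and presents {@code cert}/{@code keyPair} as the client identity under
     * the alias {@code "client"}. TEST USE ONLY.
     *
     * @param conn     connection to configure
     * @param cert     client certificate (the chain presented is just this one certificate)
     * @param keyPair  key pair whose private key matches {@code cert}
     */
    public static void setAllowAllSSL(HttpsURLConnection conn, final X509Certificate cert, final KeyPair keyPair)
            throws KeyManagementException, NoSuchAlgorithmException {
        setAllowAllSSL(conn, new SingleClientKeyManager(cert, keyPair));
    }

    /**
     * Installs a trust-all trust manager and a no-op hostname verifier on
     * {@code conn}. Every peer certificate is accepted, so this must never be
     * used outside tests.
     *
     * @param conn        connection to configure
     * @param keyManager  optional client key manager, or {@code null} for none
     */
    private static void setAllowAllSSL(HttpsURLConnection conn, KeyManager keyManager)
            throws KeyManagementException, NoSuchAlgorithmException {
        TrustManager[] trustAll = {new TrustAllManager()};
        KeyManager[] keyManagers = keyManager == null ? null : new KeyManager[]{keyManager};
        // "TLS" rather than the legacy "SSL" alias: same SunJSSE context, clearer intent.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustAll, new SecureRandom());
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new NoopHostnameVerifier());
    }

    /** Key manager that always offers one client identity under the alias {@code "client"}; never a server one. */
    private static final class SingleClientKeyManager implements X509KeyManager {
        private final X509Certificate cert;
        private final KeyPair keyPair;

        SingleClientKeyManager(X509Certificate cert, KeyPair keyPair) {
            this.cert = cert;
            this.keyPair = keyPair;
        }

        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return new String[]{"client"};
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            return "client";
        }

        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return null;
        }

        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return null;
        }

        @Override
        public X509Certificate[] getCertificateChain(String alias) {
            return new X509Certificate[]{cert};
        }

        @Override
        public PrivateKey getPrivateKey(String alias) {
            return keyPair.getPrivate();
        }
    }

    /**
     * Trust manager that accepts every client and server certificate chain.
     * Provides no security whatsoever; exists only so tests can talk to
     * self-signed endpoints.
     */
    private static final class TrustAllManager implements X509TrustManager {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: accept all
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // intentionally empty: accept all
        }
    }
}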
