package org.apache.hadoop.yarn.server.webproxy;

import com.google.common.annotations.VisibleForTesting;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Random;
import java.util.UUID;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
import org.apache.hadoop.yarn.server.utils.YarnServerSecurityUtils;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.util.PublicSuffixMatcherLoader;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/webproxy/ProxyCA.class */
public class ProxyCA {
    private static final String RSA_ALGORITHM = "RSA";
    private static final String CCJ_PROVIDER = "CCJ";
    private static final int KEY_SIZE_BITS = 2048;
    private final String keyStoreType;
    private final Provider securityProvider;
    private X509Certificate caCert;
    private KeyPair caKeyPair;
    private KeyStore childTrustStore;
    private final Random srand = new SecureRandom();
    private X509TrustManager defaultTrustManager;
    private X509KeyManager x509KeyManager;
    private HostnameVerifier hostnameVerifier;
    private static final Logger LOG = LoggerFactory.getLogger(ProxyCA.class);
    private static final String SIGNATURE_ALGORITHM_NAME = "SHA512WITHRSA";
    private static final AlgorithmIdentifier SIG_ALG_ID = new DefaultSignatureAlgorithmIdentifierFinder().find(SIGNATURE_ALGORITHM_NAME);

    public ProxyCA() {
        if (YarnServerSecurityUtils.isFipsEnabled()) {
            LOG.debug("FIPS-mode is enabled");
            LOG.debug("Found security providers: {}", Arrays.toString(Security.getProviders()));
            this.securityProvider = Security.getProvider(CCJ_PROVIDER);
            this.keyStoreType = "BCFKS";
            if (LOG.isTraceEnabled()) {
                YarnServerSecurityUtils.printSecurityProviders();
                LOG.trace("Provider of SecureRandom: {}", ((SecureRandom) this.srand).getProvider());
            }
            int providerIndex = YarnServerSecurityUtils.getProviderIndex(CCJ_PROVIDER);
            if (providerIndex != 1) {
                throw new YarnRuntimeException(String.format("The provider with name '%s' should be at first index. Actual index is: %d", CCJ_PROVIDER, Integer.valueOf(providerIndex)));
            }
        } else {
            LOG.debug("FIPS-mode is disabled");
            this.securityProvider = new BouncyCastleProvider();
            Security.addProvider(this.securityProvider);
            this.keyStoreType = "JKS";
        }
        LOG.debug("Active Security Provider is: {}", this.securityProvider);
        LOG.debug("Using Keystore type: {}", this.keyStoreType);
    }

    public void init() throws GeneralSecurityException, IOException {
        createCACertAndKeyPair();
        initInternal();
    }

    public void init(X509Certificate x509Certificate, PrivateKey privateKey) throws GeneralSecurityException, IOException {
        if (x509Certificate == null || privateKey == null || !verifyCertAndKeys(x509Certificate, privateKey)) {
            LOG.warn("Could not verify Certificate, Public Key, and Private Key: regenerating");
            createCACertAndKeyPair();
        } else {
            this.caCert = x509Certificate;
            this.caKeyPair = new KeyPair(x509Certificate.getPublicKey(), privateKey);
        }
        initInternal();
    }

    private void initInternal() throws GeneralSecurityException, IOException {
        this.defaultTrustManager = null;
        String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        LOG.debug("Using algorithm for TrustManager: {}", defaultAlgorithm);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(defaultAlgorithm);
        if (LOG.isTraceEnabled()) {
            LOG.trace("TrustManagerFactory instance: {}, provider: {}", trustManagerFactory, trustManagerFactory.getProvider());
        }
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        int length = trustManagers.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            TrustManager trustManager = trustManagers[i];
            if (trustManager instanceof X509TrustManager) {
                this.defaultTrustManager = (X509TrustManager) trustManager;
                break;
            }
            i++;
        }
        if (this.defaultTrustManager == null) {
            throw new YarnRuntimeException("Could not find default X509 Trust Manager");
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("TrustManager instance: {}", this.defaultTrustManager.getClass().getCanonicalName());
        }
        this.x509KeyManager = createKeyManager();
        this.hostnameVerifier = createHostnameVerifier();
        this.childTrustStore = createTrustStore("client", this.caCert);
    }

    private X509Certificate createCert(boolean z, String str, String str2, Date date, Date date2, PublicKey publicKey, PrivateKey privateKey) throws GeneralSecurityException, IOException {
        X500Name x500Name = new X500Name(str);
        X500Name x500Name2 = new X500Name(str2);
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(x500Name, new BigInteger(64, this.srand), date, date2, x500Name2, SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
        try {
            ContentSigner build = new BcRSAContentSignerBuilder(SIG_ALG_ID, new DefaultDigestAlgorithmIdentifierFinder().find(SIG_ALG_ID)).build(PrivateKeyFactory.createKey(privateKey.getEncoded()));
            if (z) {
                x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
            } else {
                x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
                x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(this.caCert));
            }
            X509Certificate certificate = new JcaX509CertificateConverter().setProvider(this.securityProvider).getCertificate(x509v3CertificateBuilder.build(build));
            LOG.info("Created Certificate for {}", x500Name2);
            return certificate;
        } catch (OperatorCreationException e) {
            throw new GeneralSecurityException((Throwable) e);
        }
    }

    private void createCACertAndKeyPair() throws GeneralSecurityException, IOException {
        Date date = new Date();
        Date time = new GregorianCalendar(2037, 11, 31).getTime();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA_ALGORITHM);
        if (LOG.isTraceEnabled()) {
            LOG.trace("KeyPairGenerator instance: {}, provider: {}", keyPairGenerator.getClass().getCanonicalName(), keyPairGenerator.getProvider());
        }
        keyPairGenerator.initialize(KEY_SIZE_BITS);
        this.caKeyPair = keyPairGenerator.genKeyPair();
        String str = "OU=YARN-" + UUID.randomUUID();
        this.caCert = createCert(true, str, str, date, time, this.caKeyPair.getPublic(), this.caKeyPair.getPrivate());
        if (LOG.isDebugEnabled()) {
            LOG.debug("CA Certificate: \n{}", this.caCert);
        }
    }

    public byte[] createChildKeyStore(ApplicationId applicationId, String str) throws Exception {
        Date date = new Date();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA_ALGORITHM);
        if (LOG.isTraceEnabled()) {
            LOG.trace("KeyPairGenerator instance: {}, provider: {}", keyPairGenerator.getClass().getCanonicalName(), keyPairGenerator.getProvider());
        }
        keyPairGenerator.initialize(KEY_SIZE_BITS);
        KeyPair genKeyPair = keyPairGenerator.genKeyPair();
        X509Certificate createCert = createCert(false, this.caCert.getSubjectX500Principal().getName(), "CN=" + applicationId, date, date, genKeyPair.getPublic(), this.caKeyPair.getPrivate());
        if (LOG.isTraceEnabled()) {
            LOG.trace("Certificate for {}: \n{}", applicationId, createCert);
        }
        return keyStoreToBytes(createChildKeyStore(str, "server", genKeyPair.getPrivate(), createCert), str);
    }

    public byte[] getChildTrustStore(String str) throws GeneralSecurityException, IOException {
        return keyStoreToBytes(this.childTrustStore, str);
    }

    private KeyStore createEmptyKeyStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(this.keyStoreType);
        if (LOG.isTraceEnabled()) {
            LOG.trace("KeyStore instance: {}, provider: {}", keyStore.getClass().getCanonicalName(), keyStore.getProvider());
        }
        keyStore.load(null, null);
        return keyStore;
    }

    private KeyStore createChildKeyStore(String str, String str2, Key key, Certificate certificate) throws GeneralSecurityException, IOException {
        KeyStore createEmptyKeyStore = createEmptyKeyStore();
        createEmptyKeyStore.setKeyEntry(str2, key, str.toCharArray(), new Certificate[]{certificate, this.caCert});
        return createEmptyKeyStore;
    }

    public String generateKeyStorePassword() {
        return RandomStringUtils.random(16, 0, 0, true, true, (char[]) null, this.srand);
    }

    private byte[] keyStoreToBytes(KeyStore keyStore, String str) throws GeneralSecurityException, IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Throwable th = null;
        try {
            try {
                keyStore.store(byteArrayOutputStream, str.toCharArray());
                byte[] byteArray = byteArrayOutputStream.toByteArray();
                if (byteArrayOutputStream != null) {
                    if (0 != 0) {
                        try {
                            byteArrayOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        byteArrayOutputStream.close();
                    }
                }
                return byteArray;
            } finally {
            }
        } catch (Throwable th3) {
            if (byteArrayOutputStream != null) {
                if (th != null) {
                    try {
                        byteArrayOutputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    byteArrayOutputStream.close();
                }
            }
            throw th3;
        }
    }

    private KeyStore createTrustStore(String str, Certificate certificate) throws GeneralSecurityException, IOException {
        KeyStore createEmptyKeyStore = createEmptyKeyStore();
        createEmptyKeyStore.setCertificateEntry(str, certificate);
        return createEmptyKeyStore;
    }

    public SSLContext createSSLContext(ApplicationId applicationId) throws GeneralSecurityException {
        TrustManager[] trustManagerArr = {createTrustManager(applicationId)};
        KeyManager[] keyManagerArr = {this.x509KeyManager};
        SSLContext sSLContext = SSLContext.getInstance("SSL");
        if (LOG.isTraceEnabled()) {
            LOG.trace("SSLContext instance: {}, provider: {}", sSLContext.getClass().getCanonicalName(), sSLContext.getProvider());
        }
        SecureRandom secureRandom = new SecureRandom();
        if (LOG.isTraceEnabled()) {
            LOG.trace("Provider of SecureRandom used for SSL Context: {}", secureRandom.getProvider());
        }
        sSLContext.init(keyManagerArr, trustManagerArr, secureRandom);
        return sSLContext;
    }

    @VisibleForTesting
    X509TrustManager createTrustManager(final ApplicationId applicationId) {
        return new X509TrustManager() { // from class: org.apache.hadoop.yarn.server.webproxy.ProxyCA.1
            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return ProxyCA.this.defaultTrustManager.getAcceptedIssuers();
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                boolean z = false;
                if (x509CertificateArr.length == 2) {
                    try {
                        x509CertificateArr[0].verify(ProxyCA.this.caKeyPair.getPublic());
                        x509CertificateArr[1].verify(ProxyCA.this.caKeyPair.getPublic());
                        z = true;
                    } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
                        ProxyCA.LOG.debug("Could not verify certificate with RM CA, falling back to default", e);
                        ProxyCA.this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str);
                    }
                } else {
                    ProxyCA.LOG.debug("Certificate not issued by RM CA, falling back to default");
                    ProxyCA.this.defaultTrustManager.checkServerTrusted(x509CertificateArr, str);
                }
                if (z) {
                    if (!x509CertificateArr[0].getSubjectX500Principal().getName().equals("CN=" + applicationId)) {
                        throw new CertificateException("Expected to find Subject X500 Principal with CN=" + applicationId + " but found " + x509CertificateArr[0].getSubjectX500Principal().getName());
                    }
                    ProxyCA.LOG.debug("Verified certificate signed by RM CA");
                }
            }
        };
    }

    @VisibleForTesting
    X509KeyManager getX509KeyManager() {
        return this.x509KeyManager;
    }

    private X509KeyManager createKeyManager() {
        return new X509KeyManager() { // from class: org.apache.hadoop.yarn.server.webproxy.ProxyCA.2
            @Override // javax.net.ssl.X509KeyManager
            public String[] getClientAliases(String str, Principal[] principalArr) {
                return new String[]{"client"};
            }

            @Override // javax.net.ssl.X509KeyManager
            public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
                return "client";
            }

            @Override // javax.net.ssl.X509KeyManager
            public String[] getServerAliases(String str, Principal[] principalArr) {
                return null;
            }

            @Override // javax.net.ssl.X509KeyManager
            public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
                return null;
            }

            @Override // javax.net.ssl.X509KeyManager
            public X509Certificate[] getCertificateChain(String str) {
                return new X509Certificate[]{ProxyCA.this.caCert};
            }

            @Override // javax.net.ssl.X509KeyManager
            public PrivateKey getPrivateKey(String str) {
                return ProxyCA.this.caKeyPair.getPrivate();
            }
        };
    }

    public HostnameVerifier getHostnameVerifier() {
        return this.hostnameVerifier;
    }

    private HostnameVerifier createHostnameVerifier() {
        final DefaultHostnameVerifier defaultHostnameVerifier = new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
        return new HostnameVerifier() { // from class: org.apache.hadoop.yarn.server.webproxy.ProxyCA.3
            @Override // javax.net.ssl.HostnameVerifier
            public boolean verify(String str, SSLSession sSLSession) {
                try {
                    Certificate[] peerCertificates = sSLSession.getPeerCertificates();
                    if (peerCertificates.length == 2) {
                        peerCertificates[0].verify(ProxyCA.this.caKeyPair.getPublic());
                        ProxyCA.LOG.debug("Verified certificate signed by RM CA, skipping hostname verification");
                        return true;
                    }
                } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
                    ProxyCA.LOG.debug("Could not verify certificate with RM CA, falling back to default hostname verification", e);
                } catch (SSLPeerUnverifiedException e2) {
                    return false;
                }
                return defaultHostnameVerifier.verify(str, sSLSession);
            }
        };
    }

    @VisibleForTesting
    void setDefaultTrustManager(X509TrustManager x509TrustManager) {
        this.defaultTrustManager = x509TrustManager;
    }

    @VisibleForTesting
    public X509Certificate getCaCert() {
        return this.caCert;
    }

    @VisibleForTesting
    public KeyPair getCaKeyPair() {
        return this.caKeyPair;
    }

    private boolean verifyCertAndKeys(X509Certificate x509Certificate, PrivateKey privateKey) throws GeneralSecurityException {
        PublicKey publicKey = x509Certificate.getPublicKey();
        byte[] bArr = new byte[2000];
        this.srand.nextBytes(bArr);
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM_NAME);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Signer 1 instance: {}, provider: {}", signature.getClass().getCanonicalName(), signature.getProvider());
        }
        signature.initSign(privateKey);
        signature.update(bArr);
        byte[] sign = signature.sign();
        Signature signature2 = Signature.getInstance(SIGNATURE_ALGORITHM_NAME);
        if (LOG.isTraceEnabled()) {
            LOG.trace("Signer 2 instance: {}, provider: {}", signature2.getClass().getCanonicalName(), signature2.getProvider());
        }
        signature2.initVerify(publicKey);
        signature2.update(bArr);
        return signature2.verify(sign);
    }
}
