package com.yahoo.vespa.hosted.node.admin.configserver.certificate;

import com.yahoo.net.HostName;
import com.yahoo.vespa.hosted.node.admin.configserver.ConfigServerApi;
import com.yahoo.vespa.hosted.node.admin.util.KeyStoreOptions;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.class */
public class ConfigServerKeyStoreRefresher {
    private static final Logger logger = Logger.getLogger(ConfigServerKeyStoreRefresher.class.getName());
    private static final String KEY_STORE_ALIAS = "alias";
    static final long MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY = 3600;
    static final String SIGNER_ALGORITHM = "SHA256withRSA";
    static final String CONFIG_SERVER_CERTIFICATE_SIGNING_PATH = "/athenz/v1/provider/sign";
    private final ScheduledExecutorService executor;
    private final KeyStoreOptions keyStoreOptions;
    private final Runnable keyStoreUpdatedCallback;
    private final ConfigServerApi configServerApi;
    private final Clock clock;
    private final String hostname;

    public ConfigServerKeyStoreRefresher(KeyStoreOptions keyStoreOptions, Runnable runnable, ConfigServerApi configServerApi) {
        this(keyStoreOptions, runnable, configServerApi, Executors.newScheduledThreadPool(0), Clock.systemUTC(), HostName.getLocalhost());
    }

    ConfigServerKeyStoreRefresher(KeyStoreOptions keyStoreOptions, Runnable runnable, ConfigServerApi configServerApi, ScheduledExecutorService scheduledExecutorService, Clock clock, String str) {
        this.keyStoreOptions = keyStoreOptions;
        this.keyStoreUpdatedCallback = runnable;
        this.configServerApi = configServerApi;
        this.executor = scheduledExecutorService;
        this.clock = clock;
        this.hostname = str;
    }

    public void start() {
        this.executor.schedule(this::refresh, getSecondsUntilNextRefresh(), TimeUnit.SECONDS);
    }

    void refresh() {
        try {
            if (refreshKeyStoreIfNeeded()) {
                this.keyStoreUpdatedCallback.run();
            }
            long secondsUntilNextRefresh = getSecondsUntilNextRefresh();
            this.executor.schedule(this::refresh, secondsUntilNextRefresh, TimeUnit.SECONDS);
            logger.log(Level.INFO, "Successfully updated keystore, scheduled next refresh in " + secondsUntilNextRefresh + "sec");
        } catch (Exception e) {
            logger.log(Level.WARNING, "Failed to update keystore on schedule, will try again in 3600sec", (Throwable) e);
            this.executor.schedule(this::refresh, MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY, TimeUnit.SECONDS);
        }
    }

    public void stop() {
        this.executor.shutdownNow();
        do {
            try {
                this.executor.awaitTermination(Long.MAX_VALUE, TimeUnit.NANOSECONDS);
            } catch (InterruptedException e) {
                logger.info("Interrupted while waiting for ConfigServerKeyStoreRefresher thread to shutdown");
            }
        } while (!this.executor.isTerminated());
    }

    public boolean refreshKeyStoreIfNeeded() throws IOException, NoSuchAlgorithmException, OperatorCreationException, CertificateException, KeyStoreException, NoSuchProviderException {
        if (!shouldRefreshCertificate()) {
            return false;
        }
        KeyPair generateKeyPair = generateKeyPair();
        storeCertificate(generateKeyPair, sendCsr(generateCsr(generateKeyPair, this.hostname)));
        return true;
    }

    private long getSecondsUntilNextRefresh() {
        long j = 0;
        try {
            j = getSecondsUntilCertificateShouldBeRefreshed();
        } catch (Exception e) {
            logger.log(Level.WARNING, "Failed to get remaining certificate lifetime", (Throwable) e);
        }
        return Math.max(MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY, j);
    }

    private boolean shouldRefreshCertificate() {
        try {
            return getSecondsUntilCertificateShouldBeRefreshed() <= 0;
        } catch (Exception e) {
            return true;
        }
    }

    private long getSecondsUntilCertificateShouldBeRefreshed() throws NoSuchAlgorithmException, CertificateException, NoSuchProviderException, KeyStoreException, IOException {
        X509Certificate configServerCertificate = getConfigServerCertificate();
        long time = configServerCertificate.getNotBefore().getTime() / 1000;
        long time2 = configServerCertificate.getNotAfter().getTime() / 1000;
        return Math.max(0L, (time + ((time2 - time) / 3)) - (this.clock.millis() / 1000));
    }

    X509Certificate getConfigServerCertificate() throws NoSuchAlgorithmException, CertificateException, NoSuchProviderException, KeyStoreException, IOException {
        return (X509Certificate) this.keyStoreOptions.loadKeyStore().getCertificate(KEY_STORE_ALIAS);
    }

    private void storeCertificate(KeyPair keyPair, X509Certificate x509Certificate) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, NoSuchProviderException {
        this.keyStoreOptions.path.getParent().toFile().mkdirs();
        X509Certificate[] x509CertificateArr = {x509Certificate};
        FileOutputStream fileOutputStream = new FileOutputStream(this.keyStoreOptions.path.toFile());
        Throwable th = null;
        try {
            try {
                KeyStore keyStoreInstance = this.keyStoreOptions.getKeyStoreInstance();
                keyStoreInstance.load(null, null);
                keyStoreInstance.setKeyEntry(KEY_STORE_ALIAS, keyPair.getPrivate(), this.keyStoreOptions.password, x509CertificateArr);
                keyStoreInstance.store(fileOutputStream, this.keyStoreOptions.password);
                if (fileOutputStream != null) {
                    if (0 == 0) {
                        fileOutputStream.close();
                        return;
                    }
                    try {
                        fileOutputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (fileOutputStream != null) {
                if (th != null) {
                    try {
                        fileOutputStream.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    fileOutputStream.close();
                }
            }
            throw th4;
        }
    }

    private X509Certificate sendCsr(PKCS10CertificationRequest pKCS10CertificationRequest) {
        return ((CertificateSerializedPayload) this.configServerApi.post(CONFIG_SERVER_CERTIFICATE_SIGNING_PATH, new CsrSerializedPayload(pKCS10CertificationRequest), CertificateSerializedPayload.class)).certificate;
    }

    static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        return keyPairGenerator.genKeyPair();
    }

    private static PKCS10CertificationRequest generateCsr(KeyPair keyPair, String str) throws NoSuchAlgorithmException, OperatorCreationException {
        return new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=" + str), keyPair.getPublic()).build(new JcaContentSignerBuilder(SIGNER_ALGORITHM).build(keyPair.getPrivate()));
    }
}
