package com.floragunn.searchguard.tools.tlstool.tasks;

import com.floragunn.searchguard.tools.tlstool.Config;
import com.floragunn.searchguard.tools.tlstool.Context;
import com.floragunn.searchguard.tools.tlstool.ToolException;
import java.io.File;
import java.security.KeyPair;
import java.util.Date;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:com/floragunn/searchguard/tools/tlstool/tasks/CreateNodeCertificate.class */
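/**
 * Task that produces the TLS material for one node: a transport certificate and,
 * unless HTTPS is disabled or transport certificates are reused for HTTP, a separate
 * HTTP (REST) certificate, each with an encrypted private key file, plus a
 * {@code _elasticsearch_config_snippet.yml} referencing those files.
 *
 * <p>Both certificates are issued by the context's signing certificate and private key
 * using the configured signature algorithm, with a serial number taken from
 * {@code Context#nextId()}. They share one end-entity profile: critical
 * {@code basicConstraints cA=false}, critical key usage
 * {@code digitalSignature|nonRepudiation|keyEncipherment}, critical extended key usage
 * {@code serverAuth} + {@code clientAuth}, and a non-critical subjectAlternativeName
 * built by the base class. The only difference between the two is the flag passed to
 * {@code createSubjectAlternativeNameList}.
 *
 * <p>The private-key password ends up in clear in {@code nodeResultConfig}
 * (see {@code setTransportPemKeyPassword}/{@code setHttpPemKeyPassword}); whatever
 * consumes that object (presumably the config snippet) must be protected accordingly.
 *
 * <p>{@link #getGeneratedCertificateCount()} and {@link #isPasswordAutoGenerated()}
 * report static state shared by all instances of this task; the fields are plain
 * statics without synchronization.
 */
public class CreateNodeCertificate extends CreateNodeCertificateBase {
    /** Number of node certificates (transport and HTTP) written by all instances. */
    private static int generatedCertificateCount = 0;
    /** Set once any instance used an auto-generated private-key password. */
    private static boolean passwordAutoGenerated = false;

    /**
     * Key usage bits of node certificates: digitalSignature | nonRepudiation | keyEncipherment.
     * (The decompiled source carried this as the literal 224.)
     */
    private static final int NODE_KEY_USAGE =
            KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment;

    private final Config.Node nodeConfig;
    /** Transport certificate file ({@code <node>.pem}); assigned in {@link #run()}. */
    private File certificateFile;
    /** HTTP certificate file ({@code <node>_http.pem}); assigned in {@link #run()}. */
    private File httpCertificateFile;

    /**
     * @param context shared tool context (target directory, CA material, id sequence)
     * @param node    configuration of the node to create certificates for
     */
    public CreateNodeCertificate(Context context, Config.Node node) {
        super(context, node);
        this.nodeConfig = node;
    }

    /**
     * Derives all output file names from the node's file name, checks whether they may be
     * (over)written and, if so, creates the transport certificate, the HTTP certificate or
     * HTTP mapping as configured, and finally the configuration snippet.
     *
     * @throws ToolException if key generation, certificate composition or file output fails
     */
    @Override // com.floragunn.searchguard.tools.tlstool.tasks.Task
    public void run() throws ToolException {
        File targetDirectory = this.ctx.getTargetDirectory();
        String baseName = getNodeFileName(this.nodeConfig);
        this.privateKeyFile = new File(targetDirectory, baseName + ".key");
        this.certificateFile = new File(targetDirectory, baseName + ".pem");
        this.httpPrivateKeyFile = new File(targetDirectory, baseName + "_http.key");
        this.httpCertificateFile = new File(targetDirectory, baseName + "_http.pem");
        this.configSnippetFile = new File(targetDirectory, baseName + "_elasticsearch_config_snippet.yml");

        // Nothing is written (and no serial number consumed) when existing files must be kept.
        if (!checkFileOverwrite("certificate", this.nodeConfig.getDn(), this.privateKeyFile, this.certificateFile,
                this.httpPrivateKeyFile, this.httpCertificateFile)) {
            return;
        }

        createTransportCertificate();
        if (!this.ctx.getConfig().getDefaults().isHttpsEnabled()) {
            this.nodeResultConfig.setHttpsEnabled(false);
        } else if (this.ctx.getConfig().getDefaults().isReuseTransportCertificatesForHttp()) {
            addTransportCertificateToConfigAsHttpCertificate();
        } else {
            createRestCertificate();
        }
        addOutputFile(this.configSnippetFile, createConfigSnippetComment(), createConfigSnippet());
    }

    /** Header comment written at the top of the elasticsearch.yml snippet. */
    private String createConfigSnippetComment() {
        return "# This is a configuration snippet for the node " + getNodeFileName(this.nodeConfig) + "\n# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.\n# If the config file already contains SearchGuard configuration, this needs to be replaced.\n# Furthermore, you need to copy the files referenced below into the same directory.\n# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.\n\n\n";
    }

    /**
     * Generates the transport key pair and certificate, writes both files and records their
     * names, the key password and the root CA file in {@code nodeResultConfig}.
     *
     * @throws ToolException if the certificate cannot be composed or signed
     */
    private void createTransportCertificate() throws ToolException {
        try {
            KeyPair keyPair = generateKeyPair(this.nodeConfig);
            X509CertificateHolder certificate = buildSignedCertificate(keyPair, true);
            String password = getPassword(this.nodeConfig.getPkPassword());
            addEncryptedOutputFile(this.privateKeyFile, password, keyPair.getPrivate());
            writeCertificate(this.certificateFile, certificate);
            this.nodeResultConfig.setTransportPemCertFilePath(this.certificateFile.getName());
            this.nodeResultConfig.setTransportPemKeyFilePath(this.privateKeyFile.getName());
            this.nodeResultConfig.setTransportPemKeyPassword(password);
            this.nodeResultConfig.setTransportPemTrustedCasFilePath(this.ctx.getRootCaFile().getName());
            recordGeneratedCertificate();
        } catch (CertIOException | OperatorCreationException e) {
            throw new ToolException("Error while composing certificate for " + this.nodeConfig, e);
        }
    }

    /**
     * Generates the HTTP (REST) key pair and certificate, writes both files and records their
     * names, the key password and the root CA file in {@code nodeResultConfig}.
     *
     * @throws ToolException if the certificate cannot be composed or signed
     */
    private void createRestCertificate() throws ToolException {
        try {
            KeyPair keyPair = generateKeyPair(this.nodeConfig);
            X509CertificateHolder certificate = buildSignedCertificate(keyPair, false);
            String password = getPassword(this.nodeConfig.getPkPassword());
            addEncryptedOutputFile(this.httpPrivateKeyFile, password, keyPair.getPrivate());
            writeCertificate(this.httpCertificateFile, certificate);
            this.nodeResultConfig.setHttpPemCertFilePath(this.httpCertificateFile.getName());
            this.nodeResultConfig.setHttpPemKeyFilePath(this.httpPrivateKeyFile.getName());
            this.nodeResultConfig.setHttpPemKeyPassword(password);
            this.nodeResultConfig.setHttpPemTrustedCasFilePath(this.ctx.getRootCaFile().getName());
            recordGeneratedCertificate();
        } catch (CertIOException | OperatorCreationException e) {
            throw new ToolException("Error while composing HTTP certificate for " + this.nodeConfig, e);
        }
    }

    /**
     * Builds and signs an end-entity certificate for this node's DN carrying the given
     * public key. Validity starts now and lasts {@code nodeConfig.getValidityDays()} days as
     * computed by {@code getEndDate}.
     *
     * @param keyPair      the node's freshly generated key pair; only its public key is embedded
     * @param transportSan flag handed to {@code createSubjectAlternativeNameList}
     *                     ({@code true} for the transport certificate, {@code false} for HTTP)
     * @return the signed certificate
     * @throws CertIOException           if an extension cannot be encoded
     * @throws OperatorCreationException if the content signer cannot be created
     */
    private X509CertificateHolder buildSignedCertificate(KeyPair keyPair, boolean transportSan)
            throws CertIOException, OperatorCreationException {
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        X500Name subject = createDn(this.nodeConfig.getDn(), "node");
        Date notBefore = new Date(System.currentTimeMillis());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                this.ctx.getSigningCertificate().getSubject(),
                this.ctx.nextId(),
                notBefore,
                getEndDate(notBefore, this.nodeConfig.getValidityDays().intValue()),
                subject,
                publicKeyInfo);

        JcaX509ExtensionUtils extUtils = getExtUtils();
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(this.ctx.getSigningCertificate()));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        // End-entity only: a node certificate must never be able to issue further certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(NODE_KEY_USAGE));
        // Nodes are both TLS server and TLS client, hence both purposes.
        builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(
                new KeyPurposeId[] {KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth}));
        builder.addExtension(Extension.subjectAlternativeName, false,
                new DERSequence(createSubjectAlternativeNameList(transportSan)));

        return builder.build(new JcaContentSignerBuilder(this.ctx.getConfig().getDefaults().getSignatureAlgorithm())
                .setProvider(this.ctx.getSecurityProvider())
                .build(this.ctx.getSigningPrivateKey()));
    }

    /**
     * Writes a certificate file; when an intermediate CA is configured the signing
     * certificate is appended so the file holds the full chain up to the root.
     */
    private void writeCertificate(File file, X509CertificateHolder certificate) throws ToolException {
        if (this.ctx.getConfig().getCa().getIntermediate() == null) {
            addOutputFile(file, certificate);
        } else {
            addOutputFile(file, certificate, this.ctx.getSigningCertificate());
        }
    }

    /** Updates the static counter/flag reported by the public static getters. */
    private void recordGeneratedCertificate() {
        generatedCertificateCount++;
        if (isPasswordAutoGenerationEnabled(this.nodeConfig.getPkPassword())) {
            passwordAutoGenerated = true;
        }
    }

    /**
     * Points the HTTP entries of {@code nodeResultConfig} at the transport certificate, key,
     * key password and trusted CAs; used when transport certificates are reused for HTTP.
     */
    private void addTransportCertificateToConfigAsHttpCertificate() {
        this.nodeResultConfig.setHttpPemCertFilePath(this.nodeResultConfig.getTransportPemCertFilePath());
        this.nodeResultConfig.setHttpPemKeyFilePath(this.nodeResultConfig.getTransportPemKeyFilePath());
        this.nodeResultConfig.setHttpPemKeyPassword(this.nodeResultConfig.getTransportPemKeyPassword());
        this.nodeResultConfig.setHttpPemTrustedCasFilePath(this.nodeResultConfig.getTransportPemTrustedCasFilePath());
    }

    /** @return number of node certificates generated by all instances so far */
    public static int getGeneratedCertificateCount() {
        return generatedCertificateCount;
    }

    /** @return whether any instance used an auto-generated private-key password */
    public static boolean isPasswordAutoGenerated() {
        return passwordAutoGenerated;
    }
}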
