package com.floragunn.searchguard.tools.tlstool.tasks;

import com.floragunn.searchguard.tools.tlstool.Config;
import com.floragunn.searchguard.tools.tlstool.Context;
import com.floragunn.searchguard.tools.tlstool.ToolException;
import java.io.File;
import java.io.IOException;
import java.security.KeyPair;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: input_file:com/floragunn/searchguard/tools/tlstool/tasks/CreateNodeCsr.class */
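/**
 * Task that produces, for one node, a private key and a PKCS#10 certificate signing
 * request (CSR) for the transport layer and - when HTTPS is enabled and transport
 * certificates are not reused for HTTP - a second key/CSR pair for the HTTP layer.
 *
 * <p>Every CSR carries, via the PKCS#9 {@code extensionRequest} attribute, a critical
 * keyUsage extension (digitalSignature | nonRepudiation | keyEncipherment), a critical
 * extendedKeyUsage extension (serverAuth + clientAuth for transport, serverAuth only
 * for HTTP) and a non-critical subjectAlternativeName extension. These are requests
 * only; the PKI that signs the CSR decides which of them end up in the certificate.
 *
 * <p>Outputs (all placed in the target directory, named after the node):
 * {@code <node>.key}, {@code <node>.csr}, {@code <node>_http.key},
 * {@code <node>_http.csr} and {@code <node>_elasticsearch_config_snippet.yml}.
 * The private keys are written through {@code addEncryptedOutputFile} with the password
 * returned by {@code getPassword}; the same password is stored in {@code nodeResultConfig},
 * which presumably ends up in the config snippet - treat that snippet as a secret.
 *
 * <p>This class keeps process-wide static counters ({@link #getGeneratedCsrCount()},
 * {@link #isPasswordAutoGenerated()}); they are not synchronized and are shared by all
 * instances.
 */
public class CreateNodeCsr extends CreateNodeCertificateBase {
    /**
     * keyUsage bits requested for every node CSR. Equals the bit mask 224 used by the
     * original (decompiled) code: digitalSignature (128) | nonRepudiation (64) |
     * keyEncipherment (32).
     */
    private static final int NODE_KEY_USAGE =
            KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment;

    /** Placeholder written into the result config where the operator must fill in the CA path. */
    private static final String TRUSTED_CA_PLACEHOLDER = "<add path to trusted ca>";

    // Process-wide counters; shared by all instances and not synchronized.
    private static int generatedCsrCount = 0;
    private static boolean passwordAutoGenerated = false;

    private Config.Node nodeConfig;
    private File transportCsrFile;
    private File httpCsrFile;

    /**
     * Creates the task for one node.
     *
     * @param context tool context (target directory, global config)
     * @param node    the node whose key material and CSRs are to be generated
     */
    public CreateNodeCsr(Context context, Config.Node node) {
        super(context, node);
        this.nodeConfig = node;
    }

    /**
     * Generates the key/CSR pair(s) and the config snippet for the node.
     *
     * <p>Nothing is generated when {@code checkFileOverwrite} (base class, not visible here)
     * reports that the output files must not be replaced. The HTTP branch is chosen from the
     * global defaults: HTTPS disabled -> no HTTP material; reuse enabled -> transport paths
     * are copied into the HTTP slots; otherwise a dedicated HTTP key/CSR pair is created.
     *
     * @throws ToolException if composing or signing a CSR fails
     */
    @Override // com.floragunn.searchguard.tools.tlstool.tasks.Task
    public void run() throws ToolException {
        this.privateKeyFile = targetFile(".key");
        this.transportCsrFile = targetFile(".csr");
        this.httpPrivateKeyFile = targetFile("_http.key");
        this.httpCsrFile = targetFile("_http.csr");
        this.configSnippetFile = targetFile("_elasticsearch_config_snippet.yml");

        if (!checkFileOverwrite("certificate", this.nodeConfig.getDn(), this.privateKeyFile, this.transportCsrFile,
                this.httpPrivateKeyFile, this.httpCsrFile)) {
            return;
        }

        createTransportCsr();

        if (!this.ctx.getConfig().getDefaults().isHttpsEnabled()) {
            this.nodeResultConfig.setHttpsEnabled(false);
        } else if (this.ctx.getConfig().getDefaults().isReuseTransportCertificatesForHttp()) {
            addTransportCertificateToConfigAsHttpCertificate();
        } else {
            createHttpCsr();
        }

        addOutputFile(this.configSnippetFile, createConfigSnippetComment(), createConfigSnippet());
    }

    /**
     * Resolves an output file in the target directory, named after the node plus {@code suffix}.
     *
     * @param suffix file name suffix including any leading separator or dot
     * @return the file {@code <targetDirectory>/<nodeFileName><suffix>}
     */
    private File targetFile(String suffix) {
        return new File(this.ctx.getTargetDirectory(), getNodeFileName(this.nodeConfig) + suffix);
    }

    /**
     * Builds the leading comment of the config snippet that explains to the operator how the
     * generated CSR(s) and key(s) are to be used. Mentions the HTTP CSR only when HTTPS is enabled.
     *
     * @return the YAML comment block, terminated by blank lines
     */
    private String createConfigSnippetComment() {
        return "# This is a configuration snippet for the node " + getNodeFileName(this.nodeConfig) + "\n# Before you can proceed with configuration, you need to pass the generated signing request which can be found in the\n# file " + this.transportCsrFile.getName() + (this.ctx.getConfig().getDefaults().isHttpsEnabled() ? " and " + this.httpCsrFile.getName() : "") + " to your PKI in order to get the actual certificates.\n# If you do not have a PKI, you can use this tool with the options --create-ca and --create-cert to create a self signed CA\n# and sign the certificates with that CA.\n\n# The generated certificates need to be copied to the config directory of the node's ElasticSearch installation.\n# Furthermore, the private key files (with the suffix .key) generated by this tool need to be copied to that directory\n# as well.\n\n# This config snippet needs to be inserted into the file elasticsearch.yml which can be also found in the config dir.\n# If the config file already contains SearchGuard configuration, this needs to be replaced.\n# References to the PEM files for certificates need to be adjusted to match the names of the generated certificates.\n\n# Please refer to http://docs.search-guard.com/latest/configuring-tls for further configuration of your installation.\n\n\n";
    }

    /**
     * Generates the transport-layer key pair and CSR.
     *
     * <p>Subject is the node DN as configured; extended key usage requests both serverAuth and
     * clientAuth because transport connections are mutually authenticated. The encrypted key,
     * the CSR and the corresponding result-config entries (key path, key password, placeholder
     * CA/cert paths) are recorded, then the static counters are updated.
     *
     * @throws ToolException wrapping the BouncyCastle/IO failure
     */
    private void createTransportCsr() throws ToolException {
        try {
            KeyPair keyPair = generateKeyPair(this.nodeConfig);
            JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(
                    new X500Principal(this.nodeConfig.getDn()), keyPair.getPublic());
            PKCS10CertificationRequest csr = buildCsr(builder, keyPair,
                    new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth}, true);

            String password = getPassword(this.nodeConfig.getPkPassword());
            addEncryptedOutputFile(this.privateKeyFile, password, keyPair.getPrivate());
            addOutputFile(this.transportCsrFile, csr);

            this.nodeResultConfig.setTransportPemKeyFilePath(this.privateKeyFile.getPath());
            this.nodeResultConfig.setTransportPemKeyPassword(password);
            this.nodeResultConfig.setTransportPemTrustedCasFilePath(TRUSTED_CA_PLACEHOLDER);
            this.nodeResultConfig.setTransportPemCertFilePath(
                    "<path to transport certificate for " + getNodeFileName(this.nodeConfig) + ">");

            recordGeneratedCsr();
        } catch (OperatorCreationException | IOException e) {
            throw new ToolException("Error while composing certificate signing request", e);
        }
    }

    /**
     * Generates the HTTP-layer key pair and CSR.
     *
     * <p>Subject is derived via {@code createDn(dn, "node")} (base class); extended key usage
     * requests serverAuth only, since the HTTP certificate is presented by the server side.
     * Output handling mirrors {@link #createTransportCsr()} using the HTTP file slots.
     *
     * @throws ToolException wrapping the BouncyCastle/IO failure
     */
    private void createHttpCsr() throws ToolException {
        try {
            KeyPair keyPair = generateKeyPair(this.nodeConfig);
            JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(
                    createDn(this.nodeConfig.getDn(), "node"), keyPair.getPublic());
            PKCS10CertificationRequest csr = buildCsr(builder, keyPair,
                    new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth}, false);

            String password = getPassword(this.nodeConfig.getPkPassword());
            addEncryptedOutputFile(this.httpPrivateKeyFile, password, keyPair.getPrivate());
            addOutputFile(this.httpCsrFile, csr);

            this.nodeResultConfig.setHttpPemKeyFilePath(this.httpPrivateKeyFile.getPath());
            this.nodeResultConfig.setHttpPemKeyPassword(password);
            this.nodeResultConfig.setHttpPemTrustedCasFilePath(TRUSTED_CA_PLACEHOLDER);
            this.nodeResultConfig.setHttpPemCertFilePath(
                    "<path to HTTP certificate for " + getNodeFileName(this.nodeConfig) + ">");

            recordGeneratedCsr();
        } catch (OperatorCreationException | IOException e) {
            throw new ToolException("Error while composing HTTP certificate for " + this.nodeConfig, e);
        }
    }

    /**
     * Attaches the requested X.509 extensions to {@code builder} and signs the CSR with the
     * node's private key using the configured signature algorithm.
     *
     * @param builder           request builder already holding subject and public key
     * @param keyPair           the node key pair; its private key signs the request
     * @param extendedKeyUsages purposes for the critical extendedKeyUsage extension
     * @param transportLayer    passed to {@code createSubjectAlternativeNameList}; the transport
     *                          CSR passes {@code true}, the HTTP CSR {@code false} (meaning of the
     *                          flag is defined in the base class, not visible here)
     * @return the signed PKCS#10 request
     * @throws IOException              if an extension cannot be encoded
     * @throws OperatorCreationException if the content signer cannot be created
     */
    private PKCS10CertificationRequest buildCsr(JcaPKCS10CertificationRequestBuilder builder, KeyPair keyPair,
            KeyPurposeId[] extendedKeyUsages, boolean transportLayer) throws IOException, OperatorCreationException {
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        // keyUsage and extendedKeyUsage are marked critical so a relying party that does not
        // understand them rejects the certificate rather than ignoring the constraint.
        extensions.addExtension(Extension.keyUsage, true, new KeyUsage(NODE_KEY_USAGE));
        extensions.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(extendedKeyUsages));
        extensions.addExtension(Extension.subjectAlternativeName, false,
                new DERSequence(createSubjectAlternativeNameList(transportLayer)));
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());

        JcaContentSignerBuilder signerBuilder =
                new JcaContentSignerBuilder(this.ctx.getConfig().getDefaults().getSignatureAlgorithm());
        return builder.build(signerBuilder.build(keyPair.getPrivate()));
    }

    /**
     * Bumps the process-wide CSR counter and remembers whether the key password for this node
     * was auto-generated (so the tool can tell the operator afterwards).
     */
    private void recordGeneratedCsr() {
        generatedCsrCount++;
        if (isPasswordAutoGenerationEnabled(this.nodeConfig.getPkPassword())) {
            passwordAutoGenerated = true;
        }
    }

    /** @return number of CSRs generated by all instances in this process */
    public static int getGeneratedCsrCount() {
        return generatedCsrCount;
    }

    /** @return {@code true} if at least one generated key was protected with an auto-generated password */
    public static boolean isPasswordAutoGenerated() {
        return passwordAutoGenerated;
    }

    /**
     * Points the HTTP slots of the result config at the transport key material so the node uses
     * the same certificate and key for both layers. Only reached when
     * {@code isReuseTransportCertificatesForHttp()} is set and after {@link #createTransportCsr()}
     * has filled the transport slots.
     */
    private void addTransportCertificateToConfigAsHttpCertificate() {
        this.nodeResultConfig.setHttpPemCertFilePath(this.nodeResultConfig.getTransportPemCertFilePath());
        this.nodeResultConfig.setHttpPemKeyFilePath(this.nodeResultConfig.getTransportPemKeyFilePath());
        this.nodeResultConfig.setHttpPemKeyPassword(this.nodeResultConfig.getTransportPemKeyPassword());
        // NOTE(review): the HTTP trusted-CAs slot is filled from the transport *certificate* path,
        // not the transport trusted-CAs path, so the snippet would name the node's own leaf
        // certificate as the HTTP trust anchor. Looks like a copy/paste slip; confirm against the
        // result-config getters before changing.
        this.nodeResultConfig.setHttpPemTrustedCasFilePath(this.nodeResultConfig.getTransportPemCertFilePath());
    }
}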
