package org.apache.hadoop.hdds.scm.server;

import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.utils.MetadataKeyFilters;
import org.apache.hadoop.hdds.utils.db.BatchOperation;
import org.apache.hadoop.hdds.utils.db.Table;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/server/SCMCertStore.class */
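/**
 * {@link CertificateStore} backed by the SCM metadata store.
 *
 * <p>Valid and revoked certificates are kept in separate tables keyed by serial number.
 * A revocation also writes the signed CRL and the CRL sequence id it was issued under.
 *
 * <p>Thread-safety: {@link #storeValidCertificate} and {@link #revokeCertificates} are
 * serialized by an internal lock. {@link #getCertificateByID} and {@link #listCertificate}
 * read the tables without taking that lock.
 */
public class SCMCertStore implements CertificateStore {
    private static final Logger LOG = LoggerFactory.getLogger(SCMCertStore.class);
    private final SCMMetadataStore scmMetadataStore;
    private final Lock lock = new ReentrantLock();
    // Only ever assigned in the constructor, so it can be final.
    private final AtomicLong crlSequenceId;

    /**
     * Creates a certificate store on top of the given metadata store.
     *
     * @param sCMMetadataStore metadata store that owns the certificate and CRL tables
     * @param j initial CRL sequence id; the first CRL written by this instance gets {@code j + 1}
     */
    public SCMCertStore(SCMMetadataStore sCMMetadataStore, long j) {
        this.scmMetadataStore = sCMMetadataStore;
        this.crlSequenceId = new AtomicLong(j);
    }

    /**
     * Stores a certificate in the valid-certificates table.
     *
     * <p>The existence check and the write happen under the store lock, so two concurrent
     * callers cannot both insert the same serial number through this method.
     *
     * @param bigInteger serial number used as the table key
     * @param x509Certificate certificate to store
     * @throws SCMSecurityException if the serial number already exists in either the valid
     *     or the revoked table
     * @throws IOException if the metadata store cannot be read or written
     */
    public void storeValidCertificate(BigInteger bigInteger, X509Certificate x509Certificate) throws IOException {
        this.lock.lock();
        try {
            // A serial that was ever issued (valid or revoked) must never be reused:
            // a reused serial would make CRL entries ambiguous.
            boolean knownAsValid = getCertificateByID(bigInteger, CertificateStore.CertType.VALID_CERTS) != null;
            if (knownAsValid || getCertificateByID(bigInteger, CertificateStore.CertType.REVOKED_CERTS) != null) {
                throw new SCMSecurityException("Conflicting certificate ID");
            }
            this.scmMetadataStore.getValidCertsTable().put(bigInteger, x509Certificate);
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Revokes the given certificates and records a signed CRL for them.
     *
     * <p>Serial numbers that are not in the valid table, or that are already in the revoked
     * table, are logged and skipped. If at least one certificate remains, a CRL containing
     * the remaining entries is signed by {@code cRLApprover} and written, together with the
     * next CRL sequence id, in a single batch. The certificates are moved from the valid to
     * the revoked table in that same batch only when {@code date} is not in the future;
     * with a future {@code date} the CRL is still stored but the tables are left as they are.
     *
     * @param list serial numbers to revoke
     * @param x509CertificateHolder CA certificate whose issuer name is used for the CRL
     * @param cRLReason revocation reason recorded on every CRL entry
     * @param date revocation time recorded on every CRL entry
     * @param cRLApprover signer for the CRL
     * @return the sequence id of the CRL that was written, or empty if nothing was revoked
     * @throws SCMSecurityException if the CRL cannot be created or signed
     * @throws IOException if the metadata store cannot be read or written
     */
    public Optional<Long> revokeCertificates(List<BigInteger> list, X509CertificateHolder x509CertificateHolder, CRLReason cRLReason, Date date, CRLApprover cRLApprover) throws IOException {
        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(x509CertificateHolder.getIssuer(), now);
        List<X509Certificate> toRevoke = new ArrayList<>();
        Optional<Long> sequenceId = Optional.empty();
        this.lock.lock();
        try {
            for (BigInteger serialId : list) {
                X509Certificate certificate = getCertificateByID(serialId, CertificateStore.CertType.VALID_CERTS);
                // The unknown-serial check must not depend on the log level: previously it
                // was fused with LOG.isWarnEnabled(), so with WARN disabled a null
                // certificate reached the CRL builder and the batch loop below.
                if (certificate == null) {
                    LOG.warn("Trying to revoke a certificate that is not valid. Serial ID: {}", serialId);
                    continue;
                }
                if (getCertificateByID(serialId, CertificateStore.CertType.REVOKED_CERTS) != null) {
                    LOG.warn("Trying to revoke a certificate that is already revoked.");
                    continue;
                }
                crlBuilder.addCRLEntry(serialId, date, cRLReason.getValue().intValue());
                toRevoke.add(certificate);
            }
            if (toRevoke.isEmpty()) {
                return sequenceId;
            }
            try {
                X509CRL crl = cRLApprover.sign(crlBuilder);
                // try-with-resources closes the batch on every path, including when a
                // put or the commit throws; the previous form only closed it on success.
                try (BatchOperation batch = this.scmMetadataStore.getStore().initBatchOperation()) {
                    // Only move certificates once the revocation time has been reached.
                    if (!now.before(date)) {
                        for (X509Certificate certificate : toRevoke) {
                            this.scmMetadataStore.getRevokedCertsTable().putWithBatch(batch, certificate.getSerialNumber(), certificate);
                            this.scmMetadataStore.getValidCertsTable().deleteWithBatch(batch, certificate.getSerialNumber());
                        }
                    }
                    // NOTE(review): the in-memory counter advances before the commit, so a
                    // failed commit leaves a gap between it and the persisted sequence id.
                    long nextId = this.crlSequenceId.incrementAndGet();
                    this.scmMetadataStore.getCRLInfoTable().putWithBatch(batch, Long.valueOf(nextId), new CRLInfo.Builder().setX509CRL(crl).setCreationTimestamp(now.getTime()).build());
                    this.scmMetadataStore.getCRLSequenceIdTable().putWithBatch(batch, "CRL_SEQUENCE_ID", Long.valueOf(nextId));
                    this.scmMetadataStore.getStore().commitBatchOperation(batch);
                    sequenceId = Optional.of(Long.valueOf(nextId));
                }
            } catch (OperatorCreationException | CRLException e) {
                throw new SCMSecurityException("Unable to create Certificate Revocation List.", e);
            }
            return sequenceId;
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Currently a no-op: this implementation does not remove anything.
     *
     * @param bigInteger serial number of the expired certificate (ignored)
     * @throws IOException never thrown by this implementation
     */
    public void removeExpiredCertificate(BigInteger bigInteger) throws IOException {
        // NOTE(review): expired certificates therefore stay in the valid table; callers
        // that trust a lookup in that table presumably check validity dates themselves.
    }

    /**
     * Looks up a certificate by serial number.
     *
     * @param bigInteger serial number to look up
     * @param certType {@code VALID_CERTS} reads the valid table; any other value reads the
     *     revoked table
     * @return the stored certificate, or {@code null} when the table has no such entry
     * @throws IOException if the metadata store cannot be read
     */
    public X509Certificate getCertificateByID(BigInteger bigInteger, CertificateStore.CertType certType) throws IOException {
        if (certType == CertificateStore.CertType.VALID_CERTS) {
            return (X509Certificate) this.scmMetadataStore.getValidCertsTable().get(bigInteger);
        }
        return (X509Certificate) this.scmMetadataStore.getRevokedCertsTable().get(bigInteger);
    }

    /**
     * Lists certificates from the valid or the revoked table.
     *
     * @param nodeType not used by this implementation; results are not filtered by node type
     * @param bigInteger serial number to start from; zero or {@code null} starts from the
     *     beginning of the table
     * @param i maximum number of entries to read
     * @param certType {@code VALID_CERTS} reads the valid table; any other value reads the
     *     revoked table
     * @return the certificates found, in the order the table returned them
     * @throws SCMSecurityException if an entry cannot be read from the table
     * @throws IOException if the range read itself fails
     */
    public List<X509Certificate> listCertificate(HddsProtos.NodeType nodeType, BigInteger bigInteger, int i, CertificateStore.CertType certType) throws IOException {
        // signum() instead of longValue() == 0: longValue() keeps only the low 64 bits, so
        // a large non-zero serial whose low bits are all zero was treated as "no start key".
        BigInteger startKey = (bigInteger != null && bigInteger.signum() == 0) ? null : bigInteger;
        List<?> rangeKVs = certType == CertificateStore.CertType.VALID_CERTS
                ? this.scmMetadataStore.getValidCertsTable().getRangeKVs(startKey, i, new MetadataKeyFilters.MetadataKeyFilter[0])
                : this.scmMetadataStore.getRevokedCertsTable().getRangeKVs(startKey, i, new MetadataKeyFilters.MetadataKeyFilter[0]);
        List<X509Certificate> certificates = new ArrayList<>(rangeKVs.size());
        for (Object entry : rangeKVs) {
            try {
                certificates.add((X509Certificate) ((Table.KeyValue<?, ?>) entry).getValue());
            } catch (IOException e) {
                LOG.error("Fail to list certificate from SCM metadata store", e);
                // Keep the cause so the caller's stack trace shows the storage failure.
                throw new SCMSecurityException("Fail to list certificate from SCM metadata store.", e);
            }
        }
        return certificates;
    }
}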
