package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.util.Pair;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.ExponentialBackOff;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.EventHandler;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppCertificateGeneratedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AllocationFileLoaderService;
import org.apache.hadoop.yarn.server.security.CertificateLocalizationService;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager.class */
public class RMAppCertificateManager extends AbstractService implements EventHandler<RMAppCertificateManagerEvent> {
    private static final String SECURITY_PROVIDER = "BC";
    private static final String KEY_ALGORITHM = "RSA";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final int KEY_SIZE = 1024;
    private static final int REVOCATION_QUEUE_SIZE = 100;
    private static final Pattern CONF_TIME_PATTERN;
    private final SecureRandom rng;
    private final String TMP;
    private final BlockingQueue<CertificateRevocationEvent> revocationEvents;
    private RMContext rmContext;
    private Configuration conf;
    private EventHandler handler;
    private CertificateLocalizationService certificateLocalizationService;
    private KeyPairGenerator keyPairGenerator;
    private RMAppCertificateActions rmAppCertificateActions;
    private Thread revocationEventsHandler;
    private boolean isRPCTLSEnabled;
    private final int RENEWER_THREAD_POOL = 5;
    private final ScheduledExecutorService scheduler;
    private final Map<ApplicationId, ScheduledFuture> renewalTasks;
    private Long amountOfTimeToSubtractFromExpiration;
    private TemporalUnit renewalUnitOfTime;
    private Long revocationMonitorInterval;
    private TemporalUnit revocationUnitOfInterval;
    private Thread revocationMonitor;
    private static final Log LOG = LogFactory.getLog(RMAppCertificateManager.class);
    private static final Map<String, ChronoUnit> CHRONOUNITS = new HashMap();

    @InterfaceAudience.Private
    @VisibleForTesting
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$CertificateRenewer.class */
    public class CertificateRenewer implements Runnable {
        protected final ApplicationId appId;
        protected final String appUser;
        protected Integer currentCryptoVersion;
        protected long backOffTime = 0;
        protected final BackOff backOff = createBackOffPolicy();

        public CertificateRenewer(ApplicationId applicationId, String str, Integer num) {
            this.appId = applicationId;
            this.appUser = str;
            this.currentCryptoVersion = num;
        }

        private BackOff createBackOffPolicy() {
            return new ExponentialBackOff.Builder().setInitialIntervalMillis(200L).setMaximumIntervalMillis(AllocationFileLoaderService.ALLOC_RELOAD_WAIT_MS).setMultiplier(1.5d).setMaximumRetries(4).build();
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                RMAppCertificateManager.LOG.debug("Renewing certificate for application " + this.appId);
                KeyPair generateKeyPair = RMAppCertificateManager.this.generateKeyPair();
                RMAppCertificateManager rMAppCertificateManager = RMAppCertificateManager.this;
                ApplicationId applicationId = this.appId;
                String str = this.appUser;
                Integer valueOf = Integer.valueOf(this.currentCryptoVersion.intValue() + 1);
                this.currentCryptoVersion = valueOf;
                X509Certificate sendCSRAndGetSigned = RMAppCertificateManager.this.sendCSRAndGetSigned(rMAppCertificateManager.generateCSR(applicationId, str, generateKeyPair, valueOf));
                long time = sendCSRAndGetSigned.getNotAfter().getTime();
                KeyStoresWrapper createApplicationStores = RMAppCertificateManager.this.createApplicationStores(sendCSRAndGetSigned, generateKeyPair.getPrivate(), this.appUser, this.appId);
                byte[] rawKeyStore = createApplicationStores.getRawKeyStore(TYPE.KEYSTORE);
                byte[] rawKeyStore2 = createApplicationStores.getRawKeyStore(TYPE.TRUSTSTORE);
                RMAppCertificateManager.this.rmContext.getCertificateLocalizationService().updateCryptoMaterial(this.appUser, this.appId.toString(), ByteBuffer.wrap(rawKeyStore), String.valueOf(createApplicationStores.keyStorePassword), ByteBuffer.wrap(rawKeyStore2), String.valueOf(createApplicationStores.trustStorePassword));
                RMAppCertificateManager.this.renewalTasks.remove(this.appId);
                RMAppCertificateManager.this.handler.handle(new RMAppCertificateGeneratedEvent(this.appId, rawKeyStore, createApplicationStores.keyStorePassword, rawKeyStore2, createApplicationStores.trustStorePassword, time, RMAppEventType.CERTS_RENEWED));
                RMAppCertificateManager.LOG.debug("Renewed certificate for application " + this.appId);
            } catch (Exception e) {
                RMAppCertificateManager.LOG.error(e, e);
                RMAppCertificateManager.this.renewalTasks.remove(this.appId);
                this.backOffTime = this.backOff.getBackOffInMillis();
                if (this.backOffTime == -1) {
                    RMAppCertificateManager.LOG.error("Failed to renew certificate for application " + this.appId + ". Failed more than 4 times, giving up");
                    return;
                }
                RMAppCertificateManager.LOG.warn("Failed to renew certificate for application " + this.appId + ". Retrying in " + this.backOffTime + " ms");
                RMAppCertificateManager.this.renewalTasks.put(this.appId, RMAppCertificateManager.this.scheduler.schedule(this, this.backOffTime, TimeUnit.MILLISECONDS));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$CertificateRevocationEvent.class */
    public class CertificateRevocationEvent {
        private final String identifier;

        private CertificateRevocationEvent(String str) {
            this.identifier = str;
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$CertificateRevocationMonitor.class */
    private class CertificateRevocationMonitor extends Thread {
        private final Map<ChronoUnit, TimeUnit> CHRONO_MAPPING;
        private final TimeUnit intervalForSleep;

        private CertificateRevocationMonitor() {
            this.CHRONO_MAPPING = new HashMap();
            this.CHRONO_MAPPING.put(ChronoUnit.MILLIS, TimeUnit.MILLISECONDS);
            this.CHRONO_MAPPING.put(ChronoUnit.SECONDS, TimeUnit.SECONDS);
            this.CHRONO_MAPPING.put(ChronoUnit.MINUTES, TimeUnit.MINUTES);
            this.CHRONO_MAPPING.put(ChronoUnit.HOURS, TimeUnit.HOURS);
            this.CHRONO_MAPPING.put(ChronoUnit.DAYS, TimeUnit.DAYS);
            this.intervalForSleep = this.CHRONO_MAPPING.get(RMAppCertificateManager.this.revocationUnitOfInterval);
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    Instant now = Instant.now();
                    for (Map.Entry<ApplicationId, RMApp> entry : RMAppCertificateManager.this.rmContext.getRMApps().entrySet()) {
                        RMApp value = entry.getValue();
                        if (value.isAppRotatingCryptoMaterial() && Instant.ofEpochMilli(value.getMaterialRotationStartTime()).minus(RMAppCertificateManager.this.revocationMonitorInterval.longValue(), RMAppCertificateManager.this.revocationUnitOfInterval).isBefore(now)) {
                            Integer valueOf = Integer.valueOf(value.getCryptoMaterialVersion().intValue() - 1);
                            RMAppCertificateManager.LOG.debug("Revoking certificate for app " + entry.getKey() + " with version " + valueOf);
                            RMAppCertificateManager.this.putToQueue(value.getApplicationId(), value.getUser(), valueOf);
                            ((RMAppImpl) value).resetCryptoRotationMetrics();
                        }
                    }
                    this.intervalForSleep.sleep(RMAppCertificateManager.this.revocationMonitorInterval.longValue());
                } catch (InterruptedException e) {
                    RMAppCertificateManager.LOG.info("Certificate revocation monitor stopping");
                    Thread.currentThread().interrupt();
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$KeyStoresWrapper.class */
    public class KeyStoresWrapper {
        private final KeyStore keystore;
        private final char[] keyStorePassword;
        private final KeyStore trustStore;
        private final char[] trustStorePassword;
        private final String appUser;
        private final ApplicationId appId;

        private KeyStoresWrapper(KeyStore keyStore, char[] cArr, KeyStore keyStore2, char[] cArr2, String str, ApplicationId applicationId) {
            this.keystore = keyStore;
            this.keyStorePassword = cArr;
            this.trustStore = keyStore2;
            this.trustStorePassword = cArr2;
            this.appUser = str;
            this.appId = applicationId;
        }

        protected KeyStore getKeystore() {
            return this.keystore;
        }

        protected char[] getKeyStorePassword() {
            return this.keyStorePassword;
        }

        protected KeyStore getTrustStore() {
            return this.trustStore;
        }

        protected char[] getTrustStorePassword() {
            return this.trustStorePassword;
        }

        protected byte[] getRawKeyStore(TYPE type) throws GeneralSecurityException, IOException {
            File file;
            char[] cArr;
            KeyStore keyStore;
            if (type.equals(TYPE.KEYSTORE)) {
                file = Paths.get(RMAppCertificateManager.this.TMP, this.appUser + "-" + this.appId.toString() + "_kstore.jks").toFile();
                cArr = this.keyStorePassword;
                keyStore = this.keystore;
            } else {
                file = Paths.get(RMAppCertificateManager.this.TMP, this.appUser + "-" + this.appId.toString() + "_tstore.jks").toFile();
                cArr = this.trustStorePassword;
                keyStore = this.trustStore;
            }
            FileOutputStream fileOutputStream = new FileOutputStream(file, false);
            Throwable th = null;
            try {
                keyStore.store(fileOutputStream, cArr);
                if (fileOutputStream != null) {
                    if (0 != 0) {
                        try {
                            fileOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileOutputStream.close();
                    }
                }
                byte[] readAllBytes = Files.readAllBytes(file.toPath());
                FileUtils.deleteQuietly(file);
                return readAllBytes;
            } catch (Throwable th3) {
                if (fileOutputStream != null) {
                    if (0 != 0) {
                        try {
                            fileOutputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        fileOutputStream.close();
                    }
                }
                throw th3;
            }
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$RevocationEventsHandler.class */
    private class RevocationEventsHandler extends Thread {
        private RevocationEventsHandler() {
        }

        private void drain() {
            ArrayList arrayList = new ArrayList(RMAppCertificateManager.this.revocationEvents.size());
            RMAppCertificateManager.this.revocationEvents.drainTo(arrayList);
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                RMAppCertificateManager.this.revokeInternal(((CertificateRevocationEvent) it.next()).identifier);
            }
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    RMAppCertificateManager.this.revokeInternal(((CertificateRevocationEvent) RMAppCertificateManager.this.revocationEvents.take()).identifier);
                } catch (InterruptedException e) {
                    RMAppCertificateManager.LOG.info("RevocationEventsHandler interrupted. Exiting...");
                    drain();
                    Thread.currentThread().interrupt();
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppCertificateManager$TYPE.class */
    public enum TYPE {
        KEYSTORE,
        TRUSTSTORE
    }

    public RMAppCertificateManager(RMContext rMContext) {
        super(RMAppCertificateManager.class.getName());
        this.TMP = System.getProperty("java.io.tmpdir");
        this.isRPCTLSEnabled = false;
        this.RENEWER_THREAD_POOL = 5;
        this.amountOfTimeToSubtractFromExpiration = 2L;
        this.renewalUnitOfTime = ChronoUnit.DAYS;
        this.revocationMonitorInterval = 10L;
        this.revocationUnitOfInterval = ChronoUnit.HOURS;
        Security.addProvider(new BouncyCastleProvider());
        this.rmContext = rMContext;
        this.rng = new SecureRandom();
        this.revocationEvents = new ArrayBlockingQueue(100);
        this.renewalTasks = new ConcurrentHashMap();
        this.scheduler = Executors.newScheduledThreadPool(5, new ThreadFactoryBuilder().setDaemon(true).setNameFormat("X509 app certificate renewal thread #%d").build());
    }

    protected void serviceInit(Configuration configuration) throws Exception {
        LOG.debug("Initializing RMAppCertificateManager");
        this.conf = configuration;
        this.handler = this.rmContext.getDispatcher().getEventHandler();
        this.certificateLocalizationService = this.rmContext.getCertificateLocalizationService();
        Pair<Long, TemporalUnit> parseInterval = parseInterval(configuration.get("yarn.resourcemanager.certificate.expiration-safety-period", YarnConfiguration.DEFAULT_RM_APP_CERTIFICATE_RENEWER_DELAY), "yarn.resourcemanager.certificate.expiration-safety-period");
        this.amountOfTimeToSubtractFromExpiration = (Long) parseInterval.getFirst();
        this.renewalUnitOfTime = (TemporalUnit) parseInterval.getSecond();
        Pair<Long, TemporalUnit> parseInterval2 = parseInterval(configuration.get("yarn.resourcemanager.certificate.revocation-monitor-interval", YarnConfiguration.DEFAULT_RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL), "yarn.resourcemanager.certificate.revocation-monitor-interval");
        this.revocationMonitorInterval = (Long) parseInterval2.getFirst();
        this.revocationUnitOfInterval = (TemporalUnit) parseInterval2.getSecond();
        this.rmAppCertificateActions = RMAppCertificateActionsFactory.getInstance().getActor(configuration);
        this.keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM, SECURITY_PROVIDER);
        this.keyPairGenerator.initialize(1024);
        this.isRPCTLSEnabled = configuration.getBoolean("ipc.server.ssl.enabled", false);
        super.serviceInit(configuration);
    }

    private Pair<Long, TemporalUnit> parseInterval(String str, String str2) {
        Matcher matcher = CONF_TIME_PATTERN.matcher(str);
        if (!matcher.matches()) {
            throw new IllegalArgumentException("Could not parse value " + str + " of " + str2);
        }
        Long valueOf = Long.valueOf(Long.parseLong(matcher.group(1)));
        String group = matcher.group(2);
        ChronoUnit chronoUnit = CHRONOUNITS.get(group.toUpperCase());
        if (chronoUnit != null) {
            return new Pair<>(valueOf, chronoUnit);
        }
        StringBuilder sb = new StringBuilder();
        Iterator<String> it = CHRONOUNITS.keySet().iterator();
        while (it.hasNext()) {
            sb.append(it.next()).append(", ");
        }
        sb.append("\b\b");
        throw new IllegalArgumentException("Could not parse ChronoUnit: " + group + ". Valid values are " + sb.toString());
    }

    protected void serviceStart() throws Exception {
        LOG.info("Starting RMAppCertificateManager");
        if (isRPCTLSEnabled()) {
            this.revocationEventsHandler = new RevocationEventsHandler();
            this.revocationEventsHandler.setDaemon(false);
            this.revocationEventsHandler.setName("RevocationEventsHandler");
            this.revocationEventsHandler.start();
            this.revocationMonitor = new CertificateRevocationMonitor();
            this.revocationMonitor.setDaemon(true);
            this.revocationMonitor.setName("CertificateRevocationMonitor");
            this.revocationMonitor.start();
        }
        super.serviceStart();
    }

    protected void serviceStop() throws Exception {
        LOG.info("Stopping RMAppCertificateManager");
        if (this.revocationMonitor != null) {
            this.revocationMonitor.interrupt();
        }
        if (this.revocationEventsHandler != null) {
            this.revocationEventsHandler.interrupt();
        }
        if (this.scheduler != null) {
            this.scheduler.shutdownNow();
        }
    }

    public void handle(RMAppCertificateManagerEvent rMAppCertificateManagerEvent) {
        ApplicationId applicationId = rMAppCertificateManagerEvent.getApplicationId();
        LOG.info("Processing event type: " + rMAppCertificateManagerEvent.getType() + " for application: " + applicationId);
        if (((RMAppCertificateManagerEventType) rMAppCertificateManagerEvent.getType()).equals(RMAppCertificateManagerEventType.GENERATE_CERTIFICATE)) {
            generateCertificate(applicationId, rMAppCertificateManagerEvent.getApplicationUser(), rMAppCertificateManagerEvent.getCryptoMaterialVersion());
            return;
        }
        if (((RMAppCertificateManagerEventType) rMAppCertificateManagerEvent.getType()).equals(RMAppCertificateManagerEventType.REVOKE_CERTIFICATE)) {
            revokeCertificate(applicationId, rMAppCertificateManagerEvent.getApplicationUser(), rMAppCertificateManagerEvent.getCryptoMaterialVersion());
            return;
        }
        if (((RMAppCertificateManagerEventType) rMAppCertificateManagerEvent.getType()).equals(RMAppCertificateManagerEventType.REVOKE_CERTIFICATE_AFTER_ROTATION)) {
            revokeCertificate(applicationId, rMAppCertificateManagerEvent.getApplicationUser(), rMAppCertificateManagerEvent.getCryptoMaterialVersion(), true);
        } else if (((RMAppCertificateManagerEventType) rMAppCertificateManagerEvent.getType()).equals(RMAppCertificateManagerEventType.REVOKE_GENERATE_CERTIFICATE)) {
            revokeAndGenerateCertificates(applicationId, rMAppCertificateManagerEvent.getApplicationUser(), rMAppCertificateManagerEvent.getCryptoMaterialVersion());
        } else {
            LOG.warn("Unknown event type " + rMAppCertificateManagerEvent.getType());
        }
    }

    @VisibleForTesting
    public RMAppCertificateActions getRmAppCertificateActions() {
        return this.rmAppCertificateActions;
    }

    @VisibleForTesting
    protected RMContext getRmContext() {
        return this.rmContext;
    }

    @VisibleForTesting
    public Map<ApplicationId, ScheduledFuture> getRenewalTasks() {
        return this.renewalTasks;
    }

    public void registerWithCertificateRenewer(ApplicationId applicationId, String str, Integer num, Long l) {
        if (isRPCTLSEnabled() && !this.renewalTasks.containsKey(applicationId)) {
            this.renewalTasks.put(applicationId, this.scheduler.schedule(createCertificateRenewerTask(applicationId, str, num), Instant.ofEpochMilli(l.longValue()).minus(Instant.now().toEpochMilli(), (TemporalUnit) ChronoUnit.MILLIS).minus(this.amountOfTimeToSubtractFromExpiration.longValue(), this.renewalUnitOfTime).toEpochMilli(), TimeUnit.MILLISECONDS));
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected Runnable createCertificateRenewerTask(ApplicationId applicationId, String str, Integer num) {
        return new CertificateRenewer(applicationId, str, num);
    }

    public void deregisterFromCertificateRenewer(ApplicationId applicationId) {
        ScheduledFuture remove;
        if (isRPCTLSEnabled() && (remove = this.renewalTasks.remove(applicationId)) != null) {
            remove.cancel(true);
        }
    }

    @VisibleForTesting
    protected ScheduledExecutorService getScheduler() {
        return this.scheduler;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public void revokeAndGenerateCertificates(ApplicationId applicationId, String str, Integer num) {
        if (revokeInternal(getCertificateIdentifier(applicationId, str, num))) {
            generateCertificate(applicationId, str, num);
        } else {
            this.handler.handle(new RMAppEvent(applicationId, RMAppEventType.KILL, "Could not revoke previously generated certificate"));
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public boolean isRPCTLSEnabled() {
        return this.isRPCTLSEnabled;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public void generateCertificate(ApplicationId applicationId, String str, Integer num) {
        try {
            if (isRPCTLSEnabled()) {
                KeyPair generateKeyPair = generateKeyPair();
                X509Certificate sendCSRAndGetSigned = sendCSRAndGetSigned(generateCSR(applicationId, str, generateKeyPair, num));
                long time = sendCSRAndGetSigned.getNotAfter().getTime();
                KeyStoresWrapper createApplicationStores = createApplicationStores(sendCSRAndGetSigned, generateKeyPair.getPrivate(), str, applicationId);
                byte[] rawKeyStore = createApplicationStores.getRawKeyStore(TYPE.KEYSTORE);
                byte[] rawKeyStore2 = createApplicationStores.getRawKeyStore(TYPE.TRUSTSTORE);
                this.rmContext.getCertificateLocalizationService().materializeCertificates(str, applicationId.toString(), str, ByteBuffer.wrap(rawKeyStore), String.valueOf(createApplicationStores.keyStorePassword), ByteBuffer.wrap(rawKeyStore2), String.valueOf(createApplicationStores.trustStorePassword));
                this.handler.handle(new RMAppCertificateGeneratedEvent(applicationId, rawKeyStore, createApplicationStores.keyStorePassword, rawKeyStore2, createApplicationStores.trustStorePassword, time, RMAppEventType.CERTS_GENERATED));
            } else {
                this.handler.handle(new RMAppEvent(applicationId, RMAppEventType.CERTS_GENERATED));
            }
        } catch (Exception e) {
            LOG.error("Error while generating certificate for application " + applicationId, e);
            this.handler.handle(new RMAppEvent(applicationId, RMAppEventType.KILL, "Error while generating application certificate"));
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected X509Certificate sendCSRAndGetSigned(PKCS10CertificationRequest pKCS10CertificationRequest) throws URISyntaxException, IOException, GeneralSecurityException {
        return this.rmAppCertificateActions.sign(pKCS10CertificationRequest);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected PKCS10CertificationRequest generateCSR(ApplicationId applicationId, String str, KeyPair keyPair, Integer num) throws OperatorCreationException {
        LOG.info("Generating certificate for application: " + applicationId);
        return createCSR(createX500Subject(applicationId, str, num), keyPair);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public KeyStore loadSystemTrustStore(Configuration configuration) throws GeneralSecurityException, IOException {
        String str = configuration.get("hadoop.ssl.server.conf", "ssl-server.xml");
        Configuration configuration2 = new Configuration();
        configuration2.addResource(str);
        String str2 = configuration2.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.truststore.location"));
        String str3 = configuration2.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.truststore.password"));
        KeyStore keyStore = KeyStore.getInstance(configuration2.get(FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.truststore.type"), "jks"));
        FileInputStream fileInputStream = new FileInputStream(str2);
        Throwable th = null;
        try {
            keyStore.load(fileInputStream, str3.toCharArray());
            if (fileInputStream != null) {
                if (0 != 0) {
                    try {
                        fileInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    fileInputStream.close();
                }
            }
            return keyStore;
        } catch (Throwable th3) {
            if (fileInputStream != null) {
                if (0 != 0) {
                    try {
                        fileInputStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    fileInputStream.close();
                }
            }
            throw th3;
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected KeyStoresWrapper createApplicationStores(X509Certificate x509Certificate, PrivateKey privateKey, String str, ApplicationId applicationId) throws GeneralSecurityException, IOException {
        char[] generateRandomPassword = generateRandomPassword();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry(str, privateKey, generateRandomPassword, new X509Certificate[]{x509Certificate});
        KeyStore loadSystemTrustStore = loadSystemTrustStore(this.conf);
        KeyStore keyStore2 = KeyStore.getInstance("JKS");
        keyStore2.load(null, null);
        Enumeration<String> aliases = loadSystemTrustStore.aliases();
        while (aliases.hasMoreElements()) {
            String nextElement = aliases.nextElement();
            keyStore2.setCertificateEntry(nextElement, (X509Certificate) loadSystemTrustStore.getCertificate(nextElement));
        }
        return new KeyStoresWrapper(keyStore, generateRandomPassword, keyStore2, generateRandomPassword, str, applicationId);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected KeyPair generateKeyPair() {
        return this.keyPairGenerator.genKeyPair();
    }

    public char[] generateRandomPassword() {
        return RandomStringUtils.random(20, 0, 0, true, true, (char[]) null, this.rng).toCharArray();
    }

    private X500Name createX500Subject(ApplicationId applicationId, String str, Integer num) {
        if (applicationId == null || str == null) {
            throw new IllegalArgumentException("ApplicationID and application user cannot be null");
        }
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.CN, str);
        x500NameBuilder.addRDN(BCStyle.O, applicationId.toString());
        x500NameBuilder.addRDN(BCStyle.OU, num.toString());
        return x500NameBuilder.build();
    }

    private PKCS10CertificationRequest createCSR(X500Name x500Name, KeyPair keyPair) throws OperatorCreationException {
        return new JcaPKCS10CertificationRequestBuilder(x500Name, keyPair.getPublic()).build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(SECURITY_PROVIDER).build(keyPair.getPrivate()));
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public void revokeCertificate(ApplicationId applicationId, String str, Integer num) {
        revokeCertificate(applicationId, str, num, false);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public void revokeCertificate(ApplicationId applicationId, String str, Integer num, boolean z) {
        if (isRPCTLSEnabled()) {
            LOG.info("Revoking certificate for application: " + applicationId + " with version " + num);
            if (!z) {
                try {
                    deregisterFromCertificateRenewer(applicationId);
                    if (this.certificateLocalizationService != null) {
                        this.certificateLocalizationService.removeMaterial(str, applicationId.toString());
                    }
                } catch (InterruptedException e) {
                    LOG.warn("Could not remove material for user " + str + " and application " + applicationId, e);
                    return;
                }
            }
            putToQueue(applicationId, str, num);
        }
    }

    public void revokeCertificateSynchronously(ApplicationId applicationId, String str, Integer num) {
        if (isRPCTLSEnabled()) {
            LOG.info("Revoking certificate for application: " + applicationId + " with version " + num);
            revokeInternal(getCertificateIdentifier(applicationId, str, num));
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void putToQueue(ApplicationId applicationId, String str, Integer num) throws InterruptedException {
        this.revocationEvents.put(new CertificateRevocationEvent(getCertificateIdentifier(applicationId, str, num)));
    }

    @VisibleForTesting
    protected void waitForQueueToDrain() throws InterruptedException {
        while (this.revocationEvents.peek() != null) {
            TimeUnit.MILLISECONDS.sleep(10L);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean revokeInternal(String str) {
        if (!isRPCTLSEnabled()) {
            return true;
        }
        try {
            this.rmAppCertificateActions.revoke(str);
            return true;
        } catch (IOException | URISyntaxException | GeneralSecurityException e) {
            LOG.error("Could not revoke certificate " + str, e);
            return false;
        }
    }

    public static String getCertificateIdentifier(ApplicationId applicationId, String str, Integer num) {
        return str + "__" + applicationId.toString() + "__" + num;
    }

    static {
        CHRONOUNITS.put("MS", ChronoUnit.MILLIS);
        CHRONOUNITS.put("S", ChronoUnit.SECONDS);
        CHRONOUNITS.put("M", ChronoUnit.MINUTES);
        CHRONOUNITS.put("H", ChronoUnit.HOURS);
        CHRONOUNITS.put("D", ChronoUnit.DAYS);
        CONF_TIME_PATTERN = Pattern.compile("(^[0-9]+)(\\p{Alpha}+)");
    }
}
