package org.apache.brooklyn.entity.java;

import com.google.common.base.Preconditions;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.apache.brooklyn.location.ssh.SshMachineLocation;
import org.apache.brooklyn.util.collections.MutableMap;
import org.apache.brooklyn.util.core.crypto.FluentKeySigner;
import org.apache.brooklyn.util.core.crypto.SecureKeys;
import org.apache.brooklyn.util.core.task.Tasks;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.jmx.jmxmp.JmxmpAgent;
import org.apache.brooklyn.util.net.Urls;

/* loaded from: input_file:org/apache/brooklyn/entity/java/JmxmpSslSupport.class */
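/**
 * Prepares the key material used to secure a JMXMP agent with SSL.
 *
 * <p>The class generates an agent key pair and certificate, builds a key store and a
 * trust store in memory, copies both to the machine returned by the wrapped
 * {@link JmxSupport}, and supplies the system properties that point the agent at
 * those files. The management-side access certificate and key are kept in the
 * entity configuration ({@code UsesJmx.JMX_SSL_ACCESS_CERT} /
 * {@code UsesJmx.JMX_SSL_ACCESS_KEY}) and are generated on first use.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Both stores, and the private-key entry inside the key store, are written with
 *       an empty password. Nothing in this class restricts who can read the copied
 *       files, so the agent's private key is only as safe as the run directory.</li>
 *   <li>The trust store holds the access certificate itself, under the alias
 *       {@code "brooklyn"}.</li>
 * </ul>
 */
public class JmxmpSslSupport {
    static final String BROOKLYN_VERSION = "1.2.0--7.2.0-beta4g";

    private final JmxSupport jmxSupport;
    private KeyStore agentTrustStore;
    private KeyStore agentKeyStore;

    /**
     * @param jmxSupport source of the run directory, target machine and entity config
     * @throws NullPointerException if {@code jmxSupport} is null
     */
    public JmxmpSslSupport(JmxSupport jmxSupport) {
        this.jmxSupport = Preconditions.checkNotNull(jmxSupport);
    }

    /** Returns the remote path of the agent key store: {@code <runDir>/jmx-keystore}. */
    public String getJmxSslKeyStoreFilePath() {
        return Urls.mergePaths(new String[] {this.jmxSupport.getRunDir(), "jmx-keystore"});
    }

    /** Returns the remote path of the agent trust store: {@code <runDir>/jmx-truststore}. */
    public String getJmxSslTrustStoreFilePath() {
        return Urls.mergePaths(new String[] {this.jmxSupport.getRunDir(), "jmx-truststore"});
    }

    /**
     * Adds the agent system properties that enable SSL and point at the copied stores.
     *
     * @param builder property map under construction; it is modified in place
     */
    public void applyAgentJmxJavaSystemProperties(MutableMap.Builder<String, Object> builder) {
        builder.put(JmxmpAgent.USE_SSL_PROPERTY, true);
        builder.put(JmxmpAgent.AUTHENTICATE_CLIENTS_PROPERTY, true);
        // The standard JMX authentication switch is turned off here, so access control
        // rests on the two properties above.
        // NOTE(review): presumably clients are authenticated by certificate against the
        // trust store - confirm in JmxmpAgent before relaxing either setting.
        builder.put("com.sun.management.jmxremote.authenticate", false);
        builder.put(JmxmpAgent.JMXMP_KEYSTORE_FILE_PROPERTY, getJmxSslKeyStoreFilePath());
        builder.put(JmxmpAgent.JMXMP_TRUSTSTORE_FILE_PROPERTY, getJmxSslTrustStoreFilePath());
    }

    /**
     * Returns a new signer named {@code "brooklyn-root"}.
     *
     * <p>A new {@link FluentKeySigner} is constructed on every call.
     * NOTE(review): if each signer generates its own key, certificates issued through
     * separate calls do not share an issuer key - verify against FluentKeySigner.
     */
    public FluentKeySigner getBrooklynRootSigner() {
        return new FluentKeySigner("brooklyn-root");
    }

    /**
     * Generates the agent key material and copies the key store and trust store to the
     * target machine.
     *
     * <p>Any failure is rethrown through {@link Exceptions#propagate(Throwable)}.
     */
    public void install() {
        try {
            // Empty password for both stores and for the key entry: the files carry no
            // passphrase protection of their own.
            // NOTE(review): confirm that the run directory and the mode copyTo() gives
            // the files keep other local users from reading jmx-keystore.
            char[] emptyPassword = new char[0];

            KeyPair agentKey = SecureKeys.newKeyPair();
            X509Certificate agentCert =
                    getBrooklynRootSigner().newCertificateFor("jmxmp-agent", agentKey);

            this.agentKeyStore = SecureKeys.newKeyStore();
            this.agentKeyStore.setKeyEntry(
                    "jmxmp-agent", agentKey.getPrivate(), emptyPassword, new Certificate[] {agentCert});
            ByteArrayOutputStream keyStoreBytes = new ByteArrayOutputStream();
            this.agentKeyStore.store(keyStoreBytes, emptyPassword);

            // The agent trusts exactly the access certificate, generated on demand.
            this.agentTrustStore = SecureKeys.newKeyStore();
            this.agentTrustStore.setCertificateEntry("brooklyn", getJmxAccessCert());
            ByteArrayOutputStream trustStoreBytes = new ByteArrayOutputStream();
            this.agentTrustStore.store(trustStoreBytes, emptyPassword);

            Tasks.setBlockingDetails("Copying keystore and truststore to the server.");
            try {
                SshMachineLocation machine = (SshMachineLocation) this.jmxSupport.getMachine().get();
                machine.copyTo(
                        new ByteArrayInputStream(keyStoreBytes.toByteArray()), getJmxSslKeyStoreFilePath());
                machine.copyTo(
                        new ByteArrayInputStream(trustStoreBytes.toByteArray()),
                        getJmxSslTrustStoreFilePath());
            } finally {
                // Clear the blocking details on failure too; previously a failed copy
                // left the stale "Copying ..." message on the task.
                Tasks.resetBlockingDetails();
            }
        } catch (Exception e) {
            throw Exceptions.propagate(e);
        }
    }

    /**
     * Returns the access certificate, generating and storing a new certificate and
     * private key in the entity config when no certificate is configured.
     *
     * <p>The generated private key is written to {@code UsesJmx.JMX_SSL_ACCESS_KEY};
     * treat that config value as a secret.
     */
    public synchronized Certificate getJmxAccessCert() {
        Certificate configured = (Certificate) this.jmxSupport.getConfig(UsesJmx.JMX_SSL_ACCESS_CERT);
        if (configured != null) {
            return configured;
        }
        KeyPair accessKey = SecureKeys.newKeyPair();
        X509Certificate accessCert =
                getBrooklynRootSigner().newCertificateFor("brooklyn-jmx-access", accessKey);
        this.jmxSupport.setConfig(UsesJmx.JMX_SSL_ACCESS_CERT, accessCert);
        this.jmxSupport.setConfig(UsesJmx.JMX_SSL_ACCESS_KEY, accessKey.getPrivate());
        return accessCert;
    }

    /**
     * Returns the private key that matches the access certificate.
     *
     * <p>When no key is configured this triggers {@link #getJmxAccessCert()} and reads
     * the config again. If a certificate is already configured without a key, no key
     * is generated and the result is whatever the config returns for the key.
     */
    public synchronized PrivateKey getJmxAccessKey() {
        PrivateKey configured = (PrivateKey) this.jmxSupport.getConfig(UsesJmx.JMX_SSL_ACCESS_KEY);
        if (configured != null) {
            return configured;
        }
        getJmxAccessCert();
        return (PrivateKey) this.jmxSupport.getConfig(UsesJmx.JMX_SSL_ACCESS_KEY);
    }
}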
