package de.fzj.unicore.wsrflite.security;

import eu.unicore.security.util.Log;
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Random;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;

/* loaded from: input_file:de/fzj/unicore/wsrflite/security/ProxyCertificate.class */
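/**
 * Creates a short-lived X.509 proxy certificate for a user: the proxy is signed with the
 * user's own private key (taken from the supplied {@link ISecurityProperties}) and carries
 * a key pair that is generated freshly for every instance.
 * <p>
 * The issuer of the proxy is the user certificate ({@code getCertificateChain()[0]}); the
 * subject is the user's DN with one more {@code CN=proxy} (or {@code CN=limited proxy})
 * component appended at the end.
 * <p>
 * Every instance owns its key pair, so proxies created for different users, or with
 * different key lengths, never share a private key and {@link #getKeyLength()} always
 * describes the key actually returned by {@link #getPrivateKey()}. Instances are immutable
 * after construction; the only shared state is the {@link SecureRandom} used for serial
 * numbers, which is thread-safe.
 */
public class ProxyCertificate {
    public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    public static final String END_CERT = "-----END CERTIFICATE-----";
    public static final String BEGIN_PRIVATE = "-----BEGIN RSA PRIVATE KEY-----";
    public static final String END_PRIVATE = "-----END RSA PRIVATE KEY-----";
    /**
     * Password of keystores written by {@link #writeJKS(String)}. It is a fixed, public
     * value, so the confidentiality of a written keystore rests entirely on the file's
     * permissions, not on this password.
     */
    public static final String PROXY_JKS_PASSWORD = "unicore";
    /** Alias under which the proxy key entry is stored by {@link #writeJKS(String)}. */
    public static final String PROXY_JKS_ALIAS = "mykey";
    /** Property name selecting the signature algorithm used to sign the proxy. */
    public static final String PROXY_SIGNATURE = "unicore.proxy.signature.algorithm";

    private static final Logger logger = Log.getLogger("unicore.security", ProxyCertificate.class);
    /** Source of certificate serial numbers; SecureRandom is thread-safe and may be shared. */
    private static final SecureRandom RANDOM = new SecureRandom();
    /** Bits of randomness in a proxy serial number. */
    private static final int SERIAL_BITS = 64;
    /** The validity window starts this far in the past to tolerate clock skew between hosts. */
    private static final long CLOCK_SKEW_MILLIS = 300000;

    private final boolean limited;
    private final X509Certificate proxyCertificate;
    private final X509Certificate userCertificate;
    private final PrivateKey privateKey;
    private final PublicKey publicKey;
    private final long validFrom;
    private final long validTo;
    private final int keyLength;
    private final String signatureAlgName;

    /**
     * Small mutable wrapper around the RDN sequence of an {@link X509Name} that allows
     * appending relative distinguished names at the end of the name.
     */
    public static class X509NameHelper {
        private ASN1Sequence seq;

        /** Wraps an existing RDN sequence. */
        public X509NameHelper(ASN1Sequence aSN1Sequence) {
            this.seq = aSN1Sequence;
        }

        /** Wraps the RDN sequence underlying the given name. */
        public X509NameHelper(X509Name x509Name) {
            this.seq = (ASN1Sequence) x509Name.getDERObject();
        }

        /** @return the current sequence as an {@link X509Name} */
        public X509Name getAsName() {
            return new X509Name(this.seq);
        }

        /**
         * Appends a single-valued RDN ({@code oid=value}) to the end of the name; the
         * value is encoded as a DER PrintableString.
         *
         * @param dERObjectIdentifier attribute type, e.g. {@link X509Name#CN}
         * @param str attribute value
         */
        public void add(DERObjectIdentifier dERObjectIdentifier, String str) {
            ASN1EncodableVector attribute = new ASN1EncodableVector();
            attribute.add(dERObjectIdentifier);
            attribute.add(new DERPrintableString(str));
            add(new DERSet(new DERSequence(attribute)));
        }

        /**
         * Appends an already encoded RDN set to the end of the name. The sequence is
         * rebuilt because DER sequences are immutable.
         */
        public void add(ASN1Set aSN1Set) {
            ASN1EncodableVector rdns = new ASN1EncodableVector();
            int count = this.seq.size();
            for (int idx = 0; idx < count; idx++) {
                rdns.add(this.seq.getObjectAt(idx));
            }
            rdns.add(aSN1Set);
            this.seq = new DERSequence(rdns);
        }
    }

    /**
     * Builds the proxy: converts the user certificate to the Bouncy Castle implementation,
     * resolves the signature algorithm, generates the proxy key pair and signs the
     * proxy certificate with the user's private key.
     *
     * @param iSecurityProperties source of the user certificate chain, private key and settings
     * @param z whether this is a "limited proxy"
     * @param j start of validity (epoch millis)
     * @param j2 end of validity (epoch millis)
     * @param i key length for the generated proxy key pair
     * @throws Exception if certificate conversion, key generation or signing fails; the
     *         failure is logged before it is rethrown
     */
    private ProxyCertificate(ISecurityProperties iSecurityProperties, boolean z, long j, long j2, int i) throws Exception {
        X509Certificate userCert = iSecurityProperties.getCertificateChain()[0];
        // Re-encode through the BC provider so that getSubjectDN() yields a BC X509Name,
        // which newproxyCertificate relies on.
        if (userCert instanceof X509CertificateObject) {
            this.userCertificate = userCert;
        } else {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
            this.userCertificate = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(userCert.getEncoded()));
        }
        this.limited = z;
        this.validFrom = j;
        this.validTo = j2;
        this.keyLength = i;
        PrivateKey signingKey = iSecurityProperties.getPrivateKey();
        this.signatureAlgName = resolveSignatureAlgorithm(
                iSecurityProperties.getProperty(PROXY_SIGNATURE), signingKey);
        try {
            // A fresh pair per proxy: the proxy key must never be shared between proxies
            // and must have the requested length.
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(signingKey.getAlgorithm());
            keyPairGenerator.initialize(i);
            KeyPair keyPair = keyPairGenerator.generateKeyPair();
            this.privateKey = keyPair.getPrivate();
            this.publicKey = keyPair.getPublic();
            this.proxyCertificate = newproxyCertificate(signingKey);
        } catch (Exception e) {
            Log.logException("Problems generating Proxy certificate", e, logger);
            throw e;
        }
    }

    /**
     * Chooses the signature algorithm: the configured value when present, otherwise a
     * default matching the signing key type.
     * <p>
     * The RSA default is a SHA-1 signature, which is deprecated; deployments should set
     * {@link #PROXY_SIGNATURE} explicitly to a SHA-256 (or stronger) algorithm.
     *
     * @param configured value of {@link #PROXY_SIGNATURE}, may be {@code null}
     * @param signingKey the user's private key
     * @return a JCA signature algorithm name
     */
    private static String resolveSignatureAlgorithm(String configured, PrivateKey signingKey) {
        if (configured != null) {
            return configured;
        }
        if (signingKey.getAlgorithm().toLowerCase().contains("dsa")) {
            return "SHA256WITHDSA";
        }
        return "SHA1WITHRSAENCRYPTION";
    }

    /** @return the generated and signed proxy certificate */
    public X509Certificate getProxyCertificate() {
        return this.proxyCertificate;
    }

    /** @return the private key belonging to the proxy certificate (never {@code null}) */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /** @return the public key contained in the proxy certificate (never {@code null}) */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /** @return the chain {@code [proxy certificate, user certificate]} */
    public Certificate[] getCertChain() {
        return new Certificate[]{getProxyCertificate(), getUserCertificate()};
    }

    /** @return start of the validity window, in epoch millis */
    public long getValidFrom() {
        return this.validFrom;
    }

    /** @return end of the validity window, in epoch millis */
    public long getValidTo() {
        return this.validTo;
    }

    /** @return the user certificate that issued the proxy (BC implementation) */
    public X509Certificate getUserCertificate() {
        return this.userCertificate;
    }

    /** @return whether the proxy was created as a "limited proxy" */
    public boolean isLimited() {
        return this.limited;
    }

    /** @return length of the generated proxy key pair, in bits */
    public int getKeyLength() {
        return this.keyLength;
    }

    /**
     * Creates a proxy certificate valid from five minutes ago (clock-skew tolerance) until
     * {@code j} milliseconds from now.
     *
     * @param iSecurityProperties source of the user certificate chain, private key and settings
     * @param z whether to create a "limited proxy"
     * @param j lifetime in milliseconds, counted from now
     * @param i key length in bits; one of 512, 1024, 2048 or 4096
     * @return the generated proxy
     * @throws IllegalArgumentException if the validity window would be empty or the key
     *         length is not one of the supported values
     * @throws Exception if generating or signing the certificate fails
     */
    public static ProxyCertificate getInstance(ISecurityProperties iSecurityProperties, boolean z, long j, int i) throws Exception {
        logger.debug("Limited: " + z + " valid: " + j + " key size: " + i);
        // Read the clock once so both bounds derive from the same instant.
        long now = System.currentTimeMillis();
        long notBefore = now - CLOCK_SKEW_MILLIS;
        long notAfter = now + j;
        if (notAfter <= notBefore) {
            throw new IllegalArgumentException("Invalid lifetime for proxy certificate");
        }
        if (i != 512 && i != 1024 && i != 2048 && i != 4096) {
            throw new IllegalArgumentException("Invalid key length for proxy certificate");
        }
        return new ProxyCertificate(iSecurityProperties, z, notBefore, notAfter, i);
    }

    /**
     * Assembles and signs the proxy certificate: issuer = user DN, subject = user DN plus a
     * trailing {@code CN=proxy} / {@code CN=limited proxy}, a random serial number, the
     * configured validity window and this instance's public key. After signing, the
     * certificate is checked to be currently valid and to verify against the user
     * certificate's public key.
     *
     * @param signingKey the user's private key
     * @return the signed proxy certificate
     * @throws Exception if signing fails, the certificate is not currently valid, or the
     *         signature does not verify against the user certificate
     */
    private X509Certificate newproxyCertificate(PrivateKey signingKey) throws Exception {
        String cn = this.limited ? "limited proxy" : "proxy";
        // userCertificate is a BC X509CertificateObject, whose subject principal is an X509Name.
        X509Name issuerName = (X509Name) this.userCertificate.getSubjectDN();
        X509NameHelper subject = new X509NameHelper(issuerName);
        subject.add(X509Name.CN, cn);

        X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
        certGen.setIssuerDN(new X509NameHelper(issuerName).getAsName());
        certGen.setSubjectDN(subject.getAsName());
        // Positive serial with SERIAL_BITS bits from a CSPRNG: serials must be unique per
        // issuer and unpredictable, which a few bits of java.util.Random cannot guarantee.
        certGen.setSerialNumber(BigInteger.ONE.add(new BigInteger(SERIAL_BITS, RANDOM)));
        certGen.setNotBefore(new Date(this.validFrom));
        certGen.setNotAfter(new Date(this.validTo));
        certGen.setPublicKey(this.publicKey);
        certGen.setSignatureAlgorithm(this.signatureAlgName);
        X509Certificate generated = certGen.generate(signingKey);
        generated.checkValidity(new Date());
        // Confirms that the supplied signing key really belongs to the user certificate.
        generated.verify(this.userCertificate.getPublicKey());
        logger.debug("Generated proxyCert for: \n" + generated.getSubjectDN());
        return generated;
    }

    /**
     * @return the PEM encoding produced by {@link #writePEM(Writer)}: proxy certificate,
     *         unencrypted proxy private key and user certificate
     * @throws Exception if writing fails
     */
    public String getPEMEncoded() throws Exception {
        StringWriter buffer = new StringWriter();
        writePEM(buffer);
        return buffer.toString();
    }

    /**
     * Writes the proxy certificate, the proxy private key and the user certificate in PEM
     * format. The private key is written unencrypted, so the destination must be protected
     * accordingly. The writer is flushed but not closed.
     *
     * @param writer destination
     * @throws IOException if writing fails
     */
    public void writePEM(Writer writer) throws IOException {
        PEMWriter pemWriter = new PEMWriter(writer);
        pemWriter.writeObject(getProxyCertificate());
        pemWriter.writeObject(this.privateKey);
        pemWriter.writeObject(this.userCertificate);
        pemWriter.flush();
    }

    /**
     * Stores the proxy key and chain in a JKS keystore file under alias
     * {@link #PROXY_JKS_ALIAS}, protected by {@link #PROXY_JKS_PASSWORD}.
     *
     * @param str path of the keystore file to create or overwrite
     * @throws IOException if the keystore cannot be built or written; the underlying
     *         failure is attached as the cause
     */
    public void writeJKS(String str) throws IOException {
        char[] password = PROXY_JKS_PASSWORD.toCharArray();
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(str);
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, password);
            keyStore.setKeyEntry(PROXY_JKS_ALIAS, this.privateKey, password, getCertChain());
            keyStore.store(out, password);
        } catch (Exception e) {
            IOException wrapped = new IOException("Can't write keystore.");
            wrapped.initCause(e);
            throw wrapped;
        } finally {
            // Single close point; the original closed twice on the success path.
            if (out != null) {
                out.close();
            }
        }
    }

    /**
     * Unwraps the DER OCTET STRING that X.509 extension values are wrapped in.
     *
     * @param bArr DER-encoded extension value
     * @return the octets contained in the OCTET STRING
     * @throws IOException if the bytes do not decode to an OCTET STRING
     */
    private static byte[] getExtensionValue(byte[] bArr) throws IOException {
        ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(bArr));
        try {
            Object decoded = in.readObject();
            if (decoded instanceof ASN1OctetString) {
                return ((ASN1OctetString) decoded).getOctets();
            }
            throw new IOException("Extension value is not an ASN.1 OCTET STRING");
        } finally {
            in.close();
        }
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}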
