package org.nuxeo.ecm.platform.signature.core.pki;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
import org.nuxeo.ecm.platform.signature.api.exception.CertException;
import org.nuxeo.ecm.platform.signature.api.pki.CertService;
import org.nuxeo.ecm.platform.signature.api.pki.RootService;
import org.nuxeo.ecm.platform.signature.api.user.AliasType;
import org.nuxeo.ecm.platform.signature.api.user.AliasWrapper;
import org.nuxeo.ecm.platform.signature.api.user.CNField;
import org.nuxeo.ecm.platform.signature.api.user.UserInfo;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.model.DefaultComponent;

/* loaded from: input_file:org/nuxeo/ecm/platform/signature/core/pki/CertServiceImpl.class */
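/**
 * Certificate service: creates a per-user RSA key pair and an X.509 user certificate chained (by issuer name and
 * authority key identifier) to the root certificate supplied by {@link RootService}, and reads/writes the JKS
 * keystores holding them.
 * <p>
 * Keystore layout produced by {@link #initializeUser} and read back by {@link #getKeyPair}: the private key is
 * stored under the user's {@link AliasType#KEY} alias and the user certificate under the {@link AliasType#CERT}
 * alias. The BouncyCastle provider is registered once at class-load time.
 * <p>
 * The cached root service and root certificate are initialised lazily without synchronisation; a concurrent first
 * call may load them twice, which is harmless because the same objects are obtained each time.
 */
public class CertServiceImpl extends DefaultComponent implements CertService {

    private static final Log LOG = LogFactory.getLog(CertServiceImpl.class);

    /** Validity period granted to every issued user certificate, counted from the moment of issuance. */
    private static final int CERTIFICATE_DURATION_IN_MONTHS = 12;

    private static final String CERT_SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    private static final String KEY_ALGORITHM = "RSA";

    /** RSA modulus size. 1024-bit RSA is below current minimum strength recommendations; 2048 is the accepted floor. */
    private static final int KEY_SIZE = 2048;

    private static final String KEYSTORE_TYPE = "JKS";

    /** Number of random bits in a certificate serial number (15 octets, within the 20-octet limit of RFC 5280). */
    private static final int SERIAL_NUMBER_BITS = 120;

    /** Source of certificate serial numbers; {@link SecureRandom} instances are thread-safe. */
    private static final SecureRandom SERIAL_RANDOM = new SecureRandom();

    protected RootService rootService;

    protected X509Certificate rootCertificate;

    static {
        // The certificate converter and content signer below are requested from the "BC" provider by name.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    public void setRootService(RootService rootService) {
        this.rootService = rootService;
    }

    /**
     * Returns the root certificate, loading it on first use from the root keystore under the root certificate alias.
     *
     * @throws CertException if the root service is unavailable or the certificate cannot be read
     */
    public X509Certificate getRootCertificate() throws CertException {
        if (rootCertificate == null) {
            RootService root = getRootService();
            rootCertificate = getCertificate(root.getRootKeyStore(), root.getRootCertificateAlias());
        }
        return rootCertificate;
    }

    /** Start of validity of a newly issued certificate: now. */
    protected Date getCertStartDate() {
        return new Date();
    }

    /** End of validity of a newly issued certificate: now plus {@link #CERTIFICATE_DURATION_IN_MONTHS}. */
    protected Date getCertEndDate() {
        Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.MONTH, CERTIFICATE_DURATION_IN_MONTHS);
        return calendar.getTime();
    }

    /**
     * Creates a new in-memory keystore for a user containing a freshly generated key pair and its certificate.
     *
     * @param userInfo the user; {@link CNField#UserID} names the keystore aliases, the other fields form the subject
     * @param keystorePassword password protecting the keystore and the private key entry
     * @return the populated keystore (not yet persisted; see {@link #storeCertificate})
     * @throws CertException on any keystore, key-generation or certificate error
     */
    public KeyStore initializeUser(UserInfo userInfo, String keystorePassword) throws CertException {
        char[] password = keystorePassword.toCharArray();
        AliasWrapper aliases = new AliasWrapper((String) userInfo.getUserFields().get(CNField.UserID));
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            // A null stream creates an empty keystore.
            keyStore.load(null, password);
            KeyPairGenerator generator = KeyPairGenerator.getInstance(KEY_ALGORITHM);
            generator.initialize(KEY_SIZE);
            KeyPair keyPair = generator.genKeyPair();
            // The key entry's chain holds only the root certificate; the user certificate is stored as a separate
            // trusted-certificate entry. getKeyPair() relies on exactly this layout.
            keyStore.setKeyEntry(aliases.getId(AliasType.KEY), keyPair.getPrivate(), password,
                    new Certificate[] { getRootCertificate() });
            keyStore.setCertificateEntry(aliases.getId(AliasType.CERT), getCertificate(keyPair, userInfo));
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            throw new CertException(e);
        }
    }

    /**
     * Reassembles a key pair from a keystore: the public key from the certificate entry, the private key from the key
     * entry.
     *
     * @param keyStore the keystore to read
     * @param keyAlias alias of the private key entry
     * @param certificateAlias alias of the certificate entry
     * @param keyPassword password protecting the private key entry
     * @throws CertException if either alias is missing, the key entry is not a private key, or the keystore fails
     */
    public KeyPair getKeyPair(KeyStore keyStore, String keyAlias, String certificateAlias, String keyPassword)
            throws CertException {
        try {
            if (!keyStore.containsAlias(keyAlias)) {
                throw new CertException("Missing keystore key entry for key alias:" + keyAlias);
            }
            if (!keyStore.containsAlias(certificateAlias)) {
                throw new CertException("Missing keystore certificate entry for :" + certificateAlias);
            }
            Certificate certificate = keyStore.getCertificate(certificateAlias);
            if (certificate == null) {
                throw new CertException("Missing keystore certificate entry for :" + certificateAlias);
            }
            // getKey() returns null for a non-key entry and a SecretKey for symmetric entries; neither is usable here.
            java.security.Key key = keyStore.getKey(keyAlias, keyPassword.toCharArray());
            if (!(key instanceof PrivateKey)) {
                throw new CertException("Keystore entry is not a private key for key alias:" + keyAlias);
            }
            return new KeyPair(certificate.getPublicKey(), (PrivateKey) key);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new CertException(e);
        }
    }

    /**
     * Reads an X.509 certificate entry from a keystore.
     *
     * @param keyStore the keystore; may be null, in which case a {@link CertException} is thrown
     * @param alias alias of the certificate entry
     * @throws CertException if the keystore is null, the alias has no X.509 certificate, or the keystore fails
     */
    public X509Certificate getCertificate(KeyStore keyStore, String alias) throws CertException {
        if (keyStore == null) {
            throw new CertException("Keystore missing for " + alias);
        }
        try {
            if (!keyStore.containsAlias(alias)) {
                throw new CertException("Certificate not found");
            }
            // getCertificate() returns null for an entry without a certificate (e.g. a secret-key entry).
            Certificate certificate = keyStore.getCertificate(alias);
            if (!(certificate instanceof X509Certificate)) {
                throw new CertException("Certificate not found");
            }
            return (X509Certificate) certificate;
        } catch (KeyStoreException e) {
            throw new CertException(e);
        }
    }

    /**
     * Builds the user certificate for a key pair: issuer and authority key identifier point at the root certificate,
     * subject and e-mail come from {@code userInfo}.
     *
     * @throws CertException if the e-mail field is missing or certificate construction fails
     */
    protected X509Certificate getCertificate(KeyPair keyPair, UserInfo userInfo) throws CertException {
        X509Certificate issuerCertificate = getRootCertificate();
        // The issuer field of an issued certificate is the subject of the issuing CA certificate (RFC 5280 4.1.2.4).
        // For a self-signed root, subject and issuer coincide, so this also matches the earlier use of the root's
        // issuer name.
        X500Principal issuer = issuerCertificate.getSubjectX500Principal();
        X500Principal subject = userInfo.getX500Principal();
        String email = (String) userInfo.getUserFields().get(CNField.Email);
        if (email == null) {
            throw new CertException("Missing e-mail address for certificate subject " + subject);
        }
        try {
            JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, newSerialNumber(),
                    getCertStartDate(), getCertEndDate(), subject, keyPair.getPublic());
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    extensionUtils.createAuthorityKeyIdentifier(issuerCertificate));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
            // End-entity certificate: may not issue further certificates.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
            // NOTE(review): serverAuth is an unusual extended key usage for a user signing certificate; kept as-is —
            // confirm the intended purpose.
            builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
            builder.addExtension(Extension.subjectAlternativeName, false,
                    new GeneralNames(new GeneralName(GeneralName.rfc822Name, email)));
            // NOTE(review): the certificate is signed with the subject's own private key, although its issuer name
            // and authority key identifier point at the root certificate; the signature therefore does not verify
            // against the root's public key. Signing with the root's private key is presumably what was intended —
            // confirm against RootService before changing.
            return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate(builder.build(new JcaContentSignerBuilder(CERT_SIGNATURE_ALGORITHM)
                            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate())));
        } catch (GeneralSecurityException | OperatorException | IOException e) {
            throw new CertException(e);
        }
    }

    /**
     * Produces a serial number for a new certificate. Serial numbers must be positive and unique per issuer
     * (RFC 5280 4.1.2.2); a wall-clock timestamp collides when two certificates are issued in the same millisecond,
     * so a random value is used instead. {@code setBit(0)} guarantees a non-zero (odd) value.
     */
    private static BigInteger newSerialNumber() {
        return new BigInteger(SERIAL_NUMBER_BITS, SERIAL_RANDOM).setBit(0);
    }

    /**
     * Loads a JKS keystore from a stream.
     *
     * @param inputStream the keystore bytes
     * @param password the keystore password
     * @throws CertException with the message "Incorrect password" when the integrity check fails, or wrapping the
     *             underlying error otherwise
     */
    public KeyStore getKeyStore(InputStream inputStream, String password) throws CertException {
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            keyStore.load(inputStream, password.toCharArray());
            return keyStore;
        } catch (IOException e) {
            // A wrong JKS password is reported by KeyStore.load() as an IOException whose message says so;
            // String.valueOf() guards against a null message.
            if (String.valueOf(e.getMessage()).contains("password was incorrect")) {
                throw new CertException("Incorrect password");
            }
            throw new CertException(e);
        } catch (GeneralSecurityException e) {
            throw new CertException(e);
        }
    }

    /**
     * Returns the first rfc822Name (e-mail) subject alternative name of a certificate, or null if it has none.
     *
     * @throws CertException if the extension cannot be parsed
     */
    public String getCertificateEmail(X509Certificate certificate) throws CertException {
        try {
            // Each entry is a [tag, value] pair; for the rfc822Name tag the value is the address as a String.
            for (Object entry : X509ExtensionUtil.getSubjectAlternativeNames(certificate)) {
                List<?> alternativeName = (List<?>) entry;
                if (Integer.valueOf(GeneralName.rfc822Name).equals(alternativeName.get(0))) {
                    return (String) alternativeName.get(1);
                }
            }
            return null;
        } catch (GeneralSecurityException e) {
            throw new CertException(e);
        }
    }

    /**
     * Writes a keystore to a stream, protected by the given password.
     *
     * @throws CertException wrapping any I/O or keystore error
     */
    public void storeCertificate(KeyStore keyStore, OutputStream outputStream, String password) throws CertException {
        try {
            keyStore.store(outputStream, password.toCharArray());
        } catch (IOException | GeneralSecurityException e) {
            throw new CertException(e);
        }
    }

    /**
     * Returns the root service, looking it up in the runtime on first use.
     *
     * @throws CertException if no {@link RootService} is registered
     */
    protected RootService getRootService() throws CertException {
        if (rootService == null) {
            rootService = (RootService) Framework.getService(RootService.class);
            if (rootService == null) {
                throw new CertException("RootService is not available");
            }
        }
        return rootService;
    }
}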
