package org.forgerock.openidm.security;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.forgerock.json.fluent.JsonValue;
import org.forgerock.json.resource.JsonResourceException;
import org.forgerock.json.resource.SimpleJsonResource;
import org.forgerock.openidm.core.IdentityServer;
import org.forgerock.openidm.crypto.factory.CryptoUpdateService;
import org.forgerock.openidm.jetty.Config;
import org.forgerock.openidm.jetty.Param;
import org.forgerock.openidm.objset.JsonResourceObjectSet;
import org.forgerock.openidm.objset.NotFoundException;
import org.forgerock.openidm.objset.ObjectSet;
import org.forgerock.openidm.repo.RepositoryService;
import org.forgerock.openidm.util.DateUtil;
import org.forgerock.util.encode.Base64;
import org.joda.time.DateTime;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openidm/security/SecurityManager.class */
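/**
 * JSON resource that manages the OpenIDM keystore and truststore: reading, storing and deleting
 * certificate entries, generating self-signed certificates and certificate signing requests (CSRs),
 * and refreshing the JVM default {@link SSLContext} after every change so the running server
 * picks the new material up.
 *
 * <p>Resource ids take the form {@code keystore}, {@code truststore}, {@code keystore/<alias>} or
 * {@code truststore/<alias>}.
 *
 * <p>Not thread-safe: concurrent writers to the same store file are not coordinated here.
 */
public class SecurityManager extends SimpleJsonResource {
    private static final Logger logger = LoggerFactory.getLogger(SecurityManager.class);
    public static final String PID = "org.forgerock.openidm.security";
    public static final String ACTION_GENERATE_CERT = "generateCert";
    public static final String ACTION_GENERATE_CSR = "generateCSR";
    public static final String TRUSTSTORE = "truststore";
    public static final String KEYSTORE = "keystore";
    public static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA512WithRSAEncryption";
    public static final String DEFAULT_ALGORITHM = "RSA";
    public static final String DEFAULT_CERTIFICATE_TYPE = "X509";
    public static final int DEFAULT_KEY_SIZE = 2048;

    /** Repository path under which CSR key pairs are kept, followed by the alias. */
    private static final String CSR_KEY_PATH_PREFIX = "security/keys/";
    /** Repository path holding the Base64 keystore image shared between cluster nodes. */
    private static final String CLUSTER_KEYSTORE_PATH = "security/keystore";
    /** Default certificate notBefore: 30 days (in ms) before generation time. */
    private static final long DEFAULT_VALID_FROM_OFFSET_MS = 2592000000L;
    /** Default certificate notAfter: 10 years of 365 days (in ms) after generation time. */
    private static final long DEFAULT_VALID_TO_OFFSET_MS = 315360000000L;

    protected ObjectSet router;
    protected RepositoryService repo;
    private CryptoUpdateService cryptoUpdateService;

    /** A generated certificate together with the private key it was generated for. */
    public static class CertificateWrapper {
        private final Certificate certificate;
        private final PrivateKey privateKey;

        public CertificateWrapper(Certificate certificate, PrivateKey privateKey) {
            this.certificate = certificate;
            this.privateKey = privateKey;
        }

        public Certificate getCertificate() {
            return this.certificate;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }
    }

    /** A generated PKCS#10 request together with the private key of the pair it was built from. */
    public static class CertificationRequestWrapper {
        private final PKCS10CertificationRequest certificationRequest;
        private final PrivateKey privateKey;

        public CertificationRequestWrapper(PKCS10CertificationRequest pKCS10CertificationRequest, PrivateKey privateKey) {
            this.certificationRequest = pKCS10CertificationRequest;
            this.privateKey = privateKey;
        }

        public PKCS10CertificationRequest getCertificationRequest() {
            return this.certificationRequest;
        }

        public PrivateKey getPrivateKey() {
            return this.privateKey;
        }
    }

    /**
     * A named keystore (the "keystore" or "truststore") with the location, password and type it
     * was configured with, plus the loaded {@link KeyStore} once one has been attached.
     */
    public static class StoreWrapper {
        private final String name;
        private final String location;
        private final String password;
        private final String type;
        private KeyStore store;

        public StoreWrapper(String str, String str2, String str3, String str4) {
            this(str, str2, str3, str4, null);
        }

        /**
         * @param str      logical name ({@link #KEYSTORE} or {@link #TRUSTSTORE})
         * @param str2     file system path of the store
         * @param str3     store password, also used to protect private and secret key entries
         * @param str4     keystore type passed to {@link KeyStore#getInstance(String)}
         * @param keyStore already-loaded store, or {@code null} if it is set later
         */
        public StoreWrapper(String str, String str2, String str3, String str4, KeyStore keyStore) {
            this.name = str;
            this.location = str2;
            this.password = str3;
            this.type = str4;
            this.store = keyStore;
        }

        public String getName() {
            return this.name;
        }

        public KeyStore getStore() {
            return this.store;
        }

        public void setStore(KeyStore keyStore) {
            this.store = keyStore;
        }

        public String getLocation() {
            return this.location;
        }

        public String getPassword() {
            return this.password;
        }

        public String getType() {
            return this.type;
        }

        /** Adds (or replaces) a trusted certificate entry under {@code str}. */
        public void addCert(String str, Certificate certificate) throws Exception {
            this.store.setCertificateEntry(str, certificate);
        }

        /** Adds (or replaces) a private key entry with its chain, protected by the store password. */
        public void addPrivateKey(String str, PrivateKey privateKey, Certificate[] certificateArr) throws Exception {
            this.store.setEntry(str, new KeyStore.PrivateKeyEntry(privateKey, certificateArr), entryProtection());
        }

        /** Adds (or replaces) a secret key entry, protected by the store password. */
        public void addSecretKey(String str, SecretKey secretKey) throws Exception {
            this.store.setEntry(str, new KeyStore.SecretKeyEntry(secretKey), entryProtection());
        }

        /** Writes the in-memory store back to its file, closing the stream on every path. */
        public void store() throws Exception {
            FileOutputStream fileOutputStream = new FileOutputStream(this.location);
            try {
                this.store.store(fileOutputStream, this.password.toCharArray());
            } finally {
                fileOutputStream.close();
            }
        }

        /** Entries are protected with the same password as the store itself. */
        private KeyStore.PasswordProtection entryProtection() {
            return new KeyStore.PasswordProtection(this.password.toCharArray());
        }
    }

    protected void bindRepo(RepositoryService repositoryService) {
        logger.debug("binding RepositoryService");
        this.router = new JsonResourceObjectSet(repositoryService);
    }

    protected void unbindRepo(RepositoryService repositoryService) {
        logger.debug("unbinding RepositoryService");
        this.router = null;
    }

    /**
     * Component activation: registers the BouncyCastle provider, points the JSSE default
     * keystore/truststore system properties at the configured stores when the JVM has not already
     * set them, makes sure the HTTPS key alias exists (generating a self-signed certificate when
     * it does not) and, in a cluster, either publishes the keystore to the repository
     * ("clustered-first") or loads it from there ("clustered-additional").
     *
     * <p>Any failure is logged and swallowed on purpose so that the service still activates;
     * callers see the consequences on first use rather than at startup.
     */
    void activate(ComponentContext componentContext) throws ParseException {
        logger.debug("Activating Security Management Service {}", componentContext);
        Security.addProvider(new BouncyCastleProvider());
        String property = System.getProperty("javax.net.ssl.keyStore");
        String property2 = System.getProperty("javax.net.ssl.trustStore");
        String keystorePassword = Param.getKeystorePassword(false);
        // JSSE reads its default stores from these properties. The passwords therefore become
        // readable to anything in the JVM that can read system properties; that is the JSSE
        // contract, not a choice made here.
        if (property == null) {
            System.setProperty("javax.net.ssl.keyStore", Param.getKeystoreLocation());
            System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
            System.setProperty("javax.net.ssl.keyStoreType", Param.getKeystoreType());
        }
        if (property2 == null) {
            System.setProperty("javax.net.ssl.trustStore", Param.getTruststoreLocation());
            System.setProperty("javax.net.ssl.trustStorePassword", Param.getTruststorePassword(false));
            System.setProperty("javax.net.ssl.trustStoreType", Param.getTruststoreType());
        }
        String property3 = IdentityServer.getInstance().getProperty("openidm.instance.type", "standalone");
        String property4 = Param.getProperty("openidm.https.keystore.cert.alias");
        try {
            if ("clustered-additional".equals(property3)) {
                // Additional cluster nodes take the keystore image published by the first node.
                StoreWrapper readKeystore = readKeystore();
                readKeystore.store();
                reloadStore(readKeystore);
                this.cryptoUpdateService.updateKeySelector(readKeystore.getStore(), keystorePassword);
            } else {
                StoreWrapper createStore = createStore(KEYSTORE);
                if (createStore.getStore().getKey(property4, keystorePassword.toCharArray()) == null) {
                    // No HTTPS key yet: generate a self-signed certificate under the configured alias.
                    // Each RDN is comma-separated; the original DN lacked the comma before L=.
                    CertificateWrapper generateCertificate = generateCertificate(
                            "CN=local.openidm.forgerock.org, OU=None, O=OpenIDM Self-Signed Certificate, L=None, C=None",
                            DEFAULT_ALGORITHM, DEFAULT_KEY_SIZE, DEFAULT_SIGNATURE_ALGORITHM, null, null);
                    createStore.addPrivateKey(property4, generateCertificate.getPrivateKey(),
                            new Certificate[]{generateCertificate.getCertificate()});
                    createStore.store();
                    reloadStore(createStore);
                    try {
                        Config.updateConfig((Dictionary) null);
                    } catch (NullPointerException e) {
                        // Best effort: a missing Jetty config must not abort activation.
                        logger.warn("Unable to update Jetty configuration after generating the HTTPS certificate", e);
                    }
                }
                if ("clustered-first".equals(property3)) {
                    storeKeystore(createStore.getLocation());
                }
            }
        } catch (Exception e2) {
            logger.warn("Error initializing keys", e2);
        }
    }

    void deactivate(ComponentContext componentContext) {
        logger.debug("Deactivating Security Management Service {}", componentContext);
    }

    /**
     * Stores a certificate (or, with {@code fromCSR}, a signed chain plus its private key) under
     * the alias named by the request id.
     *
     * @return a JSON object holding the alias as {@code _id}
     * @throws JsonResourceException 400 for a missing/invalid id, 500 on storage failure
     */
    public JsonValue create(JsonValue jsonValue) throws JsonResourceException {
        Map<String, Object> result = new HashMap<String, Object>();
        try {
            JsonValue jsonValue2 = requireResourceId(jsonValue);
            StoreWrapper storeFromResourceId = getStoreFromResourceId(jsonValue2.asString());
            String alias = getAlias(jsonValue2.asString());
            if (alias == null) {
                throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
            }
            try {
                storeCert(jsonValue.get("value"), storeFromResourceId, alias);
                result.put("_id", alias);
                return new JsonValue(result);
            } catch (JsonResourceException e) {
                throw e;
            } catch (Exception e) {
                throw new JsonResourceException(500, "Failed to store certificate: " + e.getMessage(), e);
            }
        } catch (JsonResourceException e2) {
            throw e2;
        } catch (Exception e3) {
            throw new JsonResourceException(500, "Failed to create certificate: " + e3.getMessage(), e3);
        }
    }

    /**
     * Replaces the entry under the alias named by the request id; the alias must already exist.
     *
     * @return a JSON object holding the alias as {@code _id}
     * @throws JsonResourceException 400 for a missing/invalid id, 404 if the alias is unknown,
     *                               500 on storage failure
     */
    public JsonValue update(JsonValue jsonValue) throws JsonResourceException {
        Map<String, Object> result = new HashMap<String, Object>();
        try {
            JsonValue jsonValue2 = requireResourceId(jsonValue);
            StoreWrapper storeFromResourceId = getStoreFromResourceId(jsonValue2.asString());
            String alias = getAlias(jsonValue2.asString());
            // Validate the alias before asking the store about it.
            if (alias == null) {
                throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
            }
            if (!storeFromResourceId.getStore().containsAlias(alias)) {
                throw new JsonResourceException(404);
            }
            try {
                storeCert(jsonValue.get("value"), storeFromResourceId, alias);
                result.put("_id", alias);
                return new JsonValue(result);
            } catch (JsonResourceException e2) {
                throw e2;
            } catch (Exception e) {
                throw new JsonResourceException(500, "Failed to store certificate: " + e.getMessage(), e);
            }
        } catch (JsonResourceException e3) {
            throw e3;
        } catch (Exception e4) {
            throw new JsonResourceException(500, "Failed to update certificate: " + e4.getMessage(), e4);
        }
    }

    /**
     * Writes the certificate described by {@code jsonValue} into {@code storeWrapper} under
     * {@code str}, persists the store and refreshes the default SSL context.
     *
     * <p>With {@code fromCSR=true} the value carries a {@code certs} chain (leaf first) and
     * optionally a PEM {@code privateKey}; without one, the key pair saved when the CSR was
     * generated is used. The private key is checked against the leaf certificate before storing.
     *
     * @throws JsonResourceException 400 for unusable input, 404 if no private key is available
     */
    private void storeCert(JsonValue jsonValue, StoreWrapper storeWrapper, String str) throws Exception {
        boolean fromCsr = jsonValue.get("fromCSR").defaultTo(false).asBoolean().booleanValue();
        String certType = jsonValue.get("type").defaultTo(DEFAULT_CERTIFICATE_TYPE).asString();
        if (fromCsr) {
            String privateKeyPem = jsonValue.get("privateKey").asString();
            PrivateKey privateKey;
            if (privateKeyPem == null) {
                privateKey = getCsrKeyPair(str).getPrivate();
            } else {
                Object pemObject = fromPem(privateKeyPem);
                if (!(pemObject instanceof KeyPair)) {
                    throw new JsonResourceException(400, "Supplied privateKey is not a PEM-encoded key pair");
                }
                privateKey = ((KeyPair) pemObject).getPrivate();
            }
            if (privateKey == null) {
                throw new JsonResourceException(404, "No private key exists for the supplied signed certificate");
            }
            Certificate[] chain = readCertificateChain(jsonValue.get("certs").required().asList(String.class), certType);
            if (chain.length == 0) {
                throw new JsonResourceException(400, "At least one certificate must be supplied in 'certs'");
            }
            // Refuse to pair a key with a certificate that was not issued for it.
            verify(privateKey, chain[0]);
            storeWrapper.addPrivateKey(str, privateKey, chain);
        } else {
            storeWrapper.addCert(str, readCertificate(jsonValue.get("cert").required().asString(), certType));
        }
        storeWrapper.store();
        reloadStore(storeWrapper);
        Config.updateConfig((Dictionary) null);
    }

    /**
     * Deletes the entry under the alias named by the request id, persists the store and refreshes
     * the default SSL context.
     *
     * @return a null JSON value
     * @throws JsonResourceException 400 for a missing/invalid id, 404 if the alias is unknown
     */
    public JsonValue delete(JsonValue jsonValue) throws JsonResourceException {
        try {
            JsonValue jsonValue2 = requireResourceId(jsonValue);
            StoreWrapper storeFromResourceId = getStoreFromResourceId(jsonValue2.asString());
            String alias = getAlias(jsonValue2.asString());
            if (alias == null) {
                throw new JsonResourceException(400, "A valid alias must be specified");
            }
            if (!storeFromResourceId.getStore().containsAlias(alias)) {
                throw new JsonResourceException(404);
            }
            storeFromResourceId.getStore().deleteEntry(alias);
            storeFromResourceId.store();
            reloadStore(storeFromResourceId);
            Config.updateConfig((Dictionary) null);
            return new JsonValue((Object) null);
        } catch (JsonResourceException e) {
            throw e;
        } catch (Exception e2) {
            throw new JsonResourceException(500, "Failed to delete certificate: " + e2.getMessage(), e2);
        }
    }

    /**
     * Reads either a whole store (id {@code keystore}/{@code truststore}: type, provider, location
     * and alias list) or a single certificate entry (id {@code store/alias}: type, PEM certificate
     * and public key). Private key material is never returned.
     *
     * @throws JsonResourceException 400 for a missing/invalid id, 404 for an unknown alias or an
     *                               alias without a certificate
     */
    public JsonValue read(JsonValue jsonValue) throws JsonResourceException {
        Map<String, Object> result = new HashMap<String, Object>();
        try {
            JsonValue jsonValue2 = requireResourceId(jsonValue);
            String resourceId = jsonValue2.asString();
            if (TRUSTSTORE.equals(resourceId) || KEYSTORE.equals(resourceId)) {
                StoreWrapper createStore = createStore(resourceId);
                result.put("name", resourceId);
                result.put("type", createStore.getStore().getType());
                result.put("provider", createStore.getStore().getProvider());
                result.put("location", createStore.getLocation());
                List<String> aliasList = new ArrayList<String>();
                Enumeration<String> aliases = createStore.getStore().aliases();
                while (aliases.hasMoreElements()) {
                    aliasList.add(aliases.nextElement());
                }
                result.put("aliases", aliasList);
            } else {
                StoreWrapper storeFromResourceId = getStoreFromResourceId(resourceId);
                String alias = getAlias(resourceId);
                if (alias == null) {
                    throw new JsonResourceException(400, "A valid alias must be specified");
                }
                if (!storeFromResourceId.getStore().containsAlias(alias)) {
                    throw new JsonResourceException(404, "No alias " + alias + " exists in " + storeFromResourceId.getType());
                }
                Certificate certificate = storeFromResourceId.getStore().getCertificate(alias);
                if (certificate == null) {
                    throw new JsonResourceException(404, "No certificate exists for alias " + alias + " in " + storeFromResourceId.getType());
                }
                result.put("_id", alias);
                result.put("type", certificate.getType());
                result.put("cert", getCertString(certificate));
                result.put("publicKey", getKeyMap(certificate.getPublicKey()));
            }
            return new JsonValue(result);
        } catch (JsonResourceException e2) {
            throw e2;
        } catch (Exception e) {
            throw new JsonResourceException(500, "Failed to read certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Handles the {@code generateCert} and {@code generateCSR} actions for the alias named by the
     * request id. {@code generateCert} stores a new self-signed certificate and its key under the
     * alias; {@code generateCSR} keeps the key pair in the repository and returns the PKCS#10
     * request, including the private key only when {@code returnPrivateKey} is set.
     *
     * @throws JsonResourceException 400 for a missing id/action or an unsupported action
     */
    public JsonValue action(JsonValue jsonValue) throws JsonResourceException {
        Map<String, Object> result = new HashMap<String, Object>();
        try {
            JsonValue actionValue = jsonValue.get("params").get("_action");
            JsonValue idValue = jsonValue.get("id");
            JsonValue requestValue = jsonValue.get("value");
            if (idValue.isNull()) {
                throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
            }
            if (actionValue.isNull()) {
                throw new JsonResourceException(400, "A valid action must be specified in the request");
            }
            String action = actionValue.asString();
            boolean isGenerateCert = ACTION_GENERATE_CERT.equalsIgnoreCase(action);
            boolean isGenerateCsr = ACTION_GENERATE_CSR.equalsIgnoreCase(action);
            if (!isGenerateCert && !isGenerateCsr) {
                throw new JsonResourceException(400, "Unsupported action " + action);
            }
            StoreWrapper storeFromResourceId = getStoreFromResourceId(idValue.asString());
            String alias = getAlias(idValue.asString());
            if (alias == null) {
                throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
            }
            String algorithm = requestValue.get("algorithm").defaultTo(DEFAULT_ALGORITHM).asString();
            String signatureAlgorithm = requestValue.get("signatureAlgorithm").defaultTo(DEFAULT_SIGNATURE_ALGORITHM).asString();
            int keySize = requestValue.get("keySize").defaultTo(Integer.valueOf(DEFAULT_KEY_SIZE)).asInteger().intValue();
            if (isGenerateCert) {
                // Each RDN is comma-separated; the original DN lacked the comma before L=.
                CertificateWrapper generateCertificate = generateCertificate(
                        "CN=" + requestValue.get("domainName").required().asString() + ", OU=None, O=None, L=None, C=None",
                        algorithm, keySize, signatureAlgorithm,
                        requestValue.get("validFrom").asString(), requestValue.get("validTo").asString());
                Certificate certificate = generateCertificate.getCertificate();
                storeFromResourceId.addCert(alias, certificate);
                storeFromResourceId.addPrivateKey(alias, generateCertificate.getPrivateKey(), new Certificate[]{certificate});
                storeFromResourceId.store();
                reloadStore(storeFromResourceId);
                result.put("_id", alias);
                result.put("type", certificate.getType());
                result.put("cert", getCertString(certificate));
                result.put("publicKey", getKeyMap(certificate.getPublicKey()));
            } else {
                CertificationRequestWrapper generateCSR = generateCSR(alias, algorithm, signatureAlgorithm, keySize, requestValue, storeFromResourceId);
                PublicKey publicKey = generateCSR.getCertificationRequest().getPublicKey();
                result.put("_id", alias);
                result.put("csr", getCertString(generateCSR.getCertificationRequest()));
                result.put("publicKey", getKeyMap(publicKey));
                // The private key leaves the server only on explicit request.
                if (requestValue.get("returnPrivateKey").defaultTo(false).asBoolean().booleanValue()) {
                    result.put("privateKey", getKeyMap(generateCSR.getPrivateKey()));
                }
            }
            return new JsonValue(result);
        } catch (JsonResourceException e) {
            throw e;
        } catch (Exception e2) {
            throw new JsonResourceException(500, "Failed to execute action: " + e2.getMessage(), e2);
        }
    }

    /**
     * Returns the request's {@code id} value.
     *
     * @throws JsonResourceException 400 when the id is absent
     */
    private JsonValue requireResourceId(JsonValue request) throws JsonResourceException {
        JsonValue idValue = request.get("id");
        if (idValue.isNull()) {
            throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
        }
        return idValue;
    }

    /**
     * Loads the store a resource id refers to.
     *
     * @throws JsonResourceException 400 when the id names neither store
     */
    private StoreWrapper getStoreFromResourceId(String str) throws Exception, JsonResourceException {
        String storeName = getStoreName(str);
        if (storeName == null) {
            throw new JsonResourceException(400, "A valid resource ID must be specified in the request");
        }
        return createStore(storeName);
    }

    /**
     * Extracts the store name from a resource id: {@code keystore}, {@code truststore} or either
     * followed by {@code /alias}. Returns {@code null} for anything else.
     */
    private String getStoreName(String str) {
        if (TRUSTSTORE.equals(str) || KEYSTORE.equals(str)) {
            return str;
        }
        if (str.startsWith(TRUSTSTORE + "/") || str.startsWith(KEYSTORE + "/")) {
            return str.substring(0, str.indexOf("/"));
        }
        return null;
    }

    /**
     * Extracts the alias part of a resource id: the text after the first {@code /}, or the whole
     * id when it has no slash. Returns {@code null} only for a {@code null} id.
     */
    private String getAlias(String str) {
        if (str == null) {
            return null;
        }
        return str.substring(str.indexOf("/") + 1);
    }

    /** Describes a key as algorithm, encoding format and PEM text. */
    private Map<String, Object> getKeyMap(Key key) throws Exception {
        Map<String, Object> keyMap = new HashMap<String, Object>();
        keyMap.put("algorithm", key.getAlgorithm());
        keyMap.put("format", key.getFormat());
        keyMap.put("encoded", toPem(key));
        return keyMap;
    }

    /** PEM-encodes a certificate or certification request. */
    private String getCertString(Object obj) throws Exception {
        return toPem(obj);
    }

    /**
     * Persists the key pair generated for a CSR in the repository so that the signed certificate
     * can later be paired with it (see {@link #getCsrKeyPair(String)}).
     */
    private void storeCsrKeyPair(String str, KeyPair keyPair) throws JsonResourceException {
        String repoId = CSR_KEY_PATH_PREFIX + str;
        try {
            JsonValue jsonValue = new JsonValue(new HashMap<String, Object>());
            jsonValue.put("encoded", toPem(keyPair));
            storeInRepo(repoId, jsonValue);
        } catch (Exception e) {
            throw new JsonResourceException(500, e);
        }
    }

    /** Rebuilds the keystore from the Base64 image a cluster's first node published. */
    private StoreWrapper readKeystore() throws JsonResourceException {
        try {
            String encoded = readFromRepo(CLUSTER_KEYSTORE_PATH).get("keystoreString").asString();
            return createKeyStore(new ByteArrayInputStream(Base64.decode(encoded.getBytes())));
        } catch (Exception e) {
            // Keep the cause so the real failure (repo, decoding, keystore) stays diagnosable.
            throw new JsonResourceException(500, "Error creating keystore from store bytes", e);
        }
    }

    /**
     * Publishes the keystore file at {@code str} to the repository as a Base64 string for the other
     * cluster nodes.
     *
     * @throws IOException if the file cannot be read completely
     */
    private void storeKeystore(String str) throws IOException, JsonResourceException {
        File file = new File(str);
        byte[] bArr = new byte[(int) file.length()];
        FileInputStream fileInputStream = new FileInputStream(file);
        try {
            // InputStream.read may return fewer bytes than requested; loop until the buffer is full.
            int offset = 0;
            while (offset < bArr.length) {
                int count = fileInputStream.read(bArr, offset, bArr.length - offset);
                if (count < 0) {
                    throw new IOException("Unexpected end of file while reading keystore " + str);
                }
                offset += count;
            }
        } finally {
            fileInputStream.close();
        }
        JsonValue jsonValue = new JsonValue(new HashMap<String, Object>());
        jsonValue.add("keystoreString", new String(Base64.encode(bArr)));
        storeInRepo(CLUSTER_KEYSTORE_PATH, jsonValue);
    }

    /** Reads an object from the repository router. */
    private JsonValue readFromRepo(String str) throws JsonResourceException {
        return new JsonValue(requireRouter().read(str));
    }

    /** Updates an object in the repository, creating it when it does not exist yet. */
    private void storeInRepo(String str, JsonValue jsonValue) throws JsonResourceException {
        ObjectSet objectSet = requireRouter();
        try {
            String revision = new JsonValue(objectSet.read(str)).get("_rev").asString();
            objectSet.update(str, revision, jsonValue.asMap());
        } catch (NotFoundException e) {
            logger.debug("creating object {}", str);
            objectSet.create(str, jsonValue.asMap());
        }
    }

    /**
     * Loads the key pair saved when the CSR for {@code str} was generated.
     *
     * @throws JsonResourceException 404 when no key pair is stored for the alias
     */
    private KeyPair getCsrKeyPair(String str) throws JsonResourceException {
        JsonValue jsonValue = new JsonValue(requireRouter().read(CSR_KEY_PATH_PREFIX + str));
        if (jsonValue.isNull()) {
            throw new JsonResourceException(404, "Cannot find stored key for alias " + str);
        }
        try {
            return (KeyPair) fromPem(jsonValue.get("encoded").asString());
        } catch (Exception e) {
            throw new JsonResourceException(500, e);
        }
    }

    /**
     * Returns the repository router.
     *
     * @throws JsonResourceException 500 when no repository is bound
     */
    private ObjectSet requireRouter() throws JsonResourceException {
        if (this.router == null) {
            throw new JsonResourceException(500, "Repo router is null");
        }
        return this.router;
    }

    /** PEM-encodes any object BouncyCastle's {@link PEMWriter} understands. */
    private String toPem(Object obj) throws Exception {
        StringWriter stringWriter = new StringWriter();
        PEMWriter pEMWriter = new PEMWriter(stringWriter);
        try {
            pEMWriter.writeObject(obj);
            pEMWriter.flush();
        } finally {
            pEMWriter.close();
        }
        return stringWriter.toString();
    }

    /** Decodes the first PEM object in {@code str}; the caller is responsible for the cast. */
    private <T> T fromPem(String str) throws Exception {
        PEMReader pEMReader = new PEMReader(new StringReader(str));
        try {
            @SuppressWarnings("unchecked")
            T pemObject = (T) pEMReader.readObject();
            return pemObject;
        } finally {
            pEMReader.close();
        }
    }

    /**
     * Decodes a PEM X.509 certificate.
     *
     * @param str  PEM text
     * @param str2 requested certificate type; currently only X.509 PEM input is accepted and the
     *             parameter is kept for interface compatibility
     * @throws JsonResourceException 400 when the PEM text is not an X.509 certificate
     */
    private Certificate readCertificate(String str, String str2) throws Exception {
        Object readObject = fromPem(str);
        if (readObject instanceof X509Certificate) {
            return (X509Certificate) readObject;
        }
        throw new JsonResourceException(400, "Unsupported certificate format");
    }

    /** Decodes a list of PEM certificates in order. */
    private Certificate[] readCertificateChain(List<String> list, String str) throws Exception {
        Certificate[] certificateArr = new Certificate[list.size()];
        for (int i = 0; i < certificateArr.length; i++) {
            certificateArr[i] = readCertificate(list.get(i), str);
        }
        return certificateArr;
    }

    /**
     * Generates a fresh key pair and a PKCS#10 request for it, and saves the key pair in the
     * repository under the alias so the signed certificate can be imported later.
     *
     * @param str          alias
     * @param str2         key algorithm
     * @param str3         signature algorithm
     * @param i            key size in bits
     * @param jsonValue    subject attributes: {@code CN} (required), {@code OU}, {@code O},
     *                     {@code L}, {@code C} (default "None")
     * @param storeWrapper target store (not used for generation, kept for interface compatibility)
     */
    private CertificationRequestWrapper generateCSR(String str, String str2, String str3, int i, JsonValue jsonValue, StoreWrapper storeWrapper) throws Exception {
        StringBuilder subject = new StringBuilder();
        appendRdn(subject, "CN=", jsonValue.get("CN").required().asString());
        appendRdn(subject, ", OU=", jsonValue.get("OU").defaultTo("None").asString());
        appendRdn(subject, ", O=", jsonValue.get("O").defaultTo("None").asString());
        appendRdn(subject, ", L=", jsonValue.get("L").defaultTo("None").asString());
        appendRdn(subject, ", C=", jsonValue.get("C").defaultTo("None").asString());
        X509Principal x509Principal = new X509Principal(subject.toString());
        KeyPair generateKeyPair = generateKeyPair(str2, i);
        PublicKey publicKey = generateKeyPair.getPublic();
        PrivateKey privateKey = generateKeyPair.getPrivate();
        PKCS10CertificationRequest pKCS10CertificationRequest = new PKCS10CertificationRequest(str3, x509Principal, publicKey, (ASN1Set) null, privateKey);
        logger.debug("Storing private key with alias {}", str);
        storeCsrKeyPair(str, generateKeyPair);
        return new CertificationRequestWrapper(pKCS10CertificationRequest, privateKey);
    }

    /** Appends one RDN, escaping commas in the user-supplied value so it cannot inject further RDNs. */
    private static void appendRdn(StringBuilder subject, String prefix, String value) {
        subject.append(prefix).append(value.replaceAll(",", "\\\\,"));
    }

    /** Creates a key pair of the given algorithm and size. */
    private static KeyPair generateKeyPair(String algorithm, int keySize) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(algorithm);
        keyPairGenerator.initialize(keySize);
        return keyPairGenerator.generateKeyPair();
    }

    /**
     * Generates a self-signed X.509 certificate and its key pair.
     *
     * @param str  distinguished name used as both issuer and subject
     * @param str2 key algorithm
     * @param i    key size in bits
     * @param str3 signature algorithm
     * @param str4 notBefore as a date string, or {@code null} for 30 days ago
     * @param str5 notAfter as a date string, or {@code null} for 10 years from now
     * @throws JsonResourceException 500 when a supplied date does not parse
     */
    private CertificateWrapper generateCertificate(String str, String str2, int i, String str3, String str4, String str5) throws Exception {
        KeyPair generateKeyPair = generateKeyPair(str2, i);
        long now = System.currentTimeMillis();
        Date notBefore = parseValidityDate(str4, now - DEFAULT_VALID_FROM_OFFSET_MS, "validFrom");
        Date notAfter = parseValidityDate(str5, now + DEFAULT_VALID_TO_OFFSET_MS, "validTo");
        X509V3CertificateGenerator x509V3CertificateGenerator = new X509V3CertificateGenerator();
        // Mask the sign bit instead of Math.abs: abs(Long.MIN_VALUE) is negative, and serial
        // numbers must be positive.
        x509V3CertificateGenerator.setSerialNumber(BigInteger.valueOf(new SecureRandom().nextLong() & Long.MAX_VALUE));
        x509V3CertificateGenerator.setIssuerDN(new X509Principal(str));
        x509V3CertificateGenerator.setNotBefore(notBefore);
        x509V3CertificateGenerator.setNotAfter(notAfter);
        x509V3CertificateGenerator.setSubjectDN(new X509Principal(str));
        x509V3CertificateGenerator.setPublicKey(generateKeyPair.getPublic());
        x509V3CertificateGenerator.setSignatureAlgorithm(str3);
        PrivateKey privateKey = generateKeyPair.getPrivate();
        return new CertificateWrapper(x509V3CertificateGenerator.generateX509Certificate(privateKey), privateKey);
    }

    /**
     * Parses an optional validity date.
     *
     * @param text      date string, or {@code null} to use {@code defaultMillis}
     * @param property  request property name, for the error message
     * @throws JsonResourceException 500 when {@code text} is present but not a recognised date
     */
    private Date parseValidityDate(String text, long defaultMillis, String property) throws JsonResourceException {
        if (text == null) {
            return new Date(defaultMillis);
        }
        DateTime parsed = DateUtil.getDateUtil().parseIfDate(text);
        if (parsed == null) {
            throw new JsonResourceException(500, "Invalid date format for '" + property + "' property");
        }
        return parsed.toDate();
    }

    /**
     * Loads the named store from its configured file.
     *
     * @param str {@link #KEYSTORE} or {@link #TRUSTSTORE}
     * @throws IllegalArgumentException for any other name
     */
    public StoreWrapper createStore(String str) throws Exception {
        StoreWrapper createDefaultStore = createDefaultStore(str);
        if (createDefaultStore == null) {
            throw new IllegalArgumentException("Unknown store: " + str);
        }
        // createKeyStore closes the stream on every path.
        createDefaultStore.setStore(createKeyStore(createDefaultStore.getType(), createDefaultStore.getPassword(),
                new FileInputStream(createDefaultStore.getLocation())));
        return createDefaultStore;
    }

    /** Builds the keystore wrapper from an arbitrary stream, using the configured keystore settings. */
    public StoreWrapper createKeyStore(InputStream inputStream) throws Exception {
        StoreWrapper createDefaultStore = createDefaultStore(KEYSTORE);
        createDefaultStore.setStore(createKeyStore(createDefaultStore.getType(), createDefaultStore.getPassword(), inputStream));
        return createDefaultStore;
    }

    /**
     * Loads a {@link KeyStore} of type {@code str} from {@code inputStream} with password
     * {@code str2}; the stream is closed whether or not loading succeeds.
     */
    private KeyStore createKeyStore(String str, String str2, InputStream inputStream) throws Exception {
        try {
            KeyStore keyStore = KeyStore.getInstance(str);
            keyStore.load(inputStream, str2.toCharArray());
            return keyStore;
        } finally {
            if (inputStream != null) {
                inputStream.close();
            }
        }
    }

    /**
     * Builds an unloaded wrapper from the configured location, password and type of the named
     * store, or {@code null} when {@code str} is neither store name.
     */
    private StoreWrapper createDefaultStore(String str) {
        if (TRUSTSTORE.equals(str)) {
            return new StoreWrapper(str, Param.getTruststoreLocation(), Param.getTruststorePassword(false), Param.getTruststoreType());
        }
        if (KEYSTORE.equals(str)) {
            return new StoreWrapper(str, Param.getKeystoreLocation(), Param.getKeystorePassword(false), Param.getKeystoreType());
        }
        return null;
    }

    /**
     * Refreshes the JVM default {@link SSLContext} with the given store: as trust material when it
     * is the truststore, as key material when it is the keystore, and with JSSE defaults for
     * whichever side is not supplied.
     */
    private void reloadStore(StoreWrapper storeWrapper) throws Exception {
        String name = storeWrapper == null ? null : storeWrapper.getName();
        if (TRUSTSTORE.equals(name)) {
            reloadStores(storeWrapper, null);
        } else if (KEYSTORE.equals(name)) {
            reloadStores(null, storeWrapper);
        } else {
            reloadStores(null, null);
        }
    }

    /**
     * Installs a new default {@link SSLContext} built from the given truststore and/or keystore.
     * A {@code null} argument leaves that side to the JSSE defaults (which {@link #activate}
     * points at the configured files via system properties).
     */
    private void reloadStores(StoreWrapper storeWrapper, StoreWrapper storeWrapper2) throws Exception {
        TrustManager[] trustManagerArr = null;
        KeyManager[] keyManagerArr = null;
        if (storeWrapper != null) {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(storeWrapper.getStore());
            trustManagerArr = trustManagerFactory.getTrustManagers();
        }
        if (storeWrapper2 != null) {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(storeWrapper2.getStore(), storeWrapper2.getPassword().toCharArray());
            keyManagerArr = keyManagerFactory.getKeyManagers();
        }
        // "TLS" is the protocol family actually negotiated; "SSL" is only a legacy alias.
        SSLContext sSLContext = SSLContext.getInstance("TLS");
        sSLContext.init(keyManagerArr, trustManagerArr, null);
        SSLContext.setDefault(sSLContext);
    }

    /**
     * Checks that {@code privateKey} corresponds to the public key in {@code certificate} by
     * signing a fixed sample with the private key and verifying it with the certificate's key.
     *
     * @throws JsonResourceException 400 when the pair does not match, 500 when the check itself fails
     */
    private void verify(PrivateKey privateKey, Certificate certificate) throws JsonResourceException {
        PublicKey publicKey = certificate.getPublicKey();
        // Fixed sample input ("ABCDEFGHIJ"); its content is irrelevant to the check.
        byte[] sample = {65, 66, 67, 68, 69, 70, 71, 72, 73, 74};
        boolean matches;
        try {
            Signature signer = Signature.getInstance(privateKey.getAlgorithm());
            signer.initSign(privateKey);
            signer.update(sample);
            byte[] signatureBytes = signer.sign();
            Signature verifier = Signature.getInstance(publicKey.getAlgorithm());
            verifier.initVerify(publicKey);
            verifier.update(sample);
            matches = verifier.verify(signatureBytes);
        } catch (Exception e) {
            throw new JsonResourceException(500, "Error verifying private key and signed certificate", e);
        }
        if (!matches) {
            throw new JsonResourceException(400, "Private key does not match signed certificate");
        }
    }

    protected void bindCryptoUpdateService(CryptoUpdateService cryptoUpdateService) {
        this.cryptoUpdateService = cryptoUpdateService;
    }

    protected void unbindCryptoUpdateService(CryptoUpdateService cryptoUpdateService) {
        if (this.cryptoUpdateService == cryptoUpdateService) {
            this.cryptoUpdateService = null;
        }
    }
}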
