package org.forgerock.openidm.security.impl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.StringReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.forgerock.json.fluent.JsonValue;
import org.forgerock.json.resource.InternalServerErrorException;
import org.forgerock.json.resource.NotFoundException;
import org.forgerock.json.resource.Requests;
import org.forgerock.json.resource.Resource;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.json.resource.UpdateRequest;
import org.forgerock.openidm.core.IdentityServer;
import org.forgerock.openidm.crypto.CryptoService;
import org.forgerock.openidm.crypto.factory.CryptoServiceFactory;
import org.forgerock.openidm.repo.RepositoryService;
import org.forgerock.openidm.security.KeyStoreHandler;
import org.forgerock.openidm.security.KeyStoreManager;
import org.forgerock.openidm.util.DateUtil;
import org.forgerock.util.encode.Base64;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openidm/security/impl/SecurityResourceProvider.class */
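public class SecurityResourceProvider {
    private static final Logger logger = LoggerFactory.getLogger(SecurityResourceProvider.class);
    /** JCA provider name under which BouncyCastle is registered. */
    public static final String BC = BouncyCastleProvider.PROVIDER_NAME;
    public static final String ACTION_GENERATE_CERT = "generateCert";
    public static final String ACTION_GENERATE_CSR = "generateCSR";
    public static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA512WithRSAEncryption";
    public static final String DEFAULT_ALGORITHM = "RSA";
    public static final String DEFAULT_CERTIFICATE_TYPE = "X509";
    public static final int DEFAULT_KEY_SIZE = 2048;
    /** Repository container in which encrypted key pairs are stored. */
    public static final String KEYS_CONTAINER = "security/keys";

    /** Placeholder value for subject attributes the caller did not supply. */
    private static final String UNSPECIFIED_RDN = "None";
    /** Default 'notBefore' is this far in the past (30 days), tolerating clock skew between hosts. */
    private static final long DEFAULT_NOT_BEFORE_OFFSET_MILLIS = 30L * 24 * 60 * 60 * 1000;
    /** Default validity, in years from now, when no 'validTo' is supplied. */
    private static final int DEFAULT_VALIDITY_YEARS = 10;

    protected KeyStoreHandler store;
    protected KeyStoreManager manager;
    protected RepositoryService repoService;
    protected String resourceName;
    /** Alias of the key used by the crypto service to wrap stored key pairs. */
    private String cryptoAlias = IdentityServer.getInstance().getProperty("openidm.config.crypto.alias");
    // CBC gives confidentiality only; the stored key-pair blob carries no integrity tag from this cipher.
    private String cryptoCipher = "AES/CBC/PKCS5Padding";
    /** "standalone" instances keep their keystore on disk only; other types also persist it to the repo. */
    private String instanceType = IdentityServer.getInstance().getProperty("openidm.instance.type", "standalone");

    /**
     * Creates a provider bound to one keystore.
     *
     * @param str name of the resource (and repository object) this provider manages
     * @param keyStoreHandler handler giving access to the backing keystore, its type, password and location
     * @param keyStoreManager manager for the keystore
     * @param repositoryService repository used to persist key pairs and the serialized store
     */
    public SecurityResourceProvider(String str, KeyStoreHandler keyStoreHandler, KeyStoreManager keyStoreManager, RepositoryService repositoryService) {
        this.store = keyStoreHandler;
        this.resourceName = str;
        this.manager = keyStoreManager;
        this.repoService = repositoryService;
    }

    /**
     * PEM-encodes a BouncyCastle-supported object (key, key pair, certificate, CSR).
     *
     * @param obj object understood by {@link PEMWriter}
     * @return the PEM text
     * @throws Exception if the object cannot be encoded
     */
    protected String toPem(Object obj) throws Exception {
        StringWriter out = new StringWriter();
        PEMWriter writer = new PEMWriter(out);
        try {
            writer.writeObject(obj);
            writer.flush();
        } finally {
            // PEMWriter is a BufferedWriter; closing it flushes any buffered tail into 'out'.
            writer.close();
        }
        return out.toString();
    }

    /**
     * Parses the first PEM object in {@code str}.
     *
     * @param <T> type the caller expects; the cast is unchecked and fails at the call site on mismatch
     * @param str PEM text
     * @return the decoded object, or {@code null} when the reader finds no object
     * @throws Exception if the PEM text cannot be parsed
     */
    @SuppressWarnings("unchecked")
    public <T> T fromPem(String str) throws Exception {
        PEMReader reader = new PEMReader(new StringReader(str));
        try {
            return (T) reader.readObject();
        } finally {
            reader.close();
        }
    }

    /**
     * Parses a PEM-encoded X.509 certificate.
     *
     * @param str PEM text
     * @param str2 certificate type requested by the caller; currently unused, only X.509 is accepted
     * @return the certificate
     * @throws Exception a 400 {@link ResourceException} if the PEM does not hold an X.509 certificate
     */
    public Certificate readCertificate(String str, String str2) throws Exception {
        Object parsed = fromPem(str);
        if (parsed instanceof X509Certificate) {
            return (X509Certificate) parsed;
        }
        throw ResourceException.getException(400, "Unsupported certificate format");
    }

    /**
     * Parses each PEM string of {@code list} with {@link #readCertificate(String, String)}.
     *
     * @param list PEM strings, leaf first as supplied by the caller; {@code null} is treated as empty
     * @param str certificate type passed through to {@link #readCertificate(String, String)}
     * @return certificates in the same order as the input
     * @throws Exception if any element is not a valid X.509 certificate
     */
    public Certificate[] readCertificateChain(List<String> list, String str) throws Exception {
        if (list == null) {
            return new Certificate[0];
        }
        Certificate[] chain = new Certificate[list.size()];
        int index = 0;
        for (String pem : list) {
            chain[index++] = readCertificate(pem, str);
        }
        return chain;
    }

    /**
     * Builds the JSON view of a certificate: id, type, PEM text, public key, and for X.509
     * certificates the issuer attributes and validity window.
     *
     * @param str resource id to report as {@code _id}
     * @param certificate certificate to describe
     * @return the JSON representation
     * @throws Exception if PEM encoding fails
     */
    public JsonValue returnCertificate(String str, Certificate certificate) throws Exception {
        JsonValue result = new JsonValue(new LinkedHashMap<String, Object>());
        result.put("_id", str);
        result.put("type", certificate.getType());
        result.put("cert", getCertString(certificate));
        result.put("publicKey", getKeyMap(certificate.getPublicKey()));
        if (certificate instanceof X509Certificate) {
            X509Certificate x509 = (X509Certificate) certificate;
            Map<String, Object> issuer = new HashMap<String, Object>();
            X500Name issuerName = X500Name.getInstance(PrincipalUtil.getIssuerX509Principal(x509));
            addAttributeToIssuer(issuer, issuerName, "C", BCStyle.C);
            addAttributeToIssuer(issuer, issuerName, "ST", BCStyle.ST);
            addAttributeToIssuer(issuer, issuerName, "L", BCStyle.L);
            addAttributeToIssuer(issuer, issuerName, "OU", BCStyle.OU);
            addAttributeToIssuer(issuer, issuerName, "O", BCStyle.O);
            addAttributeToIssuer(issuer, issuerName, "CN", BCStyle.CN);
            result.put("issuer", issuer);
            result.put("notBefore", x509.getNotBefore());
            result.put("notAfter", x509.getNotAfter());
        }
        return result;
    }

    /**
     * Builds the JSON view of a certificate signing request: id, PEM text and public key.
     *
     * @param str resource id to report as {@code _id}
     * @param pKCS10CertificationRequest the CSR
     * @return the JSON representation
     * @throws Exception if PEM encoding fails
     */
    public JsonValue returnCertificateRequest(String str, PKCS10CertificationRequest pKCS10CertificationRequest) throws Exception {
        JsonValue result = new JsonValue(new LinkedHashMap<String, Object>());
        result.put("_id", str);
        result.put("csr", getCertString(pKCS10CertificationRequest));
        result.put("publicKey", getKeyMap(pKCS10CertificationRequest.getPublicKey()));
        return result;
    }

    /**
     * Builds the JSON view of a key. Private keys appear under {@code privateKey}, secret keys under
     * {@code secret}; any other key type yields only the id.
     * <p>
     * The key map contains the PEM encoding of the key itself (see {@link #getKeyMap(Key)}), so the
     * result exposes private key material and must only be returned to callers authorized to read it.
     *
     * @param str resource id to report as {@code _id}
     * @param key key to describe
     * @return the JSON representation
     * @throws Exception if PEM encoding fails
     */
    public JsonValue returnKey(String str, Key key) throws Exception {
        JsonValue result = new JsonValue(new LinkedHashMap<String, Object>());
        result.put("_id", str);
        if (key instanceof PrivateKey) {
            result.put("privateKey", getKeyMap(key));
        } else if (key instanceof SecretKey) {
            result.put("secret", getKeyMap(key));
        }
        return result;
    }

    /**
     * Describes a key as algorithm, encoding format and PEM text.
     *
     * @param key key to describe
     * @return map with {@code algorithm}, {@code format} and {@code encoded} entries
     * @throws Exception if PEM encoding fails
     */
    public Map<String, Object> getKeyMap(Key key) throws Exception {
        Map<String, Object> description = new HashMap<String, Object>();
        description.put("algorithm", key.getAlgorithm());
        description.put("format", key.getFormat());
        description.put("encoded", toPem(key));
        return description;
    }

    /**
     * PEM-encodes a certificate or CSR. Equivalent to {@link #toPem(Object)}.
     *
     * @param obj object understood by {@link PEMWriter}
     * @return the PEM text
     * @throws Exception if the object cannot be encoded
     */
    protected String getCertString(Object obj) throws Exception {
        return toPem(obj);
    }

    /**
     * Generates a self-signed certificate whose subject has only a common name; the other
     * subject attributes are set to {@value #UNSPECIFIED_RDN}.
     *
     * @param str common name (CN)
     * @param str2 key-pair algorithm, e.g. {@link #DEFAULT_ALGORITHM}
     * @param i key size in bits
     * @param str3 signature algorithm, e.g. {@link #DEFAULT_SIGNATURE_ALGORITHM}
     * @param str4 'validFrom' date text, or {@code null} for the default
     * @param str5 'validTo' date text, or {@code null} for the default
     * @return the certificate and its private key
     * @throws Exception if key generation, signing or date parsing fails
     */
    public Pair<X509Certificate, PrivateKey> generateCertificate(String str, String str2, int i, String str3, String str4, String str5) throws Exception {
        return generateCertificate(str, UNSPECIFIED_RDN, UNSPECIFIED_RDN, UNSPECIFIED_RDN, UNSPECIFIED_RDN, UNSPECIFIED_RDN, str2, i, str3, str4, str5);
    }

    /**
     * Generates a key pair and a self-signed X.509 v3 certificate over it.
     *
     * @param str common name (CN)
     * @param str2 organization (O)
     * @param str3 organizational unit (OU)
     * @param str4 state or province (ST)
     * @param str5 country (C)
     * @param str6 locality (L)
     * @param str7 key-pair algorithm
     * @param i key size in bits
     * @param str8 signature algorithm
     * @param str9 'validFrom' date text, or {@code null} for 30 days before now
     * @param str10 'validTo' date text, or {@code null} for 10 years from now
     * @return the certificate and its private key
     * @throws InternalServerErrorException if a supplied date text cannot be parsed
     * @throws Exception if key generation, signing or the post-generation self-check fails
     */
    public Pair<X509Certificate, PrivateKey> generateCertificate(String str, String str2, String str3, String str4, String str5, String str6, String str7, int i, String str8, String str9, String str10) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(str7);
        generator.initialize(i);
        KeyPair keyPair = generator.generateKeyPair();

        X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
        nameBuilder.addRDN(BCStyle.C, str5);
        nameBuilder.addRDN(BCStyle.ST, str4);
        nameBuilder.addRDN(BCStyle.L, str6);
        nameBuilder.addRDN(BCStyle.OU, str3);
        nameBuilder.addRDN(BCStyle.O, str2);
        nameBuilder.addRDN(BCStyle.CN, str);
        // Self-signed: the same name is both issuer and subject.
        X500Name name = nameBuilder.build();

        Date notBefore = resolveValidityDate(str9, defaultNotBefore(), "Invalid date format for 'validFrom' property");
        Date notAfter = resolveValidityDate(str10, defaultNotAfter(), "Invalid date format for 'validTo' property");

        // Serial is the wall-clock millisecond: unique enough for a self-signed cert, but not random.
        BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, keyPair.getPublic());
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC)
                .getCertificate(certBuilder.build(new JcaContentSignerBuilder(str8).setProvider(BC).build(keyPair.getPrivate())));

        // Self-check: the new certificate must be currently valid and verify under its own key.
        certificate.checkValidity(new Date());
        certificate.verify(certificate.getPublicKey());
        return Pair.of(certificate, keyPair.getPrivate());
    }

    /** Default 'notBefore': {@value #DEFAULT_NOT_BEFORE_OFFSET_MILLIS} ms before now. */
    private Date defaultNotBefore() {
        return new Date(System.currentTimeMillis() - DEFAULT_NOT_BEFORE_OFFSET_MILLIS);
    }

    /** Default 'notAfter': {@value #DEFAULT_VALIDITY_YEARS} years from now. */
    private Date defaultNotAfter() {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(new Date());
        calendar.add(Calendar.YEAR, DEFAULT_VALIDITY_YEARS);
        return calendar.getTime();
    }

    /**
     * Returns {@code fallback} when {@code value} is null, otherwise the parsed date.
     *
     * @param value date text supplied by the caller, may be {@code null}
     * @param fallback date to use when no text was supplied
     * @param errorMessage message for the 500 raised when the text does not parse
     * @return the resolved date
     * @throws InternalServerErrorException if {@code value} is non-null but unparseable
     */
    private Date resolveValidityDate(String value, Date fallback, String errorMessage) throws InternalServerErrorException {
        if (value == null) {
            return fallback;
        }
        DateTime parsed = DateUtil.getDateUtil().parseIfDate(value);
        if (parsed == null) {
            throw new InternalServerErrorException(errorMessage);
        }
        return parsed.toDate();
    }

    /**
     * Generates a key pair and a PKCS#10 certificate signing request for it, and stores the
     * key pair (encrypted) in the repository under {@code str}.
     * <p>
     * Subject attributes are read from {@code jsonValue}: {@code CN} is required, the others
     * default to {@value #UNSPECIFIED_RDN}.
     *
     * @param str alias under which the generated key pair is stored
     * @param str2 key-pair algorithm
     * @param str3 signature algorithm for the CSR
     * @param i key size in bits
     * @param jsonValue subject attributes (CN, OU, O, L, ST, C)
     * @return the CSR and the generated private key
     * @throws Exception if key generation, CSR signing or storing the key pair fails
     */
    public Pair<PKCS10CertificationRequest, PrivateKey> generateCSR(String str, String str2, String str3, int i, JsonValue jsonValue) throws Exception {
        StringBuilder dn = new StringBuilder();
        dn.append("CN=").append(escapeDnValue(jsonValue.get("CN").required().asString()));
        appendOptionalRdn(dn, "OU", jsonValue);
        appendOptionalRdn(dn, "O", jsonValue);
        appendOptionalRdn(dn, "L", jsonValue);
        appendOptionalRdn(dn, "ST", jsonValue);
        appendOptionalRdn(dn, "C", jsonValue);
        X509Principal subject = new X509Principal(dn.toString());

        KeyPairGenerator generator = KeyPairGenerator.getInstance(str2);
        generator.initialize(i);
        KeyPair keyPair = generator.generateKeyPair();
        PublicKey publicKey = keyPair.getPublic();
        PrivateKey privateKey = keyPair.getPrivate();
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(str3, subject, publicKey, (ASN1Set) null, privateKey);

        logger.debug("Storing private key with alias {}", str);
        storeKeyPair(str, keyPair);
        return Pair.of(csr, privateKey);
    }

    /**
     * Appends {@code , ATTR=value} to {@code dn}, reading the attribute from {@code subject}
     * and defaulting to {@value #UNSPECIFIED_RDN} when absent.
     */
    private void appendOptionalRdn(StringBuilder dn, String attribute, JsonValue subject) {
        String value = subject.get(attribute).defaultTo(UNSPECIFIED_RDN).asString();
        dn.append(", ").append(attribute).append('=').append(escapeDnValue(value));
    }

    /**
     * Escapes a DN attribute value for the string form parsed by {@link X509Principal}.
     * <p>
     * NOTE(review): only ',' is escaped. Other RFC 2253 specials ('+', '=', '"', '\', ';', '<', '>')
     * pass through unchanged, so a value containing them can alter how the DN is parsed — confirm
     * that callers validate subject attributes before they reach this point.
     *
     * @param value raw attribute value
     * @return value with each ',' replaced by '\,'
     */
    private String escapeDnValue(String value) {
        return value.replace(",", "\\,");
    }

    /**
     * Encrypts the PEM form of {@code keyPair} with the configured crypto alias and stores it in
     * {@link #KEYS_CONTAINER} under {@code str}.
     *
     * @param str alias (repository object id)
     * @param keyPair key pair to persist
     * @throws ResourceException repository errors are passed through; any other failure is wrapped as a 500
     */
    protected void storeKeyPair(String str, KeyPair keyPair) throws ResourceException {
        try {
            JsonValue plain = new JsonValue(new HashMap<String, Object>());
            plain.put("value", toPem(keyPair));
            JsonValue encrypted = getCryptoService().encrypt(plain, this.cryptoCipher, this.cryptoAlias);
            JsonValue record = new JsonValue(new HashMap<String, Object>());
            record.put("keyPair", encrypted);
            storeInRepo(KEYS_CONTAINER, str, record);
        } catch (ResourceException e) {
            // Keep the repository's own status code rather than flattening it to 500.
            throw e;
        } catch (Exception e) {
            throw ResourceException.getException(500, e.getMessage(), e);
        }
    }

    /**
     * Reads the repository object at {@code str}.
     *
     * @param str full resource path
     * @return the object's content
     * @throws ResourceException if the read fails
     */
    protected JsonValue readFromRepo(String str) throws ResourceException {
        Resource resource = this.repoService.read(Requests.newReadRequest(str));
        return new JsonValue(resource.getContent());
    }

    /**
     * Creates or replaces the repository object {@code str2} in container {@code str}.
     * An existing object is updated against its current revision; a missing one is created.
     *
     * @param str container name
     * @param str2 object id
     * @param jsonValue new content
     * @throws ResourceException if the read, update or create fails
     */
    protected void storeInRepo(String str, String str2, JsonValue jsonValue) throws ResourceException {
        try {
            Resource existing = this.repoService.read(Requests.newReadRequest(str, str2));
            UpdateRequest update = Requests.newUpdateRequest(str, str2, jsonValue);
            update.setRevision(existing.getRevision());
            this.repoService.update(update);
        } catch (NotFoundException e) {
            logger.debug("creating object {}", str2);
            this.repoService.create(Requests.newCreateRequest(str, str2, jsonValue));
        }
    }

    /**
     * Loads and decrypts the key pair stored under {@code str} in {@link #KEYS_CONTAINER}.
     *
     * @param str alias (repository object id)
     * @return the decoded key pair
     * @throws ResourceException 404 if no content is stored; 500 if decryption or PEM decoding fails
     */
    public KeyPair getKeyPair(String str) throws ResourceException {
        Resource resource = this.repoService.read(Requests.newReadRequest(KEYS_CONTAINER + "/" + str));
        if (resource.getContent().isNull()) {
            throw ResourceException.getException(404, "Cannot find stored key for alias " + str);
        }
        try {
            JsonValue decrypted = getCryptoService().decrypt(resource.getContent().get("keyPair"));
            return (KeyPair) fromPem(decrypted.get("value").asString());
        } catch (Exception e) {
            throw ResourceException.getException(500, e.getMessage(), e);
        }
    }

    /**
     * Checks that {@code privateKey} corresponds to the public key in {@code certificate} by
     * signing a fixed challenge and verifying it with the certificate's key.
     *
     * @param privateKey candidate private key
     * @param certificate certificate whose public key must match
     * @throws ResourceException 400 if the keys do not match; 500 if the signature operations fail
     */
    public void verify(PrivateKey privateKey, Certificate certificate) throws ResourceException {
        PublicKey publicKey = certificate.getPublicKey();
        // Fixed challenge "ABCDEFGHIJ"; only the round-trip matters, not the content.
        byte[] challenge = {65, 66, 67, 68, 69, 70, 71, 72, 73, 74};
        try {
            // Uses the key algorithm name (e.g. "RSA") as the Signature algorithm — relies on the
            // installed provider accepting that alias; TODO confirm.
            Signature signer = Signature.getInstance(privateKey.getAlgorithm());
            signer.initSign(privateKey);
            signer.update(challenge);
            byte[] signed = signer.sign();

            Signature verifier = Signature.getInstance(publicKey.getAlgorithm());
            verifier.initVerify(publicKey);
            verifier.update(challenge);
            if (!verifier.verify(signed)) {
                throw ResourceException.getException(400, "Private key does not match signed certificate");
            }
        } catch (ResourceException e) {
            // Propagate the 400 mismatch as-is instead of re-wrapping it as a 500.
            throw e;
        } catch (Exception e) {
            throw ResourceException.getException(500, "Error verifying private key and signed certificate", e);
        }
    }

    /**
     * Persists the keystore to the repository unless this is a standalone instance.
     *
     * @throws ResourceException if persisting fails
     */
    public void saveStore() throws ResourceException {
        if ("standalone".equals(this.instanceType)) {
            return;
        }
        saveStoreToRepo();
    }

    /**
     * Replaces the in-memory keystore with the Base64 store bytes held in the repository object
     * {@code security/<resourceName>} under {@code storeString}.
     *
     * @throws ResourceException repository read errors pass through; keystore construction errors are wrapped as a 500
     */
    public void loadStoreFromRepo() throws ResourceException {
        String storeString = readFromRepo("security/" + this.resourceName).get("storeString").asString();
        if (storeString == null) {
            throw ResourceException.getException(500, "Stored keystore has no 'storeString' value");
        }
        ByteArrayInputStream in = new ByteArrayInputStream(Base64.decode(storeString.getBytes()));
        try {
            try {
                KeyStore keyStore = KeyStore.getInstance(this.store.getType());
                keyStore.load(in, this.store.getPassword().toCharArray());
                this.store.setStore(keyStore);
            } finally {
                in.close();
            }
        } catch (Exception e) {
            throw ResourceException.getException(500, "Error creating keystore from store bytes", e);
        }
    }

    /**
     * Reads the keystore file at the handler's location and stores its Base64 form in the
     * repository object {@code security/<resourceName>} under {@code storeString}.
     *
     * @throws ResourceException wrapped as a 500 if reading the file or storing fails
     */
    public void saveStoreToRepo() throws ResourceException {
        File file = new File(this.store.getLocation());
        try {
            String encoded = new String(Base64.encode(readFileFully(file)));
            JsonValue record = new JsonValue(new HashMap<String, Object>());
            record.add("storeString", encoded);
            storeInRepo("security", this.resourceName, record);
        } catch (Exception e) {
            throw ResourceException.getException(500, e.getMessage(), e);
        }
    }

    /**
     * Reads the whole of {@code file}. A single {@code read} may return fewer bytes than the
     * file length, so this loops until the buffer is full.
     *
     * @param file file to read
     * @return its complete contents
     * @throws Exception if the file is too large for a byte array, ends early, or cannot be read
     */
    private byte[] readFileFully(File file) throws Exception {
        long length = file.length();
        if (length > Integer.MAX_VALUE) {
            throw new InternalServerErrorException("Keystore file too large to load: " + file.getPath());
        }
        byte[] buffer = new byte[(int) length];
        FileInputStream in = new FileInputStream(file);
        try {
            int offset = 0;
            while (offset < buffer.length) {
                int read = in.read(buffer, offset, buffer.length - offset);
                if (read < 0) {
                    throw new InternalServerErrorException("Unexpected end of keystore file: " + file.getPath());
                }
                offset += read;
            }
        } finally {
            in.close();
        }
        return buffer;
    }

    /** The shared crypto service used to wrap and unwrap stored key pairs. */
    private CryptoService getCryptoService() {
        return CryptoServiceFactory.getInstance();
    }

    /**
     * Copies the first value of the {@code aSN1ObjectIdentifier} attribute of {@code x500Name}
     * into {@code map} under {@code str}; does nothing when the attribute is absent.
     *
     * @param map destination map
     * @param x500Name name to read from
     * @param str key to store the value under
     * @param aSN1ObjectIdentifier attribute type, e.g. {@link BCStyle#CN}
     * @throws Exception never thrown here; kept for signature compatibility
     */
    private void addAttributeToIssuer(Map<String, Object> map, X500Name x500Name, String str, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws Exception {
        RDN[] rdns = x500Name.getRDNs(aSN1ObjectIdentifier);
        if (rdns != null && rdns.length > 0) {
            map.put(str, rdns[0].getFirst().getValue().toString());
        }
    }
}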
