package org.wso2.carbon.certificate.mgt.core.impl;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.Selector;
import org.jscep.message.CertRep;
import org.jscep.message.MessageDecodingException;
import org.jscep.message.MessageEncodingException;
import org.jscep.message.PkcsPkiEnvelopeDecoder;
import org.jscep.message.PkcsPkiEnvelopeEncoder;
import org.jscep.message.PkiMessage;
import org.jscep.message.PkiMessageDecoder;
import org.jscep.message.PkiMessageEncoder;
import org.jscep.transaction.FailInfo;
import org.jscep.transaction.Nonce;
import org.jscep.transaction.TransactionId;
import org.wso2.carbon.certificate.mgt.core.dao.CertificateDAO;
import org.wso2.carbon.certificate.mgt.core.dao.CertificateManagementDAOException;
import org.wso2.carbon.certificate.mgt.core.dao.CertificateManagementDAOFactory;
import org.wso2.carbon.certificate.mgt.core.dto.CAStatus;
import org.wso2.carbon.certificate.mgt.core.dto.CertificateResponse;
import org.wso2.carbon.certificate.mgt.core.dto.SCEPResponse;
import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
import org.wso2.carbon.certificate.mgt.core.exception.TransactionManagementException;
import org.wso2.carbon.certificate.mgt.core.util.CertificateManagementConstants;
import org.wso2.carbon.certificate.mgt.core.util.CommonUtil;
import org.wso2.carbon.certificate.mgt.core.util.Serializer;
import org.wso2.carbon.context.PrivilegedCarbonContext;

/* loaded from: input_file:org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.class */
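public class CertificateGenerator {
    private static final Log log = LogFactory.getLog(CertificateGenerator.class);

    /**
     * Returns the CN attribute of the subject of {@code x509Certificate}, or {@code null} when the subject
     * is empty or carries no CN.
     * <p>
     * The subject string is split on commas and {@code =}; escaped or quoted separators inside a value are
     * not handled here (contrast {@link #verifyCertificateDN(String)}, which parses with {@link LdapName}).
     *
     * @param x509Certificate certificate whose subject DN is inspected; must not be {@code null}
     * @return the CN value, or {@code null}
     */
    public static String getCommonName(X509Certificate x509Certificate) {
        String subject = x509Certificate.getSubjectDN().getName();
        if (subject == null || subject.isEmpty()) {
            return null;
        }
        for (String component : subject.split(",")) {
            if (!component.contains("CN=")) {
                continue;
            }
            String[] keyValue = component.split("=");
            // "CN=" with an empty value splits into a single element; guard instead of indexing past the end.
            if (keyValue.length > 1) {
                return keyValue[1];
            }
        }
        return null;
    }

    /**
     * Copies validity period, serial number, issuer, subject and version of a stored certificate blob
     * into {@code certificateResponse}. Does nothing when {@code bArr} is {@code null} or the blob is not
     * an {@link X509Certificate}.
     * <p>
     * NOTE(review): the blob is Java-deserialised ({@link Serializer#deserialize}); only bytes persisted by
     * this service (see {@link #saveCertInKeyStore(List)}) should ever reach this method.
     *
     * @param bArr                serialised {@link Certificate}, may be {@code null}
     * @param certificateResponse response to populate; must not be {@code null}
     * @throws CertificateManagementDAOException if the blob cannot be deserialised
     */
    public static void extractCertificateDetails(byte[] bArr, CertificateResponse certificateResponse)
            throws CertificateManagementDAOException {
        if (bArr == null) {
            return;
        }
        try {
            Certificate certificate = (Certificate) Serializer.deserialize(bArr);
            if (!(certificate instanceof X509Certificate)) {
                return;
            }
            X509Certificate x509Certificate = (X509Certificate) certificate;
            certificateResponse.setNotAfter(x509Certificate.getNotAfter().getTime());
            certificateResponse.setNotBefore(x509Certificate.getNotBefore().getTime());
            certificateResponse.setCertificateserial(x509Certificate.getSerialNumber());
            certificateResponse.setIssuer(x509Certificate.getIssuerDN().getName());
            certificateResponse.setSubject(x509Certificate.getSubjectDN().getName());
            certificateResponse.setCertificateVersion(x509Certificate.getVersion());
        } catch (IOException | ClassNotFoundException e) {
            throw new CertificateManagementDAOException("Error while during deserialization of the certificate.", e);
        }
    }

    /**
     * Parses the DER/PEM encoded CA and RA certificates and returns them as a two-element list,
     * CA first.
     *
     * @param bArr  encoded CA certificate
     * @param bArr2 encoded RA certificate
     * @return list holding the CA certificate followed by the RA certificate
     * @throws KeystoreException if either argument is {@code null} or does not parse as X.509
     */
    public List<X509Certificate> getRootCertificates(byte[] bArr, byte[] bArr2) throws KeystoreException {
        if (bArr == null) {
            throw new KeystoreException("CA certificate is mandatory");
        }
        if (bArr2 == null) {
            throw new KeystoreException("RA certificate is mandatory");
        }
        try (InputStream caStream = new ByteArrayInputStream(bArr);
             InputStream raStream = new ByteArrayInputStream(bArr2)) {
            CertificateFactory factory = CertificateFactory.getInstance(CertificateManagementConstants.X_509);
            List<X509Certificate> chain = new ArrayList<>(2);
            chain.add((X509Certificate) factory.generateCertificate(caStream));
            chain.add((X509Certificate) factory.generateCertificate(raStream));
            return chain;
        } catch (CertificateException e) {
            throw new KeystoreException("Error occurred while fetching root certificates", (Exception) e);
        } catch (IOException e) {
            // Only reachable from close(); ByteArrayInputStream.close() does not fail in practice.
            throw new KeystoreException("Error occurred while closing root certificate input streams", (Exception) e);
        }
    }

    /**
     * Generates a fresh RSA key pair and a self-signed certificate for
     * {@link CertificateManagementConstants#DEFAULT_PRINCIPAL}, verifies the certificate against its own
     * public key, persists it for the current tenant and returns it.
     * <p>
     * The private key is not returned and is not persisted by this method.
     *
     * @return the generated self-signed certificate
     * @throws KeystoreException on any key-generation, signing, verification or persistence failure
     */
    public X509Certificate generateX509Certificate() throws KeystoreException {
        CommonUtil commonUtil = new CommonUtil();
        Date validityStartDate = commonUtil.getValidityStartDate();
        Date validityEndDate = commonUtil.getValidityEndDate();
        ensureBouncyCastleProvider();
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(
                    CertificateManagementConstants.RSA, CertificateManagementConstants.PROVIDER);
            keyPairGenerator.initialize(CertificateManagementConstants.RSA_KEY_LENGTH, new SecureRandom());
            KeyPair keyPair = keyPairGenerator.generateKeyPair();

            // Issuer and subject are the same principal: this is a self-signed certificate.
            X500Principal principal = new X500Principal(CertificateManagementConstants.DEFAULT_PRINCIPAL);
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(principal,
                    CommonUtil.generateSerialNumber(), validityStartDate, validityEndDate, principal,
                    keyPair.getPublic());
            X509CertificateHolder holder = builder.build(
                    new JcaContentSignerBuilder(CertificateManagementConstants.SHA256_RSA)
                            .setProvider(CertificateManagementConstants.PROVIDER)
                            .build(keyPair.getPrivate()));
            X509Certificate certificate = new JcaX509CertificateConverter()
                    .setProvider(CertificateManagementConstants.PROVIDER)
                    .getCertificate(holder);

            // Self-check: the signature must validate with the embedded public key.
            certificate.verify(certificate.getPublicKey());
            persistCertificate(certificate);
            return certificate;
        } catch (CertificateExpiredException e) {
            // Subclasses of CertificateException must be caught before their parent.
            throw new KeystoreException("Certificate expired after generating certificate", (Exception) e);
        } catch (CertificateNotYetValidException e) {
            throw new KeystoreException("Certificate not yet valid when generating certificate", (Exception) e);
        } catch (CertificateException e) {
            throw new KeystoreException("Certificate issue occurred when generating certificate", (Exception) e);
        } catch (OperatorCreationException e) {
            throw new KeystoreException("Issue in operator creation when generating certificate", (Exception) e);
        } catch (InvalidKeyException e) {
            throw new KeystoreException("Invalid key used when generating certificate", (Exception) e);
        } catch (NoSuchAlgorithmException e) {
            throw new KeystoreException("No such algorithm found when generating certificate", (Exception) e);
        } catch (NoSuchProviderException e) {
            throw new KeystoreException("No such provider found when generating certificate", (Exception) e);
        } catch (SignatureException e) {
            throw new KeystoreException("Signature related issue occurred when generating certificate", (Exception) e);
        }
    }

    /**
     * Handles a SCEP PKCSReq: decodes the signed/enveloped request with the RA key, issues a certificate
     * for the contained CSR with the CA key and returns the encoded CertRep carrying the new certificate.
     * <p>
     * NOTE(review): the signer certificate used to verify the request is the one embedded in the
     * request itself, so the signature check only proves self-consistency; authenticating the enrolment
     * (e.g. via the challenge password) must happen in the calling flow — confirm.
     *
     * @param inputStream raw CMS SignedData of the SCEP request
     * @return DER-encoded CertRep PKI message
     * @throws KeystoreException if the request carries no signer certificate or no CSR, or on any
     *                           CMS, certificate, I/O or SCEP encoding/decoding failure
     */
    public byte[] getPKIMessage(InputStream inputStream) throws KeystoreException {
        try {
            CMSSignedData signedData = new CMSSignedData(inputStream);
            X509Certificate clientCertificate = firstEmbeddedCertificate(signedData);
            if (clientCertificate == null) {
                throw new KeystoreException("PKI message does not carry a signer certificate");
            }
            KeyStoreReader keyStoreReader = new KeyStoreReader();
            PrivateKey raPrivateKey = keyStoreReader.getRAPrivateKey();
            PrivateKey caPrivateKey = keyStoreReader.getCAPrivateKey();
            X509Certificate raCertificate = (X509Certificate) keyStoreReader.getRACertificate();
            X509Certificate caCertificate = (X509Certificate) keyStoreReader.getCACertificate();

            PkiMessage request = new PkiMessageDecoder(clientCertificate,
                    new PkcsPkiEnvelopeDecoder(raCertificate, raPrivateKey)).decode(signedData);
            Object messageData = request.getMessageData();
            if (!(messageData instanceof PKCS10CertificationRequest)) {
                throw new KeystoreException("PKI message does not contain a certificate request");
            }
            TransactionId transactionId = request.getTransactionId();
            // Our fresh nonce becomes the reply's senderNonce; the client's senderNonce is echoed as recipientNonce.
            Nonce serverNonce = Nonce.nextNonce();
            Nonce clientNonce = request.getSenderNonce();

            // NOTE(review): the issuer DN is taken from the CA certificate's *issuer* field, which equals its
            // subject only for a self-signed CA — confirm this is intended.
            X509Certificate issued = generateCertificateFromCSR(caPrivateKey,
                    (PKCS10CertificationRequest) messageData,
                    caCertificate.getIssuerX500Principal().getName());
            List<X509Certificate> issuedCertificates = new ArrayList<>(1);
            issuedCertificates.add(issued);
            CertRep reply = new CertRep(transactionId, serverNonce, clientNonce, getMessageData(issuedCertificates));

            PkiMessageEncoder encoder = new PkiMessageEncoder(raPrivateKey, raCertificate,
                    new PkcsPkiEnvelopeEncoder(clientCertificate, CertificateManagementConstants.DES_EDE));
            return encoder.encode(reply).getEncoded();
        } catch (CertificateException e) {
            throw new KeystoreException("Certificate issue occurred when generating getPKIMessage", (Exception) e);
        } catch (CMSException e) {
            throw new KeystoreException("CMS issue occurred when generating getPKIMessage", (Exception) e);
        } catch (IOException e) {
            throw new KeystoreException("Input output issue occurred when generating getPKIMessage", (Exception) e);
        } catch (MessageEncodingException e) {
            throw new KeystoreException("Message encoding issue occurred when generating getPKIMessage", (Exception) e);
        } catch (MessageDecodingException e) {
            throw new KeystoreException("Message decoding issue occurred when generating getPKIMessage", (Exception) e);
        }
    }

    /**
     * Returns {@code true} when {@link #extractCertificateFromSignature(String)} finds a stored
     * certificate for the given CMS blob. Despite the name, the CMS signature itself is not
     * cryptographically verified by that method; see its documentation.
     *
     * @param str base64 CMS SignedData
     * @return whether a matching stored certificate exists
     * @throws KeystoreException on decoding or keystore failures
     */
    public boolean verifySignature(String str) throws KeystoreException {
        return extractCertificateFromSignature(str) != null;
    }

    /**
     * Looks up the stored certificate whose serial equals the CN of the given certificate's subject.
     * No signature or chain validation is performed in this method.
     *
     * @param x509Certificate certificate whose subject CN is used as the lookup key
     * @return the stored certificate response, as returned by the keystore reader
     * @throws IllegalArgumentException if {@code x509Certificate} is {@code null}
     * @throws KeystoreException        on keystore failures
     */
    public CertificateResponse verifyPEMSignature(X509Certificate x509Certificate) throws KeystoreException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("Certificate of which the signature needs to be validated cannot be null");
        }
        return new KeyStoreReader().getCertificateBySerial(getCommonName(x509Certificate));
    }

    /**
     * Parses {@code str} as an LDAP distinguished name and looks up the stored certificate whose serial
     * equals the value of its CN attribute.
     *
     * @param str distinguished name; {@code null} or empty yields {@code null}
     * @return the matching certificate response, or {@code null} when there is no CN
     * @throws KeystoreException if the DN cannot be parsed or the keystore lookup fails
     */
    public CertificateResponse verifyCertificateDN(String str) throws KeystoreException {
        KeyStoreReader keyStoreReader = new KeyStoreReader();
        if (str == null || str.isEmpty()) {
            return null;
        }
        try {
            for (Rdn rdn : new LdapName(str).getRdns()) {
                if (!rdn.getType().equalsIgnoreCase("CN")) {
                    continue;
                }
                if (log.isDebugEnabled()) {
                    log.debug("CN is: " + rdn.getValue());
                }
                return keyStoreReader.getCertificateBySerial(String.valueOf(rdn.getValue()));
            }
            return null;
        } catch (InvalidNameException e) {
            throw new KeystoreException("Invalid name exception while trying to create a LDAP name using the distinguished name ", (Exception) e);
        }
    }

    /**
     * Decodes a base64 encoded DER certificate into an {@link X509Certificate}. No PEM armour lines
     * are stripped here; the caller is expected to pass the base64 body only.
     *
     * @param str base64 encoded certificate
     * @return the parsed certificate
     * @throws KeystoreException if {@code str} is {@code null} or does not decode to an X.509 certificate
     */
    public X509Certificate pemToX509Certificate(String str) throws KeystoreException {
        if (str == null) {
            throw new KeystoreException("Certificate content cannot be null");
        }
        byte[] der = Base64.decodeBase64(str.getBytes(StandardCharsets.UTF_8));
        try (InputStream in = new ByteArrayInputStream(der)) {
            return (X509Certificate) CertificateFactory.getInstance(CertificateManagementConstants.X_509)
                    .generateCertificate(in);
        } catch (CertificateException e) {
            log.error("Certificate issue occurred when generating converting PEM to x509Certificate", e);
            throw new KeystoreException("Certificate issue occurred when generating converting PEM to x509Certificate", (Exception) e);
        } catch (IOException e) {
            throw new KeystoreException("Error closing Certificate input stream", (Exception) e);
        }
    }

    /**
     * Extracts the first certificate embedded in a base64 CMS SignedData blob and returns the stored
     * certificate registered under that certificate's serial number.
     * <p>
     * NOTE(review): the CMS structure is only parsed; its signature is never verified here. Trust comes
     * solely from the serial-number lookup in the keystore.
     *
     * @param str base64 CMS SignedData; {@code null} or empty yields {@code null}
     * @return the stored {@link X509Certificate} for the embedded certificate's serial, or {@code null} when
     *         the blob carries no certificate, the serial is absent, or nothing is stored under it
     * @throws KeystoreException on I/O, certificate or CMS parsing failures
     */
    public X509Certificate extractCertificateFromSignature(String str) throws KeystoreException {
        if (str == null || str.isEmpty()) {
            return null;
        }
        try {
            CMSSignedData signedData = new CMSSignedData(Base64.decodeBase64(str.getBytes(StandardCharsets.UTF_8)));
            X509Certificate embedded = firstEmbeddedCertificate(signedData);
            if (embedded == null || embedded.getSerialNumber() == null) {
                return null;
            }
            Certificate stored = new KeyStoreReader().getCertificateByAlias(embedded.getSerialNumber().toString());
            return stored instanceof X509Certificate ? (X509Certificate) stored : null;
        } catch (IOException e) {
            throw new KeystoreException("IOException when decoding certificate signature", (Exception) e);
        } catch (CertificateException e) {
            throw new KeystoreException("CertificateException when decoding certificate signature", (Exception) e);
        } catch (CMSException e) {
            throw new KeystoreException("CMSException when decoding certificate signature", (Exception) e);
        }
    }

    /**
     * Issues a certificate for the public key in {@code pKCS10CertificationRequest}, signed with
     * {@code privateKey}, persists it for the current tenant and returns it.
     * <p>
     * The subject of the issued certificate is always {@link CertificateManagementConstants#DEFAULT_PRINCIPAL};
     * the CSR subject is only consulted for the serial number (see {@link #selectSerialNumber(X500Name)}).
     * Key usage is fixed to digitalSignature + keyEncipherment, and a challengePassword attribute from the
     * CSR, if present, is copied into a critical extension of the certificate.
     * <p>
     * NOTE(review): the CSR signature (proof of possession of the private key) is not checked in this
     * method; the request must have been authenticated by the caller.
     *
     * @param privateKey                   issuing key
     * @param pKCS10CertificationRequest   CSR supplying public key, subject and attributes
     * @param str                          issuer distinguished name
     * @return the issued certificate
     * @throws KeystoreException on extension, signing, conversion or persistence failures
     */
    public X509Certificate generateCertificateFromCSR(PrivateKey privateKey,
            PKCS10CertificationRequest pKCS10CertificationRequest, String str) throws KeystoreException {
        CommonUtil commonUtil = new CommonUtil();
        Date validityStartDate = commonUtil.getValidityStartDate();
        Date validityEndDate = commonUtil.getValidityEndDate();
        X500Name subject = new X500Name(CertificateManagementConstants.DEFAULT_PRINCIPAL);
        BigInteger serialNumber = selectSerialNumber(pKCS10CertificationRequest.getSubject());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(new X500Name(str), serialNumber,
                validityStartDate, validityEndDate, subject, pKCS10CertificationRequest.getSubjectPublicKeyInfo());
        try {
            // 128 | 32 == 160, the literal the original code used.
            builder.addExtension(X509Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
            Attribute[] attributes = pKCS10CertificationRequest.getAttributes();
            ASN1Encodable challengePassword = attributes == null ? null : getChallengePassword(attributes);
            if (challengePassword != null) {
                builder.addExtension(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, true, challengePassword);
            }
            X509CertificateHolder holder = builder.build(
                    new JcaContentSignerBuilder(CertificateManagementConstants.SHA256_RSA)
                            .setProvider(CertificateManagementConstants.PROVIDER)
                            .build(privateKey));
            X509Certificate certificate = new JcaX509CertificateConverter()
                    .setProvider(CertificateManagementConstants.PROVIDER)
                    .getCertificate(holder);
            persistCertificate(certificate);
            return certificate;
        } catch (CertIOException e) {
            throw new KeystoreException("Certificate Input output issue occurred when generating generateCertificateFromCSR", (Exception) e);
        } catch (CertificateException e) {
            throw new KeystoreException("Certificate issue occurred when generating generateCertificateFromCSR", (Exception) e);
        } catch (OperatorCreationException e) {
            throw new KeystoreException("Operator creation issue occurred when generating generateCertificateFromCSR", (Exception) e);
        }
    }

    /**
     * Chooses the serial number for a certificate issued from a CSR: the {@code String.hashCode()} of the
     * subject's UNIQUE_IDENTIFIER RDN if present, else of its SERIALNUMBER RDN, else a freshly generated
     * serial.
     * <p>
     * NOTE(review): a hash code can be zero or negative and collides easily, so serials derived this way
     * are neither unique nor guaranteed positive as RFC 5280 requires. Kept unchanged because lookups
     * elsewhere in this class key on the serial number.
     *
     * @param subject CSR subject
     * @return the serial number to issue
     */
    private static BigInteger selectSerialNumber(X500Name subject) {
        if (subject.getRDNs(BCStyle.UNIQUE_IDENTIFIER).length != 0) {
            return BigInteger.valueOf(subject.getRDNs(BCStyle.UNIQUE_IDENTIFIER)[0]
                    .getFirst().getValue().toString().hashCode());
        }
        if (subject.getRDNs(BCStyle.SERIALNUMBER).length != 0) {
            return BigInteger.valueOf(subject.getRDNs(BCStyle.SERIALNUMBER)[0]
                    .getFirst().getValue().toString().hashCode());
        }
        return CommonUtil.generateSerialNumber();
    }

    /**
     * Registers the Bouncy Castle provider once; repeated registration is skipped.
     */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Wraps {@code certificate} in the persistence bean for the current tenant and stores it.
     *
     * @param certificate certificate to persist
     * @throws KeystoreException if persistence fails
     */
    private void persistCertificate(X509Certificate certificate) throws KeystoreException {
        org.wso2.carbon.certificate.mgt.core.bean.Certificate bean =
                new org.wso2.carbon.certificate.mgt.core.bean.Certificate();
        bean.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
        bean.setCertificate(certificate);
        List<org.wso2.carbon.certificate.mgt.core.bean.Certificate> certificates = new ArrayList<>(1);
        certificates.add(bean);
        saveCertInKeyStore(certificates);
    }

    /**
     * Returns the first certificate carried in the CMS SignedData, converted to a JCA
     * {@link X509Certificate}, or {@code null} when the structure carries none. No signature is checked.
     *
     * @param signedData parsed CMS structure
     * @return first embedded certificate, or {@code null}
     * @throws CertificateException if the embedded certificate cannot be converted
     * @throws IOException          if the embedded certificate cannot be re-encoded
     */
    private static X509Certificate firstEmbeddedCertificate(CMSSignedData signedData)
            throws CertificateException, IOException {
        Collection<?> matches = signedData.getCertificates().getMatches((Selector) null);
        if (matches == null || matches.isEmpty()) {
            return null;
        }
        X509CertificateHolder holder = (X509CertificateHolder) matches.iterator().next();
        return (X509Certificate) CertificateFactory.getInstance(CertificateManagementConstants.X_509)
                .generateCertificate(new ByteArrayInputStream(holder.getEncoded()));
    }

    /**
     * Returns the first value of the PKCS#9 challengePassword attribute, or {@code null} when absent or empty.
     *
     * @param attributeArr CSR attributes; must not be {@code null}
     * @return the challenge password value, or {@code null}
     */
    private ASN1Encodable getChallengePassword(Attribute[] attributeArr) {
        for (Attribute attribute : attributeArr) {
            boolean isChallengePassword =
                    PKCSObjectIdentifiers.pkcs_9_at_challengePassword.equals(attribute.getAttrType());
            if (isChallengePassword && attribute.getAttrValues() != null && attribute.getAttrValues().size() > 0) {
                return attribute.getAttrValues().getObjectAt(0);
            }
        }
        return null;
    }

    /**
     * Builds a degenerate (content-less) CMS SignedData carrying the given certificates, the form used to
     * return issued certificates in a SCEP CertRep.
     *
     * @param list certificates to embed
     * @return the CMS structure
     * @throws KeystoreException on CMS or certificate-encoding failures
     */
    private CMSSignedData getMessageData(List<X509Certificate> list) throws KeystoreException {
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        try {
            generator.addCertificates(new JcaCertStore(list));
            return generator.generate(new CMSAbsentContent());
        } catch (CMSException e) {
            throw new KeystoreException("Message decoding issue occurred when generating getMessageData", (Exception) e);
        } catch (CertificateEncodingException e) {
            throw new KeystoreException("Certificate encoding issue occurred when generating getMessageData", (Exception) e);
        }
    }

    /**
     * Builds the SCEP GetCACert response from the stored CA and RA certificates: a bare DER certificate
     * when only one is available, otherwise a degenerate CMS SignedData holding both.
     * <p>
     * {@link #getRootCertificates(byte[], byte[])} returns either two certificates or throws, so the
     * zero- and one-certificate branches are defensive.
     *
     * @return response with result criteria and encoded payload
     * @throws KeystoreException on CMS, I/O or encoding failures
     */
    public SCEPResponse getCACert() throws KeystoreException {
        try {
            SCEPResponse response = new SCEPResponse();
            KeyStoreReader keyStoreReader = new KeyStoreReader();
            List<X509Certificate> rootCertificates = getRootCertificates(
                    keyStoreReader.getCACertificate().getEncoded(),
                    keyStoreReader.getRACertificate().getEncoded());
            byte[] encoded;
            if (rootCertificates.isEmpty()) {
                response.setResultCriteria(CAStatus.CA_CERT_FAILED);
                encoded = new byte[0];
            } else if (rootCertificates.size() == 1) {
                response.setResultCriteria(CAStatus.CA_CERT_RECEIVED);
                encoded = rootCertificates.get(0).getEncoded();
            } else {
                response.setResultCriteria(CAStatus.CA_RA_CERT_RECEIVED);
                CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
                generator.addCertificates(new JcaCertStore(rootCertificates));
                encoded = generator.generate(new CMSAbsentContent()).getEncoded();
            }
            response.setEncodedResponse(encoded);
            return response;
        } catch (CMSException e) {
            throw new KeystoreException("CMS issue occurred in getCACert", (Exception) e);
        } catch (IOException e) {
            throw new KeystoreException("Input output issue occurred in getCACert", (Exception) e);
        } catch (CertificateEncodingException e) {
            throw new KeystoreException("Certificate encoding issue occurred in getCACert", (Exception) e);
        }
    }

    /**
     * Stores the given certificates in one DAO transaction. A {@code null} list is a no-op.
     * <p>
     * NOTE(review): rollback is attempted only when the DAO itself reports a failure; a
     * {@link TransactionManagementException} raised by begin/commit is propagated without rollback —
     * confirm the transaction manager cleans up in that case.
     *
     * @param list certificates to store, may be {@code null}
     * @throws KeystoreException if the DAO or the transaction manager fails
     */
    public void saveCertInKeyStore(List<org.wso2.carbon.certificate.mgt.core.bean.Certificate> list)
            throws KeystoreException {
        if (list == null) {
            return;
        }
        try {
            CertificateDAO certificateDAO = CertificateManagementDAOFactory.getCertificateDAO();
            CertificateManagementDAOFactory.beginTransaction();
            certificateDAO.addCertificate(list);
            CertificateManagementDAOFactory.commitTransaction();
        } catch (CertificateManagementDAOException e) {
            CertificateManagementDAOFactory.rollbackTransaction();
            throw new KeystoreException("Error occurred when saving the generated certificate", (Exception) e);
        } catch (TransactionManagementException e) {
            throw new KeystoreException("Error occurred when saving the generated certificate", (Exception) e);
        }
    }

    /**
     * Returns the raw challengePassword extension of the certificate as text, or {@code null} when the
     * extension is absent.
     * <p>
     * NOTE(review): {@code getExtensionValue} yields the DER-encoded OCTET STRING, so the returned text still
     * carries the ASN.1 wrapper bytes in front of the password; no DER decoding is performed here.
     *
     * @param x509Certificate certificate to inspect; must not be {@code null}
     * @return extension bytes decoded as UTF-8, or {@code null}
     */
    public String extractChallengeToken(X509Certificate x509Certificate) {
        byte[] extensionValue = x509Certificate.getExtensionValue(
                PKCSObjectIdentifiers.pkcs_9_at_challengePassword.toString());
        if (extensionValue == null) {
            return null;
        }
        return new String(extensionValue, StandardCharsets.UTF_8);
    }

    /**
     * Decodes a base64 PKCS#10 request and issues a certificate for it with the CA key, using the CA
     * certificate's issuer DN as issuer.
     *
     * @param str base64 encoded CSR
     * @return the issued certificate
     * @throws KeystoreException if {@code str} is {@code null}, the CSR cannot be parsed, or issuance fails
     */
    public X509Certificate getSignedCertificateFromCSR(String str) throws KeystoreException {
        if (str == null) {
            throw new KeystoreException("CSR cannot be null");
        }
        byte[] csrBytes = DatatypeConverter.parseBase64Binary(str);
        KeyStoreReader keyStoreReader = new KeyStoreReader();
        PrivateKey caPrivateKey = keyStoreReader.getCAPrivateKey();
        X509Certificate caCertificate = (X509Certificate) keyStoreReader.getCACertificate();
        try {
            return generateCertificateFromCSR(caPrivateKey, new PKCS10CertificationRequest(csrBytes),
                    caCertificate.getIssuerX500Principal().getName());
        } catch (IOException e) {
            throw new KeystoreException("CSR cannot be recovered.", (Exception) e);
        }
    }
}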
