package org.dataone.auth;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.IOUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.RFC4519Style;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.openssl.PasswordFinder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.dataone.client.auth.CertificateManager;
import org.dataone.configuration.Settings;

/* loaded from: input_file:org/dataone/auth/X509CertificateGenerator.class */
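public class X509CertificateGenerator {
    private static final Logger logger = Logger.getLogger(X509CertificateGenerator.class);
    private static final String BC = BouncyCastleProvider.PROVIDER_NAME;
    /** Configuration key naming the OID under which the CILogon subject-info extension is embedded. */
    private static final String CILOGON_OID_SUBJECT_INFO_KEY = "cilogon.oid.subjectinfo";
    /**
     * OID resolved at class load. {@link #generateCASignedCertificate} re-reads the configuration
     * on every call and uses this value only as the fallback.
     */
    private static final String CILOGON_OID_SUBJECT_INFO = Settings.getConfiguration().getString(CILOGON_OID_SUBJECT_INFO_KEY, "1.3.6.1.4.1.34998.2.1");
    /**
     * Signature algorithm for every certificate issued here. The previous choice, MD5withRSA, is
     * rejected by the JDK's certpath policy ({@code jdk.certpath.disabledAlgorithms}) and offers
     * no collision resistance, so certificates signed with it fail validation in current runtimes.
     */
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** RSA modulus size for generated key pairs; the previous 1024-bit size is below current minimums. */
    private static final int RSA_KEY_SIZE = 2048;
    /** Key-usage bits set on every issued certificate (the same bit mask the original spelled as 176). */
    private static final int ISSUED_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
    /** Certificate lifetime in days; 36525 days is roughly 100 years. */
    private static final int validityDays = 36525;
    SecureRandom sr;
    /** Password for the key store at {@link #d1CertStore} and its key entries. This is the well-known default; override it before storing anything that matters. */
    String password = "changeit";
    String dataOneCaAlias = "caDataONE";
    /** Location of the Java key store written by {@link #storeCert}. */
    String d1CertStore = "/tmp/d1CertKeyStore";
    String d1D1CAdir = "";
    /** PEM file holding the CA private key; it is read through a {@link PasswordFinder}, so it may be encrypted. */
    String d1D1CaKeyFile = "/var/local/dataone/test.dataone.org/ca.key";
    /** PEM file holding the CA certificate read by {@link #getCACert}. */
    String d1D1CaCertFile = "/var/local/dataone//test.dataone.org/ca.crt";

    /**
     * Hands the CA key passphrase to Bouncy Castle's PEM reader.
     * (The decompiler reports this class was originally {@code private}.)
     */
    public static class Password implements PasswordFinder {
        char[] password;

        Password(char[] cArr) {
            this.password = cArr;
        }

        @Override
        public char[] getPassword() {
            return this.password;
        }
    }

    /**
     * Creates a generator backed by a self-seeded {@link SecureRandom} and makes sure the
     * Bouncy Castle provider is registered.
     * <p>
     * The original seeded the generator with {@code System.currentTimeMillis()}. On the SHA1PRNG
     * implementation a {@code setSeed} issued before any output replaces the internal entropy with
     * that guessable value, so the explicit seeding is dropped; {@code new SecureRandom()} seeds
     * itself from the platform entropy source.
     */
    public X509CertificateGenerator() {
        this.sr = new SecureRandom();
        // addProvider is a no-op when already installed, so a plain null check is sufficient.
        if (Security.getProvider(BC) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Generates a fresh RSA key pair of {@link #RSA_KEY_SIZE} bits using this generator's random source.
     *
     * @throws NoSuchAlgorithmException if no RSA key pair generator is available
     */
    private KeyPair createKeys() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(RSA_KEY_SIZE, this.sr);
        return generator.generateKeyPair();
    }

    /**
     * Returns the 8-hex-digit hash of the certificate's subject name (see {@link #getX509NameHash(X509Principal)}).
     *
     * @throws NoSuchAlgorithmException if MD5 is unavailable
     * @throws IOException if the name cannot be DER-encoded
     */
    public static String getSubjectHash(X509Certificate x509Certificate) throws NoSuchAlgorithmException, IOException {
        return String.format("%08x", Long.valueOf(getX509NameHash(x509Certificate.getSubjectX500Principal())));
    }

    /**
     * Returns the 8-hex-digit hash of the certificate's issuer name (see {@link #getX509NameHash(X509Principal)}).
     *
     * @throws NoSuchAlgorithmException if MD5 is unavailable
     * @throws IOException if the name cannot be DER-encoded
     */
    public static String getIssuerHash(X509Certificate x509Certificate) throws NoSuchAlgorithmException, IOException {
        return String.format("%08x", Long.valueOf(getX509NameHash(x509Certificate.getIssuerX500Principal())));
    }

    /**
     * Computes a 32-bit name hash: the first four bytes of the MD5 digest of the DER-encoded name,
     * assembled little-endian. This mirrors OpenSSL's legacy name hash and serves as a lookup /
     * comparison key only; MD5 is not used here as a security control.
     * <p>
     * The original assembled the value with {@code int} shifts, so any digest whose fourth byte had
     * the high bit set became negative and formatted as 16 hex digits instead of 8. The masks are
     * now {@code long}, so the result is always in {@code [0, 2^32)}.
     *
     * @return the unsigned 32-bit hash as a non-negative long
     * @throws NoSuchAlgorithmException if MD5 is unavailable
     * @throws IOException if the name cannot be DER-encoded
     */
    public static long getX509NameHash(X509Principal x509Principal) throws NoSuchAlgorithmException, IOException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(x509Principal.getEncoded());
        return (digest[0] & 0xFFL)
                | ((digest[1] & 0xFFL) << 8)
                | ((digest[2] & 0xFFL) << 16)
                | ((digest[3] & 0xFFL) << 24);
    }

    /**
     * Convenience overload for JDK principals; re-parses the DER encoding as a Bouncy Castle
     * {@link X509Principal} and delegates to {@link #getX509NameHash(X509Principal)}.
     */
    public static long getX509NameHash(X500Principal x500Principal) throws NoSuchAlgorithmException, IOException {
        return getX509NameHash(new X509Principal(x500Principal.getEncoded()));
    }

    /**
     * Issues a self-signed end-entity certificate for {@code keyPair} with the given name as both
     * subject and issuer, valid for {@link #validityDays} from now.
     * <p>
     * The result is validity-checked, verified against its own public key, checked for matching
     * subject/issuer name hashes, and handed to {@code CertificateManager.displayCertificate}.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs
     * @param x500NameBuilder builder for the subject (and issuer) distinguished name
     * @throws CertificateException if the built certificate fails validation or the name hashes differ
     */
    public X509Certificate generateSelfSignedCertificate(KeyPair keyPair, X500NameBuilder x500NameBuilder) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
        X500Name name = x500NameBuilder.build();
        Date notBefore = new Date();
        Date notAfter = notAfterFrom(notBefore);
        ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(BC).build(keyPair.getPrivate());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name, newSerialNumber(), notBefore, notAfter, name, keyPair.getPublic());
        addEndEntityExtensions(builder);
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC).getCertificate(builder.build(signer));
        certificate.checkValidity(new Date());
        certificate.verify(certificate.getPublicKey());
        if (!getIssuerHash(certificate).equals(getSubjectHash(certificate))) {
            throw new CertificateException("Issuer Hash comparison fails");
        }
        CertificateManager.getInstance().displayCertificate(certificate);
        return certificate;
    }

    /**
     * Issues a CA-signed end-entity certificate for {@code subjectPublicKey}.
     * <p>
     * The issuer name is taken from the CA certificate's <em>subject</em>; the original used the CA
     * certificate's issuer, which is only correct for a self-signed CA and produces a broken chain
     * for any intermediate CA. An authority-key-identifier extension pointing at {@code caCert} is
     * added, and when {@code subjectInfoFile} is non-null its UTF-8 contents are embedded as a
     * non-critical extension under the configured CILogon OID and logged at INFO.
     * The certificate is verified against the CA public key before it is returned.
     *
     * @param subjectPublicKey public key to certify
     * @param caKeyPair CA key pair; only its private key is used, for signing
     * @param caCert the CA certificate
     * @param commonName CN placed under dc=dataone,dc=org (see {@link #buildD1Name})
     * @param subjectInfoFile path of a UTF-8 text file to embed, or null to embed nothing
     */
    public X509Certificate generateCASignedCertificate(PublicKey subjectPublicKey, KeyPair caKeyPair, X509Certificate caCert, String commonName, String subjectInfoFile) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
        X500Name subject = buildD1Name(commonName).build();
        X500Name issuer = toX500Name(caCert.getSubjectX500Principal());
        Date notBefore = new Date();
        Date notAfter = notAfterFrom(notBefore);
        ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(BC).build(caKeyPair.getPrivate());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, newSerialNumber(), notBefore, notAfter, subject, subjectPublicKey);
        addEndEntityExtensions(builder);
        builder.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
        if (subjectInfoFile != null) {
            // Re-read on every call so a reloaded configuration takes effect; the class-load value is the fallback.
            String subjectInfoOid = Settings.getConfiguration().getString(CILOGON_OID_SUBJECT_INFO_KEY, CILOGON_OID_SUBJECT_INFO);
            DERUTF8String subjectInfo = new DERUTF8String(readUtf8File(subjectInfoFile));
            builder.addExtension(new ASN1ObjectIdentifier(subjectInfoOid), false, subjectInfo);
            logger.info(subjectInfo.getString());
        }
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC).getCertificate(builder.build(signer));
        certificate.checkValidity(new Date());
        certificate.verify(caCert.getPublicKey());
        CertificateManager.getInstance().displayCertificate(certificate);
        return certificate;
    }

    /**
     * Adds the extensions shared by every certificate issued here: a critical CA=false basic
     * constraint, the critical {@link #ISSUED_KEY_USAGE} bits, and a non-critical clientAuth EKU.
     */
    private static void addEndEntityExtensions(JcaX509v3CertificateBuilder builder) throws IOException {
        builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(X509Extension.keyUsage, true, new KeyUsage(ISSUED_KEY_USAGE));
        builder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    }

    /**
     * Produces a positive, non-zero serial number: |random 64-bit value| + current time in millis.
     * <p>
     * The original computed {@code random.add(time)} and discarded the result ({@link BigInteger}
     * is immutable) and could emit a negative serial, which RFC 5280 forbids.
     */
    private BigInteger newSerialNumber() {
        return BigInteger.valueOf(this.sr.nextLong()).abs().add(BigInteger.valueOf(System.currentTimeMillis()));
    }

    /** Returns {@code notBefore} advanced by {@link #validityDays} calendar days. */
    private static Date notAfterFrom(Date notBefore) {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(notBefore);
        calendar.add(Calendar.DAY_OF_YEAR, validityDays);
        return calendar.getTime();
    }

    /** Converts a JDK principal to a Bouncy Castle {@link X500Name} via its DER encoding. */
    private static X500Name toX500Name(X500Principal principal) throws IOException {
        return X500Name.getInstance(new X509Principal(principal.getEncoded()).getDERObject());
    }

    /** Reads a whole file as UTF-8 text, closing the stream afterwards. */
    private static String readUtf8File(String path) throws IOException {
        try (FileInputStream in = new FileInputStream(new File(path))) {
            return IOUtils.toString(in, "UTF-8");
        }
    }

    /**
     * Issues a CA-signed certificate for {@code commonName} and writes key and certificate to
     * {@code targetDir/<first dotted label of commonName>.crt}.
     * <p>
     * The file name is derived from {@code commonName}; callers must not pass names containing
     * path separators.
     */
    public void storeCASignedPEM(String commonName, String caKeyPassword, String targetDir, String subjectInfoFile) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException, KeyStoreException, Exception {
        storeCASignedPEM(commonName, caKeyPassword, new File(targetDir + File.separator + certificateBaseName(commonName) + ".crt"), subjectInfoFile);
    }

    /** Returns {@code commonName} truncated at the first '.' found at index 1 or later, or unchanged when there is none. */
    private static String certificateBaseName(String commonName) {
        int dot = commonName.indexOf(".", 1);
        return dot > 0 ? commonName.substring(0, dot) : commonName;
    }

    /** Issues a CA-signed certificate and writes it to {@link #locateCertificate()} without subject info. */
    public void storeCASignedPEM(String commonName, String caKeyPassword) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException, KeyStoreException, Exception {
        storeCASignedPEM(commonName, caKeyPassword, new File(locateCertificate()), (String) null);
    }

    /** Issues a CA-signed certificate and writes it to {@link #locateCertificate()}, embedding {@code subjectInfoFile}. */
    public void storeCASignedPEM(String commonName, String caKeyPassword, String subjectInfoFile) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException, KeyStoreException, Exception {
        storeCASignedPEM(commonName, caKeyPassword, new File(locateCertificate()), subjectInfoFile);
    }

    /**
     * Generates a new key pair, has the CA sign a certificate for it and writes both (private key
     * first, unencrypted) as PEM to {@code target}.
     *
     * @param commonName CN for the new certificate
     * @param caKeyPassword passphrase used to read {@link #d1D1CaKeyFile}
     * @param target output file; it receives an unencrypted private key, so its permissions matter
     * @param subjectInfoFile optional file whose contents are embedded, or null
     */
    public void storeCASignedPEM(String commonName, String caKeyPassword, File target, String subjectInfoFile) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException, KeyStoreException, Exception {
        X509Certificate caCert = getCACert();
        KeyPair caKeys = getCAPrivateKey(caKeyPassword);
        KeyPair subjectKeys = createKeys();
        X509Certificate certificate = generateCASignedCertificate(subjectKeys.getPublic(), caKeys, caCert, commonName, subjectInfoFile);
        writePem(target, subjectKeys.getPrivate(), certificate);
        logger.info("completed writing certificate to " + target.getAbsolutePath());
    }

    /**
     * Generates a new key pair and a self-signed certificate for {@code commonName}, writing both
     * as PEM to {@link #locateCertificate()}. The second parameter is unused and kept for
     * source compatibility.
     */
    public void storeSelfSignedPEM(String commonName, String unused) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException, KeyStoreException, Exception {
        KeyPair keys = createKeys();
        X509Certificate certificate = generateSelfSignedCertificate(keys, buildD1Name(commonName));
        writePem(new File(locateCertificate()), keys.getPrivate(), certificate);
    }

    /**
     * Writes the private key (unencrypted) followed by the certificate as PEM. The writer is
     * closed even when writing fails. NOTE(review): the file is created with the process umask;
     * nothing here restricts its permissions.
     */
    private static void writePem(File target, PrivateKey privateKey, X509Certificate certificate) throws IOException {
        try (PEMWriter writer = new PEMWriter(new FileWriter(target))) {
            writer.writeObject(privateKey);
            writer.writeObject(certificate);
        }
    }

    /**
     * Adds (or replaces) a key entry in the key store at {@link #d1CertStore}, loading the store
     * first when the file already exists. Both the store and the entry use {@link #password}.
     * Streams are closed on every path; the original leaked both.
     *
     * @param alias key-store alias for the entry
     * @param privateKey key to store
     * @param chain certificate chain for the key
     */
    public void storeCert(String alias, PrivateKey privateKey, Certificate[] chain) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        File storeFile = new File(this.d1CertStore);
        char[] storePassword = this.password.toCharArray();
        if (storeFile.exists()) {
            try (FileInputStream in = new FileInputStream(storeFile)) {
                keyStore.load(in, storePassword);
            }
        } else {
            keyStore.load(null, storePassword);
        }
        keyStore.setKeyEntry(alias, privateKey, storePassword, chain);
        // FileOutputStream creates the file, so the original createNewFile() call is unnecessary.
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            keyStore.store(out, storePassword);
        }
    }

    /**
     * Reads the CA certificate from {@link #d1D1CaCertFile}.
     *
     * @throws IOException if the file cannot be read or its first PEM object is not a certificate
     */
    public X509Certificate getCACert() throws FileNotFoundException, IOException {
        return readPemObject(this.d1D1CaCertFile, null, X509Certificate.class);
    }

    /** Opens a PEM reader over {@code path}; the caller must close it. PEM is ASCII, so the charset is fixed rather than platform-dependent. */
    private PEMReader openPEMResource(String path, PasswordFinder passwordFinder) throws FileNotFoundException {
        return new PEMReader(new BufferedReader(new InputStreamReader(new FileInputStream(path), StandardCharsets.US_ASCII)), passwordFinder);
    }

    /**
     * Reads the CA key pair from {@link #d1D1CaKeyFile}, decrypting with {@code caKeyPassword} if needed.
     *
     * @throws IOException if the file cannot be read or its first PEM object is not a key pair
     */
    public KeyPair getCAPrivateKey(String caKeyPassword) throws FileNotFoundException, IOException {
        return readPemObject(this.d1D1CaKeyFile, new Password(caKeyPassword.toCharArray()), KeyPair.class);
    }

    /**
     * Reads the first PEM object from {@code path} and checks its type. An unexpected or missing
     * object surfaces as an {@link IOException} with the path and actual type, instead of the
     * {@link ClassCastException} the original produced. The reader is always closed.
     */
    private <T> T readPemObject(String path, PasswordFinder passwordFinder, Class<T> expected) throws FileNotFoundException, IOException {
        try (PEMReader reader = openPEMResource(path, passwordFinder)) {
            Object pem = reader.readObject();
            if (!expected.isInstance(pem)) {
                String actual = pem == null ? "no PEM object" : pem.getClass().getName();
                throw new IOException("Expected " + expected.getSimpleName() + " in " + path + " but found " + actual);
            }
            return expected.cast(pem);
        }
    }

    /** Builds the DataONE-style name {@code CN=<commonName>,DC=dataone,DC=org} in RFC 4519 style. */
    private X500NameBuilder buildD1Name(String commonName) {
        X500NameBuilder nameBuilder = new X500NameBuilder(RFC4519Style.INSTANCE);
        nameBuilder.addRDN(RFC4519Style.dc, "org");
        nameBuilder.addRDN(RFC4519Style.dc, "dataone");
        nameBuilder.addRDN(RFC4519Style.cn, commonName);
        return nameBuilder;
    }

    /**
     * Computes the default proxy-style certificate location {@code <tmpdir>/x509up_u<uid>}, where
     * {@code <tmpdir>} is the {@code tmpdir} system property (note: not {@code java.io.tmpdir}) or
     * {@code /tmp}, and {@code <uid>} is the numeric UID from {@code id -u}, falling back to the
     * {@code user.name} property.
     */
    private String locateCertificate() throws FileNotFoundException {
        String tmpDir = System.getProperty("tmpdir");
        if (tmpDir == null) {
            tmpDir = "/tmp";
        }
        String uid = lookupNumericUid();
        if (uid == null) {
            uid = System.getProperty("user.name");
        }
        String location = tmpDir + "/" + "x509up_u" + uid;
        logger.debug("Calculated certificate location: " + location);
        return location;
    }

    /**
     * Runs the fixed command {@code id -u} and returns its numeric output, or null when the command
     * fails, produces no parseable number, or the thread is interrupted (the interrupt flag is
     * restored in that case). The process output is read before waiting so a full pipe cannot
     * stall the child, and the reader is closed.
     */
    private static String lookupNumericUid() {
        try {
            Process idProcess = new ProcessBuilder("id", "-u").start();
            String line;
            try (BufferedReader output = new BufferedReader(new InputStreamReader(idProcess.getInputStream(), StandardCharsets.US_ASCII))) {
                line = output.readLine();
            }
            if (idProcess.waitFor() == 0 && line != null) {
                return String.valueOf(Integer.parseInt(line.trim()));
            }
            logger.warn("No UID found, using user.name");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            logger.warn("No UID found, using user.name");
        } catch (IOException | NumberFormatException e) {
            logger.warn("No UID found, using user.name");
        }
        return null;
    }

    /** Deletes the PEM at {@link #locateCertificate()}, warning if a file is present but cannot be removed. */
    public void removeSelfSigned() throws FileNotFoundException {
        deleteIfPresent(new File(locateCertificate()));
    }

    /** Deletes the key store at {@link #d1CertStore}, warning if a file is present but cannot be removed. */
    public void removeCA() throws FileNotFoundException {
        deleteIfPresent(new File(this.d1CertStore));
    }

    /** Deletes {@code file}; a failed delete of a still-existing file is logged rather than ignored. */
    private static void deleteIfPresent(File file) {
        if (!file.delete() && file.exists()) {
            logger.warn("Could not delete " + file.getAbsolutePath());
        }
    }
}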
