package eu.arrowhead.common;

import eu.arrowhead.common.dto.shared.CertificateCreationRequestDTO;
import eu.arrowhead.common.dto.shared.CertificateCreationResponseDTO;
import eu.arrowhead.common.dto.shared.CertificateType;
import eu.arrowhead.common.dto.shared.KeyPairDTO;
import eu.arrowhead.common.exception.ArrowheadException;
import eu.arrowhead.common.exception.AuthException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.EncodedKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Objects;
import java.util.ServiceConfigurationError;
import javax.servlet.http.HttpServletRequest;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.util.Base64Utils;
import org.springframework.util.StringUtils;

@Component
/* loaded from: input_file:eu/arrowhead/common/SecurityUtilities.class */
public class SecurityUtilities {
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSA";
    private static final String X509_FORMAT = "X.509";
    private static final String PKCS8_FORMAT = "PKCS#8";
    private static final String PKCS1_FORMAT = "PKCS#1";
    private final Logger logger = LogManager.getLogger(SecurityUtilities.class);
    private final KeyFactory keyFactory;
    private final KeyPairGenerator keyPairGenerator;
    private final SSLProperties sslProperties;

    @Autowired
    public SecurityUtilities(@Value("${security.key.algorithm:RSA}") String str, @Value("${security.key.size:2048}") Integer num, SSLProperties sSLProperties) throws NoSuchAlgorithmException {
        Assert.hasText(str, "keyFactoryAlgorithm must not be null");
        Assert.notNull(num, "keyFactoryAlgorithm keySize not be null");
        Assert.notNull(sSLProperties, "sslProperties must not be null");
        this.sslProperties = sSLProperties;
        this.keyFactory = KeyFactory.getInstance(str);
        this.keyPairGenerator = KeyPairGenerator.getInstance(str);
        this.keyPairGenerator.initialize(num.intValue());
    }

    public static String getCertificateCNFromRequest(HttpServletRequest httpServletRequest) {
        Assert.notNull(httpServletRequest, "request must not be null");
        X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute(CommonConstants.ATTR_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE);
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        for (X509Certificate x509Certificate : x509CertificateArr) {
            String certCNFromSubject = Utilities.getCertCNFromSubject(x509Certificate.getSubjectDN().getName());
            if (!Objects.isNull(certCNFromSubject) && certCNFromSubject.split("\\.").length == 5) {
                return certCNFromSubject;
            }
        }
        return null;
    }

    public static String getCertificateCNFromServerRequest(ServletServerHttpRequest servletServerHttpRequest) {
        Assert.notNull(servletServerHttpRequest, "request must not be null");
        return getCertificateCNFromRequest(servletServerHttpRequest.getServletRequest());
    }

    private static String getCommonNameFromCloudCertificate(Principal principal) {
        Assert.notNull(principal, "Principal must not be null");
        return Utilities.getCertCNFromSubject(principal.getName());
    }

    private static String getOperatorNameFromCloudCertificate(Principal principal) {
        return extractCNPart(principal, 2);
    }

    private static String getOrganizationFromCloudCertificate(Principal principal) {
        return extractCNPart(principal, 1);
    }

    private static String getCountryFromCloudCertificate(Principal principal) {
        return extractCNPart(principal, 0);
    }

    private static String extractCNPart(Principal principal, int i) {
        Assert.notNull(principal, "Principal must not be null");
        Assert.isTrue(i >= 0, "tailIndex must not be negative");
        String name = principal.getName();
        Assert.hasText(name, "Empty common name is not allowed");
        String[] split = name.split("\\.");
        if (i >= split.length) {
            throw new IllegalArgumentException("Internal error: Unable to extract information from cloud certificate");
        }
        return split[split.length - (i + 1)];
    }

    public void authenticateCertificate(HttpServletRequest httpServletRequest, CertificateType certificateType) {
        Assert.notNull(httpServletRequest, "httpServletRequest must not be null");
        Assert.notNull(certificateType, "minimumStrength must not be null");
        X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute(CommonConstants.ATTR_JAVAX_SERVLET_REQUEST_X509_CERTIFICATE);
        if (this.sslProperties.isSslEnabled()) {
            if (!Objects.nonNull(x509CertificateArr) || x509CertificateArr.length <= 0) {
                this.logger.debug("No client certificate given!");
                throw new AuthException("Client certificate in needed!");
            }
            authenticateCertificate(getCertificateCNFromRequest(httpServletRequest), Utilities.stripEndSlash(httpServletRequest.getRequestURL().toString()), certificateType);
        }
    }

    public void authenticateCertificate(String str, String str2, CertificateType certificateType) {
        Assert.notNull(str, "clientCN must not be null");
        Assert.notNull(str2, "requestTarget must not be null");
        Assert.notNull(certificateType, "minimumStrength must not be null");
        if (!this.sslProperties.isSslEnabled() || CertificateType.getTypeFromCN(str).hasMinimumStrength(certificateType)) {
            return;
        }
        this.logger.debug("{} is not a valid common name, access denied!", str);
        throw new AuthException(str + " is unauthorized to access " + str2);
    }

    public KeyStore getKeyStore() {
        try {
            KeyStore keyStore = KeyStore.getInstance(this.sslProperties.getKeyStoreType());
            keyStore.load(this.sslProperties.getKeyStore().getInputStream(), this.sslProperties.getKeyStorePassword().toCharArray());
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new ServiceConfigurationError("Cannot open keystore: " + e.getMessage());
        }
    }

    public String createCertificateSigningRequest(String str, KeyPair keyPair, CertificateType certificateType, String str2, String str3) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, OperatorCreationException {
        Assert.hasText(str, "baseCommonName must not be null or empty!");
        Assert.notNull(keyPair, "keyPair must not be null");
        Assert.notNull(this.sslProperties.getKeyStore(), "KeyStore property must not be null!");
        Assert.hasText(this.sslProperties.getKeyStorePassword(), "KeyStore password property must not be null or empty!");
        Assert.notNull(certificateType, "type must not be null");
        this.logger.debug("Preparing Certificate Signing Request ...");
        X509Certificate cloudCertFromKeyStore = Utilities.getCloudCertFromKeyStore(getKeyStore());
        X500Name x500Name = new X500Name(String.format("CN=%s.%s, OU=%s, O=%s, C=%s", certificateType.appendTypeToCN(str), getCommonNameFromCloudCertificate(cloudCertFromKeyStore.getSubjectDN()), getOperatorNameFromCloudCertificate(cloudCertFromKeyStore.getSubjectDN()), getOrganizationFromCloudCertificate(cloudCertFromKeyStore.getSubjectDN()), getCountryFromCloudCertificate(cloudCertFromKeyStore.getSubjectDN())));
        this.logger.debug("Building and Signing Certificate Signing Request for {}", x500Name);
        JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder(x500Name, keyPair.getPublic());
        GeneralNamesBuilder generalNamesBuilder = new GeneralNamesBuilder();
        generalNamesBuilder.addName(new GeneralName(2, "localhost"));
        generalNamesBuilder.addName(new GeneralName(2, str));
        generalNamesBuilder.addName(new GeneralName(7, "127.0.0.1"));
        if (StringUtils.hasText(str2)) {
            generalNamesBuilder.addName(new GeneralName(2, str2));
        }
        if (StringUtils.hasText(str3)) {
            generalNamesBuilder.addName(new GeneralName(7, str3));
        }
        jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new Extensions(new Extension(Extension.subjectAlternativeName, false, new DEROctetString(generalNamesBuilder.build()))));
        return Base64.getEncoder().encodeToString(jcaPKCS10CertificationRequestBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate())).getEncoded());
    }

    public void extractAndSetPublicKey(CertificateCreationResponseDTO certificateCreationResponseDTO) {
        Assert.notNull(certificateCreationResponseDTO, "creationResponseDTO must not be null");
        try {
            try {
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(Base64Utils.decodeFromString(certificateCreationResponseDTO.getCertificate()));
                try {
                    Certificate generateCertificate = CertificateFactory.getInstance(certificateCreationResponseDTO.getCertificateFormat()).generateCertificate(byteArrayInputStream);
                    byteArrayInputStream.close();
                    certificateCreationResponseDTO.setKeyPairDTO(encodePublicKey(generateCertificate.getPublicKey()));
                } catch (Throwable th) {
                    try {
                        byteArrayInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (CertificateException e) {
                this.logger.error("Unable to generate certificate from Base64: {}", certificateCreationResponseDTO.getCertificate());
                throw new ArrowheadException("Unable to decode signed certificate", 500);
            }
        } catch (IOException e2) {
            this.logger.fatal("ByteArrayInputStream should never throw an IOException, but it just did : {}", e2.getMessage());
            throw new ArrowheadException(e2.getMessage());
        }
    }

    public KeyPair extractOrGenerateKeyPair(CertificateCreationRequestDTO certificateCreationRequestDTO) {
        KeyPair generateKeyPair;
        Assert.notNull(certificateCreationRequestDTO, "creationRequestDTO must not be null");
        Assert.isTrue(Utilities.notEmpty(certificateCreationRequestDTO.getCommonName()), "CommonName is null or blank");
        KeyPairDTO keyPairDTO = certificateCreationRequestDTO.getKeyPairDTO();
        if (Objects.nonNull(keyPairDTO) && Objects.nonNull(keyPairDTO.getPublicKey()) && Objects.nonNull(keyPairDTO.getPrivateKey())) {
            String publicKey = keyPairDTO.getPublicKey();
            String privateKey = keyPairDTO.getPrivateKey();
            String keyFormat = keyPairDTO.getKeyFormat();
            if (Objects.nonNull(keyFormat)) {
                generateKeyPair = getKeyPairFromBase64EncodedStringsForFormat(publicKey, privateKey, keyFormat);
            } else {
                try {
                    generateKeyPair = getKeyPairFromBase64EncodedStringsForFormat(publicKey, privateKey, PKCS8_FORMAT);
                } catch (AuthException e) {
                    try {
                        generateKeyPair = getKeyPairFromBase64EncodedStringsForFormat(publicKey, privateKey, PKCS1_FORMAT);
                    } catch (AuthException e2) {
                        generateKeyPair = getKeyPairFromBase64EncodedStringsForFormat(publicKey, privateKey, X509_FORMAT);
                    }
                }
            }
        } else {
            generateKeyPair = generateKeyPair();
        }
        return generateKeyPair;
    }

    public KeyPairDTO encodePublicKey(PublicKey publicKey) {
        Assert.notNull(publicKey, "PublicKey must not be null");
        return new KeyPairDTO(publicKey.getAlgorithm(), publicKey.getFormat(), Base64.getEncoder().encodeToString(publicKey.getEncoded()), null);
    }

    public KeyPairDTO encodeKeyPair(KeyPair keyPair) {
        Assert.notNull(keyPair, "KeyPair must not be null");
        KeyPairDTO encodePublicKey = encodePublicKey(keyPair.getPublic());
        if (Objects.nonNull(keyPair.getPrivate())) {
            encodePublicKey.setPrivateKey(Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded()));
        }
        return encodePublicKey;
    }

    private KeyPair generateKeyPair() {
        return this.keyPairGenerator.generateKeyPair();
    }

    private KeyPair getKeyPairFromBase64EncodedStringsForFormat(String str, String str2, String str3) {
        EncodedKeySpec pKCS8EncodedKeySpec;
        Assert.notNull(str3, "KeyFormat must not be null");
        byte[] decode = Base64.getDecoder().decode(str);
        byte[] decode2 = Base64.getDecoder().decode(str2);
        X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(decode);
        if (str3.equalsIgnoreCase(X509_FORMAT)) {
            pKCS8EncodedKeySpec = new X509EncodedKeySpec(decode2);
        } else if (str3.equalsIgnoreCase(PKCS8_FORMAT)) {
            pKCS8EncodedKeySpec = new PKCS8EncodedKeySpec(decode2);
        } else {
            if (!str3.equalsIgnoreCase(PKCS1_FORMAT)) {
                this.logger.error("getKeyPairFromBase64EncodedStringsForFormat: Unknown or unsupported key format.");
                throw new AuthException("Unknown or unsupported key format.");
            }
            pKCS8EncodedKeySpec = new PKCS8EncodedKeySpec(convertPkcs1ToPkcs8(decode2));
        }
        return generateKeyPairFromSpec(pKCS8EncodedKeySpec, x509EncodedKeySpec);
    }

    private KeyPair generateKeyPairFromSpec(EncodedKeySpec encodedKeySpec, EncodedKeySpec encodedKeySpec2) {
        try {
            try {
                return new KeyPair(this.keyFactory.generatePublic(encodedKeySpec2), this.keyFactory.generatePrivate(encodedKeySpec));
            } catch (InvalidKeySpecException e) {
                this.logger.warn("generateKeyPairFromSpec: Unable to generate private key from key spec format '{}'.", encodedKeySpec.getFormat());
                throw new AuthException("Private key decoding failed due to wrong key format", e);
            }
        } catch (InvalidKeySpecException e2) {
            this.logger.warn("generateKeyPairFromSpec: Unable to generate public key from key spec format '{}'.", encodedKeySpec2.getFormat());
            throw new AuthException("Public key decoding failed due to wrong key format", e2);
        }
    }

    private byte[] convertPkcs1ToPkcs8(byte[] bArr) {
        int length = bArr.length;
        int i = length + 22;
        return join(new byte[]{48, -126, (byte) ((i >> 8) & 255), (byte) (i & 255), 2, 1, 0, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5, 0, 4, -126, (byte) ((length >> 8) & 255), (byte) (length & 255)}, bArr);
    }

    private byte[] join(byte[] bArr, byte[] bArr2) {
        byte[] bArr3 = new byte[bArr.length + bArr2.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(bArr2, 0, bArr3, bArr.length, bArr2.length);
        return bArr3;
    }
}
