package com.codeloom.cert.bc;

import com.codeloom.cert.CRLContent;
import com.codeloom.cert.CertificateContent;
import com.codeloom.cert.CertificateStore;
import com.codeloom.cert.PemCertificateContent;
import com.codeloom.crypt.util.RSATools;
import com.codeloom.settings.Properties;
import com.codeloom.settings.PropertiesConstants;
import com.codeloom.settings.Settings;
import com.codeloom.settings.XmlElementProperties;
import com.codeloom.uid.IdGenerator;
import com.codeloom.uid.impl.Simple;
import com.codeloom.util.Constants;
import com.codeloom.util.Factory;
import com.codeloom.util.XmlTools;
import com.codeloom.xscript.Logiclet;
import com.codeloom.xscript.LogicletContext;
import com.codeloom.xscript.dom.json.JsonObject;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:com/codeloom/cert/bc/AbstractCAStore.class */
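/**
 * Base {@link CertificateStore} backed by BouncyCastle. It owns a root CA key pair and
 * certificate, issues certificates signed by that root (or by a caller-supplied issuer)
 * and builds CRLs. Subclasses decide where the root CA is persisted through
 * {@link #loadRootCA()} and {@link #saveRootCA()}.
 *
 * <p>Lifecycle: {@link #configure(Properties)} reads the settings and calls
 * {@link #init(Properties)}, which registers the BC provider, prepares the key-pair
 * generator and then either loads the root CA or generates and saves a fresh one.
 *
 * <p>Failures during initialisation and issuance are logged rather than thrown, so
 * {@link #rootCert}/{@link #rootKey} may remain {@code null}; the public accessors
 * check for that and raise {@link IllegalStateException}.
 *
 * <p>NOTE(review): the shared {@code keyPairGenerator} is used without synchronisation;
 * confirm the generator's thread-safety before issuing certificates concurrently.
 */
public abstract class AbstractCAStore implements CertificateStore {
    protected static final Logger LOG = LoggerFactory.getLogger(AbstractCAStore.class);
    /** Name under which the BouncyCastle JCA provider is registered. */
    protected static final String PROVIDER = "BC";
    /** Script-context key under which the certificate builder is exposed to a {@link Logiclet}. */
    public static final String XSCRIPT_OBJECT_ID = "$cert-builder";
    /** Milliseconds in a 365-day year; the {@code L} suffix keeps the product in {@code long}. */
    private static final long MILLIS_PER_YEAR = 365L * 24 * 60 * 60 * 1000;
    /** Milliseconds in a day; a CRL's nextUpdate is one day after its thisUpdate. */
    private static final long MILLIS_PER_DAY = 24L * 60 * 60 * 1000;
    /** RFC 5280 CRLReason code 9 (privilegeWithdrawn), stamped on every revoked entry. */
    private static final int CRL_REASON_PRIVILEGE_WITHDRAWN = 9;
    /** Distinguished name of the root CA; also the default subject for issued certificates. */
    protected String rootX500Name = "CN=codeloom-ca";
    protected SecureRandom secureRandom = null;
    protected X509Certificate rootCert = null;
    protected PrivateKey rootKey = null;
    /** Validity in years, for the root CA and for issued certificates without a "ttl" property. */
    protected long rootTTL = 10;
    /** RSA modulus size in bits. */
    protected int keyLength = 2048;
    protected KeyPairGenerator keyPairGenerator = null;
    /** Source of certificate serial numbers; defaults to {@link Simple} when not configured. */
    protected IdGenerator idGenerator = null;
    /** JCA signature algorithm used for both certificates and CRLs. */
    protected String algorithm = "SHA512WithRSA";

    /** @return the root CA's distinguished name */
    protected String getRootX500Name() {
        return this.rootX500Name;
    }

    /**
     * Hook for subclasses to normalise a caller-supplied subject name; returns it unchanged here.
     */
    protected String getX500Name(String str) {
        return str;
    }

    /** Reads the subject name from the {@code x500Name} property, defaulting to the root CA's name. */
    protected String getX500Name(Properties properties) {
        return PropertiesConstants.getString(properties, "x500Name", this.rootX500Name);
    }

    /**
     * XML configuration entry point: builds an optional id generator from the child element
     * named by {@link Constants#ATTR_ID}, then delegates to {@link #configure(Properties)}.
     */
    @Override
    public void configure(Element element, Properties properties) {
        XmlElementProperties elementProps = new XmlElementProperties(element, properties);
        Element idElement = XmlTools.getFirstElementByPath(element, Constants.ATTR_ID);
        if (idElement != null) {
            try {
                this.idGenerator = (IdGenerator) new Factory().newInstance(idElement, elementProps);
            } catch (Exception e) {
                // Best effort: configure(Properties) falls back to a Simple generator.
                LOG.error("Failed to create id generator to generate cert id:{}", XmlTools.node2String(idElement), e);
            }
        }
        configure(elementProps);
    }

    /**
     * Reads {@code algorithm}, {@code ttl}, {@code x500Name} and {@code keyLength}, sets up the
     * RNG and the serial-number generator, then runs {@link #init(Properties)}.
     */
    @Override
    public void configure(Properties properties) {
        this.algorithm = PropertiesConstants.getString(properties, "algorithm", this.algorithm);
        this.rootTTL = PropertiesConstants.getLong(properties, "ttl", this.rootTTL);
        this.rootX500Name = PropertiesConstants.getString(properties, "x500Name", this.rootX500Name);
        this.keyLength = PropertiesConstants.getInt(properties, "keyLength", this.keyLength);
        try {
            // Left unseeded on purpose so the JVM self-seeds it from platform entropy.
            this.secureRandom = SecureRandom.getInstance("SHA1PRNG", "SUN");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // Not every JVM ships the SUN provider; fall back to the platform default RNG
            // instead of leaving the field null.
            LOG.warn("Can not create a secure random.", e);
            this.secureRandom = new SecureRandom();
        }
        if (this.idGenerator == null) {
            this.idGenerator = new Simple();
        }
        init(properties);
    }

    /**
     * Allocates the serial number for the next certificate from the configured id generator.
     *
     * <p>NOTE(review): RFC 5280 requires serial numbers to be positive; whether the generator
     * can return a negative long is not visible here — confirm against the IdGenerator in use.
     */
    @Override
    public BigInteger newSerialNumber() {
        return BigInteger.valueOf(this.idGenerator.nextLong());
    }

    /** Loads a previously persisted root CA into {@link #rootCert}/{@link #rootKey}, if any. */
    protected abstract void loadRootCA();

    /** Persists the current {@link #rootCert}/{@link #rootKey}. */
    protected abstract void saveRootCA();

    /**
     * Registers the BC provider, prepares the RSA key-pair generator and loads the root CA;
     * when nothing was loaded, generates a self-signed root valid for {@link #rootTTL} years
     * and persists it. Any failure is logged and leaves the store partially initialised.
     */
    protected void init(Properties properties) {
        try {
            if (Security.getProvider(PROVIDER) == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            if (this.keyPairGenerator == null) {
                this.keyPairGenerator = KeyPairGenerator.getInstance(RSATools.KEY_ALGORITHM);
                this.keyPairGenerator.initialize(this.keyLength, this.secureRandom);
            }
            loadRootCA();
            if (this.rootCert == null || this.rootKey == null) {
                KeyPair pair = this.keyPairGenerator.generateKeyPair();
                PrivateKey privateKey = pair.getPrivate();
                long now = System.currentTimeMillis();
                // Self-signed: issuer and subject are both the root name.
                X500Name rootName = new X500Name(getRootX500Name());
                X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                        rootName,
                        newSerialNumber(),
                        new Date(now),
                        new Date(now + this.rootTTL * MILLIS_PER_YEAR),
                        rootName,
                        SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded()));
                addExtension(builder);
                // CA:true is what makes this certificate a usable issuer; marked critical.
                builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
                this.rootCert = new JcaX509CertificateConverter().getCertificate(
                        builder.build(signerBuilder().build(privateKey)));
                this.rootKey = privateKey;
                saveRootCA();
            }
        } catch (Exception e) {
            LOG.error("Failed to init ca store.", e);
        }
    }

    /** Builds a signer factory for {@link #algorithm} under the BC provider, using {@link #secureRandom}. */
    private JcaContentSignerBuilder signerBuilder() {
        return new JcaContentSignerBuilder(this.algorithm)
                .setSecureRandom(this.secureRandom)
                .setProvider(PROVIDER);
    }

    /**
     * @return the root certificate
     * @throws IllegalStateException if {@link #init(Properties)} did not leave a usable root CA
     */
    private X509Certificate requireRootCert() {
        if (this.rootCert == null || this.rootKey == null) {
            throw new IllegalStateException("Root CA is not initialized; init() failed or was not called.");
        }
        return this.rootCert;
    }

    /** Packages the root CA certificate and key as a fresh {@link PemCertificateContent}. */
    private PemCertificateContent rootContent() {
        X509Certificate root = requireRootCert();
        PemCertificateContent content = new PemCertificateContent();
        content.setContent(root.getSerialNumber(), root, this.rootKey);
        return content;
    }

    /** Uses {@code str} when non-empty, otherwise the name derived from {@code properties}. */
    private String resolveX500Name(String str, Properties properties) {
        return StringUtils.isNotEmpty(str) ? str : getX500Name(properties);
    }

    /** Fills {@code certificateContent} with the root CA certificate and private key. */
    @Override
    public CertificateContent getRoot(CertificateContent certificateContent) {
        X509Certificate root = requireRootCert();
        certificateContent.setContent(root.getSerialNumber(), root, this.rootKey);
        return certificateContent;
    }

    /** Issues a certificate for subject {@code str}, signed by the root CA, with the default extensions. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, String str) {
        return newCertificate(bigInteger, certificateContent, rootContent(), getX500Name(str), (Logiclet) null, (Properties) null);
    }

    /** Issues a certificate for subject {@code str}, signed by {@code certificateContent2}. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, CertificateContent certificateContent2, String str) {
        return newCertificate(bigInteger, certificateContent, certificateContent2, getX500Name(str), (Logiclet) null, (Properties) null);
    }

    /** Issues a certificate signed by {@code certificateContent2}, with extensions set by {@code logiclet}. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, CertificateContent certificateContent2, Logiclet logiclet, String str) {
        return newCertificate(bigInteger, certificateContent, certificateContent2, getX500Name(str), logiclet, (Properties) null);
    }

    /** Issues a root-signed certificate; an empty {@code str} falls back to the {@code x500Name} property. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, String str, Properties properties) {
        return newCertificate(bigInteger, certificateContent, rootContent(), resolveX500Name(str, properties), (Logiclet) null, properties);
    }

    /** Issues a certificate signed by {@code certificateContent2}; an empty {@code str} falls back to the properties. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, CertificateContent certificateContent2, String str, Properties properties) {
        return newCertificate(bigInteger, certificateContent, certificateContent2, resolveX500Name(str, properties), (Logiclet) null, properties);
    }

    /** Most general public overload: explicit issuer, script hook and properties. */
    @Override
    public CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, CertificateContent certificateContent2, Logiclet logiclet, String str, Properties properties) {
        return newCertificate(bigInteger, certificateContent, certificateContent2, resolveX500Name(str, properties), logiclet, properties);
    }

    /** Builds a CRL signed by the root CA listing the given serial numbers. */
    @Override
    public CRLContent revokeCertificate(CRLContent cRLContent, BigInteger... bigIntegerArr) {
        return revokeCertificate(cRLContent, rootContent(), bigIntegerArr);
    }

    /**
     * Builds a CRL signed by {@code certificateContent}'s private key. Every entry carries
     * reason privilegeWithdrawn; nextUpdate is one day out. A null serial array yields an
     * empty CRL. Signing failures are logged and leave {@code cRLContent} untouched.
     */
    @Override
    public CRLContent revokeCertificate(CRLContent cRLContent, CertificateContent certificateContent, BigInteger... bigIntegerArr) {
        PrivateKey issuerKey = certificateContent.getPrivateKey();
        // thisUpdate, nextUpdate and every entry's revocation date come from one clock read.
        long now = System.currentTimeMillis();
        Date revokedAt = new Date(now);
        X500Name issuer = new X500Name(certificateContent.getCertificate().getSubjectX500Principal().getName());
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, revokedAt);
        crlBuilder.setNextUpdate(new Date(now + MILLIS_PER_DAY));
        if (bigIntegerArr != null) {
            for (BigInteger serial : bigIntegerArr) {
                crlBuilder.addCRLEntry(serial, revokedAt, CRL_REASON_PRIVILEGE_WITHDRAWN);
            }
        }
        try {
            cRLContent.setContent(new JcaX509CRLConverter().setProvider(PROVIDER)
                    .getCRL(crlBuilder.build(signerBuilder().build(issuerKey))));
        } catch (Exception e) {
            LOG.error("Failed to build CRL.", e);
        }
        return cRLContent;
    }

    /**
     * Generates a new RSA key pair and issues a certificate for it.
     *
     * @param bigInteger          serial number to use
     * @param certificateContent  receives the issued certificate and its private key
     * @param certificateContent2 issuer (certificate + key); {@code null} means self-signed
     * @param str                 subject distinguished name
     * @param logiclet            optional script that sets extensions; {@code null} uses the defaults
     * @param properties          optional settings; {@code ttl} (years) overrides {@link #rootTTL}
     * @return {@code certificateContent}, unchanged if issuance failed (the failure is logged)
     */
    protected CertificateContent newCertificate(BigInteger bigInteger, CertificateContent certificateContent, CertificateContent certificateContent2, String str, Logiclet logiclet, Properties properties) {
        try {
            long ttlYears = properties == null ? this.rootTTL : PropertiesConstants.getLong(properties, "ttl", this.rootTTL);
            long now = System.currentTimeMillis();
            KeyPair pair = this.keyPairGenerator.generateKeyPair();
            PrivateKey subjectKey = pair.getPrivate();
            boolean selfSigned = certificateContent2 == null;
            X500Name issuer = new X500Name(selfSigned ? str : certificateContent2.getX500Name());
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    issuer,
                    bigInteger,
                    new Date(now),
                    new Date(now + ttlYears * MILLIS_PER_YEAR),
                    new X500Name(str),
                    SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded()));
            addExtension(builder, logiclet, properties);
            // Self-signed certificates are signed with the subject's own freshly generated key.
            PrivateKey signingKey = selfSigned ? subjectKey : certificateContent2.getPrivateKey();
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(
                    builder.build(signerBuilder().build(signingKey)));
            certificateContent.setContent(certificate.getSerialNumber(), certificate, subjectKey);
        } catch (Exception e) {
            LOG.error("Failed to build new certificate.", e);
        }
        return certificateContent;
    }

    /**
     * Sets extensions on the builder: with no {@code logiclet} the default profile of
     * {@link #addExtension(X509v3CertificateBuilder)} is applied; otherwise the builder is
     * exposed to the script under {@link #XSCRIPT_OBJECT_ID} and the script decides.
     * Script failures are logged and tolerated, so the certificate may end up without
     * the extensions the script was meant to add.
     */
    public void addExtension(X509v3CertificateBuilder x509v3CertificateBuilder, Logiclet logiclet, Properties properties) throws CertIOException {
        if (logiclet == null) {
            addExtension(x509v3CertificateBuilder);
            return;
        }
        LogicletContext ctx = new LogicletContext(properties == null ? Settings.get() : properties);
        try {
            ctx.setObject(XSCRIPT_OBJECT_ID, x509v3CertificateBuilder);
            JsonObject root = new JsonObject("root", new HashMap<>());
            logiclet.execute(root, root, ctx, null);
        } catch (Exception e) {
            // Warn rather than info: a silently skipped script changes the issued profile.
            LOG.warn("Failed to execute on build script", e);
        } finally {
            // Always drop the builder from the context, whatever the script did.
            ctx.removeObject(XSCRIPT_OBJECT_ID);
        }
    }

    /**
     * Applies the default extension profile: every KeyUsage bit (critical) and a broad
     * extended-key-usage list (anyExtendedKeyUsage, client/server auth, SCVP client/server,
     * code signing, e-mail protection, time stamping).
     *
     * <p>NOTE(review): this profile is deliberately permissive and is what every issued
     * certificate receives when no {@link Logiclet} is supplied; it includes keyCertSign and
     * cRLSign, which end-entity certificates normally should not carry. Callers that need a
     * narrower profile should set extensions through the script hook.
     */
    public void addExtension(X509v3CertificateBuilder x509v3CertificateBuilder) throws CertIOException {
        // Same mask as 128+64+32+16+8+4+2+1+32768, spelled with the named flags.
        int allKeyUsages = KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment
                | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.keyCertSign
                | KeyUsage.cRLSign | KeyUsage.encipherOnly | KeyUsage.decipherOnly;
        x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(allKeyUsages));
        ASN1EncodableVector purposes = new ASN1EncodableVector();
        purposes.add(KeyPurposeId.anyExtendedKeyUsage);
        purposes.add(KeyPurposeId.id_kp_clientAuth);
        purposes.add(KeyPurposeId.id_kp_serverAuth);
        purposes.add(KeyPurposeId.id_kp_scvpClient);
        purposes.add(KeyPurposeId.id_kp_scvpServer);
        purposes.add(KeyPurposeId.id_kp_codeSigning);
        purposes.add(KeyPurposeId.id_kp_emailProtection);
        purposes.add(KeyPurposeId.id_kp_timeStamping);
        x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));
    }
}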
