package net.maritimeconnectivity.pki;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CRLReason;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import net.maritimeconnectivity.pki.exception.PKIRuntimeException;
import net.maritimeconnectivity.pki.pkcs11.P11PKIConfiguration;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.operator.OperatorCreationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/maritimeconnectivity/pki/CAHandler.class */
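/**
 * Creates and maintains the root CA and sub CAs of the PKI: keystore files for the software
 * variant, PKCS#11 tokens for the HSM variant ({@code *PKCS11}/{@code *P11} methods), plus the
 * root CA CRL.
 *
 * <p>Every failure is reported as a {@link PKIRuntimeException}; the originating checked exception
 * is always attached as the cause. The HSM variants require {@link #pkiConfiguration} to be a
 * {@link P11PKIConfiguration} and release the provider session in a {@code finally} block, so a
 * failure halfway through never leaves the token logged in.
 *
 * <p>Keystore and truststore files are written one after the other, not atomically: a failure while
 * writing the second file leaves the pair inconsistent. Callers should back up both before retrying.
 */
public class CAHandler {
    private static final Logger log = LoggerFactory.getLogger(CAHandler.class);
    private static final String HSM_EXCEPTION_MESSAGE = "This function can only be called when used with an HSM";
    // Certificate kind strings handed to CertificateBuilder.buildAndSignCert (its eighth argument).
    private static final String ROOT_CA_CERT_TYPE = "ROOTCA";
    private static final String INTERMEDIATE_CERT_TYPE = "INTERMEDIATE";
    // Revocation file layout: one "serial;reason;yyyy-MM-dd" record per line, blank lines ignored.
    private static final String REVOCATION_FIELD_SEPARATOR = ";";
    private static final String REVOCATION_DATE_PATTERN = "yyyy-MM-dd";
    private static final int REVOCATION_FIELD_COUNT = 3;

    private final CertificateBuilder certificateBuilder;
    private final PKIConfiguration pkiConfiguration;

    /**
     * @param certificateBuilder builder used to generate serial numbers and sign CA certificates
     * @param pkiConfiguration   supplies keystore paths and passwords; must be a
     *                           {@link P11PKIConfiguration} for the HSM variants
     */
    public CAHandler(CertificateBuilder certificateBuilder, PKIConfiguration pkiConfiguration) {
        this.certificateBuilder = certificateBuilder;
        this.pkiConfiguration = pkiConfiguration;
    }

    /**
     * Creates a sub CA signed by the root CA held in the software root CA keystore.
     *
     * <p>The new key and chain (sub CA cert, root cert) go into the sub CA keystore under the UID of
     * {@code subCaCertDN}; an existing sub CA keystore is reused so earlier sub CAs are preserved.
     * The sub CA certificate is also added to the truststore under the same alias. The UID check
     * and the root CA lookup happen before any key material is generated or any file is rewritten.
     *
     * @param subCaCertDN    X.500 distinguished name of the sub CA; must carry a UID attribute,
     *                       which becomes the keystore alias
     * @param rootCAAlias    alias of the root CA private key entry in the root CA keystore
     * @param validityPeriod forwarded unchanged as the last argument of {@code buildAndSignCert}
     *                       (presumably the validity period; confirm against CertificateBuilder)
     * @throws PKIRuntimeException if a keystore cannot be read or written, the root CA entry or its
     *                             CRL distribution point is missing, the UID is missing, or signing fails
     */
    public void createSubCa(String subCaCertDN, String rootCAAlias, int validityPeriod) {
        char[] rootKeystorePassword = pkiConfiguration.getRootCaKeystorePassword().toCharArray();
        char[] subCaKeystorePassword = pkiConfiguration.getSubCaKeystorePassword().toCharArray();
        char[] truststorePassword = pkiConfiguration.getTruststorePassword().toCharArray();
        String subCaKeystorePath = pkiConfiguration.getSubCaKeystorePath();

        KeyStore rootKeystore;
        KeyStore subCaKeystore;
        KeyStore truststore;
        try {
            rootKeystore = loadKeyStoreFromFile(PKIConstants.KEYSTORE_TYPE, pkiConfiguration.getRootCaKeystorePath(), rootKeystorePassword);
            // Reuse an existing sub CA keystore so previously created sub CAs are kept; otherwise start empty.
            subCaKeystore = Files.exists(Path.of(subCaKeystorePath))
                    ? loadKeyStoreFromFile(PKIConstants.KEYSTORE_TYPE, subCaKeystorePath, subCaKeystorePassword)
                    : newEmptyKeyStore(PKIConstants.KEYSTORE_TYPE, subCaKeystorePassword);
            truststore = loadKeyStoreFromFile(KeyStore.getDefaultType(), pkiConfiguration.getTruststorePath(), truststorePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }

        KeyStore.PrivateKeyEntry rootEntry;
        try {
            // NOTE(review): the entry is unlocked with the *keystore* password although initRootCA stores it
            // under getRootCaKeyPassword(); this only works while both passwords are equal — confirm.
            rootEntry = getPrivateKeyEntry(rootKeystore, rootCAAlias, new KeyStore.PasswordProtection(rootKeystorePassword));
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
        X509Certificate rootCert = (X509Certificate) rootEntry.getCertificate();
        X500Name rootSubject = subjectOf(rootCert);
        String crlUrl = crlDistributionPointOf(rootCert);
        X500Name subCaName = new X500Name(subCaCertDN);
        String alias = requireUidAlias(subCaName);

        KeyPair subCaKeyPair = CertificateBuilder.generateKeyPair(null);
        X509Certificate subCaCert;
        try {
            subCaCert = certificateBuilder.buildAndSignCert(certificateBuilder.generateSerialNumber(null), rootEntry.getPrivateKey(),
                    rootCert.getPublicKey(), subCaKeyPair.getPublic(), rootSubject, subCaName, null, INTERMEDIATE_CERT_TYPE, null,
                    crlUrl, null, validityPeriod);
        } catch (Exception e) {
            throw new PKIRuntimeException("Could not create sub CA certificate!", e);
        }

        try {
            subCaKeystore.setKeyEntry(alias, subCaKeyPair.getPrivate(), pkiConfiguration.getSubCaKeyPassword().toCharArray(),
                    new Certificate[]{subCaCert, rootCert});
            storeKeyStoreToFile(subCaKeystore, subCaKeystorePath, subCaKeystorePassword);
            truststore.setCertificateEntry(alias, subCaCert);
            storeKeyStoreToFile(truststore, pkiConfiguration.getTruststorePath(), truststorePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Creates a sub CA on an HSM, signed by the root CA key held on the HSM of {@link #pkiConfiguration}.
     *
     * <p>Both the root CA configuration ({@link #pkiConfiguration}) and {@code subCaConfiguration}
     * must be {@link P11PKIConfiguration}s; the sub CA key pair is generated with, and stored
     * through, the sub CA provider, while signing uses the root CA provider. Only the truststore is
     * a file here; the sub CA key entry is set on the PKCS#11 keystore without a {@code store()} call
     * (the token is presumed to persist it). Both provider sessions are logged out in a
     * {@code finally} block.
     *
     * @param subCaCertDN         X.500 distinguished name of the sub CA; must carry a UID attribute
     * @param rootCAAlias         alias of the root CA private key entry on the root HSM
     * @param subCaConfiguration  HSM configuration of the sub CA; also used to generate the serial number
     * @param validityPeriod      forwarded unchanged as the last argument of {@code buildAndSignCert}
     * @throws PKIRuntimeException if either configuration is not HSM backed, or on any keystore,
     *                             lookup, UID, CRL distribution point or signing failure
     */
    public void createSubCAPKCS11(String subCaCertDN, String rootCAAlias, PKIConfiguration subCaConfiguration, int validityPeriod) {
        if (!(pkiConfiguration instanceof P11PKIConfiguration) || !(subCaConfiguration instanceof P11PKIConfiguration)) {
            throw new PKIRuntimeException(HSM_EXCEPTION_MESSAGE);
        }
        P11PKIConfiguration rootConfig = (P11PKIConfiguration) pkiConfiguration;
        P11PKIConfiguration subCaConfig = (P11PKIConfiguration) subCaConfiguration;
        char[] truststorePassword = pkiConfiguration.getTruststorePassword().toCharArray();

        rootConfig.providerLogin();
        subCaConfig.providerLogin();
        try {
            KeyStore rootKeystore;
            KeyStore subCaKeystore;
            KeyStore truststore;
            try {
                rootKeystore = KeyStore.getInstance(PKIConstants.PKCS11, rootConfig.getProvider());
                rootKeystore.load(null, rootConfig.getPkcs11Pin());
                subCaKeystore = KeyStore.getInstance(PKIConstants.PKCS11, subCaConfig.getProvider());
                subCaKeystore.load(null, subCaConfig.getPkcs11Pin());
                truststore = loadKeyStoreFromFile(KeyStore.getDefaultType(), pkiConfiguration.getTruststorePath(), truststorePassword);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new PKIRuntimeException(e.getMessage(), e);
            }

            KeyStore.PrivateKeyEntry rootEntry;
            try {
                rootEntry = getPrivateKeyEntry(rootKeystore, rootCAAlias, null);
            } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
                throw new PKIRuntimeException(e.getMessage(), e);
            }
            X509Certificate rootCert = (X509Certificate) rootEntry.getCertificate();
            X500Name rootSubject = subjectOf(rootCert);
            String crlUrl = crlDistributionPointOf(rootCert);
            X500Name subCaName = new X500Name(subCaCertDN);
            // Validate the alias before touching the token, so a bad DN does not leave an orphan key pair on the HSM.
            String alias = requireUidAlias(subCaName);

            KeyPair subCaKeyPair = CertificateBuilder.generateKeyPairPKCS11(subCaConfig);
            X509Certificate subCaCert;
            try {
                subCaCert = certificateBuilder.buildAndSignCert(certificateBuilder.generateSerialNumber(subCaConfig), rootEntry.getPrivateKey(),
                        rootCert.getPublicKey(), subCaKeyPair.getPublic(), rootSubject, subCaName, null, INTERMEDIATE_CERT_TYPE, null,
                        crlUrl, rootConfig.getProvider(), validityPeriod);
            } catch (Exception e) {
                throw new PKIRuntimeException("Could not create sub CA certificate!", e);
            }

            try {
                subCaKeystore.setKeyEntry(alias, subCaKeyPair.getPrivate(), null, new Certificate[]{subCaCert, rootCert});
                truststore.setCertificateEntry(alias, subCaCert);
                storeKeyStoreToFile(truststore, pkiConfiguration.getTruststorePath(), truststorePassword);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw new PKIRuntimeException(e.getMessage(), e);
            }
        } finally {
            // Release both HSM sessions on every exit path, including unchecked failures.
            rootConfig.providerLogout();
            subCaConfig.providerLogout();
        }
    }

    /**
     * Generates a fresh root CA key pair and self-signed certificate and writes them to disk.
     *
     * <p>The private key goes into the root CA keystore (protected by {@code getRootCaKeyPassword()}),
     * and the certificate into a new truststore. Both files are (re)created; signing happens before
     * any file is opened, so a signing failure does not truncate existing files.
     *
     * @param rootCertX500Name X.500 distinguished name used as both subject and issuer
     * @param crlUrl           CRL distribution point to embed; passed where {@link #createSubCa} passes
     *                         the root certificate's CRL distribution point
     * @param rootCAAlias      alias under which the key entry and the trusted certificate are stored
     * @param validityPeriod   forwarded unchanged as the last argument of {@code buildAndSignCert}
     * @throws PKIRuntimeException on any keystore, signing or I/O failure
     */
    public void initRootCA(String rootCertX500Name, String crlUrl, String rootCAAlias, int validityPeriod) {
        char[] rootKeystorePassword = pkiConfiguration.getRootCaKeystorePassword().toCharArray();
        char[] truststorePassword = pkiConfiguration.getTruststorePassword().toCharArray();
        KeyPair rootKeyPair = CertificateBuilder.generateKeyPair(null);
        try {
            X500Name rootName = new X500Name(rootCertX500Name);
            X509Certificate rootCert = certificateBuilder.buildAndSignCert(certificateBuilder.generateSerialNumber(null), rootKeyPair.getPrivate(),
                    rootKeyPair.getPublic(), rootKeyPair.getPublic(), rootName, rootName, null, ROOT_CA_CERT_TYPE, null, crlUrl, null,
                    validityPeriod);

            KeyStore rootKeystore = newEmptyKeyStore(PKIConstants.KEYSTORE_TYPE, rootKeystorePassword);
            rootKeystore.setKeyEntry(rootCAAlias, rootKeyPair.getPrivate(), pkiConfiguration.getRootCaKeyPassword().toCharArray(),
                    new Certificate[]{rootCert});
            storeKeyStoreToFile(rootKeystore, pkiConfiguration.getRootCaKeystorePath(), rootKeystorePassword);

            KeyStore truststore = newEmptyKeyStore(KeyStore.getDefaultType(), truststorePassword);
            truststore.setCertificateEntry(rootCAAlias, rootCert);
            storeKeyStoreToFile(truststore, pkiConfiguration.getTruststorePath(), truststorePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Generates the root CA key pair on the HSM and a self-signed certificate for it.
     *
     * <p>The key entry is set on the PKCS#11 keystore (no {@code store()} call; the token is presumed
     * to persist it) and the certificate is written to a new truststore file. The provider session is
     * logged out in a {@code finally} block.
     *
     * @param rootCertX500Name X.500 distinguished name used as both subject and issuer
     * @param crlUrl           CRL distribution point to embed
     * @param rootCAAlias      alias for the key entry on the token and the trusted certificate
     * @param validityPeriod   forwarded unchanged as the last argument of {@code buildAndSignCert}
     * @throws PKIRuntimeException if the configuration is not HSM backed, or on any keystore, signing or I/O failure
     */
    public void initRootCAPKCS11(String rootCertX500Name, String crlUrl, String rootCAAlias, int validityPeriod) {
        if (!(pkiConfiguration instanceof P11PKIConfiguration)) {
            throw new PKIRuntimeException(HSM_EXCEPTION_MESSAGE);
        }
        P11PKIConfiguration p11Config = (P11PKIConfiguration) pkiConfiguration;
        char[] truststorePassword = pkiConfiguration.getTruststorePassword().toCharArray();

        p11Config.providerLogin();
        try {
            KeyPair rootKeyPair = CertificateBuilder.generateKeyPairPKCS11(p11Config);
            KeyStore rootKeystore = KeyStore.getInstance(PKIConstants.PKCS11, p11Config.getProvider());
            rootKeystore.load(null, p11Config.getPkcs11Pin());

            X500Name rootName = new X500Name(rootCertX500Name);
            X509Certificate rootCert = certificateBuilder.buildAndSignCert(certificateBuilder.generateSerialNumber(p11Config), rootKeyPair.getPrivate(),
                    rootKeyPair.getPublic(), rootKeyPair.getPublic(), rootName, rootName, null, ROOT_CA_CERT_TYPE, null, crlUrl,
                    p11Config.getProvider(), validityPeriod);
            rootKeystore.setKeyEntry(rootCAAlias, rootKeyPair.getPrivate(), null, new Certificate[]{rootCert});

            KeyStore truststore = newEmptyKeyStore(KeyStore.getDefaultType(), truststorePassword);
            truststore.setCertificateEntry(rootCAAlias, rootCert);
            storeKeyStoreToFile(truststore, pkiConfiguration.getTruststorePath(), truststorePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        } finally {
            p11Config.providerLogout();
        }
    }

    /**
     * Reads a revocation file into {@link RevocationInfo} records.
     *
     * <p>Each non-blank line must have exactly three {@code ;}-separated fields: the certificate
     * serial number (decimal), the revocation reason (matched case-insensitively via
     * {@code Revocation.getCRLReasonFromString}) and the revocation date as {@code yyyy-MM-dd}.
     * Dates are parsed strictly, so an impossible date such as a 13th month is rejected instead of
     * being silently rolled over into a different revocation date.
     *
     * @param revocationFile path of the file to read (UTF-8)
     * @return the parsed records in file order; empty if the file has no non-blank lines
     * @throws PKIRuntimeException if the file is missing or unreadable, a line has the wrong number of
     *                             fields, the reason is unknown, or a date does not match the pattern
     */
    public List<RevocationInfo> loadRevocationFile(String revocationFile) {
        List<RevocationInfo> revocations = new ArrayList<>();
        SimpleDateFormat dateFormat = new SimpleDateFormat(REVOCATION_DATE_PATTERN);
        dateFormat.setLenient(false);
        try (BufferedReader reader = new BufferedReader(new FileReader(revocationFile, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.trim().isEmpty()) {
                    continue;
                }
                String[] fields = line.split(REVOCATION_FIELD_SEPARATOR);
                if (fields.length != REVOCATION_FIELD_COUNT) {
                    throw new PKIRuntimeException("Missing info from line: " + line);
                }
                RevocationInfo revocationInfo = new RevocationInfo();
                revocationInfo.setSerialNumber(new BigInteger(fields[0].trim()));
                revocationInfo.setRevokeReason(parseRevocationReason(fields[1], line));
                revocationInfo.setRevokedAt(dateFormat.parse(fields[2].trim()));
                revocations.add(revocationInfo);
            }
        } catch (FileNotFoundException e) {
            throw new PKIRuntimeException("Could not find the revocation info file!", e);
        } catch (IOException e) {
            throw new PKIRuntimeException(e);
        } catch (ParseException e) {
            throw new PKIRuntimeException("Invalid date format!", e);
        }
        return revocations;
    }

    /**
     * Generates the root CA CRL from the software root CA keystore.
     *
     * @param crlOutput      forwarded to {@code Revocation.generateRootCACRL} (presumably the CRL output location; confirm)
     * @param revocationFile revocation file, see {@link #loadRevocationFile(String)}
     * @param rootCAAlias    alias of the root CA private key entry in the root CA keystore
     * @throws PKIRuntimeException if the revocation file or keystore cannot be read, the entry is missing, or CRL generation fails
     */
    public void generateRootCRL(String crlOutput, String revocationFile, String rootCAAlias) {
        List<RevocationInfo> revocations = loadRevocationFile(revocationFile);
        char[] rootKeystorePassword = pkiConfiguration.getRootCaKeystorePassword().toCharArray();
        try {
            KeyStore rootKeystore = loadKeyStoreFromFile(PKIConstants.KEYSTORE_TYPE, pkiConfiguration.getRootCaKeystorePath(), rootKeystorePassword);
            // NOTE(review): unlocked with the keystore password, as in createSubCa — see the note there.
            KeyStore.PrivateKeyEntry rootEntry = getPrivateKeyEntry(rootKeystore, rootCAAlias, new KeyStore.PasswordProtection(rootKeystorePassword));
            String issuer = new JcaX509CertificateHolder((X509Certificate) rootEntry.getCertificate()).getSubject().toString();
            Revocation.generateRootCACRL(issuer, revocations, rootEntry, crlOutput, null);
        } catch (FileNotFoundException e) {
            throw new PKIRuntimeException("Could not find root keystore!", e);
        } catch (IOException e) {
            throw new PKIRuntimeException("Could not load root keystore!", e);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new PKIRuntimeException("Unable to generate RootCACRL", e);
        } catch (CertificateException e) {
            throw new PKIRuntimeException("Could not load root certificate!", e);
        }
    }

    /**
     * Generates the root CA CRL with the root CA key held on the HSM.
     *
     * <p>The revocation file is read before the provider session is opened; the session is logged
     * out in a {@code finally} block.
     *
     * @param crlOutput      forwarded to {@code Revocation.generateRootCACRL} (presumably the CRL output location; confirm)
     * @param revocationFile revocation file, see {@link #loadRevocationFile(String)}
     * @param rootCAAlias    alias of the root CA private key entry on the token
     * @throws PKIRuntimeException if the configuration is not HSM backed, the revocation file cannot be read,
     *                             the entry is missing, or CRL generation fails
     */
    public void generateRootCRLP11(String crlOutput, String revocationFile, String rootCAAlias) {
        if (!(pkiConfiguration instanceof P11PKIConfiguration)) {
            throw new PKIRuntimeException(HSM_EXCEPTION_MESSAGE);
        }
        P11PKIConfiguration p11Config = (P11PKIConfiguration) pkiConfiguration;
        List<RevocationInfo> revocations = loadRevocationFile(revocationFile);

        p11Config.providerLogin();
        try {
            KeyStore rootKeystore = KeyStore.getInstance(PKIConstants.PKCS11, p11Config.getProvider());
            rootKeystore.load(null, p11Config.getPkcs11Pin());
            KeyStore.PrivateKeyEntry rootEntry = getPrivateKeyEntry(rootKeystore, rootCAAlias, null);
            String issuer = new JcaX509CertificateHolder((X509Certificate) rootEntry.getCertificate()).getSubject().toString();
            Revocation.generateRootCACRL(issuer, revocations, rootEntry, crlOutput, p11Config.getProvider());
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            throw new PKIRuntimeException("Could not generate CRL", e);
        } finally {
            p11Config.providerLogout();
        }
    }

    /** Loads the keystore file at {@code path} into a new keystore of the given {@code type}; the stream is always closed. */
    private static KeyStore loadKeyStoreFromFile(String type, String path, char[] password)
            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /** Creates an initialised, empty keystore of the given {@code type}. */
    private static KeyStore newEmptyKeyStore(String type, char[] password)
            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(type);
        keyStore.load(null, password);
        return keyStore;
    }

    /** Writes {@code keyStore} to {@code path}, replacing any existing file; the stream is always closed. */
    private static void storeKeyStoreToFile(KeyStore keyStore, String path, char[] password)
            throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        try (FileOutputStream out = new FileOutputStream(path)) {
            keyStore.store(out, password);
        }
    }

    /**
     * Fetches the private key entry stored under {@code alias}.
     *
     * @param protection password protection for file keystores, {@code null} for PKCS#11 keystores
     * @throws PKIRuntimeException if no entry exists for the alias or it is not a private key entry
     *                             (the keystore API returns {@code null} in the first case, which the
     *                             callers previously dereferenced)
     */
    private static KeyStore.PrivateKeyEntry getPrivateKeyEntry(KeyStore keyStore, String alias, KeyStore.ProtectionParameter protection)
            throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        KeyStore.Entry entry = keyStore.getEntry(alias, protection);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new PKIRuntimeException("No private key entry found for alias: " + alias);
        }
        return (KeyStore.PrivateKeyEntry) entry;
    }

    /** Returns the subject of {@code cert} as an {@link X500Name}, wrapping encoding problems in a {@link PKIRuntimeException}. */
    private static X500Name subjectOf(X509Certificate cert) {
        try {
            return new JcaX509CertificateHolder(cert).getSubject();
        } catch (CertificateEncodingException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Returns the first CRL distribution point of {@code cert}, which sub CA certificates inherit.
     *
     * @throws PKIRuntimeException if the extension cannot be read or the certificate carries no distribution point
     */
    private static String crlDistributionPointOf(X509Certificate cert) {
        List<String> distributionPoints;
        try {
            distributionPoints = CRLVerifier.getCrlDistributionPoints(cert);
        } catch (IOException e) {
            throw new PKIRuntimeException(e.getMessage(), e);
        }
        if (distributionPoints == null || distributionPoints.isEmpty()) {
            throw new PKIRuntimeException("No CRL distribution point found in the root CA certificate!");
        }
        return distributionPoints.get(0);
    }

    /**
     * Returns the UID attribute of {@code name}, which is used as the sub CA keystore alias.
     *
     * @throws PKIRuntimeException if the name has no non-blank UID
     */
    private static String requireUidAlias(X500Name name) {
        String uid = CertificateHandler.getElement(name, BCStyle.UID);
        if (uid == null || uid.trim().isEmpty()) {
            throw new PKIRuntimeException("UID must be defined for sub CA! It will be used as the sub CA alias.");
        }
        return uid;
    }

    /**
     * Maps the textual reason of a revocation record to a {@link CRLReason}.
     *
     * @param reason raw reason field (trimmed and lower-cased here, locale-independently)
     * @param line   the full record, for the error message
     * @throws PKIRuntimeException if {@code Revocation.getCRLReasonFromString} yields an index outside {@code CRLReason.values()}
     */
    private static CRLReason parseRevocationReason(String reason, String line) {
        int reasonIndex = Revocation.getCRLReasonFromString(reason.trim().toLowerCase(Locale.ROOT));
        CRLReason[] reasons = CRLReason.values();
        if (reasonIndex < 0 || reasonIndex >= reasons.length) {
            throw new PKIRuntimeException("Unknown revocation reason in line: " + line);
        }
        return reasons[reasonIndex];
    }
}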
