package net.solarnetwork.node.setup.impl;

import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import net.solarnetwork.node.backup.BackupResource;
import net.solarnetwork.node.backup.BackupResourceInfo;
import net.solarnetwork.node.backup.BackupResourceProvider;
import net.solarnetwork.node.backup.BackupResourceProviderInfo;
import net.solarnetwork.node.backup.ResourceBackupResource;
import net.solarnetwork.node.backup.SimpleBackupResourceInfo;
import net.solarnetwork.node.backup.SimpleBackupResourceProviderInfo;
import net.solarnetwork.node.service.PKIService;
import net.solarnetwork.service.CertificateException;
import net.solarnetwork.service.CertificateService;
import net.solarnetwork.service.support.ConfigurableSSLService;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Base64OutputStream;
import org.springframework.context.MessageSource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.util.FileCopyUtils;

/* loaded from: input_file:net/solarnetwork/node/setup/impl/DefaultKeystoreService.class */
public class DefaultKeystoreService extends ConfigurableSSLService implements PKIService, BackupResourceProvider {
    private static final String BACKUP_RESOURCE_NAME_KEYSTORE = "node.jks";
    public static final String DEFAULT_KEY_STORE_PATH = "conf/tls/node.jks";
    private static final String PKCS12_KEYSTORE_TYPE = "pkcs12";
    private static final int PASSWORD_LENGTH = 20;
    private String nodeAlias = "node";
    private String caAlias = "ca";
    private int keySize = 2048;
    private MessageSource messageSource;
    private final SetupIdentityDao setupIdentityDao;
    private final CertificateService certificateService;
    static final /* synthetic */ boolean $assertionsDisabled;

    public DefaultKeystoreService(SetupIdentityDao setupIdentityDao, CertificateService certificateService) {
        this.setupIdentityDao = setupIdentityDao;
        this.certificateService = certificateService;
        setKeyStorePath(DEFAULT_KEY_STORE_PATH);
        setTrustStorePassword("solarnode");
        setKeyStorePassword(null);
    }

    public String getKey() {
        return DefaultKeystoreService.class.getName();
    }

    public Iterable<BackupResource> getBackupResources() {
        File file = new File(getKeyStorePath());
        if (!file.isFile() || !file.canRead()) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(new ResourceBackupResource(new FileSystemResource(file), BACKUP_RESOURCE_NAME_KEYSTORE, getKey()));
        return arrayList;
    }

    public boolean restoreBackupResource(BackupResource backupResource) {
        if (backupResource == null || !BACKUP_RESOURCE_NAME_KEYSTORE.equalsIgnoreCase(backupResource.getBackupPath())) {
            return false;
        }
        File file = new File(getKeyStorePath());
        File parentFile = file.getParentFile();
        if (!parentFile.isDirectory() && !parentFile.mkdirs()) {
            this.log.warn("Error creating keystore directory {}", parentFile.getAbsolutePath());
            return false;
        }
        synchronized (this) {
            try {
                FileCopyUtils.copy(backupResource.getInputStream(), new FileOutputStream(file));
                file.setLastModified(backupResource.getModificationDate());
            } catch (IOException e) {
                this.log.error("IO error restoring keystore resource {}: {}", file.getAbsolutePath(), e.getMessage());
                return false;
            }
        }
        return true;
    }

    public BackupResourceProviderInfo providerInfo(Locale locale) {
        String str = "Certificate Backup Provider";
        String str2 = "Backs up the SolarNode certificates.";
        MessageSource messageSource = this.messageSource;
        if (messageSource != null) {
            str = messageSource.getMessage("title", (Object[]) null, str, locale);
            str2 = messageSource.getMessage("desc", (Object[]) null, str2, locale);
        }
        return new SimpleBackupResourceProviderInfo(getKey(), str, str2);
    }

    public BackupResourceInfo resourceInfo(BackupResource backupResource, Locale locale) {
        return new SimpleBackupResourceInfo(backupResource.getProviderKey(), backupResource.getBackupPath(), (String) null);
    }

    protected String getKeyStorePassword() {
        String keyStorePassword = super.getKeyStorePassword();
        if (keyStorePassword != null && keyStorePassword.length() > 0) {
            return keyStorePassword;
        }
        SetupIdentityInfo setupIdentityInfo = this.setupIdentityDao.getSetupIdentityInfo();
        String keyStorePassword2 = setupIdentityInfo.getKeyStorePassword();
        if (keyStorePassword2 == null) {
            keyStorePassword2 = generateNewKeyStorePassword();
            this.setupIdentityDao.saveSetupIdentityInfo(setupIdentityInfo.withKeyStorePassword(keyStorePassword2));
        }
        return keyStorePassword2;
    }

    private String generateNewKeyStorePassword() {
        String keyStorePassword = super.getKeyStorePassword();
        if (keyStorePassword != null && keyStorePassword.length() > 0) {
            return keyStorePassword;
        }
        try {
            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
            char[] cArr = new char[PASSWORD_LENGTH];
            for (int i = 0; i < PASSWORD_LENGTH; i++) {
                cArr[i] = (char) (secureRandom.nextInt(94) + 32);
            }
            return new String(cArr);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Error creating random password", e);
        }
    }

    public boolean isNodeCertificateValid(String str) throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        X509Certificate x509Certificate = null;
        if (loadKeyStore == null) {
            return false;
        }
        try {
            if (!loadKeyStore.containsAlias(this.nodeAlias)) {
                return false;
            }
            Certificate certificate = loadKeyStore.getCertificate(this.nodeAlias);
            if (!(certificate instanceof X509Certificate)) {
                return false;
            }
            x509Certificate = (X509Certificate) certificate;
            x509Certificate.checkValidity();
            X500Principal x500Principal = new X500Principal(str);
            if (x509Certificate.getIssuerX500Principal().equals(x500Principal)) {
                return true;
            }
            this.log.debug("Certificate issuer {} not same as expected {}", x509Certificate.getIssuerX500Principal().getName(), x500Principal.getName());
            return false;
        } catch (KeyStoreException e) {
            throw new CertificateException("Error checking for node certificate", e);
        } catch (CertificateExpiredException e2) {
            this.log.debug("Certificate {} has expired", x509Certificate.getSubjectDN().getName());
            return false;
        } catch (CertificateNotYetValidException e3) {
            this.log.debug("Certificate {} not valid yet", x509Certificate.getSubjectDN().getName());
            return false;
        }
    }

    public X509Certificate generateNodeSelfSignedCertificate(String str) throws CertificateException {
        Throwable th;
        KeyStore keyStore = null;
        try {
            keyStore = loadKeyStore();
        } catch (CertificateException e) {
            Throwable th2 = e;
            while (true) {
                th = th2;
                if (th.getCause() == null) {
                    break;
                }
                th2 = th.getCause();
            }
            if (th instanceof UnrecoverableKeyException) {
                File file = new File(getKeyStorePath());
                if (file.isFile()) {
                    this.log.info("Deleting existing certificate store due to invalid password, will create new store");
                    if (file.delete()) {
                        this.setupIdentityDao.saveSetupIdentityInfo(this.setupIdentityDao.getSetupIdentityInfo().withKeyStorePassword(null));
                        keyStore = loadKeyStore();
                    }
                }
            }
            if (keyStore == null) {
                throw e;
            }
        }
        return createSelfSignedCertificate(keyStore, str, this.nodeAlias);
    }

    private X509Certificate createSelfSignedCertificate(KeyStore keyStore, String str, String str2) {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(this.keySize, new SecureRandom());
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            PublicKey publicKey = generateKeyPair.getPublic();
            PrivateKey privateKey = generateKeyPair.getPrivate();
            Certificate generateCertificate = this.certificateService.generateCertificate(str, publicKey, privateKey);
            keyStore.setKeyEntry(str2, privateKey, getKeyStorePassword().toCharArray(), new Certificate[]{generateCertificate});
            saveKeyStore(keyStore);
            return (X509Certificate) generateCertificate;
        } catch (KeyStoreException e) {
            throw new CertificateException("Error setting up node key pair", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertificateException("Error setting up node key pair", e2);
        }
    }

    private void saveTrustedCertificate(X509Certificate x509Certificate, String str) {
        KeyStore loadKeyStore = loadKeyStore();
        try {
            this.log.info("Installing trusted CA certificate {}", x509Certificate.getSubjectDN());
            loadKeyStore.setCertificateEntry(str, x509Certificate);
            saveKeyStore(loadKeyStore);
        } catch (KeyStoreException e) {
            throw new CertificateException("Error saving trusted certificate", e);
        }
    }

    public void saveCACertificate(X509Certificate x509Certificate) throws CertificateException {
        saveTrustedCertificate(x509Certificate, this.caAlias);
    }

    public String generateNodePKCS10CertificateRequestString() throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        try {
            Key key = loadKeyStore.getKey(this.nodeAlias, getKeyStorePassword().toCharArray());
            if (!$assertionsDisabled && !(key instanceof PrivateKey)) {
                throw new AssertionError();
            }
            try {
                Certificate certificate = loadKeyStore.getCertificate(this.nodeAlias);
                if ($assertionsDisabled || (certificate instanceof X509Certificate)) {
                    return this.certificateService.generatePKCS10CertificateRequestString((X509Certificate) certificate, (PrivateKey) key);
                }
                throw new AssertionError();
            } catch (KeyStoreException e) {
                throw new CertificateException("Error opening node certificate", e);
            }
        } catch (KeyStoreException e2) {
            throw new CertificateException("Error opening node private key", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertificateException("Error opening node private key", e3);
        } catch (UnrecoverableKeyException e4) {
            throw new CertificateException("Error opening node private key", e4);
        }
    }

    public String generateNodePKCS7CertificateString() throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        try {
            Key key = loadKeyStore.getKey(this.nodeAlias, getKeyStorePassword().toCharArray());
            if (!$assertionsDisabled && !(key instanceof PrivateKey)) {
                throw new AssertionError();
            }
            try {
                Certificate certificate = loadKeyStore.getCertificate(this.nodeAlias);
                if ($assertionsDisabled || (certificate instanceof X509Certificate)) {
                    return this.certificateService.generatePKCS7CertificateChainString(new X509Certificate[]{(X509Certificate) certificate});
                }
                throw new AssertionError();
            } catch (KeyStoreException e) {
                throw new CertificateException("Error opening node certificate", e);
            }
        } catch (KeyStoreException e2) {
            throw new CertificateException("Error opening node private key", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertificateException("Error opening node private key", e3);
        } catch (UnrecoverableKeyException e4) {
            throw new CertificateException("Error opening node private key", e4);
        }
    }

    public String generateNodePKCS7CertificateChainString() throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        try {
            Key key = loadKeyStore.getKey(this.nodeAlias, getKeyStorePassword().toCharArray());
            if (!$assertionsDisabled && !(key instanceof PrivateKey)) {
                throw new AssertionError();
            }
            try {
                Certificate[] certificateChain = loadKeyStore.getCertificateChain(this.nodeAlias);
                X509Certificate[] x509CertificateArr = new X509Certificate[certificateChain.length];
                for (int i = 0; i < certificateChain.length; i++) {
                    if (!$assertionsDisabled && !(certificateChain[i] instanceof X509Certificate)) {
                        throw new AssertionError();
                    }
                    x509CertificateArr[i] = (X509Certificate) certificateChain[i];
                }
                return this.certificateService.generatePKCS7CertificateChainString(x509CertificateArr);
            } catch (KeyStoreException e) {
                throw new CertificateException("Error opening node certificate", e);
            }
        } catch (KeyStoreException e2) {
            throw new CertificateException("Error opening node private key", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new CertificateException("Error opening node private key", e3);
        } catch (UnrecoverableKeyException e4) {
            throw new CertificateException("Error opening node private key", e4);
        }
    }

    public X509Certificate getNodeCertificate() throws CertificateException {
        return getNodeCertificate(loadKeyStore());
    }

    private X509Certificate getNodeCertificate(KeyStore keyStore) {
        try {
            return (X509Certificate) keyStore.getCertificate(this.nodeAlias);
        } catch (KeyStoreException e) {
            throw new CertificateException("Error opening node certificate", e);
        }
    }

    public X509Certificate getCACertificate() throws CertificateException {
        return getCACertificate(loadKeyStore());
    }

    private X509Certificate getCACertificate(KeyStore keyStore) {
        try {
            return (X509Certificate) keyStore.getCertificate(this.caAlias);
        } catch (KeyStoreException e) {
            throw new CertificateException("Error opening node certificate", e);
        }
    }

    public void savePKCS12Keystore(String str, String str2) throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore(PKCS12_KEYSTORE_TYPE, new ByteArrayInputStream(Base64.decodeBase64(str)), str2);
        String generateNewKeyStorePassword = generateNewKeyStorePassword();
        KeyStore loadKeyStore2 = loadKeyStore(KeyStore.getDefaultType(), null, generateNewKeyStorePassword);
        copyNodeChain(loadKeyStore, str2, loadKeyStore2, generateNewKeyStorePassword);
        File file = new File(getKeyStorePath());
        if (file.isFile()) {
            file.delete();
        }
        saveKeyStore(loadKeyStore2, generateNewKeyStorePassword);
        this.setupIdentityDao.saveSetupIdentityInfo(this.setupIdentityDao.getSetupIdentityInfo().withKeyStorePassword(generateNewKeyStorePassword));
    }

    private void copyNodeChain(KeyStore keyStore, String str, KeyStore keyStore2, String str2) {
        try {
            Key key = keyStore.getKey(this.nodeAlias, str.toCharArray());
            Certificate[] certificateChain = keyStore.getCertificateChain(this.nodeAlias);
            X509Certificate[] x509CertificateArr = new X509Certificate[certificateChain.length];
            for (int i = 0; i < certificateChain.length; i++) {
                x509CertificateArr[i] = (X509Certificate) certificateChain[i];
            }
            saveNodeCertificateChain(keyStore2, key, str2, x509CertificateArr[0], x509CertificateArr);
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);
        }
    }

    public String generatePKCS12KeystoreString(String str) throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        KeyStore loadKeyStore2 = loadKeyStore(PKCS12_KEYSTORE_TYPE, null, str);
        copyNodeChain(loadKeyStore, getKeyStorePassword(), loadKeyStore2, str);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        saveKeyStore(loadKeyStore2, str, new Base64OutputStream(byteArrayOutputStream));
        try {
            return byteArrayOutputStream.toString("US-ASCII");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    public void saveNodeSignedCertificate(String str) throws CertificateException {
        KeyStore loadKeyStore = loadKeyStore();
        try {
            Key key = loadKeyStore.getKey(this.nodeAlias, getKeyStorePassword().toCharArray());
            X509Certificate nodeCertificate = getNodeCertificate(loadKeyStore);
            if (nodeCertificate == null) {
                throw new CertificateException("The node does not have a private key, start the association process over.");
            }
            saveNodeCertificateChain(loadKeyStore, key, getKeyStorePassword(), nodeCertificate, this.certificateService.parsePKCS7CertificateChainString(str));
            saveKeyStore(loadKeyStore);
        } catch (KeyStoreException e) {
            throw new CertificateException("Error opening node private key", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertificateException("Error opening node private key", e2);
        } catch (UnrecoverableKeyException e3) {
            throw new CertificateException("Error opening node private key", e3);
        }
    }

    private void saveNodeCertificateChain(KeyStore keyStore, Key key, String str, X509Certificate x509Certificate, X509Certificate[] x509CertificateArr) {
        if (str == null) {
            str = "";
        }
        X509Certificate cACertificate = getCACertificate(keyStore);
        if (x509CertificateArr.length < 1) {
            throw new CertificateException("No certificates avaialble");
        }
        if (x509CertificateArr.length > 1) {
            try {
                int length = x509CertificateArr.length - 1;
                if (cACertificate == null) {
                    this.log.info("Installing trusted CA certificate {}", x509CertificateArr[length].getSubjectDN());
                    keyStore.setCertificateEntry(this.caAlias, x509CertificateArr[length]);
                    X509Certificate x509Certificate2 = x509CertificateArr[length];
                } else {
                    if (!x509CertificateArr[length].getSubjectDN().equals(cACertificate.getSubjectDN())) {
                        throw new CertificateException("Chain CA " + x509CertificateArr[length].getSubjectDN().getName() + " does not match expected " + cACertificate.getSubjectDN().getName());
                    }
                    if (!x509CertificateArr[length].getIssuerDN().equals(cACertificate.getIssuerDN())) {
                        throw new CertificateException("Chain CA " + x509CertificateArr[length].getIssuerDN().getName() + " does not match expected " + cACertificate.getIssuerDN().getName());
                    }
                }
                int i = length - 1;
                int i2 = 1;
                while (i > 0) {
                    String str2 = this.caAlias + "sub" + i2;
                    this.log.info("Installing trusted intermediate certificate {}", x509CertificateArr[i].getSubjectDN());
                    keyStore.setCertificateEntry(str2, x509CertificateArr[i]);
                    i--;
                    i2++;
                }
            } catch (KeyStoreException e) {
                throw new CertificateException("Error storing CA chain", e);
            }
        } else {
            if (cACertificate == null) {
                throw new CertificateException("No CA certificate available");
            }
            x509CertificateArr = new X509Certificate[]{x509CertificateArr[0], cACertificate};
        }
        if (!x509CertificateArr[0].getIssuerDN().equals(x509CertificateArr[1].getSubjectDN())) {
            throw new CertificateException("Issuer " + x509CertificateArr[0].getIssuerDN().getName() + " does not match expected " + x509CertificateArr[1].getSubjectDN().getName());
        }
        if (!x509CertificateArr[0].getSubjectDN().equals(x509Certificate.getSubjectDN())) {
            throw new CertificateException("Subject " + x509CertificateArr[0].getIssuerDN().getName() + " does not match expected " + x509Certificate.getSubjectDN().getName());
        }
        this.log.info("Installing node certificate {} reply {} issued by {}", new Object[]{x509CertificateArr[0].getSerialNumber(), x509CertificateArr[0].getSubjectDN().getName(), x509CertificateArr[0].getIssuerDN().getName()});
        try {
            keyStore.setKeyEntry(this.nodeAlias, key, str.toCharArray(), x509CertificateArr);
        } catch (KeyStoreException e2) {
            throw new CertificateException("Error opening node certificate", e2);
        }
    }

    private synchronized void saveKeyStore(KeyStore keyStore) {
        saveKeyStore(keyStore, getKeyStorePassword());
    }

    private synchronized void saveKeyStore(KeyStore keyStore, String str) {
        if (keyStore == null) {
            return;
        }
        File file = new File(getKeyStorePath());
        File parentFile = file.getParentFile();
        if (!parentFile.isDirectory() && !parentFile.mkdirs()) {
            throw new RuntimeException("Unable to create KeyStore directory: " + file.getParent());
        }
        try {
            saveKeyStore(keyStore, str, new BufferedOutputStream(new FileOutputStream(file)));
            resetSocketFactory();
        } catch (IOException e) {
            throw new CertificateException("Error saving certificate key store to " + file.getPath(), e);
        }
    }

    public void setNodeAlias(String str) {
        this.nodeAlias = str;
    }

    public void setCaAlias(String str) {
        this.caAlias = str;
    }

    public void setKeySize(int i) {
        this.keySize = i;
    }

    public void setMessageSource(MessageSource messageSource) {
        this.messageSource = messageSource;
    }

    static {
        $assertionsDisabled = !DefaultKeystoreService.class.desiredAssertionStatus();
    }
}
