package org.apache.nifi.toolkit.tls.service.server;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.input.BoundedReader;
import org.apache.nifi.security.util.CertificateUtils;
import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityRequest;
import org.apache.nifi.toolkit.tls.service.dto.TlsCertificateAuthorityResponse;
import org.apache.nifi.toolkit.tls.util.TlsHelper;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityServiceHandler.class */
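/**
 * Jetty handler implementing the certificate-authority side of the TLS toolkit's CSR-signing
 * service.
 *
 * <p>Each request is processed by {@link #handle} as follows:
 * <ol>
 *   <li>The JSON body is read through a {@link BoundedReader} capped at
 *       {@code MAX_REQUEST_CHARS} characters, so a client cannot make the server buffer an
 *       arbitrarily large document.</li>
 *   <li>A request lacking the {@code hmac} or {@code csr} field is rejected with HTTP 400.</li>
 *   <li>The CSR is parsed and an HMAC over its public key, keyed with the shared {@code token},
 *       is compared with the supplied {@code hmac} via the constant-time
 *       {@link MessageDigest#isEqual}. A mismatch is rejected with HTTP 403.</li>
 *   <li>On a match the CSR is signed with the CA key pair and returned PEM-encoded, together with
 *       an HMAC over the CA public key so the client can check the reply comes from a CA holding
 *       the same token.</li>
 * </ol>
 *
 * <p>Any exception raised while processing is logged server-side and reported to the container as
 * a {@link ServletException} carrying only a generic message. The Jetty base request is marked
 * handled on every exit path.
 *
 * <p>All fields are final and assigned once in the constructor; the shared {@link ObjectMapper}
 * is only ever used for reading and writing, never reconfigured.
 */
public class TlsCertificateAuthorityServiceHandler extends AbstractHandler {
    public static final String CSR_FIELD_MUST_BE_SET = "csr field must be set";
    public static final String HMAC_FIELD_MUST_BE_SET = "hmac field must be set";
    public static final String FORBIDDEN = "forbidden";

    /** Upper bound on the characters read from a request body (1 MiB), enforced before parsing. */
    private static final int MAX_REQUEST_CHARS = 1024 * 1024;

    private final Logger logger = LoggerFactory.getLogger(TlsCertificateAuthorityServiceHandler.class);
    /** JCA signature algorithm name used when signing issued certificates. */
    private final String signingAlgorithm;
    /** Validity period, in days, of issued certificates. */
    private final int days;
    /** Shared secret used as the HMAC key for authenticating requests and responses. */
    private final String token;
    /** Issuing CA certificate. */
    private final X509Certificate caCert;
    /** Key pair of the issuing CA; its private key signs issued certificates. */
    private final KeyPair keyPair;
    private final ObjectMapper objectMapper;

    /**
     * Creates a handler bound to one CA identity.
     *
     * @param str             signing algorithm name passed to the certificate generator
     * @param i               validity of issued certificates, in days
     * @param str2            shared token used as the HMAC key
     * @param x509Certificate CA certificate
     * @param keyPair         CA key pair
     * @param objectMapper    mapper used to read requests and write responses
     */
    public TlsCertificateAuthorityServiceHandler(String str, int i, String str2, X509Certificate x509Certificate, KeyPair keyPair, ObjectMapper objectMapper) {
        this.signingAlgorithm = str;
        this.days = i;
        this.token = str2;
        this.caCert = x509Certificate;
        this.keyPair = keyPair;
        this.objectMapper = objectMapper;
    }

    /**
     * Services one CSR-signing request.
     *
     * @param str                 request target; unused
     * @param request             Jetty base request, marked handled on every exit path
     * @param httpServletRequest  servlet request whose body holds the JSON request
     * @param httpServletResponse servlet response that receives the JSON reply
     * @throws IOException      if the response cannot be written
     * @throws ServletException if processing fails for any reason; the cause is logged here rather
     *                          than attached to the exception
     */
    public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        try {
            // Bound the body before Jackson sees it; readValue on an unbounded reader would let a
            // client dictate how much the server buffers.
            TlsCertificateAuthorityRequest caRequest = this.objectMapper.readValue(
                    new BoundedReader(httpServletRequest.getReader(), MAX_REQUEST_CHARS), TlsCertificateAuthorityRequest.class);

            if (!caRequest.hasHmac()) {
                writeResponse(this.objectMapper, httpServletRequest, httpServletResponse, new TlsCertificateAuthorityResponse(HMAC_FIELD_MUST_BE_SET), 400);
                return;
            }
            if (!caRequest.hasCsr()) {
                writeResponse(this.objectMapper, httpServletRequest, httpServletResponse, new TlsCertificateAuthorityResponse(CSR_FIELD_MUST_BE_SET), 400);
                return;
            }

            JcaPKCS10CertificationRequest csr = TlsHelper.parseCsr(caRequest.getCsr());
            byte[] expectedHmac = TlsHelper.calculateHMac(this.token, csr.getPublicKey());
            // Constant-time comparison: response timing must not reveal how many leading bytes of
            // the supplied HMAC were correct.
            if (!MessageDigest.isEqual(expectedHmac, caRequest.getHmac())) {
                writeResponse(this.objectMapper, httpServletRequest, httpServletResponse, new TlsCertificateAuthorityResponse(FORBIDDEN), 403);
                return;
            }

            String dn = csr.getSubject().toString();
            X509Certificate issued = CertificateUtils.generateIssuedCertificate(dn, csr.getPublicKey(), this.caCert, this.keyPair, this.signingAlgorithm, this.days);
            // The reply carries an HMAC over the CA public key so the client can authenticate the CA.
            TlsCertificateAuthorityResponse ok = new TlsCertificateAuthorityResponse(
                    TlsHelper.calculateHMac(this.token, this.caCert.getPublicKey()), TlsHelper.pemEncodeJcaObject(issued));
            writeResponse(this.objectMapper, httpServletRequest, httpServletResponse, ok, 200);
        } catch (Exception e) {
            // Previously the cause was dropped entirely, leaving a failing parse or signing step
            // undiagnosable. Log it with the stack trace server-side; the thrown exception stays
            // cause-free so a container error page cannot echo parser or crypto details to the client.
            this.logger.error("Failed to process certificate signing request from {}", httpServletRequest.getRemoteHost(), e);
            throw new ServletException("Server error");
        } finally {
            request.setHandled(true);
        }
    }

    /**
     * Serialises {@code tlsCertificateAuthorityResponse} as JSON with the given status code.
     *
     * <p>Status, content type and charset are set before {@link HttpServletResponse#getWriter()}
     * is obtained, because a character encoding set after the writer exists has no effect. The
     * earlier version only did this on the non-200 path, leaving successful replies without a
     * content type.
     *
     * @param objectMapper                   mapper used to serialise the payload
     * @param httpServletRequest             request, used only to log the remote host
     * @param httpServletResponse            response to populate
     * @param tlsCertificateAuthorityResponse payload to send
     * @param statusCode                     HTTP status to set
     * @throws IOException if serialising or writing the payload fails
     */
    private void writeResponse(ObjectMapper objectMapper, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, TlsCertificateAuthorityResponse tlsCertificateAuthorityResponse, int statusCode) throws IOException {
        if (this.logger.isInfoEnabled()) {
            // Guarded because serialising the payload solely for the log line is not free.
            // NOTE(review): the logged payload includes the issued certificate and the token-keyed
            // HMAC of the CA key; confirm that INFO logs are handled as sensitive.
            this.logger.info("Returning code:{} payload {} to {}", statusCode, objectMapper.writeValueAsString(tlsCertificateAuthorityResponse), httpServletRequest.getRemoteHost());
        }
        httpServletResponse.setStatus(statusCode);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
        objectMapper.writeValue(httpServletResponse.getWriter(), tlsCertificateAuthorityResponse);
    }
}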
