package org.apache.geronimo.security.ca;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.geronimo.crypto.CaUtils;
import org.apache.geronimo.crypto.asn1.ASN1InputStream;
import org.apache.geronimo.crypto.asn1.DERBitString;
import org.apache.geronimo.crypto.asn1.DEREncodableVector;
import org.apache.geronimo.crypto.asn1.DERInteger;
import org.apache.geronimo.crypto.asn1.DERSequence;
import org.apache.geronimo.crypto.asn1.pkcs.PKCSObjectIdentifiers;
import org.apache.geronimo.crypto.asn1.x509.AlgorithmIdentifier;
import org.apache.geronimo.crypto.asn1.x509.SubjectPublicKeyInfo;
import org.apache.geronimo.crypto.asn1.x509.TBSCertificateStructure;
import org.apache.geronimo.crypto.asn1.x509.Time;
import org.apache.geronimo.crypto.asn1.x509.V3TBSCertificateGenerator;
import org.apache.geronimo.crypto.asn1.x509.X509Name;
import org.apache.geronimo.gbean.AbstractName;
import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.gbean.GBeanLifecycle;
import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
import org.apache.geronimo.kernel.Kernel;
import org.apache.geronimo.management.geronimo.CertificateRequestStore;
import org.apache.geronimo.management.geronimo.CertificateStore;
import org.apache.geronimo.management.geronimo.CertificateStoreException;
import org.apache.geronimo.management.geronimo.CertificationAuthority;
import org.apache.geronimo.management.geronimo.CertificationAuthorityException;
import org.apache.geronimo.management.geronimo.KeystoreException;
import org.apache.geronimo.management.geronimo.KeystoreInstance;
import org.apache.geronimo.system.serverinfo.ServerInfo;

/* loaded from: input_file:WEB-INF/lib/geronimo-security-2.1.4.jar:org/apache/geronimo/security/ca/GeronimoCertificationAuthority.class */
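/**
 * Certification-authority GBean backed by a {@link KeystoreInstance} that holds the CA key pair.
 *
 * <p>The CA starts locked. {@link #unlock(char[])} opens the keystore, takes the first private-key
 * alias the keystore lists as the CA key and caches the CA certificate, subject name and keys in
 * memory; {@link #lock()} locks the keystore and drops that cached state. Every issuing and lookup
 * method first checks {@link #isLocked()} and fails with a {@link CertificationAuthorityException}
 * while locked. Issued certificates are persisted through the configured {@link CertificateStore},
 * which is also the source of serial numbers.
 *
 * <p>No method is synchronized; concurrent {@code lock}/{@code unlock} calls are not protected.
 */
public class GeronimoCertificationAuthority implements CertificationAuthority, GBeanLifecycle {
    private static final Log log = LogFactory.getLog(GeronimoCertificationAuthority.class);

    // Injected collaborators. serverInfo, kernel, abstractName and certReqStore are retained for the
    // GBean wiring but are not read by any method of this class.
    private final ServerInfo serverInfo;
    private final Kernel kernel;
    private final AbstractName abstractName;
    private final KeystoreInstance caKeystore;
    private final CertificateStore certStore;
    private final CertificateRequestStore certReqStore;

    // Cached unlocked state; all null while the CA is locked. A non-null password is the lock flag,
    // so it must only be assigned once the rest of the cache has been populated.
    private char[] password;
    private String alias;
    private PrivateKey caPrivateKey;
    private PublicKey caPublicKey;
    private Certificate caCert;
    private X509Name caName;

    public static final GBeanInfo GBEAN_INFO;

    /**
     * Creates the CA GBean.
     *
     * @param serverInfo server info reference (retained, not used by this class)
     * @param keystoreInstance keystore holding the CA private key and certificate; must not be null
     * @param certificateStore store for issued certificates and serial numbers; must not be null
     * @param certificateRequestStore request store (retained, not used by this class); must not be null
     * @param kernel the kernel (retained, not used by this class)
     * @param abstractName this GBean's name (retained, not used by this class)
     * @throws IllegalArgumentException if the keystore or either store is null
     */
    public GeronimoCertificationAuthority(ServerInfo serverInfo, KeystoreInstance keystoreInstance, CertificateStore certificateStore, CertificateRequestStore certificateRequestStore, Kernel kernel, AbstractName abstractName) {
        if (keystoreInstance == null) {
            throw new IllegalArgumentException("caKeystore is null.");
        }
        if (certificateStore == null) {
            throw new IllegalArgumentException("certStore is null");
        }
        if (certificateRequestStore == null) {
            throw new IllegalArgumentException("certReqStore is null");
        }
        this.serverInfo = serverInfo;
        this.kernel = kernel;
        this.abstractName = abstractName;
        this.caKeystore = keystoreInstance;
        this.certStore = certificateStore;
        this.certReqStore = certificateRequestStore;
    }

    /**
     * Reports whether the CA is locked. The CA counts as locked until {@link #unlock(char[])} has
     * completed successfully; the retained password is the only unlocked indicator.
     *
     * @return {@code true} while no password is retained
     */
    @Override
    public boolean isLocked() {
        return this.password == null;
    }

    /**
     * Locks the CA: asks the keystore to lock itself with the retained password, then discards all
     * cached CA state. A keystore failure is logged and the in-memory state is cleared regardless,
     * so the CA reports locked afterwards either way.
     */
    @Override
    public void lock() {
        try {
            this.caKeystore.lockKeystore(this.password);
        } catch (KeystoreException e) {
            log.error("Error locking CA.", e);
        }
        clearCaState();
    }

    /**
     * Drops every cached unlocked-state field, including the password reference, so that
     * {@link #isLocked()} reports locked and no key material stays referenced from this object.
     */
    private void clearCaState() {
        this.password = null;
        this.alias = null;
        this.caName = null;
        this.caCert = null;
        this.caPrivateKey = null;
        this.caPublicKey = null;
    }

    /**
     * Unlocks the CA with the keystore/private-key password and loads the CA key material.
     *
     * <p>The first alias returned by {@code listPrivateKeys} is taken as the CA key. The cached
     * state, and finally the password that marks the CA as unlocked, are only assigned after every
     * keystore read has succeeded; on any failure the cache is cleared so a half-loaded CA never
     * reports itself unlocked. The caller's array is retained by reference, not copied, because
     * {@link #lock()} hands the same array back to the keystore.
     *
     * @param cArr the keystore password, also used as the private-key password
     * @throws CertificationAuthorityException if the keystore lists no private key or any keystore
     *         operation fails
     */
    @Override
    public void unlock(char[] cArr) throws CertificationAuthorityException {
        try {
            this.caKeystore.unlockKeystore(cArr);
            String[] keyAliases = this.caKeystore.listPrivateKeys(cArr);
            if (keyAliases == null || keyAliases.length == 0) {
                throw new CertificationAuthorityException("CA keystore contains no private key.");
            }
            String keyAlias = keyAliases[0];
            this.caKeystore.unlockPrivateKey(keyAlias, cArr, cArr);
            Certificate cert = this.caKeystore.getCertificate(keyAlias, cArr);
            X509Name subject = CaUtils.getSubjectX509Name(cert);
            PrivateKey privateKey = this.caKeystore.getPrivateKey(keyAlias, cArr, cArr);
            // Everything loaded: publish the cache, password last so isLocked() flips only now.
            this.alias = keyAlias;
            this.caCert = cert;
            this.caName = subject;
            this.caPrivateKey = privateKey;
            this.caPublicKey = cert.getPublicKey();
            this.password = cArr;
        } catch (CertificationAuthorityException e) {
            clearCaState();
            throw e;
        } catch (Exception e) {
            // The keystore itself may have been left unlocked by a partial failure; only this
            // object's view is reset here.
            clearCaState();
            throw new CertificationAuthorityException("Errors in unlocking CA.", e);
        }
    }

    /**
     * Returns the CA's distinguished name as an {@link X500Principal}, built from the DER encoding
     * of the cached subject name.
     *
     * @throws CertificationAuthorityException if the CA is locked or the name cannot be encoded
     */
    @Override
    public X500Principal getName() throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            return new X500Principal(this.caName.getEncoded());
        } catch (IOException e) {
            throw new CertificationAuthorityException("Error in getting CA name.", e);
        }
    }

    /**
     * Returns the CA's own certificate, re-read from the keystore so that a certificate imported by
     * {@link #issueOwnCertificate} is reflected; the cached copy is refreshed as a side effect.
     *
     * @return the CA certificate, or {@code null} if the keystore read fails (the failure is logged)
     * @throws CertificationAuthorityException if no CA certificate is cached, i.e. the CA is locked
     */
    @Override
    public Certificate getCertificate() throws CertificationAuthorityException {
        if (this.caCert == null) {
            throw new CertificationAuthorityException("CA Certificate is null. CA may be locked.");
        }
        try {
            Certificate certificate = this.caKeystore.getCertificate(this.alias, this.password);
            this.caCert = certificate;
            return certificate;
        } catch (KeystoreException e) {
            // Best-effort read kept from the original contract: callers receive null rather than
            // an exception when the keystore cannot be read.
            log.error("Error getting CA's certificate.", e);
            return null;
        }
    }

    /**
     * Issues a new self-signed certificate for the CA's own public key, imports it into the
     * keystore under the CA alias and caches it as the current CA certificate.
     *
     * @param bigInteger serial number of the new certificate
     * @param date start of the validity period
     * @param date2 end of the validity period
     * @param str signature algorithm name (see {@link #signatureAlgorithmIdentifier(String)})
     * @throws CertificationAuthorityException if the CA is locked or issuing/importing fails
     */
    @Override
    public void issueOwnCertificate(BigInteger bigInteger, Date date, Date date2, String str) throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            Certificate selfSigned = issueCertificate(getName(), this.caCert.getPublicKey(), bigInteger, date, date2, str);
            this.caKeystore.importPKCS7Certificate(this.alias, CaUtils.base64Certificate(selfSigned), this.password);
            this.caCert = selfSigned;
        } catch (Exception e) {
            throw new CertificationAuthorityException("Error in issuing own certificate.", e);
        }
    }

    /**
     * Issues a certificate for the given subject and public key, signed by the CA key, verifies the
     * signature against the CA public key and persists the result in the certificate store.
     *
     * @param x500Principal subject of the new certificate
     * @param publicKey subject public key to certify
     * @param bigInteger serial number
     * @param date start of the validity period
     * @param date2 end of the validity period
     * @param str signature algorithm name (see {@link #signatureAlgorithmIdentifier(String)})
     * @return the issued certificate
     * @throws CertificationAuthorityException if the CA is locked or any step fails; the cause is
     *         wrapped, including signature-verification failures
     */
    @Override
    public Certificate issueCertificate(X500Principal x500Principal, PublicKey publicKey, BigInteger bigInteger, Date date, Date date2, String str) throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            Certificate issued = issueCertificate(CaUtils.getX509Name(x500Principal), this.caName, bigInteger, publicKey, this.caPrivateKey, date, date2, str);
            // Self-check: the freshly signed certificate must validate with the CA's own public key
            // before it is persisted.
            issued.verify(this.caPublicKey);
            this.certStore.storeCertificate(issued);
            return issued;
        } catch (Exception e) {
            throw new CertificationAuthorityException("Error in issuing certificate.", e);
        }
    }

    /**
     * Returns the highest serial number recorded by the certificate store.
     *
     * @throws CertificationAuthorityException if the CA is locked or the store fails
     */
    @Override
    public BigInteger getHighestSerialNumber() throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            return this.certStore.getHighestSerialNumber();
        } catch (CertificateStoreException e) {
            throw new CertificationAuthorityException("Error in getting highest serial number for CA.", e);
        }
    }

    /**
     * Reports whether the certificate store holds a certificate with the given serial number.
     *
     * @throws CertificationAuthorityException if the CA is locked
     */
    @Override
    public boolean isCertificateIssued(BigInteger bigInteger) throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        return this.certStore.containsCertificate(bigInteger);
    }

    /**
     * Returns the next serial number to use, as allocated by the certificate store.
     *
     * @throws CertificationAuthorityException if the CA is locked or the store fails
     */
    @Override
    public BigInteger getNextSerialNumber() throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            return this.certStore.getNextSerialNumber();
        } catch (CertificateStoreException e) {
            throw new CertificationAuthorityException("Error in getting next serial number for CA.", e);
        }
    }

    /**
     * Looks up an issued certificate by serial number.
     *
     * @throws CertificationAuthorityException if the CA is locked or the store fails
     */
    @Override
    public Certificate getCertificate(BigInteger bigInteger) throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            return this.certStore.getCertificate(bigInteger);
        } catch (CertificateStoreException e) {
            throw new CertificationAuthorityException("Error getting certificate. serial number = " + bigInteger, e);
        }
    }

    /**
     * Looks up an issued certificate by serial number and returns it in the store's Base64 text form.
     *
     * @throws CertificationAuthorityException if the CA is locked or the store fails
     */
    @Override
    public String getCertificateBase64Text(BigInteger bigInteger) throws CertificationAuthorityException {
        if (isLocked()) {
            throw new CertificationAuthorityException("CA is locked.");
        }
        try {
            return this.certStore.getCertificateBase64Text(bigInteger);
        } catch (CertificateStoreException e) {
            throw new CertificationAuthorityException("Error getting certificate. serial number = " + bigInteger, e);
        }
    }

    /**
     * Maps a JCA signature algorithm name to the PKCS#1 algorithm identifier that is embedded in
     * the certificate.
     *
     * <p>MD2withRSA and MD5withRSA are accepted only for compatibility with existing callers; both
     * digests are broken and SHA1withRSA is the strongest option this mapping accepts. Extending the
     * mapping (and {@code Signature.getInstance} accepting the name) is a prerequisite for stronger
     * digests.
     *
     * @param str algorithm name, compared case-insensitively
     * @throws CertificationAuthorityException for any other name, including {@code null}
     */
    private static AlgorithmIdentifier signatureAlgorithmIdentifier(String str) throws CertificationAuthorityException {
        if ("MD2withRSA".equalsIgnoreCase(str)) {
            return new AlgorithmIdentifier(PKCSObjectIdentifiers.md2WithRSAEncryption);
        }
        if ("MD5withRSA".equalsIgnoreCase(str)) {
            return new AlgorithmIdentifier(PKCSObjectIdentifiers.md5WithRSAEncryption);
        }
        if ("SHA1withRSA".equalsIgnoreCase(str)) {
            return new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption);
        }
        throw new CertificationAuthorityException("Signature algorithm " + str + " is not supported.");
    }

    /**
     * Builds and signs an X.509 v3 certificate: the to-be-signed structure is generated from the
     * arguments, signed with {@code privateKey} using the JCA algorithm {@code str}, and the
     * resulting {@code Certificate ::= SEQUENCE { tbs, algorithm, signature }} is parsed back
     * through an X.509 {@link CertificateFactory}.
     *
     * @param x509Name subject name
     * @param x509Name2 issuer name
     * @param bigInteger serial number
     * @param publicKey subject public key; its encoding must parse as a SubjectPublicKeyInfo
     * @param privateKey signing key
     * @param date start of the validity period
     * @param date2 end of the validity period; must not precede {@code date}
     * @param str signature algorithm name (see {@link #signatureAlgorithmIdentifier(String)})
     * @return the parsed, signed certificate
     * @throws CertificationAuthorityException if the algorithm is unsupported or {@code date2}
     *         precedes {@code date}
     * @throws Exception on ASN.1 encoding, signing or certificate-parsing failures
     */
    private Certificate issueCertificate(X509Name x509Name, X509Name x509Name2, BigInteger bigInteger, PublicKey publicKey, PrivateKey privateKey, Date date, Date date2, String str) throws Exception {
        AlgorithmIdentifier algorithmIdentifier = signatureAlgorithmIdentifier(str);
        if (date2.before(date)) {
            // A certificate whose notAfter precedes notBefore is never valid; refuse to sign it.
            throw new CertificationAuthorityException("Certificate validity end " + date2 + " precedes start " + date + ".");
        }
        SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(new ASN1InputStream(publicKey.getEncoded()).readObject());
        V3TBSCertificateGenerator tbsGenerator = new V3TBSCertificateGenerator();
        tbsGenerator.setSubject(x509Name);
        tbsGenerator.setSubjectPublicKeyInfo(subjectPublicKeyInfo);
        tbsGenerator.setIssuer(x509Name2);
        tbsGenerator.setSerialNumber(new DERInteger(bigInteger));
        tbsGenerator.setStartDate(new Time(date));
        tbsGenerator.setEndDate(new Time(date2));
        // The algorithm identifier appears inside the signed TBS structure and again in the outer
        // sequence below; X.509 requires the two to match.
        tbsGenerator.setSignature(algorithmIdentifier);
        TBSCertificateStructure tbsCertificate = tbsGenerator.generateTBSCertificate();
        byte[] tbsEncoded = tbsCertificate.getEncoded();
        Signature signature = Signature.getInstance(str);
        signature.initSign(privateKey);
        signature.update(tbsEncoded);
        byte[] signatureBytes = signature.sign();
        DEREncodableVector certificateSequence = new DEREncodableVector();
        certificateSequence.add(tbsCertificate);
        certificateSequence.add(algorithmIdentifier);
        certificateSequence.add(new DERBitString(signatureBytes));
        return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(new DERSequence(certificateSequence).getEncoded()));
    }

    /** GBean failure hook; nothing to release. */
    @Override
    public void doFail() {
    }

    /**
     * GBean start hook: if the keystore is already locked, bring this object's state in line with
     * it by locking. At this point no password has been retained, so {@link #lock()} passes
     * {@code null} to the keystore — presumably tolerated when it is already locked; confirm against
     * the keystore implementation.
     */
    @Override
    public void doStart() throws Exception {
        if (this.caKeystore.isKeystoreLocked()) {
            lock();
        }
    }

    /** GBean stop hook; nothing to release. */
    @Override
    public void doStop() throws Exception {
    }

    /** @return the static GBean metadata built in the class initializer */
    public static GBeanInfo getGBeanInfo() {
        return GBEAN_INFO;
    }

    static {
        // GBean metadata: two plain attributes, four references, and the constructor argument order
        // matching the public constructor above.
        GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(GeronimoCertificationAuthority.class, NameFactory.CERTIFICATION_AUTHORITY);
        infoBuilder.addAttribute("kernel", Kernel.class, false);
        infoBuilder.addAttribute("abstractName", AbstractName.class, false);
        infoBuilder.addReference("ServerInfo", ServerInfo.class, "GBean");
        infoBuilder.addReference("KeystoreInstance", KeystoreInstance.class, NameFactory.KEYSTORE_INSTANCE);
        infoBuilder.addReference(NameFactory.CERTIFICATE_STORE, CertificateStore.class, NameFactory.CERTIFICATE_STORE);
        infoBuilder.addReference(NameFactory.CERTIFICATE_REQUEST_STORE, CertificateRequestStore.class, NameFactory.CERTIFICATE_REQUEST_STORE);
        infoBuilder.addInterface(CertificationAuthority.class);
        infoBuilder.setConstructor(new String[]{"ServerInfo", "KeystoreInstance", NameFactory.CERTIFICATE_STORE, NameFactory.CERTIFICATE_REQUEST_STORE, "kernel", "abstractName"});
        GBEAN_INFO = infoBuilder.getBeanInfo();
    }
}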
