package org.eclipse.kura.core.keystore;

import java.io.File;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.eclipse.kura.KuraErrorCode;
import org.eclipse.kura.KuraException;
import org.eclipse.kura.configuration.ConfigurableComponent;
import org.eclipse.kura.core.keystore.crl.CRLManager;
import org.eclipse.kura.core.keystore.crl.CRLManagerOptions;
import org.eclipse.kura.core.keystore.crl.StoredCRL;
import org.eclipse.kura.security.keystore.KeystoreChangedEvent;
import org.eclipse.kura.security.keystore.KeystoreService;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.event.EventAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/kura/core/keystore/BaseKeystoreService.class */
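/**
 * Shared implementation of a {@link KeystoreService} backed by a {@link KeystoreInstance}
 * that subclasses load and persist ({@link #loadKeystore()}, {@link #saveKeystore(KeystoreInstance)}).
 * <p>
 * Besides entry access it owns an optional {@link CRLManager}: when CRL management is enabled
 * in the component configuration, trusted certificates stored in the keystore are handed to the
 * manager and CRL distribution points from the configuration are registered with it.
 * <p>
 * Every mutating operation persists the keystore and then either delegates the change
 * notification to the CRL manager (whose listener calls {@link #postChangedEvent()}) or posts a
 * {@link KeystoreChangedEvent} directly.
 */
public abstract class BaseKeystoreService implements KeystoreService, ConfigurableComponent {

    private static final Logger logger = LoggerFactory.getLogger(BaseKeystoreService.class);
    protected static final String NULL_INPUT_PARAMS_MESSAGE = "Input parameters cannot be null!";
    protected static final String KURA_SERVICE_PID = "kura.service.pid";
    protected static final String PEM_CERTIFICATE_REQUEST_TYPE = "CERTIFICATE REQUEST";
    /** Validity, in calendar years, of the self-signed certificate wrapped around a generated key pair. */
    private static final int SELF_SIGNED_VALIDITY_YEARS = 1;
    /** Provider name used for key pair generation; the provider must already be registered with the JCA. */
    private static final String BC_PROVIDER_NAME = "BC";
    // One provider instance for the whole class: constructing BouncyCastleProvider is expensive and
    // Security.addProvider() is a no-op when a provider with the same name is already installed.
    private static final BouncyCastleProvider BOUNCY_CASTLE_PROVIDER = new BouncyCastleProvider();

    protected EventAdmin eventAdmin;
    protected Optional<CRLManager> crlManager = Optional.empty();
    protected String ownPid;
    protected ComponentContext componentContext;
    // options the current CRL manager was built from; used by updated() to skip no-op reconfigurations
    private CRLManagerOptions crlManagerOptions;

    /**
     * Injects the OSGi event admin used to post {@link KeystoreChangedEvent}s.
     *
     * @param eventAdmin the event admin service
     */
    public void setEventAdmin(EventAdmin eventAdmin) {
        this.eventAdmin = eventAdmin;
    }

    /**
     * Loads the keystore together with its password.
     *
     * @return the loaded keystore instance
     * @throws KuraException if the keystore cannot be loaded
     */
    protected abstract KeystoreInstance loadKeystore() throws KuraException;

    /**
     * Persists the given keystore instance.
     *
     * @param keystoreInstance the keystore to save
     * @throws IOException              on I/O failure
     * @throws KeyStoreException        if the keystore is not initialized
     * @throws NoSuchAlgorithmException if the integrity algorithm is unavailable
     * @throws CertificateException     if a certificate cannot be stored
     */
    protected abstract void saveKeystore(KeystoreInstance keystoreInstance) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException;

    /**
     * Returns the path of the file used to persist CRLs when the configuration does not provide one.
     *
     * @return the CRL store path
     */
    protected abstract String getCrlStorePath();

    /**
     * Loads the keystore and returns the underlying {@link KeyStore}.
     *
     * @return the keystore
     * @throws KuraException if the keystore cannot be loaded
     */
    public KeyStore getKeyStore() throws KuraException {
        return loadKeystore().getKeystore();
    }

    /**
     * Activates the component: records the service PID and starts the CRL manager according to the
     * configuration.
     *
     * @param componentContext the OSGi component context
     * @param map              the component properties
     */
    public void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.componentContext = componentContext;
        this.ownPid = (String) map.get(KURA_SERVICE_PID);
        this.crlManagerOptions = new CRLManagerOptions(map);
        updateCRLManager(this.crlManagerOptions);
    }

    /**
     * Applies an updated configuration. The CRL manager is rebuilt only when the CRL options differ
     * from the ones currently in use.
     *
     * @param map the updated component properties
     */
    public void updated(Map<String, Object> map) {
        logger.info("Bundle {} is updating!", map.get(KURA_SERVICE_PID));
        CRLManagerOptions newOptions = new CRLManagerOptions(map);
        // equals() on the new instance is null-safe should updated() ever run before activate()
        if (newOptions.equals(this.crlManagerOptions)) {
            return;
        }
        this.crlManagerOptions = newOptions;
        updateCRLManager(newOptions);
    }

    /**
     * Deactivates the component, stopping the CRL manager if any.
     */
    public void deactivate() {
        shutdownCRLManager();
    }

    /**
     * Returns the entry stored under the given alias. Private-key and secret-key entries are unlocked
     * with the keystore password, so the returned entry exposes key material to the caller.
     *
     * @param alias the entry alias
     * @return the entry, or {@code null} if no entry has that alias
     * @throws IllegalArgumentException if {@code alias} is null
     * @throws KuraException            if the entry cannot be read
     */
    public KeyStore.Entry getEntry(String alias) throws KuraException {
        if (Objects.isNull(alias)) {
            throw new IllegalArgumentException("Key Pair alias cannot be null!");
        }
        KeystoreInstance keystoreInstance = loadKeystore();
        try {
            return readEntry(keystoreInstance, alias);
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the entry " + alias});
        }
    }

    /**
     * Reads one entry from an already loaded keystore, supplying the keystore password only for
     * entry types that require it.
     *
     * @param keystoreInstance the loaded keystore
     * @param alias            the entry alias
     * @return the entry, or {@code null} if absent
     * @throws GeneralSecurityException if the keystore rejects the lookup
     */
    private static KeyStore.Entry readEntry(KeystoreInstance keystoreInstance, String alias) throws GeneralSecurityException {
        KeyStore keyStore = keystoreInstance.getKeystore();
        boolean passwordProtected = keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)
                || keyStore.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class);
        KeyStore.ProtectionParameter protection = passwordProtected
                ? new KeyStore.PasswordProtection(keystoreInstance.getPassword())
                : null;
        return keyStore.getEntry(alias, protection);
    }

    /**
     * Stores (or replaces) an entry and persists the keystore. Trusted certificate entries are
     * stored unprotected; every other entry type is protected with the keystore password.
     *
     * @param alias the entry alias
     * @param entry the entry to store
     * @throws IllegalArgumentException if {@code alias} is null or blank or {@code entry} is null
     * @throws KuraException            if the entry cannot be stored
     */
    public void setEntry(String alias, KeyStore.Entry entry) throws KuraException {
        if (isNullOrBlank(alias) || Objects.isNull(entry)) {
            throw new IllegalArgumentException("Input cannot be null or empty!");
        }
        KeystoreInstance keystoreInstance = loadKeystore();
        try {
            KeyStore.ProtectionParameter protection = entry instanceof KeyStore.TrustedCertificateEntry
                    ? null
                    : new KeyStore.PasswordProtection(keystoreInstance.getPassword());
            keystoreInstance.getKeystore().setEntry(alias, entry, protection);
            saveKeystore(keystoreInstance);
            // when the CRL manager takes the certificate, its listener posts the change event
            if (!tryAddToCrlManagement(entry)) {
                postChangedEvent();
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to set the entry " + alias});
        }
    }

    /**
     * Returns all entries keyed by alias. The keystore is loaded once for the whole listing.
     *
     * @return a mutable map of alias to entry (empty if the keystore has no aliases)
     * @throws KuraException if the keystore or one of its entries cannot be read
     */
    public Map<String, KeyStore.Entry> getEntries() throws KuraException {
        KeystoreInstance keystoreInstance = loadKeystore();
        Map<String, KeyStore.Entry> entries = new HashMap<>();
        try {
            for (String alias : Collections.list(keystoreInstance.getKeystore().aliases())) {
                entries.put(alias, readEntry(keystoreInstance, alias));
            }
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the entries"});
        }
        return entries;
    }

    /**
     * Deletes the entry with the given alias, if present, and persists the keystore.
     *
     * @param alias the entry alias
     * @throws IllegalArgumentException if {@code alias} is null
     * @throws KuraException            if the entry cannot be deleted
     */
    public void deleteEntry(String alias) throws KuraException {
        if (Objects.isNull(alias)) {
            throw new IllegalArgumentException("Alias cannot be null!");
        }
        KeyStore.Entry existing = getEntry(alias);
        if (existing == null) {
            return;
        }
        KeystoreInstance keystoreInstance = loadKeystore();
        try {
            keystoreInstance.getKeystore().deleteEntry(alias);
            saveKeystore(keystoreInstance);
            // when the CRL manager drops the certificate, its listener posts the change event
            if (!tryRemoveFromCrlManagement(existing)) {
                postChangedEvent();
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to delete entry " + alias});
        }
    }

    /**
     * Builds the key managers for the given algorithm, initialized with this keystore and its
     * password; the returned managers can therefore use every private key in the store.
     *
     * @param algorithm the {@link KeyManagerFactory} algorithm name
     * @return the key managers (a fixed-size list)
     * @throws IllegalArgumentException if {@code algorithm} is null
     * @throws KuraException            if the factory cannot be created or initialized
     */
    public List<KeyManager> getKeyManagers(String algorithm) throws KuraException {
        if (Objects.isNull(algorithm)) {
            throw new IllegalArgumentException("Algorithm cannot be null!");
        }
        KeystoreInstance keystoreInstance = loadKeystore();
        try {
            KeyManagerFactory factory = KeyManagerFactory.getInstance(algorithm);
            factory.init(keystoreInstance.getKeystore(), keystoreInstance.getPassword());
            return Arrays.asList(factory.getKeyManagers());
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get the key managers for algorithm " + algorithm});
        }
    }

    /**
     * Generates a key pair of the given size with a fresh {@link SecureRandom} and stores it under
     * {@code alias} with a self-signed certificate.
     *
     * @param alias              the alias to store the key pair under
     * @param algorithm          the key pair algorithm (e.g. RSA)
     * @param keySize            the key size in bits
     * @param signatureAlgorithm the algorithm used to sign the self-signed certificate
     * @param subjectDn          the subject distinguished name of the certificate
     * @throws KuraException if generation or storage fails
     */
    public void createKeyPair(String alias, String algorithm, int keySize, String signatureAlgorithm, String subjectDn) throws KuraException {
        createKeyPair(alias, algorithm, keySize, signatureAlgorithm, subjectDn, new SecureRandom());
    }

    /**
     * Generates a key pair of the given size and stores it under {@code alias} with a self-signed
     * certificate.
     *
     * @param alias              the alias to store the key pair under
     * @param algorithm          the key pair algorithm (e.g. RSA)
     * @param keySize            the key size in bits
     * @param signatureAlgorithm the algorithm used to sign the self-signed certificate
     * @param subjectDn          the subject distinguished name of the certificate
     * @param secureRandom       the randomness source for key generation
     * @throws IllegalArgumentException if a parameter is null or a string parameter is blank
     * @throws KuraException            if generation or storage fails
     */
    public void createKeyPair(String alias, String algorithm, int keySize, String signatureAlgorithm, String subjectDn, SecureRandom secureRandom) throws KuraException {
        if (isNullOrBlank(algorithm) || Objects.isNull(secureRandom) || Objects.isNull(alias)
                || isNullOrBlank(subjectDn) || isNullOrBlank(signatureAlgorithm)) {
            throw new IllegalArgumentException("Parameters cannot be null or empty!");
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, BC_PROVIDER_NAME);
            generator.initialize(keySize, secureRandom);
            storeKeyPair(alias, generator.generateKeyPair(), signatureAlgorithm, subjectDn);
        } catch (GeneralSecurityException | OperatorCreationException e) {
            // keep the cause: the original error (unknown algorithm, bad key size, ...) is what the caller needs
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to create key pair " + alias});
        }
    }

    /**
     * Generates a key pair from an algorithm parameter specification and stores it under
     * {@code alias} with a self-signed certificate.
     *
     * @param alias                  the alias to store the key pair under
     * @param algorithm              the key pair algorithm (e.g. EC)
     * @param algorithmParameterSpec the generator parameters (e.g. a named curve)
     * @param signatureAlgorithm     the algorithm used to sign the self-signed certificate
     * @param subjectDn              the subject distinguished name of the certificate
     * @param secureRandom           the randomness source for key generation
     * @throws IllegalArgumentException if a parameter is null or a string parameter is blank
     * @throws KuraException            if generation or storage fails
     */
    public void createKeyPair(String alias, String algorithm, AlgorithmParameterSpec algorithmParameterSpec, String signatureAlgorithm, String subjectDn, SecureRandom secureRandom) throws KuraException {
        if (isNullOrBlank(algorithm) || Objects.isNull(secureRandom) || Objects.isNull(alias)
                || isNullOrBlank(subjectDn) || isNullOrBlank(signatureAlgorithm) || Objects.isNull(algorithmParameterSpec)) {
            throw new IllegalArgumentException("Parameters cannot be null or empty!");
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, BC_PROVIDER_NAME);
            generator.initialize(algorithmParameterSpec, secureRandom);
            storeKeyPair(alias, generator.generateKeyPair(), signatureAlgorithm, subjectDn);
        } catch (GeneralSecurityException | OperatorCreationException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to create key pair " + alias});
        }
    }

    /**
     * Generates a key pair from an algorithm parameter specification with a fresh
     * {@link SecureRandom} and stores it under {@code alias} with a self-signed certificate.
     *
     * @param alias                  the alias to store the key pair under
     * @param algorithm              the key pair algorithm (e.g. EC)
     * @param algorithmParameterSpec the generator parameters (e.g. a named curve)
     * @param signatureAlgorithm     the algorithm used to sign the self-signed certificate
     * @param subjectDn              the subject distinguished name of the certificate
     * @throws KuraException if generation or storage fails
     */
    public void createKeyPair(String alias, String algorithm, AlgorithmParameterSpec algorithmParameterSpec, String signatureAlgorithm, String subjectDn) throws KuraException {
        createKeyPair(alias, algorithm, algorithmParameterSpec, signatureAlgorithm, subjectDn, new SecureRandom());
    }

    /**
     * Wraps a freshly generated key pair in a self-signed certificate and stores it as a
     * {@link KeyStore.PrivateKeyEntry}.
     *
     * @param alias              the entry alias
     * @param keyPair            the generated key pair
     * @param signatureAlgorithm the certificate signature algorithm
     * @param subjectDn          the certificate subject
     * @throws KuraException             if storage fails
     * @throws OperatorCreationException if the content signer cannot be built
     * @throws CertificateException      if the certificate cannot be converted
     */
    private void storeKeyPair(String alias, KeyPair keyPair, String signatureAlgorithm, String subjectDn) throws KuraException, OperatorCreationException, CertificateException {
        X509Certificate[] chain = generateCertificateChain(keyPair, signatureAlgorithm, subjectDn);
        setEntry(alias, new KeyStore.PrivateKeyEntry(keyPair.getPrivate(), chain));
    }

    /**
     * Builds a PEM-encoded PKCS#10 certificate signing request for the given key pair.
     *
     * @param keyPair            the key pair; the private key signs the request
     * @param principal          the requested subject
     * @param signatureAlgorithm the signature algorithm for the request
     * @return the CSR as a PEM string
     * @throws IllegalArgumentException if a parameter is null or the algorithm is blank
     * @throws KuraException            {@code BAD_REQUEST} if the signer cannot be created,
     *                                  {@code ENCODE_ERROR} if the request cannot be encoded
     */
    public String getCSR(KeyPair keyPair, X500Principal principal, String signatureAlgorithm) throws KuraException {
        if (Objects.isNull(principal) || Objects.isNull(keyPair) || isNullOrBlank(signatureAlgorithm)) {
            throw new IllegalArgumentException(NULL_INPUT_PARAMS_MESSAGE);
        }
        try (StringWriter stringWriter = new StringWriter();
                JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
            byte[] encodedRequest = getCSRAsPKCS10Builder(keyPair, principal)
                    .build(new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate()))
                    .getEncoded();
            pemWriter.writeObject(new PemObject(PEM_CERTIFICATE_REQUEST_TYPE, encodedRequest));
            pemWriter.flush();
            return stringWriter.toString();
        } catch (OperatorCreationException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get CSR"});
        } catch (IOException e) {
            throw new KuraException(KuraErrorCode.ENCODE_ERROR, e, new Object[]{"Failed to get CSR"});
        }
    }

    /**
     * Builds a PEM-encoded PKCS#10 certificate signing request for the private key entry stored
     * under {@code alias}.
     *
     * @param alias              the alias of a {@link KeyStore.PrivateKeyEntry}
     * @param principal          the requested subject
     * @param signatureAlgorithm the signature algorithm for the request
     * @return the CSR as a PEM string
     * @throws IllegalArgumentException if a parameter is null or a string parameter is blank
     * @throws KuraException            {@code NOT_FOUND} if no entry has that alias,
     *                                  {@code BAD_REQUEST} if the entry is not a private key entry
     */
    public String getCSR(String alias, X500Principal principal, String signatureAlgorithm) throws KuraException {
        if (Objects.isNull(principal) || isNullOrBlank(alias) || isNullOrBlank(signatureAlgorithm)) {
            throw new IllegalArgumentException(NULL_INPUT_PARAMS_MESSAGE);
        }
        KeyStore.Entry entry = getEntry(alias);
        if (entry == null) {
            throw new KuraException(KuraErrorCode.NOT_FOUND);
        }
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST);
        }
        KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
        KeyPair keyPair = new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
        return getCSR(keyPair, principal, signatureAlgorithm);
    }

    /**
     * Creates an (unsigned) PKCS#10 request builder for the given subject and public key.
     *
     * @param keyPair   the key pair whose public key goes into the request
     * @param principal the requested subject
     * @return the request builder
     * @throws IllegalArgumentException if a parameter is null
     */
    protected PKCS10CertificationRequestBuilder getCSRAsPKCS10Builder(KeyPair keyPair, X500Principal principal) {
        if (Objects.isNull(principal) || Objects.isNull(keyPair)) {
            throw new IllegalArgumentException(NULL_INPUT_PARAMS_MESSAGE);
        }
        return new JcaPKCS10CertificationRequestBuilder(principal, keyPair.getPublic());
    }

    /**
     * Lists the aliases of all keystore entries.
     *
     * @return the aliases
     * @throws KuraException if the keystore cannot be read
     */
    public List<String> getAliases() throws KuraException {
        try {
            return Collections.list(getKeyStore().aliases());
        } catch (GeneralSecurityException e) {
            throw new KuraException(KuraErrorCode.BAD_REQUEST, e, new Object[]{"Failed to get aliases"});
        }
    }

    /**
     * Returns a snapshot of the CRLs held by the CRL manager.
     *
     * @return a fresh list of CRLs, empty when CRL management is disabled
     */
    public Collection<CRL> getCRLs() {
        if (!this.crlManager.isPresent()) {
            return Collections.emptyList();
        }
        return new ArrayList<CRL>(this.crlManager.get().getCrls());
    }

    /**
     * Returns the CRL manager's certificate store, or an empty collection store when CRL
     * management is disabled.
     *
     * @return the CRL store
     * @throws KuraException {@code CONFIGURATION_ERROR} if the store cannot be created
     */
    public CertStore getCRLStore() throws KuraException {
        try {
            if (!this.crlManager.isPresent()) {
                return CertStore.getInstance("Collection", new CollectionCertStoreParameters());
            }
            return this.crlManager.get().getCertStore();
        } catch (Exception e) {
            throw new KuraException(KuraErrorCode.CONFIGURATION_ERROR, e, new Object[0]);
        }
    }

    /**
     * Stores a CRL in the CRL manager. A no-op when CRL management is disabled. The CRL is stored
     * with no associated distribution point; whether the store applies the configured CRL verifier
     * to it is not visible here.
     *
     * @param x509crl the CRL to store
     * @throws IllegalArgumentException if {@code x509crl} is null
     * @throws KuraException            if storing fails
     */
    public void addCRL(X509CRL x509crl) throws KuraException {
        if (Objects.isNull(x509crl)) {
            throw new IllegalArgumentException("CRL cannot be null!");
        }
        this.crlManager.ifPresent(manager -> manager.getCRLStore().storeCRL(new StoredCRL(Collections.emptySet(), x509crl)));
    }

    /**
     * Posts a {@link KeystoreChangedEvent} for this service's PID.
     */
    protected void postChangedEvent() {
        this.eventAdmin.postEvent(new KeystoreChangedEvent(this.ownPid));
    }

    /**
     * Builds a one-element chain holding a self-signed certificate for the key pair, valid from now
     * for {@link #SELF_SIGNED_VALIDITY_YEARS}. Issuer and subject are both {@code subjectDn}.
     * <p>
     * The serial number is the current time in milliseconds: it is predictable and two
     * certificates generated in the same millisecond share a serial. That is acceptable for a
     * self-signed placeholder but such a certificate must not be used as an issuing CA certificate.
     *
     * @param keyPair            the key pair to certify; its private key signs the certificate
     * @param signatureAlgorithm the signature algorithm
     * @param subjectDn          the subject (and issuer) distinguished name
     * @return a chain with the single self-signed certificate
     * @throws OperatorCreationException if the content signer cannot be built
     * @throws CertificateException      if the certificate cannot be converted
     */
    protected X509Certificate[] generateCertificateChain(KeyPair keyPair, String signatureAlgorithm, String subjectDn) throws OperatorCreationException, CertificateException {
        Security.addProvider(BOUNCY_CASTLE_PROVIDER);
        long nowMillis = System.currentTimeMillis();
        Date notBefore = new Date(nowMillis);
        Calendar expiry = Calendar.getInstance();
        expiry.setTime(notBefore);
        expiry.add(Calendar.YEAR, SELF_SIGNED_VALIDITY_YEARS);
        Date notAfter = expiry.getTime();
        X500Name name = new X500Name(subjectDn);
        BigInteger serial = BigInteger.valueOf(nowMillis);
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, serial, notBefore, notAfter, name, publicKeyInfo);
        X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(
                builder.build(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BOUNCY_CASTLE_PROVIDER).build(keyPair.getPrivate())));
        return new X509Certificate[]{certificate};
    }

    /**
     * Extracts the X.509 certificate from a trusted certificate entry.
     *
     * @param entry any keystore entry
     * @return the certificate, or empty if the entry is not a trusted X.509 certificate entry
     */
    protected Optional<X509Certificate> extractCertificate(KeyStore.Entry entry) {
        if (!(entry instanceof KeyStore.TrustedCertificateEntry)) {
            return Optional.empty();
        }
        Certificate trusted = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
        if (trusted instanceof X509Certificate) {
            return Optional.of((X509Certificate) trusted);
        }
        return Optional.empty();
    }

    /**
     * Hands a trusted X.509 certificate entry to the CRL manager.
     *
     * @param entry the entry just stored
     * @return what the manager reported, or {@code false} if there is no manager or the entry is
     *         not a trusted X.509 certificate
     */
    protected boolean tryAddToCrlManagement(KeyStore.Entry entry) {
        Optional<X509Certificate> certificate = extractCertificate(entry);
        if (!certificate.isPresent() || !this.crlManager.isPresent()) {
            return false;
        }
        return this.crlManager.get().addTrustedCertificate(certificate.get());
    }

    /**
     * Removes a trusted X.509 certificate entry from the CRL manager.
     *
     * @param entry the entry just deleted
     * @return what the manager reported, or {@code false} if there is no manager or the entry is
     *         not a trusted X.509 certificate
     */
    protected boolean tryRemoveFromCrlManagement(KeyStore.Entry entry) {
        Optional<X509Certificate> certificate = extractCertificate(entry);
        if (!certificate.isPresent() || !this.crlManager.isPresent()) {
            return false;
        }
        return this.crlManager.get().removeTrustedCertificate(certificate.get());
    }

    /**
     * Replaces the current CRL manager with one built from {@code options}. The existing manager is
     * always shut down; a new one is created only when CRL management is enabled. All trusted
     * X.509 certificates currently in the keystore and all configured distribution points are
     * registered with the new manager.
     *
     * @param options the CRL configuration to apply
     */
    protected void updateCRLManager(CRLManagerOptions options) {
        shutdownCRLManager();
        if (!options.isCrlManagementEnabled()) {
            return;
        }
        File storeFile = options.getStoreFile().orElseGet(() -> new File(getCrlStorePath()));
        // the 5000L argument is passed through unchanged; its meaning is defined by CRLManager — confirm there
        CRLManager manager = new CRLManager(storeFile, 5000L, options.getCrlCheckIntervalMs(),
                options.getCrlUpdateIntervalMs(), getCRLVerifier(options));
        manager.setListener(Optional.of(this::postChangedEvent));
        for (URI distributionPoint : options.getCrlURIs()) {
            manager.addDistributionPoint(Collections.singleton(distributionPoint));
        }
        try {
            for (KeyStore.Entry entry : getEntries().values()) {
                extractCertificate(entry).ifPresent(manager::addTrustedCertificate);
            }
        } catch (Exception e) {
            // best effort: the manager still runs, but without the pre-existing trust anchors
            logger.warn("failed to add current trusted certificates to CRL manager", e);
        }
        this.crlManager = Optional.of(manager);
    }

    /**
     * Returns the verifier the CRL manager applies to downloaded CRLs. When CRL verification is
     * disabled in {@code options} the verifier accepts every CRL without checking its signature;
     * otherwise a CRL is accepted only if its signature verifies against one of the trusted
     * certificates currently in the keystore.
     *
     * @param options the CRL configuration
     * @return the verifier
     */
    protected CRLManager.CRLVerifier getCRLVerifier(CRLManagerOptions options) {
        if (!options.isCRLVerificationEnabled()) {
            return crl -> true;
        }
        return crl -> isSignedByTrustedCertificate(crl);
    }

    /**
     * Checks whether the CRL's signature verifies against any trusted certificate in the keystore.
     *
     * @param crl the CRL to check
     * @return {@code true} if some trusted certificate verifies it; {@code false} otherwise or if
     *         the keystore cannot be read
     */
    private boolean isSignedByTrustedCertificate(X509CRL crl) {
        try {
            for (KeyStore.Entry entry : getEntries().values()) {
                if (entry instanceof KeyStore.TrustedCertificateEntry
                        && verifyCRL(crl, (KeyStore.TrustedCertificateEntry) entry)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // fail closed: an unreadable keystore must not make a CRL look valid
            logger.warn("Exception verifying CRL", e);
            return false;
        }
    }

    /**
     * Closes the current CRL manager, if any, and clears the reference.
     */
    protected void shutdownCRLManager() {
        this.crlManager.ifPresent(CRLManager::close);
        this.crlManager = Optional.empty();
    }

    /**
     * Verifies the CRL's signature with the public key of the given trusted certificate.
     *
     * @param x509crl                 the CRL
     * @param trustedCertificateEntry the candidate issuer
     * @return {@code true} only if the signature verifies
     */
    protected boolean verifyCRL(X509CRL x509crl, KeyStore.TrustedCertificateEntry trustedCertificateEntry) {
        try {
            x509crl.verify(trustedCertificateEntry.getTrustedCertificate().getPublicKey());
            return true;
        } catch (Exception e) {
            // a non-matching issuer is the normal case while scanning the trust store, so keep it at debug
            logger.debug("CRL signature did not verify against trusted certificate", e);
            return false;
        }
    }

    /**
     * @param value a string parameter
     * @return {@code true} if {@code value} is null or contains only whitespace
     */
    private static boolean isNullOrBlank(String value) {
        return value == null || value.trim().isEmpty();
    }
}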
