package org.jenkinsci.plugins.saml;

import hudson.XmlFile;
import hudson.util.Secret;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Calendar;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import org.apache.bcel.Constants;
import org.apache.commons.lang.math.NumberUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:WEB-INF/lib/saml.jar:org/jenkinsci/plugins/saml/BundleKeyStore.class */
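/**
 * Holds the location, passwords and key alias of the keystore used by the SAML plugin.
 *
 * <p>The instance starts out pointing at the bundled pac4j demo keystore (well-known
 * password and alias). {@link #init()} replaces that with a keystore generated under the
 * Jenkins root directory, protected by random passwords and holding a freshly generated
 * RSA key pair with a self-signed certificate. The non-transient fields are persisted to
 * {@value #SAML_JENKINS_KEYSTORE_XML} via {@link XmlFile}, with the passwords stored as
 * Jenkins {@link Secret}s, and read back by the constructor.
 *
 * <p>{@link #init()} and {@link #isValid()} are synchronized on the instance; the getters
 * are not.
 */
public class BundleKeyStore {
    public static final String PAC4J_DEMO_PASSWD = "pac4j-demo-passwd";
    public static final String PAC4J_DEMO_KEYSTORE = "resource:samlKeystore.jks";
    public static final String PAC4J_DEMO_ALIAS = "pac4j-demo";
    public static final String DEFAULT_KEY_ALIAS = "SAML-generated-keyPair";
    public static final String KEY_ALG = "RSA";
    public static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    public static final String PROVIDER = "BC";
    /** System property that overrides the certificate validity, in days. */
    public static final String KEY_VALIDITY_PROPERTY = BundleKeyStore.class.getName() + ".validity";
    /** Default certificate validity, in days, when {@link #KEY_VALIDITY_PROPERTY} is unset or unparsable. */
    public static final Long KEY_VALIDITY = 365L;
    private static final Logger LOG = Logger.getLogger(BundleKeyStore.class.getName());
    public static final String SAML_JENKINS_KEYSTORE_XML = "saml-jenkins-keystore.xml";
    public static final String SAML_JENKINS_KEYSTORE_JKS = "saml-jenkins-keystore.jks";

    /** Subject (and issuer) DN of the self-signed certificate; also placed in its SAN. */
    private static final String CERTIFICATE_DN = "cn=SAML-jenkins";
    /** RSA modulus size of the generated key pair, in bits. */
    private static final int KEY_SIZE = 2048;
    /** Bit length of the random certificate serial number. */
    private static final int SERIAL_NUMBER_BITS = 160;
    /** Number of random bytes behind each generated keystore password (Base64-encoded). */
    private static final int PASSWORD_BYTES = 256;

    // Persisted fields: names must stay as they are, XStream maps them by name.
    private String keystorePath = PAC4J_DEMO_KEYSTORE;
    private Secret ksPassword = Secret.fromString(PAC4J_DEMO_PASSWD);
    private Secret ksPkPassword = Secret.fromString(PAC4J_DEMO_PASSWD);
    private String ksPkAlias = PAC4J_DEMO_ALIAS;
    // "not after" date of the generated certificate; null until a certificate has been generated.
    private Date dateValidity;
    private File keystore;
    // Not persisted; re-created by the constructor.
    private transient XmlFile config;

    /**
     * Creates the holder and loads any previously persisted state from
     * {@value #SAML_JENKINS_KEYSTORE_XML} in the Jenkins root directory.
     * A read failure is logged and leaves the demo-keystore defaults in place.
     */
    public BundleKeyStore() {
        this.config = new XmlFile(new File(Jenkins.getInstance().getRootDir(), SAML_JENKINS_KEYSTORE_XML));
        try {
            if (this.config.exists()) {
                this.config.unmarshal(this);
            }
        } catch (IOException e) {
            LOG.log(Level.WARNING, "It is not possible to read the configuration file " + this.config.getFile().getAbsolutePath(), e);
        }
    }

    /**
     * Generates a new RSA key pair and self-signed certificate, stores them under
     * {@link #DEFAULT_KEY_ALIAS} in the keystore file under the Jenkins root directory
     * and persists the configuration.
     *
     * <p>Any existing entry under {@link #DEFAULT_KEY_ALIAS} is replaced. If the keystore
     * password is still the well-known demo password, both passwords are replaced by random
     * ones first and a fresh keystore file is written, since an existing file could not be
     * opened with the new password anyway.
     *
     * <p>On any failure the instance falls back to the bundled demo keystore; the failure is
     * logged as a warning.
     */
    public synchronized void init() {
        try {
            if (this.keystore == null || !keystoreFileExists()) {
                this.keystore = Paths.get(Jenkins.getInstance().getRootDir().getPath(), SAML_JENKINS_KEYSTORE_JKS).toFile();
                this.keystorePath = "file:" + this.keystore.getPath();
            }
            // Never protect the generated keystore with the well-known demo password.
            boolean rotatePasswords = PAC4J_DEMO_PASSWD.equals(this.ksPassword.getPlainText());
            if (rotatePasswords) {
                this.ksPassword = Secret.fromString(generatePassword());
                this.ksPkPassword = Secret.fromString(generatePassword());
            }
            this.ksPkAlias = DEFAULT_KEY_ALIAS;
            String storePassword = this.ksPassword.getPlainText();
            // A file written under the old password cannot be loaded with the new one, so start
            // from an empty keystore in that case; the key entry is regenerated below regardless.
            KeyStore ks = rotatePasswords
                    ? initKeyStore(this.keystore, storePassword)
                    : loadKeyStore(this.keystore, storePassword);
            KeyPair keyPair = generate(KEY_SIZE);
            ks.setKeyEntry(this.ksPkAlias, keyPair.getPrivate(), this.ksPkPassword.getPlainText().toCharArray(), createCertificateChain(keyPair));
            saveKeyStore(this.keystore, ks, storePassword);
            LOG.warning("Using automatic generated keystore : " + this.keystorePath);
            persistConfig();
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Using bundled keystore : " + e.getMessage(), e);
            useBundledKeyStore();
        }
    }

    /** Writes the persisted fields to the XML configuration file; a failure is only logged. */
    private void persistConfig() {
        try {
            this.config.write(this);
        } catch (IOException e) {
            LOG.log(Level.WARNING, "It is not possible to write the configuration file " + this.config.getFile().getAbsolutePath(), e);
        }
    }

    /** Resets path, passwords and alias to the bundled pac4j demo keystore. */
    private void useBundledKeyStore() {
        this.ksPassword = Secret.fromString(PAC4J_DEMO_PASSWD);
        this.ksPkPassword = Secret.fromString(PAC4J_DEMO_PASSWD);
        this.keystorePath = PAC4J_DEMO_KEYSTORE;
        this.ksPkAlias = PAC4J_DEMO_ALIAS;
    }

    /**
     * Builds the one-element chain (a self-signed certificate) for {@code keyPair}.
     * Validity starts now and lasts {@link #KEY_VALIDITY_PROPERTY} days, defaulting to
     * {@link #KEY_VALIDITY}.
     */
    private X509Certificate[] createCertificateChain(KeyPair keyPair) throws IOException, CertificateException, InvalidKeyException, SignatureException, NoSuchAlgorithmException, NoSuchProviderException, OperatorCreationException {
        // NumberUtils.toLong falls back to the default for a null or unparsable property.
        long validityDays = NumberUtils.toLong(System.getProperty(KEY_VALIDITY_PROPERTY), KEY_VALIDITY);
        return new X509Certificate[]{generateCertificate(CERTIFICATE_DN, new Date(), TimeUnit.DAYS.toSeconds(validityDays), keyPair)};
    }

    /**
     * Creates an empty keystore of the JVM default type, writes it to {@code file} protected
     * by {@code password} and returns it.
     */
    private KeyStore initKeyStore(File file, String password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, password.toCharArray());
        saveKeyStore(file, ks, password);
        return ks;
    }

    /**
     * Stores {@code keyStore} into {@code file}, protected by {@code password}.
     * The file is created with the process default permissions (it relies on the
     * Jenkins root directory itself not being world-readable).
     */
    private void saveKeyStore(File file, KeyStore keyStore, String password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        try (FileOutputStream out = new FileOutputStream(file)) {
            keyStore.store(out, password.toCharArray());
        }
    }

    /**
     * Loads the keystore in {@code file} with {@code password}. If the file cannot be opened
     * a new empty keystore is created and written there instead. Any other failure, including
     * a wrong password (reported by {@link KeyStore#load} as an {@link IOException}), is
     * propagated so that an existing keystore is never silently overwritten.
     */
    private KeyStore loadKeyStore(File file, String password) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray());
            return ks;
        } catch (FileNotFoundException e) {
            // Only thrown by opening the stream, never by load(): the file is missing or unopenable.
            LOG.log(Level.FINE, "Keystore file " + file + " cannot be opened, creating a new one", e);
            return initKeyStore(file, password);
        }
    }

    /**
     * Returns a random password: {@value #PASSWORD_BYTES} bytes from the strongest available
     * {@link SecureRandom}, Base64-encoded.
     * NOTE(review): {@code getInstanceStrong()} may block on entropy-starved hosts — verify this is acceptable at startup.
     */
    private String generatePassword() throws NoSuchAlgorithmException {
        byte[] random = new byte[PASSWORD_BYTES];
        SecureRandom.getInstanceStrong().nextBytes(random);
        return Base64.getEncoder().encodeToString(random);
    }

    /**
     * Generates an RSA key pair of {@code keySize} bits with the {@link #PROVIDER} provider.
     */
    private KeyPair generate(int keySize) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(KEY_ALG, PROVIDER);
        generator.initialize(keySize, new SecureRandom());
        return generator.generateKeyPair();
    }

    /**
     * Builds a self-signed certificate for {@code keyPair}.
     *
     * @param dn              subject and issuer name; also added as a dNSName SAN
     * @param notBefore       start of validity
     * @param validitySeconds validity length in seconds, added to {@code notBefore}
     * @param keyPair         public key goes into the certificate, private key signs it
     * @return the certificate, signed with {@link #SIGNATURE_ALGORITHM}
     */
    private X509Certificate generateCertificate(String dn, Date notBefore, long validitySeconds, KeyPair keyPair) throws CertIOException, OperatorCreationException, CertificateException, NoSuchAlgorithmException {
        X500Name name = new X500Name(dn);
        Date notAfter = new Date(notBefore.getTime() + (validitySeconds * 1000));
        // Remembered (and persisted) so that isValid() can detect expiry without reopening the keystore.
        this.dateValidity = notAfter;
        // Random, non-negative serial number; uniqueness relies on its length.
        BigInteger serial = new BigInteger(SERIAL_NUMBER_BITS, new SecureRandom());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, keyPair.getPublic());
        builder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.subjectAlternativeName, false, GeneralNames.getInstance(new DERSequence(new ASN1Encodable[]{new GeneralName(GeneralName.dNSName, dn)})));
        return new JcaX509CertificateConverter().getCertificate(builder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate())));
    }

    /** @return the keystore location, either a {@code resource:} or a {@code file:} path. */
    public String getKeystorePath() {
        return this.keystorePath;
    }

    /** @return the keystore password in plain text. */
    public String getKsPassword() {
        return this.ksPassword.getPlainText();
    }

    /** @return the private-key password in plain text. */
    public String getKsPkPassword() {
        return this.ksPkPassword.getPlainText();
    }

    /** @return the alias of the private-key entry. */
    public String getKsPkAlias() {
        return this.ksPkAlias;
    }

    /** @return {@code true} while the instance points at the bundled demo keystore. */
    public boolean isUsingDemoKeyStore() {
        return PAC4J_DEMO_KEYSTORE.equals(this.keystorePath);
    }

    /**
     * Checks the generated keystore: the recorded certificate validity has not passed,
     * the keystore file is readable and the private-key entry can be recovered with the
     * stored passwords.
     *
     * @return {@code true} only when all three checks hold; a keystore access failure is
     *         logged and counts as invalid
     */
    public synchronized boolean isValid() {
        boolean notExpired = this.dateValidity != null && !new Date().after(this.dateValidity);
        boolean fileExists = keystoreFileExists();
        boolean keyPresent = false;
        if (fileExists) {
            try {
                keyPresent = loadKeyStore(this.keystore, this.ksPassword.getPlainText())
                        .getKey(this.ksPkAlias, this.ksPkPassword.getPlainText().toCharArray()) != null;
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
                LOG.log(Level.WARNING, "The keystore is not accessible", e);
            }
        }
        return notExpired && fileExists && keyPresent;
    }

    /** @return {@code true} when the keystore file is set, exists and is readable. */
    private boolean keystoreFileExists() {
        return this.keystore != null && this.keystore.exists() && this.keystore.canRead();
    }
}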
