package org.ejbca.core.model.ca.caadmin.extendedcaservices;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.transforms.Transforms;
import org.bouncycastle.util.encoders.DecoderException;
import org.cesecore.certificates.ca.CA;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAService;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceInfo;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceNotActiveException;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceRequest;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceRequestException;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceResponse;
import org.cesecore.certificates.ca.extendedservices.IllegalExtendedCAServiceRequestException;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.EndEntityTypes;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.keys.token.CryptoToken;
import org.cesecore.keys.util.KeyTools;
import org.cesecore.util.Base64;
import org.cesecore.util.CertTools;
import org.cesecore.util.CryptoProviderTools;
import org.cesecore.util.StringTools;
import org.ejbca.config.EjbcaConfiguration;
import org.ejbca.core.model.InternalEjbcaResources;
import org.ejbca.core.model.hardtoken.HardTokenConstants;
import org.w3c.dom.Document;

/* loaded from: input_file:org/ejbca/core/model/ca/caadmin/extendedcaservices/XKMSCAService.class */
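/**
 * Extended CA service that signs XKMS documents (XML-DSig, enveloped signature) with a service
 * key pair issued by the owning CA.
 * <p>
 * The signing key material exists in two forms: in memory ({@link #xKMSkey} and
 * {@link #xKMScertificatechain}) and, persisted in the service's {@code data} map under
 * {@link #XKMSKEYSTORE}, as a base64-encoded PKCS#12 blob. The PKCS#12 store password is the
 * {@code ca.xkmskeystorepass} EJBCA configuration value, decrypted with
 * {@link StringTools#passwordDecryption}; the key entry itself is stored with a {@code null}
 * key password, so the store password is the only protection of the private key at rest.
 * {@link #init} generates the key pair and writes the blob; the {@link #XKMSCAService(HashMap)}
 * constructor reloads it.
 * <p>
 * Review notes: the XML signature algorithm and digest are hard-coded to RSA-SHA1 / SHA-1 (see
 * {@link #extendedService}). Changing them would change the signatures relying parties receive,
 * so they are left as is, but they are a weak algorithm pair and the key algorithm stored under
 * {@link #KEYALGORITHM} is not consulted when signing (a non-RSA service key would fail at
 * signing time). The service also trusts the {@code Id} supplied in the request as the
 * signature reference target.
 */
public class XKMSCAService extends ExtendedCAService implements Serializable {
    private static final long serialVersionUID = 6337172829214941501L;
    private static Logger m_log = Logger.getLogger(XKMSCAService.class);
    private static final InternalEjbcaResources intres = InternalEjbcaResources.getInstance();
    public static final float LATEST_VERSION = 2.0f;
    public static final String SERVICENAME = "XKMSCASERVICE";
    /** Private signing key; null until init() ran or the persisted keystore was loaded successfully. */
    private PrivateKey xKMSkey;
    /** Service certificate first, then the issuing CA's chain; null until loaded (see xKMSkey). */
    private List<Certificate> xKMScertificatechain;
    /** Cached info object; rebuilt by the constructors, init() and update(). */
    private XKMSCAServiceInfo info;
    private static final String XKMSKEYSTORE = "xkmskeystore";
    private static final String KEYSPEC = "keyspec";
    private static final String KEYALGORITHM = "keyalgorithm";
    private static final String SUBJECTDN = "subjectdn";
    private static final String SUBJECTALTNAME = "subjectaltname";
    private static final String PRIVATESIGNKEYALIAS = "privatesignkeyalias";

    // Status values as used by this class: 2 is required by extendedService(), 1 is what a failed
    // keystore load reports. Presumably ExtendedCAServiceInfo.STATUS_ACTIVE/STATUS_INACTIVE; confirm.
    private static final int XKMS_STATUS_ACTIVE = 2;
    private static final int XKMS_STATUS_INACTIVE = 1;
    /** Value written under "extendedcaservicetype"; presumably the XKMS service type id — confirm. */
    private static final int XKMS_SERVICE_TYPE = 2;
    /** Key used by the service framework to locate the implementing class (presumably read by the parent). */
    private static final String IMPLCLASS_KEY = "IMPLCLASS";
    private static final String SERVICETYPE_KEY = "extendedcaservicetype";
    private static final String VERSION_KEY = "version";

    // XML-DSig algorithm identifiers. NOTE(review): RSA-SHA1 and SHA-1 are weak; kept for
    // compatibility with existing relying parties.
    private static final String SIGNATURE_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
    private static final String DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1";
    private static final String C14N_EXCLUSIVE = "http://www.w3.org/2001/10/xml-exc-c14n#";
    private static final String TRANSFORM_ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";

    /**
     * Creates a fresh, not yet initialised service from its configuration.
     * No key material is generated here; call {@link #init} for that.
     *
     * @param extendedCAServiceInfo must be an {@link XKMSCAServiceInfo}
     */
    public XKMSCAService(ExtendedCAServiceInfo extendedCAServiceInfo) {
        super(extendedCAServiceInfo);
        this.xKMSkey = null;
        this.xKMScertificatechain = null;
        this.info = null;
        if (m_log.isDebugEnabled()) {
            m_log.debug("XKMSCAService : constructor " + extendedCAServiceInfo.getStatus());
        }
        CryptoProviderTools.installBCProviderIfNotAvailable();
        XKMSCAServiceInfo xkmsInfo = (XKMSCAServiceInfo) extendedCAServiceInfo;
        this.data = new LinkedHashMap<>();
        this.data.put(IMPLCLASS_KEY, getClass().getName());
        this.data.put(SERVICETYPE_KEY, XKMS_SERVICE_TYPE);
        this.data.put(KEYSPEC, xkmsInfo.getKeySpec());
        this.data.put(KEYALGORITHM, xkmsInfo.getKeyAlgorithm());
        setSubjectDN(xkmsInfo.getSubjectDN());
        setSubjectAltName(xkmsInfo.getSubjectAltName());
        setStatus(extendedCAServiceInfo.getStatus());
        this.data.put(VERSION_KEY, Float.valueOf(LATEST_VERSION));
    }

    /**
     * Restores a service from its persisted data map, reloading the PKCS#12 keystore stored under
     * {@link #XKMSKEYSTORE} if present.
     * <p>
     * If the keystore cannot be loaded (typically because {@code ca.xkmskeystorepass} changed), the
     * error is logged, the cached {@link #info} reports the service as inactive and the in-memory
     * key material stays null. The persisted status in {@code data} is NOT changed, which is why
     * {@link #extendedService} re-checks that key material is actually present.
     *
     * @param hashMap the persisted service data
     * @throws IllegalArgumentException propagated from {@link #loadData}
     */
    public XKMSCAService(HashMap<Object, Object> hashMap) throws IllegalArgumentException {
        super(hashMap);
        this.xKMSkey = null;
        this.xKMScertificatechain = null;
        this.info = null;
        CryptoProviderTools.installBCProviderIfNotAvailable();
        loadData(hashMap);
        if (hashMap.get(XKMSKEYSTORE) == null) {
            return;
        }
        // Keystore password from configuration; never log it.
        String keyStorePassword = StringTools.passwordDecryption(EjbcaConfiguration.getCaXkmsKeyStorePass(), "ca.xkmskeystorepass");
        String keySpec = (String) hashMap.get(KEYSPEC);
        String keyAlgorithm = (String) hashMap.get(KEYALGORITHM);
        try {
            try {
                m_log.debug("Loading XKMS keystore");
                KeyStore keyStore = KeyStore.getInstance(HardTokenConstants.TOKENTYPE_PKCS12, "BC");
                // The stored blob is base64 text, so the charset only has to be ASCII-compatible.
                byte[] encoded = ((String) hashMap.get(XKMSKEYSTORE)).getBytes("UTF-8");
                keyStore.load(new ByteArrayInputStream(Base64.decode(encoded)), keyStorePassword.toCharArray());
                m_log.debug("Finished loading XKMS keystore");
                // The entry was stored with a null key password in init().
                this.xKMSkey = (PrivateKey) keyStore.getKey(PRIVATESIGNKEYALIAS, null);
                this.xKMScertificatechain = new ArrayList<Certificate>(
                        CertTools.getCertCollectionFromArray(keyStore.getCertificateChain(PRIVATESIGNKEYALIAS), (String) null));
                int status = getStatus();
                // NOTE(review): both sides of this comparison come from the same keystore entry, so it
                // can only detect a corrupt/odd PKCS#12, not a mismatch with anything external. A
                // mismatch is logged but does not deactivate the service.
                try {
                    if (!keyStore.getCertificate(PRIVATESIGNKEYALIAS).getPublicKey().equals(this.xKMScertificatechain.get(0).getPublicKey())) {
                        m_log.error("Keystore does not hold the same public key as XKMS service certificate.");
                    }
                } catch (Exception e) {
                    m_log.error("Could not compare public keys. " + e.getMessage(), e);
                }
                this.info = new XKMSCAServiceInfo(status, getSubjectDN(), getSubjectAltName(), keySpec, keyAlgorithm, this.xKMScertificatechain);
            } catch (Exception e2) {
                // Keep the stack trace; the most common cause is a changed keystore password.
                m_log.error("Could not load keystore or certificate for CA XKMS service. Perhaps the password was changed? " + e2.getMessage(), e2);
                this.info = new XKMSCAServiceInfo(XKMS_STATUS_INACTIVE, getSubjectDN(), getSubjectAltName(), keySpec, keyAlgorithm, this.xKMScertificatechain);
            }
            hashMap.put(SERVICETYPE_KEY, XKMS_SERVICE_TYPE);
        } catch (Throwable th) {
            // Anything not caught above (Errors): still leave a usable, inactive info object behind.
            this.info = new XKMSCAServiceInfo(XKMS_STATUS_INACTIVE, getSubjectDN(), getSubjectAltName(), keySpec, keyAlgorithm, this.xKMScertificatechain);
            throw th;
        }
    }

    /**
     * Generates a new service key pair, has the CA issue a certificate for it and persists the key
     * and chain as a PKCS#12 blob in {@code data} under {@link #XKMSKEYSTORE}.
     * Also called by {@link #update} when the renew flag is set, replacing the previous key.
     *
     * @param cryptoToken the CA's crypto token used to sign the service certificate
     * @param ca          the issuing CA
     * @throws Exception on key generation, certificate issuance or keystore errors
     */
    public void init(CryptoToken cryptoToken, CA ca) throws Exception {
        m_log.trace(">init");
        // Keystore password from configuration; never log it.
        String keyStorePassword = StringTools.passwordDecryption(EjbcaConfiguration.getCaXkmsKeyStorePass(), "ca.xkmskeystorepass");
        XKMSCAServiceInfo xkmsInfo = (XKMSCAServiceInfo) getExtendedCAServiceInfo();
        KeyStore keyStore = KeyStore.getInstance(HardTokenConstants.TOKENTYPE_PKCS12, "BC");
        keyStore.load(null, null);
        KeyPair serviceKeyPair = KeyTools.genKeys(xkmsInfo.getKeySpec(), xkmsInfo.getKeyAlgorithm());
        // Placeholder end entity: the service certificate is not tied to a registered user.
        EndEntityInformation endEntity = new EndEntityInformation("NOUSERNAME", xkmsInfo.getSubjectDN(), 0, xkmsInfo.getSubjectAltName(), "NOEMAIL", 0, EndEntityTypes.INVALID.toEndEntityType(), 0, 0, (Date) null, (Date) null, 0, 0, (ExtendedInformation) null);
        // Profile id 1 is presumably the fixed end-user profile — confirm against CertificateProfileConstants.
        CertificateProfile profile = new CertificateProfile(1);
        profile.setUseKeyUsage(true);
        profile.setKeyUsage(new boolean[9]);
        // Bits 0, 2 and 3: digitalSignature, keyEncipherment, dataEncipherment in X.509 KeyUsage bit order.
        profile.setKeyUsage(0, true);
        profile.setKeyUsage(2, true);
        profile.setKeyUsage(3, true);
        profile.setKeyUsageCritical(true);
        Certificate serviceCert = ca.generateCertificate(cryptoToken, endEntity, serviceKeyPair.getPublic(), -1, (Date) null, ca.getValidity(), profile, (String) null);
        List<Certificate> chain = new ArrayList<Certificate>();
        chain.add(serviceCert);
        chain.addAll(ca.getCertificateChain());
        this.xKMScertificatechain = chain;
        this.xKMSkey = serviceKeyPair.getPrivate();
        // Null key password: only the PKCS#12 store password protects the key at rest.
        keyStore.setKeyEntry(PRIVATESIGNKEYALIAS, serviceKeyPair.getPrivate(), null, chain.toArray(new Certificate[chain.size()]));
        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        keyStore.store(serialized, keyStorePassword.toCharArray());
        // Base64 output is ASCII, so the default charset is safe here.
        this.data.put(XKMSKEYSTORE, new String(Base64.encode(serialized.toByteArray())));
        setStatus(xkmsInfo.getStatus());
        this.info = new XKMSCAServiceInfo(xkmsInfo.getStatus(), getSubjectDN(), getSubjectAltName(), (String) this.data.get(KEYSPEC), (String) this.data.get(KEYALGORITHM), this.xKMScertificatechain);
        m_log.trace("<init");
    }

    /**
     * Applies a new configuration: status, key spec and key algorithm are stored, and if the renew
     * flag is set a new key pair and certificate are generated via {@link #init}.
     * A failed renewal is logged and otherwise ignored (best effort); the previous key material and
     * chain remain in use and are what the rebuilt {@link #info} reports.
     *
     * @param cryptoToken           the CA's crypto token
     * @param extendedCAServiceInfo must be an {@link XKMSCAServiceInfo}
     * @param ca                    the owning CA
     */
    public void update(CryptoToken cryptoToken, ExtendedCAServiceInfo extendedCAServiceInfo, CA ca) {
        XKMSCAServiceInfo xkmsInfo = (XKMSCAServiceInfo) extendedCAServiceInfo;
        m_log.trace(">update: " + extendedCAServiceInfo.getStatus());
        setStatus(extendedCAServiceInfo.getStatus());
        if (xkmsInfo.getRenewFlag()) {
            try {
                init(cryptoToken, ca);
            } catch (Exception e) {
                m_log.error("Error updating the XKMS service: ", e);
            }
        }
        this.data.put(KEYSPEC, xkmsInfo.getKeySpec());
        this.data.put(KEYALGORITHM, xkmsInfo.getKeyAlgorithm());
        this.info = new XKMSCAServiceInfo(extendedCAServiceInfo.getStatus(), getSubjectDN(), getSubjectAltName(), xkmsInfo.getKeySpec(), xkmsInfo.getKeyAlgorithm(), this.xKMScertificatechain);
        m_log.trace("<update: " + extendedCAServiceInfo.getStatus());
    }

    /**
     * Signs the request's XML document with the service key when the request asks for signing.
     * <p>
     * The signature is an enveloped XML-DSig (RSA-SHA1, SHA-1 digest, exclusive C14N) referencing
     * {@code "#" + request.getId()}, inserted as the first child of the document element, with the
     * service certificate in {@code KeyInfo}. The request's Id is used as the reference target
     * without further validation.
     *
     * @param cryptoToken              unused; the service signs with its own key
     * @param extendedCAServiceRequest must be an {@link XKMSCAServiceRequest}
     * @return a response wrapping the signed document, or {@code null} if the request did not ask
     *         for a signature
     * @throws IllegalExtendedCAServiceRequestException if the request is of the wrong type or
     *         carries no document to sign
     * @throws ExtendedCAServiceNotActiveException      if the service status is not active, or no
     *         signing key/certificate is loaded (e.g. the persisted keystore failed to load)
     * @throws ExtendedCAServiceRequestException        on XML signature errors
     */
    public ExtendedCAServiceResponse extendedService(CryptoToken cryptoToken, ExtendedCAServiceRequest extendedCAServiceRequest) throws ExtendedCAServiceRequestException, IllegalExtendedCAServiceRequestException, ExtendedCAServiceNotActiveException {
        m_log.trace(">extendedService");
        if (!(extendedCAServiceRequest instanceof XKMSCAServiceRequest)) {
            throw new IllegalExtendedCAServiceRequestException();
        }
        if (getStatus() != XKMS_STATUS_ACTIVE) {
            String notActive = intres.getLocalizedMessage("caservice.notactive", "XKMS");
            m_log.error(notActive);
            throw new ExtendedCAServiceNotActiveException(notActive);
        }
        // The persisted status can still say "active" after the keystore failed to load in the
        // HashMap constructor; refuse explicitly instead of failing with a NullPointerException.
        if (this.xKMSkey == null || this.xKMScertificatechain == null || this.xKMScertificatechain.isEmpty()) {
            String notActive = intres.getLocalizedMessage("caservice.notactive", "XKMS");
            m_log.error(notActive + " No XKMS signing key or certificate is loaded.");
            throw new ExtendedCAServiceNotActiveException(notActive);
        }
        XKMSCAServiceRequest request = (XKMSCAServiceRequest) extendedCAServiceRequest;
        if (!request.isSign()) {
            m_log.trace("<extendedService");
            return null;
        }
        Document doc = request.getDoc();
        if (doc == null) {
            throw new IllegalExtendedCAServiceRequestException();
        }
        X509Certificate serviceCert = (X509Certificate) this.xKMScertificatechain.get(0);
        XKMSCAServiceResponse response;
        try {
            XMLSignature signature = new XMLSignature(doc, "", SIGNATURE_RSA_SHA1, C14N_EXCLUSIVE);
            Transforms transforms = new Transforms(doc);
            transforms.addTransform(TRANSFORM_ENVELOPED);
            transforms.addTransform(C14N_EXCLUSIVE);
            signature.addDocument("#" + request.getId(), transforms, DIGEST_SHA1);
            signature.addKeyInfo(serviceCert);
            doc.getDocumentElement().insertBefore(signature.getElement(), doc.getDocumentElement().getFirstChild());
            signature.sign(this.xKMSkey);
            response = new XKMSCAServiceResponse(doc);
        } catch (XMLSignatureException e) {
            throw new ExtendedCAServiceRequestException(e);
        } catch (XMLSecurityException e2) {
            throw new ExtendedCAServiceRequestException(e2);
        }
        m_log.trace("<extendedService");
        return response;
    }

    /** @return the data-format version this implementation writes ({@link #LATEST_VERSION}) */
    public float getLatestVersion() {
        return LATEST_VERSION;
    }

    /** Bumps the persisted implementation class and version marker when they are behind {@link #LATEST_VERSION}. */
    public void upgrade() {
        if (Float.compare(LATEST_VERSION, getVersion()) != 0) {
            this.data.put(IMPLCLASS_KEY, getClass().getName());
            this.data.put(VERSION_KEY, Float.valueOf(LATEST_VERSION));
        }
    }

    /**
     * @return the cached service info, built lazily from {@code data} and the current chain
     *         (chain is null if no key material has been loaded)
     */
    public ExtendedCAServiceInfo getExtendedCAServiceInfo() {
        if (this.info == null) {
            this.info = new XKMSCAServiceInfo(getStatus(), getSubjectDN(), getSubjectAltName(), (String) this.data.get(KEYSPEC), (String) this.data.get(KEYALGORITHM), this.xKMScertificatechain);
        }
        return this.info;
    }

    /** @return the subject DN persisted under {@link #SUBJECTDN}, or null if none is stored */
    private String getSubjectDN() {
        return decodeStoredName((String) this.data.get(SUBJECTDN), "DN");
    }

    /** Persists the subject DN base64-encoded (UTF-8); a null value clears the entry. */
    private void setSubjectDN(String str) {
        storeEncodedName(SUBJECTDN, str);
    }

    /** @return the subject alternative name persisted under {@link #SUBJECTALTNAME}, or null if none is stored */
    private String getSubjectAltName() {
        return decodeStoredName((String) this.data.get(SUBJECTALTNAME), "altname");
    }

    /** Persists the subject alternative name base64-encoded (UTF-8); a null value clears the entry. */
    private void setSubjectAltName(String str) {
        storeEncodedName(SUBJECTALTNAME, str);
    }

    /**
     * Decodes a base64-stored name back to text. Values written before names were base64-encoded
     * are returned unchanged when decoding fails. Both getters now tolerate the same two failure
     * signals (the original DN getter only handled ArrayIndexOutOfBoundsException, the alt-name
     * getter only DecoderException).
     *
     * @param stored the raw stored value, may be null
     * @param what   label used in the fallback debug message ("DN" or "altname")
     * @return the decoded text, the stored value itself for legacy un-encoded data, or null
     */
    private String decodeStoredName(String stored, String what) {
        if (stored == null) {
            return null;
        }
        try {
            // Decode as UTF-8 to match what storeEncodedName() encoded.
            return new String(Base64.decode(stored.getBytes("UTF-8")), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            m_log.error("Could not decode XKMS data from Base64", e);
            return null;
        } catch (DecoderException | ArrayIndexOutOfBoundsException e2) {
            m_log.debug("Old non base64 encoded " + what + ": " + stored);
            return stored;
        }
    }

    /**
     * Stores a name base64-encoded (UTF-8, no line breaks) under the given data key.
     *
     * @param key   {@link #SUBJECTDN} or {@link #SUBJECTALTNAME}
     * @param value the text to store; null removes the entry instead of failing
     */
    private void storeEncodedName(String key, String value) {
        if (value == null) {
            this.data.remove(key);
            return;
        }
        try {
            this.data.put(key, new String(Base64.encode(value.getBytes("UTF-8"), false)));
        } catch (UnsupportedEncodingException e) {
            m_log.error("Could not encode XKMS data from Base64", e);
        }
    }
}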
