package org.ejbca.core.model.ca.caadmin.extendedcaservices;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.KeyTransRecipientId;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.util.encoders.DecoderException;
import org.cesecore.certificates.ca.CA;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAService;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceInfo;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceNotActiveException;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceRequest;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceRequestException;
import org.cesecore.certificates.ca.extendedservices.ExtendedCAServiceResponse;
import org.cesecore.certificates.ca.extendedservices.IllegalExtendedCAServiceRequestException;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.EndEntityType;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.keys.token.CryptoToken;
import org.cesecore.keys.util.KeyTools;
import org.cesecore.util.Base64;
import org.cesecore.util.CertTools;
import org.cesecore.util.CryptoProviderTools;
import org.cesecore.util.StringTools;
import org.ejbca.config.EjbcaConfiguration;
import org.ejbca.core.model.InternalEjbcaResources;
import org.ejbca.core.model.hardtoken.HardTokenConstants;

/* loaded from: input_file:org/ejbca/core/model/ca/caadmin/extendedcaservices/CmsCAService.class */
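/**
 * Extended CA service that signs, envelopes (encrypts) and decrypts CMS messages on behalf of a CA.
 *
 * <p>The service owns a dedicated key pair whose certificate is issued by the CA in {@link #init}. Key
 * pair and certificate chain are kept as a Base64-encoded PKCS#12 keystore in the inherited {@code data}
 * map (key {@code "keystore"}), protected by the {@code ca.cmskeystorepass} password taken from
 * {@link EjbcaConfiguration}. The private key therefore travels with the CA's persisted data and is
 * guarded only by that configured password; keep that password out of logs and version control.
 *
 * <p>Requests are handled by {@link #extendedService}. The request mode is a bit mask; signing
 * ({@link #MODE_SIGN}), enveloping ({@link #MODE_ENCRYPT}) and decryption ({@link #MODE_DECRYPT}) are
 * applied in that order to the request document.
 */
public class CmsCAService extends ExtendedCAService implements Serializable {
    private static final long serialVersionUID = 5273836489592921586L;
    private static final Logger m_log = Logger.getLogger(CmsCAService.class);
    private static final InternalEjbcaResources intres = InternalEjbcaResources.getInstance();
    public static final float LATEST_VERSION = 2.0f;
    public static final String SERVICENAME = "CMSCASERVICE";

    // Keys of the entries this service stores in the inherited data map.
    private static final String KEYSTORE = "keystore";
    private static final String KEYSPEC = "keyspec";
    private static final String KEYALGORITHM = "keyalgorithm";
    private static final String SUBJECTDN = "subjectdn";
    private static final String SUBJECTALTNAME = "subjectaltname";
    private static final String PRIVATESIGNKEYALIAS = "privatesignkeyalias";
    private static final String IMPLCLASS_KEY = "IMPLCLASS";
    private static final String VERSION_KEY = "version";
    private static final String SERVICETYPE_KEY = "extendedcaservicetype";
    /** Value stored under {@link #SERVICETYPE_KEY}; presumably the CMS entry of the service type table — confirm. */
    private static final int CMS_SERVICE_TYPE = 3;

    // Bits of CmsCAServiceRequest.getMode(), as interpreted by extendedService().
    private static final int MODE_SIGN = 1;
    private static final int MODE_ENCRYPT = 2;
    private static final int MODE_DECRYPT = 4;

    private static final String BC = "BC";
    private static final String UTF8 = "UTF-8";

    /** Private key of the service certificate; null until {@link #init} ran or the keystore was loaded. */
    private PrivateKey privKey;
    /** Service certificate first, followed by the CA chain; null until loaded. */
    private List<Certificate> certificatechain;
    /** Cached info object, rebuilt whenever the service state changes. */
    private CmsCAServiceInfo info;
    /** Lazily resolved end-entity certificate of {@link #certificatechain}, see {@link #getCMSCertificate()}. */
    private X509Certificate cmsCertificate;

    /**
     * Creates a new, not yet initialised service from its configuration. No key material exists until
     * {@link #init} is called.
     *
     * @param extendedCAServiceInfo must be a {@link CmsCAServiceInfo}; supplies key spec, algorithm,
     *        subject DN / alt name and status
     * @throws ClassCastException if the info is not a {@link CmsCAServiceInfo}
     * @throws IllegalArgumentException if the subject DN or subject alt name is null
     */
    public CmsCAService(final ExtendedCAServiceInfo extendedCAServiceInfo) {
        super(extendedCAServiceInfo);
        this.privKey = null;
        this.certificatechain = null;
        this.info = null;
        this.cmsCertificate = null;
        m_log.debug("CmsCAService : constructor " + extendedCAServiceInfo.getStatus());
        CryptoProviderTools.installBCProviderIfNotAvailable();
        final CmsCAServiceInfo cmsInfo = (CmsCAServiceInfo) extendedCAServiceInfo;
        // Raw type kept on purpose: the inherited field's type arguments are not visible from here.
        this.data = new LinkedHashMap();
        this.data.put(IMPLCLASS_KEY, getClass().getName());
        this.data.put(SERVICETYPE_KEY, Integer.valueOf(CMS_SERVICE_TYPE));
        this.data.put(KEYSPEC, cmsInfo.getKeySpec());
        this.data.put(KEYALGORITHM, cmsInfo.getKeyAlgorithm());
        setSubjectDN(cmsInfo.getSubjectDN());
        setSubjectAltName(cmsInfo.getSubjectAltName());
        setStatus(extendedCAServiceInfo.getStatus());
        this.data.put(VERSION_KEY, Float.valueOf(LATEST_VERSION));
    }

    /**
     * Restores a service from its persisted data map, reloading the CMS keystore when one is stored.
     *
     * <p>If the keystore cannot be opened (typically because {@code ca.cmskeystorepass} changed) the
     * failure is logged, the key material stays unloaded and the info object reports the service as
     * inactive. The status stored in the data map is left untouched, so {@link #extendedService} guards
     * against missing key material separately.
     *
     * @param hashMap persisted service data; also receives the service type entry
     * @throws IllegalArgumentException propagated from {@code loadData}
     */
    public CmsCAService(final HashMap<Object, Object> hashMap) throws IllegalArgumentException {
        super(hashMap);
        this.privKey = null;
        this.certificatechain = null;
        this.info = null;
        this.cmsCertificate = null;
        CryptoProviderTools.installBCProviderIfNotAvailable();
        loadData(hashMap);
        if (this.data.get(KEYSTORE) == null) {
            m_log.info("KEYSTORE is null when creating CmsCAService");
            return;
        }
        final String keyStorePassword = StringTools.passwordDecryption(EjbcaConfiguration.getCaCmsKeyStorePass(), "ca.cmskeystorepass");
        // Reported through the info object until the keystore has been loaded successfully.
        int status = ExtendedCAServiceInfo.STATUS_INACTIVE;
        try {
            m_log.debug("Loading CMS keystore");
            final KeyStore keyStore = KeyStore.getInstance(HardTokenConstants.TOKENTYPE_PKCS12, BC);
            final byte[] encodedKeyStore = Base64.decode(((String) this.data.get(KEYSTORE)).getBytes(UTF8));
            keyStore.load(new ByteArrayInputStream(encodedKeyStore), keyStorePassword.toCharArray());
            m_log.debug("Finished loading CMS keystore");
            // No separate key-entry password is used: null here matches the null passed in init().
            this.privKey = (PrivateKey) keyStore.getKey(PRIVATESIGNKEYALIAS, null);
            this.certificatechain = new ArrayList<Certificate>(
                    CertTools.getCertCollectionFromArray(keyStore.getCertificateChain(PRIVATESIGNKEYALIAS), (String) null));
            status = getStatus();
        } catch (Exception e) {
            // Logged with the cause so the failing step (decode, load, key lookup) is visible.
            m_log.error("Could not load keystore or certificate for CA CMS service. Perhaps the password was changed? " + e.getMessage(), e);
        } finally {
            this.info = new CmsCAServiceInfo(status, getSubjectDN(), getSubjectAltName(),
                    (String) this.data.get(KEYSPEC), (String) this.data.get(KEYALGORITHM), this.certificatechain);
        }
        hashMap.put(SERVICETYPE_KEY, Integer.valueOf(CMS_SERVICE_TYPE));
    }

    /**
     * Generates the service key pair, has the CA issue its certificate, and stores both as a
     * password-protected PKCS#12 keystore in the data map. Any previously stored key material is
     * replaced.
     *
     * @param cryptoToken token holding the CA signing key, passed through to the CA
     * @param ca the CA that issues the service certificate and supplies the chain and validity
     * @throws Exception on key generation, certificate issuance or keystore serialisation failure
     */
    public void init(final CryptoToken cryptoToken, final CA ca) throws Exception {
        m_log.debug("CmsCAService : init");
        final String keyStorePassword = StringTools.passwordDecryption(EjbcaConfiguration.getCaCmsKeyStorePass(), "ca.cmskeystorepass");
        final CmsCAServiceInfo cmsInfo = (CmsCAServiceInfo) getExtendedCAServiceInfo();
        final KeyStore keyStore = KeyStore.getInstance(HardTokenConstants.TOKENTYPE_PKCS12, BC);
        keyStore.load(null, null); // start from an empty keystore
        final KeyPair serviceKeys = KeyTools.genKeys(cmsInfo.getKeySpec(), cmsInfo.getKeyAlgorithm());
        // Profile id 1 is presumably the fixed end-user profile — confirm against CertificateProfileConstants.
        final CertificateProfile profile = new CertificateProfile(1);
        profile.setUseKeyUsage(true);
        profile.setKeyUsage(new boolean[9]);
        // Indices presumably follow the X.509 KeyUsage bit order: 0 digitalSignature,
        // 2 keyEncipherment, 3 dataEncipherment — confirm against CertificateConstants.
        profile.setKeyUsage(0, true);
        profile.setKeyUsage(2, true);
        profile.setKeyUsage(3, true);
        profile.setKeyUsageCritical(true);
        final Certificate serviceCert = ca.generateCertificate(cryptoToken,
                new EndEntityInformation("NOUSERNAME", cmsInfo.getSubjectDN(), 0, cmsInfo.getSubjectAltName(), "NOEMAIL", 0,
                        new EndEntityType(), 0, 0, (Date) null, (Date) null, 0, 0, (ExtendedInformation) null),
                serviceKeys.getPublic(), -1, (Date) null, ca.getValidity(), profile, (String) null);
        this.certificatechain = new ArrayList<Certificate>();
        this.certificatechain.add(serviceCert);
        this.certificatechain.addAll(ca.getCertificateChain());
        this.privKey = serviceKeys.getPrivate();
        this.cmsCertificate = null; // drop any certificate cached from the previous key material
        final Certificate[] chain = this.certificatechain.toArray(new Certificate[this.certificatechain.size()]);
        // No separate key-entry password; the keystore password protects the entry.
        keyStore.setKeyEntry(PRIVATESIGNKEYALIAS, serviceKeys.getPrivate(), null, chain);
        final ByteArrayOutputStream serialised = new ByteArrayOutputStream();
        keyStore.store(serialised, keyStorePassword.toCharArray());
        this.data.put(KEYSTORE, new String(Base64.encode(serialised.toByteArray())));
        setStatus(cmsInfo.getStatus());
        this.info = new CmsCAServiceInfo(cmsInfo.getStatus(), getSubjectDN(), getSubjectAltName(),
                (String) this.data.get(KEYSPEC), (String) this.data.get(KEYALGORITHM), this.certificatechain);
    }

    /**
     * Applies a changed configuration: updates status, key spec and algorithm, and regenerates the key
     * material via {@link #init} when the info carries the renew flag. A failed renewal is logged and
     * leaves the previous key material in place.
     *
     * @param cryptoToken token passed on to {@link #init}
     * @param extendedCAServiceInfo must be a {@link CmsCAServiceInfo}
     * @param ca the owning CA, passed on to {@link #init}
     */
    public void update(final CryptoToken cryptoToken, final ExtendedCAServiceInfo extendedCAServiceInfo, final CA ca) {
        final CmsCAServiceInfo cmsInfo = (CmsCAServiceInfo) extendedCAServiceInfo;
        m_log.debug("CmsCAService : update " + extendedCAServiceInfo.getStatus());
        setStatus(extendedCAServiceInfo.getStatus());
        if (cmsInfo.getRenewFlag()) {
            try {
                init(cryptoToken, ca);
            } catch (Exception e) {
                m_log.error("Error initilizing Extended CA service during upgrade: ", e);
            }
        }
        this.data.put(KEYSPEC, cmsInfo.getKeySpec());
        this.data.put(KEYALGORITHM, cmsInfo.getKeyAlgorithm());
        this.info = new CmsCAServiceInfo(extendedCAServiceInfo.getStatus(), getSubjectDN(), getSubjectAltName(),
                cmsInfo.getKeySpec(), cmsInfo.getKeyAlgorithm(), this.certificatechain);
    }

    /**
     * Processes a {@link CmsCAServiceRequest}: signs, envelopes and/or decrypts its document according
     * to the mode bits, in that order.
     *
     * <p>Decryption looks up the recipient entry matching the service certificate (issuer + serial). If
     * the message has no such entry the document is returned as it is, so callers that require
     * decryption must check the result.
     *
     * @param cryptoToken unused; the service signs with its own private key
     * @param extendedCAServiceRequest the request, must be a {@link CmsCAServiceRequest}
     * @return the processed document wrapped in a {@link CmsCAServiceResponse}
     * @throws IllegalExtendedCAServiceRequestException if the request is of another type
     * @throws ExtendedCAServiceNotActiveException if the service is not active or its key material is
     *         not loaded (for instance after a failed keystore load at startup)
     * @throws ExtendedCAServiceRequestException wrapping any CMS, encoding or provider failure
     */
    public ExtendedCAServiceResponse extendedService(final CryptoToken cryptoToken, final ExtendedCAServiceRequest extendedCAServiceRequest)
            throws ExtendedCAServiceRequestException, IllegalExtendedCAServiceRequestException, ExtendedCAServiceNotActiveException {
        m_log.trace(">extendedService");
        if (!(extendedCAServiceRequest instanceof CmsCAServiceRequest)) {
            throw new IllegalExtendedCAServiceRequestException();
        }
        if (getStatus() != ExtendedCAServiceInfo.STATUS_ACTIVE) {
            final String notActive = intres.getLocalizedMessage("caservice.notactive", "CMS");
            m_log.error(notActive);
            throw new ExtendedCAServiceNotActiveException(notActive);
        }
        // The stored status may still say "active" while the keystore failed to load; fail with the
        // declared exception instead of a NullPointerException further down.
        if (this.privKey == null || this.certificatechain == null || this.certificatechain.isEmpty()) {
            final String notActive = intres.getLocalizedMessage("caservice.notactive", "CMS");
            m_log.error("CMS service key material is not loaded; " + notActive);
            throw new ExtendedCAServiceNotActiveException(notActive);
        }
        final X509Certificate signerCert = (X509Certificate) this.certificatechain.get(0);
        final CmsCAServiceRequest request = (CmsCAServiceRequest) extendedCAServiceRequest;
        final int mode = request.getMode();
        try {
            byte[] doc = request.getDoc();
            if ((mode & MODE_SIGN) != 0) {
                // SHA-1 is retained for compatibility with existing consumers of this service; changing
                // the digest alters the produced signatures and must be coordinated with those consumers.
                final CMSSignedDataGenerator signer = new CMSSignedDataGenerator();
                signer.addCertificatesAndCRLs(CertStore.getInstance("Collection", new CollectionCertStoreParameters(this.certificatechain), BC));
                signer.addSigner(this.privKey, signerCert, CMSSignedGenerator.DIGEST_SHA1);
                doc = signer.generate(new CMSProcessableByteArray(doc), true, BC).getEncoded();
            }
            if ((mode & MODE_ENCRYPT) != 0) {
                // Same compatibility note applies to the 3DES content-encryption algorithm.
                final CMSEnvelopedDataGenerator enveloper = new CMSEnvelopedDataGenerator();
                enveloper.addKeyTransRecipient(getCMSCertificate());
                doc = enveloper.generate(new CMSProcessableByteArray(doc), CMSEnvelopedDataGenerator.DES_EDE3_CBC, BC).getEncoded();
            }
            if ((mode & MODE_DECRYPT) != 0) {
                final CMSEnvelopedData enveloped = new CMSEnvelopedData(doc);
                final X509Certificate cmsCert = getCMSCertificate();
                final KeyTransRecipientId ourId = new KeyTransRecipientId(
                        X500Name.getInstance(cmsCert.getIssuerX500Principal().getEncoded()), cmsCert.getSerialNumber());
                final RecipientInformation recipient = enveloped.getRecipientInfos().get(ourId);
                if (recipient != null) {
                    final JceKeyTransEnvelopedRecipient unwrapper = new JceKeyTransEnvelopedRecipient(this.privKey);
                    unwrapper.setProvider(BC);
                    doc = recipient.getContent(unwrapper);
                } else {
                    m_log.warn("No recipient entry matching the CMS service certificate; returning the document unchanged");
                }
            }
            final CmsCAServiceResponse response = new CmsCAServiceResponse(doc);
            m_log.trace("<extendedService");
            return response;
        } catch (IOException e) {
            throw logAndWrap(e);
        } catch (InvalidAlgorithmParameterException e) {
            throw logAndWrap(e);
        } catch (NoSuchAlgorithmException e) {
            throw logAndWrap(e);
        } catch (NoSuchProviderException e) {
            throw logAndWrap(e);
        } catch (CertStoreException e) {
            throw logAndWrap(e);
        } catch (CMSException e) {
            throw logAndWrap(e);
        }
    }

    /**
     * Logs a processing failure with its stack trace and wraps it for the caller.
     *
     * @param cause the underlying failure
     * @return the exception to throw, carrying {@code cause}
     */
    private static ExtendedCAServiceRequestException logAndWrap(final Exception cause) {
        m_log.error("Error in CmsCAService", cause);
        return new ExtendedCAServiceRequestException(cause);
    }

    /**
     * Returns the end-entity certificate of the chain, i.e. the first one without a CA basic
     * constraint ({@code getBasicConstraints() == -1}), caching the result.
     *
     * <p>The cache is not synchronized; the selection is deterministic, so a concurrent first call at
     * worst recomputes the same value.
     *
     * @return the service certificate, or null if the chain is not loaded or has no end-entity certificate
     */
    private X509Certificate getCMSCertificate() {
        if (this.cmsCertificate == null && this.certificatechain != null) {
            for (final Certificate cert : this.certificatechain) {
                final X509Certificate x509 = (X509Certificate) cert;
                if (x509.getBasicConstraints() == -1) {
                    this.cmsCertificate = x509;
                    break;
                }
            }
        }
        return this.cmsCertificate;
    }

    /** @return the data-map version this implementation writes, see {@link #LATEST_VERSION} */
    public float getLatestVersion() {
        return LATEST_VERSION;
    }

    /** Upgrades the persisted data map to {@link #LATEST_VERSION}; only the class name and version entries change. */
    public void upgrade() {
        if (Float.compare(LATEST_VERSION, getVersion()) != 0) {
            this.data.put(IMPLCLASS_KEY, getClass().getName());
            this.data.put(VERSION_KEY, Float.valueOf(LATEST_VERSION));
        }
    }

    /**
     * Returns the cached info object, building it from the current data map on first use.
     *
     * @return the {@link CmsCAServiceInfo} describing this service
     */
    public ExtendedCAServiceInfo getExtendedCAServiceInfo() {
        if (this.info == null) {
            this.info = new CmsCAServiceInfo(getStatus(), getSubjectDN(), getSubjectAltName(),
                    (String) this.data.get(KEYSPEC), (String) this.data.get(KEYALGORITHM), this.certificatechain);
        }
        return this.info;
    }

    /** @return the configured subject DN, or null if none is stored */
    private String getSubjectDN() {
        return getBase64Field(SUBJECTDN, "DN");
    }

    /**
     * Stores the subject DN Base64-encoded (UTF-8, no line breaks).
     *
     * @param str the DN; must not be null
     * @throws IllegalArgumentException if {@code str} is null
     */
    private void setSubjectDN(final String str) {
        putBase64Field(SUBJECTDN, str, "subject DN");
    }

    /** @return the configured subject alternative name, or null if none is stored */
    private String getSubjectAltName() {
        return getBase64Field(SUBJECTALTNAME, "altname");
    }

    /**
     * Stores the subject alternative name Base64-encoded (UTF-8, no line breaks).
     *
     * @param str the alt name; must not be null
     * @throws IllegalArgumentException if {@code str} is null
     */
    private void setSubjectAltName(final String str) {
        putBase64Field(SUBJECTALTNAME, str, "subject alt name");
    }

    /**
     * Reads a Base64-encoded UTF-8 string from the data map. Values written before encoding was
     * introduced are stored in plain form; those fail to decode and are returned as they are.
     *
     * @param key data-map key
     * @param label name used in the debug message for legacy plain values
     * @return the decoded value, the legacy plain value, or null if nothing is stored or decoding failed
     */
    private String getBase64Field(final String key, final String label) {
        final String stored = (String) this.data.get(key);
        if (stored == null) {
            return null;
        }
        try {
            // Decode with the same charset used by putBase64Field, not the platform default.
            return new String(Base64.decode(stored.getBytes(UTF8)), UTF8);
        } catch (UnsupportedEncodingException e) {
            m_log.error("Could not decode data from Base64", e);
            return null;
        } catch (DecoderException e) {
            m_log.debug("Old non base64 encoded " + label + ": " + stored);
            return stored;
        }
    }

    /**
     * Writes a string Base64-encoded (UTF-8, no line breaks) into the data map.
     *
     * @param key data-map key
     * @param value the value; must not be null
     * @param what description of the value for the error message
     * @throws IllegalArgumentException if {@code value} is null
     */
    private void putBase64Field(final String key, final String value, final String what) {
        if (value == null) {
            throw new IllegalArgumentException(what + " must not be null");
        }
        try {
            this.data.put(key, new String(Base64.encode(value.getBytes(UTF8), false)));
        } catch (UnsupportedEncodingException e) {
            m_log.error("Could not encode data from Base64", e);
        }
    }
}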
