package org.gluu.oxtrust.action;

import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.spec.RSAPublicKeySpec;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.faces.context.FacesContext;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.WordUtils;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.provider.JCERSAPrivateCrtKey;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;
import org.bouncycastle.util.encoders.Base64;
import org.gluu.oxtrust.ldap.service.ApplianceService;
import org.gluu.oxtrust.ldap.service.OrganizationService;
import org.gluu.oxtrust.ldap.service.SSLService;
import org.gluu.oxtrust.model.GluuAppliance;
import org.gluu.oxtrust.model.GluuCustomPerson;
import org.gluu.oxtrust.model.cert.TrustStoreCertificate;
import org.gluu.oxtrust.model.cert.TrustStoreConfiguration;
import org.gluu.oxtrust.util.OxTrustConstants;
import org.gluu.site.ldap.persistence.exception.LdapMappingException;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.security.Restrict;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.international.StatusMessage;
import org.jboss.seam.log.Log;
import org.richfaces.event.FileUploadEvent;
import org.richfaces.model.UploadedFile;
import org.xdi.config.oxtrust.ApplicationConfiguration;
import org.xdi.util.StringHelper;
import org.xdi.util.io.FileHelper;
import org.xdi.util.io.ResponseHelper;

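/**
 * Seam action backing the "Manage certificates" configuration page.
 *
 * <p>Work happens in a scratch copy of the live certificate directory: {@link #init()}
 * copies every file from {@code applicationConfiguration.getCertDir()} into
 * {@code applicationConfiguration.getTempCertDir()}, uploads are written into that
 * scratch directory, and {@link #update()} copies changed files back to the live
 * directory only after {@link #compare(String)} has confirmed that each of the two
 * server certificates matches its private key. Trust-store certificates are not files:
 * they live on the {@link GluuAppliance} entry and are persisted through
 * {@link ApplianceService#updateAppliance}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Every file name that reaches the filesystem (the {@code str} argument of the
 *       certificate accessors and the upload marker) goes through
 *       {@link #resolveTempCertFile(String)}, which accepts only a plain file name, so a
 *       request cannot read or write outside the scratch directory.</li>
 *   <li>The scratch directory receives copies of the private keys from the live
 *       directory. Its permissions are not managed by this class; the deployment must
 *       keep it readable by the application user only.</li>
 *   <li>State-changing entry points carry the {@code configuration/access} permission
 *       check in addition to the class-level "logged in" restriction.</li>
 * </ul>
 */
@Name("manageCertificateAction")
@Restrict("#{identity.loggedIn}")
@Scope(ScopeType.CONVERSATION)
public class ManageCertificateAction implements Serializable {
    public static final String BEGIN_CERT_REQ = "-----BEGIN CERTIFICATE REQUEST-----";
    public static final String END_CERT_REQ = "-----END CERTIFICATE REQUEST-----";
    private static final long serialVersionUID = 4012709440384265524L;

    /** Signature algorithm for generated CSRs; SHA-1 signed requests are refused by public CAs. */
    private static final String CSR_SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** Width of the base64 lines in the PEM-encoded CSR. */
    private static final int PEM_LINE_WIDTH = 64;
    private static final String CERT_FILE_SUFFIX = ".crt";
    private static final String KEY_FILE_SUFFIX = ".key";
    /**
     * The only shape of file name accepted from the page: no path separators, no
     * absolute or parent components, and nothing that Seam's log/message interpolation
     * could evaluate (it expands {@code #{...}} inside message strings).
     */
    private static final Pattern SAFE_FILE_NAME = Pattern.compile("[A-Za-z0-9._-]+");
    /** Private keys in the cert directory are stored unencrypted; a passphrase is never supplied. */
    private static final PasswordFinder NO_PASSWORD = new PasswordFinder() {
        @Override
        public char[] getPassword() {
            return null;
        }
    };

    @Logger
    private Log log;

    @In("#{facesContext}")
    FacesContext facesContext;

    @In
    private FacesMessages facesMessages;

    @In
    private SSLService sslService;

    @In("#{oxTrustConfiguration.applicationConfiguration}")
    private ApplicationConfiguration applicationConfiguration;

    @In
    private ApplianceService applianceService;

    @In
    protected GluuCustomPerson currentPerson;

    /** Trust-store settings being edited; a copy of the appliance value or a fresh object. */
    private TrustStoreConfiguration trustStoreConfiguration;
    /** Trust-store certificates being edited; bound directly by the page. */
    private List<TrustStoreCertificate> trustStoreCertificates;
    /** Organization inum with punctuation stripped; prefix of every cert/key file name. */
    private String orgInumFN;
    private String tomcatCertFN;
    private String idpCertFN;
    /** Issuer DN attributes of the certificate last shown by {@link #getCert}. */
    private HashMap<String, String> issuer;
    /** Subject DN attributes plus {@code validAfter}/{@code validUntil} of the certificate last shown. */
    private HashMap<String, String> subject;
    /** File name (inside the scratch directory) the next cert/key upload is written to. */
    private String uploadMarker;
    /** Trust-store entry the next upload is stored into; takes precedence over {@link #uploadMarker}. */
    private TrustStoreCertificate trustStoreCertificateUploadMarker;
    private boolean certsManagePossible;
    private boolean initialized;
    /** Set when anything on disk or on the appliance entry changed; triggers a service restart. */
    private boolean wereAnyChanges;

    /**
     * Prepares the conversation: builds the scratch directory and loads the trust-store
     * settings from the appliance entry. Idempotent; a second call returns success
     * without redoing the work.
     *
     * @return {@link OxTrustConstants#RESULT_SUCCESS} or {@link OxTrustConstants#RESULT_FAILURE}
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public String init() {
        if (this.initialized) {
            return OxTrustConstants.RESULT_SUCCESS;
        }
        this.wereAnyChanges = false;
        this.certsManagePossible = prepareTempWorkspace();
        this.orgInumFN = StringHelper.removePunctuation(OrganizationService.instance().getOrganizationInum());
        this.tomcatCertFN = this.orgInumFN + "-java" + CERT_FILE_SUFFIX;
        this.idpCertFN = this.orgInumFN + "-shib" + CERT_FILE_SUFFIX;
        try {
            GluuAppliance appliance = this.applianceService.getAppliance();
            if (appliance == null) {
                this.log.error("Appliance entry not found; certificate management is unavailable");
                return OxTrustConstants.RESULT_FAILURE;
            }
            TrustStoreConfiguration storedConfiguration = appliance.getTrustStoreConfiguration();
            this.trustStoreConfiguration = storedConfiguration != null ? storedConfiguration : new TrustStoreConfiguration();
            List<TrustStoreCertificate> storedCertificates = appliance.getTrustStoreCertificates();
            this.trustStoreCertificates = storedCertificates != null ? storedCertificates : new ArrayList<TrustStoreCertificate>();
            this.initialized = true;
            return OxTrustConstants.RESULT_SUCCESS;
        } catch (Exception e) {
            this.log.error("Failed to load appliance configuration", e);
            return OxTrustConstants.RESULT_FAILURE;
        }
    }

    /**
     * Loads the certificate file {@code str} from the scratch directory into
     * {@link #getIssuer()} / {@link #getSubject()}. An unsafe or unreadable name leaves
     * both maps empty.
     *
     * @param str plain file name inside the scratch directory (no path components)
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void getCert(String str) {
        File certFile = resolveTempCertFile(str);
        X509Certificate parsed = certFile == null ? null : this.sslService.getCertificate(certFile.getPath());
        loadCert(parsed);
    }

    /**
     * Loads the PEM text held by a trust-store entry into {@link #getIssuer()} /
     * {@link #getSubject()}. A null entry or an entry with no certificate text yet
     * (freshly added, nothing uploaded) leaves both maps empty.
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void getCert(TrustStoreCertificate trustStoreCertificate) {
        X509Certificate parsed = null;
        if (trustStoreCertificate != null && !StringHelper.isEmpty(trustStoreCertificate.getCertificate())) {
            byte[] pem = trustStoreCertificate.getCertificate().getBytes(StandardCharsets.UTF_8);
            parsed = this.sslService.getCertificate(new ByteArrayInputStream(pem));
        }
        loadCert(parsed);
    }

    /**
     * Replaces the issuer/subject maps with the attributes of {@code x509Certificate}.
     * The maps are always reset, so the page never shows data from a previous call
     * (and the first call does not hit a null map).
     */
    private void loadCert(X509Certificate x509Certificate) {
        this.issuer = new HashMap<String, String>();
        this.subject = new HashMap<String, String>();
        if (x509Certificate == null) {
            return;
        }
        parseDistinguishedName(x509Certificate.getIssuerX500Principal().getName(), this.issuer);
        parseDistinguishedName(x509Certificate.getSubjectX500Principal().getName(), this.subject);
        this.subject.put("validUntil", StringHelper.toString(x509Certificate.getNotAfter()));
        this.subject.put("validAfter", StringHelper.toString(x509Certificate.getNotBefore()));
    }

    /**
     * Splits an RFC 2253 DN on unescaped commas and stores each RDN as attribute->value.
     * Only the first '=' separates attribute from value, so values containing '=' are
     * kept whole; an RDN without '=' or with an empty value no longer throws.
     */
    private static void parseDistinguishedName(String dn, Map<String, String> target) {
        for (String rdn : dn.split("(?<!\\\\),")) {
            int separator = rdn.indexOf('=');
            if (separator < 0) {
                continue;
            }
            target.put(rdn.substring(0, separator), rdn.substring(separator + 1));
        }
    }

    /**
     * Generates a PKCS#10 request for the key belonging to certificate {@code str} and
     * streams it to the browser as {@code csr.pem}. The subject is {@code CN=<idp host>}
     * taken from the configured IdP URL.
     *
     * @return {@link OxTrustConstants#RESULT_SUCCESS} when the download was sent
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public String generateCSR(String str) {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        KeyPair keyPair = getKeyPair(str);
        String idpUrl = this.applicationConfiguration.getIdpUrl();
        if (keyPair == null || idpUrl == null) {
            this.log.error("CSR not generated: key pair or IdP URL unavailable");
            return OxTrustConstants.RESULT_FAILURE;
        }
        // Strip the scheme ("https://") so the CN is the bare host name.
        String commonName = idpUrl.replaceFirst(".*//", "");
        try {
            PKCS10CertificationRequest csr = new PKCS10CertificationRequest(CSR_SIGNATURE_ALGORITHM,
                    new X500Principal(String.format("CN=%s", commonName)), keyPair.getPublic(), (ASN1Set) null,
                    keyPair.getPrivate());
            String base64Body = new String(Base64.encode(csr.getDEREncoded()), StandardCharsets.US_ASCII);
            String pem = BEGIN_CERT_REQ + "\n"
                    + WordUtils.wrap(base64Body, PEM_LINE_WIDTH, "\n", true) + "\n"
                    + END_CERT_REQ + "\n";
            boolean sent = ResponseHelper.downloadFile("csr.pem", OxTrustConstants.CONTENT_TYPE_TEXT_PLAIN,
                    pem.getBytes(StandardCharsets.UTF_8), this.facesContext);
            return sent ? OxTrustConstants.RESULT_SUCCESS : OxTrustConstants.RESULT_FAILURE;
        } catch (GeneralSecurityException e) {
            this.log.error(e.getMessage(), e);
            return OxTrustConstants.RESULT_FAILURE;
        }
    }

    /**
     * Checks that certificate {@code str} and its key file agree.
     *
     * @return true when the certificate's public key equals the one derived from the key
     *         file, or when neither file exists (nothing to update); false when only one of
     *         them exists or the keys differ
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public boolean compare(String str) {
        KeyPair keyPair = getKeyPair(str);
        File certFile = resolveTempCertFile(str);
        X509Certificate certificate = certFile == null ? null : this.sslService.getCertificate(certFile.getPath());
        boolean bothAbsent = keyPair == null && certificate == null;
        boolean keysMatch = keyPair != null && certificate != null && keyPair.getPublic() != null
                && keyPair.getPublic().equals(certificate.getPublicKey());
        boolean result = bothAbsent || keysMatch;
        this.log.debug(safeForLog(str) + " compare result: " + result);
        return result;
    }

    /**
     * Reads the PEM key file that belongs to certificate {@code certFN} from the scratch
     * directory. Accepts a full key pair or a bare RSA private key (the public key is
     * then derived from modulus and exponent).
     *
     * @return the key pair, or null when the name is unsafe, the file is missing,
     *         unreadable, of an unsupported type, or the public key cannot be derived
     */
    private KeyPair getKeyPair(String certFN) {
        File keyFile = resolveTempCertFile(keyFileNameFor(certFN));
        if (keyFile == null) {
            return null;
        }
        if (!keyFile.isFile()) {
            this.log.error("Key file does not exist : " + keyFile.getAbsolutePath());
            return null;
        }
        try (FileReader fileReader = new FileReader(keyFile);
                PEMReader pemReader = new PEMReader(fileReader, NO_PASSWORD)) {
            Object pemObject = pemReader.readObject();
            if (pemObject == null) {
                this.log.error(" Unable to read keys from: " + keyFile.getAbsolutePath());
                return null;
            }
            KeyPair keyPair;
            if (pemObject instanceof KeyPair) {
                keyPair = (KeyPair) pemObject;
                this.log.debug(keyFile.getAbsolutePath() + "contains KeyPair");
            } else if (pemObject instanceof JCERSAPrivateCrtKey) {
                JCERSAPrivateCrtKey privateKey = (JCERSAPrivateCrtKey) pemObject;
                this.log.debug(keyFile.getAbsolutePath() + "contains JCERSAPrivateCrtKey");
                PublicKey publicKey;
                try {
                    publicKey = KeyFactory.getInstance("RSA")
                            .generatePublic(new RSAPublicKeySpec(privateKey.getModulus(), privateKey.getPublicExponent()));
                } catch (GeneralSecurityException e) {
                    this.log.error("Unable to derive public key from " + keyFile.getAbsolutePath(), e);
                    return null;
                }
                keyPair = new KeyPair(publicKey, privateKey);
            } else {
                this.log.error(keyFile.getAbsolutePath() + " Contains unsupported key type: " + pemObject.getClass().getName());
                return null;
            }
            this.log.debug("KeyPair successfully extracted from: " + keyFile.getAbsolutePath());
            return keyPair;
        } catch (IOException e) {
            this.log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * @return true when both the certificate file {@code str} and a usable key file for
     *         it exist in the scratch directory
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public boolean certPresent(String str) {
        if (getKeyPair(str) == null) {
            return false;
        }
        File certFile = resolveTempCertFile(str);
        return certFile != null && this.sslService.getCertificate(certFile.getPath()) != null;
    }

    /**
     * Maps a certificate file name ({@code <inum>-java.crt}) onto its key file name
     * ({@code <inum>-java.key}). Only a trailing ".crt" is rewritten, so a label that
     * happens to contain "crt" is left alone; names without the suffix keep the legacy
     * replace-everywhere behaviour.
     */
    private static String keyFileNameFor(String certFN) {
        if (certFN == null) {
            return null;
        }
        if (certFN.endsWith(CERT_FILE_SUFFIX)) {
            return certFN.substring(0, certFN.length() - CERT_FILE_SUFFIX.length()) + KEY_FILE_SUFFIX;
        }
        return certFN.replace("crt", "key");
    }

    /**
     * Resolves a page-supplied file name inside the scratch directory. Rejects anything
     * that is not a plain name (path separators, "..", absolute paths, characters outside
     * {@link #SAFE_FILE_NAME}), which is what keeps uploads and reads confined to
     * {@code getTempCertDir()}.
     *
     * @return the file, or null when the name is unsafe or no scratch directory is configured
     */
    private File resolveTempCertFile(String name) {
        String tempCertDir = this.applicationConfiguration.getTempCertDir();
        if (StringHelper.isEmpty(tempCertDir)) {
            this.log.error("Temporary certificates directory is not configured");
            return null;
        }
        if (name == null || ".".equals(name) || "..".equals(name) || !SAFE_FILE_NAME.matcher(name).matches()) {
            this.log.error("Rejected unsafe certificate file name: " + safeForLog(name));
            return null;
        }
        return new File(tempCertDir, name);
    }

    /** Masks every character outside {@link #SAFE_FILE_NAME} so a name is safe to interpolate into a log line. */
    private static String safeForLog(String name) {
        return name == null ? "null" : name.replaceAll("[^A-Za-z0-9._-]", "?");
    }

    public String getIdpCertFN() {
        return this.idpCertFN;
    }

    public String getTomcatCertFN() {
        return this.tomcatCertFN;
    }

    /** @return the configured scratch directory with a trailing separator */
    public String getTempCertDir() {
        return this.applicationConfiguration.getTempCertDir() + File.separator;
    }

    public HashMap<String, String> getIssuer() {
        return this.issuer;
    }

    public HashMap<String, String> getSubject() {
        return this.subject;
    }

    /** Directs the next upload at certificate file {@code str} in the scratch directory. */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void setUploadMarker(String str) {
        this.uploadMarker = str;
        this.trustStoreCertificateUploadMarker = null;
    }

    /** Directs the next upload at the given trust-store entry. */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void setUploadMarker(TrustStoreCertificate trustStoreCertificate) {
        this.uploadMarker = null;
        this.trustStoreCertificateUploadMarker = trustStoreCertificate;
    }

    /**
     * Empties (or creates) the scratch directory and fills it with a copy of every
     * regular file in the live certificate directory. A leftover file that cannot be
     * deleted makes the workspace unusable, because {@link #updateCertificates()} would
     * otherwise copy it into the live directory.
     *
     * @return true when the scratch directory is ready
     */
    private boolean prepareTempWorkspace() {
        String tempCertDir = this.applicationConfiguration.getTempCertDir();
        String certDir = this.applicationConfiguration.getCertDir();
        if (StringHelper.isEmpty(tempCertDir) || certDir == null) {
            this.log.error("Certificate directories are not configured");
            return false;
        }
        File liveDir = new File(certDir);
        if (!liveDir.isDirectory()) {
            this.log.error("Certificates path is not a directory: " + liveDir.getAbsolutePath());
            return false;
        }
        File scratchDir = new File(tempCertDir);
        if (scratchDir.isDirectory()) {
            if (!deleteRegularFiles(scratchDir)) {
                return false;
            }
        } else if (scratchDir.exists()) {
            this.log.error("Temporary certifcates path exists but is not a directory");
            return false;
        } else if (!scratchDir.mkdirs()) {
            this.log.error("Unable to create temporary certificates directory: " + scratchDir.getAbsolutePath());
            return false;
        }
        File[] liveFiles = liveDir.listFiles();
        if (liveFiles == null) {
            this.log.error("Unable to list certificates directory: " + liveDir.getAbsolutePath());
            return false;
        }
        for (File liveFile : liveFiles) {
            if (!liveFile.isFile()) {
                continue;
            }
            try {
                FileHelper.copy(liveFile, new File(scratchDir, liveFile.getName()));
            } catch (IOException e) {
                this.log.error("Unable to populate temp certs directory: ", e);
                return false;
            }
        }
        return true;
    }

    /** Deletes every regular file directly inside {@code dir}; returns false if any deletion fails. */
    private boolean deleteRegularFiles(File dir) {
        File[] entries = dir.listFiles();
        if (entries == null) {
            this.log.error("Unable to list temporary certificates directory: " + dir.getAbsolutePath());
            return false;
        }
        boolean allDeleted = true;
        for (File entry : entries) {
            if (entry.isFile() && !entry.delete()) {
                this.log.error("Unable to delete stale file: " + entry.getAbsolutePath());
                allDeleted = false;
            }
        }
        return allDeleted;
    }

    public static ManageCertificateAction instance() {
        return (ManageCertificateAction) Component.getInstance(ManageCertificateAction.class);
    }

    /**
     * Persists the trust-store settings and, if every certificate matches its key,
     * copies the scratch files back to the live directory. When anything changed the
     * appliance services are restarted.
     *
     * @return {@link OxTrustConstants#RESULT_SUCCESS} or {@link OxTrustConstants#RESULT_FAILURE}
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public String update() {
        if (!isCertsManagePossible()) {
            return OxTrustConstants.RESULT_FAILURE;
        }
        boolean updated = updateTrustCertificates() && updateCertificates();
        if (updated) {
            triggerTrustStoreUpdate();
        }
        return updated ? OxTrustConstants.RESULT_SUCCESS : OxTrustConstants.RESULT_FAILURE;
    }

    /**
     * Writes the edited trust-store configuration and certificate list to the appliance
     * entry, flagging {@link #wereAnyChanges} when either differs from what is stored.
     * An empty certificate list is stored as null.
     */
    private boolean updateTrustCertificates() {
        try {
            GluuAppliance appliance = this.applianceService.getAppliance();
            if (appliance == null) {
                this.log.error("Appliance entry not found; trust store not updated");
                this.facesMessages.add(StatusMessage.Severity.ERROR, "Failed to update appliance");
                return false;
            }
            List<TrustStoreCertificate> storedCertificates = appliance.getTrustStoreCertificates();
            if (storedCertificates == null) {
                storedCertificates = new ArrayList<TrustStoreCertificate>(0);
            }
            boolean configurationChanged = !this.trustStoreConfiguration.equals(appliance.getTrustStoreConfiguration());
            boolean certificatesChanged = !this.trustStoreCertificates.equals(storedCertificates);
            if (configurationChanged || certificatesChanged) {
                this.wereAnyChanges = true;
            }
            appliance.setTrustStoreConfiguration(this.trustStoreConfiguration);
            appliance.setTrustStoreCertificates(this.trustStoreCertificates.isEmpty() ? null : this.trustStoreCertificates);
            this.applianceService.updateAppliance(appliance);
            return true;
        } catch (LdapMappingException e) {
            this.log.error("Failed to update appliance configuration", e);
            this.facesMessages.add(StatusMessage.Severity.ERROR, "Failed to update appliance");
            return false;
        }
    }

    /**
     * Copies every scratch file whose content differs from the live copy into the live
     * directory, after verifying both server certificates against their keys.
     *
     * @return false when verification fails, the directories are unusable, or a copy
     *         fails (the live directory may then be partially updated; the caller must
     *         not treat the run as successful)
     */
    private boolean updateCertificates() {
        if (!compare(this.tomcatCertFN) || !compare(this.idpCertFN)) {
            this.facesMessages.add(StatusMessage.Severity.ERROR, "Certificates and private keys should match. Certificate update aborted.");
            return false;
        }
        String tempCertDir = this.applicationConfiguration.getTempCertDir();
        String certDir = this.applicationConfiguration.getCertDir();
        File[] scratchFiles = (tempCertDir == null || certDir == null) ? null : new File(tempCertDir).listFiles();
        if (scratchFiles == null || !new File(certDir).isDirectory()) {
            this.facesMessages.add(StatusMessage.Severity.ERROR, "Certificate update aborted due to filesystem error");
            return false;
        }
        File liveDir = new File(certDir);
        for (File scratchFile : scratchFiles) {
            if (!scratchFile.isFile()) {
                continue;
            }
            File liveFile = new File(liveDir, scratchFile.getName());
            try {
                if (!FileUtils.contentEquals(scratchFile, liveFile)) {
                    FileHelper.copy(scratchFile, liveFile);
                    this.wereAnyChanges = true;
                }
            } catch (IOException e) {
                this.facesMessages.add(StatusMessage.Severity.FATAL, "Certificate update failed. Certificates may have been corrupted. Please contact a Gluu administrator for help.");
                this.log.fatal("Error occured on certificates update:", e);
                return false;
            }
        }
        return true;
    }

    /**
     * After a successful update with changes: removes the derived Java key stores so they
     * are rebuilt from the new certificate, restarts the appliance services and warns
     * the user.
     */
    private void triggerTrustStoreUpdate() {
        if (!this.wereAnyChanges) {
            return;
        }
        File liveDir = new File(this.applicationConfiguration.getCertDir());
        for (String suffix : new String[] { "-java.pkcs12", "-java.pem", "-java.jks" }) {
            String fileName = this.orgInumFN + suffix;
            boolean deleted = new File(liveDir, fileName).delete();
            this.log.info("Deleting " + fileName + " : " + deleted);
        }
        ApplianceService.instance().restartServices();
        this.facesMessages.add(StatusMessage.Severity.WARN, "Certificates were updated and appliance service will be restarted. Please log in again in 5 minutes.");
        this.wereAnyChanges = false;
    }

    /** No-op; the conversation state is simply abandoned. */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void cancel() {
    }

    /**
     * Upload listener for certificates: stores into the selected trust-store entry when
     * one is marked, otherwise into the marked certificate file.
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void certUpload(FileUploadEvent fileUploadEvent) {
        if (this.trustStoreCertificateUploadMarker == null) {
            updateCert(fileUploadEvent.getUploadedFile());
        } else {
            updateTrustStoreCert(fileUploadEvent.getUploadedFile());
        }
    }

    /** Writes an uploaded certificate to the file named by {@link #uploadMarker}. */
    private void updateCert(UploadedFile uploadedFile) {
        File target = resolveTempCertFile(this.uploadMarker);
        if (target == null) {
            this.facesMessages.add(StatusMessage.Severity.ERROR, "No valid certificate slot selected for upload");
            return;
        }
        writeUpload(uploadedFile, target, "certificate");
    }

    /**
     * Stores an uploaded PEM certificate into the marked trust-store entry, but only if
     * it parses as X.509 so that no garbage is persisted to the appliance trust store.
     * Assumes {@code sslService.getCertificate} returns null for unparsable input, as
     * {@link #compare(String)} already relies on.
     */
    private void updateTrustStoreCert(UploadedFile uploadedFile) {
        try (InputStream in = uploadedFile.getInputStream()) {
            String pem = IOUtils.toString(in, "UTF-8");
            X509Certificate parsed = this.sslService.getCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
            if (parsed == null) {
                this.facesMessages.add(StatusMessage.Severity.ERROR, "Uploaded file is not a valid X.509 certificate");
                return;
            }
            this.trustStoreCertificateUploadMarker.setCertificate(pem);
            this.trustStoreCertificateUploadMarker.setAddedAt(new Date());
            this.trustStoreCertificateUploadMarker.setAddedBy(this.currentPerson.getDn());
        } catch (IOException e) {
            this.log.error("Failed to upload trust store certificate", e);
        }
    }

    /** Upload listener for private keys belonging to the marked certificate. */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void keyUpload(FileUploadEvent fileUploadEvent) {
        updateKey(fileUploadEvent.getUploadedFile());
    }

    /** Writes an uploaded private key to the key file derived from {@link #uploadMarker}. */
    private void updateKey(UploadedFile uploadedFile) {
        File target = resolveTempCertFile(keyFileNameFor(this.uploadMarker));
        if (target == null) {
            this.facesMessages.add(StatusMessage.Severity.ERROR, "No valid certificate slot selected for key upload");
            return;
        }
        writeUpload(uploadedFile, target, "key");
    }

    /**
     * Streams an upload into {@code target}, overwriting it.
     *
     * @param what noun used in the error log ("certificate" / "key")
     * @return true when the file was written completely
     */
    private boolean writeUpload(UploadedFile uploadedFile, File target, String what) {
        try (InputStream in = uploadedFile.getInputStream();
                OutputStream out = new BufferedOutputStream(new FileOutputStream(target))) {
            IOUtils.copy(in, out);
            out.flush();
            return true;
        } catch (IOException e) {
            this.log.error("Failed to upload " + what, e);
            return false;
        }
    }

    /** Adds an empty trust-store entry (certificate text is filled in by a later upload). */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void addPublicCertificate() {
        TrustStoreCertificate trustStoreCertificate = new TrustStoreCertificate();
        trustStoreCertificate.setAddedAt(new Date());
        trustStoreCertificate.setAddedBy(this.currentPerson.getDn());
        this.trustStoreCertificates.add(trustStoreCertificate);
    }

    /**
     * Removes exactly the given entry (by object identity, not {@code equals}, since
     * several entries can be equal while only one of them is the row the user clicked).
     */
    @Restrict("#{s:hasPermission('configuration', 'access')}")
    public void removePublicCertificate(TrustStoreCertificate trustStoreCertificate) {
        Iterator<TrustStoreCertificate> entries = this.trustStoreCertificates.iterator();
        while (entries.hasNext()) {
            if (entries.next() == trustStoreCertificate) {
                entries.remove();
                return;
            }
        }
    }

    public boolean isInitialized() {
        return this.initialized;
    }

    /** @return whether the scratch directory could be prepared; {@link #update()} refuses to run otherwise */
    public boolean isCertsManagePossible() {
        return this.certsManagePossible;
    }

    public TrustStoreConfiguration getTrustStoreConfiguration() {
        return this.trustStoreConfiguration;
    }

    public List<TrustStoreCertificate> getTrustStoreCertificates() {
        return this.trustStoreCertificates;
    }
}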
