package org.jivesoftware.util;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/util/CertificateManager.class */
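/**
 * Utility methods for creating, inspecting and installing X.509 certificates in a
 * {@link KeyStore}, plus a listener registry that is notified of create/sign/delete events.
 * <p>
 * All state is static; the Bouncy Castle provider is registered once when the class loads.
 * Listener callbacks are invoked on the calling thread and any exception they throw is
 * logged and otherwise ignored, so a misbehaving listener cannot abort a keystore update.
 */
public class CertificateManager {
    /** OID of the id-on-xmppAddr otherName carried in subjectAltName extensions. */
    private static final String OTHERNAME_XMPP_OID = "1.3.6.1.5.5.7.8.5";
    /** Width of each Base64 line when a certificate request is rendered in PEM style. */
    private static final int CERT_REQ_LINE_LENGTH = 76;
    /** One "month" of certificate validity, measured as 30 days in milliseconds. */
    private static final long MONTH_MILLIS = 2592000000L;
    private static final Logger Log = LoggerFactory.getLogger(CertificateManager.class);
    /** Matches every {@code CN=value} attribute of a DN string; group 2 holds the value. */
    private static final Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
    /** Matches every {@code =value} attribute of a DN string; group 2 holds the value. */
    private static final Pattern valuesPattern = Pattern.compile("(?i)(=)([^,]*)");
    /** Provider used for key generation and certificate signing ("BC" by name). */
    private static final Provider provider = new BouncyCastleProvider();
    /** Registered listeners; copy-on-write so iteration never sees concurrent modification. */
    private static final List<CertificateEventListener> listeners = new CopyOnWriteArrayList<CertificateEventListener>();

    /**
     * Creates a self-signed DSA certificate with a freshly generated key pair, stores the key
     * and certificate under {@code alias}, and notifies listeners of the creation.
     * <p>
     * The key size comes from the {@code cert.dsa.keysize} property (default 1024) and the
     * certificate is signed with SHA1withDSA for 60 months.
     * NOTE(review): SHA-1 signatures and a 1024-bit DSA default are below current guidance;
     * changing them alters what the server presents to peers, so they are left as-is here.
     *
     * @param ksKeys      keystore that receives the new key entry
     * @param keyPassword password protecting the new key entry
     * @param alias       alias under which the entry is stored
     * @param issuerDN    issuer distinguished name
     * @param subjectDN   subject distinguished name
     * @param domain      XMPP domain written into the id-on-xmppAddr subjectAltName
     * @return the generated certificate
     * @throws GeneralSecurityException if key generation, signing or storing fails
     * @throws IOException if the certificate cannot be encoded
     */
    public static X509Certificate createDSACert(KeyStore ksKeys, String keyPassword, String alias, String issuerDN, String subjectDN, String domain) throws GeneralSecurityException, IOException {
        int keySize = JiveGlobals.getIntProperty("cert.dsa.keysize", 1024);
        KeyPair keyPair = generateKeyPair("DSA", keySize);
        X509Certificate cert = createX509V3Certificate(keyPair, 60, issuerDN, subjectDN, domain, "SHA1withDSA");
        ksKeys.setKeyEntry(alias, keyPair.getPrivate(), keyPassword.toCharArray(), new X509Certificate[]{cert});
        notifyCertificateCreated(ksKeys, alias, cert);
        return cert;
    }

    /**
     * Creates a self-signed RSA certificate with a freshly generated key pair, stores the key
     * and certificate under {@code alias}, and notifies listeners of the creation.
     * <p>
     * The key size comes from the {@code cert.rsa.keysize} property (default 2048) and the
     * certificate is signed with SHA1WITHRSAENCRYPTION for 60 months.
     * NOTE(review): SHA-1 signatures are below current guidance; changing the algorithm alters
     * what the server presents to peers, so it is left as-is here.
     *
     * @param ksKeys      keystore that receives the new key entry
     * @param keyPassword password protecting the new key entry
     * @param alias       alias under which the entry is stored
     * @param issuerDN    issuer distinguished name
     * @param subjectDN   subject distinguished name
     * @param domain      XMPP domain written into the id-on-xmppAddr subjectAltName
     * @return the generated certificate
     * @throws GeneralSecurityException if key generation, signing or storing fails
     * @throws IOException if the certificate cannot be encoded
     */
    public static X509Certificate createRSACert(KeyStore ksKeys, String keyPassword, String alias, String issuerDN, String subjectDN, String domain) throws GeneralSecurityException, IOException {
        int keySize = JiveGlobals.getIntProperty("cert.rsa.keysize", 2048);
        KeyPair keyPair = generateKeyPair("RSA", keySize);
        X509Certificate cert = createX509V3Certificate(keyPair, 60, issuerDN, subjectDN, domain, "SHA1WITHRSAENCRYPTION");
        ksKeys.setKeyEntry(alias, keyPair.getPrivate(), keyPassword.toCharArray(), new X509Certificate[]{cert});
        notifyCertificateCreated(ksKeys, alias, cert);
        return cert;
    }

    /**
     * Removes the entry stored under {@code alias} and notifies listeners of the deletion.
     *
     * @param ksKeys keystore holding the entry
     * @param alias  alias of the entry to delete
     * @throws GeneralSecurityException if the keystore rejects the deletion
     * @throws IOException declared for API compatibility; not thrown by this implementation
     */
    public static void deleteCertificate(KeyStore ksKeys, String alias) throws GeneralSecurityException, IOException {
        ksKeys.deleteEntry(alias);
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateDeleted(ksKeys, alias);
            } catch (Exception e) {
                Log.error(e.getMessage(), e);
            }
        }
    }

    /**
     * Returns the identities a peer may claim with this certificate: every id-on-xmppAddr
     * otherName from the subjectAltName extension, or - when there are none - every CN value
     * found in the subject DN string.
     * <p>
     * Note that dNSName subjectAltName entries are not collected by this method.
     *
     * @param certificate certificate to inspect
     * @return identities in the order found; empty if neither source yields any
     */
    public static List<String> getPeerIdentities(X509Certificate certificate) {
        List<String> identities = getSubjectAlternativeNames(certificate);
        if (!identities.isEmpty()) {
            return identities;
        }
        // Fallback: harvest every CN attribute of the subject DN. The DN string form is
        // whatever the certificate provider produces for getSubjectDN().getName().
        List<String> commonNames = new ArrayList<String>();
        Matcher matcher = cnPattern.matcher(certificate.getSubjectDN().getName());
        while (matcher.find()) {
            commonNames.add(matcher.group(2));
        }
        return commonNames;
    }

    /**
     * Extracts the id-on-xmppAddr values from the certificate's subjectAltName extension.
     * <p>
     * Only otherName entries (GeneralName type 0) are examined; entries that cannot be decoded
     * are skipped, and a certificate whose extension cannot be parsed yields an empty list.
     *
     * @param certificate certificate to inspect
     * @return the non-empty xmppAddr strings found, possibly empty; never null
     */
    private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
        Collection<List<?>> altNames;
        try {
            altNames = certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            Log.error("CertificateManager: Error parsing SubjectAltName in certificate: " + certificate.getSubjectDN(), e);
            return Collections.emptyList();
        }
        if (altNames == null) {
            return Collections.emptyList();
        }
        List<String> identities = new ArrayList<String>();
        for (List<?> entry : altNames) {
            // entry.get(0) is the GeneralName type; only otherName (0) can carry an xmppAddr.
            if (((Integer) entry.get(0)).intValue() != 0) {
                continue;
            }
            DERSequence otherName;
            DERObjectIdentifier typeId;
            try {
                // For otherName the JDK hands back the DER-encoded value as a byte[].
                otherName = (DERSequence) new ASN1InputStream((byte[]) entry.get(1)).readObject();
                typeId = (DERObjectIdentifier) otherName.getObjectAt(0);
            } catch (IOException e) {
                // Undecodable entry (includes UnsupportedEncodingException); skip it.
                continue;
            } catch (Exception e) {
                Log.error("CertificateManager: Error decoding subjectAltName", e);
                continue;
            }
            if (!OTHERNAME_XMPP_OID.equals(typeId.getId())) {
                Log.debug("CertificateManager: Ignoring non-XMPP otherName, " + typeId.getId());
                continue;
            }
            String xmppAddr = DERUTF8String.getInstance(otherName.getObjectAt(1)).getString();
            if (xmppAddr != null && xmppAddr.length() > 0) {
                identities.add(xmppAddr);
            }
        }
        return identities;
    }

    /**
     * Tells whether the keystore holds an RSA certificate whose identity ends with
     * {@code domain} ({@code "*"} matches any identity).
     *
     * @throws KeyStoreException if the keystore has not been initialized
     */
    public static boolean isRSACertificate(KeyStore ksKeys, String domain) throws KeyStoreException {
        return isCertificate(ksKeys, domain, "RSA");
    }

    /**
     * Tells whether the keystore holds a DSA certificate whose identity ends with
     * {@code domain} ({@code "*"} matches any identity).
     *
     * @throws KeyStoreException if the keystore has not been initialized
     */
    public static boolean isDSACertificate(KeyStore ksKeys, String domain) throws KeyStoreException {
        return isCertificate(ksKeys, domain, "DSA");
    }

    /**
     * Tells whether the certificate's public key uses the DSA algorithm.
     *
     * @throws KeyStoreException declared for API compatibility; not thrown by this implementation
     */
    public static boolean isDSACertificate(X509Certificate certificate) throws KeyStoreException {
        return certificate.getPublicKey().getAlgorithm().equals("DSA");
    }

    /**
     * Scans every alias for an X.509 certificate with the given public-key algorithm whose
     * peer identity ends with {@code domain}. Entries that hold no X.509 certificate (for
     * example secret-key entries) are skipped.
     * <p>
     * NOTE(review): the match is a plain suffix test, so {@code domain = "example.com"} is also
     * matched by an identity such as {@code notexample.com}; callers relying on exact domain
     * ownership should compare full labels.
     *
     * @param ksKeys    keystore to scan
     * @param domain    domain suffix to look for, or {@code "*"} for any identity
     * @param algorithm public-key algorithm name as reported by {@link PublicKey#getAlgorithm()}
     * @return true if a matching certificate exists
     * @throws KeyStoreException if the keystore has not been initialized
     */
    private static boolean isCertificate(KeyStore ksKeys, String domain, String algorithm) throws KeyStoreException {
        boolean anyDomain = "*".equals(domain);
        Enumeration<String> aliases = ksKeys.aliases();
        while (aliases.hasMoreElements()) {
            Certificate stored = ksKeys.getCertificate(aliases.nextElement());
            if (!(stored instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) stored;
            if (!cert.getPublicKey().getAlgorithm().equals(algorithm)) {
                continue;
            }
            if (anyDomain) {
                return true;
            }
            for (String identity : getPeerIdentities(cert)) {
                if (identity.endsWith(domain)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Treats an entry as self-signed when its stored chain has exactly one certificate or no
     * chain at all (which is also what an unknown alias yields). The signature itself is not
     * checked.
     *
     * @throws KeyStoreException if the keystore has not been initialized
     */
    public static boolean isSelfSignedCertificate(KeyStore keyStore, String alias) throws KeyStoreException {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        return chain == null || chain.length == 1;
    }

    /**
     * Looks up the alias of {@code certificate} and delegates to
     * {@link #isSelfSignedCertificate(KeyStore, String)}.
     *
     * @throws KeyStoreException if the certificate is not in the store or the store is uninitialized
     */
    public static boolean isSelfSignedCertificate(KeyStore keyStore, X509Certificate certificate) throws KeyStoreException {
        String alias = keyStore.getCertificateAlias(certificate);
        if (alias == null) {
            throw new KeyStoreException("Certificate not found in store: " + certificate);
        }
        return isSelfSignedCertificate(keyStore, alias);
    }

    /**
     * Heuristically reports whether a CA reply is still awaited for {@code alias}: the entry must
     * be self-signed and its issuer DN must contain at least two {@code =value} attributes
     * (presumably distinguishing an admin-supplied DN from a minimal default one - confirm with
     * callers). An alias with no X.509 certificate is never pending.
     *
     * @throws KeyStoreException if the keystore has not been initialized
     */
    public static boolean isSigningRequestPending(KeyStore keyStore, String alias) throws KeyStoreException {
        if (!isSelfSignedCertificate(keyStore, alias)) {
            return false;
        }
        Certificate stored = keyStore.getCertificate(alias);
        if (!(stored instanceof X509Certificate)) {
            return false;
        }
        Matcher matcher = valuesPattern.matcher(((X509Certificate) stored).getIssuerDN().toString());
        // Two successful find() calls == at least two attributes in the issuer DN.
        return matcher.find() && matcher.find();
    }

    /**
     * Builds a PKCS#10 certificate signing request for the subject and public key of
     * {@code certificate}, signed with {@code privateKey}, and renders it as PEM text with
     * {@code NEW CERTIFICATE REQUEST} markers and {@value #CERT_REQ_LINE_LENGTH}-column lines.
     * <p>
     * DSA keys are signed with SHA1withDSA, everything else with SHA1WITHRSAENCRYPTION.
     *
     * @param certificate certificate supplying subject DN and public key
     * @param privateKey  key used to sign the request
     * @return the PEM-formatted request, terminated by a newline
     * @throws Exception if the request cannot be built or encoded
     */
    public static String createSigningRequest(X509Certificate certificate, PrivateKey privateKey) throws Exception {
        X509Name subject = new X509Name(certificate.getSubjectDN().getName());
        PublicKey publicKey = certificate.getPublicKey();
        String signAlgorithm = "DSA".equals(publicKey.getAlgorithm()) ? "SHA1withDSA" : "SHA1WITHRSAENCRYPTION";
        PKCS10CertificationRequest request = new PKCS10CertificationRequest(signAlgorithm, subject, publicKey, (ASN1Set) null, privateKey);
        ByteArrayOutputStream der = new ByteArrayOutputStream();
        new DEROutputStream(der).writeObject(request.getDERObject());
        // Base64 output is pure ASCII, so the platform charset used by new String(byte[]) is safe.
        String base64 = new String(org.bouncycastle.util.encoders.Base64.encode(der.toByteArray()));
        StringBuilder pem = new StringBuilder(base64.length() + base64.length() / CERT_REQ_LINE_LENGTH + 80);
        pem.append("-----BEGIN NEW CERTIFICATE REQUEST-----\n");
        for (int pos = 0; pos < base64.length(); pos += CERT_REQ_LINE_LENGTH) {
            int end = Math.min(pos + CERT_REQ_LINE_LENGTH, base64.length());
            pem.append(base64, pos, end).append('\n');
        }
        pem.append("-----END NEW CERTIFICATE REQUEST-----\n");
        return pem.toString();
    }

    /**
     * Installs a CA reply for an existing key entry. The reply may be a single certificate
     * (a chain is then built from the keystore and, optionally, the trust store) or a full
     * chain (which is ordered and verified). On success the entry's chain is replaced and
     * listeners are told the certificate was signed.
     * <p>
     * The stored certificate is passed along so that the reply is rejected unless it carries
     * the public key already held under {@code alias}.
     *
     * @param keyStore     keystore holding the entry
     * @param trustStore   trust store consulted when {@code trustCACerts} is true
     * @param keyPassword  password of the key entry
     * @param alias        alias of the entry to update
     * @param inputStream  PEM or DER certificate(s) of the reply
     * @param trustCACerts whether the trust store may supply issuer certificates
     * @param validateRoot whether the top of a multi-certificate reply must be known or trusted
     * @return true if the reply was installed; false if the alias is unknown or the root could
     *         not be validated
     * @throws Exception if the reply is empty, its key does not match, or its chain is invalid
     */
    public static boolean installReply(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream inputStream, boolean trustCACerts, boolean validateRoot) throws Exception {
        Certificate stored = keyStore.getCertificate(alias);
        if (!(stored instanceof X509Certificate)) {
            Log.warn("Certificate not found for alias: " + alias);
            return false;
        }
        X509Certificate certificate = (X509Certificate) stored;
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, keyPassword.toCharArray());
        List<X509Certificate> replyCerts = readX509Certificates(inputStream);
        if (replyCerts.isEmpty()) {
            throw new Exception("Reply has no certificates");
        }
        List<X509Certificate> chain = replyCerts.size() == 1
                ? establishCertChain(keyStore, trustStore, certificate, replyCerts.get(0), trustCACerts)
                : validateReply(keyStore, trustStore, alias, certificate, replyCerts, trustCACerts, validateRoot);
        if (chain == null) {
            return false;
        }
        keyStore.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), chain.toArray(new X509Certificate[chain.size()]));
        notifyCertificateSigned(keyStore, alias, chain);
        return true;
    }

    /**
     * Installs a PEM private key together with its certificate(s) as a new key entry.
     * Listeners are told a certificate was created and, when the resulting chain has more than
     * one certificate, that it was signed.
     * <p>
     * NOTE(review): the supplied key is stored without checking that it matches the public key
     * of the first certificate; a mismatch only surfaces later, at TLS handshake time.
     *
     * @param keyStore      keystore that receives the entry
     * @param trustStore    trust store consulted when {@code trustCACerts} is true
     * @param keyPassword   password protecting the new key entry
     * @param alias         alias for the new entry; must not already hold a certificate
     * @param pkInputStream PEM-encoded private key
     * @param passPhrase    pass phrase of the private key, or null if unencrypted
     * @param inputStream   PEM or DER certificate(s)
     * @param trustCACerts  whether the trust store may supply issuer certificates
     * @param validateRoot  whether the top of a multi-certificate chain must be known or trusted
     * @return true if the entry was installed; false if the alias is taken or the root could
     *         not be validated
     * @throws Exception if the key cannot be read, no certificate is found, or the chain is invalid
     */
    public static boolean installCert(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream pkInputStream, final String passPhrase, InputStream inputStream, boolean trustCACerts, boolean validateRoot) throws Exception {
        if (keyStore.getCertificate(alias) != null) {
            Log.warn("Certificate already exists for alias: " + alias);
            return false;
        }
        PEMReader pemReader = new PEMReader(new InputStreamReader(pkInputStream), new PasswordFinder() {
            public char[] getPassword() {
                return passPhrase != null ? passPhrase.toCharArray() : new char[0];
            }
        });
        // The reader is a wrapper around the caller's stream; the caller keeps ownership of it.
        Object pemObject = pemReader.readObject();
        if (!(pemObject instanceof KeyPair)) {
            throw new Exception("Private key input does not contain a PEM-encoded key pair");
        }
        PrivateKey privateKey = ((KeyPair) pemObject).getPrivate();
        List<X509Certificate> certs = readX509Certificates(inputStream);
        if (certs.isEmpty()) {
            throw new Exception("No certificates were found");
        }
        // Nothing is stored under the alias yet, so there is no existing certificate to compare.
        List<X509Certificate> chain = certs.size() == 1
                ? establishCertChain(keyStore, trustStore, null, certs.get(0), trustCACerts)
                : validateReply(keyStore, trustStore, alias, null, certs, trustCACerts, validateRoot);
        if (chain == null) {
            return false;
        }
        keyStore.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), chain.toArray(new X509Certificate[chain.size()]));
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateCreated(keyStore, alias, certs.get(0));
                if (chain.size() > 1) {
                    listener.certificateSigned(keyStore, alias, chain);
                }
            } catch (Exception e) {
                Log.error(e.getMessage(), e);
            }
        }
        return true;
    }

    /**
     * Registers a listener for certificate events.
     *
     * @throws NullPointerException if {@code listener} is null
     */
    public static void addListener(CertificateEventListener listener) {
        if (listener == null) {
            throw new NullPointerException("listener");
        }
        listeners.add(listener);
    }

    /** Unregisters a listener; a no-op if it was never registered. */
    public static void removeListener(CertificateEventListener listener) {
        listeners.remove(listener);
    }

    /** Invokes {@code certificateCreated} on every listener, logging (not propagating) failures. */
    private static void notifyCertificateCreated(KeyStore keyStore, String alias, X509Certificate cert) {
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateCreated(keyStore, alias, cert);
            } catch (Exception e) {
                Log.error(e.getMessage(), e);
            }
        }
    }

    /** Invokes {@code certificateSigned} on every listener, logging (not propagating) failures. */
    private static void notifyCertificateSigned(KeyStore keyStore, String alias, List<X509Certificate> chain) {
        for (CertificateEventListener listener : listeners) {
            try {
                listener.certificateSigned(keyStore, alias, chain);
            } catch (Exception e) {
                Log.error(e.getMessage(), e);
            }
        }
    }

    /**
     * Parses every certificate in the stream with the "X509" certificate factory.
     *
     * @param inputStream PEM or DER certificate data
     * @return the certificates in stream order; empty if none were found
     * @throws CertificateException if the data cannot be parsed
     */
    private static List<X509Certificate> readX509Certificates(InputStream inputStream) throws CertificateException {
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (Certificate cert : CertificateFactory.getInstance("X509").generateCertificates(inputStream)) {
            certs.add((X509Certificate) cert);
        }
        return certs;
    }

    /**
     * Builds the chain for a single-certificate reply from certificates already present in the
     * keystore and, when {@code trustCACerts} is set, the trust store.
     * <p>
     * When {@code certificate} (the entry currently stored) is given, the reply must carry the
     * same public key and must not be the very same certificate. Trust-store certificates are
     * merged after keystore ones, so for an identical subject DN they replace the keystore's list.
     *
     * @return the chain, leaf first, root last
     * @throws Exception if the keys differ, the reply is a duplicate, or no chain can be built
     */
    private static List<X509Certificate> establishCertChain(KeyStore keyStore, KeyStore trustStore, X509Certificate certificate, X509Certificate certReply, boolean trustCACerts) throws Exception {
        if (certificate != null) {
            if (!certificate.getPublicKey().equals(certReply.getPublicKey())) {
                throw new Exception("Public keys in reply and keystore don't match");
            }
            if (certReply.equals(certificate)) {
                throw new Exception("Certificate reply and certificate in keystore are identical");
            }
        }
        Map<Principal, List<X509Certificate>> certsBySubject = new HashMap<Principal, List<X509Certificate>>();
        if (keyStore.size() > 0) {
            certsBySubject.putAll(getCertsByIssuer(keyStore));
        }
        if (trustCACerts && trustStore.size() > 0) {
            certsBySubject.putAll(getCertsByIssuer(trustStore));
        }
        LinkedList<X509Certificate> chain = new LinkedList<X509Certificate>();
        if (buildChain(certReply, chain, certsBySubject)) {
            return chain;
        }
        throw new Exception("Failed to establish chain from reply");
    }

    /**
     * Recursively prepends {@code certificate} and its issuers to {@code chain}.
     * <p>
     * A certificate whose subject equals its issuer terminates the chain and is accepted
     * without a signature check. Otherwise the candidates stored under the issuer DN are tried
     * in order; the first one whose key verifies this certificate and that itself chains to a
     * root is used. Nothing is added to {@code chain} unless the whole chain above succeeds.
     *
     * @param certificate  certificate to chain
     * @param chain        receives the chain, leaf first
     * @param certsBySubject candidate issuers keyed by their subject DN
     * @return true if a complete chain was prepended
     */
    private static boolean buildChain(X509Certificate certificate, LinkedList<X509Certificate> chain, Map<Principal, List<X509Certificate>> certsBySubject) {
        Principal subject = certificate.getSubjectDN();
        Principal issuer = certificate.getIssuerDN();
        if (subject.equals(issuer)) {
            chain.addFirst(certificate);
            return true;
        }
        List<X509Certificate> candidates = certsBySubject.get(issuer);
        if (candidates == null || candidates.isEmpty()) {
            return false;
        }
        for (X509Certificate issuerCert : candidates) {
            try {
                certificate.verify(issuerCert.getPublicKey());
            } catch (Exception e) {
                // Same subject DN but not the signer of this certificate; try the next candidate.
                continue;
            }
            if (buildChain(issuerCert, chain, certsBySubject)) {
                chain.addFirst(certificate);
                return true;
            }
        }
        return false;
    }

    /**
     * Indexes every X.509 certificate in the keystore by its subject DN, so that a
     * certificate's issuer DN can be looked up to find candidate signers. Duplicates under the
     * same DN are dropped; entries without an X.509 certificate are skipped.
     *
     * @throws Exception if the keystore has not been initialized
     */
    private static Map<Principal, List<X509Certificate>> getCertsByIssuer(KeyStore ks) throws Exception {
        Map<Principal, List<X509Certificate>> bySubject = new HashMap<Principal, List<X509Certificate>>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate stored = ks.getCertificate(aliases.nextElement());
            if (!(stored instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) stored;
            Principal subject = cert.getSubjectDN();
            List<X509Certificate> sameSubject = bySubject.get(subject);
            if (sameSubject == null) {
                sameSubject = new ArrayList<X509Certificate>();
                bySubject.put(subject, sameSubject);
            }
            if (!sameSubject.contains(cert)) {
                sameSubject.add(cert);
            }
        }
        return bySubject;
    }

    /**
     * Orders and verifies a multi-certificate reply in place.
     * <ol>
     * <li>If {@code certificate} is given, the reply certificate carrying its public key is
     *     moved to the front; its absence is an error.</li>
     * <li>Certificates are reordered so each is followed by the one whose subject matches its
     *     issuer. The last element is not matched by DN; step 3 catches it.</li>
     * <li>Each certificate's signature is verified with the next one's public key.</li>
     * <li>When {@code validateRoot} is set, the top certificate must already be in the keystore
     *     or (with {@code trustCACerts}) the trust store, or be verifiable by some trust-store
     *     certificate - which is then appended unless the top certificate is self-signed.</li>
     * </ol>
     *
     * @param replyCerts the reply; modified in place and returned
     * @return the ordered chain, or null if root validation failed
     * @throws Exception if the reply lacks the stored key, is incomplete, or does not verify
     */
    private static List<X509Certificate> validateReply(KeyStore keyStore, KeyStore trustStore, String alias, X509Certificate certificate, List<X509Certificate> replyCerts, boolean trustCACerts, boolean validateRoot) throws Exception {
        if (certificate != null) {
            PublicKey storedKey = certificate.getPublicKey();
            int match = 0;
            while (match < replyCerts.size() && !storedKey.equals(replyCerts.get(match).getPublicKey())) {
                match++;
            }
            if (match == replyCerts.size()) {
                throw new Exception("Certificate reply does not contain public key for <alias>: " + alias);
            }
            Collections.swap(replyCerts, 0, match);
        }
        Principal issuer = replyCerts.get(0).getIssuerDN();
        for (int pos = 1; pos < replyCerts.size() - 1; pos++) {
            int found = pos;
            while (found < replyCerts.size() && !replyCerts.get(found).getSubjectDN().equals(issuer)) {
                found++;
            }
            if (found == replyCerts.size()) {
                throw new Exception("Incomplete certificate chain in reply");
            }
            Collections.swap(replyCerts, pos, found);
            issuer = replyCerts.get(pos).getIssuerDN();
        }
        for (int pos = 0; pos < replyCerts.size() - 1; pos++) {
            try {
                replyCerts.get(pos).verify(replyCerts.get(pos + 1).getPublicKey());
            } catch (Exception e) {
                throw new Exception("Certificate chain in reply does not verify: " + e.getMessage(), e);
            }
        }
        if (!validateRoot) {
            return replyCerts;
        }
        X509Certificate topCert = replyCerts.get(replyCerts.size() - 1);
        boolean knownInKeyStore = keyStore.getCertificateAlias(topCert) != null;
        boolean knownInTrustStore = trustCACerts && trustStore.getCertificateAlias(topCert) != null;
        if (knownInKeyStore || knownInTrustStore) {
            return replyCerts;
        }
        X509Certificate signer = null;
        if (trustCACerts) {
            Enumeration<String> aliases = trustStore.aliases();
            while (aliases.hasMoreElements() && signer == null) {
                Certificate stored = trustStore.getCertificate(aliases.nextElement());
                if (!(stored instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate candidate = (X509Certificate) stored;
                try {
                    topCert.verify(candidate.getPublicKey());
                    signer = candidate;
                } catch (Exception ignored) {
                    // Not the signer of the top certificate; keep looking.
                }
            }
        }
        if (signer == null) {
            return null;
        }
        if (!topCert.getSubjectDN().equals(topCert.getIssuerDN())) {
            replyCerts.add(signer);
        }
        return replyCerts;
    }

    /**
     * Generates a self-signed X.509 v3 certificate for the key pair, valid from now for
     * {@code months} x 30 days, carrying an id-on-xmppAddr subjectAltName for {@code domain}.
     * The extension is marked critical when the subject DN is empty, as RFC 5280 requires.
     * <p>
     * The 64-bit serial number is drawn from an unseeded {@link SecureRandom}. The previous
     * implementation called {@code setSeed(new Date().getTime())} on a fresh SHA1PRNG instance;
     * for that generator a seed supplied before the first output replaces rather than
     * supplements the internal seed, so the serial was a function of the clock alone.
     *
     * @param kp            key pair to certify; the private key signs the certificate
     * @param months        validity in 30-day units
     * @param issuerDN      issuer distinguished name
     * @param subjectDN     subject distinguished name (may be null or blank)
     * @param domain        XMPP domain for the subjectAltName
     * @param signAlgorithm signature algorithm name understood by Bouncy Castle
     * @return the generated certificate, already checked for validity and signature
     * @throws GeneralSecurityException if generation or the self-checks fail
     * @throws IOException if encoding fails
     */
    private static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int months, String issuerDN, String subjectDN, String domain, String signAlgorithm) throws GeneralSecurityException, IOException {
        PublicKey publicKey = kp.getPublic();
        PrivateKey privateKey = kp.getPrivate();
        byte[] serialBytes = new byte[8];
        new SecureRandom().nextBytes(serialBytes);
        // Signum 1 makes the serial non-negative by construction.
        BigInteger serial = new BigInteger(1, serialBytes);
        long now = System.currentTimeMillis();
        X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
        generator.reset();
        generator.setSerialNumber(serial);
        generator.setIssuerDN(new X509Name(issuerDN));
        generator.setNotBefore(new Date(now));
        generator.setNotAfter(new Date(now + months * MONTH_MILLIS));
        generator.setSubjectDN(new X509Name(subjectDN));
        generator.setPublicKey(publicKey);
        generator.setSignatureAlgorithm(signAlgorithm);
        boolean emptySubject = subjectDN == null || "".equals(subjectDN.trim());
        // otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
        DERSequence xmppAddr = new DERSequence(new ASN1Encodable[]{
                new DERObjectIdentifier(OTHERNAME_XMPP_OID),
                new DERTaggedObject(true, 0, new DERUTF8String(domain))});
        GeneralNames altNames = new GeneralNames(new DERSequence(new ASN1Encodable[]{new GeneralName(0, xmppAddr)}));
        generator.addExtension(X509Extensions.SubjectAlternativeName, emptySubject, altNames);
        X509Certificate cert = generator.generateX509Certificate(privateKey, "BC", new SecureRandom());
        // Sanity checks: the certificate must be valid right now and self-consistent.
        cert.checkValidity(new Date());
        cert.verify(publicKey);
        return cert;
    }

    /**
     * Generates a key pair of the given algorithm and size with the Bouncy Castle provider.
     *
     * @throws GeneralSecurityException if the algorithm is unsupported by the provider
     */
    private static KeyPair generateKeyPair(String algorithm, int keySize) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, provider);
        generator.initialize(keySize, new SecureRandom());
        return generator.generateKeyPair();
    }

    static {
        // Register Bouncy Castle so that generateX509Certificate(..., "BC", ...) can resolve it by name.
        Security.addProvider(provider);
    }
}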
