package net.bluemind.system.service.certificate.engine;

import com.google.common.base.Strings;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.rest.BmContext;
import net.bluemind.domain.api.Domain;
import net.bluemind.domain.api.DomainSettingsKeys;
import net.bluemind.node.api.INodeClient;
import net.bluemind.node.client.OkHttpNodeClientFactory;
import net.bluemind.server.api.Server;
import net.bluemind.system.api.CertData;
import net.bluemind.system.api.SysConfKeys;
import net.bluemind.system.hook.ISystemHook;
import net.bluemind.system.service.certificate.lets.encrypt.LetsEncryptCertificate;
import net.bluemind.system.service.helper.SecurityCertificateHelper;
import net.bluemind.utils.CertificateUtils;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/system/service/certificate/engine/CertifEngine.class */
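/**
 * Common behaviour shared by the certificate engines ({@link ICertifEngine} implementations) of a domain:
 * validation of a CA bundle / certificate / private key triple, deployment of the resulting PEM bundle to
 * every node, and recording which engine manages the domain's certificate.
 *
 * <p>Subclasses decide whether an update is allowed ({@link #authorizeUpdate()}) and how the certificate
 * is obtained ({@link #certificateMgmt(List, List)}). This class only validates and deploys material
 * already present in {@link #certData}.
 */
public abstract class CertifEngine implements ICertifEngine {
    protected static final Logger logger = LoggerFactory.getLogger(CertifEngine.class);
    // Sample payload signed with the uploaded private key and verified with the certificate's public key,
    // which proves the two belong together.
    private static final String KEY_CHECK_PAYLOAD = "testSign";

    /** Uid of the domain whose certificate is managed; may be the global virtual domain. */
    protected String domainUid;
    /** Certificate material to validate and deploy; null when the engine is built from a domain uid only. */
    protected CertData certData;
    protected final SecurityCertificateHelper systemHelper;
    /** Domain resolved from {@link #domainUid} by the constructors. */
    protected ItemValue<Domain> domain;

    static {
        // BouncyCastle provides the PEM parsing and key conversion used by checkCertificate().
        Security.addProvider(new BouncyCastleProvider());
    }

    private CertifEngine() {
        this.systemHelper = new SecurityCertificateHelper();
    }

    private CertifEngine(BmContext bmContext) {
        // Without a request context the helper falls back to its default (system) context.
        this.systemHelper = bmContext != null ? new SecurityCertificateHelper(bmContext) : new SecurityCertificateHelper();
    }

    /**
     * Builds an engine for a domain without any certificate material.
     *
     * @param str uid of the domain; must resolve through {@link SecurityCertificateHelper#checkDomain(String)}
     */
    public CertifEngine(String str) {
        this();
        this.domainUid = str;
        verifyDomain();
    }

    /**
     * Builds an engine around uploaded certificate material.
     *
     * @param certData certificate, private key, CA bundle and target engine; the domain uid is taken from it
     * @param bmContext caller context, or null to use the default one
     * @throws ServerFault when {@code certData}, its domain uid or its engine is missing, or the domain is unknown
     */
    public CertifEngine(CertData certData, BmContext bmContext) {
        this(bmContext);
        this.domainUid = certData.domainUid;
        this.certData = certData;
        verifyCertDataAndDomain();
    }

    @Override
    public abstract void externalUrlUpdated(boolean z);

    @Override
    public abstract boolean authorizeUpdate();

    @Override
    public abstract void certificateMgmt(List<ItemValue<Server>> list, List<ISystemHook> list2);

    /**
     * Notifies every hook that the certificate changed.
     * (The decompiler reports this member as {@code protected} in the original source.)
     *
     * @param list hooks to notify, in order
     */
    public void fireCertificateUpdated(List<ISystemHook> list) {
        for (ISystemHook hook : list) {
            hook.onCertificateUpdate();
        }
    }

    /** Rejects a request body lacking the certificate data, domain uid or engine, then resolves the domain. */
    private void verifyCertDataAndDomain() {
        if (this.certData == null || Strings.isNullOrEmpty(this.domainUid) || this.certData.sslCertificateEngine == null) {
            throw new ServerFault("Missing data from request body");
        }
        verifyDomain();
    }

    /** Resolves {@link #domainUid} into {@link #domain} via the helper (which is expected to fail on unknown domains). */
    private void verifyDomain() {
        this.domain = this.systemHelper.checkDomain(this.domainUid);
    }

    /**
     * Creates an empty {@link CertData} for this domain and the given engine, carrying only the domain's
     * Let's Encrypt contact property (null when the domain cannot be resolved).
     * (The decompiler reports this member as {@code protected} in the original source.)
     *
     * @param certificateDomainEngine engine to record in the returned data
     * @return certificate data without certificate, key or CA
     */
    public CertData createDomainCertData(CertData.CertificateDomainEngine certificateDomainEngine) {
        String contact = Optional.ofNullable(this.systemHelper.checkDomain(this.domainUid))
                .map(itemValue -> LetsEncryptCertificate.getContactProperty(itemValue.value))
                .orElse(null);
        return CertData.create(certificateDomainEngine, (String) null, (String) null, (String) null, this.domainUid, contact);
    }

    /**
     * Validates {@link #certData}, writes the PEM bundle to every server, records the engine for the domain
     * and fires the hooks. Nothing is written when validation fails.
     * (The decompiler reports this member as {@code protected} in the original source.)
     *
     * @param list servers to deploy the certificate to
     * @param list2 hooks notified once the deployment is done
     * @throws ServerFault when the certificate material is invalid (see {@link #checkCertificate()})
     */
    public void checkCertificateAndWriteFile(List<ItemValue<Server>> list, List<ISystemHook> list2) {
        // Audit trail: who triggered the certificate change.
        logger.info("update certificate by {}", this.systemHelper.getContext().getSecurityContext().getSubject());
        checkCertificate();
        for (ItemValue<Server> server : list) {
            writeCert(server.value);
        }
        updateDomainCertifEngine();
        fireCertificateUpdated(list2);
    }

    /** Pushes the CA and the combined certificate bundle to one server through its node client. */
    private void writeCert(Server server) {
        String ca = this.certData.certificateAuthority;
        String cert = this.certData.certificate;
        String key = this.certData.privateKey;
        logger.info("Writing certificate for domain {} ", this.certData.domainUid);
        // The deployed file is certificate + private key + CA in a single PEM bundle. Since it carries the
        // private key, restricting its on-disk permissions is up to the node side (not visible here).
        copyCertToNode(new OkHttpNodeClientFactory().create(server.address()), ca, cert + "\n" + key + "\n" + ca);
    }

    /**
     * Writes the CA (global domain only) and the bundle to their well-known paths on a node.
     *
     * @param nodeClient client for the target node
     * @param caPem CA bundle, written to /var/lib/bm-ca/cacert.pem for the global virtual domain
     * @param bundlePem certificate + key + CA, written to every path of {@link #getCertificateFilePaths()}
     */
    private void copyCertToNode(INodeClient nodeClient, String caPem, String bundlePem) {
        // PEM is ASCII; a fixed charset keeps the bytes independent of the JVM default encoding.
        if (Strings.isNullOrEmpty(this.domainUid) || SecurityCertificateHelper.isGlobalVirtDomain(this.domainUid)) {
            nodeClient.mkdirs("/var/lib/bm-ca");
            nodeClient.writeFile("/var/lib/bm-ca/cacert.pem", new ByteArrayInputStream(caPem.getBytes(StandardCharsets.UTF_8)));
        }
        nodeClient.mkdirs("/etc/bm/certs");
        for (String path : getCertificateFilePaths()) {
            nodeClient.writeFile(path, new ByteArrayInputStream(bundlePem.getBytes(StandardCharsets.UTF_8)));
        }
    }

    /**
     * Records {@code certData.sslCertificateEngine} as the domain's engine: in the global system
     * configuration for the global virtual domain, in the domain settings otherwise.
     * (The decompiler reports this member as {@code protected} in the original source.)
     */
    public void updateDomainCertifEngine() {
        String engineName = this.certData.sslCertificateEngine.name();
        logger.info("update ssl_certif_engine for domain {}", this.domainUid);
        if (SecurityCertificateHelper.isGlobalVirtDomain(this.domainUid)) {
            this.systemHelper.getGlobalSettingsService().updateMutableValues(Map.of(SysConfKeys.ssl_certif_engine.name(), engineName));
        } else {
            // Read-modify-write of the whole domain settings map; the service's map type is not visible here.
            Map settings = this.systemHelper.getDomainSettingsService(this.domainUid).get();
            settings.put(DomainSettingsKeys.ssl_certif_engine.name(), engineName);
            this.systemHelper.getDomainSettingsService(this.domainUid).set(settings);
        }
    }

    /**
     * Paths the certificate bundle is written to on each node.
     *
     * @return the bm_cert file under /etc/bm/certs and /etc/ssl/certs, suffixed with the domain uid
     *         except for the global virtual domain
     */
    public List<String> getCertificateFilePaths() {
        String fileName = SecurityCertificateHelper.isGlobalVirtDomain(this.domainUid) ? "bm_cert.pem" : "bm_cert-" + this.domainUid + ".pem";
        return Arrays.asList("/etc/bm/certs/" + fileName, "/etc/ssl/certs/" + fileName);
    }

    /**
     * Validates {@link #certData}: the CA bundle must contain CA certificates, the certificate must chain to
     * one of them and be an end-entity certificate, and the private key must match the certificate's public key.
     *
     * @throws ServerFault when any field is empty or any of the checks above fails; the message says which one
     */
    @Override
    public void checkCertificate() {
        if (Strings.isNullOrEmpty(this.certData.certificate)) {
            throw new ServerFault("Certificate must not be null or empty");
        }
        if (Strings.isNullOrEmpty(this.certData.privateKey)) {
            throw new ServerFault("Private key must not be null or empty");
        }
        if (Strings.isNullOrEmpty(this.certData.certificateAuthority)) {
            throw new ServerFault("CA must not be null or empty");
        }
        // PEM is ASCII; a fixed charset keeps the bytes independent of the JVM default encoding.
        byte[] caPem = this.certData.certificateAuthority.getBytes(StandardCharsets.UTF_8);
        byte[] certPem = this.certData.certificate.getBytes(StandardCharsets.UTF_8);
        byte[] keyPem = this.certData.privateKey.getBytes(StandardCharsets.UTF_8);

        Set<TrustAnchor> anchors = loadTrustAnchors(caPem);
        X509Certificate leaf = parseLeafCertificate(certPem);
        validateCertPath(leaf, anchors);
        PrivateKey privateKey = readPrivateKey(keyPem);
        checkKeyMatchesCertificate(privateKey, leaf);
    }

    /**
     * Parses the CA bundle and turns every certificate in it into a trust anchor.
     *
     * @throws ServerFault when the bundle cannot be parsed, or an entry is neither self-signed nor marked as a CA
     */
    private static Set<TrustAnchor> loadTrustAnchors(byte[] caPem) {
        Collection<? extends Certificate> caCerts;
        try {
            caCerts = CertificateUtils.generateX509Certificates(caPem);
        } catch (CertificateException e) {
            logger.error("error during ca read : {}", e.getMessage(), e);
            throw new ServerFault("Certificate Authority not valid : " + e.getMessage(), e);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Certificate cert : caCerts) {
            X509Certificate x509 = (X509Certificate) cert;
            // getBasicConstraints() == -1 means the certificate is not marked as a CA; only a self-signed
            // certificate is accepted without that marking.
            if (!x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal()) && x509.getBasicConstraints() == -1) {
                throw new ServerFault("Certificate Authority is not one");
            }
            logger.info("CA issuer {} for {} depth {} ", x509.getIssuerX500Principal(), x509.getSubjectX500Principal(), x509.getBasicConstraints());
            anchors.add(new TrustAnchor(x509, null));
        }
        return anchors;
    }

    /** Parses the end-entity certificate, mapping parse failures to a ServerFault. */
    private static X509Certificate parseLeafCertificate(byte[] certPem) {
        try {
            return CertificateUtils.generateX509Certificate(certPem);
        } catch (CertificateException e) {
            logger.error("error reading certificate: {}", e.getMessage(), e);
            throw new ServerFault("Certificate not valid : " + e.getMessage(), e);
        }
    }

    /**
     * Runs PKIX validation of the leaf against the anchors and rejects a leaf that is itself a CA.
     *
     * @throws ServerFault when validation cannot be set up, the path is rejected, or the leaf is a CA certificate
     */
    private static void validateCertPath(X509Certificate leaf, Set<TrustAnchor> anchors) {
        try {
            // The path holds the leaf only: every uploaded CA certificate, intermediates included, is a trust
            // anchor, so the chain is checked from the leaf up to the nearest anchor and no further.
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(leaf));
            // PKIXParameters rejects an empty anchor set with InvalidAlgorithmParameterException.
            PKIXParameters params = new PKIXParameters(anchors);
            // Revocation (CRL/OCSP) is not consulted for the uploaded chain. NOTE(review): confirm this is intended.
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException e) {
            logger.error("error during cert validation {}", e.getMessage(), e);
            throw new ServerFault("Certificate not valid : " + e.getMessage(), e);
        } catch (CertPathValidatorException e) {
            logger.error("error during cert validation {}", e.getMessage(), e);
            throw new ServerFault("Certificate path not valid : " + e.getMessage(), e);
        }
        logger.info("Certificate issuer {} for {} ", leaf.getIssuerX500Principal(), leaf.getSubjectX500Principal());
        if (leaf.getBasicConstraints() != -1) {
            throw new ServerFault("Certificate is not a certificate but a CA");
        }
    }

    /**
     * Reads an unencrypted PEM private key (legacy key pair or PKCS#8 PrivateKeyInfo).
     * Any other PEM object, encrypted keys included, is rejected.
     *
     * @throws ServerFault when the PEM cannot be read or converted, or is not a supported key object
     */
    private static PrivateKey readPrivateKey(byte[] keyPem) {
        PrivateKeyInfo keyInfo;
        try (PEMParser parser = new PEMParser(new StringReader(new String(keyPem, StandardCharsets.UTF_8)))) {
            Object pemObject = parser.readObject();
            if (pemObject instanceof PEMKeyPair) {
                keyInfo = ((PEMKeyPair) pemObject).getPrivateKeyInfo();
            } else if (pemObject instanceof PrivateKeyInfo) {
                keyInfo = (PrivateKeyInfo) pemObject;
            } else if (pemObject != null) {
                throw new ServerFault("privatekey format not handled " + pemObject.getClass().getName());
            } else {
                throw new ServerFault("privatekey format not handled");
            }
            return new JcaPEMKeyConverter().getPrivateKey(keyInfo);
        } catch (PEMException e) {
            // PEMException extends IOException and must be caught first (the decompiled listing showed the
            // handlers in the opposite, non-compilable order).
            logger.error("error loading private key: {}", e.getMessage(), e);
            throw new ServerFault("error loading private key : " + e.getMessage(), e);
        } catch (IOException e) {
            logger.error("error during private key validation: {}", e.getMessage(), e);
            throw new ServerFault("error during private key validation ", e);
        }
    }

    /**
     * Signs a fixed payload with the private key and verifies it with the certificate's public key.
     *
     * @throws ServerFault when the signature does not verify, or signing/verification cannot be set up
     */
    private static void checkKeyMatchesCertificate(PrivateKey privateKey, X509Certificate cert) {
        try {
            // The bare key algorithm name (e.g. "RSA") is used as the Signature algorithm; which names are
            // accepted in that form is provider-dependent. NOTE(review): confirm non-RSA keys pass this check.
            Signature signer = Signature.getInstance(privateKey.getAlgorithm());
            signer.initSign(privateKey);
            signer.update(KEY_CHECK_PAYLOAD.getBytes(StandardCharsets.UTF_8));
            byte[] signed = signer.sign();
            Signature verifier = Signature.getInstance(privateKey.getAlgorithm());
            verifier.initVerify(cert.getPublicKey());
            verifier.update(KEY_CHECK_PAYLOAD.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(signed)) {
                throw new ServerFault("private key doesnt correspond to certificate");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            logger.error("Error occurred during private key validation: {}", e.getMessage(), e);
            throw new ServerFault("Error occurred during private key validation : " + e.getMessage(), e);
        }
    }
}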
