package de.trustable.ca3s.adcsKeyStore.provider;

import de.trustable.ca3s.adcs.proxy.web.rest.LocalADCSService;
import de.trustable.ca3s.adcsCertUtil.ADCSException;
import de.trustable.ca3s.adcsCertUtil.CertificateEnrollmentResponse;
import de.trustable.ca3s.adcsCertUtil.NoLocalADCSException;
import de.trustable.ca3s.adcsCertUtil.SubmitStatus;
import de.trustable.ca3s.cert.bundle.BundleFactory;
import de.trustable.ca3s.cert.bundle.KeyCertBundle;
import de.trustable.util.CryptoUtil;
import java.io.IOException;
import java.io.StringWriter;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tech.jhipster.config.JHipsterDefaults;

/* loaded from: input_file:BOOT-INF/classes/de/trustable/ca3s/adcsKeyStore/provider/LocalADCSBundleFactory.class */
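/**
 * {@link BundleFactory} that obtains a TLS server certificate for the local host from a
 * local Microsoft ADCS instance reachable through {@link LocalADCSService}.
 * <p>
 * {@link #newKeyBundle(String, long)} generates a fresh key pair, builds a PKCS#10 request
 * for this machine's canonical host name (plus the configured additional SANs, the
 * "localhost" name and the IP 127.0.0.1), submits it to ADCS and returns the issued
 * certificate, the CA certificate reported by ADCS and the private key as a
 * {@link KeyCertBundle}.
 * <p>
 * Key algorithm, key length, signing algorithm and additional SANs are read from the
 * {@link PropertyProvider} under the {@code server.tls.} prefix (see the property constants
 * below for the individual keys and their defaults).
 */
public class LocalADCSBundleFactory implements BundleFactory {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LocalADCSBundleFactory.class);

    /** Common prefix of every property this factory reads. */
    public static final String KEY_STORE_PROPERTIES_PREFIX = "server.tls.";
    /** Comma separated list of extra DNS names to add to the CSR's subjectAltName (default: none). */
    private static final String ADDITIONAL_SANS = "server.tls.additionalSANs";
    /** Key size passed to {@link KeyPairGenerator#initialize(int)} (default: 2048). */
    private static final String KEY_LENGTH = "server.tls.key.length";
    /** JCA key pair algorithm name (default: RSA). */
    private static final String KEY_ALGO = "server.tls.key.algorithm";
    /** JCA signature algorithm used to sign the CSR (default: SHA256withRSA). */
    private static final String SIGNING_ALGO = "server.tls.signing.algorithm";

    /** ADCS request attribute carrying the certificate template name. */
    private static final String TEMPLATE_ATTRIBUTE = "Certificate Template";
    /** Separator between bundle name and ADCS template name in the alias passed to {@link #newKeyBundle}. */
    private static final String TEMPLATE_SEPARATOR = "@";
    /** RSA moduli shorter than this are considered weak by current CA/Browser-Forum and NIST guidance. */
    private static final int MIN_RSA_KEY_LENGTH = 2048;
    /**
     * Name that is always present in the SAN list. The decompiled code references JHipster's
     * default Logstash host constant here; that is presumably the literal "localhost" that the
     * original source used -- TODO confirm against the original sources.
     */
    private static final String LOCALHOST_SAN = JHipsterDefaults.Logging.Logstash.host;
    /** Loopback address that is always present in the SAN list (as an iPAddress GeneralName). */
    private static final String LOOPBACK_IP = "127.0.0.1";

    private String keyAlgo = "RSA";
    private String signingAlgo = "SHA256withRSA";
    private int keylength = 2048;
    /** Raw, untrimmed entries of {@link #ADDITIONAL_SANS}; blanks are skipped when the CSR is built. */
    private String[] sanArr = new String[0];

    /**
     * Creates a factory configured from {@code propertyProvider}.
     *
     * @param propertyProvider source of the {@code server.tls.*} properties; {@code null} keeps
     *                         the built-in defaults (RSA 2048, SHA256withRSA, no extra SANs)
     * @throws NumberFormatException if {@code server.tls.key.length} is not an unsigned integer
     */
    public LocalADCSBundleFactory(PropertyProvider propertyProvider) {
        LOG.debug("cTor LocalADCSBundleFactory(proProvider)");
        if (propertyProvider == null) {
            return; // keep the defaults assigned in the field initializers
        }
        // An empty property yields the single entry "" here; it is filtered out in createCsrAsPEM.
        this.sanArr = propertyProvider.getProperty(ADDITIONAL_SANS, "").split(",");
        for (String san : this.sanArr) {
            LOG.debug("additionalSan : {}", san);
        }
        this.keylength = Integer.parseUnsignedInt(propertyProvider.getProperty(KEY_LENGTH, "2048"));
        this.keyAlgo = propertyProvider.getProperty(KEY_ALGO, "RSA");
        this.signingAlgo = propertyProvider.getProperty(SIGNING_ALGO, "SHA256withRSA");

        // Configuration is trusted, so only warn: a too-short RSA modulus silently weakens every
        // TLS endpoint that ends up using this bundle. (Other algorithms interpret the length
        // differently, e.g. EC curve size, so the check is limited to RSA.)
        if ("RSA".equalsIgnoreCase(this.keyAlgo) && this.keylength < MIN_RSA_KEY_LENGTH) {
            LOG.warn("configured RSA key length {} is below the recommended minimum of {} bits",
                this.keylength, MIN_RSA_KEY_LENGTH);
        }
    }

    /**
     * Generates a new key pair, requests a server certificate for the local host from ADCS and
     * returns key, certificate and CA certificate as a bundle.
     *
     * @param alias bundle name; an optional {@code @templateName} suffix selects the ADCS
     *              certificate template (spaces in the template name are removed)
     * @param validityHint not used by this implementation -- the validity is determined by ADCS
     * @return bundle holding the issued certificate, the chain {issued, CA} and the private key
     * @throws GeneralSecurityException if the key pair or CSR cannot be created, the ADCS
     *         connector is unavailable, ADCS does not report {@link SubmitStatus#ISSUED}, or the
     *         issued certificate does not contain the generated public key
     */
    @Override // de.trustable.ca3s.cert.bundle.BundleFactory
    public KeyCertBundle newKeyBundle(String alias, long validityHint) throws GeneralSecurityException {
        try {
            KeyPair keyPair = generateKeyPair();

            String hostName = InetAddress.getLocalHost().getCanonicalHostName();
            LOG.debug("requesting certificate for host : {}", hostName);
            String csrPem = createCsrAsPEM(hostName, keyPair.getPublic(), keyPair.getPrivate());

            HashMap<String, String> requestAttributes = new HashMap<>();
            String template = templateFromAlias(alias);
            if (template != null) {
                requestAttributes.put(TEMPLATE_ATTRIBUTE, template);
            }

            LocalADCSService localADCSService = new LocalADCSService();
            CertificateEnrollmentResponse response =
                localADCSService.getADCSConnector().submitRequest(csrPem, requestAttributes);
            if (!SubmitStatus.ISSUED.equals(response.getStatus())) {
                LOG.error("failed to retrieve certificate from ADCS instance, status : '{}', check request id {}",
                    response.getStatus(), Long.valueOf(response.getReqId()));
                throw new GeneralSecurityException("failed to retrieve certificate from ADCS instance!");
            }

            X509Certificate issuedCert = CryptoUtil.convertPemToCertificate(response.getB64Cert());
            X509Certificate caCert = CryptoUtil.convertPemToCertificate(response.getB64CACert());

            // Refuse to build a keystore entry whose certificate does not belong to our private key;
            // such a bundle would fail at TLS handshake time with a far less obvious error.
            if (!Arrays.equals(issuedCert.getPublicKey().getEncoded(), keyPair.getPublic().getEncoded())) {
                LOG.error("certificate returned by ADCS (request id {}) does not contain the generated public key",
                    Long.valueOf(response.getReqId()));
                throw new GeneralSecurityException("certificate returned by ADCS does not match the generated key pair!");
            }

            LOG.debug("succeeded to retrieve certificate from ADCS instance");
            // Chain as reported by ADCS: leaf plus the single CA certificate. Intermediate CAs, if any,
            // are not returned by this response and therefore not included -- TODO confirm with the connector.
            X509Certificate[] chain = {issuedCert, caCert};
            return new KeyCertBundle(alias, chain, issuedCert, keyPair.getPrivate());
        } catch (NoLocalADCSException e) {
            LOG.error("ADCSConnector not available !");
            throw new GeneralSecurityException("ADCSConnector not available !", e);
        } catch (ADCSException | IOException e) {
            LOG.warn("failed to retrieve certificate from ADCS instance", e);
            throw new GeneralSecurityException("failed to retrieve certificate from ADCS instance!", e);
        }
    }

    /**
     * Generates a key pair with the configured algorithm and length, using the provider's
     * default {@code SecureRandom}.
     *
     * @throws GeneralSecurityException if the algorithm is unknown or the length is unsupported
     */
    private KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(this.keyAlgo);
        generator.initialize(this.keylength);
        return generator.genKeyPair();
    }

    /**
     * Extracts the ADCS template name from an alias of the form {@code name@template}.
     *
     * @return the template name with all spaces removed, or {@code null} if the alias carries no
     *         usable template part (no {@code @}, or nothing after it)
     */
    private static String templateFromAlias(String alias) {
        if (!alias.contains(TEMPLATE_SEPARATOR)) {
            LOG.debug("requesting certificate using bundle name '{}' without a template. This is valid for non-domain ADCS instances.", alias);
            return null;
        }
        String[] parts = alias.split(TEMPLATE_SEPARATOR);
        if (parts.length <= 1) {
            LOG.warn("alias contains an '@', but it is not followed by a template name!");
            return null;
        }
        // Only the first part after '@' is used; StringUtils.SPACE is " ", so this strips all blanks.
        String template = parts[1].replaceAll(StringUtils.SPACE, "");
        LOG.debug("requesting certificate using template : {}", template);
        return template;
    }

    /**
     * Builds a PEM encoded PKCS#10 request for {@code hostName}.
     * <p>
     * The request carries {@code CN=hostName}, an (non-critical) extendedKeyUsage of
     * serverAuth and a subjectAltName holding: every non-blank entry of the configured
     * additional SANs (all encoded as dNSName), {@link #LOCALHOST_SAN} if not already present,
     * the lower-cased host name, and the iPAddress {@link #LOOPBACK_IP}.
     *
     * @param hostName   subject and primary DNS SAN
     * @param publicKey  key placed into the request
     * @param privateKey key used to self-sign the request with the configured signing algorithm
     * @throws IOException if the request cannot be built, signed or PEM encoded
     */
    private String createCsrAsPEM(String hostName, PublicKey publicKey, PrivateKey privateKey)
        throws GeneralSecurityException, IOException {
        X500Principal subject = new X500Principal("CN=" + hostName);
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
        try {
            ContentSigner signer = new JcaContentSignerBuilder(this.signingAlgo).build(privateKey);
            PKCS10CertificationRequestBuilder csrBuilder =
                new PKCS10CertificationRequestBuilder(X500Name.getInstance(subject.getEncoded()), spki);

            ExtensionsGenerator extensions = new ExtensionsGenerator();
            extensions.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));

            ArrayList<GeneralName> sans = new ArrayList<>();
            boolean localhostPresent = LOCALHOST_SAN.equalsIgnoreCase(hostName);
            for (String rawSan : this.sanArr) {
                String san = rawSan.trim();
                if (san.isEmpty()) {
                    continue;
                }
                LOG.debug("set additonal SAN: {}", san);
                // NOTE(review): every configured entry becomes a dNSName; an IP literal configured
                // here would be encoded as a DNS name rather than an iPAddress.
                sans.add(new GeneralName(GeneralName.dNSName, san));
                if (LOCALHOST_SAN.equalsIgnoreCase(san)) {
                    localhostPresent = true;
                }
            }
            if (!localhostPresent) {
                sans.add(new GeneralName(GeneralName.dNSName, LOCALHOST_SAN));
            }
            // Locale.ROOT: host names are ASCII; a locale-sensitive lower-casing (e.g. Turkish
            // dotless i) would produce a name that never matches the host.
            sans.add(new GeneralName(GeneralName.dNSName, hostName.toLowerCase(Locale.ROOT)));
            sans.add(new GeneralName(GeneralName.iPAddress, LOOPBACK_IP));
            extensions.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(sans.toArray(new GeneralName[0])));

            csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
            PKCS10CertificationRequest csr = csrBuilder.build(signer);

            StringWriter pem = new StringWriter();
            try (JcaPEMWriter pemWriter = new JcaPEMWriter(pem)) {
                pemWriter.writeObject(csr);
            }
            return pem.toString();
        } catch (OperatorCreationException e) {
            // Wrapped as IOException to keep the checked-exception contract of this method.
            throw new IOException(e);
        }
    }
}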
