package eu.contrail.security;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.xalan.xsltc.trax.TransformerFactoryImpl;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.eclipse.persistence.internal.helper.Helper;
import org.opensaml.ws.security.ServletRequestX509CredentialAdapter;

/* loaded from: input_file:WEB-INF/classes/eu/contrail/security/DelegatedHostCertServlet.class */
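/**
 * Issues host certificates for the hostname named in a client-supplied PKCS#10 request.
 *
 * <p>The caller must present an X.509 client certificate chain that
 * {@code SecurityCommons.authorise()} accepts against the {@code allowedCNs} init parameter; any
 * syntactically valid FQDN in the CSR's CN is then certified with the issuer key loaded in
 * {@link #init(ServletConfig)}. No further check ties the caller to the requested name, so that
 * trust rests entirely on {@code authorise()}.
 *
 * <p>Thread-safety: all state is static and written once in {@code init}; the only field mutated
 * afterwards is {@link #serialNumber}, which is guarded by {@link #SERIAL_LOCK}.
 */
public class DelegatedHostCertServlet extends HttpServlet {
    private static final long serialVersionUID = -1;

    /** Request parameter carrying the PEM-encoded PKCS#10 request. */
    private static final String CSR_PARAMETER = "certificate_request";
    /** Lifetime applied when neither certLifetimeDays nor certLifetimeHours is configured. */
    private static final int DEFAULT_LIFETIME_HOURS = 12;
    /**
     * Signature algorithm for issued certificates unless the optional "signatureAlgorithm" init
     * parameter overrides it. The default is retained for compatibility with existing deployments,
     * but SHA-1 signatures are rejected by current TLS clients; configure a SHA-2 algorithm such as
     * SHA256withRSA where the issuer key permits it.
     */
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA1withRSA";
    /** Guards {@link #serialNumber}; a lock on a freshly allocated Object would serialise nothing. */
    private static final Object SERIAL_LOCK = new Object();

    private static String daysString;
    private static int days;
    private static String hoursString;
    private static int hours;
    private static ServletContext ctx;
    private static KeyPair issuerKeyPair;
    private static String issuerKeyPairFilename;
    // Kept in memory for the servlet's lifetime because readKeyPair() needs it at init only;
    // it is never logged (see getInitParams).
    private static char[] issuerKeyPairPassword;
    private static X509Certificate issuerCertificate;
    private static String issuerCertificateFilename;
    private static String issuerName;
    private static String allowedCNs;
    private static String signatureAlgorithm = DEFAULT_SIGNATURE_ALGORITHM;
    // Next serial to hand out; restarts from the wall clock on every init, so uniqueness across
    // restarts is not guaranteed without a persistent counter.
    private static BigInteger serialNumber;
    private static boolean debug = false;
    private static int minutes = 0;
    private static int paramsMissing = 0;

    /**
     * Parses the {@code certificate_request} parameter into a PKCS#10 request.
     *
     * @param httpServletRequest the incoming request
     * @param securityCommons parser for the PEM text
     * @return the parsed request, or {@code null} when the parameter is absent or empty
     * @throws IOException if the PEM text cannot be read
     */
    private PKCS10CertificationRequest getCSR(HttpServletRequest httpServletRequest, SecurityCommons securityCommons) throws IOException {
        String pem = httpServletRequest.getParameter(CSR_PARAMETER);
        if (pem == null) {
            if (debug) {
                ctx.log(String.format("Request Parameter %s is NULL", CSR_PARAMETER));
            }
            return null;
        }
        if (pem.isEmpty()) {
            return null;
        }
        // Client-controlled bytes: readCSR only parses them; the self-signature is checked later
        // by csr.verify() in processRequest.
        return securityCommons.readCSR(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
    }

    /** Logs {@code message} when debugging and sends it to the client with the given HTTP status. */
    private static void reject(HttpServletResponse response, int status, String message) throws IOException {
        if (debug) {
            ctx.log(message);
        }
        response.sendError(status, message);
    }

    /** Replaces control characters so a client-supplied value cannot forge extra log lines. */
    private static String sanitizeForLog(String value) {
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return cleaned.toString();
    }

    /** Reserves and returns the next serial number; callers never share a value. */
    private static BigInteger nextSerialNumber() {
        synchronized (SERIAL_LOCK) {
            BigInteger reserved = serialNumber;
            serialNumber = serialNumber.add(BigInteger.ONE);
            return reserved;
        }
    }

    /**
     * Handles one certificate request: authenticates the caller, validates the CSR and writes the
     * issued certificate as PEM text.
     *
     * <p>Responses: 401 when no client certificate chain is present or it is not authorised;
     * 400 when the CSR is missing, unverifiable or has no valid FQDN in its CN;
     * 500 when certificate creation returns nothing.
     *
     * @throws ServletException on issuer-side crypto failures (wrapped with their cause)
     * @throws IOException if the response writer cannot be obtained
     */
    protected void processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        SecurityCommons securityCommons = new SecurityCommons();
        String clientInfo = null;
        String remoteAddr = httpServletRequest.getRemoteAddr();
        if (remoteAddr != null) {
            ctx.log("Request from IP " + remoteAddr);
            clientInfo = "IP=" + remoteAddr;
        }
        // Encoding must be fixed before getWriter(); PEM is ASCII, so this only affects error bodies.
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setContentType("text/plain");
        PrintWriter writer = httpServletResponse.getWriter();
        try {
            X509Certificate[] clientCerts = (X509Certificate[]) httpServletRequest.getAttribute(ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE);
            if (clientCerts == null || clientCerts.length == 0) {
                ctx.log("Can't find certs in javax.servlet.request.X509Certificate");
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (debug) {
                for (int i = 0; i < clientCerts.length; i++) {
                    ctx.log(String.format("Certificate %d: %s.%n", i, securityCommons.reverse(clientCerts[i].getSubjectDN().getName(), ",")));
                }
            }
            // authorise() is the only access-control decision in this servlet.
            if (!securityCommons.authorise(clientCerts, allowedCNs)) {
                ctx.log(clientInfo + " - can't find authorised certificate");
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            PKCS10CertificationRequest csr = getCSR(httpServletRequest, securityCommons);
            if (csr == null) {
                reject(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, "The request is missing the parameter 'certificate_request'");
                return;
            }
            try {
                // Proof of possession: the CSR must carry a valid self-signature under the key it
                // asks to certify.
                csr.verify();
                Object subject = csr.getCertificationRequestInfo().getSubject();
                if (subject == null) {
                    reject(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, "Client didn't send Subject DN");
                    return;
                }
                String[] commonNames = securityCommons.getRDNs(subject.toString(), BCStyle.CN);
                if (commonNames == null || commonNames.length == 0) {
                    reject(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, "Client didn't send Subject hostname in CN field");
                    return;
                }
                String hostname = commonNames[0];
                if (!securityCommons.isValidFQDN(hostname)) {
                    // Record the offending value for investigation, but do not echo it to the client.
                    ctx.log(String.format("Client sent badly formatted Subject CN=hostname: %s", sanitizeForLog(hostname)));
                    httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Client sent badly formatted Subject CN=hostname");
                    return;
                }
                if (debug) {
                    ctx.log(String.format("DHCS: hostname from CSR = %s", hostname));
                }
                // Reserve the serial before signing so concurrent requests cannot be issued the same one.
                BigInteger serial = nextSerialNumber();
                X509Certificate hostCert = securityCommons.createHostCertificate(csr.getPublicKey(), hostname, serial, issuerCertificate, issuerKeyPair.getPrivate(), signatureAlgorithm, new Date(), days, hours, minutes);
                if (hostCert == null) {
                    if (debug) {
                        ctx.log("createHostCertificate returned NULL");
                    }
                    httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create a certificate");
                    return;
                }
                if (debug) {
                    ctx.log("About to write cert");
                }
                ByteArrayOutputStream pemBuffer = new ByteArrayOutputStream();
                // try-with-resources guarantees the encoder is flushed even if writeCertificate does not close it.
                try (OutputStreamWriter pemWriter = new OutputStreamWriter(pemBuffer, StandardCharsets.UTF_8)) {
                    securityCommons.writeCertificate(pemWriter, hostCert);
                }
                String pem = pemBuffer.toString("UTF-8");
                // Content-Length counts bytes, not chars.
                httpServletResponse.setContentLength(pemBuffer.size());
                writer.write(pem);
                if (debug) {
                    ctx.log("Wrote cert");
                }
                ctx.log(clientInfo + ", hostname=" + hostname + ", serial=" + hostCert.getSerialNumber());
            } catch (InvalidKeyException e) {
                reject(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, "Cannot verify CSR - InvalidKeyException - ignoring request");
            } catch (SignatureException e) {
                reject(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, "Cannot verify CSR - SignatureException - ignoring request");
            }
        } catch (NoSuchAlgorithmException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException(e.getLocalizedMessage(), e);
        } catch (NoSuchProviderException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException(e.getLocalizedMessage(), e);
        } catch (InvalidKeyException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException(e.getLocalizedMessage(), e);
        } catch (CertificateException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException(e.getLocalizedMessage(), e);
        } catch (OperatorCreationException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException(e.getLocalizedMessage(), e);
        } catch (IOException e) {
            // Usually the client went away mid-response; nothing more can be sent, so only log it.
            ctx.log(e.getLocalizedMessage(), e);
        } finally {
            writer.close();
        }
    }

    /**
     * GET is accepted for compatibility with existing clients; issuance consumes a serial number
     * and is therefore not idempotent, so POST is the appropriate method.
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        processRequest(httpServletRequest, httpServletResponse);
    }

    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        processRequest(httpServletRequest, httpServletResponse);
    }

    @Override
    public String getServletInfo() {
        return "Short description";
    }

    /**
     * Reads a mandatory init parameter, counting it in {@link #paramsMissing} when absent.
     *
     * @return the value, or {@code null} when it is not configured
     */
    private static String readRequiredParam(ServletConfig servletConfig, String name) {
        String value = servletConfig.getInitParameter(name);
        if (value == null) {
            paramsMissing++;
            ctx.log(String.format("Cannot read property %s.", name));
        } else if (debug) {
            ctx.log(String.format("%s = %s.", name, value));
        }
        return value;
    }

    /**
     * Loads the init parameters into the static fields and counts the mandatory ones that are
     * missing in {@link #paramsMissing}.
     */
    private void getInitParams(ServletConfig servletConfig) {
        // The decompiler folded this literal into TransformerFactoryImpl.DEBUG; the value is "debug".
        debug = Boolean.parseBoolean(servletConfig.getInitParameter("debug"));
        // Optional: authorise() receives null when unset; how it treats that is not visible here.
        allowedCNs = servletConfig.getInitParameter("allowedCNs");
        String configuredAlgorithm = servletConfig.getInitParameter("signatureAlgorithm");
        if (configuredAlgorithm == null || configuredAlgorithm.trim().isEmpty()) {
            signatureAlgorithm = DEFAULT_SIGNATURE_ALGORITHM;
        } else {
            signatureAlgorithm = configuredAlgorithm.trim();
        }
        issuerKeyPairFilename = readRequiredParam(servletConfig, "issuerKeyPairFilename");
        String password = servletConfig.getInitParameter("issuerKeyPairPassword");
        if (password != null) {
            issuerKeyPairPassword = password.toCharArray();
        } else {
            paramsMissing++;
            ctx.log("Cannot read property issuerKeyPairPassword.");
        }
        if (debug) {
            // Only presence is logged, never the secret itself.
            ctx.log(String.format("issuerKeyPairPassword is %s", issuerKeyPairPassword == null ? "not set." : "set, but not logged here."));
        }
        issuerCertificateFilename = readRequiredParam(servletConfig, "issuerCertificateFilename");
    }

    /**
     * Parses a lifetime init parameter.
     *
     * @param value the raw parameter, or {@code null} when unset
     * @param unit "days" or "hours", for log and error messages
     * @return the value clamped to {@code >= 0}; 0 when unset, so the default lifetime applies when
     *     both units are unset (the previous code passed -1 to createHostCertificate instead)
     * @throws ServletException if the value is not an integer
     */
    private static int parseLifetime(String value, String unit) throws ServletException {
        if (value == null) {
            return 0;
        }
        try {
            int parsed = Math.max(Integer.parseInt(value.trim()), 0);
            if (debug) {
                ctx.log(String.format("Cert lifetime is %d %s.%n", parsed, unit));
            }
            return parsed;
        } catch (NumberFormatException e) {
            throw new ServletException(String.format("Invalid certificate lifetime (%s): '%s'", unit, value), e);
        }
    }

    /**
     * Loads configuration and the issuer credentials.
     *
     * <p>Fails closed: any missing parameter or unreadable key/certificate makes initialisation
     * throw, so the container never serves requests with a half-configured issuer.
     *
     * @throws ServletException when a mandatory parameter is missing, the issuer key pair or
     *     certificate cannot be loaded, or a lifetime value is not an integer
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        SecurityCommons securityCommons = new SecurityCommons();
        ctx = servletConfig.getServletContext();
        ctx.log("Starting DelegatedHostCertServlet");
        synchronized (SERIAL_LOCK) {
            serialNumber = BigInteger.valueOf(System.currentTimeMillis());
        }
        Security.addProvider(new BouncyCastleProvider());
        getInitParams(servletConfig);
        if (paramsMissing != 0) {
            String message = String.format("Missing %d parameter values", paramsMissing);
            ctx.log(message);
            throw new ServletException(message);
        }
        try {
            if (!new File(issuerKeyPairFilename).canRead()) {
                ctx.log(String.format("Fatal - can't read key %s", issuerKeyPairFilename));
            }
            issuerKeyPair = securityCommons.readKeyPair(issuerKeyPairFilename, issuerKeyPairPassword);
            if (issuerKeyPair == null) {
                ctx.log(String.format("Couldn't read %s.%n", issuerKeyPairFilename));
                ctx.log(String.format("Check the passphrase or permissions on %s.%n", issuerKeyPairFilename));
                throw new ServletException(String.format("Couldn't read %s", issuerKeyPairFilename));
            }
            if (!new File(issuerCertificateFilename).canRead()) {
                ctx.log(String.format("Fatal - can't read certificate %s", issuerCertificateFilename));
            }
            try (FileInputStream certificateStream = new FileInputStream(issuerCertificateFilename)) {
                issuerCertificate = securityCommons.getCertFromStream(certificateStream);
            }
            if (issuerCertificate == null) {
                ctx.log(String.format("Couldn't read %s.%n", issuerCertificateFilename));
                throw new ServletException(String.format("Couldn't read %s", issuerCertificateFilename));
            }
            // The decompiler rendered the stripped delimiter as Helper.DEFAULT_DATABASE_DELIMITER ("\"").
            issuerName = securityCommons.reverse(issuerCertificate.getSubjectDN().getName().replace("\"", ""), ",");
            if (debug) {
                ctx.log(String.format("Issuer name = %s.", issuerName));
            }
            daysString = servletConfig.getInitParameter("certLifetimeDays");
            hoursString = servletConfig.getInitParameter("certLifetimeHours");
            days = parseLifetime(daysString, "days");
            hours = parseLifetime(hoursString, "hours");
            if (days == 0 && hours == 0) {
                hours = DEFAULT_LIFETIME_HOURS;
                if (debug) {
                    ctx.log(String.format("No certificate lifetime parameters set - using default of %s hours.", DEFAULT_LIFETIME_HOURS));
                }
            }
        } catch (IOException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException("Cannot load issuer credentials", e);
        } catch (NoSuchAlgorithmException e) {
            ctx.log("Fatal: Cannot find algorithm to read key pair. Check location of BouncyCastle JARs", e);
            throw new ServletException("Cannot find algorithm to read key pair", e);
        } catch (CertificateException e) {
            ctx.log(e.getLocalizedMessage(), e);
            throw new ServletException("Cannot parse issuer certificate", e);
        }
    }
}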
