package eu.contrail.security;

import eu.contrail.security.servercommons.SAML;
import eu.contrail.security.servercommons.UserSAML;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.xalan.xsltc.trax.TransformerFactoryImpl;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.opensaml.ws.security.ServletRequestX509CredentialAdapter;
import org.ow2.contrail.federation.federationdb.jpa.entities.User;
import org.ow2.contrail.federation.federationdb.utils.PersistenceUtils;

/* loaded from: input_file:WEB-INF/classes/eu/contrail/security/DelegatedUserCertServlet.class */
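/**
 * Online-CA endpoint that issues a short-lived user certificate for a delegated request.
 *
 * <p>Request flow (see {@link #processRequest}):
 * <ol>
 *   <li>the caller must present a TLS client certificate accepted by
 *       {@code SecurityCommons.authorise} against the {@code allowedCNs} init-parameter;</li>
 *   <li>the {@code certificate_request} parameter must hold a PKCS#10 request whose
 *       self-signature verifies (proof of possession of the key);</li>
 *   <li>the user id is read from the Basic {@code Authorization} header — only the user-name
 *       part is used, the password is not checked here, so the caller's client certificate is
 *       the only authentication of the delegated request;</li>
 *   <li>the user is looked up in the federation DB and a certificate with an embedded SAML
 *       assertion is signed with the issuer key loaded in {@link #init}.</li>
 * </ol>
 *
 * <p>All configuration lives in static fields populated once by {@link #init}; the serial
 * counter is the only field mutated per request and is guarded by {@link #SERIAL_LOCK}.
 */
public class DelegatedUserCertServlet extends HttpServlet {
    private static final long serialVersionUID = -1;

    /** Request parameter carrying the PEM-encoded PKCS#10 certificate request. */
    private static final String CSR_PARAMETER = "certificate_request";
    /** Error text sent (and, in debug mode, logged) when the CSR parameter is absent or empty. */
    private static final String MISSING_CSR_MESSAGE = "DUCS: The request is missing the parameter 'certificate_request'";
    /** Lifetime applied when both {@code certLifetimeDays} and {@code certLifetimeHours} parse to 0. */
    private static final int DEFAULT_LIFETIME_HOURS = 12;
    /**
     * Signature algorithm for issued certificates. SHA-1 signatures are deprecated for
     * certificates; SHA256withRSA is preferable once all relying parties accept it.
     */
    private static final String SIGNATURE_ALGORITHM = "SHA1withRSA";
    private static final String BASIC_AUTH_CHALLENGE = "Basic realm=\"my-contrail-onlineca-realm\"";
    /**
     * Lock for {@link #serialNumber}. A shared lock object is required so that two concurrent
     * requests cannot both read the same serial before either increments it.
     */
    private static final Object SERIAL_LOCK = new Object();

    // Servlet-wide state: written once by init(), read by every request thread.
    private static int days;
    private static int hours;
    private static int minutes = 0;
    private static ServletContext ctx;
    private static PrivateKey issuerKey;
    private static String issuerKeyPairFilename;
    private static X509Certificate issuerCertificate;
    private static String issuerCertificateFilename;
    private static String allowedCNs;
    private static String issuerName;
    private static BigInteger serialNumber;
    private static boolean debug = false;
    private static char[] issuerKeyPairPassword = null;
    // NOTE(review): one EntityManager is shared by all request threads; JPA EntityManagers are
    // generally not thread-safe — confirm PersistenceUtils hands out a thread-safe proxy.
    private static EntityManager em = null;
    private static int paramsMissing = 0;

    /** Logs {@code message} to the servlet context only when the {@code debug} init-parameter is on. */
    private static void logDebug(String message) {
        if (debug) {
            ctx.log(message);
        }
    }

    /** Closes the response writer, ignoring failures: the status has already been sent by then. */
    private static void closeQuietly(PrintWriter writer) {
        if (writer == null) {
            return;
        }
        try {
            writer.close();
        } catch (Exception ignored) {
            // nothing useful can be done once the response is committed
        }
    }

    /**
     * Logs {@code cause} with its stack trace and wraps it for the container.
     *
     * @param cause the failure; it is kept as the cause of the returned exception
     * @return a ServletException to be thrown by the caller
     */
    private static ServletException fatal(Exception cause) {
        String message = cause.getLocalizedMessage();
        ctx.log(String.valueOf(message), cause);
        return new ServletException(message, cause);
    }

    /**
     * Returns the serial number for the next certificate and advances the counter.
     *
     * <p>Reading and incrementing under one lock guarantees that concurrent requests never
     * receive the same serial. The counter is advanced even if issuance later fails, which
     * only leaves a gap and never a duplicate.
     */
    private static BigInteger nextSerialNumber() {
        synchronized (SERIAL_LOCK) {
            BigInteger current = serialNumber;
            serialNumber = current.add(BigInteger.ONE);
            return current;
        }
    }

    /**
     * Parses the PKCS#10 request sent in the {@code certificate_request} parameter.
     *
     * @param httpServletRequest the incoming request
     * @param securityCommons    parser for the PEM-encoded request
     * @return the request, or {@code null} when the parameter is absent or empty
     * @throws IOException if the parameter cannot be decoded or parsed
     */
    private PKCS10CertificationRequest getCSR(HttpServletRequest httpServletRequest, SecurityCommons securityCommons) throws IOException {
        String encodedRequest = httpServletRequest.getParameter(CSR_PARAMETER);
        if (encodedRequest == null) {
            logDebug(String.format("DUCS: Request Parameter %s is NULL", CSR_PARAMETER));
            return null;
        }
        if (encodedRequest.length() == 0) {
            return null;
        }
        return securityCommons.readCSR(new ByteArrayInputStream(encodedRequest.getBytes("UTF-8")));
    }

    /**
     * Rejects a request whose CSR self-signature could not be verified with HTTP 400.
     *
     * @param httpServletResponse the response to fail
     * @param cause               the verification failure (its simple class name is reported)
     * @throws IOException if the error response cannot be sent
     */
    private static void rejectCsr(HttpServletResponse httpServletResponse, Exception cause) throws IOException {
        String message = "DUCS: Cannot verify CSR - " + cause.getClass().getSimpleName() + " - ignoring request";
        logDebug(message);
        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
    }

    /**
     * Looks the user up by the id taken from the Authorization header.
     *
     * @param userSAML lookup helper
     * @param userId   id as supplied by the caller (untrusted)
     * @return the user, or {@code null} when the id is not numeric or matches no user
     */
    private static User lookupUser(UserSAML userSAML, String userId) {
        try {
            return userSAML.getUserbyUserID(em, userId);
        } catch (NumberFormatException e) {
            logDebug(String.format("DUCS: UserID %s is not valid", userId));
        } catch (NoResultException e) {
            logDebug(String.format("DUCS: No user found for ID %s", userId));
        }
        return null;
    }

    /**
     * Handles GET and POST: authorises the caller, validates the CSR, resolves the delegated
     * user and writes the PEM-encoded certificate as {@code text/plain}.
     *
     * <p>Error mapping: 401 for a missing/unauthorised client certificate, a missing
     * Authorization header or an unknown user; 400 for a missing or unverifiable CSR and for
     * malformed input ({@link IllegalArgumentException}); 500 when the persistence layer is
     * unavailable or certificate creation yields nothing. Internal crypto failures are logged
     * with their cause and surfaced as {@link ServletException}.
     *
     * @throws ServletException on internal failure (cause preserved)
     * @throws IOException      if the response cannot be written
     */
    protected void processRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        SecurityCommons securityCommons = new SecurityCommons();
        SAML saml = new SAML();
        String logPrefix = "DUCS: IP=unknown";
        String remoteAddr = httpServletRequest.getRemoteAddr();
        if (remoteAddr != null) {
            ctx.log("DUCS: Request from IP " + remoteAddr);
            logPrefix = "DUCS: IP=" + remoteAddr;
        }
        PrintWriter writer = httpServletResponse.getWriter();
        try {
            httpServletResponse.setContentType("text/plain");

            // Step 1: the caller must present a client certificate that authorise() accepts.
            // NOTE(review): how authorise() treats a null allowedCNs is not visible here.
            X509Certificate[] callerChain = (X509Certificate[]) httpServletRequest.getAttribute(ServletRequestX509CredentialAdapter.X509_CERT_REQUEST_ATTRIBUTE);
            if (callerChain == null || callerChain.length == 0) {
                ctx.log("DUCS: Can't find certs in javax.servlet.request.X509Certificate");
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!securityCommons.authorise(callerChain, allowedCNs)) {
                ctx.log(logPrefix + " - can't find authorised certificate");
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // Step 2: a PKCS#10 request whose self-signature verifies (proof of possession).
            PKCS10CertificationRequest csr = getCSR(httpServletRequest, securityCommons);
            if (csr == null) {
                logDebug(MISSING_CSR_MESSAGE);
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, MISSING_CSR_MESSAGE);
                return;
            }
            try {
                csr.verify();
            } catch (InvalidKeyException e) {
                rejectCsr(httpServletResponse, e);
                return;
            } catch (SignatureException e) {
                rejectCsr(httpServletResponse, e);
                return;
            }

            // Step 3: the user id comes from the Basic-auth header. Only the user-name part is
            // used; the password is NOT verified here, so the client certificate checked in
            // step 1 is the sole authentication of this delegated request.
            // NOTE(review): confirm this delegation model is intended.
            String authorization = httpServletRequest.getHeader("Authorization");
            if (authorization == null || authorization.length() == 0) {
                httpServletResponse.setHeader("WWW-Authenticate", BASIC_AUTH_CHALLENGE);
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                logDebug("DUCS: Sending BasicAuth challenge");
                return;
            }
            String[] credentials = securityCommons.getBasicAuthUsernamePassword(authorization);
            if (credentials == null || credentials.length == 0 || credentials[0] == null) {
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "DUCS: Malformed Authorization header");
                return;
            }
            String userId = credentials[0];
            // header content is caller-supplied and is logged verbatim
            ctx.log(String.format("DUCS: userID = %s", userId));
            if (debug) {
                logPrefix = logPrefix + ", UserID from BasicAuth header = " + userId;
            }
            if (em == null) {
                logDebug("DUCS: EntityManager is NULL");
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
            UserSAML userSAML = new UserSAML();
            User user = lookupUser(userSAML, userId);
            if (user == null) {
                httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String username = user.getUsername();
            logDebug("DUCS: username " + username);
            String uuid = user.getUuid();
            logDebug("DUCS: uuid " + uuid);

            // Step 4: issue the certificate. Subject = issuer DN + "CN=<uuid>, CN=<username>".
            // NOTE(review): uuid and username are embedded in the RFC 2253 string unescaped; if a
            // username may contain ',', '+', '=' or similar it must be escaped first, otherwise
            // the subject can gain extra RDNs.
            String samlForUser = userSAML.getSAMLforUser(user, saml);
            String subjectCns = String.format("CN=%s, CN=%s", uuid, username);
            logDebug("DUCS: About to write cert with subject name " + subjectCns);
            X509Certificate userCertificate = securityCommons.createUserCertificateWithSAML(
                    csr.getPublicKey(),
                    new X500Principal(issuerName + "," + subjectCns),
                    uuid,
                    nextSerialNumber(),
                    issuerCertificate,
                    issuerKey,
                    SIGNATURE_ALGORITHM,
                    days,
                    hours,
                    minutes,
                    SecurityCommons.CONTRAIL_ATTRIBUTE_ASSERTION,
                    false,
                    samlForUser);
            if (userCertificate == null) {
                logDebug("DUCS: createCertificate returned NULL");
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create a certificate");
                return;
            }

            // Step 5: PEM-encode into memory first so Content-Length is known before writing.
            logDebug("DUCS: About to write cert");
            ByteArrayOutputStream pemBuffer = new ByteArrayOutputStream();
            OutputStreamWriter pemWriter = new OutputStreamWriter(pemBuffer, "UTF-8");
            try {
                securityCommons.writeCertificate(pemWriter, userCertificate);
            } finally {
                pemWriter.close(); // flushes anything writeCertificate left buffered
            }
            String pem = pemBuffer.toString("UTF-8");
            httpServletResponse.setContentType("text/plain");
            // PEM is pure ASCII, so the character count equals the encoded byte count.
            httpServletResponse.setContentLength(pem.length());
            writer.write(pem);
            logDebug("DUCS: Wrote cert");
            ctx.log(logPrefix + ", serial=" + userCertificate.getSerialNumber());
        } catch (IOException e) {
            ctx.log(String.valueOf(e.getLocalizedMessage()), e);
        } catch (IllegalArgumentException e) {
            // e.g. an undecodable Authorization header: the client's fault, so answer 400 first.
            String message = e.getLocalizedMessage();
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
            throw new ServletException(message, e);
        } catch (CertificateException e) {
            throw fatal(e);
        } catch (InvalidKeyException e) {
            throw fatal(e);
        } catch (NoSuchAlgorithmException e) {
            throw fatal(e);
        } catch (NoSuchProviderException e) {
            throw fatal(e);
        } catch (OperatorCreationException e) {
            throw fatal(e);
        } catch (NullPointerException e) {
            throw fatal(e);
        } finally {
            // Closed after the handlers above so sendError() still sees an uncommitted response.
            closeQuietly(writer);
        }
    }

    /** GET is handled exactly like POST; see {@link #processRequest}. */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        processRequest(httpServletRequest, httpServletResponse);
    }

    /** POST is handled exactly like GET; see {@link #processRequest}. */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        processRequest(httpServletRequest, httpServletResponse);
    }

    /** Container-facing description; still the IDE template placeholder. */
    @Override
    public String getServletInfo() {
        return "Short description";
    }

    /**
     * Reads one mandatory init-parameter, counting it in {@link #paramsMissing} when absent.
     *
     * @param servletConfig source of init-parameters
     * @param name          parameter name
     * @return the value, or {@code null} when not configured
     */
    private static String requiredParameter(ServletConfig servletConfig, String name) {
        String value = servletConfig.getInitParameter(name);
        if (value == null) {
            paramsMissing++;
            ctx.log(String.format("DUCS: Cannot read property %s.", name));
        } else {
            logDebug(String.format("DUCS: %s = %s.", name, value));
        }
        return value;
    }

    /**
     * Reads the debug flag, the allow-list, the issuer key/certificate locations and the key
     * passphrase from the servlet init-parameters. The passphrase itself is never logged.
     */
    private static void getInitParams(ServletConfig servletConfig) {
        // TransformerFactoryImpl.DEBUG is a Xalan constant whose value is used here as the
        // init-parameter name; presumably the original source used a string literal and the
        // decompiler resolved it to this constant — confirm before replacing it.
        debug = Boolean.parseBoolean(servletConfig.getInitParameter(TransformerFactoryImpl.DEBUG));
        ctx.log("DEBUG is set to " + debug);
        // NOTE(review): a missing allowedCNs is not treated as a configuration error here.
        allowedCNs = servletConfig.getInitParameter("allowedCNs");
        issuerKeyPairFilename = requiredParameter(servletConfig, "issuerKeyPairFilename");
        String password = servletConfig.getInitParameter("issuerKeyPairPassword");
        if (password == null || password.equals("")) {
            ctx.log("DUCS: Cannot read property issuerKeyPairPassword.");
        } else {
            issuerKeyPairPassword = password.toCharArray();
        }
        logDebug(String.format("DUCS: issuerKeyPairPassword is %s",
                issuerKeyPairPassword == null ? "not set." : "set, but not logged here."));
        issuerCertificateFilename = requiredParameter(servletConfig, "issuerCertificateFilename");
    }

    /**
     * Loads the issuer private key from {@link #issuerKeyPairFilename}; the stream is always closed.
     *
     * @throws ServletException if the file is unreadable or yields no key
     */
    private static PrivateKey loadIssuerKey(SecurityCommons securityCommons)
            throws ServletException, IOException, NoSuchAlgorithmException, CertificateException {
        if (!new File(issuerKeyPairFilename).canRead()) {
            ctx.log(String.format("DUCS: Fatal - can't read key %s", issuerKeyPairFilename));
            throw new ServletException(String.format("DUCS: Couldn't read %s", issuerKeyPairFilename));
        }
        FileInputStream keyStream = new FileInputStream(issuerKeyPairFilename);
        PrivateKey key;
        try {
            key = securityCommons.readPrivateKey(keyStream, issuerKeyPairPassword);
        } finally {
            keyStream.close();
        }
        if (key == null) {
            ctx.log(String.format("DUCS: Couldn't read %s.%n", issuerKeyPairFilename));
            ctx.log(String.format("DUCS: Check the passphrase or permissions on %s.%n", issuerKeyPairFilename));
            throw new ServletException(String.format("DUCS: Couldn't read %s", issuerKeyPairFilename));
        }
        return key;
    }

    /**
     * Loads the issuer certificate from {@link #issuerCertificateFilename}; the stream is always closed.
     *
     * @throws ServletException if the file is unreadable or yields no certificate
     */
    private static X509Certificate loadIssuerCertificate(SecurityCommons securityCommons)
            throws ServletException, IOException, NoSuchAlgorithmException, CertificateException {
        if (!new File(issuerCertificateFilename).canRead()) {
            ctx.log(String.format("DUCS: Fatal - can't read certificate %s", issuerCertificateFilename));
            throw new ServletException(String.format("DUCS: Couldn't read %s", issuerCertificateFilename));
        }
        FileInputStream certStream = new FileInputStream(issuerCertificateFilename);
        X509Certificate certificate;
        try {
            certificate = securityCommons.getCertFromStream(certStream);
        } finally {
            certStream.close();
        }
        if (certificate == null) {
            ctx.log(String.format("DUCS: Couldn't read %s.%n", issuerCertificateFilename));
            throw new ServletException(String.format("DUCS: Couldn't read %s", issuerCertificateFilename));
        }
        return certificate;
    }

    /**
     * Parses an optional non-negative lifetime init-parameter.
     *
     * @return -1 when the parameter is absent, otherwise the value clamped to at least 0
     * @throws ServletException if the value is present but not an integer
     */
    private static int parseLifetime(ServletConfig servletConfig, String name) throws ServletException {
        String value = servletConfig.getInitParameter(name);
        if (value == null) {
            return -1;
        }
        try {
            return Math.max(Integer.parseInt(value), 0);
        } catch (NumberFormatException e) {
            throw new ServletException(String.format("DUCS: Init parameter %s is not an integer: %s", name, value), e);
        }
    }

    /**
     * Sets {@link #days} and {@link #hours} from {@code certLifetimeDays}/{@code certLifetimeHours}.
     *
     * <p>The {@value #DEFAULT_LIFETIME_HOURS}-hour default applies only when both values parse
     * to 0. NOTE(review): when neither parameter is set both stay -1 and the default is not
     * applied; how createUserCertificateWithSAML treats negative values is not visible here.
     */
    private static void configureLifetime(ServletConfig servletConfig) throws ServletException {
        days = parseLifetime(servletConfig, "certLifetimeDays");
        if (debug && days > 0) {
            ctx.log(String.format("DUCS: Cert lifetime is %d days.%n", Integer.valueOf(days)));
        }
        hours = parseLifetime(servletConfig, "certLifetimeHours");
        if (debug && hours >= 0) {
            ctx.log(String.format("DUCS: Cert lifetime is %d hours.%n", Integer.valueOf(hours)));
        }
        if (days == 0 && hours == 0) {
            hours = DEFAULT_LIFETIME_HOURS;
            logDebug(String.format("DUCS: No certificate lifetime parameters set - using default of %s hours.",
                    Integer.valueOf(DEFAULT_LIFETIME_HOURS)));
        }
    }

    /**
     * One-time set-up: registers BouncyCastle, reads init-parameters, loads the issuer key and
     * certificate, configures the certificate lifetime and obtains the EntityManager.
     *
     * <p>Any failure to obtain the issuer material is fatal: the exception is logged with its
     * cause and rethrown as {@link ServletException} so the container marks the servlet
     * unavailable instead of serving 500s on every request.
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        SecurityCommons securityCommons = new SecurityCommons();
        ctx = servletConfig.getServletContext();
        ctx.log("DUCS: Starting");
        // Serials start at the current time in milliseconds and count up.
        // NOTE(review): this is predictable and can repeat across restarts if more certificates
        // were issued than milliseconds elapsed; CA practice favours serials carrying at least
        // 64 bits of unpredictable content.
        serialNumber = BigInteger.valueOf(System.currentTimeMillis());
        Security.addProvider(new BouncyCastleProvider());
        getInitParams(servletConfig);
        if (paramsMissing != 0) {
            String message = String.format("DUCS: Missing %d parameter values", Integer.valueOf(paramsMissing));
            ctx.log(message);
            throw new ServletException(message);
        }
        try {
            issuerKey = loadIssuerKey(securityCommons);
            ctx.log(String.format("DUCS: Parsed Key OK - format %s.", issuerKey.getAlgorithm()));
            issuerCertificate = loadIssuerCertificate(securityCommons);
            // the subject DN is reversed so it can be prefixed to the user RDNs in processRequest
            issuerName = securityCommons.reverse(issuerCertificate.getSubjectDN().getName(), ",");
            logDebug(String.format("DUCS: Issuer name = %s.", issuerName));
            configureLifetime(servletConfig);
            PersistenceUtils persistenceUtils = PersistenceUtils.getInstance();
            if (persistenceUtils == null) {
                persistenceUtils = PersistenceUtils.createInstance("appPU");
            }
            em = persistenceUtils.getEntityManager();
        } catch (IOException e) {
            throw fatal(e);
        } catch (NoSuchAlgorithmException e) {
            String message = "DUCS: Fatal: Cannot find algorithm to read key pair. Check location of BouncyCastle JARs";
            ctx.log(message, e);
            throw new ServletException(message, e);
        } catch (CertificateException e) {
            throw fatal(e);
        } catch (NullPointerException e) {
            throw fatal(e);
        }
    }
}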
