package ca.nrc.cadc.cred.client;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.auth.X509CertificateChain;
import ca.nrc.cadc.cred.CertUtil;
import ca.nrc.cadc.net.HttpGet;
import ca.nrc.cadc.net.NetUtil;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.RegistryClient;
import ca.nrc.cadc.util.Base64;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;

/* loaded from: input_file:ca/nrc/cadc/cred/client/CredClient.class */
public class CredClient {
    private static Logger LOGGER = Logger.getLogger(CredClient.class);
    private URI serviceID;

    public CredClient(URI uri) {
        if (uri == null) {
            throw new IllegalArgumentException("invalid serviceID: " + uri);
        }
        if (uri.getFragment() != null) {
            throw new IllegalArgumentException("invalid serviceID (fragment not allowed): " + uri);
        }
        this.serviceID = uri;
    }

    public X509CertificateChain getProxyCertificate(Subject subject, double d) throws AccessControlException, CertificateException, IOException, ResourceNotFoundException {
        X500Principal x500Principal = null;
        HttpPrincipal httpPrincipal = null;
        for (Principal principal : subject.getPrincipals()) {
            if ((principal instanceof X500Principal) && x500Principal == null) {
                x500Principal = (X500Principal) principal;
            } else if ((principal instanceof HttpPrincipal) && httpPrincipal == null) {
                httpPrincipal = (HttpPrincipal) principal;
            }
        }
        StringBuilder sb = new StringBuilder();
        if (x500Principal != null) {
            sb.append("/dn/").append(NetUtil.encode(AuthenticationUtil.canonizeDistinguishedName(x500Principal.getName())));
        } else {
            if (httpPrincipal == null) {
                throw new UnsupportedOperationException("current subject lacks supported principal type");
            }
            sb.append("/userid/").append(httpPrincipal.getName());
        }
        if (d > 0.0d) {
            sb.append("?daysValid=").append(String.valueOf(d));
        }
        LOGGER.debug("serviceID: " + this.serviceID);
        URL serviceURL = getRegistryClient().getServiceURL(this.serviceID, Standards.CRED_PROXY_10, AuthMethod.CERT);
        if (serviceURL == null) {
            throw new RuntimeException("lookup failed: " + this.serviceID + " + " + Standards.CRED_PROXY_10 + " + " + AuthMethod.CERT);
        }
        URL url = new URL(serviceURL.toExternalForm() + sb.toString());
        LOGGER.debug("getCertficate: " + url.toString());
        return downloadCertificate(url);
    }

    public void delegate(double d) throws MalformedURLException, IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, CertificateExpiredException, CertificateNotYetValidException, ResourceNotFoundException {
        delegate(null, d);
    }

    public void delegate(X500Principal x500Principal, double d) throws MalformedURLException, IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, CertificateExpiredException, CertificateNotYetValidException, ResourceNotFoundException {
        StringBuilder sb = new StringBuilder(64);
        if (x500Principal != null) {
            sb.append("?DN=");
            sb.append(URLEncoder.encode(x500Principal.getName(), "UTF-8"));
        }
        URL url = new URL(getRegistryClient().getServiceURL(this.serviceID, Standards.CRED_DELEGATE_10, AuthMethod.CERT).toExternalForm() + "/" + sb.toString());
        LOGGER.debug("delegate(), URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("POST");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("create step in delegate(), response code: " + responseCode);
        LOGGER.debug("create step in delegate(), response message: " + responseMessage);
        switch (responseCode) {
            case 200:
            case 400:
            case 409:
                throw new IllegalArgumentException(responseMessage);
            case 201:
                String headerField = openConnection.getHeaderField("Location");
                putSignedCert(headerField, createProxyCertChain(generateV3Certificate(readCSR(getEncodedCSR(headerField, x500Principal).getBytes()), ((int) d) * 24 * 60 * 60)), x500Principal);
                return;
            case 401:
                throw new AccessControlException(responseMessage);
            case 404:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public String createResoure(X500Principal x500Principal) throws IOException, ResourceNotFoundException {
        StringBuilder sb = new StringBuilder(64);
        if (x500Principal != null) {
            sb.append("?DN=");
            sb.append(URLEncoder.encode(x500Principal.getName(), "UTF-8"));
        }
        URL url = new URL(getRegistryClient().getServiceURL(this.serviceID, Standards.CRED_DELEGATE_10, AuthMethod.CERT).toExternalForm() + "/" + sb.toString());
        LOGGER.debug("delegate(), URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("POST");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("create step in delegate(), response code: " + responseCode);
        LOGGER.debug("create step in delegate(), response message: " + responseMessage);
        switch (responseCode) {
            case 200:
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            case 201:
                return openConnection.getHeaderField("Location");
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 403:
                throw new AccessControlException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public void deleteResource(X500Principal x500Principal) throws IOException, CertificateException, ResourceNotFoundException {
        String location = getLocation(x500Principal);
        StringBuilder sb = new StringBuilder(64);
        sb.append(location);
        if (x500Principal != null) {
            sb.append("?DN=");
            sb.append(URLEncoder.encode(x500Principal.getName(), "UTF-8"));
        }
        URL url = new URL(sb.toString());
        LOGGER.debug("delegate(), URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("DELETE");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(false);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("delete step in delegate(), response code: " + responseCode);
        LOGGER.debug("delete step in delegate(), response message: " + responseMessage);
        switch (responseCode) {
            case 204:
                return;
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 403:
                throw new AccessControlException(responseMessage);
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public String getEncodedCSR(X500Principal x500Principal) throws IOException, InvalidKeyException, CertificateEncodingException, CertificateParsingException, CertificateExpiredException, CertificateNotYetValidException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, ResourceNotFoundException {
        String location = getLocation(x500Principal);
        if (location == null) {
            throw new IllegalArgumentException("No certificate found for " + x500Principal);
        }
        return getEncodedCSR(location, x500Principal);
    }

    private String getEncodedCSR(String str, X500Principal x500Principal) throws IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, CertificateExpiredException, CertificateNotYetValidException, ResourceNotFoundException {
        URL url = new URL(str + "/CSR");
        LOGGER.debug("get CSR step in delegate(), URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("GET");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("get CSR step in delegate(), response code: " + responseCode);
        LOGGER.debug("get CSR step in delegate(), response message: " + responseMessage);
        switch (responseCode) {
            case 200:
                try {
                    InputStream inputStream = openConnection.getInputStream();
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    byte[] bArr = new byte[1024];
                    while (true) {
                        int read = inputStream.read(bArr, 0, bArr.length);
                        if (read == -1) {
                            byteArrayOutputStream.flush();
                            byte[] byteArray = byteArrayOutputStream.toByteArray();
                            inputStream.close();
                            LOGGER.debug("Downloaded CSR of size: " + byteArray.length);
                            return new String(byteArray);
                        }
                        byteArrayOutputStream.write(bArr, 0, read);
                    }
                } catch (UnsupportedEncodingException e) {
                    throw new RuntimeException("UTF-8 encoding not supported");
                }
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 403:
                throw new AccessControlException(responseMessage);
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public X509Certificate[] getCertificate(X500Principal x500Principal) throws IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, CertificateException, ResourceNotFoundException {
        URL url = new URL(getLocation(x500Principal) + "/certificate");
        LOGGER.debug("get certificate, URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("GET");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("get certificate, response code: " + responseCode);
        LOGGER.debug("get certificate, response message: " + responseMessage);
        switch (responseCode) {
            case 200:
                try {
                    InputStream inputStream = openConnection.getInputStream();
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    byte[] bArr = new byte[1024];
                    while (true) {
                        int read = inputStream.read(bArr, 0, bArr.length);
                        if (read == -1) {
                            byteArrayOutputStream.flush();
                            byte[] byteArray = byteArrayOutputStream.toByteArray();
                            inputStream.close();
                            return SSLUtil.readCertificateChain(SSLUtil.getCertificates(byteArray));
                        }
                        byteArrayOutputStream.write(bArr, 0, read);
                    }
                } catch (UnsupportedEncodingException e) {
                    throw new RuntimeException("UTF-8 encoding not supported");
                }
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 401:
                throw new AccessControlException(responseMessage);
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public String getLocation(X500Principal x500Principal) throws IOException, CertificateException, ResourceNotFoundException {
        StringBuilder sb = new StringBuilder(64);
        if (x500Principal != null) {
            sb.append("?DN=");
            sb.append(URLEncoder.encode(x500Principal.getName(), "UTF-8"));
        }
        URL serviceURL = getRegistryClient().getServiceURL(this.serviceID, Standards.CRED_DELEGATE_10, AuthMethod.CERT);
        URL url = new URL(serviceURL.toExternalForm() + "/" + sb.toString());
        LOGGER.debug("get hash, URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("GET");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.connect();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("get hash, response code: " + responseCode);
        LOGGER.debug("get hash, response message: " + responseMessage);
        switch (responseCode) {
            case 200:
                try {
                    BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(openConnection.getInputStream()));
                    String readLine = bufferedReader.readLine();
                    if (bufferedReader.readLine() != null) {
                        throw new CertificateException("Only one hash expected");
                    }
                    return new URL(serviceURL.toExternalForm() + "/" + ("/" + readLine)).toExternalForm();
                } catch (UnsupportedEncodingException e) {
                    throw new RuntimeException("UTF-8 encoding not supported");
                }
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 401:
                throw new AccessControlException(responseMessage);
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    public void putSignedCert(X509Certificate[] x509CertificateArr) throws IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, ResourceNotFoundException {
        X500Principal subjectX500Principal = x509CertificateArr[0].getSubjectX500Principal();
        putSignedCert(getLocation(subjectX500Principal), x509CertificateArr, subjectX500Principal);
    }

    private X509Certificate[] createProxyCertChain(X509Certificate x509Certificate) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject != null) {
            Set publicCredentials = subject.getPublicCredentials(X509CertificateChain.class);
            if (publicCredentials.size() > 0) {
                X509Certificate[] chain = ((X509CertificateChain) publicCredentials.iterator().next()).getChain();
                X509Certificate[] x509CertificateArr = new X509Certificate[chain.length + 1];
                x509CertificateArr[0] = x509Certificate;
                for (int i = 0; i < chain.length; i++) {
                    x509CertificateArr[i + 1] = chain[i];
                }
                return x509CertificateArr;
            }
        }
        throw new IllegalStateException("current Subject does not contain a certficate chain");
    }

    private void putSignedCert(String str, X509Certificate[] x509CertificateArr, X500Principal x500Principal) throws IOException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, ResourceNotFoundException {
        LOGGER.debug("putSignedCert: " + x500Principal + " chain length: " + x509CertificateArr.length);
        StringBuilder sb = new StringBuilder(64);
        sb.append(str);
        sb.append("/certificate");
        if (x500Principal != null) {
            sb.append("?DN=");
            sb.append(URLEncoder.encode(x500Principal.getName(), "UTF-8"));
        }
        URL url = new URL(sb.toString());
        LOGGER.debug("put certificate step in delegate(), URL=" + url);
        HttpsURLConnection openConnection = openConnection(url);
        openConnection.setRequestMethod("PUT");
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        PEMWriter pEMWriter = new PEMWriter(new OutputStreamWriter(openConnection.getOutputStream()));
        for (X509Certificate x509Certificate : x509CertificateArr) {
            pEMWriter.writeObject(x509Certificate);
        }
        pEMWriter.flush();
        pEMWriter.close();
        String responseMessage = openConnection.getResponseMessage();
        int responseCode = openConnection.getResponseCode();
        LOGGER.debug("put certificate step in delegate(), response code: " + responseCode);
        LOGGER.debug("put certificate step in delegate(), response message: " + responseMessage);
        switch (responseCode) {
            case 200:
                LOGGER.debug("Certificate uploaded");
                return;
            case 400:
                throw new IllegalArgumentException(responseMessage);
            case 401:
                throw new AccessControlException(responseMessage);
            case 404:
            case 409:
                throw new ResourceNotFoundException(responseMessage);
            default:
                throw new RuntimeException("Unexpected failure mode: " + responseMessage + "(" + responseCode + ")");
        }
    }

    protected HttpsURLConnection openConnection(URL url) throws IOException {
        if (!url.getProtocol().equals("https")) {
            throw new IllegalArgumentException("Wrong protocol: " + url.getProtocol() + ". CDP works on https only");
        }
        SSLSocketFactory socketFactory = SSLUtil.getSocketFactory(Subject.getSubject(AccessController.getContext()));
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
        httpsURLConnection.setSSLSocketFactory(socketFactory);
        return httpsURLConnection;
    }

    public X509Certificate generateV3Certificate(PKCS10CertificationRequest pKCS10CertificationRequest, int i) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, CertificateParsingException, CertificateExpiredException, CertificateNotYetValidException {
        Subject subject = Subject.getSubject(AccessController.getContext());
        X509CertificateChain x509CertificateChain = null;
        if (subject != null) {
            Set publicCredentials = subject.getPublicCredentials(X509CertificateChain.class);
            if (publicCredentials.size() > 0) {
                x509CertificateChain = (X509CertificateChain) publicCredentials.iterator().next();
            }
        }
        if (x509CertificateChain == null) {
            throw new AccessControlException("Subject not authorized");
        }
        return CertUtil.generateCertificate(pKCS10CertificationRequest, i, x509CertificateChain);
    }

    public static PKCS10CertificationRequest readCSR(byte[] bArr) throws IOException {
        return new PKCS10CertificationRequest(getCSR(bArr));
    }

    protected RegistryClient getRegistryClient() {
        return new RegistryClient();
    }

    static byte[] getCSR(byte[] bArr) throws IOException {
        String str;
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(new ByteArrayInputStream(bArr)));
        String readLine = bufferedReader.readLine();
        StringBuilder sb = new StringBuilder();
        while (readLine != null) {
            if (readLine.startsWith("-----BEGIN CERTIFICATE REQUEST-")) {
                LOGGER.debug(readLine);
                String readLine2 = bufferedReader.readLine();
                while (true) {
                    str = readLine2;
                    if (str == null || str.startsWith("-----END CERTIFICATE REQUEST-")) {
                        break;
                    }
                    LOGGER.debug(str + " (" + str.length() + ")");
                    sb.append(str.trim());
                    readLine2 = bufferedReader.readLine();
                }
                LOGGER.debug(str);
                readLine = null;
            } else {
                readLine = bufferedReader.readLine();
            }
        }
        bufferedReader.close();
        String sb2 = sb.toString();
        LOGGER.debug("CERTIFICATE REQUEST: " + sb2);
        byte[] decode = Base64.decode(sb2);
        LOGGER.debug("RSA private key: " + decode.length + " bytes");
        return decode;
    }

    private X509CertificateChain downloadCertificate(URL url) throws AccessControlException, IOException, ResourceNotFoundException {
        Profiler profiler = new Profiler(getClass());
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            HttpGet httpGet = new HttpGet(url, byteArrayOutputStream);
            httpGet.run();
            if (httpGet.getThrowable() != null) {
                if (httpGet.getThrowable() instanceof IOException) {
                    throw ((IOException) httpGet.getThrowable());
                }
                if (httpGet.getThrowable() instanceof AccessControlException) {
                    throw ((AccessControlException) httpGet.getThrowable());
                }
                if (httpGet.getThrowable() instanceof FileNotFoundException) {
                    throw new ResourceNotFoundException(httpGet.getThrowable().getMessage(), httpGet.getThrowable());
                }
                throw new RuntimeException("unexpected failure download certificate", httpGet.getThrowable());
            }
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            LOGGER.debug("Downloaded Certificate of size: " + byteArray.length);
            profiler.checkpoint("downloadCertificate");
            if (byteArray == null || byteArray.length <= 0) {
                throw new RuntimeException("No content in certificate");
            }
            try {
                try {
                    X509CertificateChain readPemCertificateAndKey = SSLUtil.readPemCertificateAndKey(byteArray);
                    profiler.checkpoint("parseCertificate");
                    return readPemCertificateAndKey;
                } catch (GeneralSecurityException e) {
                    LOGGER.warn(e);
                    throw new IllegalStateException("Could not parse the certificate", e);
                }
            } catch (Throwable th) {
                profiler.checkpoint("parseCertificate");
                throw th;
            }
        } catch (Throwable th2) {
            profiler.checkpoint("downloadCertificate");
            throw th2;
        }
    }
}
