package org.apache.nifi.security.util;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.Socket;
import java.net.URL;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.security.cert.CertificateEncodingException;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.2.0.jar:org/apache/nifi/security/util/CertificateUtils.class */
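/**
 * Static helpers for X.509 certificate handling: keystore validation, DN string manipulation,
 * peer-DN extraction from TLS sockets, and a small self-signed / issued certificate generator
 * built on Bouncy Castle.
 *
 * <p>Loading this class registers the Bouncy Castle JCE provider via {@link Security#addProvider}
 * (a process-wide side effect). All members are static; the serial-number generator is the only
 * piece of mutable state and is guarded by the class monitor.</p>
 */
public final class CertificateUtils {
    private static final String PEER_NOT_AUTHENTICATED_MSG = "peer not authenticated";
    private static final Logger logger = LoggerFactory.getLogger(CertificateUtils.class);

    /** Preferred position of well-known attribute types in {@link #reorderDn(String)}; unknown types sort after these. */
    private static final Map<ASN1ObjectIdentifier, Integer> dnOrderMap = createDnOrderMap();

    /** Key usage bits placed on the self-signed (CA) certificate; equals the original literal 254 (0xFE). */
    private static final int CA_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.keyCertSign | KeyUsage.cRLSign;

    /** Key usage bits placed on issued end-entity certificates; equals the original literal 248 (0xF8) - no keyCertSign/cRLSign. */
    private static final int END_ENTITY_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment | KeyUsage.keyAgreement;

    // Serial-number generator state; only read or written inside the synchronized getUniqueSerialNumber().
    private static long lastSerialNumberMillis = 0L;
    private static int serialNumberIncrementor = 0;
    private static BigInteger millisecondBigInteger;

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Client-authentication mode of a server-side {@link SSLSocket}, derived from
     * {@link SSLSocket#getNeedClientAuth()} / {@link SSLSocket#getWantClientAuth()}.
     */
    public enum ClientAuth {
        NONE(0, "none"),
        WANT(1, "want"),
        NEED(2, "need");

        private final int value;
        private final String description;

        ClientAuth(int value, String description) {
            this.value = value;
            this.description = description;
        }

        @Override
        public String toString() {
            return "Client Auth: " + this.description + " (" + this.value + ")";
        }
    }

    /**
     * Builds the fixed attribute ordering used by {@link #reorderDn(String)}:
     * CN, L, ST, O, OU, C, STREET, DC, UID (index 0..8).
     */
    private static Map<ASN1ObjectIdentifier, Integer> createDnOrderMap() {
        ASN1ObjectIdentifier[] ordered = {
            BCStyle.CN, BCStyle.L, BCStyle.ST, BCStyle.O, BCStyle.OU, BCStyle.C, BCStyle.STREET, BCStyle.DC, BCStyle.UID
        };
        Map<ASN1ObjectIdentifier, Integer> order = new HashMap<ASN1ObjectIdentifier, Integer>();
        for (int position = 0; position < ordered.length; position++) {
            order.put(ordered[position], position);
        }
        return Collections.unmodifiableMap(order);
    }

    /**
     * Checks whether the keystore at {@code keystoreUrl} can be opened and loaded with the given type and password.
     * Any failure - unreadable URL, wrong store type, wrong password or integrity-check failure - yields {@code false};
     * the cause is logged at debug level only, so a wrong password is not surfaced in routine logs.
     *
     * @param keystoreUrl  location of the keystore
     * @param keystoreType store type, used via {@link Enum#name()} to obtain the {@code KeyStore}
     * @param password     store password
     * @return {@code true} if the store loaded successfully
     * @throws IllegalArgumentException if any argument is null
     */
    public static boolean isStoreValid(URL keystoreUrl, KeystoreType keystoreType, char[] password) {
        if (keystoreUrl == null) {
            throw new IllegalArgumentException("keystore may not be null");
        }
        if (keystoreType == null) {
            throw new IllegalArgumentException("keystore type may not be null");
        }
        if (password == null) {
            throw new IllegalArgumentException("password may not be null");
        }
        BufferedInputStream in = null;
        try {
            in = new BufferedInputStream(keystoreUrl.openStream());
            KeyStoreUtils.getKeyStore(keystoreType.name()).load(in, password);
            return true;
        } catch (Exception e) {
            logger.debug("Keystore at {} could not be loaded as type {}", keystoreUrl, keystoreType, e);
            return false;
        } finally {
            // Explicit close (not try-with-resources) so a failure to close is only a warning and never
            // turns a successfully loaded store into a "not valid" result.
            closeQuietly(in);
        }
    }

    /** Closes {@code in} if non-null, logging (not propagating) an {@link IOException}. */
    private static void closeQuietly(BufferedInputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException e) {
            logger.warn("Failed to close input stream", e);
        }
    }

    /**
     * Extracts the value of the first {@code CN=} attribute from a DN string, accepting both comma-separated
     * ({@code CN=a, O=b}) and slash-separated ({@code /O=b/CN=a}) forms. If no {@code CN=} is present the input is
     * returned unchanged (including null or blank input).
     *
     * <p>This is a plain substring scan: it does not honour RFC 4514 escaping, so a CN containing an escaped
     * delimiter ({@code CN=Doe\, John}) is truncated at the delimiter.</p>
     *
     * @param dn the distinguished name string
     * @return the CN value, or the input when none is found
     */
    public static String extractUsername(String dn) {
        String username = dn;
        if (StringUtils.isNotBlank(dn)) {
            // "/cn=" somewhere after the start marks the slash-delimited form; otherwise assume commas.
            String delimiter = StringUtils.indexOfIgnoreCase(dn, "/cn=") > 0 ? "/" : ",";
            int cnIndex = StringUtils.indexOfIgnoreCase(dn, "cn=");
            if (cnIndex >= 0) {
                int valueStart = cnIndex + "cn=".length();
                int delimiterIndex = StringUtils.indexOf(dn, delimiter, cnIndex);
                username = delimiterIndex > 0
                        ? StringUtils.substring(dn, valueStart, delimiterIndex)
                        : StringUtils.substring(dn, valueStart);
            }
        }
        return username;
    }

    /**
     * Returns the string-valued Subject Alternative Names of a certificate, lower-cased.
     *
     * <p>Each entry from {@link X509Certificate#getSubjectAlternativeNames()} is a {@code [type, value]} pair; the JDK
     * represents rfc822Name, dNSName, directoryName, URI, iPAddress and registeredID values as {@code String}, while
     * otherName, x400Address and ediPartyName are {@code byte[]} and are skipped here. Lower-casing uses
     * {@link Locale#ROOT} so that host-name comparison is not affected by the JVM default locale.</p>
     *
     * @param certificate the certificate to inspect
     * @return the names (possibly empty, never null)
     * @throws CertificateParsingException if the SAN extension cannot be decoded
     */
    public static List<String> getSubjectAlternativeNames(X509Certificate certificate) throws CertificateParsingException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
        if (altNames == null) {
            return names;
        }
        for (List<?> entry : altNames) {
            Object value = entry.get(1);
            if (value instanceof String) {
                names.add(((String) value).toLowerCase(Locale.ROOT));
            }
        }
        return names;
    }

    /**
     * Extracts the subject DN of the remote peer's certificate from a TLS socket.
     *
     * <p>For a socket in client mode the server certificate is used; for a socket in server mode the client
     * certificate is used, subject to the socket's client-auth setting. Returns {@code null} for a non-SSL socket,
     * and for a server-mode socket when client auth is {@code NONE} or when it is {@code WANT} and the client sent no
     * certificate - callers must treat a null DN as "unauthenticated peer".</p>
     *
     * @param socket the connected socket
     * @return the trimmed subject DN string, or null
     * @throws CertificateException if a required peer certificate is missing or cannot be converted
     */
    public static String extractPeerDNFromSSLSocket(Socket socket) throws CertificateException {
        if (!(socket instanceof SSLSocket)) {
            return null;
        }
        SSLSocket sslSocket = (SSLSocket) socket;
        boolean clientMode = sslSocket.getUseClientMode();
        logger.debug("SSL Socket in {} mode", clientMode ? "client" : "server");
        logger.debug("SSL Socket client auth status: {}", getClientAuthStatus(sslSocket));
        if (clientMode) {
            logger.debug("This socket is in client mode, so attempting to extract certificate from remote 'server' socket");
            return extractPeerDNFromServerSSLSocket(sslSocket);
        }
        logger.debug("This socket is in server mode, so attempting to extract certificate from remote 'client' socket");
        return extractPeerDNFromClientSSLSocket(sslSocket);
    }

    /**
     * Server-side extraction of the client's subject DN.
     *
     * <p>The DN string is produced by the legacy {@code getSubjectDN().getName()} form; it is deliberately kept because
     * downstream identity mappings compare against this exact string representation.</p>
     *
     * @return the DN, or null when client auth is NONE, no certificate was sent under WANT, or the chain is empty
     * @throws CertificateException if client auth is NEED and the peer was not authenticated
     */
    private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) throws CertificateException {
        ClientAuth clientAuth = getClientAuthStatus(sslSocket);
        logger.debug("SSL Socket client auth status: {}", clientAuth);
        if (clientAuth == ClientAuth.NONE) {
            // Client certificates were never requested during the handshake; nothing to extract.
            return null;
        }
        try {
            Certificate[] peerChain = sslSocket.getSession().getPeerCertificates();
            if (peerChain == null || peerChain.length == 0) {
                return null;
            }
            // SSLSession contract: the peer's own (leaf) certificate is the first element of the chain.
            String dn = convertAbstractX509Certificate(peerChain[0]).getSubjectDN().getName().trim();
            logger.debug("Extracted DN={} from client certificate", dn);
            return dn;
        } catch (SSLPeerUnverifiedException e) {
            // Constant-first equals: the exception message may be null.
            if (PEER_NOT_AUTHENTICATED_MSG.equals(e.getMessage())) {
                logger.error("The incoming request did not contain client certificates and thus the DN cannot be extracted. Check that the other endpoint is providing a complete client certificate chain");
            }
            if (clientAuth != ClientAuth.WANT) {
                throw new CertificateException(e);
            }
            logger.warn("Suppressing missing client certificate exception because client auth is set to 'want'");
            return null;
        }
    }

    /**
     * Client-side extraction of the server's subject DN. Unlike the client-certificate case, a missing or
     * unverified server certificate is always an error.
     *
     * @return the DN, or null for a non-SSL socket or an empty chain
     * @throws CertificateException if the server presented no verifiable certificate
     */
    private static String extractPeerDNFromServerSSLSocket(Socket socket) throws CertificateException {
        if (!(socket instanceof SSLSocket)) {
            return null;
        }
        try {
            Certificate[] peerChain = ((SSLSocket) socket).getSession().getPeerCertificates();
            if (peerChain == null || peerChain.length == 0) {
                return null;
            }
            String dn = convertAbstractX509Certificate(peerChain[0]).getSubjectDN().getName().trim();
            logger.debug("Extracted DN={} from server certificate", dn);
            return dn;
        } catch (SSLPeerUnverifiedException e) {
            if (PEER_NOT_AUTHENTICATED_MSG.equals(e.getMessage())) {
                logger.error("The server did not present a certificate and thus the DN cannot be extracted. Check that the other endpoint is providing a complete certificate chain");
            }
            throw new CertificateException(e);
        }
    }

    /** Maps the socket's need/want flags to a {@link ClientAuth}; NEED takes precedence over WANT. */
    private static ClientAuth getClientAuthStatus(SSLSocket sslSocket) {
        if (sslSocket.getNeedClientAuth()) {
            return ClientAuth.NEED;
        }
        return sslSocket.getWantClientAuth() ? ClientAuth.WANT : ClientAuth.NONE;
    }

    /**
     * Converts a legacy {@link javax.security.cert.X509Certificate} to the {@code java.security.cert} type by
     * re-parsing its DER encoding.
     *
     * @throws IllegalArgumentException if the input is null
     * @throws CertificateException     if the certificate cannot be encoded or re-parsed
     */
    public static X509Certificate convertLegacyX509Certificate(javax.security.cert.X509Certificate legacyCertificate) throws CertificateException {
        if (legacyCertificate == null) {
            throw new IllegalArgumentException("The X.509 certificate cannot be null");
        }
        try {
            return formX509Certificate(legacyCertificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Narrows an abstract {@link Certificate} to an {@link X509Certificate} by re-parsing its DER encoding with the
     * default X.509 {@link CertificateFactory}.
     *
     * @throws IllegalArgumentException if the input is null or not an X.509 certificate
     * @throws CertificateException     if the certificate cannot be encoded or re-parsed
     */
    public static X509Certificate convertAbstractX509Certificate(Certificate certificate) throws CertificateException {
        // instanceof is false for null, so this also covers the null case.
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("The certificate cannot be null and must be an X.509 certificate");
        }
        try {
            return formX509Certificate(certificate.getEncoded());
        } catch (java.security.cert.CertificateEncodingException e) {
            throw new CertificateException(e);
        }
    }

    /** Parses DER-encoded certificate bytes; the failure is logged before being rethrown. */
    private static X509Certificate formX509Certificate(byte[] encoded) throws CertificateException {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException e) {
            logger.error("Error converting the certificate", e);
            throw e;
        }
    }

    /**
     * Re-serialises a DN string with its RDNs sorted into the fixed order of {@link #createDnOrderMap()}
     * (CN, L, ST, O, OU, C, STREET, DC, UID), followed by any other attribute types ordered by OID.
     * Only the first attribute of a multi-valued RDN is considered for ordering.
     *
     * @param dn the DN in a form {@link X500Name#X500Name(String)} accepts
     * @return the reordered DN string
     * @throws IllegalArgumentException if the DN cannot be parsed
     */
    public static String reorderDn(String dn) {
        RDN[] rdns = new X500Name(dn).getRDNs();
        Arrays.sort(rdns, new Comparator<RDN>() {
            @Override
            public int compare(RDN left, RDN right) {
                ASN1ObjectIdentifier leftType = left.getFirst().getType();
                ASN1ObjectIdentifier rightType = right.getFirst().getType();
                Integer leftRank = dnOrderMap.get(leftType);
                Integer rightRank = dnOrderMap.get(rightType);
                if (leftRank != null && rightRank != null) {
                    return Integer.compare(leftRank, rightRank);
                }
                if (leftRank != null) {
                    return -1;   // known types sort before unknown ones
                }
                if (rightRank != null) {
                    return 1;
                }
                // Neither type is in the table: fall back to OID string order.
                return leftType.getId().compareTo(rightType.getId());
            }
        });
        return new X500Name(rdns).toString();
    }

    /** Returns a new name with the RDN sequence reversed (string order vs. DER order). */
    private static X500Name reverseX500Name(X500Name name) {
        List<RDN> rdns = new ArrayList<RDN>(Arrays.asList(name.getRDNs()));
        Collections.reverse(rdns);
        return new X500Name(rdns.toArray(new RDN[rdns.size()]));
    }

    /**
     * Produces a serial number that is unique within this JVM: the current epoch milliseconds shifted left 32 bits
     * plus a per-millisecond counter. Always positive, so it satisfies RFC 5280's positive-integer requirement.
     *
     * <p>NOTE(review): the value is fully predictable and carries no CSPRNG entropy, which the CA/Browser Forum
     * baseline requirements forbid for publicly trusted CAs; this is acceptable only for the internal CA use here.
     * A system clock stepped backwards can also re-issue a previously used serial.</p>
     */
    protected static synchronized BigInteger getUniqueSerialNumber() {
        long now = System.currentTimeMillis();
        int sequence;
        if (lastSerialNumberMillis != now) {
            millisecondBigInteger = BigInteger.valueOf(now).shiftLeft(32);
            lastSerialNumberMillis = now;
            serialNumberIncrementor = 1;
            sequence = 0;
        } else {
            sequence = serialNumberIncrementor++;
        }
        return millisecondBigInteger.add(BigInteger.valueOf(sequence));
    }

    /**
     * Generates a self-signed CA certificate for {@code keyPair} with subject == issuer == {@code dn}.
     * Extensions: keyUsage (critical, CA bits), basicConstraints CA:true (critical, as RFC 5280 §4.2.1.9 requires
     * for CA certificates - the original marked it non-critical), SKI/AKI from the key pair, and EKU
     * clientAuth + serverAuth so the certificate can also be used directly as a TLS identity.
     *
     * <p>The validity window starts at "now" with no back-dating, so peers whose clocks lag will reject the
     * certificate briefly after issuance.</p>
     *
     * @param keyPair                 the CA key pair
     * @param dn                      subject/issuer DN string
     * @param signingAlgorithm        JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param certificateDurationDays validity in days from now
     * @throws CertificateException wrapping any signer, extension or conversion failure
     */
    public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
        try {
            ContentSigner signer = new JcaContentSignerBuilder(signingAlgorithm)
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .build(keyPair.getPrivate());
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
            Date notBefore = new Date();
            Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
            // Same name for subject and issuer; reversed so the DER sequence starts with the least specific RDN.
            X500Name name = reverseX500Name(new X500Name(dn));
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, getUniqueSerialNumber(), notBefore, notAfter, name, subjectPublicKeyInfo);
            JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(CA_KEY_USAGE));
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
            builder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
            builder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
            builder.addExtension(Extension.extendedKeyUsage, false,
                    new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}));
            return new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate(builder.build(signer));
        } catch (NoSuchAlgorithmException | CertIOException | OperatorCreationException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Issues an end-entity certificate with no requested extensions; see the seven-argument overload.
     */
    public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
        return generateIssuedCertificate(dn, publicKey, null, issuer, issuerKeyPair, signingAlgorithm, certificateDurationDays);
    }

    /**
     * Issues an end-entity certificate for {@code publicKey} / {@code dn} signed by {@code issuerKeyPair}.
     *
     * <p>The issuer name is copied from the DER encoding of {@code issuer}'s subject, so the issued certificate
     * chains to the CA byte-for-byte (the original re-parsed the RFC 2253 string form, which can re-encode
     * attribute value types). Extensions: SKI from the subject key, AKI from the issuer key, keyUsage (critical,
     * no keyCertSign/cRLSign), basicConstraints CA:false, EKU clientAuth + serverAuth.</p>
     *
     * <p>Of the requested {@code extensions} only subjectAlternativeName is honoured; everything else is ignored,
     * so a requester cannot obtain CA:true or certificate-signing key usage through the CSR. The SAN values
     * themselves are copied without validation - callers must authorise the requested names before issuing.</p>
     *
     * @param dn                      subject DN string
     * @param publicKey               subject public key
     * @param extensions              extensions requested in the CSR, or null
     * @param issuer                  the CA certificate whose subject becomes the issuer name
     * @param issuerKeyPair           the CA key pair used to sign
     * @param signingAlgorithm        JCA signature algorithm name
     * @param certificateDurationDays validity in days from now
     * @throws CertificateException wrapping any signer, extension or conversion failure
     */
    public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
        try {
            ContentSigner signer = new JcaContentSignerBuilder(signingAlgorithm)
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .build(issuerKeyPair.getPrivate());
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
            Date notBefore = new Date();
            Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
            X500Name issuerName = X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded());
            X500Name subjectName = reverseX500Name(new X500Name(dn));
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerName, getUniqueSerialNumber(), notBefore, notAfter, subjectName, subjectPublicKeyInfo);
            JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            builder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(publicKey));
            builder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKeyPair.getPublic()));
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(END_ENTITY_KEY_USAGE));
            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
            builder.addExtension(Extension.extendedKeyUsage, false,
                    new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}));
            if (extensions != null && extensions.getExtension(Extension.subjectAlternativeName) != null) {
                builder.addExtension(Extension.subjectAlternativeName, false,
                        extensions.getExtensionParsedValue(Extension.subjectAlternativeName));
            }
            return new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate(builder.build(signer));
        } catch (NoSuchAlgorithmException | CertIOException | OperatorCreationException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Compares two DN strings as sets of RDNs using {@link LdapName} semantics: equal when both parse and contain
     * the same RDNs regardless of order. Null is treated as the empty string, and an empty DN only equals another
     * empty DN. A DN that fails to parse is never equal to anything (logged at warn).
     *
     * @return {@code true} if the DNs denote the same name
     */
    public static boolean compareDNs(String dn1, String dn2) {
        String left = dn1 == null ? "" : dn1;
        String right = dn2 == null ? "" : dn2;
        if (StringUtils.isEmpty(left) || StringUtils.isEmpty(right)) {
            return left.equals(right);
        }
        try {
            List<Rdn> leftRdns = new LdapName(left).getRdns();
            List<Rdn> rightRdns = new LdapName(right).getRdns();
            // Same size plus containsAll gives order-insensitive equality (Rdn.equals normalises case).
            return leftRdns.size() == rightRdns.size() && leftRdns.containsAll(rightRdns);
        } catch (InvalidNameException e) {
            logger.warn("Cannot compare DNs: {} and {} because one or both is not a valid DN", left, right);
            return false;
        }
    }

    /**
     * Returns the extensions carried in a CSR's first non-empty {@code pkcs-9-at-extensionRequest} attribute,
     * or null when the CSR requests none. An extensionRequest attribute with an empty value set - possible in a
     * malformed CSR from an untrusted client - is skipped rather than raising an index exception.
     *
     * @param csr the parsed PKCS#10 request
     * @return the requested extensions, or null
     */
    public static Extensions getExtensionsFromCSR(JcaPKCS10CertificationRequest csr) {
        for (Attribute attribute : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            ASN1Set values = attribute.getAttrValues();
            if (values == null || values.size() == 0) {
                continue;
            }
            ASN1Encodable first = values.getObjectAt(0);
            if (first instanceof Extensions) {
                return (Extensions) first;
            }
            if (first instanceof DERSequence) {
                return Extensions.getInstance(first);
            }
        }
        return null;
    }

    /** Utility class; not instantiable. */
    private CertificateUtils() {
    }
}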
