package com.adobe.granite.security.user.internal.servlets;

import com.adobe.granite.auth.cert.UserCertificateMapping;
import com.adobe.granite.auth.cert.UserCertificateMappingException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
import com.adobe.granite.keystore.KeyStoreService;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.jcr.RepositoryException;
import javax.servlet.ServletException;
import org.apache.commons.io.IOUtils;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.commons.json.JSONArray;
import org.apache.sling.commons.json.JSONException;
import org.apache.sling.commons.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

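@SlingServlet(methods = {"GET", "POST"}, paths = {"rep/SystemUser/ks.json.GET.servlet", "rep/User/ks.json.GET.servlet", KeyStoreManagingServlet.TRUSTSTORE_GET, "rep/SystemUser/ks.html.POST.servlet", "rep/User/ks.html.POST.servlet", KeyStoreManagingServlet.TRUSTSTORE_POST})
/**
 * Servlet that lists and manages per-user key stores and the global trust store
 * through {@link KeyStoreService}.
 *
 * <p>{@code GET} renders the aliases of the store resolved from the request path as
 * JSON ({@code {"aliases":[...]}}, or {@code {"exists":false}} when the store has not
 * been created yet). {@code POST} performs the management operations: create a store,
 * change its password, generate a key pair, upload a PKCS#8 private key with its
 * certificate chain, import an entry from an uploaded keystore file, upload a trusted
 * certificate (optionally mapping it to a user) and remove an alias.
 *
 * <p>Every value used here (aliases, passwords, store type, uploaded keystore and
 * certificate bytes, the target user path) comes straight from the request and is
 * handed to the JCA providers and to the backing services. Authorization is not
 * checked in this class; it is presumably enforced by the repository session behind
 * the {@link ResourceResolver} and by the services themselves — TODO confirm.
 */
public class KeyStoreManagingServlet extends SlingAllMethodsServlet {
    private static final String P_OPERATION = ":operation";
    private static final String OP_ADD_KEY_PAIR = "addKeyPair";
    private static final String OP_CREATE_STORE = "createStore";
    private static final String OP_CHANGE_PASSWORD = "changePassword";
    private static final String KEYPAIR_ALGORITHM = "RSA";
    private static final String ALIAS_PARAM_NAME = "alias";
    private static final String KEYSTORE_PARAM_NAME = "keyStore";
    private static final String KEYSTORE_PASS_PARAM_NAME = "keyStorePass";
    private static final String KEYSTORE_TYPE_PARAM_NAME = "keyStoreType";
    private static final String KEY_PASS_PARAM_NAME = "keyPassword";
    private static final String NEW_ALIAS_PARAM_NAME = "newAlias";
    private static final String NEW_PASSWORD_PARAM_NAME = "newPassword";
    private static final String CURRENT_PASSWORD_PARAM_NAME = "currentPassword";
    private static final String CERT_PARAM_NAME = "certificate";
    private static final String MAP_CERTIFICATE_PARAM_NAME = "mapCertificate";
    private static final String USER_PATH_PARAM_NAME = "userPath";
    private static final String SEPARATOR = "#";
    private static final String PK_PARAM_NAME = "pk";
    private static final String CERT_CHAIN_PARAM_NAME = "cert-chain";
    private static final String ALIAS_REMOVE_PARAM_NAME = "removeAlias";
    private static final String SUBJECT_PROP_NAME = "subject";
    /** Prefix of the generated alias under which uploaded trusted certificates are stored. */
    private static final String CERT_ALIAS_STRING = "certAlias___";
    static final String TRUSTSTORE_GET = "/libs/granite/security/truststore.json";
    static final String TRUSTSTORE_POST = "/libs/granite/security/post/truststore";

    private static final Logger LOG = LoggerFactory.getLogger(KeyStoreManagingServlet.class);

    @Reference
    private KeyStoreService keyStoreService = null;

    @Reference
    private CryptoSupport cryptoSupport = null;

    @Reference
    private UserCertificateMapping certMapping = null;

    /** Maps the content type of an uploaded keystore file to a JCA {@link KeyStore} type name. */
    private final Map<String, String> mimeTypeToStoreTypeMap = new HashMap<String, String>();

    /** Which of the two stores an alias operation targets. */
    private enum StoreType {
        KEYSTORE,
        TRUSTSTORE
    }

    public KeyStoreManagingServlet() {
        this.mimeTypeToStoreTypeMap.put("application/x-pkcs12", "pkcs12");
        this.mimeTypeToStoreTypeMap.put("application/x-java-keystore", "jks");
        this.mimeTypeToStoreTypeMap.put("application/pkcs12", "pkcs12");
    }

    /**
     * Lists the aliases of the trust store ({@link #TRUSTSTORE_GET}) or of the key store
     * of the user the request resource adapts to.
     *
     * <p>Response: {@code {"aliases":[...]}} on success, {@code {"exists":false}} when
     * the store has not been initialised, an empty object when the resource is not an
     * {@link Authorizable}, and status 500 without a JSON body when the store or one of
     * its entries cannot be read (writing after {@code sendError} would violate the
     * servlet contract, which treats the response as committed).
     *
     * @throws IOException if the response cannot be written
     */
    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
        ResourceResolver resolver = request.getResourceResolver();
        Resource resource = request.getResource();
        setJSONHeader(response);
        JSONObject result = new JSONObject();
        try {
            boolean trustStore = TRUSTSTORE_GET.equals(resource.getPath());
            Authorizable authorizable = null;
            KeyStore store = null;
            try {
                if (trustStore) {
                    store = this.keyStoreService.getTrustStore(resolver);
                } else {
                    authorizable = resource.adaptTo(Authorizable.class);
                    if (authorizable != null) {
                        store = getKeyStore(resolver, authorizable.getID());
                    }
                }
            } catch (KeyStoreNotInitialisedException e) {
                // Not an error from the client's point of view: the store simply does not exist yet.
                result.put("exists", false);
            }
            if (store != null) {
                String userId = authorizable == null ? null : authorizable.getID();
                result.put("aliases", describeAliases(resolver, store, userId, trustStore));
            }
        } catch (Exception e) {
            // Repository, key store and JSON failures alike: the client only learns that the listing failed.
            LOG.error("Unable to retrieve the truststore's aliases.", e);
            response.sendError(500);
            return;
        }
        response.getWriter().write(result.toString());
    }

    /**
     * Builds the JSON array describing every alias of {@code store}.
     *
     * <p>Private key entries are rendered with {@code entryType=privateKey}, the key's
     * algorithm and format and the certificate chain; trusted certificate entries with
     * {@code entryType=trustedCertificate} and the certificate details. Only the alias
     * is emitted for any other entry kind. No key material is included.
     *
     * @param userId     id of the store owner; unused for the trust store
     * @param trustStore whether {@code store} is the trust store (entries are then read
     *                   directly from it instead of through {@link KeyStoreService})
     */
    private JSONArray describeAliases(ResourceResolver resolver, KeyStore store, String userId, boolean trustStore) throws Exception {
        JSONArray aliases = new JSONArray();
        Enumeration<String> names = store.aliases();
        while (names.hasMoreElements()) {
            String alias = names.nextElement();
            JSONObject entryJson = new JSONObject();
            entryJson.put(ALIAS_PARAM_NAME, alias);
            KeyStore.Entry entry;
            if (trustStore) {
                Certificate cert = store.getCertificate(alias);
                // An alias without a certificate is listed without details rather than failing the whole request.
                entry = cert == null ? null : new KeyStore.TrustedCertificateEntry(cert);
            } else {
                entry = this.keyStoreService.getKeyStoreEntry(resolver, userId, alias);
            }
            if (entry instanceof KeyStore.PrivateKeyEntry) {
                KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
                PrivateKey privateKey = privateKeyEntry.getPrivateKey();
                entryJson.put("entryType", "privateKey");
                entryJson.put("algorithm", privateKey.getAlgorithm());
                entryJson.put("format", privateKey.getFormat());
                JSONArray chain = new JSONArray();
                for (Certificate certificate : privateKeyEntry.getCertificateChain()) {
                    JSONObject certJson = new JSONObject();
                    if (certificate instanceof X509Certificate) {
                        describeCertificate(certJson, (X509Certificate) certificate);
                    }
                    chain.put(certJson);
                }
                entryJson.put("chain", chain);
            } else if (entry instanceof KeyStore.TrustedCertificateEntry) {
                entryJson.put("entryType", "trustedCertificate");
                Certificate certificate = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
                if (certificate instanceof X509Certificate) {
                    describeCertificate(entryJson, (X509Certificate) certificate);
                }
            }
            aliases.put(entryJson);
        }
        return aliases;
    }

    /** Adds subject, issuer, validity period and serial number of {@code cert} to {@code target}. */
    private static void describeCertificate(JSONObject target, X509Certificate cert) throws JSONException {
        target.put(SUBJECT_PROP_NAME, cert.getSubjectX500Principal().toString());
        target.put("issuer", cert.getIssuerX500Principal().toString());
        target.put("notBefore", cert.getNotBefore());
        target.put("notAfter", cert.getNotAfter());
        target.put("serialNumber", cert.getSerialNumber());
    }

    /**
     * Dispatches a management request to the trust store handler
     * ({@link #TRUSTSTORE_POST}) or to the key store handler of the user the request
     * resource adapts to.
     *
     * @throws ServletException wrapping any failure of the underlying operation
     * @throws IOException      if the response cannot be written
     */
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
        try {
            String resourcePath = request.getRequestPathInfo().getResourcePath();
            if (TRUSTSTORE_POST.equals(resourcePath)) {
                handleTrustStorePost(request, response);
            } else {
                handleUserKeyStorePost(request, response);
            }
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    /**
     * Handles {@code POST} to {@link #TRUSTSTORE_POST}: {@code :operation=createStore},
     * {@code :operation=changePassword}, {@code removeAlias}, or otherwise an upload of a
     * certificate and/or a keystore file (see {@link #uploadToTrustStore}).
     *
     * <p>Missing password parameters answer 412 instead of failing with a
     * {@link NullPointerException} inside the helpers.
     */
    private void handleTrustStorePost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws Exception {
        ResourceResolver resolver = request.getResourceResolver();
        String operation = request.getParameter(P_OPERATION);
        String newPassword = request.getParameter(NEW_PASSWORD_PARAM_NAME);
        // NOTE(review): both values are read from "newPassword", so the confirmation check in
        // createTrustStore/changeTrustStorePass can never fail. The intended confirmation
        // parameter is not visible in this class — TODO confirm its name with the form.
        String newPasswordConfirm = request.getParameter(NEW_PASSWORD_PARAM_NAME);
        String currentPassword = request.getParameter(CURRENT_PASSWORD_PARAM_NAME);
        RequestParameter removeAlias = request.getRequestParameter(ALIAS_REMOVE_PARAM_NAME);

        if (OP_CREATE_STORE.equals(operation)) {
            if (newPassword == null) {
                rejectMissingParameter(response, NEW_PASSWORD_PARAM_NAME);
                return;
            }
            createTrustStore(resolver, newPassword, newPasswordConfirm);
        } else if (OP_CHANGE_PASSWORD.equals(operation)) {
            if (currentPassword == null) {
                rejectMissingParameter(response, CURRENT_PASSWORD_PARAM_NAME);
                return;
            }
            if (newPassword == null) {
                rejectMissingParameter(response, NEW_PASSWORD_PARAM_NAME);
                return;
            }
            changeTrustStorePass(resolver, currentPassword, newPassword, newPasswordConfirm);
        } else if (removeAlias != null) {
            removeAlias(StoreType.TRUSTSTORE, resolver, removeAlias.getString(), null);
        } else {
            uploadToTrustStore(request, response);
        }
    }

    /**
     * Processes the upload branch of a trust store {@code POST}: a {@code certificate}
     * file upload and/or a {@code keyStore} file upload (the latter requires
     * {@code keyStorePass} and {@code alias}). When {@code mapCertificate} is present the
     * certificate is mapped to the user at {@code userPath} instead of being stored in
     * the trust store; a path that does not resolve to a user falls back to the trust
     * store. Answers 500 when neither upload is present.
     */
    private void uploadToTrustStore(SlingHttpServletRequest request, SlingHttpServletResponse response) throws Exception {
        ResourceResolver resolver = request.getResourceResolver();
        String userId = null;
        if (request.getParameter(MAP_CERTIFICATE_PARAM_NAME) != null) {
            // NOTE(review): the target user is chosen by the client; any access check on mapping a
            // certificate to that user must happen in UserCertificateMapping — confirm.
            userId = extractUserIdFromPath(resolver, request.getParameter(USER_PATH_PARAM_NAME));
        }
        boolean processed = false;

        RequestParameter certUpload = request.getRequestParameter(CERT_PARAM_NAME);
        if (isFileUpload(certUpload)) {
            uploadCertToTrustStore(response, resolver, userId, certUpload);
            processed = true;
        }

        RequestParameter keyStoreUpload = request.getRequestParameter(KEYSTORE_PARAM_NAME);
        RequestParameter keyStorePass = request.getRequestParameter(KEYSTORE_PASS_PARAM_NAME);
        RequestParameter alias = request.getRequestParameter(ALIAS_PARAM_NAME);
        if (isFileUpload(keyStoreUpload) && keyStorePass != null && alias != null) {
            importKeyFromUpload(resolver, userId, request, keyStoreUpload, keyStorePass.getString(), alias.getString(), false);
            processed = true;
        }

        if (!processed) {
            response.sendError(500, "Cannot process request. Insufficient request parameters.");
        }
    }

    /**
     * Handles {@code POST} on a user resource: {@code :operation=addKeyPair} (generates an
     * RSA key pair under {@code alias}), {@code createStore}, {@code changePassword},
     * {@code removeAlias}, a {@code pk} + {@code cert-chain} upload, or a {@code keyStore}
     * file import. A request matching none of these is silently accepted.
     */
    private void handleUserKeyStorePost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws Exception {
        ResourceResolver resolver = request.getResourceResolver();
        Resource resource = request.getResource();
        User user = resource.adaptTo(User.class);
        if (user == null) {
            LOG.error("Cannot adapt to user from path {}", resource.getPath());
            response.sendError(500, "Cannot adapt to user from path [" + resource.getPath() + "]");
            return;
        }
        String userId = user.getID();
        String operation = request.getParameter(P_OPERATION);
        String newPassword = request.getParameter(NEW_PASSWORD_PARAM_NAME);
        // NOTE(review): same parameter read twice, see handleTrustStorePost — the confirmation never fails.
        String newPasswordConfirm = request.getParameter(NEW_PASSWORD_PARAM_NAME);
        String currentPassword = request.getParameter(CURRENT_PASSWORD_PARAM_NAME);
        RequestParameter alias = request.getRequestParameter(ALIAS_PARAM_NAME);
        RequestParameter removeAlias = request.getRequestParameter(ALIAS_REMOVE_PARAM_NAME);

        if (OP_ADD_KEY_PAIR.equals(operation)) {
            if (alias == null) {
                rejectMissingParameter(response, ALIAS_PARAM_NAME);
                return;
            }
            this.keyStoreService.addKeyStoreKeyPair(resolver, userId, this.cryptoSupport.createKeyPair(KEYPAIR_ALGORITHM), alias.getString());
        } else if (OP_CREATE_STORE.equals(operation)) {
            if (newPassword == null) {
                rejectMissingParameter(response, NEW_PASSWORD_PARAM_NAME);
                return;
            }
            createKeyStore(resolver, userId, newPassword, newPasswordConfirm);
        } else if (OP_CHANGE_PASSWORD.equals(operation)) {
            if (currentPassword == null) {
                rejectMissingParameter(response, CURRENT_PASSWORD_PARAM_NAME);
                return;
            }
            if (newPassword == null) {
                rejectMissingParameter(response, NEW_PASSWORD_PARAM_NAME);
                return;
            }
            changeKeyStorePass(resolver, userId, currentPassword, newPassword, newPasswordConfirm);
        } else if (removeAlias != null) {
            removeAlias(StoreType.KEYSTORE, resolver, removeAlias.getString(), userId);
        } else {
            RequestParameter privateKeyUpload = request.getRequestParameter(PK_PARAM_NAME);
            RequestParameter[] chainUploads = request.getRequestParameters(CERT_CHAIN_PARAM_NAME);
            RequestParameter keyStoreUpload = request.getRequestParameter(KEYSTORE_PARAM_NAME);
            RequestParameter keyStorePass = request.getRequestParameter(KEYSTORE_PASS_PARAM_NAME);
            if (isFileUpload(privateKeyUpload) && chainUploads != null && chainUploads.length > 0) {
                uploadPrivateKeyAndCertChain(response, resolver, alias, privateKeyUpload, chainUploads, userId);
            } else if (isFileUpload(keyStoreUpload) && keyStorePass != null && alias != null) {
                importKeyFromUpload(resolver, userId, request, keyStoreUpload, keyStorePass.getString(), alias.getString(), true);
            }
        }
    }

    /**
     * Reads the optional keystore-import parameters ({@code keyStoreType},
     * {@code keyPassword}, {@code newAlias}) and runs {@link #importKeyFromKeyStore} on
     * the uploaded file, closing the upload stream afterwards.
     */
    private void importKeyFromUpload(ResourceResolver resolver, String userId, SlingHttpServletRequest request, RequestParameter keyStoreUpload, String keyStorePass, String alias, boolean asPrivateKey) throws GeneralSecurityException, IOException, UserCertificateMappingException, KeyStoreNotInitialisedException {
        String keyStoreType = stringOrNull(request.getRequestParameter(KEYSTORE_TYPE_PARAM_NAME));
        String keyPassword = stringOrNull(request.getRequestParameter(KEY_PASS_PARAM_NAME));
        String newAlias = stringOrNull(request.getRequestParameter(NEW_ALIAS_PARAM_NAME));
        try (InputStream in = keyStoreUpload.getInputStream()) {
            importKeyFromKeyStore(resolver, userId, in, keyStoreUpload.getContentType(), keyStorePass, keyStoreType, alias, keyPassword, newAlias, asPrivateKey);
        }
    }

    /** True when {@code parameter} is present and is a file part rather than a plain form field. */
    private static boolean isFileUpload(RequestParameter parameter) {
        return parameter != null && !parameter.isFormField();
    }

    /** The parameter's string value, or {@code null} when the parameter is absent. */
    private static String stringOrNull(RequestParameter parameter) {
        return parameter == null ? null : parameter.getString();
    }

    /** Logs the missing parameter {@code name} and answers 412 (Precondition Failed). */
    private static void rejectMissingParameter(SlingHttpServletResponse response, String name) throws IOException {
        LOG.info("Missing parameter: {}", name);
        response.sendError(412);
    }

    /**
     * Resolves {@code path} to a user id.
     *
     * @return the user id, or {@code null} when the path is absent, does not resolve, does
     *         not adapt to a {@link User}, or the id cannot be read
     */
    private String extractUserIdFromPath(ResourceResolver resolver, String path) {
        if (path == null) {
            return null;
        }
        Resource resource = resolver.getResource(path);
        if (resource == null) {
            return null;
        }
        User user = resource.adaptTo(User.class);
        if (user == null) {
            LOG.warn("Path {} does not resolve to a user", path);
            return null;
        }
        try {
            return user.getID();
        } catch (RepositoryException e) {
            LOG.error("Could not obtain user ID from path: {}", path, e);
            return null;
        }
    }

    /**
     * Changes the trust store password when {@code newPassword} equals its
     * confirmation; a mismatch is a silent no-op (the response stays 200).
     * Both passwords must be non-null.
     */
    private void changeTrustStorePass(ResourceResolver resolver, String currentPassword, String newPassword, String confirmation) throws KeyStoreNotInitialisedException {
        if (newPassword.equals(confirmation)) {
            this.keyStoreService.changeTrustStorePassword(resolver, currentPassword.toCharArray(), newPassword.toCharArray());
        }
    }

    /**
     * Changes the password of {@code userId}'s key store when {@code newPassword} equals
     * its confirmation; a mismatch is a silent no-op. Both passwords must be non-null.
     */
    private void changeKeyStorePass(ResourceResolver resolver, String userId, String currentPassword, String newPassword, String confirmation) throws KeyStoreNotInitialisedException {
        if (newPassword.equals(confirmation)) {
            this.keyStoreService.changeKeyStorePassword(resolver, userId, currentPassword.toCharArray(), newPassword.toCharArray());
        }
    }

    /** Creates the trust store when {@code password} equals its confirmation; otherwise a silent no-op. */
    private void createTrustStore(ResourceResolver resolver, String password, String confirmation) {
        if (password.equals(confirmation)) {
            this.keyStoreService.createTrustStore(resolver, password.toCharArray());
        }
    }

    /** Creates {@code userId}'s key store when {@code password} equals its confirmation; otherwise a silent no-op. */
    private void createKeyStore(ResourceResolver resolver, String userId, String password, String confirmation) {
        if (password.equals(confirmation)) {
            this.keyStoreService.createKeyStore(resolver, userId, password.toCharArray());
        }
    }

    /**
     * Parses the uploaded file as an X.509 certificate and either stores it in the trust
     * store (replacing an existing entry holding the same certificate, under a fresh
     * timestamp-based alias) or, when {@code userId} is given, maps it to that user via
     * {@link UserCertificateMapping}. Failures are logged and answered with 500.
     *
     * <p>The trust store is modified through the {@link KeyStore} object returned by the
     * service; whether and when that is persisted is up to the service.
     *
     * @throws IOException if the upload cannot be read or the response cannot be written
     */
    private void uploadCertToTrustStore(SlingHttpServletResponse response, ResourceResolver resolver, String userId, RequestParameter upload) throws IOException {
        try (InputStream in = upload.getInputStream()) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            if (userId == null || "".equals(userId)) {
                KeyStore trustStore = this.keyStoreService.getTrustStore(resolver);
                // Avoid storing the same certificate twice under different aliases.
                String existingAlias = trustStore.getCertificateAlias(cert);
                if (existingAlias != null) {
                    trustStore.deleteEntry(existingAlias);
                }
                trustStore.setCertificateEntry(CERT_ALIAS_STRING + System.currentTimeMillis(), cert);
            } else {
                this.certMapping.mapCertificate(resolver, userId, cert);
            }
        } catch (KeyStoreNotInitialisedException e) {
            LOG.error("Trust store was not initialised.", e);
            response.sendError(500);
        } catch (CertificateException e) {
            LOG.error("Unable to extract a certificate from the uploaded file.", e);
            response.sendError(500);
        } catch (UserCertificateMappingException e) {
            LOG.error("Unable to add certificate to trustore.", e);
            response.sendError(500);
        } catch (KeyStoreException e) {
            LOG.error(e.getMessage(), e);
            response.sendError(500);
        }
    }

    /** Sets the JSON content type and UTF-8 encoding on the response. */
    private void setJSONHeader(SlingHttpServletResponse response) {
        response.setContentType("application/json");
        response.setCharacterEncoding("utf-8");
    }

    /**
     * Stores an uploaded PKCS#8-encoded RSA private key together with the uploaded
     * X.509 certificate chain under {@code aliasParam} in {@code userId}'s key store.
     *
     * <p>A missing alias answers 412; any parsing or store failure other than an
     * {@link IOException} is logged and answered with 500.
     *
     * @param chainParams one upload per certificate, in chain order
     * @throws IOException if an upload cannot be read or the response cannot be written
     */
    private void uploadPrivateKeyAndCertChain(SlingHttpServletResponse response, ResourceResolver resolver, RequestParameter aliasParam, RequestParameter privateKeyParam, RequestParameter[] chainParams, String userId) throws IOException {
        if (aliasParam == null) {
            rejectMissingParameter(response, ALIAS_PARAM_NAME);
            return;
        }
        try {
            PrivateKey privateKey;
            try (InputStream in = privateKeyParam.getInputStream()) {
                privateKey = KeyFactory.getInstance(KEYPAIR_ALGORITHM).generatePrivate(new PKCS8EncodedKeySpec(IOUtils.toByteArray(in)));
            }
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate[] chain = new X509Certificate[chainParams.length];
            for (int i = 0; i < chainParams.length; i++) {
                try (InputStream in = chainParams[i].getInputStream()) {
                    chain[i] = (X509Certificate) factory.generateCertificate(in);
                }
            }
            this.keyStoreService.addKeyStoreKeyEntry(resolver, userId, aliasParam.getString(), privateKey, chain);
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            response.sendError(500);
        }
    }

    /**
     * Imports the entry {@code alias} from an uploaded keystore.
     *
     * <p>The store type is taken from {@code storeType}, else derived from the upload's
     * content type, else the JCA default; the store is then opened with
     * {@code storePassword} and the entry unlocked with {@code keyPassword} when given.
     * With {@code asPrivateKey} the entry must be a private key entry and is copied into
     * {@code userId}'s key store under {@code newAlias} (defaulting to {@code alias});
     * otherwise its X.509 certificate is added to the trust store or, when
     * {@code userId} is given, mapped to that user.
     *
     * <p>Store type, password, bytes and alias are all client supplied and are parsed by
     * the JCA provider for the requested type.
     *
     * @throws IllegalArgumentException if the alias is absent, is not a private key entry
     *                                  when one is required, or holds no X.509 certificate
     */
    private void importKeyFromKeyStore(ResourceResolver resolver, String userId, InputStream in, String contentType, String storePassword, String storeType, String alias, String keyPassword, String newAlias, boolean asPrivateKey) throws GeneralSecurityException, IOException, UserCertificateMappingException, KeyStoreNotInitialisedException {
        String type = storeType != null ? storeType : this.mimeTypeToStoreTypeMap.get(contentType);
        KeyStore uploaded = KeyStore.getInstance(type != null ? type : KeyStore.getDefaultType());
        uploaded.load(in, storePassword.toCharArray());
        KeyStore.ProtectionParameter protection = (keyPassword == null || "".equals(keyPassword))
                ? null
                : new KeyStore.PasswordProtection(keyPassword.toCharArray());
        KeyStore.Entry entry = uploaded.getEntry(alias, protection);
        if (entry == null) {
            throw new IllegalArgumentException("Key [" + alias + "] not found in keystore");
        }
        boolean isPrivateKeyEntry = entry instanceof KeyStore.PrivateKeyEntry;
        if (asPrivateKey && !isPrivateKeyEntry) {
            throw new IllegalArgumentException("Key [" + alias + "] is not private key entry. ");
        }
        if (asPrivateKey) {
            String targetAlias = (newAlias == null || "".equals(newAlias)) ? alias : newAlias;
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            this.keyStoreService.addKeyStoreKeyEntry(resolver, userId, targetAlias, privateKeyEntry.getPrivateKey(), privateKeyEntry.getCertificateChain());
            return;
        }
        Certificate certificate = null;
        if (isPrivateKeyEntry) {
            certificate = ((KeyStore.PrivateKeyEntry) entry).getCertificate();
        } else if (entry instanceof KeyStore.TrustedCertificateEntry) {
            certificate = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("Only X509 certificate type supported. Certificate corresponding to [" + alias + "] is of type [" + (certificate != null ? certificate.getType() : "(null)") + "].");
        }
        if (userId == null || "".equals(userId)) {
            this.keyStoreService.getTrustStore(resolver).setCertificateEntry(CERT_ALIAS_STRING + System.currentTimeMillis(), certificate);
        } else {
            this.certMapping.mapCertificate(resolver, userId, (X509Certificate) certificate);
        }
    }

    /**
     * Returns {@code userId}'s key store, using the service's accessor for the session's
     * own user when {@code userId} is the resolver's user id.
     */
    private KeyStore getKeyStore(ResourceResolver resolver, String userId) throws KeyStoreNotInitialisedException {
        return Objects.equals(resolver.getUserID(), userId)
                ? this.keyStoreService.getKeyStore(resolver)
                : this.keyStoreService.getKeyStore(resolver, userId);
    }

    /**
     * Deletes {@code alias} from the trust store or from {@code userId}'s key store.
     * An uninitialised store is logged and otherwise ignored (best effort, response
     * stays 200).
     *
     * @throws IOException wrapping a {@link KeyStoreException} from the deletion
     */
    private void removeAlias(StoreType storeType, ResourceResolver resolver, String alias, String userId) throws IOException {
        KeyStore store;
        try {
            store = storeType == StoreType.TRUSTSTORE
                    ? this.keyStoreService.getTrustStore(resolver)
                    : getKeyStore(resolver, userId);
        } catch (KeyStoreNotInitialisedException e) {
            LOG.error("Unable to perform remove alias operation because the store was not initialised.", e);
            return;
        }
        try {
            store.deleteEntry(alias);
        } catch (KeyStoreException e) {
            throw new IOException(e);
        }
    }

    protected void bindKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreService = keyStoreService;
    }

    protected void unbindKeyStoreService(KeyStoreService keyStoreService) {
        if (this.keyStoreService == keyStoreService) {
            this.keyStoreService = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindCertMapping(UserCertificateMapping userCertificateMapping) {
        this.certMapping = userCertificateMapping;
    }

    protected void unbindCertMapping(UserCertificateMapping userCertificateMapping) {
        if (this.certMapping == userCertificateMapping) {
            this.certMapping = null;
        }
    }
}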
