package org.dcache.gridsite;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.ASN1StreamParser;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.openssl.PEMWriter;
import org.dcache.delegation.gridsite2.DelegationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gridsite/BouncyCastleCredentialDelegation.class */
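/**
 * Server-side state of one GridSite credential delegation, implemented with the
 * BouncyCastle ASN.1/PKCS#10 classes.
 *
 * <p>On construction a PKCS#10 certificate-signing request is built for a fresh
 * key pair, with a subject derived from the delegator's own certificate (its
 * subject plus a trailing {@code CN=proxy} RDN). The delegator signs that request
 * with its own credential and hands the resulting proxy certificate back through
 * {@link #acceptCertificate(String)}, which assembles the delegated credential:
 * the generated private key, the new proxy certificate, and the delegator's chain.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The PEM text given to {@link #acceptCertificate(String)} comes from the
 *       remote client and is untrusted. Parse failures are reported as a
 *       {@link DelegationException} (a client error) and never escape as an
 *       unchecked exception.</li>
 *   <li>Before a credential is assembled the supplied certificate is checked to
 *       carry the public key of {@link #_keyPair} and to be issued by the
 *       delegator's certificate; a credential failing either check could never
 *       be used, so it is rejected up front.</li>
 *   <li>This class performs no path validation of the resulting chain; that is
 *       left to whatever later uses the {@link X509Credential}.</li>
 * </ul>
 */
public class BouncyCastleCredentialDelegation implements CredentialDelegation {
    private static final Logger LOG = LoggerFactory.getLogger(BouncyCastleCredentialDelegation.class);

    /** Identity under which this delegation is tracked. */
    private final DelegationIdentity _id;

    /**
     * The delegator's certificate chain as presented to us, first element first.
     * A private snapshot of the collection passed to the constructor.
     */
    private final Collection<X509Certificate> _certificates;

    /** First element of {@link #_certificates}: the certificate the proxy is issued under. */
    private final X509Certificate _first;

    /** PEM-encoded PKCS#10 request for the proxy, built once in the constructor. */
    private final String _pemRequest;

    /** Freshly generated key pair; the accepted proxy certificate must carry its public key. */
    protected final KeyPair _keyPair;

    /**
     * Creates a delegation and builds its certificate-signing request.
     *
     * @param keyPair the key pair generated for the proxy; the private half ends up in
     *        the credential returned by {@link #acceptCertificate(String)}
     * @param delegationIdentity the identity this delegation is tracked under
     * @param collection the delegator's certificate chain; the first element is the
     *        certificate whose subject the proxy DN is derived from. Must not be empty.
     * @throws DelegationException if the chain is empty, the request cannot be built
     *         (bad DN, unsupported signature algorithm, key/algorithm mismatch) or
     *         cannot be PEM-encoded
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public BouncyCastleCredentialDelegation(KeyPair keyPair, DelegationIdentity delegationIdentity,
            Collection<X509Certificate> collection) throws DelegationException {
        // An empty chain would otherwise surface as a NoSuchElementException below.
        if (collection == null || collection.isEmpty()) {
            throw new DelegationException("cannot create certificate-signing request: no delegator certificate");
        }
        _id = delegationIdentity;
        // Snapshot: the chain must not change between request creation and acceptance.
        _certificates = new ArrayList<>(collection);
        _first = _certificates.iterator().next();
        _keyPair = keyPair;
        try {
            _pemRequest = pemEncode(createRequest(_first, keyPair));
        } catch (IOException e) {
            LOG.error("Failed to convert CSR to PEM: {}", e.toString());
            throw new DelegationException("cannot PEM-encode certificate-signing request: " + e.getMessage());
        } catch (GeneralSecurityException e) {
            LOG.error("Failed to create CSR: {}", e.toString());
            throw new DelegationException("cannot create certificate-signing request: " + e.getMessage());
        }
    }

    /**
     * Builds and signs a PKCS#10 request for a proxy of {@code delegator}.
     *
     * <p>The request is signed with the proxy's own private key (proof of possession)
     * and carries no attributes. The signature algorithm name is copied from the
     * delegator's certificate.
     *
     * @param delegator certificate whose subject the proxy subject is derived from
     * @param keyPair the proxy's key pair
     * @return the signed request
     * @throws GeneralSecurityException if the DN cannot be parsed, the signature
     *         algorithm is unavailable, or the key cannot be used with it
     */
    private static PKCS10CertificationRequest createRequest(X509Certificate delegator, KeyPair keyPair)
            throws GeneralSecurityException {
        // NOTE(review): reusing delegator.getSigAlgName() assumes keyPair's algorithm is
        // compatible with it (e.g. an RSA key for "SHA256withRSA"); a mismatch shows up
        // here as an InvalidKeyException rather than later at acceptCertificate.
        return new PKCS10CertificationRequest(delegator.getSigAlgName(),
                buildProxyDN(delegator.getSubjectX500Principal()),
                keyPair.getPublic(), (ASN1Set) null, keyPair.getPrivate());
    }

    /**
     * Derives the proxy subject from the delegator's subject: the same RDN sequence
     * with one extra {@code CN=proxy} RDN appended (the RFC 3820 proxy naming rule;
     * the constant value {@code proxy} is the GridSite convention).
     *
     * @param principal the delegator's subject
     * @return the proxy subject as a BouncyCastle {@link X509Name}
     * @throws GeneralSecurityException if the encoded principal is not a DER sequence
     */
    private static X509Name buildProxyDN(X500Principal principal) throws GeneralSecurityException {
        try {
            // ASN1Sequence.getInstance rejects anything that is not a SEQUENCE with an
            // IllegalArgumentException, which is folded into the failure below.
            ASN1Sequence subject = ASN1Sequence.getInstance(
                    new ASN1StreamParser(principal.getEncoded()).readObject().getDERObject());
            ArrayList<ASN1Encodable> rdns = new ArrayList<>(subject.size() + 1);
            for (Enumeration<?> rdnEnum = subject.getObjects(); rdnEnum.hasMoreElements();) {
                rdns.add((ASN1Encodable) rdnEnum.nextElement());
            }
            rdns.add(new DERSet(new DERSequence(
                    new ASN1Object[]{X509Name.CN, new DERPrintableString("proxy")})));
            return new X509Name(new DERSequence(rdns.toArray(new ASN1Encodable[0])));
        } catch (IOException | IllegalArgumentException e) {
            throw new GeneralSecurityException("failed to parse DN: " + e.getMessage());
        }
    }

    /**
     * Parses one DER-encoded certificate from {@code in} into a BouncyCastle
     * {@link X509CertificateObject}. Closes {@code in}.
     *
     * @throws IOException if the DER structure cannot be read
     * @throws GeneralSecurityException if the structure is not a valid certificate
     */
    private static X509Certificate loadCertificate(InputStream in) throws IOException, GeneralSecurityException {
        try (ASN1InputStream asn1 = new ASN1InputStream(in)) {
            return new X509CertificateObject(
                    new X509CertificateStructure(ASN1Sequence.getInstance(asn1.readObject())));
        }
    }

    /**
     * PEM-encodes a BouncyCastle object (here the PKCS#10 request).
     *
     * @throws IOException if the object cannot be encoded
     */
    private static String pemEncode(Object obj) throws IOException {
        StringWriter out = new StringWriter();
        // PEMWriter buffers; it must be closed before the StringWriter is read.
        try (PEMWriter writer = new PEMWriter(out)) {
            writer.writeObject(obj);
        }
        return out.toString();
    }

    /** @return the PEM-encoded PKCS#10 request the delegator has to sign */
    @Override // org.dcache.gridsite.CredentialDelegation
    public String getCertificateSigningRequest() {
        return _pemRequest;
    }

    /** @return the identity this delegation is tracked under */
    @Override // org.dcache.gridsite.CredentialDelegation
    public DelegationIdentity getId() {
        return _id;
    }

    /**
     * Completes the delegation with the proxy certificate the delegator signed.
     *
     * <p>The resulting credential holds the private key of {@link #_keyPair} and the
     * chain {@code [proxy, _certificates...]}, i.e. the new proxy followed by the
     * delegator's chain exactly as it was presented.
     *
     * @param pem the signed proxy certificate, PEM (or DER) encoded; untrusted input
     *        from the remote client. Only the first certificate in it is read.
     * @return the delegated credential
     * @throws DelegationException if the certificate cannot be parsed, does not carry
     *         the public key of the request, is not issued by the delegator's
     *         certificate, or the credential cannot be assembled
     */
    @Override // org.dcache.gridsite.CredentialDelegation
    public X509Credential acceptCertificate(String pem) throws DelegationException {
        X509Certificate proxy;
        try {
            proxy = asBcCertificate(pemDecodeCertificate(pem));
        } catch (CertificateException e) {
            // Client-supplied data that does not parse: a client error, logged quietly.
            LOG.debug("Bad certificate: {}", e.getMessage());
            throw new DelegationException("Supplied certificate is unacceptable: " + e.getMessage());
        }
        checkIsAnswerToRequest(proxy);

        X509Certificate[] chain = new X509Certificate[_certificates.size() + 1];
        chain[0] = proxy;
        int next = 1;
        try {
            for (X509Certificate cert : _certificates) {
                chain[next++] = asBcCertificate(cert);
            }
        } catch (CertificateException e) {
            // Our own copy of the delegator's chain failed to re-encode: a server-side problem.
            LOG.error("Failed to convert delegator certificate chain: {}", e.getMessage());
            throw new DelegationException("Unable to create delegated credential: " + e.getMessage());
        }

        try {
            return new KeyAndCertCredential(_keyPair.getPrivate(), chain);
        } catch (KeyStoreException e) {
            LOG.error("Failed to create delegated credential: {}", e.getMessage());
            throw new DelegationException("Unable to create delegated credential: " + e.getMessage());
        }
    }

    /**
     * Rejects a certificate that cannot be the answer to this delegation's request.
     *
     * <p>It must carry the public key we generated (otherwise the private key placed in
     * the credential would not match the certificate) and must be issued by the
     * delegator's certificate, which {@link #acceptCertificate(String)} puts directly
     * behind it in the chain (otherwise that chain could never validate). Public keys
     * are compared by their encoded form, since {@code equals} on key objects from
     * different providers is not reliable.
     *
     * @throws DelegationException on either mismatch
     */
    private void checkIsAnswerToRequest(X509Certificate proxy) throws DelegationException {
        byte[] expected = _keyPair.getPublic().getEncoded();
        byte[] actual = proxy.getPublicKey() == null ? null : proxy.getPublicKey().getEncoded();
        if (expected == null || !Arrays.equals(expected, actual)) {
            LOG.debug("Supplied certificate does not carry the requested public key");
            throw new DelegationException(
                    "Supplied certificate is unacceptable: public key does not match the certificate-signing request");
        }
        // X500Principal.equals compares canonical forms, so encoding differences do not matter.
        if (!_first.getSubjectX500Principal().equals(proxy.getIssuerX500Principal())) {
            LOG.debug("Supplied certificate issuer {} is not the delegator {}",
                    proxy.getIssuerX500Principal(), _first.getSubjectX500Principal());
            throw new DelegationException(
                    "Supplied certificate is unacceptable: not issued by the delegator's certificate");
        }
    }

    /**
     * Returns {@code cert} as a BouncyCastle certificate object, re-parsing its DER
     * encoding if it came from another provider.
     *
     * @throws CertificateException if the certificate cannot be re-encoded or re-parsed;
     *         the cause is preserved
     */
    private static X509Certificate asBcCertificate(X509Certificate cert) throws CertificateException {
        if (cert instanceof X509CertificateObject) {
            return cert;
        }
        try (ByteArrayInputStream in = new ByteArrayInputStream(cert.getEncoded())) {
            return loadCertificate(in);
        } catch (IOException | GeneralSecurityException e) {
            throw new CertificateException("failed to convert certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Decodes the first certificate from a PEM (or DER) string using the JRE's X.509
     * factory.
     *
     * <p>Only the absence of the X.509 factory is treated as a platform error; a
     * certificate that does not parse is reported as a {@link CertificateException}
     * so that the caller can reject the client's input instead of failing with an
     * unchecked exception.
     *
     * @param pem untrusted text from the client
     * @throws CertificateException if the text is empty or holds no parseable certificate
     */
    private static X509Certificate pemDecodeCertificate(String pem) throws CertificateException {
        if (pem == null || pem.trim().isEmpty()) {
            throw new CertificateException("no certificate supplied");
        }
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // Every JRE ships an X.509 factory; its absence is not a client error.
            throw new RuntimeException("Failed to find CertificateFactory for X.509: " + e.getMessage(), e);
        }
        byte[] bytes = pem.getBytes(StandardCharsets.UTF_8);
        // Anything after the first certificate in the input is ignored.
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(bytes));
    }
}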
