package cz.cesnet.cloud.occi.api.http.auth;

import cz.cesnet.cloud.occi.api.exception.AuthenticationException;
import cz.cesnet.cloud.occi.api.exception.CommunicationException;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLContexts;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PasswordFinder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jocci-api-0.2.6.jar:cz/cesnet/cloud/occi/api/http/auth/CertificateAuthentication.class */
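/**
 * HTTP authentication backed by a client certificate (mutual TLS).
 *
 * <p>The user's credential is read from the file named by {@link #setCertificate(String)}:
 * a PKCS#12 bundle when the path ends with {@code .p12}, otherwise a PEM file holding one or
 * more {@code CERTIFICATE} blocks followed by a {@code PRIVATE KEY} block. The configured
 * password unlocks the bundle or the (possibly encrypted) PEM key and is reused as the
 * password of the in-memory key store handed to the TLS stack. Trust material comes from
 * {@code loadCAs()} in the superclass, which is not visible here.
 *
 * <p>Secrets are never written to the log; only certificate subject names are logged at
 * debug level. The password is held as an immutable {@link String} (part of the existing
 * public contract), so it cannot be wiped from memory after use.
 */
public abstract class CertificateAuthentication extends HTTPAuthentication {
    private static final Logger LOGGER = LoggerFactory.getLogger(CertificateAuthentication.class);
    private static final String CERT_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String CERT_END = "-----END CERTIFICATE-----";
    // Named groups of KEY_BEGIN / KEY_END; the code below addresses group 1 (= "whole") by index.
    private static final String GROUP_WHOLE = "whole";
    private static final String GROUP_TYPE = "type";
    /** Opening line of a PEM private key block, with or without an algorithm qualifier. */
    private static final Pattern KEY_BEGIN =
            Pattern.compile("(?<whole>-----BEGIN (?<type>RSA |DSA |EC |DH )*PRIVATE KEY-----)");
    /** Closing line of a PEM private key block. */
    private static final Pattern KEY_END =
            Pattern.compile("(?<whole>-----END (?<type>RSA |DSA |EC |DH )*PRIVATE KEY-----)");
    /** Alias of the user's key entry in the in-memory key store built from a PEM file. */
    private static final String KEY_ALIAS = "private_key";
    /** Filesystem path of the user's certificate (PKCS#12 bundle or PEM file). */
    private String certificate;
    /** Password unlocking the certificate file; also used as the in-memory key store password. */
    private String password;

    /**
     * Returns the path of the user's certificate file, or {@code null} if none was set.
     *
     * @return certificate path
     */
    public String getCertificate() {
        return this.certificate;
    }

    /**
     * Sets the path of the user's certificate file.
     *
     * @param str path to a PKCS#12 bundle ({@code .p12}) or a PEM file
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalArgumentException if {@code str} is empty
     */
    public void setCertificate(String str) {
        if (str == null) {
            throw new NullPointerException("certificate cannot be null");
        }
        if (str.isEmpty()) {
            throw new IllegalArgumentException("certificate cannot be empty");
        }
        this.certificate = str;
    }

    /**
     * Returns the password protecting the certificate file, or {@code null} if none was set.
     *
     * @return password
     */
    public String getPassword() {
        return this.password;
    }

    /**
     * Sets the password protecting the certificate file. An empty password is accepted.
     *
     * @param str password
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void setPassword(String str) {
        if (str == null) {
            throw new NullPointerException("password cannot be null");
        }
        this.password = str;
    }

    /**
     * Builds an {@link SSLContext} that trusts the CAs from {@code loadCAs()} and presents the
     * user's certificate and private key.
     *
     * @return configured SSL context
     * @throws AuthenticationException if the credential cannot be read or the context cannot be built
     * @throws NullPointerException if the certificate path or password has not been set
     */
    @Override // cz.cesnet.cloud.occi.api.http.auth.HTTPAuthentication
    protected SSLContext createSSLContext() throws AuthenticationException {
        // Both values are dereferenced below; fail early with a message instead of a bare NPE
        // from inside the builder chain.
        Objects.requireNonNull(this.certificate, "certificate has not been set");
        Objects.requireNonNull(this.password, "password has not been set");
        // BouncyCastle is needed to parse PEM material. Registering it again would be ignored,
        // so only add it when it is absent.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        try {
            // Trust material is loaded before the user credential, as in the original call order.
            return SSLContexts.custom()
                    .loadTrustMaterial(loadCAs())
                    .loadKeyMaterial(loadUserKeyStore(), this.password.toCharArray())
                    .build();
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new AuthenticationException(e);
        }
    }

    /**
     * Chooses the loader by file extension. The check is case-sensitive ({@code .P12} is
     * treated as PEM), matching the original behaviour.
     */
    private KeyStore loadUserKeyStore() throws AuthenticationException {
        return this.certificate.endsWith(".p12") ? loadUserCertificateFromPK12() : loadUserCertificateFromPEM();
    }

    /**
     * Loads the user credential from a PKCS#12 bundle, using the configured password for
     * both decryption and integrity verification.
     *
     * @return key store containing the user's key and certificate chain
     * @throws AuthenticationException if the file cannot be read or decoded
     */
    private KeyStore loadUserCertificateFromPK12() throws AuthenticationException {
        // try-with-resources: the original never closed the stream.
        try (InputStream in = new FileInputStream(new File(this.certificate))) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(in, this.password.toCharArray());
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new AuthenticationException(e);
        }
    }

    /**
     * Loads the user credential from a PEM file: every {@code CERTIFICATE} block becomes a
     * certificate entry (aliased by subject DN) and the {@code PRIVATE KEY} block becomes the
     * key entry {@value #KEY_ALIAS}, with the certificates as its chain.
     *
     * @return in-memory key store of the JVM default type
     * @throws AuthenticationException if the file cannot be read, contains no certificate,
     *     contains no decodable private key, or the key store cannot be populated
     */
    private KeyStore loadUserCertificateFromPEM() throws AuthenticationException {
        try {
            // PEM is ASCII; decode explicitly rather than with the platform default charset.
            String pem = new String(Files.readAllBytes(Paths.get(this.certificate)), StandardCharsets.UTF_8);
            List<X509Certificate> chain = readCertificateChain(pem);
            if (chain.isEmpty()) {
                // setKeyEntry rejects a private key without a chain with an unchecked exception.
                throw new AuthenticationException("cannot load user certificate");
            }
            PrivateKey privateKey = readPrivateKey(pem);
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            for (X509Certificate cert : chain) {
                String alias = cert.getSubjectX500Principal().getName();
                keyStore.setCertificateEntry(alias, cert);
                LOGGER.debug("adding certificate: {}", alias);
            }
            keyStore.setKeyEntry(KEY_ALIAS, privateKey, this.password.toCharArray(), chain.toArray(new Certificate[0]));
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new AuthenticationException(e);
        }
    }

    /**
     * Extracts every {@code -----BEGIN CERTIFICATE-----} … {@code -----END CERTIFICATE-----}
     * block from {@code pem}, in file order.
     *
     * @throws AuthenticationException if a block is unterminated or does not decode to an X.509 certificate
     */
    private List<X509Certificate> readCertificateChain(String pem) throws IOException, AuthenticationException {
        List<X509Certificate> chain = new ArrayList<>();
        for (int begin = pem.indexOf(CERT_BEGIN, 0); begin != -1; begin = pem.indexOf(CERT_BEGIN, begin + 1)) {
            int end = pem.indexOf(CERT_END, begin);
            if (end == -1) {
                // An opening marker without a closing one used to fall into substring() with
                // a negative index and surface as StringIndexOutOfBoundsException.
                throw new AuthenticationException("cannot load user certificate");
            }
            Object parsed = readPemObject(pem.substring(begin, end + CERT_END.length()));
            if (!(parsed instanceof X509Certificate)) {
                // Covers both a null result and a block that decodes to something else.
                throw new AuthenticationException("cannot load user certificate");
            }
            chain.add((X509Certificate) parsed);
        }
        return chain;
    }

    /**
     * Locates the PEM private key block in {@code pem} and decodes it. BouncyCastle returns
     * either a {@link PrivateKey} or a {@link KeyPair} depending on the block type.
     *
     * @throws AuthenticationException if no key block is found or it does not decode to a private key
     */
    private PrivateKey readPrivateKey(String pem) throws IOException, AuthenticationException {
        Matcher begin = KEY_BEGIN.matcher(pem);
        if (!begin.find()) {
            throw new AuthenticationException("cannot read certificate key");
        }
        int start = begin.start(1); // group 1 is the "whole" marker line
        Matcher end = KEY_END.matcher(pem);
        if (!end.find(start)) {
            throw new AuthenticationException("cannot read certificate key");
        }
        Object parsed = readPemObject(pem.substring(start, end.end(1)).trim());
        if (parsed instanceof KeyPair) {
            return ((KeyPair) parsed).getPrivate();
        }
        if (parsed instanceof PrivateKey) {
            return (PrivateKey) parsed;
        }
        throw new AuthenticationException("cannot load private key");
    }

    /**
     * Parses one PEM block with BouncyCastle, supplying the configured password if the block
     * turns out to be encrypted.
     *
     * @return decoded object, or {@code null} if the reader produced nothing
     */
    private Object readPemObject(String block) throws IOException {
        try (PEMReader reader = new PEMReader(new StringReader(block), passwordFinder())) {
            return reader.readObject();
        }
    }

    /** Hands the configured password to BouncyCastle; {@code null} when no password was set. */
    private PasswordFinder passwordFinder() {
        return new PasswordFinder() {
            @Override // org.bouncycastle.openssl.PasswordFinder
            public char[] getPassword() {
                String pw = CertificateAuthentication.this.password;
                return pw == null ? null : pw.toCharArray();
            }
        };
    }

    /**
     * Performs the authentication handshake; this class adds nothing beyond the superclass
     * behaviour and the SSL context built by {@link #createSSLContext()}.
     *
     * @throws CommunicationException as thrown by the superclass
     */
    @Override // cz.cesnet.cloud.occi.api.http.auth.HTTPAuthentication, cz.cesnet.cloud.occi.api.Authentication
    public void authenticate() throws CommunicationException {
        super.authenticate();
    }
}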
