package org.apache.airavata.gfac.bes.security;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import eu.emi.security.authn.x509.helpers.proxy.X509v3CertificateBuilder;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.DirectoryCertChainValidator;
import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Random;
import javax.security.auth.x500.X500Principal;
import org.apache.airavata.common.exception.ApplicationSettingsException;
import org.apache.airavata.common.utils.ServerSettings;
import org.apache.airavata.credential.store.credential.impl.certificate.CertificateCredential;
import org.apache.airavata.credential.store.store.CredentialReader;
import org.apache.airavata.gfac.AbstractSecurityContext;
import org.apache.airavata.gfac.GFacException;
import org.apache.airavata.gfac.RequestData;
import org.apache.airavata.gfac.bes.utils.MyProxyLogon;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/airavata/gfac/bes/security/X509SecurityContext.class */
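/**
 * Security context that supplies an X.509 credential for BES job submission.
 *
 * <p>The credential is resolved in this order: from the credential store (when a
 * {@link CredentialReader} is configured and holds a {@link CertificateCredential} for the
 * request's gateway/token pair), otherwise from a MyProxy server using the user name and
 * password carried in the {@link RequestData}. A credential obtained once is cached in the
 * instance and replaced by a fresh MyProxy credential once its certificate is no longer valid.
 *
 * <p>The trusted-CA directory used to validate the MyProxy server is taken from the
 * {@code trusted.cert.location} server setting when the class is loaded and published through
 * the {@code X509_CERT_DIR} system property.
 *
 * <p>Not thread-safe: the cached credential is a plain instance field.
 */
public class X509SecurityContext extends AbstractSecurityContext {
    private static final long serialVersionUID = 1;
    protected static final Logger log = LoggerFactory.getLogger(X509SecurityContext.class);
    public static final String X509_SECURITY_CONTEXT = "x509.security.context";
    /**
     * Remaining lifetime below which a cached credential is reported as due for renewal.
     * Read as seconds (15 minutes); it is compared against a millisecond difference after scaling.
     */
    public static final int CREDENTIAL_RENEWING_THRESH_HOLD = 900;
    /** Validator built from the trusted-CA directory; stays {@code null} if class initialisation failed. */
    protected static DirectoryCertChainValidator dcValidator;

    /** System property through which the trusted-CA directory is published to the rest of the JVM. */
    private static final String CERT_DIR_PROPERTY = "X509_CERT_DIR";
    /** Server setting naming the trusted-CA directory. */
    private static final String TRUSTED_CERT_LOCATION_SETTING = "trusted.cert.location";
    /** Short-lived certificates are back-dated by this much to tolerate clock skew (15 minutes). */
    private static final long SHORT_LIVED_BACKDATE_MILLIS = 900000L;
    /** Validity window of a short-lived certificate, counted from the back-dated start (30 hours). */
    private static final long SHORT_LIVED_LIFETIME_MILLIS = 108000000L;
    /**
     * RSA modulus size of the key generated for a short-lived certificate.
     * NOTE(review): 1024-bit RSA is below current guidance; kept for compatibility with the issuing CA — TODO confirm 2048 is acceptable to the relying services.
     */
    private static final int SHORT_LIVED_KEY_SIZE_BITS = 1024;
    /** Entropy of the random serial number; 64 bits keeps collisions between issued certificates negligible. */
    private static final int SERIAL_NUMBER_BITS = 64;
    /**
     * Signature algorithm name handed to the certificate builder.
     * NOTE(review): SHA-1 signatures are deprecated; the algorithm identifier is taken from the CA certificate, so change both together — TODO confirm the CA chain supports SHA-256.
     */
    private static final String SHORT_LIVED_SIGNATURE_ALGORITHM = "SHA1withRSA";

    private X509Credential x509Credentials;

    /**
     * Publishes the trusted-CA directory through the {@code X509_CERT_DIR} system property.
     *
     * @param str path of a readable directory holding the trusted CA certificates
     * @throws IllegalArgumentException if {@code str} is {@code null}, or does not exist or cannot be read
     */
    public static void setUpTrustedCertificatePath(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Trusted certificate path is not configured");
        }
        File trustedDir = new File(str);
        if (!trustedDir.exists() || !trustedDir.canRead()) {
            // The working directory is logged so a relative path can be diagnosed from the log alone.
            log.info("Current directory " + new File(".").getAbsolutePath());
            throw new IllegalArgumentException("Cannot read trusted certificate path " + str);
        }
        System.setProperty(CERT_DIR_PROPERTY, trustedDir.getAbsolutePath());
    }

    /**
     * Publishes the trusted-CA directory named by the {@code trusted.cert.location} server setting.
     *
     * @throws ApplicationSettingsException if the setting cannot be read
     */
    private static void setUpTrustedCertificatePath() throws ApplicationSettingsException {
        setUpTrustedCertificatePath(ServerSettings.getSetting(TRUSTED_CERT_LOCATION_SETTING));
    }

    /**
     * Returns the trusted-CA directory previously published with {@link #setUpTrustedCertificatePath(String)}.
     *
     * @return the absolute directory path, or {@code null} if it has not been set up
     */
    public static String getTrustedCertificatePath() {
        return System.getProperty(CERT_DIR_PROPERTY);
    }

    /**
     * Creates a context with no cached credential.
     *
     * @param credentialReader reader for the credential store, or {@code null} to use MyProxy only
     * @param requestData per-request parameters (gateway, token, MyProxy settings)
     */
    public X509SecurityContext(CredentialReader credentialReader, RequestData requestData) {
        super(credentialReader, requestData);
        this.x509Credentials = null;
    }

    /**
     * Returns the credential for this context, resolving and caching it on first use.
     *
     * <p>Without a credential reader every call goes to MyProxy and nothing is cached. Otherwise the
     * credential store is tried first and MyProxy second; a cached credential whose certificate has
     * expired is replaced by a fresh MyProxy credential. Renewal of a credential that is about to
     * expire is not supported; a warning is logged instead.
     *
     * @return a non-{@code null} credential
     * @throws GFacException if no credential can be obtained, or the cached certificate cannot be inspected
     * @throws ApplicationSettingsException if a required server setting is missing
     */
    public X509Credential getX509Credentials() throws GFacException, ApplicationSettingsException {
        if (getCredentialReader() == null) {
            // No credential store configured: MyProxy is the only source.
            return getDefaultCredentials();
        }
        if (this.x509Credentials == null) {
            try {
                this.x509Credentials = getCredentialsFromStore();
            } catch (Exception e) {
                log.error("An exception occurred while retrieving credentials from the credential store. Will continue with my proxy user name and password.", e);
            }
            if (this.x509Credentials == null) {
                this.x509Credentials = getDefaultCredentials();
            }
            if (this.x509Credentials == null) {
                throw new GFacException("Unable to retrieve my proxy credentials to continue operation.");
            }
            return this.x509Credentials;
        }
        try {
            X509Certificate certificate = this.x509Credentials.getCertificate();
            long remainingMillis = certificate.getNotAfter().getTime() - System.currentTimeMillis();
            if (remainingMillis < CREDENTIAL_RENEWING_THRESH_HOLD * 1000L) {
                log.warn("Do not support credentials renewal");
            }
            try {
                certificate.checkValidity();
            } catch (CertificateException expiredOrNotYetValid) {
                // Only an invalid certificate triggers replacement; a soon-to-expire one is still used.
                log.info("Fall back to get new default credentials");
                this.x509Credentials = getDefaultCredentials();
            }
        } catch (Exception e) {
            throw new GFacException("Unable to retrieve remaining life time from credentials.", e);
        }
        return this.x509Credentials;
    }

    /**
     * Loads the credential stored for the request's gateway and token.
     *
     * @return the stored credential, or {@code null} if there is no reader, no entry, or the entry is not a certificate credential
     * @throws Exception if the store lookup or credential construction fails
     */
    public X509Credential getCredentialsFromStore() throws Exception {
        if (getCredentialReader() == null) {
            return null;
        }
        RequestData request = getRequestData();
        String gatewayId = request.getGatewayId();
        String tokenId = request.getTokenId();
        CertificateCredential credential = getCredentialReader().getCredential(gatewayId, tokenId);
        if (credential == null) {
            log.info("Could not find credentials for token - " + tokenId + " and gateway id - " + gatewayId);
            return null;
        }
        if (!(credential instanceof CertificateCredential)) {
            log.info("Credential type is not CertificateCredential. Cannot create mapping globus credentials. Credential type - " + credential.getClass().getName());
            return null;
        }
        log.info("Successfully found credentials for token id - " + tokenId + " gateway id - " + gatewayId);
        return new KeyAndCertCredential(credential.getPrivateKey(), credential.getCertificates());
    }

    /**
     * Obtains a credential from the MyProxy server named in the request data.
     *
     * @return the credential issued by MyProxy
     * @throws GFacException if the trusted-CA validator is unavailable or the MyProxy exchange fails
     * @throws ApplicationSettingsException if a required server setting is missing
     */
    public X509Credential getDefaultCredentials() throws GFacException, ApplicationSettingsException {
        if (dcValidator == null) {
            // Fail closed: without the trust store the MyProxy server certificate cannot be validated.
            throw new GFacException("Trusted certificate validator is not available; check the trusted.cert.location setting.");
        }
        RequestData request = getRequestData();
        MyProxyLogon myProxyLogon = new MyProxyLogon();
        myProxyLogon.setValidator(dcValidator);
        myProxyLogon.setHost(request.getMyProxyServerUrl());
        myProxyLogon.setPort(request.getMyProxyPort());
        myProxyLogon.setUsername(request.getMyProxyUserName());
        myProxyLogon.setPassphrase(request.getMyProxyPassword().toCharArray());
        myProxyLogon.setLifetime(request.getMyProxyLifeTime());
        try {
            myProxyLogon.connect();
            myProxyLogon.logon();
            myProxyLogon.getCredentials();
            myProxyLogon.disconnect();
            return new KeyAndCertCredential(myProxyLogon.getPrivateKey(), new X509Certificate[]{myProxyLogon.getCertificate()});
        } catch (Exception e) {
            throw new GFacException("An error occurred while retrieving default security credentials.", e);
        }
    }

    /**
     * Builds a chain validator over the {@code *.0} and {@code *.pem} files of the trusted-CA directory.
     *
     * @return the validator
     * @throws IllegalStateException if the trusted-CA directory has not been set up
     * @throws Exception if the validator cannot be created
     */
    private static DirectoryCertChainValidator getTrustedCerts() throws Exception {
        String trustedCertificatePath = getTrustedCertificatePath();
        if (trustedCertificatePath == null) {
            throw new IllegalStateException("Trusted certificate path has not been set up");
        }
        List<String> locations = new ArrayList<String>();
        locations.add(trustedCertificatePath + "/*.0");
        locations.add(trustedCertificatePath + "/*.pem");
        // -1 disables the validator's CRL/update timeout; 60000 ms is the directory refresh interval.
        return new DirectoryCertChainValidator(locations, CertificateUtils.Encoding.PEM, -1L, 60000, (String) null);
    }

    /**
     * Extracts the first CN attribute of a distinguished name.
     *
     * @param str the DN in string form
     * @return the first CN value
     * @throws IllegalArgumentException if the DN carries no CN attribute
     */
    private String getCNFromUserDN(String str) {
        String[] commonNames = X500NameUtils.getAttributeValues(str, BCStyle.CN);
        if (commonNames == null || commonNames.length == 0) {
            throw new IllegalArgumentException("DN has no CN attribute: " + str);
        }
        return commonNames[0];
    }

    /**
     * Issues a short-lived end-entity certificate for {@code userDN}, signed by the given CA.
     *
     * <p>The certificate is back-dated by 15 minutes and valid for 30 hours from that point. The
     * generated certificate is checked for validity and verified against the CA public key
     * before being returned together with the CA certificate as its chain.
     *
     * @param userDN subject distinguished name of the new certificate
     * @param caCertPath path of the PEM-encoded CA certificate
     * @param caKeyPath path of the PEM-encoded CA private key
     * @param caKeyPassphrase passphrase protecting the CA private key
     * @return the new private key plus the chain {@code [issued, CA]}
     * @throws InvalidKeyException if the generated public key cannot be re-parsed for inclusion
     * @throws Exception if the CA material cannot be loaded or signing/verification fails
     */
    public KeyAndCertCredential generateShortLivedCredential(String userDN, String caCertPath, String caKeyPath, String caKeyPassphrase) throws Exception {
        long notBefore = System.currentTimeMillis() - SHORT_LIVED_BACKDATE_MILLIS;
        long notAfter = notBefore + SHORT_LIVED_LIFETIME_MILLIS;
        KeyAndCertCredential caCredential = getCACredential(caCertPath, caKeyPath, caKeyPassphrase);
        X509Certificate caCertificate = caCredential.getCertificate();

        // Same algorithm family as the CA key so the issued certificate can be signed with it.
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(caCredential.getKey().getAlgorithm());
        keyPairGenerator.initialize(SHORT_LIVED_KEY_SIZE_BITS);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();

        // Serial numbers must be unpredictable and collision-free; java.util.Random is neither.
        BigInteger serialNumber = new BigInteger(SERIAL_NUMBER_BITS, new SecureRandom());

        SubjectPublicKeyInfo subjectPublicKeyInfo;
        try (ASN1InputStream asn1In = new ASN1InputStream(keyPair.getPublic().getEncoded())) {
            subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(asn1In.readObject());
        } catch (IOException e) {
            throw new InvalidKeyException("Can not parse the public key being included in the short lived certificate", e);
        }

        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                CertificateHelpers.toX500Name(caCertificate.getSubjectX500Principal()),
                serialNumber,
                new Date(notBefore),
                new Date(notAfter),
                CertificateHelpers.toX500Name(new X500Principal(userDN)),
                subjectPublicKeyInfo);
        X509Certificate issued = builder.build(caCredential.getKey(),
                X509v3CertificateBuilder.extractAlgorithmId(caCertificate),
                SHORT_LIVED_SIGNATURE_ALGORITHM, (String) null, (SecureRandom) null);
        issued.checkValidity(new Date());
        issued.verify(caCertificate.getPublicKey());
        return new KeyAndCertCredential(keyPair.getPrivate(), new X509Certificate[]{issued, caCertificate});
    }

    /**
     * Loads a CA certificate and its private key from PEM files.
     *
     * @param caCertPath path of the PEM-encoded CA certificate
     * @param caKeyPath path of the PEM-encoded CA private key
     * @param caKeyPassphrase passphrase protecting the CA private key
     * @return the CA credential
     * @throws Exception if either file cannot be opened or parsed
     */
    private KeyAndCertCredential getCACredential(String caCertPath, String caKeyPath, String caKeyPassphrase) throws Exception {
        char[] passphrase = caKeyPassphrase.toCharArray();
        try (FileInputStream keyIn = new FileInputStream(caKeyPath);
             FileInputStream certIn = new FileInputStream(caCertPath)) {
            PrivateKey caKey = CertificateUtils.loadPrivateKey(keyIn, CertificateUtils.Encoding.PEM, passphrase);
            X509Certificate caCertificate = CertificateUtils.loadCertificate(certIn, CertificateUtils.Encoding.PEM);
            return new KeyAndCertCredential(caKey, new X509Certificate[]{caCertificate});
        } finally {
            // Do not leave the passphrase lying around in the heap longer than needed.
            Arrays.fill(passphrase, '\0');
        }
    }

    static {
        // Best effort: a failure is logged and dcValidator stays null, which getDefaultCredentials rejects.
        try {
            setUpTrustedCertificatePath();
            dcValidator = getTrustedCerts();
        } catch (Exception e) {
            log.error(e.getLocalizedMessage(), e);
        }
    }
}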
