package org.apache.cxf.xkms.x509.repo.ldap;

import java.io.ByteArrayInputStream;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.xkms.handlers.Applications;
import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
import org.apache.cxf.xkms.x509.repo.CertificateRepo;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;

/* loaded from: input_file:WEB-INF/lib/cxf-services-xkms-x509-handlers-2.7.19-MULE-002.jar:org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.class */
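/**
 * {@link CertificateRepo} backed by an LDAP directory.
 *
 * <p>Certificates and CRLs are stored as binary attributes on entries below {@code rootDN};
 * which attribute and object class names are used comes from {@link LdapSchemaConfig}.
 * Lookups are performed either by DN (the subject DN or a templated service RDN appended to
 * the root DN) or by an LDAP search filter on the UID / issuer / serial attributes.
 *
 * <p>Values that end up inside a search filter (subject DN, issuer, serial number) come from
 * the XKMS request and are escaped per RFC 4515 before the filter is built, so they cannot
 * change the filter structure (wildcards, extra clauses).
 */
public class LdapCertificateRepo implements CertificateRepo {
    private static final Logger LOG = LogUtils.getL7dLogger(LdapCertificateRepo.class);
    private static final String ATTR_OBJECT_CLASS = "objectClass";
    /** JCA certificate type handled by this repository. */
    private static final String CERT_TYPE = "X.509";
    /** Separator placed between a relative DN and the configured root DN. */
    private static final String DN_SEPARATOR = ",";

    private final LdapSearch ldapSearch;
    private final String rootDN;
    private final CertificateFactory certificateFactory;
    private final LdapSchemaConfig ldapConfig;
    /** Filter template with one {@code %s} slot for the (escaped) UID value. */
    private final String filterUIDTemplate;
    /** Filter template with two {@code %s} slots: (escaped) issuer, then (escaped) serial. */
    private final String filterIssuerSerialTemplate;

    /**
     * Creates a repository over the given directory connection.
     *
     * @param ldapSearch directory access used for searches and binds
     * @param ldapSchemaConfig attribute / object-class names and filter / RDN templates
     * @param rootDN base DN under which certificates live; may be {@code null} or empty
     * @throws IllegalStateException if the JRE provides no {@code X.509} certificate factory
     */
    public LdapCertificateRepo(LdapSearch ldapSearch, LdapSchemaConfig ldapSchemaConfig, String rootDN) {
        this.ldapSearch = ldapSearch;
        this.ldapConfig = ldapSchemaConfig;
        this.rootDN = rootDN;
        try {
            this.certificateFactory = CertificateFactory.getInstance(CERT_TYPE);
        } catch (CertificateException e) {
            // Failing fast here is clearer than a NullPointerException on the first lookup.
            LOG.log(Level.SEVERE, e.getMessage(), e);
            throw new IllegalStateException("No " + CERT_TYPE + " CertificateFactory available", e);
        }
        this.filterUIDTemplate = "(" + ldapSchemaConfig.getAttrUID() + "=%s)";
        this.filterIssuerSerialTemplate = "(&(" + ldapSchemaConfig.getAttrIssuerID() + "=%s)("
            + ldapSchemaConfig.getAttrSerialNumber() + "=%s))";
    }

    /** Returns all certificates matching the configured trusted-authority filter. */
    @Override
    public List<X509Certificate> getTrustedCaCerts() {
        return getCertificatesFromLdap(this.rootDN, this.ldapConfig.getTrustedAuthorityFilter(),
                                       this.ldapConfig.getAttrCrtBinary());
    }

    /** Returns all certificates matching the configured intermediate-CA filter. */
    @Override
    public List<X509Certificate> getCaCerts() {
        return getCertificatesFromLdap(this.rootDN, this.ldapConfig.getIntermediateFilter(),
                                       this.ldapConfig.getAttrCrtBinary());
    }

    /** Returns all CRLs matching the configured CRL filter. */
    @Override
    public List<X509CRL> getCRLs() {
        return getCRLsFromLdap(this.rootDN, this.ldapConfig.getCrlFilter(), this.ldapConfig.getAttrCrlBinary());
    }

    /**
     * Collects the raw value of {@code attrName} from every entry below {@code baseDn} that matches
     * {@code filter}. Entries without the attribute, or with a null value, are skipped.
     *
     * @throws NamingException on any directory error
     */
    private List<byte[]> readBinaryAttributes(String baseDn, String filter, String attrName)
        throws NamingException {
        List<byte[]> values = new ArrayList<byte[]>();
        NamingEnumeration<SearchResult> results = this.ldapSearch.searchSubTree(baseDn, filter);
        try {
            while (results.hasMore()) {
                Attribute attribute = results.next().getAttributes().get(attrName);
                if (attribute != null) {
                    byte[] raw = (byte[]) attribute.get();
                    if (raw != null) {
                        values.add(raw);
                    }
                }
            }
        } finally {
            // Release the server-side search context even when decoding below fails.
            results.close();
        }
        return values;
    }

    /**
     * Searches below {@code baseDn} with {@code filter} and decodes {@code attrName} of each hit
     * as an X.509 certificate.
     *
     * @throws RuntimeException wrapping the directory or decoding failure
     */
    private List<X509Certificate> getCertificatesFromLdap(String baseDn, String filter, String attrName) {
        try {
            List<X509Certificate> certs = new ArrayList<X509Certificate>();
            for (byte[] encoded : readBinaryAttributes(baseDn, filter, attrName)) {
                certs.add(decodeCertificate(encoded));
            }
            return certs;
        } catch (NamingException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Searches below {@code baseDn} with {@code filter} and decodes {@code attrName} of each hit
     * as an X.509 CRL.
     *
     * @throws RuntimeException wrapping the directory or decoding failure
     */
    private List<X509CRL> getCRLsFromLdap(String baseDn, String filter, String attrName) {
        try {
            List<X509CRL> crls = new ArrayList<X509CRL>();
            for (byte[] encoded : readBinaryAttributes(baseDn, filter, attrName)) {
                crls.add((X509CRL) this.certificateFactory.generateCRL(new ByteArrayInputStream(encoded)));
            }
            return crls;
        } catch (CRLException e) {
            throw new RuntimeException(e.getMessage(), e);
        } catch (NamingException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Binds a new entry at {@code dn} holding the certificate plus the schema-configured
     * object class, UID (subject DN), issuer, serial (hex) and constant attributes.
     *
     * @throws RuntimeException wrapping an encoding or directory failure
     */
    private void saveCertificate(X509Certificate certificate, String dn) {
        Attributes attributes = new BasicAttributes();
        attributes.put(new BasicAttribute(ATTR_OBJECT_CLASS, this.ldapConfig.getCertObjectClass()));
        attributes.put(new BasicAttribute(this.ldapConfig.getAttrUID(),
                                          certificate.getSubjectX500Principal().getName()));
        attributes.put(new BasicAttribute(this.ldapConfig.getAttrIssuerID(),
                                          certificate.getIssuerX500Principal().getName()));
        // Serial is stored in hex; findByIssuerSerial callers must pass the same form.
        attributes.put(new BasicAttribute(this.ldapConfig.getAttrSerialNumber(),
                                          certificate.getSerialNumber().toString(16)));
        addConstantAttributes(this.ldapConfig.getConstAttrNamesCSV(),
                              this.ldapConfig.getConstAttrValuesCSV(), attributes);
        try {
            attributes.put(new BasicAttribute(this.ldapConfig.getAttrCrtBinary(), certificate.getEncoded()));
            this.ldapSearch.bind(dn, attributes);
        } catch (CertificateException e) {
            throw new RuntimeException(e.getMessage(), e);
        } catch (NamingException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Adds the constant attributes configured as two parallel comma-separated lists.
     * A null or blank name list means "no constant attributes".
     *
     * @throws IllegalArgumentException if the two lists have different lengths
     */
    private void addConstantAttributes(String namesCsv, String valuesCsv, Attributes attributes) {
        if (namesCsv == null || namesCsv.trim().isEmpty()) {
            return;
        }
        String[] names = namesCsv.split(",");
        String[] values = valuesCsv == null ? new String[0] : valuesCsv.split(",");
        if (names.length != values.length) {
            throw new IllegalArgumentException(
                String.format("Inconsistent constant attributes: %s; %s", namesCsv, valuesCsv));
        }
        for (int i = 0; i < names.length; i++) {
            attributes.put(new BasicAttribute(names[i], values[i]));
        }
    }

    /**
     * Looks a certificate up by subject DN: first as the entry {@code subjectDn,rootDN}, and
     * only if that yields nothing, by searching the UID attribute for the subject DN.
     *
     * @return the certificate, or {@code null} if neither lookup finds one
     */
    @Override
    public X509Certificate findBySubjectDn(String subjectDn) {
        X509Certificate cert = null;
        try {
            cert = getCertificateForDn(appendRootDn(subjectDn));
        } catch (NamingException e) {
            // No entry under that DN; fall back to the attribute search below.
            LOG.log(Level.FINE, "DN lookup failed: " + e.getMessage(), e);
        }
        if (cert == null) {
            try {
                cert = getCertificateForUIDAttr(subjectDn);
            } catch (NamingException e) {
                LOG.log(Level.FINE, "UID search failed: " + e.getMessage(), e);
            }
        }
        return cert;
    }

    /**
     * Looks a certificate up by service name: first under the templated service RDN, and only
     * if that yields nothing, by searching the UID attribute with the service UID template.
     *
     * @return the certificate, or {@code null} if neither lookup finds one
     */
    @Override
    public X509Certificate findByServiceName(String serviceName) {
        X509Certificate cert = null;
        try {
            cert = getCertificateForDn(getDnForServiceName(serviceName));
        } catch (NamingException e) {
            LOG.log(Level.FINE, "DN lookup failed: " + e.getMessage(), e);
        }
        if (cert == null) {
            try {
                cert = getCertificateForUIDAttr(String.format(this.ldapConfig.getServiceCertUIDTemplate(), serviceName));
            } catch (NamingException e) {
                LOG.log(Level.FINE, "UID search failed: " + e.getMessage(), e);
            }
        }
        return cert;
    }

    /** Appends the root DN (when configured) to a relative DN. */
    private String appendRootDn(String relativeDn) {
        if (this.rootDN == null || this.rootDN.isEmpty()) {
            return relativeDn;
        }
        return relativeDn + DN_SEPARATOR + this.rootDN;
    }

    /** Builds the full DN of a service certificate entry from the configured RDN template. */
    private String getDnForServiceName(String serviceName) {
        // JNDI reads '/' as a composite-name separator, so it must be escaped inside the RDN value.
        String rdn = String.format(this.ldapConfig.getServiceCertRDNTemplate(), serviceName.replace("/", "\\/"));
        return appendRootDn(rdn);
    }

    /** Reads and decodes the certificate attribute of the entry at {@code dn}. */
    private X509Certificate getCertificateForDn(String dn) throws NamingException {
        return getCert(this.ldapSearch.getAttribute(dn, this.ldapConfig.getAttrCrtBinary()));
    }

    /** Searches below the root DN for an entry whose UID attribute equals {@code uid}. */
    private X509Certificate getCertificateForUIDAttr(String uid) throws NamingException {
        String filter = String.format(this.filterUIDTemplate, escapeFilterValue(uid));
        return getCert(this.ldapSearch.findAttribute(this.rootDN, filter, this.ldapConfig.getAttrCrtBinary()));
    }

    /**
     * Searches below the root DN for the entry with the given issuer and (hex) serial number.
     *
     * @return the certificate, or {@code null} if no entry matches
     * @throws IllegalArgumentException if either argument is {@code null}
     * @throws RuntimeException wrapping a directory failure
     */
    @Override
    public X509Certificate findByIssuerSerial(String issuer, String serial) {
        if (issuer == null || serial == null) {
            throw new IllegalArgumentException("Issuer and serial applications are expected in request");
        }
        try {
            String filter = String.format(this.filterIssuerSerialTemplate,
                                          escapeFilterValue(issuer), escapeFilterValue(serial));
            return getCert(this.ldapSearch.findAttribute(this.rootDN, filter, this.ldapConfig.getAttrCrtBinary()));
        } catch (NamingException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515 section 3), so that
     * request-supplied text is matched literally rather than interpreted as filter syntax.
     *
     * @param value raw attribute value; {@code null} is returned unchanged
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\0':
                sb.append("\\00");
                break;
            default:
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Decodes a binary certificate attribute.
     *
     * @return the certificate, or {@code null} if the attribute or its value is absent
     * @throws RuntimeException wrapping a directory or decoding failure
     */
    private X509Certificate getCert(Attribute attribute) {
        if (attribute == null) {
            return null;
        }
        try {
            byte[] encoded = (byte[]) attribute.get();
            if (encoded == null) {
                return null;
            }
            return decodeCertificate(encoded);
        } catch (NamingException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /** Parses DER/PEM bytes with the shared factory, wrapping failures as {@link RuntimeException}. */
    private X509Certificate decodeCertificate(byte[] encoded) {
        try {
            return (X509Certificate) this.certificateFactory.generateCertificate(new ByteArrayInputStream(encoded));
        } catch (CertificateException e) {
            throw new RuntimeException("Error deserializing certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Stores a certificate under a DN derived from the request's application: the identifier
     * itself for {@code PKIX}, the templated service RDN for {@code SERVICE_SOAP}.
     *
     * @throws IllegalArgumentException for any other application
     * @throws RuntimeException wrapping an encoding or directory failure
     */
    @Override
    public void saveCertificate(X509Certificate certificate, UseKeyWithType useKeyWith) {
        Applications application = Applications.fromUri(useKeyWith.getApplication());
        String dn;
        if (application == Applications.PKIX) {
            dn = appendRootDn(useKeyWith.getIdentifier());
        } else if (application == Applications.SERVICE_SOAP) {
            dn = getDnForServiceName(useKeyWith.getIdentifier());
        } else {
            throw new IllegalArgumentException("Unsupported Application " + application);
        }
        saveCertificate(certificate, dn);
    }
}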
