package ca.nrc.cadc.cred.server.actions;

import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.X509CertificateChain;
import ca.nrc.cadc.cred.CertUtil;
import ca.nrc.cadc.cred.server.CertificateDAO;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.profiler.Profiler;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:ca/nrc/cadc/cred/server/actions/DelegationAction.class */
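/**
 * Privileged action that resolves which identity a caller may obtain a
 * certificate chain for, and (via {@link #prepareCert}) mints a short-lived
 * proxy certificate on top of the stored chain.
 *
 * <p>Authorization rules enforced by {@link #run()}:
 * <ul>
 *   <li>the caller's {@link Subject} must carry exactly one {@link X500Principal};</li>
 *   <li>a caller asking for its own identity ({@code name == null} or equal to the
 *       caller) is limited to a 30 day lifetime;</li>
 *   <li>a caller asking for another identity must appear in {@code trustedPrincipals},
 *       and the requested lifetime is capped by the value stored for that caller.</li>
 * </ul>
 *
 * <p>Not thread-safe: {@code daysValid} is rewritten while the action runs.
 * Subclasses supply {@link #getCertificate(X500Principal)}.
 */
public abstract class DelegationAction implements PrivilegedExceptionAction<X509CertificateChain> {
    private static final Logger log = Logger.getLogger(DelegationAction.class);

    /** Default and maximum lifetime (in days) for a self-delegation. */
    private static final float DEFAULT_DAYS_VALID = 30.0f;

    /** Target identity; {@code null} means "the caller itself". */
    X500Principal name;
    /** Requested proxy lifetime in days; {@link Float#MAX_VALUE} means "return the stored chain as-is". */
    Float daysValid;
    /** Callers permitted to delegate for other identities, mapped to their lifetime cap in days. */
    Map<X500Principal, Float> trustedPrincipals;
    protected CertificateDAO certDAO;
    Profiler profiler = new Profiler(getClass());

    /**
     * @param x500Principal  target identity, or {@code null} for the caller's own identity
     * @param f              requested lifetime in days; {@code null} defaults to 30 when the action runs
     * @param map            trusted delegators and their per-caller lifetime caps; may be {@code null}
     * @param certificateDAO storage used by subclasses to look up chains
     */
    public DelegationAction(X500Principal x500Principal, Float f, Map<X500Principal, Float> map, CertificateDAO certificateDAO) {
        this.name = x500Principal;
        this.daysValid = f;
        this.trustedPrincipals = map;
        this.certDAO = certificateDAO;
    }

    /**
     * Loads (and typically proxies) the chain for the given identity.
     *
     * @param x500Principal identity whose chain is wanted
     * @return the chain to hand back to the caller
     * @throws Exception on lookup or signing failure
     */
    public abstract X509CertificateChain getCertificate(X500Principal x500Principal) throws Exception;

    /**
     * Authorizes the caller against the current access-control context and
     * dispatches to {@link #getCertificate(X500Principal)}.
     *
     * @return the chain for the caller or for the requested target
     * @throws AccessControlException    if there is no authenticated caller, the caller presents
     *                                   more than one X.500 identity, or the caller is not trusted
     *                                   to delegate for the requested target
     * @throws ResourceNotFoundException if a self-delegation asks for more than 30 days
     * @throws Exception                 whatever {@link #getCertificate} throws
     */
    @Override // java.security.PrivilegedExceptionAction
    public X509CertificateChain run() throws Exception {
        X500Principal caller = resolveCaller();

        if (this.daysValid == null) {
            this.daysValid = Float.valueOf(DEFAULT_DAYS_VALID);
        }

        boolean trusted;
        if (this.name == null || AuthenticationUtil.equals(this.name, caller)) {
            // Self-delegation: hard cap of 30 days, never more.
            if (this.daysValid.floatValue() > 30.0d) {
                throw new ResourceNotFoundException("Requested lifetime limitted to 30");
            }
            trusted = true;
        } else {
            trusted = applyTrustedPrincipalLimit(caller);
        }

        if (!trusted) {
            throw new AccessControlException("Delegation failed because caller is not trusted.");
        }

        if (this.name == null) {
            log.debug("calling getCertficate(caller)");
            return getCertificate(caller);
        }
        log.debug("calling getCertficate(target)");
        return getCertificate(this.name);
    }

    /**
     * Extracts the single X.500 identity of the caller from the current
     * access-control context.
     *
     * @throws AccessControlException if no Subject is bound to the context (previously an NPE),
     *                                the Subject has no X.500 principal, or it has more than one
     */
    private static X500Principal resolveCaller() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            // Subject.getSubject returns null when nothing is bound; treat it as unauthenticated.
            throw new AccessControlException("Delegation failed because the caller is not authenticated.");
        }
        Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
        if (principals.isEmpty()) {
            throw new AccessControlException("Delegation failed because the caller is not authenticated.");
        }
        if (principals.size() > 1) {
            throw new AccessControlException("Delegation failed because caller autheticated with multiple certificates.");
        }
        return principals.iterator().next();
    }

    /**
     * Checks whether {@code caller} is a trusted delegator and, if so, clamps
     * {@code daysValid} to that caller's configured cap.
     *
     * <p>A cap below the requested lifetime wins; a requested lifetime of exactly
     * 0 is replaced by the cap. Only the first matching entry (in map iteration
     * order) is applied. A {@code null} map means nobody is trusted.
     *
     * @return {@code true} if a matching trusted principal was found
     */
    private boolean applyTrustedPrincipalLimit(X500Principal caller) {
        if (this.trustedPrincipals == null) {
            return false;
        }
        for (Map.Entry<X500Principal, Float> entry : this.trustedPrincipals.entrySet()) {
            if (!AuthenticationUtil.equals(caller, entry.getKey())) {
                continue;
            }
            float limit = entry.getValue().floatValue();
            if (limit < this.daysValid.floatValue()) {
                this.daysValid = Float.valueOf(limit);
            }
            if (this.daysValid.floatValue() == 0.0f) {
                this.daysValid = Float.valueOf(limit);
            }
            return true;
        }
        return false;
    }

    /**
     * @return the effective lifetime in days after {@link #run()} has applied its limits
     */
    public float getDaysValid() {
        return this.daysValid.floatValue();
    }

    /**
     * Mints a proxy certificate: generates a fresh 2048-bit RSA key pair,
     * builds a SHA256withRSA PKCS#10 request for the stored end-entity subject,
     * has {@link CertUtil#generateCertificate} sign it with the stored chain,
     * and returns the new leaf prepended to that chain together with the new
     * private key.
     *
     * <p>Two cases return without minting: if {@code daysValid} is
     * {@link Float#MAX_VALUE} the stored chain is returned unchanged; however a
     * stored chain whose private key is not RSA can never be returned bare and is
     * instead proxied for 30 days.
     *
     * @param x509CertificateChain the stored chain to proxy
     * @return the proxied chain, or the input when returned bare
     * @throws RuntimeException if the JCE cannot create an RSA key pair generator
     */
    public X509CertificateChain prepareCert(X509CertificateChain x509CertificateChain) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateParsingException, CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException {
        log.debug("prepareCert - START");
        if (!(x509CertificateChain.getPrivateKey() instanceof RSAKey) && this.daysValid.floatValue() == Float.MAX_VALUE) {
            this.daysValid = Float.valueOf(DEFAULT_DAYS_VALID);
        }
        if (this.daysValid.floatValue() == Float.MAX_VALUE) {
            log.debug("daysValid = " + this.daysValid + ", returning bare certificate");
            return x509CertificateChain;
        }
        try {
            if (Security.getProvider("BC") == null) {
                Security.addProvider(new BouncyCastleProvider());
            }

            KeyPairGenerator keyPairGenerator;
            try {
                keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            } catch (NoSuchAlgorithmException e) {
                // Only the generator lookup is wrapped; other NoSuchAlgorithmExceptions propagate as declared.
                throw new RuntimeException("The JCE doesn't do RSA! Game over.", e);
            }
            keyPairGenerator.initialize(2048);

            X509Certificate[] stored = x509CertificateChain.getChain();
            String subject = stored[0].getSubjectX500Principal().getName("CANONICAL");
            KeyPair proxyKeys = keyPairGenerator.generateKeyPair();

            PKCS10CertificationRequest csr = new PKCS10CertificationRequest("SHA256WITHRSA", new X509Name(subject), proxyKeys.getPublic(), (ASN1Set) null, proxyKeys.getPrivate(), "BC");
            log.debug("PKCS10CertificationRequest " + csr.getSignatureAlgorithm().toString());

            // Lifetime is handed over in seconds.
            int lifetimeSeconds = Math.round(this.daysValid.floatValue() * 24.0f * 60.0f * 60.0f);
            X509Certificate proxyCert = CertUtil.generateCertificate(csr, lifetimeSeconds, x509CertificateChain);

            X509Certificate[] proxied = new X509Certificate[stored.length + 1];
            proxied[0] = proxyCert;
            System.arraycopy(stored, 0, proxied, 1, stored.length);

            X509CertificateChain result = new X509CertificateChain(proxied, proxyKeys.getPrivate());
            result.setPrincipal(x509CertificateChain.getPrincipal());
            return result;
        } finally {
            this.profiler.checkpoint("prepareCert");
        }
    }
}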
