package com.gitblit.utils;

import com.gitblit.Constants;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.TimeZone;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import javax.crypto.Cipher;
import org.apache.axis2.util.CommandLineOptionConstants;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.core.runtime.internal.adaptor.IModel;
import org.eclipse.osgi.framework.internal.reliablefile.ReliableFile;
import org.fontbox.afm.AFMParser;
import org.pdfbox.pdmodel.interactive.annotation.PDAnnotationLink;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:com/gitblit/utils/X509Utils.class
 */
/* loaded from: input_file:gitblit-1.4.1-wso2v1.jar:com/gitblit/utils/X509Utils.class */
public class X509Utils {
    // File names below are relative to the base folder passed to prepareX509Infrastructure().
    // Server SSL key store; JKS is selected by openKeyStore() from the .jks extension.
    public static final String SERVER_KEY_STORE = "serverKeyStore.jks";
    // Server trust store that receives the CA certificate.
    public static final String SERVER_TRUST_STORE = "serverTrustStore.jks";
    // Sub-folder holding the CA material.
    public static final String CERTS = "certs";
    // CA key store; the .p12 extension makes openKeyStore() use PKCS12 from the BC provider.
    public static final String CA_KEY_STORE = "certs/caKeyStore.p12";
    // CA certificate revocation list, written as the raw encoding of X509CRLHolder.getEncoded().
    public static final String CA_REVOCATION_LIST = "certs/caRevocationList.crl";
    public static final String CA_CONFIG = "certs/authority.conf";
    // CN of the CA certificate. The decompiled methods below carry this value as an inlined literal.
    public static final String CA_CN = "Gitblit Certificate Authority";
    // Key store alias of the CA entry (same value as CA_CN).
    public static final String CA_ALIAS = "Gitblit Certificate Authority";
    // JCA provider name of Bouncy Castle.
    private static final String BC = "BC";
    // RSA modulus size in bits; newKeyPair() carries it as the inlined literal 2048.
    private static final int KEY_LENGTH = 2048;
    // newKeyPair() carries this as the inlined literal "RSA".
    private static final String KEY_ALGORITHM = "RSA";
    private static final String SIGNING_ALGORITHM = "SHA512withRSA";
    // Assigned in a static initializer outside this excerpt — presumably probes the
    // JCE policy via javax.crypto.Cipher (imported above); confirm.
    public static final boolean unlimitedStrength;
    private static final Logger logger = LoggerFactory.getLogger(X509Utils.class);

    /* JADX WARN: Classes with same name are omitted:
      input_file:com/gitblit/utils/X509Utils$RevocationReason.class
     */
    /* loaded from: input_file:gitblit-1.4.1-wso2v1.jar:com/gitblit/utils/X509Utils$RevocationReason.class */
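    /**
     * Reasons for revoking a certificate. The declaration order matches the
     * RFC 5280 CRLReason code points (unspecified = 0 ... aACompromise = 10), so
     * {@link #ordinal()} doubles as the numeric reason code — do not reorder or
     * insert constants. {@code unused} occupies the unassigned code point 7 so
     * that the ordinals stay aligned.
     */
    public enum RevocationReason {
        unspecified,
        keyCompromise,
        caCompromise,
        affiliationChanged,
        superseded,
        cessationOfOperation,
        certificateHold,
        unused,
        removeFromCRL,
        privilegeWithdrawn,
        ACompromise;

        /**
         * The reasons offered for selection: everything except the hold/placeholder
         * codes (certificateHold, unused, removeFromCRL) and ACompromise.
         * The reference is now final; the array itself is still mutable, so treat it as read-only.
         */
        public static final RevocationReason[] reasons = {unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, privilegeWithdrawn};

        /** @return the constant name followed by its numeric reason code, e.g. {@code "keyCompromise (1)"} */
        @Override // java.lang.Enum
        public String toString() {
            return name() + " (" + ordinal() + ")";
        }
    }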

    /* JADX WARN: Classes with same name are omitted:
      input_file:com/gitblit/utils/X509Utils$X509Log.class
     */
    /* loaded from: input_file:gitblit-1.4.1-wso2v1.jar:com/gitblit/utils/X509Utils$X509Log.class */
    /**
     * Receives one line of text per certificate event (CA/SSL/client certificate
     * creation, CRL generation, revocation) for display or auditing.
     */
    public interface X509Log {
        /** @param str message to record */
        void log(String str);
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:com/gitblit/utils/X509Utils$X509Metadata.class
     */
    /* loaded from: input_file:gitblit-1.4.1-wso2v1.jar:com/gitblit/utils/X509Utils$X509Metadata.class */
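    /**
     * Subject data, validity window and key store password used when generating
     * certificates. Fields are public and mutable on purpose: callers fill them in
     * before generation and the generators write {@link #serialNumber} back.
     */
    public static class X509Metadata {
        // Additional DN attributes keyed by BCStyle field name ("C", "ST", "L", "O", "OU", "E", ...)
        public final Map<String, String> oids;
        public final String commonName;
        // NOTE(review): kept as an immutable String, so it cannot be zeroed after use
        public final String password;
        public String passwordHint;
        public String emailAddress;
        public Date notBefore;
        public Date notAfter;
        public String serverHostname;
        public String userDisplayname;
        // Set by the generators once a certificate has been issued
        public String serialNumber;

        /**
         * Creates metadata with a default validity of one year and one day from now
         * (seconds and milliseconds zeroed).
         *
         * @param str  common name (CN), required
         * @param str2 key store password, required
         * @throws IllegalArgumentException if either argument is empty
         */
        public X509Metadata(String str, String str2) {
            if (StringUtils.isEmpty(str)) {
                throw new IllegalArgumentException("Common name required!");
            }
            if (StringUtils.isEmpty(str2)) {
                throw new IllegalArgumentException("Password required!");
            }
            this.commonName = str;
            this.password = str2;
            Calendar calendar = Calendar.getInstance(TimeZone.getDefault());
            calendar.set(Calendar.SECOND, 0);
            calendar.set(Calendar.MILLISECOND, 0);
            this.notBefore = calendar.getTime();
            calendar.add(Calendar.YEAR, 1);
            calendar.add(Calendar.DAY_OF_MONTH, 1);
            this.notAfter = calendar.getTime();
            this.oids = new HashMap<String, String>();
        }

        /**
         * Copies every field except {@link #serialNumber} into a new instance with a
         * different common name and password.
         *
         * @param str  common name for the copy
         * @param str2 password for the copy
         * @return the copy
         * @throws IllegalArgumentException if either argument is empty
         */
        public X509Metadata clone(String str, String str2) {
            X509Metadata copy = new X509Metadata(str, str2);
            copy.emailAddress = this.emailAddress;
            copy.notBefore = this.notBefore;
            copy.notAfter = this.notAfter;
            copy.oids.putAll(this.oids);
            copy.passwordHint = this.passwordHint;
            copy.serverHostname = this.serverHostname;
            copy.userDisplayname = this.userDisplayname;
            return copy;
        }

        /**
         * @param str  attribute name
         * @param str2 value returned when no attribute of that name is stored
         * @return the stored value (which may itself be {@code null}) or {@code str2}
         */
        public String getOID(String str, String str2) {
            return this.oids.containsKey(str) ? this.oids.get(str) : str2;
        }

        /**
         * Stores an attribute value, or removes the attribute when {@code str2} is empty.
         *
         * @param str  attribute name
         * @param str2 attribute value; empty removes the attribute
         */
        public void setOID(String str, String str2) {
            if (StringUtils.isEmpty(str2)) {
                this.oids.remove(str);
            } else {
                this.oids.put(str, str2);
            }
        }
    }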

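    /**
     * Ensures the CA key store, CA CRL, server key store and server trust store exist
     * under {@code file}, generating whichever is missing. Existing files are left
     * untouched, so the password in {@code x509Metadata} must match the one the
     * existing CA store was created with.
     *
     * @param x509Metadata CN (server hostname) and password used for generated artifacts
     * @param file         base folder, created if necessary
     * @param x509Log      receives a line for each generated artifact
     */
    public static void prepareX509Infrastructure(X509Metadata x509Metadata, File file, X509Log x509Log) {
        if (!file.mkdirs() && !file.isDirectory()) {
            logger.warn(MessageFormat.format("Could not create folder {0}", file.getAbsolutePath()));
        }
        // "Gitblit Certificate Authority" below equals CA_CN / CA_ALIAS (inlined by the decompiler).
        File file2 = new File(file, CA_KEY_STORE);
        if (!file2.exists()) {
            logger.info(MessageFormat.format("Generating {0} ({1})", "Gitblit Certificate Authority", file2.getAbsolutePath()));
            // the CA certificate is also exported next to the store as ca.cer for distribution
            saveCertificate(newCertificateAuthority(x509Metadata, file2, x509Log), new File(file2.getParentFile(), "ca.cer"));
        }
        File file3 = new File(file, CA_REVOCATION_LIST);
        if (!file3.exists()) {
            logger.info(MessageFormat.format("Generating {0} CRL ({1})", "Gitblit Certificate Authority", file3.getAbsolutePath()));
            newCertificateRevocationList(file3, file2, x509Metadata.password);
            x509Log.log("new certificate revocation list created");
        }
        // Migrate a legacy "keystore" file to the SERVER_KEY_STORE name. A failed rename is
        // no longer silent: the next step would otherwise generate a brand-new key store.
        File file4 = new File(file, "keystore");
        if (file4.exists()) {
            File migrated = new File(file, SERVER_KEY_STORE);
            if (file4.renameTo(migrated)) {
                logger.info(MessageFormat.format("Renaming {0} to {1}", file4.getName(), SERVER_KEY_STORE));
            } else {
                logger.warn(MessageFormat.format("Could not rename {0} to {1}", file4.getName(), SERVER_KEY_STORE));
            }
        }
        File file5 = new File(file, SERVER_KEY_STORE);
        if (!file5.exists()) {
            logger.info(MessageFormat.format("Generating SSL certificate for {0} signed by {1} ({2})", x509Metadata.commonName, "Gitblit Certificate Authority", file5.getAbsolutePath()));
            newSSLCertificate(x509Metadata, getPrivateKey("Gitblit Certificate Authority", file2, x509Metadata.password), getCertificate("Gitblit Certificate Authority", file2, x509Metadata.password), file5, x509Log);
        }
        File file6 = new File(file, SERVER_TRUST_STORE);
        if (!file6.exists()) {
            logger.info(MessageFormat.format("Importing {0} into trust store ({1})", "Gitblit Certificate Authority", file6.getAbsolutePath()));
            addTrustedCertificate("Gitblit Certificate Authority", getCertificate("Gitblit Certificate Authority", file2, x509Metadata.password), file6, x509Metadata.password);
        }
    }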

    /* JADX WARN: Finally extract failed */
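    /**
     * Opens a key store, or creates an empty in-memory one if {@code file} does not
     * exist yet. The store type follows the file extension: {@code .p12}/{@code .pfx}
     * selects PKCS12 from the Bouncy Castle provider, anything else the default JKS.
     *
     * @param file key store file; may not exist yet
     * @param str  store password (integrity check for an existing file)
     * @return the loaded, or new and unsaved, key store
     * @throws RuntimeException if the type/provider is unavailable, the file cannot be
     *         read, or the password/integrity check fails
     */
    public static KeyStore openKeyStore(File file, String str) {
        String lowerCase = file.getName().toLowerCase();
        String str2 = "JKS";
        String str3 = null;
        if (lowerCase.endsWith(".p12") || lowerCase.endsWith(".pfx")) {
            str2 = "PKCS12";
            str3 = BC;
        }
        try {
            KeyStore keyStore = str3 == null ? KeyStore.getInstance(str2) : KeyStore.getInstance(str2, str3);
            if (!file.exists()) {
                // fresh, empty store; callers persist it with saveKeyStore()
                keyStore.load(null);
                return keyStore;
            }
            FileInputStream fileInputStream = new FileInputStream(file);
            try {
                keyStore.load(fileInputStream, str.toCharArray());
            } finally {
                try {
                    fileInputStream.close();
                } catch (IOException ignored) {
                    // a load failure, if any, is the exception worth reporting; the
                    // decompiled version let a failing close() replace it
                }
            }
            return keyStore;
        } catch (Exception e) {
            throw new RuntimeException("Could not open keystore " + file, e);
        }
    }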

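    /**
     * Persists {@code keyStore} to {@code file} via a temporary sibling file that is
     * renamed into place, so a crash mid-write never leaves a truncated store.
     *
     * @param file     destination file; missing parent folders are created
     * @param keyStore store to write
     * @param str      store password protecting the file
     * @throws RuntimeException if the store cannot be written, the old file cannot be
     *         replaced, or the temp file cannot be renamed; an "illegal key size"
     *         IOException is reported as a JCE policy problem
     */
    public static void saveKeyStore(File file, KeyStore keyStore, String str) {
        File parentFile = file.getAbsoluteFile().getParentFile();
        if (!parentFile.exists()) {
            parentFile.mkdirs();
        }
        // Same folder as the target so the final rename stays on one filesystem.
        File file2 = new File(parentFile, Long.toHexString(System.currentTimeMillis()) + ".tmp");
        FileOutputStream fileOutputStream = null;
        try {
            fileOutputStream = new FileOutputStream(file2);
            keyStore.store(fileOutputStream, str.toCharArray());
            fileOutputStream.flush();
            // close before renaming: Windows refuses to rename an open file
            fileOutputStream.close();
            fileOutputStream = null;
            if (file.exists() && !file.delete()) {
                throw new IOException("Could not replace existing " + file);
            }
            // The decompiled version ignored this result and then deleted the temp file,
            // silently losing the store.
            if (!file2.renameTo(file)) {
                throw new IOException("Could not rename " + file2 + " to " + file);
            }
        } catch (IOException e) {
            String message = e.getMessage();
            if (message != null && message.toLowerCase().contains("illegal key size")) {
                throw new RuntimeException("Illegal Key Size! You might consider installing the JCE Unlimited Strength Jurisdiction Policy files for your JVM.", e);
            }
            throw new RuntimeException("Could not save keystore " + file, e);
        } catch (Exception e) {
            throw new RuntimeException("Could not save keystore " + file, e);
        } finally {
            if (fileOutputStream != null) {
                try {
                    fileOutputStream.close();
                } catch (IOException ignored) {
                    // the store/rename error already in flight is the one worth reporting
                }
            }
            if (file2.exists()) {
                file2.delete();
            }
        }
    }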

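    /**
     * Loads the certificate stored under alias {@code str} from key store {@code file}.
     *
     * @param str  key store alias
     * @param file key store file
     * @param str2 key store password
     * @return the certificate, or {@code null} if the alias is absent
     * @throws RuntimeException if the store cannot be opened or the entry is not an X.509 certificate
     */
    public static X509Certificate getCertificate(String str, File file, String str2) {
        try {
            return (X509Certificate) openKeyStore(file, str2).getCertificate(str);
        } catch (Exception e) {
            // alias and file are safe to report; the password is not
            throw new RuntimeException("Could not read certificate \"" + str + "\" from " + file, e);
        }
    }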

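    /**
     * Loads the private key stored under alias {@code str} from key store {@code file}.
     * The store password is also used as the key password.
     *
     * @param str  key store alias
     * @param file key store file
     * @param str2 key store (and key) password
     * @return the private key, or {@code null} if the alias is absent
     * @throws RuntimeException if the store cannot be opened, the key cannot be
     *         recovered, or the entry is not a private key
     */
    public static PrivateKey getPrivateKey(String str, File file, String str2) {
        try {
            return (PrivateKey) openKeyStore(file, str2).getKey(str, str2.toCharArray());
        } catch (Exception e) {
            // alias and file are safe to report; the password is not
            throw new RuntimeException("Could not read private key \"" + str + "\" from " + file, e);
        }
    }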

    /* JADX WARN: Removed duplicated region for block: B:16:0x00c4 A[Catch: Exception -> 0x00d2, TryCatch #2 {Exception -> 0x00d2, blocks: (B:6:0x0035, B:10:0x004b, B:12:0x006c, B:14:0x00bd, B:16:0x00c4, B:17:0x00c9, B:24:0x007b, B:26:0x0082, B:29:0x0089, B:31:0x00a6, B:36:0x00b5, B:38:0x00bc), top: B:5:0x0035, inners: #0, #1 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /*
     * Writes certificate r7 to file r8. The decompiler could not recover this
     * method and emitted a stub that always throws, so this listing is not
     * runnable as-is. Callers in this file expect a working export:
     * prepareX509Infrastructure() writes the CA certificate as ca.cer and
     * newClientCertificate() writes the client certificate as <yyyyMMdd>.cer.
     * NOTE(review): the on-disk format (PEM or DER) is not visible here — confirm
     * against the original source before relying on it.
     */
    public static void saveCertificate(java.security.cert.X509Certificate r7, java.io.File r8) {
        /*
            Method dump skipped, instructions count: 260
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.gitblit.utils.X509Utils.saveCertificate(java.security.cert.X509Certificate, java.io.File):void");
    }

    /**
     * Generates a fresh 2048-bit RSA key pair from the Bouncy Castle provider,
     * seeded from a new SecureRandom. The literals duplicate KEY_ALGORITHM and
     * KEY_LENGTH (the decompiler inlined them).
     *
     * @throws Exception if the algorithm or provider is unavailable
     */
    private static KeyPair newKeyPair() throws Exception {
        SecureRandom random = new SecureRandom();
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BC);
        generator.initialize(2048, random);
        return generator.generateKeyPair();
    }

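    /**
     * Builds the subject DN for {@code x509Metadata}: C, ST, L, O, OU, E and CN in that
     * order. Each value is taken from {@code oids} and falls back to the default given
     * here (O/OU = Constants.NAME, E = emailAddress, CN = commonName); attributes with
     * no value are skipped by setOID(). The attribute keys must be BCStyle field names
     * because setOID() resolves them by reflection.
     *
     * @param x509Metadata subject data
     * @return the assembled name
     */
    private static X500Name buildDistinguishedName(X509Metadata x509Metadata) {
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
        setOID(x500NameBuilder, x509Metadata, "C", null);
        setOID(x500NameBuilder, x509Metadata, "ST", null);
        // "L", "O" and "E" are plain attribute names; the decompiled listing had
        // substituted unrelated third-party constants with the same string values.
        setOID(x500NameBuilder, x509Metadata, "L", null);
        setOID(x500NameBuilder, x509Metadata, "O", Constants.NAME);
        setOID(x500NameBuilder, x509Metadata, "OU", Constants.NAME);
        setOID(x500NameBuilder, x509Metadata, "E", x509Metadata.emailAddress);
        setOID(x500NameBuilder, x509Metadata, "CN", x509Metadata.commonName);
        return x500NameBuilder.build();
    }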

    /**
     * Adds one RDN to the builder. The value comes from the metadata's {@code oids}
     * map when present and non-empty, otherwise from {@code str2}; when both are
     * empty nothing is added. The attribute type is the BCStyle static field named
     * {@code str}, looked up by reflection; an unknown name is logged and skipped.
     *
     * @param x500NameBuilder builder receiving the RDN
     * @param x509Metadata    source of per-attribute overrides
     * @param str             attribute name, e.g. "CN"
     * @param str2            fallback value
     */
    private static void setOID(X500NameBuilder x500NameBuilder, X509Metadata x509Metadata, String str, String str2) {
        Map<String, String> overrides = x509Metadata.oids;
        String value = (overrides != null && overrides.containsKey(str)) ? overrides.get(str) : null;
        if (StringUtils.isEmpty(value)) {
            value = str2;
        }
        if (StringUtils.isEmpty(value)) {
            return;
        }
        try {
            ASN1ObjectIdentifier attributeType = (ASN1ObjectIdentifier) BCStyle.class.getField(str).get(null);
            x500NameBuilder.addRDN(attributeType, value);
        } catch (Exception e) {
            logger.error(MessageFormat.format("Failed to set OID \"{0}\"!", str), e);
        }
    }

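    /**
     * Issues a server (SSL/TLS) certificate for {@code x509Metadata.commonName}, signed
     * by the CA key, and stores the new private key with its chain in {@code file}
     * under the alias {@code commonName}. The serial is written back to
     * {@code x509Metadata.serialNumber}.
     *
     * @param x509Metadata    subject data, validity window and key store password
     * @param privateKey      CA signing key
     * @param x509Certificate CA certificate (issuer of the new certificate)
     * @param file            server key store to create or update
     * @param x509Log         receives a one-line summary of the issued certificate
     * @return the issued certificate
     * @throws RuntimeException wrapping any generation, verification or storage failure
     */
    public static X509Certificate newSSLCertificate(X509Metadata x509Metadata, PrivateKey privateKey, X509Certificate x509Certificate, File file, X509Log x509Log) {
        try {
            KeyPair newKeyPair = newKeyPair();
            // Issuer = the CA certificate's own issuer, which for a self-signed CA is its subject.
            // NOTE(review): the serial is the wall-clock time — predictable, and two certificates
            // issued in the same millisecond would collide; a random serial would be preferable
            // but changes what callers see in serialNumber.
            JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(new X500Name(PrincipalUtil.getIssuerX509Principal(x509Certificate).getName()), BigInteger.valueOf(System.currentTimeMillis()), x509Metadata.notBefore, x509Metadata.notAfter, buildDistinguishedName(x509Metadata), newKeyPair.getPublic());
            JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
            jcaX509v3CertificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(newKeyPair.getPublic()));
            // end-entity certificate, not a CA
            jcaX509v3CertificateBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
            jcaX509v3CertificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, jcaX509ExtensionUtils.createAuthorityKeyIdentifier(x509Certificate.getPublicKey()));
            // NOTE(review): a SAN is only added for an IP-address CN. Modern TLS clients match
            // the host against the SAN alone, so a hostname CN without a dNSName SAN is rejected
            // by them; adding one was left out here because a non-ASCII CN would then fail.
            ArrayList<GeneralName> altNames = new ArrayList<GeneralName>();
            if (HttpUtils.isIpAddress(x509Metadata.commonName)) {
                altNames.add(new GeneralName(GeneralName.iPAddress, x509Metadata.commonName));
            }
            if (!altNames.isEmpty()) {
                jcaX509v3CertificateBuilder.addExtension(X509Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[altNames.size()])));
            }
            X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC).getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(privateKey)));
            certificate.checkValidity(new Date());
            certificate.verify(x509Certificate.getPublicKey());
            KeyStore openKeyStore = openKeyStore(file, x509Metadata.password);
            // chain = [server cert, CA cert]; the key is protected with the store password
            openKeyStore.setKeyEntry(x509Metadata.commonName, newKeyPair.getPrivate(), x509Metadata.password.toCharArray(), new Certificate[]{certificate, x509Certificate});
            saveKeyStore(file, openKeyStore, x509Metadata.password);
            x509Log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", certificate.getSerialNumber(), certificate.getSubjectDN().getName()));
            x509Metadata.serialNumber = certificate.getSerialNumber().toString();
            return certificate;
        } catch (Throwable th) {
            throw new RuntimeException("Failed to generate SSL certificate!", th);
        }
    }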

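    /**
     * Creates a new self-signed CA certificate and key pair and stores them in
     * {@code file} (PKCS12 by extension) under the alias "Gitblit Certificate Authority".
     * Any existing file is deleted first, so calling this on a live CA store discards
     * the old CA key. The CA's CN is fixed; password, validity and OIDs are taken from
     * {@code x509Metadata} via {@link X509Metadata#clone}.
     *
     * @param x509Metadata source of password, validity window and extra DN attributes
     * @param file         CA key store to (re)create
     * @param x509Log      receives a one-line summary of the new CA certificate
     * @return the CA certificate
     * @throws RuntimeException wrapping any generation, self-verification or storage failure
     */
    public static X509Certificate newCertificateAuthority(X509Metadata x509Metadata, File file, X509Log x509Log) {
        try {
            KeyPair caKeyPair = newKeyPair();
            ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caKeyPair.getPrivate());
            X509Metadata caMetadata = x509Metadata.clone("Gitblit Certificate Authority", x509Metadata.password);
            X500Name caName = buildDistinguishedName(caMetadata);
            // self-issued: issuer == subject. NOTE(review): serial = wall-clock millis (predictable).
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(caName, BigInteger.valueOf(System.currentTimeMillis()), caMetadata.notBefore, caMetadata.notAfter, caName, caKeyPair.getPublic());
            JcaX509ExtensionUtils ext = new JcaX509ExtensionUtils();
            builder.addExtension(X509Extension.subjectKeyIdentifier, false, ext.createSubjectKeyIdentifier(caKeyPair.getPublic()));
            builder.addExtension(X509Extension.authorityKeyIdentifier, false, ext.createAuthorityKeyIdentifier(caKeyPair.getPublic()));
            // cA=true. NOTE(review): RFC 5280 4.2.1.9 requires basicConstraints to be marked
            // critical in CA certificates; it is non-critical here.
            builder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true));
            // critical key usage; 134 in the decompiled listing == digitalSignature | keyCertSign | cRLSign
            builder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
            X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC).getCertificate(builder.build(signer));
            certificate.checkValidity(new Date());
            certificate.verify(certificate.getPublicKey());
            if (file.exists()) {
                file.delete();
            }
            KeyStore caStore = openKeyStore(file, caMetadata.password);
            caStore.setKeyEntry("Gitblit Certificate Authority", caKeyPair.getPrivate(), caMetadata.password.toCharArray(), new Certificate[]{certificate});
            saveKeyStore(file, caStore, caMetadata.password);
            x509Log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", certificate.getSerialNumber(), certificate.getIssuerDN().getName()));
            // NOTE(review): the serial is recorded on the clone only; the caller's
            // x509Metadata.serialNumber stays untouched — confirm this is intended.
            caMetadata.serialNumber = certificate.getSerialNumber().toString();
            return certificate;
        } catch (Throwable th) {
            throw new RuntimeException("Failed to generate Gitblit CA certificate!", th);
        }
    }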

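    /**
     * Writes a new, empty CRL (no revoked entries, issued now) signed by the CA key in
     * {@code file2} to {@code file}, via a temporary sibling file renamed into place.
     *
     * @param file  CRL file to create or replace
     * @param file2 CA key store holding the "Gitblit Certificate Authority" entry
     * @param str   CA key store password
     * @throws RuntimeException wrapping any key store, signing or I/O failure
     */
    public static void newCertificateRevocationList(File file, File file2, String str) {
        try {
            KeyStore caStore = openKeyStore(file2, str);
            X509Certificate caCert = (X509Certificate) caStore.getCertificate("Gitblit Certificate Authority");
            PrivateKey caKey = (PrivateKey) caStore.getKey("Gitblit Certificate Authority", str.toCharArray());
            // NOTE(review): neither nextUpdate nor a CRL number extension is set; RFC 5280
            // (5.1.2.5, 5.2.3) requires conforming issuers to include both, and some relying
            // parties treat a CRL without nextUpdate as unusable.
            X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()), new Date());
            X509CRLHolder crl = crlBuilder.build(new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caKey));
            File file3 = new File(file.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
            FileOutputStream fileOutputStream = new FileOutputStream(file3);
            try {
                fileOutputStream.write(crl.getEncoded());
                fileOutputStream.flush();
                // close before renaming: Windows refuses to rename an open file
                fileOutputStream.close();
                fileOutputStream = null;
                if (file.exists() && !file.delete()) {
                    throw new IOException("Could not replace existing " + file);
                }
                // the decompiled version ignored this result and then deleted the temp file
                if (!file3.renameTo(file)) {
                    throw new IOException("Could not rename " + file3 + " to " + file);
                }
            } finally {
                if (fileOutputStream != null) {
                    try {
                        fileOutputStream.close();
                    } catch (IOException ignored) {
                        // the write/rename error already in flight is the one worth reporting
                    }
                }
                if (file3.exists()) {
                    file3.delete();
                }
            }
        } catch (Exception e) {
            throw new RuntimeException("Failed to create new certificate revocation list " + file, e);
        }
    }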

    /**
     * Adds (or replaces) a trusted certificate entry in the trust store {@code file},
     * creating the store if it does not exist yet.
     *
     * @param str             alias for the entry
     * @param x509Certificate certificate to trust
     * @param file            trust store file
     * @param str2            trust store password
     * @throws RuntimeException wrapping any open, update or save failure
     */
    public static void addTrustedCertificate(String str, X509Certificate x509Certificate, File file, String str2) {
        try {
            KeyStore trustStore = openKeyStore(file, str2);
            trustStore.setCertificateEntry(str, x509Certificate);
            saveKeyStore(file, trustStore, str2);
        } catch (Exception e) {
            throw new RuntimeException("Failed to import certificate into trust store " + file, e);
        }
    }

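    /**
     * Issues a client certificate for {@code x509Metadata.commonName} and packs the
     * artifacts written by {@link #newClientCertificate} (the .p12 and .pem if present,
     * the client and CA certificates as .cer, and an optional README built from
     * {@code instructions.tmpl} next to the CA store) into
     * {@code <CA folder>/<commonName>/<commonName>.zip}.
     *
     * @param x509Metadata subject data and key store password for the client
     * @param file         CA key store
     * @param str          CA key store password
     * @param x509Log      receives a one-line summary of the issued certificate
     * @return the zip file
     * @throws IllegalArgumentException if the common name contains path separators or ".."
     * @throws RuntimeException wrapping any other failure
     */
    public static File newClientBundle(X509Metadata x509Metadata, File file, String str, X509Log x509Log) {
        String commonName = x509Metadata.commonName;
        // commonName becomes a folder and file name below; refuse anything that could
        // resolve outside the per-user folder
        if (commonName.contains("/") || commonName.contains("\\") || commonName.contains("..")) {
            throw new IllegalArgumentException("Common name may not contain path separators: " + commonName);
        }
        try {
            KeyStore caStore = openKeyStore(file, str);
            PrivateKey caKey = (PrivateKey) caStore.getKey("Gitblit Certificate Authority", str.toCharArray());
            X509Certificate caCert = (X509Certificate) caStore.getCertificate("Gitblit Certificate Authority");
            // per-user folder next to the CA store
            File userFolder = new File(file.getParentFile(), commonName);
            X509Certificate clientCert = newClientCertificate(x509Metadata, caKey, caCert, userFolder);
            x509Log.log(MessageFormat.format("New client certificate {0,number,0} [{1}]", clientCert.getSerialNumber(), clientCert.getSubjectDN().getName()));
            String readme = processTemplate(new File(file.getParentFile(), "instructions.tmpl"), x509Metadata);
            File zipFile = new File(userFolder, commonName + ".zip");
            if (zipFile.exists()) {
                zipFile.delete();
            }
            ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile));
            try {
                File p12File = new File(userFolder, commonName + ".p12");
                if (p12File.exists()) {
                    addZipEntry(zipOutputStream, p12File.getName(), FileUtils.readContent(p12File));
                }
                File pemFile = new File(userFolder, commonName + ".pem");
                if (pemFile.exists()) {
                    addZipEntry(zipOutputStream, pemFile.getName(), FileUtils.readContent(pemFile));
                }
                addZipEntry(zipOutputStream, commonName + ".cer", clientCert.getEncoded());
                addZipEntry(zipOutputStream, "ca.cer", caCert.getEncoded());
                if (readme != null) {
                    addZipEntry(zipOutputStream, "README.TXT", readme.getBytes("UTF-8"));
                }
                zipOutputStream.flush();
            } finally {
                zipOutputStream.close();
            }
            return zipFile;
        } catch (Throwable th2) {
            throw new RuntimeException("Failed to generate client bundle!", th2);
        }
    }

    /** Writes one zip entry named {@code name} holding {@code content}. */
    private static void addZipEntry(ZipOutputStream zipOutputStream, String name, byte[] content) throws IOException {
        zipOutputStream.putNextEntry(new ZipEntry(name));
        zipOutputStream.write(content);
        zipOutputStream.closeEntry();
    }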

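    /**
     * Issues a client-authentication certificate for {@code x509Metadata.commonName},
     * signed by the CA key, and writes into {@code file}: {@code <commonName>.p12}
     * (key + certificate, CA certificate as a trusted entry), {@code <commonName>.pem}
     * (encrypted key, client certificate, CA certificate) and {@code <yyyyMMdd>.cer}
     * (suffixed _a, _b, ... if that name is taken). The serial is written back to
     * {@code x509Metadata.serialNumber}.
     *
     * @param x509Metadata    subject data, validity window and PKCS12/PEM password
     * @param privateKey      CA signing key
     * @param x509Certificate CA certificate (issuer of the new certificate)
     * @param file            output folder, created if necessary
     * @return the issued certificate
     * @throws IllegalArgumentException if the common name contains path separators or ".."
     * @throws RuntimeException wrapping any generation, verification or I/O failure
     */
    public static X509Certificate newClientCertificate(X509Metadata x509Metadata, PrivateKey privateKey, X509Certificate x509Certificate, File file) {
        String commonName = x509Metadata.commonName;
        // commonName becomes a file name below; refuse anything that could resolve outside the folder
        if (commonName.contains("/") || commonName.contains("\\") || commonName.contains("..")) {
            throw new IllegalArgumentException("Common name may not contain path separators: " + commonName);
        }
        try {
            KeyPair newKeyPair = newKeyPair();
            // Issuer = the CA certificate's own issuer, which for a self-signed CA is its subject.
            // NOTE(review): serial = wall-clock millis — predictable, and two certificates
            // issued in the same millisecond would share a serial.
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(PrincipalUtil.getIssuerX509Principal(x509Certificate).getName()), BigInteger.valueOf(System.currentTimeMillis()), x509Metadata.notBefore, x509Metadata.notAfter, buildDistinguishedName(x509Metadata), newKeyPair.getPublic());
            JcaX509ExtensionUtils ext = new JcaX509ExtensionUtils();
            builder.addExtension(X509Extension.subjectKeyIdentifier, false, ext.createSubjectKeyIdentifier(newKeyPair.getPublic()));
            // end-entity certificate, not a CA
            builder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
            builder.addExtension(X509Extension.authorityKeyIdentifier, false, ext.createAuthorityKeyIdentifier(x509Certificate.getPublicKey()));
            // critical key usage; 160 in the decompiled listing == digitalSignature | keyEncipherment
            builder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
            if (!StringUtils.isEmpty(x509Metadata.emailAddress)) {
                builder.addExtension(X509Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, x509Metadata.emailAddress)));
            }
            X509Certificate certificate = new JcaX509CertificateConverter().setProvider(BC).getCertificate(builder.build(new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(privateKey)));
            // PKCS#12 localKeyId so importers pair the private key with its certificate
            ((PKCS12BagAttributeCarrier) newKeyPair.getPrivate()).setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, ext.createSubjectKeyIdentifier(newKeyPair.getPublic()));
            certificate.checkValidity();
            certificate.verify(x509Certificate.getPublicKey());
            // The decompiled listing also evaluated issuerDN.equals(caSubjectDN) and discarded
            // the result; the issuer link is enforced by the PKIX path build below instead.
            verifyChain(certificate, x509Certificate);
            file.mkdirs();
            // exported certificate name: <yyyyMMdd>.cer, then <yyyyMMdd>_a.cer, _b.cer, ... if taken
            String datePrefix = new SimpleDateFormat("yyyyMMdd").format(new Date());
            String str = datePrefix;
            File file2 = new File(file, str + ".cer");
            int i = 0;
            while (file2.exists()) {
                str = datePrefix + "_" + Character.toString((char) ('a' + i));
                file2 = new File(file, str + ".cer");
                i++;
            }
            File file3 = new File(file, commonName + ".p12");
            if (file3.exists()) {
                file3.delete();
            }
            KeyStore openKeyStore = openKeyStore(file3, x509Metadata.password);
            // key password null: presumably the PKCS12 store password protects the bag on
            // save — confirm against the BC PKCS12 implementation
            openKeyStore.setKeyEntry(MessageFormat.format("Gitblit ({0}) {1} {2}", x509Metadata.serverHostname, x509Metadata.userDisplayname, str), newKeyPair.getPrivate(), null, new Certificate[]{certificate});
            openKeyStore.setCertificateEntry(MessageFormat.format("Gitblit ({0}) Certificate Authority", x509Metadata.serverHostname), x509Certificate);
            saveKeyStore(file3, openKeyStore, x509Metadata.password);
            File file4 = new File(file, commonName + ".pem");
            if (file4.exists()) {
                file4.delete();
            }
            // NOTE(review): DES-EDE3-CBC (3DES) is a legacy PEM key cipher kept for compatibility;
            // AES-256-CBC would be stronger if every consumer of the .pem supports it.
            PEMWriter pEMWriter = new PEMWriter(new FileWriter(file4));
            try {
                pEMWriter.writeObject(newKeyPair.getPrivate(), "DES-EDE3-CBC", x509Metadata.password.toCharArray(), new SecureRandom());
                pEMWriter.writeObject(certificate);
                pEMWriter.writeObject(x509Certificate);
                pEMWriter.flush();
            } finally {
                // the decompiled version leaked the writer when any writeObject() failed
                pEMWriter.close();
            }
            saveCertificate(certificate, file2);
            x509Metadata.serialNumber = certificate.getSerialNumber().toString();
            return certificate;
        } catch (Throwable th) {
            throw new RuntimeException("Failed to generate client certificate!", th);
        }
    }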

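    /**
     * Builds a PKIX certification path from {@code x509Certificate} to a trust anchor.
     * The trust anchors are the self-signed certificates among
     * {@code x509CertificateArr}; all supplied certificates also serve as the
     * candidate pool for intermediates. Revocation checking is disabled, so a
     * successful result proves the chain of signatures only, not that the
     * certificate is unrevoked.
     *
     * @param x509Certificate    end-entity certificate to verify; must not be self-signed
     * @param x509CertificateArr candidate issuers, including at least one self-signed CA
     * @return the built path
     * @throws RuntimeException if the certificate is self-signed, no anchor was supplied,
     *         or no path can be built (the "self-signed" error is re-wrapped as
     *         "Error verifying the certificate" by the generic catch, as before)
     */
    public static PKIXCertPathBuilderResult verifyChain(X509Certificate x509Certificate, X509Certificate... x509CertificateArr) {
        try {
            if (isSelfSigned(x509Certificate)) {
                throw new RuntimeException("The certificate is self-signed.  Nothing to verify.");
            }
            HashSet<X509Certificate> certificates = new HashSet<X509Certificate>();
            certificates.add(x509Certificate);
            certificates.addAll(Arrays.asList(x509CertificateArr));
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(x509Certificate);
            HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
            for (X509Certificate candidate : x509CertificateArr) {
                if (isSelfSigned(candidate)) {
                    anchors.add(new TrustAnchor(candidate, null));
                }
            }
            // PKIXBuilderParameters rejects an empty anchor set; that surfaces as "Error verifying..."
            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
            params.setRevocationEnabled(false);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificates), BC));
            return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX", BC).build(params);
        } catch (CertPathBuilderException e) {
            throw new RuntimeException("Error building certification path: " + x509Certificate.getSubjectX500Principal(), e);
        } catch (Exception e2) {
            throw new RuntimeException("Error verifying the certificate: " + x509Certificate.getSubjectX500Principal(), e2);
        }
    }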

    /**
     * Reports whether {@code x509Certificate} is self-signed, i.e. whether its signature verifies
     * under its own public key.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} when the certificate verifies with its own key; {@code false} when the
     *         key does not match or the signature is invalid
     * @throws RuntimeException wrapping any other failure (e.g. an unsupported algorithm)
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) {
        try {
            // A certificate is self-signed exactly when its own key validates its signature.
            x509Certificate.verify(x509Certificate.getPublicKey());
        } catch (InvalidKeyException | SignatureException notSelfSigned) {
            // Wrong key or bad signature: issued by someone else.
            return false;
        } catch (Exception unexpected) {
            throw new RuntimeException(unexpected);
        }
        return true;
    }

    /**
     * Reads a text template and substitutes the {@code $serverHostname}, {@code $username},
     * {@code $userDisplayname} and {@code $storePasswordHint} placeholders from {@code x509Metadata}.
     * A placeholder whose metadata value is empty is left untouched.
     *
     * @param file          the template file
     * @param x509Metadata  the values to substitute
     * @return the processed template, or {@code null} when the file is missing or empty
     */
    public static String processTemplate(File file, X509Metadata x509Metadata) {
        if (!file.exists()) {
            return null;
        }
        String content = FileUtils.readContent(file, IOUtils.LINE_SEPARATOR_UNIX);
        if (StringUtils.isEmpty(content)) {
            return null;
        }
        // Placeholder/value pairs, applied in this fixed order.
        String[][] substitutions = {
            { "$serverHostname", x509Metadata.serverHostname },
            { "$username", x509Metadata.commonName },
            { "$userDisplayname", x509Metadata.userDisplayname },
            { "$storePasswordHint", x509Metadata.passwordHint },
        };
        String result = content;
        for (String[] pair : substitutions) {
            if (!StringUtils.isEmpty(pair[1])) {
                result = result.replace(pair[0], pair[1]);
            }
        }
        return result;
    }

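    /**
     * Revokes {@code x509Certificate} using the CA private key stored in the keystore {@code file2}.
     *
     * @param x509Certificate   the certificate to revoke
     * @param revocationReason  the reason recorded in the CRL entry
     * @param file              the CRL file to update
     * @param file2             the CA keystore holding the "Gitblit Certificate Authority" entry
     * @param str               the keystore/key password
     * @param x509Log           the audit log that receives the revocation entry
     * @return {@code true} if the CRL was updated, {@code false} on any failure (which is logged)
     */
    public static boolean revoke(X509Certificate x509Certificate, RevocationReason revocationReason, File file, File file2, String str, X509Log x509Log) {
        try {
            PrivateKey caKey = (PrivateKey) openKeyStore(file2, str).getKey("Gitblit Certificate Authority", str.toCharArray());
            return revoke(x509Certificate, revocationReason, file, caKey, x509Log);
        } catch (Exception e) {
            // Log the cause as well; otherwise a keystore/password problem is indistinguishable from a CRL write error.
            logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}", x509Certificate.getSerialNumber(), x509Certificate.getSubjectDN().getName(), file), e);
            return false;
        }
    }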

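    /**
     * Adds {@code x509Certificate} to the CRL in {@code file}, re-signs the CRL with
     * {@code privateKey} and atomically-as-possible replaces the file.
     * <p>
     * Existing entries are carried over from the current CRL. The new CRL is first written to a
     * temporary file next to the target; only a complete write is moved into place. If the rename
     * fails after the old CRL was removed, the new CRL is left under the temporary name so it can be
     * recovered by hand, and the failure is logged.
     *
     * @param x509Certificate   the certificate to revoke
     * @param revocationReason  the reason recorded in the CRL entry
     * @param file              the CRL file to update (created if absent)
     * @param privateKey        the CA private key used to sign the CRL
     * @param x509Log           the audit log that receives the revocation entry
     * @return {@code true} if the CRL was updated, {@code false} on any failure (which is logged)
     */
    public static boolean revoke(X509Certificate x509Certificate, RevocationReason revocationReason, File file, PrivateKey privateKey, X509Log x509Log) {
        try {
            Date now = new Date();
            X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(PrincipalUtil.getIssuerX509Principal(x509Certificate).getName()), now);
            if (file.exists()) {
                // Carry forward every entry of the current CRL.
                crlBuilder.addCRL(new X509CRLHolder(FileUtils.readContent(file)));
            }
            // NOTE(review): the reason code is the enum ordinal; this is only correct if RevocationReason
            // is declared in RFC 5280 CRLReason order — confirm against the enum.
            crlBuilder.addCRLEntry(x509Certificate.getSerialNumber(), now, revocationReason.ordinal());
            // SHA-256 rather than SHA-1: the CRL is a signed artifact and SHA-1 signatures are rejected by
            // current validators.
            X509CRLHolder crl = crlBuilder.build(new JcaContentSignerBuilder("SHA256WithRSA").setProvider(BC).build(privateKey));

            File tmp = new File(file.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ReliableFile.tmpExt);
            try (FileOutputStream out = new FileOutputStream(tmp)) {
                out.write(crl.getEncoded());
                out.flush();
            } catch (IOException e) {
                tmp.delete(); // partial write: discard (best effort)
                throw e;
            }
            if (file.exists() && !file.delete()) {
                tmp.delete(); // old CRL still intact; discard the new one (best effort)
                throw new IOException("Could not replace existing CRL " + file);
            }
            if (!tmp.renameTo(file)) {
                // The old CRL is already gone: keep the freshly written CRL so it is not lost.
                throw new IOException("Could not rename " + tmp + " to " + file + "; the new CRL remains in the temporary file");
            }

            x509Log.log(MessageFormat.format("Revoked certificate {0,number,0} reason: {1} [{2}]", x509Certificate.getSerialNumber(), revocationReason.toString(), x509Certificate.getSubjectDN().getName()));
            return true;
        } catch (Exception e) {
            logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}", x509Certificate.getSerialNumber(), x509Certificate.getSubjectDN().getName(), file), e);
            return false;
        }
    }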

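    /**
     * Checks whether {@code x509Certificate} is listed in the CRL stored in {@code file}.
     * <p>
     * The CRL's own signature is not verified here; the file is treated as CA-local state written by
     * {@link #revoke}. Note that any failure to read or parse the CRL is logged and reported as
     * "not revoked" (fail-open), matching the original behaviour — callers that need fail-closed
     * semantics must handle that themselves.
     *
     * @param x509Certificate  the certificate to look up
     * @param file             the DER-encoded CRL file
     * @return {@code true} only if the file exists, parses, and lists the certificate
     */
    public static boolean isRevoked(X509Certificate x509Certificate, File file) {
        if (!file.exists()) {
            return false;
        }
        try (FileInputStream in = new FileInputStream(file)) {
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            return crl.isRevoked(x509Certificate);
        } catch (Exception e) {
            // NOTE(review): fail-open on an unreadable CRL; the cause is logged so a corrupt file is noticed.
            logger.error(MessageFormat.format("Failed to check revocation status for certificate {0,number,0} [{1}] in {2}", x509Certificate.getSerialNumber(), x509Certificate.getSubjectDN().getName(), file), e);
            return false;
        }
    }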

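    /**
     * Extracts a {@code X509Metadata} from the subject DN and validity data of {@code x509Certificate}.
     * <p>
     * The legacy {@code getSubjectDN().getName()} string form is parsed on purpose: the attribute
     * names looked up afterwards ({@code CN}, {@code E}, {@code EMAILADDRESS}) are the ones that form
     * emits. RDNs are split on {@code ','} and {@code '='}; a value containing an escaped comma is not
     * handled, and a fragment without {@code '='} is skipped rather than failing the whole parse.
     *
     * @param x509Certificate the certificate to describe
     * @return metadata carrying the DN attributes (upper-cased keys), serial number, validity
     *         window and e-mail address; the password field is a placeholder
     */
    public static X509Metadata getMetadata(X509Certificate x509Certificate) {
        String subjectDn = x509Certificate.getSubjectDN().getName();
        Map<String, String> attributes = new HashMap<String, String>();
        for (String rdn : subjectDn.split(",")) {
            // Limit to two parts so an '=' inside the value survives; skip fragments that have no type.
            String[] typeAndValue = rdn.trim().split("=", 2);
            if (typeAndValue.length != 2) {
                continue;
            }
            attributes.put(typeAndValue[0].trim().toUpperCase(), typeAndValue[1].trim());
        }
        X509Metadata x509Metadata = new X509Metadata(attributes.get("CN"), "whocares");
        x509Metadata.oids.putAll(attributes);
        x509Metadata.serialNumber = x509Certificate.getSerialNumber().toString();
        x509Metadata.notAfter = x509Certificate.getNotAfter();
        x509Metadata.notBefore = x509Certificate.getNotBefore();
        // The short "E" attribute name (the decompiler had resolved it through an unrelated Axis2
        // constant of the same value) is tried first, then the long form.
        x509Metadata.emailAddress = x509Metadata.getOID("E", null);
        if (x509Metadata.emailAddress == null) {
            x509Metadata.emailAddress = x509Metadata.getOID("EMAILADDRESS", null);
        }
        return x509Metadata;
    }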

    static {
        // Register Bouncy Castle so the "BC" provider lookups in this class resolve.
        Security.addProvider(new BouncyCastleProvider());

        // Probe the JCE policy: an AES key limit above 128 bits means the unlimited-strength policy is active.
        int maxAesKeyBits = 0;
        try {
            maxAesKeyBits = Cipher.getMaxAllowedKeyLength("AES");
        } catch (NoSuchAlgorithmException ignored) {
            // AES is a mandatory JCE algorithm; if it is somehow absent, fall back to the conservative "limited" answer.
        }
        unlimitedStrength = maxAesKeyBits > 128;

        logger.info(unlimitedStrength
                ? "Using JCE Unlimited Strength Jurisdiction Policy files"
                : "Using JCE Standard Encryption Policy files, encryption key lengths will be limited");
    }
}
