package org.wso2.carbon.security.util;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.Vector;
import org.apache.axiom.om.impl.dom.jaxp.DocumentBuilderFactoryImpl;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.CredentialException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.security.SecurityServiceHolder;

/* loaded from: input_file:org/wso2/carbon/security/util/ServerCrypto.class */
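/**
 * WSS4J {@code Crypto} implementation backed by the Carbon tenant key stores.
 *
 * <p>Lookups are resolved against, in order: the private key store
 * ({@link #PROP_ID_PRIVATE_STORE}), the configured trust stores
 * ({@link #PROP_ID_TRUST_STORES}) and finally the JDK {@code cacerts} store
 * (or the first trust store when {@code cacerts} cannot be loaded).
 *
 * <p>Note for reviewers: certificate-path validation in this class runs with
 * revocation checking disabled (see {@link #validateCertPath(KeyStore, Certificate[])}),
 * so CRL/OCSP status is never consulted here.
 */
public class ServerCrypto implements Crypto {
    public static final String PROP_ID_KEY_STORE = "org.wso2.carbon.security.crypto.keystore";
    public static final String PROP_ID_PRIVATE_STORE = "org.wso2.carbon.security.crypto.privatestore";
    public static final String PROP_ID_TRUST_STORES = "org.wso2.carbon.security.crypto.truststores";
    public static final String PROP_ID_CERT_PROVIDER = "org.wso2.carbon.security.crypto.cert.provider";
    public static final String PROP_ID_DEFAULT_ALIAS = "org.wso2.carbon.security.crypto.alias";
    public static final String PROP_ID_REGISTRY = "org.wso2.carbon.security.crypto.registry";
    public static final String PROP_ID_CACERT_PASS = "org.wso2.carbon.security.crypto.cacert.pass";
    public static final String PROP_ID_XKMS_SERVICE_PASS_PHRASE = "org.wso2.wsas.security.wso2wsas.crypto.xkms.pass";
    public static final String PROP_ID_TENANT_ID = "org.wso2.stratos.tenant.id";
    public static final String PROP_ID_XKMS_SERVICE_URL = "org.wso2.carbon.security.crypto.xkms.url";
    /** OID of the X.509 SubjectKeyIdentifier extension. */
    private static final String SKI_OID = "2.5.29.14";
    /** Merlin-compatible property naming an alternate CertPathValidator provider. */
    private static final String PROP_ID_MERLIN_CERT_PROVIDER = "org.apache.ws.security.crypto.merlin.cert.provider";
    /** Fixed number of DER header bytes skipped when deriving an SKI from a raw RSA public key. */
    private static final int RSA_SPKI_HEADER_LENGTH = 22;
    /** Fixed number of DER header bytes (two nested OCTET STRING headers) in an SKI extension value. */
    private static final int SKI_EXTENSION_HEADER_LENGTH = 4;
    private static final Log log = LogFactory.getLog(ServerCrypto.class);
    /**
     * Process-wide cached factory. It is created lazily from whichever instance first asks,
     * using that instance's {@link #PROP_ID_CERT_PROVIDER}; later instances reuse it.
     */
    private static CertificateFactory certFact = null;
    private Properties properties;
    /** Private key store, or {@code null} when {@link #PROP_ID_PRIVATE_STORE} is not configured. */
    private KeyStore keystore;
    /** JDK cacerts, or the first trust store when cacerts could not be loaded. */
    private KeyStore cacerts;
    /** Never {@code null}; empty when no trust stores are configured. */
    private List<KeyStore> trustStores;
    private Registry registry;
    private Boolean useXkms;

    /**
     * Creates the crypto provider using this class's class loader.
     *
     * @param properties configuration, see the {@code PROP_ID_*} constants
     * @throws CredentialException when any key store cannot be resolved or loaded
     * @throws IOException declared for API compatibility
     */
    public ServerCrypto(Properties properties) throws CredentialException, IOException {
        this(properties, ServerCrypto.class.getClassLoader());
    }

    /**
     * Creates the crypto provider for the tenant named by {@link #PROP_ID_TENANT_ID}
     * (falling back to the thread-local Carbon context) and loads its key stores.
     *
     * @param properties  configuration, see the {@code PROP_ID_*} constants
     * @param classLoader accepted for API compatibility; not used
     * @throws CredentialException when any key store cannot be resolved or loaded; every
     *                             underlying failure is wrapped with its cause preserved
     * @throws IOException declared for API compatibility
     */
    public ServerCrypto(Properties properties, ClassLoader classLoader) throws CredentialException, IOException {
        this.properties = null;
        this.keystore = null;
        this.cacerts = null;
        this.trustStores = new ArrayList<>();
        this.registry = null;
        try {
            String tenantIdText = (String) properties.get(PROP_ID_TENANT_ID);
            int tenantId = (tenantIdText == null || tenantIdText.trim().length() == 0)
                    ? CarbonContext.getThreadLocalCarbonContext().getTenantId()
                    : Integer.parseInt(tenantIdText);
            SecurityServiceHolder.getTenantRegistryLoader().loadTenantRegistry(tenantId);
            // The DOOM flag is global state: switch it off only for the registry call and always
            // restore it, even when that call throws, so other callers are not left with it cleared.
            boolean doomWasRequired = false;
            if (DocumentBuilderFactoryImpl.isDOOMRequired()) {
                DocumentBuilderFactoryImpl.setDOOMRequired(false);
                doomWasRequired = true;
            }
            try {
                this.registry = SecurityServiceHolder.getRegistryService().getGovernanceSystemRegistry(tenantId);
            } finally {
                if (doomWasRequired) {
                    DocumentBuilderFactoryImpl.setDOOMRequired(true);
                }
            }
            this.properties = properties;
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
            String privateStoreName = this.properties.getProperty(PROP_ID_PRIVATE_STORE);
            if (privateStoreName != null) {
                this.keystore = keyStoreManager.getKeyStore(privateStoreName);
            }
            String trustStoreNames = this.properties.getProperty(PROP_ID_TRUST_STORES);
            if (trustStoreNames != null && trustStoreNames.trim().length() != 0) {
                String[] names = trustStoreNames.trim().split(",");
                this.trustStores = new ArrayList<>(names.length);
                for (String name : names) {
                    this.trustStores.add(keyStoreManager.getKeyStore(name));
                }
            }
            loadJdkCacerts();
        } catch (Exception e) {
            log.error("error creating ServerCryto", e);
            throw new CredentialException(3, "secError00", e);
        }
    }

    /**
     * Loads the JDK's bundled {@code cacerts} store into {@link #cacerts}.
     *
     * <p>When the store cannot be opened or loaded (missing file, wrong
     * {@link #PROP_ID_CACERT_PASS}, corrupt store) the first configured trust store is
     * used in its place; with no trust store configured the failure is fatal.
     *
     * @throws CredentialException when cacerts fails to load and no trust store exists
     */
    private void loadJdkCacerts() throws CredentialException {
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
        try (FileInputStream in = new FileInputStream(cacertsPath)) {
            String cacertsPass = this.properties.getProperty(PROP_ID_CACERT_PASS, "changeit");
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            store.load(in, cacertsPass.toCharArray());
            this.cacerts = store;
        } catch (IOException | GeneralSecurityException e) {
            log.warn("Unable load to cacerts from the JDK.", e);
            if (this.trustStores.isEmpty()) {
                throw new CredentialException(3, "secError00", e);
            }
            this.cacerts = this.trustStores.get(0);
        }
    }

    /**
     * Parses one X.509 certificate from {@code inputStream}.
     *
     * @throws WSSecurityException when the data is not a parseable certificate
     */
    public X509Certificate loadCertificate(InputStream inputStream) throws WSSecurityException {
        try {
            return (X509Certificate) getCertificateFactory().generateCertificate(inputStream);
        } catch (CertificateException e) {
            throw new WSSecurityException(7, "parseError");
        }
    }

    /**
     * Decodes an encoded certificate path into its certificates.
     *
     * @param data    encoded CertPath
     * @param reverse when {@code true} the returned array is in reverse path order
     * @throws WSSecurityException when the data cannot be parsed
     */
    public X509Certificate[] getX509Certificates(byte[] data, boolean reverse) throws WSSecurityException {
        try {
            List<? extends Certificate> certs =
                    getCertificateFactory().generateCertPath(new ByteArrayInputStream(data)).getCertificates();
            int count = certs.size();
            X509Certificate[] result = new X509Certificate[count];
            int position = 0;
            for (Certificate cert : certs) {
                result[reverse ? count - 1 - position : position] = (X509Certificate) cert;
                position++;
            }
            return result;
        } catch (CertificateException e) {
            throw new WSSecurityException(7, "parseError");
        }
    }

    /**
     * Encodes the given certificates as a CertPath.
     *
     * @param reverse when {@code true} the path is built in reverse array order
     * @throws WSSecurityException on encoding or parse failure
     */
    public byte[] getCertificateData(boolean reverse, X509Certificate[] certs) throws WSSecurityException {
        List<Certificate> ordered = new ArrayList<>(certs.length);
        for (X509Certificate cert : certs) {
            if (reverse) {
                ordered.add(0, cert);
            } else {
                ordered.add(cert);
            }
        }
        try {
            return getCertificateFactory().generateCertPath(ordered).getEncoded();
        } catch (CertificateEncodingException e) {
            throw new WSSecurityException(7, "encodeError");
        } catch (CertificateException e) {
            throw new WSSecurityException(7, "parseError");
        }
    }

    /**
     * Returns the private key stored under {@code alias} in the private key store.
     *
     * @param alias    key entry alias; must not be {@code null}
     * @param password key password; {@code null} is passed through to the key store unchanged
     * @throws Exception when no private store is configured, the alias is missing or the
     *                   entry is not a private key
     */
    public PrivateKey getPrivateKey(String alias, String password) throws Exception {
        if (alias == null) {
            throw new Exception("alias is null");
        }
        if (this.keystore == null) {
            throw new Exception("No private key store configured, cannot load alias: " + alias);
        }
        if (!this.keystore.isKeyEntry(alias)) {
            log.error("Cannot find key for alias: " + alias);
            throw new Exception("Cannot find key for alias: " + alias);
        }
        char[] passwordChars = password == null ? null : password.toCharArray();
        Key key = this.keystore.getKey(alias, passwordChars);
        if (key instanceof PrivateKey) {
            return (PrivateKey) key;
        }
        throw new Exception("Key is not a private key, alias: " + alias);
    }

    /**
     * Returns the certificate chain for {@code alias}, searching the private store, then the
     * trust stores, then cacerts. A store that has only a single (trusted) certificate for the
     * alias yields a one-element chain.
     *
     * @return the chain, or an empty array when no store knows the alias
     * @throws WSSecurityException on key store access failure
     */
    public X509Certificate[] getCertificates(String alias) throws WSSecurityException {
        try {
            Certificate[] chain = null;
            if (this.keystore != null) {
                chain = lookupChain(this.keystore, alias);
            }
            if (chain == null && this.trustStores != null) {
                for (KeyStore trustStore : this.trustStores) {
                    chain = lookupChain(trustStore, alias);
                    if (chain != null) {
                        break;
                    }
                }
            }
            if (chain == null && this.cacerts != null) {
                chain = lookupChain(this.cacerts, alias);
            }
            if (chain == null) {
                return new X509Certificate[0];
            }
            X509Certificate[] result = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                result[i] = (X509Certificate) chain[i];
            }
            return result;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /**
     * Resolves {@code alias} in a single store: the full chain when present, otherwise the
     * single certificate entry wrapped in a one-element array.
     *
     * @return the chain, or {@code null} when the store has nothing for the alias
     */
    private static Certificate[] lookupChain(KeyStore store, String alias) throws KeyStoreException {
        Certificate[] chain = store.getCertificateChain(alias);
        if (chain != null && chain.length != 0) {
            return chain;
        }
        Certificate single = store.getCertificate(alias);
        return single == null ? null : new Certificate[]{single};
    }

    /**
     * Finds the alias under which {@code certificate} is stored. Each store is first asked
     * directly and then scanned entry by entry; the private store is searched first, then the
     * trust stores, then cacerts.
     *
     * @return the alias, or {@code null} when no store contains the certificate
     * @throws WSSecurityException on key store access failure
     */
    public String getAliasForX509Cert(Certificate certificate) throws WSSecurityException {
        try {
            String alias = null;
            if (this.keystore != null) {
                alias = this.keystore.getCertificateAlias(certificate);
                if (alias == null) {
                    alias = findAliasForCert(this.keystore, certificate);
                }
            }
            if (alias == null && this.trustStores != null) {
                for (KeyStore trustStore : this.trustStores) {
                    alias = trustStore.getCertificateAlias(certificate);
                    if (alias != null) {
                        break;
                    }
                }
            }
            if (alias == null && this.trustStores != null) {
                for (KeyStore trustStore : this.trustStores) {
                    alias = findAliasForCert(trustStore, certificate);
                    if (alias != null) {
                        break;
                    }
                }
            }
            if (alias == null && this.cacerts != null) {
                alias = this.cacerts.getCertificateAlias(certificate);
                if (alias == null) {
                    alias = findAliasForCert(this.cacerts, certificate);
                }
            }
            return alias;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /**
     * Scans every entry of {@code store} for one whose certificate equals {@code certificate}.
     * Entries without a certificate (for example secret-key entries) are skipped.
     *
     * @return the matching alias, or {@code null}
     */
    private String findAliasForCert(KeyStore store, Certificate certificate) throws KeyStoreException {
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate stored = store.getCertificate(alias);
            if (stored != null && stored.equals(certificate)) {
                return alias;
            }
        }
        return null;
    }

    /**
     * Finds the alias of the first certificate whose issuer DN equals {@code issuer}, searching
     * the private store and then the trust stores.
     *
     * @return the alias, or {@code null} when nothing matches
     */
    public String getAliasForX509Cert(String issuer) throws WSSecurityException {
        return findAliasByIssuer(issuer, null, false);
    }

    /**
     * Finds the alias of the certificate with the given issuer DN and serial number, searching
     * the private store and then the trust stores.
     *
     * @return the alias, or {@code null} when nothing matches
     */
    public String getAliasForX509Cert(String issuer, BigInteger serialNumber) throws WSSecurityException {
        return findAliasByIssuer(issuer, serialNumber, true);
    }

    /** Runs the issuer/serial match over the private store and then each trust store in order. */
    private String findAliasByIssuer(String issuer, BigInteger serialNumber, boolean checkSerial)
            throws WSSecurityException {
        String alias = getAliasForX509Cert(issuer, serialNumber, checkSerial, this.keystore);
        if (alias == null) {
            for (KeyStore trustStore : this.trustStores) {
                alias = getAliasForX509Cert(issuer, serialNumber, checkSerial, trustStore);
                if (alias != null) {
                    break;
                }
            }
        }
        return alias;
    }

    /**
     * Finds the private-store alias whose leaf certificate carries the given SubjectKeyIdentifier.
     * Only the private key store is scanned; entries without a certificate are skipped.
     *
     * @return the alias, or {@code null} when no entry matches or no private store is configured
     * @throws WSSecurityException on key store access failure, or when an entry's SKI cannot be derived
     */
    public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException {
        if (this.keystore == null) {
            return null;
        }
        try {
            Enumeration<String> aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509Certificate[] certs = getCertificates(alias);
                if (certs == null || certs.length == 0) {
                    continue;
                }
                if (Arrays.equals(getSKIBytesFromCert(certs[0]), skiBytes)) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /** Returns the configured default alias ({@link #PROP_ID_DEFAULT_ALIAS}), possibly {@code null}. */
    public String getDefaultX509Alias() {
        return this.properties.getProperty(PROP_ID_DEFAULT_ALIAS);
    }

    /**
     * Returns the SubjectKeyIdentifier of {@code cert}: the value of the SKI extension for v3
     * certificates that carry one, otherwise the SHA-1 of the RSA public key as used by
     * WS-Security for older certificates.
     *
     * @throws WSSecurityException when the certificate has no SKI extension and its key is not
     *                             RSA, when the encoded data is too short, or when SHA-1 is unavailable
     */
    public byte[] getSKIBytesFromCert(X509Certificate cert) throws WSSecurityException {
        byte[] extensionValue = cert.getExtensionValue(SKI_OID);
        if (cert.getVersion() >= 3 && extensionValue != null) {
            // The extension value is an OCTET STRING wrapping the SKI OCTET STRING; the fixed
            // skip assumes both headers use short-form lengths, which holds for the usual 20-byte SKI.
            if (extensionValue.length < SKI_EXTENSION_HEADER_LENGTH) {
                throw new WSSecurityException(1, "noSKIHandling",
                        new Object[]{"Malformed SubjectKeyIdentifier extension"});
            }
            return Arrays.copyOfRange(extensionValue, SKI_EXTENSION_HEADER_LENGTH, extensionValue.length);
        }
        PublicKey publicKey = cert.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new WSSecurityException(1, "noSKIHandling", new Object[]{"Support for RSA key only"});
        }
        byte[] encoded = publicKey.getEncoded();
        // NOTE(review): the fixed 22-byte skip only lines up with the SubjectPublicKeyInfo header
        // for key sizes whose DER lengths are two bytes long (e.g. 1024-bit RSA); larger keys are
        // sliced slightly differently. Kept unchanged because peers must derive the same value.
        if (encoded == null || encoded.length < RSA_SPKI_HEADER_LENGTH) {
            throw new WSSecurityException(1, "noSKIHandling",
                    new Object[]{"Encoded public key too short for SKI derivation"});
        }
        byte[] keyBytes = Arrays.copyOfRange(encoded, RSA_SPKI_HEADER_LENGTH, encoded.length);
        try {
            return MessageDigest.getInstance("SHA-1").digest(keyBytes);
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(1, "noSKIHandling",
                    new Object[]{"Wrong certificate version (<3) and no SHA1 message digest availabe"});
        }
    }

    /**
     * Finds the private-store alias whose leaf certificate has the given SHA-1 thumbprint
     * (the WS-Security ThumbprintSHA1 reference). Only the private key store is scanned;
     * entries without a certificate are skipped.
     *
     * @return the alias, or {@code null} when no entry matches or no private store is configured
     * @throws WSSecurityException when SHA-1 is unavailable, a certificate cannot be encoded,
     *                             or the key store cannot be read
     */
    public String getAliasForX509CertThumb(byte[] thumbprint) throws WSSecurityException {
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(0, "noSHA1availabe");
        }
        if (this.keystore == null) {
            return null;
        }
        try {
            Enumeration<String> aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509Certificate[] certs = getCertificates(alias);
                if (certs == null || certs.length == 0) {
                    continue;
                }
                byte[] encoded;
                try {
                    encoded = certs[0].getEncoded();
                } catch (CertificateEncodingException e) {
                    throw new WSSecurityException(7, "encodeError");
                }
                sha1.reset();
                if (Arrays.equals(sha1.digest(encoded), thumbprint)) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /** Returns the private key store, or {@code null} when none is configured. */
    public KeyStore getKeyStore() {
        return this.keystore;
    }

    /**
     * Returns the shared X.509 certificate factory, creating it on first use from this instance's
     * {@link #PROP_ID_CERT_PROVIDER}. The cache is static and unsynchronized: concurrent first
     * callers may each build a factory, which is harmless, but the provider of the first caller wins.
     *
     * @throws WSSecurityException when the provider is unknown or X.509 is unsupported
     */
    public CertificateFactory getCertificateFactory() throws WSSecurityException {
        if (certFact == null) {
            try {
                String provider = this.properties.getProperty(PROP_ID_CERT_PROVIDER);
                if (provider == null || provider.length() == 0) {
                    certFact = CertificateFactory.getInstance("X.509");
                } else {
                    certFact = CertificateFactory.getInstance("X.509", provider);
                }
            } catch (NoSuchProviderException e) {
                throw new WSSecurityException(7, "noSecProvider");
            } catch (CertificateException e) {
                throw new WSSecurityException(7, "unsupportedCertType");
            }
        }
        return certFact;
    }

    /**
     * Validates the chain against the private store, then each trust store, then cacerts.
     *
     * @return {@code true} when some store anchors the chain
     * @throws WSSecurityException when validation against a store fails (see the private overload)
     */
    public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
        boolean valid = this.keystore != null && validateCertPath(this.keystore, certs);
        if (!valid) {
            for (KeyStore trustStore : this.trustStores) {
                valid = validateCertPath(trustStore, certs);
                if (valid) {
                    break;
                }
            }
        }
        if (!valid && this.cacerts != null) {
            valid = validateCertPath(this.cacerts, certs);
        }
        return valid;
    }

    /**
     * Returns the private-store aliases whose leaf certificate subject DN equals {@code subjectDN}
     * (compared as sorted RDN token lists). Entries without a certificate are skipped.
     *
     * @return matching aliases, possibly empty; never {@code null}
     * @throws WSSecurityException on key store access failure
     */
    public String[] getAliasesForDN(String subjectDN) throws WSSecurityException {
        List<String> matches = new ArrayList<>();
        List<String> wantedRdns = splitAndTrim(subjectDN);
        try {
            Enumeration<String> aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509Certificate[] certs = getCertificates(alias);
                if (certs == null || certs.length == 0) {
                    continue;
                }
                if (wantedRdns.equals(splitAndTrim(certs[0].getSubjectDN().getName()))) {
                    matches.add(alias);
                }
            }
            return matches.toArray(new String[0]);
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /**
     * Scans {@code store} for the first entry whose leaf certificate has issuer {@code issuer}
     * and, when {@code checkSerial} is set, serial number {@code serialNumber}.
     *
     * <p>Leaf certificates are resolved through {@link #getCertificates(String)}, which consults
     * the private store before {@code store}; an alias present in both resolves to the private
     * store's entry.
     *
     * @return the alias, or {@code null} when nothing matches or {@code store} is {@code null}
     */
    private String getAliasForX509Cert(String issuer, BigInteger serialNumber, boolean checkSerial, KeyStore store)
            throws WSSecurityException {
        if (store == null) {
            return null;
        }
        List<String> wantedRdns = splitAndTrim(issuer);
        try {
            Enumeration<String> aliases = store.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509Certificate[] certs = getCertificates(alias);
                if (certs == null || certs.length == 0) {
                    continue;
                }
                X509Certificate leaf = certs[0];
                boolean serialMatches = !checkSerial || leaf.getSerialNumber().compareTo(serialNumber) == 0;
                if (serialMatches && splitAndTrim(leaf.getIssuerDN().getName()).equals(wantedRdns)) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(0, "keystore");
        }
    }

    /** Splits a DN into its RDN tokens and sorts them, so DNs compare independent of RDN order. */
    private List<String> splitAndTrim(String dn) {
        X509NameTokenizer tokenizer = new X509NameTokenizer(dn);
        List<String> tokens = new ArrayList<>();
        while (tokenizer.hasMoreTokens()) {
            tokens.add(tokenizer.nextToken());
        }
        Collections.sort(tokens);
        return tokens;
    }

    /**
     * Runs PKIX path validation of {@code certs} with {@code store} as the trust anchors.
     * Revocation checking is explicitly disabled, so a revoked but otherwise valid chain passes.
     *
     * @return {@code true} when validation succeeds (a failure is reported by exception, not by {@code false})
     * @throws WSSecurityException wrapping any validation or setup failure, cause preserved
     */
    private boolean validateCertPath(KeyStore store, Certificate[] certs) throws WSSecurityException {
        try {
            CertPath certPath = getCertificateFactory().generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(store);
            params.setRevocationEnabled(false);
            String provider = this.properties.getProperty(PROP_ID_MERLIN_CERT_PROVIDER);
            CertPathValidator validator = (provider == null || provider.length() == 0)
                    ? CertPathValidator.getInstance("PKIX")
                    : CertPathValidator.getInstance("PKIX", provider);
            validator.validate(certPath, params);
            return true;
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException
                | NoSuchProviderException | CertPathValidatorException | CertificateException e) {
            throw new WSSecurityException(0, "certpath", new Object[]{e.getMessage()}, e);
        }
    }
}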
