package org.hyperledger.fabric.sdk.security;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.io.FileUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERSequenceGenerator;
import org.bouncycastle.asn1.nist.NISTNamedCurves;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.digests.SHA3Digest;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
import org.bouncycastle.crypto.signers.ECDSASigner;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.hyperledger.fabric.sdk.exception.CryptoException;
import org.hyperledger.fabric.sdk.exception.InvalidArgumentException;
import org.hyperledger.fabric.sdk.helper.Config;
import org.hyperledger.fabric.sdk.helper.Utils;

/* loaded from: input_file:org/hyperledger/fabric/sdk/security/CryptoPrimitives.class */
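/**
 * {@link CryptoSuite} implementation backed by BouncyCastle: ECDSA key generation and signing over the
 * NIST P-256 / P-384 curves, SHA-2 or SHA-3 message digests, and X.509 certificate validation against an
 * in-memory trust store.
 *
 * <p>{@link #init()} (or {@link #setProperties(Properties)}) must run before {@link #keyGen()} or
 * {@link #sign(PrivateKey, byte[])}: both depend on {@link #curveName}, which is only assigned by
 * {@link #setSecurityLevel(int)} from {@link #resetConfiguration()}.
 *
 * <p>Certificate validation deliberately runs with revocation checking disabled
 * (see {@link #validateCertificate(Certificate)}); callers that need CRL/OCSP checks must perform them
 * separately.
 */
public class CryptoPrimitives implements CryptoSuite {
    private static final Log logger = LogFactory.getLog(CryptoPrimitives.class);

    private final Config config = Config.getConfig();
    /** JCA provider name under which BouncyCastle is registered by the constructor. */
    private final String SECURITY_PROVIDER = "BC";
    /** Hash family, "SHA2" or "SHA3"; validated by {@link #setHashAlgorithm(String)}. */
    private String hashAlgorithm = this.config.getHashAlgorithm();
    /** EC security level, 256 or 384; validated by {@link #setSecurityLevel(int)}. */
    private int securityLevel = this.config.getSecurityLevel();
    /** Certificate type passed to {@link CertificateFactory#getInstance(String)}. */
    private String CERTIFICATE_FORMAT = this.config.getCertificateFormat();
    /** Exposed through {@link #getProperties()}/{@link #setProperties(Properties)}; not otherwise read here. */
    private String DEFAULT_SIGNATURE_ALGORITHM = this.config.getSignatureAlgorithm();
    /** Named curve derived from {@link #securityLevel}; null until {@link #setSecurityLevel(int)} runs. */
    private String curveName;
    /** Factory for {@link #CERTIFICATE_FORMAT}; assigned by {@link #resetConfiguration()} or lazily by {@link #certificateFactory()}. */
    private CertificateFactory cf;
    /** Trust anchors for {@link #validateCertificate(Certificate)}; created lazily by {@link #getTrustStore()}. */
    private KeyStore trustStore = null;

    /**
     * Registers the BouncyCastle provider. {@link Security#addProvider(java.security.Provider)} returns -1
     * and leaves the provider list untouched when it is already installed, so repeated construction is safe.
     */
    public CryptoPrimitives() {
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Returns the {@link CertificateFactory} for {@link #CERTIFICATE_FORMAT}, creating it on first use when
     * {@link #init()} has not been called yet (the original code dereferenced a null {@code cf} in that case).
     *
     * @throws CertificateException if no factory exists for the configured format
     */
    private CertificateFactory certificateFactory() throws CertificateException {
        if (this.cf == null) {
            this.cf = CertificateFactory.getInstance(this.CERTIFICATE_FORMAT);
        }
        return this.cf;
    }

    /**
     * Parses one encoded certificate. {@link ByteArrayInputStream} supports mark/reset, so no extra
     * buffering layer is needed in front of {@link CertificateFactory#generateCertificate}.
     *
     * @param encoded certificate bytes (not null)
     * @throws CertificateException on parse failure
     */
    private Certificate parseCertificate(byte[] encoded) throws CertificateException {
        return certificateFactory().generateCertificate(new ByteArrayInputStream(encoded));
    }

    /**
     * Converts encoded certificate bytes into a {@link Certificate}.
     *
     * @param bArr certificate bytes in the configured {@link #CERTIFICATE_FORMAT}
     * @return the parsed certificate
     * @throws CryptoException if the input is null/empty or cannot be parsed
     */
    public Certificate bytesToCertificate(byte[] bArr) throws CryptoException {
        if (bArr == null || bArr.length == 0) {
            throw new CryptoException("bytesToCertificate: input null or zero length");
        }
        try {
            return parseCertificate(bArr);
        } catch (CertificateException e) {
            String str = "Unable to converts byte array to certificate. error : " + e.getMessage();
            logger.error(str);
            logger.debug("input bytes array :" + new String(bArr, StandardCharsets.UTF_8));
            throw new CryptoException(str, e);
        }
    }

    /**
     * Verifies {@code signature} over {@code plainText} with the public key in {@code pemCertificate}.
     * The certificate is first validated against the trust store ({@link #validateCertificate(Certificate)});
     * an untrusted certificate yields {@code false} without the signature being checked.
     *
     * @param pemCertificate     signer certificate bytes
     * @param signatureAlgorithm JCA signature algorithm name, e.g. "SHA256withECDSA"
     * @param signature          signature bytes to verify
     * @param plainText          data that was signed
     * @return {@code true} only when the certificate is trusted and the signature verifies; {@code false}
     *         when any byte-array argument is null or the check fails
     * @throws CryptoException if the algorithm name is missing/unknown, the certificate is unparsable or the
     *                         key is unusable
     */
    @Override
    public boolean verify(byte[] pemCertificate, String signatureAlgorithm, byte[] signature, byte[] plainText) throws CryptoException {
        if (pemCertificate == null || signature == null || plainText == null) {
            return false;
        }
        if (Utils.isNullOrEmpty(signatureAlgorithm)) {
            // Signature.getInstance(null) would surface as a NullPointerException; report it as a CryptoException.
            throw new CryptoException("Cannot verify. Signature algorithm must be specified.");
        }
        if (this.config.extraLogLevel(10)) {
            logger.trace("plaintext in hex: " + DatatypeConverter.printHexBinary(plainText));
            logger.trace("signature in hex: " + DatatypeConverter.printHexBinary(signature));
            logger.trace("PEM cert in hex: " + DatatypeConverter.printHexBinary(pemCertificate));
        }
        try {
            X509Certificate certificate = (X509Certificate) parseCertificate(pemCertificate);
            if (!validateCertificate(certificate)) {
                return false;
            }
            Signature verifier = Signature.getInstance(signatureAlgorithm);
            verifier.initVerify(certificate);
            verifier.update(plainText);
            return verifier.verify(signature);
        } catch (InvalidKeyException | CertificateException e) {
            CryptoException cryptoException = new CryptoException("Cannot verify signature. Error is: " + e.getMessage() + "\r\nCertificate: " + DatatypeConverter.printHexBinary(pemCertificate), e);
            logger.error(cryptoException.getMessage(), cryptoException);
            throw cryptoException;
        } catch (NoSuchAlgorithmException | SignatureException e2) {
            CryptoException cryptoException2 = new CryptoException("Cannot verify. Signature algorithm is invalid. Error is: " + e2.getMessage(), e2);
            logger.error(cryptoException2.getMessage(), cryptoException2);
            throw cryptoException2;
        }
    }

    /**
     * Creates an empty in-memory {@link KeyStore} of the JVM default type and installs it as the trust store.
     *
     * @throws CryptoException if the key store cannot be created or initialised
     */
    private void createTrustStore() throws CryptoException {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null); // null stream: start from an empty store
            setTrustStore(keyStore);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | InvalidArgumentException e) {
            throw new CryptoException("Cannot create trust store. Error: " + e.getMessage(), e);
        }
    }

    /**
     * Replaces the trust store used for certificate validation.
     *
     * @param keyStore the new trust store
     * @throws InvalidArgumentException if {@code keyStore} is null
     */
    void setTrustStore(KeyStore keyStore) throws InvalidArgumentException {
        if (keyStore == null) {
            throw new InvalidArgumentException("Need to specify a java.security.KeyStore input parameter");
        }
        this.trustStore = keyStore;
    }

    /**
     * Returns the trust store, creating an empty one on first access.
     *
     * @throws CryptoException if the store cannot be created
     */
    public KeyStore getTrustStore() throws CryptoException {
        if (this.trustStore == null) {
            createTrustStore();
        }
        return this.trustStore;
    }

    /**
     * Reads a certificate file and adds it to the trust store under {@code alias}.
     *
     * @param file  certificate file in the configured {@link #CERTIFICATE_FORMAT}
     * @param alias key-store alias for the entry
     * @throws InvalidArgumentException if {@code file} is null or {@code alias} is null/empty
     * @throws CryptoException          if the file cannot be read or parsed, or the store rejects the entry
     */
    public void addCACertificateToTrustStore(File file, String alias) throws CryptoException, InvalidArgumentException {
        if (file == null) {
            throw new InvalidArgumentException("The certificate cannot be null");
        }
        if (alias == null || alias.isEmpty()) {
            throw new InvalidArgumentException("You must assign an alias to a certificate when adding to the trust store");
        }
        try {
            addCACertificateToTrustStore(parseCertificate(FileUtils.readFileToByteArray(file)), alias);
        } catch (IOException | CertificateException e) {
            throw new CryptoException("Unable to add CA certificate to trust store. Error: " + e.getMessage(), e);
        }
    }

    /**
     * Adds {@code certificate} to the trust store under {@code alias}. An existing entry with the same alias
     * is replaced by {@link KeyStore#setCertificateEntry}.
     *
     * @throws InvalidArgumentException if either argument is null or the alias is empty
     * @throws CryptoException          if the key store rejects the entry
     */
    void addCACertificateToTrustStore(Certificate certificate, String alias) throws InvalidArgumentException, CryptoException {
        if (alias == null || alias.isEmpty()) {
            throw new InvalidArgumentException("You must assign an alias to a certificate when adding to the trust store.");
        }
        if (certificate == null) {
            throw new InvalidArgumentException("Certificate cannot be null.");
        }
        try {
            if (this.config.extraLogLevel(10)) {
                logger.trace("Adding cert to trust store. alias:  " + alias + "cert: " + certificate.toString());
            }
            getTrustStore().setCertificateEntry(alias, certificate);
        } catch (KeyStoreException e) {
            String message = "Unable to add CA certificate to trust store. Error: " + e.getMessage();
            logger.error(message, e);
            throw new CryptoException(message, e);
        }
    }

    /**
     * Adds every certificate in {@code collection} to the trust store. The alias is the certificate's
     * {@code hashCode()}; two certificates with colliding hash codes would therefore overwrite each other
     * in the store.
     *
     * @throws CryptoException if the collection is null/empty or an entry cannot be added
     */
    @Override
    public void loadCACertificates(Collection<Certificate> collection) throws CryptoException {
        if (collection == null || collection.isEmpty()) {
            throw new CryptoException("Unable to load CA certificates. List is empty");
        }
        try {
            for (Certificate certificate : collection) {
                addCACertificateToTrustStore(certificate, Integer.toString(certificate.hashCode()));
            }
        } catch (InvalidArgumentException e) {
            throw new CryptoException("Unable to add certificate to trust store. Error: " + e.getMessage(), e);
        }
    }

    /**
     * Parses each byte array with {@link #bytesToCertificate(byte[])} and loads the results via
     * {@link #loadCACertificates(Collection)}.
     *
     * @throws CryptoException if the collection is null/empty, contains a null entry, or an element fails to parse
     */
    @Override
    public void loadCACertificatesAsBytes(Collection<byte[]> collection) throws CryptoException {
        if (collection == null || collection.isEmpty()) {
            throw new CryptoException("List of CA certificates is empty. Nothing to load.");
        }
        List<Certificate> certificates = new ArrayList<>(collection.size());
        for (byte[] certBytes : collection) {
            if (certBytes == null) {
                throw new CryptoException("List of CA certificates contains a null entry.");
            }
            logger.trace("certificate to load:\n" + new String(certBytes, StandardCharsets.UTF_8));
            certificates.add(bytesToCertificate(certBytes));
        }
        loadCACertificates(certificates);
    }

    /**
     * Parses {@code bArr} and validates it with {@link #validateCertificate(Certificate)}.
     *
     * @return {@code false} for null input, unparsable bytes, or a certificate that does not validate
     */
    boolean validateCertificate(byte[] bArr) {
        if (bArr == null) {
            return false;
        }
        try {
            return validateCertificate(parseCertificate(bArr));
        } catch (CertificateException e) {
            logger.error("Cannot validate certificate. Error is: " + e.getMessage() + "\r\nCertificate (PEM, hex): " + DatatypeConverter.printHexBinary(bArr));
            return false;
        }
    }

    /**
     * Validates a single-certificate path against the trust anchors in {@link #getTrustStore()} using the
     * default {@link CertPathValidator}. Revocation checking is disabled, so revoked-but-otherwise-valid
     * certificates are accepted.
     *
     * @return {@code true} if the certificate chains to a trust anchor; {@code false} for null input or any
     *         validation error (which is logged)
     */
    boolean validateCertificate(Certificate certificate) {
        if (certificate == null) {
            return false;
        }
        try {
            PKIXParameters pkixParameters = new PKIXParameters(getTrustStore());
            pkixParameters.setRevocationEnabled(false);
            CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
            List<Certificate> path = new ArrayList<>(1);
            path.add(certificate);
            validator.validate(certificateFactory().generateCertPath(path), pkixParameters);
            return true;
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertPathValidatorException | CertificateException | CryptoException e) {
            logger.error("Cannot validate certificate. Error is: " + e.getMessage() + "\r\nCertificate" + certificate.toString());
            return false;
        }
    }

    /**
     * Sets the EC security level and the matching named curve.
     *
     * <p>The original implementation validated the argument but then inspected the unchanged field
     * {@code this.securityLevel} and never stored the new value, so a direct call had no effect. It also
     * used the SEC name "secp384r1", which {@link NISTNamedCurves#getByName(String)} (used by
     * {@link #ecdsaSignToBytes}) does not resolve; the NIST alias "P-384" names the same curve.
     *
     * @param level 256 or 384
     * @throws InvalidArgumentException for any other value
     */
    void setSecurityLevel(int level) throws InvalidArgumentException {
        if (level != 256 && level != 384) {
            throw new InvalidArgumentException("Illegal level: " + level + " must be either 256 or 384");
        }
        this.securityLevel = level;
        this.curveName = level == 256 ? "P-256" : "P-384";
    }

    /**
     * Sets the hash family.
     *
     * @param algorithm "SHA2" or "SHA3" (case-insensitive)
     * @throws InvalidArgumentException for null, empty or any other value
     */
    void setHashAlgorithm(String algorithm) throws InvalidArgumentException {
        if (Utils.isNullOrEmpty(algorithm) || !(algorithm.equalsIgnoreCase("SHA2") || algorithm.equalsIgnoreCase("SHA3"))) {
            // Report the rejected argument, not the previously configured value.
            throw new InvalidArgumentException("Illegal Hash function family: " + algorithm + " - must be either SHA2 or SHA3");
        }
        this.hashAlgorithm = algorithm;
    }

    /**
     * Generates an ECDSA key pair on the configured curve.
     *
     * @throws CryptoException if the curve is not configured yet or generation fails
     */
    @Override
    public KeyPair keyGen() throws CryptoException {
        return ecdsaKeyGen();
    }

    private KeyPair ecdsaKeyGen() throws CryptoException {
        return generateKey("ECDSA", this.curveName);
    }

    /**
     * Generates a key pair with the BouncyCastle provider.
     *
     * @param algorithm JCA key-pair algorithm, e.g. "ECDSA"
     * @param curve     named curve for {@link ECGenParameterSpec}
     * @throws CryptoException if {@code curve} is null/empty (i.e. {@link #init()} has not run) or the
     *                         provider rejects the algorithm or parameters
     */
    private KeyPair generateKey(String algorithm, String curve) throws CryptoException {
        if (Utils.isNullOrEmpty(curve)) {
            throw new CryptoException("Unable to generate key pair: no curve configured; call init() or setProperties() first");
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm, this.SECURITY_PROVIDER);
            generator.initialize(new ECGenParameterSpec(curve), new SecureRandom());
            return generator.generateKeyPair();
        } catch (GeneralSecurityException e) {
            throw new CryptoException("Unable to generate key pair", e);
        }
    }

    /**
     * Hashes {@code data} with {@link #hash(byte[])}, signs the digest with ECDSA over the configured curve,
     * normalises the signature to low-s ({@link #preventMalleability}) and DER-encodes it as
     * {@code SEQUENCE { INTEGER r, INTEGER s }}.
     *
     * <p>Note the domain parameters come from {@link #curveName}, not from the key itself; a key generated on
     * a different curve than the one currently configured would produce an unusable signature rather than an
     * error.
     *
     * @throws CryptoException if either argument is null, the curve is unknown/unconfigured, or signing fails
     */
    private byte[] ecdsaSignToBytes(ECPrivateKey privateKey, byte[] data) throws CryptoException {
        if (privateKey == null || data == null) {
            throw new CryptoException("Could not sign the message: private key and data must not be null");
        }
        X9ECParameters curveParams = this.curveName == null ? null : NISTNamedCurves.getByName(this.curveName);
        if (curveParams == null) {
            throw new CryptoException("Could not sign the message: unknown or unconfigured curve " + this.curveName);
        }
        try {
            byte[] digest = hash(data);
            BigInteger order = curveParams.getN();
            ECDomainParameters domain = new ECDomainParameters(curveParams.getCurve(), curveParams.getG(), order, curveParams.getH());
            ECDSASigner signer = new ECDSASigner();
            signer.init(true, new ECPrivateKeyParameters(privateKey.getS(), domain));
            BigInteger[] rs = preventMalleability(signer.generateSignature(digest), order);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            DERSequenceGenerator sequence = new DERSequenceGenerator(out);
            sequence.addObject(new ASN1Integer(rs[0]));
            sequence.addObject(new ASN1Integer(rs[1]));
            sequence.close(); // completes the SEQUENCE; must precede toByteArray()
            return out.toByteArray();
        } catch (IOException | RuntimeException e) {
            throw new CryptoException("Could not sign the message using private key", e);
        }
    }

    /**
     * Signs {@code data} with an EC private key; see {@link #ecdsaSignToBytes(ECPrivateKey, byte[])}.
     *
     * @throws CryptoException if {@code privateKey} is not an {@link ECPrivateKey} or signing fails
     */
    @Override
    public byte[] sign(PrivateKey privateKey, byte[] data) throws CryptoException {
        if (!(privateKey instanceof ECPrivateKey)) {
            // The original cast threw an unchecked ClassCastException for non-EC keys.
            throw new CryptoException("Could not sign: private key must be an ECPrivateKey, got "
                    + (privateKey == null ? "null" : privateKey.getClass().getName()));
        }
        return ecdsaSignToBytes((ECPrivateKey) privateKey, data);
    }

    /**
     * Low-s normalisation: if {@code s > order/2}, replaces {@code s} with {@code order - s} in place, so
     * that both valid encodings of the same ECDSA signature collapse to one canonical form.
     *
     * @param sig   {@code [r, s]}; element 1 may be modified
     * @param order the curve order n
     * @return the same array
     */
    private BigInteger[] preventMalleability(BigInteger[] sig, BigInteger order) {
        BigInteger halfOrder = order.divide(BigInteger.valueOf(2L));
        BigInteger s = sig[1];
        if (s.compareTo(halfOrder) > 0) {
            sig[1] = order.subtract(s);
        }
        return sig;
    }

    /**
     * Builds a PKCS#10 request for {@code CN=<subject>} signed with SHA256withECDSA.
     *
     * <p>{@code subject} is concatenated into the DN string without escaping, so commas, '+', '=' or other
     * RFC 2253 special characters in it are interpreted as DN structure rather than as literal name text;
     * callers should validate or escape user-supplied subjects.
     *
     * @throws OperatorCreationException if the content signer cannot be built
     */
    public PKCS10CertificationRequest generateCertificationRequest(String subject, KeyPair keyPair) throws OperatorCreationException {
        return new JcaPKCS10CertificationRequestBuilder(new X500Principal("CN=" + subject), keyPair.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.getPrivate()));
    }

    /**
     * Encodes a PKCS#10 request as a "CERTIFICATE REQUEST" PEM block.
     *
     * @throws IOException if encoding or writing fails
     */
    public String certificationRequestToPEM(PKCS10CertificationRequest csr) throws IOException {
        PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
        StringWriter stringWriter = new StringWriter();
        // try-with-resources closes (and flushes) the writer even when writeObject throws.
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
            pemWriter.writeObject(pemObject);
        }
        return stringWriter.toString();
    }

    /**
     * Digests {@code bArr} with the configured hash family ({@link #getHashDigest()}).
     *
     * @throws NullPointerException if {@code bArr} is null
     */
    @Override
    public byte[] hash(byte[] bArr) {
        Objects.requireNonNull(bArr, "bArr");
        Digest hashDigest = getHashDigest();
        byte[] out = new byte[hashDigest.getDigestSize()];
        hashDigest.update(bArr, 0, bArr.length);
        hashDigest.doFinal(out, 0);
        return out;
    }

    /** Applies the current configuration; see {@link #resetConfiguration()}. */
    @Override
    public void init() throws CryptoException, InvalidArgumentException {
        resetConfiguration();
    }

    /** A fresh {@link SHA3Digest} for "SHA3", otherwise a fresh {@link SHA256Digest}. */
    private Digest getHashDigest() {
        return this.hashAlgorithm.equalsIgnoreCase("SHA3") ? new SHA3Digest() : new SHA256Digest();
    }

    /**
     * Re-validates {@link #securityLevel} and {@link #hashAlgorithm} through their setters (which also
     * derives {@link #curveName}) and creates the certificate factory for {@link #CERTIFICATE_FORMAT}.
     *
     * @throws InvalidArgumentException if the level or hash family is invalid
     * @throws CryptoException          if no certificate factory exists for the format
     */
    private void resetConfiguration() throws CryptoException, InvalidArgumentException {
        setSecurityLevel(this.securityLevel);
        setHashAlgorithm(this.hashAlgorithm);
        try {
            this.cf = CertificateFactory.getInstance(this.CERTIFICATE_FORMAT);
        } catch (CertificateException e) {
            CryptoException cryptoException = new CryptoException("Cannot initialize " + this.CERTIFICATE_FORMAT + " certificate factory. Error = " + e.getMessage(), e);
            logger.error(cryptoException.getMessage(), cryptoException);
            throw cryptoException;
        }
    }

    /**
     * Overrides configuration from {@code properties} (absent keys keep their current values) and then
     * re-applies it via {@link #resetConfiguration()}. A null argument is a no-op.
     *
     * <p>All values are read before any field is assigned, so a malformed security level leaves the
     * previous configuration intact.
     *
     * @throws InvalidArgumentException if the security level is not an integer, or validation fails
     * @throws CryptoException          if the certificate factory cannot be created
     */
    @Override
    public void setProperties(Properties properties) throws CryptoException, InvalidArgumentException {
        if (properties == null) {
            return;
        }
        String newHashAlgorithm = Optional.ofNullable(properties.getProperty("org.hyperledger.fabric.sdk.hash_algorithm")).orElse(this.hashAlgorithm);
        String newLevel = Optional.ofNullable(properties.getProperty("org.hyperledger.fabric.sdk.security_level")).orElse(Integer.toString(this.securityLevel));
        String newCertificateFormat = Optional.ofNullable(properties.getProperty("org.hyperledger.fabric.sdk.crypto.certificate_format")).orElse(this.CERTIFICATE_FORMAT);
        String newSignatureAlgorithm = Optional.ofNullable(properties.getProperty("org.hyperledger.fabric.sdk.crypto.default_signature_algorithm")).orElse(this.DEFAULT_SIGNATURE_ALGORITHM);
        int parsedLevel;
        try {
            parsedLevel = Integer.parseInt(newLevel);
        } catch (NumberFormatException e) {
            // Integer.parseInt would otherwise escape as an unchecked exception the caller does not expect.
            throw new InvalidArgumentException("Illegal level: " + newLevel + " must be either 256 or 384");
        }
        this.hashAlgorithm = newHashAlgorithm;
        this.securityLevel = parsedLevel;
        this.CERTIFICATE_FORMAT = newCertificateFormat;
        this.DEFAULT_SIGNATURE_ALGORITHM = newSignatureAlgorithm;
        resetConfiguration();
    }

    /** Snapshot of the current configuration under the same keys {@link #setProperties(Properties)} reads. */
    @Override
    public Properties getProperties() {
        Properties properties = new Properties();
        properties.setProperty("org.hyperledger.fabric.sdk.hash_algorithm", this.hashAlgorithm);
        properties.setProperty("org.hyperledger.fabric.sdk.security_level", Integer.toString(this.securityLevel));
        properties.setProperty("org.hyperledger.fabric.sdk.crypto.certificate_format", this.CERTIFICATE_FORMAT);
        properties.setProperty("org.hyperledger.fabric.sdk.crypto.default_signature_algorithm", this.DEFAULT_SIGNATURE_ALGORITHM);
        return properties;
    }

    /**
     * Extracts the DER content of the first PEM object in {@code pem}. This is best-effort: a null input,
     * an input without a PEM object, or a read error yields {@code null} (errors are logged).
     *
     * <p>Rewritten from decompiler output whose try-with-resources had been mangled into a form that could
     * dereference an unassigned reader.
     */
    public byte[] certificateToDER(String pem) {
        if (pem == null) {
            return null;
        }
        try (PemReader pemReader = new PemReader(new StringReader(pem))) {
            PemObject pemObject = pemReader.readPemObject();
            return pemObject == null ? null : pemObject.getContent();
        } catch (IOException e) {
            logger.error("Unable to read PEM object. Error: " + e.getMessage(), e);
            return null;
        }
    }
}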
