package org.apache.wss4j.common.crypto;

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.Loader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/wss4j/common/crypto/Merlin.class */
public class Merlin extends CryptoBase {
    /** Opening marker of an encrypted password value in the properties, i.e. {@code ENC(...)}. */
    public static final String ENCRYPTED_PASSWORD_PREFIX = "ENC(";
    /** Closing marker of an encrypted password value, see {@link #ENCRYPTED_PASSWORD_PREFIX}. */
    public static final String ENCRYPTED_PASSWORD_SUFFIX = ")";
    /** Property-key prefix; full keys are {@code PREFIX + name}, e.g. {@code PREFIX + KEYSTORE_PRIVATE_PASSWORD}. */
    public static final String PREFIX = "org.apache.wss4j.crypto.merlin.";
    /** Legacy property-key prefix, consulted after {@link #PREFIX} (see {@code getPrivateKey(String, String)}). */
    public static final String OLD_PREFIX = "org.apache.ws.security.crypto.merlin.";
    // NOTE(review): presumably the legacy name of the keystore-file property; confirm in loadProperties.
    public static final String OLD_KEYSTORE_FILE = "file";
    public static final String CRYPTO_KEYSTORE_PROVIDER = "keystore.provider";
    public static final String CRYPTO_CERT_PROVIDER = "cert.provider";
    public static final String CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS = "cert.provider.nameconstraints";
    public static final String KEYSTORE_FILE = "keystore.file";
    public static final String KEYSTORE_PASSWORD = "keystore.password";
    public static final String KEYSTORE_TYPE = "keystore.type";
    public static final String KEYSTORE_ALIAS = "keystore.alias";
    /** Password for private-key entries; read (and decrypted) when no password is passed to {@code getPrivateKey}. */
    public static final String KEYSTORE_PRIVATE_PASSWORD = "keystore.private.password";
    public static final String LOAD_CA_CERTS = "load.cacerts";
    public static final String TRUSTSTORE_FILE = "truststore.file";
    public static final String TRUSTSTORE_PASSWORD = "truststore.password";
    public static final String TRUSTSTORE_TYPE = "truststore.type";
    public static final String TRUSTSTORE_PROVIDER = "truststore.provider";
    public static final String X509_CRL_FILE = "x509crl.file";
    private static final Logger LOG = LoggerFactory.getLogger(Merlin.class);
    // Sampled once at class initialisation; a log level changed afterwards is not seen by the DO_DEBUG guards.
    private static final boolean DO_DEBUG = LOG.isDebugEnabled();
    private static final String COMMA_SEPARATOR = ",";
    // Configuration this instance was loaded from; consulted for the private-key password.
    protected Properties properties;
    // Holds the private keys handed out by getPrivateKey; searched before the truststore in every certificate lookup.
    protected KeyStore keystore;
    // Supplies the trust anchors for verifyTrust; searched after the keystore in certificate lookups.
    protected KeyStore truststore;
    // Optional CRL store, added to the PKIX parameters only when revocation checking is enabled.
    protected CertStore crlCertStore;
    // True once the JVM cacerts were loaded as the truststore; keystore entries then also serve as trust anchors.
    protected boolean loadCACerts;
    // True when a private-key password is configured; getPrivateKey(String, String) then falls back to it.
    protected boolean privatePasswordSet;
    // Handed to decryptPassword for the configured private-key password.
    protected PasswordEncryptor passwordEncryptor;
    // NOTE(review): presumably set from CRYPTO_CERT_PROVIDER_HANDLES_NAME_CONSTRAINTS in loadProperties (not decompiled here) — confirm.
    private boolean certProviderHandlesNameConstraints = false;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.wss4j.common.crypto.Merlin$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/wss4j/common/crypto/Merlin$1.class */
    // Decompiler rendering of the javac-generated switch map for the enum switch in
    // getX509Certificates(CryptoType): each CryptoType.TYPE ordinal is mapped to the
    // case label used there. The per-constant try/catch is the compiler idiom that
    // tolerates an enum constant missing at runtime (NoSuchFieldError): such a
    // constant simply keeps the default value 0 and matches no case.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE = new int[CryptoType.TYPE.values().length];

        static {
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.ISSUER_SERIAL.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.THUMBPRINT_SHA1.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.SKI_BYTES.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.SUBJECT_DN.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.ALIAS.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            // ENDPOINT is mapped but has no case in getX509Certificates(CryptoType), so it yields null there.
            try {
                $SwitchMap$org$apache$wss4j$common$crypto$CryptoType$TYPE[CryptoType.TYPE.ENDPOINT.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
        }
    }

    /**
     * Creates an unconfigured instance: keystore, truststore and CRL store stay
     * {@code null} until {@link #loadProperties} or the setters populate them.
     */
    public Merlin() {
        super();
    }

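    /**
     * Creates an instance whose truststore is the JVM's default CA bundle
     * ({@code $JAVA_HOME/lib/security/cacerts}) when {@code z} is {@code true}.
     *
     * <p>Loading is best effort: any failure (unreadable file, wrong password,
     * {@code null} password) is logged at WARN level and the instance is left
     * without a truststore, so trust anchors are later taken from the keystore
     * alone and a bad cacerts password surfaces as trust failures, not here.
     *
     * @param z   whether to load the JVM CA certificates as the truststore
     * @param str the integrity password of the cacerts file; a {@code null}
     *            value makes the load fail (and be logged), it does not skip
     *            the integrity check
     */
    public Merlin(boolean z, String str) {
        super();
        if (this.truststore != null || !z) {
            return;
        }
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
        // try-with-resources closes the stream on every path, including a failed load;
        // the hand-expanded form this replaces left it open when load() threw.
        try (InputStream cacerts = Files.newInputStream(Paths.get(cacertsPath))) {
            KeyStore loaded = KeyStore.getInstance(KeyStore.getDefaultType());
            // Load into a local first: a failure must not leave an uninitialized
            // KeyStore in the field, where every later truststore access would throw.
            loaded.load(cacerts, str.toCharArray());
            this.truststore = loaded;
            this.loadCACerts = true;
        } catch (Exception e) {
            LOG.warn("CA certs could not be loaded: " + e.getMessage());
        }
    }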

    /**
     * Creates an instance and immediately configures it from Merlin properties;
     * all work is delegated to {@link #loadProperties}.
     *
     * @param properties        the Merlin configuration (keys prefixed with {@link #PREFIX} or {@link #OLD_PREFIX})
     * @param classLoader       used to resolve classpath resources named in the properties
     * @param passwordEncryptor decrypts {@code ENC(...)} password values, may be {@code null}
     * @throws WSSecurityException if the configuration cannot be applied
     * @throws IOException         if a referenced resource cannot be read
     */
    public Merlin(Properties properties, ClassLoader classLoader, PasswordEncryptor passwordEncryptor) throws WSSecurityException, IOException {
        super();
        loadProperties(properties, classLoader, passwordEncryptor);
    }

    /* JADX WARN: Removed duplicated region for block: B:142:0x067e  */
    /* JADX WARN: Removed duplicated region for block: B:144:? A[RETURN, SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // Decompiler stub: JADX could not recover this method body (see the notes above).
    // As shown, the class therefore cannot be configured from properties at all —
    // every call, including the one from the Properties constructor, throws
    // UnsupportedOperationException. The real implementation is not on this page.
    // NOTE(review): the KEYSTORE_*/TRUSTSTORE_*/X509_CRL_FILE/LOAD_CA_CERTS constants
    // above are presumably the property names it reads — confirm against the source.
    public void loadProperties(java.util.Properties r8, java.lang.ClassLoader r9, org.apache.wss4j.common.crypto.PasswordEncryptor r10) throws org.apache.wss4j.common.ext.WSSecurityException, java.io.IOException {
        /*
            Method dump skipped, instructions count: 1696
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.wss4j.common.crypto.Merlin.loadProperties(java.util.Properties, java.lang.ClassLoader, org.apache.wss4j.common.crypto.PasswordEncryptor):void");
    }

    /**
     * Opens the resource named by {@code str}, trying three interpretations in order:
     * an absolute URL (so a {@code file:}/{@code http:} location in the configuration
     * is dereferenced as such), a classpath resource via {@code Loader}, and finally a
     * filesystem path. Because the first step honours any URL scheme, the value should
     * come from trusted configuration only.
     *
     * @param classLoader used for the classpath lookup, may be {@code null}
     * @param str         the location; {@code null} yields {@code null}
     * @return an open stream, or {@code null} when {@code str} is {@code null}
     * @throws WSSecurityException if the filesystem fallback fails ({@code proxyNotFound})
     * @throws IOException         if a resolved URL cannot be opened
     */
    public static InputStream loadInputStream(ClassLoader classLoader, String str) throws WSSecurityException, IOException {
        if (str == null) {
            return null;
        }
        URL location = null;
        try {
            location = new URL(str);
        } catch (MalformedURLException ignored) {
            // Not an absolute URL: fall through to the classpath lookup.
        }
        if (location == null) {
            location = Loader.getResource(classLoader, str);
        }
        InputStream stream = location != null ? location.openStream() : null;
        if (stream != null) {
            return stream;
        }
        try {
            return Files.newInputStream(Paths.get(str));
        } catch (Exception e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "proxyNotFound", new Object[]{str});
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
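    /**
     * Instantiates a {@link KeyStore} of the given type (optionally from a named
     * provider) and loads it from the stream.
     *
     * <p>An absent or empty store password is passed as an empty {@code char[]},
     * never as {@code null}: for the JDK store types a {@code null} password skips
     * the integrity (MAC) check, whereas an empty array still requests it. The
     * decompiled condition this replaces ({@code str != null || ...}) ignored every
     * non-empty password and dereferenced a {@code null} one; the second
     * {@code getInstance}/{@code load} pair also sat outside the {@code try}.
     *
     * @param inputStream the serialized store; {@code null} creates an empty store
     * @param str         the store password, may be {@code null} or empty
     * @param str2        the security provider name; {@code null} or empty selects the default provider
     * @param str3        the keystore type, e.g. {@code JKS} or {@code PKCS12}
     * @return the loaded keystore
     * @throws WSSecurityException on any I/O or security failure ({@code failedCredentialLoad});
     *         the cause is attached and, with debug logging on, logged
     */
    public KeyStore load(InputStream inputStream, String str, String str2, String str3) throws WSSecurityException {
        try {
            KeyStore keyStore = (str2 == null || str2.isEmpty())
                ? KeyStore.getInstance(str3)
                : KeyStore.getInstance(str3, str2);
            char[] storePassword = (str == null || str.isEmpty()) ? new char[0] : str.toCharArray();
            keyStore.load(inputStream, storePassword);
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            if (DO_DEBUG) {
                LOG.debug(e.getMessage(), e);
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "failedCredentialLoad");
        }
    }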

    /**
     * Returns the keystore holding the private keys, or {@code null} if none was set.
     *
     * @return the keystore, possibly {@code null}
     */
    public KeyStore getKeyStore() {
        return keystore;
    }

    /**
     * Replaces the keystore used for private-key and certificate lookups.
     *
     * @param keyStore the new keystore, may be {@code null}
     */
    public void setKeyStore(KeyStore keyStore) {
        keystore = keyStore;
    }

    /**
     * Returns the truststore supplying trust anchors, or {@code null} if none was set.
     *
     * @return the truststore, possibly {@code null}
     */
    public KeyStore getTrustStore() {
        return truststore;
    }

    /**
     * Replaces the truststore; its entries become the trust anchors for {@code verifyTrust}.
     *
     * @param keyStore the new truststore, may be {@code null}
     */
    public void setTrustStore(KeyStore keyStore) {
        truststore = keyStore;
    }

    /**
     * Sets the CRL store consulted by PKIX validation when revocation checking is enabled.
     *
     * @param certStore the CRL store, may be {@code null}
     */
    public void setCRLCertStore(CertStore certStore) {
        crlCertStore = certStore;
    }

    /**
     * Returns the configured CRL store, or {@code null} if none was set.
     *
     * @return the CRL store, possibly {@code null}
     */
    public CertStore getCRLCertStore() {
        return crlCertStore;
    }

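    /**
     * Returns the X.509 {@link CertificateFactory}, creating and caching it on first use.
     *
     * <p>Provider selection: an explicitly configured crypto provider
     * ({@code getCryptoProvider()}) is mandatory — a failure there is an error.
     * Otherwise the keystore's provider is tried first ({@code SunJSSE} is mapped to
     * {@code SUN}) and, if that fails for any reason, the JVM default factory is used.
     * The decompiled form this replaces called the default-provider
     * {@code getInstance} outside the {@code try}, leaving its checked
     * {@link CertificateException} unhandled.
     *
     * @return the cached factory
     * @throws WSSecurityException if the configured provider is unknown ({@code noSecProvider})
     *         or does not support X.509 ({@code unsupportedCertType})
     */
    @Override
    public CertificateFactory getCertificateFactory() throws WSSecurityException {
        if (this.certificateFactory != null) {
            return this.certificateFactory;
        }
        String cryptoProvider = getCryptoProvider();
        String keystoreProvider = this.keystore != null ? this.keystore.getProvider().getName() : null;
        try {
            if (cryptoProvider != null && !cryptoProvider.isEmpty()) {
                this.certificateFactory = CertificateFactory.getInstance("X.509", cryptoProvider);
            } else {
                if (keystoreProvider != null && !keystoreProvider.isEmpty()) {
                    try {
                        this.certificateFactory = CertificateFactory.getInstance("X.509", mapKeystoreProviderToCertProvider(keystoreProvider));
                    } catch (Exception e) {
                        // Deliberate best effort: any problem with the keystore's provider falls back to the default.
                        LOG.debug("The keystore provider '" + keystoreProvider + "' does not support X.509 because \"" + e.getMessage() + "\". The JVM default provider will be tried out next", e);
                    }
                }
                if (this.certificateFactory == null) {
                    this.certificateFactory = CertificateFactory.getInstance("X.509");
                }
            }
        } catch (NoSuchProviderException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "noSecProvider");
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "unsupportedCertType");
        }
        return this.certificateFactory;
    }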

    /**
     * Maps a keystore provider name to the provider that offers its X.509 factory:
     * {@code SunJSSE} keystores are served by the {@code SUN} certificate provider;
     * every other name (including {@code null}) is returned unchanged.
     *
     * @param str the keystore provider name, may be {@code null}
     * @return the certificate provider name to use
     */
    private String mapKeystoreProviderToCertProvider(String str) {
        if ("SunJSSE".equals(str)) {
            return "SUN";
        }
        return str;
    }

    /**
     * Returns the alias to use when the caller does not name one.
     *
     * <p>An explicitly configured default (from {@code CryptoBase}) wins. Otherwise,
     * if the keystore holds exactly one alias, that alias is adopted and cached via
     * {@code setDefaultX509Identifier}; with no keystore, no aliases, or more than
     * one alias the result is {@code null}.
     *
     * @return the default alias, or {@code null} if none can be determined
     * @throws WSSecurityException if the keystore cannot be enumerated ({@code keystore})
     */
    @Override
    public String getDefaultX509Identifier() throws WSSecurityException {
        String configured = super.getDefaultX509Identifier();
        if (configured != null) {
            return configured;
        }
        if (this.keystore == null) {
            return null;
        }
        try {
            Enumeration<String> aliases = this.keystore.aliases();
            if (!aliases.hasMoreElements()) {
                return null;
            }
            String candidate = aliases.nextElement();
            // Only an unambiguous, single-entry keystore yields a default.
            boolean ambiguous = aliases.hasMoreElements();
            if (ambiguous) {
                return null;
            }
            setDefaultX509Identifier(candidate);
            return candidate;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Looks up a certificate chain by the reference type carried in {@code cryptoType}
     * (issuer/serial, SHA-1 thumbprint, subject key identifier, subject DN or alias).
     * Each lookup searches the keystore before the truststore.
     *
     * @param cryptoType the reference to resolve, may be {@code null}
     * @return the matching chain (leaf first), or {@code null} when {@code cryptoType}
     *         is {@code null}, nothing matches, or the type is {@code ENDPOINT}
     * @throws WSSecurityException if a store cannot be read
     */
    @Override
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
        if (cryptoType == null) {
            return null;
        }
        switch (cryptoType.getType()) {
            case ISSUER_SERIAL:
                return getX509Certificates(cryptoType.getIssuer(), cryptoType.getSerial());
            case THUMBPRINT_SHA1:
                return getX509Certificates(cryptoType.getBytes());
            case SKI_BYTES:
                return getX509CertificatesSKI(cryptoType.getBytes());
            case SUBJECT_DN:
                return getX509CertificatesSubjectDN(cryptoType.getSubjectDN());
            case ALIAS:
                return getX509Certificates(cryptoType.getAlias());
            case ENDPOINT:
            default:
                // ENDPOINT references are not resolvable against a keystore.
                return null;
        }
    }

    /**
     * Returns the alias under which the certificate is stored, checking the keystore
     * first and the truststore second.
     *
     * @param x509Certificate the certificate to locate
     * @return the alias, or {@code null} if neither store contains the certificate
     * @throws WSSecurityException if a store cannot be read
     */
    @Override
    public String getX509Identifier(X509Certificate x509Certificate) throws WSSecurityException {
        String alias = this.keystore != null ? getIdentifier(x509Certificate, this.keystore) : null;
        boolean notInKeystore = alias == null;
        if (notInKeystore && this.truststore != null) {
            alias = getIdentifier(x509Certificate, this.truststore);
        }
        return alias;
    }

    /**
     * Returns the private key belonging to the certificate: the keystore alias of the
     * certificate is resolved, its password obtained through the callback handler, and
     * the key loaded via {@link #getPrivateKey(String, String)}.
     *
     * @param x509Certificate the certificate whose key is wanted
     * @param callbackHandler supplies the key password; must not be {@code null}
     * @return the private key
     * @throws WSSecurityException if the keystore or handler is {@code null}, the
     *         certificate is not in the keystore, or the key cannot be loaded
     */
    @Override
    public PrivateKey getPrivateKey(X509Certificate x509Certificate, CallbackHandler callbackHandler) throws WSSecurityException {
        if (this.keystore == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"The keystore is null"});
        }
        if (callbackHandler == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"The CallbackHandler is null"});
        }
        String alias = getIdentifier(x509Certificate, this.keystore);
        if (alias == null) {
            String msg = "Cannot find key for certificate";
            try {
                // createKeyStoreErrorMessage reads the keystore and may itself throw.
                LOG.error(msg + createKeyStoreErrorMessage(this.keystore));
            } catch (KeyStoreException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "noPrivateKey", new Object[]{e.getMessage()});
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{msg});
        }
        String password = getPassword(alias, callbackHandler);
        return getPrivateKey(alias, password);
    }

    /**
     * Returns the private key matching the public key: the keystore alias holding that
     * public key is resolved, its password obtained through the callback handler, and
     * the key loaded via {@link #getPrivateKey(String, String)}.
     *
     * @param publicKey       the public half of the wanted key pair
     * @param callbackHandler supplies the key password; must not be {@code null}
     * @return the private key
     * @throws WSSecurityException if the keystore or handler is {@code null}, no entry
     *         carries the public key, or the key cannot be loaded
     */
    public PrivateKey getPrivateKey(PublicKey publicKey, CallbackHandler callbackHandler) throws WSSecurityException {
        if (this.keystore == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"The keystore is null"});
        }
        if (callbackHandler == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"The CallbackHandler is null"});
        }
        String alias = getIdentifier(publicKey, this.keystore);
        if (alias == null) {
            String msg = "Cannot find key for corresponding public key";
            try {
                // createKeyStoreErrorMessage reads the keystore and may itself throw.
                LOG.error(msg + createKeyStoreErrorMessage(this.keystore));
            } catch (KeyStoreException e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "noPrivateKey", new Object[]{e.getMessage()});
            }
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{msg});
        }
        String password = getPassword(alias, callbackHandler);
        return getPrivateKey(alias, password);
    }

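    /**
     * Returns the private key stored under the given alias.
     *
     * <p>When no password is supplied and a private-key password is configured
     * ({@link #PREFIX} or {@link #OLD_PREFIX} + {@link #KEYSTORE_PRIVATE_PASSWORD}),
     * that value is decrypted via {@code decryptPassword} and used instead. With no
     * password at all the key is requested with an empty {@code char[]}. The
     * decompiled form this replaces reached {@code createKeyStoreErrorMessage} for
     * an unknown alias outside the {@code try}, leaving its {@link KeyStoreException}
     * unhandled, and spelled the property keys as literals instead of the constants.
     *
     * @param str  the keystore alias; {@code null} or a non-key entry is an error
     * @param str2 the key password, may be {@code null}
     * @return the private key for the alias
     * @throws WSSecurityException if the keystore is not set, the alias is unknown or
     *         not a key entry, the entry is not a {@link PrivateKey}, or the keystore
     *         rejects the lookup ({@code noPrivateKey})
     */
    @Override
    public PrivateKey getPrivateKey(String str, String str2) throws WSSecurityException {
        if (this.keystore == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{"The keystore is null"});
        }
        try {
            // createKeyStoreErrorMessage throws KeyStoreException, so the unknown-alias
            // branch lives inside the try with the rest of the keystore access.
            if (str == null || !this.keystore.isKeyEntry(str)) {
                String msg = "Cannot find key for alias: [" + str + "]";
                LOG.error(msg + createKeyStoreErrorMessage(this.keystore));
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{msg});
            }
            String keyPassword = str2;
            if (keyPassword == null && this.privatePasswordSet) {
                keyPassword = configuredPrivateKeyPassword();
            }
            Key key = this.keystore.getKey(str, keyPassword == null ? new char[0] : keyPassword.toCharArray());
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
            String msg = "Key is not a private key, alias: [" + str + "]";
            LOG.error(msg + createKeyStoreErrorMessage(this.keystore));
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[]{msg});
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "noPrivateKey", new Object[]{e.getMessage()});
        }
    }

    /**
     * Reads the configured private-key password (new prefix first, then the legacy
     * one) and decrypts it. Returns {@code null} when neither property is present.
     * The value is returned only, never logged here.
     *
     * @return the plaintext private-key password, or {@code null}
     * @throws WSSecurityException if decryption fails
     */
    private String configuredPrivateKeyPassword() throws WSSecurityException {
        String configured = this.properties.getProperty(PREFIX + KEYSTORE_PRIVATE_PASSWORD);
        if (configured == null) {
            configured = this.properties.getProperty(OLD_PREFIX + KEYSTORE_PRIVATE_PASSWORD);
        }
        return configured == null ? null : decryptPassword(configured.trim(), this.passwordEncryptor);
    }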

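    /**
     * Verifies that the presented certificate chain is trusted.
     *
     * <p>Two routes lead to acceptance:
     * <ol>
     *   <li><b>Direct trust</b> (single certificate, revocation disabled): the
     *       certificate is looked up by issuer/serial in the keystore and truststore
     *       and must be {@code equals} to the stored one, so a presented certificate
     *       that merely reuses a trusted issuer/serial pair is not accepted. Only
     *       {@link X509Certificate#checkValidity()} is applied on this route; the
     *       subject DN constraints in {@code collection} are <em>not</em> consulted.</li>
     *   <li><b>PKIX path validation</b> against the trust anchors taken from the
     *       truststore (plus the keystore when there is no truststore or the JVM CA
     *       certs were loaded). For a single certificate the issuer chains found
     *       locally are tried one after another, and absence of any issuer certificate
     *       is a failure. On success the subject DN must additionally satisfy
     *       {@code collection} (see {@code matchesSubjectDnPattern}).</li>
     * </ol>
     * The decompiled form this replaces used an undeclared {@code r13} for the
     * issuer chains; it is now a declared local and the chain loop is a helper.
     *
     * @param x509CertificateArr the chain to verify, leaf first; must contain at least one certificate
     * @param z                  whether PKIX revocation checking is enabled (also disables the direct-trust shortcut)
     * @param collection         subject DN patterns the leaf must satisfy on the path-validation route
     * @throws WSSecurityException if the chain is empty or untrusted ({@code certpath}), the
     *         certificate is expired or not yet valid ({@code invalidCert}), or the subject
     *         DN constraints are violated ({@code FAILED_AUTHENTICATION})
     */
    @Override
    public void verifyTrust(X509Certificate[] x509CertificateArr, boolean z, Collection<Pattern> collection) throws WSSecurityException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No certificates to verify"});
        }
        X509Certificate leaf = x509CertificateArr[0];
        if (x509CertificateArr.length == 1 && !z) {
            CryptoType lookup = new CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
            lookup.setIssuerSerial(leaf.getIssuerX500Principal().getName(), leaf.getSerialNumber());
            X509Certificate[] stored = getX509Certificates(lookup);
            // Full-certificate equality, not just issuer/serial, decides direct trust.
            if (stored != null && stored[0] != null && stored[0].equals(leaf)) {
                try {
                    leaf.checkValidity();
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, e, "invalidCert");
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Direct trust for certificate with " + leaf.getSubjectX500Principal().getName());
                }
                return;
            }
        }
        String issuerName = leaf.getIssuerX500Principal().getName();
        List<Certificate[]> issuerChains = null;
        if (x509CertificateArr.length == 1) {
            Object issuerPrincipal = convertSubjectToPrincipal(issuerName);
            if (this.keystore != null) {
                issuerChains = getCertificates(issuerPrincipal, this.keystore);
            }
            if ((issuerChains == null || issuerChains.isEmpty()) && this.truststore != null) {
                issuerChains = getCertificates(issuerPrincipal, this.truststore);
            }
            if (issuerChains == null || issuerChains.isEmpty() || issuerChains.get(0).length < 1) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("No certs found in keystore for issuer " + issuerName + " of certificate for " + leaf.getSubjectX500Principal().getName());
                }
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "certpath", new Object[]{"No trusted certs found"});
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Preparing to validate certificate path for issuer " + issuerName);
        }
        try {
            Set<TrustAnchor> anchors = new HashSet<>();
            if (this.truststore != null) {
                addTrustAnchors(anchors, this.truststore);
            }
            // Keystore entries are anchors only when they are the sole store or the JVM CA certs were loaded.
            if (this.keystore != null && (this.truststore == null || this.loadCACerts)) {
                addTrustAnchors(anchors, this.keystore);
            }
            String cryptoProvider = getCryptoProvider();
            CertPathValidator validator = (cryptoProvider == null || cryptoProvider.isEmpty())
                ? CertPathValidator.getInstance("PKIX")
                : CertPathValidator.getInstance("PKIX", cryptoProvider);
            PKIXParameters params = createPKIXParameters(anchors, z);
            CertificateFactory certFactory = getCertificateFactory();
            if (issuerChains == null || issuerChains.isEmpty()) {
                validator.validate(certFactory.generateCertPath(Arrays.asList(x509CertificateArr)), params);
            } else {
                validateAgainstIssuerChains(validator, certFactory, leaf, issuerChains, params);
            }
            if (!matchesSubjectDnPattern(leaf, collection)) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
            }
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | CertPathValidatorException | CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "certpath");
        }
    }

    /**
     * Path-validates {@code leaf} in front of each locally found issuer chain in turn;
     * the first chain that validates wins, otherwise the last validator failure is rethrown.
     *
     * @param validator    the PKIX validator
     * @param certFactory  builds the {@code CertPath} objects
     * @param leaf         the presented certificate
     * @param issuerChains candidate issuer chains, each non-empty
     * @param params       the PKIX parameters (anchors, revocation settings)
     * @throws CertPathValidatorException         if no candidate chain validates
     * @throws InvalidAlgorithmParameterException if the validator rejects {@code params}
     * @throws CertificateException               if a cert path cannot be built
     */
    private static void validateAgainstIssuerChains(CertPathValidator validator, CertificateFactory certFactory, X509Certificate leaf, List<Certificate[]> issuerChains, PKIXParameters params) throws CertPathValidatorException, InvalidAlgorithmParameterException, CertificateException {
        CertPathValidatorException lastFailure = null;
        for (Certificate[] issuerChain : issuerChains) {
            X509Certificate[] fullChain = new X509Certificate[issuerChain.length + 1];
            fullChain[0] = leaf;
            // Copying into an X509Certificate[] rejects a non-X.509 entry with ArrayStoreException, as before.
            System.arraycopy(issuerChain, 0, fullChain, 1, issuerChain.length);
            try {
                validator.validate(certFactory.generateCertPath(Arrays.asList(fullChain)), params);
                return;
            } catch (CertPathValidatorException e) {
                lastFailure = e;
            }
        }
        if (lastFailure != null) {
            throw lastFailure;
        }
    }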

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the PKIX parameters for path validation. The revocation flag is set as
     * given regardless of whether a CRL store exists; the configured CRL store is
     * attached only when revocation checking is enabled.
     *
     * @param set the trust anchors; must not be empty
     * @param z   whether revocation checking is enabled
     * @return the parameters
     * @throws InvalidAlgorithmParameterException if {@code set} is empty
     */
    public PKIXParameters createPKIXParameters(Set<TrustAnchor> set, boolean z) throws InvalidAlgorithmParameterException {
        PKIXParameters params = new PKIXParameters(set);
        params.setRevocationEnabled(z);
        boolean attachCrlStore = z && this.crlCertStore != null;
        if (attachCrlStore) {
            params.addCertStore(this.crlCertStore);
        }
        return params;
    }

    /**
     * Accepts a bare public key only if it is held by an entry of the keystore or
     * the truststore; a {@code null} key is rejected.
     *
     * @param publicKey the key to check
     * @throws WSSecurityException ({@code FAILED_AUTHENTICATION}) if the key is
     *         {@code null} or unknown to both stores
     */
    @Override
    public void verifyTrust(PublicKey publicKey) throws WSSecurityException {
        if (publicKey == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        boolean known = findPublicKeyInKeyStore(publicKey, this.keystore)
            || findPublicKeyInKeyStore(publicKey, this.truststore);
        if (!known) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }

    /**
     * Finds the chain whose leaf has the given issuer DN and serial number, searching
     * the keystore first and the truststore second.
     *
     * <p>The issuer string is normalised through {@link X500Principal} when it parses
     * as a DN; otherwise the raw string is handed to {@code createBCX509Name} as-is.
     *
     * @param str        the issuer distinguished name
     * @param bigInteger the certificate serial number
     * @return the matching chain (leaf first), or {@code null} when neither store has it
     * @throws WSSecurityException if a store cannot be read
     */
    private X509Certificate[] getX509Certificates(String str, BigInteger bigInteger) throws WSSecurityException {
        Object issuerName;
        try {
            issuerName = createBCX509Name(new X500Principal(str).getName());
        } catch (IllegalArgumentException notAnX500Name) {
            issuerName = createBCX509Name(str);
        }
        Certificate[] chain = this.keystore == null ? null : getCertificates(issuerName, bigInteger, this.keystore);
        boolean missing = chain == null || chain.length == 0;
        if (missing && this.truststore != null) {
            chain = getCertificates(issuerName, bigInteger, this.truststore);
            missing = chain == null || chain.length == 0;
        }
        if (missing) {
            return null;
        }
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Scans every alias of the store for a chain whose leaf carries the given serial
     * number and whose issuer name, normalised with {@code createBCX509Name}, equals
     * {@code obj}. Entries without a chain are treated as a one-element chain of
     * their certificate.
     *
     * @param obj        the normalised issuer name to match
     * @param bigInteger the serial number to match
     * @param keyStore   the store to scan
     * @return the first matching chain, or an empty array if there is none
     * @throws WSSecurityException if the store cannot be read ({@code keystore})
     */
    private Certificate[] getCertificates(Object obj, BigInteger bigInteger, KeyStore keyStore) throws WSSecurityException {
        LOG.debug("Searching keystore for cert with issuer {} and serial {}", obj, bigInteger);
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate leaf = (X509Certificate) chain[0];
                LOG.debug("Keystore alias {} has issuer {} and serial {}", alias, leaf.getIssuerX500Principal().getName(), leaf.getSerialNumber());
                // Serial is compared first; the issuer name is only normalised on a serial hit.
                boolean serialMatches = leaf.getSerialNumber().compareTo(bigInteger) == 0;
                if (serialMatches && createBCX509Name(leaf.getIssuerX500Principal().getName()).equals(obj)) {
                    LOG.debug("Issuer Serial match found using keystore alias {}", alias);
                    return chain;
                }
            }
            LOG.debug("No issuer serial match found in keystore");
            return new Certificate[0];
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Finds the chain whose leaf has the given SHA-1 thumbprint, searching the
     * keystore first and the truststore second.
     *
     * <p>SHA-1 is what the WS-Security {@code ThumbprintSHA1} key identifier carries,
     * so the algorithm is an interoperability requirement rather than a choice made
     * here; the thumbprint only selects a local candidate, the trust decision is
     * made separately by {@code verifyTrust}.
     *
     * @param bArr the expected SHA-1 digest of the DER-encoded certificate
     * @return the matching chain (leaf first), or {@code null} when neither store has it
     * @throws WSSecurityException if SHA-1 is unavailable ({@code decoding.general})
     *         or a store cannot be read
     */
    private X509Certificate[] getX509Certificates(byte[] bArr) throws WSSecurityException {
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA1");
        } catch (NoSuchAlgorithmException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "decoding.general");
        }
        Certificate[] chain = this.keystore == null ? null : getCertificates(bArr, this.keystore, sha1);
        boolean missing = chain == null || chain.length == 0;
        if (missing && this.truststore != null) {
            chain = getCertificates(bArr, this.truststore, sha1);
            missing = chain == null || chain.length == 0;
        }
        if (missing) {
            return null;
        }
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Scans every alias of the store for a chain whose leaf's DER encoding digests
     * to {@code bArr} under {@code messageDigest}. Entries without a chain are
     * treated as a one-element chain of their certificate.
     *
     * @param bArr          the expected digest
     * @param keyStore      the store to scan
     * @param messageDigest the digest to apply; it is reset by each computation
     * @return the first matching chain, or an empty array if there is none
     * @throws WSSecurityException if the store cannot be read ({@code keystore}) or a
     *         certificate cannot be encoded ({@code encodeError})
     */
    private Certificate[] getCertificates(byte[] bArr, KeyStore keyStore, MessageDigest messageDigest) throws WSSecurityException {
        LOG.debug("Searching keystore for cert using a SHA-1 thumbprint");
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                byte[] thumbprint;
                try {
                    // digest(byte[]) is update-then-digest, leaving the digest reset for the next alias.
                    thumbprint = messageDigest.digest(((X509Certificate) chain[0]).getEncoded());
                } catch (CertificateEncodingException e) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "encodeError");
                }
                if (Arrays.equals(thumbprint, bArr)) {
                    LOG.debug("Thumbprint match found using keystore alias {}", alias);
                    return chain;
                }
            }
            LOG.debug("No thumbprint match found in keystore");
            return new Certificate[0];
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Finds the chain whose leaf has the given Subject Key Identifier, searching the
     * keystore first and the truststore second.
     *
     * @param bArr the SKI bytes to match
     * @return the matching chain (leaf first), or {@code null} when neither store has it
     * @throws WSSecurityException if a store cannot be read
     */
    private X509Certificate[] getX509CertificatesSKI(byte[] bArr) throws WSSecurityException {
        Certificate[] chain = this.keystore == null ? null : getCertificates(bArr, this.keystore);
        boolean missing = chain == null || chain.length == 0;
        if (missing && this.truststore != null) {
            chain = getCertificates(bArr, this.truststore);
            missing = chain == null || chain.length == 0;
        }
        if (missing) {
            return null;
        }
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Scans every alias of the store for a chain whose leaf's Subject Key Identifier
     * (as extracted by {@code getSKIBytesFromCert}) equals {@code bArr}. Entries
     * without a chain are treated as a one-element chain of their certificate.
     *
     * <p>NOTE(review): {@code getSKIBytesFromCert} comes from {@code CryptoBase}; confirm
     * how it behaves for a certificate without an SKI extension, since that would
     * affect scanning a mixed store.
     *
     * @param bArr     the SKI bytes to match
     * @param keyStore the store to scan
     * @return the first matching chain, or an empty array if there is none
     * @throws WSSecurityException if the store cannot be read ({@code keystore})
     */
    private Certificate[] getCertificates(byte[] bArr, KeyStore keyStore) throws WSSecurityException {
        LOG.debug("Searching keystore for cert using Subject Key Identifier bytes");
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                byte[] ski = getSKIBytesFromCert((X509Certificate) chain[0]);
                // The explicit length comparison precedes Arrays.equals, as in the original.
                boolean sameLength = ski.length == bArr.length;
                if (sameLength && Arrays.equals(ski, bArr)) {
                    LOG.debug("SKI match found using keystore alias {}", alias);
                    return chain;
                }
            }
            LOG.debug("No SKI match found in keystore");
            return new Certificate[0];
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Look up a certificate chain by subject DN. The DN string is normalised through
     * {@code convertSubjectToPrincipal} before matching; the keystore is consulted first and
     * the truststore only if the keystore has no match.
     * <p>
     * Subject DNs are not unique: when several entries share the subject, only the first one
     * found (in alias-enumeration order) is returned and the ambiguity is not reported.
     *
     * @param str the subject DN to look for
     * @return the first matching chain as X509Certificates, or {@code null} if none
     * @throws WSSecurityException if a store cannot be enumerated
     */
    private X509Certificate[] getX509CertificatesSubjectDN(String str) throws WSSecurityException {
        Object subject = convertSubjectToPrincipal(str);
        List<Certificate[]> matches = this.keystore == null ? null : getCertificates(subject, this.keystore);
        if ((matches == null || matches.isEmpty()) && this.truststore != null) {
            matches = getCertificates(subject, this.truststore);
        }
        if (matches == null || matches.isEmpty()) {
            return null;
        }
        Certificate[] first = matches.get(0);
        return Arrays.copyOf(first, first.length, X509Certificate[].class);
    }

    /**
     * Convert a subject DN string into the comparable form used by the subject lookup.
     * The string is first canonicalised through {@link X500Principal#getName()} so that
     * attribute ordering and encoding line up with what is derived from each certificate's
     * subject; if it is not a parseable X.500 name the raw string is used instead.
     *
     * @param str the subject DN as supplied by the caller
     * @return the value produced by {@code createBCX509Name} for the (normalised) DN
     */
    private Object convertSubjectToPrincipal(String str) {
        try {
            return createBCX509Name(new X500Principal(str).getName());
        } catch (IllegalArgumentException e) {
            // Not parseable as an X.500 name: fall back to the string as given.
            return createBCX509Name(str);
        }
    }

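    /**
     * Resolve a keystore/truststore alias to its certificate chain.
     * <p>
     * The keystore is consulted first; the truststore only if the keystore has no usable entry
     * under the alias. For either store a key entry's chain is preferred, and a
     * trusted-certificate entry is wrapped in a single-element chain. Both stores are now
     * treated identically: an empty chain (not just a missing one) falls through to the next
     * store, whereas previously an empty keystore chain short-circuited the truststore lookup.
     *
     * @param str the alias; {@code null} yields {@code null}
     * @return the chain as X509Certificates, or {@code null} if neither store knows the alias
     * @throws WSSecurityException wrapping any KeyStoreException
     */
    private X509Certificate[] getX509Certificates(String str) throws WSSecurityException {
        if (str == null) {
            return null;
        }
        try {
            Certificate[] chain = null;
            if (this.keystore != null) {
                chain = chainForAlias(this.keystore, str);
            }
            if ((chain == null || chain.length == 0) && this.truststore != null) {
                chain = chainForAlias(this.truststore, str);
            }
            if (chain == null) {
                return null;
            }
            // Arrays.copyOf with an X509Certificate[] component type throws ArrayStoreException
            // if the entry holds a non-X.509 certificate; stores used here are expected to be X.509.
            return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /** Chain for {@code alias} in one store: the key entry's chain, else the trusted certificate alone, else what the store returned. */
    private static Certificate[] chainForAlias(KeyStore store, String alias) throws KeyStoreException {
        Certificate[] chain = store.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            Certificate single = store.getCertificate(alias);
            if (single != null) {
                return new Certificate[]{single};
            }
        }
        return chain;
    }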

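    /**
     * Report whether {@code keyStore} holds an entry whose leaf certificate carries exactly
     * this public key. Key entries contribute their chain, trusted-certificate entries a
     * single certificate; entries whose leaf is not an X509Certificate are ignored.
     * <p>
     * Equality is delegated to {@link PublicKey#equals(Object)}, whose semantics depend on the
     * key implementation (typically encoded-form comparison).
     *
     * @param publicKey the key to look for; {@code null} never matches
     * @param keyStore  the store to scan; {@code null} yields {@code false}
     * @return {@code true} on the first match, {@code false} otherwise or if the store cannot be read
     */
    private boolean findPublicKeyInKeyStore(PublicKey publicKey, KeyStore keyStore) {
        if (keyStore == null || publicKey == null) {
            return false;
        }
        LOG.debug("Searching keystore for public key {}", publicKey);
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                if (publicKey.equals(((X509Certificate) chain[0]).getPublicKey())) {
                    LOG.debug("PublicKey match found using keystore alias {}", alias);
                    return true;
                }
            }
            LOG.debug("No PublicKey match found in keystore");
            return false;
        } catch (KeyStoreException e) {
            // A store that cannot be enumerated is treated as "not found" rather than an error,
            // but the cause is recorded so the failure is not completely silent.
            LOG.debug("Unable to search keystore for public key", e);
            return false;
        }
    }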

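    /**
     * Collect every entry of {@code keyStore} whose leaf certificate's subject equals
     * {@code obj}. {@code obj} is the value {@code createBCX509Name} produced for the wanted DN,
     * and each certificate's subject is run through the same conversion before comparison.
     * Key entries contribute their chain; trusted-certificate entries a single-element chain;
     * entries whose leaf is not an X509Certificate are skipped.
     *
     * @param obj      the normalised subject to match (as built by createBCX509Name)
     * @param keyStore the store to scan
     * @return all matching chains in alias-enumeration order; empty when none match (never {@code null})
     * @throws WSSecurityException wrapping any KeyStoreException
     */
    private List<Certificate[]> getCertificates(Object obj, KeyStore keyStore) throws WSSecurityException {
        LOG.debug("Searching keystore for cert with Subject {}", obj);
        // Typed list instead of the previous raw ArrayList.
        List<Certificate[]> matches = new ArrayList<>();
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                    }
                }
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    continue;
                }
                Object candidate = createBCX509Name(((X509Certificate) chain[0]).getSubjectX500Principal().getName());
                if (obj.equals(candidate)) {
                    LOG.debug("Subject certificate match found using keystore alias {}", alias);
                    matches.add(chain);
                }
            }
            if (matches.isEmpty()) {
                LOG.debug("No Subject match found in keystore");
            }
            return matches;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }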

    /**
     * Build the descriptive suffix appended to keystore-related error messages: store type,
     * provider, entry count and the comma-separated list of aliases.
     * <p>
     * Alias names end up in the error text, so callers should consider whether that text may
     * reach an untrusted party before surfacing it verbatim.
     *
     * @param keyStore the store being described
     * @return a string starting with {@code " in keystore of type ["}
     * @throws KeyStoreException if the store cannot be enumerated
     */
    private static String createKeyStoreErrorMessage(KeyStore keyStore) throws KeyStoreException {
        StringBuilder aliasList = new StringBuilder(keyStore.size() * 7);
        String separator = "";
        for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
            aliasList.append(separator).append(aliases.nextElement());
            separator = ", ";
        }
        return " in keystore of type [" + keyStore.getType() + "] from provider [" + keyStore.getProvider()
            + "] with size [" + keyStore.size() + "] and aliases: {" + aliasList + "}";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Add a TrustAnchor for every certificate entry in {@code keyStore}.
     * <p>
     * Every non-null certificate the store returns for an alias becomes an anchor, regardless
     * of whether it is a CA certificate, so a store passed here must contain only certificates
     * the caller intends to trust as roots. Name constraints are attached only when the
     * CertPath provider is flagged as handling them; otherwise {@code null} is passed.
     *
     * @param set      the anchor set to extend
     * @param keyStore the store whose certificates become anchors
     * @throws KeyStoreException   if the store cannot be enumerated
     * @throws WSSecurityException if name constraints cannot be extracted
     */
    public void addTrustAnchors(Set<TrustAnchor> set, KeyStore keyStore) throws KeyStoreException, WSSecurityException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Unchecked cast: a non-X.509 certificate under this alias surfaces as a ClassCastException.
            X509Certificate anchorCert = (X509Certificate) keyStore.getCertificate(alias);
            if (anchorCert == null) {
                continue;
            }
            byte[] nameConstraints = this.certProviderHandlesNameConstraints ? getNameConstraints(anchorCert) : null;
            set.add(new TrustAnchor(anchorCert, nameConstraints));
        }
    }

    /**
     * Find the alias under which {@code x509Certificate} is stored as the leaf of an entry.
     * Comparison uses {@link Certificate#equals(Object)} (typically encoded-form equality).
     *
     * @param x509Certificate the certificate to locate
     * @param keyStore        the store to scan
     * @return the first alias whose leaf equals the certificate, or {@code null} if none
     * @throws WSSecurityException wrapping any KeyStoreException
     */
    private String getIdentifier(X509Certificate x509Certificate, KeyStore keyStore) throws WSSecurityException {
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                boolean emptyChain = chain == null || chain.length == 0;
                if (emptyChain) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                        emptyChain = false;
                    }
                }
                if (!emptyChain && chain[0].equals(x509Certificate)) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Find the alias whose leaf certificate carries {@code publicKey}.
     * Equality is delegated to the key implementation's {@code equals}; no X.509 type check is
     * performed, so any {@link Certificate} subtype's public key is compared.
     *
     * @param publicKey the key to locate
     * @param keyStore  the store to scan
     * @return the first alias whose leaf certificate holds the key, or {@code null} if none
     * @throws WSSecurityException wrapping any KeyStoreException
     */
    private String getIdentifier(PublicKey publicKey, KeyStore keyStore) throws WSSecurityException {
        try {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                boolean emptyChain = chain == null || chain.length == 0;
                if (emptyChain) {
                    Certificate single = keyStore.getCertificate(alias);
                    if (single != null) {
                        chain = new Certificate[]{single};
                        emptyChain = false;
                    }
                }
                if (!emptyChain && chain[0].getPublicKey().equals(publicKey)) {
                    return alias;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "keystore");
        }
    }

    /**
     * Ask the configured CallbackHandler for the password belonging to {@code str} (a key alias).
     * <p>
     * The password travels as a String, so it cannot be wiped after use; the handler may also
     * leave it unset, in which case {@code null} is returned and callers must cope with that.
     *
     * @param str             the identifier the handler is asked about
     * @param callbackHandler the handler that supplies the password
     * @return the password the handler set, possibly {@code null}
     * @throws WSSecurityException if the handler fails or does not support the callback
     */
    private String getPassword(String str, CallbackHandler callbackHandler) throws WSSecurityException {
        // Usage code 1 — presumably WSPasswordCallback's DECRYPT usage; confirm against its constants.
        WSPasswordCallback request = new WSPasswordCallback(str, 1);
        Callback[] callbacks = {request};
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "noPassword", new Object[]{str});
        }
        return request.getPassword();
    }

    /* JADX INFO: Access modifiers changed from: protected */
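    /**
     * Unwrap and decrypt a password that is stored in the encrypted
     * {@code ENCRYPTED_PASSWORD_PREFIX ... ENCRYPTED_PASSWORD_SUFFIX} form.
     * <p>
     * Values that do not carry both markers are returned unchanged. If the markers are present
     * but no {@link PasswordEncryptor} is configured, the still-wrapped value is returned as-is
     * (and a debug message is logged) — the caller will then be using the ciphertext string as
     * the password, so a missing encryptor should be treated as a configuration error.
     *
     * @param str               the configured password value (must not be {@code null})
     * @param passwordEncryptor the encryptor used to decrypt the payload, or {@code null}
     * @return the decrypted password, or {@code str} unchanged when it is not wrapped or
     *         no encryptor is available
     */
    public String decryptPassword(String str, PasswordEncryptor passwordEncryptor) {
        boolean wrapped = str.startsWith(ENCRYPTED_PASSWORD_PREFIX)
            && str.endsWith(ENCRYPTED_PASSWORD_SUFFIX)
            && str.length() >= ENCRYPTED_PASSWORD_PREFIX.length() + ENCRYPTED_PASSWORD_SUFFIX.length();
        if (!wrapped) {
            return str;
        }
        if (passwordEncryptor == null) {
            LOG.debug("The Crypto properties has an encrypted password, but no PasswordEncryptor is configured!");
            return str;
        }
        // Strip both markers using the suffix's real length rather than assuming a one-character suffix.
        String payload = str.substring(ENCRYPTED_PASSWORD_PREFIX.length(),
            str.length() - ENCRYPTED_PASSWORD_SUFFIX.length());
        return passwordEncryptor.decrypt(payload);
    }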

    /**
     * Install the {@link PasswordEncryptor} used to decrypt wrapped passwords from the
     * Crypto properties. Passing {@code null} removes it.
     *
     * @param passwordEncryptor the encryptor to use, or {@code null}
     */
    public void setPasswordEncryptor(PasswordEncryptor passwordEncryptor) {
        this.passwordEncryptor = passwordEncryptor;
    }
}
