package org.xipki.security;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.crypto.RuntimeCryptoException;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcContentVerifierProviderBuilder;
import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.password.PasswordResolver;
import org.xipki.security.bc.XiECContentVerifierProviderBuilder;
import org.xipki.security.bc.XiRSAContentVerifierProviderBuilder;
import org.xipki.security.exception.NoIdleSignerException;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.LogUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.ParamUtil;

/* loaded from: input_file:org/xipki/security/SecurityFactoryImpl.class */
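/**
 * Default {@code SecurityFactory}: creates signers through a {@link SignerFactoryRegister},
 * builds BC content-verifier providers for public keys, checks CSR proof-of-possession
 * and hands out {@link SecureRandom} instances for key generation and signing.
 *
 * <p>The verifier-provider-builder cache is shared by all instances and is safe for
 * concurrent use. The setters are not synchronized; presumably they are called once
 * while the factory is wired up, before it is shared between threads (confirm with
 * the container configuration).
 */
public class SecurityFactoryImpl extends AbstractSecurityFactory {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityFactoryImpl.class);

    private static final DigestAlgorithmIdentifierFinder DIGESTALG_IDENTIFIER_FINDER = new DefaultDigestAlgorithmIdentifierFinder();

    /**
     * Cache of verifier-provider builders keyed by the upper-cased key algorithm name.
     * A {@link ConcurrentHashMap} is used because {@link #getContentVerifierProvider}
     * may be called from several threads at once; the previous raw, unsynchronized
     * {@code HashMap} could be corrupted by concurrent get/put.
     */
    private static final Map<String, BcContentVerifierProviderBuilder> VERIFIER_PROVIDER_BUILDER = new ConcurrentHashMap<>();

    /** Default parallelism handed to signers that do not configure their own; must be >= 1. */
    private int defaultSignerParallelism = 32;

    private PasswordResolver passwordResolver;

    private SignerFactoryRegister signerFactoryRegister;

    /** Whether {@link #getRandom4Key()} returns {@link SecureRandom#getInstanceStrong()}. */
    private boolean strongRandom4KeyEnabled;

    /** Whether {@link #getRandom4Sign()} returns {@link SecureRandom#getInstanceStrong()}. */
    private boolean strongRandom4SignEnabled;

    /**
     * Returns the signer types known to the configured {@link SignerFactoryRegister}.
     *
     * @return the supported signer type names
     */
    @Override
    public Set<String> getSupportedSignerTypes() {
        return this.signerFactoryRegister.getSupportedSignerTypes();
    }

    /** @return whether a strong {@link SecureRandom} is used for key generation */
    public boolean isStrongRandom4KeyEnabled() {
        return this.strongRandom4KeyEnabled;
    }

    /** @param enabled whether a strong {@link SecureRandom} is used for key generation */
    public void setStrongRandom4KeyEnabled(boolean enabled) {
        this.strongRandom4KeyEnabled = enabled;
    }

    /** @return whether a strong {@link SecureRandom} is used for signing */
    public boolean isStrongRandom4SignEnabled() {
        return this.strongRandom4SignEnabled;
    }

    /** @param enabled whether a strong {@link SecureRandom} is used for signing */
    public void setStrongRandom4SignEnabled(boolean enabled) {
        this.strongRandom4SignEnabled = enabled;
    }

    /**
     * Creates a signer via the register and, unless it is a MAC signer, verifies that its
     * private key matches its public key with a sign/verify round trip.
     *
     * @param type signer type (e.g. a name registered in the {@link SignerFactoryRegister})
     * @param conf signer configuration; may be modified if validation fails (see {@link #validateSigner})
     * @param certificateChain certificate chain for the signer, may be {@code null}
     * @return the created signer
     * @throws ObjectCreationException if the signer cannot be created or fails validation
     */
    @Override
    public ConcurrentContentSigner createSigner(String type, SignerConf conf, X509Certificate[] certificateChain) throws ObjectCreationException {
        ConcurrentContentSigner signer = this.signerFactoryRegister.newSigner(this, type, conf, certificateChain);
        // A MAC signer has no public key, so the key-pair consistency check does not apply.
        if (!signer.isMac()) {
            validateSigner(signer, type, conf);
        }
        return signer;
    }

    /**
     * Builds a BC {@link ContentVerifierProvider} for the given public key.
     * Supported key algorithms are RSA, DSA, EC and ECDSA; builders are cached per algorithm.
     *
     * @param publicKey the verification key
     * @return a verifier provider bound to {@code publicKey}
     * @throws InvalidKeyException if the key algorithm is unsupported or the provider cannot be built
     */
    @Override
    public ContentVerifierProvider getContentVerifierProvider(PublicKey publicKey) throws InvalidKeyException {
        ParamUtil.requireNonNull("publicKey", publicKey);
        // Locale.ROOT keeps the lookup key stable regardless of the JVM's default locale.
        String keyAlg = publicKey.getAlgorithm().toUpperCase(Locale.ROOT);

        BcContentVerifierProviderBuilder builder = VERIFIER_PROVIDER_BUILDER.get(keyAlg);
        if (builder == null) {
            builder = newVerifierProviderBuilder(keyAlg);
            if (builder == null) {
                throw new InvalidKeyException("unknown key algorithm of the public key " + keyAlg);
            }
            // Builders are stateless; if another thread won the race, reuse its instance.
            BcContentVerifierProviderBuilder existing = VERIFIER_PROVIDER_BUILDER.putIfAbsent(keyAlg, builder);
            if (existing != null) {
                builder = existing;
            }
        }

        try {
            return builder.build(KeyUtil.generatePublicKeyParameter(publicKey));
        } catch (OperatorCreationException e) {
            throw new InvalidKeyException("could not build ContentVerifierProvider: " + e.getMessage(), e);
        }
    }

    /**
     * Creates the verifier-provider builder for an upper-cased key algorithm name.
     *
     * @param keyAlg upper-cased key algorithm name
     * @return a new builder, or {@code null} if the algorithm is not supported
     */
    private static BcContentVerifierProviderBuilder newVerifierProviderBuilder(String keyAlg) {
        switch (keyAlg) {
            case "RSA":
                return new XiRSAContentVerifierProviderBuilder(DIGESTALG_IDENTIFIER_FINDER);
            case "DSA":
                return new BcDSAContentVerifierProviderBuilder(DIGESTALG_IDENTIFIER_FINDER);
            case "EC":
            case "ECDSA":
                return new XiECContentVerifierProviderBuilder(DIGESTALG_IDENTIFIER_FINDER);
            default:
                return null;
        }
    }

    /**
     * Converts a {@link SubjectPublicKeyInfo} into a JCA {@link PublicKey}.
     *
     * @param subjectPublicKeyInfo the encoded public key
     * @return the decoded public key
     * @throws InvalidKeyException if the algorithm is unknown or the encoding is invalid
     */
    @Override
    public PublicKey generatePublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws InvalidKeyException {
        try {
            return KeyUtil.generatePublicKey(subjectPublicKeyInfo);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the proof-of-possession (self-signature) of a raw PKCS#10 request.
     *
     * @param certificationRequest the ASN.1 request
     * @param algorithmValidator optional signature-algorithm policy; {@code null} permits any
     * @return {@code true} if the algorithm is permitted and the signature verifies
     */
    @Override
    public boolean verifyPopo(CertificationRequest certificationRequest, AlgorithmValidator algorithmValidator) {
        return verifyPopo(new PKCS10CertificationRequest(certificationRequest), algorithmValidator);
    }

    /**
     * Verifies the proof-of-possession (self-signature) of a PKCS#10 request.
     * Failures are logged and reported as {@code false} rather than thrown, so callers
     * must treat {@code false} as "not proven", not as "malformed".
     *
     * @param csr the request
     * @param algorithmValidator optional signature-algorithm policy; {@code null} permits any
     * @return {@code true} if the algorithm is permitted and the signature verifies
     */
    @Override
    public boolean verifyPopo(PKCS10CertificationRequest csr, AlgorithmValidator algorithmValidator) {
        if (algorithmValidator != null) {
            AlgorithmIdentifier sigAlg = csr.getSignatureAlgorithm();
            if (!algorithmValidator.isAlgorithmPermitted(sigAlg)) {
                LOG.error("POPO signature algorithm {} not permitted", signatureAlgorithmName(sigAlg));
                return false;
            }
        }

        try {
            PublicKey publicKey = KeyUtil.generatePublicKey(csr.getSubjectPublicKeyInfo());
            return csr.isSignatureValid(getContentVerifierProvider(publicKey));
        } catch (InvalidKeyException | PKCSException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            LogUtil.error(LOG, e, "could not validate POPO of CSR");
            return false;
        }
    }

    /**
     * Returns a human-readable name for a signature algorithm, falling back to its OID
     * when no name is known.
     *
     * @param sigAlg the signature algorithm identifier
     * @return the algorithm name or dotted OID string
     */
    private static String signatureAlgorithmName(AlgorithmIdentifier sigAlg) {
        try {
            return AlgorithmUtil.getSignatureAlgoName(sigAlg);
        } catch (NoSuchAlgorithmException e) {
            return sigAlg.getAlgorithm().getId();
        }
    }

    /** @return the default signer parallelism (at least 1) */
    @Override
    public int getDfltSignerParallelism() {
        return this.defaultSignerParallelism;
    }

    /**
     * Sets the default signer parallelism.
     *
     * @param parallelism the new value; must be at least 1
     */
    public void setDefaultSignerParallelism(int parallelism) {
        this.defaultSignerParallelism = ParamUtil.requireMin("defaultSignerParallelism", parallelism, 1);
    }

    /** @param signerFactoryRegister the register used to create signers */
    public void setSignerFactoryRegister(SignerFactoryRegister signerFactoryRegister) {
        this.signerFactoryRegister = signerFactoryRegister;
    }

    /** @param passwordResolver the resolver used to decode protected passwords in signer configurations */
    public void setPasswordResolver(PasswordResolver passwordResolver) {
        this.passwordResolver = passwordResolver;
    }

    /** @return the configured password resolver, may be {@code null} if never set */
    @Override
    public PasswordResolver getPasswordResolver() {
        return this.passwordResolver;
    }

    /**
     * Creates a signer with parallelism 1 and returns its private key and certificate.
     * The key-pair consistency check of {@link #createSigner} is deliberately not run here.
     *
     * @param type signer type
     * @param conf signer configuration; its {@code parallelism} entry is overwritten with {@code 1}
     * @param cert certificate for the signer, may be {@code null}
     * @return the signing key and certificate
     * @throws ObjectCreationException if the signer cannot be created
     */
    @Override
    public KeyCertPair createPrivateKeyAndCert(String type, SignerConf conf, X509Certificate cert) throws ObjectCreationException {
        conf.putConfEntry("parallelism", "1");
        X509Certificate[] certificateChain = (cert == null) ? null : new X509Certificate[]{cert};
        ConcurrentContentSigner signer = this.signerFactoryRegister.newSigner(this, type, conf, certificateChain);
        // NOTE(review): the cast assumes a private-key signer; a MAC signer's key would
        // fail here with a ClassCastException — confirm callers never pass a MAC type.
        return new KeyCertPair((PrivateKey) signer.getSigningKey(), signer.getCertificate());
    }

    /** @return the random source for key generation, strong if so configured */
    @Override
    public SecureRandom getRandom4Key() {
        return getSecureRandom(this.strongRandom4KeyEnabled);
    }

    /** @return the random source for signing, strong if so configured */
    @Override
    public SecureRandom getRandom4Sign() {
        return getSecureRandom(this.strongRandom4SignEnabled);
    }

    /**
     * Re-packs a keystore so that it contains exactly one key entry (plus its chain).
     *
     * <p>If {@code keyname} is {@code null}, the first key entry found is used. If the
     * input keystore already holds a single entry and no replacement chain is given, the
     * input bytes are returned unchanged (not copied). The same password protects the
     * keystore and the key entry in both the source and the result.
     *
     * @param keystoreType keystore type understood by {@code KeyUtil.getKeyStore}
     * @param keystoreBytes encoded source keystore
     * @param keyname alias of the key entry to keep, or {@code null} for the first key entry
     * @param password keystore and key password
     * @param newCertChain optional replacement certificate chain; {@code null} or empty keeps the stored chain
     * @return the encoded minimal keystore
     * @throws KeyStoreException if the alias is unknown, no key entry exists, or any I/O /
     *         crypto error occurs (other exceptions are wrapped, with their cause preserved)
     */
    @Override
    public byte[] extractMinimalKeyStore(String keystoreType, byte[] keystoreBytes, String keyname, char[] password, X509Certificate[] newCertChain) throws KeyStoreException {
        ParamUtil.requireNonBlank("keystoreType", keystoreType);
        ParamUtil.requireNonNull("keystoreBytes", keystoreBytes);

        try {
            KeyStore keyStore = KeyUtil.getKeyStore(keystoreType);
            keyStore.load(new ByteArrayInputStream(keystoreBytes), password);

            String keyAlias = keyname;
            if (keyAlias == null) {
                keyAlias = firstKeyAlias(keyStore);
            } else if (!keyStore.isKeyEntry(keyAlias)) {
                throw new KeyStoreException("unknown key named " + keyAlias);
            }
            if (keyAlias == null) {
                throw new KeyStoreException("no key entry is contained in the keystore");
            }

            Certificate[] certificateChain;
            if (newCertChain != null && newCertChain.length >= 1) {
                certificateChain = newCertChain;
            } else {
                if (countEntries(keyStore) == 1) {
                    // Only the key entry is present: nothing to strip.
                    return keystoreBytes;
                }
                certificateChain = keyStore.getCertificateChain(keyAlias);
            }

            KeyStore minimal = KeyUtil.getKeyStore(keystoreType);
            minimal.load(null, password);
            // A non-private key entry (e.g. a secret key) fails the cast and is reported as KeyStoreException below.
            minimal.setKeyEntry(keyAlias, (PrivateKey) keyStore.getKey(keyAlias, password), password, certificateChain);

            try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                minimal.store(out, password);
                return out.toByteArray();
            }
        } catch (KeyStoreException e) {
            throw e;
        } catch (Exception e) {
            throw new KeyStoreException(e.getMessage(), e);
        }
    }

    /**
     * Finds the alias of the first key entry in a keystore.
     *
     * @param keyStore an initialized keystore
     * @return the alias, or {@code null} if the keystore has no key entry
     * @throws KeyStoreException if the keystore is not initialized
     */
    private static String firstKeyAlias(KeyStore keyStore) throws KeyStoreException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (keyStore.isKeyEntry(alias)) {
                return alias;
            }
        }
        return null;
    }

    /**
     * Counts all entries (keys and certificates) in a keystore.
     *
     * @param keyStore an initialized keystore
     * @return the number of aliases
     * @throws KeyStoreException if the keystore is not initialized
     */
    private static int countEntries(KeyStore keyStore) throws KeyStoreException {
        int count = 0;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            aliases.nextElement();
            count++;
        }
        return count;
    }

    /**
     * Returns a {@link SecureRandom}, strong if requested.
     *
     * @param strong whether to use {@link SecureRandom#getInstanceStrong()}; depending on the
     *        platform configuration the strong instance may block until enough entropy is available
     * @return the random source
     * @throws RuntimeCryptoException if a strong instance is requested but not available
     *         (the BC exception type carries no cause, so the original message is embedded)
     */
    private static SecureRandom getSecureRandom(boolean strong) {
        if (!strong) {
            return new SecureRandom();
        }
        try {
            return SecureRandom.getInstanceStrong();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeCryptoException("could not get strong SecureRandom: " + e.getMessage());
        }
    }

    /**
     * Checks that the signer's private key matches its public key: a fixed test vector is
     * signed by the signer and verified with the BC JCA provider. Signers without a public
     * key are accepted as-is.
     *
     * <p>On mismatch the signer configuration is embedded in the exception message; before
     * that, any {@code password} entry is replaced by {@code ****} so the secret cannot leak
     * into logs, and an {@code algo} entry is added. This mutates the caller's {@code conf}.
     *
     * @param signer the signer under test
     * @param type signer type, included in the error message
     * @param conf signer configuration, included (masked) in the error message
     * @throws ObjectCreationException if the keys do not match or the round trip fails
     */
    private static void validateSigner(ConcurrentContentSigner signer, String type, SignerConf conf) throws ObjectCreationException {
        PublicKey publicKey = signer.getPublicKey();
        if (publicKey == null) {
            return;
        }

        String algorithmName = signer.getAlgorithmName();
        try {
            byte[] testVector = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
            // Resolve the verifier first so an unknown algorithm is reported before signing.
            Signature verifier = Signature.getInstance(algorithmName, "BC");
            byte[] signatureValue = signer.sign(testVector);
            verifier.initVerify(publicKey);
            verifier.update(testVector);
            if (verifier.verify(signatureValue)) {
                return;
            }
            throw new ObjectCreationException(describeKeyMismatch(signer, type, conf, algorithmName));
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | NoIdleSignerException e) {
            throw new ObjectCreationException(e.getMessage(), e);
        }
    }

    /**
     * Builds the error message for a private/public key mismatch, masking the password
     * entry of {@code conf} first (side effect on {@code conf}).
     *
     * @param signer the signer whose keys do not match
     * @param type signer type
     * @param conf signer configuration; its {@code password} entry is masked and {@code algo} is set
     * @param algorithmName signature algorithm name
     * @return the message text
     */
    private static String describeKeyMismatch(ConcurrentContentSigner signer, String type, SignerConf conf, String algorithmName) {
        StringBuilder sb = new StringBuilder();
        sb.append("private key and public key does not match, ");
        sb.append("key type='").append(type).append("'; ");
        // Never let the configured password reach the exception message or the logs.
        if (conf.getConfValue("password") != null) {
            conf.putConfEntry("password", "****");
        }
        conf.putConfEntry("algo", algorithmName);
        sb.append("conf='").append(conf.getConf());
        X509Certificate certificate = signer.getCertificate();
        if (certificate != null) {
            sb.append("', certificate subject='").append(X509Util.getRfc4519Name(certificate.getSubjectX500Principal())).append("'");
        }
        return sb.toString();
    }
}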
