package org.cesecore.keys.util;

import java.io.BufferedWriter;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Locale;
import javax.crypto.KeyGenerator;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.ECKeyUtil;
import org.bouncycastle.operator.BufferingContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.cesecore.certificates.util.AlgorithmTools;
import org.cesecore.config.CesecoreConfiguration;
import org.cesecore.internal.InternalResources;
import org.cesecore.keys.KeyCreationException;
import org.cesecore.keys.token.CachingKeyStoreWrapper;
import org.cesecore.util.Base64;
import org.cesecore.util.CertTools;
import org.cesecore.util.SimpleTime;

/* loaded from: input_file:org/cesecore/keys/util/KeyStoreTools.class */
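/**
 * Helper around a {@link CachingKeyStoreWrapper} for generating keys, installing certificate chains
 * and producing PKCS#10 requests through a named JCA provider.
 * <p>
 * Every generated key pair is stored together with a throw-away self-signed certificate so that the
 * key store accepts the entry; that certificate is not meant to be trusted by anything.
 * <p>
 * Instances are not synchronized; concurrent use must be coordinated by the caller.
 */
public class KeyStoreTools {
    private static final Logger log = Logger.getLogger(KeyStoreTools.class);
    private static final InternalResources intres = InternalResources.getInstance();

    /** Number of attempts made to generate and store a key pair before giving up. */
    private static final int KEY_GENERATION_ATTEMPTS = 3;
    /** Buffer size handed to {@link BufferingContentSigner} when signing the dummy certificate. */
    private static final int SIGNER_BUFFER_SIZE = 20480;
    /** Validity of the dummy self-signed certificate in seconds (30 * 365 days). */
    private static final long DUMMY_CERT_VALIDITY_SECONDS = 946080000L;
    /** Subject (and issuer) DN of the dummy self-signed certificate stored with each generated key pair. */
    private static final String DUMMY_CERT_SUBJECT = "CN=some guy, L=around, C=US";
    /** Signature algorithm used for the dummy certificate of RSA key pairs. */
    private static final String DUMMY_SIGALG_RSA = "SHA1withRSA";
    /** Signature algorithm used for the dummy certificate of DSA key pairs. */
    private static final String DUMMY_SIGALG_DSA = "SHA1withDSA";
    /** Curve "name" that requests an implicitlyCA encoded EC key pair instead of a named curve. */
    private static final String IMPLICITLY_CA = "implicitlyCA";
    /** Key spec prefix for DSA, e.g. "DSA1024"; the digits after the prefix are the key size. */
    private static final int DSA_PREFIX_LENGTH = 3;
    /** Alias under which {@link #installTrustedRoot(String)} stores the root certificate. */
    private static final String TRUSTED_ROOT_ALIAS = "trusted";

    protected final CachingKeyStoreWrapper keyStore;
    private final String providerName;

    /**
     * @param cachingKeyStoreWrapper the key store all entries are read from and written to
     * @param str                    JCA provider name used for key generation and signing
     */
    public KeyStoreTools(CachingKeyStoreWrapper cachingKeyStoreWrapper, String str) {
        this.keyStore = cachingKeyStoreWrapper;
        this.providerName = str;
    }

    /** @return the JCA provider name this instance was created with */
    public String getProviderName() {
        return this.providerName;
    }

    /** @return the wrapped key store */
    public CachingKeyStoreWrapper getKeyStore() {
        return this.keyStore;
    }

    /**
     * Stores {@code key} under {@code str} with an empty (null) entry password.
     *
     * @param str            alias to store under; an existing entry with this alias is replaced
     * @param key            private or secret key
     * @param certificateArr certificate chain for a private key, or {@code null} for a secret key
     * @throws KeyStoreException if the key store rejects the entry
     */
    public void setKeyEntry(String str, Key key, Certificate[] certificateArr) throws KeyStoreException {
        getKeyStore().setKeyEntry(str, key, null, certificateArr);
    }

    private void deleteAlias(String str) throws KeyStoreException {
        getKeyStore().deleteEntry(str);
    }

    /**
     * Deletes one entry, or <em>every</em> entry when {@code str} is {@code null}.
     * Callers that pass through user input should make sure a missing alias cannot become {@code null}.
     *
     * @param str alias to delete, or {@code null} to clear the key store
     * @throws KeyStoreException if the key store cannot enumerate or delete entries
     */
    public void deleteEntry(String str) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        if (str != null) {
            deleteAlias(str);
            return;
        }
        // NOTE(review): entries are deleted while their enumeration is still live — whether that is
        // safe depends on the wrapped key store implementation; confirm.
        Enumeration<String> aliases = getKeyStore().aliases();
        while (aliases.hasMoreElements()) {
            deleteAlias(aliases.nextElement());
        }
    }

    /**
     * Copies the entry stored under {@code str} to alias {@code str2}, using a null protection parameter
     * for both the read and the write.
     *
     * @param str  source alias
     * @param str2 destination alias; an existing entry is replaced
     */
    public void copyEntry(String str, String str2) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException, CertificateException, IOException {
        getKeyStore().setEntry(str2, getKeyStore().getEntry(str, null), null);
    }

    /**
     * Builds the dummy self-signed certificate that accompanies a generated key pair.
     *
     * @param str     subject and issuer DN
     * @param j       validity in seconds, counted from now
     * @param str2    signature algorithm name (e.g. {@link #DUMMY_SIGALG_RSA})
     * @param keyPair key pair to certify and sign with
     * @throws InvalidKeyException  if the key pair has no public key
     * @throws CertificateException if the signer cannot be created or the result cannot be parsed
     */
    private X509Certificate getSelfCertificate(String str, long j, String str2, KeyPair keyPair) throws InvalidKeyException, CertificateException {
        PublicKey publicKey = keyPair.getPublic();
        if (publicKey == null) {
            throw new InvalidKeyException("Public key is null");
        }
        long now = System.currentTimeMillis();
        // notBefore is back-dated one day so small clock differences do not make the certificate "not yet valid".
        Date notBefore = new Date(now - SimpleTime.MILLISECONDS_PER_DAY);
        Date notAfter = new Date(now + (j * 1000));
        X500Name dn = new X500Name(str);
        // The serial number is simply the notBefore timestamp; this certificate is never issued by a CA.
        BigInteger serial = BigInteger.valueOf(notBefore.getTime());
        try {
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(dn, serial, notBefore, notAfter, dn, publicKey);
            log.debug("Keystore signing algorithm " + str2);
            BufferingContentSigner signer = new BufferingContentSigner(
                    new JcaContentSignerBuilder(str2).setProvider(this.providerName).build(keyPair.getPrivate()),
                    SIGNER_BUFFER_SIZE);
            return (X509Certificate) CertTools.getCertfromByteArray(builder.build(signer).getEncoded());
        } catch (IOException e) {
            throw new CertificateException("Could not read certificate", e);
        } catch (OperatorCreationException e2) {
            log.error("Error creating content signer: ", e2);
            throw new CertificateException((Throwable) e2);
        }
    }

    /**
     * Obtains a {@link KeyPairGenerator} for {@code algorithm} from this instance's provider.
     * A missing algorithm or provider is a deployment error, so both are rethrown unchecked.
     */
    private KeyPairGenerator newKeyPairGenerator(String algorithm) {
        try {
            return KeyPairGenerator.getInstance(algorithm, this.providerName);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Algorithm " + algorithm + " was not recognized.", e);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException("Provider " + this.providerName + " was not found.", e);
        }
    }

    /**
     * Generates an EC key pair on the named curve (or implicitlyCA) and stores it under {@code str2}.
     *
     * @param str  BC curve name, or {@link #IMPLICITLY_CA}
     * @param str2 alias for the new entry
     * @throws InvalidAlgorithmParameterException if the provider does not support the curve
     */
    private void generateEC(String str, String str2) throws InvalidAlgorithmParameterException {
        if (log.isTraceEnabled()) {
            log.trace(">generate EC: curve name " + str + ", keyEntryName " + str2);
        }
        KeyPairGenerator generator = newKeyPairGenerator(AlgorithmConstants.KEYALGORITHM_EC);
        try {
            // There is no EC generation path for the IAIK provider in this class.
            if (StringUtils.contains(Security.getProvider(this.providerName).getClass().getName(), "iaik")) {
                throw new InvalidAlgorithmParameterException("IAIK ECC key generation not implemented.");
            }
            AlgorithmParameterSpec spec;
            if (StringUtils.equals(str, IMPLICITLY_CA)) {
                if (log.isDebugEnabled()) {
                    log.debug("Generating implicitlyCA encoded ECDSA key pair");
                }
                // A null spec is passed straight to the provider; presumably it then uses its implicitlyCA parameters.
                spec = null;
            } else {
                String curveOid = AlgorithmTools.getEcKeySpecOidFromBcName(str);
                if (log.isDebugEnabled()) {
                    log.debug("keySpecification '" + str + "' transformed into OID " + curveOid);
                }
                spec = new ECGenParameterSpec(curveOid);
            }
            generator.initialize(spec);
        } catch (InvalidAlgorithmParameterException e) {
            log.debug("EC name " + str + " not supported.");
            throw e;
        }
        generateKeyPair(generator, str2, AlgorithmConstants.SIGALG_SHA1_WITH_ECDSA);
        if (log.isTraceEnabled()) {
            log.trace("<generate: curve name " + str + ", keyEntryName " + str2);
        }
    }

    /**
     * Generates a key pair for one of the "extra" EC-style algorithms (GOST R 34.10, DSTU 4145).
     *
     * @param str  curve name handed to {@link ECGenParameterSpec}
     * @param str2 alias for the new entry
     * @param str3 key algorithm name
     * @param str4 signature algorithm for the dummy certificate
     * @throws InvalidAlgorithmParameterException if the provider does not support the curve
     */
    private void generateExtraEC(String str, String str2, String str3, String str4) throws InvalidAlgorithmParameterException {
        if (log.isTraceEnabled()) {
            log.trace(">generate " + str3 + ": curve name " + str + ", keyEntryName " + str2);
        }
        KeyPairGenerator generator = newKeyPairGenerator(str3);
        try {
            generator.initialize(new ECGenParameterSpec(str));
        } catch (InvalidAlgorithmParameterException e) {
            log.debug("EC " + str3 + " name " + str + " not supported.");
            throw e;
        }
        generateKeyPair(generator, str2, str4);
        if (log.isTraceEnabled()) {
            log.trace("<generate: curve name " + str + ", keyEntryName " + str2);
        }
    }

    private void generateGOST3410(String str, String str2) throws InvalidAlgorithmParameterException {
        generateExtraEC(str, str2, AlgorithmConstants.KEYALGORITHM_ECGOST3410, AlgorithmConstants.SIGALG_GOST3411_WITH_ECGOST3410);
    }

    private void generateDSTU4145(String str, String str2) throws InvalidAlgorithmParameterException {
        generateExtraEC(str, str2, AlgorithmConstants.KEYALGORITHM_DSTU4145, AlgorithmConstants.SIGALG_GOST3411_WITH_DSTU4145);
    }

    /**
     * Generates an RSA key pair of {@code i} bits and stores it under {@code str}.
     * Key-size policy is not enforced here; callers decide what sizes are acceptable.
     */
    private void generateRSA(int i, String str) {
        if (log.isTraceEnabled()) {
            log.trace(">generate: keySize " + i + ", keyEntryName " + str);
        }
        KeyPairGenerator generator = newKeyPairGenerator(AlgorithmConstants.KEYALGORITHM_RSA);
        generator.initialize(i);
        generateKeyPair(generator, str, DUMMY_SIGALG_RSA);
        if (log.isTraceEnabled()) {
            log.trace("<generate: keySize " + i + ", keyEntryName " + str);
        }
    }

    /** Generates a DSA key pair of {@code i} bits and stores it under {@code str}. */
    private void generateDSA(int i, String str) {
        if (log.isTraceEnabled()) {
            log.trace(">generate: keySize " + i + ", keyEntryName " + str);
        }
        KeyPairGenerator generator = newKeyPairGenerator(AlgorithmConstants.KEYALGORITHM_DSA);
        generator.initialize(i);
        generateKeyPair(generator, str, DUMMY_SIGALG_DSA);
        if (log.isTraceEnabled()) {
            log.trace("<generate: keySize " + i + ", keyEntryName " + str);
        }
    }

    /**
     * Generates a key pair described by a textual key specification and stores it under {@code str2}.
     * <p>
     * The specification is interpreted in this order: {@code DSA<bits>}; a GOST R 34.10 spec (when
     * enabled); a DSTU 4145 OID spec (when enabled); a plain number, taken as an RSA key size in bits;
     * anything else is treated as an EC curve name.
     *
     * @param str  key specification, e.g. {@code "2048"}, {@code "DSA1024"}, {@code "secp256r1"}
     * @param str2 alias for the new entry
     * @throws InvalidAlgorithmParameterException if an EC curve is not supported by the provider
     * @throws NumberFormatException              if a DSA specification has no parsable key size
     */
    public void generateKeyPair(String str, String str2) throws InvalidAlgorithmParameterException {
        // Locale.ROOT so the prefix check is not affected by locale-specific case mappings.
        if (str.toUpperCase(Locale.ROOT).startsWith(AlgorithmConstants.KEYALGORITHM_DSA)) {
            generateDSA(Integer.parseInt(str.substring(DSA_PREFIX_LENGTH).trim()), str2);
            return;
        }
        if (AlgorithmTools.isGost3410Enabled() && str.startsWith(AlgorithmConstants.KEYSPECPREFIX_ECGOST3410)) {
            generateGOST3410(str, str2);
            return;
        }
        if (AlgorithmTools.isDstu4145Enabled() && str.startsWith(CesecoreConfiguration.getOidDstu4145() + ".")) {
            generateDSTU4145(str, str2);
            return;
        }
        try {
            generateRSA(Integer.parseInt(str.trim()), str2);
        } catch (NumberFormatException e) {
            // Not a number, so not an RSA key size: fall through to the EC curve-name path.
            generateEC(str, str2);
        }
    }

    /**
     * Generates a symmetric key and stores it under {@code str2} with no certificate chain.
     *
     * @param str  key algorithm name understood by {@link KeyGenerator}
     * @param i    key size in bits
     * @param str2 alias for the new entry
     */
    public void generateKey(String str, int i, String str2) throws NoSuchAlgorithmException, NoSuchProviderException, KeyStoreException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(str, this.providerName);
        keyGenerator.init(i);
        setKeyEntry(str2, keyGenerator.generateKey(), null);
    }

    /**
     * Generates a key pair from an explicit {@link AlgorithmParameterSpec} and stores it under {@code str}.
     * The key algorithm is inferred from the spec's class name: DSA and RSA are recognised, everything else
     * is treated as EC.
     *
     * @throws InvalidAlgorithmParameterException if the provider rejects the spec
     */
    public void generateKeyPair(AlgorithmParameterSpec algorithmParameterSpec, String str) throws InvalidAlgorithmParameterException, CertificateException, IOException {
        String specClassName = algorithmParameterSpec.getClass().getName();
        if (log.isTraceEnabled()) {
            log.trace(">generate from AlgorithmParameterSpec: " + specClassName);
        }
        String keyAlgorithm = AlgorithmConstants.KEYALGORITHM_EC;
        String dummySigAlg = AlgorithmConstants.SIGALG_SHA1_WITH_ECDSA;
        if (specClassName.contains(AlgorithmConstants.KEYALGORITHM_DSA)) {
            keyAlgorithm = AlgorithmConstants.KEYALGORITHM_DSA;
            dummySigAlg = DUMMY_SIGALG_DSA;
        } else if (specClassName.contains(AlgorithmConstants.KEYALGORITHM_RSA)) {
            keyAlgorithm = AlgorithmConstants.KEYALGORITHM_RSA;
            dummySigAlg = DUMMY_SIGALG_RSA;
        }
        KeyPairGenerator generator = newKeyPairGenerator(keyAlgorithm);
        try {
            generator.initialize(algorithmParameterSpec);
        } catch (InvalidAlgorithmParameterException e) {
            log.debug("Algorithm parameters not supported: " + e.getMessage());
            throw e;
        }
        generateKeyPair(generator, str, dummySigAlg);
        if (log.isTraceEnabled()) {
            log.trace("<generate from AlgorithmParameterSpec: " + specClassName);
        }
    }

    /**
     * Generates a key pair from an initialised generator and stores it, with a dummy self-signed
     * certificate, under {@code str}. Storing is retried up to {@link #KEY_GENERATION_ATTEMPTS} times
     * on {@link KeyStoreException}.
     *
     * @param keyPairGenerator initialised generator
     * @param str              alias for the new entry
     * @param str2             signature algorithm for the dummy certificate
     * @throws KeyCreationException if the dummy certificate cannot be built, or if every attempt to
     *                              store the key fails (previously this case returned silently, leaving
     *                              no key in the store)
     */
    private void generateKeyPair(KeyPairGenerator keyPairGenerator, String str, String str2) {
        KeyStoreException lastFailure = null;
        for (int attempt = 1; attempt <= KEY_GENERATION_ATTEMPTS; attempt++) {
            try {
                log.debug("generating...");
                KeyPair keyPair = keyPairGenerator.generateKeyPair();
                X509Certificate[] chain = {getSelfCertificate(DUMMY_CERT_SUBJECT, DUMMY_CERT_VALIDITY_SECONDS, str2, keyPair)};
                log.debug("Creating certificate with entry " + str + '.');
                setKeyEntry(str, keyPair.getPrivate(), chain);
                return;
            } catch (InvalidKeyException e) {
                throw new KeyCreationException("Dummy certificate chain was created with an invalid key", e);
            } catch (CertificateException e) {
                throw new KeyCreationException("Can't create keystore because dummy certificate chain creation failed.", e);
            } catch (KeyStoreException e) {
                lastFailure = e;
                log.info("Failed to generate or store new key, will try 3 times. This was try: " + attempt, e);
            }
        }
        throw new KeyCreationException("Failed to generate or store new key for entry " + str + " after " + KEY_GENERATION_ATTEMPTS + " attempts.", lastFailure);
    }

    /**
     * Creates a PKCS#10 request for the key pair stored under {@code str} and writes it, PEM encoded,
     * to {@code <alias>.pem} in the working directory.
     *
     * @param str  alias whose certificate and private key are used
     * @param str2 subject DN for the request, or {@code null} for {@code CN=<alias>}
     * @param z    whether to encode an EC public key with explicit curve parameters
     * @throws Exception if the alias has no certificate or key, or if the request's signature does not verify
     */
    public void generateCertReq(String str, String str2, boolean z) throws Exception {
        X509Certificate certificate = getCertificate(str);
        if (certificate == null) {
            throw new Exception(intres.getLocalizedMessage("token.errornocertalias", str));
        }
        PublicKey publicKey = certificate.getPublicKey();
        PrivateKey privateKey = getPrivateKey(str);
        if (privateKey == null) {
            throw new Exception(intres.getLocalizedMessage("token.errornokeyalias", str));
        }
        if (log.isDebugEnabled()) {
            log.debug("alias: " + str + " SHA1 of public key: " + CertTools.getFingerprintAsString(publicKey.getEncoded()));
        }
        // First suitable signature algorithm for the key; hasNext() avoids a NoSuchElementException on an
        // empty list so the SHA1withRSA fallback below is actually reachable.
        Iterator<String> sigAlgs = AlgorithmTools.getSignatureAlgorithms(publicKey).iterator();
        String sigAlg = sigAlgs.hasNext() ? sigAlgs.next() : null;
        if (sigAlg == null) {
            sigAlg = AlgorithmConstants.SIGALG_SHA1_WITH_RSA;
        }
        boolean ecdsa = sigAlg.contains(AlgorithmConstants.KEYALGORITHM_ECDSA);
        if (ecdsa && z) {
            log.info("Using explicit parameter encoding for ECC key.");
            // NOTE(review): provider is hard-coded to "BC" here while the rest of the class uses providerName — confirm.
            publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
        } else if (ecdsa) {
            log.info("Using named curve parameter encoding for ECC key.");
        }
        X500Name subject = str2 != null ? new X500Name(str2) : new X500Name("CN=" + str);
        PKCS10CertificationRequest csr = CertTools.genPKCS10CertificationRequest(sigAlg, subject, publicKey, new DERSet(), privateKey, this.keyStore.getProvider().getName());
        // Verify the self-signature against the (possibly re-encoded) public key before handing the request out.
        if (!csr.isSignatureValid(CertTools.genContentVerifierProvider(publicKey))) {
            throw new Exception(intres.getLocalizedMessage("token.errorcertreqverify", str));
        }
        String fileName = str + ".pem";
        // try-with-resources: the file was previously left open when a write failed.
        try (BufferedWriter writer = Files.newBufferedWriter(Paths.get(fileName), StandardCharsets.US_ASCII)) {
            writer.write("-----BEGIN CERTIFICATE REQUEST-----\n");
            writer.write(new String(Base64.encode(csr.getEncoded()), StandardCharsets.US_ASCII));
            writer.write("\n-----END CERTIFICATE REQUEST-----\n");
        }
        log.info("Wrote csr to file: " + fileName);
    }

    /** Reads all certificates from a PEM file, closing the file afterwards. */
    private static X509Certificate[] readCertificateChain(String fileName) throws Exception {
        try (FileInputStream in = new FileInputStream(fileName)) {
            return (X509Certificate[]) CertTools.getCertsFromPEM(in).toArray(new X509Certificate[0]);
        }
    }

    /**
     * Installs the certificate chain in PEM file {@code str} on the key store entry whose public key
     * matches the first certificate in the chain. Only the first matching alias is updated.
     *
     * @throws Exception if the file holds no certificate or no entry has a matching public key
     */
    public void installCertificate(String str) throws Exception {
        X509Certificate[] chain = readCertificateChain(str);
        if (chain.length < 1) {
            throw new Exception("No certificate in file");
        }
        PublicKey leafKey = chain[0].getPublicKey();
        String leafFingerprint = CertTools.getFingerprintAsString(leafKey.getEncoded());
        Enumeration<String> aliases = getKeyStore().aliases();
        boolean notFound = true;
        while (aliases.hasMoreElements() && notFound) {
            String alias = aliases.nextElement();
            X509Certificate existing = getCertificate(alias);
            if (existing == null) {
                // Entries without a certificate (e.g. secret keys) cannot match; skip instead of failing.
                continue;
            }
            PublicKey existingKey = existing.getPublicKey();
            if (log.isDebugEnabled()) {
                log.debug("alias: " + alias + " SHA1 of public hsm key: " + CertTools.getFingerprintAsString(existingKey.getEncoded()) + " SHA1 of first public key in chain: " + leafFingerprint + (chain.length == 1 ? "" : "SHA1 of last public key in chain: " + CertTools.getFingerprintAsString(chain[chain.length - 1].getPublicKey().getEncoded())));
            }
            if (existingKey.equals(leafKey)) {
                log.info("Found a matching public key for alias \"" + alias + "\".");
                getKeyStore().setKeyEntry(alias, getPrivateKey(alias), null, chain);
                notFound = false;
            }
        }
        if (notFound) {
            throw new Exception(intres.getLocalizedMessage("token.errorkeynottoken", leafFingerprint));
        }
    }

    /**
     * Stores the <em>last</em> certificate of PEM file {@code str} as a trusted certificate entry under
     * {@link #TRUSTED_ROOT_ALIAS}, replacing any previous one.
     *
     * @throws Exception if the file holds no certificate
     */
    public void installTrustedRoot(String str) throws Exception {
        X509Certificate[] chain = readCertificateChain(str);
        if (chain.length < 1) {
            throw new Exception("No certificate in file");
        }
        getKeyStore().setCertificateEntry(TRUSTED_ROOT_ALIAS, chain[chain.length - 1]);
    }

    /**
     * @return the private key under {@code str}, or {@code null} (after logging) if there is none
     * @throws ClassCastException if the entry holds a key that is not a {@link PrivateKey}
     */
    private PrivateKey getPrivateKey(String str) throws Exception {
        PrivateKey privateKey = (PrivateKey) getKey(str);
        if (privateKey == null) {
            log.info(intres.getLocalizedMessage("token.errornokeyalias", str));
        }
        return privateKey;
    }

    /** Fetches the key under {@code str} with a null password. */
    private Key getKey(String str) throws Exception {
        return getKeyStore().getKey(str, null);
    }

    /**
     * @return the certificate under {@code str}, or {@code null} (after logging) if there is none
     */
    private X509Certificate getCertificate(String str) throws KeyStoreException {
        X509Certificate x509Certificate = (X509Certificate) this.keyStore.getCertificate(str);
        if (x509Certificate == null) {
            log.info(intres.getLocalizedMessage("token.errornocertalias", str));
        }
        return x509Certificate;
    }
}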
