package org.spin.tools.crypto;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
import org.apache.log4j.Logger;
import org.spin.tools.Base64Codec;
import org.spin.tools.Util;
import org.spin.tools.config.ConfigException;
import org.spin.tools.config.ConfigTool;
import org.spin.tools.config.KeyStoreConfig;
import org.spin.tools.config.KeyStoreType;
import org.spin.tools.crypto.signature.CertData;
import org.spin.tools.crypto.signature.CertID;

/* loaded from: input_file:WEB-INF/lib/spin-tools-1.20.jar:org/spin/tools/crypto/PKITool.class */
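/**
 * Facade over a configured {@link KeyStore}: holds this node's own key pair,
 * an in-memory index of imported X.509 certificates keyed by serial number,
 * the configured CA certificates, and the sign/verify/encrypt/decrypt
 * primitives built on them.
 *
 * <p>Thread-safety: {@link #getInstance()} is synchronized; the certificate
 * index ({@code x509KeyInfoMap}) is guarded by its own monitor for every
 * read, write and iteration. The {@link KeyStore} itself is never modified
 * after construction.
 *
 * <p>Caveats a caller should know about:
 * <ul>
 *   <li>The certificate index is keyed by serial number alone. Serial numbers
 *       are only unique per issuer, so certificates from different CAs with the
 *       same serial would collide in the index.</li>
 *   <li>{@link #addX509Certificate(X509Certificate)} does not validate the
 *       certificate against the CA set; establishing trust is the caller's job.</li>
 *   <li>{@link #signatureAlgorithm} and {@link #publicKeyAlgorithm} are part of
 *       the public API and wire format and are therefore left as they are.</li>
 * </ul>
 */
public final class PKITool {
    /** Certificate type handed to {@link CertificateFactory#getInstance(String)}. */
    public static final String certificateFormat = "X.509";
    /**
     * Transformation used by {@link #encrypt(byte[], PublicKey)} and
     * {@link #decrypt(byte[])}. A bare "RSA" transformation leaves mode and
     * padding to the provider default, so the ciphertext format is
     * provider-dependent; public constant, kept unchanged.
     */
    public static final String publicKeyAlgorithm = "RSA";
    /**
     * Algorithm used by {@link #sign(byte[])} and the {@code verifySignature}
     * family. SHA-1 based signatures are considered weak for new deployments;
     * the value is part of the public API and existing signatures, so it is
     * kept unchanged here.
     */
    public static final String signatureAlgorithm = "SHA1withRSA";
    /**
     * Encoding applied whenever a {@link String} challenge is signed or verified,
     * so that signer and verifier agree on the bytes regardless of each JVM's
     * platform default charset.
     */
    private static final String TEXT_ENCODING = "UTF-8";
    static final Logger log = Logger.getLogger(PKITool.class);
    static final boolean DEBUG = log.isDebugEnabled();
    static final boolean INFO = log.isInfoEnabled();
    private static PKITool instance;
    private final KeyStoreConfig config;
    private final KeyStoreType keystoreType;
    private final KeyStore keystore;
    private final CertificateFactory certFactory;
    private final CertData myX509;
    private final PrivateKey myPrivateKey;
    private final PublicKey myPublicKey;
    // serial number -> certificate data; guarded by its own monitor (see class doc)
    private final Map<BigInteger, CertData> x509KeyInfoMap = Util.makeHashMap();
    // issuer DN of the configured CA certificates -> certificate; filled once at construction
    private final Map<Principal, X509Certificate> caCertificates = Util.makeHashMap();

    /**
     * An X.509 certificate together with the private and public key it belongs to.
     * {@code privateKey} may be null when the alias it was read from is not a
     * private-key entry.
     */
    public static final class KeyPair {
        public final CertData x509Data;
        public final PrivateKey privateKey;
        public final PublicKey publicKey;

        public KeyPair(CertData certData, PrivateKey privateKey, PublicKey publicKey) {
            this.x509Data = certData;
            this.privateKey = privateKey;
            this.publicKey = publicKey;
        }
    }

    /**
     * Returns the process-wide instance, creating it from
     * {@link ConfigTool#loadKeyStoreConfig()} on first use.
     *
     * @throws ConfigException if the keystore configuration cannot be loaded or opened
     */
    public static synchronized PKITool getInstance() {
        if (instance == null) {
            if (DEBUG) {
                log.debug("instance == null");
            }
            instance = makeInstance(ConfigTool.loadKeyStoreConfig());
        }
        return instance;
    }

    /**
     * Creates an independent instance for the given configuration (does not
     * touch the shared instance).
     *
     * @throws ConfigException if the keystore cannot be loaded
     */
    public static PKITool makeInstance(KeyStoreConfig keyStoreConfig) {
        return new PKITool(keyStoreConfig);
    }

    /**
     * Resolves the keystore file named in the configuration to a URI.
     *
     * @throws ConfigException if the configuration has no file
     */
    static final URI getKeyStoreURI(KeyStoreConfig keyStoreConfig) {
        if (keyStoreConfig.getFile() == null) {
            throw new ConfigException("KeyStoreConfig has null File property");
        }
        URI configFileAsURI = ConfigTool.getConfigFileAsURI(keyStoreConfig.getFile().getPath());
        if (INFO) {
            log.info("KeyStore URI: " + configFileAsURI);
        }
        return configFileAsURI;
    }

    /**
     * Opens the configured keystore for reading. The caller owns the returned
     * stream and must close it.
     *
     * @throws ConfigException if the keystore cannot be opened
     */
    private static final InputStream getKeyStoreStream(KeyStoreConfig keyStoreConfig) {
        try {
            return getKeyStoreURI(keyStoreConfig).toURL().openStream();
        } catch (IOException e) {
            throw new ConfigException("Error getting keystore stream", e);
        }
    }

    /**
     * Loads the keystore described by the configuration, closing the underlying
     * stream afterwards (KeyStore.load does not close it).
     */
    private static KeyStore loadKeyStore(KeyStoreConfig keyStoreConfig)
            throws IOException, GeneralSecurityException {
        KeyStore loaded = KeyStore.getInstance(keyStoreConfig.getKeystoreType().name());
        InputStream in = getKeyStoreStream(keyStoreConfig);
        try {
            loaded.load(in, keyStoreConfig.getPasswordAsCharArray());
        } finally {
            in.close();
        }
        return loaded;
    }

    /**
     * Loads the keystore, selects this node's key pair, indexes the CA and
     * imported certificates and logs a summary.
     *
     * @throws ConfigException wrapping any failure during initialization
     */
    private PKITool(KeyStoreConfig keyStoreConfig) {
        if (DEBUG) {
            log.debug("Initializing Keystore");
        }
        Util.guardNotNull(keyStoreConfig, "Null KeyStoreConfig");
        Util.guardNotNull(keyStoreConfig.getKeystoreType(), "Null KeyStoreType");
        Util.guardNotNull(keyStoreConfig.getPasswordAsCharArray(), "Null keystore password");
        try {
            this.config = keyStoreConfig;
            this.keystoreType = keyStoreConfig.getKeystoreType();
            this.certFactory = CertificateFactory.getInstance(certificateFormat);
            this.keystore = loadKeyStore(keyStoreConfig);
            KeyPair mine = determineKeyPair(this.keystore, keyStoreConfig);
            this.myX509 = mine.x509Data;
            this.myPrivateKey = mine.privateKey;
            this.myPublicKey = mine.publicKey;
            fillInCACertMap(keyStoreConfig);
            fillKeyInfoMap();
            debug();
        } catch (Exception e) {
            throw new ConfigException("Error initializing PKITool", e);
        }
    }

    /**
     * Indexes the certificates named by the configured CA aliases.
     *
     * <p>The map is keyed by the certificate's issuer DN, as the original code
     * did: for a self-signed root that equals the subject DN, for an
     * intermediate CA it does not. {@link #getCaCertificate(Principal)} callers
     * depend on this key, so it is kept.
     *
     * @throws CryptoException if an alias has no certificate in the keystore
     */
    private void fillInCACertMap(KeyStoreConfig keyStoreConfig) {
        Iterator<String> aliases = keyStoreConfig.getCaPublicKeyAliases().iterator();
        while (aliases.hasNext()) {
            String alias = aliases.next();
            X509Certificate caCert = getCertificate(alias);
            if (caCert == null) {
                throw new CryptoException("No certificate found for CA alias '" + alias + "'");
            }
            this.caCertificates.put(caCert.getIssuerDN(), caCert);
        }
    }

    public KeyStoreType getKeystoreType() {
        return this.keystoreType;
    }

    public KeyStore getKeystore() {
        return this.keystore;
    }

    /**
     * Rebuilds the serial-number index from every keystore alias that carries a
     * certificate. Aliases without one (e.g. secret-key entries) are logged and
     * skipped rather than failing initialization.
     *
     * @throws CryptoException if the keystore cannot be read or a certificate is not X.509
     */
    private void fillKeyInfoMap() {
        synchronized (this.x509KeyInfoMap) {
            this.x509KeyInfoMap.clear();
            try {
                Enumeration<String> aliases = this.keystore.aliases();
                while (aliases.hasMoreElements()) {
                    String alias = aliases.nextElement();
                    X509Certificate cert = getCertificate(alias);
                    if (cert == null) {
                        log.warn("Keystore alias '" + alias + "' has no certificate; not indexed");
                        continue;
                    }
                    CertData x509Data = getX509Data(cert);
                    this.x509KeyInfoMap.put(x509Data.getCertID().getSerial(), x509Data);
                }
            } catch (CryptoException e) {
                throw e;
            } catch (Exception e2) {
                throw new CryptoException(e2);
            }
        }
    }

    /**
     * Reads the certificate stored under {@code str}, or null if the alias has
     * none.
     *
     * @throws CryptoException if the entry is not an X.509 certificate or the keystore cannot be read
     */
    private X509Certificate getCertificate(String str) {
        try {
            Certificate cert = this.keystore.getCertificate(str);
            if (cert != null && !(cert instanceof X509Certificate)) {
                throw new CryptoException("Certificate for alias '" + str + "' is not X.509 but " + cert.getType());
            }
            return (X509Certificate) cert;
        } catch (KeyStoreException e) {
            throw new CryptoException(e);
        }
    }

    /** True when {@code alias} is a key entry that also carries a certificate, i.e. a real key pair. */
    private static boolean isKeyPairEntry(KeyStore keyStore, String alias) throws KeyStoreException {
        return keyStore.isKeyEntry(alias) && keyStore.getCertificate(alias) != null;
    }

    /**
     * Chooses the node's own key pair: the only one if the keystore holds
     * exactly one, otherwise the one named by the configured key alias.
     *
     * @throws CryptoException if the keystore holds no key pair, or several and no alias is configured
     */
    static final KeyPair determineKeyPair(KeyStore keyStore, KeyStoreConfig keyStoreConfig) {
        Util.guardNotNull(keyStore);
        Util.guardNotNull(keyStoreConfig);
        int pairs = countKeyPairs(keyStore);
        if (pairs == 0) {
            throw new CryptoException("At least one public/private key pair is required.");
        }
        return pairs == 1 ? findKeyPair(keyStore, keyStoreConfig) : getKeyPairByKeyAlias(keyStore, keyStoreConfig);
    }

    /**
     * Returns the first key-pair entry in the keystore.
     *
     * @throws CryptoException if there is none or the keystore cannot be read
     */
    static KeyPair findKeyPair(KeyStore keyStore, KeyStoreConfig keyStoreConfig) {
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (isKeyPairEntry(keyStore, alias)) {
                    return getKeyPair(keyStore, keyStoreConfig, alias);
                }
            }
            throw new CryptoException("At least one public/private key pair is required.");
        } catch (CryptoException e) {
            throw e;
        } catch (Exception e2) {
            throw new CryptoException(e2);
        }
    }

    /**
     * Returns the key pair named by the configured key alias.
     *
     * @throws CryptoException if no alias is configured or it is not a key-pair entry
     */
    static KeyPair getKeyPairByKeyAlias(KeyStore keyStore, KeyStoreConfig keyStoreConfig) {
        String alias = keyStoreConfig.getKeyAlias();
        if (alias == null) {
            throw new CryptoException("There are " + countKeyPairs(keyStore) + " keypairs in " + keyStoreConfig.getFile() + ".  Set the keyAlias property in keystore.xml to specify which keypair to use");
        }
        boolean usable;
        try {
            usable = isKeyPairEntry(keyStore, alias);
        } catch (KeyStoreException e) {
            throw new CryptoException(e);
        }
        if (!usable) {
            throw new CryptoException("keyAlias '" + alias + "' is not a private-key entry with a certificate in " + keyStoreConfig.getFile());
        }
        return getKeyPair(keyStore, keyStoreConfig, alias);
    }

    /** Counts the key-pair entries (private key plus certificate) in the keystore. */
    private static final int countKeyPairs(KeyStore keyStore) {
        int count = 0;
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                if (isKeyPairEntry(keyStore, aliases.nextElement())) {
                    count++;
                }
            }
            return count;
        } catch (KeyStoreException e) {
            throw new CryptoException(e);
        }
    }

    /**
     * Reads the key pair stored under the given alias of this instance's keystore.
     *
     * @throws CryptoException if the alias has no X.509 certificate or cannot be read
     */
    public KeyPair getKeyPair(String str) {
        return getKeyPair(this.keystore, this.config, str);
    }

    /**
     * Reads the certificate and (if present) private key under {@code str}.
     * The keystore password is also used as the key-entry password; a separate
     * key password is not supported by the configuration.
     *
     * @throws CryptoException if the alias has no X.509 certificate, the key is not a
     *         private key, or the keystore cannot be read
     */
    private static final KeyPair getKeyPair(KeyStore keyStore, KeyStoreConfig keyStoreConfig, String str) {
        try {
            Certificate cert = keyStore.getCertificate(str);
            if (!(cert instanceof X509Certificate)) {
                throw new CryptoException("No X.509 certificate found for alias '" + str + "'");
            }
            X509Certificate x509Certificate = (X509Certificate) cert;
            Key key = keyStore.getKey(str, keyStoreConfig.getPasswordAsCharArray());
            if (key != null && !(key instanceof PrivateKey)) {
                throw new CryptoException("Key for alias '" + str + "' is not a private key");
            }
            return new KeyPair(getX509Data(x509Certificate), (PrivateKey) key, x509Certificate.getPublicKey());
        } catch (CryptoException e) {
            throw e;
        } catch (Exception e2) {
            throw new CryptoException(e2);
        }
    }

    public KeyStoreConfig getConfig() {
        return this.config;
    }

    public PrivateKey getMyPrivateKey() {
        return this.myPrivateKey;
    }

    public PublicKey getMyPublicKey() {
        return this.myPublicKey;
    }

    public CertData getMyX509() {
        return this.myX509;
    }

    public CertID getMyCertID() {
        return this.myX509.getCertID();
    }

    /**
     * Wraps a certificate as {@link CertData} (its ID plus DER encoding).
     *
     * @throws CryptoException if the certificate cannot be encoded
     */
    public static CertData getX509Data(X509Certificate x509Certificate) {
        try {
            return new CertData(new CertID(x509Certificate), x509Certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new CryptoException("Could not read encoded bytes for x509 cert", e);
        }
    }

    /** Snapshot of the indexed serial numbers. */
    public Set<BigInteger> getSerialNumbersCopy() {
        synchronized (this.x509KeyInfoMap) {
            return Util.asSet(this.x509KeyInfoMap.keySet());
        }
    }

    /** Snapshot of the indexed certificates. */
    public Set<CertData> getImportedCertsCopy() {
        synchronized (this.x509KeyInfoMap) {
            return Util.asSet(this.x509KeyInfoMap.values());
        }
    }

    /** Index lookup by serial number under the map's monitor; null when absent. */
    private CertData lookup(BigInteger serial) {
        synchronized (this.x509KeyInfoMap) {
            return this.x509KeyInfoMap.get(serial);
        }
    }

    public boolean containsX509Certificate(CertID certID) {
        return containsX509Certificate(certID.getSerial());
    }

    public boolean containsX509Certificate(BigInteger bigInteger) {
        return lookup(bigInteger) != null;
    }

    /**
     * Adds (or replaces, on equal serial) a certificate in the index. No chain
     * or validity checking is performed here; callers decide what to trust.
     *
     * @throws CryptoException if the certificate is null or cannot be encoded
     */
    public void addX509Certificate(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            throw new CryptoException("Null certificate passed in");
        }
        CertData x509Data = getX509Data(x509Certificate);
        synchronized (this.x509KeyInfoMap) {
            this.x509KeyInfoMap.put(x509Data.getCertID().getSerial(), x509Data);
        }
    }

    /** Decodes a DER-encoded X.509 certificate and adds it to the index. */
    public void addX509Certificate(byte[] bArr) {
        addX509Certificate(getX509Certificate(bArr));
    }

    /**
     * Decodes one X.509 certificate from the stream and adds it to the index.
     * The stream is not closed here.
     *
     * @throws CryptoException if the stream is null or does not hold a decodable certificate
     */
    public void addX509Certificate(InputStream inputStream) {
        if (inputStream == null) {
            throw new CryptoException("Null InputStream passed in");
        }
        try {
            addX509Certificate((X509Certificate) this.certFactory.generateCertificate(inputStream));
        } catch (Exception e) {
            throw new CryptoException("Error decoding certificate.  Is it an X.509 cert in the DER encoding?", e);
        }
    }

    /**
     * Materializes the certificate: from its embedded encoding if present,
     * otherwise by looking its ID up in the index (null if unknown).
     */
    public X509Certificate getX509Certificate(CertData certData) {
        Util.guardNotNull(certData);
        byte[] encoded = certData.getX509Certificate();
        if (encoded != null) {
            return getX509Certificate(encoded);
        }
        return getX509Certificate(certData.getCertID());
    }

    public X509Certificate getX509Certificate(CertID certID) {
        Util.guardNotNull(certID);
        return getX509Certificate(certID.getSerial());
    }

    /** The indexed certificate with this serial, or null if none. */
    public X509Certificate getX509Certificate(BigInteger bigInteger) {
        Util.guardNotNull(bigInteger);
        CertData data = lookup(bigInteger);
        if (data == null) {
            return null;
        }
        return getX509Certificate(data.getX509Certificate());
    }

    /**
     * Decodes a DER-encoded X.509 certificate.
     *
     * @throws CryptoException if the bytes are not a decodable certificate
     */
    public X509Certificate getX509Certificate(byte[] bArr) {
        Util.guardNotNull(bArr);
        try {
            return (X509Certificate) this.certFactory.generateCertificate(new ByteArrayInputStream(bArr));
        } catch (CertificateException e) {
            throw new CryptoException("Could not get x509 cert from encoded bytes[]", e);
        }
    }

    /** Mutable copy of the configured CA certificates. */
    public List<X509Certificate> getAllCACerts() {
        return Util.makeArrayList(this.caCertificates.values());
    }

    public X509Certificate removeX509Certificate(CertData certData) {
        Util.guardNotNull(certData);
        return removeX509Certificate(certData.getCertID());
    }

    public X509Certificate removeX509Certificate(CertID certID) {
        Util.guardNotNull(certID);
        return removeX509Certificate(certID.getSerial());
    }

    /**
     * Removes the certificate with this serial from the index.
     *
     * @return the removed certificate, or null if none was indexed
     * @throws CryptoException if the serial is null
     */
    public X509Certificate removeX509Certificate(BigInteger bigInteger) {
        if (bigInteger == null) {
            throw new CryptoException("Null x509Serial passed in.");
        }
        CertData removed;
        synchronized (this.x509KeyInfoMap) {
            removed = this.x509KeyInfoMap.remove(bigInteger);
        }
        return removed == null ? null : getX509Certificate(removed.getX509Certificate());
    }

    /**
     * Public key of the indexed certificate with this serial.
     *
     * @throws CryptoException if no certificate with that serial is indexed
     */
    public PublicKey getPublicKey(BigInteger bigInteger) {
        CertData data = lookup(bigInteger);
        if (data == null) {
            throw new CryptoException("No entry found for x509Serial " + bigInteger);
        }
        return getX509Certificate(data).getPublicKey();
    }

    /** Fresh {@link Cipher} for {@link #publicKeyAlgorithm}; a new instance per call because Cipher is stateful. */
    private static final Cipher getPublicKeyCipher() {
        try {
            return Cipher.getInstance(publicKeyAlgorithm);
        } catch (Exception e) {
            throw new CryptoException(e);
        }
    }

    /** Fresh {@link Signature} for {@link #signatureAlgorithm}; a new instance per call because Signature is stateful. */
    private static final Signature getSignerVerifier() {
        try {
            return Signature.getInstance(signatureAlgorithm);
        } catch (Exception e) {
            throw new CryptoException(e);
        }
    }

    /** Encodes text with {@link #TEXT_ENCODING} so sign and verify agree across JVMs. */
    private static byte[] textBytes(String text) {
        Util.guardNotNull(text, "Null text");
        try {
            return text.getBytes(TEXT_ENCODING);
        } catch (UnsupportedEncodingException e) {
            throw new CryptoException("JVM does not support " + TEXT_ENCODING, e);
        }
    }

    /** Signs the UTF-8 bytes of {@code str} with this node's private key. */
    public byte[] sign(String str) {
        return sign(textBytes(str));
    }

    /**
     * Signs {@code bArr} with this node's private key using {@link #signatureAlgorithm}.
     *
     * @throws CryptoException if the key is unusable or signing fails
     */
    public byte[] sign(byte[] bArr) {
        Util.guardNotNull(bArr, "Null challenge");
        try {
            Signature signer = getSignerVerifier();
            signer.initSign(this.myPrivateKey);
            signer.update(bArr);
            return signer.sign();
        } catch (CryptoException e) {
            throw e;
        } catch (Exception e2) {
            // base64 rather than a charset decode: the challenge is arbitrary bytes
            throw new CryptoException("Invalid key, failed to sign challenge " + Base64Codec.toString(bArr), e2);
        }
    }

    /** Verifies a signature over the UTF-8 bytes of {@code str} against this node's own certificate. */
    public boolean verifySignature(String str, byte[] bArr) {
        return verifySignature(textBytes(str), bArr);
    }

    public boolean verifySignature(String str, byte[] bArr, CertData certData) {
        return verifySignature(str, bArr, certData.getCertID());
    }

    public boolean verifySignature(String str, byte[] bArr, CertID certID) {
        return verifySignature(str, bArr, certID.getSerial());
    }

    public boolean verifySignature(String str, byte[] bArr, BigInteger bigInteger) {
        return verifySignature(textBytes(str), bArr, bigInteger);
    }

    /** Verifies {@code bArr2} over {@code bArr} against this node's own certificate. */
    public boolean verifySignature(byte[] bArr, byte[] bArr2) {
        return verifySignature(bArr, bArr2, this.myX509.getCertID().getSerial());
    }

    public boolean verifySignature(byte[] bArr, byte[] bArr2, CertData certData) {
        return verifySignature(bArr, bArr2, certData.getCertID().getSerial());
    }

    public boolean verifySignature(byte[] bArr, byte[] bArr2, CertID certID) {
        return verifySignature(bArr, bArr2, certID.getSerial());
    }

    /**
     * Verifies signature {@code bArr2} over challenge {@code bArr} with the
     * indexed certificate whose serial is {@code bigInteger}.
     *
     * <p>Outcomes: {@code false} when no certificate with that serial is
     * indexed (logged as an error) or the signature does not match;
     * {@link BadSignatureException} when the signature bytes are malformed;
     * {@link CryptoException} for any other failure or null argument.
     */
    public boolean verifySignature(byte[] bArr, byte[] bArr2, BigInteger bigInteger) {
        guardNoNulls(bArr, bArr2, bigInteger);
        try {
            if (DEBUG) {
                log.debug("Verifying signature, signer: " + bigInteger + " challenge: '" + Base64Codec.toString(bArr) + "' signature: '" + Base64Codec.toString(bArr2) + "'");
            }
            // single lookup instead of contains-then-get, so a concurrent removal cannot slip between them
            X509Certificate signerCert = getX509Certificate(bigInteger);
            if (signerCert == null) {
                log.error("No certificate found for signer key ID " + bigInteger);
                return false;
            }
            if (DEBUG) {
                log.debug("Signer keyID: " + bigInteger);
                log.debug("Signer cert: " + signerCert.toString());
            }
            return verifyWith(bArr2, makeSignerVerifier(bArr, signerCert));
        } catch (SignatureException e) {
            throw new BadSignatureException(e);
        } catch (CryptoException e2) {
            throw e2;
        } catch (Exception e3) {
            throw new CryptoException("Invalid key, failed to verify challenge " + Base64Codec.toString(bArr), e3);
        }
    }

    /** Runs the verification step of an initialized, updated {@link Signature}. */
    private boolean verifyWith(byte[] bArr, Signature signature) throws SignatureException {
        boolean verified = signature.verify(bArr);
        if (DEBUG) {
            log.debug("signature verified: " + verified);
        }
        return verified;
    }

    /** Builds a {@link Signature} initialized with the certificate's key and fed the challenge. */
    private Signature makeSignerVerifier(byte[] bArr, Certificate certificate) throws InvalidKeyException, SignatureException {
        Signature verifier = getSignerVerifier();
        verifier.initVerify(certificate);
        verifier.update(bArr);
        return verifier;
    }

    /**
     * Rejects null verification inputs. Null arrays are reported as "null"
     * rather than handed to the base64 codec.
     *
     * @throws CryptoException if any argument is null
     */
    private void guardNoNulls(byte[] bArr, byte[] bArr2, BigInteger bigInteger) {
        if (bArr == null || bArr2 == null || bigInteger == null) {
            String challenge = bArr == null ? "null" : Base64Codec.toString(bArr);
            String signature = bArr2 == null ? "null" : Base64Codec.toString(bArr2);
            throw new CryptoException("Invalid input:  Verifying signature, signer: " + bigInteger + " challenge: '" + challenge + "' signature: '" + signature + "'");
        }
    }

    /** Encrypts with the public key of the certificate embedded in {@code certData}. */
    public byte[] encrypt(byte[] bArr, CertData certData) {
        return encrypt(bArr, getX509Certificate(certData.getX509Certificate()).getPublicKey());
    }

    public byte[] encrypt(byte[] bArr, CertID certID) {
        return encrypt(bArr, certID.getSerial());
    }

    /**
     * Encrypts with the public key of the indexed certificate with this serial.
     *
     * @throws CryptoException if the serial is unknown or encryption fails
     */
    public byte[] encrypt(byte[] bArr, BigInteger bigInteger) {
        try {
            return encrypt(bArr, getPublicKey(bigInteger));
        } catch (CryptoException e) {
            throw new CryptoException("Error encrypting using the provided key ", e);
        }
    }

    /**
     * Encrypts {@code bArr} with {@code publicKey} using {@link #publicKeyAlgorithm}.
     * Raw RSA takes at most one key-size block of input (minus padding, which
     * the provider chooses); longer input fails with a {@link CryptoException}.
     */
    public byte[] encrypt(byte[] bArr, PublicKey publicKey) {
        try {
            Cipher cipher = getPublicKeyCipher();
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            return cipher.doFinal(bArr);
        } catch (Exception e) {
            throw new CryptoException("Error encrypting: ", e);
        }
    }

    /**
     * Decrypts {@code bArr} with this node's private key.
     *
     * @throws CryptoException if decryption fails (including padding errors)
     */
    public byte[] decrypt(byte[] bArr) {
        try {
            Cipher cipher = getPublicKeyCipher();
            cipher.init(Cipher.DECRYPT_MODE, this.myPrivateKey);
            return cipher.doFinal(bArr);
        } catch (Exception e) {
            throw new CryptoException("Error decrypting: ", e);
        }
    }

    public final PKCryptor cryptor() {
        return new PKCryptor(this);
    }

    /**
     * Logs the keystore type, configuration, aliases, indexed certificate IDs
     * and this node's certificate ID at INFO level. Key material is not logged.
     *
     * @throws CryptoException if the keystore aliases cannot be read
     */
    public final void debug() throws CryptoException {
        if (!INFO) {
            return;
        }
        log.info("Keystore Type: " + this.keystore.getType());
        log.info("Public-key crypto Algorithm: RSA");
        log.info("Signature Algorithm: SHA1withRSA");
        log.info("Config: " + this.config);
        log.info("Key Aliases:");
        try {
            Enumeration<String> aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                log.info("\t" + aliases.nextElement());
            }
        } catch (KeyStoreException e) {
            throw new CryptoException(e);
        }
        log.info("Key IDs:");
        synchronized (this.x509KeyInfoMap) {
            for (CertData data : this.x509KeyInfoMap.values()) {
                log.info(data.getCertID());
            }
        }
        log.info("Private Key ID: " + this.myX509.getCertID());
    }

    /** The configured CA certificate indexed under this principal (issuer DN), or null. */
    public X509Certificate getCaCertificate(Principal principal) {
        return this.caCertificates.get(principal);
    }
}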
