package oracle.kv.impl.security;

import java.io.File;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import javax.security.auth.DestroyFailedException;
import oracle.kv.impl.admin.param.SecurityParams;
import oracle.kv.impl.param.ParameterState;
import oracle.kv.impl.security.ssl.KeyStorePasswordSource;
import oracle.kv.impl.security.util.SecurityUtils;
import oracle.kv.impl.topo.Topology;

/* loaded from: input_file:oracle/kv/impl/security/TopoSignatureHelper.class */
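/**
 * Signs and verifies {@link Topology} instances with the key material named in
 * {@link SecurityParams}.
 *
 * <p>The signing key is read from the keystore on every {@link #sign} call; the
 * keystore password is obtained from a {@link KeyStorePasswordSource} for the
 * duration of the lookup only and is zeroed afterwards on every path. The
 * verification key is taken from the truststore certificate once and cached.
 *
 * <p>Thread-safety: {@link Signature} engines are not thread-safe, so every use
 * of the shared engine is serialized on the {@code signature} monitor.
 * {@link #getPublicKey()} relies on that monitor being held by its caller.
 */
public class TopoSignatureHelper implements SignatureHelper<Topology> {
    /** Keystore alias of the signing key, used when none is configured. */
    private static final String SIG_PRIVATE_KEY_ALIAS_DEFAULT = "shared";
    /** Truststore alias of the verification certificate, used when none is configured. */
    private static final String SIG_PUBLIC_KEY_ALIAS_DEFAULT = "mykey";
    /** Signature algorithm used when none (or an empty name) is configured. */
    private static final String SIG_ALGORITHM_DEFAULT = "SHA256withRSA";

    /** Keystore holding the private signing key under {@link #privKeyAlias}. */
    private final KeyStore keyStore;
    /** Truststore holding, under {@link #certAlias}, the certificate whose public key verifies signatures. */
    private final KeyStore certStore;
    private final String privKeyAlias;
    private final String certAlias;
    /** Supplies the keystore password; every array it returns is cleared after use. */
    private final KeyStorePasswordSource ksPwdSource;
    /** Shared signing/verification engine; all access is synchronized on this object. */
    private final Signature signature;
    /** Lazily resolved verification key; guarded by the {@link #signature} monitor. */
    private PublicKey publicKey;

    /**
     * Signals that the signing or verification key could not be obtained from
     * its store. Unchecked; {@link #sign} and {@link #verify} translate it into
     * a {@code SignatureFaultException}.
     */
    public static class KeyAccessException extends RuntimeException {
        private static final long serialVersionUID = 1;

        public KeyAccessException(String message, Throwable cause) {
            super(message, cause);
        }

        public KeyAccessException(String message) {
            super(message);
        }
    }

    /**
     * Creates a helper from the given security parameters.
     *
     * <p>Loads the keystore ({@code ParameterState.SEC_KEYSTORE_FILE}) and the
     * truststore ({@code ParameterState.SEC_TRUSTSTORE_FILE}) from the
     * configuration directory using the password from
     * {@link KeyStorePasswordSource#create}, and falls back to the
     * {@code SIG_*_DEFAULT} values for any unset alias or algorithm. The
     * password array is cleared before this method returns, whether or not
     * loading succeeds.
     *
     * @param securityParams the security configuration; must not be null
     * @return a helper ready to sign and verify topologies
     * @throws IllegalArgumentException if {@code securityParams} is null, no
     *         password source can be created, or the configured signature
     *         algorithm is not available
     */
    public static TopoSignatureHelper buildFromSecurityParams(SecurityParams securityParams) {
        if (securityParams == null) {
            throw new IllegalArgumentException("Security params must not be null");
        }
        String privKeyAlias = securityParams.getKeystoreSigPrivateKeyAlias();
        if (privKeyAlias == null) {
            privKeyAlias = SIG_PRIVATE_KEY_ALIAS_DEFAULT;
        }
        String certAlias = securityParams.getTruststoreSigPublicKeyAlias();
        if (certAlias == null) {
            certAlias = SIG_PUBLIC_KEY_ALIAS_DEFAULT;
        }
        final KeyStorePasswordSource pwdSource = KeyStorePasswordSource.create(securityParams);
        if (pwdSource == null) {
            throw new IllegalArgumentException("Unable to create keystore password source");
        }
        /* An empty algorithm name is treated the same as an unset one. */
        String sigAlgorithm = securityParams.getSignatureAlgorithm();
        if (sigAlgorithm == null || sigAlgorithm.isEmpty()) {
            sigAlgorithm = SIG_ALGORITHM_DEFAULT;
        }
        final String keyStorePath =
            securityParams.getConfigDir() + File.separator + securityParams.getKeystoreFile();
        final String trustStorePath =
            securityParams.getConfigDir() + File.separator + securityParams.getTruststoreFile();

        char[] password = null;
        try {
            password = pwdSource.getPassword();
            final KeyStore keyStore = SecurityUtils.loadKeyStore(
                keyStorePath, password, ParameterState.SEC_KEYSTORE_FILE, securityParams.getKeystoreType());
            final KeyStore certStore = SecurityUtils.loadKeyStore(
                trustStorePath, password, ParameterState.SEC_TRUSTSTORE_FILE, securityParams.getTruststoreType());
            return new TopoSignatureHelper(sigAlgorithm, keyStore, privKeyAlias, certStore, certAlias, pwdSource);
        } finally {
            /* Zero the password on every path; the source may hand back null. */
            if (password != null) {
                SecurityUtils.clearPassword(password);
            }
        }
    }

    /**
     * Builds the helper around an already-loaded keystore and truststore.
     *
     * @param sigAlgorithm JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param keyStore store containing the signing key
     * @param privKeyAlias alias of the signing key in {@code keyStore}
     * @param certStore store containing the verification certificate
     * @param certAlias alias of the certificate in {@code certStore}
     * @param ksPwdSource source of the password protecting the signing key
     * @throws IllegalArgumentException if no provider supports {@code sigAlgorithm}
     */
    private TopoSignatureHelper(String sigAlgorithm, KeyStore keyStore, String privKeyAlias,
                                KeyStore certStore, String certAlias, KeyStorePasswordSource ksPwdSource) {
        try {
            this.signature = Signature.getInstance(sigAlgorithm);
        } catch (NoSuchAlgorithmException e) {
            /* Keep the cause so a provider-lookup failure stays diagnosable. */
            throw new IllegalArgumentException("Unrecognized signature algorithm: " + sigAlgorithm, e);
        }
        this.keyStore = keyStore;
        this.privKeyAlias = privKeyAlias;
        this.certStore = certStore;
        this.certAlias = certAlias;
        this.ksPwdSource = ksPwdSource;
    }

    /**
     * Signs the topology's serialized form with the configured private key.
     *
     * @param topology the topology to sign
     * @return the signature bytes
     * @throws SignatureFaultException if the topology cannot be serialized, the
     *         private key cannot be read from the keystore, the key is rejected
     *         by the signature engine, or signing itself fails
     */
    @Override // oracle.kv.impl.security.SignatureHelper
    public byte[] sign(Topology topology) throws SignatureFaultException {
        final byte[] payload;
        try {
            payload = topology.toByteArrayForSignature();
        } catch (IOException e) {
            throw new SignatureFaultException("Failed to get topology bytes", e);
        }
        /* The engine holds per-operation state, so one operation at a time. */
        synchronized (signature) {
            try {
                signature.initSign(getPrivateKey());
                signature.update(payload);
                return signature.sign();
            } catch (InvalidKeyException e) {
                throw new SignatureFaultException("Private key used to generate signature is invalid", e);
            } catch (SignatureException e) {
                throw new SignatureFaultException("Problem while attempting to sign topology", e);
            } catch (KeyAccessException e) {
                throw new SignatureFaultException("Failed to access private key", e);
            }
        }
    }

    /**
     * Checks {@code sigBytes} against the topology's serialized form using the
     * configured public key.
     *
     * @param topology the topology whose signature is checked
     * @param sigBytes the signature to verify; {@code null} is treated as
     *        not verifying rather than raising an exception
     * @return {@code true} only if the signature matches
     * @throws SignatureFaultException if the topology cannot be serialized, the
     *         certificate cannot be read from the truststore, the key is rejected
     *         by the signature engine, or verification itself fails
     */
    @Override // oracle.kv.impl.security.SignatureHelper
    public boolean verify(Topology topology, byte[] sigBytes) throws SignatureFaultException {
        if (sigBytes == null) {
            /* Fail closed: a missing signature is simply not a valid one. */
            return false;
        }
        final byte[] payload;
        try {
            payload = topology.toByteArrayForSignature();
        } catch (IOException e) {
            throw new SignatureFaultException("Failed to get topology bytes", e);
        }
        synchronized (signature) {
            try {
                signature.initVerify(getPublicKey());
                signature.update(payload);
                return signature.verify(sigBytes);
            } catch (InvalidKeyException e) {
                throw new SignatureFaultException("Public key used to verify signature is invalid", e);
            } catch (SignatureException e) {
                throw new SignatureFaultException("Problem while attempting to verify topology", e);
            } catch (KeyAccessException e) {
                throw new SignatureFaultException("Failed to access public key", e);
            }
        }
    }

    /**
     * Reads the signing key from the keystore under {@link #privKeyAlias}.
     *
     * <p>The keystore password is fetched from {@link #ksPwdSource} only for
     * the duration of the lookup. Both the password array and the
     * {@link KeyStore.PasswordProtection} built from it (which keeps its own
     * copy of the password) are cleared in {@code finally}, so they are wiped
     * even when the lookup throws.
     *
     * @return the private key
     * @throws KeyAccessException if the keystore is not loaded, the alias is
     *         missing or does not name a private-key entry, the password does
     *         not unlock the entry, or the key's algorithm is unavailable
     */
    private PrivateKey getPrivateKey() throws KeyAccessException {
        char[] password = null;
        KeyStore.PasswordProtection protection = null;
        try {
            password = ksPwdSource.getPassword();
            protection = new KeyStore.PasswordProtection(password);
            final KeyStore.Entry entry = keyStore.getEntry(privKeyAlias, protection);
            if (entry == null) {
                throw new KeyAccessException("Could not find private key entry with alias of " + privKeyAlias);
            }
            /* A trusted-certificate or secret-key entry under this alias would
             * otherwise surface as a bare ClassCastException. */
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new KeyAccessException("Entry with alias of " + privKeyAlias + " is not a private key entry");
            }
            return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
        } catch (KeyStoreException e) {
            throw new KeyAccessException("Keystore is not loaded or initialized", e);
        } catch (NoSuchAlgorithmException e) {
            throw new KeyAccessException("Unable to recover private key entry from keystore", e);
        } catch (UnrecoverableEntryException e) {
            throw new KeyAccessException(
                "Password parameter is invalid or insufficent to recover private key entry from keystore", e);
        } finally {
            if (password != null) {
                SecurityUtils.clearPassword(password);
            }
            if (protection != null) {
                try {
                    protection.destroy();
                } catch (DestroyFailedException ignored) {
                    /* Best effort; the caller-owned array was already zeroed above. */
                }
            }
        }
    }

    /**
     * Returns the verification key, resolving it from the truststore
     * certificate under {@link #certAlias} on first use and caching it.
     *
     * <p>The cache field is neither volatile nor synchronized here; callers
     * must hold the {@link #signature} monitor, as {@link #verify} does.
     *
     * @return the public key of the configured certificate
     * @throws KeyAccessException if the truststore is not loaded or holds no
     *         certificate under the alias
     */
    private PublicKey getPublicKey() throws KeyAccessException {
        if (publicKey != null) {
            return publicKey;
        }
        final Certificate certificate;
        try {
            certificate = certStore.getCertificate(certAlias);
        } catch (KeyStoreException e) {
            throw new KeyAccessException("Certificate store is not loaded or initialized", e);
        }
        if (certificate == null) {
            throw new KeyAccessException("Could not find certificate with alias of " + certAlias + " or other");
        }
        publicKey = certificate.getPublicKey();
        return publicKey;
    }
}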
