package no.digipost.security;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.crypto.Cipher;
import no.digipost.security.cert.CertificateNotFound;
import no.digipost.security.cert.internal.JavaSecurityUtils;
import no.digipost.security.keystore.KeyStoreType;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/digipost/security/DigipostSecurity.class */
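/**
 * Static helpers for reading X.509 certificates, converting between
 * certificate collections, and preparing the JVM's security providers.
 *
 * <p>Loading this class runs {@link #ensureSecurityProvider()} from its static
 * initializer, so merely touching the class may change JVM-wide security state
 * (a security property and the provider list).
 *
 * <p>The {@code read*} methods only <em>parse</em> certificates. Nothing in this
 * class checks signatures, validity periods, revocation or chain of trust;
 * callers must validate a certificate before relying on it.
 */
public final class DigipostSecurity {
    /** Name under which the BouncyCastle provider is looked up in {@link Security}. */
    public static final String PROVIDER_NAME = "BC";
    public static final String PKIX = "PKIX";
    public static final String X509 = "X.509";
    private static final Logger LOG = LoggerFactory.getLogger(DigipostSecurity.class);
    // Fast-path flags; volatile so a write made by one thread is visible to the others.
    private static volatile boolean securityProviderSet = false;
    private static volatile boolean cryptoPolicyPropertySet = false;

    /**
     * Returns the X.509 certificate factory supplied by {@link JavaSecurityUtils}.
     *
     * @return the certificate factory used by every parsing method in this class
     */
    public static CertificateFactory getX509CertificateFactory() {
        return JavaSecurityUtils.getX509CertificateFactory();
    }

    /**
     * Reads the first certificate found in a classpath resource.
     *
     * <p>If the resource holds several certificates, only the first one is
     * returned and the rest are ignored.
     *
     * @param str name of the classpath resource
     * @return the first certificate in the resource
     * @throws CertificateNotFound if the resource contains no certificate
     * @throws NullPointerException if the resource is not on the classpath
     */
    public static X509Certificate readCertificate(String str) {
        return readCertificates(str).findFirst().orElseThrow(() -> new CertificateNotFound(str));
    }

    /**
     * Reads the first certificate found in the given bytes.
     *
     * @param bArr encoded certificate data
     * @return the first certificate in the data
     * @throws CertificateNotFound if the data contains no certificate
     */
    public static X509Certificate readCertificate(byte[] bArr) {
        return readCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * Reads the first certificate found in the given stream. The stream is not
     * closed by this method.
     *
     * @param inputStream stream of encoded certificate data
     * @return the first certificate in the stream
     * @throws CertificateNotFound if the stream contains no certificate
     */
    public static X509Certificate readCertificate(InputStream inputStream) {
        return readCertificates(inputStream).findFirst().orElseThrow(() -> new CertificateNotFound());
    }

    /**
     * Reads every certificate found in a classpath resource.
     *
     * @param str name of the classpath resource, resolved with this class's class loader
     * @return the parsed certificates
     * @throws NullPointerException if the resource is not on the classpath
     * @throws RuntimeException if closing the resource fails or the content cannot be parsed
     */
    public static Stream<X509Certificate> readCertificates(String str) {
        InputStream resource = DigipostSecurity.class.getClassLoader().getResourceAsStream(str);
        Objects.requireNonNull(resource, str + " not found on classpath!");
        // try-with-resources closes the resource on the failure path as well. The
        // returned Stream is backed by the collection that generateCertificates has
        // already produced, so it stays usable after the resource is closed.
        try (InputStream in = resource) {
            return readCertificates(in);
        } catch (IOException e) {
            throw new RuntimeException("Error reading certificate from " + str + ": " + e.getMessage(), e);
        }
    }

    /**
     * Reads every certificate found in the given bytes.
     *
     * @param bArr encoded certificate data
     * @return the parsed certificates
     * @throws RuntimeException if the data cannot be parsed
     */
    public static Stream<X509Certificate> readCertificates(byte[] bArr) {
        return readCertificates(new ByteArrayInputStream(bArr));
    }

    /**
     * Reads every certificate found in the given stream. The stream is not closed
     * by this method.
     *
     * <p>This is parsing only: the returned certificates are not verified in any
     * way. Input from an untrusted source needs path validation against a trust
     * anchor before any certificate in it is used for a security decision.
     *
     * @param inputStream stream of encoded certificate data
     * @return the parsed certificates
     * @throws RuntimeException wrapping the {@link CertificateException} if parsing fails
     * @throws IllegalCertificateType when the stream is consumed and an element is not X.509
     */
    public static Stream<X509Certificate> readCertificates(InputStream inputStream) {
        try {
            return getX509CertificateFactory().generateCertificates(inputStream).stream()
                    .map(DigipostSecurity::requireX509);
        } catch (CertificateException e) {
            throw new RuntimeException("Unable to generate certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Narrows a certificate to {@link X509Certificate}.
     *
     * @param certificate the certificate to narrow
     * @return the same instance, typed as X.509
     * @throws IllegalCertificateType if the certificate is not an {@link X509Certificate}
     *         (this includes {@code null}, which fails the {@code instanceof} test)
     */
    public static X509Certificate requireX509(Certificate certificate) {
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        throw new IllegalCertificateType(certificate);
    }

    /**
     * Streams the certificates of a path in the order the path holds them.
     *
     * @param certPath the certification path
     * @return the path's certificates
     * @throws IllegalCertificateType when the stream is consumed and an element is not X.509
     */
    public static Stream<X509Certificate> asStream(CertPath certPath) {
        return certPath.getCertificates().stream().map(DigipostSecurity::requireX509);
    }

    /**
     * Puts the given certificates into a new JCEKS key store built without a
     * password, each one stored under its subject DN as alias.
     *
     * @param iterable the certificates to store
     * @return a key store holding the certificates
     * @deprecated carried over from the original declaration; no replacement is
     *             named in this file
     */
    @Deprecated
    public static KeyStore asKeyStore(Iterable<X509Certificate> iterable) {
        // getSubjectDN() is kept on purpose: switching to getSubjectX500Principal()
        // could change the alias text that existing callers look entries up by.
        // NOTE(review): two certificates with the same subject DN map to the same
        // alias; how the builder treats that is not visible here - confirm.
        return KeyStoreType.JCEKS.newKeyStore()
                .containing(
                        StreamSupport.stream(iterable.spliterator(), false),
                        certificate -> certificate.getSubjectDN().toString())
                .withNoPassword();
    }

    /**
     * Builds a {@link CertPath} from the certificates, in stream order.
     *
     * <p>The path is only constructed, not validated: no signature, validity or
     * trust-anchor check takes place here.
     *
     * @param stream the certificates, in the order they should appear in the path
     * @return the certification path
     * @throws DigipostSecurityException if the factory cannot build the path
     */
    public static CertPath asCertPath(Stream<X509Certificate> stream) {
        try {
            List<X509Certificate> certificates = stream.collect(Collectors.toList());
            return getX509CertificateFactory().generateCertPath(certificates);
        } catch (CertificateException e) {
            throw new DigipostSecurityException(e);
        }
    }

    /**
     * Describes a certification path, delegating to {@link JavaSecurityUtils}.
     *
     * @param certPath the path to describe
     * @return the description
     */
    public static String describe(CertPath certPath) {
        return JavaSecurityUtils.describe(certPath);
    }

    /**
     * Describes a certificate, delegating to {@link JavaSecurityUtils}.
     *
     * @param certificate the certificate to describe
     * @return the description
     */
    public static String describe(Certificate certificate) {
        return JavaSecurityUtils.describe(certificate);
    }

    /**
     * Registers the BouncyCastle provider unless a provider named
     * {@value #PROVIDER_NAME} is already registered, after first calling
     * {@link #ensureCryptoPolicyUnlimited()}.
     *
     * <p>The existence check is by provider name only. A provider that some other
     * code registered earlier under the same name is accepted as-is, whatever its
     * class or version.
     */
    public static void ensureSecurityProvider() {
        ensureCryptoPolicyUnlimited();
        if (securityProviderSet) {
            return;
        }
        // Locking on Security.class serializes this check-then-add with other
        // callers of this method; code that calls Security.addProvider directly
        // does not necessarily take the same lock.
        synchronized (Security.class) {
            if (Security.getProvider(PROVIDER_NAME) == null) {
                Security.addProvider(new BouncyCastleProvider());
                // NOTE(review): the flag is raised only when this call added the
                // provider. If "BC" was registered beforehand, every later call
                // takes the lock and repeats the lookup.
                securityProviderSet = true;
                LOG.info("Security provider BC added: {}", BouncyCastleProvider.class.getName());
            }
        }
    }

    /**
     * Sets the {@code crypto.policy} security property to {@code unlimited}, once
     * per class load.
     *
     * <p>The JDK consults this property when the JCE framework initializes, so a
     * call made after the first cipher use in the JVM is expected to have no
     * effect. {@link #verifyJceUnlimitedStrength()} checks the policy that is
     * actually in force.
     */
    public static void ensureCryptoPolicyUnlimited() {
        // Unsynchronized check-then-act: two racing threads may both set the
        // property and both log, which is harmless because the value is the same.
        if (cryptoPolicyPropertySet) {
            return;
        }
        Security.setProperty("crypto.policy", "unlimited");
        cryptoPolicyPropertySet = true;
        LOG.info("Security policy set: crypto.policy=unlimited");
    }

    /**
     * Verifies that the JVM permits unrestricted AES key lengths.
     *
     * @throws DigipostSecurityException if the maximum allowed AES key length is
     *         limited, or if it cannot be determined
     */
    public static void verifyJceUnlimitedStrength() {
        try {
            // Integer.MAX_VALUE is what the JDK reports when the unlimited policy is in force.
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
            if (maxAllowedKeyLength != Integer.MAX_VALUE) {
                throw new DigipostSecurityException("Java Cryptography Extension (JCE) Unlimited Strength not enabled! Maximum allowed key length for AES is " + maxAllowedKeyLength);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new DigipostSecurityException("Error when verifying the maximum key length for the AES algorithm. Is Java Cryptography Extension (JCE) Unlimited Strength enabled?", e);
        }
    }

    /** Not instantiable: the class only has static members. */
    private DigipostSecurity() {
    }

    // Runs on class load, after the static fields above have been initialized
    // (LOG is used inside the call).
    static {
        ensureSecurityProvider();
    }
}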
