package org.finos.tracdap.common.config;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.finos.tracdap.common.exception.EConfigLoad;
import org.finos.tracdap.common.exception.ETracInternal;
import org.finos.tracdap.common.exception.EUnexpected;
import org.finos.tracdap.common.startup.StartupLog;
import org.slf4j.event.Level;

/* loaded from: input_file:org/finos/tracdap/common/config/CryptoHelpers.class */
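/**
 * Static helpers for three jobs: storing short text secrets in a {@link KeyStore},
 * producing and checking salted SHA-512 password hashes, and converting asymmetric keys
 * to and from Base64 / PEM text.
 *
 * <p>Secrets are passed in and out as {@link String}, which cannot be wiped from memory;
 * the intermediate {@code char[]} copies made here are cleared where this class owns them.
 */
public class CryptoHelpers {
    /** Key factory algorithms tried, in this order, when decoding a key of unknown type. */
    private static final List<String> KEY_FACTORY_ALGORITHMS = List.of("EC", "RSA", "DSA", "DiffieHellman");

    /** Separator between an entry alias and an attribute name in a key store alias. */
    private static final String ATTRIBUTE_SEPARATOR = "$";

    /** Scheme identifier written into, and required in, the second field of a password hash. */
    private static final String SSHA512_SCHEME = "6";

    /**
     * Stores a text value in the key store as a password-protected secret key entry.
     *
     * @param keyStore the store to write to
     * @param secretKey the password used to protect the entry
     * @param alias the alias the entry is stored under
     * @param text the text to store
     * @throws EConfigLoad if the key cannot be generated or the entry cannot be stored
     */
    public static void writeTextEntry(KeyStore keyStore, String secretKey, String alias, String text) throws EConfigLoad {
        PBEKeySpec spec = new PBEKeySpec(text.toCharArray());
        try {
            KeyStore.SecretKeyEntry entry = new KeyStore.SecretKeyEntry(SecretKeyFactory.getInstance("PBE").generateSecret(spec));
            keyStore.setEntry(alias, entry, new KeyStore.PasswordProtection(secretKey.toCharArray()));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            // Only the alias and the provider message are reported, never the secret text
            throw new EConfigLoad(String.format("Failed to write secret [%s]: %s", alias, e.getMessage()), e);
        } finally {
            // The generated key holds its own copy, so the spec's copy of the text can be wiped
            spec.clearPassword();
        }
    }

    /**
     * Stores a text value and a set of attributes; each attribute is written as a separate
     * entry under the alias {@code alias + "$" + attributeName}.
     *
     * <p>The writes are not atomic: if an attribute fails, the entries written before it
     * stay in the store.
     *
     * @param keyStore the store to write to
     * @param secretKey the password used to protect every entry
     * @param alias the alias of the main entry
     * @param text the text of the main entry
     * @param attributes attribute names mapped to attribute values
     * @throws EConfigLoad if any entry cannot be written
     */
    public static void writeTextEntry(KeyStore keyStore, String secretKey, String alias, String text, Map<String, String> attributes) throws EConfigLoad {
        writeTextEntry(keyStore, secretKey, alias, text);
        for (Map.Entry<String, String> attribute : attributes.entrySet()) {
            writeTextEntry(keyStore, secretKey, alias + ATTRIBUTE_SEPARATOR + attribute.getKey(), attribute.getValue());
        }
    }

    /**
     * Removes an entry from the key store; does nothing when the alias is not present.
     *
     * @param keyStore the store to modify
     * @param alias the alias to remove
     * @throws EConfigLoad if the store rejects the lookup or the deletion
     */
    public static void deleteEntry(KeyStore keyStore, String alias) throws EConfigLoad {
        try {
            if (keyStore.containsAlias(alias)) {
                keyStore.deleteEntry(alias);
            }
        } catch (GeneralSecurityException e) {
            // The message used to say "read", which sent operators looking at the wrong operation
            throw new EConfigLoad(String.format("Failed to delete secret [%s]: %s", alias, e.getMessage()), e);
        }
    }

    /**
     * Reports whether the key store holds an entry under the given alias.
     *
     * @param keyStore the store to query
     * @param alias the alias to look for
     * @return {@code true} if the alias exists
     * @throws EConfigLoad if the store cannot be queried
     */
    public static boolean containsEntry(KeyStore keyStore, String alias) throws EConfigLoad {
        try {
            return keyStore.containsAlias(alias);
        } catch (GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to read secret [%s]: %s", alias, e.getMessage()), e);
        }
    }

    /**
     * Reads back a text value stored by {@link #writeTextEntry(KeyStore, String, String, String)}.
     *
     * @param keyStore the store to read from
     * @param secretKey the password protecting the entry
     * @param alias the alias of the entry
     * @return the stored text
     * @throws EConfigLoad if the entry is missing, is not a secret key entry, or cannot be recovered
     */
    public static String readTextEntry(KeyStore keyStore, String secretKey, String alias) throws EConfigLoad {
        try {
            KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(secretKey.toCharArray()));
            if (entry == null) {
                String message = String.format("Secret is not present in the store: [%s]", alias);
                StartupLog.log(CryptoHelpers.class, Level.ERROR, message);
                throw new EConfigLoad(message);
            }
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                String message = String.format("Secret is not a secret key: [%s] is %s", alias, entry.getClass().getSimpleName());
                StartupLog.log(CryptoHelpers.class, Level.ERROR, message);
                throw new EConfigLoad(message);
            }
            KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) entry;
            SecretKeyFactory factory = SecretKeyFactory.getInstance(secretEntry.getSecretKey().getAlgorithm());
            PBEKeySpec spec = (PBEKeySpec) factory.getKeySpec(secretEntry.getSecretKey(), PBEKeySpec.class);
            char[] text = spec.getPassword();
            try {
                return new String(text);
            } finally {
                // Wipe the temporary copies; the returned String is the caller's responsibility
                Arrays.fill(text, '\0');
                spec.clearPassword();
            }
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to read secret [%s]: %s", alias, e.getMessage()), e);
        }
    }

    /**
     * Reports whether an attribute entry exists, i.e. whether the store has the alias
     * {@code alias + "$" + attributeName}.
     *
     * @param keyStore the store to query
     * @param alias the alias of the main entry
     * @param attributeName the attribute to look for
     * @return {@code true} if the attribute entry exists
     * @throws EConfigLoad if the store cannot be queried
     */
    public static boolean containsAttribute(KeyStore keyStore, String alias, String attributeName) throws EConfigLoad {
        try {
            return keyStore.containsAlias(alias + ATTRIBUTE_SEPARATOR + attributeName);
        } catch (GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to read secret [%s]: %s", alias, e.getMessage()), e);
        }
    }

    /**
     * Reads an attribute value stored under {@code alias + "$" + attributeName}.
     *
     * @param keyStore the store to read from
     * @param secretKey the password protecting the entry
     * @param alias the alias of the main entry
     * @param attributeName the attribute to read
     * @return the attribute text
     * @throws EConfigLoad if the attribute entry is missing or cannot be recovered
     */
    public static String readAttribute(KeyStore keyStore, String secretKey, String alias, String attributeName) throws EConfigLoad {
        return readTextEntry(keyStore, secretKey, alias + ATTRIBUTE_SEPARATOR + attributeName);
    }

    /**
     * Builds a salted SHA-512 password hash of the form {@code $6$<salt>$<digest>}, where
     * both fields are unpadded Base64 and the digest is SHA-512 over the UTF-8 password
     * bytes followed by the salt.
     *
     * <p>NOTE(security): this is a single SHA-512 pass, which is cheap to compute, so leaked
     * hashes are cheap to guess offline. An iterated or memory-hard function (PBKDF2, bcrypt,
     * scrypt, Argon2) is the usual choice for password storage. It is not swapped in here
     * because that would change the stored format and needs a migration of existing hashes.
     * The salt is supplied by the caller and should come from {@code SecureRandom}.
     *
     * @param password the password to hash
     * @param salt the salt mixed into the digest and stored alongside it
     * @return the encoded hash string
     */
    public static String encodeSSHA512(String password, byte[] salt) {
        byte[] digest = saltedSha512(password, salt);
        Base64.Encoder encoder = Base64.getEncoder().withoutPadding();
        return String.format("$%s$%s$%s", SSHA512_SCHEME, encoder.encodeToString(salt), encoder.encodeToString(digest));
    }

    /**
     * Checks a password against a hash produced by {@link #encodeSSHA512(String, byte[])}.
     *
     * <p>The digests are compared with {@link MessageDigest#isEqual(byte[], byte[])} rather
     * than {@code Arrays.equals}, so the time taken does not depend on how many leading
     * bytes match.
     *
     * @param encodedHash the stored hash, in the form {@code $6$<salt>$<digest>}
     * @param password the candidate password
     * @return {@code true} if the password matches the hash
     * @throws ETracInternal if the hash does not have four {@code $}-separated fields or the scheme is not 6
     * @throws IllegalArgumentException if the salt or digest field is not valid Base64
     */
    public static boolean validateSSHA512(String encodedHash, String password) {
        String[] fields = encodedHash.split("\\$");
        if (fields.length != 4 || !SSHA512_SCHEME.equals(fields[1])) {
            throw new ETracInternal("Invalid password hash");
        }
        Base64.Decoder decoder = Base64.getDecoder();
        byte[] salt = decoder.decode(fields[2]);
        byte[] expected = decoder.decode(fields[3]);
        return MessageDigest.isEqual(saltedSha512(password, salt), expected);
    }

    /**
     * Encodes a public key as X.509 SubjectPublicKeyInfo.
     *
     * @param publicKey the key to encode
     * @param z {@code true} for PEM text with BEGIN/END lines, {@code false} for bare single-line Base64
     * @return the encoded key
     * @throws EConfigLoad if the key cannot be converted
     */
    public static String encodePublicKey(PublicKey publicKey, boolean z) {
        try {
            KeyFactory factory = KeyFactory.getInstance(publicKey.getAlgorithm());
            byte[] der = factory.getKeySpec(publicKey, X509EncodedKeySpec.class).getEncoded();
            return z ? toPem("PUBLIC KEY", der) : Base64.getEncoder().encodeToString(der);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            // The provider message is passed as an argument: used as the format string, a '%' in it made format() throw
            throw new EConfigLoad(String.format("Failed to encode public key: %s", e.getMessage()), e);
        }
    }

    /**
     * Encodes a private key as PKCS#8.
     *
     * <p>The output is the unencrypted private key; whoever receives the returned string is
     * responsible for protecting it (file permissions, secret store, no logging).
     *
     * @param privateKey the key to encode
     * @param z {@code true} for PEM text with BEGIN/END lines, {@code false} for bare single-line Base64
     * @return the encoded key
     * @throws EConfigLoad if the key cannot be converted
     */
    public static String encodePrivateKey(PrivateKey privateKey, boolean z) {
        try {
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm());
            byte[] der = factory.getKeySpec(privateKey, PKCS8EncodedKeySpec.class).getEncoded();
            return z ? toPem("PRIVATE KEY", der) : Base64.getEncoder().encodeToString(der);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to encode private key: %s", e.getMessage()), e);
        }
    }

    /**
     * Decodes an X.509 encoded public key, trying each algorithm in
     * {@link #KEY_FACTORY_ALGORITHMS} until one accepts the encoding.
     *
     * @param str the encoded key
     * @param z {@code true} if {@code str} is PEM text, {@code false} if it is bare Base64
     * @return the decoded key
     * @throws EConfigLoad if the text is not valid Base64 or no algorithm accepts the key
     */
    public static PublicKey decodePublicKey(String str, boolean z) {
        try {
            byte[] der = z ? fromPem("PUBLIC KEY", str) : Base64.getDecoder().decode(str);
            for (String algorithm : KEY_FACTORY_ALGORITHMS) {
                try {
                    return KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(der));
                } catch (InvalidKeySpecException ignored) {
                    // The encoding does not belong to this algorithm; try the next candidate
                }
            }
            throw new EConfigLoad(String.format("Failed to decode public key: No suitable algorithm (available algorithms are %s)", String.join(", ", KEY_FACTORY_ALGORITHMS)));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to decode public key: %s", e.getMessage()), e);
        }
    }

    /**
     * Decodes a PKCS#8 encoded private key, trying each algorithm in
     * {@link #KEY_FACTORY_ALGORITHMS} until one accepts the encoding.
     *
     * @param str the encoded key
     * @param z {@code true} if {@code str} is PEM text, {@code false} if it is bare Base64
     * @return the decoded key
     * @throws EConfigLoad if the text is not valid Base64 or no algorithm accepts the key
     */
    public static PrivateKey decodePrivateKey(String str, boolean z) {
        try {
            byte[] der = z ? fromPem("PRIVATE KEY", str) : Base64.getDecoder().decode(str);
            for (String algorithm : KEY_FACTORY_ALGORITHMS) {
                try {
                    return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
                } catch (InvalidKeySpecException ignored) {
                    // The encoding does not belong to this algorithm; try the next candidate
                }
            }
            // This message previously said "public key", copied from decodePublicKey
            throw new EConfigLoad(String.format("Failed to decode private key: No suitable algorithm (available algorithms are %s)", String.join(", ", KEY_FACTORY_ALGORITHMS)));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            throw new EConfigLoad(String.format("Failed to decode private key: %s", e.getMessage()), e);
        }
    }

    /** Computes SHA-512 over the UTF-8 bytes of the password followed by the salt. */
    private static byte[] saltedSha512(String password, byte[] salt) {
        try {
            MessageDigest sha512 = MessageDigest.getInstance("SHA-512");
            sha512.update(password.getBytes(StandardCharsets.UTF_8));
            sha512.update(salt);
            return sha512.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new EUnexpected(e);
        }
    }

    /** Wraps DER bytes in BEGIN/END lines for the given label, with the Base64 body broken at 80 characters. */
    private static String toPem(String label, byte[] der) {
        // Explicit charset: the line separator must not depend on the platform default encoding
        byte[] lineSeparator = "\n".getBytes(StandardCharsets.US_ASCII);
        String body = Base64.getMimeEncoder(80, lineSeparator).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    /** Removes the BEGIN/END lines for the given label and all line breaks, then Base64-decodes the remainder. */
    private static byte[] fromPem(String label, String pem) {
        String body = pem
                .replace("-----BEGIN " + label + "-----", "")
                .replace("\r", "")
                .replace("\n", "")
                .replace("-----END " + label + "-----", "");
        return Base64.getMimeDecoder().decode(body);
    }
}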
