package org.forgerock.openam.utils;

import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.security.DecodeAction;
import com.sun.identity.security.SecurityDebug;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.DestroyFailedException;
import org.forgerock.openam.keystore.KeyStoreConfig;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:org/forgerock/openam/utils/AMKeyProvider.class */
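/**
 * {@link KeyProvider} backed by a file-based {@link KeyStore} (JKS by default).
 * <p>
 * The keystore location, type and the files holding the keystore and private-key
 * passwords are read either from system properties (see the {@code DEFAULT_*_PROP}
 * constants), from a {@link KeyStoreConfig}, or are passed in directly. Password
 * files hold one line which is run through {@link #decodePassword(String)}.
 * <p>
 * Security notes for maintainers:
 * <ul>
 *   <li>Both passwords are kept as {@link String}s because the public getters expose
 *       them that way, so they cannot be zeroed after use.</li>
 *   <li>Secret-key entries written by {@link #setSecretKeyEntry(String, String)} and read
 *       by {@link #getSecret(String)} are protected with the <em>keystore</em> password,
 *       whereas {@link #getSecretKey(String)} unlocks with the <em>private-key</em>
 *       password; the two only agree when both passwords are identical.</li>
 *   <li>The private-key cache used by {@link #getKeyPair(String)} is per instance, so
 *       two providers that happen to share an alias never hand out each other's key.</li>
 * </ul>
 */
public class AMKeyProvider implements KeyProvider {
    /** System property naming the keystore file. */
    private static final String DEFAULT_KEYSTORE_FILE_PROP = "com.sun.identity.saml.xmlsig.keystore";
    /** System property naming the file that holds the (possibly encoded) keystore password. */
    private static final String DEFAULT_KEYSTORE_PASS_FILE_PROP = "com.sun.identity.saml.xmlsig.storepass";
    /** System property naming the keystore type; {@code JKS} when unset. */
    private static final String DEFAULT_KEYSTORE_TYPE_PROP = "com.sun.identity.saml.xmlsig.storetype";
    /** System property naming the file that holds the (possibly encoded) private-key password. */
    private static final String DEFAULT_PRIVATE_KEY_PASS_FILE_PROP = "com.sun.identity.saml.xmlsig.keypass";

    private Debug logger = SecurityDebug.debug;
    /** Loaded keystore; stays {@code null} if {@link KeyStore#getInstance(String)} failed. */
    private KeyStore ks = null;
    /** Password protecting private-key entries; {@code null} when never configured. */
    private String privateKeyPass = null;
    /** Keystore integrity password; {@code null} only if reading the password file failed. */
    private String keystorePass = "";
    private String keystoreFile = "";
    private String keystoreType = "JKS";
    private String storePassPath;
    private String keyPassPath;
    /** Base64(public key DER) -> certificate, populated once by {@link #mapPk2Cert()}. */
    HashMap<String, Certificate> keyTable = new HashMap<>();
    /** Private keys already unlocked by {@link #getKeyPair(String)}, keyed by alias. */
    private final Map<String, PrivateKey> mapKey = new ConcurrentHashMap<>();

    /** Builds a provider configured entirely from the default system properties. */
    public AMKeyProvider() {
        this(DEFAULT_KEYSTORE_FILE_PROP, DEFAULT_KEYSTORE_PASS_FILE_PROP,
                DEFAULT_KEYSTORE_TYPE_PROP, DEFAULT_PRIVATE_KEY_PASS_FILE_PROP);
    }

    /**
     * Builds a provider from an explicit configuration object.
     *
     * @param keyStoreConfig keystore file, type, passwords and password-file paths
     * @throws KeyStoreException retained in the signature for existing callers; loading
     *         problems are currently logged by {@link #mapPk2Cert()} rather than thrown
     * @throws IOException see above
     */
    public AMKeyProvider(KeyStoreConfig keyStoreConfig) throws KeyStoreException, IOException {
        this.keystoreFile = keyStoreConfig.getKeyStoreFile();
        this.keystorePass = new String(keyStoreConfig.getKeyStorePassword());
        this.privateKeyPass = new String(keyStoreConfig.getKeyPassword());
        this.keystoreType = keyStoreConfig.getKeyStoreType();
        this.storePassPath = keyStoreConfig.getKeyStorePasswordFile();
        this.keyPassPath = keyStoreConfig.getKeyPasswordFile();
        mapPk2Cert();
    }

    /**
     * Builds a provider whose settings are looked up under the given system property names.
     *
     * @param fileProp      property holding the keystore file path
     * @param storePassProp property holding the path of the keystore password file
     * @param typeProp      property holding the keystore type
     * @param keyPassProp   property holding the path of the private-key password file
     */
    public AMKeyProvider(String fileProp, String storePassProp, String typeProp, String keyPassProp) {
        initialize(fileProp, storePassProp, typeProp, keyPassProp);
        mapPk2Cert();
    }

    /**
     * Builds a provider from literal values (no property or file lookups).
     *
     * @param z         unused; kept so existing callers still compile
     * @param file      keystore file path
     * @param storePass keystore password (already decoded)
     * @param type      keystore type, e.g. {@code JKS}
     * @param keyPass   private-key password (already decoded)
     */
    public AMKeyProvider(boolean z, String file, String storePass, String type, String keyPass) {
        this.keystoreFile = file;
        this.keystoreType = type;
        this.keystorePass = storePass;
        this.privateKeyPass = keyPass;
        mapPk2Cert();
    }

    /** Resolves file path, type and both passwords from system properties. */
    private void initialize(String fileProp, String storePassProp, String typeProp, String keyPassProp) {
        this.keystoreFile = SystemPropertiesManager.get(fileProp);
        if (this.keystoreFile == null || this.keystoreFile.isEmpty()) {
            this.logger.error("JKSKeyProvider: keystore file does not exist");
        }
        this.storePassPath = SystemPropertiesManager.get(storePassProp);
        String configuredType = SystemPropertiesManager.get(typeProp);
        if (configuredType != null) {
            this.keystoreType = configuredType.trim();
        }
        if (this.storePassPath != null) {
            this.keystorePass = readPasswordFile(this.storePassPath);
        } else {
            this.logger.error("JKSKeyProvider: keystore password is null");
        }
        this.keyPassPath = SystemPropertiesManager.get(keyPassProp);
        if (this.keyPassPath != null) {
            this.privateKeyPass = readPasswordFile(this.keyPassPath);
        }
    }

    /**
     * Reads the first line of a password file and decodes it.
     *
     * @param path password file path
     * @return the decoded password, or {@code null} if the file cannot be read or is empty
     */
    protected String readPasswordFile(String path) {
        // NOTE(review): FileReader uses the platform default charset; a non-ASCII
        // password therefore depends on the JVM's file.encoding. Kept as-is so existing
        // deployments are not locked out of their keystore.
        try (BufferedReader reader = new BufferedReader(new FileReader(path))) {
            String line = reader.readLine();
            if (line == null) {
                this.logger.error("Password file " + path + " is empty");
                return null;
            }
            return decodePassword(line);
        } catch (IOException e) {
            this.logger.error("Unable to read private key password file " + path, e);
            return null;
        }
    }

    /**
     * Decodes an encoded password via {@link DecodeAction}.
     * <p>
     * Security caveat: when decoding yields {@code null} the input is returned verbatim,
     * i.e. a plaintext password in the file is accepted silently. Callers that require
     * the file to be encoded must check for that themselves.
     *
     * @param encoded the encoded (or plaintext) password
     * @return the decoded password, or {@code encoded} itself if decoding produced nothing
     */
    public static String decodePassword(String encoded) {
        String decoded = (String) AccessController.doPrivileged(new DecodeAction(encoded));
        return decoded == null ? encoded : decoded;
    }

    /**
     * Instantiates and loads the keystore, then indexes every certificate by its public key.
     * Failures are logged, not thrown; afterwards {@link #keyStore()} reports them to callers.
     */
    private void mapPk2Cert() {
        try {
            this.ks = KeyStore.getInstance(this.keystoreType);
            if (this.keystoreFile == null || this.keystoreFile.isEmpty()) {
                this.logger.error("mapPk2Cert.JKSKeyProvider: KeyStore FileName is null, unable to establish Mapping Public Keys to Certificates!");
                return;
            }
            if (this.keystorePass == null) {
                // KeyStore.load() with a null password skips the JKS integrity check;
                // refuse to load rather than trust an unverified keystore file.
                this.logger.error("mapPk2Cert.JKSKeyProvider: keystore password is null, refusing to load " + this.keystoreFile);
                return;
            }
            try (FileInputStream in = new FileInputStream(this.keystoreFile)) {
                this.ks.load(in, this.keystorePass.toCharArray());
            }
            Enumeration<String> aliases = this.ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (this.ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                    continue; // secret keys have no certificate to index
                }
                PublicKey publicKey = getPublicKey(alias);
                if (publicKey == null) {
                    continue; // already logged; do not abort the whole mapping
                }
                this.keyTable.put(Base64.encode(publicKey.getEncoded()), getCertificate(alias));
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            this.logger.error("mapPk2Cert.JKSKeyProvider:", e);
        }
    }

    /** Returns the keystore, or throws if it was never instantiated, so callers' existing catches handle it. */
    private KeyStore keyStore() throws KeyStoreException {
        if (this.ks == null) {
            throw new KeyStoreException("Keystore '" + this.keystoreFile + "' is not initialised");
        }
        return this.ks;
    }

    /** Private-key password for KeyStore calls; {@code null} when not configured. */
    private char[] privateKeyPassChars() {
        return this.privateKeyPass == null ? null : this.privateKeyPass.toCharArray();
    }

    /** Keystore password for KeyStore calls; {@code null} when not configured. */
    private char[] keystorePassChars() {
        return this.keystorePass == null ? null : this.keystorePass.toCharArray();
    }

    public void setLogger(Debug debug) {
        this.logger = debug;
    }

    /**
     * Replaces both passwords. Keys already cached by {@link #getKeyPair(String)} are kept.
     *
     * @param storePass new keystore password
     * @param keyPass   new private-key password
     */
    @Override
    public void setKey(String storePass, String keyPass) {
        this.keystorePass = storePass;
        this.privateKeyPass = keyPass;
    }

    /**
     * @param alias keystore alias
     * @return the X.509 certificate for the alias, or {@code null} if the alias is empty,
     *         absent, holds a non-X.509 certificate, or the keystore is unusable
     */
    @Override
    public X509Certificate getX509Certificate(String alias) {
        if (alias == null || alias.isEmpty()) {
            return null;
        }
        try {
            Certificate cert = keyStore().getCertificate(alias);
            if (cert == null) {
                return null;
            }
            if (!(cert instanceof X509Certificate)) {
                this.logger.error("Certificate for alias " + alias + " is not X.509 but " + cert.getType());
                return null;
            }
            return (X509Certificate) cert;
        } catch (KeyStoreException e) {
            this.logger.error("Unable to get cert alias:" + alias, e);
            return null;
        }
    }

    /**
     * @param alias keystore alias
     * @return the public key of the alias' certificate, or {@code null} (logged) if unavailable
     */
    @Override
    public PublicKey getPublicKey(String alias) {
        if (alias == null || alias.isEmpty()) {
            return null;
        }
        Certificate cert;
        try {
            cert = keyStore().getCertificate(alias);
        } catch (KeyStoreException e) {
            this.logger.error("Unable to get public key:" + alias, e);
            return null;
        }
        if (cert == null) {
            this.logger.error("Unable to retrieve certificate with alias '" + alias + "' from keystore '" + this.keystoreFile + "'");
            return null;
        }
        return cert.getPublicKey();
    }

    /**
     * Unlocks a private key with the configured private-key password.
     *
     * @param alias keystore alias
     * @return the private key, or {@code null} (logged) if absent, not a private key,
     *         or the password is wrong or unset
     */
    @Override
    public PrivateKey getPrivateKey(String alias) {
        try {
            Key key = keyStore().getKey(alias, privateKeyPassChars());
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
            if (key != null) {
                this.logger.error("Expected a key of type java.security.PrivateKey for alias " + alias + " but got " + key.getClass().getName());
            }
            return null;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            this.logger.error("Unable to get the private key for alias " + alias, e);
            return null;
        }
    }

    /**
     * Unlocks a secret key with the configured <em>private-key</em> password.
     * NOTE(review): entries written by {@link #setSecretKeyEntry(String, String)} are
     * protected with the keystore password, so this only works when the two match.
     *
     * @param alias keystore alias
     * @return the secret key, or {@code null} (logged) if absent or of another type
     */
    @Override
    public SecretKey getSecretKey(String alias) {
        try {
            Key key = keyStore().getKey(alias, privateKeyPassChars());
            if (key instanceof SecretKey) {
                return (SecretKey) key;
            }
            if (key != null) {
                this.logger.error("Expected a key of type javax.crypto.SecretKey but got " + key.getClass().getName());
            }
            return null;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            this.logger.error("Unable to get the secret key for certificate alias " + alias, e);
            return null;
        }
    }

    /**
     * Unlocks a private key with a caller-supplied, possibly encoded password.
     *
     * @param alias       keystore alias
     * @param encodedPass password as accepted by {@link #decodePassword(String)}
     * @return the private key, or {@code null} (logged) on any failure
     */
    @Override
    public PrivateKey getPrivateKey(String alias, String encodedPass) {
        String password = decodePassword(encodedPass);
        if (password == null) {
            this.logger.error("AMKeyProvider.getPrivateKey: null key password returned from decryption for certificate alias:" + alias + " The password maybe incorrect.");
            return null;
        }
        try {
            Key key = keyStore().getKey(alias, password.toCharArray());
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
            if (key != null) {
                this.logger.error("Expected a key of type java.security.PrivateKey for alias " + alias + " but got " + key.getClass().getName());
            }
            return null;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            this.logger.error("Unable to get the private key for alias " + alias, e);
            return null;
        }
    }

    /**
     * Returns the public/private key pair for an alias, caching the unlocked private key
     * in this instance so the keystore password is not re-applied on every call.
     *
     * @param alias keystore alias
     * @return the pair, or {@code null} if either half is unavailable
     */
    public KeyPair getKeyPair(String alias) {
        if (alias == null) {
            return null;
        }
        PublicKey publicKey = getPublicKey(alias);
        PrivateKey privateKey = this.mapKey.get(alias);
        if (privateKey == null) {
            privateKey = getPrivateKey(alias);
            if (privateKey != null) {
                PrivateKey cached = this.mapKey.putIfAbsent(alias, privateKey);
                if (cached != null) {
                    privateKey = cached; // another thread won the race; use its copy
                }
            }
        }
        if (publicKey == null || privateKey == null) {
            return null;
        }
        return new KeyPair(publicKey, privateKey);
    }

    /**
     * @param certificate certificate to look up
     * @return the alias holding exactly this certificate, or {@code null}
     */
    @Override
    public String getCertificateAlias(Certificate certificate) {
        try {
            return keyStore().getCertificateAlias(certificate);
        } catch (KeyStoreException e) {
            this.logger.error("Unable to look up certificate alias", e);
            return null;
        }
    }

    /** @return a fresh copy of the keystore password; empty if none is configured */
    public char[] getKeystorePass() {
        return this.keystorePass == null ? new char[0] : this.keystorePass.toCharArray();
    }

    public String getPrivateKeyPass() {
        return this.privateKeyPass;
    }

    public String getKeystoreType() {
        return this.keystoreType;
    }

    public String getKeystoreFilePath() {
        return this.keystoreFile;
    }

    public String getKeystorePasswordFilePath() {
        return this.storePassPath;
    }

    public String getKeyPasswordFilePath() {
        return this.keyPassPath;
    }

    /** @return the underlying keystore; {@code null} if it could not be instantiated */
    @Override
    public KeyStore getKeyStore() {
        return this.ks;
    }

    /**
     * Adds or replaces a trusted-certificate entry in memory (call {@link #store()} to persist).
     *
     * @throws KeyStoreException if the keystore is unusable; also logged
     */
    public void setCertificateEntry(String alias, Certificate certificate) throws KeyStoreException {
        try {
            keyStore().setCertificateEntry(alias, certificate);
        } catch (KeyStoreException e) {
            this.logger.error(e.getMessage(), e);
            throw e;
        }
    }

    /**
     * @param alias keystore alias
     * @return the certificate for the alias, or {@code null} (logged) if unavailable
     */
    public Certificate getCertificate(String alias) {
        try {
            return keyStore().getCertificate(alias);
        } catch (KeyStoreException e) {
            this.logger.error("Unable to get certificate for alias " + alias, e);
            return null;
        }
    }

    /**
     * Writes the in-memory keystore back to {@link #getKeystoreFilePath()}.
     *
     * @throws KeyStoreException if the keystore or its password is unavailable; also logged
     */
    public void store() throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
        try {
            if (this.keystorePass == null) {
                throw new KeyStoreException("Keystore password is not set; refusing to write " + this.keystoreFile);
            }
            KeyStore store = keyStore();
            try (FileOutputStream out = new FileOutputStream(this.keystoreFile)) {
                store.store(out, this.keystorePass.toCharArray());
            }
        } catch (KeyStoreException e) {
            this.logger.error(e.getMessage(), e);
            throw e;
        }
        if (this.logger.messageEnabled()) {
            this.logger.message("Keystore saved in " + this.keystoreFile);
        }
    }

    /**
     * @param publicKey public key to look up
     * @return the certificate indexed for this public key by {@link #mapPk2Cert()}, or {@code null}
     */
    @Override
    public Certificate getCertificate(PublicKey publicKey) {
        if (publicKey == null) {
            return null;
        }
        return this.keyTable.get(Base64.encode(publicKey.getEncoded()));
    }

    @Override
    public boolean containsKey(String alias) {
        try {
            return keyStore().containsAlias(alias);
        } catch (KeyStoreException e) {
            this.logger.error("Unable to determine key alias presence", e);
            return false;
        }
    }

    /**
     * Stores a UTF-8 string as a {@code RAW} secret-key entry protected with the keystore password,
     * replacing any existing entry under the alias.
     *
     * @param alias  keystore alias
     * @param secret the secret to store
     * @throws KeyStoreException if the keystore is unusable or the entry cannot be written
     */
    public void setSecretKeyEntry(String alias, String secret) throws KeyStoreException {
        SecretKeySpec keySpec = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "RAW");
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(keystorePassChars());
        try {
            KeyStore store = keyStore();
            if (store.containsAlias(alias)) {
                store.deleteEntry(alias);
            }
            store.setEntry(alias, new KeyStore.SecretKeyEntry(keySpec), protection);
        } finally {
            try {
                protection.destroy();
            } catch (DestroyFailedException ignored) {
                // best effort: the password copy in the protection object could not be wiped
            }
        }
    }

    /**
     * Reads a secret written by {@link #setSecretKeyEntry(String, String)}.
     *
     * @param alias keystore alias
     * @return the secret as a UTF-8 string
     * @throws KeyStoreException if the alias is absent, is not a secret-key entry, or cannot be unlocked
     */
    public String getSecret(String alias) throws KeyStoreException {
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(keystorePassChars());
        try {
            KeyStore.Entry entry = keyStore().getEntry(alias, protection);
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw new KeyStoreException("No secret key entry with alias " + alias);
            }
            byte[] raw = ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
            return new String(raw, StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new KeyStoreException("Exception trying to fetch key with alias " + alias, e);
        } finally {
            try {
                protection.destroy();
            } catch (DestroyFailedException e) {
                throw new KeyStoreException("Destroy failed", e);
            }
        }
    }
}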
