package org.xipki.ca.server.keypool;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.xipki.audit.extra.DatabaseMacAuditService;
import org.xipki.audit.services.MacAuditService;
import org.xipki.datasource.DataAccessException;
import org.xipki.datasource.DataSourceWrapper;
import org.xipki.password.PasswordResolver;
import org.xipki.security.KeypairGenerator;
import org.xipki.security.XiSecurityException;
import org.xipki.util.Args;
import org.xipki.util.ConfPairs;
import org.xipki.util.PermissionConstants;
import org.xipki.util.StringUtil;

/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/keypool/KeypoolKeypairGenerator.class */
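/**
 * {@link KeypairGenerator} that hands out pre-generated keypairs stored (encrypted) in a
 * database-backed keypool instead of generating them on demand.
 *
 * <p>Pool entries are AES/GCM ciphertexts of a DER-encoded {@code PrivateKeyInfo}. The
 * AES keys (128/192/256 bit) are derived with PBKDF2 from the password found in the
 * configuration, so the same password must be used by whoever filled the pool.
 *
 * <p>Thread-safety: {@link #generateKeypair(String)} is {@code synchronized} because the
 * single {@link Cipher} instance is shared and {@code Cipher} is not thread-safe.
 * {@link #initialize0} is expected to run before any {@code generateKeypair} call.
 */
public class KeypoolKeypairGenerator extends KeypairGenerator {

    /** AES key sizes, in bits, for which a key is derived from the configured password. */
    private static final int[] AES_KEY_BITS = {128, 192, 256};

    /** GCM authentication-tag length in bits (the {@code encMeta} column supplies the IV). */
    private static final int GCM_TAG_BITS = 128;

    private static final String KDF_ALGORITHM = "PBKDF2WithHmacSHA256";

    /**
     * Fixed KDF salt. It is deliberately constant: the derived keys must be a deterministic
     * function of the password so that ciphertexts written earlier (possibly by another
     * process) can still be decrypted. Changing the salt or iteration count breaks
     * decryption of every entry already in the pool.
     */
    private static final byte[] KDF_SALT = "ENC".getBytes(StandardCharsets.UTF_8);

    private static final int KDF_ITERATIONS = 10000;

    private static final String CIPHER_TRANSFORMATION = "AES/GCM/NoPadding";

    /** Values of {@link CipherData#encAlg} as stored in the pool, mapped to the AES key size. */
    private static final int ENC_ALG_AES128 = 1;
    private static final int ENC_ALG_AES192 = 2;
    private static final int ENC_ALG_AES256 = 3;

    private int shardId;
    private KeypoolQueryExecutor queryExecutor;
    private SecretKey aes128key;
    private SecretKey aes192key;
    private SecretKey aes256key;
    private Cipher cipher;
    private Map<String, DataSourceWrapper> datasources;

    /** keyspec name (e.g. as listed in the pool) -> numeric keyspec id used by the query executor. */
    private final Map<String, Integer> keyspecToId = new HashMap<>();

    /** One encrypted pool entry: which AES key was used, the GCM IV, and the ciphertext. */
    public static class CipherData {
        /** One of {@code 1} (AES-128), {@code 2} (AES-192), {@code 3} (AES-256). */
        int encAlg;
        /** Passed verbatim as the GCM IV. */
        byte[] encMeta;
        /** AES/GCM ciphertext (tag included) of the DER-encoded PrivateKeyInfo. */
        byte[] cipherText;
    }

    /**
     * Sets the shard served by this generator. Must be called before {@link #initialize0}
     * because the value is handed to the {@link KeypoolQueryExecutor} created there.
     *
     * @param i shard id
     */
    public void setShardId(int i) {
        this.shardId = i;
    }

    /** @return the shard id set via {@link #setShardId(int)} (0 if never set) */
    public int getShardId() {
        return this.shardId;
    }

    /**
     * Supplies the datasources this generator may pick from; the one named by the
     * configuration's datasource property is used. The map is stored, not copied.
     *
     * @param map datasource name -> datasource
     */
    public void setDatasources(Map<String, DataSourceWrapper> map) {
        this.datasources = map;
    }

    /**
     * Initialization hook: resolves the datasource, loads the keyspecs the pool can serve,
     * derives the AES keys from the configured password and prepares the cipher.
     *
     * <p>Configuration is validated (datasource and password) before any state is touched so
     * that a bad configuration does not leave a half-initialized generator behind (previously
     * {@code queryExecutor} was set before the password check, so {@link #isHealthy()} could
     * report healthy while {@code cipher} was still {@code null}).
     *
     * @param confPairs generator configuration; must contain the datasource name and password
     * @param passwordResolver unused here
     * @throws XiSecurityException if the named datasource is unknown or the pool cannot be read
     * @throws IllegalArgumentException if the password property is blank
     * @throws IllegalStateException if {@link #setDatasources} was not called, or key
     *         derivation / cipher setup fails
     */
    @Override
    protected void initialize0(ConfPairs confPairs, PasswordResolver passwordResolver) throws XiSecurityException {
        Args.notNull(confPairs, "conf");
        if (this.datasources == null) {
            throw new IllegalStateException("datasources not set; call setDatasources() before initialize");
        }

        String datasourceName = confPairs.value(DatabaseMacAuditService.KEY_DATASOURCE);
        DataSourceWrapper datasource = datasourceName == null ? null : this.datasources.get(datasourceName);
        if (datasource == null) {
            throw new XiSecurityException("no datasource named '" + datasourceName + "' is specified");
        }

        String password = confPairs.value(MacAuditService.KEY_PASSWORD);
        if (StringUtil.isBlank(password)) {
            throw new IllegalArgumentException("property password not defined");
        }

        try {
            this.queryExecutor = new KeypoolQueryExecutor(datasource, this.shardId);
            this.keyspecToId.clear();
            this.keyspecToId.putAll(this.queryExecutor.getKeyspecs());
            restrictToPooledKeyspecs();
        } catch (DataAccessException ex) {
            throw new XiSecurityException(ex.getMessage(), ex);
        }

        deriveAesKeys(password);
        try {
            this.cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException("could not initialize Cipher", ex);
        }
    }

    /**
     * Drops from the inherited {@code keyspecs} every keyspec the pool has no id for, so the
     * generator only advertises what it can actually serve.
     */
    private void restrictToPooledKeyspecs() {
        Set<String> supported = new HashSet<>();
        for (String keyspec : this.keyspecs) {
            if (this.keyspecToId.containsKey(keyspec)) {
                supported.add(keyspec);
            }
        }
        this.keyspecs.clear();
        this.keyspecs.addAll(supported);
    }

    /**
     * Derives the AES-128/192/256 keys from {@code password} with PBKDF2-HMAC-SHA256 using the
     * fixed salt and iteration count above.
     *
     * <p>Caveat: PBKDF2 output is prefix-consistent, so the 128-bit key is a prefix of the
     * 192- and 256-bit keys; the three keys are not independent. This is inherent in how the
     * pool was filled and cannot be changed here without breaking existing entries.
     *
     * <p>The password characters are wiped after use; the {@code String} passed in remains in
     * memory until collected.
     *
     * @param password the configured pool password
     * @throws IllegalStateException if the KDF is unavailable or key derivation fails
     */
    private void deriveAesKeys(String password) {
        char[] passwordChars = password.toCharArray();
        try {
            SecretKeyFactory kdf = SecretKeyFactory.getInstance(KDF_ALGORITHM);
            for (int keyBits : AES_KEY_BITS) {
                PBEKeySpec keySpec = new PBEKeySpec(passwordChars, KDF_SALT, KDF_ITERATIONS, keyBits);
                SecretKey aesKey;
                try {
                    aesKey = new SecretKeySpec(kdf.generateSecret(keySpec).getEncoded(), "AES");
                } finally {
                    keySpec.clearPassword();
                }
                switch (keyBits) {
                    case 128:
                        this.aes128key = aesKey;
                        break;
                    case 192:
                        this.aes192key = aesKey;
                        break;
                    default:
                        this.aes256key = aesKey;
                        break;
                }
            }
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException("could not initialize Cipher", ex);
        } finally {
            Arrays.fill(passwordChars, '\0');
        }
    }

    /**
     * Fetches the next pooled entry for {@code keyspec}, decrypts it and returns the private key.
     *
     * <p>The method is {@code synchronized} because the shared {@link Cipher} is not
     * thread-safe. The earlier inner {@code synchronized (Integer)} block was dropped: it locked
     * on a boxed, possibly cached {@code Integer}, and within one instance the method-level lock
     * already serializes calls. NOTE(review): if several generator instances share one pool,
     * "take next entry" must be atomic in {@link KeypoolQueryExecutor#nextKeyData} itself —
     * confirm that rather than relying on a JVM lock.
     *
     * @param keyspec keyspec name
     * @return the decrypted {@code PrivateKeyInfo}, or {@code null} if {@code keyspec} is not
     *         served by this pool
     * @throws XiSecurityException if the pool is empty for this keyspec, the entry's
     *         {@code encAlg} is unknown, the pool cannot be read, or decryption / GCM tag
     *         verification fails
     */
    @Override
    public synchronized PrivateKeyInfo generateKeypair(String keyspec) throws XiSecurityException {
        Integer keyspecId = this.keyspecToId.get(keyspec);
        if (keyspecId == null) {
            return null;
        }

        CipherData entry;
        try {
            entry = this.queryExecutor.nextKeyData(keyspecId.intValue());
        } catch (DataAccessException ex) {
            throw new XiSecurityException(ex);
        }
        if (entry == null) {
            throw new XiSecurityException("found no keypair of spec " + keyspec + " in the keypool");
        }

        // Resolve the key before touching the cipher so an unknown encAlg never reaches init().
        SecretKey aesKey = aesKeyFor(entry.encAlg);
        GCMParameterSpec gcmSpec = new GCMParameterSpec(GCM_TAG_BITS, entry.encMeta);
        try {
            this.cipher.init(Cipher.DECRYPT_MODE, aesKey, gcmSpec);
            // BadPaddingException here also covers a failed GCM tag check (tampered/foreign entry).
            byte[] der = this.cipher.doFinal(entry.cipherText);
            return PrivateKeyInfo.getInstance(der);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException ex) {
            throw new XiSecurityException("error decrypting ciphertext", ex);
        }
    }

    /**
     * Maps a pool entry's {@code encAlg} to the derived AES key.
     *
     * @throws XiSecurityException for any value other than 1, 2 or 3
     */
    private SecretKey aesKeyFor(int encAlg) throws XiSecurityException {
        switch (encAlg) {
            case ENC_ALG_AES128:
                return this.aes128key;
            case ENC_ALG_AES192:
                return this.aes192key;
            case ENC_ALG_AES256:
                return this.aes256key;
            default:
                throw new XiSecurityException("unknown encryption algorithm " + encAlg);
        }
    }

    /** @return {@code true} once initialized and the query executor reports itself healthy */
    @Override
    public boolean isHealthy() {
        return this.queryExecutor != null && this.queryExecutor.isHealthy();
    }

    /**
     * No-op. The datasource belongs to the caller that supplied it via {@link #setDatasources}.
     * NOTE(review): if {@link KeypoolQueryExecutor} acquires resources of its own, they are not
     * released here — confirm.
     */
    @Override
    public void close() throws IOException {
    }
}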
