package org.xipki.ca.gateway;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jcajce.interfaces.XDHKey;
import org.xipki.ca.gateway.conf.KeystoreConf;
import org.xipki.ca.gateway.conf.PopControlConf;
import org.xipki.security.AlgorithmValidator;
import org.xipki.security.CollectionAlgorithmValidator;
import org.xipki.security.DHSigStaticKeyCertPair;
import org.xipki.security.X509Cert;
import org.xipki.security.util.KeyUtil;
import org.xipki.util.Base64;
import org.xipki.util.IoUtil;
import org.xipki.util.StringUtil;
import org.xipki.util.exception.InvalidConfException;

/* loaded from: input_file:WEB-INF/lib/gateway-common-6.4.0.jar:org/xipki/ca/gateway/PopControl.class */
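/**
 * Proof-of-possession (POP) control settings for the CA gateway.
 *
 * <p>Holds two things derived from {@link PopControlConf}:
 * <ul>
 *   <li>the validator of signature algorithms accepted for signature-based POP
 *       ({@link #getPopAlgoValidator()}), and</li>
 *   <li>the static (X)DH private keys and their certificates loaded from the
 *       optional {@code dh} keystore, used for the "dhStatic" POP variant
 *       ({@link #getDhCertificates()}, {@link #getDhKeyCertPair(X500Name, BigInteger, String)}).</li>
 * </ul>
 *
 * <p>Instances are effectively immutable after construction: the private key list is
 * never exposed and the certificate array is returned as a copy.
 */
public class PopControl {
    /** Prefix marking an inline, base64-encoded keystore instead of a file path. */
    private static final String BASE64_PREFIX = "base64:";

    /** Signature algorithms accepted for POP; the shared default instance if none configured. */
    private final CollectionAlgorithmValidator popAlgoValidator;

    /** Static XDH private keys with their certificates. Only entries whose key is an {@link XDHKey} are kept. */
    private final List<DHSigStaticKeyCertPair> dhKeyAndCerts = new ArrayList<>(1);

    /** Certificates of {@link #dhKeyAndCerts} in load order; {@code null} when no DH keystore is configured. */
    private final X509Cert[] dhCerts;

    /**
     * Builds the POP control from configuration.
     *
     * <p>If {@code dh} is absent, or all three of its fields ({@code type}, {@code keystore},
     * {@code password}) are blank, the DH part is simply disabled. If only some are set the
     * configuration is rejected, so a half-configured keystore never fails silently.
     *
     * @param popControlConf the POP section of the gateway configuration
     * @throws InvalidConfException if a configured signature algorithm is unknown, the DH
     *         keystore configuration is incomplete, or the keystore cannot be opened, loaded
     *         or its key entries cannot be recovered with the given password
     */
    public PopControl(PopControlConf popControlConf) throws InvalidConfException {
        if (popControlConf.getSigAlgos() == null) {
            this.popAlgoValidator = CollectionAlgorithmValidator.INSTANCE;
        } else {
            try {
                this.popAlgoValidator =
                        CollectionAlgorithmValidator.buildAlgorithmValidator(popControlConf.getSigAlgos());
            } catch (NoSuchAlgorithmException e) {
                throw new InvalidConfException("invalid signature algorithm", e);
            }
        }

        KeystoreConf dh = popControlConf.getDh();
        if (dh == null) {
            this.dhCerts = null;
            return;
        }

        String type = dh.getType();
        String password = dh.getPassword();
        String keystore = dh.getKeystore();

        boolean nothingConfigured =
                StringUtil.isBlank(type) && StringUtil.isBlank(password) && StringUtil.isBlank(keystore);
        if (nothingConfigured) {
            this.dhCerts = null;
            return;
        }

        // Partial configuration is an error, not "disabled".
        if (StringUtil.isBlank(type)) {
            throw new InvalidConfException("type is not defined in conf");
        }
        if (StringUtil.isBlank(keystore)) {
            throw new InvalidConfException("keystore is not defined in conf");
        }
        if (StringUtil.isBlank(password)) {
            throw new InvalidConfException("password is not defined in conf");
        }

        this.dhCerts = loadDhEntries(type, keystore, password);
    }

    /**
     * Loads the keystore and collects every key entry whose private key is an {@link XDHKey}
     * into {@link #dhKeyAndCerts}.
     *
     * <p>The keystore stream is always closed (try-with-resources), also when loading fails.
     * The {@code char[]} copy of the password is zeroed afterwards; the {@link String} held by
     * {@link KeystoreConf} cannot be cleared from here.
     *
     * @return the certificates of the collected entries, in keystore alias order
     * @throws InvalidConfException if the keystore cannot be opened or loaded, a key entry
     *         cannot be recovered, a key entry is not a {@link PrivateKey} (e.g. a secret-key
     *         entry, surfacing as {@link ClassCastException}), or an XDH entry has no certificate
     */
    private X509Cert[] loadDhEntries(String type, String keystore, String password)
            throws InvalidConfException {
        char[] passwordChars = password.toCharArray();
        try (InputStream in = getKeyStoreInputStream(keystore)) {
            KeyStore ks = KeyUtil.getInKeyStore(type);
            // load() with a password also verifies keystore integrity for JKS/PKCS12.
            ks.load(in, passwordChars);

            List<X509Cert> certs = new ArrayList<>();
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!ks.isKeyEntry(alias)) {
                    continue;
                }
                PrivateKey key = (PrivateKey) ks.getKey(alias, passwordChars);
                if (!(key instanceof XDHKey)) {
                    // Non-XDH keys (RSA, EC, ...) are not usable for dhStatic POP; skip them.
                    continue;
                }
                X509Certificate jceCert = (X509Certificate) ks.getCertificate(alias);
                if (jceCert == null) {
                    throw new InvalidConfException("key entry '" + alias + "' has no certificate");
                }
                X509Cert cert = new X509Cert(jceCert);
                this.dhKeyAndCerts.add(new DHSigStaticKeyCertPair(key, cert));
                certs.add(cert);
            }
            return certs.toArray(new X509Cert[0]);
        } catch (IOException | ClassCastException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableKeyException | CertificateException e) {
            throw new InvalidConfException("invalid dhStatic pop configuration", e);
        } finally {
            Arrays.fill(passwordChars, '\0');
        }
    }

    /**
     * Opens the configured keystore.
     *
     * @param str either {@code base64:<data>} for an inline keystore, or a file path
     *            (expanded by {@code IoUtil.expandFilepath} before opening)
     * @return a stream over the keystore bytes; the caller must close it
     * @throws InvalidConfException if the file does not exist or cannot be opened
     */
    private InputStream getKeyStoreInputStream(String str) throws InvalidConfException {
        if (str.startsWith(BASE64_PREFIX)) {
            return new ByteArrayInputStream(Base64.decode(str.substring(BASE64_PREFIX.length())));
        }
        try {
            return new FileInputStream(IoUtil.expandFilepath(str, true));
        } catch (FileNotFoundException e) {
            throw new InvalidConfException(e.getMessage(), e);
        }
    }

    /**
     * Returns the certificates of the configured static DH keys.
     *
     * @return a fresh copy of the certificate array, or {@code null} if no DH keystore is
     *         configured or it contained no XDH key entry
     */
    public X509Cert[] getDhCertificates() {
        if (this.dhCerts == null || this.dhCerts.length == 0) {
            return null;
        }
        return Arrays.copyOf(this.dhCerts, this.dhCerts.length);
    }

    /**
     * Finds the static DH key/certificate pair whose certificate has the given issuer and
     * serial number and whose private key algorithm name matches {@code str} (case-insensitive).
     *
     * @param x500Name   issuer of the wanted certificate
     * @param bigInteger serial number of the wanted certificate
     * @param str        expected private-key algorithm name (e.g. as reported by {@code PrivateKey.getAlgorithm()})
     * @return the matching pair, or {@code null} if none is configured or none matches
     */
    public DHSigStaticKeyCertPair getDhKeyCertPair(X500Name x500Name, BigInteger bigInteger, String str) {
        if (this.dhKeyAndCerts.isEmpty()) {
            return null;
        }
        for (DHSigStaticKeyCertPair pair : this.dhKeyAndCerts) {
            boolean sameIssuer = pair.getIssuer().equals(x500Name);
            boolean sameSerial = pair.getSerialNumber().equals(bigInteger);
            boolean sameAlgo = pair.getPrivateKey().getAlgorithm().equalsIgnoreCase(str);
            if (sameIssuer && sameSerial && sameAlgo) {
                return pair;
            }
        }
        return null;
    }

    /**
     * Returns the validator of signature algorithms accepted for signature-based POP.
     *
     * @return the configured validator, or the shared default if none was configured
     */
    public AlgorithmValidator getPopAlgoValidator() {
        return this.popAlgoValidator;
    }
}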
