package org.apache.cxf.rs.security.jose.common;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.Bus;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.jose.jwk.JwkException;
import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
import org.apache.cxf.rt.security.crypto.MessageDigestUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/jose/common/KeyManagementUtils.class */
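/**
 * Key-store backed helpers for the JOSE (JWS/JWE) layer.
 * <p>
 * The methods here resolve a {@link KeyStore}, a public/private key or an X.509
 * certificate chain from the {@code rs.security.*} properties named in
 * {@link JoseConstants}, optionally consulting the contextual properties of the
 * current {@link Message}; they also encode, decode and PKIX-validate
 * certificate chains and compute the JOSE certificate thumbprint headers.
 * <p>
 * The class holds no mutable state of its own. The only caching it performs is
 * the key-store instance that {@link #loadPersistKeyStore} stores on the
 * message exchange, keyed by the configured key-store file location.
 */
public final class KeyManagementUtils {
    private static final Logger LOG = LogUtils.getL7dLogger(KeyManagementUtils.class);

    private KeyManagementUtils() {
    }

    /**
     * Loads the certificate (or chain) selected by {@code rs.security.keystore.alias}
     * and returns it Base64-encoded, one entry per certificate, leaf first.
     *
     * @param message current message, may be {@code null} (no exchange-level caching then)
     * @param properties key-store configuration properties
     * @return the encoded chain
     * @throws JoseException if the key store, alias or certificate cannot be resolved
     */
    public static List<String> loadAndEncodeX509CertificateOrChain(Message message, Properties properties) {
        X509Certificate[] chain = loadX509CertificateOrChain(message, properties);
        return encodeX509CertificateChain(chain);
    }

    /**
     * Computes the Base64url-encoded digest of the leaf certificate selected by
     * {@code rs.security.keystore.alias}; this is the value of the JOSE
     * {@code x5t} / {@code x5t#S256} headers.
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @param digestAlgo digest algorithm name passed to {@link MessageDigestUtils#createDigest}
     * @return the encoded thumbprint, or {@code null} when no certificate was found
     * @throws JoseException if the digest algorithm is unknown or the certificate cannot be encoded
     */
    public static String loadDigestAndEncodeX509Certificate(Message message, Properties properties,
                                                            String digestAlgo) {
        X509Certificate[] chain = loadX509CertificateOrChain(message, properties);
        if (chain == null || chain.length == 0) {
            return null;
        }
        try {
            byte[] digest = MessageDigestUtils.createDigest(chain[0].getEncoded(), digestAlgo);
            return Base64UrlUtility.encode(digest);
        } catch (NoSuchAlgorithmException e) {
            LOG.log(Level.FINE, "Error creating digest", e);
            throw new JoseException(e);
        } catch (CertificateEncodingException e) {
            LOG.log(Level.FINE, "Error creating digest", e);
            throw new JoseException(e);
        }
    }

    /**
     * Loads the certificate chain stored under {@code rs.security.keystore.alias}.
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @return the chain, leaf first; a single-element array when the store holds only a certificate
     * @throws JoseException if no alias is configured or the entry cannot be read
     */
    public static X509Certificate[] loadX509CertificateOrChain(Message message, Properties properties) {
        KeyStore keyStore = loadPersistKeyStore(message, properties);
        return loadX509CertificateOrChain(keyStore, properties.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS));
    }

    /**
     * Reads the chain for {@code alias}, falling back to a single certificate entry.
     * A missing entry is reported as a {@link JoseException} instead of a
     * chain containing {@code null}, which callers would otherwise trip over.
     */
    private static X509Certificate[] loadX509CertificateOrChain(KeyStore keyStore, String alias) {
        if (alias == null) {
            throw new JoseException("No alias supplied");
        }
        X509Certificate[] chain;
        try {
            Certificate[] stored = keyStore.getCertificateChain(alias);
            if (stored != null) {
                // ArrayStoreException (non-X.509 entry) lands in the catch below
                chain = Arrays.copyOf(stored, stored.length, X509Certificate[].class);
            } else {
                X509Certificate single = (X509Certificate) CryptoUtils.loadCertificate(keyStore, alias);
                chain = single != null ? new X509Certificate[] {single} : null;
            }
        } catch (Exception e) {
            LOG.warning("X509 Certificates can not be created");
            throw new JoseException(e);
        }
        if (chain == null) {
            LOG.warning("X509 Certificates can not be created");
            throw new JoseException("No certificate found for alias: " + alias);
        }
        return chain;
    }

    /**
     * Loads the public key stored under {@code rs.security.keystore.alias}.
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @return the public key
     */
    public static PublicKey loadPublicKey(Message message, Properties properties) {
        KeyStore keyStore = loadPersistKeyStore(message, properties);
        return CryptoUtils.loadPublicKey(keyStore, properties.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS));
    }

    /**
     * Loads the public key described by the properties resource whose location
     * is the contextual property {@code propertyName}.
     *
     * @param message current message, must not be {@code null}
     * @param propertyName contextual property holding the properties resource location
     * @return the public key
     * @throws JoseException if the resource is not identified or the key cannot be loaded
     */
    public static PublicKey loadPublicKey(Message message, String propertyName) {
        return loadPublicKey(message, propertyName, null);
    }

    /**
     * Loads the public key described by the properties resource whose location
     * is found under {@code propertyName}, or else {@code fallbackPropertyName},
     * via {@link MessageUtils#getContextualProperty}.
     *
     * @param message current message, must not be {@code null}
     * @param propertyName contextual property holding the properties resource location
     * @param fallbackPropertyName second property name consulted, may be {@code null}
     * @return the public key
     * @throws JoseException if the resource is not identified or the key cannot be loaded
     */
    public static PublicKey loadPublicKey(Message message, String propertyName, String fallbackPropertyName) {
        try {
            String location = getMessageProperty(message, propertyName, fallbackPropertyName);
            Properties properties = JoseUtils.loadProperties(location, message.getExchange().getBus());
            return loadPublicKey(message, properties);
        } catch (Exception e) {
            LOG.warning("Public key can not be loaded");
            throw new JoseException(e);
        }
    }

    /**
     * Loads the public key described by the properties resource at {@code propertiesLocation},
     * outside of any message context.
     *
     * @param propertiesLocation location of the properties resource
     * @param bus bus used to resolve the resource
     * @return the public key
     * @throws JoseException if the key cannot be loaded
     */
    public static PublicKey loadPublicKey(String propertiesLocation, Bus bus) {
        try {
            Properties properties = JoseUtils.loadProperties(propertiesLocation, bus);
            return loadPublicKey((Message) null, properties);
        } catch (Exception e) {
            LOG.warning("Public key can not be loaded");
            throw new JoseException(e);
        }
    }

    /**
     * Loads a public key directly from a key-store resource, using the default store type.
     *
     * @param keyStoreLocation key-store resource location
     * @param keyStorePassword key-store password
     * @param alias key-store alias of the key
     * @param bus bus used to resolve the resource
     * @return the public key
     * @throws SecurityException wrapping any failure (kept for callers that catch it)
     */
    public static PublicKey loadPublicKey(String keyStoreLocation, String keyStorePassword, String alias, Bus bus) {
        try {
            KeyStore keyStore = loadKeyStore(keyStoreLocation, null, keyStorePassword, bus);
            return CryptoUtils.loadPublicKey(keyStore, alias);
        } catch (Exception e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Resolves a contextual string property, trying {@code propertyName} and then
     * {@code fallbackPropertyName}; a missing value is a configuration error.
     */
    private static String getMessageProperty(Message message, String propertyName, String fallbackPropertyName) {
        String value = (String) MessageUtils.getContextualProperty(message, propertyName, fallbackPropertyName);
        if (value == null) {
            LOG.warning("Properties resource is not identified");
            throw new JoseException();
        }
        return value;
    }

    /**
     * Loads a private key from {@code keyStore}. The alias is {@code alias} when
     * given, otherwise resolved by {@link #getKeyId}; the password comes from
     * {@code rs.security.key.password} or, failing that, from a
     * {@link PrivateKeyPasswordProvider}.
     */
    private static PrivateKey loadPrivateKey(KeyStore keyStore, Message message, Properties properties,
                                             KeyOperation keyOperation, String alias) {
        String theAlias = alias != null
            ? alias
            : getKeyId(message, properties, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOperation);
        if (theAlias != null) {
            // Deliberate side effect on the caller's properties: the resolved alias is
            // written back, presumably so a password provider receiving these
            // properties can tell which key is being unlocked - confirm with providers.
            properties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, theAlias);
        }
        char[] password = resolvePrivateKeyPassword(message, properties, keyOperation);
        return CryptoUtils.loadPrivateKey(keyStore, password, theAlias);
    }

    /**
     * Returns the private-key password: the configured {@code rs.security.key.password},
     * else the value supplied by the applicable password provider, else {@code null}.
     */
    private static char[] resolvePrivateKeyPassword(Message message, Properties properties,
                                                    KeyOperation keyOperation) {
        String configured = properties.getProperty(JoseConstants.RSSEC_KEY_PSWD);
        if (configured != null) {
            return configured.toCharArray();
        }
        PrivateKeyPasswordProvider provider = loadPasswordProvider(message, properties, keyOperation);
        return provider != null ? provider.getPassword(properties) : null;
    }

    /**
     * Loads the private key described by the properties resource whose location is
     * the contextual property {@code propertyName}.
     *
     * @param message current message, must not be {@code null}
     * @param propertyName contextual property holding the properties resource location
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the private key
     * @throws SecurityException wrapping any failure
     */
    public static PrivateKey loadPrivateKey(Message message, String propertyName, KeyOperation keyOperation) {
        return loadPrivateKey(message, propertyName, (String) null, keyOperation);
    }

    /**
     * Loads the private key described by the properties resource whose location is
     * found under {@code propertyName} or else {@code fallbackPropertyName}.
     *
     * @param message current message, must not be {@code null}
     * @param propertyName contextual property holding the properties resource location
     * @param fallbackPropertyName second property name consulted, may be {@code null}
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the private key
     * @throws SecurityException wrapping any failure
     */
    public static PrivateKey loadPrivateKey(Message message, String propertyName, String fallbackPropertyName,
                                            KeyOperation keyOperation) {
        try {
            String location = getMessageProperty(message, propertyName, fallbackPropertyName);
            Properties properties = JoseUtils.loadProperties(location, message.getExchange().getBus());
            return loadPrivateKey(message, properties, keyOperation);
        } catch (Exception e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Loads a private key directly from a key-store resource, using the default store type.
     *
     * @param keyStoreLocation key-store resource location
     * @param keyStorePassword key-store password
     * @param alias key-store alias of the key
     * @param keyPassword key password; {@code null} is treated as an empty password
     * @param bus bus used to resolve the resource
     * @return the private key
     * @throws SecurityException wrapping any failure
     */
    public static PrivateKey loadPrivateKey(String keyStoreLocation, String keyStorePassword, String alias,
                                            String keyPassword, Bus bus) {
        try {
            KeyStore keyStore = loadKeyStore(keyStoreLocation, null, keyStorePassword, bus);
            char[] password = keyPassword == null ? new char[0] : keyPassword.toCharArray();
            return CryptoUtils.loadPrivateKey(keyStore, password, alias);
        } catch (Exception e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Loads the private key described by the properties resource at {@code propertiesLocation},
     * outside of any message context.
     *
     * @param propertiesLocation location of the properties resource
     * @param bus bus used to resolve the resource
     * @return the private key
     * @throws SecurityException wrapping any failure
     */
    public static PrivateKey loadPrivateKey(String propertiesLocation, Bus bus) {
        try {
            Properties properties = JoseUtils.loadProperties(propertiesLocation, bus);
            return loadPrivateKey((Message) null, properties, (KeyOperation) null);
        } catch (Exception e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Resolves a key identifier (typically the key-store alias) for an operation.
     * <p>
     * With a message and an operation, the contextual property {@code propertyName}
     * is consulted first, then its operation-specific form
     * ({@code propertyName.jws} for SIGN/VERIFY, {@code propertyName.jwe} for
     * ENCRYPT/DECRYPT) suffixed with {@code .out} or {@code .in} depending on the
     * message direction, then the operation-specific form without a suffix.
     * The plain and operation-specific names are then tried on {@code properties}.
     *
     * @param message current message, may be {@code null}
     * @param properties configuration properties
     * @param propertyName base property name
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the key identifier, or {@code null} if none is configured
     */
    public static String getKeyId(Message message, Properties properties, String propertyName,
                                  KeyOperation keyOperation) {
        String operationPropertyName = null;
        String keyId = null;
        if (keyOperation != null && message != null) {
            operationPropertyName = operationSpecificName(propertyName, keyOperation);
            if (operationPropertyName != null) {
                String direction = message.getExchange().getOutMessage() == message ? ".out" : ".in";
                keyId = (String) MessageUtils.getContextualProperty(message, propertyName,
                                                                    operationPropertyName + direction);
                // the direction may have been configured the other way round
                if (keyId == null) {
                    keyId = (String) message.getContextualProperty(operationPropertyName);
                }
            } else {
                // operations without a .jws/.jwe form: look up the base name only
                // (previously a bogus "null.in"/"null.out" name was also queried)
                keyId = (String) message.getContextualProperty(propertyName);
            }
        }
        if (keyId == null) {
            keyId = properties.getProperty(propertyName);
        }
        if (keyId == null && operationPropertyName != null) {
            keyId = properties.getProperty(operationPropertyName);
        }
        return keyId;
    }

    /** Maps an operation to its {@code .jws}/{@code .jwe} property name, or {@code null}. */
    private static String operationSpecificName(String propertyName, KeyOperation keyOperation) {
        if (keyOperation == KeyOperation.ENCRYPT || keyOperation == KeyOperation.DECRYPT) {
            return propertyName + ".jwe";
        }
        if (keyOperation == KeyOperation.SIGN || keyOperation == KeyOperation.VERIFY) {
            return propertyName + ".jws";
        }
        return null;
    }

    /**
     * Finds the password provider for a private key: the SIGN- or DECRYPT-specific
     * provider when configured, otherwise the generic
     * {@code rs.security.key.password.provider}. Each is looked up in
     * {@code properties} first and then as a contextual message property.
     *
     * @param message current message, may be {@code null}
     * @param properties configuration properties
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the provider, or {@code null} if none is configured
     */
    public static PrivateKeyPasswordProvider loadPasswordProvider(Message message, Properties properties,
                                                                  KeyOperation keyOperation) {
        PrivateKeyPasswordProvider provider = null;
        if (keyOperation == KeyOperation.SIGN) {
            provider = lookupPasswordProvider(message, properties, JoseConstants.RSSEC_SIGNATURE_KEY_PSWD_PROVIDER);
        } else if (keyOperation == KeyOperation.DECRYPT) {
            provider = lookupPasswordProvider(message, properties, JoseConstants.RSSEC_DECRYPTION_KEY_PSWD_PROVIDER);
        }
        if (provider == null) {
            provider = lookupPasswordProvider(message, properties, JoseConstants.RSSEC_KEY_PSWD_PROVIDER);
        }
        return provider;
    }

    /** Looks a provider up under {@code name}: properties first, then the message context. */
    private static PrivateKeyPasswordProvider lookupPasswordProvider(Message message, Properties properties,
                                                                     String name) {
        if (properties.containsKey(name)) {
            return (PrivateKeyPasswordProvider) properties.get(name);
        }
        return message != null ? (PrivateKeyPasswordProvider) message.getContextualProperty(name) : null;
    }

    /**
     * Loads the private key selected by {@code rs.security.keystore.alias} (or the
     * operation-specific alias, see {@link #getKeyId}).
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the private key
     */
    public static PrivateKey loadPrivateKey(Message message, Properties properties, KeyOperation keyOperation) {
        KeyStore keyStore = loadPersistKeyStore(message, properties);
        return loadPrivateKey(keyStore, message, properties, keyOperation, (String) null);
    }

    /**
     * Returns the configured key store, loading it at most once per exchange.
     * <p>
     * Resolution order: a {@link KeyStore} instance under {@code rs.security.keystore};
     * the instance cached on the exchange under the key-store file location;
     * otherwise the store is loaded from {@code rs.security.keystore.file} and
     * cached on the exchange when a message is available.
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @return the key store
     * @throws JoseException if no key-store file is configured or loading fails
     * @throws JwkException if the exchange holds something other than a key store under that key
     */
    public static KeyStore loadPersistKeyStore(Message message, Properties properties) {
        KeyStore keyStore = null;
        if (properties.containsKey(JoseConstants.RSSEC_KEY_STORE)) {
            keyStore = (KeyStore) properties.get(JoseConstants.RSSEC_KEY_STORE);
        }
        if (keyStore == null) {
            if (!properties.containsKey(JoseConstants.RSSEC_KEY_STORE_FILE)) {
                LOG.warning("No keystore file has been configured");
                throw new JoseException("No keystore file has been configured");
            }
            if (message != null) {
                Object cached = message.getExchange().get(properties.get(JoseConstants.RSSEC_KEY_STORE_FILE));
                if (cached != null && !(cached instanceof KeyStore)) {
                    throw new JwkException("Unexpected key store class: " + cached.getClass().getName());
                }
                keyStore = (KeyStore) cached;
            }
        }
        if (keyStore == null) {
            keyStore = loadKeyStore(properties, message != null ? message.getExchange().getBus() : null);
            if (message != null) {
                message.getExchange().put((String) properties.get(JoseConstants.RSSEC_KEY_STORE_FILE), keyStore);
            }
        }
        return keyStore;
    }

    /**
     * Loads the key store described by {@code rs.security.keystore.file},
     * {@code rs.security.keystore.type} and {@code rs.security.keystore.password}.
     *
     * @param properties key-store configuration properties
     * @param bus bus used to resolve the resource, may be {@code null}
     * @return the key store
     * @throws JoseException if no password is configured or loading fails
     */
    public static KeyStore loadKeyStore(Properties properties, Bus bus) {
        return loadKeyStore(properties.getProperty(JoseConstants.RSSEC_KEY_STORE_FILE),
                            properties.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE),
                            properties.getProperty(JoseConstants.RSSEC_KEY_STORE_PSWD),
                            bus);
    }

    /**
     * Loads a key store from a resource.
     *
     * @param keyStoreLocation key-store resource location
     * @param keyStoreType key-store type, {@code null} for the default
     * @param keyStorePassword key-store password, required
     * @param bus bus used to resolve the resource, may be {@code null}
     * @return the key store
     * @throws JoseException if no password is given or loading fails
     */
    public static KeyStore loadKeyStore(String keyStoreLocation, String keyStoreType, String keyStorePassword,
                                        Bus bus) {
        if (keyStorePassword == null) {
            throw new JoseException("No keystore password was defined");
        }
        try {
            // NOTE(review): the stream is handed to CryptoUtils.loadKeyStore, which is
            // assumed to close it - confirm, otherwise wrap it in try-with-resources here.
            return CryptoUtils.loadKeyStore(JoseUtils.getResourceStream(keyStoreLocation, bus),
                                            keyStorePassword.toCharArray(), keyStoreType);
        } catch (Exception e) {
            LOG.warning("Key store can not be loaded");
            throw new JoseException(e);
        }
    }

    /**
     * Encodes a certificate chain, one entry per certificate, in the given order.
     *
     * @param chain the chain, must not be {@code null}
     * @return the encoded certificates
     * @throws JoseException if a certificate cannot be encoded
     */
    public static List<String> encodeX509CertificateChain(X509Certificate[] chain) {
        return encodeX509CertificateChain(Arrays.asList(chain));
    }

    /**
     * Encodes a certificate chain, one entry per certificate, in the given order.
     *
     * @param chain the chain, must not be {@code null}
     * @return the encoded certificates
     * @throws JoseException if a certificate cannot be encoded
     */
    public static List<String> encodeX509CertificateChain(List<X509Certificate> chain) {
        List<String> encoded = new ArrayList<String>(chain.size());
        for (X509Certificate certificate : chain) {
            try {
                encoded.add(CryptoUtils.encodeCertificate(certificate));
            } catch (Exception e) {
                LOG.warning("X509 Certificate can not be encoded");
                throw new JoseException(e);
            }
        }
        return encoded;
    }

    /**
     * Decodes an encoded certificate chain (e.g. a JOSE {@code x5c} header value).
     *
     * @param encodedChain the encoded certificates, may be {@code null}
     * @return the decoded chain in the same order, or {@code null} for a {@code null} input
     * @throws JoseException if a certificate cannot be decoded or is not X.509
     */
    public static List<X509Certificate> toX509CertificateChain(List<String> encodedChain) {
        if (encodedChain == null) {
            return null;
        }
        List<X509Certificate> chain = new ArrayList<X509Certificate>(encodedChain.size());
        for (String encoded : encodedChain) {
            try {
                chain.add((X509Certificate) CryptoUtils.decodeCertificate(encoded));
            } catch (Exception e) {
                LOG.warning("X509 Certificate can not be decoded");
                throw new JoseException(e);
            }
        }
        return chain;
    }

    /**
     * Validates a certificate chain against the key store configured in
     * {@code properties}, resolved for the current interceptor-chain message.
     *
     * @param properties key-store configuration properties
     * @param chain the chain to validate, leaf first
     * @throws JoseException if the chain is empty or does not validate
     */
    public static void validateCertificateChain(Properties properties, List<X509Certificate> chain) {
        KeyStore keyStore = loadPersistKeyStore(PhaseInterceptorChain.getCurrentMessage(), properties);
        validateCertificateChain(keyStore, chain);
    }

    /**
     * Builds and validates a PKIX path from the leaf ({@code chain.get(0)}) up to one of
     * the trusted-certificate entries of {@code keyStore}, using the remaining chain
     * entries as intermediates.
     * <p>
     * Revocation checking (CRL/OCSP) is disabled, so a revoked but otherwise valid
     * chain passes; callers needing revocation must check it separately.
     *
     * @param keyStore store whose trusted certificates act as trust anchors
     * @param chain the chain to validate, leaf first
     * @throws JoseException if the chain is empty or does not validate
     */
    public static void validateCertificateChain(KeyStore keyStore, List<X509Certificate> chain) {
        if (chain == null || chain.isEmpty()) {
            LOG.warning("Certificate path validation error");
            throw new JoseException("No certificates to validate");
        }
        try {
            X509CertSelector leaf = new X509CertSelector();
            leaf.setCertificate(chain.get(0));
            PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, leaf);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            params.setMaxPathLength(-1);
            params.setRevocationEnabled(false);
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            validator.validate(builder.build(params).getCertPath(), params);
        } catch (Exception e) {
            LOG.warning("Certificate path validation error");
            throw new JoseException(e);
        }
    }

    /**
     * Decodes an encoded certificate chain into an array.
     *
     * @param encodedChain the encoded certificates, may be {@code null}
     * @return the decoded chain, or {@code null} for a {@code null} input
     * @throws JoseException if a certificate cannot be decoded
     */
    public static X509Certificate[] toX509CertificateChainArray(List<String> encodedChain) {
        List<X509Certificate> chain = toX509CertificateChain(encodedChain);
        if (chain == null) {
            return null;
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /**
     * Returns the algorithm configured under {@code propertyName}: from
     * {@code properties}, else from the message context, else {@code defaultAlgo}.
     *
     * @param message current message, may be {@code null}
     * @param properties configuration properties, may be {@code null}
     * @param propertyName property holding the algorithm name
     * @param defaultAlgo value returned when nothing is configured
     * @return the algorithm name
     */
    public static String getKeyAlgorithm(Message message, Properties properties, String propertyName,
                                         String defaultAlgo) {
        String algo = properties != null ? properties.getProperty(propertyName) : null;
        if (algo == null && message != null) {
            algo = (String) message.getContextualProperty(propertyName);
        }
        return algo != null ? algo : defaultAlgo;
    }

    /**
     * Loads key-store properties for the message: from the properties resource whose
     * location is the contextual property {@code propertyName} (or
     * {@code fallbackPropertyName}), else assembled from the individual
     * {@code rs.security.keystore.*} contextual properties.
     *
     * @param message current message, may be {@code null}
     * @param required whether a missing configuration is an error
     * @param propertyName contextual property holding the properties resource location
     * @param fallbackPropertyName second property name consulted, may be {@code null}
     * @return the properties; empty when nothing is configured and not required;
     *         {@code null} when there is no message and not required
     * @throws JoseException if required and nothing is configured, or the resource cannot be loaded
     */
    public static Properties loadStoreProperties(Message message, boolean required, String propertyName,
                                                 String fallbackPropertyName) {
        if (message == null) {
            if (required) {
                throw new JoseException();
            }
            return null;
        }
        Properties properties;
        String location = (String) MessageUtils.getContextualProperty(message, propertyName, fallbackPropertyName);
        if (location != null) {
            try {
                properties = JoseUtils.loadProperties(location, message.getExchange().getBus());
            } catch (Exception e) {
                LOG.warning("Properties resource is not identified");
                throw new JoseException(e);
            }
        } else {
            properties = keyStorePropertiesFromContext(message);
        }
        if (properties == null) {
            if (required) {
                LOG.warning("Properties resource is not identified");
                throw new JoseException("Properties resource is not identified");
            }
            properties = new Properties();
        }
        return properties;
    }

    /**
     * Assembles key-store properties from the message's contextual
     * {@code rs.security.keystore.*} properties; {@code null} when no key-store file is set.
     */
    private static Properties keyStorePropertiesFromContext(Message message) {
        String storeFile = (String) message.getContextualProperty(JoseConstants.RSSEC_KEY_STORE_FILE);
        if (storeFile == null) {
            return null;
        }
        Properties properties = new Properties();
        properties.setProperty(JoseConstants.RSSEC_KEY_STORE_FILE, storeFile);
        String storeType = (String) message.getContextualProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
        properties.setProperty(JoseConstants.RSSEC_KEY_STORE_TYPE,
                               storeType != null ? storeType : JoseConstants.HEADER_JSON_WEB_KEY);
        copyContextualProperty(message, properties, JoseConstants.RSSEC_KEY_STORE_ALIAS);
        copyContextualProperty(message, properties, JoseConstants.RSSEC_KEY_STORE_PSWD);
        copyContextualProperty(message, properties, JoseConstants.RSSEC_KEY_PSWD);
        return properties;
    }

    /** Copies the contextual string property {@code name} into {@code target} when present. */
    private static void copyContextualProperty(Message message, Properties target, String name) {
        String value = (String) message.getContextualProperty(name);
        if (value != null) {
            target.setProperty(name, value);
        }
    }

    /**
     * Loads the private key whose key-store entry holds {@code certificate}.
     *
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @param certificate certificate identifying the key-store entry
     * @param keyOperation operation the key is needed for, may be {@code null}
     * @return the private key
     * @throws JoseException if the alias cannot be resolved or the key cannot be loaded
     */
    public static PrivateKey loadPrivateKey(Message message, Properties properties, X509Certificate certificate,
                                            KeyOperation keyOperation) {
        KeyStore keyStore = loadPersistKeyStore(message, properties);
        try {
            String alias = keyStore.getCertificateAlias(certificate);
            return loadPrivateKey(keyStore, message, properties, keyOperation, alias);
        } catch (Exception e) {
            LOG.warning("Private key can not be loaded");
            throw new JoseException(e);
        }
    }

    /**
     * Finds the key-store certificate whose digest matches a Base64url thumbprint
     * (a JOSE {@code x5t} / {@code x5t#S256} header value). Every alias is scanned and
     * the leaf certificate of each entry is digested with {@code digestAlgo}.
     *
     * @param thumbprint Base64url-encoded digest, may be {@code null}
     * @param digestAlgo digest algorithm name passed to {@link MessageDigestUtils#createDigest}
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     * @return the matching certificate, or {@code null} if none matches or the thumbprint is {@code null}
     * @throws JoseException if the thumbprint cannot be decoded, the algorithm is unknown,
     *         or the key store cannot be read
     */
    public static X509Certificate getCertificateFromThumbprint(String thumbprint, String digestAlgo,
                                                               Message message, Properties properties) {
        KeyStore keyStore = loadPersistKeyStore(message, properties);
        if (keyStore == null || thumbprint == null) {
            return null;
        }
        try {
            byte[] expected = Base64UrlUtility.decode(thumbprint);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                X509Certificate candidate = leafCertificate(keyStore, aliases.nextElement());
                if (candidate != null
                    && Arrays.equals(MessageDigestUtils.createDigest(candidate.getEncoded(), digestAlgo), expected)) {
                    return candidate;
                }
            }
            return null;
        } catch (NoSuchAlgorithmException e) {
            throw certificateLookupFailure(e);
        } catch (CertificateEncodingException e) {
            throw certificateLookupFailure(e);
        } catch (Base64Exception e) {
            throw certificateLookupFailure(e);
        } catch (KeyStoreException e) {
            throw certificateLookupFailure(e);
        }
    }

    /**
     * Returns the leaf certificate of the entry under {@code alias}: the first element of
     * its chain, or its single certificate; {@code null} if there is none or it is not X.509.
     */
    private static X509Certificate leafCertificate(KeyStore keyStore, String alias) throws KeyStoreException {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        Certificate leaf = chain != null && chain.length > 0 ? chain[0] : keyStore.getCertificate(alias);
        return leaf instanceof X509Certificate ? (X509Certificate) leaf : null;
    }

    /** Logs a thumbprint lookup failure and wraps it for rethrowing. */
    private static JoseException certificateLookupFailure(Exception e) {
        LOG.log(Level.WARNING, "X509Certificate can not be loaded: ", e);
        return new JoseException(e);
    }

    /**
     * Sets the SHA-1 certificate thumbprint header ({@code x5t}) when a certificate is
     * configured. {@link #setSha256DigestHeader} is the stronger alternative.
     *
     * @param joseHeaders headers to update
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     */
    public static void setSha1DigestHeader(JoseHeaders joseHeaders, Message message, Properties properties) {
        String thumbprint = loadDigestAndEncodeX509Certificate(message, properties, MessageDigestUtils.ALGO_SHA_1);
        if (thumbprint != null) {
            joseHeaders.setX509Thumbprint(thumbprint);
        }
    }

    /**
     * Sets the SHA-256 certificate thumbprint header ({@code x5t#S256}) when a certificate
     * is configured.
     *
     * @param joseHeaders headers to update
     * @param message current message, may be {@code null}
     * @param properties key-store configuration properties
     */
    public static void setSha256DigestHeader(JoseHeaders joseHeaders, Message message, Properties properties) {
        String thumbprint = loadDigestAndEncodeX509Certificate(message, properties, MessageDigestUtils.ALGO_SHA_256);
        if (thumbprint != null) {
            joseHeaders.setX509ThumbprintSHA256(thumbprint);
        }
    }
}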
