package org.bitrepository.protocol.security;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bitrepository.common.ArgumentValidator;
import org.bitrepository.protocol.security.exception.CertificateUseException;
import org.bitrepository.protocol.security.exception.MessageAuthenticationException;
import org.bitrepository.protocol.security.exception.MessageSigningException;
import org.bitrepository.protocol.security.exception.OperationAuthorizationException;
import org.bitrepository.protocol.security.exception.SecurityException;
import org.bitrepository.protocol.security.exception.UnregisteredPermissionException;
import org.bitrepository.settings.repositorysettings.InfrastructurePermission;
import org.bitrepository.settings.repositorysettings.Permission;
import org.bitrepository.settings.repositorysettings.PermissionSet;
import org.bitrepository.settings.repositorysettings.RepositorySettings;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.DecoderException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/bitrepository/protocol/security/BasicSecurityManager.class */
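/**
 * Default {@link SecurityManager}: ties together CMS message signing/authentication, certificate-use and
 * operation authorization, and installs the process-wide TLS context.
 *
 * <p>Construction runs {@link #initialize()}, which in order
 * <ul>
 *   <li>registers the BouncyCastle JCA provider (JVM-global side effect),</li>
 *   <li>builds an in-memory keystore seeded with the certificates of the JVM truststore named by
 *       {@code javax.net.ssl.trustStore} (when that file is readable),</li>
 *   <li>loads this component's private key and certificate from a PEM file (when present and valid),</li>
 *   <li>adds, as trusted, the certificates of permissions flagged MESSAGE_BUS_SERVER or FILE_EXCHANGE_SERVER,</li>
 *   <li>hands the permission set to the {@link PermissionStore} and the private-key entry to the
 *       {@link MessageSigner},</li>
 *   <li>builds an {@link SSLContext} from that keystore and makes it the JVM default.</li>
 * </ul>
 *
 * <p>Message authentication and operation authorization are each gated by a flag in
 * {@code repositorySettings.getProtocolSettings()}; with the flag off the corresponding methods are no-ops.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #authorizeCertificateUse} and {@link #authorizeOperation} only <em>parse</em> the CMS
 *       signature to read the SignerId; they do not verify it. They are meaningful only after
 *       {@link #authenticateMessage} has accepted the same message/signature pair. If operation authorization
 *       is required but message authentication is not, the SignerId is taken unverified from the wire.</li>
 *   <li>{@link #authorizeOperation} lets a signer with no registered permission proceed (logged only) —
 *       see the note in that method.</li>
 *   <li>The trusted-certificate alias counter is static and unsynchronized; construct instances from one
 *       thread at a time.</li>
 * </ul>
 */
public class BasicSecurityManager implements SecurityManager {
    private static final String DEFAULT_TRUSTSTORE_PARAM = "javax.net.ssl.trustStore";
    private static final String DEFAULT_TRUSTSTORE_PASS_PARAM = "javax.net.ssl.trustStorePassword";
    private final Logger log = LoggerFactory.getLogger(BasicSecurityManager.class);
    /**
     * Protection parameter for the private-key entry in the in-memory keystore. That keystore is created
     * with {@code load(null)} and never written out, so this value only has to agree between
     * {@link KeyStore#setEntry} and {@link KeyManagerFactory#init}; it does not protect stored key material.
     */
    private static final String defaultPassword = "123456";
    /** Path of the PEM file holding this component's private key and certificate; may be null. */
    private final String privateKeyFile;
    private final RepositorySettings repositorySettings;
    private final MessageAuthenticator authenticator;
    private final MessageSigner signer;
    private final OperationAuthorizor authorizer;
    private final PermissionStore permissionStore;
    /** Source of unique aliases for trusted-certificate entries; shared by all instances (static, unsynchronized). */
    private static int aliasID = 0;
    /** In-memory keystore: copied system truststore + infrastructure certificates + our private-key entry. */
    private KeyStore keyStore;
    /** This component's signing identity, or null when no usable key file was found. */
    private KeyStore.PrivateKeyEntry privateKeyEntry;
    private final String componentID;

    /**
     * Creates the manager and runs the full initialisation described on the class.
     *
     * @param repositorySettings repository configuration (protocol flags and permission set); required
     * @param privateKeyFile path of the PEM file with this component's private key and certificate; may be
     *        null or point to a non-existent file, in which case no signing identity is loaded
     * @param messageAuthenticator verifies CMS signatures; required
     * @param messageSigner produces CMS signatures; receives the loaded private-key entry; required
     * @param operationAuthorizor decides certificate-use and operation permissions; required
     * @param permissionStore receives the permission set; required
     * @param componentID identifier of this component, passed to the permission store (not validated here)
     * @throws SecurityException if any initialisation step fails; the original exception is the cause
     */
    public BasicSecurityManager(RepositorySettings repositorySettings, String privateKeyFile,
                                MessageAuthenticator messageAuthenticator, MessageSigner messageSigner,
                                OperationAuthorizor operationAuthorizor, PermissionStore permissionStore,
                                String componentID) {
        ArgumentValidator.checkNotNull(repositorySettings, "repositorySettings");
        ArgumentValidator.checkNotNull(messageAuthenticator, "authenticator");
        ArgumentValidator.checkNotNull(messageSigner, "signer");
        ArgumentValidator.checkNotNull(operationAuthorizor, "authorizer");
        ArgumentValidator.checkNotNull(permissionStore, "permissionStore");
        this.privateKeyFile = privateKeyFile;
        this.repositorySettings = repositorySettings;
        this.authenticator = messageAuthenticator;
        this.signer = messageSigner;
        this.authorizer = operationAuthorizor;
        this.permissionStore = permissionStore;
        this.componentID = componentID;
        initialize();
    }

    /**
     * Verifies the CMS signature carried with a message.
     *
     * @param message the signed text, hashed as UTF-8 bytes
     * @param signature base64-encoded detached CMS signature, or null when the message is unsigned
     * @return the SignerId reported by the authenticator, or null when message authentication is switched
     *         off in the protocol settings (the signature is then ignored entirely)
     * @throws MessageAuthenticationException if authentication is required and the message is unsigned,
     *         the signature is not valid base64, or the authenticator rejects it
     */
    @Override // org.bitrepository.protocol.security.SecurityManager
    public SignerId authenticateMessage(String message, String signature) throws MessageAuthenticationException {
        if (!repositorySettings.getProtocolSettings().isRequireMessageAuthentication()) {
            return null;
        }
        if (signature == null) {
            throw new MessageAuthenticationException("Received unsigned message, but authentication is required");
        }
        byte[] rawSignature;
        try {
            rawSignature = Base64.decode(signature.getBytes(StandardCharsets.UTF_8));
        } catch (DecoderException e) {
            // Malformed encoding is an authentication failure of the message, not an internal error.
            throw new MessageAuthenticationException("Message signature is not valid base64", e);
        }
        return authenticator.authenticateMessage(message.getBytes(StandardCharsets.UTF_8), rawSignature);
    }

    /**
     * Signs a message with this component's private key.
     *
     * @param message text to sign, encoded as UTF-8 before signing
     * @return the base64-encoded CMS signature, or null when message authentication is switched off
     * @throws MessageSigningException if the signer fails (e.g. no private-key entry was loaded — whether
     *         that is what the signer does is up to its implementation)
     */
    @Override // org.bitrepository.protocol.security.SecurityManager
    public String signMessage(String message) throws MessageSigningException {
        if (!repositorySettings.getProtocolSettings().isRequireMessageAuthentication()) {
            return null;
        }
        byte[] cmsSignature = signer.signMessage(message.getBytes(StandardCharsets.UTF_8));
        return new String(Base64.encode(cmsSignature), StandardCharsets.UTF_8);
    }

    /**
     * Checks that the signer of a message may be used as the given certificate user.
     *
     * <p>The signature is parsed, not verified — call {@link #authenticateMessage} on the same pair first.
     *
     * @param certificateUser the user/role the certificate is claimed for; passed through to the authorizer
     * @param messageData the signed text
     * @param signature base64-encoded detached CMS signature
     * @throws CertificateUseException if authorization is required and the message is unsigned, or the
     *         authorizer rejects the use
     * @throws SecurityException if the signature cannot be decoded or parsed, or has no SignerInfo
     */
    @Override // org.bitrepository.protocol.security.SecurityManager
    public void authorizeCertificateUse(String certificateUser, String messageData, String signature)
            throws CertificateUseException {
        if (!repositorySettings.getProtocolSettings().isRequireOperationAuthorization()) {
            return;
        }
        if (signature == null) {
            // Previously a NullPointerException; report it as the authorization failure it is.
            throw new CertificateUseException("Operation authorization is required, but the message carries no signature");
        }
        authorizer.authorizeCertificateUse(certificateUser, extractSignerId(messageData, signature));
    }

    /**
     * Returns the fingerprint registered for a signer's certificate.
     *
     * @param signerId identity read from a CMS signature
     * @return the fingerprint held by the permission store
     * @throws UnregisteredPermissionException if the store has no entry for the signer
     */
    @Override // org.bitrepository.protocol.security.SecurityManager
    public String getCertificateFingerprint(SignerId signerId) throws UnregisteredPermissionException {
        return permissionStore.getCertificateFingerprint(signerId);
    }

    /**
     * Checks that the signer of a message is permitted to perform an operation.
     *
     * <p>The signature is parsed, not verified — call {@link #authenticateMessage} on the same pair first.
     *
     * @param operationType operation being requested; passed through to the authorizer
     * @param messageData the signed text
     * @param signature base64-encoded detached CMS signature
     * @param collectionID third argument handed to the authorizer (presumably the collection the operation
     *        targets; this class does not interpret it)
     * @throws OperationAuthorizationException if authorization is required and the message is unsigned,
     *         or the authorizer denies the operation
     * @throws SecurityException if the signature cannot be decoded or parsed, or has no SignerInfo
     */
    @Override // org.bitrepository.protocol.security.SecurityManager
    public void authorizeOperation(String operationType, String messageData, String signature, String collectionID)
            throws OperationAuthorizationException {
        if (!repositorySettings.getProtocolSettings().isRequireOperationAuthorization()) {
            return;
        }
        if (signature == null) {
            // Previously a NullPointerException; report it as the authorization failure it is.
            throw new OperationAuthorizationException("Operation authorization is required, but the message carries no signature");
        }
        SignerId signerId = extractSignerId(messageData, signature);
        try {
            authorizer.authorizeOperation(operationType, signerId, collectionID);
        } catch (UnregisteredPermissionException e) {
            // NOTE(review): fail-open, preserved from the original behaviour. A signer for which the
            // authorizer reports no registered permission is logged and the operation is ALLOWED to
            // continue. If that is not the intended policy, rethrow as OperationAuthorizationException.
            log.warn("No permission registered for the signer of operation '{}' (collection '{}'); "
                    + "letting the operation proceed: {}", operationType, collectionID, e.getMessage());
        }
    }

    /**
     * Decodes and parses a base64 detached CMS signature over {@code messageData} and returns the SignerId
     * of its first SignerInfo. The signature is NOT cryptographically verified here.
     *
     * @throws SecurityException if the data is not base64, not parseable CMS, or has no signers
     */
    private static SignerId extractSignerId(String messageData, String encodedSignature) {
        byte[] rawSignature;
        try {
            rawSignature = Base64.decode(encodedSignature.getBytes(StandardCharsets.UTF_8));
        } catch (DecoderException e) {
            throw new SecurityException("Signature is not valid base64", e);
        }
        CMSSignedData signedData;
        try {
            signedData = new CMSSignedData(
                    new CMSProcessableByteArray(messageData.getBytes(StandardCharsets.UTF_8)), rawSignature);
        } catch (CMSException e) {
            throw new SecurityException(e.getMessage(), e);
        }
        Collection<?> signers = signedData.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            // Previously surfaced as a NoSuchElementException from iterator().next().
            throw new SecurityException("Signature contains no SignerInfo", null);
        }
        // Only the first signer is considered, as in the original; any further SignerInfos are ignored.
        return ((SignerInformation) signers.iterator().next()).getSID();
    }

    /**
     * Runs all start-up steps in the order listed on the class. Any failure is wrapped in the unchecked
     * {@link SecurityException} so construction fails loudly rather than leaving a half-initialised manager.
     */
    private void initialize() {
        // JVM-global: registers BouncyCastle for every user of the JCA in this process.
        Security.addProvider(new BouncyCastleProvider());
        try {
            keyStore = getKeyStore();
            loadPrivateKey(privateKeyFile);
            loadInfrastructureCertificates(repositorySettings.getPermissionSet());
            permissionStore.loadPermissions(repositorySettings.getPermissionSet(), componentID);
            signer.setPrivateKeyEntry(privateKeyEntry);
            setupDefaultSSLContext();
        } catch (Exception e) {
            throw new SecurityException(e.getMessage(), e);
        }
    }

    /**
     * Creates the in-memory keystore and copies every certificate of the system truststore into it as a
     * trusted entry. Aliases that yield no certificate (e.g. secret-key entries) are skipped.
     */
    private KeyStore getKeyStore()
            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore store = KeyStore.getInstance(SecurityModuleConstants.keyStoreType);
        store.load(null);
        KeyStore systemTrustStore = loadSystemTrustStore();
        if (systemTrustStore != null) {
            for (Enumeration<String> aliases = systemTrustStore.aliases(); aliases.hasMoreElements(); ) {
                String alias = aliases.nextElement();
                Certificate trusted = systemTrustStore.getCertificate(alias);
                if (trusted == null) {
                    log.debug("Truststore alias '{}' has no certificate; skipping", alias);
                    continue;
                }
                store.setEntry(getNewAlias(), new KeyStore.TrustedCertificateEntry(trusted),
                        SecurityModuleConstants.nullProtectionParameter);
            }
        }
        return store;
    }

    /**
     * Loads the truststore named by the {@code javax.net.ssl.trustStore} system property, using the JVM's
     * default keystore type.
     *
     * @return the loaded truststore, or null when the property is unset or the file is not a readable file
     */
    private KeyStore loadSystemTrustStore()
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        String path = System.getProperty(DEFAULT_TRUSTSTORE_PARAM);
        if (path == null) {
            return null;
        }
        File trustStoreFile = new File(path);
        if (!trustStoreFile.isFile() || !trustStoreFile.canRead()) {
            log.warn("Configured truststore '{}' is not a readable file; continuing without it", path);
            return null;
        }
        String password = System.getProperty(DEFAULT_TRUSTSTORE_PASS_PARAM);
        // A null password is legal for KeyStore.load(): contents are read but the integrity check is skipped.
        // Previously an unset password property caused a NullPointerException here.
        char[] passwordChars = password == null ? null : password.toCharArray();
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStoreFile)) {
            store.load(in, passwordChars);
        }
        return store;
    }

    /** Returns the next alias for a trusted-certificate entry (a decimal counter shared by all instances). */
    private String getNewAlias() {
        return Integer.toString(aliasID++);
    }

    /**
     * Reads this component's private key and certificate from a PEM file and stores them as the
     * private-key entry of the keystore.
     *
     * <p>Recognised PEM objects: X.509 certificates (as {@link X509Certificate} or
     * {@link X509CertificateHolder}), PKCS#8 keys ({@link PrivateKeyInfo}) and traditional OpenSSL key pairs
     * ({@link PEMKeyPair}). If several of one kind are present the last one wins. Encrypted keys and any
     * other object types are logged at debug level and ignored.
     *
     * @param keyFile path of the PEM file; a null or non-existent path is logged and ignored
     * @throws CertificateException if the certificate is expired or not yet valid
     * @throws IOException if the file cannot be read or parsed
     */
    private void loadPrivateKey(String keyFile) throws IOException, KeyStoreException, CertificateException {
        if (keyFile == null || !new File(keyFile).isFile()) {
            log.info("Key file '" + keyFile + "' with private key and certificate does not exist!");
            return;
        }
        PrivateKey privateKey = null;
        X509Certificate certificate = null;
        try (PEMParser parser = new PEMParser(new BufferedReader(
                new InputStreamReader(new FileInputStream(keyFile), StandardCharsets.UTF_8)))) {
            for (Object pemObject = parser.readObject(); pemObject != null; pemObject = parser.readObject()) {
                if (pemObject instanceof X509Certificate) {
                    log.debug("Certificate for PrivateKeyEntry found");
                    certificate = (X509Certificate) pemObject;
                } else if (pemObject instanceof PrivateKey) {
                    log.debug("Key for PrivateKeyEntry found");
                    privateKey = (PrivateKey) pemObject;
                } else if (pemObject instanceof X509CertificateHolder) {
                    log.debug("X509CertificateHolder found");
                    certificate = new JcaX509CertificateConverter().setProvider(SecurityModuleConstants.BC)
                            .getCertificate((X509CertificateHolder) pemObject);
                } else if (pemObject instanceof PrivateKeyInfo) {
                    log.debug("PrivateKeyInfo found");
                    privateKey = new JcaPEMKeyConverter().getPrivateKey((PrivateKeyInfo) pemObject);
                } else if (pemObject instanceof PEMKeyPair) {
                    // "BEGIN RSA/EC PRIVATE KEY" files parse to a PEMKeyPair, which the original silently
                    // dropped; take its private half.
                    log.debug("PEMKeyPair found");
                    privateKey = new JcaPEMKeyConverter().getPrivateKey(((PEMKeyPair) pemObject).getPrivateKeyInfo());
                } else {
                    log.debug("Got something, that we don't (yet) recognize. Class: " + pemObject.getClass().getSimpleName());
                }
            }
        }
        if (privateKey == null || certificate == null) {
            log.info("No material to create private key entry found!");
            return;
        }
        // Validity is checked once, at start-up; a certificate expiring later is not re-checked here.
        certificate.checkValidity();
        privateKeyEntry = new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{certificate});
        keyStore.setEntry(SecurityModuleConstants.privateKeyAlias, privateKeyEntry,
                new KeyStore.PasswordProtection(defaultPassword.toCharArray()));
    }

    /**
     * Adds the certificate of every permission flagged MESSAGE_BUS_SERVER or FILE_EXCHANGE_SERVER to the
     * keystore as a trusted entry. Certificates that fail {@link X509Certificate#checkValidity()} or cannot
     * be parsed are logged and skipped, as are permissions without certificate data.
     *
     * @param permissionSet the configured permissions; null is logged and treated as empty
     */
    private void loadInfrastructureCertificates(PermissionSet permissionSet)
            throws CertificateException, KeyStoreException {
        if (permissionSet == null) {
            log.info("The provided PermissionSet is empty. Continuing without permissions!");
            return;
        }
        for (Permission permission : permissionSet.getPermission()) {
            if (!isInfrastructurePermission(permission)) {
                continue;
            }
            if (permission.getCertificate() == null || permission.getCertificate().getCertificateData() == null) {
                log.warn("Infrastructure permission ({}) carries no certificate data; not adding it to keystore.",
                        permission.getDescription());
                continue;
            }
            try (ByteArrayInputStream in = new ByteArrayInputStream(permission.getCertificate().getCertificateData())) {
                X509Certificate certificate = (X509Certificate) CertificateFactory
                        .getInstance(SecurityModuleConstants.CertificateType).generateCertificate(in);
                certificate.checkValidity();
                keyStore.setEntry(getNewAlias(), new KeyStore.TrustedCertificateEntry(certificate),
                        SecurityModuleConstants.nullProtectionParameter);
            } catch (IOException e) {
                // close() on a ByteArrayInputStream declares IOException but never throws it.
                log.debug("Failed closing ByteArrayInputStream", e);
            } catch (CertificateException e) {
                log.warn("Check of certificate validity failed, not adding certificate ({}) to keystore.",
                        permission.getDescription(), e);
            }
        }
    }

    /** True when the permission grants either of the two infrastructure roles whose certificates we trust. */
    private static boolean isInfrastructurePermission(Permission permission) {
        return permission.getInfrastructurePermission().contains(InfrastructurePermission.MESSAGE_BUS_SERVER)
                || permission.getInfrastructurePermission().contains(InfrastructurePermission.FILE_EXCHANGE_SERVER);
    }

    /**
     * Builds a TLS context whose trust anchors and client/server identity both come from {@link #keyStore}
     * and installs it as the JVM-wide default ({@link SSLContext#setDefault}). Protocol versions and cipher
     * suites are whatever the platform's "TLS" context defaults to; nothing is pinned here.
     */
    private void setupDefaultSSLContext()
            throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, KeyManagementException {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SecurityModuleConstants.keyTrustStoreAlgorithm);
        trustManagerFactory.init(keyStore);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SecurityModuleConstants.keyTrustStoreAlgorithm);
        keyManagerFactory.init(keyStore, defaultPassword.toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(),
                SecurityModuleConstants.defaultRandom);
        SSLContext.setDefault(sslContext);
    }
}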
