package ch.icosys.popjava.core.util.ssl;

import ch.icosys.popjava.core.combox.socket.ssl.POPKeyManager;
import ch.icosys.popjava.core.combox.socket.ssl.POPTrustManager;
import ch.icosys.popjava.core.service.jobmanager.network.POPNode;
import ch.icosys.popjava.core.util.Configuration;
import ch.icosys.popjava.core.util.LogWriter;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.GregorianCalendar;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStrictStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

/* loaded from: input_file:ch/icosys/popjava/core/util/ssl/SSLUtils.class */
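/**
 * Static helpers for the POP-Java TLS layer: the shared {@link SSLContext}, its
 * {@link POPTrustManager}/{@link POPKeyManager} pair, the "confidence link" key store,
 * the temporary certificate directory and RSA key-pair / self-signed certificate
 * generation.
 *
 * <p>All state lives in static fields. {@link #getSSLContext()} and
 * {@link #reloadPOPManagers()} are synchronized because they create or swap the shared
 * managers; the remaining accessors read the manager references without locking after
 * calling {@link #ensureManagerCreation()}.
 *
 * <p>Fingerprints produced here are SHA-1 hex digests of the DER encoding. SHA-1 is kept
 * because the value is persisted (temporary-store file names) and used as a lookup key by
 * the trust manager; changing the algorithm would orphan existing entries.
 */
public class SSLUtils {
    /** X.509 factory shared by the parsing helpers; {@code null} only if the static initializer failed. */
    private static CertificateFactory certFactory;
    private static SSLContext sslContextInstance = null;
    private static POPTrustManager trustManager = null;
    private static POPKeyManager keyManager = null;
    /** Temporary-certificate directory the current context was initialised for; a change triggers a reload. */
    private static File keyStoreLocation = null;
    private static final Configuration conf = Configuration.getInstance();
    private static final SecureRandom RANDOM = new SecureRandom();
    /** Upper bound on key-pair generation attempts before {@link #ensureKeyPairGeneration} gives up. */
    private static final int MAX_KEY_PAIR_ATTEMPTS = 5;

    private SSLUtils() {
    }

    /**
     * Loads the configured confidence-link key store from disk.
     *
     * @return the loaded key store
     * @throws IOException if the file cannot be read or the password is wrong
     */
    private static KeyStore loadKeyStore() throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException {
        KeyStore keyStore = KeyStore.getInstance(conf.getSSLKeyStoreFormat().name());
        // try-with-resources: the previous implementation never closed this stream
        try (FileInputStream in = new FileInputStream(conf.getSSLKeyStoreFile())) {
            keyStore.load(in, conf.getSSLKeyStorePassword().toCharArray());
        }
        return keyStore;
    }

    /**
     * Writes {@code keyStore} back to the configured key store file, protected with the
     * configured store password.
     *
     * @param keyStore the store to persist
     */
    private static void storeKeyStore(KeyStore keyStore) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        try (FileOutputStream out = new FileOutputStream(conf.getSSLKeyStoreFile())) {
            keyStore.store(out, conf.getSSLKeyStorePassword().toCharArray());
        }
    }

    /**
     * Returns the shared {@link SSLContext}, creating it on first use.
     *
     * <p>The context is (re)initialised when it does not exist yet or when the configured
     * temporary certificate directory changed since the last call. On the first call the
     * trust and key managers are created and the context initialised with them; on a
     * location change the existing managers are asked to reload instead.
     *
     * <p>Synchronized because it lazily initialises shared static state.
     *
     * @return the shared context, never {@code null}
     */
    public static synchronized SSLContext getSSLContext() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, KeyManagementException {
        File currentLocation = conf.getSSLTemporaryCertificateLocation();
        if (sslContextInstance == null || !currentLocation.equals(keyStoreLocation)) {
            keyStoreLocation = currentLocation;
            if (trustManager == null) {
                trustManager = new POPTrustManager();
                keyManager = new POPKeyManager();
                if (sslContextInstance == null) {
                    sslContextInstance = SSLContext.getInstance(conf.getSSLProtocolVersion());
                }
                sslContextInstance.init(new KeyManager[] {keyManager}, new TrustManager[] {trustManager}, RANDOM);
            } else {
                trustManager.reloadTrustManager();
                keyManager.reloadKeyManager();
            }
        }
        return sslContextInstance;
    }

    /**
     * Invalidates every cached client and server TLS session of the shared context so that
     * new connections renegotiate against the current trust material. No-op if the context
     * has not been created yet.
     */
    public static void invalidateSSLSessions() {
        SSLContext context = sslContextInstance;
        if (context == null) {
            return;
        }
        invalidateSSLSessions(context.getClientSessionContext());
        invalidateSSLSessions(context.getServerSessionContext());
    }

    /**
     * Invalidates every session currently held by {@code sessionContext}.
     *
     * @param sessionContext the client or server session cache
     */
    private static void invalidateSSLSessions(SSLSessionContext sessionContext) {
        for (Enumeration<byte[]> ids = sessionContext.getIds(); ids.hasMoreElements();) {
            sessionContext.getSession(ids.nextElement()).invalidate();
        }
    }

    /**
     * Asks the trust and key managers (if they exist) to reload their material. Failures
     * are logged and swallowed; this is a best-effort refresh.
     */
    public static synchronized void reloadPOPManagers() {
        try {
            if (trustManager != null) {
                trustManager.reloadTrustManager();
            }
            if (keyManager != null) {
                keyManager.reloadKeyManager();
            }
        } catch (Exception e) {
            // log the message rather than getCause(), which is frequently null and hid the reason
            LogWriter.writeDebugInfo("[SSLUtils] Failed to reload Managers: %s", e.getMessage());
            LogWriter.writeExceptionLog(e);
        }
    }

    /**
     * Builds the key store alias used for a confidence link: the node's hash code in hex,
     * an {@code @}, and {@code str} lower-cased.
     *
     * <p>{@code toLowerCase()} uses the default locale; it is kept that way because the
     * alias is persisted in the key store and must match existing entries.
     *
     * @param pOPNode the node the link belongs to
     * @param str the second alias component (presumably a network name; the callers do not say)
     * @return the alias
     */
    private static String confidenceLinkAlias(POPNode pOPNode, String str) {
        return String.format("%x@%s", pOPNode.hashCode(), str.toLowerCase());
    }

    /**
     * Stores {@code certificate} under the confidence-link alias of ({@code pOPNode}, {@code str}).
     *
     * @param replaceExisting when {@code false} the entry is only written if the alias does
     *     not exist yet (never overwrite); when {@code true} it is only written if the alias
     *     already exists (replace only)
     * @throws IOException wrapping any key store failure, with the original cause attached
     */
    private static void addConfidenceLink(POPNode pOPNode, Certificate certificate, String str, boolean replaceExisting) throws IOException {
        try {
            KeyStore keyStore = loadKeyStore();
            String alias = confidenceLinkAlias(pOPNode, str);
            boolean present = Collections.list(keyStore.aliases()).contains(alias);
            // XOR: skip "add" when present, skip "replace" when absent
            if (present ^ replaceExisting) {
                return;
            }
            keyStore.setCertificateEntry(alias, certificate);
            storeKeyStore(keyStore);
        } catch (Exception e) {
            throw new IOException("Failed to save Confidence Link in KeyStore.", e);
        }
    }

    /**
     * Adds a confidence link for {@code pOPNode}; does nothing if one already exists.
     *
     * @throws IOException if the key store cannot be read or written
     */
    public static void addConfidenceLink(POPNode pOPNode, Certificate certificate, String str) throws IOException {
        addConfidenceLink(pOPNode, certificate, str, false);
    }

    /**
     * Replaces the certificate of an existing confidence link for {@code pOPNode}; does
     * nothing if no link exists yet.
     *
     * @throws IOException if the key store cannot be read or written
     */
    public static void replaceConfidenceLink(POPNode pOPNode, Certificate certificate, String str) throws IOException {
        addConfidenceLink(pOPNode, certificate, str, true);
    }

    /**
     * Removes the confidence link of ({@code pOPNode}, {@code str}) if present.
     *
     * @throws IOException if the key store cannot be read or written
     */
    public static void removeConfidenceLink(POPNode pOPNode, String str) throws IOException {
        removeAlias(confidenceLinkAlias(pOPNode, str));
    }

    /**
     * Deletes {@code str} from the configured key store if such an alias exists.
     *
     * @param str the alias to delete
     * @throws IOException wrapping any key store failure, with the original cause attached
     */
    public static void removeAlias(String str) throws IOException {
        try {
            KeyStore keyStore = loadKeyStore();
            if (Collections.list(keyStore.aliases()).contains(str)) {
                keyStore.deleteEntry(str);
                storeKeyStore(keyStore);
            }
        } catch (Exception e) {
            throw new IOException("Failed to remove alias [" + str + "] from KeyStore.", e);
        }
    }

    /**
     * Parses {@code bArr} as an X.509 certificate and returns its fingerprint.
     *
     * @param bArr the encoded certificate
     * @return the upper-case hex SHA-1 digest of the DER encoding, or {@code null} if the
     *     bytes are not a parsable certificate
     */
    public static String certificateFingerprint(byte[] bArr) {
        try {
            Certificate certificate = certificateFromBytes(bArr);
            return certificate == null ? null : certificateFingerprint(certificate);
        } catch (CertificateException e) {
            return null;
        }
    }

    /**
     * Computes the fingerprint of {@code certificate}: the SHA-1 digest of its encoded form
     * as upper-case hex without separators.
     *
     * @param certificate the certificate; {@code null} yields {@code null}
     * @return the fingerprint, or {@code null} if the certificate cannot be encoded
     */
    public static String certificateFingerprint(Certificate certificate) {
        if (certificate == null) {
            return null;
        }
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(certificate.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02X", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return null;
        }
    }

    /**
     * Renders {@code certificate} as a PEM block (BEGIN/END CERTIFICATE markers around the
     * Base64 of the DER encoding on a single line) encoded as UTF-8.
     *
     * @param certificate the certificate to export
     * @return the PEM bytes; if the certificate cannot be encoded only the BEGIN marker is
     *     returned (historic behaviour) and the failure is logged
     */
    public static byte[] certificateBytes(Certificate certificate) {
        StringBuilder pem = new StringBuilder();
        try {
            pem.append("-----BEGIN CERTIFICATE-----\n");
            pem.append(Base64.getEncoder().encodeToString(certificate.getEncoded())).append("\n");
            pem.append("-----END CERTIFICATE-----\n");
        } catch (CertificateEncodingException e) {
            // previously swallowed silently, which produced a truncated PEM with no trace of why
            LogWriter.writeDebugInfo("[SSLUtils] failed to encode certificate: %s", e.getMessage());
        }
        return pem.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Parses {@code bArr} with the shared X.509 factory.
     *
     * @param bArr the encoded certificate
     * @return the certificate, or {@code null} on an I/O failure (logged)
     * @throws CertificateException if the bytes are not a valid certificate, or if the
     *     X.509 factory could not be created at class initialisation
     */
    public static Certificate certificateFromBytes(byte[] bArr) throws CertificateException {
        if (certFactory == null) {
            throw new CertificateException("X.509 CertificateFactory is not available");
        }
        try (ByteArrayInputStream in = new ByteArrayInputStream(bArr)) {
            return certFactory.generateCertificate(in);
        } catch (IOException e) {
            LogWriter.writeDebugInfo("[SSLUtils] invalid array for certificate conversion: %s", e.getMessage());
            return null;
        }
    }

    /**
     * Delegates to the trust manager after ensuring it exists.
     *
     * @return whether {@code certificate} is known to the trust manager
     */
    public static boolean isCertificateKnown(Certificate certificate) {
        ensureManagerCreation();
        return trustManager.isCertificateKnown(certificate);
    }

    /**
     * Delegates to the trust manager after ensuring it exists.
     *
     * @param str a certificate fingerprint as produced by {@link #certificateFingerprint(Certificate)}
     * @return the network associated with that fingerprint, as defined by the trust manager
     */
    public static String getNetworkFromFingerprint(String str) {
        ensureManagerCreation();
        return trustManager.getNetworkFromFingerprint(str);
    }

    /**
     * Delegates to the trust manager after ensuring it exists.
     *
     * @param str a certificate fingerprint
     * @return the matching certificate, as resolved by the trust manager
     */
    public static Certificate getCertificate(String str) {
        ensureManagerCreation();
        return trustManager.getCertificate(str);
    }

    /**
     * Delegates to the trust manager after ensuring it exists.
     *
     * @param str a key store alias
     * @return the certificate stored under that alias, as resolved by the trust manager
     */
    public static Certificate getCertificateFromAlias(String str) {
        ensureManagerCreation();
        return trustManager.getCertificateFromAlias(str);
    }

    /**
     * Delegates to the trust manager after ensuring it exists.
     *
     * @param str a certificate fingerprint
     * @return whether the trust manager classifies it as a confidence link
     */
    public static boolean isConfidenceLink(String str) {
        ensureManagerCreation();
        return trustManager.isConfidenceLink(str);
    }

    /**
     * Saves an encoded certificate into the temporary certificate directory and reloads the
     * trust manager. See {@link #addCertToTempStore(byte[], boolean)}.
     */
    public static void addCertToTempStore(byte[] bArr) {
        addCertToTempStore(bArr, true);
    }

    /**
     * Saves an encoded certificate into the configured temporary certificate directory as
     * {@code <fingerprint>.cer}, unless the trust manager already knows it.
     *
     * <p>The file name is derived from the certificate's own digest, never from the input,
     * so the written path cannot escape the directory. The bytes are stored as received.
     * Failures are logged and swallowed.
     *
     * @param bArr the encoded certificate
     * @param z whether to reload the trust manager after writing
     */
    public static void addCertToTempStore(byte[] bArr, boolean z) {
        ensureManagerCreation();
        try {
            Certificate certificate = certificateFromBytes(bArr);
            if (certificate == null || trustManager.isCertificateKnown(certificate)) {
                return;
            }
            String fingerprint = certificateFingerprint(certificate);
            if (fingerprint == null) {
                LogWriter.writeDebugInfo("[SSLUtils] failed to save certificate: %s", "fingerprint unavailable");
                return;
            }
            Files.write(conf.getSSLTemporaryCertificateLocation().toPath().resolve(fingerprint + ".cer"), bArr);
            if (z) {
                trustManager.reloadTrustManager();
            }
        } catch (Exception e) {
            // the format string previously lacked %s, so the message was never printed
            LogWriter.writeDebugInfo("[SSLUtils] failed to save certificate: %s", e.getMessage());
        }
    }

    /**
     * Makes sure the shared context and managers exist. Initialisation failures are logged;
     * callers that then dereference {@code trustManager} will fail on a {@code null}.
     */
    private static void ensureManagerCreation() {
        try {
            getSSLContext();
        } catch (Exception e) {
            // previously swallowed silently, leaving callers with an unexplained NPE
            LogWriter.writeDebugInfo("[SSLUtils] SSLContext initialisation failed: %s", e.getMessage());
            LogWriter.writeExceptionLog(e);
        }
    }

    /**
     * Generates a fresh key pair and self-signed certificate from {@code keyPairDetails} and
     * writes it into the key store described by {@code keyStoreDetails}, without reloading
     * the managers.
     *
     * @return {@code true} on success, {@code false} if generation or storage failed (logged)
     */
    public static boolean generateKeyStore(KeyStoreDetails keyStoreDetails, KeyPairDetails keyPairDetails) {
        try {
            addKeyEntryToKeyStore(keyStoreDetails, keyPairDetails, ensureKeyPairGeneration(keyPairDetails), false);
            return true;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IllegalStateException e) {
            LogWriter.writeDebugInfo("[KeyStore] Generation failed with message: %s.", e.getMessage());
            return false;
        }
    }

    /**
     * Adds {@code privateKeyEntry} to the key store described by {@code keyStoreDetails} and
     * reloads the managers if they exist.
     */
    public static void addKeyEntryToKeyStore(KeyStoreDetails keyStoreDetails, KeyPairDetails keyPairDetails, KeyStore.PrivateKeyEntry privateKeyEntry) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        addKeyEntryToKeyStore(keyStoreDetails, keyPairDetails, privateKeyEntry, true);
    }

    /**
     * Loads the key store file (or starts an empty store if the file does not exist), adds
     * {@code privateKeyEntry} under {@code keyPairDetails.getAlias()}, and writes the result
     * back.
     *
     * <p>Only a missing file falls back to an empty store; a wrong password or a corrupt file
     * propagates so that an existing store is never silently replaced.
     *
     * @param reloadManagers whether to reload the trust and key managers afterwards (only if
     *     they have been created)
     */
    private static void addKeyEntryToKeyStore(KeyStoreDetails keyStoreDetails, KeyPairDetails keyPairDetails, KeyStore.PrivateKeyEntry privateKeyEntry, boolean reloadManagers) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        char[] storePassword = keyStoreDetails.getKeyStorePassword().toCharArray();
        KeyStore keyStore = KeyStore.getInstance(keyStoreDetails.getKeyStoreFormat().name());
        try (FileInputStream in = new FileInputStream(keyStoreDetails.getKeyStoreFile())) {
            keyStore.load(in, storePassword);
        } catch (FileNotFoundException e) {
            keyStore.load(null);
        }

        keyStore.setEntry(keyPairDetails.getAlias(), privateKeyEntry,
                new KeyStore.PasswordProtection(keyStoreDetails.getPrivateKeyPassword().toCharArray()));

        // Round-trip through memory before touching the file: the original code did this,
        // presumably so a store that cannot be serialised and re-read never overwrites the one on disk.
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        keyStore.store(buffer, storePassword);
        KeyStore verified = KeyStore.getInstance(keyStoreDetails.getKeyStoreFormat().name());
        try (ByteArrayInputStream in = new ByteArrayInputStream(buffer.toByteArray())) {
            verified.load(in, storePassword);
        }
        // try-with-resources: the previous implementation leaked this stream
        try (FileOutputStream out = new FileOutputStream(keyStoreDetails.getKeyStoreFile())) {
            verified.store(out, storePassword);
        }

        if (reloadManagers && trustManager != null) {
            trustManager.reloadTrustManager();
            keyManager.reloadKeyManager();
        }
    }

    /**
     * Calls {@link #generateKeyPair(KeyPairDetails)} until it succeeds, at most
     * {@link #MAX_KEY_PAIR_ATTEMPTS} times. The previous implementation retried forever, which
     * turned any deterministic failure (e.g. invalid details) into a hang.
     *
     * @return the generated entry, never {@code null}
     * @throws IllegalStateException if every attempt failed; the last failure is the cause
     */
    public static KeyStore.PrivateKeyEntry ensureKeyPairGeneration(KeyPairDetails keyPairDetails) {
        Exception last = null;
        for (int attempt = 1; attempt <= MAX_KEY_PAIR_ATTEMPTS; attempt++) {
            try {
                return generateKeyPair(keyPairDetails);
            } catch (IOException | IllegalArgumentException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e) {
                last = e;
                LogWriter.writeDebugInfo("[KeyStore] Secure Private Key generation problem. Retrying after message: %s.", e.getMessage());
            }
        }
        throw new IllegalStateException("Key pair generation failed after " + MAX_KEY_PAIR_ATTEMPTS + " attempts.", last);
    }

    /**
     * Generates an RSA key pair of the requested size and a self-signed X.509v3 certificate
     * whose subject and issuer are built from {@code keyPairDetails.getRDN()}, valid from now
     * until {@code keyPairDetails.getValidUntil()}.
     *
     * <p>The certificate is signed with SHA1withRSA. That algorithm is retained only for
     * compatibility with peers already in the field; SHA-1 signatures are deprecated and
     * SHA256withRSA is the expected replacement once both ends can move together.
     *
     * @param keyPairDetails validated via {@code keyPairDetails.validate()} first
     * @return a private-key entry holding the key and its single self-signed certificate
     * @throws IllegalArgumentException if {@code validate()} rejects the details
     */
    public static KeyStore.PrivateKeyEntry generateKeyPair(KeyPairDetails keyPairDetails) throws NoSuchAlgorithmException, IOException, OperatorCreationException, CertificateException, IllegalArgumentException {
        keyPairDetails.validate();
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(keyPairDetails.getPrivateKeySize());
        KeyPair keyPair = generator.generateKeyPair();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();

        SubjectPublicKeyInfo publicKeyInfo;
        try (ASN1InputStream asn1 = new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded()))) {
            publicKeyInfo = SubjectPublicKeyInfo.getInstance(asn1.readObject());
        }

        X500NameBuilder nameBuilder = new X500NameBuilder(new BCStrictStyle());
        for (Map.Entry<ASN1ObjectIdentifier, String> rdn : keyPairDetails.getRDN().entrySet()) {
            nameBuilder.addRDN(rdn.getKey(), rdn.getValue());
        }
        X500Name subject = nameBuilder.build();

        // RFC 5280 requires a positive serial number; the previous RANDOM.nextInt() could be negative
        BigInteger serial = new BigInteger(63, RANDOM).add(BigInteger.ONE);
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
                subject, serial, GregorianCalendar.getInstance().getTime(), keyPairDetails.getValidUntil(), subject, publicKeyInfo);

        AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
        AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
        // RSAKeyParameters takes (isPrivate, modulus, exponent); the previous code passed the private
        // exponent as the modulus, producing a signature that does not verify under the public key and
        // sporadically tripping BouncyCastle's modulus validation (the likely reason for the retry loop).
        RSAKeyParameters signingKey = new RSAKeyParameters(true, privateKey.getModulus(), privateKey.getPrivateExponent());

        Certificate certificate = new JcaX509CertificateConverter().getCertificate(
                certBuilder.build(new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(signingKey)));
        return new KeyStore.PrivateKeyEntry(privateKey, new Certificate[] {certificate});
    }

    static {
        try {
            certFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            // certFactory stays null; certificateFromBytes reports this as a CertificateException
            LogWriter.writeExceptionLog(e);
        }
    }
}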
