package org.ogf.graap.wsag.security.core.keystore;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import org.apache.log4j.Logger;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.ogf.graap.wsag.api.configuration.WSAG4JConfiguration;
import org.ogf.graap.wsag.security.core.SecurityConstants;
import org.ogf.graap.wsag.security.core.server.Merlin;

/* loaded from: input_file:WEB-INF/lib/wsag4j-security-1.0.3.jar:org/ogf/graap/wsag/security/core/keystore/KeystoreLoginModule.class */
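/**
 * JAAS {@link LoginModule} that "logs in" by opening a keystore and binding the
 * private key and certificate chain stored under a configured alias to the
 * {@link Subject}.
 * <p>
 * Configuration is read from the module options handed to
 * {@link #initialize(Subject, CallbackHandler, Map, Map)}:
 * <ul>
 * <li>{@code keyStoreURL} (required) - keystore location, resolved through
 * {@link WSAG4JConfiguration#findResource(String)}</li>
 * <li>{@code keyStoreType} - keystore type, defaults to {@code JKS}</li>
 * <li>{@code keyStoreAlias} (required) - alias of the user's key entry</li>
 * <li>{@code trustStoreURL} / {@code trustStoreType} - optional truststore,
 * passed on to the WSS4J {@link Crypto}; the type defaults to {@code JKS}</li>
 * </ul>
 * The keystore, truststore and private-key passwords are collected at
 * {@link #login()} time through a {@link KeystoreCallback}.
 * <p>
 * On {@link #commit()} the module adds to the subject an {@link X500Principal}
 * built from the alias' end-entity certificate, an {@link X500PrivateCredential}
 * (certificate + private key) and a WSS4J {@link Crypto}; all three are removed
 * again by {@link #abort()} and {@link #logout()}.
 * <p>
 * Security notes: the passwords come back from {@link KeystoreCallback} as
 * {@link String}s, so they cannot be zeroed after use; they are only dropped
 * (set to {@code null}) when the module is logged out or aborted. The
 * {@link Crypto} is built from a {@link Properties} object that contains the
 * keystore and private-key passwords in clear, so it is added to the subject's
 * <em>private</em> credentials and must be treated as sensitive as the key.
 * <p>
 * Instances are not thread-safe apart from the lazy {@link #getKeystore()}; a
 * {@link javax.security.auth.login.LoginContext} is expected to drive a single
 * instance sequentially.
 */
public class KeystoreLoginModule implements LoginModule {
    private static final Logger LOG = Logger.getLogger(KeystoreLoginModule.class);
    private Subject klmSubject;
    private CallbackHandler cbHandler;
    private Map klmOptions;
    private KeyStore keystore;
    private String keystoreType;
    private String keystoreFile;
    private String keystorePassword;
    private String alias;
    private String privateKeyPassword;
    private String truststoreType;
    private String truststoreFile;
    private String truststorePassword;
    private Crypto userCrypto;
    private X500Principal userPrincipal;
    /** Credential added to the subject on commit; kept so it can be removed again. */
    private X500PrivateCredential userCredential;
    private boolean login = false;
    private boolean commit = false;

    /**
     * JAAS entry point: remembers the subject, callback handler and module
     * options and reads the keystore/truststore options.
     *
     * @param subject the subject to populate on {@link #commit()}
     * @param callbackHandler handler that must support {@link KeystoreCallback}
     * @param map shared state (unused)
     * @param map2 module options (see class documentation)
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        this.klmSubject = subject;
        this.cbHandler = callbackHandler;
        this.klmOptions = map2;
        initializeOptions();
    }

    /**
     * Copies the configured options into fields; keystore and truststore type
     * fall back to {@code JKS} when not given.
     */
    private void initializeOptions() {
        this.keystoreFile = (String) this.klmOptions.get("keyStoreURL");
        this.keystoreType = (String) this.klmOptions.get("keyStoreType");
        this.alias = (String) this.klmOptions.get("keyStoreAlias");
        this.truststoreFile = (String) this.klmOptions.get("trustStoreURL");
        this.truststoreType = (String) this.klmOptions.get("trustStoreType");
        if (this.keystoreType == null) {
            this.keystoreType = "JKS";
        }
        if (this.truststoreType == null) {
            this.truststoreType = "JKS";
        }
    }

    /**
     * Collects the passwords through a {@link KeystoreCallback} and opens the
     * keystore. Opening the keystore with the supplied password is the actual
     * authentication step of this module.
     *
     * @return {@code true} once the keystore has been loaded
     * @throws LoginException if no callback handler is available, the handler
     *         fails or does not support {@link KeystoreCallback}, a required
     *         parameter (keystore location, keystore password, alias, private-key
     *         password) is missing, or the keystore cannot be opened
     */
    @Override
    public boolean login() throws LoginException {
        if (this.cbHandler == null) {
            throw new LoginException("No CallbackHandler available to collect the keystore passwords");
        }
        KeystoreCallback keystoreCallback = new KeystoreCallback();
        try {
            this.cbHandler.handle(new Callback[]{keystoreCallback});
        } catch (IOException e) {
            throw loginFailure("IO error during login", e);
        } catch (UnsupportedCallbackException e) {
            throw loginFailure("Invalid callback handler. Callback not supported.", e);
        }
        this.keystorePassword = keystoreCallback.getKeystorePassword();
        this.truststorePassword = keystoreCallback.getTruststorePassword();
        this.privateKeyPassword = keystoreCallback.getPrivateKeyPassword();
        // alias is required as well: commit() looks the key entry up by it and the
        // Crypto properties cannot hold a null value.
        if (this.keystoreFile == null || this.keystorePassword == null || this.alias == null
                || this.privateKeyPassword == null) {
            throw new LoginException("Missing required parameter. The KeystoreLoginModule requires the following parameters: [keystoreFilename, keystorePassword, alias, privateKeyPassword]");
        }
        loadKeyStore();
        this.login = true;
        return true;
    }

    /**
     * Binds the alias' certificate chain, private key and a WSS4J {@link Crypto}
     * to the subject. Does nothing when {@link #login()} has not succeeded.
     *
     * @return {@code true} if the subject was populated, {@code false} if
     *         {@link #login()} did not succeed
     * @throws LoginException if the alias has no certificate or no private key,
     *         the keystore cannot be read, or the subject refuses the additions
     *         (e.g. it is read-only)
     */
    @Override
    public boolean commit() throws LoginException {
        if (!this.login) {
            return false;
        }
        X509Certificate[] certificates;
        try {
            certificates = getCertificates(this.alias);
        } catch (KeyStoreException e) {
            throw loginFailure("Could not get default certificate from KeyStoreManager", e);
        }
        if (certificates == null || certificates.length == 0) {
            throw new LoginException(MessageFormat.format("No certificates found for user {0}", this.alias));
        }
        Key key;
        try {
            key = getKeystore().getKey(this.alias, this.privateKeyPassword.toCharArray());
        } catch (GeneralSecurityException e) {
            // wrong private-key password surfaces here as UnrecoverableKeyException
            throw loginFailure("Could not get private key from KeyStoreManager", e);
        }
        if (!(key instanceof PrivateKey)) {
            // null: no key entry under this alias; non-PrivateKey: a secret-key entry
            throw new LoginException(MessageFormat.format("No private key found for alias {0}", this.alias));
        }
        X500PrivateCredential credential = new X500PrivateCredential(certificates[0], (PrivateKey) key);
        Crypto crypto = loadUserCrypto(credential, certificates, getKeystore());
        X500Principal principal = new X500Principal(certificates[0].getSubjectX500Principal().getName());
        // remember what we add so abort()/logout() can remove exactly these objects
        this.userCredential = credential;
        this.userCrypto = crypto;
        this.userPrincipal = principal;
        try {
            this.klmSubject.getPrivateCredentials().add(crypto);
            this.klmSubject.getPrivateCredentials().add(credential);
            this.klmSubject.getPrincipals().add(principal);
        } catch (RuntimeException e) {
            // e.g. IllegalStateException from a read-only Subject
            throw loginFailure("Could not bind the keystore credentials to the subject", e);
        }
        this.commit = true;
        return true;
    }

    /**
     * Undoes a failed overall authentication: if this module had already
     * committed it behaves like {@link #logout()}, otherwise it just discards
     * the collected state.
     *
     * @return {@code false} if {@link #login()} never succeeded, {@code true}
     *         otherwise
     * @throws LoginException propagated from {@link #logout()}
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.login) {
            return false;
        }
        if (this.commit) {
            return logout();
        }
        unbindFromSubject();
        clearState();
        return true;
    }

    /**
     * Removes the principal and both private credentials added by
     * {@link #commit()} from the subject, destroys the private credential and
     * drops all passwords and the keystore held by this module.
     *
     * @return always {@code true}
     * @throws LoginException never thrown by this implementation; declared by
     *         the {@link LoginModule} contract
     */
    @Override
    public boolean logout() throws LoginException {
        unbindFromSubject();
        clearState();
        return true;
    }

    /**
     * Removes whatever {@link #commit()} added to the subject. Each removal is
     * guarded against {@code null} so this is safe after a partial commit.
     * The {@link X500PrivateCredential} is destroyed afterwards so the private
     * key does not linger in an object that is no longer bound to any subject.
     */
    private void unbindFromSubject() {
        if (this.klmSubject == null) {
            return;
        }
        if (this.userPrincipal != null) {
            this.klmSubject.getPrincipals().remove(this.userPrincipal);
        }
        if (this.userCrypto != null) {
            this.klmSubject.getPrivateCredentials().remove(this.userCrypto);
        }
        if (this.userCredential != null) {
            this.klmSubject.getPrivateCredentials().remove(this.userCredential);
            this.userCredential.destroy();
        }
    }

    /**
     * Resets the module to its pre-{@link #initialize} state: flags, subject
     * additions, keystore handle and every password and option.
     */
    private void clearState() {
        this.login = false;
        this.commit = false;
        this.userCrypto = null;
        this.userPrincipal = null;
        this.userCredential = null;
        this.keystore = null;
        this.keystoreFile = null;
        this.keystoreType = null;
        this.keystorePassword = null;
        this.alias = null;
        this.privateKeyPassword = null;
        this.truststoreFile = null;
        this.truststoreType = null;
        this.truststorePassword = null;
    }

    /**
     * Returns the keystore, loading it on first use.
     *
     * @return the loaded keystore
     * @throws LoginException if the keystore cannot be loaded
     */
    private synchronized KeyStore getKeystore() throws LoginException {
        if (this.keystore == null) {
            loadKeyStore();
        }
        return this.keystore;
    }

    /**
     * Opens the configured keystore with the keystore password and stores it in
     * {@link #keystore}. The resource stream is always closed.
     * <p>
     * A missing resource is reported explicitly instead of being handed to
     * {@link KeyStore#load(InputStream, char[])} as {@code null}, which would
     * silently produce an <em>empty</em> keystore.
     *
     * @throws LoginException if no keystore location or password is set, the
     *         resource cannot be found or read, the type is unsupported, or the
     *         password is wrong / the store is corrupt
     */
    private void loadKeyStore() throws LoginException {
        if (this.keystoreFile == null) {
            throw new LoginException("No keystore specified by user.");
        }
        if (this.keystorePassword == null) {
            throw new LoginException("No keystore password available.");
        }
        String type = this.keystoreType == null ? KeyStore.getDefaultType() : this.keystoreType;
        InputStream in = null;
        try {
            KeyStore store = KeyStore.getInstance(type);
            in = WSAG4JConfiguration.findResource(this.keystoreFile);
            if (in == null) {
                throw new LoginException(MessageFormat.format("Keystore {0} not found.", this.keystoreFile));
            }
            store.load(in, this.keystorePassword.toCharArray());
            this.keystore = store;
        } catch (IOException e) {
            // covers both unreadable resource and wrong password / tampered store
            throw loginFailure(MessageFormat.format("Could not load keystore {0}: {1}", this.keystoreFile, e.getMessage()), e);
        } catch (GeneralSecurityException e) {
            // KeyStoreException (unsupported type), NoSuchAlgorithmException, CertificateException
            throw loginFailure(MessageFormat.format("Could not load keystore {0}: {1}", this.keystoreFile, e.getMessage()), e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    LOG.debug("Could not close keystore stream", ignored);
                }
            }
        }
    }

    /**
     * Looks up the certificate chain for an alias, falling back to the single
     * trusted certificate entry when there is no chain.
     *
     * @param str the keystore alias
     * @return the X.509 chain (end-entity first, as stored), or {@code null} if
     *         the alias has neither a chain nor a certificate
     * @throws KeyStoreException if the keystore cannot be queried
     * @throws LoginException if the keystore cannot be loaded or an entry in the
     *         chain is not an X.509 certificate
     */
    private X509Certificate[] getCertificates(String str) throws KeyStoreException, LoginException {
        KeyStore store = getKeystore();
        if (store == null) {
            return null;
        }
        Certificate[] chain = store.getCertificateChain(str);
        if (chain == null || chain.length == 0) {
            Certificate single = store.getCertificate(str);
            if (single == null) {
                return null;
            }
            chain = new Certificate[]{single};
        }
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new LoginException(MessageFormat.format("Certificate {0} of alias {1} is not an X.509 certificate", i, str));
            }
            x509Chain[i] = (X509Certificate) chain[i];
        }
        return x509Chain;
    }

    /**
     * Builds the WSS4J {@link Crypto} for the logged-in user. The primary path
     * is a {@link Merlin} configured from this module's options; when that
     * fails, a {@link CryptoBase} wrapping the already-loaded keystore is used
     * and serves the login credential under {@link SecurityConstants#DEFAULT_ALIAS}.
     * <p>
     * The {@link Properties} passed to Merlin carry the keystore, alias and
     * truststore passwords in clear.
     *
     * @param x500PrivateCredential the user's certificate and private key
     * @param x509CertificateArr the user's certificate chain
     * @param keyStore the loaded keystore, used by the fallback
     * @return a {@link Crypto} usable for signing/encryption on behalf of the user
     */
    private Crypto loadUserCrypto(final X500PrivateCredential x500PrivateCredential, final X509Certificate[] x509CertificateArr, KeyStore keyStore) {
        Properties properties = new Properties();
        properties.setProperty(SecurityConstants.PROP_CRYPTO_PROVIDER, Merlin.class.getName());
        properties.setProperty(SecurityConstants.PROP_KEYSTORE_TYPE, this.keystoreType);
        properties.setProperty(SecurityConstants.PROP_KEYSTORE_PASS, this.keystorePassword);
        properties.setProperty(SecurityConstants.PROP_KEYSTORE_ALIAS, this.alias);
        properties.setProperty(SecurityConstants.PROP_KEYSTORE_ALIAS_PASS, this.privateKeyPassword);
        properties.setProperty(SecurityConstants.PROP_KEYSTORE_FILE, this.keystoreFile);
        if (this.truststoreFile != null) {
            properties.setProperty(SecurityConstants.PROP_TRUSTSTORE_FILE, this.truststoreFile);
        }
        if (this.truststorePassword != null) {
            properties.setProperty(SecurityConstants.PROP_TRUSTSTORE_PASS, this.truststorePassword);
        }
        if (this.truststoreType != null) {
            properties.setProperty(SecurityConstants.PROP_TRUSTSTORE_TYPE, this.truststoreType);
        }
        try {
            return new Merlin(properties);
        } catch (Exception e) {
            // keep the stack trace; the message alone rarely explains a keystore problem
            LOG.error(MessageFormat.format("Could not load user crypto. Reason: {0}", e.getMessage()), e);
            LOG.error("Try fallback... Does eventually not work for PKCS12 keystore.");
            CryptoBase cryptoBase = new CryptoBase() { // from class: org.ogf.graap.wsag.security.core.keystore.KeystoreLoginModule.1
                @Override // org.apache.ws.security.components.crypto.CryptoBase
                protected String getCryptoProvider() {
                    return null;
                }

                @Override // org.apache.ws.security.components.crypto.Crypto
                public String getDefaultX509Alias() {
                    return SecurityConstants.DEFAULT_ALIAS;
                }

                /** The default alias maps to the login credential; anything else goes to the keystore. */
                @Override // org.apache.ws.security.components.crypto.CryptoBase, org.apache.ws.security.components.crypto.Crypto
                public PrivateKey getPrivateKey(String str, String str2) throws Exception {
                    if (SecurityConstants.DEFAULT_ALIAS.equals(str)) {
                        return x500PrivateCredential.getPrivateKey();
                    }
                    return (PrivateKey) this.keystore.getKey(str, str2.toCharArray());
                }

                /** The default alias returns the login chain (or the bare certificate when no chain was given). */
                @Override // org.apache.ws.security.components.crypto.CryptoBase, org.apache.ws.security.components.crypto.Crypto
                public X509Certificate[] getCertificates(String str) throws WSSecurityException {
                    if (!SecurityConstants.DEFAULT_ALIAS.equals(str)) {
                        return super.getCertificates(str);
                    }
                    if (x509CertificateArr != null) {
                        return x509CertificateArr;
                    }
                    KeystoreLoginModule.LOG.warn("No certificate chain provided in the login context.");
                    return new X509Certificate[]{x500PrivateCredential.getCertificate()};
                }
            };
            cryptoBase.setKeyStore(keyStore);
            return cryptoBase;
        }
    }

    /**
     * Creates a {@link LoginException} that keeps its cause; the JAAS exception
     * has no (message, cause) constructor.
     */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException failure = new LoginException(message);
        failure.initCause(cause);
        return failure;
    }
}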
