package org.postgresql.ssl;

import com.sshtools.common.ssh.components.jce.JCEAlgorithms;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import org.postgresql.ssl.LibPQFactory;
import org.postgresql.util.GT;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;

/* loaded from: input_file:org/postgresql/ssl/LazyKeyManager.class */
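/**
 * An {@link X509KeyManager} that loads the client certificate chain and private key from
 * files the first time they are asked for, instead of at construction time.
 *
 * <p>The {@code X509KeyManager} methods cannot throw checked exceptions, so a failure while
 * loading is recorded in {@link #error} and the method returns {@code null}; the caller can
 * surface the recorded failure afterwards with {@link #throwKeyManagerException()}.
 *
 * <p>Only one alias, {@code "user"}, is ever reported or accepted. The class is not
 * thread-safe: the cached chain, key and error are plain fields.
 */
public class LazyKeyManager implements X509KeyManager {
    /** The single alias this key manager reports and accepts. */
    private static final String ALIAS = "user";
    /** Algorithm name passed to {@link CertificateFactory#getInstance(String)}. */
    private static final String X509 = "X.509";

    private X509Certificate[] cert;   // cached certificate chain; null until loaded
    private PrivateKey key;           // cached private key; null until loaded
    private final String certfile;
    private final String keyfile;
    private final CallbackHandler cbh;
    private final boolean defaultfile;
    private PSQLException error;      // most recent loading failure, if any

    /**
     * Creates a key manager that reads its material lazily from the given files.
     *
     * @param certfile path of the certificate chain file, or {@code null} for no client certificate
     * @param keyfile path of the PKCS#8 private key file (plain or encrypted), or {@code null}
     * @param cbh handler that is asked for the password when the key file is encrypted;
     *        must not be {@code null} if an encrypted key file may be used
     * @param defaultfile {@code true} when the paths are defaults that may legitimately not exist;
     *        a missing or unclosable default file is then not recorded as an error
     */
    public LazyKeyManager(String certfile, String keyfile, CallbackHandler cbh, boolean defaultfile) {
        this.certfile = certfile;
        this.keyfile = keyfile;
        this.cbh = cbh;
        this.defaultfile = defaultfile;
    }

    /**
     * Rethrows the failure recorded by the last certificate or key load, if there was one.
     *
     * @throws PSQLException the recorded loading failure
     */
    public void throwKeyManagerException() throws PSQLException {
        if (error != null) {
            throw error;
        }
    }

    /**
     * Offers the {@code "user"} alias when the loaded chain is acceptable for the server's request.
     *
     * <p>The key algorithm and issuer of the last certificate in the file are compared with the
     * requested key types and issuers. Without an issuer list the alias is offered unconditionally.
     *
     * @return {@code "user"}, or {@code null} when no certificate file is configured, the chain
     *         could not be loaded or is empty, or it does not match the request
     */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        if (certfile == null) {
            return null;
        }
        // No CA list from the server: nothing to match against, offer the certificate.
        if (issuers == null || issuers.length == 0) {
            return ALIAS;
        }
        X509Certificate[] chain = getCertificateChain(ALIAS);
        // An empty file yields an empty chain; guard it instead of indexing chain[-1].
        if (chain == null || chain.length == 0) {
            return null;
        }
        X509Certificate last = chain[chain.length - 1];
        if (!matchesKeyType(last.getPublicKey().getAlgorithm(), keyType)) {
            return null;
        }
        X500Principal issuer = last.getIssuerX500Principal();
        for (Principal requested : issuers) {
            if (issuer.equals(requested)) {
                return ALIAS;
            }
        }
        return null;
    }

    /**
     * Tells whether a certificate's key algorithm satisfies the requested key types.
     * A missing or empty list accepts any algorithm; {@code null} entries never match.
     */
    private static boolean matchesKeyType(String algorithm, String[] keyType) {
        if (keyType == null || keyType.length == 0) {
            return true;
        }
        for (String requested : keyType) {
            if (algorithm.equalsIgnoreCase(requested)) {
                return true;
            }
        }
        return false;
    }

    /** Server-side selection is not supported; always {@code null}. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return null;
    }

    /**
     * Returns the certificate chain from {@link #certfile}, loading and caching it on first call.
     *
     * @return the chain, or {@code null} when no file is configured or loading failed
     *         (the failure is recorded in {@link #error} unless it is a missing default file)
     */
    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String alias) {
        if (cert != null || certfile == null) {
            return cert;
        }
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance(X509);
        } catch (CertificateException e) {
            error = new PSQLException(GT.tr("Could not find a java cryptographic algorithm: X.509 CertificateFactory not available.", new Object[0]), PSQLState.CONNECTION_FAILURE, e);
            return null;
        }
        try (FileInputStream in = new FileInputStream(certfile)) {
            // Assigned inside the block so that a failure to close the stream, which is only
            // recorded, still leaves the successfully parsed chain cached.
            cert = factory.generateCertificates(in).toArray(new X509Certificate[0]);
        } catch (FileNotFoundException e) {
            if (!defaultfile) {
                error = new PSQLException(GT.tr("Could not open SSL certificate file {0}.", certfile), PSQLState.CONNECTION_FAILURE, e);
            }
            return null;
        } catch (CertificateException e) {
            error = new PSQLException(GT.tr("Loading the SSL certificate {0} into a KeyManager failed.", certfile), PSQLState.CONNECTION_FAILURE, e);
            return null;
        } catch (IOException e) {
            // Only close() can throw here: opening throws FileNotFoundException and
            // generateCertificates reports read problems as CertificateException.
            if (!defaultfile) {
                error = new PSQLException(GT.tr("Could not close SSL certificate file {0}.", certfile), PSQLState.CONNECTION_FAILURE, e);
            }
        }
        return cert;
    }

    /**
     * Lists the aliases usable for the given key type and issuers: {@code ["user"]} or empty.
     */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        String alias = chooseClientAlias(new String[]{keyType}, issuers, null);
        return alias == null ? new String[0] : new String[]{alias};
    }

    /**
     * Reads a whole file into memory.
     *
     * @throws FileNotFoundException when the file cannot be opened for reading
     * @throws IOException on read failure, or when the file is too large for a byte array
     */
    private static byte[] readFileFully(String path) throws IOException {
        try (RandomAccessFile file = new RandomAccessFile(path, "r")) {
            long length = file.length();
            // A narrowing cast would silently truncate an oversized file; refuse it instead.
            if (length > Integer.MAX_VALUE) {
                throw new IOException("File " + path + " is too large to read into memory");
            }
            byte[] content = new byte[(int) length];
            file.readFully(content);
            return content;
        }
    }

    /**
     * Returns the private key from {@link #keyfile}, loading and caching it on first call.
     *
     * <p>The file is first tried as an unencrypted PKCS#8 key; if that fails it is treated as an
     * encrypted PKCS#8 key and the callback handler is asked for the password. The key algorithm
     * is taken from the first certificate of the chain, so the chain must load first.
     *
     * @return the key, or {@code null} when no file is configured, the chain is unavailable, or
     *         loading failed (recorded in {@link #error} unless it is a missing default file)
     */
    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String alias) {
        if (key != null || keyfile == null) {
            return key;
        }
        X509Certificate[] chain = getCertificateChain(ALIAS);
        if (chain == null || chain.length == 0) {
            return null;
        }
        try {
            byte[] encoded;
            try {
                encoded = readFileFully(keyfile);
            } catch (FileNotFoundException e) {
                if (defaultfile) {
                    return null;   // a missing default key file is not an error
                }
                throw e;
            }
            KeyFactory keyFactory = KeyFactory.getInstance(chain[0].getPublicKey().getAlgorithm());
            try {
                key = keyFactory.generatePrivate(new PKCS8EncodedKeySpec(encoded));
            } catch (InvalidKeySpecException notPlainPkcs8) {
                // Not a plain PKCS#8 key; EncryptedPrivateKeyInfo throws IOException if the
                // bytes are not encrypted PKCS#8 either, which is reported as a read failure below.
                key = decryptPrivateKey(keyFactory, new EncryptedPrivateKeyInfo(encoded));
            }
        } catch (IOException e) {
            error = new PSQLException(GT.tr("Could not read SSL key file {0}.", keyfile), PSQLState.CONNECTION_FAILURE, e);
            return null;
        } catch (NoSuchAlgorithmException e) {
            error = new PSQLException(GT.tr("Could not find a java cryptographic algorithm: {0}.", e.getMessage()), PSQLState.CONNECTION_FAILURE, e);
            return null;
        }
        return key;
    }

    /**
     * Decrypts an encrypted PKCS#8 key with a password obtained from {@link #cbh}.
     *
     * @return the decrypted key, or {@code null} after recording the failure in {@link #error}
     * @throws NoSuchAlgorithmException when the cipher named in the key file is unavailable
     * @throws IOException when the callback handler fails with an I/O error
     */
    private PrivateKey decryptPrivateKey(KeyFactory keyFactory, EncryptedPrivateKeyInfo info)
            throws NoSuchAlgorithmException, IOException {
        Cipher cipher;
        try {
            cipher = Cipher.getInstance(info.getAlgName());
        } catch (NoSuchPaddingException e) {
            throw new NoSuchAlgorithmException(e.getMessage(), e);
        }
        PasswordCallback passwordCallback = new PasswordCallback(GT.tr("Enter SSL password: ", new Object[0]), false);
        try {
            cbh.handle(new Callback[]{passwordCallback});
        } catch (UnsupportedCallbackException e) {
            if (cbh instanceof LibPQFactory.ConsoleCallbackHandler && "Console is not available".equals(e.getMessage())) {
                error = new PSQLException(GT.tr("Could not read password for SSL key file, console is not available.", new Object[0]), PSQLState.CONNECTION_FAILURE, e);
            } else {
                error = new PSQLException(GT.tr("Could not read password for SSL key file by callbackhandler {0}.", cbh.getClass().getName()), PSQLState.CONNECTION_FAILURE, e);
            }
            return null;
        }
        PBEKeySpec pbeKeySpec = new PBEKeySpec(passwordCallback.getPassword());
        passwordCallback.clearPassword();
        try {
            cipher.init(Cipher.DECRYPT_MODE,
                    SecretKeyFactory.getInstance(info.getAlgName()).generateSecret(pbeKeySpec),
                    info.getAlgParameters());
            return keyFactory.generatePrivate(info.getKeySpec(cipher));
        } catch (GeneralSecurityException e) {
            // Covers a missing SecretKeyFactory, bad password/parameters and an undecodable key.
            error = new PSQLException(GT.tr("Could not decrypt SSL key file {0}.", keyfile), PSQLState.CONNECTION_FAILURE, e);
            return null;
        } finally {
            // The key spec keeps its own copy of the password; zero it once the secret is derived.
            pbeKeySpec.clearPassword();
        }
    }

    /** Server-side aliases are not supported; always empty. */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return new String[0];
    }
}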
