package org.gluu.radius.service;

import java.io.File;
import java.io.FileWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.PrivateKey;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.log4j.Logger;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
import org.gluu.oxauth.client.supergluu.impl.ICryptoProviderFactory;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.crypto.OxAuthCryptoProvider;
import org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.jwk.Algorithm;
import org.gluu.oxauth.model.jwk.JSONWebKey;
import org.gluu.oxauth.model.jwk.JSONWebKeySet;
import org.gluu.oxauth.model.jwk.KeyType;
import org.gluu.oxauth.model.jwk.Use;
import org.gluu.oxauth.model.util.StringUtils;
import org.json.JSONArray;
import org.json.JSONObject;

/* loaded from: input_file:org/gluu/radius/service/CryptoService.class */
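/**
 * Owns the RADIUS server's JWT signing keys. Wraps an {@link OxAuthCryptoProvider} backed by
 * the keystore named in the bootstrap configuration, tracks the key id used for auth signing,
 * generates rotated keys for the configured algorithms, and can export the current auth
 * private key as a passphrase-encrypted PEM file.
 *
 * <p>Thread-safety: the provider reference never changes after construction. Neither
 * {@link #generateKeys()} nor the PEM export takes {@code cryptoLock} itself; the lock is
 * exposed to callers through {@link #beginReadOpts()}/{@link #endReadOpts()} and
 * {@link #beginWriteOpts()}/{@link #endWriteOpts()}.
 */
public class CryptoService implements ICryptoProviderFactory {
    private static final Logger log = Logger.getLogger(CryptoService.class);
    /** Distinguished name handed to the crypto provider (presumably the subject of certificates it issues). */
    private static final String dnName = "CN=Gluu Radius CA Certificates";
    /** PEM encryption scheme name passed to {@link JcePEMEncryptorBuilder} for the exported private key. */
    private static final String PRIVATE_KEY_ENC_ALGORITHM = "AES-256-CBC";
    /** Export file name; appended verbatim to the keystore's parent directory path. */
    private static final String PRIVATE_KEY_FILENAME = "/gluu-radius.private-key.pem";

    private final BootstrapConfigService bcService;
    /** JWKS-shaped document ({@code {"keys": [...]}}); callers may replace it wholesale via the setter. */
    private JSONObject serverKeyset = new JSONObject();
    private final OxAuthCryptoProvider cryptoProvider;
    /** Signature algorithms for which {@link #generateKeys()} creates one key each. */
    private final List<Algorithm> signAlgorithms;
    /** Key lifetime in days, added to "now" when keys are generated. */
    private final int expiration;
    /** Additional key lifetime in hours, added on top of {@link #expiration}. */
    private final int expirationHours;
    /** Alias/kid of the key used to sign auth tokens; replaced on rotation by {@link #generateKeys()}. */
    private String authSigningKeyId;
    private final ReadWriteLock cryptoLock;

    /**
     * Opens the JWT keystore and resolves the auth signing key id.
     *
     * @param bootstrapConfigService source of the keystore path, PIN, auth signing algorithm and key id
     * @param list signature algorithms for which {@link #generateKeys()} creates a key
     * @param i key lifetime in days
     * @param i2 key lifetime in hours, added on top of {@code i}
     * @throws Exception propagated from the crypto provider (keystore open or alias lookup failure)
     */
    public CryptoService(BootstrapConfigService bootstrapConfigService, List<Algorithm> list, int i, int i2) throws Exception {
        this.bcService = bootstrapConfigService;
        this.signAlgorithms = list;
        this.expiration = i;
        this.expirationHours = i2;
        this.serverKeyset.put("keys", new JSONArray());
        this.cryptoProvider = new OxAuthCryptoProvider(
                bootstrapConfigService.getJwtKeyStoreFile(),
                bootstrapConfigService.getJwtKeyStorePin(),
                dnName);
        this.cryptoLock = new ReentrantReadWriteLock();

        // Prefer the signing key the keystore already holds for the configured algorithm (looked up
        // with an empty kid to exclude, presumably returning any existing alias), and fall back to
        // the configured key id when none is found.
        // NOTE(review): the original overwrote the configured id unconditionally, leaving null when
        // the keystore had no matching alias — confirm the fallback matches the intended behaviour.
        String configuredKeyId = bootstrapConfigService.getJwtAuthKeyId();
        Algorithm signAlgo = Algorithm.fromString(bootstrapConfigService.getJwtAuthSignAlgo().getName());
        String keystoreKeyId = this.cryptoProvider.getAliasByAlgorithmForDeletion(signAlgo, "", Use.SIGNATURE);
        if (keystoreKeyId == null) {
            log.warn(String.format("No %s signing key found in keystore; using configured key id %s",
                    signAlgo, configuredKeyId));
            this.authSigningKeyId = configuredKeyId;
        } else {
            this.authSigningKeyId = keystoreKeyId;
        }
        log.info(String.format("Auth signing keyId: %s", this.authSigningKeyId));
    }

    /** Returns the live keyset document (not a copy; mutations are visible to this service). */
    public JSONObject getServerKeyset() {
        return this.serverKeyset;
    }

    /** Replaces the keyset document; no validation of its shape is performed here. */
    public void setServerKeyset(JSONObject jSONObject) {
        this.serverKeyset = jSONObject;
    }

    /**
     * Returns the shared crypto provider. The reference is final, so the synchronized block only
     * waits for any operation holding the provider's monitor before handing it out.
     * NOTE(review): kept from the original; confirm whether anything else synchronizes on the provider.
     */
    public AbstractCryptoProvider getCryptoProvider() {
        synchronized (this.cryptoProvider) {
            return this.cryptoProvider;
        }
    }

    /** Factory-interface entry point; despite the name it returns the single shared provider. */
    public AbstractCryptoProvider newCryptoProvider() {
        return getCryptoProvider();
    }

    /** Kid/alias of the key currently used to sign auth tokens. */
    public String getAuthSigningKeyId() {
        return this.authSigningKeyId;
    }

    /** Acquires the shared read lock; pair with {@link #endReadOpts()} in a {@code finally}. */
    public final void beginReadOpts() {
        this.cryptoLock.readLock().lock();
    }

    /** Releases the shared read lock taken by {@link #beginReadOpts()}. */
    public final void endReadOpts() {
        this.cryptoLock.readLock().unlock();
    }

    /** Acquires the exclusive write lock; pair with {@link #endWriteOpts()} in a {@code finally}. */
    public final void beginWriteOpts() {
        this.cryptoLock.writeLock().lock();
    }

    /** Releases the exclusive write lock taken by {@link #beginWriteOpts()}. */
    public final void endWriteOpts() {
        this.cryptoLock.writeLock().unlock();
    }

    /**
     * Loads the auth signing private key from the keystore. Does not take {@code cryptoLock}.
     *
     * @throws Exception propagated from the provider (e.g. unknown alias)
     */
    public PrivateKey getAuthenticationPrivateKey() throws Exception {
        return this.cryptoProvider.getPrivateKey(this.authSigningKeyId);
    }

    /**
     * Creates one fresh signing key per configured algorithm, updates {@link #authSigningKeyId}
     * for the configured auth algorithm, and deletes the previously stored key of each algorithm.
     * Does not take {@code cryptoLock}; callers needing exclusion must bracket it with
     * {@link #beginWriteOpts()}/{@link #endWriteOpts()}.
     *
     * <p>NOTE(review): because the replaced alias is deleted immediately, anything still signed
     * with the old key can presumably no longer be verified through this provider — confirm that
     * matches the rotation model.
     *
     * @return the newly generated keys as a JWKS
     * @throws Exception propagated from the provider
     */
    public JSONWebKeySet generateKeys() throws Exception {
        JSONWebKeySet keySet = new JSONWebKeySet();
        Calendar expiresAt = new GregorianCalendar();
        expiresAt.add(Calendar.DAY_OF_MONTH, this.expiration);
        expiresAt.add(Calendar.HOUR, this.expirationHours);
        SignatureAlgorithm authSignAlgo = this.bcService.getJwtAuthSignAlgo();
        for (Algorithm algorithm : this.signAlgorithms) {
            JSONWebKey key = generateKey(expiresAt, algorithm, Use.SIGNATURE);
            if (authSignAlgo == SignatureAlgorithm.fromString(algorithm.name())) {
                this.authSigningKeyId = key.getKid();
            }
            keySet.getKeys().add(key);
            // Remove the stored key for this algorithm other than the one just created.
            String staleAlias = this.cryptoProvider.getAliasByAlgorithmForDeletion(algorithm, key.getKid(), Use.SIGNATURE);
            if (staleAlias != null) {
                this.cryptoProvider.deleteKey(staleAlias);
            }
        }
        return keySet;
    }

    /**
     * Exports the auth private key next to the JWT keystore, as {@code <keystore dir>/gluu-radius.private-key.pem},
     * encrypted with the keystore PIN. Skipped with a warning when the keystore path has no parent directory.
     *
     * @throws Exception propagated from the export
     */
    public void exportAuthPrivateKeyToPem() throws Exception {
        String keyStoreDir = new File(this.bcService.getJwtKeyStoreFile()).getParent();
        if (keyStoreDir == null) {
            log.warn("JWT keystore path has no parent directory; private key export skipped.");
            return;
        }
        exportAuthPrivateKeyToPem(new File(keyStoreDir + PRIVATE_KEY_FILENAME));
    }

    /**
     * Exports the auth private key to {@code file}, using the keystore PIN as the PEM passphrase.
     *
     * @throws Exception propagated from the export
     */
    public void exportAuthPrivateKeyToPem(File file) throws Exception {
        exportAuthPrivateKeyToPem(file, this.bcService.getJwtKeyStorePin());
    }

    /**
     * Writes the auth private key to {@code file} as a PEM block encrypted with
     * {@value #PRIVATE_KEY_ENC_ALGORITHM} under the passphrase {@code str}.
     *
     * <p>{@link File#canWrite()} is false for a path that does not exist, so only an existing,
     * writable file is ever (over)written: this method never creates the file or sets its
     * permissions. Does not take {@code cryptoLock}.
     *
     * @param file existing, writable destination; a non-writable path is logged and skipped
     * @param str passphrase protecting the exported key
     * @throws Exception propagated from the provider or the file write
     */
    public void exportAuthPrivateKeyToPem(File file, String str) throws Exception {
        if (!file.canWrite()) {
            log.warn(String.format("The private key file %s is not writable.", file.getAbsolutePath()));
            return;
        }
        // Fetch the key and build the encryptor before opening the file, so a failure here leaves
        // the existing file untouched rather than truncated.
        JcaMiscPEMGenerator pemGenerator = new JcaMiscPEMGenerator(
                this.cryptoProvider.getPrivateKey(this.authSigningKeyId),
                new JcePEMEncryptorBuilder(PRIVATE_KEY_ENC_ALGORITHM).build(str.toCharArray()));
        try (Writer out = Files.newBufferedWriter(file.toPath(), StandardCharsets.UTF_8);
             JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(pemGenerator);
        }
    }

    /**
     * Generates a key in the provider and mirrors the provider's JSON description into a
     * {@link JSONWebKey}: kid, use, alg, kty (and crv for signature keys), exp, n, e, x, y, x5c.
     *
     * @param calendar expiry instant passed to the provider as epoch millis
     * @param algorithm algorithm of the new key
     * @param use {@link Use#SIGNATURE} or {@link Use#ENCRYPTION}; other values leave kty unset
     * @throws Exception propagated from the provider or from a missing {@code kid} in its response
     */
    private JSONWebKey generateKey(Calendar calendar, Algorithm algorithm, Use use) throws Exception {
        JSONObject generated = this.cryptoProvider.generateKey(algorithm, Long.valueOf(calendar.getTimeInMillis()), use);
        JSONWebKey jwk = new JSONWebKey();
        jwk.setKid(generated.getString("kid"));
        jwk.setUse(use);
        jwk.setAlg(algorithm);
        if (use == Use.SIGNATURE) {
            SignatureAlgorithm sigAlg = SignatureAlgorithm.fromString(algorithm.name());
            jwk.setKty(KeyType.fromString(sigAlg.getFamily().toString()));
            jwk.setCrv(sigAlg.getCurve());
        } else if (use == Use.ENCRYPTION) {
            jwk.setKty(KeyType.fromString(KeyEncryptionAlgorithm.fromName(algorithm.name()).getFamily()));
        }
        jwk.setExp(Long.valueOf(generated.optLong("exp")));
        jwk.setN(generated.optString("n"));
        jwk.setE(generated.optString("e"));
        jwk.setX(generated.optString("x"));
        jwk.setY(generated.optString("y"));
        jwk.setX5c(StringUtils.toList(generated.optJSONArray("x5c")));
        return jwk;
    }
}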
