package org.xdi.oxauth.model.crypto;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithmFamily;
import org.xdi.oxauth.model.jwk.JWKParameter;
import org.xdi.oxauth.model.jwk.Use;
import org.xdi.oxauth.model.util.Base64Util;
import org.xdi.oxauth.model.util.Util;

/* loaded from: input_file:org/xdi/oxauth/model/crypto/OxAuthCryptoProvider.class */
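/**
 * Crypto provider backed by a file-based JKS key store.
 *
 * <p>Private keys live in the key store under a random UUID alias, each paired with a
 * self-signed X.509 certificate; the public half is published as a JWK (with an
 * {@code x5c} chain) by {@link #generateKey}. HMAC signing/verification does not touch
 * the key store and works purely on the caller-supplied shared secret.
 *
 * <p>Note on naming: {@code java.security.PublicKey} / {@code java.security.PrivateKey}
 * are written fully qualified throughout, because this package also declares classes
 * with those simple names.
 *
 * <p>Thread-safety: nothing here is synchronized. Every write ({@link #generateKey},
 * {@link #deleteKey}) rewrites the whole key store file, so concurrent writers must be
 * serialized by the caller.
 */
public class OxAuthCryptoProvider extends AbstractCryptoProvider {
    private static final Logger LOG = Logger.getLogger(OxAuthCryptoProvider.class);

    /** Key store type used both when creating a fresh file and when loading an existing one. */
    private static final String KEY_STORE_TYPE = "JKS";
    /** Modulus size in bits for RSA key pairs produced by {@link #generateKey}. */
    private static final int RSA_KEY_SIZE = 2048;
    /** Bit length of the random certificate serial number. */
    private static final int SERIAL_NUMBER_BITS = 256;
    /** OID of the X.509 Extended Key Usage extension (id-ce-extKeyUsage). */
    private static final String EXT_KEY_USAGE_OID = "2.5.29.37";
    /** How far notBefore is backdated, to tolerate small clock skew at verifiers. */
    private static final long NOT_BEFORE_SKEW_MS = 10000L;
    /** Charset for the signing input; JWS signing input is ASCII, so this is also the safe default. */
    private static final String SIGNING_INPUT_CHARSET = "UTF-8";

    // Remains null when the constructor received no file or no secret; every key-store
    // operation then fails with an IllegalStateException from requireKeyStore().
    private KeyStore keyStore;
    private String keyStoreFile;
    // Held as a String (it is used as both the store password and every key entry's password),
    // so it cannot be zeroed after use.
    private String keyStoreSecret;
    private String dnName;

    /**
     * Creates a provider without a key store. Only the HMAC paths of {@link #sign} and
     * {@link #verifySignature} are usable on such an instance.
     *
     * @throws Exception never in practice; kept for signature compatibility
     */
    public OxAuthCryptoProvider() throws Exception {
        this(null, null, null);
    }

    /**
     * Creates a provider backed by the given key store file, creating an empty store on
     * disk first if the file does not exist yet.
     *
     * <p>Load failures are logged and swallowed (best effort, as before): the instance is
     * then left with an unloaded key store and later calls fail.
     *
     * @param keyStoreFile   path of the JKS file; when null/empty no key store is opened
     * @param keyStoreSecret password for the store and for every key entry; when null/empty
     *                       no key store is opened
     * @param dnName         distinguished name used as subject and issuer of generated
     *                       certificates (may be null; {@link #generateKey} then fails)
     * @throws Exception if the JKS key store type is unavailable
     */
    public OxAuthCryptoProvider(String keyStoreFile, String keyStoreSecret, String dnName) throws Exception {
        if (Util.isNullOrEmpty(keyStoreFile) || Util.isNullOrEmpty(keyStoreSecret)) {
            return;
        }
        this.keyStoreFile = keyStoreFile;
        this.keyStoreSecret = keyStoreSecret;
        this.dnName = dnName;
        this.keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
        char[] password = keyStoreSecret.toCharArray();
        try {
            if (!new File(keyStoreFile).exists()) {
                // Initialise an empty in-memory store and persist it so the load below succeeds.
                this.keyStore.load(null, password);
                storeKeyStore();
            }
            FileInputStream in = new FileInputStream(keyStoreFile);
            try {
                this.keyStore.load(in, password);
            } finally {
                in.close();
            }
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
        }
    }

    /**
     * Generates a new RSA or EC key pair, wraps the public key in a self-signed certificate,
     * stores both under a fresh UUID alias and returns the public JWK.
     *
     * @param signatureAlgorithm algorithm the key is intended for (determines family, curve
     *                           and the certificate's signature algorithm)
     * @param expirationTime     key/certificate expiry as epoch milliseconds; becomes the
     *                           certificate's notAfter and the JWK's {@code exp}
     * @return JWK with {@code kty}, {@code kid}, {@code use}, {@code alg}, {@code exp}, the
     *         family-specific public parameters and an {@code x5c} chain of one certificate
     * @throws RuntimeException if the algorithm or expiration time is null, or the family is
     *                          neither RSA nor EC
     * @throws IllegalStateException if no key store was configured
     * @throws Exception on key generation, certificate or key store errors
     */
    @Override // org.xdi.oxauth.model.crypto.AbstractCryptoProvider
    public JSONObject generateKey(SignatureAlgorithm signatureAlgorithm, Long expirationTime) throws Exception {
        if (signatureAlgorithm == null) {
            throw new RuntimeException("The signature algorithm parameter cannot be null");
        }
        if (expirationTime == null) {
            throw new RuntimeException("The expiration time parameter cannot be null");
        }
        KeyStore store = requireKeyStore();

        // Decide on the family before asking the provider, so an unsupported family yields
        // the explicit error below rather than a NoSuchAlgorithmException.
        String family = signatureAlgorithm.getFamily();
        KeyPairGenerator keyPairGenerator;
        if ("RSA".equals(family)) {
            keyPairGenerator = KeyPairGenerator.getInstance(family, BouncyCastleProvider.PROVIDER_NAME);
            keyPairGenerator.initialize(RSA_KEY_SIZE, new SecureRandom());
        } else if (SignatureAlgorithmFamily.EC.equals(family)) {
            keyPairGenerator = KeyPairGenerator.getInstance(family, BouncyCastleProvider.PROVIDER_NAME);
            ECGenParameterSpec curveSpec = new ECGenParameterSpec(signatureAlgorithm.getCurve().getAlias());
            keyPairGenerator.initialize(curveSpec, new SecureRandom());
        } else {
            throw new RuntimeException("The provided signature algorithm parameter is not supported");
        }

        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        X509Certificate certificate = generateV3Certificate(keyPair, this.dnName, signatureAlgorithm.getAlgorithm(), expirationTime);
        String alias = UUID.randomUUID().toString();
        store.setKeyEntry(alias, keyPair.getPrivate(), this.keyStoreSecret.toCharArray(), new X509Certificate[] {certificate});
        storeKeyStore();

        JSONObject jwk = new JSONObject();
        jwk.put("kty", family);
        jwk.put("kid", alias);
        jwk.put("use", Use.SIGNATURE);
        jwk.put("alg", signatureAlgorithm.getName());
        jwk.put("exp", expirationTime);
        java.security.PublicKey publicKey = keyPair.getPublic();
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
            jwk.put("n", Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getModulus()));
            jwk.put("e", Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getPublicExponent()));
        } else if (publicKey instanceof ECPublicKey) {
            ECPublicKey ecPublicKey = (ECPublicKey) publicKey;
            jwk.put("crv", signatureAlgorithm.getCurve());
            jwk.put("x", Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineX()));
            jwk.put("y", Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineY()));
        }
        // x5c carries standard (not url-safe) base64 of the DER certificate.
        JSONArray certificateChain = new JSONArray();
        certificateChain.put(Base64.encodeBase64String(certificate.getEncoded()));
        jwk.put("x5c", certificateChain);
        return jwk;
    }

    /**
     * Signs {@code signingInput} and returns the base64url-encoded signature.
     *
     * @param signingInput       the data to sign (JWS signing input)
     * @param alias              key store alias of the private key; ignored for HMAC
     * @param sharedSecret       HMAC secret; ignored for asymmetric algorithms
     * @param signatureAlgorithm algorithm to use
     * @return base64url signature, or {@code ""} for {@code NONE}
     * @throws IllegalArgumentException if the algorithm is null, or the secret is null for HMAC
     * @throws InvalidKeyException if no private key exists under {@code alias}
     * @throws Exception on provider or key store errors
     */
    @Override // org.xdi.oxauth.model.crypto.AbstractCryptoProvider
    public String sign(String signingInput, String alias, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
        if (signatureAlgorithm == SignatureAlgorithm.NONE) {
            return "";
        }
        if (signatureAlgorithm == null) {
            throw new IllegalArgumentException("The signature algorithm parameter cannot be null");
        }
        byte[] data = signingInput.getBytes(SIGNING_INPUT_CHARSET);
        if (SignatureAlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
            if (sharedSecret == null) {
                throw new IllegalArgumentException("A shared secret is required for HMAC signing");
            }
            SecretKeySpec secretKey = new SecretKeySpec(sharedSecret.getBytes("UTF-8"), signatureAlgorithm.getAlgorithm());
            Mac mac = Mac.getInstance(signatureAlgorithm.getAlgorithm());
            mac.init(secretKey);
            return Base64Util.base64urlencode(mac.doFinal(data));
        }
        java.security.PrivateKey privateKey = getPrivateKey(alias);
        if (privateKey == null) {
            throw new InvalidKeyException("No private key found in the key store for alias: " + alias);
        }
        Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), BouncyCastleProvider.PROVIDER_NAME);
        signature.initSign(privateKey);
        signature.update(data);
        return Base64Util.base64urlencode(signature.sign());
    }

    /**
     * Verifies a base64url signature over {@code signingInput}.
     *
     * <p>For HMAC the expected MAC is recomputed and compared in constant time. For
     * asymmetric algorithms the public key is taken from {@code jwks} when given, otherwise
     * from the key store certificate under {@code alias}; any failure to obtain the key is
     * logged and reported as {@code false}.
     *
     * @param signingInput       signed data
     * @param encodedSignature   base64url signature to check (null/empty never verifies,
     *                           except for {@code NONE} where empty is the only valid value)
     * @param alias              key alias (key store or JWKS {@code kid})
     * @param jwks               optional JWK set to resolve the public key from
     * @param sharedSecret       HMAC secret
     * @param signatureAlgorithm algorithm the signature was made with
     * @return whether the signature is valid
     * @throws Exception on provider errors or a malformed signature encoding
     */
    @Override // org.xdi.oxauth.model.crypto.AbstractCryptoProvider
    public boolean verifySignature(String signingInput, String encodedSignature, String alias, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
        if (signatureAlgorithm == SignatureAlgorithm.NONE) {
            return Util.isNullOrEmpty(encodedSignature);
        }
        if (SignatureAlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
            if (encodedSignature == null) {
                return false;
            }
            String expected = sign(signingInput, null, sharedSecret, signatureAlgorithm);
            // Constant-time comparison: String.equals leaks the matching prefix length.
            return MessageDigest.isEqual(expected.getBytes("UTF-8"), encodedSignature.getBytes("UTF-8"));
        }
        if (Util.isNullOrEmpty(encodedSignature)) {
            return false;
        }
        java.security.PublicKey publicKey;
        try {
            publicKey = jwks == null ? getPublicKey(alias) : getPublicKey(alias, jwks);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return false;
        }
        if (publicKey == null) {
            return false;
        }
        Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), BouncyCastleProvider.PROVIDER_NAME);
        signature.initVerify(publicKey);
        signature.update(signingInput.getBytes(SIGNING_INPUT_CHARSET));
        return signature.verify(Base64Util.base64urldecode(encodedSignature));
    }

    /**
     * Reads a string parameter from a JWK, falling back to the nested public-key object
     * when it is not present at the top level.
     *
     * @throws JSONException if the parameter is absent in both places
     */
    private String getJWKSValue(JSONObject jwk, String parameter) throws JSONException {
        try {
            return jwk.getString(parameter);
        } catch (Exception e) {
            // Not at top level: try the nested public key object.
            return jwk.getJSONObject(JWKParameter.PUBLIC_KEY).getString(parameter);
        }
    }

    /**
     * Removes the entry under {@code alias} and persists the key store.
     *
     * @return always {@code true}; a missing alias is not an error
     * @throws IllegalStateException if no key store was configured
     * @throws Exception on key store or I/O errors
     */
    @Override // org.xdi.oxauth.model.crypto.AbstractCryptoProvider
    public boolean deleteKey(String alias) throws Exception {
        requireKeyStore().deleteEntry(alias);
        storeKeyStore();
        return true;
    }

    /**
     * Returns the public key of the certificate stored under {@code alias}.
     *
     * @return the public key, or null when the alias is empty, unknown, or the key store
     *         cannot be read (the error is logged)
     * @throws IllegalStateException if no key store was configured
     */
    public java.security.PublicKey getPublicKey(String alias) {
        if (Util.isNullOrEmpty(alias)) {
            return null;
        }
        try {
            java.security.cert.Certificate certificate = requireKeyStore().getCertificate(alias);
            return certificate == null ? null : certificate.getPublicKey();
        } catch (KeyStoreException e) {
            LOG.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Returns the private key stored under {@code alias}, unlocked with the key store secret.
     *
     * @return the private key, or null when the alias is empty or unknown
     * @throws UnrecoverableKeyException if the entry cannot be unlocked or is not a private key
     * @throws IllegalStateException if no key store was configured
     */
    public java.security.PrivateKey getPrivateKey(String alias) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
        if (Util.isNullOrEmpty(alias)) {
            return null;
        }
        java.security.Key key = requireKeyStore().getKey(alias, this.keyStoreSecret.toCharArray());
        if (key == null) {
            return null;
        }
        if (!(key instanceof java.security.PrivateKey)) {
            throw new UnrecoverableKeyException("Key store entry '" + alias + "' is not a private key");
        }
        return (java.security.PrivateKey) key;
    }

    /**
     * Builds a self-signed X.509 v3 certificate for {@code keyPair}.
     *
     * <p>Subject and issuer are both {@code dnName}; validity runs from slightly before now
     * until {@code expirationTime}; an Extended Key Usage extension with serverAuth,
     * clientAuth and anyExtendedKeyUsage is added (non-critical).
     *
     * @param keyPair            key pair to certify (the private key signs the certificate)
     * @param dnName             subject/issuer distinguished name
     * @param signatureAlgorithm JCA signature algorithm name for the certificate signature
     * @param expirationTime     notAfter as epoch milliseconds
     * @return the certificate, converted through the BouncyCastle provider
     */
    public X509Certificate generateV3Certificate(KeyPair keyPair, String dnName, String signatureAlgorithm, Long expirationTime) throws CertIOException, OperatorCreationException, CertificateException {
        X500Name name = new X500Name(dnName);
        // Random serial so certificates are never predictable or sequential.
        // NOTE(review): 256 bits is 32 octets, more than the 20-octet maximum RFC 5280 allows
        // for serial numbers; strict parsers may reject these certificates — confirm before relying on them externally.
        BigInteger serial = new BigInteger(SERIAL_NUMBER_BITS, new SecureRandom());
        Date notBefore = new Date(System.currentTimeMillis() - NOT_BEFORE_SKEW_MS);
        Date notAfter = new Date(expirationTime.longValue());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, keyPair.getPublic());

        ASN1EncodableVector extendedKeyUsage = new ASN1EncodableVector();
        extendedKeyUsage.add(KeyPurposeId.id_kp_serverAuth);
        extendedKeyUsage.add(KeyPurposeId.id_kp_clientAuth);
        extendedKeyUsage.add(KeyPurposeId.anyExtendedKeyUsage);
        builder.addExtension(new ASN1ObjectIdentifier(EXT_KEY_USAGE_OID).intern(), false, (ASN1Encodable) new DERSequence(extendedKeyUsage));

        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME);
        return new JcaX509CertificateConverter()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .getCertificate(builder.build(signerBuilder.build(keyPair.getPrivate())));
    }

    /**
     * Lists every alias in the key store.
     *
     * @throws IllegalStateException if no key store was configured
     */
    public List<String> getKeyAliases() throws KeyStoreException {
        return Collections.list(requireKeyStore().aliases());
    }

    /**
     * Infers the signature algorithm of the key under {@code alias} from the signature
     * algorithm name of the first certificate in its chain.
     *
     * @return the matching {@link SignatureAlgorithm}, or null when the alias has no chain or
     *         the name matches no known algorithm
     * @throws IllegalStateException if no key store was configured
     */
    public SignatureAlgorithm getSignatureAlgorithm(String alias) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
        java.security.cert.Certificate[] chain = requireKeyStore().getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return null;
        }
        String sigAlgName = ((X509Certificate) chain[0]).getSigAlgName();
        for (SignatureAlgorithm candidate : SignatureAlgorithm.values()) {
            if (sigAlgName.equalsIgnoreCase(candidate.getAlgorithm())) {
                return candidate;
            }
        }
        return null;
    }

    /** Returns the key store or fails loudly when the provider was created without one. */
    private KeyStore requireKeyStore() {
        if (this.keyStore == null) {
            throw new IllegalStateException("Key store is not configured: no key store file or secret was provided");
        }
        return this.keyStore;
    }

    /**
     * Writes the in-memory key store to {@link #keyStoreFile}, always closing the stream.
     * The whole file is rewritten on every call.
     */
    private void storeKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        FileOutputStream out = new FileOutputStream(this.keyStoreFile);
        try {
            this.keyStore.store(out, this.keyStoreSecret.toCharArray());
        } finally {
            // A close failure means the store may not have been flushed, so let it propagate.
            out.close();
        }
    }
}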
