package io.bdeploy.common.security;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.bdeploy.common.util.JacksonHelper;
import io.bdeploy.common.util.PathHelper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/bdeploy/common/security/SecurityHelper.class */
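public class SecurityHelper {

    /** Alias of the private key (and its certificate) in the private, PKCS12 key store. */
    public static final String ROOT_ALIAS = "1";
    /** Alias under which an imported access token is stored in the public, JCEKS key store. */
    private static final String TOKEN_ALIAS = "token";
    /** Alias under which an imported certificate is stored in the public, JCEKS key store. */
    public static final String CERT_ALIAS = "cert";

    private static final Logger log = LoggerFactory.getLogger(SecurityHelper.class);
    private static final SecurityHelper INSTANCE = new SecurityHelper();

    /**
     * Fixed salt for {@link #createSecretKey(char[])}. Together with {@link #KDF_ITERATIONS}
     * and {@link #KDF_KEY_BITS} it fixes the key derived from a given password; ciphertext
     * produced by {@link #encrypt(String, SecretKeySpec)} can only be decrypted with a key
     * derived using exactly these parameters, so they cannot be changed without a migration
     * of existing data. A per-secret random salt and a far higher iteration count would be
     * the preferred setup for any new format.
     */
    private static final byte[] DEF_SLT = "@%$&".getBytes(StandardCharsets.UTF_8);
    private static final int KDF_ITERATIONS = 1024;
    private static final int KDF_KEY_BITS = 256;

    private static final String KDF_ALGORITHM = "PBKDF2WithHmacSHA512";
    private static final String CIPHER_TRANSFORMATION = "AES/CBC/PKCS5Padding";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String TOKEN_KEY_ALGORITHM = "PBE";
    private static final String CERTIFICATE_TYPE = "X.509";
    private static final String PRIVATE_STORE_TYPE = "PKCS12";
    private static final String PUBLIC_STORE_TYPE = "JCEKS";

    /** Separates the base64 IV from the base64 ciphertext in {@link #encrypt(String, SecretKeySpec)} output. */
    private static final char IV_SEPARATOR = ':';

    /**
     * Transport form of a "full authentication pack": a signed token plus the certificate
     * that verifies it. Serialized as base64 of the JSON representation of this object.
     */
    public static class SignaturePack {

        /** Base64 encoded DER certificate; may be missing when only a token was supplied. */
        private String c;
        /** The signed token, i.e. the string form of a {@link SignedPayload}. */
        private String t;

        private SignaturePack() {
        }

        /**
         * Serializes this pack to its base64/JSON transport form.
         *
         * @throws IllegalStateException if JSON serialization fails
         */
        @Override
        public String toString() {
            try {
                return SecurityHelper.encode(SecurityHelper.getMapper().writeValueAsBytes(this));
            } catch (JsonProcessingException e) {
                throw new IllegalStateException("Cannot write JSON", e);
            }
        }

        /**
         * Parses the transport form produced by {@link #toString()}.
         *
         * @param str base64 encoded JSON pack
         * @return the parsed pack
         * @throws IllegalStateException if the string is not a valid pack. The parse error is
         *         only logged at debug level and deliberately not attached to the exception,
         *         so no detail of the (untrusted) input ends up in the error surfaced to callers.
         */
        public static SignaturePack parse(String str) {
            try {
                return SecurityHelper.getMapper().readValue(SecurityHelper.decode(str), SignaturePack.class);
            } catch (IOException e) {
                SecurityHelper.log.debug("Invalid token supplied", e);
                throw new IllegalStateException("Security token invalid.");
            }
        }
    }

    /**
     * A JSON payload together with its signature, both base64 encoded. Serialized as base64
     * of the JSON representation of this object.
     */
    public static class SignedPayload {

        /** Base64 of the UTF-8 JSON bytes of the payload object. */
        private String p;
        /** Base64 signature ({@value SecurityHelper#SIGNATURE_ALGORITHM}) over the decoded payload bytes. */
        private String s;

        private SignedPayload() {
        }

        /**
         * Serializes this payload to its base64/JSON transport form.
         *
         * @throws IllegalStateException if JSON serialization fails
         */
        @Override
        public String toString() {
            try {
                return SecurityHelper.encode(SecurityHelper.getMapper().writeValueAsBytes(this));
            } catch (JsonProcessingException e) {
                throw new IllegalStateException("Cannot write JSON", e);
            }
        }

        /**
         * Parses the transport form produced by {@link #toString()}.
         *
         * @param str base64 encoded JSON
         * @return the parsed payload (not yet verified)
         * @throws IllegalStateException if the string cannot be parsed
         */
        public static SignedPayload parse(String str) {
            try {
                return SecurityHelper.getMapper().readValue(SecurityHelper.decode(str), SignedPayload.class);
            } catch (IOException e) {
                throw new IllegalStateException("Cannot read JSON", e);
            }
        }
    }

    private SecurityHelper() {
    }

    /** @return the shared, stateless instance. */
    public static SecurityHelper getInstance() {
        return INSTANCE;
    }

    /**
     * Derives an AES key from a password using PBKDF2-HMAC-SHA512 with the fixed
     * {@link #DEF_SLT salt}, {@link #KDF_ITERATIONS} iterations and {@link #KDF_KEY_BITS} bits.
     *
     * @param cArr the password; the caller remains responsible for clearing it
     * @return an AES key usable with {@link #encrypt} and {@link #decrypt}
     * @throws GeneralSecurityException if the KDF is unavailable or the spec is rejected
     */
    public static SecretKeySpec createSecretKey(char[] cArr) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(cArr, DEF_SLT, KDF_ITERATIONS, KDF_KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            // the spec holds its own copy of the password; drop it as soon as the key exists
            spec.clearPassword();
        }
    }

    /**
     * Encrypts a string with AES/CBC/PKCS5Padding using a cipher-generated random IV.
     *
     * @param str plaintext
     * @param secretKeySpec key from {@link #createSecretKey(char[])}
     * @return {@code base64(iv) + ":" + base64(ciphertext)}
     * @throws GeneralSecurityException on any cipher failure
     */
    public static String encrypt(String str, SecretKeySpec secretKeySpec) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
        // no IV given: the provider generates a random one, which we read back and ship with the data
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
        byte[] iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV();
        byte[] ciphertext = cipher.doFinal(str.getBytes(StandardCharsets.UTF_8));
        return encode(iv) + IV_SEPARATOR + encode(ciphertext);
    }

    /**
     * Reverses {@link #encrypt(String, SecretKeySpec)}.
     *
     * @param str {@code base64(iv) + ":" + base64(ciphertext)}
     * @param secretKeySpec the key used for encryption
     * @return the plaintext
     * @throws IllegalArgumentException if the input does not contain the IV separator
     * @throws GeneralSecurityException on any cipher failure, including a wrong key (bad padding)
     */
    public static String decrypt(String str, SecretKeySpec secretKeySpec) throws GeneralSecurityException {
        int separator = str.indexOf(IV_SEPARATOR);
        if (separator < 0) {
            throw new IllegalArgumentException("Encrypted value is missing the IV separator");
        }
        byte[] iv = decode(str.substring(0, separator));
        byte[] ciphertext = decode(str.substring(separator + 1));
        Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(iv));
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    /**
     * Creates a full authentication pack (signed token plus the signing certificate) for the
     * given payload, signed with the private key in the given key store.
     *
     * @param t payload object, serialized to JSON
     * @param keyStore private key store holding {@link #ROOT_ALIAS}
     * @param cArr password protecting the private key
     * @return the pack in transport form, see {@link SignaturePack}
     * @throws GeneralSecurityException if the certificate cannot be read or encoded
     * @throws IllegalStateException if signing fails
     */
    public <T> String createSignaturePack(T t, KeyStore keyStore, char[] cArr) throws GeneralSecurityException {
        SignaturePack pack = new SignaturePack();
        pack.t = createToken(t, keyStore, cArr);
        pack.c = encode(getCertificate(keyStore).getEncoded());
        return pack.toString();
    }

    /**
     * Same as {@link #createSignaturePack(Object, KeyStore, char[])}, loading the private
     * key store from the given path first.
     *
     * @throws IOException if the key store file cannot be read
     */
    public <T> String createSignaturePack(T t, Path path, char[] cArr) throws GeneralSecurityException, IOException {
        return createSignaturePack(t, loadPrivateKeyStore(path, cArr), cArr);
    }

    /**
     * Creates a signed token for the given payload.
     *
     * @param t payload object, serialized to JSON
     * @param keyStore private key store holding {@link #ROOT_ALIAS}
     * @param cArr password protecting the private key
     * @return the token in transport form, see {@link SignedPayload}
     * @throws IllegalStateException wrapping any failure, so callers only deal with one unchecked type
     */
    public <T> String createToken(T t, KeyStore keyStore, char[] cArr) {
        try {
            return getSignedToken(t, getPrivateKey(keyStore, cArr)).toString();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Verifies a token against the certificate found in the given key store and returns its payload.
     *
     * @param str token in transport form
     * @param cls payload type
     * @param keyStore key store holding the verifying certificate under {@link #ROOT_ALIAS} or {@link #CERT_ALIAS}
     * @return the deserialized payload, or {@code null} if the signature does not verify
     * @throws GeneralSecurityException if the certificate or signature algorithm is unusable
     * @throws IllegalStateException if the token or its payload cannot be parsed
     */
    public <T> T getVerifiedPayload(String str, Class<T> cls, KeyStore keyStore) throws GeneralSecurityException {
        return doVerifyPayload(cls, SignedPayload.parse(str), getCertificate(keyStore));
    }

    /**
     * Verifies the token inside a pack using the certificate carried by the pack itself.
     * <p>
     * This only establishes that the token was signed by the key belonging to the embedded
     * certificate; it says nothing about whether that certificate is trusted. Callers that
     * need trust must compare the certificate against a known one (e.g. via
     * {@link #getVerifiedPayload(String, Class, KeyStore)}).
     *
     * @return the deserialized payload, or {@code null} if the signature does not verify
     * @throws GeneralSecurityException if the certificate cannot be decoded or verification fails to run
     * @throws IOException if closing the in-memory certificate stream fails
     */
    public <T> T getSelfVerifiedPayloadFromPack(String str, Class<T> cls) throws GeneralSecurityException, IOException {
        SignaturePack pack = SignaturePack.parse(str);
        SignedPayload payload = SignedPayload.parse(pack.t);
        return doVerifyPayload(cls, payload, parseCertificate(pack.c));
    }

    /**
     * Extracts the (unverified) token from a pack.
     *
     * @param str pack in transport form
     * @return the token string
     * @throws IllegalStateException if the pack cannot be parsed
     */
    public String getTokenFromPack(String str) {
        return SignaturePack.parse(str).t;
    }

    /**
     * Checks the signature of a payload and, only on success, deserializes it.
     *
     * @param cls payload type
     * @param signedPayload parsed but unverified payload
     * @param certificate certificate whose public key must have signed the payload
     * @return the payload, or {@code null} if the signature does not verify
     * @throws IllegalArgumentException if payload or signature is missing
     * @throws GeneralSecurityException if the signature algorithm or key is unusable
     * @throws IllegalStateException if the verified payload is not valid JSON for {@code cls}
     */
    private <T> T doVerifyPayload(Class<T> cls, SignedPayload signedPayload, Certificate certificate) throws GeneralSecurityException {
        if (signedPayload.p == null || signedPayload.s == null) {
            throw new IllegalArgumentException("Signed payload is incomplete");
        }
        byte[] payloadBytes = decode(signedPayload.p);
        // Verify before parsing: the JSON parser only ever sees bytes signed by the given
        // certificate's key, never attacker-controlled structure.
        Signature verifier = getSignatureAlgorithm();
        verifier.initVerify(certificate.getPublicKey());
        verifier.update(payloadBytes);
        if (!verifier.verify(decode(signedPayload.s))) {
            return null;
        }
        try {
            return getMapper().readValue(payloadBytes, cls);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read JSON", e);
        }
    }

    /**
     * Stores the token and certificate of a full pack in the given (public) key store.
     * The token is wrapped in a PBE secret-key entry so that a plain key store can carry
     * an opaque string; {@link #getSignedToken(KeyStore, char[])} unwraps it again.
     *
     * @param str pack in transport form
     * @param keyStore target key store, modified in place
     * @param cArr password protecting the token entry, or {@code null} for none
     * @throws IllegalArgumentException if the pack lacks either the certificate or the token
     * @throws GeneralSecurityException if the certificate cannot be decoded or the store rejects an entry
     * @throws IOException if closing the in-memory certificate stream fails
     */
    public void importSignaturePack(String str, KeyStore keyStore, char[] cArr) throws GeneralSecurityException, IOException {
        SignaturePack pack = SignaturePack.parse(str);
        if (pack.c == null || pack.t == null) {
            throw new IllegalArgumentException("Given token is not a full authentication pack");
        }
        SecretKeyFactory pbe = SecretKeyFactory.getInstance(TOKEN_KEY_ALGORITHM);
        KeyStore.SecretKeyEntry tokenEntry = new KeyStore.SecretKeyEntry(pbe.generateSecret(new PBEKeySpec(pack.t.toCharArray())));
        keyStore.setEntry(TOKEN_ALIAS, tokenEntry, protectionFor(cArr));
        keyStore.setCertificateEntry(CERT_ALIAS, parseCertificate(pack.c));
    }

    /**
     * Same as {@link #importSignaturePack(String, KeyStore, char[])} for the public key store
     * at the given path; the store is created if missing and written back afterwards.
     *
     * @throws IOException if the key store cannot be read or written
     */
    public void importSignaturePack(String str, Path path, char[] cArr) throws GeneralSecurityException, IOException {
        KeyStore publicStore = loadPublicKeyStore(path, cArr);
        importSignaturePack(str, publicStore, cArr);
        try (OutputStream out = Files.newOutputStream(path)) {
            publicStore.store(out, cArr);
        }
    }

    /**
     * Reads back the token stored by {@link #importSignaturePack(String, KeyStore, char[])}.
     *
     * @param keyStore public key store
     * @param cArr password protecting the token entry, or {@code null} for none
     * @return the token string
     * @throws IllegalStateException if the store holds no token entry
     * @throws GeneralSecurityException if the entry cannot be opened or unwrapped
     */
    public String getSignedToken(KeyStore keyStore, char[] cArr) throws GeneralSecurityException {
        if (!keyStore.containsAlias(TOKEN_ALIAS)) {
            throw new IllegalStateException("No access token found in keystore");
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) keyStore.getEntry(TOKEN_ALIAS, protectionFor(cArr));
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance(TOKEN_KEY_ALGORITHM).getKeySpec(entry.getSecretKey(), PBEKeySpec.class);
        return new String(spec.getPassword());
    }

    /**
     * Loads a PKCS12 key store from a file.
     *
     * @throws IOException if the file cannot be read or the store password is wrong
     */
    public KeyStore loadPrivateKeyStore(Path path, char[] cArr) throws GeneralSecurityException, IOException {
        try (InputStream in = Files.newInputStream(path)) {
            return loadPrivateKeyStore(in, cArr);
        }
    }

    /**
     * Loads a PKCS12 key store from a stream; the stream is not closed here.
     */
    public KeyStore loadPrivateKeyStore(InputStream inputStream, char[] cArr) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(PRIVATE_STORE_TYPE);
        keyStore.load(inputStream, cArr);
        return keyStore;
    }

    /**
     * Loads the JCEKS public key store at the given path, or returns a fresh empty one if
     * the file does not exist yet.
     *
     * @throws IOException if an existing file cannot be read or the store password is wrong
     */
    public KeyStore loadPublicKeyStore(Path path, char[] cArr) throws GeneralSecurityException, IOException {
        if (!PathHelper.exists(path)) {
            KeyStore empty = KeyStore.getInstance(PUBLIC_STORE_TYPE);
            empty.load(null, cArr);
            return empty;
        }
        try (InputStream in = Files.newInputStream(path)) {
            return loadPublicKeyStore(in, cArr);
        }
    }

    /**
     * Loads a JCEKS key store from a stream; the stream is not closed here.
     */
    public KeyStore loadPublicKeyStore(InputStream inputStream, char[] cArr) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(PUBLIC_STORE_TYPE);
        keyStore.load(inputStream, cArr);
        return keyStore;
    }

    /** Wraps a password as a key store protection parameter; {@code null} stays {@code null}. */
    private static KeyStore.ProtectionParameter protectionFor(char[] cArr) {
        return cArr == null ? null : new KeyStore.PasswordProtection(cArr);
    }

    /**
     * Decodes a base64 DER certificate as produced by {@link #createSignaturePack}.
     *
     * @throws GeneralSecurityException if the bytes are not a valid X.509 certificate
     * @throws IOException if closing the in-memory stream fails
     */
    private static Certificate parseCertificate(String base64Der) throws GeneralSecurityException, IOException {
        CertificateFactory factory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
        try (ByteArrayInputStream in = new ByteArrayInputStream(decode(base64Der))) {
            return factory.generateCertificate(in);
        }
    }

    private PrivateKey getPrivateKey(KeyStore keyStore, char[] cArr) throws GeneralSecurityException {
        return (PrivateKey) keyStore.getKey(ROOT_ALIAS, cArr);
    }

    /**
     * Returns the certificate under {@link #ROOT_ALIAS} (private store) or, if that alias is
     * absent, under {@link #CERT_ALIAS} (public store).
     *
     * @throws IllegalStateException if neither alias yields a certificate
     */
    private Certificate getCertificate(KeyStore keyStore) throws KeyStoreException {
        String alias = keyStore.containsAlias(ROOT_ALIAS) ? ROOT_ALIAS : CERT_ALIAS;
        Certificate certificate = keyStore.getCertificate(alias);
        if (certificate == null) {
            throw new IllegalStateException("KeyStore does not contain a certificate");
        }
        return certificate;
    }

    /** Signs the UTF-8 bytes of {@code str} and returns the base64 signature. */
    private String getRawSignature(String str, PrivateKey privateKey) throws GeneralSecurityException {
        Signature signer = getSignatureAlgorithm();
        signer.initSign(privateKey);
        signer.update(str.getBytes(StandardCharsets.UTF_8));
        return encode(signer.sign());
    }

    private Signature getSignatureAlgorithm() throws NoSuchAlgorithmException {
        return Signature.getInstance(SIGNATURE_ALGORITHM);
    }

    /**
     * Serializes {@code obj} to JSON and signs exactly those UTF-8 bytes, which is what
     * {@link #doVerifyPayload} verifies after decoding {@link SignedPayload#p}.
     */
    private SignedPayload getSignedToken(Object obj, PrivateKey privateKey) throws GeneralSecurityException, IOException {
        String json = getMapper().writeValueAsString(obj);
        SignedPayload payload = new SignedPayload();
        payload.p = encode(json.getBytes(StandardCharsets.UTF_8));
        payload.s = getRawSignature(json, privateKey);
        return payload;
    }

    /** Returns a mapper from {@link JacksonHelper}; a new instance on every call. */
    private static ObjectMapper getMapper() {
        return JacksonHelper.createDefaultObjectMapper();
    }

    private static String encode(byte[] bArr) {
        return Base64.encodeBase64String(bArr);
    }

    private static byte[] decode(String str) {
        return Base64.decodeBase64(str);
    }
}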
