package org.jivesoftware.openfire.certificate;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.io.IOUtils;
import org.apache.jcs.JCS;
import org.apache.jcs.access.exception.CacheException;
import org.directtruststandards.timplus.common.cert.CertStoreUtils;
import org.directtruststandards.timplus.common.cert.CertUtils;
import org.directtruststandards.timplus.common.crypto.KeyStoreProtectionManager;
import org.directtruststandards.timplus.common.crypto.WrappableKeyProtectionManager;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.PrivateKeyType;
import org.jivesoftware.util.SystemProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/certificate/CertificateManager.class */
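/**
 * Singleton front door for certificate storage and lookup.
 *
 * <p>All persistence is delegated to the {@link CertificateProvider} selected by
 * {@link #CERTIFICATE_PROVIDER}. Lookups by domain and by thumbprint are memoised in two JCS
 * caches whose size and TTL come from {@link #XMPP_CERT_MANAGER_CACHE_MAX_ITEMS} and
 * {@link #XMPP_CERT_MANAGER_CACHE_TTL}. Uploaded certificate/key material is normalised into the
 * provider's "cert data" byte format by {@link #certFromUpdloadRequest}; when the server exposes a
 * {@link WrappableKeyProtectionManager}, the private key is wrapped with its protection key before
 * it is embedded in that format, otherwise the key is embedded unwrapped (see
 * {@link #toCertDataFormat}).
 *
 * <p>Thread-safety: the cache accessors are synchronized; everything else relies on the
 * thread-safety of the provider and of JCS.
 */
public class CertificateManager {
    /** System property: maximum number of entries held by each certificate cache. */
    public static final String XMPP_CERT_MANAGER_CACHE_MAX_ITEMS = "xmpp.certmanager.cache.maxitems";
    /** System property: TTL of a cache entry, as interpreted by {@link CertStoreCachePolicy#getSubjectTTL()}. */
    public static final String XMPP_CERT_MANAGER_CACHE_TTL = "xmpp.certmanager.cache.ttl";
    private static final String DOMAIN_CACHE_NAME = "CERTIFICATE_MANAGER_DOMAIN_CERT_CACHE";
    private static final String TP_CACHE_NAME = "CERTIFICATE_MANAGER_TP_CERT_CACHE";
    /** Default for {@link #XMPP_CERT_MANAGER_CACHE_MAX_ITEMS}; the misspelled name is part of the protected API and is kept. */
    protected static final String DEFAULT_MAX_CAHCE_ITEMS = "1000";
    /** Default for {@link #XMPP_CERT_MANAGER_CACHE_TTL}. */
    protected static final String DEFAULT_CACHE_TTL = "3600";
    /** GeneralName tag of a dNSName entry as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int DNSName_TYPE = 2;
    private static final Logger Log = LoggerFactory.getLogger(CertificateManager.class);
    /**
     * Class of the {@link CertificateProvider} to use. The property is dynamic: changing it at
     * runtime re-runs {@link #initProvider(Class)} and swaps the provider in place.
     */
    public static final SystemProperty<Class> CERTIFICATE_PROVIDER = SystemProperty.Builder.ofType(Class.class).setKey("provider.certificate.className").setBaseClass(CertificateProvider.class).setDefaultValue(DefaultCertificateProvider.class).addListener(CertificateManager::initProvider).setDynamic(true).build();
    private static CertificateProvider provider;
    /** Cache of domain (upper-cased) -> collection of certificates; may be null if cache creation failed. */
    protected JCS domainCertCache;
    /** Cache of thumbprint (upper-cased) -> singleton collection holding the certificate; may be null if cache creation failed. */
    protected JCS tpCertCache;

    /**
     * Initialization-on-demand holder for the singleton. The instance is built on first access of
     * {@link #getInstance()}; a failure in the {@link CertificateManager} constructor therefore
     * surfaces as an {@code ExceptionInInitializerError} at that call site. (The decompiled source
     * notes this class was private in the original build; it is kept public for compatibility.)
     */
    public static class CertificateContainer {
        private static CertificateManager instance = new CertificateManager();

        private CertificateContainer() {
        }
    }

    /**
     * Cache policy that reads its limits from the two system properties above. A non-numeric
     * property value is logged and replaced by the built-in default instead of aborting
     * construction of the manager.
     */
    public static class DefaultCertManagerCachePolicy implements CertStoreCachePolicy {
        protected final int maxItems = parseIntProperty(XMPP_CERT_MANAGER_CACHE_MAX_ITEMS, DEFAULT_MAX_CAHCE_ITEMS);
        protected final int subjectTTL = parseIntProperty(XMPP_CERT_MANAGER_CACHE_TTL, DEFAULT_CACHE_TTL);

        /**
         * Parses the named property as an int, falling back to {@code defaultValue} when the
         * configured text is not a number.
         */
        private static int parseIntProperty(String key, String defaultValue) {
            String raw = JiveGlobals.getProperty(key, defaultValue);
            try {
                return Integer.parseInt(raw == null ? defaultValue : raw.trim());
            } catch (NumberFormatException e) {
                Log.warn("Ignoring non-numeric value '{}' for property {}; using default {}", raw, key, defaultValue);
                return Integer.parseInt(defaultValue);
            }
        }

        @Override
        public int getMaxItems() {
            return this.maxItems;
        }

        @Override
        public int getSubjectTTL() {
            return this.subjectTTL;
        }
    }

    /**
     * Instantiates the provider class unless it is already the active one. Any failure to
     * instantiate (missing no-arg constructor, constructor exception, wrong type) is logged and the
     * {@link DefaultCertificateProvider} is used instead, so a bad configuration value degrades
     * rather than disables certificate handling.
     *
     * @param cls provider class selected by {@link #CERTIFICATE_PROVIDER}
     */
    private static void initProvider(Class<?> cls) {
        if (provider != null && cls.equals(provider.getClass())) {
            return;
        }
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(),
            // which propagated checked constructor exceptions without wrapping them.
            provider = (CertificateProvider) cls.getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            Log.error("Error loading certificate provider: " + cls.getName(), e);
            provider = new DefaultCertificateProvider();
        }
    }

    /** @return the lazily created singleton instance */
    public static CertificateManager getInstance() {
        return CertificateContainer.instance;
    }

    private CertificateManager() {
        initProvider(CERTIFICATE_PROVIDER.getValue());
        createCaches();
    }

    /**
     * Creates both caches. A {@link CacheException} is only logged: the lookup methods tolerate a
     * missing cache by going straight to the provider, and the getters retry creation on next use.
     */
    private void createCaches() {
        try {
            this.domainCertCache = CertCacheFactory.getInstance().getCertCache(DOMAIN_CACHE_NAME, getDefaultCertCachePolicy());
            this.tpCertCache = CertCacheFactory.getInstance().getCertCache(TP_CACHE_NAME, getDefaultCertCachePolicy());
        } catch (CacheException e) {
            Log.warn("CertificateManager - Could not create certificate caches", e);
        }
    }

    /** @return the domain cache, retrying creation if it is missing; may still be null */
    private synchronized JCS getDomainCache() {
        if (this.domainCertCache == null) {
            createCaches();
        }
        return this.domainCertCache;
    }

    /** @return the thumbprint cache, retrying creation if it is missing; may still be null */
    private synchronized JCS getTPCache() {
        if (this.tpCertCache == null) {
            createCaches();
        }
        return this.tpCertCache;
    }

    /** Cache keys are normalised with {@link Locale#ROOT} so the same domain maps to one entry regardless of JVM locale. */
    private static String cacheKey(String value) {
        return value.toUpperCase(Locale.ROOT);
    }

    /** Reads a cached collection; JCS stores untyped values, hence the unchecked cast. */
    @SuppressWarnings("unchecked")
    private static Collection<Certificate> cachedCollection(JCS cache, String key) {
        return (Collection<Certificate>) cache.get(key);
    }

    /** Best-effort cache insert: a cache failure must never fail a lookup that already succeeded. */
    private static void cacheQuietly(JCS cache, String key, Collection<Certificate> value, String failureMessage) {
        try {
            cache.put(key, value);
        } catch (Exception e) {
            Log.warn(failureMessage, e);
        }
    }

    /**
     * @return every certificate known to the provider (uncached)
     * @throws CertificateException if the provider fails
     */
    public Collection<Certificate> getCertificates() throws CertificateException {
        return provider.getCertificates();
    }

    /**
     * Returns the certificates for a domain, consulting the domain cache first. Only non-empty
     * provider results are cached, so a lookup for an unknown domain always hits the provider.
     *
     * @param str domain name; matched case-insensitively in the cache, passed as-is to the provider
     * @return the provider's result, which may be empty or null depending on the provider
     * @throws CertificateException if the provider fails
     * @throws NullPointerException if {@code str} is null
     */
    public Collection<Certificate> getCertificatesByDomain(String str) throws CertificateException {
        Objects.requireNonNull(str, "domain");
        String key = cacheKey(str);
        JCS cache = getDomainCache();
        Collection<Certificate> certs = cache == null ? null : cachedCollection(cache, key);
        if (certs == null || certs.isEmpty()) {
            certs = provider.getCertificatesByDomain(str);
            // Guarding on the cache here avoids the NPE the old code silently logged when no cache existed.
            if (cache != null && certs != null && !certs.isEmpty()) {
                cacheQuietly(cache, key, certs, "Failed to insert certificates into domain cache.");
            }
        }
        return certs;
    }

    /**
     * Returns the certificate with the given thumbprint, consulting the thumbprint cache first.
     *
     * @param str certificate thumbprint; matched case-insensitively in the cache, passed as-is to the provider
     * @return the certificate, or null if the provider has none
     * @throws CertificateException if the provider fails
     * @throws NullPointerException if {@code str} is null
     */
    public Certificate getCertificateByThumbprint(String str) throws CertificateException {
        Objects.requireNonNull(str, "thumbprint");
        String key = cacheKey(str);
        JCS cache = getTPCache();
        Certificate cert = null;
        if (cache != null) {
            Collection<Certificate> hit = cachedCollection(cache, key);
            if (hit != null && !hit.isEmpty()) {
                cert = hit.iterator().next();
            }
        }
        if (cert == null) {
            cert = provider.getCertificateByThumbprint(str);
            if (cache != null && cert != null) {
                cacheQuietly(cache, key, Collections.singleton(cert), "Failed to insert certificate into thumbprint cache.");
            }
        }
        return cert;
    }

    /**
     * Stores a certificate via the provider. Note that neither cache is invalidated here.
     *
     * @throws CertificateException if the provider fails
     */
    public Certificate addCertificate(Certificate certificate) throws CertificateException {
        return provider.addCertificate(certificate);
    }

    /**
     * Deletes a certificate via the provider. Note that neither cache is invalidated here; a
     * deleted certificate may still be served from cache until its TTL expires.
     *
     * @throws CertificateException if the provider fails
     */
    public void deleteCertificate(String str) throws CertificateException {
        provider.deleteCertificate(str);
    }

    /**
     * Builds a {@link Certificate} from an upload. The method name's spelling is part of the
     * public API and is kept.
     *
     * <p>{@code str} is the passphrase: for PKCS#12 uploads it opens the bundle, for
     * {@link PrivateKeyType#PKCS8_PASSPHRASE} it decrypts the PKCS#8 key. It is never logged.
     * For {@link PrivateKeyType#NONE} the upload is treated as a bare certificate and
     * {@code inputStream2} is not read.
     *
     * @param privateKeyType how the private key is supplied
     * @param str passphrase protecting the key, if any
     * @param inputStream certificate (or PKCS#12 bundle) bytes
     * @param inputStream2 private key bytes; only read for the PKCS#8 key types
     * @return a certificate with cert data, domain (from SAN dNSName entries) and status GOOD
     * @throws CertificateException if any step fails; the innermost failure reason is preserved
     */
    public Certificate certFromUpdloadRequest(PrivateKeyType privateKeyType, String str, InputStream inputStream, InputStream inputStream2) throws CertificateException {
        try {
            byte[] certBytes = IOUtils.toByteArray(inputStream);
            byte[] keyBytes = null;
            if (privateKeyType == PrivateKeyType.PKCS_12_PASSPHRASE || privateKeyType == PrivateKeyType.PKCS_12_UNPROTECTED) {
                // The bundle already carries the key; reduce it to the cert/key pair.
                certBytes = CertUtils.pkcs12ToStrippedPkcs12(certBytes, str);
            } else if (privateKeyType != PrivateKeyType.NONE) {
                keyBytes = readPrivateKey(privateKeyType, str, inputStream2);
            }
            Certificate certificate = new Certificate();
            certificate.setCertData(toCertDataFormat(certBytes, keyBytes, privateKeyType));
            certificate.setDomain(getDomainFromCert(certificate.asX509Certificate()));
            certificate.setStatus(CertificateStatus.GOOD);
            return certificate;
        } catch (CertificateException e) {
            // Already carries a precise message; re-wrapping it only buried the real cause.
            throw e;
        } catch (Exception e) {
            throw new CertificateException("Could not extract cert data from input stream", e);
        }
    }

    /**
     * Reads the uploaded private key bytes and, for {@link PrivateKeyType#PKCS8_PASSPHRASE},
     * decrypts the {@link EncryptedPrivateKeyInfo} into plain PKCS#8 DER. Decryption re-encodes
     * through an "RSA" {@link KeyFactory}, so only RSA keys are supported on that path.
     *
     * @param privateKeyType key type; PKCS8_PASSPHRASE triggers decryption, anything else is returned as read
     * @param passphrase PBE passphrase (PKCS8_PASSPHRASE only); the derived key spec is cleared afterwards
     * @param keyStream source of the key bytes
     * @return PKCS#8 key bytes (decrypted if applicable), or the raw bytes for other key types
     * @throws CertificateException if the stream cannot be read or the key cannot be decrypted
     */
    private static byte[] readPrivateKey(PrivateKeyType privateKeyType, String passphrase, InputStream keyStream) throws CertificateException {
        byte[] keyBytes;
        try {
            keyBytes = IOUtils.toByteArray(keyStream);
        } catch (Exception e) {
            throw new CertificateException("Could not extract private key data from input stream", e);
        }
        if (privateKeyType != PrivateKeyType.PKCS8_PASSPHRASE) {
            return keyBytes;
        }
        PBEKeySpec pbeSpec = null;
        try {
            EncryptedPrivateKeyInfo encryptedKey = new EncryptedPrivateKeyInfo(keyBytes);
            String pbeAlgorithm = encryptedKey.getAlgName();
            pbeSpec = new PBEKeySpec(passphrase.toCharArray());
            Cipher cipher = Cipher.getInstance(pbeAlgorithm);
            cipher.init(Cipher.DECRYPT_MODE, SecretKeyFactory.getInstance(pbeAlgorithm).generateSecret(pbeSpec), encryptedKey.getAlgParameters());
            return KeyFactory.getInstance("RSA").generatePrivate(encryptedKey.getKeySpec(cipher)).getEncoded();
        } catch (Exception e) {
            throw new CertificateException("Could not normalize the private key.", e);
        } finally {
            if (pbeSpec != null) {
                pbeSpec.clearPassword();
            }
        }
    }

    /**
     * Converts certificate and key bytes into the provider's cert data format.
     *
     * <ul>
     *   <li>{@code NONE}: the certificate bytes are returned unchanged.</li>
     *   <li>PKCS#12 types: with a {@link WrappableKeyProtectionManager} the bundled key is wrapped
     *       with the manager's protection key and emitted next to the certificate; without one the
     *       (stripped) PKCS#12 bytes are returned as-is.</li>
     *   <li>{@code PKCS8_WRAPPED}: {@code keyBytes} are assumed to be already wrapped and are
     *       emitted next to the certificate untouched.</li>
     *   <li>other PKCS#8 types: the key is parsed as RSA via the "BC" provider and wrapped if a
     *       manager exists; otherwise it is packed into an in-memory PKCS#12 keystore with an
     *       empty password. In that last case the returned cert data contains the private key
     *       effectively unprotected, so its confidentiality rests entirely on the certificate
     *       store the provider writes to.</li>
     * </ul>
     *
     * @param certBytes certificate (or stripped PKCS#12) bytes
     * @param keyBytes PKCS#8 key bytes; null for the NONE and PKCS#12 types
     * @param privateKeyType how the key was supplied
     * @return bytes in cert data format
     * @throws CertificateException wrapping any failure
     */
    private byte[] toCertDataFormat(byte[] certBytes, byte[] keyBytes, PrivateKeyType privateKeyType) throws CertificateException {
        try {
            if (privateKeyType == PrivateKeyType.NONE) {
                return certBytes;
            }
            CertStoreUtils.CertContainer container = CertStoreUtils.toCertContainer(certBytes);
            // instanceof is false for null, so a missing protection manager needs no separate check.
            Object protectionManager = XMPPServer.getInstance().getKeyStoreProtectionManager();
            WrappableKeyProtectionManager wrapper = protectionManager instanceof WrappableKeyProtectionManager
                    ? (WrappableKeyProtectionManager) protectionManager
                    : null;
            if (privateKeyType == PrivateKeyType.PKCS_12_PASSPHRASE || privateKeyType == PrivateKeyType.PKCS_12_UNPROTECTED) {
                if (wrapper == null) {
                    return certBytes;
                }
                return CertStoreUtils.certAndWrappedKeyToRawByteFormat(
                        wrapper.wrapWithSecretKey((SecretKey) ((KeyStoreProtectionManager) wrapper).getPrivateKeyProtectionKey(), container.getKey()),
                        container.getCert());
            }
            if (privateKeyType == PrivateKeyType.PKCS8_WRAPPED) {
                return CertStoreUtils.certAndWrappedKeyToRawByteFormat(keyBytes, container.getCert());
            }
            PrivateKey privateKey = KeyFactory.getInstance("RSA", "BC").generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
            if (wrapper != null) {
                return CertStoreUtils.certAndWrappedKeyToRawByteFormat(
                        wrapper.wrapWithSecretKey((SecretKey) ((KeyStoreProtectionManager) wrapper).getPrivateKeyProtectionKey(), privateKey),
                        container.getCert());
            }
            KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            keyStore.load(null, null);
            keyStore.setKeyEntry("privCert", privateKey, "".toCharArray(), new java.security.cert.Certificate[]{container.getCert()});
            try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                keyStore.store(out, "".toCharArray());
                return out.toByteArray();
            }
        } catch (Exception e) {
            throw new CertificateException("Failed to conver certificate and key to cert data format: " + e.getMessage(), e);
        }
    }

    /**
     * Extracts the domain(s) a certificate is issued for: every subjectAltName dNSName entry,
     * lower-cased with {@link Locale#ROOT}, joined with commas. The subject CN is not consulted,
     * so a certificate without dNSName SANs yields an empty string.
     *
     * @param x509Certificate certificate to inspect
     * @return comma-separated lower-case DNS names, possibly empty
     * @throws CertificateException if the SAN extension cannot be parsed (cause preserved)
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    protected String getDomainFromCert(X509Certificate x509Certificate) throws CertificateException {
        Objects.requireNonNull(x509Certificate, "x509Certificate");
        List<String> dnsNames = new ArrayList<>();
        try {
            Collection<List<?>> altNames = x509Certificate.getSubjectAlternativeNames();
            if (altNames != null) {
                for (List<?> altName : altNames) {
                    // Each entry is [tag, value]; dNSName values are Strings.
                    if (altName.size() >= 2 && ((Integer) altName.get(0)).intValue() == DNSName_TYPE) {
                        dnsNames.add(((String) altName.get(1)).toLowerCase(Locale.ROOT));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new CertificateException("Could not get certificate subject alt names.", e);
        }
        return String.join(",", dnsNames);
    }

    private CertStoreCachePolicy getDefaultCertCachePolicy() {
        return new DefaultCertManagerCachePolicy();
    }
}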
