package org.jivesoftware.openfire.keystore;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManagerFactory;
import org.bouncycastle.operator.OperatorCreationException;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.XMPPServerInfo;
import org.jivesoftware.openfire.domain.DomainManager;
import org.jivesoftware.openfire.net.DNSUtil;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/keystore/IdentityStore.class */
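/**
 * The identity store of a TLS configuration: a {@link java.security.KeyStore} that holds the private keys and the
 * certificate chains with which this Openfire instance authenticates itself to peers.
 *
 * <p>Every mutating operation works on the in-memory store inherited from {@link CertificateStore} ({@code store})
 * and then calls the inherited {@code persist()}. When an operation fails half-way, the inherited {@code reload()}
 * is invoked so that the partially modified in-memory state is discarded. Neither method is visible in this file.</p>
 *
 * <p>Security notes (review):</p>
 * <ul>
 *   <li>A single secret, {@code configuration.getPassword()}, is used as both the store password and the password of
 *       every key entry. A key entry protected with a different password cannot be recovered and makes the
 *       constructor fail (see the error message there).</li>
 *   <li>Installed chains are checked for <em>domain coverage</em> only: the end-entity certificate must carry an
 *       identity that matches one of this server's domains, and (for CSR replies) its public key must match the
 *       stored private key. Nothing in this class verifies chain signatures or validity periods; confirm whether
 *       {@code CertificateUtils.order} does before relying on that.</li>
 *   <li>Self-signed certificates default to RSA/2048. The deprecated DSA path defaults to a 1024-bit key, which is
 *       weak by current standards and is only kept so that existing {@code cert.dsa.*} configurations keep working.</li>
 * </ul>
 */
public class IdentityStore extends CertificateStore {
    private static final Logger Log = LoggerFactory.getLogger(IdentityStore.class);

    /**
     * Opens an identity store and verifies that a {@link KeyManagerFactory} can be initialized from it.
     *
     * <p>The factory itself is thrown away: initializing it is the cheapest way to prove that every key entry can be
     * recovered with the store password. The "NewSunX509" algorithm is tried first; when the JVM does not provide it
     * the platform default is used instead.</p>
     *
     * @param certificateStoreConfiguration location, type and password of the backing key store.
     * @param createIfAbsent passed through to {@link CertificateStore}; its exact meaning is defined there.
     * @throws CertificateStoreConfigException when the store cannot be loaded or a key entry cannot be recovered
     *         (typically because its password differs from the store password).
     */
    public IdentityStore(CertificateStoreConfiguration certificateStoreConfiguration, boolean createIfAbsent) throws CertificateStoreConfigException {
        super(certificateStoreConfiguration, createIfAbsent);
        try {
            KeyManagerFactory keyManagerFactory;
            try {
                keyManagerFactory = KeyManagerFactory.getInstance("NewSunX509");
            } catch (NoSuchAlgorithmException e) {
                Log.info("Unable to load the 'NewSunX509' KeyManager implementation. Will fall back to the default.");
                keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            }
            // Probe only: a key whose password differs from the store password fails here with UnrecoverableKeyException.
            keyManagerFactory.init(getStore(), certificateStoreConfiguration.getPassword());
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new CertificateStoreConfigException("Unable to initialize identity store (a common cause: the password for a key is different from the password of the entire store).", e);
        }
    }

    /**
     * Generates a PEM-encoded certificate signing request for the key pair stored under {@code alias}.
     *
     * <p>The subject information is taken from the certificate currently stored under the alias, which is why the
     * alias must hold both an X.509 certificate and a private key.</p>
     *
     * @param alias the alias of the key entry to create a CSR for (leading/trailing whitespace is ignored).
     * @return the CSR, PEM encoded, as produced by {@link CertificateManager#createSigningRequest}.
     * @throws IllegalArgumentException when {@code alias} is null or blank.
     * @throws CertificateStoreConfigException when the alias is unknown, does not hold an X.509 certificate and a
     *         private key, or the CSR cannot be created.
     */
    public String generateCSR(String alias) throws CertificateStoreConfigException {
        if (alias == null || alias.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'alias' cannot be null or an empty String.");
        }
        final String trimmedAlias = alias.trim();
        try {
            if (!store.containsAlias(trimmedAlias)) {
                throw new CertificateStoreConfigException("Cannot generate CSR for alias '" + trimmedAlias + "': the alias does not exist in the store.");
            }
            // 'instanceof' is false for null, so a missing certificate/key is rejected by the same test.
            final Certificate certificate = store.getCertificate(trimmedAlias);
            if (!(certificate instanceof X509Certificate)) {
                throw new CertificateStoreConfigException("Cannot generate CSR for alias '" + trimmedAlias + "': there is no corresponding certificate in the store, or it is not an X509 certificate.");
            }
            final Key key = store.getKey(trimmedAlias, configuration.getPassword());
            if (!(key instanceof PrivateKey)) {
                throw new CertificateStoreConfigException("Cannot generate CSR for alias '" + trimmedAlias + "': there is no corresponding key in the store, or it is not a private key.");
            }
            return CertificateManager.createSigningRequest((X509Certificate) certificate, (PrivateKey) key);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | OperatorCreationException | CertificateParsingException e) {
            throw new CertificateStoreConfigException("Cannot generate CSR for alias '" + trimmedAlias + "'", e);
        }
    }

    /**
     * Installs the certificate chain returned by a CA in response to a CSR, replacing the chain currently stored
     * under {@code alias} while keeping that alias' private key.
     *
     * <p>Checks performed, in order: the input parses to at least one certificate; the end-entity certificate covers
     * one of this server's domains; the end-entity certificate's public key equals the public key already stored
     * under the alias (so a reply for a different key pair cannot be installed). Chain signatures and validity
     * periods are not verified here.</p>
     *
     * <p>Unlike the other mutators, the original implementation did not {@code persist()} the new chain, leaving it
     * in memory only (the next {@code reload()} would have discarded it); it is persisted now.</p>
     *
     * @param alias alias of the key entry whose chain is replaced (whitespace-trimmed).
     * @param pemCertificates one or more PEM-encoded certificates, in any order.
     * @throws IllegalArgumentException when either argument is null or blank.
     * @throws CertificateStoreConfigException when the input is unusable, does not cover this domain, does not match
     *         the stored key, or the store cannot be updated. The in-memory store is reloaded in that case.
     */
    public void installCSRReply(String alias, String pemCertificates) throws CertificateStoreConfigException {
        if (alias == null || alias.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'alias' cannot be null or an empty String.");
        }
        if (pemCertificates == null || pemCertificates.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'pemCertificates' cannot be null or an empty String.");
        }
        final String trimmedAlias = alias.trim();
        try {
            final List<X509Certificate> chain = parseChainForThisDomain(pemCertificates.trim());
            if (!corresponds(trimmedAlias, chain)) {
                // Thrown inside the try on purpose: the RuntimeException catch below turns it into a
                // CertificateStoreConfigException after reloading, exactly like any other failure.
                throw new IllegalArgumentException("The provided CSR reply does not match an existing certificate in the store under the provided alias '" + trimmedAlias + "'.");
            }
            final Key privateKey = store.getKey(trimmedAlias, configuration.getPassword());
            store.setKeyEntry(trimmedAlias, privateKey, configuration.getPassword(), toChainArray(chain));
            persist();
        } catch (IOException | RuntimeException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            reload();
            throw new CertificateStoreConfigException("Unable to install a singing reply into an identity store.", e);
        }
    }

    /**
     * Tells whether the key entry stored under {@code alias} belongs to the end-entity certificate of {@code chain}.
     *
     * <p>True only when the alias exists, holds a private key and an X.509 certificate, and that certificate's
     * public key equals the public key of {@code chain.get(0)}. Comparing public keys is what prevents a CSR reply
     * issued for another key pair from being attached to this alias' private key.</p>
     *
     * @param alias alias to check.
     * @param chain ordered chain whose first element is the end-entity certificate.
     * @return whether the stored key pair and the chain correspond.
     */
    protected boolean corresponds(String alias, List<X509Certificate> chain) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
        if (!store.containsAlias(alias)) {
            return false;
        }
        final Key key = store.getKey(alias, configuration.getPassword());
        if (!(key instanceof PrivateKey)) {
            return false;
        }
        final Certificate stored = store.getCertificate(alias);
        if (!(stored instanceof X509Certificate)) {
            return false;
        }
        return ((X509Certificate) stored).getPublicKey().equals(chain.get(0).getPublicKey());
    }

    /**
     * Replaces <em>every</em> key entry that covers this server's XMPP domain with one new private key and chain.
     *
     * <p>Destructive by design: all entries whose certificate covers the domain are deleted first (see
     * {@link #removeAllDomainEntries()}), then the new entry is added under a freshly generated alias and the store
     * is persisted. Deletion and insertion happen in memory only; if anything fails before {@code persist()}, the
     * catch block's {@code reload()} discards the half-applied state.</p>
     *
     * @param pemCertificates PEM-encoded certificate chain, in any order.
     * @param pemPrivateKey PEM-encoded private key matching the end-entity certificate (not trimmed, as before).
     * @param passPhrase pass phrase of the private key, or null when it is not encrypted (interpreted by
     *        {@link CertificateManager#parsePrivateKey}).
     * @return the alias under which the new entry was stored.
     * @throws IllegalArgumentException when the certificates or the key are null or blank.
     * @throws CertificateStoreConfigException when the input is unusable, does not cover this domain, or the store
     *         cannot be updated.
     */
    public String replaceCertificate(String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException {
        if (pemCertificates == null || pemCertificates.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'pemCertificates' cannot be null or an empty String.");
        }
        if (pemPrivateKey == null || pemPrivateKey.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'pemPrivateKey' cannot be null or an empty String.");
        }
        try {
            final List<X509Certificate> chain = parseChainForThisDomain(pemCertificates.trim());
            final PrivateKey privateKey = CertificateManager.parsePrivateKey(pemPrivateKey, passPhrase);
            removeAllDomainEntries();
            final String alias = generateUniqueAlias();
            store.setKeyEntry(alias, privateKey, configuration.getPassword(), toChainArray(chain));
            persist();
            Log.info("Replaced all private keys and corresponding certificate chains with a new private key and certificate chain.");
            return alias;
        } catch (IOException | KeyStoreException | CertificateException e) {
            reload();
            throw new CertificateStoreConfigException("Unable to install a certificate into an identity store.", e);
        }
    }

    /**
     * Installs a new private key and certificate chain under a generated alias.
     *
     * @param pemCertificates PEM-encoded certificate chain, in any order.
     * @param pemPrivateKey PEM-encoded private key matching the end-entity certificate.
     * @param passPhrase pass phrase of the private key, or null when it is not encrypted.
     * @return the alias that was generated for the new entry.
     * @throws CertificateStoreConfigException see {@link #installCertificate(String, String, String, String)}.
     */
    public String installCertificate(String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException {
        final String alias = generateUniqueAlias();
        installCertificate(alias, pemCertificates, pemPrivateKey, passPhrase);
        return alias;
    }

    /**
     * Installs a new private key and certificate chain under {@code alias}. Existing entries are left untouched;
     * the alias must not already be in use.
     *
     * @param alias alias for the new entry (whitespace-trimmed).
     * @param pemCertificates PEM-encoded certificate chain, in any order.
     * @param pemPrivateKey PEM-encoded private key matching the end-entity certificate (passed on untrimmed).
     * @param passPhrase pass phrase of the private key, or null when it is not encrypted.
     * @throws IllegalArgumentException when alias, certificates or key are null or blank.
     * @throws CertificateStoreConfigException when the alias exists, the input is unusable, the chain does not cover
     *         this domain, or the store cannot be updated. The in-memory store is reloaded in the last case.
     */
    public void installCertificate(String alias, String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException {
        if (alias == null || alias.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'alias' cannot be null or an empty String.");
        }
        if (pemCertificates == null || pemCertificates.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'pemCertificates' cannot be null or an empty String.");
        }
        if (pemPrivateKey == null || pemPrivateKey.trim().isEmpty()) {
            throw new IllegalArgumentException("Argument 'pemPrivateKey' cannot be null or an empty String.");
        }
        final String trimmedAlias = alias.trim();
        try {
            if (store.containsAlias(trimmedAlias)) {
                throw new CertificateStoreConfigException("Certificate already exists for alias: " + trimmedAlias);
            }
            final List<X509Certificate> chain = parseChainForThisDomain(pemCertificates.trim());
            store.setKeyEntry(trimmedAlias, CertificateManager.parsePrivateKey(pemPrivateKey, passPhrase), configuration.getPassword(), toChainArray(chain));
            persist();
            Log.info("Installed a new private key and corresponding certificate chain.");
        } catch (IOException | KeyStoreException | CertificateException e) {
            reload();
            throw new CertificateStoreConfigException("Unable to install a certificate into an identity store.", e);
        }
    }

    /**
     * Parses PEM-encoded certificates, orders them into a chain and verifies that the chain's first element (the
     * end-entity certificate, which is also what callers compare against the stored private key) covers one of this
     * server's domains. Shared by all install/replace operations so that they apply identical checks.
     *
     * @param pemCertificates trimmed PEM input.
     * @return the ordered chain, end-entity first.
     * @throws CertificateStoreConfigException when no certificate is found or the chain does not cover this domain.
     */
    private static List<X509Certificate> parseChainForThisDomain(String pemCertificates) throws IOException, CertificateException, CertificateStoreConfigException {
        final Collection<X509Certificate> parsed = CertificateManager.parseCertificates(pemCertificates);
        if (parsed.isEmpty()) {
            throw new CertificateStoreConfigException("No certificate was found in the input.");
        }
        final List<X509Certificate> ordered = CertificateUtils.order(parsed);
        if (!isForThisDomain(ordered.get(0))) {
            throw new CertificateStoreConfigException("The supplied certificate chain does not cover the domain of this XMPP service.");
        }
        return ordered;
    }

    /** Converts an ordered chain to the array form that {@code KeyStore.setKeyEntry} expects. */
    private static Certificate[] toChainArray(List<X509Certificate> chain) {
        return chain.toArray(new X509Certificate[chain.size()]);
    }

    /**
     * Makes sure the store holds a certificate covering this server's XMPP domain, generating a self-signed one
     * (using the configured default algorithm) when none is present.
     *
     * @throws CertificateStoreConfigException when the store cannot be inspected or the certificate cannot be created.
     */
    public synchronized void ensureDomainCertificate() throws CertificateStoreConfigException {
        Log.debug("Verifying that a domain certificate is available in this store.");
        if (containsDomainCertificate()) {
            return;
        }
        Log.debug("Store does not contain a domain certificate. A self-signed certificate will be generated.");
        addSelfSignedDomainCertificate();
    }

    /**
     * Per-algorithm variant of {@link #ensureDomainCertificate()}: for each algorithm name, generates a self-signed
     * certificate when no domain certificate with a key of that algorithm exists.
     *
     * @param algorithms key algorithm names, e.g. "RSA" or "DSA".
     * @deprecated only RSA should be used for new certificates; use {@link #ensureDomainCertificate()}.
     */
    @Deprecated
    public synchronized void ensureDomainCertificates(String... algorithms) throws CertificateStoreConfigException {
        for (String algorithm : algorithms) {
            Log.debug("Verifying that a domain certificate ({} algorithm) is available in this store.", algorithm);
            if (!containsDomainCertificate(algorithm)) {
                Log.debug("Store does not contain a domain certificate ({} algorithm). A self-signed certificate will be generated.", algorithm);
                addSelfSignedDomainCertificate(algorithm);
            }
        }
    }

    /**
     * Tells whether any X.509 certificate in the store carries a server identity that covers this server's XMPP
     * domain, regardless of key algorithm.
     */
    public synchronized boolean containsDomainCertificate() throws CertificateStoreConfigException {
        return containsDomainCertificate(null);
    }

    /**
     * Tells whether any X.509 certificate in the store whose public key uses {@code algorithm} (case-insensitive;
     * null means any algorithm) carries a server identity covering this server's XMPP domain.
     *
     * @param algorithm key algorithm to filter on, or null for no filter. Must not be empty.
     * @throws IllegalArgumentException when {@code algorithm} is the empty string.
     * @throws CertificateStoreConfigException when the store cannot be read.
     * @deprecated use {@link #containsDomainCertificate()}.
     */
    @Deprecated
    public synchronized boolean containsDomainCertificate(String algorithm) throws CertificateStoreConfigException {
        if (algorithm != null && algorithm.isEmpty()) {
            throw new IllegalArgumentException("Argument 'algorithm' cannot be empty (but is allowed to be null).");
        }
        final String xmppDomain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
        try {
            for (String alias : Collections.list(store.aliases())) {
                final Certificate certificate = store.getCertificate(alias);
                if (!matchesAlgorithm(certificate, algorithm)) {
                    continue;
                }
                if (coversName(CertificateManager.getServerIdentities((X509Certificate) certificate), xmppDomain)) {
                    return true;
                }
            }
            return false;
        } catch (KeyStoreException e) {
            // Same phrasing as containsAllIdentityCertificate, so a null algorithm does not print as "null".
            throw new CertificateStoreConfigException("An exception occurred while searching for " + (algorithm == null ? "" : algorithm + " ") + "certificates that match the Openfire domain.", e);
        }
    }

    /**
     * Tells whether a single certificate in the store covers <em>every</em> DNS name this server should present
     * (as determined by {@link CertificateManager#determineSubjectAlternateNameDnsNameValues()}).
     */
    public synchronized boolean containsAllIdentityCertificate() throws CertificateStoreConfigException {
        return containsAllIdentityCertificate(null);
    }

    /**
     * Like {@link #containsAllIdentityCertificate()}, restricted to certificates whose public key uses
     * {@code algorithm} (null means any). Every DNS name a candidate certificate lacks is logged at INFO level.
     *
     * @param algorithm key algorithm to filter on, or null for no filter. Must not be empty.
     * @throws IllegalArgumentException when {@code algorithm} is the empty string.
     * @throws CertificateStoreConfigException when the store cannot be read.
     * @deprecated use {@link #containsAllIdentityCertificate()}.
     */
    @Deprecated
    public synchronized boolean containsAllIdentityCertificate(String algorithm) throws CertificateStoreConfigException {
        if (algorithm != null && algorithm.isEmpty()) {
            throw new IllegalArgumentException("Argument 'algorithm' cannot be empty (but is allowed to be null).");
        }
        final Set<String> requiredNames = CertificateManager.determineSubjectAlternateNameDnsNameValues();
        try {
            for (String alias : Collections.list(store.aliases())) {
                final Certificate certificate = store.getCertificate(alias);
                if (!matchesAlgorithm(certificate, algorithm)) {
                    continue;
                }
                final List<String> identities = CertificateManager.getServerIdentities((X509Certificate) certificate);
                boolean complete = true;
                for (String required : requiredNames) {
                    if (!coversName(identities, required)) {
                        Log.info("Certificate with alias '{}' is missing DNS identity '{}'.", alias, required);
                        complete = false;
                    }
                }
                if (complete) {
                    return true;
                }
            }
            return false;
        } catch (KeyStoreException e) {
            throw new CertificateStoreConfigException("An exception occurred while searching for " + (algorithm == null ? "" : algorithm + " ") + "certificates that match the Openfire domain.", e);
        }
    }

    /**
     * Generates a self-signed certificate for this server's domain using the algorithm from the
     * {@code cert.algorithm} property (default "RSA").
     */
    public synchronized void addSelfSignedDomainCertificate() throws CertificateStoreConfigException {
        addSelfSignedDomainCertificate(null);
    }

    /**
     * Generates a new key pair and a self-signed certificate for this server's XMPP domain and stores them under the
     * alias {@code <domain>_<algorithm>} (both lower-cased), then persists the store.
     *
     * <p>Tunables read from {@link JiveGlobals}: {@code cert.algorithm} (when {@code algorithm} is null),
     * {@code cert.rsa.keysize}/{@code cert.rsa.algorithm}, {@code cert.dsa.keysize}/{@code cert.dsa.algorithm},
     * {@code cert.validity-days} (default 1825) and {@code cert.wildcard} (default true). With the wildcard enabled
     * the SAN list contains the bare domain, {@code *.<domain>}, and every configured name the wildcard does not
     * already cover - so the generated certificate is valid for all direct subdomains as well.</p>
     *
     * <p>Security: the DSA defaults (1024-bit key) are below current recommendations and exist only so that existing
     * configurations keep working; prefer RSA, which is the default.</p>
     *
     * @param algorithm "RSA" or "DSA" (case-insensitive), or null to use the configured default. Must not be empty.
     * @throws IllegalArgumentException when {@code algorithm} is empty or not RSA/DSA.
     * @throws CertificateStoreConfigException when key or certificate generation, or persisting, fails; the store is
     *         reloaded in that case.
     * @deprecated use {@link #addSelfSignedDomainCertificate()}.
     */
    @Deprecated
    public synchronized void addSelfSignedDomainCertificate(String algorithm) throws CertificateStoreConfigException {
        if (algorithm != null && algorithm.isEmpty()) {
            throw new IllegalArgumentException("Argument 'algorithm' cannot be empty (but is allowed to be null).");
        }
        if (algorithm == null) {
            algorithm = JiveGlobals.getProperty("cert.algorithm", "RSA");
        }
        final int keySize;
        final String signAlgorithm;
        switch (algorithm.toUpperCase()) {
            case "RSA":
                keySize = JiveGlobals.getIntProperty("cert.rsa.keysize", 2048);
                signAlgorithm = JiveGlobals.getProperty("cert.rsa.algorithm", "SHA256WITHRSAENCRYPTION");
                break;
            case "DSA":
                // 1024-bit DSA is weak; kept as the historical default for compatibility only.
                keySize = JiveGlobals.getIntProperty("cert.dsa.keysize", 1024);
                signAlgorithm = JiveGlobals.getProperty("cert.dsa.algorithm", "SHA256withDSA");
                break;
            default:
                throw new IllegalArgumentException("Unsupported algorithm '" + algorithm + "'. Use 'RSA' or 'DSA'.");
        }
        final String domain = XMPPServerInfo.XMPP_DOMAIN.getValue().toLowerCase();
        final String alias = domain + "_" + algorithm.toLowerCase();
        final int validityDays = JiveGlobals.getIntProperty("cert.validity-days", 1825);
        Set<String> sanDnsNames = CertificateManager.determineSubjectAlternateNameDnsNameValues();
        if (JiveGlobals.getBooleanProperty("cert.wildcard", true)) {
            final String xmppDomain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
            final String wildcard = "*." + xmppDomain;
            // Drop the names the wildcard already covers, then add the bare domain and the wildcard itself.
            final Set<String> reduced = sanDnsNames.stream()
                .filter(name -> !DNSUtil.isNameCoveredByPattern(name, wildcard))
                .collect(Collectors.toSet());
            reduced.add(xmppDomain);
            reduced.add(wildcard);
            sanDnsNames = reduced;
        }
        Log.info("Generating a new private key and corresponding self-signed certificate for domain name '{}', using the {} algorithm (sign-algorithm: {} with a key size of {} bits). Certificate will be valid for {} days.", domain, algorithm, signAlgorithm, keySize, validityDays);
        try {
            final KeyPair keyPair = generateKeyPair(algorithm.toUpperCase(), keySize);
            final X509Certificate certificate = CertificateManager.createX509V3Certificate(keyPair, validityDays, domain, domain, domain, signAlgorithm, sanDnsNames);
            store.setKeyEntry(alias, keyPair.getPrivate(), configuration.getPassword(), new X509Certificate[]{certificate});
            persist();
        } catch (IOException | GeneralSecurityException | CertificateStoreConfigException e) {
            reload();
            throw new CertificateStoreConfigException("Unable to generate new self-signed " + algorithm + " certificate.", e);
        }
    }

    /**
     * Generates a key pair of the given algorithm and size, using the inherited {@code PROVIDER} when one is
     * configured and the JVM default provider otherwise. A fresh {@link SecureRandom} seeds the generator.
     *
     * @param algorithm key algorithm name, e.g. "RSA".
     * @param keySize key size in bits.
     */
    protected static synchronized KeyPair generateKeyPair(String algorithm, int keySize) throws GeneralSecurityException {
        final KeyPairGenerator generator = (PROVIDER == null)
            ? KeyPairGenerator.getInstance(algorithm)
            : KeyPairGenerator.getInstance(algorithm, PROVIDER);
        generator.initialize(keySize, new SecureRandom());
        return generator.generateKeyPair();
    }

    /**
     * Tells whether one of the server identities in {@code certificate} covers one of the domain names served by
     * this instance (as reported by {@link DomainManager#getDomainNames(boolean)}). Wildcard matching is delegated
     * to {@link DNSUtil#isNameCoveredByPattern}.
     *
     * <p>The identities are extracted once rather than once per domain name, and a negative result logs which
     * identities the certificate does carry (the original message was truncated after "Instead, it covers ").</p>
     *
     * @param certificate the end-entity certificate to check.
     * @return whether the certificate covers at least one of this server's domains.
     */
    public static boolean isForThisDomain(X509Certificate certificate) {
        final List<String> identities = CertificateManager.getServerIdentities(certificate);
        for (String domainName : DomainManager.getInstance().getDomainNames(false)) {
            if (coversName(identities, domainName)) {
                return true;
            }
        }
        Log.info("The supplied certificate chain does not cover the domain of this XMPP service. Instead, it covers {}", identities);
        return false;
    }

    /**
     * Produces an alias of the form {@code <xmppDomain>_<n>}, with the smallest n >= 1 not yet present in the store.
     *
     * @throws CertificateStoreConfigException when the store cannot be queried.
     */
    protected synchronized String generateUniqueAlias() throws CertificateStoreConfigException {
        final String xmppDomain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
        try {
            int counter = 1;
            String candidate = xmppDomain + "_" + counter;
            // containsAlias throws KeyStoreException, so the whole loop (condition included) sits inside the try.
            while (store.containsAlias(candidate)) {
                counter++;
                candidate = xmppDomain + "_" + counter;
            }
            return candidate;
        } catch (KeyStoreException e) {
            throw new CertificateStoreConfigException("Unable to generate a unique alias for this identity store.", e);
        }
    }

    /**
     * Deletes every entry whose X.509 certificate carries a server identity covering this server's XMPP domain.
     * Operates on the in-memory store only; callers are expected to {@code persist()} afterwards.
     */
    protected synchronized void removeAllDomainEntries() throws KeyStoreException {
        final String xmppDomain = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
        final Set<String> toRemove = new HashSet<>();
        for (String alias : Collections.list(store.aliases())) {
            final Certificate certificate = store.getCertificate(alias);
            if (certificate instanceof X509Certificate
                && coversName(CertificateManager.getServerIdentities((X509Certificate) certificate), xmppDomain)) {
                toRemove.add(alias);
            }
        }
        // Collected first, deleted second: deleting while iterating the alias enumeration would be unsafe.
        for (String alias : toRemove) {
            store.deleteEntry(alias);
        }
    }

    /**
     * Tells whether {@code name} is covered by at least one of the given server identities (which may be wildcard
     * patterns; the matching rules are those of {@link DNSUtil#isNameCoveredByPattern}).
     */
    private static boolean coversName(List<String> identities, String name) {
        for (String identity : identities) {
            if (DNSUtil.isNameCoveredByPattern(name, identity)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether {@code certificate} is an X.509 certificate whose public-key algorithm equals {@code algorithm}
     * (case-insensitive). A null {@code algorithm} accepts any X.509 certificate; a null certificate never matches.
     */
    private static boolean matchesAlgorithm(Certificate certificate, String algorithm) {
        if (!(certificate instanceof X509Certificate)) {
            return false;
        }
        return algorithm == null || certificate.getPublicKey().getAlgorithm().equalsIgnoreCase(algorithm);
    }
}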
