package nl.nn.adapterframework.pipes;

import com.mchange.v2.c3p0.subst.C3P0Substitutions;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import nl.nn.adapterframework.configuration.ConfigurationException;
import nl.nn.adapterframework.core.IPipeLineSession;
import nl.nn.adapterframework.core.ParameterException;
import nl.nn.adapterframework.core.PipeForward;
import nl.nn.adapterframework.core.PipeRunException;
import nl.nn.adapterframework.core.PipeRunResult;
import nl.nn.adapterframework.core.PipeStartException;
import nl.nn.adapterframework.doc.IbisDoc;
import nl.nn.adapterframework.stream.Message;
import nl.nn.adapterframework.util.ClassUtils;
import nl.nn.adapterframework.util.PkiUtil;
import org.antlr.runtime.debug.Profiler;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:adapterframework.war:WEB-INF/lib/ibis-adapterframework-core-7.6.5.jar:nl/nn/adapterframework/pipes/SignaturePipe.class */
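/**
 * Pipe that signs its input message or verifies a signature over it, using
 * {@link java.security.Signature} with a key taken from a keystore or PEM resource.
 *
 * <p>Action {@code sign} loads a private key in {@link #start()} and returns the signature
 * (base64 text by default, raw bytes otherwise). Action {@code verify} loads a public key
 * from a certificate, reads the expected signature from the parameter {@code signature} and
 * follows the regular forward on a match or the {@code failure} forward on a mismatch.
 *
 * <p>NOTE(review): the algorithm and provider names are passed to the JCA unchanged; there is
 * no allow-list here, so a configuration naming a weak algorithm is accepted as-is.
 *
 * <p>NOTE(review): {@code keystoreAuthAlias} is stored by its setter but never read in this
 * class, so only {@code keystorePassword} is actually used to open the keystore — confirm
 * whether credential resolution is expected to happen elsewhere.
 */
public class SignaturePipe extends FixedForwardPipe {
    private String algorithm;
    private String provider;
    private String keystore;
    private String keystoreAlias;
    private String keystoreAuthAlias;
    private String keystorePassword;
    private PrivateKey privateKey;
    private PublicKey publicKey;
    private PipeForward failureForward;
    public final String ACTION_SIGN = "sign";
    public final String ACTION_VERIFY = "verify";
    public final String PARAMETER_SIGNATURE = "signature";
    public final String ALGORITHM_DEFAULT = "SHA256withRSA";
    public final String[] ACTIONS = {"sign", "verify"};
    // Copy of ACTIONS taken at construction time; later writes to the public array do not affect validation.
    private Set<String> actions = new LinkedHashSet<>(Arrays.asList(this.ACTIONS));
    private String action = "sign";
    private boolean signatureBase64 = true;
    private String keystoreType = "pkcs12";
    private String keyManagerAlgorithm = null;
    private URL keystoreUrl = null;

    /**
     * Validates the configuration: the action must be supported, a keystore resource must be
     * given and resolvable, and for {@code verify} both the {@code signature} parameter and the
     * {@code failure} forward must exist. Falls back to the default algorithm when none is set.
     *
     * @throws ConfigurationException when any of these checks fails
     */
    @Override
    public void configure() throws ConfigurationException {
        super.configure();
        if (!this.actions.contains(getAction())) {
            throw new ConfigurationException("unknown or invalid action [" + this.action + "] supported actions are " + this.actions.toString());
        }
        if (StringUtils.isEmpty(getAlgorithm())) {
            setAlgorithm(ALGORITHM_DEFAULT);
        }
        if (StringUtils.isEmpty(getKeystore())) {
            throw new ConfigurationException("keystore must be specified");
        }
        this.keystoreUrl = ClassUtils.getResourceURL(this, getKeystore());
        if (this.keystoreUrl == null) {
            throw new ConfigurationException("cannot find URL for keystore resource [" + getKeystore() + "]");
        }
        this.log.debug("resolved keystore-URL to [" + this.keystoreUrl.toString() + "]");
        if (ACTION_VERIFY.equals(getAction())) {
            if (getParameterList().findParameter(PARAMETER_SIGNATURE) == null) {
                throw new ConfigurationException("Parameter [signature] must be specified for action [" + this.action + "]");
            }
            // Without a failure forward a rejected signature would have nowhere to go.
            this.failureForward = findForward("failure");
            if (this.failureForward == null) {
                throw new ConfigurationException("Forward [failure] must be specified for action [" + this.action + "]");
            }
        }
    }

    /**
     * Loads the key material for the configured action: the private key for {@code sign},
     * otherwise the public key used for verification.
     *
     * @throws PipeStartException when the key cannot be loaded or is not present
     */
    @Override
    public void start() throws PipeStartException {
        super.start();
        if (ACTION_SIGN.equals(getAction())) {
            loadSigningKey();
        } else {
            loadVerificationKey();
        }
    }

    /** Reads the private key from the PEM resource, or from the keystore entry named by keystoreAlias. */
    private void loadSigningKey() throws PipeStartException {
        try {
            if ("pem".equals(getKeystoreType())) {
                this.privateKey = PkiUtil.getPrivateKeyFromPem(this.keystoreUrl);
            } else {
                // The keystore password is also passed as the key password.
                KeyManager[] keyManagers = PkiUtil.createKeyManagers(PkiUtil.createKeyStore(this.keystoreUrl, this.keystorePassword, this.keystoreType, "Keys for action [" + getAction() + "]"), this.keystorePassword, this.keyManagerAlgorithm);
                if (keyManagers == null || keyManagers.length == 0) {
                    throw new PipeStartException("No keymanager found for keystore [" + this.keystoreUrl + "]");
                }
                if (!(keyManagers[0] instanceof X509KeyManager)) {
                    throw new PipeStartException("No X509 keymanager found for keystore [" + this.keystoreUrl + "]");
                }
                this.privateKey = ((X509KeyManager) keyManagers[0]).getPrivateKey(getKeystoreAlias());
            }
            if (this.privateKey == null) {
                throw new PipeStartException("No Signing Key found in alias [" + getKeystoreAlias() + "] of keystore [" + this.keystoreUrl + "]");
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | InvalidKeySpecException e) {
            throw new PipeStartException("cannot get Private Key for signing in alias [" + getKeystoreAlias() + "] of keystore [" + this.keystoreUrl + "]", e);
        }
    }

    /**
     * Reads the public key from the PEM certificate, or from the first accepted issuer of the
     * keystore's first trust manager.
     *
     * <p>NOTE(review): keystoreAlias is not consulted on this path. When the keystore holds
     * more than one certificate, the key used for verification is whichever one the trust
     * manager lists first — keep verification keystores to a single certificate, or confirm
     * the ordering is what you expect.
     */
    private void loadVerificationKey() throws PipeStartException {
        try {
            X509Certificate certificate;
            if ("pem".equals(getKeystoreType())) {
                certificate = PkiUtil.getCertificateFromPem(this.keystoreUrl);
            } else {
                TrustManager[] trustManagers = PkiUtil.createTrustManagers(PkiUtil.createKeyStore(this.keystoreUrl, this.keystorePassword, this.keystoreType, "Keys for action [" + getAction() + "]"), this.keyManagerAlgorithm);
                if (trustManagers == null || trustManagers.length == 0) {
                    throw new PipeStartException("No trustmanager for keystore [" + this.keystoreUrl + "]");
                }
                if (!(trustManagers[0] instanceof X509TrustManager)) {
                    throw new PipeStartException("No X509 trustmanager for keystore [" + this.keystoreUrl + "]");
                }
                X509Certificate[] acceptedIssuers = ((X509TrustManager) trustManagers[0]).getAcceptedIssuers();
                if (acceptedIssuers == null || acceptedIssuers.length == 0) {
                    throw new PipeStartException("No Verification Key found in keystore [" + this.keystoreUrl + "]");
                }
                certificate = acceptedIssuers[0];
            }
            if (certificate == null) {
                // Fail at start-up rather than with a NullPointerException below.
                throw new PipeStartException("No Verification Key found in keystore [" + this.keystoreUrl + "]");
            }
            this.publicKey = certificate.getPublicKey();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new PipeStartException("cannot get Public Key for verification in keystore [" + this.keystoreUrl + "]", e);
        }
    }

    /**
     * Signs the message, or verifies the signature supplied in the {@code signature} parameter.
     *
     * @param message the data to sign or verify; preserved first when verifying, because it is
     *     returned as the result after its stream has been read
     * @param iPipeLineSession session used to resolve the {@code signature} parameter
     * @return for {@code sign}: the regular forward with the signature (base64 string or raw
     *     bytes); for {@code verify}: the input message on the regular forward when the
     *     signature matches, on the {@code failure} forward when it does not
     * @throws PipeRunException when the signature cannot be computed or checked, or when the
     *     {@code signature} parameter resolves to no value
     */
    @Override
    public PipeRunResult doPipe(Message message, IPipeLineSession iPipeLineSession) throws PipeRunException {
        try {
            boolean signing = ACTION_SIGN.equals(getAction());
            // A new Signature instance is obtained for every call; nothing is shared between invocations.
            Signature signature = StringUtils.isNotEmpty(getProvider()) ? Signature.getInstance(getAlgorithm(), getProvider()) : Signature.getInstance(getAlgorithm());
            if (signing) {
                signature.initSign(this.privateKey);
            } else {
                signature.initVerify(this.publicKey);
                message.preserve();
            }
            try (BufferedInputStream input = new BufferedInputStream(message.asInputStream())) {
                byte[] buffer = new byte[1024];
                int read;
                while ((read = input.read(buffer)) >= 0) {
                    signature.update(buffer, 0, read);
                }
            }
            if (signing) {
                return new PipeRunResult(getForward(), isSignatureBase64() ? Base64.encodeBase64String(signature.sign()) : signature.sign());
            }
            Object signatureValue = getParameterList().getValues(message, iPipeLineSession).getValueMap().get(PARAMETER_SIGNATURE);
            if (signatureValue == null) {
                // Report a missing signature explicitly instead of failing on a null further down.
                throw new PipeRunException(this, "Parameter [" + PARAMETER_SIGNATURE + "] has no value for action [" + getAction() + "]");
            }
            Message expected = Message.asMessage(signatureValue);
            byte[] expectedBytes = isSignatureBase64() ? Base64.decodeBase64(expected.asString()) : expected.asByteArray();
            return new PipeRunResult(signature.verify(expectedBytes) ? getForward() : this.failureForward, message);
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | ParameterException e) {
            throw new PipeRunException(this, "Could not execute action [" + getAction() + "]", e);
        }
    }

    @IbisDoc({"1", "Action to be taken when pipe is executed. It can be one of the followed: sign (Signs the input), verify (verifies a signature)", "sign"})
    public void setAction(String str) {
        this.action = str;
    }

    @IbisDoc({"2", "The signing algorithm", "SHA256withRSA"})
    public void setAlgorithm(String str) {
        this.algorithm = str;
    }

    // NOTE(review): the order value below is a constant from an unrelated library, which looks like a
    // decompiler substitution for an inlined string literal — confirm against the original source.
    @IbisDoc({Profiler.Version, ""})
    public void setProvider(String str) {
        this.provider = str;
    }

    @IbisDoc({"4", "if true, the signature is (expected to be) base64 encoded", "true"})
    public void setSignatureBase64(boolean z) {
        this.signatureBase64 = z;
    }

    // NOTE(review): same decompiler substitution as on setProvider — confirm the intended order value.
    @IbisDoc({C3P0Substitutions.TRACE, "Keystore to obtain signing key", ""})
    public void setKeystore(String str) {
        this.keystore = str;
    }

    @IbisDoc({"11", "Type of keystore, can be pkcs12 or pem", "pkcs12"})
    public void setKeystoreType(String str) {
        this.keystoreType = str;
    }

    @IbisDoc({"12", "Alias used to obtain keystore password"})
    public void setKeystoreAuthAlias(String str) {
        this.keystoreAuthAlias = str;
    }

    @IbisDoc({"13", "Keystore password"})
    public void setKeystorePassword(String str) {
        this.keystorePassword = str;
    }

    @IbisDoc({"14", "Alias in keystore", ""})
    public void setKeystoreAlias(String str) {
        this.keystoreAlias = str;
    }

    @IbisDoc({"15", "", " "})
    public void setKeyManagerAlgorithm(String str) {
        this.keyManagerAlgorithm = str;
    }

    public String getAction() {
        return this.action;
    }

    public String getAlgorithm() {
        return this.algorithm;
    }

    public String getProvider() {
        return this.provider;
    }

    public boolean isSignatureBase64() {
        return this.signatureBase64;
    }

    public String getKeystore() {
        return this.keystore;
    }

    public String getKeystoreType() {
        return this.keystoreType;
    }

    public String getKeystoreAlias() {
        return this.keystoreAlias;
    }

    public String getKeystoreAuthAlias() {
        return this.keystoreAuthAlias;
    }

    // Returns the keystore password in clear text; callers should keep it out of logs and dumps.
    public String getKeystorePassword() {
        return this.keystorePassword;
    }

    public String getKeyManagerAlgorithm() {
        return this.keyManagerAlgorithm;
    }
}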
