package org.nhindirect.common.crypto.impl;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.nhindirect.common.crypto.MutableKeyStoreProtectionManager;
import org.nhindirect.common.crypto.PKCS11Credential;
import org.nhindirect.common.crypto.WrappableKeyProtectionManager;
import org.nhindirect.common.crypto.exceptions.CryptoException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/direct-common-8.0.0.jar:org/nhindirect/common/crypto/impl/AbstractPKCS11TokenKeyStoreProtectionManager.class */
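/**
 * Base class for key store protection managers whose secret keys live on a PKCS#11 token.
 * <p>
 * The token is accessed through a JCA {@link KeyStore} of type {@link #keyStoreType}
 * (default {@value #DEFAULT_KESTORE_TYPE}). The keys that protect the key store and the
 * private key pass phrases are looked up on the token under {@link #keyStorePassPhraseAlias}
 * and {@link #privateKeyPassPhraseAlias}. Subclasses implement {@link #initTokenStore()} to
 * open the token and populate {@link #ks}; every token operation in this class retries once
 * after {@link #reloadKeyStore()} when the first attempt throws.
 * <p>
 * Security notes:
 * <ul>
 *   <li>{@link #loadProvider()} loads {@link #keyStoreProviderName} by reflection and installs it
 *       as a JCA security provider, and reads {@link #pcks11ConfigFile} from disk. Both values
 *       must come from trusted deployment configuration, never from request or user data.</li>
 *   <li>{@link #wrapWithSecretKey} uses {@value #WRAP_ALGO} with the fixed, public
 *       {@link #IV_BYTES}. Wrapping is therefore deterministic (the same key under the same
 *       wrapping key always yields the same bytes) and the CBC output carries no integrity
 *       check. The IV is kept because previously wrapped material depends on it; changing the
 *       wrap format requires versioning the stored blobs.</li>
 *   <li>Keys are read from the token with a {@code null} password; the token itself is expected
 *       to enforce access through its own login.</li>
 * </ul>
 * Thread-safety: {@link #getAllKeys()}, {@link #safeSetKeyWithRetry} and
 * {@link #safeDeleteKeyWithRetry} synchronize on this instance; the first read attempt in
 * {@link #safeGetKeyWithRetry} / {@link #getSafeEntryWtihRetry} and the first write attempt in
 * {@link #safeSetEntryWithRetry} do not.
 */
public abstract class AbstractPKCS11TokenKeyStoreProtectionManager implements MutableKeyStoreProtectionManager, WrappableKeyProtectionManager {
    /** Fully qualified class name of the JDK SunPKCS11 provider; selected by {@link #keyStoreProviderName}. */
    public static final String SUNPKCS11_KEYSTORE_PROVIDER_NAME = "sun.security.pkcs11.SunPKCS11";
    /** Key store type used when none is configured. (Name kept as-is: it is public API.) */
    public static final String DEFAULT_KESTORE_TYPE = "PKCS11";
    /** Cipher transformation used by {@link #wrapWithSecretKey} / {@link #unwrapWithSecretKey}. */
    public static final String WRAP_ALGO = "AES/CBC/PKCS5Padding";
    /** Token login credential handed to {@link #initTokenStore()} by subclasses. */
    protected PKCS11Credential credential;
    /** Token alias of the key that protects key store pass phrases. */
    protected String keyStorePassPhraseAlias;
    /** Token alias of the key that protects private key pass phrases. */
    protected String privateKeyPassPhraseAlias;
    /** Key store view of the token; {@code null} until {@link #initTokenStore()} runs or after {@link #reloadKeyStore()} resets it. */
    protected KeyStore ks;
    /** JCA key store type passed by subclasses when opening the token. */
    protected String keyStoreType;
    /** Class name of the JCA provider to install in {@link #loadProvider()}; empty means "install nothing". */
    protected String keyStoreProviderName;
    /** Path of the SunPKCS11 configuration file; required when the provider is SunPKCS11. */
    protected String pcks11ConfigFile;
    /** Optional key store source stream for subclasses that load from a stream rather than a token. */
    protected InputStream keyStoreSource;
    private static final Logger log = LoggerFactory.getLogger(AbstractPKCS11TokenKeyStoreProtectionManager.class);
    /**
     * Fixed CBC IV used for every wrap/unwrap. Public and constant, so wrapping is deterministic;
     * see the class notes before changing it.
     */
    public static final byte[] IV_BYTES = {16, 55, 101, 18, 115, 39, 65, 39, 20, 51, 82, 7, 32, 96, 73, 1};

    /**
     * Creates an unconfigured manager. The credential, aliases, provider name and configuration
     * file must be supplied through the setters before {@link #initTokenStore()} is invoked.
     *
     * @throws CryptoException declared for compatibility; this constructor does not throw it
     */
    public AbstractPKCS11TokenKeyStoreProtectionManager() throws CryptoException {
        this.credential = null;
        this.keyStorePassPhraseAlias = "";
        this.privateKeyPassPhraseAlias = "";
        this.keyStoreType = DEFAULT_KESTORE_TYPE;
        this.keyStoreProviderName = "";
        this.pcks11ConfigFile = "";
        this.keyStoreSource = null;
    }

    /**
     * Creates a manager and immediately opens the token.
     *
     * @param pKCS11Credential credential used to log in to the token
     * @param str alias of the key store pass phrase protection key
     * @param str2 alias of the private key pass phrase protection key
     * @throws CryptoException if {@link #initTokenStore()} fails
     * @implNote {@link #initTokenStore()} is abstract and is called from this constructor, so
     *           fields assigned in a subclass constructor body are not yet initialised when it runs.
     */
    public AbstractPKCS11TokenKeyStoreProtectionManager(PKCS11Credential pKCS11Credential, String str, String str2) throws CryptoException {
        this.credential = pKCS11Credential;
        this.keyStorePassPhraseAlias = str;
        this.privateKeyPassPhraseAlias = str2;
        this.keyStoreType = DEFAULT_KESTORE_TYPE;
        this.keyStoreProviderName = "";
        this.pcks11ConfigFile = "";
        this.keyStoreSource = null;
        initTokenStore();
    }

    /**
     * Installs the configured JCA provider if it is not already installed.
     * <p>
     * Does nothing when {@link #keyStoreProviderName} is empty. For
     * {@value #SUNPKCS11_KEYSTORE_PROVIDER_NAME} the provider is constructed from
     * {@link #pcks11ConfigFile}; any other name is loaded by class name and instantiated with its
     * no-argument constructor. Because this installs arbitrary code as a security provider, the
     * name and path must come from trusted configuration.
     * <p>
     * (The decompiled source indicates this method was originally {@code protected}; it is kept
     * {@code public} here so that existing callers continue to compile.)
     *
     * @throws CryptoException wrapping any failure, including a missing SunPKCS11 configuration file
     */
    public void loadProvider() throws CryptoException {
        try {
            if (StringUtils.isEmpty(this.keyStoreProviderName)) {
                return;
            }
            if (this.keyStoreProviderName.equals(SUNPKCS11_KEYSTORE_PROVIDER_NAME)) {
                installSunPkcs11Provider();
            } else {
                installProviderByClassName();
            }
        } catch (Exception e) {
            throw new CryptoException("Error loading PKCS11 provder", e);
        }
    }

    /** Loads {@link #keyStoreProviderName} by class name and installs it unless that class is already a registered provider. */
    private void installProviderByClassName() throws Exception {
        Class<?> providerClass = getClass().getClassLoader().loadClass(this.keyStoreProviderName);
        boolean alreadyInstalled = false;
        for (Provider installed : Security.getProviders()) {
            if (installed.getClass().equals(providerClass)) {
                alreadyInstalled = true;
                break;
            }
        }
        if (!alreadyInstalled) {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance();
            // constructor failures surface as InvocationTargetException and are wrapped by the caller.
            Security.addProvider((Provider) providerClass.getDeclaredConstructor().newInstance());
        }
    }

    /** Builds a SunPKCS11 provider from {@link #pcks11ConfigFile} and installs it unless a provider of the configured name exists. */
    private void installSunPkcs11Provider() throws Exception {
        if (StringUtils.isEmpty(this.pcks11ConfigFile)) {
            throw new IllegalStateException("SunPKCS11 providers require a configuration file.  There is not one set.");
        }
        Properties properties = new Properties();
        // try-with-resources: the original closed the stream only when load() succeeded.
        try (InputStream configStream = FileUtils.openInputStream(new File(this.pcks11ConfigFile))) {
            properties.load(configStream);
        }
        String configuredName = properties.getProperty("name");
        // NOTE(review): SunPKCS11 registers itself as "SunPKCS11-<name>", so a lookup by the bare
        // "name" property may never match. The consequence is only a redundant construction, since
        // Security.addProvider() ignores a provider whose name is already installed — confirm.
        boolean alreadyInstalled = !StringUtils.isEmpty(configuredName) && Security.getProvider(configuredName) != null;
        if (!alreadyInstalled) {
            Provider provider = (Provider) getClass().getClassLoader()
                    .loadClass(SUNPKCS11_KEYSTORE_PROVIDER_NAME)
                    .getConstructor(String.class)
                    .newInstance(this.pcks11ConfigFile);
            Security.addProvider(provider);
        }
    }

    /** Sets the token login credential used by {@link #initTokenStore()}. */
    public void setCredential(PKCS11Credential pKCS11Credential) {
        this.credential = pKCS11Credential;
    }

    /** Sets the alias of the key store pass phrase protection key. */
    public void setKeyStorePassPhraseAlias(String str) {
        this.keyStorePassPhraseAlias = str;
    }

    /** Sets the alias of the private key pass phrase protection key. */
    public void setPrivateKeyPassPhraseAlias(String str) {
        this.privateKeyPassPhraseAlias = str;
    }

    /** Sets the JCA key store type (default {@value #DEFAULT_KESTORE_TYPE}). */
    public void setKeyStoreType(String str) {
        this.keyStoreType = str;
    }

    /** Sets the key store source stream. Ownership stays with the caller; this class never closes it. */
    public void setKeyStoreSource(InputStream inputStream) {
        this.keyStoreSource = inputStream;
    }

    /**
     * Sets the key store source from a string, encoded as UTF-8.
     * <p>
     * The original implementation used {@code getBytes("UTF-8")} and silently swallowed every
     * exception; {@link StandardCharsets#UTF_8} cannot fail, so no catch is needed. A
     * {@code null} argument clears the source, matching {@link #setKeyStoreSource(InputStream)}.
     *
     * @param str key store content, or {@code null} to clear the source
     */
    public void setKeyStoreSourceAsString(String str) {
        this.keyStoreSource = (str == null) ? null : new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8));
    }

    /** Sets the JCA provider class name installed by {@link #loadProvider()}; must be trusted configuration. */
    public void setKeyStoreProviderName(String str) {
        this.keyStoreProviderName = str;
    }

    /** Sets the SunPKCS11 configuration file path; must be trusted configuration. */
    public void setPcks11ConfigFile(String str) {
        this.pcks11ConfigFile = str;
    }

    /**
     * Opens the token and assigns {@link #ks}. Called from the configured constructor and from
     * {@link #reloadKeyStore()} after {@link #ks} has been reset to {@code null}.
     *
     * @throws CryptoException if the token cannot be opened
     */
    public abstract void initTokenStore() throws CryptoException;

    /**
     * Returns every secret key on the token, keyed by alias.
     * <p>
     * Only key entries whose key is a {@link SecretKey} are included. An alias whose key cannot
     * be read is logged and skipped rather than failing the whole listing.
     *
     * @return map of alias to secret key; empty if the token has none
     * @throws CryptoException if the alias enumeration itself fails
     */
    @Override
    public synchronized Map<String, Key> getAllKeys() throws CryptoException {
        Map<String, Key> keys = new HashMap<>();
        try {
            Enumeration<String> aliases = this.ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!this.ks.isKeyEntry(alias)) {
                    continue;
                }
                try {
                    Key key = this.ks.getKey(alias, null);
                    if (key instanceof SecretKey) {
                        keys.put(alias, key);
                    }
                } catch (Exception e) {
                    // Best effort per alias: one unreadable entry must not hide the others.
                    log.warn("Could not read key for alias {}; skipping it", alias, e);
                }
            }
            return keys;
        } catch (Exception e2) {
            throw new CryptoException("Error extracting keys from PKCS11 token", e2);
        }
    }

    /**
     * Returns the key stored under {@code str}, reloading the token once on failure.
     *
     * @return the key, or {@code null} if the alias is absent
     * @throws CryptoException if the retry also fails
     */
    @Override
    public Key getKey(String str) throws CryptoException {
        return safeGetKeyWithRetry(str);
    }

    /** Returns the key stored under {@link #privateKeyPassPhraseAlias}; see {@link #getKey(String)}. */
    @Override
    public Key getPrivateKeyProtectionKey() throws CryptoException {
        return safeGetKeyWithRetry(this.privateKeyPassPhraseAlias);
    }

    /** Returns the key stored under {@link #keyStorePassPhraseAlias}; see {@link #getKey(String)}. */
    @Override
    public Key getKeyStoreProtectionKey() throws CryptoException {
        return safeGetKeyWithRetry(this.keyStorePassPhraseAlias);
    }

    /**
     * Returns every key entry on the token, keyed by alias. Unlike {@link #getAllKeys()} no
     * filtering by key type is applied. An alias whose entry cannot be read is logged and skipped.
     *
     * @return map of alias to entry; empty if the token has none
     * @throws CryptoException if the alias enumeration itself fails
     */
    @Override
    public Map<String, KeyStore.Entry> getAllEntries() throws CryptoException {
        Map<String, KeyStore.Entry> entries = new HashMap<>();
        try {
            Enumeration<String> aliases = this.ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!this.ks.isKeyEntry(alias)) {
                    continue;
                }
                try {
                    entries.put(alias, this.ks.getEntry(alias, null));
                } catch (Exception e) {
                    // Best effort per alias, as in getAllKeys().
                    log.warn("Could not read entry for alias {}; skipping it", alias, e);
                }
            }
            return entries;
        } catch (Exception e2) {
            throw new CryptoException("Error extracting entries from PKCS11 token", e2);
        }
    }

    /** Returns the entry stored under {@code str}, reloading the token once on failure. */
    @Override
    public KeyStore.Entry getEntry(String str) throws CryptoException {
        return getSafeEntryWtihRetry(str);
    }

    /** Stores {@code key} under {@link #privateKeyPassPhraseAlias}. */
    @Override
    public void setPrivateKeyProtectionKey(Key key) throws CryptoException {
        safeSetKeyWithRetry(this.privateKeyPassPhraseAlias, key);
    }

    /**
     * Stores raw key bytes under {@link #privateKeyPassPhraseAlias} as a {@link SecretKeySpec}
     * with an empty algorithm name.
     *
     * @throws CryptoException if the bytes are rejected (e.g. empty) or the token write fails
     */
    @Override
    public void setPrivateKeyProtectionKeyAsBytes(byte[] bArr) throws CryptoException {
        safeSetKeyWithRetry(this.privateKeyPassPhraseAlias, toSecretKey(bArr));
    }

    /**
     * Stores the bytes of {@code str} under {@link #privateKeyPassPhraseAlias}.
     * <p>
     * NOTE: {@code String.getBytes()} uses the platform default charset (prior to JDK 18), so the
     * stored key material can differ between hosts for non-ASCII input. Kept for compatibility
     * with keys already on tokens; switch to an explicit charset only with a migration plan.
     */
    @Override
    public void setPrivateKeyProtectionKeyAsString(String str) throws CryptoException {
        safeSetKeyWithRetry(this.privateKeyPassPhraseAlias, toSecretKey(str.getBytes()));
    }

    /** Deletes the entry under {@link #privateKeyPassPhraseAlias}. */
    @Override
    public void clearPrivateKeyProtectionKey() throws CryptoException {
        safeDeleteKeyWithRetry(this.privateKeyPassPhraseAlias);
    }

    /** Stores {@code key} under {@link #keyStorePassPhraseAlias}. */
    @Override
    public void setKeyStoreProtectionKey(Key key) throws CryptoException {
        safeSetKeyWithRetry(this.keyStorePassPhraseAlias, key);
    }

    /**
     * Stores raw key bytes under {@link #keyStorePassPhraseAlias} as a {@link SecretKeySpec}
     * with an empty algorithm name.
     *
     * @throws CryptoException if the bytes are rejected (e.g. empty) or the token write fails
     */
    @Override
    public void setKeyStoreProtectionKeyAsBytes(byte[] bArr) throws CryptoException {
        safeSetKeyWithRetry(this.keyStorePassPhraseAlias, toSecretKey(bArr));
    }

    /**
     * Stores the bytes of {@code str} under {@link #keyStorePassPhraseAlias}.
     * See {@link #setPrivateKeyProtectionKeyAsString(String)} for the charset caveat.
     */
    @Override
    public void setKeyStoreProtectionKeyAsString(String str) throws CryptoException {
        safeSetKeyWithRetry(this.keyStorePassPhraseAlias, toSecretKey(str.getBytes()));
    }

    /**
     * Wraps raw bytes in a {@link SecretKeySpec} with an empty algorithm name, translating the
     * spec's {@link IllegalArgumentException} into the {@link CryptoException} callers expect.
     * Shared by the four {@code *AsBytes}/{@code *AsString} setters so they behave identically.
     */
    private static SecretKeySpec toSecretKey(byte[] keyBytes) throws CryptoException {
        try {
            return new SecretKeySpec(keyBytes, "");
        } catch (Exception e) {
            throw new CryptoException("Error storing key store protection into PKCS11 token", e);
        }
    }

    /** Deletes the entry under {@link #keyStorePassPhraseAlias}. */
    @Override
    public void clearKeyStoreProtectionKey() throws CryptoException {
        safeDeleteKeyWithRetry(this.keyStorePassPhraseAlias);
    }

    /** Stores {@code key} under alias {@code str}. */
    @Override
    public void setKey(String str, Key key) throws CryptoException {
        safeSetKeyWithRetry(str, key);
    }

    /** Deletes the entry under alias {@code str} if a key is currently stored there. */
    @Override
    public void clearKey(String str) throws CryptoException {
        if (getKey(str) != null) {
            safeDeleteKeyWithRetry(str);
        }
    }

    /** Stores {@code entry} under alias {@code str}. */
    @Override
    public void setEntry(String str, KeyStore.Entry entry) throws CryptoException {
        safeSetEntryWithRetry(str, entry);
    }

    /** Deletes the entry under alias {@code str} if one is currently stored there. */
    @Override
    public void clearEntry(String str) throws CryptoException {
        if (getEntry(str) != null) {
            safeDeleteKeyWithRetry(str);
        }
    }

    /**
     * Writes a key entry, reloading the token and retrying once if the first write throws.
     *
     * @throws CryptoException if the second attempt also fails
     */
    protected synchronized void safeSetKeyWithRetry(String str, Key key) throws CryptoException {
        try {
            this.ks.setKeyEntry(str, key, null, null);
            return;
        } catch (Exception e) {
            // Exception attached so the cause of the first failure is not lost.
            log.warn("Could not set key entry on first attemp.  Will attempt to reload the key store and try again", e);
        }
        reloadKeyStore();
        try {
            this.ks.setKeyEntry(str, key, null, null);
        } catch (Exception e2) {
            throw new CryptoException("Error setting key in PKCS11 token", e2);
        }
    }

    /**
     * Deletes an entry, reloading the token and retrying once if the first delete throws.
     *
     * @throws CryptoException if the second attempt also fails
     */
    protected synchronized void safeDeleteKeyWithRetry(String str) throws CryptoException {
        try {
            this.ks.deleteEntry(str);
            return;
        } catch (Exception e) {
            log.warn("Could not delete key entry on first attemp.  Will attempt to reload the key store and try again", e);
        }
        reloadKeyStore();
        try {
            this.ks.deleteEntry(str);
        } catch (Exception e2) {
            throw new CryptoException("Error deleting key from PKCS11 token", e2);
        }
    }

    /**
     * Writes an entry, reloading the token and retrying once if the first write throws.
     * Only the reload is synchronized; both writes run without the instance lock.
     *
     * @throws CryptoException if the second attempt also fails
     */
    protected void safeSetEntryWithRetry(String str, KeyStore.Entry entry) throws CryptoException {
        try {
            this.ks.setEntry(str, entry, null);
            return;
        } catch (Exception e) {
            log.warn("Could not set entry on first attemp.  Will attempt to reload the key store and try again", e);
        }
        synchronized (this) {
            reloadKeyStore();
        }
        try {
            this.ks.setEntry(str, entry, null);
        } catch (Exception e2) {
            throw new CryptoException("Error setting entry in PKCS11 token", e2);
        }
    }

    /**
     * Reads a key, reloading the token and retrying once (under the instance lock) if the
     * first read throws. A {@code null} {@link #ks} also triggers the reload path.
     *
     * @return the key, or {@code null} if the alias is absent
     * @throws CryptoException if the second attempt also fails
     */
    protected Key safeGetKeyWithRetry(String str) throws CryptoException {
        try {
            return this.ks.getKey(str, null);
        } catch (Exception e) {
            log.warn("Loading key {}", str);
            log.warn("Could not get key entry on first attemp.  Will attempt to reload the key store and try again", e);
        }
        synchronized (this) {
            reloadKeyStore();
            try {
                return this.ks.getKey(str, null);
            } catch (Exception e2) {
                throw new CryptoException("Error getting key from PKCS11 token", e2);
            }
        }
    }

    /**
     * Reads an entry, reloading the token and retrying once (under the instance lock) if the
     * first read throws.
     *
     * @return the entry, or {@code null} if the alias is absent
     * @throws CryptoException if the second attempt also fails
     */
    protected KeyStore.Entry getSafeEntryWtihRetry(String str) throws CryptoException {
        try {
            return this.ks.getEntry(str, null);
        } catch (Exception e) {
            log.info("Loading key {}", str);
            log.warn("Could not get entry on first attemp.  Will attempt to reload the key store and try again", e);
        }
        synchronized (this) {
            reloadKeyStore();
            try {
                return this.ks.getEntry(str, null);
            } catch (Exception e2) {
                throw new CryptoException("Error getting entry from PKCS11 token", e2);
            }
        }
    }

    /**
     * Drops the current key store and reopens the token via {@link #initTokenStore()}.
     * Callers are responsible for holding the instance lock where required.
     */
    protected void reloadKeyStore() throws CryptoException {
        this.ks = null;
        initTokenStore();
    }

    /**
     * Returns the live key store. Callers get the same mutable object this class uses, so
     * writes through it bypass the retry logic above.
     */
    @Override
    public KeyStore getKS() {
        return this.ks;
    }

    /**
     * Wraps {@code key} under {@code secretKey} using {@value #WRAP_ALGO} on the token's
     * provider, with the fixed {@link #IV_BYTES}. Deterministic and unauthenticated; see the
     * class notes.
     *
     * @param secretKey the wrapping (key-encryption) key
     * @param key the key to wrap
     * @return the wrapped key bytes
     * @throws CryptoException if the provider or cipher cannot be obtained or wrapping fails
     */
    @Override
    public byte[] wrapWithSecretKey(SecretKey secretKey, Key key) throws CryptoException {
        IvParameterSpec iv = new IvParameterSpec(IV_BYTES);
        try {
            Cipher cipher = Cipher.getInstance(WRAP_ALGO, this.ks.getProvider().getName());
            cipher.init(Cipher.WRAP_MODE, secretKey, iv);
            return cipher.wrap(key);
        } catch (Exception e) {
            throw new CryptoException("Failed to wrap key: " + e.getMessage(), e);
        }
    }

    /**
     * Unwraps bytes produced by {@link #wrapWithSecretKey} under {@code secretKey}.
     *
     * @param secretKey the wrapping (key-encryption) key
     * @param bArr the wrapped key bytes
     * @param str the algorithm name of the wrapped key (passed to {@link Cipher#unwrap})
     * @param i the wrapped key type, one of {@link Cipher#SECRET_KEY}, {@link Cipher#PRIVATE_KEY}
     *          or {@link Cipher#PUBLIC_KEY}
     * @return the unwrapped key
     * @throws CryptoException if the provider or cipher cannot be obtained or unwrapping fails;
     *         because CBC is unauthenticated, tampered input may fail only at padding/decoding
     */
    @Override
    public Key unwrapWithSecretKey(SecretKey secretKey, byte[] bArr, String str, int i) throws CryptoException {
        IvParameterSpec iv = new IvParameterSpec(IV_BYTES);
        try {
            Cipher cipher = Cipher.getInstance(WRAP_ALGO, this.ks.getProvider().getName());
            cipher.init(Cipher.UNWRAP_MODE, secretKey, iv);
            return cipher.unwrap(bArr, str, i);
        } catch (Exception e) {
            throw new CryptoException("Failed to unwrap key: " + e.getMessage(), e);
        }
    }
}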
