package org.nhindirect.gateway.smtp.config.cert.impl;

import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.apache.commons.lang3.StringUtils;
import org.nhindirect.common.crypto.CryptoExtensions;
import org.nhindirect.common.crypto.KeyStoreProtectionManager;
import org.nhindirect.common.crypto.MutableKeyStoreProtectionManager;
import org.nhindirect.config.model.utils.CertUtils;
import org.nhindirect.stagent.AgentError;
import org.nhindirect.stagent.NHINDException;
import org.nhindirect.stagent.cert.WrappedOnDemandX509CertificateEx;
import org.nhindirect.stagent.cert.X509CertificateEx;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/gateway-8.0.0.jar:org/nhindirect/gateway/smtp/config/cert/impl/CertStoreUtils.class */
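public class CertStoreUtils {
    private static final Logger log = LoggerFactory.getLogger(CertStoreUtils.class);

    /**
     * Converts raw certificate bytes into an {@link X509Certificate}, attaching private key
     * material when it is available.
     *
     * <p>The data is interpreted in this order:
     * <ol>
     *   <li>If {@link CertUtils#toCertContainer(byte[])} reports wrapped key data, the certificate
     *       is returned as a {@link WrappedOnDemandX509CertificateEx} bound to the supplied
     *       protection manager.</li>
     *   <li>Otherwise the bytes are tried as a PKCS12 container opened with an empty password.
     *       Only the first alias is read; any further entries are ignored.</li>
     *   <li>If that yields nothing, the bytes are parsed as a plain X.509 certificate.</li>
     *   <li>If the result still carries no private key and the manager is a
     *       {@link MutableKeyStoreProtectionManager}, its key store is searched for a private key
     *       stored under the certificate's alias.</li>
     * </ol>
     *
     * <p>The returned object may hold a private key, so callers should treat it as sensitive and
     * avoid logging or serializing it.
     *
     * @param keyStoreProtectionManager manager used to unwrap wrapped keys and to look up private
     *        keys; may be {@code null} when the data carries no wrapped key
     * @param bArr encoded certificate data
     * @return the parsed certificate, as an {@link X509CertificateEx} when a private key was found
     * @throws NHINDException if the data cannot be converted; this includes the case where the
     *         data has wrapped key data but no protection manager was supplied, because that
     *         error is raised inside the same try block and is re-wrapped as the cause
     */
    public static X509Certificate certFromData(KeyStoreProtectionManager keyStoreProtectionManager, byte[] bArr) {
        try {
            CertUtils.CertContainer certContainer = CertUtils.toCertContainer(bArr);
            if (certContainer.getWrappedKeyData() != null) {
                if (keyStoreProtectionManager == null) {
                    throw new NHINDException(AgentError.Unexpected, "Resolved certifiate has wrapped data, but resolver has not been configured to unwrap it.");
                }
                return WrappedOnDemandX509CertificateEx.fromX509Certificate(keyStoreProtectionManager, certContainer.getCert(), certContainer.getWrappedKeyData());
            }

            X509Certificate certificate = readFromEmptyPasswordPkcs12(bArr);
            if (certificate == null) {
                // Not a readable PKCS12 container: parse the same bytes as a bare certificate.
                // A failure here is a real error and propagates to the outer catch.
                try (ByteArrayInputStream in = new ByteArrayInputStream(bArr)) {
                    certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                }
            }
            return attachPrivateKeyFromManager(keyStoreProtectionManager, certificate);
        } catch (Exception e) {
            throw new NHINDException("Data cannot be converted to a valid X.509 Certificate", e);
        }
    }

    /**
     * Best-effort read of the first entry of a PKCS12 container protected by an empty password.
     *
     * @return the certificate (with its private key when the entry has one), or {@code null} when
     *         the data is not such a container, holds no aliases, or cannot be read
     */
    private static X509Certificate readFromEmptyPasswordPkcs12(byte[] data) {
        try (ByteArrayInputStream in = new ByteArrayInputStream(data)) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12", CryptoExtensions.getJCEProviderName());
            // Both the container and the key entry are opened with an empty password, so a
            // password-protected PKCS12 blob ends up on the failure path below.
            keyStore.load(in, "".toCharArray());
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                return null;
            }
            String alias = aliases.nextElement();
            X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
            Key key = keyStore.getKey(alias, "".toCharArray());
            if (key instanceof PrivateKey) {
                return X509CertificateEx.fromX509Certificate(certificate, (PrivateKey) key);
            }
            return certificate;
        } catch (Exception e) {
            // Expected for plain DER/PEM certificates, so this stays a fallback rather than an
            // error. It is logged at debug level (message only, never the input bytes) so that an
            // unexpectedly rejected key container can still be diagnosed.
            log.debug("Certificate data could not be read as an empty-password PKCS12 container; falling back to X.509 parsing: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Looks up a private key for {@code certificate} in the key store of a
     * {@link MutableKeyStoreProtectionManager} and, if one is found, returns the certificate
     * combined with that key. In every other case the certificate is returned unchanged.
     */
    private static X509Certificate attachPrivateKeyFromManager(KeyStoreProtectionManager keyStoreProtectionManager, X509Certificate certificate) {
        // instanceof is false for null, so a missing manager is covered by the second test.
        if (certificate instanceof X509CertificateEx || !(keyStoreProtectionManager instanceof MutableKeyStoreProtectionManager)) {
            return certificate;
        }
        try {
            KeyStore ks = ((MutableKeyStoreProtectionManager) keyStoreProtectionManager).getKS();
            String certificateAlias = ks.getCertificateAlias(certificate);
            if (StringUtils.isEmpty(certificateAlias)) {
                return certificate;
            }
            // Type-check before casting: an entry under this alias that is not a private key
            // is skipped instead of surfacing as a ClassCastException.
            Key key = ks.getKey(certificateAlias, "".toCharArray());
            if (key instanceof PrivateKey) {
                return X509CertificateEx.fromX509Certificate(certificate, (PrivateKey) key);
            }
        } catch (Exception e) {
            // The lookup is optional; on failure the certificate is used without a private key.
            log.warn("Could not retrieve the private key from the PKCS11 token: " + e.getMessage(), e);
        }
        return certificate;
    }
}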
