package be.ehealth.technicalconnector.service.etee;

import be.ehealth.technicalconnector.config.ConfigFactory;
import be.ehealth.technicalconnector.exception.ConfigurationException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.session.Session;
import be.ehealth.technicalconnector.session.SessionItem;
import be.ehealth.technicalconnector.utils.ConfigurableFactoryHelper;
import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.ehealth.technicalconnector.utils.KeyStoreManager;
import be.fgov.ehealth.etee.crypto.policies.OCSPOption;
import be.fgov.ehealth.etee.crypto.policies.OCSPPolicy;
import be.fgov.ehealth.etee.crypto.policies.SigningOption;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/ehealth/technicalconnector/service/etee/CryptoFactory.class */
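public final class CryptoFactory {
    // Configuration keys for the signing policy handed to the eHealth ETEE crypto library (SigningOption).
    public static final String SIGNING_TIME_EXPIRATION = "be.fgov.ehealth.etee.crypto.policies.SigningOption.SIGNING_TIME_EXPIRATION";
    public static final String SIGNING_CLOCK_SKEW = "be.fgov.ehealth.etee.crypto.policies.SigningOption.CLOCK_SKEW";
    public static final String SIGNING_TIME_TRUST_IMPLICIT = "be.fgov.ehealth.etee.crypto.policies.SigningOption.SIGNING_TIME_TRUST_IMPLICIT";
    public static final String SIGNING_TSA_CERT_STORE = "be.fgov.ehealth.etee.crypto.policies.SigningOption.TSA_CERT_STORE";
    // Configuration keys for the OCSP (revocation checking) policy (OCSPOption).
    public static final String OCSP_URI = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.OCSP_URI";
    public static final String OCSP_INJECT_RESPONSE = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.INJECT_RESPONSE";
    public static final String OCSP_CLOCK_SKEW = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.CLOCK_SKEW";
    public static final String OCSP_CONNECTION_TIMEOUT = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.CONNECTION_TIMEOUT";
    public static final String OCSP_CERT_STORE = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.CERT_STORE";
    public static final String OCSP_READ_TIMEOUT = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.READ_TIMEOUT";
    public static final String OCSP_CONNECTION_USER_INTERACTION = "be.fgov.ehealth.etee.crypto.policies.OCSPOption.CONNECTION_USER_INTERACTION";
    // Keystore holding the trust anchors for time-stamp-authority (TSA) signatures.
    private static final String TIMESTAMP_SIGNATURE_KEYSTORE_PWD = "timestamp.signature.keystore.pwd";
    private static final String TIMESTAMP_SIGNATURE_KEYSTORE_PATH = "timestamp.signature.keystore.path";
    // Keystore holding the CA certificates; it is handed to the OCSP policy as its TRUST_STORE, so
    // every certificate in it is a trust anchor for revocation checking. Keep it to the intended CAs.
    private static final String PROP_CAKEYSTORE_PATH = "CAKEYSTORE_LOCATION";
    private static final String PROP_CAKEYSTORE_PASSWORD = "CAKEYSTORE_PASSWORD";
    // Directory prefix that is string-concatenated (no separator added) in front of every keystore path.
    private static final String PROP_KEYSTORE_DIR = "KEYSTORE_DIR";
    private static final Logger LOG = LoggerFactory.getLogger(CryptoFactory.class);
    public static final String PROPS_CRYPTO_CLASS = "crypto.classname";
    private static final String DEFAULT_CERT_CHECKER_CLASS = "be.ehealth.technicalconnector.service.etee.impl.CryptoImpl";
    private static final ConfigurableFactoryHelper<Crypto> helper = new ConfigurableFactoryHelper<>(PROPS_CRYPTO_CLASS, DEFAULT_CERT_CHECKER_CLASS);

    /**
     * Lazily built, process-wide cache of the OCSP option map. Both accessors are {@code synchronized}
     * so the map is built at most once per invalidation; the published map is unmodifiable.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static class OCSPOptionHolder {
        private static Map<OCSPOption, Object> ocspOptionMap;

        private OCSPOptionHolder() {
        }

        /**
         * Returns the cached OCSP option map, building it from configuration on first use
         * (or after {@link #invalidate()}).
         *
         * @return an unmodifiable map of OCSP options; never {@code null}
         * @throws ConfigurationException if the CA keystore cannot be instantiated
         */
        public static synchronized Map<OCSPOption, Object> load() {
            if (ocspOptionMap == null) {
                ocspOptionMap = Collections.unmodifiableMap(build());
            }
            return ocspOptionMap;
        }

        /** Drops the cached map; the next {@link #load()} re-reads configuration and the CA keystore. */
        public static synchronized void invalidate() {
            ocspOptionMap = null;
        }

        /**
         * Reads every OCSP option from configuration, applying the defaults used when a key is absent.
         * Defaults are the conservative ones: no injected response, no interactive connections, 3 s
         * connect/read timeouts and a 300 000 ms (5 min) tolerated clock skew.
         */
        private static Map<OCSPOption, Object> build() {
            EnumMap<OCSPOption, Object> options = new EnumMap<>(OCSPOption.class);
            // OCSP_URI has no default: if the key is missing the value is whatever the validator returns (possibly null).
            options.put(OCSPOption.OCSP_URI, ConfigFactory.getConfigValidator().getProperty(CryptoFactory.OCSP_URI));
            KeyStore caCertificateStore = CryptoFactory.getCaCertificateStore();
            options.put(OCSPOption.TRUST_STORE, caCertificateStore);
            // The CERT_STORE is the CA keystore contents plus any *.CERT / *.CRL resources listed under OCSP_CERT_STORE.
            options.put(OCSPOption.CERT_STORE, CryptoFactory.generateCertStore(CryptoFactory.OCSP_CERT_STORE, caCertificateStore));
            // NOTE(review): INJECT_RESPONSE=true presumably lets a pre-supplied OCSP response replace a live
            // responder query; keep it false outside controlled test setups — confirm against the ETEE library.
            options.put(OCSPOption.INJECT_RESPONSE, ConfigFactory.getConfigValidator().getBooleanProperty(CryptoFactory.OCSP_INJECT_RESPONSE, Boolean.FALSE));
            options.put(OCSPOption.CLOCK_SKEW, ConfigFactory.getConfigValidator().getLongProperty(CryptoFactory.OCSP_CLOCK_SKEW, 300000L));
            options.put(OCSPOption.CONNECTION_TIMEOUT, ConfigFactory.getConfigValidator().getIntegerProperty(CryptoFactory.OCSP_CONNECTION_TIMEOUT, 3000));
            options.put(OCSPOption.READ_TIMEOUT, ConfigFactory.getConfigValidator().getIntegerProperty(CryptoFactory.OCSP_READ_TIMEOUT, 3000));
            options.put(OCSPOption.CONNECTION_USER_INTERACTION, ConfigFactory.getConfigValidator().getBooleanProperty(CryptoFactory.OCSP_CONNECTION_USER_INTERACTION, Boolean.FALSE));
            return options;
        }
    }

    private CryptoFactory() {
    }

    /**
     * Builds a {@link Crypto} instance for the given sealing credential and unsealing keys, with the
     * signing and OCSP policies read from configuration.
     *
     * @param credential the credential used for data sealing (may be whatever the implementation accepts)
     * @param map        private keys used for unsealing, keyed as the implementation expects
     * @param str        name of an {@link OCSPPolicy} constant (e.g. {@code "NONE"}); must be non-null
     * @return the configured {@link Crypto} implementation selected by {@code crypto.classname}
     * @throws TechnicalConnectorException if the implementation cannot be instantiated
     * @throws IllegalArgumentException    if {@code str} is not an {@link OCSPPolicy} name
     * @throws NullPointerException        if {@code str} is {@code null}
     * @throws ConfigurationException      if a configured keystore cannot be instantiated
     */
    public static Crypto getCrypto(Credential credential, Map<String, PrivateKey> map, String str) throws TechnicalConnectorException {
        HashMap<String, Object> settings = new HashMap<>();
        settings.put(Crypto.DATASEALER_CREDENTIAL, credential);
        settings.put(Crypto.DATAUNSEALER_PKMAP, map);
        settings.put(Crypto.OCSP_POLICY, OCSPPolicy.valueOf(str));
        settings.put(Crypto.SIGNING_OPTIONMAP, buildSigningOptions());
        // OCSP options are cached process-wide (see OCSPOptionHolder); signing options are rebuilt per call.
        settings.put(Crypto.OCSP_OPTIONMAP, getOCSPOptions());
        return helper.getImplementation(settings);
    }

    /**
     * Reads the signing policy from configuration. Unlike the OCSP options this is NOT cached, so the
     * TSA trust store is loaded from disk on every {@link #getCrypto} call.
     */
    private static Map<SigningOption, Object> buildSigningOptions() {
        EnumMap<SigningOption, Object> options = new EnumMap<>(SigningOption.class);
        // Default 5; the unit is defined by the ETEE library, not here.
        options.put(SigningOption.SIGNING_TIME_EXPIRATION, ConfigFactory.getConfigValidator().getIntegerProperty(SIGNING_TIME_EXPIRATION, 5));
        options.put(SigningOption.CLOCK_SKEW, ConfigFactory.getConfigValidator().getLongProperty(SIGNING_CLOCK_SKEW, 300000L));
        // NOTE(review): trusting the signer-asserted signing time implicitly bypasses the time-stamp check;
        // the default keeps it off — only enable deliberately.
        options.put(SigningOption.SIGNING_TIME_TRUST_IMPLICIT, ConfigFactory.getConfigValidator().getBooleanProperty(SIGNING_TIME_TRUST_IMPLICIT, Boolean.FALSE));
        options.put(SigningOption.TSA_TRUST_STORE, getKeyStore(TIMESTAMP_SIGNATURE_KEYSTORE_PATH, TIMESTAMP_SIGNATURE_KEYSTORE_PWD));
        // The TSA cert store is built only from configured *.CERT / *.CRL resources (no keystore is merged in).
        options.put(SigningOption.TSA_CERT_STORE, generateCertStore(SIGNING_TSA_CERT_STORE, new KeyStore[0]));
        return options;
    }

    /**
     * Returns the cached OCSP options (built on first access).
     *
     * @return an unmodifiable {@link OCSPOption} map
     */
    public static Map<OCSPOption, Object> getOCSPOptions() {
        return OCSPOptionHolder.load();
    }

    /** Discards the cached OCSP options and eagerly rebuilds them from the current configuration. */
    public static void resetOCSPOptions() {
        OCSPOptionHolder.invalidate();
        OCSPOptionHolder.load();
    }

    /**
     * Loads the CA keystore configured by {@code CAKEYSTORE_LOCATION} / {@code CAKEYSTORE_PASSWORD}.
     *
     * @return the keystore; an EMPTY JKS keystore when no location is configured or loading fails
     * @throws ConfigurationException if a keystore object cannot be instantiated at all
     */
    public static KeyStore getCaCertificateStore() {
        return getKeyStore(PROP_CAKEYSTORE_PATH, PROP_CAKEYSTORE_PASSWORD);
    }

    /**
     * Loads the keystore whose location and password are held in the given configuration properties.
     * <p>
     * When the path property is blank, or the configured keystore cannot be loaded, an empty JKS
     * keystore is returned instead. NOTE(review): that fallback means a misconfigured trust store
     * degrades silently to "zero trust anchors"; the failure is logged at WARN so it is visible.
     *
     * @param pathProperty     configuration key holding the keystore path (appended to KEYSTORE_DIR)
     * @param passwordProperty configuration key holding the keystore password
     * @return the loaded keystore, or an empty JKS keystore (never {@code null})
     * @throws ConfigurationException wrapping any failure to instantiate/initialise the keystore
     */
    private static KeyStore getKeyStore(String pathProperty, String passwordProperty) {
        try {
            char[] password = ConfigFactory.getConfigValidator().getProperty(passwordProperty, "").toCharArray();
            String path = ConfigFactory.getConfigValidator().getProperty(pathProperty, "");
            KeyStore keyStore = null;
            if (StringUtils.isNotBlank(path)) {
                // KEYSTORE_DIR is concatenated verbatim: it must already end with a separator if one is needed.
                String location = ConfigFactory.getConfigValidator().getProperty(PROP_KEYSTORE_DIR, "") + path;
                keyStore = loadKeyStore(location, password);
                if (keyStore == null) {
                    LOG.warn("Keystore [{}] configured at [{}] could not be loaded; falling back to an EMPTY keystore.", pathProperty, location);
                }
            }
            if (keyStore == null) {
                keyStore = KeyStore.getInstance("JKS");
                // Fix: the original passed the password *property name* here. load(null, ...) creates an
                // empty store and ignores the password, so this is for consistency rather than behaviour.
                keyStore.load(null, password);
            }
            LOG.debug("Current keystore [{}] content is: ", pathProperty);
            dump(keyStore);
            return keyStore;
        } catch (Exception e) {
            throw new ConfigurationException(e);
        }
    }

    /**
     * Logs, at DEBUG only, the sorted aliases of the keystore and the subject DN of each certificate
     * entry. Entries without an X.509 certificate (e.g. secret keys) are reported without a subject
     * instead of failing on a cast.
     *
     * @throws KeyStoreException if the keystore has not been initialised
     */
    private static void dump(KeyStore keyStore) throws KeyStoreException {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        ArrayList<String> aliases = new ArrayList<>();
        Enumeration<String> names = keyStore.aliases();
        while (names.hasMoreElements()) {
            aliases.add(names.nextElement());
        }
        Collections.sort(aliases);
        for (String alias : aliases) {
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate instanceof X509Certificate) {
                LOG.debug(" .[{}] {} ", alias, ((X509Certificate) certificate).getSubjectX500Principal().getName("RFC1779"));
            } else {
                LOG.debug(" .[{}] (no X.509 certificate for this entry)", alias);
            }
        }
    }

    /**
     * Opens the keystore at {@code location} through {@link KeyStoreManager}.
     *
     * @return the keystore, or {@code null} when it cannot be loaded (the caller decides the fallback)
     */
    private static KeyStore loadKeyStore(String location, char[] password) {
        try {
            return new KeyStoreManager(location, password).getKeyStore();
        } catch (TechnicalConnectorException e) {
            LOG.warn("Unable to load keystore [{}].", location, e);
            return null;
        }
    }

    /**
     * Convenience overload using OCSP policy {@code "NONE"}. NOTE(review): the name suggests no
     * revocation checking is performed for this {@link Crypto}; confirm against the ETEE library
     * before relying on it for validation of received data.
     */
    public static Crypto getCrypto(Credential credential, Map<String, PrivateKey> map) throws TechnicalConnectorException {
        return getCrypto(credential, map, "NONE");
    }

    /**
     * Builds a {@link Crypto} from the encryption credential and private keys of the current
     * {@link Session}, using OCSP policy {@code "NONE"}.
     */
    public static Crypto getCryptoFromSession() throws TechnicalConnectorException {
        SessionItem session = Session.getInstance().getSession();
        return getCrypto(session.getEncryptionCredential(), session.getEncryptionPrivateKeys());
    }

    /**
     * Builds a collection {@link CertStore} from the certificates of the given keystores plus every
     * resource listed under the configuration keys {@code <prefix>.CERT} (certificates) and
     * {@code <prefix>.CRL} (revocation lists). Individual resources that fail to parse are logged
     * and skipped; the store is still returned.
     *
     * @param str         configuration key prefix
     * @param keyStoreArr keystores whose certificate entries are merged in (may be empty)
     * @return the cert store, or {@code null} if the JRE lacks the X.509 / Collection providers
     *         (callers put that value into the option map as-is)
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static CertStore generateCertStore(String str, KeyStore... keyStoreArr) {
        try {
            Collection<Object> entries = new ArrayList<>();
            for (KeyStore keyStore : keyStoreArr) {
                process(entries, keyStore);
            }
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            for (String certResource : ConfigFactory.getConfigValidator().getMatchingProperties(str + ".CERT")) {
                processCERT(entries, certificateFactory, certResource);
            }
            for (String crlResource : ConfigFactory.getConfigValidator().getMatchingProperties(str + ".CRL")) {
                processCRL(entries, certificateFactory, crlResource);
            }
            return CertStore.getInstance("Collection", new CollectionCertStoreParameters(entries));
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException e) {
            LOG.error(e.getClass().getName() + ":" + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Parses one CRL resource and adds it to {@code collection}. Failures are logged and swallowed
     * (best effort, as before); the stream is now closed on every path via try-with-resources.
     */
    private static void processCRL(Collection<Object> collection, CertificateFactory certificateFactory, String str) {
        try (InputStream resourceAsStream = ConnectorIOUtils.getResourceAsStream(str)) {
            collection.add(certificateFactory.generateCRL(resourceAsStream));
            LOG.info("Added {} as CRL in CertStore.", str);
        } catch (Exception e) {
            LOG.error(e.getClass().getName() + ":" + e.getMessage(), e);
        }
    }

    /**
     * Parses one certificate resource and adds it to {@code collection}. Failures are logged and
     * swallowed (best effort, as before); the stream is closed on every path via try-with-resources.
     */
    private static void processCERT(Collection<Object> collection, CertificateFactory certificateFactory, String str) {
        try (InputStream resourceAsStream = ConnectorIOUtils.getResourceAsStream(str)) {
            collection.add(certificateFactory.generateCertificate(resourceAsStream));
            LOG.info("Added {} as CERT in CertStore.", str);
        } catch (Exception e) {
            LOG.error(e.getClass().getName() + ":" + e.getMessage(), e);
        }
    }

    /**
     * Copies every certificate entry of {@code keyStore} into {@code collection}. A keystore that
     * cannot be enumerated is logged at WARN and skipped.
     */
    private static void process(Collection<Object> collection, KeyStore keyStore) {
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                Certificate certificate = keyStore.getCertificate(aliases.nextElement());
                if (LOG.isDebugEnabled() && certificate instanceof X509Certificate) {
                    LOG.debug("Adding certificate {}", ((X509Certificate) certificate).getSubjectX500Principal().getName("RFC1779"));
                }
                // Entries without a certificate (e.g. secret keys) contribute a null, exactly as before.
                collection.add(certificate);
            }
            LOG.info("Added truststore in CertStore.");
        } catch (KeyStoreException e) {
            LOG.warn("Unable to add truststore to CertStore", e);
        }
    }
}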
