package com.evolveum.midpoint.prism.impl.crypto;

import com.evolveum.midpoint.common.configuration.api.MidpointConfiguration;
import com.evolveum.midpoint.prism.PrismConstants;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.KeyStoreBasedProtector;
import com.evolveum.midpoint.prism.crypto.KeyStoreBasedProtectorBuilder;
import com.evolveum.midpoint.prism.crypto.ProtectedData;
import com.evolveum.midpoint.util.QNameUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.prism.xml.ns._public.types_3.CipherDataType;
import com.evolveum.prism.xml.ns._public.types_3.DigestMethodType;
import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
import com.evolveum.prism.xml.ns._public.types_3.EncryptionMethodType;
import com.evolveum.prism.xml.ns._public.types_3.HashedDataType;
import com.evolveum.prism.xml.ns._public.types_3.KeyInfoType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Random;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.namespace.QName;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:BOOT-INF/lib/prism-impl-4.10-M4.jar:com/evolveum/midpoint/prism/impl/crypto/KeyStoreBasedProtectorImpl.class */
public class KeyStoreBasedProtectorImpl extends BaseProtector implements KeyStoreBasedProtector {
    private static final String KEY_DIGEST_TYPE = "SHA1";
    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    private Random randomNumberGenerator;
    private String keyStorePath;
    private String keyStorePassword;
    private String encryptionKeyAlias = "default";
    private String requestedJceProviderName = null;
    private String encryptionAlgorithm;
    private String digestAlgorithm;
    private String fixedSalt;
    private List<TrustManager> trustManagers;
    private static final KeyStore KEY_STORE;
    private static final String ALGORITHM_PBKDF2_NAME = "PBKDF2WithHmacSHA512";
    private static final QName ALGORITHM_PBKDF2_WITH_HMAC_SHA512_QNAME = new QName(PrismConstants.NS_CRYPTO_ALGORITHM_PBKD, ALGORITHM_PBKDF2_NAME);
    private static final String ALGORITHM_PBKDF2_WITH_HMAC_SHA512_URI = QNameUtil.qNameToUri(ALGORITHM_PBKDF2_WITH_HMAC_SHA512_QNAME);
    private static final char[] KEY_PASSWORD = MidpointConfiguration.ROOT_MIDPOINT_CONFIGURATION.toCharArray();
    private static final String DEFAULT_DIGEST_ALGORITHM = ALGORITHM_PBKDF2_WITH_HMAC_SHA512_URI;
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) KeyStoreBasedProtectorImpl.class);
    private static final Map<String, SecretKey> ALIAS_TO_SECRET_KEY_HASH_MAP = new HashMap();
    private static final Map<String, SecretKey> DIGEST_TO_SECRET_KEY_HASH_MAP = new HashMap();
    private static final Map<String, String> XMLSEC_TO_JCE_ALGORITHM_MAP = new HashMap();

    public KeyStoreBasedProtectorImpl() {
    }

    public KeyStoreBasedProtectorImpl(KeyStoreBasedProtectorBuilder keyStoreBasedProtectorBuilder) {
        setKeyStorePath(keyStoreBasedProtectorBuilder.getKeyStorePath());
        setKeyStorePassword(keyStoreBasedProtectorBuilder.getKeyStorePassword());
        if (keyStoreBasedProtectorBuilder.getEncryptionKeyAlias() != null) {
            setEncryptionKeyAlias(keyStoreBasedProtectorBuilder.getEncryptionKeyAlias());
        }
        setRequestedJceProviderName(keyStoreBasedProtectorBuilder.getRequestedJceProviderName());
        setEncryptionAlgorithm(keyStoreBasedProtectorBuilder.getEncryptionAlgorithm());
        setFixedSalt(keyStoreBasedProtectorBuilder.getFixedSalt());
        this.digestAlgorithm = keyStoreBasedProtectorBuilder.getDigestAlgorithm();
        this.trustManagers = keyStoreBasedProtectorBuilder.getTrustManagers();
    }

    public void init() {
        InputStream resourceAsStream;
        validateConfiguration();
        try {
            File file = new File(getKeyStorePath());
            if (file.exists()) {
                LOGGER.info("Using file keystore at {}", getKeyStorePath());
                if (!file.canRead()) {
                    LOGGER.error("Provided keystore file {} is unreadable.", getKeyStorePath());
                    throw new EncryptionException("Provided keystore file " + getKeyStorePath() + " is unreadable.");
                }
                resourceAsStream = new FileInputStream(file);
            } else {
                LOGGER.warn("Using default keystore from classpath ({}).", getKeyStorePath());
                resourceAsStream = KeyStoreBasedProtectorImpl.class.getClassLoader().getResourceAsStream(getKeyStorePath());
                if (resourceAsStream == null) {
                    resourceAsStream = KeyStoreBasedProtectorImpl.class.getClassLoader().getResourceAsStream("com/../../" + getKeyStorePath());
                }
            }
            if (resourceAsStream == null) {
                throw new EncryptionException("Couldn't load keystore as resource '" + getKeyStorePath() + "'");
            }
            KEY_STORE.load(resourceAsStream, getKeyStorePassword().toCharArray());
            Enumeration<String> aliases = KEY_STORE.aliases();
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(KEY_DIGEST_TYPE);
                while (aliases.hasMoreElements()) {
                    String nextElement = aliases.nextElement();
                    try {
                    } catch (UnrecoverableKeyException e) {
                        LOGGER.trace("Couldn't recover key {} from keystore, reason: {}", nextElement, e.getMessage());
                    }
                    if (KEY_STORE.isKeyEntry(nextElement)) {
                        Key key = KEY_STORE.getKey(nextElement, KEY_PASSWORD);
                        if (key instanceof SecretKey) {
                            SecretKey secretKey = (SecretKey) key;
                            LOGGER.trace("Found secret key for alias {}", nextElement);
                            ALIAS_TO_SECRET_KEY_HASH_MAP.put(nextElement, secretKey);
                            String encodeBase64String = Base64.encodeBase64String(messageDigest.digest(key.getEncoded()));
                            LOGGER.trace("Calculated digest {} for key alias {}", encodeBase64String, key);
                            DIGEST_TO_SECRET_KEY_HASH_MAP.put(encodeBase64String, secretKey);
                        }
                    } else {
                        LOGGER.trace("Alias {} is not a key entry and shall be skipped", nextElement);
                    }
                }
                LOGGER.trace("Found {} aliases in keystore identified as secret keys", Integer.valueOf(ALIAS_TO_SECRET_KEY_HASH_MAP.size()));
                resourceAsStream.close();
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(KEY_STORE);
                this.trustManagers = new ArrayList();
                this.trustManagers.addAll(Arrays.asList(trustManagerFactory.getTrustManagers()));
                this.randomNumberGenerator = new SecureRandom();
            } catch (NoSuchAlgorithmException e2) {
                throw new EncryptionException(e2.getMessage(), e2);
            }
        } catch (Exception e3) {
            LOGGER.error("Unable to work with keystore {}, reason {}.", new Object[]{getKeyStorePath(), e3.getMessage()}, e3);
            throw new SystemException(e3.getMessage(), e3);
        }
    }

    public String getRequestedJceProviderName() {
        return this.requestedJceProviderName;
    }

    public void setRequestedJceProviderName(String str) {
        this.requestedJceProviderName = str;
    }

    public String getEncryptionAlgorithm() {
        return this.encryptionAlgorithm;
    }

    public void setEncryptionAlgorithm(String str) {
        this.encryptionAlgorithm = str;
    }

    private String getCipherAlgorithm() {
        return this.encryptionAlgorithm != null ? this.encryptionAlgorithm : "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
    }

    private String getDigestAlgorithm() {
        return this.digestAlgorithm != null ? this.digestAlgorithm : DEFAULT_DIGEST_ALGORITHM;
    }

    private int getPbkdKeyLength() {
        return 256;
    }

    private int getPbkdIterations() {
        return 10000;
    }

    private int getPbkdSaltLength() {
        return 32;
    }

    private void validateConfiguration() {
        Validate.notEmpty(this.encryptionKeyAlias, "Encryption key alias must not be null or empty.", new Object[0]);
        Validate.notNull(this.keyStorePassword, "Keystore password must not be null.", new Object[0]);
        Validate.notEmpty(this.keyStorePath, "Key store path must not be null.", new Object[0]);
    }

    private String getEncryptionKeyAlias() {
        return this.encryptionKeyAlias;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.evolveum.midpoint.prism.impl.crypto.BaseProtector
    public <T> byte[] decryptBytes(ProtectedData<T> protectedData) throws SchemaException, EncryptionException {
        EncryptedDataType encryptedDataType = protectedData.getEncryptedDataType();
        EncryptionMethodType encryptionMethod = encryptedDataType.getEncryptionMethod();
        if (encryptionMethod == null) {
            throw new SchemaException("No encryptionMethod element in protected data");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        if (StringUtils.isBlank(algorithm)) {
            throw new SchemaException("No algorithm URI in encryptionMethod element in protected data");
        }
        KeyInfoType keyInfo = encryptedDataType.getKeyInfo();
        if (keyInfo == null) {
            throw new SchemaException("No keyInfo element in protected data");
        }
        String keyName = keyInfo.getKeyName();
        if (StringUtils.isBlank(keyName)) {
            throw new SchemaException("No keyName defined in keyInfo element in protected data");
        }
        SecretKey secretKeyByDigest = getSecretKeyByDigest(keyName);
        CipherDataType cipherData = encryptedDataType.getCipherData();
        if (cipherData == null) {
            throw new SchemaException("No cipherData element in protected data");
        }
        byte[] cipherValue = cipherData.getCipherValue();
        if (cipherValue == null || cipherValue.length == 0) {
            throw new SchemaException("No cipherValue in cipherData element in protected data");
        }
        try {
            return decryptBytes(cipherValue, algorithm, secretKeyByDigest);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e.getMessage(), e);
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public <T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException {
        if (protectedData.isExternal()) {
            protectedData.destroyCleartext();
            return;
        }
        if (protectedData.isEncrypted()) {
            throw new IllegalArgumentException("Attempt to encrypt protected data that are already encrypted");
        }
        SecretKey secretKeyByAlias = getSecretKeyByAlias(getEncryptionKeyAlias());
        String cipherAlgorithm = getCipherAlgorithm();
        try {
            byte[] encryptBytes = encryptBytes(protectedData.getClearBytes(), cipherAlgorithm, secretKeyByAlias);
            EncryptedDataType encryptedDataType = new EncryptedDataType();
            EncryptionMethodType encryptionMethodType = new EncryptionMethodType();
            encryptionMethodType.setAlgorithm(cipherAlgorithm);
            encryptedDataType.setEncryptionMethod(encryptionMethodType);
            KeyInfoType keyInfoType = new KeyInfoType();
            keyInfoType.setKeyName(getSecretKeyDigest(secretKeyByAlias));
            encryptedDataType.setKeyInfo(keyInfoType);
            CipherDataType cipherDataType = new CipherDataType();
            cipherDataType.setCipherValue(encryptBytes);
            encryptedDataType.setCipherData(cipherDataType);
            protectedData.setEncryptedData(encryptedDataType);
            protectedData.destroyCleartext();
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e.getMessage(), e);
        }
    }

    private byte[] encryptBytes(byte[] bArr, String str, Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = getCipher(1, str);
        cipher.init(1, key);
        byte[] doFinal = cipher.doFinal(bArr);
        byte[] iv = cipher.getIV();
        byte[] bArr2 = new byte[iv.length + doFinal.length];
        System.arraycopy(iv, 0, bArr2, 0, iv.length);
        System.arraycopy(doFinal, 0, bArr2, iv.length, doFinal.length);
        return bArr2;
    }

    private byte[] decryptBytes(byte[] bArr, String str, Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
        Cipher cipher = getCipher(2, str);
        int blockSize = cipher.getBlockSize();
        byte[] bArr2 = new byte[blockSize];
        System.arraycopy(bArr, 0, bArr2, 0, blockSize);
        cipher.init(2, key, new IvParameterSpec(bArr2));
        return cipher.doFinal(bArr, blockSize, bArr.length - blockSize);
    }

    private Cipher getCipher(int i, String str) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
        String str2 = XMLSEC_TO_JCE_ALGORITHM_MAP.get(str);
        Cipher cipher = this.requestedJceProviderName == null ? Cipher.getInstance(str2) : Cipher.getInstance(str2, this.requestedJceProviderName);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("{} data by JCE algorithm {} (URI {}), cipher {}, provider {}", i == 1 ? "Encrypting" : i == 2 ? "Decrypting" : "Ciphering (mode " + i + ")", str2, str, cipher.getAlgorithm(), cipher.getProvider().getName());
        }
        return cipher;
    }

    @Override // com.evolveum.midpoint.prism.crypto.KeyStoreBasedProtector
    @Deprecated
    public String getSecretKeyDigest(SecretKey secretKey) throws EncryptionException {
        for (Map.Entry<String, SecretKey> entry : DIGEST_TO_SECRET_KEY_HASH_MAP.entrySet()) {
            if (entry.getValue().equals(secretKey)) {
                return entry.getKey();
            }
        }
        throw new EncryptionException("Could not find hash for secret key algorithm " + secretKey.getAlgorithm() + ". Hash values for keys must be recomputed during initialization");
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public List<TrustManager> getTrustManagers() {
        return this.trustManagers;
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public KeyStore getKeyStore() {
        return KEY_STORE;
    }

    public void setEncryptionKeyAlias(String str) {
        this.encryptionKeyAlias = str;
    }

    public void setKeyStorePassword(String str) {
        this.keyStorePassword = str;
    }

    private String getKeyStorePassword() {
        return this.keyStorePassword;
    }

    public void setKeyStorePath(String str) {
        this.keyStorePath = str;
    }

    @Override // com.evolveum.midpoint.prism.crypto.KeyStoreBasedProtector
    public String getKeyStorePath() {
        return this.keyStorePath;
    }

    public void setFixedSalt(String str) {
        this.fixedSalt = str;
    }

    private String getFixedSalt() {
        return this.fixedSalt;
    }

    private SecretKey getSecretKeyByAlias(String str) throws EncryptionException {
        if (str == null || str.isEmpty()) {
            throw new EncryptionException("Key alias must be specified and cannot be blank.");
        }
        if (ALIAS_TO_SECRET_KEY_HASH_MAP.containsKey(str)) {
            return ALIAS_TO_SECRET_KEY_HASH_MAP.get(str);
        }
        throw new EncryptionException("No key mapped to alias " + str + " could be found in the keystore. Keys by aliases must be recomputed during initialization");
    }

    private SecretKey getSecretKeyByDigest(String str) throws EncryptionException {
        if (str == null || str.isEmpty()) {
            throw new EncryptionException("Key digest must be specified and cannot be blank.");
        }
        if (DIGEST_TO_SECRET_KEY_HASH_MAP.containsKey(str)) {
            return DIGEST_TO_SECRET_KEY_HASH_MAP.get(str);
        }
        throw new EncryptionException("No key mapped to key digest " + str + " could be found in the keystore. Keys digests must be recomputed during initialization");
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public <T> void hash(ProtectedData<T> protectedData) throws EncryptionException, SchemaException {
        if (protectedData.isHashed()) {
            throw new IllegalArgumentException("Attempt to hash protected data that are already hashed");
        }
        String digestAlgorithm = getDigestAlgorithm();
        QName uriToQName = QNameUtil.uriToQName(digestAlgorithm);
        String namespaceURI = uriToQName.getNamespaceURI();
        if (namespaceURI == null) {
            throw new SchemaException("No algorithm namespace");
        }
        if (!PrismConstants.NS_CRYPTO_ALGORITHM_PBKD.equals(namespaceURI)) {
            throw new SchemaException("Unknown namespace " + namespaceURI);
        }
        if (!protectedData.canSupportType(String.class)) {
            throw new SchemaException("Non-string protected data");
        }
        protectedData.setHashedData(hashPbkd(protectedData, digestAlgorithm, uriToQName.getLocalPart()));
        protectedData.destroyCleartext();
        protectedData.setEncryptedData(null);
    }

    private HashedDataType hashPbkd(ProtectedData<String> protectedData, String str, String str2) throws EncryptionException {
        char[] clearChars = getClearChars(protectedData);
        byte[] bytes = getFixedSalt() != null ? getFixedSalt().getBytes() : generatePbkdSalt();
        int pbkdIterations = getPbkdIterations();
        try {
            try {
                byte[] encoded = SecretKeyFactory.getInstance(str2).generateSecret(new PBEKeySpec(clearChars, bytes, pbkdIterations, getPbkdKeyLength())).getEncoded();
                HashedDataType hashedDataType = new HashedDataType();
                DigestMethodType digestMethodType = new DigestMethodType();
                digestMethodType.setAlgorithm(str);
                digestMethodType.setSalt(bytes);
                digestMethodType.setWorkFactor(Integer.valueOf(pbkdIterations));
                hashedDataType.setDigestMethod(digestMethodType);
                hashedDataType.setDigestValue(encoded);
                return hashedDataType;
            } catch (InvalidKeySpecException e) {
                throw new EncryptionException(e.getMessage(), e);
            }
        } catch (NoSuchAlgorithmException e2) {
            throw new EncryptionException(e2.getMessage(), e2);
        }
    }

    private char[] getClearChars(ProtectedData<String> protectedData) throws EncryptionException {
        if (protectedData.isEncrypted()) {
            return decryptString(protectedData).toCharArray();
        }
        if (protectedData.isExternal()) {
            throw new EncryptionException("This protector implementation can't resolve external data");
        }
        return protectedData.getClearValue().toCharArray();
    }

    private byte[] generatePbkdSalt() {
        byte[] bArr = new byte[getPbkdSaltLength() / 8];
        this.randomNumberGenerator.nextBytes(bArr);
        return bArr;
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public boolean compareCleartext(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) throws EncryptionException, SchemaException {
        ProtectedStringType protectedStringType3;
        String decryptString;
        if (protectedStringType == protectedStringType2) {
            return true;
        }
        if (protectedStringType == null || protectedStringType2 == null) {
            return false;
        }
        if (protectedStringType.isHashed() && protectedStringType2.isHashed()) {
            throw new SchemaException("Cannot compare two hashed protected strings");
        }
        if (!protectedStringType.isHashed() && !protectedStringType2.isHashed()) {
            return compareEncryptedCleartext(protectedStringType, protectedStringType2);
        }
        if (protectedStringType.isHashed()) {
            protectedStringType3 = protectedStringType;
            decryptString = decryptString(protectedStringType2);
        } else {
            protectedStringType3 = protectedStringType2;
            decryptString = decryptString(protectedStringType);
        }
        if (decryptString == null) {
            return false;
        }
        return compareHashed(protectedStringType3, decryptString.toCharArray());
    }

    private boolean compareEncryptedCleartext(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) throws EncryptionException {
        String decryptString = decryptString(protectedStringType);
        String decryptString2 = decryptString(protectedStringType2);
        if (decryptString == null && decryptString2 == null) {
            return true;
        }
        if (decryptString == null || decryptString2 == null) {
            return false;
        }
        return decryptString.equals(decryptString2);
    }

    private boolean compareHashed(ProtectedStringType protectedStringType, char[] cArr) throws SchemaException, EncryptionException {
        HashedDataType hashedDataType = protectedStringType.getHashedDataType();
        DigestMethodType digestMethod = hashedDataType.getDigestMethod();
        if (digestMethod == null) {
            throw new SchemaException("No digest type");
        }
        QName uriToQName = QNameUtil.uriToQName(digestMethod.getAlgorithm());
        String namespaceURI = uriToQName.getNamespaceURI();
        if (namespaceURI == null) {
            throw new SchemaException("No algorithm namespace");
        }
        if (PrismConstants.NS_CRYPTO_ALGORITHM_PBKD.equals(namespaceURI)) {
            return compareHashedPbkd(hashedDataType, uriToQName.getLocalPart(), cArr);
        }
        throw new SchemaException("Unknown namespace " + namespaceURI);
    }

    private boolean compareHashedPbkd(HashedDataType hashedDataType, String str, char[] cArr) throws EncryptionException {
        DigestMethodType digestMethod = hashedDataType.getDigestMethod();
        byte[] salt = digestMethod.getSalt();
        Integer workFactor = digestMethod.getWorkFactor();
        byte[] digestValue = hashedDataType.getDigestValue();
        try {
            try {
                return Arrays.equals(digestValue, SecretKeyFactory.getInstance(str).generateSecret(new PBEKeySpec(cArr, salt, workFactor.intValue(), digestValue.length * 8)).getEncoded());
            } catch (InvalidKeySpecException e) {
                throw new EncryptionException(e.getMessage(), e);
            }
        } catch (NoSuchAlgorithmException e2) {
            throw new EncryptionException(e2.getMessage(), e2);
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public boolean areEquivalent(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) {
        if (protectedStringType == protectedStringType2) {
            return true;
        }
        if (protectedStringType == null || protectedStringType2 == null) {
            return false;
        }
        if (protectedStringType.isHashed()) {
            if (protectedStringType2.isHashed()) {
                return areEquivalentHashed(protectedStringType, protectedStringType2);
            }
            return false;
        }
        if (protectedStringType.isEncrypted()) {
            if (protectedStringType2.isEncrypted()) {
                return areEquivalentEncrypted(protectedStringType, protectedStringType2);
            }
            return false;
        }
        if (!protectedStringType.isExternal()) {
            return Objects.equals(protectedStringType.getClearValue(), protectedStringType2.getClearValue());
        }
        if (protectedStringType2.isExternal()) {
            return areEquivalentExternal(protectedStringType, protectedStringType2);
        }
        return false;
    }

    private boolean areEquivalentHashed(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) {
        return Objects.equals(protectedStringType.getHashedDataType(), protectedStringType2.getHashedDataType());
    }

    private boolean areEquivalentExternal(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) {
        return Objects.equals(protectedStringType.getExternalData(), protectedStringType2.getExternalData());
    }

    private boolean areEquivalentEncrypted(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) {
        EncryptedDataType encryptedDataType = protectedStringType.getEncryptedDataType();
        EncryptedDataType encryptedDataType2 = protectedStringType2.getEncryptedDataType();
        if (!Objects.equals(encryptedDataType.getEncryptionMethod(), encryptedDataType2.getEncryptionMethod()) || !Objects.equals(encryptedDataType.getKeyInfo(), encryptedDataType2.getKeyInfo())) {
            return false;
        }
        if (Objects.equals(encryptedDataType.getCipherData(), encryptedDataType2.getCipherData())) {
            return true;
        }
        try {
            return compareEncryptedCleartext(protectedStringType, protectedStringType2);
        } catch (EncryptionException e) {
            LOGGER.warn("Cannot decrypt a value for comparison: " + e.getMessage(), (Throwable) e);
            return false;
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public boolean isEncryptedByCurrentKey(@NotNull EncryptedDataType encryptedDataType) throws EncryptionException {
        String keyName = encryptedDataType.getKeyInfo().getKeyName();
        if (keyName == null) {
            throw new IllegalStateException("No key name in encrypted data: " + String.valueOf(encryptedDataType));
        }
        return getSecretKeyByAlias(getEncryptionKeyAlias()).equals(getSecretKeyByDigest(keyName));
    }

    static {
        try {
            KEY_STORE = KeyStore.getInstance("jceks");
            XMLSEC_TO_JCE_ALGORITHM_MAP.put("http://www.w3.org/2001/04/xmlenc#aes128-cbc", "AES/CBC/ISO10126Padding");
            XMLSEC_TO_JCE_ALGORITHM_MAP.put("http://www.w3.org/2001/04/xmlenc#aes256-cbc", "AES/CBC/ISO10126Padding");
        } catch (KeyStoreException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }
}
