package com.evolveum.midpoint.common.crypto;

import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.Itemable;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismPropertyValue;
import com.evolveum.midpoint.prism.Visitable;
import com.evolveum.midpoint.prism.Visitor;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
import com.evolveum.midpoint.util.exception.TunnelException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.MailServerConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NotificationConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SmsConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SmsGatewayConfigurationType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.ibm.icu.text.PluralRules;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import java.util.Collection;
import java.util.Iterator;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.xml.namespace.QName;
import org.opensaml.security.crypto.JCAConstants;

/* loaded from: input_file:com/evolveum/midpoint/common/crypto/CryptoUtil.class */
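/**
 * Helpers for making sure that secrets carried inside prism objects and deltas
 * ({@link ProtectedStringType} values, plus the mail/SMS passwords nested inside a
 * {@link NotificationConfigurationType}) are encrypted before they leave the system,
 * and a JCA self-test that confirms the platform can actually run the AES
 * transformation the rest of the code relies on.
 *
 * The decompiled listing this was recovered from had replaced a few string constants
 * with coincidentally-equal constants from ICU (PluralRules.KEYWORD_RULE_SEPARATOR)
 * and OpenSAML (JCAConstants.KEY_ALGO_AES); the literals are restored here so the
 * class does not drag in those libraries, and the anonymous visitors reference the
 * captured {@code protector} parameter (the decompiler emitted a bogus
 * {@code Protector.this}).
 */
public class CryptoUtil {

    private static final Trace LOGGER = TraceManager.getTrace(CryptoUtil.class);

    /** Key algorithm and transformation exercised by {@link #securitySelfTest(OperationResult)}. */
    private static final String SELF_TEST_KEY_ALGORITHM = "AES";
    private static final String SELF_TEST_TRANSFORMATION = "AES/CBC/PKCS5Padding";

    /** Plaintext pushed through the self-test cipher; only equality after decryption matters. */
    private static final String SELF_TEST_PLAINTEXT = "Scurvy seadog";

    /**
     * Fixed 16-byte (one AES block) IV for the self-test round trip. A constant IV is
     * tolerable here only because it is paired with a throw-away key generated inside
     * the test and the ciphertext is discarded immediately. It must never be reused
     * for real encryption — that is the Protector's job, not this class's.
     */
    private static final byte[] DEFAULT_IV_BYTES = {81, 101, 34, 35, 100, 5, 106, -66, 81, 101, 34, 35, 100, 5, 106, -66};

    /** Stateless visitor shared by the checkEncrypted(...) entry points. */
    private static final Visitor CHECK_ENCRYPTED_VISITOR = new Visitor() {
        @Override
        public void visit(Visitable visitable) {
            if (visitable instanceof PrismPropertyValue) {
                checkEncrypted((PrismPropertyValue<?>) visitable);
            }
        }
    };

    /**
     * Encrypts, in place, every protected value reachable from {@code prismObject}.
     *
     * @param protector   the Protector that performs the actual encryption
     * @param prismObject object whose property values are visited
     * @throws EncryptionException if any single value cannot be encrypted; the first failure aborts the walk
     */
    public static <T extends ObjectType> void encryptValues(final Protector protector, PrismObject<T> prismObject) throws EncryptionException {
        try {
            prismObject.accept(encryptingVisitor(protector));
        } catch (TunnelException e) {
            throw unwrapEncryptionException(e);
        }
    }

    /**
     * Encrypts, in place, every protected value carried by {@code objectDelta}.
     *
     * @param protector   the Protector that performs the actual encryption
     * @param objectDelta delta whose property values are visited
     * @throws EncryptionException if any single value cannot be encrypted; the first failure aborts the walk
     */
    public static <T extends ObjectType> void encryptValues(final Protector protector, ObjectDelta<T> objectDelta) throws EncryptionException {
        try {
            objectDelta.accept(encryptingVisitor(protector));
        } catch (TunnelException e) {
            throw unwrapEncryptionException(e);
        }
    }

    /**
     * Builds the visitor used by both encryptValues(...) variants. Visitor.visit cannot
     * declare checked exceptions, so an EncryptionException is tunnelled out and
     * re-thrown by the caller.
     */
    private static Visitor encryptingVisitor(final Protector protector) {
        return new Visitor() {
            @Override
            public void visit(Visitable visitable) {
                if (visitable instanceof PrismPropertyValue) {
                    try {
                        encryptValue(protector, (PrismPropertyValue<?>) visitable);
                    } catch (EncryptionException e) {
                        throw new TunnelException(e);
                    }
                }
            }
        };
    }

    /**
     * Returns the EncryptionException tunnelled by {@link #encryptingVisitor(Protector)}.
     * Anything else wrapped in the TunnelException is not ours and is propagated as-is
     * instead of failing with a ClassCastException.
     */
    private static EncryptionException unwrapEncryptionException(TunnelException e) {
        Throwable cause = e.getCause();
        if (cause instanceof EncryptionException) {
            return (EncryptionException) cause;
        }
        throw e;
    }

    /**
     * Encrypts a single property value if its definition marks it as a
     * {@link ProtectedStringType}, or, for a {@link NotificationConfigurationType},
     * the mail-server and SMS-gateway passwords nested inside it. Values without a
     * parent or without a typed definition are left untouched, because there is no way
     * to tell whether they are secret.
     *
     * @param protector          the Protector that performs the actual encryption
     * @param prismPropertyValue value to inspect and possibly encrypt in place
     * @throws EncryptionException if the Protector fails; the message names the offending field
     */
    public static <T extends ObjectType> void encryptValue(Protector protector, PrismPropertyValue<?> prismPropertyValue) throws EncryptionException {
        Itemable parent = prismPropertyValue.getParent();
        if (parent == null) {
            return;
        }
        ItemDefinition definition = parent.getDefinition();
        if (definition == null || definition.getTypeName() == null) {
            return;
        }
        QName typeName = definition.getTypeName();

        if (ProtectedStringType.COMPLEX_TYPE.equals(typeName)) {
            ProtectedStringType protectedString = (ProtectedStringType) prismPropertyValue.getValue();
            encryptProtectedStringType(protector, protectedString, parent.getElementName().getLocalPart());
            // NOTE(review): the original re-attached the parent after encryption if it had
            // been lost — presumably Protector.encrypt(...) can detach it. Kept as-is.
            if (prismPropertyValue.getParent() == null) {
                prismPropertyValue.setParent(parent);
            }
            return;
        }

        if (NotificationConfigurationType.COMPLEX_TYPE.equals(typeName)) {
            NotificationConfigurationType notificationConfig = (NotificationConfigurationType) prismPropertyValue.getValue();
            if (notificationConfig.getMail() != null) {
                for (MailServerConfigurationType mailServer : notificationConfig.getMail().getServer()) {
                    encryptProtectedStringType(protector, mailServer.getPassword(), "mail server password");
                }
            }
            if (notificationConfig.getSms() != null) {
                for (SmsConfigurationType sms : notificationConfig.getSms()) {
                    for (SmsGatewayConfigurationType gateway : sms.getGateway()) {
                        encryptProtectedStringType(protector, gateway.getPassword(), "sms gateway password");
                    }
                }
            }
        }
    }

    /**
     * Encrypts {@code protectedStringType} in place when it still holds a clear value.
     * A null value, or one that already carries no clear text, is a no-op.
     *
     * @param fieldName human-readable name used only to make the error message actionable
     */
    private static void encryptProtectedStringType(Protector protector, ProtectedStringType protectedStringType, String fieldName) throws EncryptionException {
        if (protectedStringType == null || protectedStringType.getClearValue() == null) {
            return;
        }
        try {
            protector.encrypt(protectedStringType);
        } catch (EncryptionException e) {
            // Name the field, never the value: the clear text must not end up in logs.
            throw new EncryptionException("Failed to encrypt value for field " + fieldName + ": " + e.getMessage(), e);
        }
    }

    /**
     * Asserts that no protected value inside {@code prismObject} still carries clear text.
     *
     * @throws IllegalStateException naming the field and the object if one does
     */
    public static <T extends ObjectType> void checkEncrypted(PrismObject<T> prismObject) {
        try {
            prismObject.accept(CHECK_ENCRYPTED_VISITOR);
        } catch (IllegalStateException e) {
            throw new IllegalStateException(e.getMessage() + " in " + prismObject, e);
        }
    }

    /**
     * Asserts that no protected value inside {@code objectDelta} still carries clear text.
     *
     * @throws IllegalStateException naming the field and the delta if one does
     */
    public static <T extends ObjectType> void checkEncrypted(ObjectDelta<T> objectDelta) {
        try {
            objectDelta.accept(CHECK_ENCRYPTED_VISITOR);
        } catch (IllegalStateException e) {
            throw new IllegalStateException(e.getMessage() + " in delta " + objectDelta, e);
        }
    }

    /**
     * Checks one property value: a {@link ProtectedStringType} must not have a clear
     * value, and the mail/SMS passwords inside a {@link NotificationConfigurationType}
     * must not either. Only the presence of clear text is checked — a value with neither
     * clear nor encrypted data passes. Values without a parent or typed definition are
     * skipped, mirroring {@link #encryptValue(Protector, PrismPropertyValue)}.
     *
     * @throws IllegalStateException if clear text is found
     */
    public static <T extends ObjectType> void checkEncrypted(PrismPropertyValue<?> prismPropertyValue) {
        Itemable parent = prismPropertyValue.getParent();
        if (parent == null) {
            return;
        }
        ItemDefinition definition = parent.getDefinition();
        if (definition == null || definition.getTypeName() == null) {
            return;
        }
        QName typeName = definition.getTypeName();

        if (ProtectedStringType.COMPLEX_TYPE.equals(typeName)) {
            QName elementName = parent.getElementName();
            ProtectedStringType protectedString = (ProtectedStringType) prismPropertyValue.getValue();
            if (protectedString.getClearValue() != null) {
                throw new IllegalStateException("Unencrypted value in field " + elementName);
            }
            return;
        }

        if (NotificationConfigurationType.COMPLEX_TYPE.equals(typeName)) {
            NotificationConfigurationType notificationConfig = (NotificationConfigurationType) prismPropertyValue.getValue();
            if (notificationConfig.getMail() != null) {
                for (MailServerConfigurationType mailServer : notificationConfig.getMail().getServer()) {
                    if (hasClearValue(mailServer.getPassword())) {
                        throw new IllegalStateException("Unencrypted value in mail server config password entry");
                    }
                }
            }
            if (notificationConfig.getSms() != null) {
                for (SmsConfigurationType sms : notificationConfig.getSms()) {
                    for (SmsGatewayConfigurationType gateway : sms.getGateway()) {
                        if (hasClearValue(gateway.getPassword())) {
                            throw new IllegalStateException("Unencrypted value in SMS gateway config password entry");
                        }
                    }
                }
            }
        }
    }

    /** True when {@code password} is present and still holds clear text. */
    private static boolean hasClearValue(ProtectedStringType password) {
        return password != null && password.getClearValue() != null;
    }

    /**
     * Asserts that none of the given item deltas carries an unencrypted protected value.
     *
     * @throws IllegalStateException naming the field and the offending modification
     */
    public static void checkEncrypted(Collection<? extends ItemDelta> collection) {
        for (ItemDelta itemDelta : collection) {
            try {
                itemDelta.accept(CHECK_ENCRYPTED_VISITOR);
            } catch (IllegalStateException e) {
                throw new IllegalStateException(e.getMessage() + " in modification " + itemDelta, e);
            }
        }
    }

    /**
     * Records every installed JCA provider (name, info and its properties, decoded as the
     * UTF-8 XML that Properties.storeToXML writes) into {@code operationResult}, then
     * verifies that AES/CBC/PKCS5Padding works end to end. The first attempt uses the
     * provider's default key size; if that fails (typically a key-size policy restriction),
     * a 128-bit key is tried and, on success, the first failure is downgraded to
     * HANDLED_ERROR so the overall status stays healthy.
     *
     * @param operationResult parent result; a subresult per provider and per algorithm attempt is attached
     */
    public static void securitySelfTest(OperationResult operationResult) {
        OperationResult selfTestResult = operationResult.createSubresult(CryptoUtil.class.getName() + ".securitySelfTest");

        for (Provider provider : Security.getProviders()) {
            String providerName = provider.getName();
            OperationResult providerResult = selfTestResult.createSubresult(
                    CryptoUtil.class.getName() + ".securitySelfTest.provider." + providerName);
            try {
                providerResult.addContext("info", provider.getInfo());
                ByteArrayOutputStream propertiesXml = new ByteArrayOutputStream();
                provider.storeToXML(propertiesXml, "Crypto provider " + providerName);
                // storeToXML always emits UTF-8; do not decode with the platform default charset.
                providerResult.addContext("properties", propertiesXml.toString(StandardCharsets.UTF_8.name()));
                providerResult.recordSuccess();
            } catch (Throwable th) {
                // A broken provider must not abort the self-test of the others.
                LOGGER.error("Security self test (provider properties) failed: {}", th.getMessage(), th);
                providerResult.recordFatalError(th);
            }
        }

        securitySelfTestAlgorithm(SELF_TEST_KEY_ALGORITHM, SELF_TEST_TRANSFORMATION, null, false, selfTestResult);
        OperationResult defaultKeySizeResult = selfTestResult.getLastSubresult();
        if (defaultKeySizeResult.isError()) {
            securitySelfTestAlgorithm(SELF_TEST_KEY_ALGORITHM, SELF_TEST_TRANSFORMATION, 128, true, selfTestResult);
            if (selfTestResult.getLastSubresult().isSuccess()) {
                defaultKeySizeResult.setStatus(OperationResultStatus.HANDLED_ERROR);
            }
        }
        selfTestResult.computeStatus();
    }

    /**
     * Generates a throw-away key for {@code keyAlgorithm}, encrypts a fixed plaintext with
     * {@code transformation} under {@link #DEFAULT_IV_BYTES}, decrypts it again and records
     * the outcome plus provider/key details in a subresult of {@code parentResult}.
     *
     * @param keyAlgorithm   JCA key-generator algorithm, e.g. "AES"
     * @param transformation cipher transformation, e.g. "AES/CBC/PKCS5Padding"
     * @param keySize        key size in bits, or null to accept the generator's default
     * @param critical       when true a failure is recorded as a fatal error, otherwise as a warning
     * @param parentResult   result the per-algorithm subresult is attached to
     */
    private static void securitySelfTestAlgorithm(String keyAlgorithm, String transformation, Integer keySize, boolean critical, OperationResult parentResult) {
        OperationResult algorithmResult = parentResult.createSubresult(
                CryptoUtil.class.getName() + ".securitySelfTest.algorithm." + keyAlgorithm);
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(keyAlgorithm);
            if (keySize != null) {
                keyGenerator.init(keySize.intValue());
            }
            algorithmResult.addReturn("keyGeneratorProvider", keyGenerator.getProvider().getName());
            algorithmResult.addReturn("keyGeneratorAlgorithm", keyGenerator.getAlgorithm());
            algorithmResult.addReturn("keyGeneratorKeySize", keySize);

            SecretKey key = keyGenerator.generateKey();
            algorithmResult.addReturn("keyAlgorithm", key.getAlgorithm());
            algorithmResult.addReturn("keyLength", Integer.valueOf(key.getEncoded().length * 8));
            algorithmResult.addReturn("keyFormat", key.getFormat());
            algorithmResult.recordSuccess();

            IvParameterSpec iv = new IvParameterSpec(DEFAULT_IV_BYTES);
            Cipher encryptor = Cipher.getInstance(transformation);
            algorithmResult.addReturn("cipherAlgorithmName", keyAlgorithm);
            // Key name kept with its historical typo: consumers of the result may look it up by this string.
            algorithmResult.addReturn("cipherTansfromationName", transformation);
            algorithmResult.addReturn("cipherAlgorithm", encryptor.getAlgorithm());
            algorithmResult.addReturn("cipherBlockSize", Integer.valueOf(encryptor.getBlockSize()));
            algorithmResult.addReturn("cipherProvider", encryptor.getProvider().getName());
            algorithmResult.addReturn("cipherMaxAllowedKeyLength", Integer.valueOf(Cipher.getMaxAllowedKeyLength(transformation)));

            encryptor.init(Cipher.ENCRYPT_MODE, key, iv);
            byte[] ciphertext = encryptor.doFinal(SELF_TEST_PLAINTEXT.getBytes(StandardCharsets.UTF_8));

            Cipher decryptor = Cipher.getInstance(transformation);
            decryptor.init(Cipher.DECRYPT_MODE, key, iv);
            String decrypted = new String(decryptor.doFinal(ciphertext), StandardCharsets.UTF_8);

            if (SELF_TEST_PLAINTEXT.equals(decrypted)) {
                algorithmResult.recordSuccess();
                LOGGER.debug("Security self test (algorithmName={}, transformationName={}, keySize={}) success",
                        keyAlgorithm, transformation, keySize);
            } else {
                // Not an exception, so it is not covered by the catch below: report it explicitly.
                LOGGER.error("Security self test (algorithmName={}, transformationName={}, keySize={}) roundtrip mismatch",
                        keyAlgorithm, transformation, keySize);
                algorithmResult.recordFatalError("Encryptor roundtrip failed; encrypted=" + SELF_TEST_PLAINTEXT + ", decrypted=" + decrypted);
            }
        } catch (Throwable th) {
            if (critical) {
                LOGGER.error("Security self test (algorithmName={}, transformationName={}, keySize={}) failed: {}",
                        keyAlgorithm, transformation, keySize, th.getMessage(), th);
                algorithmResult.recordFatalError(th);
            } else {
                LOGGER.warn("Security self test (algorithmName={}, transformationName={}, keySize={}) failed: {} (failure is expected in some cases)",
                        keyAlgorithm, transformation, keySize, th.getMessage(), th);
                algorithmResult.recordWarning(th);
            }
        }
    }
}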
