package com.evolveum.midpoint.prism.crypto;

import com.evolveum.midpoint.schema.constants.MidPointConstants;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SystemException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.prism.xml.ns._public.types_3.CipherDataType;
import com.evolveum.prism.xml.ns._public.types_3.EncryptedDataType;
import com.evolveum.prism.xml.ns._public.types_3.EncryptionMethodType;
import com.evolveum.prism.xml.ns._public.types_3.KeyInfoType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import net.sf.json.util.JSONUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.Validate;
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.utils.Base64;

/* loaded from: input_file:WEB-INF/lib/prism-3.3.2-SNAPSHOT.jar:com/evolveum/midpoint/prism/crypto/AESProtector.class */
public class AESProtector extends BaseProtector {
    private static final String KEY_DIGEST_TYPE = "SHA1";
    private static final String DEFAULT_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    private static final char[] KEY_PASSWORD = MidPointConstants.FUNCTION_LIBRARY_MIDPOINT_VARIABLE_NAME.toCharArray();
    private static final Trace LOGGER = TraceManager.getTrace(AESProtector.class);
    private String keyStorePath;
    private String keyStorePassword;
    private String encryptionKeyAlias = "default";
    private String requestedJceProviderName = null;
    private String encryptionAlgorithm;
    private List<TrustManager> trustManagers;
    private static final KeyStore keyStore;

    static {
        try {
            keyStore = KeyStore.getInstance("jceks");
        } catch (KeyStoreException e) {
            throw new SystemException(e.getMessage(), e);
        }
    }

    public void init() {
        InputStream resourceAsStream;
        try {
            File file = new File(getKeyStorePath());
            if (file.exists()) {
                LOGGER.info("Using file keystore at {}", getKeyStorePath());
                if (!file.canRead()) {
                    LOGGER.error("Provided keystore file {} is unreadable.", getKeyStorePath());
                    throw new EncryptionException("Provided keystore file " + getKeyStorePath() + " is unreadable.");
                }
                resourceAsStream = new FileInputStream(file);
            } else {
                LOGGER.warn("Using default keystore from classpath ({}).", getKeyStorePath());
                resourceAsStream = AESProtector.class.getClassLoader().getResourceAsStream(getKeyStorePath());
                if (resourceAsStream == null) {
                    resourceAsStream = AESProtector.class.getClassLoader().getResourceAsStream("com/../../" + getKeyStorePath());
                }
            }
            if (resourceAsStream == null) {
                throw new EncryptionException("Couldn't load keystore as resource '" + getKeyStorePath() + JSONUtils.SINGLE_QUOTE);
            }
            keyStore.load(resourceAsStream, getKeyStorePassword().toCharArray());
            resourceAsStream.close();
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            this.trustManagers = new ArrayList();
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                this.trustManagers.add(trustManager);
            }
            Init.init();
        } catch (Exception e) {
            LOGGER.error("Unable to work with keystore {}, reason {}.", new Object[]{getKeyStorePath(), e.getMessage()}, e);
            throw new SystemException(e.getMessage(), e);
        }
    }

    public String getRequestedJceProviderName() {
        return this.requestedJceProviderName;
    }

    public void setRequestedJceProviderName(String str) {
        this.requestedJceProviderName = str;
    }

    public String getEncryptionAlgorithm() {
        return this.encryptionAlgorithm;
    }

    public void setEncryptionAlgorithm(String str) {
        this.encryptionAlgorithm = str;
    }

    private String getCipherAlgorithm() {
        return this.encryptionAlgorithm != null ? this.encryptionAlgorithm : "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    }

    private String getEncryptionKeyAlias() {
        if (StringUtils.isEmpty(this.encryptionKeyAlias)) {
            throw new IllegalStateException("Encryption key alias was not defined (is null or empty).");
        }
        return this.encryptionKeyAlias;
    }

    @Override // com.evolveum.midpoint.prism.crypto.BaseProtector
    protected <T> byte[] decryptBytes(ProtectedData<T> protectedData) throws SchemaException, EncryptionException {
        EncryptedDataType encryptedDataType = protectedData.getEncryptedDataType();
        EncryptionMethodType encryptionMethod = encryptedDataType.getEncryptionMethod();
        if (encryptionMethod == null) {
            throw new SchemaException("No encryptionMethod element in protected data");
        }
        String algorithm = encryptionMethod.getAlgorithm();
        if (StringUtils.isBlank(algorithm)) {
            throw new SchemaException("No algorithm URI in encryptionMethod element in protected data");
        }
        KeyInfoType keyInfo = encryptedDataType.getKeyInfo();
        if (keyInfo == null) {
            throw new SchemaException("No keyInfo element in protected data");
        }
        String keyName = keyInfo.getKeyName();
        if (StringUtils.isBlank(keyName)) {
            throw new SchemaException("No keyName defined in keyInfo element in protected data");
        }
        SecretKey secretKeyByDigest = getSecretKeyByDigest(keyName);
        CipherDataType cipherData = encryptedDataType.getCipherData();
        if (cipherData == null) {
            throw new SchemaException("No cipherData element in protected data");
        }
        byte[] cipherValue = cipherData.getCipherValue();
        if (cipherValue == null || cipherValue.length == 0) {
            throw new SchemaException("No cipherValue in cipherData element in protected data");
        }
        try {
            return decryptBytes(cipherValue, algorithm, secretKeyByDigest);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e.getMessage(), e);
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public <T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException {
        if (protectedData.isEncrypted()) {
            throw new IllegalArgumentException("Attempt to encrypt protected data that are already encrypted");
        }
        SecretKey secretKeyByAlias = getSecretKeyByAlias(getEncryptionKeyAlias());
        String cipherAlgorithm = getCipherAlgorithm();
        try {
            byte[] encryptBytes = encryptBytes(protectedData.getClearBytes(), cipherAlgorithm, secretKeyByAlias);
            EncryptedDataType encryptedDataType = new EncryptedDataType();
            EncryptionMethodType encryptionMethodType = new EncryptionMethodType();
            encryptionMethodType.setAlgorithm(cipherAlgorithm);
            encryptedDataType.setEncryptionMethod(encryptionMethodType);
            KeyInfoType keyInfoType = new KeyInfoType();
            keyInfoType.setKeyName(getSecretKeyDigest(secretKeyByAlias));
            encryptedDataType.setKeyInfo(keyInfoType);
            CipherDataType cipherDataType = new CipherDataType();
            cipherDataType.setCipherValue(encryptBytes);
            encryptedDataType.setCipherData(cipherDataType);
            protectedData.setEncryptedData(encryptedDataType);
            protectedData.destroyCleartext();
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new EncryptionException(e.getMessage(), e);
        }
    }

    private byte[] encryptBytes(byte[] bArr, String str, Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
        Cipher cipher = getCipher(1, str);
        cipher.init(1, key);
        byte[] doFinal = cipher.doFinal(bArr);
        byte[] iv = cipher.getIV();
        byte[] bArr2 = new byte[iv.length + doFinal.length];
        System.arraycopy(iv, 0, bArr2, 0, iv.length);
        System.arraycopy(doFinal, 0, bArr2, iv.length, doFinal.length);
        return bArr2;
    }

    private byte[] decryptBytes(byte[] bArr, String str, Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException {
        Cipher cipher = getCipher(2, str);
        int blockSize = cipher.getBlockSize();
        byte[] bArr2 = new byte[blockSize];
        System.arraycopy(bArr, 0, bArr2, 0, blockSize);
        cipher.init(2, key, new IvParameterSpec(bArr2));
        return cipher.doFinal(bArr, blockSize, bArr.length - blockSize);
    }

    private Cipher getCipher(int i, String str) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException, InvalidKeyException, InvalidAlgorithmParameterException {
        String translateURItoJCEID = JCEMapper.translateURItoJCEID(str);
        Cipher cipher = this.requestedJceProviderName == null ? Cipher.getInstance(translateURItoJCEID) : Cipher.getInstance(translateURItoJCEID, this.requestedJceProviderName);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("{} data by JCE algorithm {} (URI {}), cipher {}, provider {}", i == 1 ? "Encrypting" : i == 2 ? "Decrypting" : "Ciphering (mode " + i + ")", translateURItoJCEID, str, cipher.getAlgorithm(), cipher.getProvider().getName());
        }
        return cipher;
    }

    public String getSecretKeyDigest(SecretKey secretKey) throws EncryptionException {
        try {
            return Base64.encode(MessageDigest.getInstance(KEY_DIGEST_TYPE).digest(secretKey.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new EncryptionException(e.getMessage(), e);
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public List<TrustManager> getTrustManagers() {
        return this.trustManagers;
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public KeyStore getKeyStore() {
        return keyStore;
    }

    public void setEncryptionKeyAlias(String str) {
        Validate.notEmpty(str, "Encryption key alias must not be null or empty.");
        this.encryptionKeyAlias = str;
    }

    public void setKeyStorePassword(String str) {
        Validate.notNull(str, "Keystore password must not be null.");
        this.keyStorePassword = str;
    }

    private String getKeyStorePassword() {
        if (this.keyStorePassword == null) {
            throw new IllegalStateException("Keystore password was not defined (null).");
        }
        return this.keyStorePassword;
    }

    public void setKeyStorePath(String str) {
        Validate.notEmpty(str, "Key store path must not be null.");
        this.keyStorePath = str;
    }

    public String getKeyStorePath() {
        if (StringUtils.isEmpty(this.keyStorePath)) {
            throw new IllegalStateException("Keystore path was not defined (is null or empty).");
        }
        return this.keyStorePath;
    }

    private SecretKey getSecretKeyByAlias(String str) throws EncryptionException {
        try {
            Key key = keyStore.getKey(str, KEY_PASSWORD);
            if (key == null || !(key instanceof SecretKey)) {
                throw new EncryptionException("Key with alias '" + str + "' is not instance of SecretKey, but '" + key + "'.");
            }
            return (SecretKey) key;
        } catch (Exception e) {
            throw new EncryptionException("Couldn't obtain key '" + str + "' from keystore, reason: " + e.getMessage(), e);
        }
    }

    private SecretKey getSecretKeyByDigest(String str) throws EncryptionException {
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                if (keyStore.isKeyEntry(nextElement)) {
                    try {
                        Key key = keyStore.getKey(nextElement, KEY_PASSWORD);
                        if ((key instanceof SecretKey) && str.equals(getSecretKeyDigest((SecretKey) key))) {
                            return (SecretKey) key;
                        }
                    } catch (UnrecoverableKeyException e) {
                        LOGGER.trace("Couldn't recover key {} from keystore, reason: {}", nextElement, e.getMessage());
                    }
                }
            }
            throw new EncryptionException("Key '" + str + "' is not in keystore.");
        } catch (Exception e2) {
            throw new EncryptionException(e2.getMessage(), e2);
        }
    }

    @Override // com.evolveum.midpoint.prism.crypto.Protector
    public boolean compare(ProtectedStringType protectedStringType, ProtectedStringType protectedStringType2) throws EncryptionException {
        if (protectedStringType == null && protectedStringType2 == null) {
            return true;
        }
        if (protectedStringType == null || protectedStringType2 == null) {
            return false;
        }
        String decryptString = decryptString(protectedStringType);
        String decryptString2 = decryptString(protectedStringType2);
        if (decryptString == null && decryptString2 == null) {
            return true;
        }
        if (decryptString == null || decryptString2 == null) {
            return false;
        }
        return decryptString.equals(decryptString2);
    }
}
