package org.wildfly.security.credential.store.impl;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.text.Normalizer;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.asn1.ASN1;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.CredentialStoreSpi;
import org.wildfly.security.credential.store.UnsupportedCredentialTypeException;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.ByteStringBuilder;

/* loaded from: input_file:org/wildfly/security/credential/store/impl/KeystorePasswordStore.class */
public class KeystorePasswordStore extends CredentialStoreSpi {
    public static final String KEY_STORE_PASSWORD_STORE = "KeyStorePasswordStore";
    public static final String NAME = "store.name";
    public static final String STORE_FILE = "store.file";
    public static final String STORE_PASSWORD = "store.password";
    public static final String MODIFIABLE = "store.modifiable";
    public static final String STORE_BASE = "store.base";
    public static final String CREATE_STORAGE = "create.storage";
    public static final String KEY_ALIAS = "key.alias";
    public static final String KEY_PASSWORD = "key.password";
    public static final String KEY_SIZE = "key.size";
    public static final String CRYPTO_ALGORITHM = "crypto.algorithm";
    public static final String RELOADABLE = "reloadable";
    public static final String DEFAULT_ADMIN_KEY_ALIAS = "ELY_ADMIN_KEY";
    private static final String KEYSTORE_TYPE = "JCEKS";
    private static final char[] EMPTY_PASSWORD = new char[0];
    private static final Set<String> supportedConfigurationAttributes;
    private String storeName;
    private boolean reloadable = false;
    private boolean modifiable = false;
    private File storeFile = null;
    private String storeBase = "";
    private char[] storagePassword = null;
    private String adminKeyAlias = null;
    private SecretKey adminKey = null;
    private int keySize = ASN1.CONTEXT_SPECIFIC_MASK;
    private String cryptographicAlgorithm = "AES";
    private boolean createStorage = false;
    private KeyStore.ProtectionParameter adminKeyProtectionParam = null;
    private final ConcurrentHashMap<String, Entry> storage = new ConcurrentHashMap<>();

    /* loaded from: input_file:org/wildfly/security/credential/store/impl/KeystorePasswordStore$Entry.class */
    public static class Entry implements Serializable {
        private static final int DEFAULT_VERSION = 1;
        private static final long serialVersionUID = -2347975176295725217L;
        private int version;
        private String className;
        private byte[] payload;

        public Entry(String str, byte[] bArr) {
            this(1, str, bArr);
        }

        public Entry(int i, String str, byte[] bArr) {
            this.version = i;
            this.className = str;
            this.payload = bArr;
        }

        public int getVersion() {
            return this.version;
        }

        public String getClassName() {
            return this.className;
        }

        public byte[] getPayload() {
            return this.payload;
        }

        public static byte[] serializeEntry(Entry entry) {
            byte[] bytes = entry.getClassName().getBytes(StandardCharsets.UTF_8);
            ByteStringBuilder byteStringBuilder = new ByteStringBuilder();
            byteStringBuilder.appendBE(entry.getVersion());
            byteStringBuilder.appendBE(bytes.length);
            byteStringBuilder.append(bytes);
            byteStringBuilder.append(entry.getPayload());
            return byteStringBuilder.toArray();
        }

        public static Entry deserializeEntry(byte[] bArr) {
            ByteIterator ofBytes = ByteIterator.ofBytes(bArr);
            return new Entry(ofBytes.getBE32(), ofBytes.drainToUtf8(ofBytes.getBE32()), ofBytes.drain());
        }
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public void initialize(Map<String, String> map) throws CredentialStoreException {
        this.storeName = map.getOrDefault(NAME, "myStore");
        checkValidConfigurationAttributes(map.keySet());
        this.storeBase = map.get(STORE_BASE);
        this.storeFile = resolveFile(map.get(STORE_FILE), this.storeName);
        String str = map.get(STORE_PASSWORD);
        if (str != null) {
            this.storagePassword = convertPassword(loadPassword(str, STORE_PASSWORD, map));
        }
        this.adminKeyAlias = map.get(KEY_ALIAS);
        if (this.adminKeyAlias == null) {
            this.adminKeyAlias = DEFAULT_ADMIN_KEY_ALIAS;
        }
        if (map.get(KEY_SIZE) != null) {
            this.keySize = Integer.parseInt(map.get(KEY_SIZE));
        }
        if (map.get(CRYPTO_ALGORITHM) != null) {
            this.cryptographicAlgorithm = map.get(CRYPTO_ALGORITHM);
        }
        if (map.get(MODIFIABLE) != null) {
            this.modifiable = Boolean.parseBoolean(map.get(MODIFIABLE));
        }
        if (map.get(CREATE_STORAGE) != null) {
            this.createStorage = Boolean.parseBoolean(map.get(CREATE_STORAGE));
        }
        String str2 = map.get(KEY_PASSWORD);
        if (str2 != null) {
            char[] convertPassword = convertPassword(loadPassword(str2, KEY_PASSWORD, map));
            this.adminKeyProtectionParam = new KeyStore.PasswordProtection(convertPassword);
            destroyPassword(convertPassword);
        } else {
            this.adminKeyProtectionParam = new KeyStore.PasswordProtection(this.storagePassword);
        }
        readKeyStore();
        this.initialized = true;
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public boolean isModifiable() {
        return this.modifiable;
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public <C extends Credential> boolean exists(String str, Class<C> cls) throws CredentialStoreException, UnsupportedCredentialTypeException {
        if (cls.isAssignableFrom(PasswordCredential.class)) {
            return this.storage.get(str) != null;
        }
        throw new UnsupportedCredentialTypeException(resolveCredentialClassName(cls));
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public <C extends Credential> void store(String str, C c) throws CredentialStoreException, UnsupportedCredentialTypeException {
        if (!isInitialized()) {
            ElytronMessages.log.credentialStoreNotInitialized(this.storeName);
        }
        if (this.reloadable) {
            throw ElytronMessages.log.reloadablecredentialStoreIsReadOnly(this.storeName);
        }
        if (!(c instanceof PasswordCredential)) {
            throw new UnsupportedCredentialTypeException(resolveCredentialClassName(c.getClass()));
        }
        try {
            this.storage.put(str, new Entry(resolveCredentialClassName(c.getClass()), encryptEntry((PasswordCredential) c)));
            storeToFile();
        } catch (GeneralSecurityException e) {
            throw new CredentialStoreException(e);
        }
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public <C extends Credential> C retrieve(String str, Class<C> cls) throws CredentialStoreException, UnsupportedCredentialTypeException {
        if (!cls.isAssignableFrom(PasswordCredential.class)) {
            throw new UnsupportedCredentialTypeException(resolveCredentialClassName(cls));
        }
        Entry entry = this.storage.get(str);
        if (entry == null) {
            throw ElytronMessages.log.credentialAliasNotFoundNotFound(str, this.storeName);
        }
        byte[] payload = entry.getPayload();
        if (payload == null) {
            throw ElytronMessages.log.credentialAliasNotFoundNotFound(str, this.storeName);
        }
        try {
            return cls.cast(decryptEntry(payload));
        } catch (GeneralSecurityException e) {
            throw new CredentialStoreException(e);
        }
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public <C extends Credential> void remove(String str, Class<C> cls) throws CredentialStoreException, UnsupportedCredentialTypeException {
        if (!cls.isAssignableFrom(PasswordCredential.class)) {
            throw new UnsupportedCredentialTypeException(resolveCredentialClassName(cls));
        }
        if (this.storage.get(str) != null) {
            if (this.reloadable) {
                throw ElytronMessages.log.reloadablecredentialStoreIsReadOnly(this.storeName);
            }
            this.storage.remove(str);
            storeToFile();
        }
    }

    @Override // org.wildfly.security.credential.store.CredentialStoreSpi
    public Set<String> getAliases() throws UnsupportedOperationException, CredentialStoreException {
        return Collections.unmodifiableSet(this.storage.keySet());
    }

    private <C extends Credential> String resolveCredentialClassName(Class<C> cls) throws UnsupportedCredentialTypeException {
        return cls.getName();
    }

    private synchronized void storeToFile() throws CredentialStoreException, UnsupportedCredentialTypeException {
        boolean z = false;
        if (this.createStorage && !this.storeFile.exists()) {
            try {
                this.storeFile.createNewFile();
                z = true;
            } catch (IOException e) {
                throw ElytronMessages.log.cannotWriteStorageFie(this.storeFile.getAbsolutePath(), this.storeName);
            }
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            keyStore.load(null, null);
            packToKeyStore(keyStore);
            if (!this.storeFile.canWrite()) {
                throw ElytronMessages.log.cannotWriteStorageFie(this.storeFile.getAbsolutePath(), this.storeName);
            }
            FileOutputStream fileOutputStream = new FileOutputStream(this.storeFile);
            Throwable th = null;
            try {
                try {
                    keyStore.store(fileOutputStream, this.storagePassword);
                    if (fileOutputStream != null) {
                        if (0 != 0) {
                            try {
                                fileOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileOutputStream.close();
                        }
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException | GeneralSecurityException e2) {
            if (z) {
                this.storeFile.delete();
            }
            throw new CredentialStoreException(e2);
        }
    }

    private void packToKeyStore(KeyStore keyStore) throws KeyStoreException, NoSuchAlgorithmException, InvalidKeySpecException, UnsupportedCredentialTypeException {
        keyStore.setEntry(this.adminKeyAlias, new KeyStore.SecretKeyEntry(this.adminKey), this.adminKeyProtectionParam);
        Iterator it = this.storage.keySet().iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            keyStore.setEntry(str, new KeyStore.SecretKeyEntry(new SecretKeyWrap(Entry.serializeEntry(this.storage.get(str)), ClearPassword.ALGORITHM_CLEAR)), this.adminKeyProtectionParam);
        }
    }

    private void checkValidConfigurationAttributes(Set<String> set) throws CredentialStoreException {
        StringBuilder sb = new StringBuilder();
        set.stream().filter(str -> {
            return !str.startsWith("store.password.");
        }).filter(str2 -> {
            return !str2.startsWith("key.password.");
        }).filter(str3 -> {
            return !supportedConfigurationAttributes.contains(str3);
        }).forEach(str4 -> {
            sb.append(", ").append(str4);
        });
        if (sb.length() > 0) {
            throw ElytronMessages.log.unsupportedPasswordStorageConfigurationAttributes(this.storeName, sb.substring(2));
        }
    }

    private void readKeyStore() throws CredentialStoreException {
        if (this.createStorage && (!this.storeFile.exists() || !this.storeFile.canRead())) {
            try {
                this.adminKey = generateSecretKey();
                return;
            } catch (NoSuchAlgorithmException e) {
                ElytronMessages.log.info("Storage exception:", e);
                throw new CredentialStoreException(e);
            }
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            FileInputStream fileInputStream = new FileInputStream(this.storeFile);
            Throwable th = null;
            try {
                try {
                    keyStore.load(fileInputStream, this.storagePassword);
                    if (fileInputStream != null) {
                        if (0 != 0) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    Enumeration<String> aliases = keyStore.aliases();
                    while (aliases.hasMoreElements()) {
                        String nextElement = aliases.nextElement();
                        if (!nextElement.equalsIgnoreCase(this.adminKeyAlias)) {
                            KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) keyStore.getEntry(nextElement, this.adminKeyProtectionParam);
                            if (secretKeyEntry.getSecretKey() != null) {
                                this.storage.put(nextElement, Entry.deserializeEntry(secretKeyEntry.getSecretKey().getEncoded()));
                            } else {
                                ElytronMessages.log.warn("Stored for alias='" + nextElement + "' is null.");
                            }
                        }
                    }
                    KeyStore.Entry entry = keyStore.getEntry(this.adminKeyAlias, this.adminKeyProtectionParam);
                    this.adminKey = entry != null ? ((KeyStore.SecretKeyEntry) entry).getSecretKey() : null;
                    if (this.adminKey == null) {
                        throw ElytronMessages.log.storeAdminKeyNotPresent(this.storeName, this.adminKeyAlias);
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e2) {
            throw ElytronMessages.log.cannotReadVaultStorage(this.storeFile.toString(), this.storeName, e2);
        }
    }

    private SecretKey generateSecretKey() throws NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(this.cryptographicAlgorithm);
        keyGenerator.init(this.keySize);
        return keyGenerator.generateKey();
    }

    private byte[] encryptEntry(PasswordCredential passwordCredential) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        Assert.assertNotNull(passwordCredential);
        Cipher cipher = getCipher(1);
        if (ClearPassword.ALGORITHM_CLEAR.equals(passwordCredential.getAlgorithm())) {
            return cipher.doFinal(charArrayEncode(((ClearPassword) passwordCredential.getPassword()).getPassword()));
        }
        throw new NoSuchAlgorithmException(passwordCredential.getAlgorithm());
    }

    private PasswordCredential decryptEntry(byte[] bArr) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException, InvalidKeySpecException {
        Assert.assertNotNull(bArr);
        return new PasswordCredential(PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR).generatePassword(new ClearPasswordSpec(byteArrayDecode(getCipher(2).doFinal(bArr)))));
    }

    static char[] byteArrayDecode(byte[] bArr) {
        return new String(bArr, StandardCharsets.UTF_8).toCharArray();
    }

    static byte[] charArrayEncode(char[] cArr) {
        return Normalizer.normalize(new String(cArr), Normalizer.Form.NFKC).getBytes(StandardCharsets.UTF_8);
    }

    private Cipher getCipher(int i) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
        SecretKeySpec secretKeySpec = new SecretKeySpec(this.adminKey.getEncoded(), this.cryptographicAlgorithm);
        Cipher cipher = Cipher.getInstance(this.cryptographicAlgorithm);
        cipher.init(i, secretKeySpec);
        return cipher;
    }

    private void destroyPassword(char[] cArr) {
        if (cArr != null) {
            Arrays.fill(cArr, (char) 0);
        }
    }

    private Credential loadPassword(String str, String str2, Map<String, String> map) throws CredentialStoreException {
        return resolveMasterCredential(str, PasswordCredential.class, (Map) map.entrySet().stream().filter(entry -> {
            return !((String) entry.getKey()).equals(str2) && ((String) entry.getKey()).startsWith(str2);
        }).collect(Collectors.toMap(entry2 -> {
            return ((String) entry2.getKey()).substring(str2.length() + 1);
        }, (v0) -> {
            return v0.getValue();
        })));
    }

    private char[] convertPassword(Object obj) {
        if (obj == null) {
            return EMPTY_PASSWORD;
        }
        if (obj instanceof String) {
            return ((String) obj).toCharArray();
        }
        if (obj instanceof ClearPassword) {
            return ((ClearPassword) obj).getPassword();
        }
        if (!(obj instanceof PasswordCredential)) {
            return Arrays.copyOf((char[]) obj, ((char[]) obj).length);
        }
        Password password = ((PasswordCredential) obj).getPassword();
        return password instanceof ClearPassword ? ((ClearPassword) password).getPassword() : EMPTY_PASSWORD;
    }

    private File resolveFile(String str, String str2) {
        return new File(((this.storeBase == null || this.storeBase.isEmpty()) ? "" : this.storeBase + "/") + (str != null ? str : str2));
    }

    static {
        HashSet hashSet = new HashSet();
        Collections.addAll(hashSet, NAME, STORE_FILE, STORE_PASSWORD, STORE_BASE, CREATE_STORAGE, KEY_ALIAS, KEY_PASSWORD, KEY_SIZE, CRYPTO_ALGORITHM, RELOADABLE);
        supportedConfigurationAttributes = Collections.unmodifiableSet(hashSet);
    }
}
