package org.picketbox.plugins.vault;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.nio.channels.FileChannel;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Enumeration;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.Util;
import org.jboss.security.plugins.PBEUtils;
import org.jboss.security.vault.SecurityVault;
import org.jboss.security.vault.SecurityVaultException;
import org.picketbox.util.EncryptionUtil;
import org.picketbox.util.KeyStoreUtil;
import org.picketbox.util.StringUtil;
import org.picketlink.idm.model.basic.Group;

/* loaded from: input_file:WEB-INF/lib/picketbox-4.1.1.Final-redhat-1.jar:org/picketbox/plugins/vault/PicketBoxSecurityVault.class */
public class PicketBoxSecurityVault implements SecurityVault {
    private SecretKey adminKey;
    private String decodedEncFileDir;
    public static final String ENC_FILE_DIR = "ENC_FILE_DIR";
    public static final String KEYSTORE_URL = "KEYSTORE_URL";
    public static final String KEYSTORE_PASSWORD = "KEYSTORE_PASSWORD";
    public static final String KEYSTORE_ALIAS = "KEYSTORE_ALIAS";
    public static final String SALT = "SALT";
    public static final String ITERATION_COUNT = "ITERATION_COUNT";
    public static final String PASS_MASK_PREFIX = "MASK-";
    public static final String PUBLIC_CERT = "PUBLIC_CERT";
    public static final String KEY_SIZE = "KEY_SIZE";
    public static final String CREATE_KEYSTORE = "CREATE_KEYSTORE";
    public static final String KEYSTORE_TYPE = "KEYSTORE_TYPE";
    private static final String ENCODED_FILE = "ENC.dat";
    private static final String SHARED_KEY_FILE = "Shared.dat";
    private static final String ADMIN_KEY = "ADMIN_KEY";
    protected static final String VAULT_CONTENT_FILE = "VAULT.dat";
    protected static final String defaultKeyStoreType = "JCEKS";
    protected boolean finishedInit = false;
    protected KeyStore keystore = null;
    protected String encryptionAlgorithm = "AES";
    protected int keySize = 128;
    private char[] keyStorePWD = null;
    private String alias = null;
    private SecurityVaultData vaultContent = null;
    private boolean createKeyStore = false;
    private String keyStoreType = defaultKeyStoreType;

    @Override // org.jboss.security.vault.SecurityVault
    public void init(Map<String, Object> map) throws SecurityVaultException {
        if (map == null || map.isEmpty()) {
            throw PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMap("options");
        }
        String str = (String) map.get(KEYSTORE_URL);
        if (str == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(KEYSTORE_URL));
        }
        if (str.contains("${")) {
            str = str.replaceAll(":", StringUtil.PROPERTY_DEFAULT_SEPARATOR);
        }
        String systemPropertyAsString = StringUtil.getSystemPropertyAsString(str);
        String str2 = (String) map.get(KEYSTORE_PASSWORD);
        if (str2 == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(KEYSTORE_PASSWORD));
        }
        if (!str2.startsWith("MASK-") && !Util.isPasswordCommand(str2)) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidKeystorePasswordFormatMessage());
        }
        String str3 = (String) map.get(SALT);
        if (str3 == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(SALT));
        }
        String str4 = (String) map.get(ITERATION_COUNT);
        if (str4 == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(ITERATION_COUNT));
        }
        int parseInt = Integer.parseInt(str4);
        this.alias = (String) map.get(KEYSTORE_ALIAS);
        if (this.alias == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(KEYSTORE_ALIAS));
        }
        String str5 = (String) map.get(KEY_SIZE);
        if (str5 != null) {
            this.keySize = Integer.parseInt(str5);
        }
        String str6 = (String) map.get(ENC_FILE_DIR);
        if (str6 == null) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.invalidNullOrEmptyOptionMessage(ENC_FILE_DIR));
        }
        this.createKeyStore = map.get(CREATE_KEYSTORE) != null ? Boolean.parseBoolean((String) map.get(CREATE_KEYSTORE)) : false;
        this.keyStoreType = map.get(KEYSTORE_TYPE) != null ? (String) map.get(KEYSTORE_TYPE) : defaultKeyStoreType;
        try {
            this.keyStorePWD = loadKeystorePassword(str2, str3, parseInt);
            this.keystore = getKeyStore(systemPropertyAsString);
            checkAndConvertKeyStoreToJCEKS(systemPropertyAsString);
            readVaultContent(systemPropertyAsString, str6);
            PicketBoxLogger.LOGGER.infoVaultInitialized();
            this.finishedInit = true;
        } catch (Exception e) {
            throw new SecurityVaultException(e);
        }
    }

    @Override // org.jboss.security.vault.SecurityVault
    public boolean isInitialized() {
        return this.finishedInit;
    }

    @Override // org.jboss.security.vault.SecurityVault
    public byte[] handshake(Map<String, Object> map) throws SecurityVaultException {
        return new byte[this.keySize];
    }

    @Override // org.jboss.security.vault.SecurityVault
    public Set<String> keyList() throws SecurityVaultException {
        return this.vaultContent.getVaultDataKeys();
    }

    @Override // org.jboss.security.vault.SecurityVault
    public void store(String str, String str2, char[] cArr, byte[] bArr) throws SecurityVaultException {
        if (StringUtil.isNullOrEmpty(str)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("vaultBlock");
        }
        if (StringUtil.isNullOrEmpty(str2)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("attributeName");
        }
        String str3 = new String(cArr);
        EncryptionUtil encryptionUtil = new EncryptionUtil(this.encryptionAlgorithm, this.keySize);
        try {
            this.vaultContent.addVaultData(this.alias, str, str2, encryptionUtil.encrypt(str3.getBytes(), new SecretKeySpec(this.adminKey.getEncoded(), this.encryptionAlgorithm)));
            try {
                writeVaultData();
            } catch (IOException e) {
                throw new SecurityVaultException(PicketBoxMessages.MESSAGES.unableToWriteVaultDataFileMessage(VAULT_CONTENT_FILE), e);
            }
        } catch (Exception e2) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.unableToEncryptDataMessage(), e2);
        }
    }

    @Override // org.jboss.security.vault.SecurityVault
    public char[] retrieve(String str, String str2, byte[] bArr) throws SecurityVaultException {
        if (StringUtil.isNullOrEmpty(str)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("vaultBlock");
        }
        if (StringUtil.isNullOrEmpty(str2)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("attributeName");
        }
        try {
            return new String(new EncryptionUtil(this.encryptionAlgorithm, this.keySize).decrypt(this.vaultContent.getVaultData(this.alias, str, str2), new SecretKeySpec(this.adminKey.getEncoded(), this.encryptionAlgorithm))).toCharArray();
        } catch (Exception e) {
            throw new SecurityVaultException(e);
        }
    }

    @Override // org.jboss.security.vault.SecurityVault
    public boolean exists(String str, String str2) throws SecurityVaultException {
        return this.vaultContent.getVaultData(this.alias, str, str2) != null;
    }

    @Override // org.jboss.security.vault.SecurityVault
    public boolean remove(String str, String str2, byte[] bArr) throws SecurityVaultException {
        if (StringUtil.isNullOrEmpty(str)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("vaultBlock");
        }
        if (StringUtil.isNullOrEmpty(str2)) {
            throw PicketBoxMessages.MESSAGES.invalidNullArgument("attributeName");
        }
        try {
            if (!this.vaultContent.deleteVaultData(this.alias, str, str2)) {
                return false;
            }
            writeVaultData();
            return true;
        } catch (IOException e) {
            throw new SecurityVaultException(PicketBoxMessages.MESSAGES.unableToWriteVaultDataFileMessage(VAULT_CONTENT_FILE), e);
        } catch (Exception e2) {
            throw new SecurityVaultException(e2);
        }
    }

    private char[] loadKeystorePassword(String str, String str2, int i) throws Exception {
        return str.startsWith("MASK-") ? decode(str, str2, i).toCharArray() : Util.loadPassword(str);
    }

    private String decode(String str, String str2, int i) throws Exception {
        if (str.startsWith("MASK-")) {
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
            char[] charArray = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
            PBEParameterSpec pBEParameterSpec = new PBEParameterSpec(str2.getBytes(), i);
            str = PBEUtils.decode64(str.substring("MASK-".length()), "PBEwithMD5andDES", secretKeyFactory.generateSecret(new PBEKeySpec(charArray)), pBEParameterSpec);
        }
        return str;
    }

    private void setUpVault(String str, String str2) throws NoSuchAlgorithmException, IOException {
        this.vaultContent = new SecurityVaultData();
        writeVaultData();
        SecretKey adminKey = getAdminKey();
        if (adminKey != null) {
            this.adminKey = adminKey;
            return;
        }
        if (!this.createKeyStore) {
            throw PicketBoxMessages.MESSAGES.vaultDoesnotContainSecretKey(this.alias);
        }
        SecretKey generateKey = new EncryptionUtil(this.encryptionAlgorithm, this.keySize).generateKey();
        try {
            this.keystore.setEntry(this.alias, new KeyStore.SecretKeyEntry(generateKey), new KeyStore.PasswordProtection(this.keyStorePWD));
            this.adminKey = generateKey;
            saveKeyStoreToFile(str);
        } catch (KeyStoreException e) {
            throw PicketBoxMessages.MESSAGES.noSecretKeyandAliasAlreadyUsed(this.alias);
        } catch (Exception e2) {
            throw PicketBoxMessages.MESSAGES.unableToStoreKeyStoreToFile(e2, str);
        }
    }

    private void writeVaultData() throws IOException {
        OutputStream outputStream = null;
        ObjectOutputStream objectOutputStream = null;
        try {
            outputStream = new FileOutputStream(this.decodedEncFileDir + VAULT_CONTENT_FILE);
            objectOutputStream = new ObjectOutputStream(outputStream);
            objectOutputStream.writeObject(this.vaultContent);
            safeClose(objectOutputStream);
            safeClose(outputStream);
        } catch (Throwable th) {
            safeClose(objectOutputStream);
            safeClose(outputStream);
            throw th;
        }
    }

    private boolean vaultFileExists(String str) {
        File file = new File(this.decodedEncFileDir + str);
        return file != null && file.exists();
    }

    private boolean directoryExists(String str) {
        File file = new File(str);
        return file != null && file.exists();
    }

    private void safeClose(InputStream inputStream) {
        if (inputStream != null) {
            try {
                inputStream.close();
            } catch (Exception e) {
            }
        }
    }

    private void safeClose(OutputStream outputStream) {
        if (outputStream != null) {
            try {
                outputStream.close();
            } catch (Exception e) {
            }
        }
    }

    private void readVaultContent(String str, String str2) throws SecurityVaultException {
        try {
            if (str2.contains("${)")) {
                str2 = str2.replaceAll(":", StringUtil.PROPERTY_DEFAULT_SEPARATOR);
            }
            this.decodedEncFileDir = StringUtil.getSystemPropertyAsString(str2);
            if (!directoryExists(this.decodedEncFileDir)) {
                throw new SecurityVaultException(PicketBoxMessages.MESSAGES.fileOrDirectoryDoesNotExistMessage(this.decodedEncFileDir));
            }
            if (!this.decodedEncFileDir.endsWith(Group.PATH_SEPARATOR) && !this.decodedEncFileDir.endsWith("\\")) {
                this.decodedEncFileDir += File.separator;
            }
            if (vaultFileExists(ENCODED_FILE)) {
                if (vaultFileExists(VAULT_CONTENT_FILE)) {
                    PicketBoxLogger.LOGGER.mixedVaultDataFound(VAULT_CONTENT_FILE, ENCODED_FILE, this.decodedEncFileDir + ENCODED_FILE);
                    throw PicketBoxMessages.MESSAGES.mixedVaultDataFound(VAULT_CONTENT_FILE, ENCODED_FILE);
                }
                convertVaultContent(str, this.alias);
            } else if (vaultFileExists(VAULT_CONTENT_FILE)) {
                readVersionedVaultContent();
            } else {
                setUpVault(str, this.decodedEncFileDir);
            }
        } catch (Exception e) {
            throw new SecurityVaultException(e);
        }
    }

    private void convertVaultContent(String str, String str2) throws Exception {
        InputStream inputStream = null;
        ObjectInputStream objectInputStream = null;
        try {
            inputStream = new FileInputStream(this.decodedEncFileDir + ENCODED_FILE);
            objectInputStream = new ObjectInputStream(inputStream);
            Map map = (Map) objectInputStream.readObject();
            safeClose(inputStream);
            safeClose(objectInputStream);
            this.vaultContent = new SecurityVaultData();
            this.adminKey = null;
            for (String str3 : map.keySet()) {
                if (str3.equals(ADMIN_KEY)) {
                    this.adminKey = new SecretKeySpec((byte[]) map.get(str3), this.encryptionAlgorithm);
                } else if (str3.contains("_")) {
                    StringTokenizer stringTokenizer = new StringTokenizer(str3, "_");
                    String nextToken = stringTokenizer.nextToken();
                    String nextToken2 = stringTokenizer.nextToken();
                    if (stringTokenizer.hasMoreTokens()) {
                        nextToken2 = str3.substring(nextToken.length() + 1);
                        PicketBoxLogger.LOGGER.ambiguosKeyForSecurityVaultTransformation("_", nextToken, nextToken2);
                    }
                    this.vaultContent.addVaultData(str2, nextToken, nextToken2, (byte[]) map.get(str3));
                }
            }
            if (this.adminKey == null) {
                throw PicketBoxMessages.MESSAGES.missingAdminKeyInOriginalVaultData();
            }
            KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(this.adminKey);
            KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(this.keyStorePWD);
            KeyStore.Entry entry = this.keystore.getEntry(str2, passwordProtection);
            if (entry != null) {
                this.keystore.setEntry(str2 + "-original", entry, passwordProtection);
                this.keystore.deleteEntry(str2);
            }
            this.keystore.setEntry(str2, secretKeyEntry, new KeyStore.PasswordProtection(this.keyStorePWD));
            saveKeyStoreToFile(str);
            copyFile(new File(this.decodedEncFileDir + ENCODED_FILE), new File(this.decodedEncFileDir + ENCODED_FILE + ".original"));
            writeVaultData();
            File file = new File(this.decodedEncFileDir + ENCODED_FILE);
            if (!file.delete()) {
                PicketBoxLogger.LOGGER.cannotDeleteOriginalVaultFile(file.getCanonicalPath());
            }
            File file2 = new File(this.decodedEncFileDir + SHARED_KEY_FILE);
            if (file2.delete()) {
                return;
            }
            PicketBoxLogger.LOGGER.cannotDeleteOriginalVaultFile(file2.getCanonicalPath());
        } catch (Throwable th) {
            safeClose(inputStream);
            safeClose(objectInputStream);
            throw th;
        }
    }

    private void saveKeyStoreToFile(String str) throws Exception {
        this.keystore.store(new FileOutputStream(new File(str)), this.keyStorePWD);
    }

    private void checkAndConvertKeyStoreToJCEKS(String str) throws Exception {
        if (this.keystore.getType().equalsIgnoreCase("JKS")) {
            copyFile(new File(str), new File(str + ".original"));
            KeyStore createKeyStore = KeyStoreUtil.createKeyStore(defaultKeyStoreType, this.keyStorePWD);
            Enumeration<String> aliases = this.keystore.aliases();
            while (aliases.hasMoreElements()) {
                String nextElement = aliases.nextElement();
                KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(this.keyStorePWD);
                createKeyStore.setEntry(nextElement, this.keystore.getEntry(nextElement, passwordProtection), passwordProtection);
            }
            this.keystore = createKeyStore;
            this.keyStoreType = defaultKeyStoreType;
            saveKeyStoreToFile(str);
            PicketBoxLogger.LOGGER.keyStoreConvertedToJCEKS(KEYSTORE_URL);
        }
    }

    private void readVersionedVaultContent() throws Exception {
        InputStream inputStream = null;
        ObjectInputStream objectInputStream = null;
        try {
            inputStream = new FileInputStream(this.decodedEncFileDir + VAULT_CONTENT_FILE);
            objectInputStream = new ObjectInputStream(inputStream);
            this.vaultContent = (SecurityVaultData) objectInputStream.readObject();
            safeClose(inputStream);
            safeClose(objectInputStream);
            this.adminKey = getAdminKey();
            if (this.adminKey == null) {
                throw PicketBoxMessages.MESSAGES.vaultDoesnotContainSecretKey(this.alias);
            }
        } catch (Throwable th) {
            safeClose(inputStream);
            safeClose(objectInputStream);
            throw th;
        }
    }

    private SecretKey getAdminKey() {
        try {
            KeyStore.Entry entry = this.keystore.getEntry(this.alias, new KeyStore.PasswordProtection(this.keyStorePWD));
            if (entry instanceof KeyStore.SecretKeyEntry) {
                return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            }
            return null;
        } catch (Exception e) {
            PicketBoxLogger.LOGGER.vaultDoesnotContainSecretKey(this.alias);
            return null;
        }
    }

    public static void copyFile(File file, File file2) throws IOException {
        if (!file2.exists()) {
            file2.createNewFile();
        }
        FileInputStream fileInputStream = null;
        FileOutputStream fileOutputStream = null;
        FileChannel fileChannel = null;
        FileChannel fileChannel2 = null;
        try {
            fileInputStream = new FileInputStream(file);
            fileChannel = fileInputStream.getChannel();
            fileOutputStream = new FileOutputStream(file2);
            fileChannel2 = fileOutputStream.getChannel();
            long j = 0;
            long size = fileChannel.size();
            while (j < size) {
                j += fileChannel2.transferFrom(fileChannel, 0L, fileChannel.size());
                fileChannel2.position(j);
            }
            if (fileChannel != null) {
                fileChannel.close();
            } else if (fileInputStream != null) {
                fileInputStream.close();
            }
            if (fileChannel2 != null) {
                fileChannel2.close();
            } else if (fileOutputStream != null) {
                fileOutputStream.close();
            }
        } catch (Throwable th) {
            if (fileChannel != null) {
                fileChannel.close();
            } else if (fileInputStream != null) {
                fileInputStream.close();
            }
            if (fileChannel2 != null) {
                fileChannel2.close();
            } else if (fileOutputStream != null) {
                fileOutputStream.close();
            }
            throw th;
        }
    }

    private KeyStore getKeyStore(String str) {
        PicketBoxMessages picketBoxMessages;
        try {
            if (this.createKeyStore) {
                return KeyStoreUtil.createKeyStore(this.keyStoreType, this.keyStorePWD);
            }
            try {
                return KeyStoreUtil.getKeyStore(this.keyStoreType, str, this.keyStorePWD);
            } catch (IOException e) {
                throw picketBoxMessages.unableToGetKeyStore(e, str);
            } catch (GeneralSecurityException e2) {
                throw picketBoxMessages.unableToGetKeyStore(e2, str);
            }
        } finally {
            RuntimeException unableToGetKeyStore = PicketBoxMessages.MESSAGES.unableToGetKeyStore(e2, str);
        }
    }
}
