package org.apache.wss4j.common.crypto;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.security.MessageDigest;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-04.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-common-2.1.7.jar:org/apache/wss4j/common/crypto/CryptoBase.class */
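/**
 * Shared base for {@link Crypto} implementations: holds the provider names, the default
 * certificate alias and a lazily created X.509 {@link CertificateFactory}, and implements the
 * certificate encode/decode helpers on top of that factory.
 *
 * <p>This listing is decompiler output. The lazily initialised {@link #certificateFactory} field
 * is not guarded by any lock in this class, so nothing here makes concurrent first use safe.
 */
public abstract class CryptoBase implements Crypto {
    /** OID of the X.509 SubjectKeyIdentifier extension. */
    public static final String SKI_OID = "2.5.29.14";
    /** OID of the X.509 NameConstraints extension. */
    public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
    private static final Logger LOG = LoggerFactory.getLogger(CryptoBase.class);
    /**
     * Reflective handle on {@code org.bouncycastle.asn1.x500.X500Name(String)}, or {@code null}
     * when that class could not be resolved at class-initialisation time.
     */
    private static final Constructor<?> BC_509CLASS_CONS;
    protected CertificateFactory certificateFactory;
    private String defaultAlias;
    private String cryptoProvider;
    private String trustProvider;

    /** Returns the provider name used when creating the certificate factory; may be {@code null}. */
    @Override
    public String getCryptoProvider() {
        return this.cryptoProvider;
    }

    /** Sets the provider name used when creating the certificate factory. */
    @Override
    public void setCryptoProvider(String str) {
        this.cryptoProvider = str;
    }

    /** Stores the trust provider name; this class only keeps the value. */
    @Override
    public void setTrustProvider(String str) {
        this.trustProvider = str;
    }

    /** Returns the stored trust provider name; may be {@code null}. */
    @Override
    public String getTrustProvider() {
        return this.trustProvider;
    }

    /** Returns the configured default alias; may be {@code null} if none was set. */
    @Override
    public String getDefaultX509Identifier() throws WSSecurityException {
        return this.defaultAlias;
    }

    /** Sets the default alias returned by {@link #getDefaultX509Identifier()}. */
    @Override
    public void setDefaultX509Identifier(String str) {
        this.defaultAlias = str;
    }

    /** Installs a specific certificate factory, bypassing the lazy creation below. */
    @Override
    public void setCertificateFactory(CertificateFactory certificateFactory) {
        this.certificateFactory = certificateFactory;
    }

    /**
     * Returns the X.509 certificate factory, creating and caching it on first use.
     *
     * <p>When a crypto provider name is configured the factory is requested from that provider;
     * otherwise the JCA default provider lookup is used.
     *
     * @return the cached or newly created factory
     * @throws WSSecurityException if the named provider is not registered or X.509 is unsupported
     */
    @Override
    public CertificateFactory getCertificateFactory() throws WSSecurityException {
        if (this.certificateFactory != null) {
            return this.certificateFactory;
        }
        try {
            String provider = getCryptoProvider();
            if (provider == null || provider.isEmpty()) {
                this.certificateFactory = CertificateFactory.getInstance("X.509");
            } else {
                this.certificateFactory = CertificateFactory.getInstance("X.509", provider);
            }
            return this.certificateFactory;
        } catch (NoSuchProviderException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "noSecProvider");
        } catch (CertificateException e2) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e2, "unsupportedCertType");
        }
    }

    /**
     * Parses a single X.509 certificate from the stream.
     *
     * <p>Parsing establishes nothing about trust: the returned certificate is unverified until it
     * has been passed through one of the {@code verifyTrust} methods.
     *
     * @param inputStream stream positioned at an encoded certificate; not closed by this method
     * @return the parsed certificate
     * @throws WSSecurityException if the data cannot be parsed as a certificate
     */
    @Override
    public X509Certificate loadCertificate(InputStream inputStream) throws WSSecurityException {
        try {
            return (X509Certificate) getCertificateFactory().generateCertificate(inputStream);
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "parseError");
        }
    }

    /**
     * Returns the SubjectKeyIdentifier bytes for a certificate.
     *
     * <p>If the certificate is older than version 3 or carries no SKI extension, the identifier is
     * derived as the SHA-1 digest of the subject public key. SHA-1 serves only to derive an
     * identifier here; a matching SKI is a lookup key and says nothing about whether the
     * certificate is trusted.
     *
     * @param x509Certificate certificate to inspect; must not be {@code null}
     * @return the key identifier bytes
     * @throws WSSecurityException if the fallback digest cannot be computed
     */
    @Override
    public byte[] getSKIBytesFromCert(X509Certificate x509Certificate) throws WSSecurityException {
        byte[] extensionValue = x509Certificate.getExtensionValue(SKI_OID);
        if (x509Certificate.getVersion() < 3 || extensionValue == null) {
            try {
                // NOTE(review): X509SubjectPublicKeyInfo is project-local; presumably it strips the
                // SubjectPublicKeyInfo wrapper and yields the raw key bits — confirm.
                X509SubjectPublicKeyInfo keyInfo = new X509SubjectPublicKeyInfo(x509Certificate.getPublicKey());
                return MessageDigest.getInstance("SHA-1").digest(keyInfo.getSubjectPublicKey());
            } catch (Exception e) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, e, "noSKIHandling", new Object[]{"No SKI certificate extension and no SHA1 message digest available"});
            }
        }
        // getExtensionValue() returns the extension wrapped in a DER OCTET STRING (tag 0x04), and
        // the SKI value inside it is itself an OCTET STRING, hence two tag checks.
        DERDecoder dERDecoder = new DERDecoder(extensionValue);
        dERDecoder.expect((byte) 4);
        dERDecoder.getLength(); // outer length is consumed but not needed
        dERDecoder.expect((byte) 4);
        return dERDecoder.getBytes(dERDecoder.getLength());
    }

    /**
     * Encodes the certificates as a certification path using the factory's default encoding.
     *
     * @param x509CertificateArr certificates in path order
     * @return the encoded path
     * @throws WSSecurityException if the path cannot be built or encoded
     */
    @Override
    public byte[] getBytesFromCertificates(X509Certificate[] x509CertificateArr) throws WSSecurityException {
        try {
            return getCertificateFactory().generateCertPath(Arrays.asList(x509CertificateArr)).getEncoded();
        } catch (CertificateEncodingException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "encodeError");
        } catch (CertificateException e2) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e2, "parseError");
        }
    }

    /**
     * Decodes an encoded certification path into its certificates.
     *
     * <p>The result is only parsed, not validated; callers still have to run trust verification
     * before relying on any certificate in the returned array.
     *
     * @param bArr encoded certification path
     * @return the certificates in the order the path lists them
     * @throws WSSecurityException if the bytes cannot be parsed
     */
    @Override
    public X509Certificate[] getCertificatesFromBytes(byte[] bArr) throws WSSecurityException {
        // The decompiler had expanded this into nested empty finally blocks with a dead
        // addSuppressed branch; a plain try-with-resources is the equivalent source form.
        try (InputStream in = new ByteArrayInputStream(bArr)) {
            CertPath certPath = getCertificateFactory().generateCertPath(in);
            List<? extends Certificate> certificates = certPath.getCertificates();
            X509Certificate[] result = new X509Certificate[certificates.size()];
            int index = 0;
            for (Certificate certificate : certificates) {
                result[index++] = (X509Certificate) certificate;
            }
            return result;
        } catch (IOException | CertificateException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "parseError");
        }
    }

    /**
     * Verifies trust for the chain by delegating to {@code verifyTrust} with revocation checking
     * enabled and no subject-DN constraints.
     *
     * @param x509CertificateArr chain to verify
     * @throws WSSecurityException if verification fails
     */
    @Override
    public void verifyDirectTrust(X509Certificate[] x509CertificateArr) throws WSSecurityException {
        verifyTrust(x509CertificateArr, true, null);
    }

    /**
     * Builds a name object for a distinguished-name string.
     *
     * <p>Uses the BouncyCastle {@code X500Name} constructor when it was found at class
     * initialisation and falls back to {@link X500Principal} otherwise, or when the reflective
     * call fails. The decompiler reports that this method was {@code protected} in the original
     * class; it is kept {@code public} here so existing callers in this tree still compile.
     *
     * @param str distinguished name
     * @return a BouncyCastle {@code X500Name} or an {@link X500Principal}
     * @throws IllegalArgumentException if the fallback cannot parse {@code str}
     */
    public Object createBCX509Name(String str) {
        if (BC_509CLASS_CONS != null) {
            try {
                return BC_509CLASS_CONS.newInstance(str);
            } catch (Exception e) {
                // Best effort: record why BouncyCastle was skipped, then use the JDK type.
                LOG.debug("BouncyCastle X500Name construction failed, falling back to X500Principal", e);
            }
        }
        return new X500Principal(str);
    }

    /**
     * Checks the certificate's subject DN against a set of constraint patterns.
     *
     * <p>Security note: with no patterns configured this method accepts every certificate
     * (fail-open) and only logs a warning, so deployments that rely on subject-DN pinning must
     * make sure the constraint collection is populated. Each pattern must match the whole DN
     * string returned by {@code getSubjectX500Principal().getName()}.
     *
     * <p>The decompiler reports that this method was {@code protected} in the original class.
     *
     * @param x509Certificate certificate to test; {@code null} never matches once patterns exist
     * @param collection constraint patterns; {@code null} or empty means "no constraints"
     * @return {@code true} if no constraints are defined or at least one pattern matches
     */
    public boolean matches(X509Certificate x509Certificate, Collection<Pattern> collection) {
        if (collection == null || collection.isEmpty()) {
            LOG.warn("No Subject DN Certificate Constraints were defined. This could be a security issue");
            return true;
        }
        if (x509Certificate == null) {
            LOG.debug("The certificate is null so no constraints matching was possible");
            return false;
        }
        String subjectDn = x509Certificate.getSubjectX500Principal().getName();
        for (Pattern pattern : collection) {
            if (pattern.matcher(subjectDn).matches()) {
                LOG.debug("Subject DN {} matches with pattern {}", subjectDn, pattern);
                // One match is sufficient; the remaining patterns cannot change the result.
                return true;
            }
        }
        return false;
    }

    static {
        // BouncyCastle is optional: when it is missing the constructor handle stays null and
        // createBCX509Name() uses X500Principal instead.
        Constructor<?> constructor = null;
        try {
            constructor = Class.forName("org.bouncycastle.asn1.x500.X500Name").getConstructor(String.class);
        } catch (Exception ignored) {
            // Intentionally ignored: absence of BouncyCastle is a supported configuration.
        }
        BC_509CLASS_CONS = constructor;
    }
}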
