package org.apache.cxf.xkms.crypto.impl;

import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.xkms.cache.EHCacheXKMSClientCache;
import org.apache.cxf.xkms.cache.XKMSCacheToken;
import org.apache.cxf.xkms.cache.XKMSClientCache;
import org.apache.cxf.xkms.crypto.CryptoProviderException;
import org.apache.cxf.xkms.handlers.Applications;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoBase;
import org.apache.ws.security.components.crypto.CryptoType;
import org.w3._2002._03.xkms_wsdl.XKMSPortType;

/* loaded from: input_file:org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.class */
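/**
 * {@link Crypto} implementation that resolves and validates X.509 certificates through an XKMS
 * service, optionally consulting a local keystore ({@code fallbackCrypto}) first and a client-side
 * {@link XKMSClientCache} in between.
 * <p>
 * Certificate lookup ({@link #getX509Certificates(CryptoType)}) tries the local keystore when
 * {@code allowX509FromJKS} is enabled, then the cache, then the XKMS service. Trust verification
 * ({@link #verifyTrust(X509Certificate[], boolean)}) is delegated to the XKMS service unless the
 * cache records that the very same certificate was already validated. Private-key and identifier
 * operations are only available when a fallback {@link Crypto} was supplied.
 * <p>
 * Cache keys used by this class: the certificate's subject X.500 name, the
 * {@code issuer + "-" + serial(hex)} key built by {@link #getKeyForIssuerSerial}, and, for
 * id-based XKMS lookups, the lower-cased request id.
 */
public class XkmsCryptoProvider extends CryptoBase {
    private static final Logger LOG = LogUtils.getL7dLogger(XkmsCryptoProvider.class);
    private final XKMSInvoker xkmsInvoker;
    // Local keystore used for private keys, identifiers and (optionally) certificate lookup; may be null.
    private final Crypto fallbackCrypto;
    // Client-side cache of certificates and their XKMS validation state; may be null (no caching).
    private final XKMSClientCache xkmsClientCache;
    // When true, certificates are looked up in fallbackCrypto before asking the cache / XKMS.
    private final boolean allowX509FromJKS;

    /**
     * Creates a provider with no fallback keystore, a default {@link EHCacheXKMSClientCache} and
     * local keystore lookup enabled.
     *
     * @param xKMSPortType the XKMS service port; must not be null
     * @throws IllegalArgumentException if {@code xKMSPortType} is null
     */
    public XkmsCryptoProvider(XKMSPortType xKMSPortType) {
        this(xKMSPortType, null);
    }

    /**
     * Creates a provider with the given fallback keystore, a default {@link EHCacheXKMSClientCache}
     * and local keystore lookup enabled.
     *
     * @param xKMSPortType the XKMS service port; must not be null
     * @param crypto the local fallback {@link Crypto}, or null if none
     * @throws IllegalArgumentException if {@code xKMSPortType} is null
     */
    public XkmsCryptoProvider(XKMSPortType xKMSPortType, Crypto crypto) {
        this(xKMSPortType, crypto, new EHCacheXKMSClientCache(), true);
    }

    /**
     * Creates a provider with the given fallback keystore and a default
     * {@link EHCacheXKMSClientCache}.
     *
     * @param xKMSPortType the XKMS service port; must not be null
     * @param crypto the local fallback {@link Crypto}, or null if none
     * @param z whether certificates may be served from the local keystore before XKMS is asked
     * @throws IllegalArgumentException if {@code xKMSPortType} is null
     */
    public XkmsCryptoProvider(XKMSPortType xKMSPortType, Crypto crypto, boolean z) {
        this(xKMSPortType, crypto, new EHCacheXKMSClientCache(), z);
    }

    /**
     * Creates a fully configured provider.
     *
     * @param xKMSPortType the XKMS service port; must not be null
     * @param crypto the local fallback {@link Crypto}, or null if none
     * @param xKMSClientCache the client-side cache, or null to disable caching
     * @param z whether certificates may be served from the local keystore before XKMS is asked
     * @throws IllegalArgumentException if {@code xKMSPortType} is null
     */
    public XkmsCryptoProvider(XKMSPortType xKMSPortType, Crypto crypto, XKMSClientCache xKMSClientCache, boolean z) {
        if (xKMSPortType == null) {
            throw new IllegalArgumentException("xkmsConsumer may not be null");
        }
        this.xkmsInvoker = new XKMSInvoker(xKMSPortType);
        this.fallbackCrypto = crypto;
        this.xkmsClientCache = xKMSClientCache;
        this.allowX509FromJKS = z;
    }

    /**
     * Resolves certificates for the given lookup criteria (alias, subject DN or issuer/serial).
     *
     * @param cryptoType the lookup criteria
     * @return the resolved certificates, or null when none could be found
     * @throws WSSecurityException declared by the {@link Crypto} contract
     * @throws IllegalArgumentException for an unsupported {@link CryptoType.TYPE} or a missing id
     */
    public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info(String.format("XKMS Runtime: getting public certificate for alias: %s; issuer: %s; subjectDN: %s", cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
        }
        X509Certificate[] resolved = getX509(cryptoType);
        if (resolved == null) {
            LOG.warning(String.format("Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s", cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
        }
        return resolved;
    }

    /**
     * Delegates to the fallback {@link Crypto}.
     *
     * @throws UnsupportedOperationException if no fallback {@link Crypto} was configured
     */
    public String getX509Identifier(X509Certificate x509Certificate) throws WSSecurityException {
        assertDefaultCryptoProvider();
        return this.fallbackCrypto.getX509Identifier(x509Certificate);
    }

    /**
     * Delegates to the fallback {@link Crypto}.
     *
     * @throws UnsupportedOperationException if no fallback {@link Crypto} was configured
     */
    public PrivateKey getPrivateKey(X509Certificate x509Certificate, CallbackHandler callbackHandler) throws WSSecurityException {
        assertDefaultCryptoProvider();
        return this.fallbackCrypto.getPrivateKey(x509Certificate, callbackHandler);
    }

    /**
     * Delegates to the fallback {@link Crypto}.
     *
     * @throws UnsupportedOperationException if no fallback {@link Crypto} was configured
     */
    public PrivateKey getPrivateKey(String str, String str2) throws WSSecurityException {
        assertDefaultCryptoProvider();
        return this.fallbackCrypto.getPrivateKey(str, str2);
    }

    /**
     * Verifies the leaf certificate of the chain via XKMS; see
     * {@link #verifyTrust(X509Certificate[], boolean)}.
     */
    public boolean verifyTrust(X509Certificate[] x509CertificateArr) throws WSSecurityException {
        return verifyTrust(x509CertificateArr, false);
    }

    /**
     * Verifies trust in the first (leaf) certificate of the chain.
     * <p>
     * A cached token counts as a positive result only when it is marked as XKMS-validated
     * <em>and</em> holds the very same certificate: the cache is keyed by subject name and
     * issuer/serial, so without the certificate comparison a different certificate sharing a
     * subject name with a previously validated one would be accepted without being checked.
     * Otherwise the certificate is sent to the XKMS service and, on success, cached as validated.
     *
     * @param x509CertificateArr the chain; only element 0 is verified
     * @param z second flag of the {@link Crypto} contract; it is not consulted here
     * @return true if the certificate is trusted (the method never returns false)
     * @throws CryptoProviderException if the chain is null/empty, the leaf is null, or XKMS
     *         reports the certificate as invalid
     * @throws WSSecurityException declared by the {@link Crypto} contract
     */
    public boolean verifyTrust(X509Certificate[] x509CertificateArr, boolean z) throws WSSecurityException {
        // Reject null/empty chains and a null leaf before any element access; indexing [0]
        // unconditionally would otherwise fail with ArrayIndexOutOfBoundsException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new CryptoProviderException("The given certificate is not valid");
        }
        X509Certificate leaf = x509CertificateArr[0];
        LOG.fine(String.format("Verifying certificate id: %s", leaf.getSubjectDN()));

        XKMSCacheToken cached = lookupCacheToken(leaf);
        // X509Certificate.equals compares the encoded form, so this ties the cached validation
        // state to this exact certificate rather than to its subject name.
        boolean cachedIsSameCertificate = cached != null && leaf.equals(cached.getX509Certificate());
        if (cachedIsSameCertificate && cached.isXkmsValidated()) {
            LOG.fine("Certificate has already been validated by the XKMS service");
            return true;
        }
        if (!this.xkmsInvoker.validateCertificate(leaf)) {
            throw new CryptoProviderException("The given certificate is not valid");
        }
        if (cachedIsSameCertificate) {
            // The same token object may be registered under several keys; flag it once.
            cached.setXkmsValidated(true);
        }
        storeCertificateInCache(leaf, null, true);
        return true;
    }

    /**
     * Not supported: bare public keys cannot be validated through XKMS by this provider.
     *
     * @throws CryptoProviderException always
     */
    public boolean verifyTrust(PublicKey publicKey) throws WSSecurityException {
        throw new CryptoProviderException("PublicKeys cannot be verified");
    }

    /** Fails fast when an operation needs the fallback keystore and none was configured. */
    private void assertDefaultCryptoProvider() {
        if (this.fallbackCrypto == null) {
            throw new UnsupportedOperationException("Not supported by this crypto provider");
        }
    }

    /**
     * Looks the certificate up in the cache by subject name, then by issuer/serial key.
     *
     * @return the cached token, or null if caching is disabled or nothing is cached
     */
    private XKMSCacheToken lookupCacheToken(X509Certificate certificate) {
        if (this.xkmsClientCache == null) {
            return null;
        }
        XKMSCacheToken token = this.xkmsClientCache.get(certificate.getSubjectX500Principal().getName());
        if (token == null) {
            String issuerSerialKey = getKeyForIssuerSerial(
                certificate.getIssuerX500Principal().getName(), certificate.getSerialNumber());
            token = this.xkmsClientCache.get(issuerSerialKey);
        }
        return token;
    }

    /**
     * Resolution strategy: local keystore (if allowed and configured), then cache/XKMS by the
     * requested criteria type.
     *
     * @throws IllegalArgumentException for an unsupported {@link CryptoType.TYPE}
     */
    private X509Certificate[] getX509(CryptoType cryptoType) {
        if (this.allowX509FromJKS && this.fallbackCrypto != null) {
            X509Certificate[] local = getCertificateLocally(cryptoType);
            if (local != null && local.length > 0) {
                return local;
            }
        }
        CryptoType.TYPE type = cryptoType.getType();
        if (type == CryptoType.TYPE.SUBJECT_DN) {
            return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
        }
        if (type == CryptoType.TYPE.ALIAS) {
            // An alias containing '{' is treated as a QName-style service name.
            Applications application = isServiceName(cryptoType) ? Applications.SERVICE_SOAP : Applications.PKIX;
            return getX509FromXKMSByID(application, cryptoType.getAlias());
        }
        if (type == CryptoType.TYPE.ISSUER_SERIAL) {
            return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
        }
        throw new IllegalArgumentException("Unsupported type " + type);
    }

    /**
     * Resolves a certificate by application/id, serving it from the cache when present.
     * The cache key is the id lower-cased with {@link Locale#ROOT} so it does not depend on the
     * JVM default locale.
     *
     * @throws IllegalArgumentException if {@code id} is null
     */
    private X509Certificate[] getX509FromXKMSByID(Applications application, String id) {
        LOG.fine(String.format("Getting public certificate from XKMS for application:%s; id: %s", application, id));
        if (id == null) {
            throw new IllegalArgumentException("Id is not specified for certificate request");
        }
        String cacheKey = id.toLowerCase(Locale.ROOT);
        X509Certificate cachedCertificate = getCachedCertificate(cacheKey);
        if (cachedCertificate != null) {
            return new X509Certificate[]{cachedCertificate};
        }
        X509Certificate fromXkms = this.xkmsInvoker.getCertificateForId(application, id);
        storeCertificateInCache(fromXkms, cacheKey, false);
        return new X509Certificate[]{fromXkms};
    }

    /**
     * Resolves a certificate by issuer name and serial number, serving it from the cache when
     * present.
     *
     * @throws IllegalArgumentException if {@code issuer} or {@code serial} is null
     */
    private X509Certificate[] getX509FromXKMSByIssuerSerial(String issuer, BigInteger serial) {
        LOG.fine(String.format("Getting public certificate from XKMS for issuer:%s; serial: %x", issuer, serial));
        if (issuer == null || serial == null) {
            throw new IllegalArgumentException("Issuer and serial must be specified for certificate request");
        }
        String cacheKey = getKeyForIssuerSerial(issuer, serial);
        X509Certificate cachedCertificate = getCachedCertificate(cacheKey);
        if (cachedCertificate != null) {
            return new X509Certificate[]{cachedCertificate};
        }
        X509Certificate fromXkms = this.xkmsInvoker.getCertificateForIssuerSerial(issuer, serial);
        storeCertificateInCache(fromXkms, cacheKey, false);
        return new X509Certificate[]{fromXkms};
    }

    /**
     * @return the certificate cached under {@code key}, or null if caching is disabled, the key
     *         is unknown, or the token carries no certificate
     */
    private X509Certificate getCachedCertificate(String key) {
        if (this.xkmsClientCache == null) {
            return null;
        }
        XKMSCacheToken token = this.xkmsClientCache.get(key);
        return token == null ? null : token.getX509Certificate();
    }

    /**
     * Best-effort lookup in the fallback keystore. Failures are logged and treated as "not found";
     * an ALIAS lookup that yields nothing is retried as a SUBJECT_DN lookup with the alias value.
     *
     * @return the local certificates, or null when none were found or no fallback is configured
     */
    private X509Certificate[] getCertificateLocally(CryptoType cryptoType) {
        if (this.fallbackCrypto == null) {
            return null;
        }
        X509Certificate[] found = null;
        try {
            found = this.fallbackCrypto.getX509Certificates(cryptoType);
        } catch (Exception e) {
            LOG.info("Certificate is not found in local keystore using desired CryptoType: " + cryptoType.getType().name());
            LOG.log(Level.FINE, "Local keystore lookup failed", e);
        }
        if (found == null && cryptoType.getType() == CryptoType.TYPE.ALIAS) {
            CryptoType bySubject = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
            bySubject.setSubjectDN(cryptoType.getAlias());
            try {
                found = this.fallbackCrypto.getX509Certificates(bySubject);
            } catch (Exception e) {
                LOG.info("Certificate is not found in local keystore and will be requested from XKMS (first trying the cache): " + cryptoType.getAlias());
                LOG.log(Level.FINE, "Local keystore lookup by subject DN failed", e);
            }
        }
        return found;
    }

    /** @return true if the alias looks like a QName-style service name (contains '{'). */
    private boolean isServiceName(CryptoType cryptoType) {
        String alias = cryptoType.getAlias();
        // A null alias is reported as IllegalArgumentException by the id lookup, not as an NPE here.
        return alias != null && alias.contains("{");
    }

    /** Builds the cache key {@code issuer + "-" + serial} with the serial in hexadecimal. */
    private String getKeyForIssuerSerial(String issuer, BigInteger serial) {
        return issuer + "-" + serial.toString(16);
    }

    /**
     * Stores one token for the certificate under up to three keys: the explicit {@code key} (if
     * any), the issuer/serial key and the subject name. Duplicate keys are written once.
     *
     * @param certificate the certificate to cache; nothing is stored if null or caching is disabled
     * @param key an additional key (e.g. a lower-cased request id), or null
     * @param validated whether XKMS has validated the certificate
     */
    private void storeCertificateInCache(X509Certificate certificate, String key, boolean validated) {
        if (certificate == null || this.xkmsClientCache == null) {
            return;
        }
        XKMSCacheToken token = new XKMSCacheToken(certificate);
        token.setXkmsValidated(validated);
        if (key != null) {
            this.xkmsClientCache.put(key, token);
        }
        String issuerSerialKey = getKeyForIssuerSerial(
            certificate.getIssuerX500Principal().getName(), certificate.getSerialNumber());
        if (!issuerSerialKey.equals(key)) {
            this.xkmsClientCache.put(issuerSerialKey, token);
        }
        String subjectName = certificate.getSubjectX500Principal().getName();
        if (!subjectName.equals(key)) {
            this.xkmsClientCache.put(subjectName, token);
        }
    }
}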
