package pt.unl.fct.di.novasys.babel.core;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.NoSuchElementException;
import java.util.Properties;
import java.util.Set;
import java.util.function.Supplier;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import pt.unl.fct.di.novasys.babel.core.security.IdFromCertExtractor;
import pt.unl.fct.di.novasys.babel.core.security.IdentityCrypt;
import pt.unl.fct.di.novasys.babel.core.security.IdentityGenerator;
import pt.unl.fct.di.novasys.babel.core.security.IdentityPair;
import pt.unl.fct.di.novasys.babel.core.security.SecretCrypt;
import pt.unl.fct.di.novasys.babel.internal.security.BabelCredentialHandler;
import pt.unl.fct.di.novasys.babel.internal.security.IdAliasMapper;
import pt.unl.fct.di.novasys.babel.internal.security.PeerIdEncoder;
import pt.unl.fct.di.novasys.babel.internal.security.X509BabelKeyManager;
import pt.unl.fct.di.novasys.babel.internal.security.X509BabelTrustManager;
import pt.unl.fct.di.novasys.babel.internal.security.X509CertificateChainPredicate;
import pt.unl.fct.di.novasys.network.security.X509IKeyManager;
import pt.unl.fct.di.novasys.network.security.X509ITrustManager;

/* loaded from: input_file:pt/unl/fct/di/novasys/babel/core/BabelSecurity.class */
public class BabelSecurity {
    private static final Logger logger;
    private static BabelSecurity instance;
    public static final String PREFIX = "babel.security";
    private static final String PAR_KEY_STORE_TYPE = "babel.security.keystore.type";
    private static final String PAR_KEY_STORE_PATH = "babel.security.keystore.path";
    private static final String PAR_KEY_STORE_WRITABLE = "babel.security.keystore.writable";
    private static final String PAR_KEY_STORE_PWD = "babel.security.keystore.password";
    private static final String PAR_KEY_STORE_PROTECTION = "babel.security.keystore.protection_handler";
    private static final String PAR_DEFAULT_ID = "babel.security.keystore.default_identity";
    private static final String PAR_ASYM_KEY_ALG = "babel.security.asym_key_algorithm";
    private static final String PAR_ASYM_KEY_LEN = "babel.security.asym_key_length";
    private static final String PAR_ASYM_KEY_PARAMS = "babel.security.asym_key_parameter_supplier";
    private static final String PAR_ID_EXTRACTOR = "babel.security.identity_extractor";
    private static final String PAR_ID_GENERATOR = "babel.security.identity_generator";
    private static final String PAR_TRUST_STORE_TYPE = "babel.security.truststore.type";
    private static final String PAR_TRUST_STORE_PWD = "babel.security.truststore.password";
    private static final String PAR_TRUST_STORE_PROTECTION = "babel.security.truststore.protection_handler";
    private static final String PAR_TRUST_STORE_PATH = "babel.security.truststore.path";
    private static final String PAR_TRUST_STORE_WRITABLE = "babel.security.truststore.writable";
    private static final String PAR_TRUST_STORE_SAVE_ALL_ENCOUNTERED = "babel.security.truststore.save_all_encountered";
    private static final String PAR_TRUST_MANAGER_POLICY = "babel.security.trustmanager.policy";
    private static final String PAR_TRUST_MANAGER_PERSIST_DISCOVERED_CERTS = "babel.security.trustmanager.persist_discovered_certificates";
    private static final String PAR_TRUST_MANAGER_UNKNOWN_PEER_CALLBACK = "babel.security.trustmanager.unknown_peer_callback";
    private static final String PAR_TRUST_MANAGER_VERIFY_SIGNATURE_CALLBACK = "babel.security.trustmanager.verify_cert_signature_callback";
    private static final String PAR_SECRET_STORE_TYPE = "babel.security.secretstore.type";
    private static final String PAR_SECRET_STORE_PWD = "babel.security.secretstore.password";
    private static final String PAR_SECRET_STORE_PROTECTION = "babel.security.secretstore.protection_handler";
    private static final String PAR_SECRET_STORE_PATH = "babel.security.secretstore.path";
    private static final String DEF_SECRET_STORE_PATH = "babelSecretStore.jks";
    private static final String PAR_SECRET_STORE_WRITABLE = "babel.security.secretstore.writable";
    private static final String PAR_SYM_KEY_ALG = "babel.security.sym_key_algorithm";
    private static final String PAR_SYM_KEY_LEN = "babel.security.secretkey_length";
    private static final String PAR_PBKDF_ALG = "babel.security.pbkdf.algorithm";
    private static final String PAR_PBKDF_PWD = "babel.security.pbkdf.initial_secret_password";
    private static final String PAR_PBKDF_SALT = "babel.security.pbkdf.salt";
    private static final String PAR_PBKDF_ITERATIONS = "babel.security.pbkdf.iterations";
    private static final String PAR_PBKDF_KEY_LEN = "babel.security.pbkdf.key_length";
    public static final String PAR_HASH_ALG = "babel.security.hash_algorithm";
    public static final String PAR_MAC_ALG = "babel.security.mac_algorithm";
    public static final String PAR_CIPHER_TRANSFORM = "babel.security.cipher.transformation";
    public static final String PAR_CIPHER_MODE = "babel.security.cipher.mode";
    public static final String PAR_CIPHER_PADDING = "babel.security.cipher.padding";
    public static final String PAR_CIPHER_IV_SIZE = "babel.security.cipher.iv_size";
    public static final String PAR_CIPHER_PARAM_GEN = "babel.security.cipher.parameter_supplier";
    private KeyStore keyStore;
    private KeyStore ephKeyStore;
    private X509IKeyManager keyManager;
    private KeyStore trustStore;
    private KeyStore ephTrustStore;
    private X509ITrustManager trustManager;
    private KeyStore secretStore;
    private KeyStore ephSecretStore;
    private final IdAliasMapper idAliasMapper;
    private final SecureRandom keyRng;
    private final SecureRandom nonceRng;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final KeyStore.ProtectionParameter EMPTY_PWD = new KeyStore.PasswordProtection(new char[0]);
    private String keyStoreType = "PKCS12";
    private String keyStoreLoadPath = "babelKeyStore.jks";
    private String keyStoreWritePath = null;
    private KeyStore.ProtectionParameter keyStoreProtection = this.EMPTY_PWD;
    private String asymKeyAlgorithm = "RSA";
    private int asymKeyLength = 2048;
    private AlgorithmParameterSpec asymKeyParameters = new RSAKeyGenParameterSpec(this.asymKeyLength, RSAKeyGenParameterSpec.F4);
    private IdFromCertExtractor identityExtractor = new BabelCredentialHandler();
    private IdentityGenerator identityGenerator = (BabelCredentialHandler) this.identityExtractor;
    private String trustStoreType = "PKCS12";
    private KeyStore.ProtectionParameter trustStoreProtection = this.EMPTY_PWD;
    private String trustStoreLoadPath = "babelTrustStore.jks";
    private String trustStoreWritePath = null;
    private boolean trustStoreSaveAll = true;
    private X509BabelTrustManager.TrustPolicy trustManagerPolicy = X509BabelTrustManager.TrustPolicy.UNKNOWN;
    private boolean trustManagerPersistCerts = false;
    private X509CertificateChainPredicate trustManagerUknownPeerCallback = (x509CertificateArr, bArr) -> {
        return false;
    };
    private X509CertificateChainPredicate trustManagerVerifySignatureCallback = (x509CertificateArr, bArr) -> {
        try {
            x509CertificateArr[0].verify(x509CertificateArr[0].getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            throw new CertificateException("Failed self-signed certificate verification.", e);
        }
    };
    private String secretStoreType = "PKCS12";
    private KeyStore.ProtectionParameter secretStoreProtection = this.EMPTY_PWD;
    private String secretStoreLoadPath = null;
    private String secretStoreWritePath = null;
    private String symKeyAlgorithm = "AES";
    private int symKeyLength = 128;
    private String pbkdfAlgorithm = "PBKDF2WithHmacSHA256";
    private String pbkdfPassword = null;
    private byte[] pbkdfSalt = "Babel sa(u)lt defa(u)lt! You (or I?) should change this!!!".getBytes();
    private int pbkdfIterations = 131072;
    private int pbkdfKeyLength = 256;
    private String hashAlgorithm = "SHA256";
    private String macAlgorithm = null;
    private String cipherTransform = null;
    private String cipherMode = "GCM";
    private String cipherPadding = "NoPadding";
    private Supplier<AlgorithmParameterSpec> cipherParameterSupplier = () -> {
        return new GCMParameterSpec(128, generateIv(12));
    };
    public final Provider PROVIDER = new BouncyCastleProvider();

    /* JADX INFO: Access modifiers changed from: private */
    @FunctionalInterface
    /* loaded from: input_file:pt/unl/fct/di/novasys/babel/core/BabelSecurity$KeyStorePredicate.class */
    public interface KeyStorePredicate {
        boolean test(KeyStore keyStore) throws KeyStoreException;
    }

    public static synchronized BabelSecurity getInstance() {
        if (instance == null) {
            instance = new BabelSecurity();
        }
        return instance;
    }

    private BabelSecurity() {
        Security.addProvider(this.PROVIDER);
        try {
            this.keyRng = SecureRandom.getInstance("DEFAULT", this.PROVIDER);
            this.nonceRng = SecureRandom.getInstance("NonceAndIV", this.PROVIDER);
            this.idAliasMapper = new IdAliasMapper();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    public synchronized KeyStore getKeyStore() {
        if (this.keyStore == null) {
            try {
                this.keyStore = loadOrCreateStore(this.keyStoreLoadPath, this.keyStoreType, this.keyStoreProtection);
                if (this.keyStore.size() == 0) {
                    logger.debug("Empty key store loaded. Generating an identity...");
                    generateIdentityWithAliasPrefix(true, "babel");
                } else {
                    logger.debug("Non-empty key store loaded. Analyzing its private key entries...");
                    this.idAliasMapper.populateFromPrivateKeyStore(this.keyStore, this.keyStoreProtection, this.identityExtractor);
                }
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.keyStore;
    }

    public synchronized KeyStore getEphemeralKeyStore() {
        if (this.ephKeyStore == null) {
            try {
                logger.debug("Creating new ephemeral key store with an auto-generated identity.");
                this.ephKeyStore = KeyStore.Builder.newInstance(this.keyStoreType, null, this.EMPTY_PWD).getKeyStore();
                generateIdentityWithAliasPrefix(false, "babel");
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.ephKeyStore;
    }

    public synchronized X509IKeyManager getKeyManager() {
        if (this.keyManager == null) {
            try {
                this.keyManager = new X509BabelKeyManager(this.keyStoreProtection, this.idAliasMapper, getKeyStore(), getEphemeralKeyStore());
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.keyManager;
    }

    public synchronized KeyStore getTrustStore() {
        if (this.trustStore == null) {
            try {
                this.trustStore = loadOrCreateStore(this.trustStoreLoadPath, this.trustStoreType, this.trustStoreProtection);
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.trustStore;
    }

    public synchronized KeyStore getEphemeralTrustStore() {
        if (this.ephTrustStore == null) {
            try {
                logger.debug("Creating new ephemeral trust store");
                this.ephTrustStore = KeyStore.Builder.newInstance(this.trustStoreType, null, this.EMPTY_PWD).getKeyStore();
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.ephTrustStore;
    }

    public synchronized X509ITrustManager getTrustManager() {
        if (this.trustManager == null) {
            try {
                this.trustManager = new X509BabelTrustManager(this.identityExtractor, List.of(getTrustStore(), getEphemeralTrustStore()), this.trustManagerPolicy, this.trustManagerUknownPeerCallback, this.trustManagerPersistCerts ? getTrustStore() : getEphemeralTrustStore(), this.trustManagerVerifySignatureCallback);
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.trustManager;
    }

    public synchronized KeyStore getSecretStore() {
        if (this.secretStore == null) {
            try {
                this.secretStore = loadOrCreateStore(this.secretStoreLoadPath, this.secretStoreType, this.secretStoreProtection);
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.secretStore;
    }

    public synchronized KeyStore getEphemeralSecretStore() {
        if (this.ephSecretStore == null) {
            try {
                logger.debug("Creating new ephemeral trust store");
                this.ephSecretStore = KeyStore.Builder.newInstance(this.secretStoreType, null, this.EMPTY_PWD).getKeyStore();
            } catch (KeyStoreException e) {
                throw new AssertionError(e);
            }
        }
        return this.ephSecretStore;
    }

    private static KeyStore loadOrCreateStore(String str, String str2, KeyStore.ProtectionParameter protectionParameter) throws KeyStoreException {
        logger.debug("Loading (or creating) a key store from " + str);
        File file = str != null ? new File(str) : null;
        return (file == null || !file.exists()) ? KeyStore.Builder.newInstance(str2, null, protectionParameter).getKeyStore() : KeyStore.Builder.newInstance(file, protectionParameter).getKeyStore();
    }

    public byte[] generateIv(int i) {
        byte[] bArr = new byte[i];
        this.nonceRng.nextBytes(bArr);
        return bArr;
    }

    public IvParameterSpec generateIvParam(int i) {
        return new IvParameterSpec(generateIv(i));
    }

    public SecureRandom getSecureRandom() {
        return this.keyRng;
    }

    public KeyPair generateKeyPair() {
        KeyPairGenerator keyPairGenerator;
        try {
            keyPairGenerator = KeyPairGenerator.getInstance(this.asymKeyAlgorithm, this.PROVIDER);
        } catch (NoSuchAlgorithmException e) {
            try {
                keyPairGenerator = KeyPairGenerator.getInstance(this.asymKeyAlgorithm);
            } catch (NoSuchAlgorithmException e2) {
                throw new AssertionError(e2);
            }
        }
        try {
            if (this.asymKeyParameters != null) {
                keyPairGenerator.initialize(this.asymKeyParameters, this.keyRng);
            } else {
                keyPairGenerator.initialize(this.asymKeyLength, this.keyRng);
            }
            return keyPairGenerator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException e3) {
            throw new AssertionError(e3);
        }
    }

    private char[] getPassword(KeyStore.ProtectionParameter protectionParameter, String str) throws IOException, UnsupportedCallbackException {
        if (protectionParameter instanceof KeyStore.PasswordProtection) {
            return ((KeyStore.PasswordProtection) protectionParameter).getPassword();
        }
        if (!(protectionParameter instanceof KeyStore.CallbackHandlerProtection)) {
            return null;
        }
        PasswordCallback passwordCallback = new PasswordCallback("Password for " + str, false);
        ((KeyStore.CallbackHandlerProtection) protectionParameter).getCallbackHandler().handle(new Callback[]{passwordCallback});
        return passwordCallback.getPassword();
    }

    public boolean verifySignature(byte[] bArr, PublicKey publicKey, byte[]... bArr2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        return initVerifySignature(publicKey, bArr2).verify(bArr);
    }

    public boolean verifySignature(byte[] bArr, PublicKey publicKey, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        return initVerifySignature(publicKey, byteBuffer).verify(bArr);
    }

    public boolean verifySignature(byte[] bArr, byte[] bArr2, byte[]... bArr3) throws NoSuchAlgorithmException, SignatureException, NoSuchElementException, InvalidKeyException {
        Signature initVerifySignature;
        Certificate trustedCertificate = getTrustedCertificate(bArr2);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr2)));
        }
        if (trustedCertificate instanceof X509Certificate) {
            X509Certificate x509Certificate = (X509Certificate) trustedCertificate;
            initVerifySignature = initVerifySignature(x509Certificate.getSigAlgName(), x509Certificate.getPublicKey(), bArr3);
        } else {
            initVerifySignature = initVerifySignature(trustedCertificate.getPublicKey(), bArr3);
        }
        return initVerifySignature.verify(bArr);
    }

    public boolean verifySignature(byte[] bArr, byte[] bArr2, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, SignatureException, NoSuchElementException, InvalidKeyException {
        Signature initVerifySignature;
        Certificate trustedCertificate = getTrustedCertificate(bArr2);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr2)));
        }
        if (trustedCertificate instanceof X509Certificate) {
            X509Certificate x509Certificate = (X509Certificate) trustedCertificate;
            initVerifySignature = initVerifySignature(x509Certificate.getSigAlgName(), x509Certificate.getPublicKey(), byteBuffer);
        } else {
            initVerifySignature = initVerifySignature(trustedCertificate.getPublicKey(), byteBuffer);
        }
        return initVerifySignature.verify(bArr);
    }

    public boolean verifySignature(String str, byte[] bArr, PublicKey publicKey, byte[]... bArr2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        return initVerifySignature(str, publicKey, bArr2).verify(bArr);
    }

    public boolean verifySignature(String str, byte[] bArr, PublicKey publicKey, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        return initVerifySignature(str, publicKey, byteBuffer).verify(bArr);
    }

    public boolean verifySignature(String str, byte[] bArr, byte[] bArr2, byte[]... bArr3) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchElementException {
        Certificate trustedCertificate = getTrustedCertificate(bArr2);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr2)));
        }
        return initVerifySignature(str, trustedCertificate.getPublicKey(), bArr3).verify(bArr);
    }

    public boolean verifySignature(String str, byte[] bArr, byte[] bArr2, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchElementException {
        Certificate trustedCertificate = getTrustedCertificate(bArr2);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr2)));
        }
        return initVerifySignature(str, trustedCertificate.getPublicKey(), byteBuffer).verify(bArr);
    }

    public Signature initVerifySignature(byte[] bArr, byte[]... bArr2) throws NoSuchAlgorithmException, InvalidKeyException {
        Certificate trustedCertificate = getTrustedCertificate(bArr);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr)));
        }
        if (!(trustedCertificate instanceof X509Certificate)) {
            return initVerifySignature(trustedCertificate.getPublicKey(), bArr2);
        }
        X509Certificate x509Certificate = (X509Certificate) trustedCertificate;
        return initVerifySignature(x509Certificate.getSigAlgName(), x509Certificate.getPublicKey(), bArr2);
    }

    public Signature initVerifySignature(byte[] bArr, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchElementException {
        Certificate trustedCertificate = getTrustedCertificate(bArr);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr)));
        }
        if (!(trustedCertificate instanceof X509Certificate)) {
            return initVerifySignature(trustedCertificate.getPublicKey(), byteBuffer);
        }
        X509Certificate x509Certificate = (X509Certificate) trustedCertificate;
        return initVerifySignature(x509Certificate.getSigAlgName(), x509Certificate.getPublicKey(), byteBuffer);
    }

    public Signature initVerifySignature(PublicKey publicKey, byte[]... bArr) throws NoSuchAlgorithmException, InvalidKeyException {
        return initVerifySignature(getSignatureAlgorithmFor(publicKey.getAlgorithm()), publicKey, bArr);
    }

    public Signature initVerifySignature(PublicKey publicKey, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException {
        return initVerifySignature(getSignatureAlgorithmFor(publicKey.getAlgorithm()), publicKey, byteBuffer);
    }

    public Signature initVerifySignature(String str, byte[] bArr, byte[]... bArr2) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchElementException {
        Certificate trustedCertificate = getTrustedCertificate(bArr);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr)));
        }
        return initVerifySignature(str, trustedCertificate.getPublicKey(), bArr2);
    }

    public Signature initVerifySignature(String str, byte[] bArr, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException, NoSuchElementException {
        Certificate trustedCertificate = getTrustedCertificate(bArr);
        if (trustedCertificate == null) {
            throw new NoSuchElementException("No known certificate for %s that can be used to verify the signature".formatted(PeerIdEncoder.encodeToString(bArr)));
        }
        return initVerifySignature(str, trustedCertificate.getPublicKey(), byteBuffer);
    }

    public Signature initVerifySignature(String str, PublicKey publicKey, byte[]... bArr) throws NoSuchAlgorithmException, InvalidKeyException {
        Signature signature;
        try {
            signature = Signature.getInstance(str, this.PROVIDER);
        } catch (NoSuchAlgorithmException e) {
            signature = Signature.getInstance(str);
        }
        signature.initVerify(publicKey);
        try {
            for (byte[] bArr2 : bArr) {
                signature.update(bArr2);
            }
            return signature;
        } catch (SignatureException e2) {
            throw new AssertionError(e2);
        }
    }

    public Signature initVerifySignature(String str, PublicKey publicKey, ByteBuffer byteBuffer) throws NoSuchAlgorithmException, InvalidKeyException {
        Signature signature;
        try {
            signature = Signature.getInstance(str, this.PROVIDER);
        } catch (NoSuchAlgorithmException e) {
            signature = Signature.getInstance(str);
        }
        signature.initVerify(publicKey);
        try {
            signature.update(byteBuffer);
            return signature;
        } catch (SignatureException e2) {
            throw new AssertionError(e2);
        }
    }

    public Pair<KeyStore.PrivateKeyEntry, String> deleteIdentity(byte[] bArr) throws UnrecoverableEntryException {
        Pair<KeyStore.PrivateKeyEntry, String> of;
        synchronized (this.idAliasMapper) {
            String alias = this.idAliasMapper.getAlias(bArr);
            Pair<KeyStore.PrivateKeyEntry, byte[]> deleteIdentity = deleteIdentity(alias);
            if (!$assertionsDisabled && !Arrays.equals(deleteIdentity.getRight(), bArr)) {
                throw new AssertionError();
            }
            of = Pair.of(deleteIdentity.getLeft(), alias);
        }
        return of;
    }

    public Pair<KeyStore.PrivateKeyEntry, byte[]> deleteIdentity(String str) throws UnrecoverableEntryException {
        synchronized (this.idAliasMapper) {
            try {
                Pair<KeyStore, KeyStore.ProtectionParameter> chooseKeyStore = chooseKeyStore(keyStore -> {
                    return keyStore.containsAlias(str);
                });
                KeyStore left = chooseKeyStore.getLeft();
                try {
                    KeyStore.Entry entry = left.getEntry(str, chooseKeyStore.getRight());
                    if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                        return null;
                    }
                    left.deleteEntry(str);
                    return Pair.of((KeyStore.PrivateKeyEntry) entry, this.idAliasMapper.removeAlias(str));
                } catch (NoSuchAlgorithmException e) {
                    left.deleteEntry(str);
                    return Pair.of(null, this.idAliasMapper.removeAlias(str));
                }
            } catch (KeyStoreException e2) {
                throw new AssertionError(e2);
            }
        }
    }

    public IdentityCrypt generateIdentity(boolean z) {
        try {
            return addIdentity(z, this.identityGenerator.generateRandomCredentials());
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    public IdentityCrypt generateIdentityWithAliasPrefix(boolean z, String str) {
        try {
            return addIdentityWithAliasPrefix(z, str, this.identityGenerator.generateRandomCredentials());
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    public IdentityCrypt generateIdentity(boolean z, String str) {
        try {
            return addIdentity(z, str, this.identityGenerator.generateRandomCredentials());
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    public IdentityCrypt generateIdentity(boolean z, KeyPair keyPair) throws NoSuchAlgorithmException {
        return addIdentity(z, this.identityGenerator.generateCredentials(keyPair));
    }

    public IdentityCrypt generateIdentityWithAliasPrefix(boolean z, String str, KeyPair keyPair) throws NoSuchAlgorithmException {
        return addIdentityWithAliasPrefix(z, str, this.identityGenerator.generateCredentials(keyPair));
    }

    public IdentityCrypt generateIdentity(boolean z, String str, KeyPair keyPair) throws NoSuchAlgorithmException {
        return addIdentity(z, str, this.identityGenerator.generateCredentials(keyPair));
    }

    public IdentityCrypt addIdentity(boolean z, KeyStore.PrivateKeyEntry privateKeyEntry) throws NoSuchAlgorithmException {
        return addIdentity(z, null, privateKeyEntry);
    }

    public IdentityCrypt addIdentityWithAliasPrefix(boolean z, String str, KeyStore.PrivateKeyEntry privateKeyEntry) throws NoSuchAlgorithmException {
        try {
            byte[] extractIdentity = this.identityExtractor.extractIdentity(privateKeyEntry.getCertificate());
            String str2 = str + "." + PeerIdEncoder.encodeToString(extractIdentity);
            addIdentity(z, str2, extractIdentity, privateKeyEntry);
            return getIdentityCrypt(str2, extractIdentity, privateKeyEntry);
        } catch (CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    public IdentityCrypt addIdentity(boolean z, String str, KeyStore.PrivateKeyEntry privateKeyEntry) throws NoSuchAlgorithmException {
        try {
            byte[] extractIdentity = this.identityExtractor.extractIdentity(privateKeyEntry.getCertificate());
            String encodeToString = str == null ? PeerIdEncoder.encodeToString(extractIdentity) : str;
            addIdentity(z, encodeToString, extractIdentity, privateKeyEntry);
            return getIdentityCrypt(encodeToString, extractIdentity, privateKeyEntry);
        } catch (CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    public IdentityCrypt getDefaultIdentityCrypt() throws NoSuchAlgorithmException, UnrecoverableEntryException {
        IdentityPair identityPair = this.idAliasMapper.getDefault();
        return identityPair != null ? getIdentityCrypt(identityPair.alias(), identityPair.identity()) : generateIdentity(false);
    }

    public IdentityCrypt getIdentityCrypt(String str) throws NoSuchAlgorithmException, UnrecoverableEntryException {
        byte[] id = this.idAliasMapper.getId(str);
        if (id == null) {
            return null;
        }
        return getIdentityCrypt(str, id);
    }

    public IdentityCrypt getIdentityCrypt(byte[] bArr) throws NoSuchAlgorithmException, UnrecoverableEntryException {
        String alias = this.idAliasMapper.getAlias(bArr);
        if (alias == null) {
            return null;
        }
        return getIdentityCrypt(alias, bArr);
    }

    public Set<IdentityPair> getAllIdentities() {
        try {
            HashSet hashSet = new HashSet(getKeyStore().size() + getEphemeralKeyStore().size());
            getKeyStore().aliases().asIterator().forEachRemaining(str -> {
                hashSet.add(new IdentityPair(str, this.idAliasMapper.getId(str)));
            });
            getEphemeralKeyStore().aliases().asIterator().forEachRemaining(str2 -> {
                hashSet.add(new IdentityPair(str2, this.idAliasMapper.getId(str2)));
            });
            return hashSet;
        } catch (KeyStoreException e) {
            throw new AssertionError(e);
        }
    }

    public Set<IdentityPair> getAllIdentitiesWithPrefix(String str) {
        try {
            HashSet hashSet = new HashSet(getKeyStore().size() + getEphemeralKeyStore().size());
            for (Enumeration enumeration : List.of(getKeyStore().aliases(), getEphemeralKeyStore().aliases())) {
                while (enumeration.hasMoreElements()) {
                    String str2 = (String) enumeration.nextElement();
                    if (str2.startsWith(str + ".")) {
                        hashSet.add(new IdentityPair(str2, this.idAliasMapper.getId(str2)));
                    }
                }
            }
            return hashSet;
        } catch (KeyStoreException e) {
            throw new AssertionError(e);
        }
    }

    public String getIdentityAlias(byte[] bArr) {
        return this.idAliasMapper.getAlias(bArr);
    }

    public byte[] getAliasIdentity(String str) {
        return this.idAliasMapper.getId(str);
    }

    public IdentityPair getDefaultIdentity() {
        getKeyStore();
        return this.idAliasMapper.getDefault();
    }

    private void addIdentity(boolean z, String str, byte[] bArr, KeyStore.PrivateKeyEntry privateKeyEntry) {
        synchronized (this.idAliasMapper) {
            try {
                Pair<KeyStore, KeyStore.ProtectionParameter> chooseKeyStore = chooseKeyStore(keyStore -> {
                    return z;
                });
                KeyStore left = chooseKeyStore.getLeft();
                KeyStore.ProtectionParameter right = chooseKeyStore.getRight();
                this.idAliasMapper.put(str, bArr);
                left.setEntry(str, privateKeyEntry, right);
                if (z && this.keyStoreWritePath != null) {
                    left.store(new FileOutputStream(this.keyStoreWritePath), getPassword(this.keyStoreProtection, this.keyStoreWritePath));
                }
            } catch (IOException | NoSuchAlgorithmException | CertificateException | UnsupportedCallbackException e) {
                logger.error("Couldn't persist key store to {} after adding identity {}. Cause: {}", this.keyStoreWritePath, str, e);
            } catch (KeyStoreException e2) {
                throw new RuntimeException(e2);
            }
        }
    }

    private IdentityCrypt getIdentityCrypt(String str, byte[] bArr) throws NoSuchAlgorithmException, UnrecoverableEntryException {
        return getIdentityCrypt(str, bArr, (String) null);
    }

    private IdentityCrypt getIdentityCrypt(String str, byte[] bArr, String str2) throws NoSuchAlgorithmException, UnrecoverableEntryException {
        try {
            Pair<KeyStore, KeyStore.ProtectionParameter> chooseKeyStore = chooseKeyStore(keyStore -> {
                return keyStore.containsAlias(str);
            });
            KeyStore.Entry entry = chooseKeyStore.getLeft().getEntry(str, chooseKeyStore.getRight());
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                return null;
            }
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            return str2 == null ? getIdentityCrypt(str, bArr, privateKeyEntry) : getIdentityCrypt(str, bArr, privateKeyEntry, str2);
        } catch (KeyStoreException e) {
            throw new AssertionError(e);
        }
    }

    private IdentityCrypt getIdentityCrypt(String str, byte[] bArr, KeyStore.PrivateKeyEntry privateKeyEntry) throws NoSuchAlgorithmException {
        return getIdentityCrypt(str, bArr, privateKeyEntry, getSignatureAlgorithmFor(privateKeyEntry.getPrivateKey().getAlgorithm()));
    }

    private IdentityCrypt getIdentityCrypt(String str, byte[] bArr, KeyStore.PrivateKeyEntry privateKeyEntry, String str2) throws NoSuchAlgorithmException {
        return new IdentityCrypt(str, bArr, privateKeyEntry.getPrivateKey(), privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getCertificateChain(), str2);
    }

    public String getSignatureAlgorithmFor(String str) throws NoSuchAlgorithmException {
        if (str.equals("EdDSA")) {
            return "EdDSA";
        }
        String str2 = this.hashAlgorithm + "WITH" + str;
        if (Security.getAlgorithms("Signature").contains(str2.toUpperCase())) {
            return str2;
        }
        throw new NoSuchAlgorithmException("No such Signature algorithm: " + str2);
    }

    private Pair<KeyStore, KeyStore.ProtectionParameter> chooseKeyStore(KeyStorePredicate keyStorePredicate) throws KeyStoreException {
        KeyStore keyStore = getKeyStore();
        return keyStorePredicate.test(keyStore) ? Pair.of(keyStore, this.keyStoreProtection) : Pair.of(getEphemeralKeyStore(), this.EMPTY_PWD);
    }

    public void addTrustedCertificate(boolean z, Certificate certificate) throws KeyStoreException, CertificateException {
        KeyStore trustStore = z ? getTrustStore() : getEphemeralTrustStore();
        String encodeToString = PeerIdEncoder.encodeToString(this.identityExtractor.extractIdentity(certificate));
        synchronized (trustStore) {
            trustStore.setCertificateEntry(encodeToString, certificate);
            if (z && this.trustStoreWritePath != null) {
                try {
                    trustStore.store(new FileOutputStream(this.trustStoreWritePath), getPassword(this.trustStoreProtection, this.trustStoreWritePath));
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | UnsupportedCallbackException e) {
                    logger.error("Couldn't persist trust store to {} after adding trusted certificate {}. Cause: {}", this.trustStoreWritePath, encodeToString, e);
                }
            }
        }
    }

    public void addTrustedPeerIdentity(byte[] bArr) {
        getTrustManager().addTrustedId(bArr);
    }

    public void removeTrustedPeerIdentity(byte[] bArr) {
        getTrustManager().removeTrustedId(bArr);
    }

    public Certificate getTrustedCertificate(byte[] bArr) {
        Certificate trustedCertificateFrom = getTrustedCertificateFrom(getTrustStore(), bArr);
        return trustedCertificateFrom != null ? trustedCertificateFrom : getTrustedCertificateFrom(getEphemeralTrustStore(), bArr);
    }

    public boolean setTrustManagerPolicy(X509BabelTrustManager.TrustPolicy trustPolicy) {
        X509ITrustManager trustManager = getTrustManager();
        if (!(trustManager instanceof X509BabelTrustManager)) {
            return false;
        }
        ((X509BabelTrustManager) trustManager).setTrustPolicy(trustPolicy);
        return true;
    }

    private Certificate getTrustedCertificateFrom(KeyStore keyStore, byte[] bArr) {
        try {
            Certificate certificate = keyStore.getCertificate(PeerIdEncoder.encodeToString(bArr));
            if (certificate == null) {
                return null;
            }
            if (Arrays.equals(this.identityExtractor.extractIdentity(certificate), bArr)) {
                return certificate;
            }
            return null;
        } catch (KeyStoreException | CertificateException e) {
            return null;
        }
    }

    public SecretCrypt generateSecretFromPasswordWithAliasPrefix(boolean z, String str, String str2) {
        try {
            return addSecretWithAliasPrefix(z, str, applyPBKDF(str2.toCharArray(), this.pbkdfSalt));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("PBKDF algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecretFromPasswordWithAliasPrefix(boolean z, String str, String str2, byte[] bArr) {
        try {
            return addSecretWithAliasPrefix(z, str, applyPBKDF(str2.toCharArray(), bArr));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("PBKDF algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecretFromPassword(boolean z, String str, String str2) {
        try {
            return addSecret(z, str, applyPBKDF(str2.toCharArray(), this.pbkdfSalt));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("PBKDF algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecretFromPassword(boolean z, String str, String str2, byte[] bArr) {
        try {
            return addSecret(z, str, applyPBKDF(str2.toCharArray(), bArr));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("PBKDF algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecret(boolean z) {
        try {
            return addSecret(z, generateSecretKey());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Generated secret key algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecretWithAliasPrefix(boolean z, String str) {
        try {
            return addSecretWithAliasPrefix(z, str, generateSecretKey());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Generated secret key algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt generateSecret(boolean z, String str) {
        try {
            return addSecret(z, str, generateSecretKey());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Generated secret key algorithm is incompatible with some other configured algorithm: " + e.getMessage(), e);
        }
    }

    public SecretCrypt addSecretWithAliasPrefix(boolean z, String str, SecretKey secretKey) throws NoSuchAlgorithmException {
        return addSecret(z, str + "." + generateSecretAlias(secretKey), secretKey);
    }

    public SecretCrypt addSecret(boolean z, SecretKey secretKey) throws NoSuchAlgorithmException {
        return addSecret(z, generateSecretAlias(secretKey), secretKey);
    }

    public SecretCrypt addSecret(boolean z, String str, SecretKey secretKey) throws NoSuchAlgorithmException {
        try {
            Pair<KeyStore, KeyStore.ProtectionParameter> chooseSecretStore = chooseSecretStore(keyStore -> {
                return z;
            });
            KeyStore left = chooseSecretStore.getLeft();
            synchronized (left) {
                left.setEntry(str, new KeyStore.SecretKeyEntry(secretKey), chooseSecretStore.getRight());
                if (z && this.keyStoreWritePath != null) {
                    left.store(new FileOutputStream(this.secretStoreWritePath), getPassword(this.secretStoreProtection, this.secretStoreWritePath));
                }
            }
        } catch (IOException | NoSuchAlgorithmException | CertificateException | UnsupportedCallbackException e) {
            logger.error("Couldn't persist secret store to {} after adding secret {}. Cause: {}", this.secretStoreWritePath, str, e);
        } catch (KeyStoreException e2) {
            throw new RuntimeException(e2);
        }
        return getSecretCrypt(str, secretKey);
    }

    public SecretCrypt getSecretCrypt(String str) throws NoSuchAlgorithmException, UnrecoverableEntryException {
        try {
            Pair<KeyStore, KeyStore.ProtectionParameter> chooseSecretStore = chooseSecretStore(keyStore -> {
                return keyStore.containsAlias(str);
            });
            KeyStore.Entry entry = chooseSecretStore.getLeft().getEntry(str, chooseSecretStore.getRight());
            if (entry instanceof KeyStore.SecretKeyEntry) {
                return getSecretCrypt(str, ((KeyStore.SecretKeyEntry) entry).getSecretKey());
            }
            return null;
        } catch (KeyStoreException e) {
            throw new AssertionError(e);
        }
    }

    private SecretCrypt getSecretCrypt(String str, SecretKey secretKey) throws NoSuchAlgorithmException {
        String str2 = this.macAlgorithm == null ? "Hmac" + this.hashAlgorithm : this.macAlgorithm;
        return this.cipherTransform == null ? new SecretCrypt(str, secretKey, str2, this.cipherMode, this.cipherPadding, this.cipherParameterSupplier) : new SecretCrypt(str, secretKey, str2, this.cipherTransform, this.cipherParameterSupplier);
    }

    private SecretKey generateSecretKey() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(this.symKeyAlgorithm);
            keyGenerator.init(this.symKeyLength, this.keyRng);
            return keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    private Pair<KeyStore, KeyStore.ProtectionParameter> chooseSecretStore(KeyStorePredicate keyStorePredicate) throws KeyStoreException {
        KeyStore secretStore = getSecretStore();
        return keyStorePredicate.test(secretStore) ? Pair.of(secretStore, this.secretStoreProtection) : Pair.of(getEphemeralSecretStore(), this.EMPTY_PWD);
    }

    private String generateSecretAlias(SecretKey secretKey) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(this.hashAlgorithm);
            messageDigest.update(secretKey.getEncoded());
            return Base64.getEncoder().encodeToString(messageDigest.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    private SecretKey applyPBKDF(char[] cArr, byte[] bArr) {
        SecretKeyFactory secretKeyFactory;
        try {
            secretKeyFactory = SecretKeyFactory.getInstance(this.pbkdfAlgorithm, this.PROVIDER);
        } catch (NoSuchAlgorithmException e) {
            try {
                secretKeyFactory = SecretKeyFactory.getInstance(this.pbkdfAlgorithm);
            } catch (NoSuchAlgorithmException e2) {
                throw new AssertionError(e2);
            }
        }
        try {
            return new SecretKeySpec(secretKeyFactory.generateSecret(new PBEKeySpec(cArr, bArr, this.pbkdfIterations, this.pbkdfKeyLength)).getEncoded(), this.symKeyAlgorithm);
        } catch (InvalidKeySpecException e3) {
            throw new AssertionError(e3);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized void loadConfig(Properties properties) {
        if (this.keyStore != null || this.ephKeyStore != null || this.trustStore != null || this.ephTrustStore != null || this.secretStore != null || this.ephSecretStore != null) {
            logger.warn("Loading configuration after one of the key stores was already loaded. This might lead to unexpected behaviour.");
        }
        this.keyStoreType = properties.getProperty(PAR_KEY_STORE_TYPE, this.keyStoreType);
        this.keyStoreLoadPath = properties.getProperty(PAR_KEY_STORE_PATH, this.keyStoreLoadPath);
        String property = properties.getProperty(PAR_KEY_STORE_WRITABLE);
        this.keyStoreWritePath = (property == null || property.equals("false")) ? null : property.equals("true") ? this.keyStoreLoadPath : property;
        String property2 = properties.getProperty(PAR_KEY_STORE_PWD);
        this.keyStoreProtection = property2 != null ? new KeyStore.PasswordProtection(property2.toCharArray()) : (KeyStore.ProtectionParameter) loadClassParameter(KeyStore.ProtectionParameter.class, properties, PAR_KEY_STORE_PROTECTION, this.keyStoreProtection);
        String property3 = properties.getProperty(PAR_DEFAULT_ID);
        if (property3 != null) {
            this.idAliasMapper.setDefaultAlias(property3);
        }
        this.identityExtractor = (IdFromCertExtractor) loadClassParameter(IdFromCertExtractor.class, properties, PAR_ID_EXTRACTOR, this.identityExtractor);
        this.identityGenerator = (IdentityGenerator) loadClassParameter(IdentityGenerator.class, properties, PAR_ID_GENERATOR, this.identityGenerator);
    }

    private static <T> T loadClassParameter(Class<T> cls, Properties properties, String str, T t) {
        String property = properties.getProperty(str);
        if (property == null) {
            return t;
        }
        try {
            return (T) Class.forName(property).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
        } catch (Exception e) {
            logger.error("Failed loading {} paremeter {}. Using default. Cause: {}", str, property, e);
            return t;
        }
    }

    static {
        $assertionsDisabled = !BabelSecurity.class.desiredAssertionStatus();
        logger = LogManager.getLogger((Class<?>) BabelSecurity.class);
    }
}
