package com.cvicse.gmssl.adapter;

import com.cvicse.inforsuite.log.logging.Log;
import com.cvicse.inforsuite.log.logging.LogFactory;
import com.cvicse.inforsuite.util.file.ConfigFileLoader;
import com.cvicse.inforsuite.util.net.SSLContext;
import com.cvicse.inforsuite.util.net.SSLHostConfig;
import com.cvicse.inforsuite.util.net.SSLHostConfigCertificate;
import com.cvicse.inforsuite.util.net.SSLUtil;
import com.cvicse.inforsuite.util.net.jsse.JSSEKeyManager;
import com.cvicse.inforsuite.util.net.jsse.PEMFile;
import com.cvicse.inforsuite.util.res.StringManager;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertPathParameters;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import org.apache.logging.log4j.core.net.ssl.SslConfigurationDefaults;

/* loaded from: input_file:com/cvicse/gmssl/adapter/GMSSLUtil.class */
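/**
 * {@link SSLUtil} implementation that builds a GMSSL (GM/T, SM-algorithm based TLS variant)
 * context from one {@link SSLHostConfigCertificate} and its enclosing {@link SSLHostConfig}.
 *
 * <p>Key material comes from the configured keystore or, when no store can be produced, from
 * PEM certificate / key / chain files that are repackaged into an in-memory JKS store. Trust
 * material comes from the configured truststore — with PKIX path validation and optional CRL
 * based revocation checking — or from a user-supplied {@link TrustManager} class named in the
 * host configuration.
 *
 * <p>The protocol and cipher lists advertised by this utility are fixed to
 * {@code GMSSLv1.1} and {@code ECC_SM4_SM3}.
 *
 * <p>Failures while building key or trust managers are never swallowed: an unusable context is
 * reported to the caller instead of being handed to the connector.
 */
public class GMSSLUtil implements SSLUtil {
    /** Protocol name reported by {@link #getEnabledProtocols()}. */
    private static final String GM_PROTOCOL = "GMSSLv1.1";
    /** Cipher suite name reported by {@link #getEnabledCiphers()}. */
    private static final String GM_CIPHER = "ECC_SM4_SM3";
    /**
     * Alias used for a PEM private key when the configuration names none.
     * NOTE(review): looks like a leftover development value — confirm whether the alias should
     * be mandatory for PEM configurations instead.
     */
    private static final String DEFAULT_PEM_KEY_ALIAS = "test7";
    /** Keystore type used to repackage PEM material in memory. */
    private static final String PEM_REPACK_STORE_TYPE = "jks";
    /** Truststore algorithm that supports CRLs and a maximum verification depth. */
    private static final String PKIX_ALGORITHM = "PKIX";

    private static final Log log = LogFactory.getLog(GMSSLUtil.class);
    private static final StringManager sm = StringManager.getManager(GMSSLUtil.class);

    /** Certificate configuration this utility is bound to. */
    protected final SSLHostConfigCertificate certificate;
    /** Host configuration that owns {@link #certificate}. */
    private final SSLHostConfig sslHostConfig;

    /**
     * Creates a utility bound to one certificate configuration.
     *
     * @param sSLHostConfigCertificate the certificate whose keystore / PEM settings and
     *        enclosing host configuration drive every method of this class; must not be null
     * @throws NullPointerException if {@code sSLHostConfigCertificate} is null
     */
    public GMSSLUtil(SSLHostConfigCertificate sSLHostConfigCertificate) {
        this.certificate = Objects.requireNonNull(sSLHostConfigCertificate, "sSLHostConfigCertificate");
        this.sslHostConfig = this.certificate.getSSLHostConfig();
    }

    /**
     * Builds and initialises a {@link GMSSLASContext} for the configured SSL protocol.
     *
     * <p>A context whose {@code init} failed must never be returned, so any failure while
     * building the key / trust managers or initialising the context is logged and rethrown.
     *
     * @param list negotiable application protocols; not consulted by this implementation
     * @return an initialised context; its server session cache is configured when the
     *         context exposes one with a positive cache size
     * @throws NoSuchAlgorithmException propagated from key / trust manager construction
     * @throws NoSuchProviderException propagated from key / trust manager construction
     * @throws IllegalStateException wrapping any other initialisation failure (cause attached)
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public SSLContext createSSLContext(List<String> list) throws NoSuchAlgorithmException, NoSuchProviderException {
        String protocol = this.sslHostConfig.getSslProtocol();
        GMSSLASContext context = new GMSSLASContext(protocol);
        try {
            context.init(getKeyManagers(), getTrustManagers(), null);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw e;
        } catch (Exception e) {
            // Fail closed. Returning a half-initialised context would only surface later as an
            // opaque handshake failure, with the real cause lost on stderr.
            String msg = "Failed to initialise GMSSL context for protocol [" + protocol + "]";
            log.error(msg, e);
            throw new IllegalStateException(msg, e);
        }
        SSLSessionContext serverSessionContext = context.getServerSessionContext();
        // Only a cache that exists and is enabled (size > 0) takes the configured settings.
        if (serverSessionContext != null && serverSessionContext.getSessionCacheSize() > 0) {
            configureSessionContext(serverSessionContext);
        }
        return context;
    }

    /**
     * Builds the {@link KeyManager}s for this certificate.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>Load the configured keystore; if none is produced, repackage the PEM certificate /
     *       key / chain files into an in-memory JKS store (see {@link #loadPemKeyStore}).</li>
     *   <li>Resolve the key alias: the configured one, which must be a key entry, else the
     *       first key entry in the store (see {@link #resolveKeyAlias}).</li>
     *   <li>If the key is exported as {@code PKCS#8}, copy it into a fresh store of the
     *       configured type so the factory sees a plain key entry under the key password.</li>
     *   <li>Initialise a {@link KeyManagerFactory} with the configured algorithm. When the
     *       configured store is used unchanged, wrap every manager in a {@link JSSEKeyManager}
     *       pinned to the resolved alias.</li>
     * </ol>
     * The key password falls back to the keystore password when none is configured.
     *
     * @return the key managers produced by the factory, possibly wrapped; may be null if the
     *         factory produces none
     * @throws IOException if no certificate file is configured, the configured alias is not a
     *         key entry, the store holds no key entry, or a store cannot be created / loaded
     * @throws Exception any other keystore, PEM parsing or factory failure
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public KeyManager[] getKeyManagers() throws Exception {
        String keyAlias = this.certificate.getCertificateKeyAlias();
        String keyManagerAlgorithm = this.sslHostConfig.getKeyManagerAlgorithm();
        String keyPass = this.certificate.getCertificateKeyPassword();
        if (keyPass == null) {
            keyPass = this.certificate.getCertificateKeystorePassword();
        }
        KeyStore configuredStore = getStore(this.certificate.getCertificateKeystoreType(), (String) null,
                this.certificate.getCertificateKeystoreFile(), this.certificate.getCertificateKeystorePassword());
        char[] keyPassArray = keyPass.toCharArray();
        KeyStore ks = configuredStore;
        if (configuredStore == null) {
            // NOTE(review): getStore() never returns null on the paths visible in this class, so
            // this PEM branch is only reachable if that contract differs elsewhere — confirm.
            ks = loadPemKeyStore(keyAlias, keyPass);
        } else {
            keyAlias = resolveKeyAlias(configuredStore, keyAlias);
            Key key = configuredStore.getKey(keyAlias, keyPassArray);
            if (key != null && "PKCS#8".equalsIgnoreCase(key.getFormat())) {
                // Re-wrap an exportable key in a fresh store of the configured type; getStore()
                // ignores the provider for "jks" and treats null as the default provider.
                String provider = this.certificate.getCertificateKeystoreProvider();
                ks = getStore(this.certificate.getCertificateKeystoreType(), provider);
                ks.load((InputStream) null, (char[]) null);
                ks.setKeyEntry(keyAlias, key, keyPassArray, configuredStore.getCertificateChain(keyAlias));
            }
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(keyManagerAlgorithm);
        keyManagerFactory.init(ks, keyPassArray);
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        // Managers built directly from the configured store are pinned to the resolved alias so
        // a multi-entry store cannot serve a different key than the one configured.
        if (keyManagers != null && ks == configuredStore) {
            String pinnedAlias = keyAlias;
            // JKS stores (SslConfigurationDefaults.KEYSTORE_TYPE) hold aliases lower-cased, so the
            // pinned alias has to match what the factory will actually look up.
            if (SslConfigurationDefaults.KEYSTORE_TYPE.equals(this.certificate.getCertificateKeystoreType())) {
                pinnedAlias = keyAlias.toLowerCase(Locale.ENGLISH);
            }
            for (int i = 0; i < keyManagers.length; i++) {
                keyManagers[i] = new JSSEKeyManager((X509KeyManager) keyManagers[i], pinnedAlias);
            }
        }
        return keyManagers;
    }

    /**
     * Repackages the configured PEM files into an in-memory JKS store with one key entry.
     *
     * <p>The private key is read from the key file when configured, otherwise from the
     * certificate file itself. The chain is the certificate file's certificates followed by
     * those of the optional chain file. Paths are resolved with
     * {@link SSLHostConfig#adjustRelativePath}.
     *
     * @param configuredAlias alias for the key entry, or null to use {@link #DEFAULT_PEM_KEY_ALIAS}
     * @param keyPass password protecting the PEM key; also protects the resulting entry
     * @return a loaded store holding exactly one key entry
     * @throws IOException if no certificate file is configured or the store cannot be created
     * @throws Exception any PEM parsing or keystore failure
     */
    private KeyStore loadPemKeyStore(String configuredAlias, String keyPass) throws Exception {
        String certFile = this.certificate.getCertificateFile();
        if (certFile == null) {
            throw new IOException(sm.getString("jsse.noCertFile"));
        }
        String keyFile = this.certificate.getCertificateKeyFile();
        PEMFile privateKeyPem = new PEMFile(SSLHostConfig.adjustRelativePath(keyFile != null ? keyFile : certFile), keyPass);
        PEMFile certificatePem = new PEMFile(SSLHostConfig.adjustRelativePath(certFile));
        List<Certificate> chain = new ArrayList<>();
        chain.addAll(certificatePem.getCertificates());
        String chainFile = this.certificate.getCertificateChainFile();
        if (chainFile != null) {
            chain.addAll(new PEMFile(SSLHostConfig.adjustRelativePath(chainFile)).getCertificates());
        }
        String alias = configuredAlias != null ? configuredAlias : DEFAULT_PEM_KEY_ALIAS;
        KeyStore ks = getStore(PEM_REPACK_STORE_TYPE, (String) null);
        ks.load((InputStream) null, (char[]) null);
        ks.setKeyEntry(alias, privateKeyPem.getPrivateKey(), keyPass.toCharArray(), chain.toArray(new Certificate[0]));
        return ks;
    }

    /**
     * Returns the alias of the key entry to use from {@code store}.
     *
     * @param store the loaded keystore
     * @param configuredAlias the configured alias, or null to pick the first key entry
     * @return {@code configuredAlias} when given, otherwise the first alias that is a key entry
     * @throws IOException if the configured alias is not a key entry, or the store has no
     *         aliases / no key entry at all
     * @throws KeyStoreException if the store has not been initialised
     */
    private static String resolveKeyAlias(KeyStore store, String configuredAlias) throws IOException, KeyStoreException {
        if (configuredAlias != null) {
            if (!store.isKeyEntry(configuredAlias)) {
                throw new IOException(sm.getString("jsse.alias_no_key_entry", configuredAlias));
            }
            return configuredAlias;
        }
        Enumeration<String> aliases = store.aliases();
        if (!aliases.hasMoreElements()) {
            throw new IOException(sm.getString("jsse.noKeys"));
        }
        while (aliases.hasMoreElements()) {
            String candidate = aliases.nextElement();
            if (store.isKeyEntry(candidate)) {
                return candidate;
            }
        }
        throw new IOException(sm.getString("jsse.alias_no_key_entry", (Object) null));
    }

    /**
     * Builds the {@link TrustManager}s for the host configuration.
     *
     * <ul>
     *   <li>Certificate verification {@code NONE}: an empty array.</li>
     *   <li>A configured {@code trustManagerClassName}: one instance created via its no-arg
     *       constructor (see {@link #instantiateTrustManager}).</li>
     *   <li>Otherwise the truststore is loaded and its entries are checked for validity; a
     *       {@code PKIX} factory is initialised with full path-validation parameters (CRL file,
     *       revocation flag, verification depth), any other algorithm with the bare store — in
     *       which case a configured CRL file is an error and a configured verification depth
     *       is only warned about.</li>
     * </ul>
     *
     * @return the trust managers, an empty array for {@code NONE}, or null when no truststore
     *         is produced
     * @throws InstantiationException if the configured class does not implement {@link TrustManager}
     * @throws CRLException if a CRL file is configured together with a non-PKIX algorithm
     * @throws Exception any class-loading, keystore or factory failure
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public TrustManager[] getTrustManagers() throws Exception {
        if (this.sslHostConfig.getCertificateVerification() == SSLHostConfig.CertificateVerification.NONE) {
            return new TrustManager[0];
        }
        String trustManagerClassName = this.sslHostConfig.getTrustManagerClassName();
        if (trustManagerClassName != null && !trustManagerClassName.isEmpty()) {
            return new TrustManager[] { instantiateTrustManager(trustManagerClassName) };
        }
        KeyStore trustStore = getStore(this.sslHostConfig.getTruststoreType(), null,
                this.sslHostConfig.getTruststoreFile(), this.sslHostConfig.getTruststorePassword());
        if (trustStore == null) {
            return null;
        }
        checkTrustStoreEntries(trustStore);
        String algorithm = this.sslHostConfig.getTruststoreAlgorithm();
        String crlFile = this.sslHostConfig.getCertificateRevocationListFile();
        boolean revocationEnabled = this.sslHostConfig.getRevocationEnabled();
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
        if (PKIX_ALGORITHM.equalsIgnoreCase(algorithm)) {
            trustManagerFactory.init(new CertPathTrustManagerParameters(getParameters(crlFile, trustStore, revocationEnabled)));
            return trustManagerFactory.getTrustManagers();
        }
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        // Only PKIX honours CRLs and a maximum path length; reject / warn so the operator does
        // not believe revocation or depth limits are in effect when they are not.
        if (crlFile != null && !crlFile.isEmpty()) {
            throw new CRLException(sm.getString("jsseUtil.noCrlSupport", algorithm));
        }
        if (this.sslHostConfig.isCertificateVerificationDepthConfigured()) {
            log.warn(sm.getString("jsseUtil.noVerificationDepth", algorithm));
        }
        return trustManagers;
    }

    /**
     * Instantiates a trust manager class named in the host configuration.
     *
     * <p>The class name originates from server-side configuration, not from a peer; it is
     * loaded through this class's class loader and must expose a public no-arg constructor.
     *
     * @param className fully qualified class name
     * @return the new instance
     * @throws InstantiationException if the class does not implement {@link TrustManager}
     * @throws Exception any class-loading or reflective construction failure
     */
    private TrustManager instantiateTrustManager(String className) throws Exception {
        Class<?> clazz = getClass().getClassLoader().loadClass(className);
        if (!TrustManager.class.isAssignableFrom(clazz)) {
            throw new InstantiationException(sm.getString("jsse.invalidTrustManagerClassName", className));
        }
        return (TrustManager) clazz.getConstructor().newInstance();
    }

    /**
     * Reports every trusted certificate entry in {@code keyStore} that is expired or not yet
     * valid, and (at debug level) every entry that is not an X.509 certificate and therefore
     * cannot be checked.
     *
     * <p>This method only logs; an invalid anchor is still loaded. Expired anchors are logged
     * at WARN so an operator gets a signal that peer verification may silently have stopped
     * matching; the exception itself is attached only when debug logging is enabled.
     *
     * @param keyStore the loaded truststore
     * @throws Exception if the store cannot be enumerated or an entry cannot be read
     */
    private void checkTrustStoreEntries(KeyStore keyStore) throws Exception {
        Enumeration<String> aliases = keyStore.aliases();
        if (aliases == null) {
            return;
        }
        Date now = new Date();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!keyStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jsseUtil.trustedCertNotChecked", alias));
                }
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                String msg = sm.getString("jsseUtil.trustedCertNotValid", alias, x509.getSubjectX500Principal(), e.getMessage());
                if (log.isDebugEnabled()) {
                    log.warn(msg, e);
                } else {
                    log.warn(msg);
                }
            }
        }
    }

    /**
     * Applies the configured session cache size and session timeout to {@code sSLSessionContext}.
     *
     * <p>Negative configured values mean "leave the provider default" and are skipped.
     *
     * @param sSLSessionContext the session context to configure
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public void configureSessionContext(SSLSessionContext sSLSessionContext) {
        int cacheSize = this.sslHostConfig.getSessionCacheSize();
        if (cacheSize >= 0) {
            sSLSessionContext.setSessionCacheSize(cacheSize);
        }
        int timeout = this.sslHostConfig.getSessionTimeout();
        if (timeout >= 0) {
            sSLSessionContext.setSessionTimeout(timeout);
        }
    }

    /**
     * Builds PKIX path-validation parameters from the truststore.
     *
     * @param str path of the CRL file; when null or empty, revocation checking follows {@code z}
     * @param keyStore the truststore supplying the trust anchors
     * @param z whether revocation checking is enabled when no CRL file is configured
     * @return parameters with revocation, the CRL certificate store (if any) and the configured
     *         maximum path length applied
     * @throws Exception if the CRLs cannot be read or the parameters cannot be built
     */
    protected CertPathParameters getParameters(String str, KeyStore keyStore, boolean z) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, new X509CertSelector());
        if (str != null && !str.isEmpty()) {
            // A configured CRL file always turns revocation checking on, regardless of the flag.
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(getCRLs(str))));
            params.setRevocationEnabled(true);
        } else {
            params.setRevocationEnabled(z);
        }
        params.setMaxPathLength(this.sslHostConfig.getCertificateVerificationDepth());
        return params;
    }

    /**
     * Reads all X.509 CRLs from a configuration file.
     *
     * @param str path or resource name of the CRL file, opened via {@link ConfigFileLoader}
     * @return the CRLs found, as produced by {@link CertificateFactory#generateCRLs}
     * @throws IOException if the file cannot be opened, read or closed
     * @throws CRLException if the file content is not a valid CRL
     * @throws CertificateException if no X.509 certificate factory is available
     */
    protected Collection<? extends CRL> getCRLs(String str) throws IOException, CRLException, CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        // try-with-resources replaces the decompiled null-guarded close dance; a null stream is
        // simply not closed, as before.
        try (InputStream inputStream = ConfigFileLoader.getInputStream(str)) {
            return certificateFactory.generateCRLs(inputStream);
        }
    }

    /**
     * Returns the protocols this utility enables; always a fresh single-element array.
     *
     * @return {@code {"GMSSLv1.1"}}
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public String[] getEnabledProtocols() {
        return new String[] { GM_PROTOCOL };
    }

    /**
     * Returns the cipher suites this utility enables; always a fresh single-element array.
     *
     * @return {@code {"ECC_SM4_SM3"}}
     */
    @Override // com.cvicse.inforsuite.util.net.SSLUtil
    public String[] getEnabledCiphers() {
        return new String[] { GM_CIPHER };
    }

    /**
     * Creates an uninitialised {@link KeyStore} of the given type.
     *
     * <p>For type {@code jks} the provider is ignored; for any other type it is used when given.
     *
     * @param str keystore type, e.g. {@code jks} or {@code PKCS12}; must not be null
     * @param str2 provider name, or null for the default provider lookup
     * @return a new, not yet loaded store; never null
     * @throws IOException if no provider can supply the requested type (cause attached)
     */
    protected static KeyStore getStore(String str, String str2) throws IOException {
        try {
            if (str.equalsIgnoreCase(PEM_REPACK_STORE_TYPE) || str2 == null) {
                return KeyStore.getInstance(str);
            }
            return KeyStore.getInstance(str, str2);
        } catch (KeyStoreException | NoSuchProviderException e) {
            // Raise here rather than return null: every caller immediately calls load() on the
            // result, so a null would only resurface as a NullPointerException without the cause.
            String msg = "Unable to create a KeyStore of type [" + str + "]"
                    + (str2 == null ? "" : " from provider [" + str2 + "]");
            log.error(msg, e);
            throw new IOException(msg, e);
        }
    }

    /**
     * Creates and loads a {@link KeyStore} from a configuration file.
     *
     * <p>The store is read from {@code str3} unless the type is {@code PKCS11} or the path is
     * empty — those are loaded with a null stream — except that a path of {@code NONE} is
     * always handed to the loader. A null or empty password is passed to {@code load} as null.
     *
     * @param str keystore type
     * @param str2 provider name, or null
     * @param str3 path or resource name of the store, resolved via {@link ConfigFileLoader}
     * @param str4 store password, or null / empty for none
     * @return the loaded store; never null
     * @throws FileNotFoundException if the store file cannot be found
     * @throws IOException on any other I/O failure, or wrapping a security / runtime failure
     *         during creation or loading (logged, cause attached)
     */
    static KeyStore getStore(String str, String str2, String str3, String str4) throws IOException {
        boolean readFromFile = !("PKCS11".equalsIgnoreCase(str) || "".equalsIgnoreCase(str3))
                || "NONE".equalsIgnoreCase(str3);
        char[] password = (str4 != null && !str4.isEmpty()) ? str4.toCharArray() : null;
        try {
            KeyStore store = getStore(str, str2);
            try (InputStream inputStream = readFromFile ? ConfigFileLoader.getInputStream(str3) : null) {
                store.load(inputStream, password);
            }
            return store;
        } catch (GeneralSecurityException | RuntimeException e) {
            // IOExceptions (including FileNotFoundException) propagate untouched; everything
            // else is reported under the keystore-load-failed message with its cause kept.
            String msg = sm.getString("jsse.keystore_load_failed", str, str3, e.getMessage());
            log.error(msg, e);
            throw new IOException(msg, e);
        }
    }
}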
