package com.helger.phoss.smp.security;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.UsedViaReflection;
import com.helger.commons.collection.impl.CommonsArrayList;
import com.helger.commons.exception.InitializationException;
import com.helger.commons.ws.TrustManagerTrustAll;
import com.helger.peppol.utils.PeppolKeyStoreHelper;
import com.helger.phoss.smp.ESMPRESTType;
import com.helger.phoss.smp.config.SMPServerConfiguration;
import com.helger.scope.singleton.AbstractGlobalSingleton;
import com.helger.security.keystore.EKeyStoreLoadError;
import com.helger.security.keystore.KeyStoreHelper;
import com.helger.security.keystore.LoadedKey;
import com.helger.security.keystore.LoadedKeyStore;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.DigestMethodParameterSpec;
import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import org.apache.logging.log4j.core.net.ssl.SslConfigurationDefaults;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/phoss-smp-backend-7.1.4.jar:com/helger/phoss/smp/security/SMPKeyManager.class */
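/**
 * Global singleton holding the SMP server's keystore and the private key entry
 * used for XML signing and for the SSL/TLS client key. The keystore is loaded
 * from {@link SMPServerConfiguration} on first instantiation and can be
 * reloaded at runtime via {@link #reloadFromConfiguration()}.
 * <p>
 * Load state is kept in static fields so that callers can query
 * {@link #isKeyStoreValid()} and the last load error without forcing the
 * singleton to be created.
 */
public final class SMPKeyManager extends AbstractGlobalSingleton {
    private static final Logger LOGGER = LoggerFactory.getLogger(SMPKeyManager.class);
    // true only after both the keystore and the private key entry were loaded successfully
    private static final AtomicBoolean KEY_STORE_VALID = new AtomicBoolean(false);
    // Last load error (code and readable text); both are null while no error is pending
    private static EKeyStoreLoadError s_eInitError;
    private static String s_sInitError;
    // Both are null until a load succeeded, and are reset to null at the start of every (re)load
    private KeyStore m_aKeyStore;
    private KeyStore.PrivateKeyEntry m_aKeyEntry;

    /**
     * Records whether the keystore is usable.
     *
     * @param valid {@code true} when keystore and key entry are loaded
     */
    private static void _setKeyStoreValid(final boolean valid) {
        KEY_STORE_VALID.set(valid);
    }

    /**
     * Records the last load error.
     *
     * @param error error code, or {@code null} to clear
     * @param errorText readable error text, or {@code null} to clear
     */
    private static void _loadError(@Nullable final EKeyStoreLoadError error, @Nullable final String errorText) {
        s_eInitError = error;
        s_sInitError = errorText;
    }

    /**
     * (Re)loads keystore and private key entry from the configuration.
     * <p>
     * The instance fields are cleared first, so a failed load leaves this
     * instance without keystore and key entry (and {@link #isKeyStoreValid()}
     * reporting {@code false}) rather than keeping the previous ones.
     *
     * @throws InitializationException if the keystore or the key entry cannot be loaded;
     *         the error is also retrievable via {@link #getInitializationError()}
     */
    private void _loadKeyStore() {
        _setKeyStoreValid(false);
        _loadError(null, null);
        this.m_aKeyStore = null;
        this.m_aKeyEntry = null;

        final LoadedKeyStore loadedKeyStore = KeyStoreHelper.loadKeyStore(SMPServerConfiguration.getKeyStoreType(),
                                                                          SMPServerConfiguration.getKeyStorePath(),
                                                                          SMPServerConfiguration.getKeyStorePassword());
        if (loadedKeyStore.isFailure()) {
            _loadError(loadedKeyStore.getError(), PeppolKeyStoreHelper.getLoadError(loadedKeyStore));
            throw new InitializationException(s_sInitError);
        }
        this.m_aKeyStore = loadedKeyStore.getKeyStore();

        final LoadedKey<KeyStore.PrivateKeyEntry> loadedKey = KeyStoreHelper.loadPrivateKey(this.m_aKeyStore,
                                                                                             SMPServerConfiguration.getKeyStorePath(),
                                                                                             SMPServerConfiguration.getKeyStoreKeyAlias(),
                                                                                             SMPServerConfiguration.getKeyStoreKeyPassword());
        if (loadedKey.isFailure()) {
            _loadError(loadedKey.getError(), PeppolKeyStoreHelper.getLoadError(loadedKey));
            throw new InitializationException(s_sInitError);
        }
        this.m_aKeyEntry = loadedKey.getKeyEntry();

        // Path and alias only - never log the passwords
        LOGGER.info("SMPKeyManager successfully initialized with keystore '" + SMPServerConfiguration.getKeyStorePath() + "' and alias '" + SMPServerConfiguration.getKeyStoreKeyAlias() + "'");
        _setKeyStoreValid(true);
    }

    /**
     * Only to be invoked by the singleton framework; use {@link #getInstance()}.
     *
     * @throws InitializationException if the configured keystore cannot be loaded
     */
    @Deprecated
    @UsedViaReflection
    public SMPKeyManager() {
        _loadKeyStore();
    }

    /**
     * @return the global singleton instance, created (and the keystore loaded) on first call
     */
    @Nonnull
    public static SMPKeyManager getInstance() {
        return getGlobalSingleton(SMPKeyManager.class);
    }

    /**
     * @return the loaded keystore, or {@code null} if the last load failed
     */
    @Nullable
    public KeyStore getKeyStore() {
        return this.m_aKeyStore;
    }

    /**
     * @return the loaded private key entry, or {@code null} if the last load failed
     */
    @Nullable
    public KeyStore.PrivateKeyEntry getPrivateKeyEntry() {
        return this.m_aKeyEntry;
    }

    /**
     * @return the certificate of the private key entry if it is an X.509 certificate,
     *         {@code null} if no key entry is loaded or the certificate has another type
     */
    @Nullable
    public X509Certificate getPrivateKeyCertificate() {
        final KeyStore.PrivateKeyEntry keyEntry = this.m_aKeyEntry;
        if (keyEntry == null) {
            return null;
        }
        final Certificate certificate = keyEntry.getCertificate();
        return certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
    }

    /**
     * Creates an SSL context whose key managers are backed by this keystore.
     * <p>
     * If {@link SMPTrustManager} has a valid truststore it is used for server
     * verification; otherwise the context trusts every peer certificate
     * (logged as a warning), which disables server authentication and should
     * only be accepted in controlled environments.
     *
     * @return a new, initialized {@link SSLContext}
     * @throws KeyStoreException if no keystore is loaded (e.g. after a failed reload)
     * @throws GeneralSecurityException if a factory cannot be created or initialized
     */
    @Nonnull
    public SSLContext createSSLContext() throws GeneralSecurityException {
        final KeyStore keyStore = this.m_aKeyStore;
        if (keyStore == null) {
            // KeyManagerFactory.init tolerates a null keystore, which would silently produce a
            // context that cannot present the SMP key; fail early and loudly instead
            throw new KeyStoreException("SMP keystore is not loaded - cannot create an SSL context");
        }

        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, SMPServerConfiguration.getKeyStoreKeyPassword());

        final TrustManager[] trustManagers;
        if (SMPTrustManager.isTrustStoreValid()) {
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(SMPTrustManager.getInstance().getTrustStore());
            trustManagers = trustManagerFactory.getTrustManagers();
        } else {
            // NOTE(review): trust-all means no server certificate validation at all; kept for
            // backwards compatibility, the warning below is the only signal operators get
            trustManagers = new TrustManager[] { new TrustManagerTrustAll() };
            LOGGER.warn("No truststore is configured, so the build SSL/TLS connection will trust all hosts!");
        }

        final SSLContext sslContext = SSLContext.getInstance(SslConfigurationDefaults.PROTOCOL);
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
        return sslContext;
    }

    /**
     * Creates an enveloped XML signature (SHA-256 digest, RSA-SHA256 signature)
     * over the passed element using the loaded private key, and embeds the
     * signing certificate's subject name and certificate as X509Data.
     *
     * @param element element to sign; the signature is appended to it
     * @param eSMPRESTType REST type, selects the canonicalization method
     * @throws IllegalStateException if no private key entry with an X.509 certificate is loaded,
     *         or if the REST type is not supported
     * @throws NoSuchAlgorithmException if an XML DSig algorithm is unavailable
     * @throws InvalidAlgorithmParameterException if an algorithm parameter is invalid
     * @throws MarshalException if the signature cannot be marshalled into the document
     * @throws XMLSignatureException if signing fails
     */
    public void signXML(@Nonnull final Element element, @Nonnull final ESMPRESTType eSMPRESTType) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, MarshalException, XMLSignatureException {
        ValueEnforcer.notNull(element, "ElementToSign");
        ValueEnforcer.notNull(eSMPRESTType, "RESTType");

        // Read the entry once so a concurrent reload cannot hand us key and certificate
        // from different loads; fail with a clear message instead of an NPE/CCE
        final KeyStore.PrivateKeyEntry keyEntry = this.m_aKeyEntry;
        if (keyEntry == null) {
            throw new IllegalStateException("No private key entry is loaded - cannot sign XML");
        }
        final Certificate certificate = keyEntry.getCertificate();
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalStateException("The loaded private key entry has no X.509 certificate - cannot sign XML");
        }
        final X509Certificate x509Certificate = (X509Certificate) certificate;

        final String canonicalizationMethod;
        final String signatureMethod;
        switch (eSMPRESTType) {
            case PEPPOL:
            case OASIS_BDXR_V1:
                canonicalizationMethod = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";
                signatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
                break;
            case OASIS_BDXR_V2:
                canonicalizationMethod = "http://www.w3.org/2006/12/xml-c14n11";
                signatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
                break;
            default:
                throw new IllegalStateException("Unsupported REST type");
        }

        final XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
        // Empty URI = the whole document; the enveloped-signature transform excludes the signature itself
        final Reference reference = signatureFactory.newReference("",
                                                                  signatureFactory.newDigestMethod("http://www.w3.org/2001/04/xmlenc#sha256", (DigestMethodParameterSpec) null),
                                                                  new CommonsArrayList<>(signatureFactory.newTransform("http://www.w3.org/2000/09/xmldsig#enveloped-signature", (TransformParameterSpec) null)),
                                                                  (String) null,
                                                                  (String) null);
        final SignedInfo signedInfo = signatureFactory.newSignedInfo(signatureFactory.newCanonicalizationMethod(canonicalizationMethod, (C14NMethodParameterSpec) null),
                                                                     signatureFactory.newSignatureMethod(signatureMethod, (SignatureMethodParameterSpec) null),
                                                                     new CommonsArrayList<>(reference));

        final KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory();
        final CommonsArrayList<Serializable> x509Content = new CommonsArrayList<Serializable>(x509Certificate.getSubjectX500Principal().getName(), x509Certificate);
        signatureFactory.newXMLSignature(signedInfo, keyInfoFactory.newKeyInfo(new CommonsArrayList<>(keyInfoFactory.newX509Data(x509Content))))
                        .sign(new DOMSignContext(keyEntry.getPrivateKey(), element));
    }

    /**
     * @return {@code true} if the last load of keystore and key entry succeeded
     */
    public static boolean isKeyStoreValid() {
        return KEY_STORE_VALID.get();
    }

    /**
     * @return the error code of the last failed load, or {@code null}
     */
    @Nullable
    public static EKeyStoreLoadError getInitializationErrorCode() {
        return s_eInitError;
    }

    /**
     * @return the readable error of the last failed load, or {@code null}
     */
    @Nullable
    public static String getInitializationError() {
        return s_sInitError;
    }

    /**
     * Reloads the keystore from the current configuration. If the singleton
     * exists it is reloaded in place, otherwise it is created. Failures are
     * logged only; afterwards {@link #isKeyStoreValid()} and
     * {@link #getInitializationError()} reflect the failed load.
     */
    public static void reloadFromConfiguration() {
        try {
            final SMPKeyManager instance = getGlobalSingletonIfInstantiated(SMPKeyManager.class);
            if (instance != null) {
                instance._loadKeyStore();
            } else {
                getInstance();
            }
        } catch (final Exception e) {
            // Boundary: a reload must never take the running server down
            LOGGER.error("Failed to reload from configuration", e);
        }
    }
}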
