package weblogic.wsee.security.bst;

import com.oracle.webservices.impl.internalspi.platform.CredentialServiceFactory;
import java.io.File;
import java.security.AccessController;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import weblogic.management.provider.ManagementService;
import weblogic.management.provider.RuntimeAccess;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.utils.KeyStoreConfigurationHelper;
import weblogic.security.utils.KeyStoreInfo;
import weblogic.security.utils.KeyStoreUtils;
import weblogic.security.utils.MBeanKeyStoreConfiguration;
import weblogic.wsee.security.configuration.MBeanConstants;
import weblogic.wsee.security.configuration.WssConfigurationException;
import weblogic.xml.crypto.utils.CertUtils;
import weblogic.xml.crypto.wss.BSTUtils;
import weblogic.xml.crypto.wss.WssPolicyContextHandler;
import weblogic.xml.crypto.wss.X509Credential;
import weblogic.xml.crypto.wss.provider.Purpose;

/* loaded from: input_file:weblogic/wsee/security/bst/ServerBSTCredentialProvider.class */
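public class ServerBSTCredentialProvider extends BST11CredentialProvider {
    /** Location prefix that marks a keystore served by the credential service instead of a file. */
    private static final String KSS_LOCATION_PREFIX = "kss:";
    /** Keystore type name handed to the credential service for {@code kss:} locations. */
    private static final String KSS_KEYSTORE_TYPE = "KSS";
    /** Keystore type assumed when the policy context does not name one. */
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";

    private static final Logger LOGGER = Logger.getLogger(ServerBSTCredentialProvider.class.getName());
    private static final AuthenticatedSubject kernelId = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    // Credential built from the server's configured identity keystore. It is shared by all
    // instances and is the fallback whenever a policy names no key alias of its own. It is
    // populated lazily by initCredentials() without any synchronization, so two concurrent first
    // callers may both run initSSLCredential(); each builds an equivalent value.
    private static X509Credential sslKeyPairCredential = null;

    // Served for signing / identity / verification (see getCredential).
    private X509Credential credForIntegrity = null;
    // Served for encryption (policy-handler callers only) and decryption (see getCredential).
    private X509Credential credForConfidentiality = null;

    /**
     * Returns the credential this provider holds for {@code purpose}, or {@code null} if none
     * applies.
     *
     * <p>A {@link WssPolicyContextHandler} caller is only ever given the confidentiality
     * credential, and only for encryption. Every other handler is never given an encryption
     * credential; it receives the integrity credential for signing, identity and verification and
     * the confidentiality credential for decryption, in each case only when
     * {@link BSTUtils#matches} accepts the credential for that handler. The {@code isFor*}
     * purpose predicates are inherited from the superclass.
     *
     * @param str not consulted by this implementation
     * @param str2 not consulted by this implementation
     * @param contextHandler caller context that decides which credential may be handed out
     * @param purpose intended use of the credential
     * @return the matching {@link X509Credential}, or {@code null}
     */
    @Override // weblogic.xml.crypto.wss.provider.CredentialProvider
    public Object getCredential(String str, String str2, ContextHandler contextHandler, Purpose purpose) {
        if (contextHandler instanceof WssPolicyContextHandler) {
            return isForEncryption(purpose) ? this.credForConfidentiality : null;
        }
        if (isForEncryption(purpose)) {
            return null;
        }
        // Order matters: the predicates are evaluated exactly as before so that a purpose
        // satisfying more than one of them resolves the same way.
        if ((isForSigning(purpose) || isForIdentity(purpose)) && BSTUtils.matches(this.credForIntegrity, contextHandler)) {
            return this.credForIntegrity;
        }
        if (isForDecryption(purpose) && BSTUtils.matches(this.credForConfidentiality, contextHandler)) {
            return this.credForConfidentiality;
        }
        if (isForVerification(purpose) && BSTUtils.matches(this.credForIntegrity, contextHandler)) {
            return this.credForIntegrity;
        }
        return null;
    }

    /**
     * Resolves the integrity and confidentiality credentials for the given policy context.
     *
     * <p>The shared SSL identity credential is built first if it has not been built yet; it
     * serves as the fallback for any policy that does not name its own key alias.
     *
     * @param wssPolicyContextHandler policy context carrying the {@code MBeanConstants.PROP_*}
     *     keystore and key settings
     * @throws WssConfigurationException if a required setting is missing or a keystore / key
     *     cannot be loaded, or if the selected certificate cannot be used for its purpose
     */
    public void initCredentials(WssPolicyContextHandler wssPolicyContextHandler) throws WssConfigurationException {
        KeyStoreConfigurationHelper keyStoreConfig = new KeyStoreConfigurationHelper(MBeanKeyStoreConfiguration.getInstance());
        if (sslKeyPairCredential == null) {
            initSSLCredential(keyStoreConfig);
        }
        this.credForIntegrity = initCredentialFromContext(wssPolicyContextHandler, keyStoreConfig, true);
        this.credForConfidentiality = initCredentialFromContext(wssPolicyContextHandler, keyStoreConfig, false);
    }

    /**
     * Builds one credential from the policy context.
     *
     * <p>Resolution order: no alias configured means the shared SSL credential is returned as
     * is; otherwise the key is read from the keystore named in the context, or, when none is
     * named, from the server's identity keystore. A keystore location starting with
     * {@code kss:} is fetched from the credential service, anything else from the file system.
     * The resulting certificate must support signing (integrity) or key encryption
     * (confidentiality).
     *
     * @param wssPolicyContextHandler policy context providing alias, key password, keystore
     *     location and keystore password
     * @param keyStoreConfigurationHelper server keystore configuration, used when the context
     *     names no keystore
     * @param forIntegrity {@code true} to read the integrity settings, {@code false} for the
     *     confidentiality settings
     * @return the credential, or the shared SSL credential (possibly {@code null}) when the
     *     context names no alias
     * @throws WssConfigurationException on a missing password, an unusable keystore or key, or
     *     a certificate that does not support the required operation
     */
    private static X509Credential initCredentialFromContext(WssPolicyContextHandler wssPolicyContextHandler, KeyStoreConfigurationHelper keyStoreConfigurationHelper, boolean forIntegrity) throws WssConfigurationException {
        String aliasProp;
        String keyPassProp;
        String storeProp;
        String storePassProp;
        if (forIntegrity) {
            aliasProp = MBeanConstants.PROP_INTE_KEY_ALIAS;
            keyPassProp = MBeanConstants.PROP_INTE_KEY_PASS;
            storeProp = MBeanConstants.PROP_INTE_KEY_STORE;
            storePassProp = MBeanConstants.PROP_INTE_KEY_STORE_PASS;
        } else {
            aliasProp = MBeanConstants.PROP_CONF_KEY_ALIAS;
            keyPassProp = MBeanConstants.PROP_CONF_KEY_PASS;
            storeProp = MBeanConstants.PROP_CONF_KEY_STORE;
            storePassProp = MBeanConstants.PROP_CONF_KEY_STORE_PASS;
        }
        // Values are read in the same order as before (alias, key pass, store, store pass).
        String alias = (String) wssPolicyContextHandler.getValue(aliasProp);
        char[] keyPass = convertToCharArrayObject(wssPolicyContextHandler.getValue(keyPassProp));
        String storeLocation = (String) wssPolicyContextHandler.getValue(storeProp);
        char[] storePass = convertToCharArrayObject(wssPolicyContextHandler.getValue(storePassProp));

        if (alias == null) {
            // No policy-specific key: fall back to the server identity credential.
            return sslKeyPairCredential;
        }
        if (keyPass == null) {
            throw new WssConfigurationException("Must specify private key pass for alias: " + alias);
        }

        KeyStore keystore;
        if (storeLocation == null) {
            KeyStoreInfo identityKeyStore = keyStoreConfigurationHelper.getIdentityKeyStore();
            if (identityKeyStore == null || identityKeyStore.getFileName() == null) {
                throw new WssConfigurationException("can't find the keystore of alias: " + alias);
            }
            keystore = loadKeyStore(identityKeyStore.getFileName(), identityKeyStore.getPassPhrase(), identityKeyStore.getType());
        } else {
            if (storePass == null) {
                throw new WssConfigurationException("Must specify keystore passphrase for keystore: " + storeLocation);
            }
            keystore = loadKeyStore(storeLocation, storePass, getKeyStoreType(wssPolicyContextHandler));
        }

        X509Credential credential = getX509Credential(keystore, alias, keyPass);
        // Reject certificates whose key usage does not cover what the credential is for.
        if (forIntegrity) {
            if (!CertUtils.supportsSign(credential.getCertificate())) {
                throw new WssConfigurationException("Key/Certificate specified for integrity does not support signing.");
            }
        } else if (!CertUtils.supportsKeyEncrypt(credential.getCertificate())) {
            throw new WssConfigurationException("Key/Certificate specified for confidentiality does not support key encryption.");
        }
        return credential;
    }

    /**
     * Loads a keystore from either the credential service ({@code kss:} locations) or a file.
     *
     * @param location keystore location as configured
     * @param passPhrase keystore passphrase; may be {@code null}
     * @param type keystore type for file-based keystores; ignored for {@code kss:} locations
     * @return whatever the underlying loader returns, which may be {@code null}; callers check
     * @throws WssConfigurationException if the credential service fails or the file is absent
     */
    private static KeyStore loadKeyStore(String location, char[] passPhrase, String type) throws WssConfigurationException {
        if (location.startsWith(KSS_LOCATION_PREFIX)) {
            return loadKssKeyStore(location, passPhrase);
        }
        return KeyStoreUtils.load(getKeyStoreFile(location), passPhrase, type);
    }

    /**
     * Fetches a keystore from the credential service.
     *
     * @param location {@code kss:}-prefixed keystore location
     * @param passPhrase keystore passphrase; may be {@code null}
     * @return the keystore returned by the service
     * @throws WssConfigurationException wrapping the service's {@link KeyStoreException}
     */
    private static KeyStore loadKssKeyStore(String location, char[] passPhrase) throws WssConfigurationException {
        // The credential-service API takes the passphrase as a String; unlike the char[] it
        // cannot be cleared after use, so this copy lives until garbage-collected.
        String passPhraseText = passPhrase != null ? new String(passPhrase) : null;
        try {
            return CredentialServiceFactory.getCredentialService().getKeystore(location, passPhraseText, KSS_KEYSTORE_TYPE);
        } catch (KeyStoreException e) {
            throw new WssConfigurationException("Failed to get KeyStore " + location + " Exception " + e);
        }
    }

    /**
     * Returns the keystore type named in the policy context, defaulting to {@code JKS}.
     *
     * @param wssPolicyContextHandler policy context
     * @return the configured type, or {@code "JKS"} when none is set
     */
    private static String getKeyStoreType(WssPolicyContextHandler wssPolicyContextHandler) {
        String configuredType = (String) wssPolicyContextHandler.getValue(MBeanConstants.PROP_KEY_STORE_TYPE);
        return configuredType != null ? configuredType : DEFAULT_KEYSTORE_TYPE;
    }

    /**
     * Reads the private key and end-entity certificate for {@code alias} from {@code keyStore}.
     *
     * @param keyStore source keystore; {@code null} is reported as a configuration error
     * @param alias key entry alias
     * @param keyPass password protecting the key entry
     * @return credential pairing the first certificate of the chain (the entry's own certificate,
     *     per {@link KeyStore#getCertificateChain}) with the private key
     * @throws WssConfigurationException if the keystore is missing, the entry is not a private
     *     key, the chain is missing or empty, the leaf is not an X.509 certificate, or the
     *     keystore reports an error
     */
    private static X509Credential getX509Credential(KeyStore keyStore, String alias, char[] keyPass) throws WssConfigurationException {
        if (keyStore == null) {
            throw new WssConfigurationException("Key Store not found");
        }
        try {
            Key key = keyStore.getKey(alias, keyPass);
            if (!(key instanceof PrivateKey)) {
                throw new WssConfigurationException("Private Key not found");
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null) {
                throw new WssConfigurationException("Can not find any public key for alias: " + alias);
            }
            if (chain.length == 0) {
                throw new WssConfigurationException("Certificate not found");
            }
            // Previously an unchecked cast: a non-X.509 leaf surfaced as a ClassCastException.
            if (!(chain[0] instanceof X509Certificate)) {
                throw new WssConfigurationException("Certificate for alias " + alias + " is not an X.509 certificate");
            }
            return new X509Credential((X509Certificate) chain[0], (PrivateKey) key);
        } catch (KeyStoreException e) {
            throw new WssConfigurationException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new WssConfigurationException(e);
        } catch (UnrecoverableKeyException e) {
            throw new WssConfigurationException(e);
        }
    }

    /**
     * Resolves a configured keystore file name to an existing file.
     *
     * <p>The name is tried as given first and then relative to the server root directory.
     *
     * @param fileName configured keystore file name
     * @return the first of the two candidates that exists
     * @throws WssConfigurationException if neither candidate exists
     */
    private static File getKeyStoreFile(String fileName) throws WssConfigurationException {
        File asGiven = new File(fileName);
        if (asGiven.exists()) {
            return asGiven;
        }
        File underServerRoot = new File(ManagementService.getRuntimeAccess(kernelId).getServer().getRootDirectory(), fileName);
        if (!underServerRoot.exists()) {
            throw new WssConfigurationException("KeyStoreFile " + fileName + " does not exist!");
        }
        return underServerRoot;
    }

    /**
     * Builds the shared SSL identity credential from the server's identity keystore and makes it
     * this instance's integrity and confidentiality credential.
     *
     * <p>Does nothing when no identity keystore is configured.
     *
     * @param keyStoreConfigurationHelper server keystore configuration
     * @throws WssConfigurationException if the file name, alias or key passphrase is missing,
     *     or the keystore / key cannot be loaded
     */
    private void initSSLCredential(KeyStoreConfigurationHelper keyStoreConfigurationHelper) throws WssConfigurationException {
        KeyStoreInfo identityKeyStore = keyStoreConfigurationHelper.getIdentityKeyStore();
        if (identityKeyStore == null) {
            return;
        }
        String fileName = identityKeyStore.getFileName();
        if (fileName == null || fileName.length() == 0) {
            throw new WssConfigurationException("KeyStoreFilename not supplied");
        }
        String type = identityKeyStore.getType();
        char[] passPhrase = identityKeyStore.getPassPhrase();
        String identityAlias = keyStoreConfigurationHelper.getIdentityAlias();
        char[] identityPrivateKeyPassPhrase = keyStoreConfigurationHelper.getIdentityPrivateKeyPassPhrase();
        if (identityAlias == null || identityAlias.length() == 0) {
            throw new WssConfigurationException("Certificate Alias not supplied");
        }
        if (identityPrivateKeyPassPhrase == null) {
            throw new WssConfigurationException("PassPhrase not supplied");
        }

        KeyStore keystore;
        if (fileName.startsWith(KSS_LOCATION_PREFIX)) {
            keystore = loadKssKeyStore(fileName, passPhrase);
        } else {
            File keyStoreFile = getKeyStoreFile(fileName);
            logKeyStoreDetails(keyStoreFile, type, identityAlias);
            keystore = KeyStoreUtils.load(keyStoreFile, passPhrase, type);
        }
        if (keystore == null) {
            throw new WssConfigurationException("Unable to load KeyStore");
        }
        sslKeyPairCredential = getX509Credential(keystore, identityAlias, identityPrivateKeyPassPhrase);
        this.credForIntegrity = sslKeyPairCredential;
        this.credForConfidentiality = sslKeyPairCredential;
    }

    /**
     * Logs the keystore file, type, alias and installed security providers at {@code FINE}.
     * Passphrases are never logged.
     */
    private static void logKeyStoreDetails(File keyStoreFile, String type, String identityAlias) {
        if (!LOGGER.isLoggable(Level.FINE)) {
            return;
        }
        LOGGER.log(Level.FINE, "KeyStore File:  " + keyStoreFile.getAbsolutePath());
        LOGGER.log(Level.FINE, "KeyStore Type:  " + type);
        LOGGER.log(Level.FINE, "KeyStore Alias: " + identityAlias);
        LOGGER.log(Level.FINE, "Security Providers:  ");
        for (Provider provider : Security.getProviders()) {
            LOGGER.log(Level.FINE, "  " + provider.getName() + "  " + provider.getVersion());
        }
    }

    /**
     * Reports whether the server's SSL identity and trust are configured to come from keystores.
     *
     * @return {@code true} if the SSL configuration's identity-and-trust location is
     *     {@code "KeyStores"}; {@code false} otherwise or when runtime access is unavailable
     */
    public static boolean isSSLUsingKeyStores() {
        RuntimeAccess runtimeAccess = ManagementService.getRuntimeAccess(kernelId);
        if (runtimeAccess == null) {
            return false;
        }
        return "KeyStores".equals(runtimeAccess.getServer().getSSL().getIdentityAndTrustLocations());
    }

    /**
     * Normalizes a password value from the policy context to a {@code char[]}.
     *
     * @param obj {@code null}, a {@link String} or a {@code char[]}
     * @return {@code null} for {@code null}, the array itself, or the string's characters
     * @throws WssConfigurationException for any other type (previously a ClassCastException at
     *     the call site); the message names the type only, never the value
     */
    private static char[] convertToCharArrayObject(Object obj) throws WssConfigurationException {
        if (obj == null) {
            return null;
        }
        if (obj instanceof char[]) {
            return (char[]) obj;
        }
        if (obj instanceof String) {
            return ((String) obj).toCharArray();
        }
        throw new WssConfigurationException("Unsupported password value type: " + obj.getClass().getName());
    }
}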
