package com.ibm.ws.security.audit.encryption;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.audit.AuditDecryptionException;
import com.ibm.wsspi.security.audit.AuditEncryptingException;
import com.ibm.wsspi.security.audit.AuditSigning;
import com.ibm.wsspi.security.audit.AuditSigningException;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.Key;
import java.security.KeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import javax.management.ObjectName;

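/**
 * Signs, verifies, encrypts and decrypts audit records with a shared symmetric key, and reads the
 * signer certificate / private key from a configured "signer" keystore.
 *
 * <p>What the methods actually do (names are kept for the {@link AuditSigning} interface):
 * <ul>
 * <li>{@link #sign(byte[], Key)} computes a SHA-256 digest of the data and encrypts that digest under
 * the shared key with {@link AuditCrypto}; {@link #unsign(byte[], Key)} decrypts it again. Anyone who
 * holds the shared key can produce such a "signature", so it protects integrity only against parties
 * that do not have the key — it is not a public-key signature.</li>
 * <li>{@link #verify(byte[], Key)} is the only method that uses the {@code SHA256withRSA}
 * {@link Signature} engine created in {@link #initialize}.</li>
 * <li>{@link #retrieveSignerCertificate()} / {@link #retrievePrivateSignerKey()} load the keystore
 * at {@link #getSignerKeyFileLocation()} via {@link OpenKeyStoreAction}.</li>
 * </ul>
 *
 * <p>Thread safety: the {@link Signature} engine, the cached {@link AuditKeyEncryptor} and the alias
 * counter are unsynchronized instance state, so one instance should not be used from several threads
 * at the same time.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class AuditSigningImpl implements AuditSigning {
    private static final String KEY_LOCATION_ADMIN = "locationAdmin";
    // NOTE(review): nothing in this class activates this reference or sets a service on it, so
    // getService() returns null unless that is done elsewhere; serverName then stays null.
    private final AtomicServiceReference<WsLocationAdmin> locationAdminRef = new AtomicServiceReference<>(KEY_LOCATION_ADMIN);
    AuditCrypto crypto = null;
    String serverName = null;
    int aliasIncrement = 1;
    private Signature signature = null;
    // Never assigned in this class; verify() hands it to Signature.verify(). See the note in verify().
    private final byte[] sigBytes = null;
    private final int signerKeyStoreIncrement = 1;
    private final ObjectName mgmScopeObjName = null;
    // Set by encryptSharedKey()/decryptSharedKey() from the key-encrypting key of the latest call.
    AuditKeyEncryptor encryptor = null;
    private String signerName = null;
    private String signerType = null;
    private String signerProvider = null;
    private String signerKeyFileLocation = null;
    // Keystore / key password. Deliberately never written to trace or FFDC incident data.
    private String signerPassword = null;
    private String signerAlias = null;
    static final long serialVersionUID = -5289899763318808665L;
    private static final TraceComponent tc = Tr.register(AuditSigningImpl.class, (String) null, "com.ibm.ejs.resources.security");
    // The four statics below are not referenced by this class; kept as found.
    private static AuditSigningImpl as = null;
    private static String subjectDN = "CN=auditsigner, OU=SWG, O=IBM, C=US";
    private static String keyStoreName = "auditSignerKeyStore_";
    private static String certLabelPrefix = "auditcert";
    // Algorithm of the Signature engine used by verify().
    private static String CRYPTO_ALGORITHM = "SHA256withRSA";

    /**
     * Privileged action that opens the signer keystore for reading.
     *
     * <p>An existing, non-empty file is opened through a {@code file:} URL built from its canonical
     * path. A location that is not an existing file is treated as a URL, so any scheme the JVM
     * supports can be fetched from here; the location comes from server configuration, so it should
     * be treated as trusted input only to that extent.
     */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    @TraceOptions
    public static class OpenKeyStoreAction implements PrivilegedExceptionAction<InputStream> {
        private final String file;
        static final long serialVersionUID = 2180325333538092337L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.security.audit.encryption.AuditSigningImpl$OpenKeyStoreAction", OpenKeyStoreAction.class, "audit", "com.ibm.ws.security.audit.source.internal.resources.AuditMessages");

        /**
         * @param str keystore location: a file path, or a URL if no such file exists
         */
        public OpenKeyStoreAction(String str) {
            this.file = str;
        }

        /**
         * Opens the keystore location. The caller owns the returned stream and must close it.
         *
         * @return an open stream positioned at the start of the keystore
         * @throws IOException if the location is an existing but empty file, or cannot be opened
         * @throws MalformedURLException if the location is neither an existing file nor a valid URL
         */
        @Override // java.security.PrivilegedExceptionAction
        public InputStream run() throws MalformedURLException, IOException {
            File keyStoreFile = new File(this.file);
            if (keyStoreFile.exists()) {
                if (keyStoreFile.length() == 0) {
                    throw new IOException("Keystore file exists, but is empty: " + this.file);
                }
                return new URL("file:" + keyStoreFile.getCanonicalPath()).openStream();
            }
            // Not a file on disk: interpret the configured location as a URL.
            return new URL(this.file).openStream();
        }
    }

    /**
     * Creates a signer and initializes it from the supplied configuration.
     *
     * @param str  signer name
     * @param str2 signer keystore location (file path or URL; see {@link OpenKeyStoreAction})
     * @param str3 keystore type (mapping assumed from field order; see {@link #initialize})
     * @param str4 keystore provider (assumed, as above)
     * @param str5 keystore / key password (assumed, as above); never logged or passed to FFDC
     * @param str6 alias of the signer entry in the keystore
     * @throws AuditSigningException if initialization fails; a half-initialized signer is not handed out
     */
    public AuditSigningImpl(String str, String str2, String str3, String str4, String str5, String str6) throws AuditSigningException {
        try {
            initialize(str, str2, str3, str4, str5, str6);
        } catch (AuditSigningException e) {
            // Already recorded and logged by initialize(); just refuse to construct.
            throw e;
        } catch (RuntimeException e) {
            // str5 (the password) is intentionally left out of the incident data.
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "74", this, new Object[]{str, str2, str3, str4, str6});
            Tr.error(tc, "security.audit.signing.init.error", new Object[]{e});
            throw new AuditSigningException(e);
        }
    }

    /**
     * Stores the signer configuration and creates the {@code SHA256withRSA} verification engine.
     *
     * @param str  signer name
     * @param str2 signer keystore location
     * @param str3 keystore type
     * @param str4 keystore provider
     * @param str5 keystore / key password
     * @param str6 signer alias
     * @throws AuditSigningException if the {@link Signature} engine cannot be created
     */
    public void initialize(String str, String str2, String str3, String str4, String str5, String str6) throws AuditSigningException {
        WsLocationAdmin wsLocationAdmin = this.locationAdminRef.getService();
        if (wsLocationAdmin != null) {
            this.serverName = wsLocationAdmin.getServerName();
        }
        this.signerName = str;
        this.signerKeyFileLocation = str2;
        // NOTE(review): str3..str5 used to be accepted but never stored, which left
        // retrievePrivateSignerKey() with a null type, provider and password. The mapping below follows
        // the field declaration order (type, provider, password) — confirm against the callers.
        this.signerType = str3;
        this.signerProvider = str4;
        this.signerPassword = str5;
        this.signerAlias = str6;
        this.crypto = new AuditCrypto();
        try {
            this.signature = Signature.getInstance(CRYPTO_ALGORITHM);
        } catch (NoSuchAlgorithmException e) {
            // str5 (the password) is intentionally left out of the incident data.
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "103", this, new Object[]{str, str2, str3, str4, str6});
            Tr.error(tc, "security.audit.signing.init.error", new Object[]{e});
            throw new AuditSigningException(e);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Initializing audit signer at " + Instant.now(), new Object[0]);
        }
    }

    /**
     * Generates a fresh random shared key for audit-record encryption.
     *
     * <p>The key is the 24-byte output of {@link AuditCrypto#generate3DESKey()} labelled
     * {@code "3DES"}. That is kept for compatibility with existing audit data; 3DES is a legacy
     * algorithm and new deployments should prefer a modern cipher where the format allows it.
     *
     * @return the generated key
     * @throws KeyException if the signer was not initialized or key generation fails
     */
    public Key generateSharedKey() throws KeyException {
        try {
            if (this.crypto == null) {
                throw new com.ibm.websphere.crypto.KeyException("Key could not be generated.");
            }
            return new SecretKeySpec(AuditCrypto.generate3DESKey(), 0, 24, "3DES");
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "135", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error generating key.", new Object[]{e});
            }
            if (e instanceof KeyException) {
                throw (KeyException) e;
            }
            throw new KeyException(e.getMessage(), e);
        }
    }

    /**
     * Returns the next alias of the form {@code <serverName>Alias<n>} and advances the counter.
     *
     * @return the alias, or {@code null} when no server name is known (the counter still advances)
     */
    public String generateAliasForSharedKey() {
        String alias = null;
        if (this.serverName != null) {
            alias = this.serverName + "Alias" + Integer.toString(this.aliasIncrement);
        }
        this.aliasIncrement++;
        return alias;
    }

    /**
     * Encrypts the encoded form of {@code key} under {@code key2}.
     *
     * @param key  the shared key to protect; {@code null} yields {@code null} (logged at debug level)
     * @param key2 the key-encrypting key
     * @return the encrypted shared key, or {@code null} if {@code key} is {@code null}
     * @throws IOException          if encryption fails
     * @throws NullPointerException if {@code key2} is {@code null}
     */
    public byte[] encryptSharedKey(Key key, Key key2) throws IOException {
        if (key == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ERROR!!! shared key is null!", new Object[0]);
            }
            return null;
        }
        Objects.requireNonNull(key2, "key-encrypting key");
        this.encryptor = new AuditKeyEncryptor(key2.getEncoded());
        return this.encryptor.encrypt(key.getEncoded());
    }

    /**
     * Decrypts a shared key previously produced by {@link #encryptSharedKey(Key, Key)}.
     *
     * @param bArr the encrypted shared key; {@code null} yields {@code null} (logged at debug level)
     * @param key  the key-encrypting key
     * @return the decrypted shared key bytes, or {@code null} if {@code bArr} is {@code null}
     * @throws IOException          if decryption fails
     * @throws NullPointerException if {@code key} is {@code null}
     */
    public byte[] decryptSharedKey(byte[] bArr, Key key) throws IOException {
        if (bArr == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "ERROR!!! shared key is null!", new Object[0]);
            }
            return null;
        }
        Objects.requireNonNull(key, "key-encrypting key");
        // Always build the encryptor from the key supplied for this call: reusing one cached from an
        // earlier call with a different key would silently decrypt under the wrong key.
        this.encryptor = new AuditKeyEncryptor(key.getEncoded());
        return this.encryptor.decrypt(bArr);
    }

    /**
     * Opens and loads the configured signer keystore, closing the underlying stream afterwards.
     *
     * <p>The keystore type defaults to {@code "JKS"} when none is configured; the provider is only
     * passed when configured. A {@code null} password loads the keystore without an integrity check.
     */
    private KeyStore loadSignerKeyStore() throws KeyStoreException, NoSuchProviderException,
            NoSuchAlgorithmException, CertificateException, IOException {
        String type = this.signerType != null ? this.signerType : "JKS";
        KeyStore keyStore = this.signerProvider != null
                ? KeyStore.getInstance(type, this.signerProvider)
                : KeyStore.getInstance(type);
        char[] password = this.signerPassword == null ? null : this.signerPassword.toCharArray();
        try (InputStream in = openKeyStore(this.signerKeyFileLocation)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    /**
     * Records {@code e} through FFDC and debug trace and returns it wrapped with its cause kept.
     * Only the exception message is traced; no key material or password is included.
     */
    private Exception keyStoreFailure(Exception e, String probe, String message) {
        FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", probe, this, new Object[0]);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, message, new Object[]{e.getMessage()});
        }
        return new Exception(e.getMessage(), e);
    }

    /**
     * Loads the signer keystore and returns the certificate stored under the signer alias.
     *
     * @return the X.509 certificate, or {@code null} if the alias has no certificate
     * @throws Exception if the keystore cannot be opened or loaded, or the entry is not an X.509
     *                   certificate; the original exception is kept as the cause
     */
    public X509Certificate retrieveSignerCertificate() throws Exception {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "signerAlias: " + this.signerAlias + " signerType: " + this.signerType + " signerProvider: " + this.signerProvider + " signerKeyFileLocation: " + this.signerKeyFileLocation, new Object[0]);
        }
        try {
            KeyStore keyStore = loadSignerKeyStore();
            java.security.cert.Certificate cert = keyStore.getCertificate(this.signerAlias);
            if (cert != null && !(cert instanceof X509Certificate)) {
                throw new Exception("Certificate for alias " + this.signerAlias + " is not an X.509 certificate: " + cert.getType());
            }
            return (X509Certificate) cert;
        } catch (MalformedURLException e) {
            throw keyStoreFailure(e, "244", "Exception opening keystore: malformed URL");
        } catch (IOException | KeyStoreException e) {
            throw keyStoreFailure(e, "252", "Exception opening keystore.");
        } catch (NoSuchAlgorithmException e) {
            throw keyStoreFailure(e, "292", "Exception opening keystore: no such algorithm");
        } catch (NoSuchProviderException e) {
            throw keyStoreFailure(e, "276", "Exception opening keystore: no such provider.");
        } catch (CertificateException e) {
            throw keyStoreFailure(e, "296", "Exception getting certificate.");
        }
    }

    /**
     * Loads the signer keystore and returns the key stored under the signer alias.
     *
     * @return the key, or {@code null} if the alias has no key entry
     * @throws Exception if the keystore cannot be opened or loaded, or the key cannot be recovered
     *                   with the configured password; the original exception is kept as the cause
     */
    public Key retrievePrivateSignerKey() throws Exception {
        try {
            KeyStore keyStore = loadSignerKeyStore();
            char[] password = this.signerPassword == null ? null : this.signerPassword.toCharArray();
            return keyStore.getKey(this.signerAlias, password);
        } catch (MalformedURLException e) {
            throw keyStoreFailure(e, "280", "Exception opening keystore: malformed URL");
        } catch (IOException | KeyStoreException e) {
            throw keyStoreFailure(e, "300", "Exception opening keystore.");
        } catch (NoSuchAlgorithmException e) {
            throw keyStoreFailure(e, "292", "Exception opening keystore: no such algorithm");
        } catch (NoSuchProviderException e) {
            throw keyStoreFailure(e, "276", "Exception opening keystore: no such provider.");
        } catch (UnrecoverableKeyException e) {
            throw keyStoreFailure(e, "288", "Exception opening keystore.");
        } catch (CertificateException e) {
            throw keyStoreFailure(e, "296", "Exception getting certificate.");
        }
    }

    /**
     * Returns the public key of the signer certificate.
     *
     * @return the public key
     * @throws Exception if the certificate cannot be retrieved or no certificate exists for the alias
     */
    public Key retrievePublicSignerKey() throws Exception {
        X509Certificate cert;
        try {
            cert = retrieveSignerCertificate();
        } catch (Exception e) {
            throw keyStoreFailure(e, "332", "Exception opening keystore.");
        }
        if (cert == null) {
            throw new Exception("No certificate found in the signer keystore for alias " + this.signerAlias);
        }
        return cert.getPublicKey();
    }

    /**
     * Encrypts {@code bArr} under the encoded form of {@code key} using {@link AuditCrypto}.
     *
     * @throws AuditEncryptingException if the data or the key is {@code null}
     */
    public byte[] encrypt(byte[] bArr, Key key) throws AuditEncryptingException {
        if (bArr == null) {
            Tr.error(tc, "security.audit.encryption.data.error", new Object[0]);
            throw new AuditEncryptingException("Invalid data passed into the encryption algorithm.");
        }
        if (key == null) {
            Tr.error(tc, "security.audit.invalid.shared.key.error", new Object[0]);
            throw new AuditEncryptingException("Invalid shared key has been encountered.");
        }
        return AuditCrypto.encrypt(bArr, key.getEncoded());
    }

    /**
     * Decrypts {@code bArr} under the encoded form of {@code key} using {@link AuditCrypto}.
     *
     * @throws AuditDecryptionException if the data or the key is {@code null}
     */
    public byte[] decrypt(byte[] bArr, Key key) throws AuditDecryptionException {
        if (bArr == null) {
            Tr.error(tc, "security.audit.decryption.data.error", new Object[0]);
            throw new AuditDecryptionException("Invalid data passed into the decryption algorithm.");
        }
        if (key == null) {
            Tr.error(tc, "security.audit.invalid.shared.key.error", new Object[0]);
            throw new AuditDecryptionException("An invalid shared key was detected.");
        }
        return AuditCrypto.decrypt(bArr, key.getEncoded());
    }

    /**
     * Reverses {@link #sign(byte[], Key)}: decrypts {@code bArr} under {@code key}, yielding the
     * SHA-256 digest that was signed. Comparing that digest with a fresh digest of the data is left
     * to the caller.
     *
     * @throws AuditSigningException if {@code bArr} is {@code null} or decryption fails
     */
    public byte[] unsign(byte[] bArr, Key key) throws AuditSigningException {
        if (bArr == null) {
            Tr.error(tc, "security.audit.message.digest.error", new Object[0]);
            throw new AuditSigningException("MessageDigest is invalid");
        }
        try {
            return decrypt(bArr, key);
        } catch (AuditDecryptionException e) {
            // The key is intentionally left out of the incident data.
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "409", this, new Object[]{bArr});
            throw new AuditSigningException(e);
        }
    }

    /**
     * "Signs" {@code bArr}: computes its SHA-256 digest and encrypts the digest under {@code key}.
     *
     * <p>Because the shared key is symmetric, this is not a public-key signature — any holder of the
     * key can produce the same value — so it only detects tampering by parties without the key.
     *
     * @throws AuditSigningException if {@code bArr} is {@code null}, SHA-256 is unavailable, or
     *                               encryption fails
     */
    @ManualTrace
    public byte[] sign(byte[] bArr, Key key) throws AuditSigningException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "sign", new Object[0]);
        }
        if (bArr == null) {
            Tr.error(tc, "security.audit.signing.data.error", new Object[0]);
            throw new AuditSigningException("Invalid data passed into signing algorithm");
        }
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(bArr);
        } catch (NoSuchAlgorithmException e) {
            // The key is intentionally left out of the incident data.
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "440", this, new Object[]{bArr});
            throw new AuditSigningException(e);
        }
        byte[] signed;
        try {
            signed = encrypt(digest, key);
        } catch (AuditEncryptingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "455", this, new Object[]{bArr});
            throw new AuditSigningException(e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "sign");
        }
        return signed;
    }

    /**
     * Verifies {@code bArr} with the {@code SHA256withRSA} engine against the stored signature bytes.
     *
     * <p>NOTE(review): {@code sigBytes} is never assigned in this class, so the engine is always asked
     * to verify a {@code null} signature and this method cannot currently succeed; the signature to
     * check must be supplied by something this class does not show.
     *
     * @param bArr the signed data
     * @param key  the signer's public key; must be a {@link PublicKey}
     * @throws AuditSigningException if the engine was not initialized, {@code key} is not a public
     *                               key, or verification throws
     */
    @ManualTrace
    public boolean verify(byte[] bArr, Key key) throws AuditSigningException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verify", new Object[0]);
        }
        if (this.signature == null) {
            throw new AuditSigningException("Signature is null.  Cannot verify data.");
        }
        if (!(key instanceof PublicKey)) {
            throw new AuditSigningException("A PublicKey is required to verify data.");
        }
        boolean verified;
        try {
            this.signature.initVerify((PublicKey) key);
            this.signature.update(bArr);
            verified = this.signature.verify(this.sigBytes);
        } catch (Exception e) {
            // The key is intentionally left out of the incident data.
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "485", this, new Object[]{bArr});
            throw new AuditSigningException(e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "verify");
        }
        return verified;
    }

    /** @return the configured signer keystore location (file path or URL) */
    public String getSignerKeyFileLocation() {
        return this.signerKeyFileLocation;
    }

    /**
     * Opens the keystore at {@code str} under a privileged action. The caller owns the returned
     * stream and must close it.
     *
     * @param str keystore location (file path or URL)
     * @throws MalformedURLException if the location is neither an existing file nor a valid URL
     * @throws IOException           if the location cannot be opened; any other failure from the
     *                               action is wrapped as an {@link IOException} with its cause kept
     */
    @ManualTrace
    protected static InputStream openKeyStore(String str) throws MalformedURLException, IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "openKeyStore", new Object[]{str});
        }
        InputStream in;
        try {
            in = AccessController.doPrivileged(new OpenKeyStoreAction(str));
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.audit.encryption.AuditSigningImpl", "648", (Object) null, new Object[]{str});
            Exception cause = e.getException();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception opening keystore.", new Object[]{cause});
            }
            // MalformedURLException is an IOException, so both declared types are rethrown as-is.
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException(cause.getMessage(), cause);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "openKeyStore");
        }
        return in;
    }
}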
