package com.liferay.saml.opensaml.integration.internal.credential;

import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.saml.persistence.service.SamlSpIdpConnectionLocalService;
import com.liferay.saml.runtime.SamlException;
import com.liferay.saml.runtime.configuration.SamlProviderConfiguration;
import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper;
import com.liferay.saml.runtime.credential.KeyStoreManager;
import com.liferay.saml.runtime.exception.CredentialAuthException;
import com.liferay.saml.runtime.exception.CredentialException;
import com.liferay.saml.runtime.exception.EntityIdException;
import com.liferay.saml.runtime.metadata.LocalEntityManager;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.security.auth.DestroyFailedException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.xml.security.utils.Base64;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.security.credential.BasicCredential;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.credential.impl.AbstractCredentialResolver;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

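/**
 * Resolves OpenSAML credentials out of the key store provided by the bound
 * {@link KeyStoreManager} and manages the locally configured SAML entity's
 * signing and encryption key pairs: lookup, storage, deletion and password
 * verification.
 *
 * <p>Entries are addressed by alias. The signing entry uses the entity ID as
 * its alias and the encryption entry uses the entity ID suffixed with
 * {@code -encryption}. When a credential is resolved for the locally
 * configured entity ID the entry password is taken from the
 * {@link SamlProviderConfiguration}; for any other entity ID no password is
 * supplied to the key store.
 *
 * <p>Failures to open the key store or to unlock an entry are reported as
 * subtypes of {@link CredentialAuthException}. Their messages carry the
 * company ID and the key store manager's class name, never the password.
 * Password copies handed to the key store are zeroed once the key store call
 * returns.
 */
@Component(configurationPid = {"com.liferay.saml.runtime.configuration.SamlKeyStoreManagerConfiguration"}, immediate = true, service = {CredentialResolver.class, LocalEntityManager.class})
public class KeyStoreCredentialResolver extends AbstractCredentialResolver implements LocalEntityManager {

    // Alias suffix that distinguishes the encryption entry from the signing entry of the same entity.
    private static final String _ENCRYPTION_ALIAS_SUFFIX = "-encryption";

    @Reference(name = "KeyStoreManager", target = "(default=true)")
    private KeyStoreManager _keyStoreManager;

    @Reference
    private SamlProviderConfigurationHelper _samlProviderConfigurationHelper;

    @Reference
    private SamlSpIdpConnectionLocalService _samlSpIdpConnectionLocalService;

    /**
     * Checks that {@code password} unlocks the key store entry of
     * {@code entityId} selected by {@code certificateUsage}.
     *
     * <p>{@code ENCRYPTION} selects the encryption alias; every other usage
     * value (including {@code null}) selects the signing alias.
     *
     * @param  password the entry password to verify
     * @param  certificateUsage the usage that selects the entry
     * @param  entityId the entity ID the alias is derived from
     * @throws CredentialAuthException if the key store cannot be opened or
     *         {@code password} does not unlock the entry
     * @throws CredentialException if no entry exists under the alias
     */
    public void authenticateLocalEntityCertificate(String password, LocalEntityManager.CertificateUsage certificateUsage, String entityId) throws CredentialAuthException, CredentialException {
        UsageType usageType = UsageType.SIGNING;
        if (certificateUsage == LocalEntityManager.CertificateUsage.ENCRYPTION) {
            usageType = UsageType.ENCRYPTION;
        }
        if (_getKeyStoreEntry(_getAlias(entityId, usageType), password) == null) {
            throw new CredentialException("Certificate not found");
        }
    }

    /**
     * Removes the local entity's key store entry for {@code certificateUsage}
     * and persists the key store through the {@link KeyStoreManager}.
     *
     * @param  certificateUsage the usage whose entry is removed; must be
     *         {@code SIGNING} or {@code ENCRYPTION}
     * @throws KeyStoreException if the key store cannot be loaded, the entry
     *         cannot be removed, or saving fails (the save failure is wrapped)
     * @throws NullPointerException if {@code certificateUsage} maps to no
     *         {@link UsageType}
     */
    public void deleteLocalEntityCertificate(LocalEntityManager.CertificateUsage certificateUsage) throws KeyStoreException {
        KeyStore keyStore = _keyStoreManager.getKeyStore();
        keyStore.deleteEntry(_getAlias(getLocalEntityId(), _getUsageType(certificateUsage)));
        try {
            _keyStoreManager.saveKeyStore(keyStore);
        }
        catch (Exception e) {
            throw new KeyStoreException(e);
        }
    }

    /**
     * Returns the local entity's certificate for {@code certificateUsage} as
     * Base64 text wrapped at 76 columns.
     *
     * @param  certificateUsage the usage that selects the certificate
     * @return the encoded certificate, or {@code null} if
     *         {@link #getLocalEntityCertificate} yields none
     * @throws SamlException if the certificate cannot be resolved or encoded
     */
    public String getEncodedLocalEntityCertificate(LocalEntityManager.CertificateUsage certificateUsage) throws SamlException {
        X509Certificate certificate = getLocalEntityCertificate(certificateUsage);
        if (certificate == null) {
            return null;
        }
        try {
            return Base64.encode(certificate.getEncoded(), 76);
        }
        catch (CertificateEncodingException e) {
            throw new SamlException(e);
        }
    }

    /**
     * Resolves the local entity's X.509 certificate for
     * {@code certificateUsage}.
     *
     * @param  certificateUsage the usage that selects the certificate
     * @return the certificate, or {@code null} if {@code certificateUsage}
     *         maps to no {@link UsageType} or the key store holds no matching
     *         entry
     * @throws SamlException if no entity ID is configured (wrapping an
     *         {@link EntityIdException}) or if credential resolution fails
     */
    public X509Certificate getLocalEntityCertificate(LocalEntityManager.CertificateUsage certificateUsage) throws SamlException {
        UsageType usageType = _getUsageType(certificateUsage);
        if (usageType == null) {
            return null;
        }
        String localEntityId = getLocalEntityId();
        if (Validator.isBlank(localEntityId)) {
            throw new SamlException(new EntityIdException("An Entity ID must be configured"));
        }
        CriteriaSet criteriaSet = new CriteriaSet(new EntityIdCriterion(localEntityId), new UsageCriterion(usageType));
        try {
            Credential credential = resolveSingle(criteriaSet);
            if (credential == null) {
                return null;
            }
            // A secret-key entry stored under this alias yields a non-X.509 credential; the cast surfaces that misconfiguration as a ClassCastException.
            return ((X509Credential) credential).getEntityCertificate();
        }
        catch (ResolverException e) {
            throw new SamlException(e);
        }
    }

    /**
     * Returns the entity ID from the current SAML provider configuration.
     */
    public String getLocalEntityId() {
        return _getSamlProviderConfiguration().entityId();
    }

    /**
     * Returns {@code true} when the company taken from
     * {@link CompanyThreadLocal} has at least one SP/IdP connection.
     */
    public boolean hasDefaultIdpRole() {
        long companyId = CompanyThreadLocal.getCompanyId().longValue();
        return !_samlSpIdpConnectionLocalService.getSamlSpIdpConnections(companyId).isEmpty();
    }

    /**
     * Resolves the credential whose alias is derived from the
     * {@link EntityIdCriterion} and the optional {@link UsageCriterion} in
     * {@code criteriaSet}; without a usage criterion the usage is
     * {@link UsageType#UNSPECIFIED}.
     *
     * <p>The entry password is supplied only when the requested entity ID
     * equals the locally configured one; the encryption usage then uses the
     * configured encryption credential password and every other usage the
     * configured (signing) credential password. Other entity IDs are looked up
     * without a password.
     *
     * @param  criteriaSet the criteria; must contain an
     *         {@link EntityIdCriterion}
     * @return a singleton with the credential, or an empty set if no entry
     *         exists under the alias or the entry type is not supported by
     *         {@link #_buildCredential}
     * @throws IllegalArgumentException if {@code criteriaSet} has no
     *         {@link EntityIdCriterion}
     * @throws CredentialAuthException if the key store cannot be opened or the
     *         entry cannot be unlocked
     */
    @Override
    public Iterable<Credential> resolve(CriteriaSet criteriaSet) throws SecurityException {
        _checkCriteriaRequirements(criteriaSet);
        String entityId = criteriaSet.get(EntityIdCriterion.class).getEntityId();
        UsageCriterion usageCriterion = criteriaSet.get(UsageCriterion.class);
        UsageType usageType = (usageCriterion != null) ? usageCriterion.getUsage() : UsageType.UNSPECIFIED;

        SamlProviderConfiguration samlProviderConfiguration = _getSamlProviderConfiguration();
        String password = null;
        if (entityId.equals(samlProviderConfiguration.entityId())) {
            // Only the local entity's own entries are protected by a configured password.
            password = (usageType == UsageType.ENCRYPTION) ? samlProviderConfiguration.keyStoreEncryptionCredentialPassword() : samlProviderConfiguration.keyStoreCredentialPassword();
        }

        KeyStore.Entry entry = _getKeyStoreEntry(_getAlias(entityId, usageType), password);
        if (entry == null) {
            return Collections.emptySet();
        }
        Credential credential = _buildCredential(entry, entityId, usageType);
        if (credential == null) {
            // Unsupported entry type: report "nothing resolved" rather than a set holding null.
            return Collections.emptySet();
        }
        return Collections.singleton(credential);
    }

    /**
     * Stores {@code privateKey} and its certificate as the local entity's
     * entry for {@code certificateUsage}, protected by {@code password}, and
     * persists the key store through the {@link KeyStoreManager}.
     *
     * @param  privateKey the private key to store
     * @param  password the entry password
     * @param  x509Certificate the certificate that forms the single-element
     *         chain of the entry
     * @param  certificateUsage the usage that selects the alias; must be
     *         {@code SIGNING} or {@code ENCRYPTION}
     * @throws Exception if the key store cannot be loaded, the entry cannot be
     *         written, or saving fails
     * @throws NullPointerException if {@code password} is {@code null} or
     *         {@code certificateUsage} maps to no {@link UsageType}
     */
    public void storeLocalEntityCertificate(PrivateKey privateKey, String password, X509Certificate x509Certificate, LocalEntityManager.CertificateUsage certificateUsage) throws Exception {
        KeyStore keyStore = _keyStoreManager.getKeyStore();
        String alias = _getAlias(getLocalEntityId(), _getUsageType(certificateUsage));
        KeyStore.PrivateKeyEntry privateKeyEntry = new KeyStore.PrivateKeyEntry(privateKey, new Certificate[] {x509Certificate});
        KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(password.toCharArray());
        try {
            keyStore.setEntry(alias, privateKeyEntry, passwordProtection);
        }
        finally {
            // The JDK key store types consume the password inside setEntry, so the copy can be zeroed before saving.
            _destroyPasswordProtection(passwordProtection);
        }
        _keyStoreManager.saveKeyStore(keyStore);
    }

    /**
     * Builds an OpenSAML credential from a key store entry.
     *
     * @return the credential, or {@code null} for entry types other than
     *         private key, secret key and trusted certificate
     */
    private Credential _buildCredential(KeyStore.Entry entry, String entityId, UsageType usageType) {
        if (entry instanceof KeyStore.PrivateKeyEntry) {
            return _processPrivateKeyEntry((KeyStore.PrivateKeyEntry) entry, entityId, usageType);
        }
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return _processSecretKeyEntry((KeyStore.SecretKeyEntry) entry, entityId, usageType);
        }
        if (entry instanceof KeyStore.TrustedCertificateEntry) {
            return _processTrustedCertificateEntry((KeyStore.TrustedCertificateEntry) entry, entityId, usageType);
        }
        return null;
    }

    /**
     * Rejects criteria sets without an {@link EntityIdCriterion}, since the
     * alias cannot be derived without one.
     *
     * @throws IllegalArgumentException if the criterion is missing
     */
    private void _checkCriteriaRequirements(CriteriaSet criteriaSet) {
        if (criteriaSet.get(EntityIdCriterion.class) == null) {
            throw new IllegalArgumentException("No entity ID criterion was available in criteria set");
        }
    }

    /**
     * Zeroes the password copy held by {@code passwordProtection}.
     *
     * @param passwordProtection the protection to destroy; {@code null} is
     *        accepted and ignored
     */
    private void _destroyPasswordProtection(KeyStore.PasswordProtection passwordProtection) {
        if (passwordProtection == null) {
            return;
        }
        try {
            passwordProtection.destroy();
        }
        catch (DestroyFailedException ignored) {
            // Clearing is best effort: the key store call has already completed and there is nothing further to do here.
        }
    }

    /**
     * Derives the key store alias for {@code entityId}: the entity ID itself
     * for every usage except {@link UsageType#ENCRYPTION}, which appends
     * {@value #_ENCRYPTION_ALIAS_SUFFIX}.
     *
     * @throws NullPointerException if {@code usageType} is {@code null}
     */
    private String _getAlias(String entityId, UsageType usageType) {
        Objects.requireNonNull(usageType, "usageType");
        if (usageType == UsageType.ENCRYPTION) {
            return entityId + _ENCRYPTION_ALIAS_SUFFIX;
        }
        return entityId;
    }

    /**
     * Walks the cause chain of {@code throwable} (excluding
     * {@code throwable} itself) and returns the first cause assignable to
     * {@code type}.
     *
     * @return the matching cause, or {@code null} if {@code throwable} is
     *         {@code null} or no cause matches
     */
    private <T> T _getCauseThrowable(Throwable throwable, Class<T> type) {
        if (throwable == null) {
            return null;
        }
        Throwable cause = throwable.getCause();
        while (cause != null) {
            if (type.isInstance(cause)) {
                return type.cast(cause);
            }
            cause = cause.getCause();
        }
        return null;
    }

    /**
     * Reads the entry stored under {@code alias}, unlocking it with
     * {@code password} when one is given.
     *
     * <p>Key store failures are mapped to {@link CredentialAuthException}
     * subtypes: a direct {@link UnrecoverableKeyException} means the entry
     * password is wrong; a {@link KeyStoreException} caused by an
     * {@link UnrecoverableKeyException} means the key store password is wrong;
     * any other {@link KeyStoreException} means the key store could not be
     * loaded; everything else is reported as a general failure. The password
     * copy handed to the key store is zeroed before returning.
     *
     * @param  alias the entry alias
     * @param  password the entry password, or {@code null} to read without one
     * @return the entry, or {@code null} if none exists under {@code alias}
     * @throws CredentialAuthException as described above
     */
    private KeyStore.Entry _getKeyStoreEntry(String alias, String password) throws CredentialAuthException {
        KeyStore.PasswordProtection passwordProtection = null;
        if (password != null) {
            passwordProtection = new KeyStore.PasswordProtection(password.toCharArray());
        }
        try {
            return _keyStoreManager.getKeyStore().getEntry(alias, passwordProtection);
        }
        catch (UnrecoverableKeyException e) {
            throw new CredentialAuthException.InvalidCredentialPassword(_formatAuthMessage("Company %s used an incorrect key credential password to an entry in the SAML key store provided by %s"), e);
        }
        catch (KeyStoreException e) {
            UnrecoverableKeyException unrecoverableKeyException = _getCauseThrowable(e, UnrecoverableKeyException.class);
            if (unrecoverableKeyException != null) {
                throw new CredentialAuthException.InvalidKeyStorePassword(_formatAuthMessage("Company %s used an incorrect password to access the key store provided by %s"), unrecoverableKeyException);
            }
            throw new CredentialAuthException.InvalidKeyStore(_formatAuthMessage("Company %s could not load the SAML key store provided by %s"), e);
        }
        catch (GeneralSecurityException e) {
            throw new CredentialAuthException.GeneralCredentialAuthException(_formatAuthMessage("Unknown exception thrown for company %s using %s"), e);
        }
        finally {
            _destroyPasswordProtection(passwordProtection);
        }
    }

    /**
     * Formats an authentication failure message whose two {@code %s}
     * placeholders are the current company ID and the simple class name of the
     * key store manager. The message never includes the password.
     */
    private String _formatAuthMessage(String template) {
        long companyId = CompanyThreadLocal.getCompanyId().longValue();
        String keyStoreManagerName = _keyStoreManager.getClass().getSimpleName();
        return String.format(template, Long.valueOf(companyId), keyStoreManagerName);
    }

    /**
     * Returns the current SAML provider configuration from the helper.
     */
    private SamlProviderConfiguration _getSamlProviderConfiguration() {
        return _samlProviderConfigurationHelper.getSamlProviderConfiguration();
    }

    /**
     * Maps a certificate usage to the OpenSAML usage type.
     *
     * @return {@link UsageType#ENCRYPTION} or {@link UsageType#SIGNING}, or
     *         {@code null} for any other value (including {@code null})
     */
    private UsageType _getUsageType(LocalEntityManager.CertificateUsage certificateUsage) {
        if (certificateUsage == LocalEntityManager.CertificateUsage.ENCRYPTION) {
            return UsageType.ENCRYPTION;
        }
        if (certificateUsage == LocalEntityManager.CertificateUsage.SIGNING) {
            return UsageType.SIGNING;
        }
        return null;
    }

    /**
     * Builds an X.509 credential carrying the private key, leaf certificate
     * and full chain of a private key entry.
     *
     * @throws ClassCastException if a certificate in the entry is not an
     *         {@link X509Certificate}
     */
    private Credential _processPrivateKeyEntry(KeyStore.PrivateKeyEntry privateKeyEntry, String entityId, UsageType usageType) {
        Certificate[] chain = privateKeyEntry.getCertificateChain();
        // Convert element by element instead of casting the array: an array cast only succeeds when the key store happened to hand back an X509Certificate[].
        List<X509Certificate> x509Chain = new ArrayList<>(chain.length);
        for (Certificate certificate : chain) {
            x509Chain.add((X509Certificate) certificate);
        }
        BasicX509Credential credential = new BasicX509Credential((X509Certificate) privateKeyEntry.getCertificate());
        credential.setEntityCertificateChain(x509Chain);
        credential.setEntityId(entityId);
        credential.setPrivateKey(privateKeyEntry.getPrivateKey());
        credential.setUsageType(usageType);
        return credential;
    }

    /**
     * Builds a symmetric-key credential from a secret key entry.
     */
    private Credential _processSecretKeyEntry(KeyStore.SecretKeyEntry secretKeyEntry, String entityId, UsageType usageType) {
        BasicCredential credential = new BasicCredential(secretKeyEntry.getSecretKey());
        credential.setEntityId(entityId);
        credential.setUsageType(usageType);
        return credential;
    }

    /**
     * Builds an X.509 credential (no private key) whose chain is the single
     * trusted certificate of the entry.
     *
     * @throws ClassCastException if the trusted certificate is not an
     *         {@link X509Certificate}
     */
    private Credential _processTrustedCertificateEntry(KeyStore.TrustedCertificateEntry trustedCertificateEntry, String entityId, UsageType usageType) {
        X509Certificate x509Certificate = (X509Certificate) trustedCertificateEntry.getTrustedCertificate();
        BasicX509Credential credential = new BasicX509Credential(x509Certificate);
        credential.setEntityCertificateChain(Arrays.asList(x509Certificate));
        credential.setEntityId(entityId);
        credential.setUsageType(usageType);
        return credential;
    }
}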
