package com.emc.vipr.transform.encryption;

import com.emc.vipr.transform.InputTransform;
import com.emc.vipr.transform.OutputTransform;
import com.emc.vipr.transform.TransformConstants;
import com.emc.vipr.transform.TransformException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/emc/vipr/transform/encryption/KeyStoreEncryptionFactory.class */
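/**
 * {@link EncryptionTransformFactory} whose master (key-encrypting) RSA key pairs are held in a
 * {@link KeyStore}.
 *
 * <p>Every alias in the keystore is fingerprinted at construction time (the X.509 Subject Key
 * Identifier when the certificate carries one, otherwise an RSA public-key fingerprint computed by
 * {@code KeyUtils.getRsaPublicKeyFingerprint}) and recorded in a fingerprint-to-alias map. Objects
 * record the fingerprint of the master key that wrapped their object key under
 * {@code TransformConstants.META_ENCRYPTION_KEY_ID}; {@link #getInputTransform} and
 * {@link #rekey} use that map to locate the private key needed to unwrap it.
 *
 * <p>Not synchronized: {@link #setMasterEncryptionKeyAlias} assigns the alias and its fingerprint
 * as two separate writes, so a concurrent reader may observe them out of step.
 */
public class KeyStoreEncryptionFactory extends EncryptionTransformFactory<BasicEncryptionOutputTransform, BasicEncryptionInputTransform> {
    private static final Logger logger = LoggerFactory.getLogger(KeyStoreEncryptionFactory.class);

    /** OID of the X.509 Subject Key Identifier extension (id-ce-subjectKeyIdentifier). */
    private static final String SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";

    private final KeyStore keyStore;
    private String masterEncryptionKeyAlias;
    private String masterEncryptionKeyFingerprint;
    // Held by reference, not copied: the caller owns the array and is responsible for clearing it
    // once this factory is no longer needed (every getKeyPair() call reads it).
    private final char[] masterKeyPassword;
    // Key fingerprint (as written to object metadata) -> keystore alias, for every alias seen at
    // construction plus any alias later installed via setMasterEncryptionKeyAlias().
    private final Map<String, String> idToAliasMap;

    /**
     * Creates a factory using the default JCE provider.
     *
     * @param keyStore keystore holding the master key pairs
     * @param masterEncryptionKeyAlias alias of the key pair used to wrap new object keys
     * @param masterKeyPassword password that unlocks the private keys in {@code keyStore}
     * @throws InvalidKeyException if {@code masterEncryptionKeyAlias} is not present in the keystore
     * @throws TransformException if the keystore cannot be read
     */
    public KeyStoreEncryptionFactory(KeyStore keyStore, String masterEncryptionKeyAlias, char[] masterKeyPassword)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, TransformException {
        this(keyStore, masterEncryptionKeyAlias, masterKeyPassword, null);
    }

    /**
     * Creates a factory backed by {@code keyStore}, fingerprinting every alias it contains.
     *
     * @param keyStore keystore holding the master key pairs
     * @param masterEncryptionKeyAlias alias of the key pair used to wrap new object keys
     * @param masterKeyPassword password that unlocks the private keys in {@code keyStore}
     * @param provider JCE provider to use for key operations, or {@code null} for the default
     * @throws InvalidKeyException if {@code masterEncryptionKeyAlias} is not present in the keystore
     * @throws NoSuchAlgorithmException if a fingerprint cannot be computed with the given provider
     * @throws TransformException if the keystore cannot be read or an entry has no usable certificate
     */
    public KeyStoreEncryptionFactory(KeyStore keyStore, String masterEncryptionKeyAlias, char[] masterKeyPassword, Provider provider)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, TransformException {
        this.keyStore = keyStore;
        this.masterEncryptionKeyAlias = masterEncryptionKeyAlias;
        this.masterKeyPassword = masterKeyPassword;
        this.idToAliasMap = new HashMap<>();
        this.provider = provider;

        boolean hasMasterAlias;
        try {
            hasMasterAlias = keyStore.containsAlias(masterEncryptionKeyAlias);
        } catch (KeyStoreException e) {
            throw new TransformException("Could not access KeyStore", e);
        }
        if (!hasMasterAlias) {
            throw new InvalidKeyException("No certificate found in keystore for alias " + masterEncryptionKeyAlias);
        }

        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                String fingerprint = getFingerprint(alias);
                String previousAlias = this.idToAliasMap.put(fingerprint, alias);
                if (previousAlias != null) {
                    // Two entries with the same public key: the later alias wins, as before, but a
                    // collision makes key lookup ambiguous and is worth surfacing.
                    logger.warn("Aliases {} and {} share key fingerprint {}; using {}", previousAlias, alias, fingerprint, alias);
                }
                if (alias.equals(masterEncryptionKeyAlias)) {
                    this.masterEncryptionKeyFingerprint = fingerprint;
                }
            }
        } catch (KeyStoreException e) {
            throw new TransformException("Could not init factory from KeyStore", e);
        }
    }

    /**
     * Computes the identifier under which the key pair at {@code alias} is referenced in object
     * metadata: the certificate's Subject Key Identifier (hex) if present, otherwise an RSA
     * public-key fingerprint.
     *
     * @throws KeyStoreException if the alias has no certificate or its key is not an RSA key, or
     *     the keystore cannot be read
     */
    private String getFingerprint(String alias) throws KeyStoreException, NoSuchAlgorithmException {
        Certificate certificate = this.keyStore.getCertificate(alias);
        if (certificate == null) {
            // containsAlias()/aliases() also report secret-key entries, which have no certificate;
            // without this check the dereference below throws a bare NullPointerException.
            throw new KeyStoreException("No certificate found in keystore for alias " + alias);
        }
        if (certificate instanceof X509Certificate) {
            byte[] skiExtension = ((X509Certificate) certificate).getExtensionValue(SUBJECT_KEY_IDENTIFIER_OID);
            if (skiExtension != null) {
                String ski = KeyUtils.toHexPadded(KeyUtils.extractSubjectKeyIdentifier(skiExtension));
                // SLF4J placeholders are {}, not printf-style %s.
                logger.debug("Alias {} Subject Key Identifier: {}", alias, ski);
                return ski;
            }
            logger.debug("Certificate does not have SKI.  Computing fingerprint.");
        }
        if (!(certificate.getPublicKey() instanceof RSAPublicKey)) {
            throw new KeyStoreException("Key for alias " + alias + " is not an RSA key");
        }
        return KeyUtils.getRsaPublicKeyFingerprint((RSAPublicKey) certificate.getPublicKey(), this.provider);
    }

    /**
     * Re-wraps an object's encrypted object key with the current master key.
     *
     * <p>The object key is unwrapped with the private key whose fingerprint is stored in the
     * metadata, wrapped again with the current master public key, and the metadata signature is
     * recomputed over the updated metadata (the previous signature is removed before signing, so
     * the signature never covers itself). The input map is not modified.
     *
     * @param map the object's current metadata
     * @return a new metadata map carrying the re-wrapped key, the current master key ID and a
     *     fresh signature
     * @throws DoesNotNeedRekeyException if the object is already wrapped with the current master key
     * @throws TransformException if the metadata is incomplete, the old master key is unknown, or
     *     a cryptographic operation fails
     */
    @Override
    public Map<String, String> rekey(Map<String, String> map) throws TransformException, DoesNotNeedRekeyException {
        String oldKeyId = map.get(TransformConstants.META_ENCRYPTION_KEY_ID);
        if (oldKeyId == null) {
            throw new TransformException("Metadata does not contain a master key ID");
        }
        if (oldKeyId.equals(this.masterEncryptionKeyFingerprint)) {
            logger.info("Object is already using the current master key");
            throw new DoesNotNeedRekeyException("Object is already using the current master key");
        }
        String oldAlias = this.idToAliasMap.get(oldKeyId);
        if (oldAlias == null) {
            throw new TransformException("Master key with fingerprint " + oldKeyId + " not found");
        }
        KeyPair oldMasterKeyPair = getKeyPair(oldAlias);

        String wrappedObjectKey = map.get(TransformConstants.META_ENCRYPTION_OBJECT_KEY);
        if (wrappedObjectKey == null) {
            throw new TransformException("Encrypted object key not found");
        }
        SecretKey objectKey = KeyUtils.decryptKey(wrappedObjectKey, getEncryptionAlgorithm(), this.provider, oldMasterKeyPair.getPrivate());
        KeyPair currentMasterKeyPair = getKeyPair(this.masterEncryptionKeyAlias);

        try {
            String rewrappedObjectKey = KeyUtils.encryptKey(objectKey, this.provider, currentMasterKeyPair.getPublic());
            Map<String, String> result = new HashMap<>(map);
            result.remove(TransformConstants.META_ENCRYPTION_META_SIG);
            result.put(TransformConstants.META_ENCRYPTION_OBJECT_KEY, rewrappedObjectKey);
            result.put(TransformConstants.META_ENCRYPTION_KEY_ID, this.masterEncryptionKeyFingerprint);
            result.put(TransformConstants.META_ENCRYPTION_META_SIG,
                    KeyUtils.signMetadata(result, (RSAPrivateKey) currentMasterKeyPair.getPrivate(), this.provider));
            return result;
        } catch (GeneralSecurityException e) {
            throw new TransformException("Error encrypting key: " + e, e);
        }
    }

    /**
     * Loads the certificate and private key stored under {@code alias}, unlocking the private key
     * with the master key password.
     *
     * @throws TransformException if either half is missing, the entry is not a private-key entry,
     *     or the keystore cannot be read
     */
    private KeyPair getKeyPair(String alias) throws TransformException {
        try {
            Certificate certificate = this.keyStore.getCertificate(alias);
            Key key = this.keyStore.getKey(alias, this.masterKeyPassword);
            // Error messages name the alias actually requested; the original reported the master
            // alias even when a different (older) alias was being loaded for decryption.
            if (certificate == null) {
                throw new TransformException("Certificate for alias " + alias + " not found");
            }
            if (key == null) {
                throw new TransformException("Private key for alias " + alias + " not found");
            }
            if (!(key instanceof PrivateKey)) {
                // getKey() also returns SecretKey for secret-key entries; an unchecked cast would
                // surface that as a ClassCastException.
                throw new TransformException("Entry for alias " + alias + " is not a private key");
            }
            return new KeyPair(certificate.getPublicKey(), (PrivateKey) key);
        } catch (KeyStoreException e) {
            throw new TransformException("Could not access keystore", e);
        } catch (NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new TransformException("Error loading private key from keystore", e);
        }
    }

    /**
     * Creates an output transform that encrypts data written to {@code outputStream} with a fresh
     * object key wrapped by the current master key pair.
     */
    @Override
    public BasicEncryptionOutputTransform getOutputTransform(OutputStream outputStream, Map<String, String> map) throws IOException, TransformException {
        return new BasicEncryptionOutputTransform(outputStream, map, this.masterEncryptionKeyFingerprint,
                getKeyPair(this.masterEncryptionKeyAlias), this.encryptionTransform, this.keySize, this.provider);
    }

    /**
     * Creates an output transform that encrypts data read from {@code inputStream} with a fresh
     * object key wrapped by the current master key pair.
     */
    @Override
    public BasicEncryptionOutputTransform getOutputTransform(InputStream inputStream, Map<String, String> map) throws IOException, TransformException {
        return new BasicEncryptionOutputTransform(inputStream, map, this.masterEncryptionKeyFingerprint,
                getKeyPair(this.masterEncryptionKeyAlias), this.encryptionTransform, this.keySize, this.provider);
    }

    /**
     * Creates an input transform that decrypts {@code inputStream} using the master key pair whose
     * fingerprint is recorded in the object's metadata.
     *
     * @param transformConfig transform configuration string of the form {@code class:config}
     * @param inputStream the encrypted data
     * @param map the object's metadata
     * @throws TransformException if the configuration is malformed or names a different transform
     *     class, the metadata has no master key ID, or no keystore entry matches that ID
     */
    @Override
    public BasicEncryptionInputTransform getInputTransform(String transformConfig, InputStream inputStream, Map<String, String> map) throws IOException, TransformException {
        String[] configParts = splitTransformConfig(transformConfig);
        if (configParts.length != 2) {
            throw new TransformException("Invalid transform configuration: " + transformConfig);
        }
        if (!TransformConstants.ENCRYPTION_CLASS.equals(configParts[0])) {
            throw new TransformException("Unsupported transform class: " + configParts[0]);
        }
        String keyId = map.get(TransformConstants.META_ENCRYPTION_KEY_ID);
        if (keyId == null) {
            throw new TransformException("Could not decrypt object. No master key ID set on object.");
        }
        String alias = this.idToAliasMap.get(keyId);
        if (alias == null) {
            throw new TransformException("Could not find master key for ID " + keyId);
        }
        return new BasicEncryptionInputTransform(configParts[1], inputStream, map, getKeyPair(alias), this.provider);
    }

    /** @return alias of the key pair currently used to wrap new object keys */
    public String getMasterEncryptionKeyAlias() {
        return this.masterEncryptionKeyAlias;
    }

    /**
     * Switches the master key to the keystore entry at {@code alias}. Objects written afterwards
     * are wrapped with the new key; objects written earlier remain readable because their aliases
     * stay in the fingerprint map.
     *
     * @param alias alias of the new master key pair; must already exist in the keystore
     * @throws TransformException if the alias is absent, has no usable certificate, or the
     *     keystore cannot be read
     */
    public void setMasterEncryptionKeyAlias(String alias) throws TransformException {
        try {
            if (!this.keyStore.containsAlias(alias)) {
                throw new TransformException("Certificate with alias " + alias + " not found in keystore");
            }
            String fingerprint = getFingerprint(alias);
            // Register the alias so that objects wrapped with it can be located by fingerprint even
            // when the entry was added to the keystore after this factory was constructed.
            this.idToAliasMap.put(fingerprint, alias);
            this.masterEncryptionKeyFingerprint = fingerprint;
            this.masterEncryptionKeyAlias = alias;
        } catch (KeyStoreException e) {
            throw new TransformException("Could not access keystore", e);
        } catch (NoSuchAlgorithmException e) {
            // Preserve the cause; the original dropped it.
            throw new TransformException("Could not load certificate for alias " + alias, e);
        }
    }

    // The raw-Map bridge overloads of getInputTransform/getOutputTransform that appear in the
    // decompiled class are synthetic; javac regenerates them from the generic overrides above.
}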
