package com.ibm.ws.crypto.config;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.crypto.KeyException;
import com.ibm.websphere.crypto.KeyPair;
import com.ibm.websphere.crypto.KeyPairGenerator;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.WSKeyStore;
import com.ibm.ws.ssl.core.Constants;
import com.ibm.ws.ssl.core.TraceNLSHelper;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/crypto/config/WSKeyPairReference.class */
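/**
 * A {@link KeyReference} that resolves to a {@link KeyPair} stored in a WebSphere-managed keystore.
 *
 * <p>The pair is resolved lazily by {@link #getKeyPair()}: it is first looked up in the keystore
 * (either as a private-key entry with a certificate chain under the reference's alias, or as two
 * {@code SecretKey} entries under {@code alias + "_private"} / {@code alias + "_public"}). If it
 * is absent and the keystore is writable, it is generated by the {@link KeyPairGenerator} whose
 * class name comes from the owning {@link WSKeySet} and written back to the keystore file.
 * A pair supplied by a caller is written to the keystore via {@link #importKeyPair}.
 *
 * <p>Security-relevant points:
 * <ul>
 *   <li>The generator class is instantiated by name ({@code Class.forName}) from the KeySet
 *       configuration, first with this class's loader and then with the thread context class
 *       loader. That configuration is therefore the trust boundary for code loading.</li>
 *   <li>The keystore is rewritten in place at the configured {@code com.ibm.ssl.keyStore} path,
 *       truncating the existing file first. NOTE(review): a failure between truncation and a
 *       completed {@code KeyStore.store} leaves a damaged keystore on disk; writing to a temporary
 *       file and renaming would be safer — confirm whether the surrounding management layer
 *       already protects against this.</li>
 * </ul>
 *
 * <p>Thread-safety: none is provided; {@code keyPair} and the cached generator are plain fields.
 */
public class WSKeyPairReference extends KeyReference {
    private static final TraceComponent tc = Tr.register((Class<?>) WSKeyPairReference.class, "SSL", "com.ibm.ws.ssl.resources.ssl");

    /** Alias suffixes used when a pair without a certificate chain is stored as two SecretKey entries. */
    private static final String PRIVATE_ALIAS_SUFFIX = "_private";
    private static final String PUBLIC_ALIAS_SUFFIX = "_public";

    // Resolved pair; null until read from the keystore or generated.
    private KeyPair keyPair = null;
    // Cached, initialised generator instance; null until first generation.
    private KeyPairGenerator keyPairGenerationClassImpl = null;
    // Fully qualified generator class name from the KeySet; may be null or empty when generation is not configured.
    private String keyGenerationClass = null;

    /**
     * Creates a reference whose pair will be resolved lazily.
     *
     * @param keyReference the configuration model element describing this reference
     * @param wSKeySet     the owning key set (supplies the generator class name)
     * @param wSKeyStore   the keystore the pair lives in
     */
    public WSKeyPairReference(com.ibm.websphere.models.config.ipc.ssl.KeyReference keyReference, WSKeySet wSKeySet, WSKeyStore wSKeyStore) {
        super(keyReference, wSKeySet, wSKeyStore);
        this.keyGenerationClass = wSKeySet.getKeyGenerationClass();
        traceConstructed();
    }

    /**
     * Creates a reference and immediately imports {@code keyPair} into the keystore.
     *
     * @throws KeyException if the import fails; non-{@code KeyException} causes are wrapped
     */
    public WSKeyPairReference(com.ibm.websphere.models.config.ipc.ssl.KeyReference keyReference, KeyPair keyPair, WSKeySet wSKeySet, WSKeyStore wSKeyStore) throws KeyException {
        super(keyReference, wSKeySet, wSKeyStore);
        initializeWithKeyPair(keyPair, wSKeySet, wSKeyStore);
    }

    /**
     * Creates a reference from a {@link SecurityConfigObject}; the pair is resolved lazily.
     */
    public WSKeyPairReference(SecurityConfigObject securityConfigObject, WSKeySet wSKeySet, WSKeyStore wSKeyStore) {
        super(securityConfigObject, wSKeySet, wSKeyStore);
        this.keyGenerationClass = wSKeySet.getKeyGenerationClass();
        traceConstructed();
    }

    /**
     * Creates a reference from a {@link SecurityConfigObject} and immediately imports {@code keyPair}.
     *
     * @throws KeyException if the import fails; non-{@code KeyException} causes are wrapped
     */
    public WSKeyPairReference(SecurityConfigObject securityConfigObject, KeyPair keyPair, WSKeySet wSKeySet, WSKeyStore wSKeyStore) throws KeyException {
        super(securityConfigObject, wSKeySet, wSKeyStore);
        initializeWithKeyPair(keyPair, wSKeySet, wSKeyStore);
    }

    // Entry/exit trace for the lazily-resolving constructors.
    private void traceConstructed() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "WSKeyPairReference");
            Tr.exit(tc, "WSKeyPairReference", new Object[]{toString()});
        }
    }

    // Shared body of the two importing constructors: record the generator class and write the pair.
    private void initializeWithKeyPair(KeyPair keyPair, WSKeySet wSKeySet, WSKeyStore wSKeyStore) throws KeyException {
        final String method = "WSKeyPairReference (with keyPair)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, method);
        }
        try {
            this.keyGenerationClass = wSKeySet.getKeyGenerationClass();
            importKeyPair(keyPair, wSKeyStore.getKeyStore(false, false));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, method, new Object[]{toString()});
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSKeyPairReference import key initialization failed.", new Object[]{e});
            }
            throw asKeyException(e);
        }
    }

    /**
     * Returns the referenced pair, resolving it through the default {@link KeyStoreManager} on first use.
     *
     * @return the pair, or {@code null} if the keystore could not be obtained or the pair is absent
     *         and cannot be generated
     * @throws KeyException if reading or generating the pair fails
     */
    public KeyPair getKeyPair() throws KeyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyPair");
        }
        if (this.keyPair == null) {
            getKeyPair(KeyStoreManager.getInstance());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyPair");
        }
        return this.keyPair;
    }

    /**
     * Resolves the pair from the keystore obtained through {@code keyStoreManager}, generating it
     * when absent and the keystore is writable.
     *
     * <p>A {@code null} keystore from the manager is not an error here: the current value of
     * {@code keyPair} (normally {@code null}) is returned unchanged.
     *
     * @return the resolved pair, or {@code null}
     * @throws KeyException on any failure (logged as CWPKI0201E); other exception types are wrapped
     */
    KeyPair getKeyPair(KeyStoreManager keyStoreManager) throws KeyException {
        try {
            WSKeyStore wsKeyStore = getWSKeyStore();
            KeyStore keyStore = keyStoreManager.getKeyStore(
                    wsKeyStore.getProperty(Constants.SSLPROP_KEY_STORE_NAME),
                    wsKeyStore.getProperty("com.ibm.ssl.keyStoreType"),
                    wsKeyStore.getProperty("com.ibm.ssl.keyStoreProvider"),
                    wsKeyStore.getProperty("com.ibm.ssl.keyStore"),
                    wsKeyStore.getProperty("com.ibm.ssl.keyStorePassword"),
                    wsKeyStore.getProperty(Constants.SSLPROP_KEY_STORE_MGMT_SCOPE),
                    true, null);
            if (keyStore != null) {
                boolean foundAsSecretEntries = false;
                String keyAlias = getKeyAlias();
                char[] entryPassword = getPassword().toCharArray();
                Key key = keyStore.getKey(keyAlias, entryPassword);
                Certificate[] certificateChain = keyStore.getCertificateChain(keyAlias);
                if (certificateChain != null && key != null) {
                    debug("Creating a KeyPair from Certificate Chain and privateKey retrieved from KeyStore.");
                    this.keyPair = new KeyPair(certificateChain, (PrivateKey) key);
                } else {
                    // Fallback layout: both halves stored as SecretKey entries (see storeKeyPairEntries).
                    Key privateEntry = keyStore.getKey(keyAlias + PRIVATE_ALIAS_SUFFIX, entryPassword);
                    Key publicEntry = keyStore.getKey(keyAlias + PUBLIC_ALIAS_SUFFIX, entryPassword);
                    if (privateEntry != null && publicEntry != null) {
                        debug("Creating a KeyPair from publicKey and privateKey retrieved from KeyStore.");
                        this.keyPair = new KeyPair(publicEntry, privateEntry);
                        foundAsSecretEntries = true;
                    }
                }
                // NOTE(review): foundAsSecretEntries can only be true after keyPair was just assigned,
                // so the JCEKS check inside isValidKeyStoreType is not reached from this call site.
                // Kept as-is to preserve the existing flow — confirm intent against the original source.
                if (this.keyPair == null && isValidKeyStoreType(foundAsSecretEntries)) {
                    this.keyPair = initializeReferenceIfNotInKeyStore(keyStore);
                }
            }
            return this.keyPair;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting KeyPair from KeyStore.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.crypto.config.WSKeyPairReference.getKeyPair", "210", this);
            Tr.error(tc, "crypto.key.getkey.error.CWPKI0201E", new Object[]{getKeySetName(), getKeyAlias(), e.getMessage()});
            throw asKeyException(e);
        }
    }

    /**
     * Generates a new pair with the configured {@link KeyPairGenerator}, stores it in
     * {@code keyStore} and persists the keystore to its configured file.
     *
     * <p>Fix relative to the previous implementation: a generated pair that carries a certificate
     * chain is now recorded in {@code keyPair} (previously only the SecretKey layout was, so this
     * method returned {@code null} after a successful generation). The keystore output stream is
     * also closed on the failure path.
     *
     * @param keyStore the keystore to write into; must not be {@code null}
     * @return the pair now held by this reference, or {@code null} if the generator produced a pair
     *         with neither a usable certificate chain nor both key halves
     * @throws KeyException if the keystore is {@code null}, no generator class is configured, the
     *         generator returns {@code null}, or storing fails (logged as CWPKI0200E)
     */
    public KeyPair initializeReferenceIfNotInKeyStore(KeyStore keyStore) throws KeyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initializeReferenceIfNotInKeyStore");
        }
        try {
            requireKeyStore(keyStore, "Cannot generate keys because Java KeyStore cannot be obtained.");
            if (isBlank(this.keyGenerationClass)) {
                debug("Cannot generate keys as auto-generation class is not specified.");
                throw new KeyException("KeyPair is not present and keyGenerationClass is null.");
            }
            KeyPair generated = getKeyPairGeneratorImpl().generateKeyPair();
            if (generated == null) {
                throw new KeyException("KeyPairGenerator " + this.keyGenerationClass + " did not return a KeyPair.");
            }
            KeyPair written = storeKeyPairEntries(generated, keyStore);
            if (written != null) {
                this.keyPair = written;
            }
            persistKeyStore(keyStore);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "initializeReferenceIfNotInKeyStore (generated)");
            }
            return this.keyPair;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception generating Key.", new Object[]{e});
            }
            // Probe id retained verbatim so existing FFDC correlation keeps working.
            Manager.Ffdc.log(e, this, "com.ibm.ws.crypto.config.WSKeySet.generate", "301", this);
            Tr.error(tc, "crypto.key.generate.configuration.error.CWPKI0200E", new Object[]{getKeySetName(), e.getMessage()});
            if (e instanceof KeyException) {
                throw (KeyException) e;
            }
            throw new KeyException(TraceNLSHelper.getInstance().getFormattedMessage("crypto.key.generate.configuration.error.CWPKI0200E", new Object[]{getKeySetName(), e.getMessage()}, "An attempt to generate keys using KeySet " + getKeySetName() + " occurred when the KeySet is not configured to generate keys.  The detailed message is: " + e.getMessage()));
        }
    }

    /**
     * Writes {@code keyPair} into {@code keyStore} under this reference's alias and persists the
     * keystore to its configured file. Does not update the cached {@code keyPair}; a later
     * {@link #getKeyPair()} re-reads it from the keystore.
     *
     * @param keyPair  the pair to import; must not be {@code null}
     * @param keyStore the keystore to write into; must not be {@code null}
     * @throws KeyException if either argument is {@code null} or storing fails (logged as CWPKI0203E)
     */
    public void importKeyPair(KeyPair keyPair, KeyStore keyStore) throws KeyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "importKeyPair");
        }
        try {
            requireKeyStore(keyStore, "Cannot update keys because Java KeyStore cannot be obtained.");
            if (keyPair == null) {
                debug("Cannot updates keys as the KeyPair is not specified.");
                throw new KeyException("KeyPair was not passed in.");
            }
            storeKeyPairEntries(keyPair, keyStore);
            persistKeyStore(keyStore);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "importKeyPair (imported)");
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception updating KeyStore with keys.", new Object[]{e});
            }
            Manager.Ffdc.log(e, this, "com.ibm.ws.crypto.config.WSKeyPairReference.importKeyPair", "389", this);
            Tr.error(tc, "crypto.key.import.error.CWPKI0203E", new Object[]{getKeySetName(), e.getMessage()});
            if (e instanceof KeyException) {
                throw (KeyException) e;
            }
            // The trailing text is presumably only a fallback when the NLS bundle lacks the key; kept verbatim.
            throw new KeyException(TraceNLSHelper.getInstance().getFormattedMessage("crypto.key.import.error.CWPKI0203E", new Object[]{getKeySetName(), e.getMessage()}, "An attempt to generate keys using KeySet " + getKeySetName() + " occurred when the KeySet is not configured to generate keys.  The detailed message is: " + e.getMessage()));
        }
    }

    // Rejects a null keystore with a KeyException and traces the keystore's type/provider.
    private static void requireKeyStore(KeyStore keyStore, String debugMessage) throws KeyException {
        if (keyStore == null) {
            debug(debugMessage);
            throw new KeyException("Java KeyStore is NULL.");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "KeyStore type is \"" + keyStore.getType() + "\" and the provider is \"" + keyStore.getProvider() + "\".");
        }
    }

    /**
     * Stores {@code pair} in {@code keyStore} under this reference's alias.
     *
     * <p>With a certificate chain the private key is stored as a normal key entry. Without one,
     * the encoded private and public keys are each wrapped in a {@link SecretKeySpec} and stored
     * as SecretKey entries under {@code alias + "_private"} / {@code alias + "_public"}; a pair
     * re-read from that layout therefore holds {@code SecretKeySpec} objects rather than
     * {@code PrivateKey}/{@code PublicKey} instances.
     *
     * @return the pair as stored ({@code pair} itself for the certificate layout, a new
     *         SecretKeySpec-backed pair for the split layout), or {@code null} if nothing was stored
     */
    private KeyPair storeKeyPairEntries(KeyPair pair, KeyStore keyStore) throws Exception {
        String keyAlias = getKeyAlias();
        String password = getPassword();
        Key privateKey = pair.getPrivateKey();
        Key publicKey = pair.getPublicKey();
        Certificate[] certificateChain = pair.getCertificateChain();
        if (certificateChain != null && privateKey != null) {
            debug("Setting public/private key using alias: " + keyAlias);
            keyStore.setKeyEntry(keyAlias, privateKey, password.toCharArray(), certificateChain);
            return pair;
        }
        if (privateKey != null && publicKey != null) {
            String privateAlias = keyAlias + PRIVATE_ALIAS_SUFFIX;
            Key privateSpec = new SecretKeySpec(privateKey.getEncoded(), privateKey.getAlgorithm());
            debug("Setting private key (as secret) using alias: " + privateAlias);
            keyStore.setKeyEntry(privateAlias, privateSpec, password.toCharArray(), null);
            String publicAlias = keyAlias + PUBLIC_ALIAS_SUFFIX;
            Key publicSpec = new SecretKeySpec(publicKey.getEncoded(), publicKey.getAlgorithm());
            debug("Setting public key (as secret) using alias: " + publicAlias);
            keyStore.setKeyEntry(publicAlias, publicSpec, password.toCharArray(), null);
            return new KeyPair(publicSpec, privateSpec);
        }
        return null;
    }

    // Writes the keystore to its configured file; the stream is closed on every path.
    private void persistKeyStore(KeyStore keyStore) throws Exception {
        String keyStorePath = getWSKeyStore().getProperty("com.ibm.ssl.keyStore");
        String keyStorePassword = getWSKeyStore().getProperty("com.ibm.ssl.keyStorePassword");
        FileOutputStream out = new FileOutputStream(keyStorePath);
        try {
            keyStore.store(out, keyStorePassword.toCharArray());
        } finally {
            try {
                out.close();
            } catch (Exception ignored) {
                // Best-effort close: the outcome of store() is what the caller needs to see.
            }
        }
    }

    /**
     * Returns the configured generator, instantiating and initialising it on first use.
     *
     * <p>The instance is cached only after {@link KeyPairGenerator#init} has succeeded, so a
     * generator whose initialisation failed is not handed out on a later call.
     *
     * @throws Exception if no class is configured (logged as CWPKI0202E), the class cannot be
     *         loaded with either class loader, or it does not implement {@link KeyPairGenerator}
     */
    private KeyPairGenerator getKeyPairGeneratorImpl() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyGeneratorImpl");
        }
        if (this.keyPairGenerationClassImpl != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getKeyGeneratorImpl");
            }
            return this.keyPairGenerationClassImpl;
        }
        if (isBlank(this.keyGenerationClass)) {
            Tr.error(tc, "crypto.key.generate.configuration.error.CWPKI0202E", new Object[]{getKeySetName()});
            throw new KeyException(TraceNLSHelper.getInstance().getFormattedMessage("crypto.key.generate.configuration.error.CWPKI0202E", new Object[]{getKeySetName()}, "An attempt to generate keys using KeySet " + getKeySetName() + " occurred when the KeySet is not configured to generate keys."));
        }
        Object candidate = loadGeneratorInstance();
        if (!(candidate instanceof KeyPairGenerator)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getKeyGeneratorImpl is not an implementation of KeyPairGenerator.");
            }
            throw new KeyException("The custom key generator class " + this.keyGenerationClass + " is not an implementation of com.ibm.websphere.crypto.KeyPairGenerator.");
        }
        debug("Instantiating new KeyPairGenerator: " + this.keyGenerationClass);
        KeyPairGenerator generator = (KeyPairGenerator) candidate;
        if (getWSKeySet().getCustomProperties() != null) {
            generator.init(getWSKeySet().getCustomProperties());
        }
        this.keyPairGenerationClassImpl = generator;
        return generator;
    }

    // Instantiates the configured class name: first with this class's loader, then with the
    // thread context class loader. The class name is administrator configuration, not user input.
    private Object loadGeneratorInstance() throws Exception {
        try {
            return Class.forName(this.keyGenerationClass).newInstance();
        } catch (Exception e) {
            debug("Could not load using class using current class loader.");
        }
        // Failures of the second attempt propagate to the caller.
        return Class.forName(this.keyGenerationClass, true, Thread.currentThread().getContextClassLoader()).newInstance();
    }

    /**
     * Decides whether a missing pair may be generated into the keystore.
     *
     * @param requireJceks when {@code true}, additionally require the keystore type to be JCEKS
     * @return {@code false} if there is no keystore, it is flagged read-only, or (when required)
     *         its type is set and is not JCEKS; {@code true} otherwise
     */
    private boolean isValidKeyStoreType(boolean requireJceks) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isValidKeyStoreType");
        }
        if (getWSKeyStore() == null) {
            return traceExit("isValidKeyStoreType (null keystore) -> false", false);
        }
        // The trust-store property is consulted only when the key-store one is unset.
        String readOnly = getWSKeyStore().getProperty(Constants.SSLPROP_KEY_STORE_READ_ONLY);
        if (isBlank(readOnly)) {
            readOnly = getWSKeyStore().getProperty(Constants.SSLPROP_TRUST_STORE_READ_ONLY);
        }
        if ("true".equals(readOnly)) {
            return traceExit("isValidKeyStoreType (readonly) -> false", false);
        }
        if (requireJceks) {
            String storeType = getWSKeyStore().getProperty("com.ibm.ssl.keyStoreType");
            if (isBlank(storeType)) {
                storeType = getWSKeyStore().getProperty("com.ibm.ssl.trustStoreType");
            }
            if (storeType != null && !storeType.equals(Constants.KEYSTORE_TYPE_JCEKS)) {
                return traceExit("isValidKeyStoreType (not jceks) -> false", false);
            }
        }
        return traceExit("isValidKeyStoreType -> true", true);
    }

    // Emits an exit trace (when enabled) and passes the result through.
    private static boolean traceExit(String message, boolean result) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, message);
        }
        return result;
    }

    // Debug trace guarded by the trace level check.
    private static void debug(String message) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, message);
        }
    }

    // Null or empty string.
    private static boolean isBlank(String value) {
        return value == null || value.length() == 0;
    }

    // Rethrow helper: KeyExceptions pass through, everything else is wrapped with its cause preserved.
    private static KeyException asKeyException(Exception e) {
        if (e instanceof KeyException) {
            return (KeyException) e;
        }
        return new KeyException(e.getMessage(), e);
    }
}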
