package io.jans.as.model.crypto;

import com.google.common.collect.Lists;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.impl.ECDSA;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.RSAKeyFactory;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.fido.u2f.message.RawAuthenticateResponse;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.JWKParameter;
import io.jans.as.model.jwk.KeyOpsType;
import io.jans.as.model.jwk.KeySelectionStrategy;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.util.Base64Util;
import io.jans.as.model.util.CertUtils;
import io.jans.as.model.util.Util;
import io.jans.util.security.SecurityProviderUtility;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jcajce.interfaces.EdDSAPublicKey;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.json.JSONArray;
import org.json.JSONObject;

/* loaded from: input_file:io/jans/as/model/crypto/AuthCryptoProvider.class */
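/**
 * Keystore-backed {@link AbstractCryptoProvider}: generates signing/encryption key pairs,
 * wraps them in self-signed X.509 certificates, stores them in a JKS / PKCS12 / BCFKS file and
 * signs / verifies JWS inputs with them (HMAC algorithms use the shared secret passed by the
 * caller, not the keystore).
 * <p>
 * The keystore type is derived from the file extension and the active
 * {@link SecurityProviderUtility} security mode (see {@link #solveKeyStorageType()}).
 * If no keystore file or secret is configured, the provider is created "unbacked":
 * {@code keyStore} stays {@code null} and most key operations will fail.
 * <p>
 * NOTE(review): the keystore password is kept as an immutable {@code String} (and exposed by
 * {@link #getKeyStoreSecret()}), so it cannot be zeroed after use; changing that would change the
 * public interface, so it is only documented here.
 */
public class AuthCryptoProvider extends AbstractCryptoProvider {
    protected static final Logger LOG = Logger.getLogger(AuthCryptoProvider.class);
    private KeyStore keyStore;
    private String keyStoreFile;
    private String keyStoreSecret;
    private String dnName;
    /** When true, JWS inputs declaring {@code alg=none} are always rejected by {@link #verifySignature}. */
    private final boolean rejectNoneAlg;
    /** Picks one key among several matching candidates in {@link #getKeyId}; never null. */
    private final KeySelectionStrategy keySelectionStrategy;

    /*
     * Decompiler-generated switch-map holder. The switches below now use the enum constants
     * directly, so this class is no longer referenced; it is kept so the set of nested types of
     * the compiled class is unchanged.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.jans.as.model.crypto.AuthCryptoProvider$1, reason: invalid class name */
    /* loaded from: input_file:io/jans/as/model/crypto/AuthCryptoProvider$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$jans$util$security$SecurityProviderUtility$KeyStorageType;
        static final /* synthetic */ int[] $SwitchMap$io$jans$as$model$crypto$signature$AlgorithmFamily;
        static final /* synthetic */ int[] $SwitchMap$io$jans$util$security$SecurityProviderUtility$SecurityModeType = new int[SecurityProviderUtility.SecurityModeType.values().length];

        static {
            try {
                $SwitchMap$io$jans$util$security$SecurityProviderUtility$SecurityModeType[SecurityProviderUtility.SecurityModeType.BCFIPS_SECURITY_MODE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$jans$util$security$SecurityProviderUtility$SecurityModeType[SecurityProviderUtility.SecurityModeType.BCPROV_SECURITY_MODE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$io$jans$as$model$crypto$signature$AlgorithmFamily = new int[AlgorithmFamily.values().length];
            try {
                $SwitchMap$io$jans$as$model$crypto$signature$AlgorithmFamily[AlgorithmFamily.RSA.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$jans$as$model$crypto$signature$AlgorithmFamily[AlgorithmFamily.EC.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$jans$as$model$crypto$signature$AlgorithmFamily[AlgorithmFamily.ED.ordinal()] = 3;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$io$jans$util$security$SecurityProviderUtility$KeyStorageType = new int[SecurityProviderUtility.KeyStorageType.values().length];
            try {
                $SwitchMap$io$jans$util$security$SecurityProviderUtility$KeyStorageType[SecurityProviderUtility.KeyStorageType.JKS_KS.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$io$jans$util$security$SecurityProviderUtility$KeyStorageType[SecurityProviderUtility.KeyStorageType.PKCS12_KS.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$io$jans$util$security$SecurityProviderUtility$KeyStorageType[SecurityProviderUtility.KeyStorageType.BCFKS_KS.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    /**
     * Creates an unbacked provider (no keystore file, no secret, no DN).
     *
     * @throws KeyStoreException never in practice for this overload; declared for API compatibility
     */
    public AuthCryptoProvider() throws KeyStoreException {
        this(null, null, null);
    }

    /**
     * Creates a provider that accepts {@code alg=none} and uses the default key selection strategy.
     *
     * @param keyStoreFile   path of the keystore file (created if missing)
     * @param keyStoreSecret keystore / key password
     * @param dnName         X.500 name used as issuer and subject of generated certificates
     * @throws KeyStoreException if the keystore type is not available
     */
    public AuthCryptoProvider(String keyStoreFile, String keyStoreSecret, String dnName) throws KeyStoreException {
        this(keyStoreFile, keyStoreSecret, dnName, false);
    }

    /**
     * Creates a provider with the default key selection strategy.
     *
     * @param keyStoreFile   path of the keystore file (created if missing)
     * @param keyStoreSecret keystore / key password
     * @param dnName         X.500 name used as issuer and subject of generated certificates
     * @param rejectNoneAlg  whether {@code alg=none} JWS inputs are rejected on verification
     * @throws KeyStoreException if the keystore type is not available
     */
    public AuthCryptoProvider(String keyStoreFile, String keyStoreSecret, String dnName, boolean rejectNoneAlg) throws KeyStoreException {
        this(keyStoreFile, keyStoreSecret, dnName, rejectNoneAlg, AppConfiguration.DEFAULT_KEY_SELECTION_STRATEGY);
    }

    /**
     * Creates the provider and opens (or initialises) the keystore.
     * <p>
     * If either {@code keyStoreFile} or {@code keyStoreSecret} is empty the provider stays
     * unbacked. Otherwise the keystore type is resolved, a missing file is created empty, and
     * the file is loaded. Load failures are logged and swallowed (best effort, as before), so a
     * misconfigured keystore surfaces later as a failed key operation.
     *
     * @param keyStoreFile         path of the keystore file (created if missing)
     * @param keyStoreSecret       keystore / key password
     * @param dnName               X.500 name used as issuer and subject of generated certificates
     * @param rejectNoneAlg        whether {@code alg=none} JWS inputs are rejected on verification
     * @param keySelectionStrategy strategy used in {@link #getKeyId}; null falls back to the default
     * @throws KeyStoreException if the resolved keystore type is not available from the provider
     */
    public AuthCryptoProvider(String keyStoreFile, String keyStoreSecret, String dnName, boolean rejectNoneAlg, KeySelectionStrategy keySelectionStrategy) throws KeyStoreException {
        this.rejectNoneAlg = rejectNoneAlg;
        this.keySelectionStrategy = keySelectionStrategy != null ? keySelectionStrategy : AppConfiguration.DEFAULT_KEY_SELECTION_STRATEGY;
        if (Util.isNullOrEmpty(keyStoreFile) || Util.isNullOrEmpty(keyStoreSecret)) {
            // Unbacked provider: keyStore, keyStoreFile, keyStoreSecret and dnName stay null.
            return;
        }
        this.keyStoreFile = keyStoreFile;
        this.keyStoreSecret = keyStoreSecret;
        this.dnName = dnName;
        SecurityProviderUtility.KeyStorageType storageType = solveKeyStorageType();
        switch (storageType) {
            case JKS_KS:
                this.keyStore = KeyStore.getInstance("JKS");
                break;
            case PKCS12_KS:
                this.keyStore = KeyStore.getInstance("PKCS12", SecurityProviderUtility.getBCProvider());
                break;
            case BCFKS_KS:
                this.keyStore = KeyStore.getInstance("BCFKS", SecurityProviderUtility.getBCProvider());
                break;
            default:
                throw new KeyStoreException("Unsupported keystore type: " + storageType);
        }
        try {
            if (!new File(keyStoreFile).exists()) {
                // First start: initialise an empty keystore and persist it so load() has a file to read.
                this.keyStore.load(null, keyStoreSecret.toCharArray());
                store();
            }
            load();
            LOG.debug("Loaded keys from keystore.");
            LOG.debug("Security Mode: " + SecurityProviderUtility.getSecurityMode());
            LOG.debug("Keystore Type: " + storageType);
            LOG.trace("Loaded keys:" + getKeys());
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            LOG.error("Check type of keystorage. Expected keystorage type: '" + storageType + "'");
        }
    }

    /**
     * Persists the in-memory keystore to {@code keyStoreFile}, overwriting it.
     *
     * @throws IOException              on write failure
     * @throws KeyStoreException        if the keystore was not initialised
     * @throws NoSuchAlgorithmException if the integrity algorithm is unavailable
     * @throws CertificateException     if a stored certificate cannot be encoded
     */
    private void store() throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
        try (FileOutputStream out = new FileOutputStream(this.keyStoreFile)) {
            this.keyStore.store(out, this.keyStoreSecret.toCharArray());
        }
    }

    /**
     * (Re)loads the keystore from {@code keyStoreFile}, replacing the in-memory contents.
     *
     * @throws IOException              on read failure or wrong password / integrity check
     * @throws NoSuchAlgorithmException if the integrity algorithm is unavailable
     * @throws CertificateException     if a stored certificate cannot be decoded
     */
    public void load() throws IOException, NoSuchAlgorithmException, CertificateException {
        try (FileInputStream in = new FileInputStream(this.keyStoreFile)) {
            this.keyStore.load(in, this.keyStoreSecret.toCharArray());
            LOG.debug("Loaded keys from JKS.");
            LOG.trace("Loaded keys:" + getKeys());
        }
    }

    /** @return the keystore file path, or null for an unbacked provider */
    public String getKeyStoreFile() {
        return this.keyStoreFile;
    }

    /** @return the keystore password, or null for an unbacked provider */
    public String getKeyStoreSecret() {
        return this.keyStoreSecret;
    }

    /** @return the X.500 name used for generated certificates, or null for an unbacked provider */
    public String getDnName() {
        return this.dnName;
    }

    /**
     * Generates a key with the default RSA key length and {@link KeyOpsType#CONNECT}.
     *
     * @see #generateKey(Algorithm, Long, int, KeyOpsType)
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public JSONObject generateKey(Algorithm algorithm, Long expirationTime) throws CryptoProviderException {
        return generateKey(algorithm, expirationTime, RSAKeyFactory.DEF_KEYLENGTH);
    }

    /**
     * Generates a new key pair for {@code algorithm}, stores it in the keystore (replacing the
     * previous key with the same use/algorithm/keyOps), and returns its public JWK.
     *
     * @param algorithm      JWA algorithm; its {@link Use} decides between signature and encryption keys
     * @param expirationTime certificate / JWK expiration in epoch milliseconds
     * @param keyLength      RSA modulus size in bits (ignored for EC / EdDSA)
     * @param keyOpsType     key operations prefix for the generated kid; null means CONNECT
     * @return the public JWK, or null if the algorithm has neither SIGNATURE nor ENCRYPTION use
     * @throws IllegalArgumentException if {@code algorithm} is null
     * @throws CryptoProviderException  wrapping any key-generation, certificate or keystore error
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public JSONObject generateKey(Algorithm algorithm, Long expirationTime, int keyLength, KeyOpsType keyOpsType) throws CryptoProviderException {
        if (algorithm == null) {
            throw new IllegalArgumentException("The signature algorithm parameter cannot be null");
        }
        try {
            Use use = algorithm.getUse();
            if (use == Use.SIGNATURE) {
                return generateKeySignature(algorithm, expirationTime, keyLength, keyOpsType);
            }
            if (use == Use.ENCRYPTION) {
                return generateKeyEncryption(algorithm, expirationTime, keyLength, keyOpsType);
            }
            return null;
        } catch (IOException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | OperatorCreationException | CertificateException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Generates a key with {@link KeyOpsType#CONNECT}.
     *
     * @see #generateKey(Algorithm, Long, int, KeyOpsType)
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public JSONObject generateKey(Algorithm algorithm, Long expirationTime, int keyLength) throws CryptoProviderException {
        return generateKey(algorithm, expirationTime, keyLength, KeyOpsType.CONNECT);
    }

    /**
     * Builds the kid suffix {@code _<use>_<alg>} (lower-case, locale-independent) that
     * identifies which use/algorithm a keystore alias was generated for.
     */
    private static String getKidSuffix(Algorithm algorithm) {
        // Locale.ROOT: alias matching must not depend on the JVM default locale.
        return "_" + algorithm.getUse().getParamName().toLowerCase(Locale.ROOT)
                + "_" + algorithm.getParamName().toLowerCase(Locale.ROOT);
    }

    /**
     * Finds the previous keystore alias generated for the same algorithm and key-ops prefix,
     * i.e. the key that should be deleted once {@code newKid} has been stored.
     *
     * @param algorithm  algorithm of the newly generated key
     * @param newKid     alias of the newly generated key (excluded from the result)
     * @param keyOpsType key operations prefix the alias must start with
     * @return the first matching alias other than {@code newKid}, or null if none
     * @throws KeyStoreException if the keystore was not initialised
     */
    public String getAliasByAlgorithmForDeletion(Algorithm algorithm, String newKid, KeyOpsType keyOpsType) throws KeyStoreException {
        String suffix = getKidSuffix(algorithm);
        String prefix = keyOpsType.getValue();
        for (String alias : Collections.list(this.keyStore.aliases())) {
            if (!newKid.equals(alias) && alias.startsWith(prefix) && alias.endsWith(suffix)) {
                return alias;
            }
        }
        return null;
    }

    /**
     * @return true if a key entry with this alias is present and recoverable with the keystore
     *         secret; false for a blank alias or on any keystore error (logged)
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public boolean containsKey(String alias) {
        if (StringUtils.isBlank(alias)) {
            return false;
        }
        try {
            return this.keyStore.getKey(alias, this.keyStoreSecret.toCharArray()) != null;
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Signs a JWS signing input.
     * <ul>
     *   <li>{@code NONE}: returns the empty string.</li>
     *   <li>HMAC family: keyed with {@code sharedSecret} (UTF-8); {@code keyId} is ignored.</li>
     *   <li>RSA / EC / EdDSA: signs with the private key stored under {@code keyId}; EC signatures
     *       are transcoded from DER to the JWS R||S concatenation.</li>
     * </ul>
     *
     * @param signingInput       the JWS signing input (encoded header + "." + encoded payload)
     * @param keyId              keystore alias of the signing key (asymmetric algorithms only)
     * @param sharedSecret       HMAC secret (HMAC algorithms only)
     * @param signatureAlgorithm algorithm to sign with
     * @return base64url-encoded signature
     * @throws IllegalStateException   if no private key is stored under {@code keyId}
     * @throws CryptoProviderException wrapping key, algorithm, signature or transcoding errors
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public String sign(String signingInput, String keyId, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws CryptoProviderException {
        try {
            if (signatureAlgorithm == SignatureAlgorithm.NONE) {
                return "";
            }
            // JWS signing input is always UTF-8; never rely on the platform default charset.
            byte[] data = signingInput.getBytes(StandardCharsets.UTF_8);
            if (AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
                Mac mac = Mac.getInstance(signatureAlgorithm.getAlgorithm());
                mac.init(new SecretKeySpec(sharedSecret.getBytes(StandardCharsets.UTF_8), signatureAlgorithm.getAlgorithm()));
                return Base64Util.base64urlencode(mac.doFinal(data));
            }
            java.security.PrivateKey privateKey = getPrivateKey(keyId);
            if (privateKey == null) {
                String message = "Failed to find private key by kid: " + keyId + ", signatureAlgorithm: " + signatureAlgorithm + "(check whether web keys JSON in persistence corresponds to keystore file), keySelectionStrategy: " + this.keySelectionStrategy;
                LOG.error(message);
                throw new IllegalStateException(message);
            }
            Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), SecurityProviderUtility.getBCProvider());
            signature.initSign(privateKey);
            signature.update(data);
            byte[] signatureBytes = signature.sign();
            if (AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily())) {
                // JCA produces DER-encoded ECDSA signatures; JWS requires fixed-length R||S.
                signatureBytes = ECDSA.transcodeSignatureToConcat(signatureBytes, ECDSA.getSignatureByteArrayLength(signatureAlgorithm.getJwsAlgorithm()));
            }
            return Base64Util.base64urlencode(signatureBytes);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException | JOSEException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Verifies a JWS signature.
     * <ul>
     *   <li>{@code NONE}: rejected when {@code rejectNoneAlg} is set; otherwise valid only if the
     *       signature is empty.</li>
     *   <li>HMAC family: recomputes the MAC with {@code sharedSecret} and compares in constant time.</li>
     *   <li>RSA / EC / EdDSA: verifies with the public key resolved from {@code jwks} (if given)
     *       or from the keystore certificate under {@code keyId}.</li>
     * </ul>
     *
     * @param signingInput       the JWS signing input
     * @param encodedSignature   base64url-encoded signature to check
     * @param keyId              kid of the verification key
     * @param jwks               optional JWK set to resolve the public key from; null uses the keystore
     * @param sharedSecret       HMAC secret (HMAC algorithms only)
     * @param signatureAlgorithm algorithm the signature claims to use
     * @return true if the signature is valid
     * @throws CryptoProviderException propagated from {@link #sign} for HMAC algorithms
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public boolean verifySignature(String signingInput, String encodedSignature, String keyId, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws CryptoProviderException {
        if (this.rejectNoneAlg && signatureAlgorithm == SignatureAlgorithm.NONE) {
            LOG.trace("None algorithm is forbidden by `rejectJwtWithNoneAlg` property.");
            return false;
        }
        if (signatureAlgorithm == SignatureAlgorithm.NONE) {
            return Util.isNullOrEmpty(encodedSignature);
        }
        if (AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
            String expected = sign(signingInput, null, sharedSecret, signatureAlgorithm);
            // Constant-time comparison: String.equals short-circuits on the first differing byte.
            return encodedSignature != null
                    && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), encodedSignature.getBytes(StandardCharsets.UTF_8));
        }
        return verifySignatureEcEdRSA(signingInput, encodedSignature, keyId, jwks, signatureAlgorithm);
    }

    /**
     * Deletes the entry under {@code alias} and persists the keystore.
     *
     * @return always true on success
     * @throws CryptoProviderException wrapping keystore or I/O errors
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public boolean deleteKey(String alias) throws CryptoProviderException {
        try {
            this.keyStore.deleteEntry(alias);
            store();
            return true;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Returns the public key of the certificate stored under {@code alias}, running the
     * expiration check on it.
     *
     * @return the public key, or null for an empty alias, an unbacked provider or a missing certificate
     * @throws CryptoProviderException wrapping keystore errors
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public java.security.PublicKey getPublicKey(String alias) throws CryptoProviderException {
        if (Util.isNullOrEmpty(alias) || this.keyStore == null) {
            return null;
        }
        try {
            java.security.cert.Certificate certificate = this.keyStore.getCertificate(alias);
            if (certificate == null) {
                return null;
            }
            checkKeyExpiration(alias);
            return certificate.getPublicKey();
        } catch (KeyStoreException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Chooses the kid to use for {@code algorithm} among the JWKs that match the requested use and
     * key operations and that are also present in the keystore, using the configured
     * {@link KeySelectionStrategy}.
     *
     * @param jwks       published JWK set
     * @param algorithm  required algorithm; null or an HMAC algorithm yields null
     * @param use        required use; null matches any
     * @param keyOpsType required key operation; null matches any
     * @return the selected kid; if no matching JWK is backed by the keystore, the last matching
     *         JWK's kid (or null) is returned so the caller's error reports a meaningful kid
     * @throws CryptoProviderException wrapping keystore errors
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public String getKeyId(JSONWebKeySet jwks, Algorithm algorithm, Use use, KeyOpsType keyOpsType) throws CryptoProviderException {
        if (algorithm == null || AlgorithmFamily.HMAC.equals(algorithm.getFamily())) {
            return null;
        }
        try {
            List<JSONWebKey> keys = jwks.getKeys();
            if (LOG.isTraceEnabled()) {
                LOG.trace("WebKeys:" + keys.stream().map(JSONWebKey::getKid).collect(Collectors.toList()));
                LOG.trace("KeyStoreKeys:" + getKeys());
            }
            String lastMatchingKid = null;
            List<JSONWebKey> candidates = new ArrayList<>();
            for (JSONWebKey jwk : keys) {
                boolean keyOpsMatch = keyOpsType == null || jwk.getKeyOpsType() == null || jwk.getKeyOpsType().isEmpty() || jwk.getKeyOpsType().contains(keyOpsType);
                boolean useMatch = use == null || use == jwk.getUse();
                if (algorithm == jwk.getAlg() && useMatch && keyOpsMatch) {
                    lastMatchingKid = jwk.getKid();
                    // Only keys whose private part is in the keystore are usable.
                    if (this.keyStore.getKey(lastMatchingKid, this.keyStoreSecret.toCharArray()) != null) {
                        candidates.add(jwk);
                    }
                }
            }
            if (candidates.isEmpty()) {
                LOG.trace("kid is not in keystore, algorithm: " + algorithm + ", kid: " + lastMatchingKid + ", keyStorePath:" + this.keyStoreFile + ", keyOpsType: " + keyOpsType + ", use: " + use);
                return lastMatchingKid;
            }
            JSONWebKey selected = this.keySelectionStrategy.select(candidates);
            String kid = selected != null ? selected.getKid() : null;
            LOG.trace("Selected kid: " + kid + ", keySelection Strategy: " + this.keySelectionStrategy);
            return kid;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Returns the private key stored under {@code alias}, running the expiration check on it.
     *
     * @return the private key, or null for an empty alias, a missing entry or a non-private-key entry
     * @throws CryptoProviderException wrapping keystore errors
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public java.security.PrivateKey getPrivateKey(String alias) throws CryptoProviderException {
        if (Util.isNullOrEmpty(alias)) {
            return null;
        }
        try {
            java.security.Key key = this.keyStore.getKey(alias, this.keyStoreSecret.toCharArray());
            if (!(key instanceof java.security.PrivateKey)) {
                if (key != null) {
                    LOG.warn("Keystore entry '" + alias + "' is not a private key: " + key.getClass().getName());
                }
                return null;
            }
            checkKeyExpiration(alias);
            return (java.security.PrivateKey) key;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new CryptoProviderException(e);
        }
    }

    /**
     * Creates a self-signed X.509 v3 certificate for {@code keyPair} with a random 256-bit serial,
     * a not-before of 10 seconds ago (clock-skew tolerance), and an Extended Key Usage of
     * serverAuth + clientAuth + anyExtendedKeyUsage.
     *
     * @param keyPair            key pair to certify; the private key signs the certificate
     * @param dn                 X.500 name used as both issuer and subject
     * @param signatureAlgorithm JCA signature algorithm name for the certificate signature
     * @param expirationTime     not-after in epoch milliseconds
     * @return the certificate, converted with the Bouncy Castle provider
     * @throws CertIOException           if the extension cannot be added
     * @throws OperatorCreationException if the content signer cannot be built
     * @throws CertificateException      if the certificate cannot be converted
     */
    public X509Certificate generateV3Certificate(KeyPair keyPair, String dn, String signatureAlgorithm, Long expirationTime) throws CertIOException, OperatorCreationException, CertificateException {
        X500Name name = new X500Name(dn);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name,
                new BigInteger(256, new SecureRandom()),
                new Date(System.currentTimeMillis() - 10000),
                new Date(expirationTime.longValue()),
                name,
                keyPair.getPublic());
        ASN1EncodableVector keyPurposes = new ASN1EncodableVector();
        keyPurposes.add(KeyPurposeId.id_kp_serverAuth);
        keyPurposes.add(KeyPurposeId.id_kp_clientAuth);
        keyPurposes.add(KeyPurposeId.anyExtendedKeyUsage);
        // 2.5.29.37 is id-ce-extKeyUsage; marked non-critical.
        builder.addExtension(new ASN1ObjectIdentifier("2.5.29.37").intern(), false, new DERSequence(keyPurposes));
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(SecurityProviderUtility.getBCProvider());
        return new JcaX509CertificateConverter()
                .setProvider(SecurityProviderUtility.getBCProvider())
                .getCertificate(builder.build(signerBuilder.build(keyPair.getPrivate())));
    }

    /**
     * @return all keystore aliases; an empty, mutable list on keystore error (logged)
     */
    @Override // io.jans.as.model.crypto.AbstractCryptoProvider
    public List<String> getKeys() {
        try {
            return Collections.list(this.keyStore.aliases());
        } catch (KeyStoreException e) {
            LOG.error(e.getMessage(), e);
            return new ArrayList<>();
        }
    }

    /**
     * Derives the signature algorithm from the first certificate of the chain stored under {@code alias}.
     *
     * @return the algorithm, or null if no chain is stored
     * @throws KeyStoreException if the keystore was not initialised
     */
    public SignatureAlgorithm getSignatureAlgorithm(String alias) throws KeyStoreException {
        java.security.cert.Certificate[] chain = this.keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return null;
        }
        return CertUtils.getSignatureAlgorithm((X509Certificate) chain[0]);
    }

    /**
     * Runs the inherited expiration check against the not-after date of the certificate stored
     * under {@code alias}. A missing or non-X.509 certificate is logged and skipped; keystore
     * errors are logged rather than thrown.
     */
    private void checkKeyExpiration(String alias) {
        try {
            java.security.cert.Certificate certificate = this.keyStore.getCertificate(alias);
            if (certificate instanceof X509Certificate) {
                checkKeyExpiration(alias, Long.valueOf(((X509Certificate) certificate).getNotAfter().getTime()));
            } else {
                LOG.warn("No X.509 certificate stored under alias '" + alias + "', expiration check skipped");
            }
        } catch (KeyStoreException e) {
            LOG.error(e.getMessage(), e);
        }
    }

    /** @return the backing keystore, or null for an unbacked provider */
    public KeyStore getKeyStore() {
        return this.keyStore;
    }

    /**
     * Generates a signing key pair for {@code algorithm}. Unknown algorithm names fall back to
     * ES384. RSA uses {@code keyLength} bits; EC uses the algorithm's curve; EdDSA requires
     * BCPROV mode.
     *
     * @throws InvalidParameterException if an EdDSA key is requested outside BCPROV mode
     * @throws IllegalStateException     if the algorithm family is not RSA, EC or ED
     */
    private JSONObject generateKeySignature(Algorithm algorithm, Long expirationTime, int keyLength, KeyOpsType keyOpsType) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, OperatorCreationException, CertificateException, KeyStoreException, IOException {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(algorithm.getParamName());
        if (signatureAlgorithm == null) {
            algorithm = Algorithm.ES384;
            signatureAlgorithm = SignatureAlgorithm.ES384;
        }
        AlgorithmFamily family = algorithm.getFamily();
        KeyPairGenerator generator;
        switch (family) {
            case RSA:
                generator = KeyPairGenerator.getInstance(family.toString(), SecurityProviderUtility.getBCProvider());
                generator.initialize(keyLength, new SecureRandom());
                break;
            case EC:
                generator = KeyPairGenerator.getInstance(family.toString(), SecurityProviderUtility.getBCProvider());
                generator.initialize(new ECGenParameterSpec(signatureAlgorithm.getCurve().getAlias()), new SecureRandom());
                break;
            case ED:
                if (!SecurityProviderUtility.isBcProvMode()) {
                    throw new InvalidParameterException("Wrong CryptoProvider Mode. EdDSA can be used, when BCPROV mode is initialized");
                }
                generator = KeyPairGenerator.getInstance(signatureAlgorithm.getName(), SecurityProviderUtility.getBCProvider());
                generator.initialize((AlgorithmParameterSpec) new EdDSAParameterSpec(signatureAlgorithm.getCurve().getAlias()), new SecureRandom());
                break;
            default:
                throw new IllegalStateException("The provided signature algorithm parameter is not supported: algorithmFamily = " + family);
        }
        return getJson(algorithm, generator, signatureAlgorithm.getAlgorithm(), expirationTime, keyOpsType);
    }

    /**
     * Generates an encryption key pair for {@code algorithm}. Unknown algorithm names fall back to
     * RSA1_5 (with the JWK labelled RS256, as before). The self-signed certificate is signed with
     * SHA256withRSA or SHA256withECDSA according to the family.
     *
     * @throws IllegalStateException if the algorithm family is not RSA or EC
     */
    private JSONObject generateKeyEncryption(Algorithm algorithm, Long expirationTime, int keyLength, KeyOpsType keyOpsType) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, OperatorCreationException, CertificateException, KeyStoreException, IOException {
        KeyEncryptionAlgorithm encryptionAlgorithm = KeyEncryptionAlgorithm.fromName(algorithm.getParamName());
        if (encryptionAlgorithm == null) {
            algorithm = Algorithm.RS256;
            encryptionAlgorithm = KeyEncryptionAlgorithm.RSA1_5;
        }
        AlgorithmFamily family = algorithm.getFamily();
        KeyPairGenerator generator;
        String certSignatureAlgorithm;
        switch (family) {
            case RSA:
                generator = KeyPairGenerator.getInstance(family.toString(), SecurityProviderUtility.getBCProvider());
                generator.initialize(keyLength, new SecureRandom());
                certSignatureAlgorithm = SignatureAlgorithm.DEF_SHA256WITHRSA;
                break;
            case EC:
                generator = KeyPairGenerator.getInstance(family.toString(), SecurityProviderUtility.getBCProvider());
                generator.initialize(new ECGenParameterSpec(encryptionAlgorithm.getCurve().getAlias()), new SecureRandom());
                certSignatureAlgorithm = SignatureAlgorithm.DEF_SHA256WITHECDSA;
                break;
            default:
                throw new IllegalStateException("The provided key encryption algorithm parameter is not supported: algorithmFamily = " + family);
        }
        return getJson(algorithm, generator, certSignatureAlgorithm, expirationTime, keyOpsType);
    }

    /**
     * Builds a fresh kid: {@code <keyOps>_<random UUID>_<use>_<alg>}; a null keyOps means CONNECT.
     */
    private String getKid(Algorithm algorithm, KeyOpsType keyOpsType) {
        KeyOpsType prefix = keyOpsType == null ? KeyOpsType.CONNECT : keyOpsType;
        return prefix.getValue() + "_" + UUID.randomUUID().toString() + getKidSuffix(algorithm);
    }

    /**
     * Generates the key pair, certifies it, stores it under a new kid (deleting the previous key
     * for the same algorithm / keyOps), persists the keystore and returns the public JWK.
     * <p>
     * The JWK carries the algorithm fields, {@code kid}, {@code exp}, the RSA (n, e) or EC
     * (crv, x, y) public parameters, and {@code x5c} with the self-signed certificate.
     * For EdDSA (BCPROV mode only) {@code crv} and {@code x} are set.
     * NOTE(review): for EdDSA, {@code x} is filled with {@code getEncoded()}, i.e. the DER
     * SubjectPublicKeyInfo rather than the raw curve point; behaviour kept, confirm against consumers.
     *
     * @param algorithm              JWA algorithm (its use decides which curve lookup is used)
     * @param keyPairGenerator       initialised generator
     * @param certSignatureAlgorithm JCA algorithm name used to sign the certificate
     * @param expirationTime         certificate / JWK expiration in epoch milliseconds
     * @param keyOpsType             key operations prefix of the kid
     * @return the public JWK
     */
    private JSONObject getJson(Algorithm algorithm, KeyPairGenerator keyPairGenerator, String certSignatureAlgorithm, Long expirationTime, KeyOpsType keyOpsType) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException, KeyStoreException, IOException {
        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        X509Certificate certificate = generateV3Certificate(keyPair, this.dnName, certSignatureAlgorithm, expirationTime);
        String kid = getKid(algorithm, keyOpsType);
        this.keyStore.setKeyEntry(kid, keyPair.getPrivate(), this.keyStoreSecret.toCharArray(), new X509Certificate[]{certificate});
        // Key rotation: only one key per keyOps/use/algorithm is kept in the keystore.
        String previousAlias = getAliasByAlgorithmForDeletion(algorithm, kid, keyOpsType);
        if (StringUtils.isNotBlank(previousAlias)) {
            this.keyStore.deleteEntry(previousAlias);
            LOG.trace("New key: " + kid + ", deleted key: " + previousAlias);
        }
        store();

        java.security.PublicKey publicKey = keyPair.getPublic();
        Use use = algorithm.getUse();
        JSONObject jwk = new JSONObject();
        algorithm.fill(jwk);
        jwk.put("kid", kid);
        jwk.put("exp", expirationTime);
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
            jwk.put(JWKParameter.MODULUS, Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getModulus()));
            jwk.put(JWKParameter.EXPONENT, Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getPublicExponent()));
        } else if (publicKey instanceof ECPublicKey) {
            ECPublicKey ecPublicKey = (ECPublicKey) publicKey;
            if (use == Use.SIGNATURE) {
                jwk.put(JWKParameter.CURVE, SignatureAlgorithm.fromString(algorithm.getParamName()).getCurve().getName());
            } else if (use == Use.ENCRYPTION) {
                jwk.put(JWKParameter.CURVE, KeyEncryptionAlgorithm.fromName(algorithm.getParamName()).getCurve().getName());
            }
            jwk.put(JWKParameter.X, Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineX()));
            jwk.put(JWKParameter.Y, Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineY()));
        }
        if (SecurityProviderUtility.isBcProvMode() && use == Use.SIGNATURE && (publicKey instanceof EdDSAPublicKey)) {
            jwk.put(JWKParameter.CURVE, SignatureAlgorithm.fromString(algorithm.getParamName()).getCurve().getName());
            jwk.put(JWKParameter.X, Base64Util.base64urlencode(publicKey.getEncoded()));
        }
        JSONArray certificateChain = new JSONArray();
        certificateChain.put(Base64.encodeBase64String(certificate.getEncoded()));
        jwk.put(JWKParameter.CERTIFICATE_CHAIN, certificateChain);
        return jwk;
    }

    /**
     * Resolves the public key (from {@code jwks} when given, else from the keystore) and verifies.
     *
     * @return false if no public key is found or on any error (logged)
     */
    private boolean verifySignatureEcEdRSA(String signingInput, String encodedSignature, String keyId, JSONObject jwks, SignatureAlgorithm signatureAlgorithm) {
        try {
            java.security.PublicKey publicKey = jwks == null
                    ? getPublicKey(keyId)
                    : getPublicKey(keyId, jwks, signatureAlgorithm.getAlg());
            if (publicKey == null) {
                return false;
            }
            return verifySignatureEcEdRSA(signingInput, encodedSignature, signatureAlgorithm, publicKey);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Verifies an RSA / EC / EdDSA signature with {@code publicKey}. EC signatures are expected in
     * JWS R||S form and transcoded to DER first; if the DER form is rejected the raw bytes are
     * tried once as a fallback (for signatures that were already DER).
     *
     * @throws JOSEException            if the EC signature cannot be transcoded
     * @throws SignatureException       if neither form can be verified
     */
    private boolean verifySignatureEcEdRSA(String signingInput, String encodedSignature, SignatureAlgorithm signatureAlgorithm, java.security.PublicKey publicKey) throws JOSEException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
        byte[] rawSignature = Base64Util.base64urldecode(encodedSignature);
        byte[] candidate = rawSignature;
        if (AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily())) {
            candidate = ECDSA.transcodeSignatureToDER(candidate);
        }
        byte[] data = signingInput.getBytes(StandardCharsets.UTF_8);
        Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), SecurityProviderUtility.getBCProvider());
        signature.initVerify(publicKey);
        signature.update(data);
        try {
            return signature.verify(candidate);
        } catch (SignatureException e) {
            if (candidate == rawSignature) {
                throw e;
            }
            // verify() resets the Signature object, so the message must be fed again before the retry.
            signature.initVerify(publicKey);
            signature.update(data);
            return signature.verify(rawSignature);
        }
    }

    /**
     * Picks the keystore type: the one matching the file extension if the active security mode
     * supports it, otherwise the mode's default (BCFKS for BCFIPS, PKCS12 for BCPROV).
     *
     * @throws InvalidParameterException if the security mode has not been initialised
     */
    private SecurityProviderUtility.KeyStorageType solveKeyStorageType() {
        SecurityProviderUtility.SecurityModeType securityMode = SecurityProviderUtility.getSecurityMode();
        if (securityMode == null) {
            throw new InvalidParameterException("Security Mode wasn't initialized. Call installBCProvider() before");
        }
        SecurityProviderUtility.KeyStorageType fromExtension = SecurityProviderUtility.KeyStorageType.fromExtension(FilenameUtils.getExtension(this.keyStoreFile));
        for (SecurityProviderUtility.KeyStorageType supported : securityMode.getKeystorageTypes()) {
            if (supported == fromExtension) {
                return fromExtension;
            }
        }
        switch (securityMode) {
            case BCFIPS_SECURITY_MODE:
                return SecurityProviderUtility.KeyStorageType.BCFKS_KS;
            case BCPROV_SECURITY_MODE:
                return SecurityProviderUtility.KeyStorageType.PKCS12_KS;
            default:
                return fromExtension;
        }
    }
}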
