package org.keycloak.crypto.fips;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.spec.ECField;
import java.security.spec.ECFieldF2m;
import java.security.spec.ECFieldFp;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.EllipticCurve;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.crypto.fips.FipsRSA;
import org.bouncycastle.crypto.fips.FipsSHS;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.bouncycastle.jsse.util.CustomSSLSocketFactory;
import org.bouncycastle.math.ec.ECCurve;
import org.bouncycastle.util.IPAddress;
import org.jboss.logging.Logger;
import org.keycloak.common.crypto.CertificateUtilsProvider;
import org.keycloak.common.crypto.CryptoProvider;
import org.keycloak.common.crypto.ECDSACryptoProvider;
import org.keycloak.common.crypto.PemUtilsProvider;
import org.keycloak.common.crypto.UserIdentityExtractorProvider;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.crypto.JavaAlgorithm;

/* loaded from: input_file:org/keycloak/crypto/fips/FIPS1402Provider.class */
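/**
 * {@link CryptoProvider} backed by the BouncyCastle FIPS provider ({@code BCFIPS}) and the BouncyCastle
 * JSSE provider running in FIPS mode.
 *
 * <p>Constructing an instance has JVM-wide side effects: it installs {@code KeycloakFipsSecurityProvider}
 * at position 1 of the {@link Security} provider list and, unless a provider named {@code BCFIPS} is
 * already registered, the BCFIPS provider at position 2 and the BCJSSE provider at position 3 (see the
 * constructor). Every JCA/JCE factory this class hands out is resolved through
 * {@link BouncyIntegration#PROVIDER}.
 *
 * <p>The JWE algorithm map is populated once in the constructor and never modified afterwards.
 */
public class FIPS1402Provider implements CryptoProvider {
    private static final Logger log = Logger.getLogger(FIPS1402Provider.class);

    /** Name under which the BouncyCastle FIPS provider registers itself. */
    private static final String BCFIPS_PROVIDER_NAME = "BCFIPS";

    /** Security property listing the algorithms {@link SecureRandom#getInstanceStrong()} may return. */
    private static final String STRONG_ALGORITHMS_PROPERTY = "securerandom.strongAlgorithms";

    private final BouncyCastleFipsProvider bcFipsProvider;

    /** JWE key-management algorithm name (e.g. {@code "RSA-OAEP"}) to its provider object; read by {@link #getAlgorithmProvider}. */
    private final Map<String, Object> providers = new ConcurrentHashMap<>();

    /**
     * {@link SSLSocketFactory} wrapper that sets the SNI server name of every {@link SSLSocket} it hands
     * out to the host the socket was asked to connect to. IP literals get no SNI entry.
     *
     * <p>Holds no reference to the enclosing {@code FIPS1402Provider}; it only uses its static logger.
     */
    static class AnonymousClass1 extends CustomSSLSocketFactory {
        AnonymousClass1(SSLSocketFactory delegate) {
            super(delegate);
        }

        /**
         * Creates an unconnected socket. For SSL sockets the target host is only known at
         * {@code connect()} time, so the returned socket applies the SNI name right before connecting.
         */
        @Override
        public Socket createSocket() throws IOException {
            Socket raw = this.delegate.createSocket();
            if (!(raw instanceof SSLSocket)) {
                return raw;
            }
            return new AbstractDelegatingSSLSocket((SSLSocket) raw) {
                @Override
                public void connect(SocketAddress endpoint) throws IOException {
                    FIPS1402Provider.log.tracef("Calling connect(%s)", endpoint);
                    applySni(endpoint);
                    super.connect(endpoint);
                }

                @Override
                public void connect(SocketAddress endpoint, int timeout) throws IOException {
                    FIPS1402Provider.log.tracef("Calling connect(%s, %d)", endpoint, timeout);
                    applySni(endponi(endpoint));
                    super.connect(endpoint, timeout);
                }

                // Only InetSocketAddress carries a host name; other address types are connected untouched.
                // NOTE(review): getHostName() may trigger a reverse lookup when the address was built from an IP.
                private void applySni(SocketAddress endpoint) {
                    if (endpoint instanceof InetSocketAddress) {
                        AnonymousClass1.this.configureSocket(getDelegate(), ((InetSocketAddress) endpoint).getHostName());
                    }
                }

                private SocketAddress endponi(SocketAddress endpoint) {
                    return endpoint;
                }
            };
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
            return configureSocket(this.delegate.createSocket(host, port), host);
        }

        @Override
        public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException, UnknownHostException {
            return configureSocket(this.delegate.createSocket(host, port, localAddress, localPort), host);
        }

        /**
         * Hook for sockets the delegate returns already connected: derives the SNI name from the
         * remote address of the socket.
         *
         * @throws IllegalArgumentException if an SSL socket has no remote address yet
         */
        @Override
        protected Socket configureSocket(Socket socket) {
            if (socket instanceof SSLSocket) {
                InetAddress remote = socket.getInetAddress();
                if (remote == null) {
                    throw new IllegalArgumentException("Socket not connected before trying to configure SSL Hostname");
                }
                // NOTE(review): getHostName() may perform a reverse DNS lookup here.
                configureSocket(socket, remote.getHostName());
            }
            return socket;
        }

        /**
         * Sets {@code host} as the single SNI server name on {@code socket} when it is an SSL socket and
         * the host is a valid DNS name. Any server-name list already present on the socket is replaced.
         *
         * @return the same socket, possibly with updated SSL parameters
         */
        private Socket configureSocket(Socket socket, String host) {
            if (!(socket instanceof SSLSocket)) {
                return socket;
            }
            SSLSocket sslSocket = (SSLSocket) socket;
            SNIHostName sni = getSNIHostName(host);
            FIPS1402Provider.log.tracef("Configuration of SSL Socket - using sniHostname '%s' for the socket host '%s'", sni, host);
            if (sni != null) {
                SSLParameters parameters = sslSocket.getSSLParameters();
                if (parameters == null) {
                    parameters = new SSLParameters();
                }
                parameters.setServerNames(Collections.singletonList(sni));
                sslSocket.setSSLParameters(parameters);
            }
            return socket;
        }

        /**
         * @return the SNI name for {@code host}, or {@code null} for IP literals (SNI carries DNS names
         *         only) and for values {@link SNIHostName} rejects, which are logged and skipped
         */
        private SNIHostName getSNIHostName(String host) {
            if (IPAddress.isValid(host)) {
                return null;
            }
            try {
                return new SNIHostName(host);
            } catch (RuntimeException e) {
                FIPS1402Provider.log.warnf(e, "Not possible to create SNIHostName from the host '%s'", host);
                return null;
            }
        }
    }

    /**
     * Creates the provider and installs the security providers it depends on.
     *
     * <p>{@code KeycloakFipsSecurityProvider} is always inserted at position 1. If a provider named
     * {@code BCFIPS} is already registered it is reused and nothing else is installed; otherwise the
     * BCFIPS provider is inserted at position 2 (guarded by {@link #checkSecureRandom}) and a BCJSSE
     * provider configured as {@code fips:BCFIPS} at position 3, after which the default
     * {@code KeyManagerFactory}/{@code TrustManagerFactory} algorithms are aligned with what BCJSSE offers.
     *
     * @throws ClassCastException if the already-installed {@code BCFIPS} provider is not a {@link BouncyCastleFipsProvider}
     * @throws IllegalStateException if the BCFIPS SecureRandom or the BCJSSE TLS factories cannot be set up
     */
    public FIPS1402Provider() {
        Provider installed = Security.getProvider(BCFIPS_PROVIDER_NAME);
        this.bcFipsProvider = installed == null ? new BouncyCastleFipsProvider() : (BouncyCastleFipsProvider) installed;
        registerJweAlgorithmProviders();
        Security.insertProviderAt(new KeycloakFipsSecurityProvider(this.bcFipsProvider), 1);
        if (installed != null) {
            log.debugf("Security provider %s already loaded", installed.getName());
            return;
        }
        checkSecureRandom(() -> Security.insertProviderAt(this.bcFipsProvider, 2));
        BouncyCastleJsseProvider jsseProvider = new BouncyCastleJsseProvider("fips:BCFIPS");
        Security.insertProviderAt(jsseProvider, 3);
        modifyKeyTrustManagerSecurityProperties(jsseProvider);
        log.debugf("Inserted security providers: %s", Arrays.asList(this.bcFipsProvider.getName(), jsseProvider.getName()));
    }

    /** Fills {@link #providers} with the JWE key-management algorithms implemented on top of BCFIPS. */
    private void registerJweAlgorithmProviders() {
        providers.put("A128KW", new FIPSAesKeyWrapAlgorithmProvider());
        providers.put("RSA1_5", new FIPSRsaKeyEncryptionJWEAlgorithmProvider(FipsRSA.WRAP_PKCS1v1_5));
        providers.put("RSA-OAEP", new FIPSRsaKeyEncryptionJWEAlgorithmProvider(FipsRSA.WRAP_OAEP));
        providers.put("RSA-OAEP-256", new FIPSRsaKeyEncryptionJWEAlgorithmProvider(FipsRSA.WRAP_OAEP.withDigest(FipsSHS.Algorithm.SHA256)));
    }

    /** @return the BCFIPS provider this instance uses (the pre-installed one or the one it created) */
    @Override
    public Provider getBouncyCastleProvider() {
        return this.bcFipsProvider;
    }

    /**
     * Looks up the JWE algorithm provider registered under {@code algorithm}.
     *
     * @param clazz type the provider is cast to
     * @param algorithm JWE algorithm name, e.g. {@code "RSA-OAEP-256"}
     * @throws IllegalArgumentException if no provider is registered for the name
     * @throws ClassCastException if the registered provider is not a {@code clazz}
     */
    @Override
    public <T> T getAlgorithmProvider(Class<T> clazz, String algorithm) {
        Object found = providers.get(algorithm);
        if (found == null) {
            throw new IllegalArgumentException("Not found provider of algorithm: " + algorithm);
        }
        return clazz.cast(found);
    }

    @Override
    public CertificateUtilsProvider getCertificateUtils() {
        return new BCFIPSCertificateUtilsProvider();
    }

    @Override
    public PemUtilsProvider getPemUtils() {
        return new BCFIPSPemUtilsProvider();
    }

    /**
     * Builds a JCA {@link ECParameterSpec} for a BouncyCastle named curve.
     *
     * @param curveName a curve name known to {@link ECNamedCurveTable}
     * @throws IllegalArgumentException if the name is unknown or the curve is neither prime-field nor binary-field
     */
    @Override
    public ECParameterSpec createECParams(String curveName) {
        X9ECParameters params = ECNamedCurveTable.getByName(curveName);
        if (params == null) {
            throw new IllegalArgumentException("Unknown curve: " + curveName);
        }
        ECCurve curve = params.getCurve();
        ECField field;
        if (curve instanceof ECCurve.F2m) {
            ECCurve.F2m binary = (ECCurve.F2m) curve;
            field = new ECFieldF2m(binary.getM(), reductionPolynomialTerms(binary));
        } else if (curve instanceof ECCurve.Fp) {
            field = new ECFieldFp(((ECCurve.Fp) curve).getQ());
        } else {
            throw new IllegalArgumentException("Unsupported curve");
        }
        EllipticCurve jcaCurve = new EllipticCurve(field, curve.getA().toBigInteger(), curve.getB().toBigInteger(), params.getSeed());
        ECPoint generator = new ECPoint(params.getG().getXCoord().toBigInteger(), params.getG().getYCoord().toBigInteger());
        return new ECParameterSpec(jcaCurve, generator, params.getN(), params.getH().intValue());
    }

    /**
     * Middle terms of the binary curve's reduction polynomial in the form {@link ECFieldF2m} accepts:
     * exactly one term for a trinomial basis (a zero {@code k2}/{@code k3} is taken to mean "absent")
     * and the three terms of a pentanomial basis in descending order. Passing all three values
     * unsorted, with zeros, makes the {@code ECFieldF2m} constructor reject the field.
     */
    private static int[] reductionPolynomialTerms(ECCurve.F2m curve) {
        int k1 = curve.getK1();
        int k2 = curve.getK2();
        int k3 = curve.getK3();
        if (k2 == 0 && k3 == 0) {
            return new int[]{k1};
        }
        int[] terms = {k1, k2, k3};
        Arrays.sort(terms);
        return new int[]{terms[2], terms[1], terms[0]};
    }

    @Override
    public UserIdentityExtractorProvider getIdentityExtractorProvider() {
        return new BCFIPSUserIdentityExtractorProvider();
    }

    @Override
    public ECDSACryptoProvider getEcdsaCryptoProvider() {
        return new BCFIPSECDSACryptoProvider();
    }

    /** @throws ClassCastException if {@code clazz} is not a supertype of {@code BCFIPSOCSPProvider} */
    @Override
    public <T> T getOCSPProver(Class<T> clazz) {
        return clazz.cast(new BCFIPSOCSPProvider());
    }

    @Override
    public KeyPairGenerator getKeyPairGen(String algorithm) throws NoSuchAlgorithmException, NoSuchProviderException {
        return KeyPairGenerator.getInstance(algorithm, BouncyIntegration.PROVIDER);
    }

    @Override
    public KeyFactory getKeyFactory(String algorithm) throws NoSuchAlgorithmException, NoSuchProviderException {
        return KeyFactory.getInstance(algorithm, BouncyIntegration.PROVIDER);
    }

    /** AES-CBC with PKCS#7 padding (the padding name BouncyCastle uses; the JDK calls it PKCS5Padding). */
    @Override
    public Cipher getAesCbcCipher() throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException {
        return Cipher.getInstance("AES/CBC/PKCS7Padding", BouncyIntegration.PROVIDER);
    }

    @Override
    public Cipher getAesGcmCipher() throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException {
        return Cipher.getInstance("AES/GCM/NoPadding", BouncyIntegration.PROVIDER);
    }

    @Override
    public SecretKeyFactory getSecretKeyFact(String algorithm) throws NoSuchAlgorithmException, NoSuchProviderException {
        return SecretKeyFactory.getInstance(algorithm, BouncyIntegration.PROVIDER);
    }

    /** @param format keystore type; its {@code toString()} is used as the JCA keystore type name */
    @Override
    public KeyStore getKeyStore(KeystoreUtil.KeystoreFormat format) throws KeyStoreException, NoSuchProviderException {
        return KeyStore.getInstance(format.toString(), BouncyIntegration.PROVIDER);
    }

    @Override
    public CertificateFactory getX509CertFactory() throws CertificateException, NoSuchProviderException {
        return CertificateFactory.getInstance("X.509", BouncyIntegration.PROVIDER);
    }

    @Override
    public CertStore getCertStore(CollectionCertStoreParameters parameters) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
        return CertStore.getInstance("Collection", parameters, BouncyIntegration.PROVIDER);
    }

    @Override
    public CertPathBuilder getCertPathBuilder() throws NoSuchAlgorithmException, NoSuchProviderException {
        return CertPathBuilder.getInstance("PKIX", BouncyIntegration.PROVIDER);
    }

    /** @param algorithm Keycloak algorithm name; translated to its JCA name via {@link JavaAlgorithm#getJavaAlgorithm} */
    @Override
    public Signature getSignature(String algorithm) throws NoSuchAlgorithmException, NoSuchProviderException {
        return Signature.getInstance(JavaAlgorithm.getJavaAlgorithm(algorithm), BouncyIntegration.PROVIDER);
    }

    /** Wraps {@code factory} so that sockets it creates send the connect target as SNI server name. */
    @Override
    public SSLSocketFactory wrapFactoryForTruststore(SSLSocketFactory factory) {
        return new AnonymousClass1(factory);
    }

    /**
     * Runs {@code registerProvider} only after making sure a strong {@link SecureRandom} is obtainable.
     *
     * <p>If {@link SecureRandom#getInstanceStrong()} fails (the {@code securerandom.strongAlgorithms}
     * entries are not available), the default {@link SecureRandom} algorithm is temporarily prepended
     * to that property so the BCFIPS provider can initialise its {@code DEFAULT} SecureRandom while it is
     * registered. The previous property value is restored in every case before this method returns or
     * throws; while the override is in place, other callers of {@code getInstanceStrong()} in this JVM
     * may receive the non-strong fallback.
     *
     * @throws IllegalStateException if the BCFIPS {@code DEFAULT} SecureRandom cannot be obtained after the fallback
     */
    private void checkSecureRandom(Runnable registerProvider) {
        try {
            SecureRandom strong = SecureRandom.getInstanceStrong();
            log.debugf("Strong secure random available. Algorithm: %s, Provider: %s", strong.getAlgorithm(), strong.getProvider());
            registerProvider.run();
        } catch (NoSuchAlgorithmException strongUnavailable) {
            SecureRandom fallback = new SecureRandom();
            String previous = Security.getProperty(STRONG_ALGORITHMS_PROPERTY);
            String fallbackEntry = fallback.getAlgorithm() + ":" + fallback.getProvider().getName();
            log.debugf("Strong secure random not available. Tried algorithms: %s. Using algorithm as a fallback for strong secure random: %s", previous, fallbackEntry);
            Security.setProperty(STRONG_ALGORITHMS_PROPERTY, previous == null ? fallbackEntry : fallbackEntry + "," + previous);
            try {
                registerProvider.run();
                SecureRandom.getInstance("DEFAULT", BCFIPS_PROVIDER_NAME);
                log.debug("Initialized BCFIPS secured random");
            } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
                throw new IllegalStateException("Not possible to initiate BCFIPS secure random", e);
            } finally {
                // The property cannot be set back to null, so a previously unset value is restored as empty.
                Security.setProperty(STRONG_ALGORITHMS_PROPERTY, previous != null ? previous : "");
            }
        }
    }

    /**
     * Points {@code ssl.KeyManagerFactory.algorithm} / {@code ssl.TrustManagerFactory.algorithm} at an
     * algorithm {@code provider} actually offers whenever it lacks the JVM's current default one, so
     * that {@code KeyManagerFactory.getDefaultAlgorithm()} keeps working once BCJSSE is installed.
     * The first service of the matching type in {@link Provider#getServices()} wins.
     *
     * @throws IllegalStateException if a needed factory type is not offered by {@code provider} at all
     */
    private static void modifyKeyTrustManagerSecurityProperties(Provider provider) {
        String kmfType = KeyManagerFactory.class.getSimpleName();
        String tmfType = TrustManagerFactory.class.getSimpleName();
        boolean needKmf = provider.getService(kmfType, KeyManagerFactory.getDefaultAlgorithm()) == null;
        boolean needTmf = provider.getService(tmfType, TrustManagerFactory.getDefaultAlgorithm()) == null;
        if (!needKmf && !needTmf) {
            return;
        }
        Set<Provider.Service> services = provider.getServices();
        if (services != null) {
            for (Provider.Service service : services) {
                if (needKmf && kmfType.equals(service.getType())) {
                    Security.setProperty("ssl.KeyManagerFactory.algorithm", service.getAlgorithm());
                    needKmf = false;
                } else if (needTmf && tmfType.equals(service.getType())) {
                    Security.setProperty("ssl.TrustManagerFactory.algorithm", service.getAlgorithm());
                    needTmf = false;
                }
                if (!needKmf && !needTmf) {
                    return;
                }
            }
        }
        throw new IllegalStateException("Provider " + provider.getName() + " does not provide KeyManagerFactory or TrustManagerFactory algorithms for TLS");
    }
}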
