package org.eclipse.jgit.internal.transport.sshd.pkcs11;

import java.io.IOException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.FailedLoginException;
import org.apache.sshd.agent.SshAgent;
import org.apache.sshd.agent.SshAgentKeyConstraint;
import org.apache.sshd.client.auth.pubkey.KeyAgentIdentity;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.transport.URIish;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/jars/org.eclipse.jgit.ssh.apache-6.10.0.202406032230-r.jar:org/eclipse/jgit/internal/transport/sshd/pkcs11/Pkcs11Provider.class */
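/**
 * Wraps a SunPKCS11 {@link Provider} configured for one PKCS#11 library and
 * slot, and exposes the keys found on the token as {@link KeyAgentIdentity}
 * objects for SSH public-key authentication.
 * <p>
 * Instances are cached per (absolute library path, slot index) in
 * {@link #PROVIDERS}; see {@link #getProvider(Path, int)}. The PKCS#11
 * {@link KeyStore} is loaded lazily in {@link #load(SessionContext)} and the
 * PIN is obtained through the {@link SecurityCallback} prompter. Loading and
 * signing are retried while the prompter reports a wrong PIN, up to the number
 * of attempts the prompter allows.
 * <p>
 * Thread-safety: {@link #keys} is written only under this object's monitor in
 * {@link #load(SessionContext)}; every reader calls {@code load} first.
 */
public class Pkcs11Provider {
    private static final Logger LOG = LoggerFactory.getLogger(Pkcs11Provider.class);

    /**
     * Placeholder agent handed to {@link KeyAgentIdentity}, which requires one.
     * It is never asked to do anything: {@link Pkcs11Identity#sign} overrides
     * signing to go through {@link Pkcs11Provider#sign}, so every agent
     * operation here is unsupported.
     */
    private static final SshAgent NULL_AGENT = new SshAgent() {
        @Override
        public boolean isOpen() {
            return true;
        }

        @Override
        public void close() throws IOException {
            // Nothing to release.
        }

        @Override
        public Iterable<? extends Map.Entry<PublicKey, String>> getIdentities() throws IOException {
            throw new UnsupportedOperationException();
        }

        @Override
        public Map.Entry<String, byte[]> sign(SessionContext session, PublicKey key, String algorithm, byte[] data) throws IOException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void addIdentity(KeyPair key, String comment, SshAgentKeyConstraint... constraints) throws IOException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void removeIdentity(PublicKey key) throws IOException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void removeAllIdentities() throws IOException {
            throw new UnsupportedOperationException();
        }
    };

    /** Cache of providers, keyed by "&lt;absolute library path&gt;/&lt;slot index&gt;". */
    private static final Map<String, Pkcs11Provider> PROVIDERS = new ConcurrentHashMap<>();

    /** Makes the per-provider system property name unique within this JVM. */
    private static final AtomicInteger COUNT = new AtomicInteger();

    private final Provider provider;

    private final SecurityCallback prompter;

    private final KeyStore.Builder builder;

    /** Loaded lazily by {@link #load(SessionContext)}; {@code null} until then. */
    private KeyStore keys;

    /**
     * An SSH identity backed by a key on the PKCS#11 token. The key alias is
     * stored as the identity's comment and used to look the key up again when
     * signing.
     */
    private class Pkcs11Identity extends KeyAgentIdentity {

        Pkcs11Identity(PublicKey publicKey, String alias) {
            super(Pkcs11Provider.NULL_AGENT, publicKey, alias);
        }

        /**
         * Signs {@code data} on the token with the key whose alias is this
         * identity's comment.
         *
         * @param session
         *            the SSH session the signature is for
         * @param algorithm
         *            SSH signature factory name (e.g. an ssh-rsa variant)
         * @param data
         *            the bytes to sign
         * @return an entry of {@code algorithm} and the raw signature; the
         *         signature is {@code null} if the prompter allowed no
         *         attempts (see {@link Pkcs11Provider#sign})
         * @throws Exception
         *             if the algorithm is unknown or signing fails
         */
        @Override
        public Map.Entry<String, byte[]> sign(SessionContext session, String algorithm, byte[] data) throws Exception {
            BuiltinSignatures factory = BuiltinSignatures.fromFactoryName(algorithm);
            if (factory == null) {
                // Lookup by name may yield null for an unknown factory name; fail
                // clearly rather than with an NPE below.
                throw new GeneralSecurityException("Unsupported signature algorithm: " + algorithm);
            }
            // Map the SSH factory name to the JCA algorithm name the provider expects.
            String jcaAlgorithm = factory.create().getAlgorithm();
            byte[] signature = Pkcs11Provider.this.sign(session, jcaAlgorithm, getComment(), data);
            return new AbstractMap.SimpleImmutableEntry<>(algorithm, signature);
        }
    }

    /**
     * Gets the cached {@link Pkcs11Provider} for the given PKCS#11 library and
     * slot, creating and configuring it on first use.
     * <p>
     * Configuration registers a JVM-wide system property (named
     * {@code pkcs11-<n>-<provider name>}) holding the library path and passes
     * it to SunPKCS11 via {@code ${property}} expansion in the inline config;
     * presumably this avoids quoting issues with the path in the config text.
     *
     * @param path
     *            path of the PKCS#11 shared library
     * @param slotListIndex
     *            index into the slot list; negative values are treated as 0
     * @return the provider for this library and slot
     * @throws IOException
     *             declared for API compatibility
     * @throws UnsupportedOperationException
     *             if no "SunPKCS11" security provider is installed
     */
    public static Pkcs11Provider getProvider(@NonNull Path path, int slotListIndex) throws IOException {
        int slot = Math.max(0, slotListIndex);
        Path library = path.toAbsolutePath();
        String cacheKey = library + "/" + slot;
        return PROVIDERS.computeIfAbsent(cacheKey, key -> {
            Provider base = Security.getProvider("SunPKCS11");
            if (base == null) {
                throw new UnsupportedOperationException();
            }
            // A root path has no file name; don't NPE on it.
            Path fileName = library.getFileName();
            String baseName = fileName == null ? "" : fileName.toString().replaceAll("\\s", "");
            String providerName = "JGit-" + slot + "-" + baseName;
            String propertyName = "pkcs11-" + COUNT.incrementAndGet() + "-" + providerName;
            System.setProperty(propertyName, library.toString());
            String config = "--name = " + providerName + "\nlibrary = ${" + propertyName + "}\nslotListIndex = " + slot + "\n";
            if (LOG.isDebugEnabled()) {
                LOG.debug("{}: configuring provider with system property {}={} and config:{}{}", providerName, propertyName, library, System.lineSeparator(), config);
            }
            Provider configured = base.configure(config);
            // The URI only identifies the token to the prompter; the slot is
            // included only when it is non-default.
            String uri = "pkcs11:?module-path=" + library;
            if (slot > 0) {
                uri += "&slot-list-index=" + slot;
            }
            return new Pkcs11Provider(configured, new SecurityCallback(new URIish().setPath(uri)));
        });
    }

    private Pkcs11Provider(Provider provider, SecurityCallback prompter) {
        this.provider = provider;
        this.prompter = prompter;
        // The KeyStore is opened lazily; the prompter supplies the PIN when the
        // provider asks for it.
        this.builder = KeyStore.Builder.newInstance("PKCS11", provider, new KeyStore.CallbackHandlerProtection(prompter));
    }

    /**
     * Loads the PKCS#11 {@link KeyStore} if not loaded yet, retrying while the
     * prompter reports a wrong PIN and still allows further attempts.
     *
     * @param session
     *            the SSH session the keys are needed for
     * @throws GeneralSecurityException
     *             if the KeyStore cannot be loaded, including when the
     *             prompter permits no attempts at all
     * @throws IOException
     *             if the prompter fails
     */
    private synchronized void load(SessionContext session) throws GeneralSecurityException, IOException {
        if (keys != null) {
            return;
        }
        int maxAttempts = prompter.init(session);
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}: Loading PKCS#11 KeyStore (attempt {})", getName(), Integer.toString(attempt));
                }
                keys = builder.getKeyStore();
                prompter.passwordTried(null);
                return;
            } catch (GeneralSecurityException e) {
                // Retry only for a wrong PIN, only while the prompter agrees,
                // and only if attempts remain.
                if (!prompter.passwordTried(e) || attempt >= maxAttempts || !isWrongPin(e)) {
                    throw e;
                }
            }
        }
        // Reached only when maxAttempts <= 0; report it instead of letting
        // callers hit an NPE on the still-null KeyStore.
        throw new GeneralSecurityException(getName() + ": PKCS#11 KeyStore could not be loaded");
    }

    /**
     * Signs {@code data} with the private key stored under {@code alias},
     * retrying while the prompter reports a wrong PIN.
     *
     * @param session
     *            the SSH session the signature is for
     * @param algorithm
     *            JCA signature algorithm name
     * @param alias
     *            KeyStore alias of the private key
     * @param data
     *            bytes to sign
     * @return the signature, or {@code null} if the prompter permitted no
     *         attempts (NOTE(review): callers then receive a null signature;
     *         consider throwing instead)
     * @throws GeneralSecurityException
     *             if the alias has no private key or signing fails
     * @throws IOException
     *             if the prompter fails
     */
    synchronized byte[] sign(SessionContext session, String algorithm, String alias, byte[] data) throws GeneralSecurityException, IOException {
        // No-op once loaded; guards against signing before getKeys() was called.
        load(session);
        int maxAttempts = prompter.init(session);
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}: Signing with PKCS#11 key {}, algorithm {} (attempt {})", getName(), alias, algorithm, Integer.toString(attempt));
                }
                Key key = keys.getKey(alias, null);
                if (!(key instanceof PrivateKey)) {
                    // Unknown alias (null) or a non-private key: fail with a
                    // checked exception rather than an NPE/ClassCastException.
                    throw new UnrecoverableKeyException("No private key for alias " + alias);
                }
                Signature signature = Signature.getInstance(algorithm, provider);
                signature.initSign((PrivateKey) key);
                signature.update(data);
                byte[] result = signature.sign();
                prompter.passwordTried(null);
                return result;
            } catch (GeneralSecurityException e) {
                if (!prompter.passwordTried(e) || attempt >= maxAttempts || !isWrongPin(e)) {
                    throw e;
                }
            }
        }
        return null;
    }

    /**
     * Tells whether the failure is a wrong-PIN error, i.e. whether a
     * {@link FailedLoginException} occurs anywhere in the cause chain.
     *
     * @param t
     *            the exception to inspect
     * @return {@code true} if a {@link FailedLoginException} is found
     */
    private static boolean isWrongPin(Throwable t) {
        // Identity set guards against a cyclic cause chain turning the PIN
        // retry loop into a hang.
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        for (Throwable cause = t; cause != null && seen.add(cause); cause = cause.getCause()) {
            if (cause instanceof FailedLoginException) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return the name of the configured JCA provider
     */
    public String getName() {
        return provider.getName();
    }

    /**
     * Lists the identities on the token: one per KeyStore alias that has a
     * certificate with a public key. Certificate validity and key usage are
     * only logged at debug level; an expired certificate is still offered
     * as an identity.
     *
     * @param session
     *            the SSH session the identities are for
     * @return the identities found (possibly empty, never {@code null})
     * @throws IOException
     *             if the prompter fails
     * @throws GeneralSecurityException
     *             if the KeyStore cannot be loaded or read
     */
    public Iterable<KeyAgentIdentity> getKeys(SessionContext session) throws IOException, GeneralSecurityException {
        load(session);
        List<KeyAgentIdentity> identities = new ArrayList<>(2);
        Enumeration<String> aliases = keys.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate certificate = keys.getCertificate(alias);
            if (certificate == null) {
                continue;
            }
            PublicKey publicKey = certificate.getPublicKey();
            if (publicKey == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}: certificate {} has no public key??", getName(), alias);
                }
                continue;
            }
            if (LOG.isDebugEnabled()) {
                logCertificate(alias, certificate, publicKey);
            }
            identities.add(new Pkcs11Identity(publicKey, alias));
        }
        return identities;
    }

    /**
     * Emits the debug-level description of a loaded certificate; for X.509
     * certificates this includes validity and whether the digitalSignature
     * key-usage bit is set.
     */
    private void logCertificate(String alias, Certificate certificate, PublicKey publicKey) {
        if (!(certificate instanceof X509Certificate)) {
            LOG.debug("{}: Loaded certificate {}, key type {}.", getName(), alias, publicKey.getAlgorithm());
            return;
        }
        X509Certificate x509 = (X509Certificate) certificate;
        String description;
        try {
            x509.checkValidity();
            description = "Certificate is valid";
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            description = "Certificate is INVALID";
        }
        boolean[] keyUsage = x509.getKeyUsage();
        if (keyUsage != null && keyUsage.length > 0) {
            // keyUsage[0] is the digitalSignature bit of the KeyUsage extension.
            description += ", signing " + (keyUsage[0] ? "allowed" : "NOT allowed");
        }
        LOG.debug("{}: Loaded X.509 certificate {}, key type {}. {}.", getName(), alias, publicKey.getAlgorithm(), description);
    }
}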
