package it.anyplace.sync.core.security;

import com.google.common.base.Function;
import com.google.common.base.Joiner;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.Iterables;
import com.google.common.hash.Hashing;
import com.google.common.io.BaseEncoding;
import it.anyplace.sync.core.configuration.ConfigurationService;
import it.anyplace.sync.core.interfaces.RelayConnection;
import it.anyplace.sync.core.utils.PathUtils;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.jetty.alpn.ALPN;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:it/anyplace/sync/core/security/KeystoreHandler.class */
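/**
 * Holds the local device identity (an RSA key pair wrapped in a self-signed X.509
 * certificate inside a {@link KeyStore}) and builds TLS sockets with it.
 *
 * <p>Trust is not based on certificate chains: the trust manager installed by
 * {@link #getSocketFactory()} accepts any peer chain, and a peer is authenticated only
 * when {@link #checkSocketCerificate(SSLSocket, String)} pins the SHA-256 of its
 * certificate to the expected device id. Callers that skip that check accept an
 * unauthenticated peer.
 *
 * <p>Device ids are the base32 (RFC 4648) encoding of the certificate hash, split into
 * groups of 13 characters, each followed by a Luhn mod-32 check character, and printed
 * as eight dash-separated groups of seven characters.
 */
public class KeystoreHandler {
    // The keystore is persisted inside the application configuration and only
    // protects the locally generated identity, so the store/key passwords are fixed.
    private static final String JKS_PASSWORD = "password";
    private static final String KEY_PASSWORD = "password";
    private static final String KEY_ALIAS = "key";
    private static final String KEY_ALGO = "RSA";
    // SHA-1 signatures are deprecated. The self-signature is never verified by peers
    // (see AcceptAnyChainTrustManager); identity is pinned through the device id instead.
    private static final String SIGNATURE_ALGO = "SHA1withRSA";
    private static final String CERTIFICATE_CN = "CN=syncthing";
    private static final String BC_PROVIDER = "BC";
    private static final String TLS_VERSION = "TLSv1.2";
    public static final String CONFIGURATION_KEYSTORE_PROP = "keystore";
    public static final String CONFIGURATION_DEVICEID_PROP = "deviceid";
    private static final int KEY_SIZE = 3072;
    private static final int SOCKET_TIMEOUT = 2000;
    // Certificate validity window, evaluated in long arithmetic. The decompiled constant
    // 1827387392 ms (about 21 days) equals 10 years in milliseconds modulo 2^32, i.e. the
    // original int expression overflowed; the intended validity is 10 years.
    private static final long NOT_BEFORE_SKEW_MILLIS = 24L * 60 * 60 * 1000;
    private static final long CERTIFICATE_VALIDITY_MILLIS = 10L * 365 * 24 * 60 * 60 * 1000;
    // RFC 4648 base32 alphabet, shared by the device id encoding and its check characters.
    private static final String LUHN32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    // 52 base32 chars -> 4 groups of 13, each gets one check char -> 56 chars -> 8 groups of 7.
    private static final int DEVICE_ID_GROUP_LENGTH = 13;
    private static final int DEVICE_ID_CHUNK_LENGTH = 7;
    private static final String DEVICE_ID_SYNTAX =
            "^[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}$";
    // Strips the dashes and the check character closing every 14-character group.
    private static final String DEVICE_ID_STRIP_REGEX =
            "(.{7})-(.{6}).-(.{7})-(.{6}).-(.{7})-(.{6}).-(.{7})-(.{6}).";
    private static final int HASH_LENGTH = Hashing.sha256().bits() / 8;
    private final Logger logger;
    private final ConfigurationService configuration;
    private final KeyStore keyStore;
    public static final String BEP = "bep/1.0";
    public static final String RELAY = "bep-relay";

    /**
     * Loads the keystore stored in a {@link ConfigurationService}, or generates and
     * persists a fresh identity when none is present or the stored one cannot be read.
     * Handlers are cached by the SHA-256 of the keystore bytes.
     */
    public static class Loader {
        private final Logger logger;
        private static final Cache<String, KeystoreHandler> keystoreHandlersCacheByHash = CacheBuilder.newBuilder().maximumSize(10).build();

        private Loader() {
            this.logger = LoggerFactory.getLogger(getClass());
        }

        /** Base32 of the SHA-256 of the serialized keystore, used as the cache key. */
        private static String cacheKey(byte[] keystoreData) {
            return BaseEncoding.base32().encode(Hashing.sha256().hashBytes(keystoreData).asBytes());
        }

        /**
         * Returns a handler for the identity held by {@code configurationService}.
         *
         * <p>When the stored keystore cannot be imported, a <em>new</em> identity is
         * generated and persisted (device id, keystore and algorithm), replacing the old
         * one; the import failure is only logged. When neither import nor generation
         * succeeds a {@link NullPointerException} is thrown.
         *
         * @param configurationService configuration holding the keystore bytes, its type
         *     and the device id; edited when a keystore is generated
         * @return the (possibly cached) handler
         */
        public KeystoreHandler loadAndStore(ConfigurationService configurationService) {
            synchronized (keystoreHandlersCacheByHash) {
                byte[] keystoreData = configurationService.getKeystore();
                if (keystoreData != null) {
                    KeystoreHandler cached = keystoreHandlersCacheByHash.getIfPresent(cacheKey(keystoreData));
                    if (cached != null) {
                        return cached;
                    }
                }
                String keystoreAlgo = configurationService.getKeystoreAlgo();
                if (StringUtils.isBlank(keystoreAlgo)) {
                    keystoreAlgo = KeyStore.getDefaultType();
                    Preconditions.checkNotNull(keystoreAlgo);
                    this.logger.debug("keystore algo set to {}", keystoreAlgo);
                    configurationService.edit().setKeystoreAlgo(keystoreAlgo);
                }
                Pair<KeyStore, String> loaded = null;
                if (keystoreData != null) {
                    try {
                        loaded = importKeystore(keystoreData, configurationService);
                    } catch (Exception e) {
                        // Best effort: a stored keystore that fails to load is abandoned and
                        // a new identity is generated below. This changes the device id.
                        this.logger.error("error importing keystore", e);
                    }
                }
                boolean generated = false;
                if (loaded == null) {
                    try {
                        loaded = generateKeystore(configurationService);
                        generated = true;
                    } catch (Exception e) {
                        this.logger.error("error generating keystore", e);
                    }
                }
                Preconditions.checkNotNull(loaded, "unable to aquire keystore");
                KeystoreHandler handler = new KeystoreHandler(configurationService, loaded.getLeft());
                if (generated) {
                    // Persist the new identity so the same device id is used on the next start.
                    keystoreData = handler.exportKeystoreToData();
                    configurationService.edit()
                            .setDeviceId(loaded.getRight())
                            .setKeystore(keystoreData)
                            .setKeystoreAlgo(keystoreAlgo)
                            .persistLater();
                }
                keystoreHandlersCacheByHash.put(cacheKey(keystoreData), handler);
                this.logger.info("keystore ready, device id = {}", configurationService.getDeviceId());
                return handler;
            }
        }

        /**
         * Generates a new RSA key pair and self-signed v1 certificate and wraps them in a
         * keystore of the configured type.
         *
         * @return the keystore and the device id derived from the certificate
         * @throws Exception on any key generation, signing or keystore error
         */
        private Pair<KeyStore, String> generateKeystore(ConfigurationService configurationService) throws Exception {
            this.logger.debug("generating key");
            KeyPairGenerator generator = KeyPairGenerator.getInstance(KEY_ALGO, BC_PROVIDER);
            generator.initialize(KEY_SIZE);
            KeyPair keyPair = generator.genKeyPair();
            long now = System.currentTimeMillis();
            X500Principal name = new X500Principal(CERTIFICATE_CN);
            // notBefore is backdated by one day to tolerate clock skew between peers.
            X509CertificateHolder holder = new JcaX509v1CertificateBuilder(
                    name,
                    BigInteger.ZERO,
                    new Date(now - NOT_BEFORE_SKEW_MILLIS),
                    new Date(now + CERTIFICATE_VALIDITY_MILLIS),
                    name,
                    keyPair.getPublic())
                    .build(new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER).build(keyPair.getPrivate()));
            byte[] der = holder.getEncoded();
            this.logger.info("generated cert =\n{}", derToPem(der));
            String deviceId = derDataToDeviceIdString(der);
            this.logger.info("device id from cert = {}", deviceId);
            KeyStore keyStore = KeyStore.getInstance(configurationService.getKeystoreAlgo());
            keyStore.load(null, null);
            Certificate certificate = new JcaX509CertificateConverter().setProvider(BC_PROVIDER).getCertificate(holder);
            keyStore.setKeyEntry(KEY_ALIAS, keyPair.getPrivate(), KEY_PASSWORD.toCharArray(), new Certificate[]{certificate});
            return Pair.of(keyStore, deviceId);
        }

        /**
         * Loads a serialized keystore and derives the device id from the certificate of
         * its first alias.
         *
         * @param keystoreData serialized keystore as produced by {@link #exportKeystoreToData()}
         * @return the keystore and the device id of its certificate
         * @throws IllegalArgumentException if the store is empty or its entry is not an X.509 certificate
         * @throws Exception on any load error (wrong password, unknown type, corrupt data)
         */
        private Pair<KeyStore, String> importKeystore(byte[] keystoreData, ConfigurationService configurationService) throws Exception {
            KeyStore keyStore = KeyStore.getInstance(configurationService.getKeystoreAlgo());
            keyStore.load(new ByteArrayInputStream(keystoreData), JKS_PASSWORD.toCharArray());
            Preconditions.checkArgument(keyStore.aliases().hasMoreElements(), "keystore contains no entries");
            Certificate certificate = keyStore.getCertificate(keyStore.aliases().nextElement());
            Preconditions.checkArgument(certificate instanceof X509Certificate);
            String deviceId = derDataToDeviceIdString(certificate.getEncoded());
            this.logger.debug("loaded device id from cert = {}", deviceId);
            return Pair.of(keyStore, deviceId);
        }
    }

    /**
     * Trust manager that accepts every peer chain. Chain validation is deliberately
     * skipped because peers use self-signed certificates; the peer's identity must be
     * established afterwards with {@link #checkSocketCerificate(SSLSocket, String)}.
     */
    private static final class AcceptAnyChainTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Accepted unconditionally; see class comment.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Accepted unconditionally; see class comment.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The contract asks for a non-null array; the original returned null.
            return new X509Certificate[0];
        }
    }

    private KeystoreHandler(ConfigurationService configurationService, KeyStore keyStore) {
        this.logger = LoggerFactory.getLogger(getClass());
        Preconditions.checkNotNull(configurationService);
        Preconditions.checkNotNull(keyStore);
        this.configuration = configurationService;
        this.keyStore = keyStore;
    }

    /**
     * Renders DER-encoded certificate bytes as a PEM block (base64, 76-column lines).
     *
     * @param der DER bytes of a certificate
     * @return the PEM text, without a trailing newline
     */
    public static String derToPem(byte[] der) {
        String body = BaseEncoding.base64().withSeparator("\n", 76).encode(der);
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----";
    }

    /**
     * Serializes the keystore with the fixed store password.
     *
     * @return the keystore bytes
     * @throws RuntimeException wrapping any store error
     */
    public byte[] exportKeystoreToData() {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            this.keyStore.store(out, JKS_PASSWORD.toCharArray());
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(e);
        }
        return out.toByteArray();
    }

    /**
     * Derives the device id of a certificate: the formatted SHA-256 of its DER encoding.
     *
     * @param der DER bytes of a certificate
     * @return the device id string
     */
    public static String derDataToDeviceIdString(byte[] der) {
        return hashDataToDeviceIdString(Hashing.sha256().hashBytes(der).asBytes());
    }

    /**
     * Formats a 32-byte hash as a device id: unpadded base32, a Luhn mod-32 check
     * character appended to every 13 characters, then dash-separated groups of 7.
     *
     * @param hash exactly 32 bytes
     * @return the device id string, e.g. {@code XXXXXXX-XXXXXXX-...} (8 groups)
     * @throws IllegalArgumentException if {@code hash} is not 32 bytes long
     */
    public static String hashDataToDeviceIdString(byte[] hash) {
        Preconditions.checkArgument(hash.length == HASH_LENGTH);
        String base32 = BaseEncoding.base32().encode(hash).replaceAll("=+$", "");
        StringBuilder withChecks = new StringBuilder(base32.length() + 4);
        for (String group : Splitter.fixedLength(DEVICE_ID_GROUP_LENGTH).split(base32)) {
            withChecks.append(group).append(generateLuhn32Checksum(group));
        }
        return Joiner.on("-").join(Splitter.fixedLength(DEVICE_ID_CHUNK_LENGTH).split(withChecks.toString()));
    }

    /**
     * Decodes a device id back into the 32-byte hash it was built from.
     *
     * <p>Only the syntax is checked here; the check characters are dropped without being
     * verified. Use {@link #validateDeviceId(String)} to verify them.
     *
     * @param deviceId the formatted device id
     * @return the 32-byte hash
     * @throws IllegalArgumentException on syntax errors or if the decoded length is wrong
     */
    public static byte[] deviceIdStringToHashData(String deviceId) {
        Preconditions.checkArgument(deviceId.matches(DEVICE_ID_SYNTAX), "device id syntax error for deviceId = %s", deviceId);
        String base32 = deviceId.replaceFirst(DEVICE_ID_STRIP_REGEX, "$1$2$3$4$5$6$7$8");
        // Restore base32 padding for the decoder; trailing '=' are trimmed before length checks.
        byte[] hash = BaseEncoding.base32().decode(base32 + "===");
        Preconditions.checkArgument(hash.length == HASH_LENGTH);
        return hash;
    }

    /**
     * Verifies syntax and check characters of a device id by decoding and re-encoding it.
     *
     * @param deviceId the formatted device id
     * @throws IllegalArgumentException if the id is malformed or a check character is wrong
     */
    public static void validateDeviceId(String deviceId) {
        Preconditions.checkArgument(Objects.equal(hashDataToDeviceIdString(deviceIdStringToHashData(deviceId)), deviceId));
    }

    /**
     * Key managers presenting this device's certificate and private key.
     *
     * @return the key managers for the default algorithm
     */
    public KeyManager[] getKeyManagers() throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(this.keyStore, KEY_PASSWORD.toCharArray());
        return factory.getKeyManagers();
    }

    /**
     * Computes the Luhn mod-32 check character of a base32 string.
     *
     * @param input characters from the RFC 4648 base32 alphabet (no padding)
     * @return the check character
     * @throws IllegalArgumentException if a character is outside the alphabet
     */
    public static char generateLuhn32Checksum(String input) {
        int alphabetSize = LUHN32_ALPHABET.length();
        int factor = 1;
        int sum = 0;
        for (char c : input.toCharArray()) {
            int codepoint = LUHN32_ALPHABET.indexOf(c);
            Preconditions.checkArgument(codepoint >= 0);
            int addend = factor * codepoint;
            // Weights alternate 1, 2, 1, 2, ... starting with 1.
            factor = (factor == 2) ? 1 : 2;
            sum += addend / alphabetSize + addend % alphabetSize;
        }
        int remainder = sum % alphabetSize;
        return LUHN32_ALPHABET.charAt((alphabetSize - remainder) % alphabetSize);
    }

    /**
     * TLS 1.2 socket factory using this device's key and a trust manager that accepts
     * any peer chain (see {@link AcceptAnyChainTrustManager}).
     */
    private SSLSocketFactory getSocketFactory() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
        SSLContext context = SSLContext.getInstance(TLS_VERSION);
        context.init(getKeyManagers(), new TrustManager[]{new AcceptAnyChainTrustManager()}, null);
        return context.getSocketFactory();
    }

    /**
     * Layers TLS over an already connected plain socket.
     *
     * <p>In server mode the peer is required to present a client certificate: the trust
     * manager accepts any chain, so {@link #checkSocketCerificate(SSLSocket, String)} is
     * the only authentication step and it needs the peer certificate, which a server-mode
     * socket never receives unless client authentication is requested.
     *
     * @param socket connected plain socket; closed together with the returned socket
     * @param serverMode {@code true} to act as the TLS server on this socket
     * @param protocols ALPN protocol names to offer (e.g. {@link #BEP}, {@link #RELAY})
     * @return the TLS socket (handshake not yet performed)
     */
    public Socket wrapSocket(Socket socket, boolean serverMode, String... protocols) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, IOException {
        this.logger.debug("wrapping plain socket, server mode = {}", Boolean.valueOf(serverMode));
        SSLSocket sslSocket = (SSLSocket) getSocketFactory().createSocket(socket, (String) null, socket.getPort(), true);
        if (serverMode) {
            sslSocket.setUseClientMode(false);
            sslSocket.setNeedClientAuth(true);
        }
        enableALPN(sslSocket, protocols);
        return sslSocket;
    }

    /**
     * Opens a TLS client socket to {@code address}.
     *
     * <p>Only the connect is bounded by {@link #SOCKET_TIMEOUT}; no read timeout is set,
     * so the handshake and later reads may block indefinitely.
     *
     * @param address remote endpoint
     * @param protocols ALPN protocol names to offer
     * @return the connected TLS socket (handshake not yet performed)
     */
    public Socket createSocket(InetSocketAddress address, String... protocols) throws Exception {
        SSLSocket sslSocket = (SSLSocket) getSocketFactory().createSocket();
        sslSocket.connect(address, SOCKET_TIMEOUT);
        enableALPN(sslSocket, protocols);
        return sslSocket;
    }

    /**
     * Registers the ALPN protocol list with the Jetty ALPN boot API, if present on the
     * boot classpath; otherwise logs a warning and continues without ALPN.
     *
     * <p>A {@code ClientProvider} is registered regardless of the socket's mode; whether
     * server-mode sockets negotiate ALPN with it is not established here.
     */
    private void enableALPN(final SSLSocket sslSocket, final String... protocols) {
        try {
            // Probe first so a missing boot jar surfaces as ClassNotFoundException here.
            Class.forName("org.eclipse.jetty.alpn.ALPN");
            ALPN.put(sslSocket, new ALPN.ClientProvider() {
                public List<String> protocols() {
                    return Arrays.asList(protocols);
                }

                public void unsupported() {
                    // Deregister so the static ALPN map does not retain the socket.
                    ALPN.remove(sslSocket);
                }

                public void selected(String protocol) {
                    ALPN.remove(sslSocket);
                    KeystoreHandler.this.logger.debug("ALPN select protocol = {}", protocol);
                }
            });
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            this.logger.warn("ALPN not available, org.eclipse.jetty.alpn.ALPN not found! ( requires java -Xbootclasspath/p:path/to/alpn-boot.jar )");
        }
    }

    /**
     * Authenticates the peer of a handshaken TLS socket by pinning the device id derived
     * from its leaf certificate. This is the only authentication step (the trust manager
     * accepts any chain), so it must be called before any data is trusted.
     *
     * @param sslSocket socket whose handshake has completed
     * @param expectedDeviceId the device id the peer is expected to have
     * @throws SSLPeerUnverifiedException if the peer presented no certificate
     * @throws CertificateException if the peer chain cannot be parsed
     * @throws IllegalArgumentException if the leaf is not X.509 or its device id differs
     */
    public void checkSocketCerificate(SSLSocket sslSocket, String expectedDeviceId) throws SSLPeerUnverifiedException, CertificateException {
        List<Certificate> peerChain = Arrays.asList(sslSocket.getSession().getPeerCertificates());
        Certificate leaf = CertificateFactory.getInstance("X.509").generateCertPath(peerChain).getCertificates().get(0);
        Preconditions.checkArgument(leaf instanceof X509Certificate);
        byte[] der = leaf.getEncoded();
        String actualDeviceId = derDataToDeviceIdString(der);
        this.logger.trace("remote pem certificate =\n{}", derToPem(der));
        Preconditions.checkArgument(Objects.equal(actualDeviceId, expectedDeviceId), "device id mismatch! expected = %s, got = %s", expectedDeviceId, actualDeviceId);
        this.logger.debug("remote ssl certificate match deviceId = {}", expectedDeviceId);
    }

    /**
     * Layers TLS over a relay connection, in server mode if the relay says this side is
     * the server.
     *
     * @see #wrapSocket(Socket, boolean, String...)
     */
    public Socket wrapSocket(RelayConnection relayConnection, String... protocols) throws Exception {
        return wrapSocket(relayConnection.getSocket(), relayConnection.isServerSocket(), protocols);
    }

    /** @return a new {@link Loader} */
    public static Loader newLoader() {
        return new Loader();
    }

    static {
        // Key generation and certificate signing request the "BC" provider by name.
        Security.addProvider(new BouncyCastleProvider());
    }
}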
