package org.postgresql.ssl;

import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import org.postgresql.jdbc.EscapedFunctions;
import org.postgresql.jdbc.ResourceLock;
import org.postgresql.ssl.LibPQFactory;
import org.postgresql.util.GT;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;

/* loaded from: input_file:WEB-INF/lib/postgresql-42.7.3.jar:org/postgresql/ssl/PKCS12KeyManager.class */
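/**
 * {@link X509KeyManager} that serves the client certificate and private key stored in a PKCS#12
 * file for the pgjdbc SSL handshake.
 *
 * <p>The keystore is loaded lazily (and at most once) on the first alias/chain/key lookup; the
 * password is obtained through the supplied {@link CallbackHandler}. Failures inside the
 * {@code X509KeyManager} callbacks cannot be thrown across the JSSE boundary, so they are parked
 * in {@link #error} and surfaced afterwards by {@link #throwKeyManagerException()}.
 *
 * <p>Thread-safety: {@link #loadKeyStore()} is serialised by {@link #lock}; {@link #error} itself
 * is written without synchronisation, as in the original.
 */
public class PKCS12KeyManager implements X509KeyManager {
    /**
     * Alias under which the client key/certificate chain is expected inside the PKCS#12 file.
     * The decompiler had folded this literal into the unrelated {@code EscapedFunctions.USER}
     * constant (same string value); spelling it out keeps the intent readable.
     */
    private static final String KEY_ALIAS = "user";

    /** Asked for the keystore / key password. */
    private final CallbackHandler cbh;
    /** Last failure seen in a key-manager callback; see {@link #throwKeyManagerException()}. */
    private PSQLException error;
    /** Path of the PKCS#12 file. */
    private final String keyfile;
    /** In-memory PKCS#12 keystore, populated by {@link #loadKeyStore()}. */
    private final KeyStore keyStore;
    /** True once {@link #keyStore} has been loaded; read and written under {@link #lock}. */
    boolean keystoreLoaded;
    private final ResourceLock lock = new ResourceLock();

    /**
     * Creates a key manager for the given PKCS#12 file. Nothing is read from disk here.
     *
     * @param str path of the PKCS#12 file
     * @param callbackHandler handler that supplies the keystore password on demand
     * @throws PSQLException if no {@code pkcs12} {@link KeyStore} implementation is available
     */
    public PKCS12KeyManager(String str, CallbackHandler callbackHandler) throws PSQLException {
        try {
            this.keyStore = KeyStore.getInstance("pkcs12");
        } catch (KeyStoreException e) {
            throw new PSQLException(GT.tr("Unable to find pkcs12 keystore."), PSQLState.CONNECTION_FAILURE, e);
        }
        this.keyfile = str;
        this.cbh = callbackHandler;
    }

    /**
     * Re-throws the error recorded by an earlier callback, if any.
     *
     * @throws PSQLException the parked error
     */
    public void throwKeyManagerException() throws PSQLException {
        PSQLException pending = this.error;
        if (pending != null) {
            throw pending;
        }
    }

    /**
     * Returns the single client alias that matches the key type and issuers, or {@code null}.
     */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String str, Principal[] principalArr) {
        String alias = chooseClientAlias(new String[]{str}, principalArr, (Socket) null);
        return alias == null ? null : new String[]{alias};
    }

    /**
     * Chooses the client alias to present.
     *
     * <p>With no issuer restriction the fixed alias is returned without touching the keystore.
     * Otherwise the alias is returned only when the public-key algorithm of the chain matches one
     * of {@code strArr} (any algorithm if {@code strArr} is empty) and the issuer of the
     * <em>last</em> certificate in the chain is one of {@code principalArr}.
     */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        if (principalArr == null || principalArr.length == 0) {
            return KEY_ALIAS;
        }
        X509Certificate[] chain = getCertificateChain(KEY_ALIAS);
        // An empty chain would otherwise index out of bounds below.
        if (chain == null || chain.length == 0) {
            return null;
        }
        // The original inspects the last element of the chain, not the leaf; preserved as-is.
        X509Certificate last = chain[chain.length - 1];
        X500Principal issuer = last.getIssuerX500Principal();
        String algorithm = last.getPublicKey().getAlgorithm();
        if (!keyTypeAccepted(strArr, algorithm)) {
            return null;
        }
        for (Principal principal : principalArr) {
            if (issuer.equals(principal)) {
                return KEY_ALIAS;
            }
        }
        return null;
    }

    /**
     * True when {@code keyTypes} is absent/empty or contains {@code algorithm} (case-insensitive).
     * Null entries in {@code keyTypes} are tolerated rather than dereferenced.
     */
    private static boolean keyTypeAccepted(String[] keyTypes, String algorithm) {
        if (keyTypes == null || keyTypes.length == 0) {
            return true;
        }
        for (String keyType : keyTypes) {
            if (algorithm.equalsIgnoreCase(keyType)) {
                return true;
            }
        }
        return false;
    }

    /** Client-only key manager: no server aliases. */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String str, Principal[] principalArr) {
        return new String[0];
    }

    /** Client-only key manager: never selects a server alias. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        return null;
    }

    /**
     * Returns the certificate chain stored under {@code str}, loading the keystore first.
     * Any failure is recorded in {@link #error} and {@code null} is returned.
     */
    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String str) {
        try {
            loadKeyStore();
            Certificate[] chain = this.keyStore.getCertificateChain(str);
            if (chain == null) {
                return null;
            }
            X509Certificate[] result = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                // A non-X.509 entry raises ClassCastException, caught below.
                result[i] = (X509Certificate) chain[i];
            }
            return result;
        } catch (Exception e) {
            this.error = new PSQLException(GT.tr("Could not find a java cryptographic algorithm: X.509 CertificateFactory not available."), PSQLState.CONNECTION_FAILURE, e);
            return null;
        }
    }

    /**
     * Returns the private key under the fixed alias {@value #KEY_ALIAS}; the {@code str} argument
     * is ignored, as in the original. The password is requested again from the callback handler
     * and wiped from memory once the entry has been read. Failures are recorded in
     * {@link #error} and {@code null} is returned.
     */
    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String str) {
        try {
            loadKeyStore();
            PasswordCallback passwordCallback = new PasswordCallback(GT.tr("Enter SSL password: "), false);
            try {
                this.cbh.handle(new Callback[]{passwordCallback});
                // PasswordProtection clones the array, so both copies are wiped below.
                KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(passwordCallback.getPassword());
                try {
                    KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) this.keyStore.getEntry(KEY_ALIAS, protection);
                    return entry == null ? null : entry.getPrivateKey();
                } finally {
                    protection.destroy();
                }
            } finally {
                passwordCallback.clearPassword();
            }
        } catch (Exception e) {
            this.error = new PSQLException(GT.tr("Could not read SSL key file {0}.", this.keyfile), PSQLState.CONNECTION_FAILURE, e);
            return null;
        }
    }

    /**
     * Loads the PKCS#12 file into {@link #keyStore} once, under {@link #lock}.
     *
     * <p>If the callback handler cannot supply a password, the specific cause is stored in
     * {@link #error} and the load is still attempted with a {@code null} password (original
     * behaviour); the resulting load failure propagates to the caller, whose own catch block
     * overwrites {@link #error}. The file stream is closed and the password wiped on every path.
     *
     * @throws Exception on any failure to obtain the password or read the file
     */
    private void loadKeyStore() throws Exception {
        try (ResourceLock ignore = this.lock.obtain()) {
            if (this.keystoreLoaded) {
                return;
            }
            PasswordCallback passwordCallback = new PasswordCallback(GT.tr("Enter SSL password: "), false);
            try {
                try {
                    this.cbh.handle(new Callback[]{passwordCallback});
                } catch (UnsupportedCallbackException e) {
                    if ((this.cbh instanceof LibPQFactory.ConsoleCallbackHandler) && "Console is not available".equals(e.getMessage())) {
                        this.error = new PSQLException(GT.tr("Could not read password for SSL key file, console is not available."), PSQLState.CONNECTION_FAILURE, e);
                    } else {
                        this.error = new PSQLException(GT.tr("Could not read password for SSL key file by callbackhandler {0}.", this.cbh.getClass().getName()), PSQLState.CONNECTION_FAILURE, e);
                    }
                }
                // The original never closed this stream; try-with-resources fixes the descriptor leak.
                try (FileInputStream in = new FileInputStream(this.keyfile)) {
                    this.keyStore.load(in, passwordCallback.getPassword());
                }
                this.keystoreLoaded = true;
            } finally {
                passwordCallback.clearPassword();
            }
        }
    }
}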
