package net.i2p.router.crypto;

import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import net.i2p.crypto.CertUtil;
import net.i2p.crypto.KeyStoreUtil;
import net.i2p.crypto.SigType;
import net.i2p.crypto.SigUtil;
import net.i2p.data.Base64;
import net.i2p.data.DataHelper;
import net.i2p.data.Hash;
import net.i2p.data.Signature;
import net.i2p.data.SigningPrivateKey;
import net.i2p.data.SigningPublicKey;
import net.i2p.data.router.RouterInfo;
import net.i2p.router.RouterContext;
import net.i2p.util.ConcurrentHashSet;
import net.i2p.util.FileSuffixFilter;
import net.i2p.util.Log;
import net.i2p.util.SecureDirectory;
import org.cybergarage.soap.SOAP;

/* loaded from: input_file:net/i2p/router/crypto/FamilyKeyCrypto.class */
public class FamilyKeyCrypto {
    private final RouterContext _context;
    private final Log _log;
    private final Map<Hash, Verified> _verified;
    private final Map<String, SigningPublicKey> _knownKeys;
    private final Map<Hash, Result> _negativeCache;
    private final Set<Hash> _ourFamily;
    private final String _fname;
    private final SigningPrivateKey _privkey;
    private final SigningPublicKey _pubkey;
    public static final String PROP_KEYSTORE_PASSWORD = "netdb.family.keystorePassword";
    public static final String PROP_FAMILY_NAME = "netdb.family.name";
    public static final String PROP_KEY_PASSWORD = "netdb.family.keyPassword";
    public static final String CERT_SUFFIX = ".crt";
    public static final String CRL_SUFFIX = ".crl";
    public static final String KEYSTORE_PREFIX = "family-";
    public static final String KEYSTORE_SUFFIX = ".ks";
    public static final String CN_SUFFIX = ".family.i2p.net";
    private static final int DEFAULT_KEY_VALID_DAYS = 3652;
    private static final String DEFAULT_KEY_ALGORITHM;
    private static final int DEFAULT_KEY_SIZE;
    private static final String KS_DIR = "keystore";
    private static final String CERT_DIR = "certificates/family";
    private static final String CRL_DIR = "crls";
    public static final String OPT_NAME = "family";
    public static final String OPT_SIG = "family.sig";
    public static final String OPT_KEY = "family.key";

    /* loaded from: input_file:net/i2p/router/crypto/FamilyKeyCrypto$Result.class */
    public enum Result {
        NO_FAMILY,
        NO_KEY,
        NO_SIG,
        NAME_CHANGED,
        SIG_CHANGED,
        INVALID_SIG,
        UNSUPPORTED_SIG,
        BAD_KEY,
        BAD_SIG,
        RI_KEY,
        STORED_KEY
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/i2p/router/crypto/FamilyKeyCrypto$Verified.class */
    public static class Verified {
        public final String name;
        public final String sig;
        public final Result result;

        public Verified(String str, String str2, Result result) {
            this.name = str;
            this.sig = str2;
            this.result = result;
        }
    }

    public FamilyKeyCrypto(RouterContext routerContext) throws GeneralSecurityException {
        this._context = routerContext;
        this._log = this._context.logManager().getLog(FamilyKeyCrypto.class);
        this._fname = this._context.getProperty(PROP_FAMILY_NAME);
        if (this._fname != null && (this._fname.contains("/") || this._fname.contains("\\") || this._fname.contains("..") || new File(this._fname).isAbsolute() || this._fname.length() <= 0)) {
            throw new GeneralSecurityException("Illegal family name: " + this._fname);
        }
        this._privkey = this._fname != null ? initialize() : null;
        this._pubkey = this._privkey != null ? this._privkey.toPublic() : null;
        this._verified = new ConcurrentHashMap(16);
        this._negativeCache = new ConcurrentHashMap(4);
        this._ourFamily = this._privkey != null ? new ConcurrentHashSet(4) : Collections.emptySet();
        this._knownKeys = new HashMap(8);
        loadCerts();
    }

    private SigningPrivateKey initialize() throws GeneralSecurityException {
        File file = new File((File) new SecureDirectory(this._context.getConfigDir(), KS_DIR), KEYSTORE_PREFIX + this._fname + KEYSTORE_SUFFIX);
        verifyKeyStore(file);
        return getPrivKey(file);
    }

    public void shutdown() {
        this._verified.clear();
        this._negativeCache.clear();
    }

    public Map<String, String> sign(String str, Hash hash) throws GeneralSecurityException {
        if (this._privkey == null) {
            this._log.logAlways(30, "family name now set, must restart router to generate or load keys");
            throw new GeneralSecurityException("family name now set, must restart router to generate or load keys");
        }
        if (hash == null) {
            throw new GeneralSecurityException("null router hash");
        }
        if (!this._fname.equals(str)) {
            this._log.logAlways(30, "family name changed, must restart router to generate or load new keys");
            throw new GeneralSecurityException("family name changed, must restart router to generate or load new keys");
        }
        byte[] utf8 = DataHelper.getUTF8(this._fname);
        byte[] bArr = new byte[utf8.length + 32];
        System.arraycopy(utf8, 0, bArr, 0, utf8.length);
        System.arraycopy(hash.getData(), 0, bArr, utf8.length, 32);
        Signature sign = this._context.dsa().sign(bArr, this._privkey);
        if (sign == null) {
            throw new GeneralSecurityException("sig failed");
        }
        HashMap hashMap = new HashMap(3);
        hashMap.put(OPT_NAME, str);
        hashMap.put(OPT_KEY, this._pubkey.getType().getCode() + SOAP.DELIM + this._pubkey.toBase64());
        hashMap.put(OPT_SIG, sign.toBase64());
        return hashMap;
    }

    public boolean hasFamily() {
        return this._pubkey != null;
    }

    public Set<Hash> getOurFamily() {
        return this._ourFamily;
    }

    public String getOurFamilyName() {
        return this._fname;
    }

    public Result verify(RouterInfo routerInfo) {
        String option = routerInfo.getOption(OPT_NAME);
        if (option == null) {
            return Result.NO_FAMILY;
        }
        Result verify = verify(routerInfo, option);
        if (this._log.shouldInfo()) {
            this._log.info("Result: " + verify + " for " + option + ' ' + routerInfo.getHash());
        }
        return verify;
    }

    public boolean verifyOurFamily(RouterInfo routerInfo) {
        if (this._pubkey == null) {
            return false;
        }
        String option = routerInfo.getOption(OPT_NAME);
        if (!this._fname.equals(option)) {
            return false;
        }
        Hash hash = routerInfo.getHash();
        if (this._ourFamily.contains(hash)) {
            return true;
        }
        if (hash.equals(this._context.routerHash())) {
            return false;
        }
        boolean z = verify(routerInfo, option) == Result.STORED_KEY;
        if (z) {
            this._ourFamily.add(hash);
            this._log.logAlways(20, "Found and verified member of our family (" + this._fname + "): " + hash);
        } else if (this._log.shouldWarn()) {
            this._log.warn("Found spoofed member of our family (" + this._fname + "): " + hash);
        }
        return z;
    }

    private Result verify(RouterInfo routerInfo, String str) {
        SigningPublicKey signingPublicKey;
        boolean z;
        byte[] decode;
        Result result;
        Hash hash = routerInfo.getHash();
        String option = routerInfo.getOption(OPT_SIG);
        if (option == null) {
            return Result.NO_SIG;
        }
        Verified verified = this._verified.get(hash);
        if (verified != null) {
            if (!verified.name.equals(str)) {
                return Result.NAME_CHANGED;
            }
            if (verified.sig.equals(option)) {
                return verified.result;
            }
            this._verified.remove(hash);
        }
        if (str.equals(this._fname)) {
            signingPublicKey = this._pubkey;
            z = true;
        } else {
            Result result2 = this._negativeCache.get(hash);
            if (result2 != null) {
                return result2;
            }
            signingPublicKey = this._knownKeys.get(str);
            z = signingPublicKey != null;
            if (!z) {
                String option2 = routerInfo.getOption(OPT_KEY);
                if (option2 != null) {
                    int indexOf = option2.indexOf(58);
                    if (indexOf < 0) {
                        indexOf = option2.indexOf(59);
                    }
                    if (indexOf > 0) {
                        try {
                            SigType byCode = SigType.getByCode(Integer.parseInt(option2.substring(0, indexOf)));
                            if (byCode != null && (decode = Base64.decode(option2.substring(indexOf + 1))) != null) {
                                signingPublicKey = new SigningPublicKey(byCode, decode);
                            }
                        } catch (ArrayIndexOutOfBoundsException e) {
                            if (this._log.shouldInfo()) {
                                this._log.info("Bad b64 family key: " + routerInfo, e);
                            }
                            this._negativeCache.put(hash, Result.BAD_KEY);
                            return Result.BAD_KEY;
                        } catch (NumberFormatException e2) {
                            if (this._log.shouldInfo()) {
                                this._log.info("Bad b64 family key: " + routerInfo, e2);
                            }
                            this._negativeCache.put(hash, Result.BAD_KEY);
                            return Result.BAD_KEY;
                        } catch (IllegalArgumentException e3) {
                            if (this._log.shouldInfo()) {
                                this._log.info("Bad b64 family key: " + routerInfo, e3);
                            }
                            this._negativeCache.put(hash, Result.BAD_KEY);
                            return Result.BAD_KEY;
                        }
                    }
                }
                if (signingPublicKey == null) {
                    this._negativeCache.put(hash, Result.NO_KEY);
                    return Result.NO_KEY;
                }
            }
        }
        if (!signingPublicKey.getType().isAvailable()) {
            this._negativeCache.put(hash, Result.UNSUPPORTED_SIG);
            return Result.UNSUPPORTED_SIG;
        }
        byte[] decode2 = Base64.decode(option);
        if (decode2 == null) {
            this._negativeCache.put(hash, Result.INVALID_SIG);
            return Result.INVALID_SIG;
        }
        try {
            Signature signature = new Signature(signingPublicKey.getType(), decode2);
            byte[] utf8 = DataHelper.getUTF8(str);
            byte[] bArr = new byte[utf8.length + 32];
            System.arraycopy(utf8, 0, bArr, 0, utf8.length);
            System.arraycopy(routerInfo.getHash().getData(), 0, bArr, utf8.length, 32);
            if (this._context.dsa().verifySignature(signature, bArr, signingPublicKey)) {
                result = z ? Result.STORED_KEY : Result.RI_KEY;
                this._verified.put(hash, new Verified(str, option, result));
            } else {
                result = Result.BAD_SIG;
                this._negativeCache.put(hash, result);
            }
            return result;
        } catch (IllegalArgumentException e4) {
            this._negativeCache.put(hash, Result.INVALID_SIG);
            return Result.INVALID_SIG;
        }
    }

    private void verifyKeyStore(File file) throws GeneralSecurityException {
        if (file.exists()) {
            if (this._context.getProperty(PROP_KEY_PASSWORD) == null) {
                String str = "Family key error, must set netdb.family.keyPassword in " + new File(this._context.getConfigDir(), "router.config").getAbsolutePath();
                this._log.error(str);
                throw new GeneralSecurityException(str);
            }
            return;
        }
        File parentFile = file.getParentFile();
        if (!parentFile.exists() && !new SecureDirectory(parentFile.getAbsolutePath()).mkdirs()) {
            String str2 = "Family key error, must set netdb.family.keyPassword in " + new File(this._context.getConfigDir(), "router.config").getAbsolutePath();
            this._log.error(str2);
            throw new GeneralSecurityException(str2);
        }
        try {
            createKeyStore(file);
        } catch (IOException e) {
            throw new GeneralSecurityException("Failed to create NetDb family keystore", e);
        }
    }

    private void createKeyStore(File file) throws GeneralSecurityException, IOException {
        String randomString = KeyStoreUtil.randomString();
        Object[] createKeysAndCRL = KeyStoreUtil.createKeysAndCRL(file, "changeit", this._fname, this._fname + CN_SUFFIX, OPT_NAME, DEFAULT_KEY_VALID_DAYS, DEFAULT_KEY_ALGORITHM, DEFAULT_KEY_SIZE, randomString);
        HashMap hashMap = new HashMap();
        hashMap.put(PROP_KEYSTORE_PASSWORD, "changeit");
        hashMap.put(PROP_KEY_PASSWORD, randomString);
        hashMap.put(PROP_FAMILY_NAME, this._fname);
        this._context.router().saveConfig(hashMap, (Collection<String>) null);
        this._log.logAlways(20, "Created new private key for netdb family \"" + this._fname + "\" in keystore: " + file.getAbsolutePath() + "\nCopy the keystore to the other routers in the family,\nand add the following entries to their router.config file:\n" + PROP_FAMILY_NAME + '=' + this._fname + '\n' + PROP_KEYSTORE_PASSWORD + "=changeit\n" + PROP_KEY_PASSWORD + '=' + randomString);
        exportCert((X509Certificate) createKeysAndCRL[2]);
        exportCRL(file.getParentFile(), (X509CRL) createKeysAndCRL[3]);
    }

    private void exportCert(X509Certificate x509Certificate) {
        SecureDirectory secureDirectory = new SecureDirectory(this._context.getConfigDir(), CERT_DIR);
        if (!secureDirectory.exists() && !secureDirectory.mkdirs()) {
            this._log.error("Error saving family key certificate");
            return;
        }
        File file = new File((File) secureDirectory, this._fname.replace("@", "_at_") + CERT_SUFFIX);
        if (CertUtil.saveCert(x509Certificate, file)) {
            this._log.logAlways(20, "Created new public key certificate for netdb family \"" + this._fname + "\" in file: " + file.getAbsolutePath() + "\nThe certificate will be associated with your router identity.\nCopy the certificate to the directory $I2P/" + CERT_DIR + " for each of the other routers in the family.\nGive this certificate to an I2P developer for inclusion in the next I2P release.");
        } else {
            this._log.error("Error saving family key certificate");
        }
    }

    private void exportCRL(File file, X509CRL x509crl) {
        SecureDirectory secureDirectory = new SecureDirectory(file, CRL_DIR);
        if (!secureDirectory.exists() && !secureDirectory.mkdirs()) {
            this._log.error("Error saving family key CRL");
            return;
        }
        File file2 = new File((File) secureDirectory, KEYSTORE_PREFIX + this._fname.replace("@", "_at_") + '-' + System.currentTimeMillis() + CRL_SUFFIX);
        if (CertUtil.saveCRL(x509crl, file2)) {
            this._log.logAlways(20, "Created certificate revocation list (CRL) for netdb family \"" + this._fname + "\" in file: " + file2.getAbsolutePath() + "\nBack up the keystore and CRL files and keep them secure.\nIf your private key is ever compromised, give the CRL to an I2P developer for publication.");
        } else {
            this._log.error("Error saving family key CRL");
        }
    }

    private void loadCerts() {
        File[] listFiles = new File(this._context.getBaseDir(), CERT_DIR).listFiles((FileFilter) new FileSuffixFilter(CERT_SUFFIX));
        if (listFiles == null) {
            return;
        }
        for (File file : listFiles) {
            String name = file.getName();
            String substring = name.substring(0, name.length() - CERT_SUFFIX.length());
            SigningPublicKey loadCert = loadCert(file);
            if (loadCert != null) {
                this._knownKeys.put(substring, loadCert);
            }
        }
        if (this._log.shouldInfo()) {
            this._log.info("Loaded " + this._knownKeys.size() + " keys");
        }
    }

    private SigningPublicKey loadCert(File file) {
        try {
            return SigUtil.fromJavaKey(CertUtil.loadKey(file));
        } catch (IOException e) {
            this._log.error("Error loading family key " + file, e);
            return null;
        } catch (GeneralSecurityException e2) {
            this._log.error("Error loading family key " + file, e2);
            return null;
        }
    }

    private SigningPrivateKey getPrivKey(File file) throws GeneralSecurityException {
        String property = this._context.getProperty(PROP_KEYSTORE_PASSWORD, "changeit");
        String property2 = this._context.getProperty(PROP_KEY_PASSWORD);
        if (property2 == null) {
            throw new GeneralSecurityException("No key password, set netdb.family.keyPassword in " + new File(this._context.getConfigDir(), "router.config").getAbsolutePath());
        }
        try {
            PrivateKey privateKey = KeyStoreUtil.getPrivateKey(file, property, this._fname, property2);
            if (privateKey == null) {
                throw new GeneralSecurityException("Family key not found: " + this._fname);
            }
            File file2 = new File(new File(this._context.getBaseDir(), CERT_DIR), this._fname.replace("@", "_at_") + CERT_SUFFIX);
            if (!file2.exists()) {
                KeyStoreUtil.exportCert(file, property, this._fname, file2);
            }
            return SigUtil.fromJavaKey(privateKey);
        } catch (IOException e) {
            throw new GeneralSecurityException("Error loading family key " + this._fname, e);
        }
    }

    public static void main(String[] strArr) {
        if (strArr.length != 2) {
            System.err.println("Usage: FamilyKeyCrypto keystore.ks familyname");
            System.exit(1);
        }
        File file = new File(strArr[0]);
        if (file.exists()) {
            System.err.println("Keystore already exists: " + file);
            System.exit(1);
        }
        String str = strArr[1];
        String str2 = str + CN_SUFFIX;
        String randomString = KeyStoreUtil.randomString();
        try {
            KeyStoreUtil.createKeysAndCRL(file, "changeit", str, str2, OPT_NAME, DEFAULT_KEY_VALID_DAYS, DEFAULT_KEY_ALGORITHM, DEFAULT_KEY_SIZE, randomString);
            System.out.println("Family keys generated and saved in " + file + "\nCopy to " + KS_DIR + '/' + KEYSTORE_PREFIX + str + KEYSTORE_SUFFIX + " in the i2p configuration directory\nFamily key configuration for router.config:\n" + PROP_FAMILY_NAME + '=' + str + '\n' + PROP_KEYSTORE_PASSWORD + "=changeit\n" + PROP_KEY_PASSWORD + '=' + randomString);
        } catch (Exception e) {
            System.err.println("Failed");
            e.printStackTrace();
            System.exit(1);
        }
    }

    static {
        DEFAULT_KEY_ALGORITHM = SigType.ECDSA_SHA256_P256.isAvailable() ? "EC" : "DSA";
        DEFAULT_KEY_SIZE = SigType.ECDSA_SHA256_P256.isAvailable() ? 256 : 1024;
    }
}
