package com.oracle.svm.hosted;

import com.oracle.svm.core.SubstrateOptions;
import com.oracle.svm.core.annotate.AutomaticFeature;
import com.oracle.svm.core.jdk.JNIRegistrationUtil;
import com.oracle.svm.core.jdk.NativeLibrarySupport;
import com.oracle.svm.core.jdk.PlatformNativeLibrarySupport;
import com.oracle.svm.core.jni.JNIRuntimeAccess;
import com.oracle.svm.core.option.HostedOptionKey;
import com.oracle.svm.core.util.VMError;
import com.oracle.svm.hosted.FeatureImpl;
import com.oracle.svm.hosted.c.NativeLibraries;
import com.oracle.svm.util.ReflectionUtil;
import java.lang.reflect.Field;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import javax.net.ssl.SSLContext;
import org.graalvm.compiler.options.Option;
import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.ImageSingletons;
import org.graalvm.nativeimage.hosted.Feature;
import org.graalvm.nativeimage.hosted.RuntimeReflection;
import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
import sun.security.jca.Providers;
import sun.security.provider.NativePRNG;
import sun.security.x509.Extension;
import sun.security.x509.OIDMap;

@AutomaticFeature
/* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature.class */
public class SecurityServicesFeature extends JNIRegistrationUtil implements Feature {
    private static final String SUN_PROVIDER = "SUN";
    private static final String SECURE_RANDOM_SERVICE = "SecureRandom";
    private static final String MESSAGE_DIGEST_SERVICE = "MessageDigest";
    private static final String SIGNATURE_SERVICE = "Signature";
    private static final String CIPHER_SERVICE = "Cipher";
    private static final String KEY_AGREEMENT_SERVICE = "KeyAgreement";
    private static final String[] emptyStringArray;
    private static final String SEP = " , ";
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature$Options.class */
    public static class Options {

        @Option(help = {"Enable the feature that provides support for security services."})
        public static final HostedOptionKey<Boolean> EnableSecurityServicesFeature = new HostedOptionKey<>(true);

        @Option(help = {"Enable trace logging for the security services feature."})
        static final HostedOptionKey<Boolean> TraceSecurityServices = new HostedOptionKey<>(false);

        Options() {
        }
    }

    public boolean isInConfiguration(Feature.IsInConfigurationAccess isInConfigurationAccess) {
        return Options.EnableSecurityServicesFeature.getValue().booleanValue();
    }

    public void duringSetup(Feature.DuringSetupAccess duringSetupAccess) {
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(NativePRNG.class, "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(NativePRNG.Blocking.class, "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(NativePRNG.NonBlocking.class, "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.provider.SeedGenerator"), "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.provider.SecureRandom$SeederHolder"), "for substitutions");
        if (JavaVersionUtil.JAVA_SPEC >= 11) {
            ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.provider.AbstractDrbg$SeederHolder"), "for substitutions");
        }
        if (JavaVersionUtil.JAVA_SPEC > 8) {
            ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.provider.FileInputStreamPool"), "for substitutions");
        }
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "java.util.UUID$Holder"), "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.jca.JCAUtil$CachedSecureRandomHolder"), "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "com.sun.crypto.provider.SunJCE$SecureRandomHolder"), "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.krb5.Confounder"), "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(SSLContext.class, "for substitutions");
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).rerunInitialization(clazz(duringSetupAccess, "sun.security.ssl.SSLContextImpl$DefaultManagersHolder"), "for reading properties at run time");
        if (SubstrateOptions.EnableAllSecurityServices.getValue().booleanValue()) {
            prepareSunEC();
        }
    }

    private static void prepareSunEC() {
        JNIRuntimeAccess.register((Class<?>[]) new Class[]{byte[].class});
    }

    private static List<Provider> getProviders(boolean z) {
        if (z) {
            return Providers.getProviderList().providers();
        }
        Provider sunProvider = Providers.getSunProvider();
        if ($assertionsDisabled || isSunProvider(sunProvider)) {
            return Collections.singletonList(sunProvider);
        }
        throw new AssertionError();
    }

    public void beforeAnalysis(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        beforeAnalysisAccess.registerReachabilityHandler((v0) -> {
            registerServicesForReflection(v0);
        }, new Object[]{method(beforeAnalysisAccess, "java.security.Provider$Service", "newInstance", Object.class)});
        beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::linkSunEC, new Object[]{method(beforeAnalysisAccess, "sun.security.ec.ECDSASignature", "signDigest", byte[].class, byte[].class, byte[].class, byte[].class, Integer.TYPE), method(beforeAnalysisAccess, "sun.security.ec.ECDSASignature", "verifySignedDigest", byte[].class, byte[].class, byte[].class, byte[].class)});
        if (isPosix()) {
            beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::linkJaas, new Object[]{method(beforeAnalysisAccess, "com.sun.security.auth.module.UnixSystem", "getUnixInfo", new Class[0])});
        }
    }

    private static void registerServicesForReflection(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        boolean booleanValue = SubstrateOptions.EnableAllSecurityServices.getValue().booleanValue();
        Function<String, Class<?>> consParamClassAccessor = getConsParamClassAccessor(beforeAnalysisAccess);
        trace("Registering security services...");
        for (Provider provider : getProviders(booleanValue)) {
            register(provider);
            for (Provider.Service service : provider.getServices()) {
                if (booleanValue || isMessageDigest(service) || isSecureRandom(service)) {
                    register(beforeAnalysisAccess, service, consParamClassAccessor);
                }
            }
        }
        if (booleanValue) {
            Class findClassByName = beforeAnalysisAccess.findClassByName("sun.security.provider.JavaKeyStore$JKS");
            registerForReflection(findClassByName);
            trace("Class registered for reflection: " + findClassByName);
            Iterator it = ((Map) ReflectionUtil.readStaticField(OIDMap.class, "nameMap")).keySet().iterator();
            while (it.hasNext()) {
                try {
                    Class cls = OIDMap.getClass((String) it.next());
                    if (!$assertionsDisabled && !Extension.class.isAssignableFrom(cls)) {
                        throw new AssertionError();
                    }
                    registerForReflection(cls);
                    trace("Class registered for reflection: " + cls);
                } catch (CertificateException e) {
                    throw VMError.shouldNotReachHere(e);
                }
            }
        }
    }

    private static void linkSunEC(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        NativeLibraries nativeLibraries = ((FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess).getNativeLibraries();
        if (nativeLibraries.getStaticLibraryPath("sunec") != null) {
            PlatformNativeLibrarySupport.singleton();
            NativeLibrarySupport.singleton().preregisterUninitializedBuiltinLibrary("sunec");
            PlatformNativeLibrarySupport.singleton().addBuiltinPkgNativePrefix("sun_security_ec");
            nativeLibraries.addLibrary("sunec", true);
            if (isPosix()) {
                nativeLibraries.addLibrary("stdc++", false);
            }
        }
    }

    private static void linkJaas(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        JNIRuntimeAccess.register(fields(duringAnalysisAccess, "com.sun.security.auth.module.UnixSystem", "username", "uid", "gid", "groups"));
        NativeLibraries nativeLibraries = ((FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess).getNativeLibraries();
        if (nativeLibraries.getStaticLibraryPath("jaas") != null) {
            NativeLibrarySupport.singleton().preregisterUninitializedBuiltinLibrary(JavaVersionUtil.JAVA_SPEC >= 11 ? "jaas" : "jaas_unix");
            PlatformNativeLibrarySupport.singleton().addBuiltinPkgNativePrefix("com_sun_security_auth_module_UnixSystem");
            nativeLibraries.addLibrary("jaas", true);
        }
    }

    private static Function<String, Class<?>> getConsParamClassAccessor(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        Map map = (Map) ReflectionUtil.readStaticField(Provider.class, "knownEngines");
        Field lookupField = ReflectionUtil.lookupField(beforeAnalysisAccess.findClassByName("java.security.Provider$EngineDescription"), "constructorParameterClassName");
        return str -> {
            String str;
            try {
                Object obj = map.get(str);
                if (obj == null || (str = (String) lookupField.get(obj)) == null) {
                    return null;
                }
                return beforeAnalysisAccess.findClassByName(str);
            } catch (IllegalAccessException e) {
                VMError.shouldNotReachHere(e);
                return null;
            }
        };
    }

    private static void register(Provider provider) {
        registerForReflection(provider.getClass());
        try {
            ReflectionUtil.lookupMethod(Class.forName("javax.crypto.JceSecurity"), "getVerificationResult", new Class[]{Provider.class}).invoke(null, provider);
        } catch (ReflectiveOperationException e) {
            throw VMError.shouldNotReachHere(e);
        }
    }

    private static void register(Feature.BeforeAnalysisAccess beforeAnalysisAccess, Provider.Service service, Function<String, Class<?>> function) {
        Class findClassByName = beforeAnalysisAccess.findClassByName(service.getClassName());
        if (findClassByName == null) {
            trace("Service registration failed: " + asString(service) + ". Cause: class not found " + service.getClassName());
            return;
        }
        registerForReflection(findClassByName);
        Class<?> apply = function.apply(service.getType());
        if (apply != null) {
            registerForReflection(apply);
            trace("Parameter class registered: " + apply);
        }
        if (isSignature(service) || isCipher(service) || isKeyAgreement(service)) {
            for (String str : getSupportedKeyClasses(service)) {
                Class findClassByName2 = beforeAnalysisAccess.findClassByName(str);
                if (findClassByName2 != null) {
                    registerForReflection(findClassByName2);
                }
            }
        }
        trace("Service registered: " + asString(service));
    }

    private static void registerForReflection(Class<?> cls) {
        RuntimeReflection.register(new Class[]{cls});
        RuntimeReflection.register(cls.getConstructors());
    }

    private static boolean isSunProvider(Provider provider) {
        return provider.getName().equals(SUN_PROVIDER);
    }

    private static boolean isSecureRandom(Provider.Service service) {
        return service.getType().equals(SECURE_RANDOM_SERVICE);
    }

    private static boolean isMessageDigest(Provider.Service service) {
        return service.getType().equals(MESSAGE_DIGEST_SERVICE);
    }

    private static boolean isSignature(Provider.Service service) {
        return service.getType().equals(SIGNATURE_SERVICE);
    }

    private static boolean isCipher(Provider.Service service) {
        return service.getType().equals(CIPHER_SERVICE);
    }

    private static boolean isKeyAgreement(Provider.Service service) {
        return service.getType().equals(KEY_AGREEMENT_SERVICE);
    }

    private static String[] getSupportedKeyClasses(Provider.Service service) {
        if (!$assertionsDisabled && !isSignature(service) && !isCipher(service) && !isKeyAgreement(service)) {
            throw new AssertionError();
        }
        String attribute = service.getAttribute("SupportedKeyClasses");
        return attribute != null ? attribute.split("\\|") : emptyStringArray;
    }

    private static String asString(Provider.Service service) {
        String str = ((("Provider = " + service.getProvider().getName() + SEP) + "Type = " + service.getType() + SEP) + "Algorithm = " + service.getAlgorithm() + SEP) + "Class = " + service.getClassName();
        if (isSignature(service) || isCipher(service) || isKeyAgreement(service)) {
            str = str + " , SupportedKeyClasses = " + Arrays.toString(getSupportedKeyClasses(service));
        }
        return str;
    }

    private static void trace(String str) {
        if (Options.TraceSecurityServices.getValue().booleanValue()) {
            System.out.println(str);
        }
    }

    static {
        $assertionsDisabled = !SecurityServicesFeature.class.desiredAssertionStatus();
        emptyStringArray = new String[0];
    }
}
