package com.oracle.svm.hosted;

import com.oracle.graal.pointsto.meta.AnalysisMethod;
import com.oracle.graal.pointsto.reports.ReportUtils;
import com.oracle.svm.core.SubstrateOptions;
import com.oracle.svm.core.SubstrateUtil;
import com.oracle.svm.core.TypeResult;
import com.oracle.svm.core.feature.AutomaticallyRegisteredFeature;
import com.oracle.svm.core.feature.InternalFeature;
import com.oracle.svm.core.fieldvaluetransformer.FieldValueTransformerWithAvailability;
import com.oracle.svm.core.jdk.JNIRegistrationUtil;
import com.oracle.svm.core.jdk.NativeLibrarySupport;
import com.oracle.svm.core.jdk.PlatformNativeLibrarySupport;
import com.oracle.svm.core.option.HostedOptionKey;
import com.oracle.svm.core.option.LocatableMultiOptionValue;
import com.oracle.svm.core.util.UserError;
import com.oracle.svm.core.util.VMError;
import com.oracle.svm.hosted.FeatureImpl;
import com.oracle.svm.hosted.c.NativeLibraries;
import com.oracle.svm.util.ModuleSupport;
import com.oracle.svm.util.ReflectionUtil;
import com.oracle.truffle.js.runtime.util.TRegexUtil;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.ref.WeakReference;
import java.lang.reflect.Executable;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.AlgorithmParameterGenerator;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Policy;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiConsumer;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import jdk.graal.compiler.debug.Assertions;
import jdk.graal.compiler.serviceprovider.JavaVersionUtil;
import org.graalvm.nativeimage.ImageSingletons;
import org.graalvm.nativeimage.hosted.Feature;
import org.graalvm.nativeimage.hosted.RuntimeJNIAccess;
import org.graalvm.nativeimage.hosted.RuntimeReflection;
import org.graalvm.nativeimage.impl.RuntimeClassInitializationSupport;
import org.graalvm.shadowed.com.ibm.icu.impl.number.Padder;
import sun.security.jca.ProviderList;
import sun.security.provider.NativePRNG;
import sun.security.x509.Extension;
import sun.security.x509.OIDMap;

@AutomaticallyRegisteredFeature
/* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature.class */
public class SecurityServicesFeature extends JNIRegistrationUtil implements InternalFeature {
    private static final String SECURE_RANDOM_SERVICE = "SecureRandom";
    private static final String SIGNATURE_SERVICE = "Signature";
    private static final String CIPHER_SERVICE = "Cipher";
    private static final String KEY_AGREEMENT_SERVICE = "KeyAgreement";
    private static final String KEY_STORE = "KeyStore";
    private static final String CERTIFICATE_FACTORY = "CertificateFactory";
    private static final String JKS = "JKS";
    private static final String X509 = "X.509";
    private static final String[] emptyStringArray;
    private static final List<Class<?>> knownServices;
    private static final boolean isMscapiModulePresent;
    private ImageClassLoader loader;
    private Function<String, Class<?>> ctrParamClassAccessor;
    private Method getSpiClassMethod;
    private Map<String, Set<Provider.Service>> availableServices;
    private Field verificationResultsField;
    private Field providerListField;
    private Field oidTableField;
    private Field oidMapField;
    private Field classCacheField;
    private Field constructorCacheField;
    private ConcurrentHashMap<WeakReference<Provider>, Object> cachedVerificationCache;
    private ProviderList cachedProviders;
    private Class<?> jceSecurityClass;
    private Class<?> classSaslClient;
    private Class<?> classSaslServer;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final Set<Provider> usedProviders = ConcurrentHashMap.newKeySet();
    private final Set<String> manuallyMarkedUsedProviderClassNames = new HashSet();
    ConcurrentHashMap<String, Boolean> processedServiceClasses = new ConcurrentHashMap<>();

    /* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature$Options.class */
    public static class Options {
        public static final HostedOptionKey<Boolean> EnableSecurityServicesFeature = new HostedOptionKey<>(true);
        public static final HostedOptionKey<Boolean> TraceSecurityServices = new HostedOptionKey<>(false);
        public static final HostedOptionKey<LocatableMultiOptionValue.Strings> AdditionalSecurityServiceTypes = new HostedOptionKey<>(LocatableMultiOptionValue.Strings.build());
        public static final HostedOptionKey<LocatableMultiOptionValue.Strings> AdditionalSecurityProviders = new HostedOptionKey<>(LocatableMultiOptionValue.Strings.build());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature$SecurityServicesPrinter.class */
    public static class SecurityServicesPrinter {
        private static final int INDENT = 4;
        private static final boolean enabled = Options.TraceSecurityServices.getValue().booleanValue();
        private static final SecurityServicesPrinter instance;
        private final PrintWriter writer;
        private int indent = 0;

        SecurityServicesPrinter() {
            File reportFile = reportFile(SubstrateOptions.reportsPath());
            System.out.println("# Printing security services automatic registration to: " + String.valueOf(reportFile));
            try {
                this.writer = new PrintWriter(new FileWriter(reportFile));
            } catch (IOException e) {
                throw VMError.shouldNotReachHere(e);
            }
        }

        static void trace(Function<String, String> function) {
            if (enabled) {
                instance.writer.print(function.apply(instance.indent > 0 ? String.format("%" + instance.indent + "s", Padder.FALLBACK_PADDING_STRING) : ""));
            }
        }

        static void indent() {
            if (enabled) {
                instance.indent += 4;
            }
        }

        static void dedent() {
            if (enabled) {
                instance.indent -= 4;
            }
        }

        static void endTracing() {
            if (enabled) {
                instance.writer.close();
            }
        }

        private static File reportFile(String str) {
            return ReportUtils.reportFile(str, "security_services", "txt");
        }

        static {
            instance = enabled ? new SecurityServicesPrinter() : null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/oracle/svm/hosted/SecurityServicesFeature$TracingAutoCloseable.class */
    public static abstract class TracingAutoCloseable implements AutoCloseable {
        TracingAutoCloseable() {
        }

        @Override // java.lang.AutoCloseable
        public abstract void close();
    }

    @Override // org.graalvm.nativeimage.hosted.Feature
    public void afterRegistration(Feature.AfterRegistrationAccess afterRegistrationAccess) {
        ModuleSupport.accessPackagesToClass(ModuleSupport.Access.OPEN, getClass(), false, "java.base", "sun.security.x509");
        ModuleSupport.accessModuleByClass(ModuleSupport.Access.OPEN, getClass(), Security.class);
        ((RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class)).initializeAtBuildTime("javax.security.auth.kerberos.KeyTab", "Force initialization of sun.security.krb5.KerberosSecrets.javaxSecurityAuthKerberosAccess");
    }

    @Override // org.graalvm.nativeimage.hosted.Feature
    public void duringSetup(Feature.DuringSetupAccess duringSetupAccess) {
        FeatureImpl.DuringSetupAccessImpl duringSetupAccessImpl = (FeatureImpl.DuringSetupAccessImpl) duringSetupAccess;
        addManuallyConfiguredUsedProviders(duringSetupAccess);
        this.verificationResultsField = duringSetupAccessImpl.findField("javax.crypto.JceSecurity", "verificationResults");
        this.providerListField = duringSetupAccessImpl.findField("sun.security.jca.Providers", "providerList");
        this.oidTableField = duringSetupAccessImpl.findField("sun.security.util.ObjectIdentifier", "oidTable");
        this.oidMapField = duringSetupAccessImpl.findField(OIDMap.class, "oidMap");
        this.classCacheField = duringSetupAccessImpl.findField(Provider.Service.class, "classCache");
        this.constructorCacheField = duringSetupAccessImpl.findField(Provider.Service.class, "constructorCache");
        RuntimeClassInitializationSupport runtimeClassInitializationSupport = (RuntimeClassInitializationSupport) ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
        runtimeClassInitializationSupport.initializeAtRunTime(NativePRNG.class, "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(NativePRNG.Blocking.class, "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(NativePRNG.NonBlocking.class, "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.provider.SeedGenerator"), "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.provider.SecureRandom$SeederHolder"), "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.provider.AbstractDrbg$SeederHolder"), "for substitutions");
        if (isMscapiModulePresent) {
            runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.mscapi.PRNG"), "for substitutions");
        }
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.provider.FileInputStreamPool"), "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "java.util.UUID$Holder"), "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.jca.JCAUtil$CachedSecureRandomHolder"), "for substitutions");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "com.sun.crypto.provider.SunJCE$SecureRandomHolder"), "for substitutions");
        optionalClazz(duringSetupAccessImpl, "sun.security.krb5.Confounder").ifPresent(cls -> {
            runtimeClassInitializationSupport.initializeAtRunTime((Class<?>) cls, "for substitutions");
        });
        optionalClazz(duringSetupAccessImpl, "sun.security.krb5.Config").ifPresent(cls2 -> {
            runtimeClassInitializationSupport.initializeAtRunTime((Class<?>) cls2, "Reset the value of lazily initialized field sun.security.krb5.Config#singleton");
        });
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.jca.JCAUtil"), "JCAUtil.def holds a SecureRandom.");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.ssl.SSLContextImpl$DefaultManagersHolder"), "for reading properties at run time");
        runtimeClassInitializationSupport.initializeAtRunTime(clazz(duringSetupAccessImpl, "sun.security.ssl.SSLLogger"), "for reading properties at run time");
    }

    @Override // org.graalvm.nativeimage.hosted.Feature
    public void beforeAnalysis(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        FeatureImpl.BeforeAnalysisAccessImpl beforeAnalysisAccessImpl = (FeatureImpl.BeforeAnalysisAccessImpl) beforeAnalysisAccess;
        this.loader = beforeAnalysisAccessImpl.getImageClassLoader();
        this.jceSecurityClass = this.loader.findClassOrFail("javax.crypto.JceSecurity");
        beforeAnalysisAccessImpl.ensureInitialized("java.security.cert.TrustAnchor");
        beforeAnalysisAccessImpl.ensureInitialized("javax.crypto.spec.SecretKeySpec");
        beforeAnalysisAccessImpl.ensureInitialized("javax.crypto.SealedObject");
        beforeAnalysisAccessImpl.ensureInitialized("java.security.Signature");
        beforeAnalysisAccessImpl.ensureInitialized("sun.security.util.AnchorCertificates");
        if (Options.EnableSecurityServicesFeature.getValue().booleanValue()) {
            registerServiceReachabilityHandlers(beforeAnalysisAccessImpl);
        }
        if (isPosix()) {
            optionalMethod(beforeAnalysisAccessImpl, "com.sun.security.auth.module.UnixSystem", "getUnixInfo", new Class[0]).ifPresent(method -> {
                beforeAnalysisAccessImpl.registerReachabilityHandler(SecurityServicesFeature::linkJaas, method);
                PlatformNativeLibrarySupport.singleton().addBuiltinPkgNativePrefix("com_sun_security_auth_module_UnixSystem");
            });
        }
        if (isMscapiModulePresent) {
            beforeAnalysisAccessImpl.registerReachabilityHandler((v0) -> {
                registerSunMSCAPIConfig(v0);
            }, clazz(beforeAnalysisAccessImpl, "sun.security.mscapi.SunMSCAPI"));
            PlatformNativeLibrarySupport.singleton().addBuiltinPkgNativePrefix("sun_security_mscapi");
        }
        beforeAnalysisAccessImpl.registerFieldValueTransformer(this.providerListField, new FieldValueTransformerWithAvailability() { // from class: com.oracle.svm.hosted.SecurityServicesFeature.1
            static final /* synthetic */ boolean $assertionsDisabled;

            @Override // com.oracle.svm.core.fieldvaluetransformer.FieldValueTransformerWithAvailability
            public FieldValueTransformerWithAvailability.ValueAvailability valueAvailability() {
                return FieldValueTransformerWithAvailability.ValueAvailability.AfterAnalysis;
            }

            @Override // org.graalvm.nativeimage.hosted.FieldValueTransformer
            public Object transform(Object obj, Object obj2) {
                if (SecurityServicesFeature.this.cachedProviders != null) {
                    if (SubstrateUtil.assertionsEnabled()) {
                        List<Provider> filterProviderList = SecurityServicesFeature.this.filterProviderList(obj2);
                        if (!$assertionsDisabled && !SecurityServicesFeature.this.cachedProviders.providers().equals(filterProviderList)) {
                            throw new AssertionError(Assertions.errorMessage(SecurityServicesFeature.this.cachedProviders.providers(), filterProviderList));
                        }
                    }
                    if (Options.TraceSecurityServices.getValue().booleanValue()) {
                        SecurityServicesFeature.traceRemovedProviders(((ProviderList) obj2).providers().stream().filter(provider -> {
                            return SecurityServicesFeature.this.shouldRemoveProvider(provider);
                        }).toList());
                    }
                }
                return SecurityServicesFeature.this.cachedProviders;
            }

            static {
                $assertionsDisabled = !SecurityServicesFeature.class.desiredAssertionStatus();
            }
        });
        beforeAnalysisAccessImpl.registerFieldValueTransformer(this.verificationResultsField, new FieldValueTransformerWithAvailability() { // from class: com.oracle.svm.hosted.SecurityServicesFeature.2
            static final /* synthetic */ boolean $assertionsDisabled;

            @Override // com.oracle.svm.core.fieldvaluetransformer.FieldValueTransformerWithAvailability
            public FieldValueTransformerWithAvailability.ValueAvailability valueAvailability() {
                return FieldValueTransformerWithAvailability.ValueAvailability.AfterAnalysis;
            }

            @Override // org.graalvm.nativeimage.hosted.FieldValueTransformer
            public Object transform(Object obj, Object obj2) {
                if (SecurityServicesFeature.this.cachedVerificationCache != null && SubstrateUtil.assertionsEnabled()) {
                    ConcurrentHashMap<WeakReference<Provider>, Object> filterVerificationCache = SecurityServicesFeature.this.filterVerificationCache(obj2);
                    if (!$assertionsDisabled && !SecurityServicesFeature.this.cachedVerificationCache.equals(filterVerificationCache)) {
                        throw new AssertionError(Assertions.errorMessage(SecurityServicesFeature.this.cachedVerificationCache, filterVerificationCache));
                    }
                }
                return SecurityServicesFeature.this.cachedVerificationCache;
            }

            static {
                $assertionsDisabled = !SecurityServicesFeature.class.desiredAssertionStatus();
            }
        });
    }

    private ConcurrentHashMap<WeakReference<Provider>, Object> filterVerificationCache(Object obj) {
        ConcurrentHashMap<WeakReference<Provider>, Object> concurrentHashMap = new ConcurrentHashMap<>((ConcurrentHashMap) obj);
        concurrentHashMap.keySet().removeIf(weakReference -> {
            return shouldRemoveProvider((Provider) weakReference.get());
        });
        return concurrentHashMap;
    }

    private List<Provider> filterProviderList(Object obj) {
        return ((ProviderList) obj).providers().stream().filter(provider -> {
            return !shouldRemoveProvider(provider);
        }).toList();
    }

    private void addManuallyConfiguredUsedProviders(Feature.DuringSetupAccess duringSetupAccess) {
        Iterator<String> it = Options.AdditionalSecurityProviders.getValue().values().iterator();
        while (it.hasNext()) {
            for (String str : it.next().split(",")) {
                UserError.guarantee(duringSetupAccess.findClassByName(str) != null, "Manually marked security provider class doesn't exist: %s. Make sure that the class name is correct and that the class is on the image builder classpath.", str);
                trace("Marked provider %s as used", str);
                this.manuallyMarkedUsedProviderClassNames.add(str);
            }
        }
    }

    public boolean shouldRemoveProvider(Provider provider) {
        if (provider == null) {
            return true;
        }
        return (this.usedProviders.contains(provider) || this.manuallyMarkedUsedProviderClassNames.contains(provider.getClass().getName())) ? false : true;
    }

    private static void traceRemovedProviders(List<Provider> list) {
        if (list == null || list.isEmpty()) {
            trace("No security providers have been removed.", new Object[0]);
            return;
        }
        trace("The following security providers were deemed to be unused and removed:", new Object[0]);
        SecurityServicesPrinter.indent();
        trace("ProviderName - ProviderClass", new Object[0]);
        for (Provider provider : list) {
            trace("%s - %s", provider.getName(), provider.getClass().getName());
        }
        SecurityServicesPrinter.dedent();
    }

    private static void registerSunMSCAPIConfig(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        NativeLibraries nativeLibraries = ((FeatureImpl.DuringAnalysisAccessImpl) beforeAnalysisAccess).getNativeLibraries();
        NativeLibrarySupport.singleton().preregisterUninitializedBuiltinLibrary("sunmscapi");
        nativeLibraries.addStaticJniLibrary("sunmscapi", new String[0]);
        nativeLibraries.addDynamicNonJniLibrary("ncrypt");
        nativeLibraries.addDynamicNonJniLibrary("crypt32");
        registerForThrowNew(beforeAnalysisAccess, "java.security.cert.CertificateParsingException", "java.security.InvalidKeyException", "java.security.KeyException", "java.security.KeyStoreException", "java.security.ProviderException", "java.security.SignatureException", "java.lang.OutOfMemoryError");
        if (isMscapiModulePresent) {
            beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::registerLoadKeysOrCertificateChains, optionalMethod(beforeAnalysisAccess, "sun.security.mscapi.CKeyStore", "loadKeysOrCertificateChains", String.class, Integer.TYPE).orElseGet(() -> {
                return method(beforeAnalysisAccess, "sun.security.mscapi.CKeyStore", "loadKeysOrCertificateChains", String.class);
            }));
            beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::registerGenerateCKeyPair, method(beforeAnalysisAccess, "sun.security.mscapi.CKeyPairGenerator$RSA", "generateCKeyPair", String.class, Integer.TYPE, String.class));
            beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::registerCPrivateKeyOf, method(beforeAnalysisAccess, "sun.security.mscapi.CKeyStore", "storePrivateKey", String.class, byte[].class, String.class, Integer.TYPE));
            beforeAnalysisAccess.registerReachabilityHandler(SecurityServicesFeature::registerCPublicKeyOf, method(beforeAnalysisAccess, "sun.security.mscapi.CSignature", "importECPublicKey", String.class, byte[].class, Integer.TYPE), method(beforeAnalysisAccess, "sun.security.mscapi.CSignature", "importPublicKey", String.class, byte[].class, Integer.TYPE));
        }
    }

    private static void registerLoadKeysOrCertificateChains(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        RuntimeJNIAccess.register(constructor(duringAnalysisAccess, "java.util.ArrayList", new Class[0]));
        RuntimeJNIAccess.register(method(duringAnalysisAccess, "sun.security.mscapi.CKeyStore", "generateCertificate", byte[].class, Collection.class));
        RuntimeJNIAccess.register(method(duringAnalysisAccess, "sun.security.mscapi.CKeyStore", "generateCertificateChain", String.class, Collection.class));
        RuntimeJNIAccess.register(method(duringAnalysisAccess, "sun.security.mscapi.CKeyStore", "generateKeyAndCertificateChain", Boolean.TYPE, String.class, Long.TYPE, Long.TYPE, Integer.TYPE, Collection.class));
    }

    private static void registerGenerateCKeyPair(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        RuntimeJNIAccess.register(constructor(duringAnalysisAccess, "sun.security.mscapi.CKeyPair", String.class, Long.TYPE, Long.TYPE, Integer.TYPE));
    }

    private static void registerCPrivateKeyOf(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        RuntimeJNIAccess.register(method(duringAnalysisAccess, "sun.security.mscapi.CPrivateKey", "of", String.class, Long.TYPE, Long.TYPE, Integer.TYPE));
    }

    private static void registerCPublicKeyOf(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        RuntimeJNIAccess.register(method(duringAnalysisAccess, "sun.security.mscapi.CPublicKey", "of", String.class, Long.TYPE, Long.TYPE, Integer.TYPE));
    }

    private static void linkJaas(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        RuntimeJNIAccess.register(fields(duringAnalysisAccess, "com.sun.security.auth.module.UnixSystem", "username", "uid", "gid", TRegexUtil.Props.CompiledRegex.GROUPS));
        NativeLibraries nativeLibraries = ((FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess).getNativeLibraries();
        NativeLibrarySupport.singleton().preregisterUninitializedBuiltinLibrary("jaas");
        nativeLibraries.addStaticJniLibrary("jaas", new String[0]);
    }

    private static Set<Class<?>> computeKnownServices(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        HashSet hashSet = new HashSet(knownServices);
        Iterator<String> it = Options.AdditionalSecurityServiceTypes.getValue().values().iterator();
        while (it.hasNext()) {
            for (String str : it.next().split(",")) {
                Class<?> findClassByName = beforeAnalysisAccess.findClassByName(str);
                UserError.guarantee(findClassByName != null, "Unable to find additional security service class %s", str);
                hashSet.add(findClassByName);
            }
        }
        return hashSet;
    }

    private void registerSASLReachabilityHandlers(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        try {
            TypeResult<Class<?>> findClass = this.loader.findClass("javax.security.sasl.Sasl");
            if (!findClass.isPresent()) {
                trace("Failed to enable automatic SASL provider registration: %s", "javax.security.sasl.Sasl");
                return;
            }
            Class<?> orFail = findClass.getOrFail();
            this.classSaslClient = ReflectionUtil.lookupClass(false, "javax.security.sasl.SaslClient");
            this.classSaslServer = ReflectionUtil.lookupClass(false, "javax.security.sasl.SaslServer");
            Method lookupMethod = ReflectionUtil.lookupMethod(orFail, "createSaslClient", String[].class, String.class, String.class, String.class, Map.class, CallbackHandler.class);
            beforeAnalysisAccess.registerReachabilityHandler(duringAnalysisAccess -> {
                registerServices(duringAnalysisAccess, lookupMethod, this.classSaslClient);
            }, lookupMethod);
            Method lookupMethod2 = ReflectionUtil.lookupMethod(orFail, "createSaslServer", String.class, String.class, String.class, Map.class, CallbackHandler.class);
            beforeAnalysisAccess.registerReachabilityHandler(duringAnalysisAccess2 -> {
                registerServices(duringAnalysisAccess2, lookupMethod2, this.classSaslServer);
            }, lookupMethod2);
        } catch (ReflectionUtil.ReflectionUtilError e) {
            trace("Failed to enable automatic SASL provider registration: %s", e);
        }
    }

    private void registerServiceReachabilityHandlers(Feature.BeforeAnalysisAccess beforeAnalysisAccess) {
        this.ctrParamClassAccessor = getConstructorParameterClassAccessor(this.loader);
        this.getSpiClassMethod = getSpiClassMethod();
        this.availableServices = computeAvailableServices();
        for (Class<?> cls : computeKnownServices(beforeAnalysisAccess)) {
            BiConsumer<Feature.DuringAnalysisAccess, Executable> biConsumer = (duringAnalysisAccess, executable) -> {
                registerServices(duringAnalysisAccess, executable, (Class<?>) cls);
            };
            for (Method method : cls.getMethods()) {
                if (method.getName().equals("getInstance")) {
                    checkGetInstanceMethod(method);
                    beforeAnalysisAccess.registerMethodOverrideReachabilityHandler(biConsumer, method);
                }
            }
        }
        if (ModuleLayer.boot().findModule("java.security.sasl").isPresent()) {
            registerSASLReachabilityHandlers(beforeAnalysisAccess);
        }
        optionalMethod(beforeAnalysisAccess, "java.security.Provider", "getDefaultSecureRandomService", new Class[0]).ifPresent(method2 -> {
            beforeAnalysisAccess.registerMethodOverrideReachabilityHandler((duringAnalysisAccess2, executable2) -> {
                registerServices(duringAnalysisAccess2, executable2, SECURE_RANDOM_SERVICE);
            }, method2);
        });
    }

    private void registerServices(Feature.DuringAnalysisAccess duringAnalysisAccess, Object obj, Class<?> cls) {
        String serviceType = getServiceType(cls);
        if (cls.getPackage().getName().equals("java.security")) {
            registerSpiClass(this.getSpiClassMethod, serviceType);
        }
        registerServices(duringAnalysisAccess, obj, serviceType);
    }

    private String getServiceType(Class<?> cls) {
        Objects.requireNonNull(cls);
        return (cls == this.classSaslClient || cls == this.classSaslServer) ? cls.getSimpleName() + "Factory" : cls.getSimpleName();
    }

    private void registerServices(Feature.DuringAnalysisAccess duringAnalysisAccess, Object obj, String str) {
        this.processedServiceClasses.computeIfAbsent(str, str2 -> {
            doRegisterServices(duringAnalysisAccess, obj, str);
            return true;
        });
    }

    private void doRegisterServices(Feature.DuringAnalysisAccess duringAnalysisAccess, Object obj, String str) {
        TracingAutoCloseable trace = trace(duringAnalysisAccess, obj, str);
        try {
            Iterator<Provider.Service> it = this.availableServices.get(str).iterator();
            while (it.hasNext()) {
                registerService(duringAnalysisAccess, it.next());
            }
            if (trace != null) {
                trace.close();
            }
        } catch (Throwable th) {
            if (trace != null) {
                try {
                    trace.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void checkGetInstanceMethod(Method method) {
        VMError.guarantee(Modifier.isPublic(method.getModifiers()));
        VMError.guarantee(Modifier.isStatic(method.getModifiers()));
        VMError.guarantee(method.getReturnType().equals(method.getDeclaringClass()));
    }

    private static Map<String, Set<Provider.Service>> computeAvailableServices() {
        HashMap hashMap = new HashMap();
        for (Provider provider : Security.getProviders()) {
            for (Provider.Service service : provider.getServices()) {
                if (isValid(service)) {
                    ((Set) hashMap.computeIfAbsent(service.getType(), str -> {
                        return new HashSet();
                    })).add(service);
                }
            }
        }
        return hashMap;
    }

    private static boolean isValid(Provider.Service service) {
        return (service.getType() == null || service.getAlgorithm() == null || service.getClassName() == null) ? false : true;
    }

    private static Function<String, Class<?>> getConstructorParameterClassAccessor(ImageClassLoader imageClassLoader) {
        Map map = (Map) ReflectionUtil.readStaticField(Provider.class, "knownEngines");
        Field lookupField = ReflectionUtil.lookupField(imageClassLoader.findClassOrFail("java.security.Provider$EngineDescription"), JavaVersionUtil.JAVA_SPEC >= 23 ? "constructorParameterClass" : "constructorParameterClassName");
        return str -> {
            try {
                Object obj = map.get(str);
                if (obj == null) {
                    return null;
                }
                if (JavaVersionUtil.JAVA_SPEC >= 23) {
                    return (Class) lookupField.get(obj);
                }
                String str = (String) lookupField.get(obj);
                if (str != null) {
                    return imageClassLoader.findClass(str).get();
                }
                return null;
            } catch (IllegalAccessException e) {
                VMError.shouldNotReachHere(e);
                return null;
            }
        };
    }

    private static Method getSpiClassMethod() {
        try {
            Method declaredMethod = Security.class.getDeclaredMethod("getSpiClass", String.class);
            declaredMethod.setAccessible(true);
            return declaredMethod;
        } catch (NoSuchMethodException e) {
            throw VMError.shouldNotReachHere(e);
        }
    }

    private static void registerSpiClass(Method method, String str) {
        try {
            RuntimeReflection.register((Class<?>[]) new Class[]{(Class) method.invoke(null, str)});
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw VMError.shouldNotReachHere(e);
        }
    }

    private void registerProvider(Provider provider) {
        if (this.usedProviders.add(provider)) {
            registerForReflection(provider.getClass());
            provider.entrySet();
            try {
                ReflectionUtil.lookupMethod(this.jceSecurityClass, "getVerificationResult", Provider.class).invoke(null, provider);
            } catch (ReflectiveOperationException e) {
                throw VMError.shouldNotReachHere(e);
            }
        }
    }

    private void registerService(Feature.DuringAnalysisAccess duringAnalysisAccess, Provider.Service service) {
        TypeResult<Class<?>> findClass = this.loader.findClass(service.getClassName());
        if (!findClass.isPresent()) {
            trace("Cannot register service %s. Reason: %s.", asString(service), findClass.getException());
            return;
        }
        TracingAutoCloseable trace = trace(service);
        try {
            registerForReflection(findClass.get());
            Class<?> apply = this.ctrParamClassAccessor.apply(service.getType());
            if (apply != null) {
                registerForReflection(apply);
                trace("Registered service constructor parameter class: %s", apply.getName());
            }
            if (isSignature(service) || isCipher(service) || isKeyAgreement(service)) {
                for (String str : getSupportedKeyClasses(service)) {
                    this.loader.findClass(str).ifPresent(SecurityServicesFeature::registerForReflection);
                }
            }
            if (isKeyStore(service) && service.getAlgorithm().equals("JKS")) {
                registerJks(this.loader);
            }
            if (isCertificateFactory(service) && service.getAlgorithm().equals(X509)) {
                registerX509Extensions(duringAnalysisAccess);
            }
            registerProvider(service.getProvider());
            if (trace != null) {
                trace.close();
            }
        } catch (Throwable th) {
            if (trace != null) {
                try {
                    trace.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void registerJks(ImageClassLoader imageClassLoader) {
        Class<?> findClassOrFail = imageClassLoader.findClassOrFail("sun.security.provider.JavaKeyStore$JKS");
        registerForReflection(findClassOrFail);
        trace("Registered KeyStore.JKS implementation class: %s", findClassOrFail.getName());
    }

    private void registerX509Extensions(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        FeatureImpl.DuringAnalysisAccessImpl duringAnalysisAccessImpl = (FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess;
        Iterator it = ((Map) ReflectionUtil.readStaticField(OIDMap.class, "nameMap")).keySet().iterator();
        while (it.hasNext()) {
            try {
                Class cls = OIDMap.getClass((String) it.next());
                if (!$assertionsDisabled && !Extension.class.isAssignableFrom(cls)) {
                    throw new AssertionError();
                }
                registerForReflection(cls);
                trace("Registered X.509 extension class: %s", cls.getName());
            } catch (CertificateException e) {
                throw VMError.shouldNotReachHere(e);
            }
        }
        duringAnalysisAccessImpl.rescanRoot(this.oidMapField);
    }

    @Override // org.graalvm.nativeimage.hosted.Feature
    public void duringAnalysis(Feature.DuringAnalysisAccess duringAnalysisAccess) {
        FeatureImpl.DuringAnalysisAccessImpl duringAnalysisAccessImpl = (FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess;
        maybeScanVerificationResultsField(duringAnalysisAccessImpl);
        maybeScanProvidersField(duringAnalysisAccessImpl);
        duringAnalysisAccessImpl.rescanRoot(this.oidTableField);
        if (this.cachedProviders != null) {
            Iterator it = this.cachedProviders.providers().iterator();
            while (it.hasNext()) {
                for (Provider.Service service : ((Provider) it.next()).getServices()) {
                    duringAnalysisAccessImpl.rescanField(service, this.classCacheField);
                    duringAnalysisAccessImpl.rescanField(service, this.constructorCacheField);
                }
            }
        }
    }

    private void maybeScanVerificationResultsField(FeatureImpl.DuringAnalysisAccessImpl duringAnalysisAccessImpl) {
        if (duringAnalysisAccessImpl.getMetaAccess().lookupJavaField(this.verificationResultsField).isRead()) {
            try {
                ConcurrentHashMap<WeakReference<Provider>, Object> filterVerificationCache = filterVerificationCache(this.verificationResultsField.get(null));
                if (this.cachedVerificationCache == null || !this.cachedVerificationCache.equals(filterVerificationCache)) {
                    this.cachedVerificationCache = filterVerificationCache;
                    duringAnalysisAccessImpl.rescanObject(this.cachedVerificationCache);
                }
            } catch (IllegalAccessException e) {
                throw VMError.shouldNotReachHere("Cannot access field: " + this.verificationResultsField.getName(), e);
            }
        }
    }

    private void maybeScanProvidersField(FeatureImpl.DuringAnalysisAccessImpl duringAnalysisAccessImpl) {
        if (duringAnalysisAccessImpl.getMetaAccess().lookupJavaField(this.providerListField).isRead()) {
            try {
                List<Provider> filterProviderList = filterProviderList(this.providerListField.get(null));
                if (this.cachedProviders == null || !this.cachedProviders.providers().equals(filterProviderList)) {
                    this.cachedProviders = ProviderList.newList((Provider[]) filterProviderList.toArray(new Provider[0]));
                    duringAnalysisAccessImpl.rescanObject(this.cachedProviders);
                }
            } catch (IllegalAccessException e) {
                throw VMError.shouldNotReachHere("Cannot access field: " + this.providerListField.getName(), e);
            }
        }
    }

    @Override // org.graalvm.nativeimage.hosted.Feature
    public void afterHeapLayout(Feature.AfterHeapLayoutAccess afterHeapLayoutAccess) {
        SecurityServicesPrinter.endTracing();
    }

    private static void registerForReflection(Class<?> cls) {
        RuntimeReflection.register((Class<?>[]) new Class[]{cls});
        RuntimeReflection.register(cls.getConstructors());
    }

    private static boolean isSignature(Provider.Service service) {
        return service.getType().equals(SIGNATURE_SERVICE);
    }

    private static boolean isCipher(Provider.Service service) {
        return service.getType().equals(CIPHER_SERVICE);
    }

    private static boolean isKeyAgreement(Provider.Service service) {
        return service.getType().equals(KEY_AGREEMENT_SERVICE);
    }

    private static boolean isKeyStore(Provider.Service service) {
        return service.getType().equals(KEY_STORE);
    }

    private static boolean isCertificateFactory(Provider.Service service) {
        return service.getType().equals(CERTIFICATE_FACTORY);
    }

    private static String[] getSupportedKeyClasses(Provider.Service service) {
        if (!$assertionsDisabled && !isSignature(service) && !isCipher(service) && !isKeyAgreement(service)) {
            throw new AssertionError();
        }
        String attribute = service.getAttribute("SupportedKeyClasses");
        return attribute != null ? attribute.split("\\|") : emptyStringArray;
    }

    private static void trace(String str, Object... objArr) {
        SecurityServicesPrinter.trace(str2 -> {
            return str2 + String.format(str + "%n", objArr);
        });
    }

    private static TracingAutoCloseable trace(final Provider.Service service) {
        return new TracingAutoCloseable() { // from class: com.oracle.svm.hosted.SecurityServicesFeature.3
            {
                Provider.Service service2 = service;
                SecurityServicesPrinter.trace(str -> {
                    return String.format("%s%s%n", str, SecurityServicesFeature.asString(service2));
                });
                SecurityServicesPrinter.indent();
            }

            @Override // com.oracle.svm.hosted.SecurityServicesFeature.TracingAutoCloseable, java.lang.AutoCloseable
            public void close() {
                SecurityServicesPrinter.dedent();
            }
        };
    }

    private static TracingAutoCloseable trace(final Feature.DuringAnalysisAccess duringAnalysisAccess, final Object obj, final String str) {
        return new TracingAutoCloseable() { // from class: com.oracle.svm.hosted.SecurityServicesFeature.4
            {
                SecurityServicesPrinter.indent();
                Object obj2 = obj;
                Feature.DuringAnalysisAccess duringAnalysisAccess2 = duringAnalysisAccess;
                String str2 = str;
                SecurityServicesPrinter.trace(str3 -> {
                    AnalysisMethod lookupJavaMethod = ((FeatureImpl.DuringAnalysisAccessImpl) duringAnalysisAccess2).getMetaAccess().lookupJavaMethod((Executable) obj2);
                    return (String.format("Service factory method %s is reachable.%n", lookupJavaMethod.asStackTraceElement(0)) + String.format("%sAnalysis parsing context: %s", str3, ReportUtils.parsingContext(lookupJavaMethod, str3 + "    "))) + String.format("%sReachability of %s service type API triggers registration of following services:%n", str3, str2);
                });
                SecurityServicesPrinter.indent();
            }

            @Override // com.oracle.svm.hosted.SecurityServicesFeature.TracingAutoCloseable, java.lang.AutoCloseable
            public void close() {
                SecurityServicesPrinter.dedent();
                SecurityServicesPrinter.dedent();
                SecurityServicesFeature.trace("", new Object[0]);
            }
        };
    }

    private static String asString(Provider.Service service) {
        String str = ((("" + "Type: " + service.getType() + ", ") + "Provider: " + service.getProvider().getName() + ", ") + "Algorithm: " + service.getAlgorithm() + ", ") + "Class: " + service.getClassName();
        if (isSignature(service) || isCipher(service) || isKeyAgreement(service)) {
            str = str + ", SupportedKeyClasses: " + Arrays.toString(getSupportedKeyClasses(service));
        }
        return str;
    }

    static {
        $assertionsDisabled = !SecurityServicesFeature.class.desiredAssertionStatus();
        emptyStringArray = new String[0];
        ArrayList arrayList = new ArrayList(List.of((Object[]) new Class[]{AlgorithmParameterGenerator.class, AlgorithmParameters.class, CertPathBuilder.class, CertPathValidator.class, CertStore.class, CertificateFactory.class, Cipher.class, Configuration.class, KeyAgreement.class, KeyFactory.class, KeyGenerator.class, KeyManagerFactory.class, KeyPairGenerator.class, KeyStore.class, Mac.class, MessageDigest.class, Policy.class, SSLContext.class, SecretKeyFactory.class, SecureRandom.class, Signature.class, TrustManagerFactory.class}));
        if (ModuleLayer.boot().findModule("java.security.sasl").isPresent()) {
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.security.sasl.SaslClientFactory"));
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.security.sasl.SaslServerFactory"));
        }
        if (ModuleLayer.boot().findModule("java.xml.crypto").isPresent()) {
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.xml.crypto.dsig.TransformService"));
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.xml.crypto.dsig.XMLSignatureFactory"));
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.xml.crypto.dsig.keyinfo.KeyInfoFactory"));
        }
        if (ModuleLayer.boot().findModule("java.smartcardio").isPresent()) {
            arrayList.add(ReflectionUtil.lookupClass(false, "javax.smartcardio.TerminalFactory"));
        }
        isMscapiModulePresent = ModuleLayer.boot().findModule("jdk.crypto.mscapi").isPresent();
        knownServices = Collections.unmodifiableList(arrayList);
    }
}
