package eu.emi.security.authn.x509.helpers;

import eu.emi.security.authn.x509.StoreUpdateListener;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x500.X500Name;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/CertificateHelpers.class */
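/**
 * Static helpers for reading X.509 certificates, ordering certificate lists into chains and
 * cross-checking that a private key belongs to a public key.
 *
 * <p>None of these methods makes a trust decision: no signature on a certificate is verified,
 * no validity period or revocation status is consulted. Output of {@link #sortChain(List)} and
 * {@link #toCertPath(X509Certificate[])} still has to go through a real path validator before
 * it is relied upon.
 */
public class CertificateHelpers {
    /** Fixed, non-secret probe message that {@link #checkKeysViaSignature} signs and verifies. */
    private static final byte[] TEST = {1, 2, 3, 4, 100};

    /** Kinds of PEM payload that {@link #getPEMType(String)} can report. */
    public enum PEMContentsType {
        /** Label is exactly {@code PRIVATE KEY} or {@code ENCRYPTED PRIVATE KEY}. */
        PRIVATE_KEY,
        /** Any other label that contains {@code PRIVATE KEY}. */
        LEGACY_OPENSSL_PRIVATE_KEY,
        /** Label mentions {@code CERTIFICATE} but not {@code REQUEST}. */
        CERTIFICATE,
        /** Label mentions both {@code CERTIFICATE} and {@code REQUEST}. */
        CSR,
        /** Label contains the {@code StoreUpdateListener.CRL} marker. */
        CRL,
        /** None of the above matched. */
        UNKNOWN
    }

    /**
     * Classifies a PEM label by substring matching.
     *
     * <p>The match is purely textual, so the result says what the label claims, not what the
     * encoded body really contains; the body must still be parsed and checked by the caller.
     *
     * @param str the label text to classify (presumably the text between {@code BEGIN} and the
     *     trailing dashes of a PEM header line; confirm against the caller); must not be null
     * @return the detected type, or {@link PEMContentsType#UNKNOWN} when nothing matches
     */
    public static PEMContentsType getPEMType(String str) {
        boolean mentionsCertificate = str.contains("CERTIFICATE");
        boolean mentionsRequest = str.contains("REQUEST");
        if (mentionsCertificate && !mentionsRequest) {
            return PEMContentsType.CERTIFICATE;
        }
        if (str.equals("PRIVATE KEY") || str.equals("ENCRYPTED PRIVATE KEY")) {
            return PEMContentsType.PRIVATE_KEY;
        }
        if (str.contains("PRIVATE KEY")) {
            return PEMContentsType.LEGACY_OPENSSL_PRIVATE_KEY;
        }
        if (mentionsRequest && mentionsCertificate) {
            return PEMContentsType.CSR;
        }
        // NOTE(review): the constant is presumably the string "CRL" inlined back by a decompiler;
        // confirm its value in StoreUpdateListener.
        if (str.contains(StoreUpdateListener.CRL)) {
            return PEMContentsType.CRL;
        }
        return PEMContentsType.UNKNOWN;
    }

    /**
     * Reads every certificate the BouncyCastle X.509 factory can find in the stream.
     *
     * <p>The stream is closed before this method returns or throws. The certificates are only
     * decoded; nothing about them is verified.
     *
     * @param inputStream source of the encoded certificates; always closed by this method
     * @return the decoded certificates
     * @throws IOException if the data cannot be parsed as X.509 certificates or closing fails
     */
    public static Collection<? extends Certificate> readDERCertificates(InputStream inputStream) throws IOException {
        try {
            return getFactory().generateCertificates(inputStream);
        } catch (CertificateException e) {
            throw new IOException("Can not parse the input data as a certificate", e);
        } catch (ClassCastException e) {
            throw new IOException("Can not parse the input as it contains a certificate but it is not an X.509 certificate.", e);
        } finally {
            // Single close on every path, replacing the duplicated close calls.
            inputStream.close();
        }
    }

    /**
     * Reads one certificate from the stream using the BouncyCastle X.509 factory.
     *
     * <p>The stream is closed before this method returns or throws. The certificate is only
     * decoded; nothing about it is verified.
     *
     * @param inputStream source of the encoded certificate; always closed by this method
     * @return the decoded certificate
     * @throws IOException if the data cannot be parsed as an X.509 certificate or closing fails
     */
    public static Certificate readDERCertificate(InputStream inputStream) throws IOException {
        try {
            return getFactory().generateCertificate(inputStream);
        } catch (CertificateException e) {
            throw new IOException("Can not parse the input data as a certificate", e);
        } catch (ClassCastException e) {
            throw new IOException("Can not parse the input as it contains a certificate but it is not an X.509 certificate.", e);
        } finally {
            inputStream.close();
        }
    }

    /**
     * Obtains an X.509 {@link CertificateFactory} from the provider registered as {@code "BC"}.
     *
     * @return a new factory instance
     * @throws RuntimeException if the provider is not registered or offers no X.509 factory
     */
    private static CertificateFactory getFactory() {
        try {
            return CertificateFactory.getInstance("X.509", "BC");
        } catch (NoSuchProviderException e) {
            throw new RuntimeException("Can not initialize CertificateFactory, no BouncyCastle provider, it is a BUG!", e);
        } catch (CertificateException e2) {
            throw new RuntimeException("Can not initialize CertificateFactory, your JDK installation is misconfigured!", e2);
        }
    }

    /**
     * Orders certificates into a chain that starts at the leaf-most certificate reachable from
     * the first list element and ends at the top-most issuer found in the list.
     *
     * <p>Linking is done by comparing subject and issuer names only. No signature is verified,
     * so a certificate that merely carries the right names is accepted into the chain; the
     * result is an ordering, not a validated path.
     *
     * <p>Certificates that cannot be linked to the first element without leaving a dangling
     * issuer entry (for example a second certificate with an already seen subject, or an
     * unrelated self-signed certificate) are left out. The returned array is sized to the
     * certificates actually placed, so it never contains {@code null} padding.
     *
     * @param list certificates in arbitrary order; must not be null
     * @return the ordered chain, empty when {@code list} is empty
     * @throws IOException if a non-self-signed certificate remains that belongs to another chain
     */
    public static X509Certificate[] sortChain(List<X509Certificate> list) throws IOException {
        if (list.isEmpty()) {
            return new X509Certificate[0];
        }
        HashMap<X500Principal, X509Certificate> bySubject = new HashMap<X500Principal, X509Certificate>();
        HashMap<X500Principal, X509Certificate> byIssuer = new HashMap<X500Principal, X509Certificate>();
        for (X509Certificate cert : list) {
            X500Principal subject = cert.getSubjectX500Principal();
            X500Principal issuer = cert.getIssuerX500Principal();
            bySubject.put(subject, cert);
            // Self-signed certificates are kept out of the issuer index so they cannot be
            // picked up as their own child.
            if (!issuer.equals(subject)) {
                byIssuer.put(issuer, cert);
            }
        }

        LinkedList<X509Certificate> ordered = new LinkedList<X509Certificate>();
        X509Certificate current = bySubject.remove(list.get(0).getSubjectX500Principal());
        if (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            byIssuer.remove(current.getIssuerX500Principal());
        }
        ordered.add(current);

        // Walk upwards: append each issuer until none is present in the input.
        X509Certificate parent;
        while ((parent = bySubject.remove(current.getIssuerX500Principal())) != null) {
            byIssuer.remove(parent.getIssuerX500Principal());
            ordered.add(parent);
            current = parent;
        }

        // Walk downwards: prepend each certificate issued by the current head.
        current = ordered.getFirst();
        X509Certificate child;
        while ((child = byIssuer.remove(current.getSubjectX500Principal())) != null) {
            ordered.addFirst(child);
            current = child;
        }

        if (!byIssuer.isEmpty()) {
            throw new IOException("The keystore is inconsistent as it contains certificates from different chains");
        }
        // Sized by the sorted list: sizing by the input left trailing nulls whenever an input
        // certificate was not placed in the chain.
        return ordered.toArray(new X509Certificate[ordered.size()]);
    }

    /**
     * Wraps an already ordered certificate array in a {@link CertPath}.
     *
     * <p>This method calls no validator; the returned path is unverified.
     *
     * @param x509CertificateArr certificates in path order
     * @return the certificate path
     * @throws CertificateException if the factory rejects the certificate list
     * @throws RuntimeException if no X.509 {@link CertificateFactory} is available at all
     */
    public static CertPath toCertPath(X509Certificate[] x509CertificateArr) throws CertificateException {
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new RuntimeException("No provider supporting X.509 CertificateFactory. JDK is misconfigured?", e);
        }
        // Outside the try block so that a rejected certificate list surfaces as the declared
        // CertificateException rather than being reported as a missing provider.
        return factory.generateCertPath(Arrays.asList(x509CertificateArr));
    }

    /**
     * Converts a JDK principal to a BouncyCastle {@link X500Name} that uses
     * {@code JavaAndBCStyle}.
     *
     * @param x500Principal the principal to convert; must not be null
     * @return the name built from the principal's encoded form
     */
    public static X500Name toX500Name(X500Principal x500Principal) {
        X500Name decoded = X500Name.getInstance(x500Principal.getEncoded());
        return new X500Name(new JavaAndBCStyle(), decoded);
    }

    /**
     * Returns the content of a certificate extension.
     *
     * @param x509Certificate certificate to read from
     * @param str identifier of the extension, passed to
     *     {@link X509Certificate#getExtensionValue(String)}
     * @return the octets of the parsed extension value, or {@code null} when the certificate
     *     has no such extension
     * @throws IOException if the extension value cannot be parsed
     */
    public static byte[] getExtensionBytes(X509Certificate x509Certificate, String str) throws IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(str);
        if (extensionValue == null) {
            return null;
        }
        // NOTE(review): getOctets() is normally declared on ASN1OctetString, not on
        // ASN1Primitive. This listing looks decompiled, so a cast was probably lost here;
        // confirm against the original source before building.
        return ASN1Primitive.fromByteArray(extensionValue).getOctets();
    }

    /**
     * Verifies that a private key and a public key form a pair.
     *
     * <p>RSA keys that expose their modulus are compared by modulus; every other supported
     * algorithm, and RSA keys that do not expose the RSA interfaces, are checked by signing
     * {@link #TEST} with the private key and verifying with the public key. SHA-1 appears in
     * the signature names only for this self-consistency probe over fixed data.
     *
     * <p>Algorithms other than DSA, RSA, GOST3410, ECGOST3410, ECDSA and EC are <b>not</b>
     * checked: the method returns normally for them as long as both keys report the same
     * algorithm name. A normal return is therefore proof of a match only for the listed
     * algorithms.
     *
     * @param privateKey the private half
     * @param publicKey the public half
     * @throws InvalidKeyException if the algorithms differ, the keys do not match, or a key is
     *     rejected by the signature engine
     */
    public static void checkKeysMatching(PrivateKey privateKey, PublicKey publicKey) throws InvalidKeyException {
        String algorithm = publicKey.getAlgorithm();
        if (!privateKey.getAlgorithm().equals(algorithm)) {
            throw new InvalidKeyException("Private and public keys are not matching: different algorithms");
        }
        if (algorithm.equals("DSA")) {
            if (!checkKeysViaSignature("SHA1withDSA", privateKey, publicKey)) {
                throw new InvalidKeyException("Private and public keys are not matching: DSA");
            }
        } else if (algorithm.equals("RSA")) {
            boolean matching;
            if (publicKey instanceof RSAPublicKey && privateKey instanceof RSAPrivateKey) {
                matching = ((RSAPublicKey) publicKey).getModulus().equals(((RSAPrivateKey) privateKey).getModulus());
            } else {
                // Keys that do not implement the RSA interfaces used to fail with a
                // ClassCastException; probe them the same way as the other algorithms.
                matching = checkKeysViaSignature("SHA1withRSA", privateKey, publicKey);
            }
            if (!matching) {
                throw new InvalidKeyException("Private and public keys are not matching: RSA parameters");
            }
        } else if (algorithm.equals("GOST3410")) {
            if (!checkKeysViaSignature("GOST3411withGOST3410", privateKey, publicKey)) {
                throw new InvalidKeyException("Private and public keys are not matching: GOST 34.10");
            }
        } else if (algorithm.equals("ECGOST3410")) {
            if (!checkKeysViaSignature("GOST3411withECGOST3410", privateKey, publicKey)) {
                throw new InvalidKeyException("Private and public keys are not matching: EC GOST 34.10");
            }
        } else if (algorithm.equals("ECDSA") || algorithm.equals("EC")) {
            // The JDK's own elliptic-curve keys report "EC"; without this alternative such
            // pairs skipped the check entirely and were accepted unverified.
            if (!checkKeysViaSignature("SHA1withECDSA", privateKey, publicKey)) {
                throw new InvalidKeyException("Private and public keys are not matching: EC DSA");
            }
        }
    }

    /**
     * Signs {@link #TEST} with the private key and verifies the result with the public key.
     *
     * @param str signature algorithm name passed to {@link Signature#getInstance(String)}
     * @param privateKey key used for signing
     * @param publicKey key used for verification
     * @return {@code true} when the signature verifies, i.e. the keys belong together
     * @throws InvalidKeyException if either key is rejected by the signature engine
     * @throws RuntimeException if the algorithm is unavailable or signing/verifying fails
     */
    private static boolean checkKeysViaSignature(String str, PrivateKey privateKey, PublicKey publicKey) throws InvalidKeyException {
        try {
            Signature signer = Signature.getInstance(str);
            signer.initSign(privateKey);
            signer.update(TEST);
            byte[] probeSignature = signer.sign();

            Signature verifier = Signature.getInstance(str);
            verifier.initVerify(publicKey);
            verifier.update(TEST);
            return verifier.verify(probeSignature);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Bug: BC provider not available in checkKeysMatching()", e);
        } catch (SignatureException e2) {
            throw new RuntimeException("Bug: can't sign/verify test data", e2);
        }
    }
}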
