package eu.emi.security.authn.x509.impl;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.CachedPEMReader;
import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import eu.emi.security.authn.x509.helpers.CharArrayPasswordFinder;
import eu.emi.security.authn.x509.helpers.FlexiblePEMReader;
import eu.emi.security.authn.x509.helpers.KeyStoreHelper;
import eu.emi.security.authn.x509.helpers.PKCS8DERReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.crypto.BadPaddingException;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PasswordFinder;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemObjectGenerator;
import org.bouncycastle.util.io.pem.PemWriter;

/* loaded from: input_file:eu/emi/security/authn/x509/impl/CertificateUtils.class */
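public class CertificateUtils {
    /** Alias under which {@link #loadPEMKeystore} stores the single key entry it builds. */
    public static final String DEFAULT_KEYSTORE_ALIAS = "default";
    /** Charset used for every PEM stream this class reads or writes. */
    public static final Charset ASCII = StandardCharsets.US_ASCII;

    /** Serialization format accepted by the load and save methods. */
    /* loaded from: input_file:eu/emi/security/authn/x509/impl/CertificateUtils$Encoding.class */
    public enum Encoding {
        PEM,
        DER
    }

    static {
        // Every decryptor/encryptor below is built with the "BC" provider, so it has to be
        // registered before any public method of this class can run.
        configureSecProvider();
    }

    /**
     * Registers the Bouncy Castle provider under the name "BC" unless a provider with that
     * name is already installed. Safe to call repeatedly.
     */
    public static void configureSecProvider() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Narrows a generic certificate array to X.509 certificates by casting each element.
     *
     * @param certificateArr certificates to convert; every element must be an {@link X509Certificate}
     * @return a new array holding the same certificates, in the same order
     * @throws ClassCastException if any element is not an X.509 certificate
     */
    public static X509Certificate[] convertToX509Chain(Certificate[] certificateArr) throws ClassCastException {
        X509Certificate[] chain = new X509Certificate[certificateArr.length];
        for (int i = 0; i < certificateArr.length; i++) {
            chain[i] = (X509Certificate) certificateArr[i];
        }
        return chain;
    }

    /**
     * Renders a single certificate as text using {@link X509Formatter}.
     *
     * @param x509Certificate certificate to format
     * @param formatMode      level of detail to produce
     * @return the formatted text
     */
    public static String format(X509Certificate x509Certificate, FormatMode formatMode) {
        return new X509Formatter(formatMode).format(x509Certificate);
    }

    /**
     * Renders a certificate chain as text using {@link X509Formatter}.
     *
     * @param x509CertificateArr chain to format
     * @param formatMode         level of detail to produce
     * @return the formatted text
     */
    public static String format(X509Certificate[] x509CertificateArr, FormatMode formatMode) {
        return new X509Formatter(formatMode).format(x509CertificateArr);
    }

    /**
     * Reads one X.509 certificate from the stream.
     * <p>
     * For {@link Encoding#PEM} only the first PEM object is consumed and it must be a
     * certificate; anything following it in the stream is ignored. The stream is closed
     * after a PEM read. For {@link Encoding#DER} the stream is handed directly to
     * {@link CertificateHelpers#readDERCertificate}.
     *
     * @param inputStream source of the certificate
     * @param encoding    how the certificate is serialized
     * @return the parsed certificate
     * @throws IOException if the stream is empty, holds a PEM object of another type, is
     *                     malformed, or decodes to a non-X.509 certificate
     */
    public static X509Certificate loadCertificate(InputStream inputStream, Encoding encoding) throws IOException {
        InputStream derInput = inputStream;
        if (encoding.equals(Encoding.PEM)) {
            try (FlexiblePEMReader pemReader = new FlexiblePEMReader(new InputStreamReader(inputStream, ASCII))) {
                PemObject pem = pemReader.readPemObject();
                if (pem == null) {
                    throw new IOException("PEM data not found in the stream and its end was reached");
                }
                CertificateHelpers.PEMContentsType pemType = CertificateHelpers.getPEMType(pem.getType());
                if (!pemType.equals(CertificateHelpers.PEMContentsType.CERTIFICATE)) {
                    throw new IOException("Expected PEM encoded certificate but found: " + pemType);
                }
                // The PEM body is already the DER encoding; no intermediate buffer is needed.
                derInput = new ByteArrayInputStream(pem.getContent());
            }
        }
        Certificate parsed = CertificateHelpers.readDERCertificate(derInput);
        if (parsed instanceof X509Certificate) {
            return (X509Certificate) parsed;
        }
        throw new IOException("The DER input contains a certificate which is not a X.509Certificate, it is " + parsed.getClass().getName());
    }

    /**
     * Loads a private key from the stream, decrypting it with {@code cArr} when it is encrypted.
     *
     * @param inputStream source of the key
     * @param encoding    PEM or DER (PKCS#8)
     * @param cArr        password for an encrypted key, or {@code null} for an unencrypted one
     * @return the private key
     * @throws IOException if the key cannot be parsed or decrypted
     */
    public static PrivateKey loadPrivateKey(InputStream inputStream, Encoding encoding, char[] cArr) throws IOException {
        if (encoding.equals(Encoding.PEM)) {
            return loadPEMPrivateKey(inputStream, getPF(cArr));
        }
        return loadDERPrivateKey(inputStream, cArr);
    }

    /**
     * Loads a PEM encoded private key (PKCS#8, encrypted PKCS#8, or legacy OpenSSL key pair).
     * The stream is closed when this method returns.
     *
     * @param inputStream    source of the key
     * @param passwordFinder supplies the password for an encrypted key; may be {@code null}
     *                       only if the key is not encrypted
     * @return the private key
     * @throws IOException if the key cannot be parsed or decrypted
     */
    public static PrivateKey loadPEMPrivateKey(InputStream inputStream, PasswordFinder passwordFinder) throws IOException {
        FlexiblePEMReader pemReader = new FlexiblePEMReader(new InputStreamReader(inputStream, ASCII));
        try {
            return internalLoadPK(pemReader, "PEM", passwordFinder);
        } finally {
            pemReader.close();
        }
    }

    /**
     * Converts an already-read PEM object into a private key.
     *
     * @param pemObject      PEM object holding the key
     * @param passwordFinder supplies the password for an encrypted key; may be {@code null}
     * @return the private key
     * @throws IOException if the object is not a private key or cannot be decrypted
     */
    private static PrivateKey parsePEMPrivateKey(PemObject pemObject, PasswordFinder passwordFinder) throws IOException {
        return internalLoadPK(new CachedPEMReader(pemObject), "PEM", passwordFinder);
    }

    /**
     * Reads the first object from the parser and converts it to a private key, rewrapping any
     * failure in an {@link IOException} that names the input format. The parser is not closed
     * here; callers own it.
     *
     * @param pEMParser      parser positioned at the key
     * @param str            format name used in error messages ("PEM" or "DER")
     * @param passwordFinder supplies the password for an encrypted key; may be {@code null}
     * @return the private key
     * @throws IOException if the input is empty, not a key, or cannot be decrypted
     */
    private static PrivateKey internalLoadPK(PEMParser pEMParser, String str, PasswordFinder passwordFinder) throws IOException {
        try {
            Object parsed = pEMParser.readObject();
            if (parsed == null) {
                throw new IOException("Can not load the " + str + " private key: no input data (empty source?)");
            }
            return convertToPrivateKey(parsed, str, passwordFinder);
        } catch (IOException e) {
            if (isBadPassword(e)) {
                throw new IOException("Can not load " + str + " private key: the password is incorrect or the " + str + " data is corrupted.", e);
            }
            // Keep the original cause attached so the real parse failure is not lost.
            throw new IOException("Can not load the " + str + " private key: " + e, e);
        }
    }

    /**
     * Tells whether a parse failure was caused by a decryption padding error, which is how a
     * wrong password typically surfaces.
     */
    private static boolean isBadPassword(IOException e) {
        return e.getCause() instanceof BadPaddingException;
    }

    /**
     * Resolves a parsed PEM/DER object to a {@link PrivateKeyInfo} and converts it to a JCA key.
     *
     * @param obj            object returned by the parser
     * @param str            format name used in error messages
     * @param passwordFinder supplies the password for an encrypted key; may be {@code null}
     * @return the private key
     * @throws IOException if the object is not a key, decryption fails (wrong password or
     *                     corrupt data), or the decryption provider cannot be built
     */
    private static PrivateKey convertToPrivateKey(Object obj, String str, PasswordFinder passwordFinder) throws IOException {
        try {
            return new JcaPEMKeyConverter().getPrivateKey(resolvePK(str, obj, passwordFinder));
        } catch (PKCSException e) {
            throw new IOException("Error decrypting private key: the password is incorrect or the " + str + " data is corrupted.", e);
        } catch (OperatorCreationException e) {
            throw new IOException("Can't initialize decryption infrastructure", e);
        }
    }

    /**
     * Extracts the {@link PrivateKeyInfo} from any of the key object types the parser can
     * return, decrypting encrypted PKCS#8 and legacy OpenSSL key pairs with the password
     * obtained from {@code passwordFinder}.
     *
     * @throws IOException if the object is not a private key, or it is encrypted and no
     *                     password finder was supplied
     */
    private static PrivateKeyInfo resolvePK(String str, Object obj, PasswordFinder passwordFinder) throws IOException, OperatorCreationException, PKCSException {
        if (obj instanceof PrivateKeyInfo) {
            return (PrivateKeyInfo) obj;
        }
        if (obj instanceof PEMKeyPair) {
            return ((PEMKeyPair) obj).getPrivateKeyInfo();
        }
        if (obj instanceof PKCS8EncryptedPrivateKeyInfo) {
            char[] password = requirePassword(passwordFinder, str);
            return ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder().build(password));
        }
        if (obj instanceof PEMEncryptedKeyPair) {
            char[] password = requirePassword(passwordFinder, str);
            return ((PEMEncryptedKeyPair) obj).decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(password)).getPrivateKeyInfo();
        }
        throw new IOException("The " + str + " input does not contain a private key, it was parsed as " + obj.getClass().getName());
    }

    /**
     * Returns the password for an encrypted key, failing with a descriptive error instead of
     * a NullPointerException when no finder was supplied.
     */
    private static char[] requirePassword(PasswordFinder passwordFinder, String str) throws IOException {
        if (passwordFinder == null) {
            throw new IOException("The " + str + " private key is encrypted but no password was provided");
        }
        return passwordFinder.getPassword();
    }

    /**
     * Loads a DER encoded PKCS#8 private key. The reader (and thus the stream) is closed on
     * every exit path.
     *
     * @param inputStream source of the key
     * @param cArr        password for an encrypted key, or {@code null}; its presence tells the
     *                    reader whether to expect encrypted PKCS#8
     * @return the private key
     * @throws IOException if the input is empty, malformed, or cannot be decrypted
     */
    private static PrivateKey loadDERPrivateKey(InputStream inputStream, char[] cArr) throws IOException {
        PKCS8DERReader derReader = new PKCS8DERReader(inputStream, cArr != null);
        try {
            Object parsed = derReader.readObject();
            if (parsed == null) {
                throw new IOException("Can not load the DER private key: no input data (empty source?)");
            }
            return convertToPrivateKey(parsed, "DER", getPF(cArr));
        } catch (IOException e) {
            if (isBadPassword(e)) {
                throw new IOException("Can not load DER private key: the password is incorrect or the DER data is corrupted.", e);
            }
            throw new IOException("Can not load the DER private key: ", e);
        } finally {
            derReader.close();
        }
    }

    /**
     * Reads a certificate chain from the stream and returns it sorted by
     * {@link CertificateHelpers#sortChain}.
     * <p>
     * For {@link Encoding#PEM} every PEM object in the stream must be a certificate; the
     * stream is closed after reading. For {@link Encoding#DER} the concatenated DER
     * certificates are read straight from the stream.
     *
     * @param inputStream source of the chain
     * @param encoding    how the certificates are serialized
     * @return the sorted chain
     * @throws IOException if no certificate is found, a non-certificate PEM object is
     *                     encountered, or the data is malformed
     */
    public static X509Certificate[] loadCertificateChain(InputStream inputStream, Encoding encoding) throws IOException {
        InputStream derInput = inputStream;
        if (encoding.equals(Encoding.PEM)) {
            ByteArrayOutputStream derBytes = new ByteArrayOutputStream(4096);
            boolean anyFound = false;
            try (FlexiblePEMReader pemReader = new FlexiblePEMReader(new InputStreamReader(inputStream, ASCII))) {
                PemObject pem;
                while ((pem = pemReader.readPemObject()) != null) {
                    CertificateHelpers.PEMContentsType pemType = CertificateHelpers.getPEMType(pem.getType());
                    if (!pemType.equals(CertificateHelpers.PEMContentsType.CERTIFICATE)) {
                        throw new IOException("Expected PEM encoded certificate but found: " + pemType);
                    }
                    derBytes.write(pem.getContent());
                    anyFound = true;
                }
            }
            if (!anyFound) {
                throw new IOException("PEM data not found in the stream and its end was reached");
            }
            derInput = new ByteArrayInputStream(derBytes.toByteArray());
        }
        List<X509Certificate> chain = new ArrayList<>();
        Collections.addAll(chain, loadDERCertificateChain(derInput));
        return CertificateHelpers.sortChain(chain);
    }

    /**
     * Reads all DER certificates from the stream and checks that each is X.509.
     *
     * @param inputStream concatenated DER certificates
     * @return the certificates in the order they were read
     * @throws IOException if the data is malformed or any certificate is not X.509
     */
    private static X509Certificate[] loadDERCertificateChain(InputStream inputStream) throws IOException {
        Collection<? extends Certificate> parsed = CertificateHelpers.readDERCertificates(inputStream);
        X509Certificate[] chain = new X509Certificate[parsed.size()];
        int i = 0;
        for (Certificate cert : parsed) {
            if (!(cert instanceof X509Certificate)) {
                throw new IOException("The DER input contains a certificate which is not a X.509Certificate, it is " + cert.getClass().getName());
            }
            chain[i++] = (X509Certificate) cert;
        }
        return chain;
    }

    /**
     * Loads a PEM "keystore" (one private key plus its certificate chain in a single stream)
     * into an in-memory JKS keystore.
     *
     * @param inputStream PEM objects: exactly one private key and one or more certificates
     * @param cArr        password of the private key in the input, or {@code null}
     * @param cArr2       password used to protect the key entry in the returned keystore
     * @return keystore with a single entry under {@link #DEFAULT_KEYSTORE_ALIAS}
     * @throws IOException if the input is malformed or the keystore cannot be built
     */
    public static KeyStore loadPEMKeystore(InputStream inputStream, char[] cArr, char[] cArr2) throws IOException {
        return loadPEMKeystore(inputStream, getPF(cArr), cArr2);
    }

    /**
     * Loads a PEM "keystore" (one private key plus its certificate chain in a single stream)
     * into an in-memory JKS keystore. The stream is closed when this method returns.
     *
     * @param inputStream    PEM objects: exactly one private key (PKCS#8 or legacy OpenSSL)
     *                       and one or more certificates, in any order
     * @param passwordFinder supplies the password of the private key; may be {@code null}
     *                       only if the key is not encrypted
     * @param cArr           password used to protect the key entry in the returned keystore
     * @return keystore with a single entry under {@link #DEFAULT_KEYSTORE_ALIAS}, whose chain
     *         is sorted by {@link CertificateHelpers#sortChain}
     * @throws IOException if no or more than one private key is present, an unsupported PEM
     *                     object is encountered, or the keystore cannot be set up
     */
    public static KeyStore loadPEMKeystore(InputStream inputStream, PasswordFinder passwordFinder, char[] cArr) throws IOException {
        PrivateKey privateKey = null;
        List<X509Certificate> certs = new ArrayList<>();
        try (FlexiblePEMReader pemReader = new FlexiblePEMReader(new InputStreamReader(inputStream, ASCII))) {
            PemObject pem;
            while ((pem = pemReader.readPemObject()) != null) {
                CertificateHelpers.PEMContentsType pemType = CertificateHelpers.getPEMType(pem.getType());
                if (pemType.equals(CertificateHelpers.PEMContentsType.PRIVATE_KEY)
                        || pemType.equals(CertificateHelpers.PEMContentsType.LEGACY_OPENSSL_PRIVATE_KEY)) {
                    if (privateKey != null) {
                        throw new IOException("Multiple private keys were found");
                    }
                    privateKey = parsePEMPrivateKey(pem, passwordFinder);
                } else if (pemType.equals(CertificateHelpers.PEMContentsType.CERTIFICATE)) {
                    Collections.addAll(certs, loadDERCertificateChain(new ByteArrayInputStream(pem.getContent())));
                } else {
                    throw new IOException("Unsupported PEM object found in the input: " + pemType);
                }
            }
        }
        if (privateKey == null) {
            throw new IOException("Private key was not found in the PEM keystore (" + certs.size() + " certificate(s) was (were) found).");
        }
        X509Certificate[] chain = CertificateHelpers.sortChain(certs);
        try {
            KeyStore keyStore = KeyStoreHelper.getInstanceForCredential("JKS");
            keyStore.load(null, null);
            keyStore.setKeyEntry(DEFAULT_KEYSTORE_ALIAS, privateKey, cArr, chain);
            return keyStore;
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IOException("Can't setup the JKS keystore", e);
        }
    }

    /**
     * Writes one certificate to the stream. The stream is flushed but not closed, so several
     * objects can be written to it in sequence (see {@link #saveCertificateChain}).
     *
     * @param outputStream    destination
     * @param x509Certificate certificate to write
     * @param encoding        PEM or DER
     * @throws IOException if writing fails or the certificate cannot be DER encoded
     */
    public static void saveCertificate(OutputStream outputStream, X509Certificate x509Certificate, Encoding encoding) throws IOException {
        if (encoding.equals(Encoding.PEM)) {
            // Deliberately not closed: closing the PEM writer would close the caller's stream.
            JcaPEMWriter pemWriter = new JcaPEMWriter(new OutputStreamWriter(outputStream, ASCII));
            pemWriter.writeObject(x509Certificate);
            pemWriter.flush();
            return;
        }
        try {
            outputStream.write(x509Certificate.getEncoded());
            outputStream.flush();
        } catch (CertificateEncodingException e) {
            throw new IOException("Can't encode the certificate into ASN.1 DER format", e);
        }
    }

    /**
     * Writes a private key in PKCS#8 form, encrypting it when an algorithm is given.
     * Equivalent to {@link #savePrivateKey(OutputStream, PrivateKey, Encoding, String, char[], boolean)}
     * with {@code legacy = false}.
     *
     * @param outputStream destination; flushed but not closed
     * @param privateKey   key to write
     * @param encoding     PEM or DER
     * @param str          PKCS#8 encryption algorithm as an OID string, or {@code null} to
     *                     write the key unencrypted
     * @param cArr         encryption password; required when {@code str} is not {@code null}
     * @throws IOException              if writing fails
     * @throws IllegalArgumentException if the encryption parameters are invalid
     */
    public static void savePrivateKey(OutputStream outputStream, PrivateKey privateKey, Encoding encoding, String str, char[] cArr) throws IOException, IllegalArgumentException {
        savePrivateKey(outputStream, privateKey, encoding, str, cArr, false);
    }

    /**
     * Writes a private key, optionally encrypted, in PKCS#8 or legacy OpenSSL form.
     * <p>
     * When {@code str} is {@code null} the key is written in the clear: for DER that is the
     * key's own {@link PrivateKey#getEncoded()} output. When {@code str} is given and
     * {@code z} is {@code false}, {@code str} is parsed as the OID of a PKCS#8 encryption
     * scheme; when {@code z} is {@code true}, {@code str} is handed to the legacy OpenSSL PEM
     * encryptor as a cipher name and a fresh {@link SecureRandom} supplies the IV.
     *
     * @param outputStream destination; flushed but not closed
     * @param privateKey   key to write
     * @param encoding     PEM or DER
     * @param str          encryption algorithm (OID for PKCS#8, cipher name for legacy), or
     *                     {@code null} for an unencrypted key
     * @param cArr         encryption password; required when {@code str} is not {@code null}
     * @param z            {@code true} for the legacy OpenSSL key format, {@code false} for PKCS#8
     * @throws IOException              if writing fails
     * @throws IllegalArgumentException if the encryption modules cannot be set up, typically
     *                                  because {@code str} is not a valid algorithm
     */
    public static void savePrivateKey(OutputStream outputStream, PrivateKey privateKey, Encoding encoding, String str, char[] cArr, boolean z) throws IOException, IllegalArgumentException {
        PemObjectGenerator generator = createPrivateKeyGenerator(privateKey, str, cArr, z);
        if (encoding.equals(Encoding.PEM)) {
            // Deliberately not closed: closing the PEM writer would close the caller's stream.
            PemWriter pemWriter = new PemWriter(new OutputStreamWriter(outputStream, ASCII));
            pemWriter.writeObject(generator);
            pemWriter.flush();
            return;
        }
        // NOTE(review): for DER output with z == true only the PEM body is written, so the
        // DEK-Info header (cipher and IV) of the legacy format is not included — confirm that
        // combination is intended by callers.
        byte[] encoded = str == null ? privateKey.getEncoded() : generator.generate().getContent();
        outputStream.write(encoded);
        outputStream.flush();
    }

    /**
     * Builds the PEM object generator that serializes (and, if requested, encrypts) the key.
     *
     * @param privateKey key to serialize
     * @param str        encryption algorithm, or {@code null} for no encryption
     * @param cArr       encryption password
     * @param z          {@code true} for the legacy OpenSSL format, {@code false} for PKCS#8
     * @return the generator
     * @throws IOException              if the generator cannot be constructed
     * @throws IllegalArgumentException if the encryptor cannot be created
     */
    private static PemObjectGenerator createPrivateKeyGenerator(PrivateKey privateKey, String str, char[] cArr, boolean z) throws IOException {
        if (str == null) {
            return z ? new JcaMiscPEMGenerator(privateKey) : new JcaPKCS8Generator(privateKey, (OutputEncryptor) null);
        }
        try {
            if (z) {
                JcePEMEncryptorBuilder legacyBuilder = new JcePEMEncryptorBuilder(str);
                legacyBuilder.setProvider("BC");
                legacyBuilder.setSecureRandom(new SecureRandom());
                return new JcaMiscPEMGenerator(privateKey, legacyBuilder.build(cArr));
            }
            JceOpenSSLPKCS8EncryptorBuilder pkcs8Builder = new JceOpenSSLPKCS8EncryptorBuilder(new ASN1ObjectIdentifier(str));
            pkcs8Builder.setProvider("BC");
            // "setPasssword" (three s) is the actual Bouncy Castle method name.
            pkcs8Builder.setPasssword(cArr);
            return new JcaPKCS8Generator(privateKey, pkcs8Builder.build());
        } catch (OperatorCreationException e) {
            throw new IllegalArgumentException("Can't setup encryption modules, likely the parameters (as algorithm) are invalid", e);
        }
    }

    /**
     * Writes a certificate chain to the stream: one PEM object per certificate, or the
     * concatenated DER encodings. All certificates are encoded before anything is written,
     * so an encoding failure leaves the stream untouched. The stream is flushed but not closed.
     *
     * @param outputStream       destination
     * @param x509CertificateArr chain to write, in the given order
     * @param encoding           PEM or DER
     * @throws IOException if writing fails or a certificate cannot be DER encoded
     */
    public static void saveCertificateChain(OutputStream outputStream, X509Certificate[] x509CertificateArr, Encoding encoding) throws IOException {
        if (encoding.equals(Encoding.PEM)) {
            for (X509Certificate cert : x509CertificateArr) {
                saveCertificate(outputStream, cert, Encoding.PEM);
            }
            return;
        }
        byte[][] encoded = new byte[x509CertificateArr.length][];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                encoded[i] = x509CertificateArr[i].getEncoded();
            } catch (CertificateEncodingException e) {
                throw new IOException("Can't encode the certificate into ASN1 DER format", e);
            }
        }
        for (byte[] der : encoded) {
            outputStream.write(der);
        }
        outputStream.flush();
    }

    /**
     * Writes a keystore entry as a PEM "keystore" (PKCS#8 private key followed by its chain).
     * Equivalent to the seven-argument overload with {@code legacy = false}.
     * <p>
     * The output stream is closed when this method returns.
     *
     * @param outputStream destination; closed on return
     * @param keyStore     keystore holding the entry
     * @param str          alias of the key entry
     * @param str2         encryption algorithm for the written key, or {@code null} for unencrypted
     * @param cArr         password protecting the key entry in {@code keyStore}
     * @param cArr2        password used to encrypt the written key
     * @throws IllegalArgumentException if the alias has no key or holds a secret (symmetric) key
     */
    public static void savePEMKeystore(OutputStream outputStream, KeyStore keyStore, String str, String str2, char[] cArr, char[] cArr2) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException {
        savePEMKeystore(outputStream, keyStore, str, str2, cArr, cArr2, false);
    }

    /**
     * Writes a credential as a PEM "keystore", taking the keystore, alias and key password
     * from the credential. The output stream is closed when this method returns.
     *
     * @param outputStream   destination; closed on return
     * @param x509Credential credential to write
     * @param str            encryption algorithm for the written key, or {@code null} for unencrypted
     * @param cArr           password used to encrypt the written key
     * @param z              {@code true} for the legacy OpenSSL key format, {@code false} for PKCS#8
     */
    public static void savePEMKeystore(OutputStream outputStream, X509Credential x509Credential, String str, char[] cArr, boolean z) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException {
        savePEMKeystore(outputStream, x509Credential.getKeyStore(), x509Credential.getKeyAlias(), str, x509Credential.getKeyPassword(), cArr, z);
    }

    /**
     * Writes a keystore entry as a PEM "keystore": the private key (PKCS#8 or legacy format,
     * encrypted when {@code str2} is given) followed by the entry's certificate chain.
     * <p>
     * The output stream is closed when this method returns.
     *
     * @param outputStream destination; closed on return
     * @param keyStore     keystore holding the entry
     * @param str          alias of the key entry
     * @param str2         encryption algorithm for the written key, or {@code null} for unencrypted
     * @param cArr         password protecting the key entry in {@code keyStore}
     * @param cArr2        password used to encrypt the written key
     * @param z            {@code true} for the legacy OpenSSL key format, {@code false} for PKCS#8
     * @throws IllegalArgumentException if the alias has no key, holds a secret (symmetric)
     *                                  key, or the encryption parameters are invalid
     */
    public static void savePEMKeystore(OutputStream outputStream, KeyStore keyStore, String str, String str2, char[] cArr, char[] cArr2, boolean z) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException {
        Key key = keyStore.getKey(str, cArr);
        if (key == null) {
            throw new IllegalArgumentException("The specified alias does not correspond to any key entry");
        }
        if (!(key instanceof PrivateKey)) {
            throw new IllegalArgumentException("The alias corresponds to a secret key, not to the private key");
        }
        savePrivateKey(outputStream, (PrivateKey) key, Encoding.PEM, str2, cArr2, z);
        saveCertificateChain(outputStream, convertToX509Chain(keyStore.getCertificateChain(str)), Encoding.PEM);
        outputStream.close();
    }

    /**
     * Wraps a password in a {@link PasswordFinder}.
     *
     * @param cArr password, or {@code null}
     * @return a finder returning {@code cArr}, or {@code null} when {@code cArr} is {@code null}
     */
    public static PasswordFinder getPF(char[] cArr) {
        return cArr == null ? null : new CharArrayPasswordFinder(cArr);
    }
}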
