package com.azure.security.keyvault.jca.implementation;

import com.azure.security.keyvault.jca.implementation.model.AccessToken;
import com.azure.security.keyvault.jca.implementation.model.CertificateBundle;
import com.azure.security.keyvault.jca.implementation.model.CertificateItem;
import com.azure.security.keyvault.jca.implementation.model.CertificateListResult;
import com.azure.security.keyvault.jca.implementation.model.SecretBundle;
import com.azure.security.keyvault.jca.implementation.model.SignResult;
import com.azure.security.keyvault.jca.implementation.shaded.org.bouncycastle.pkcs.PKCSException;
import com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil;
import com.azure.security.keyvault.jca.implementation.utils.CertificateUtil;
import com.azure.security.keyvault.jca.implementation.utils.HttpUtil;
import com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/azure/security/keyvault/jca/implementation/KeyVaultClient.class */
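/**
 * Minimal REST client for the Azure Key Vault certificate, secret and key endpoints used by the JCA provider.
 *
 * <p>Authentication uses either a service principal (tenant id, client id, client secret) or a managed
 * identity; the bearer token is cached on the instance and requested again once
 * {@link AccessToken#isExpired()} reports it stale. Request/response plumbing is delegated to
 * {@link HttpUtil}, {@link AccessTokenUtil} and {@link JsonConverterUtil}; this class assembles the request
 * URLs and interprets the returned bundles.
 *
 * <p>Failures are reported by logging a warning and returning {@code null} (or an empty array/list) rather
 * than by throwing, so callers must treat {@code null} as "not available".
 *
 * <p>NOTE(review): token refresh is not synchronized; concurrent callers may each issue a token request.
 */
public class KeyVaultClient {
    private static final Logger LOGGER = Logger.getLogger(KeyVaultClient.class.getName());

    /** Content type Key Vault reports for a certificate secret stored as PKCS#12. */
    private static final String CONTENT_TYPE_PKCS12 = "application/x-pkcs12";
    /** Content type Key Vault reports for a certificate secret stored as PEM. */
    private static final String CONTENT_TYPE_PEM = "application/x-pem-file";
    /** Suffix carried by the key type of HSM-backed keys (for example {@code RSA-HSM}). */
    private static final String HSM_SUFFIX = "-HSM";

    /** Scheme plus the vault's DNS suffix (the vault URI minus its first host label and the trailing slash);
     *  passed to {@link AccessTokenUtil} as the resource to obtain a token for. */
    private final String keyVaultBaseUri;
    /** Validated vault URI with a trailing slash; every request URL is built on top of it. */
    private final String keyVaultUri;
    /** Service-principal credentials; all three must be present for the client-credential flow to be used. */
    private final String tenantId;
    private final String clientId;
    private final String clientSecret;
    /** Managed identity used when no complete service-principal credential set is configured; may be null. */
    private final String managedIdentity;
    /** Cached bearer token; null until the first request, replaced once expired. */
    private AccessToken accessToken;
    /** Forwarded to {@link AccessTokenUtil#getLoginUri} when resolving the login endpoint. */
    private final boolean disableChallengeResourceVerification;

    /**
     * Creates a client that authenticates with a managed identity.
     *
     * @param keyVaultUri the vault URI
     * @param managedIdentity the managed identity to request tokens with, or null for the default one
     */
    KeyVaultClient(String keyVaultUri, String managedIdentity) {
        this(keyVaultUri, null, null, null, managedIdentity, false);
    }

    /**
     * Creates a client that authenticates with a service principal.
     *
     * @param keyVaultUri the vault URI
     * @param tenantId the Azure AD tenant id
     * @param clientId the service principal's client id
     * @param clientSecret the service principal's client secret
     */
    public KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret) {
        this(keyVaultUri, tenantId, clientId, clientSecret, null, false);
    }

    /**
     * Creates a client with the full credential configuration.
     *
     * <p>When any of tenant id, client id or client secret is null the managed-identity flow is used instead
     * of the client-credential flow.
     *
     * @param keyVaultUri the vault URI; validated and normalised by {@link HttpUtil}
     * @param tenantId the Azure AD tenant id, or null
     * @param clientId the service principal's client id, or null
     * @param clientSecret the service principal's client secret, or null
     * @param managedIdentity the managed identity to use, or null
     * @param disableChallengeResourceVerification forwarded to {@link AccessTokenUtil#getLoginUri}
     * @throws IllegalArgumentException if the normalised vault URI contains no '.' and so no DNS suffix
     */
    public KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret,
                          String managedIdentity, boolean disableChallengeResourceVerification) {
        LOGGER.log(Level.INFO, "Using Azure Key Vault: {0}", keyVaultUri);
        this.keyVaultUri = HttpUtil.addTrailingSlashIfRequired(HttpUtil.validateUri(keyVaultUri, "Azure Key Vault URI"));
        this.keyVaultBaseUri = HttpUtil.HTTPS_PREFIX + vaultDnsSuffix(this.keyVaultUri);
        this.tenantId = tenantId;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.managedIdentity = managedIdentity;
        this.disableChallengeResourceVerification = disableChallengeResourceVerification;
    }

    /**
     * Returns everything after the first '.' of the normalised vault URI, minus its trailing slash.
     *
     * @param normalisedVaultUri the vault URI as returned by {@link HttpUtil#addTrailingSlashIfRequired}
     * @return the DNS suffix shared by all vaults of the same cloud
     * @throws IllegalArgumentException if the URI contains no '.'
     */
    private static String vaultDnsSuffix(String normalisedVaultUri) {
        int firstDot = normalisedVaultUri.indexOf('.');
        if (firstDot < 0) {
            throw new IllegalArgumentException("Azure Key Vault URI has no DNS suffix: " + normalisedVaultUri);
        }
        // Drop the vault's own host label and the trailing '/' added during normalisation.
        return normalisedVaultUri.substring(firstDot + 1, normalisedVaultUri.length() - 1);
    }

    /**
     * Builds a client from the {@code azure.keyvault.*} system properties.
     *
     * @return a client configured from {@code azure.keyvault.uri}, {@code azure.keyvault.tenant-id},
     *     {@code azure.keyvault.client-id}, {@code azure.keyvault.client-secret},
     *     {@code azure.keyvault.managed-identity} and {@code azure.keyvault.disable-challenge-resource-verification}
     */
    public static KeyVaultClient createKeyVaultClientBySystemProperty() {
        return new KeyVaultClient(
            System.getProperty("azure.keyvault.uri"),
            System.getProperty("azure.keyvault.tenant-id"),
            System.getProperty("azure.keyvault.client-id"),
            System.getProperty("azure.keyvault.client-secret"),
            System.getProperty("azure.keyvault.managed-identity"),
            Boolean.parseBoolean(System.getProperty("azure.keyvault.disable-challenge-resource-verification")));
    }

    /**
     * Returns the cached bearer token, requesting a fresh one when none is cached or it has expired.
     *
     * @return the raw access token string
     * @throws NullPointerException if no token could be obtained
     */
    private String getAccessToken() {
        if (accessToken == null || accessToken.isExpired()) {
            // Keeps the previous (expired) token cached if the refresh fails, so the next call retries.
            accessToken = Objects.requireNonNull(getAccessTokenByHttpRequest(),
                "Could not obtain an access token for " + keyVaultBaseUri);
        }
        return accessToken.getAccessToken();
    }

    /** True when all three service-principal values are configured and the client-credential flow applies. */
    private boolean hasClientCredentials() {
        return tenantId != null && clientId != null && clientSecret != null;
    }

    /**
     * Requests a token from {@link AccessTokenUtil}, via the client-credential flow when a complete
     * service-principal credential set is configured and the managed-identity flow otherwise.
     *
     * <p>The managed identity is URL-encoded into a local each time; the field itself is never rewritten,
     * so repeated refreshes cannot double-encode it.
     *
     * @return the token, or null if the UTF-8 encoding step failed
     */
    private AccessToken getAccessTokenByHttpRequest() {
        LOGGER.entering("KeyVaultClient", "getAccessTokenByHttpRequest");
        AccessToken token = null;
        try {
            String resource = URLEncoder.encode(keyVaultBaseUri, "UTF-8");
            if (hasClientCredentials()) {
                String loginUri = AccessTokenUtil.getLoginUri(
                    keyVaultUri + "certificates" + HttpUtil.API_VERSION_POSTFIX, disableChallengeResourceVerification);
                token = AccessTokenUtil.getAccessToken(resource, loginUri, tenantId, clientId, clientSecret);
            } else {
                String encodedIdentity = managedIdentity == null ? null : URLEncoder.encode(managedIdentity, "UTF-8");
                token = AccessTokenUtil.getAccessToken(resource, encodedIdentity);
            }
        } catch (UnsupportedEncodingException e) {
            LOGGER.log(Level.WARNING, "Could not obtain access token to authenticate with.", e);
        }
        // The token object is deliberately not handed to exiting(): whether AccessToken.toString() reveals the
        // bearer token is not visible from here, and a credential must never reach the log.
        LOGGER.exiting("KeyVaultClient", "getAccessTokenByHttpRequest");
        return token;
    }

    /**
     * Builds the header map carrying the bearer token for a Key Vault request.
     *
     * @return a fresh mutable map with the {@code Authorization} header set
     */
    private Map<String, String> authorizationHeaders() {
        Map<String, String> headers = new HashMap<>();
        headers.put("Authorization", "Bearer " + getAccessToken());
        return headers;
    }

    /**
     * Lists the names of all certificates in the vault, following {@code nextLink} pagination.
     *
     * <p>A failed request or an unparsable page ends the listing; the aliases gathered so far are returned.
     *
     * @return the certificate names (never null, possibly empty)
     */
    public List<String> getAliases() {
        LOGGER.entering("KeyVaultClient", "getAliases");
        List<String> aliases = new ArrayList<>();
        Map<String, String> headers = authorizationHeaders();
        String nextLink = keyVaultUri + "certificates" + HttpUtil.API_VERSION_POSTFIX;
        while (nextLink != null && !nextLink.isEmpty()) {
            String body = HttpUtil.get(nextLink, headers);
            CertificateListResult page = null;
            if (body != null) {
                try {
                    page = (CertificateListResult) JsonConverterUtil.fromJson(CertificateListResult::fromJson, body);
                } catch (IOException e) {
                    LOGGER.log(Level.WARNING, "Failed to parse certificate list response", e);
                }
            }
            if (page == null) {
                break;
            }
            nextLink = page.getNextLink();
            List<CertificateItem> items = page.getValue();
            if (items != null) {
                for (CertificateItem item : items) {
                    aliases.add(CertificateUtil.getCertificateNameFromCertificateItemId(item.getId()));
                }
            }
        }
        LOGGER.exiting("KeyVaultClient", "getAliases", aliases);
        return aliases;
    }

    /**
     * Fetches the certificate bundle (metadata, policy, DER certificate) for an alias.
     *
     * <p>NOTE(review): the alias is interpolated into the request path as-is. Key Vault object names are
     * limited to alphanumerics and '-', so an alias outside that set should be rejected by the caller; confirm.
     *
     * @param alias the certificate name
     * @return the bundle, or null if the request failed or the response could not be parsed
     */
    private CertificateBundle getCertificateBundle(String alias) {
        LOGGER.entering("KeyVaultClient", "getCertificateBundle", alias);
        CertificateBundle bundle = null;
        String body = HttpUtil.get(keyVaultUri + "certificates/" + alias + HttpUtil.API_VERSION_POSTFIX, authorizationHeaders());
        if (body != null) {
            try {
                bundle = (CertificateBundle) JsonConverterUtil.fromJson(CertificateBundle::fromJson, body);
            } catch (IOException e) {
                LOGGER.log(Level.WARNING, "Failed to parse certificate bundle response", e);
            }
        }
        LOGGER.exiting("KeyVaultClient", "getCertificateBundle", bundle);
        return bundle;
    }

    /**
     * Returns the X.509 certificate stored under an alias.
     *
     * @param alias the certificate name
     * @return the parsed certificate, or null if the bundle, its {@code cer} field or the parse failed
     */
    public Certificate getCertificate(String alias) {
        LOGGER.entering("KeyVaultClient", "getCertificate", alias);
        LOGGER.log(Level.INFO, "Getting certificate for alias: {0}", alias);
        X509Certificate certificate = null;
        CertificateBundle bundle = getCertificateBundle(alias);
        String der = bundle == null ? null : bundle.getCer();
        if (der != null) {
            try {
                // The "cer" field is the standard-Base64 DER encoding of the leaf certificate.
                byte[] encoded = Base64.getDecoder().decode(der);
                certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(encoded));
            } catch (CertificateException e) {
                LOGGER.log(Level.WARNING, "Certificate error", e);
            }
        }
        LOGGER.exiting("KeyVaultClient", "getCertificate", certificate);
        return certificate;
    }

    /**
     * Returns the certificate chain stored in the secret that backs the certificate alias.
     *
     * @param alias the certificate name
     * @return the chain decoded by {@link CertificateUtil#loadCertificatesFromSecretBundleValue}, or an empty
     *     array if the secret could not be parsed or decoded
     * @throws NullPointerException if the secret request returned no body
     */
    public Certificate[] getCertificateChain(String alias) {
        LOGGER.entering("KeyVaultClient", "getCertificateChain", alias);
        LOGGER.log(Level.INFO, "Getting certificate chain for alias: {0}", alias);
        String body = HttpUtil.get(keyVaultUri + "secrets/" + alias + HttpUtil.API_VERSION_POSTFIX, authorizationHeaders());
        Objects.requireNonNull(body, "No secret response for alias " + alias);
        SecretBundle secretBundle = null;
        try {
            secretBundle = (SecretBundle) JsonConverterUtil.fromJson(SecretBundle::fromJson, body);
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to parse secret bundle response", e);
        }
        Certificate[] chain = new Certificate[0];
        if (secretBundle != null) {
            try {
                chain = CertificateUtil.loadCertificatesFromSecretBundleValue(secretBundle.getValue());
            } catch (PKCSException | IOException | KeyStoreException | NoSuchAlgorithmException
                     | NoSuchProviderException | CertificateException e) {
                LOGGER.log(Level.WARNING, "Unable to decode certificate chain", e);
            }
        }
        LOGGER.exiting("KeyVaultClient", "getCertificateChain", alias);
        return chain;
    }

    /**
     * Removes the {@code -HSM} suffix from a Key Vault key type so it names a JCA algorithm.
     *
     * @param keyType the {@code kty} value, possibly null
     * @return the algorithm name, or null if {@code keyType} is null
     */
    private static String stripHsmSuffix(String keyType) {
        if (keyType == null) {
            return null;
        }
        int suffix = keyType.indexOf(HSM_SUFFIX);
        return suffix < 0 ? keyType : keyType.substring(0, suffix);
    }

    /**
     * Returns the private key for a certificate alias.
     *
     * <p>For a non-exportable key a {@link KeyVaultPrivateKey} handle bound to this client is returned
     * (presumably so signing is performed inside Key Vault). For an exportable key the backing secret is
     * downloaded and decoded from PKCS#12 or PEM.
     *
     * @param alias the certificate name
     * @param password ignored; Key Vault secrets carry no password (the PKCS#12 is opened with an empty one)
     * @return the key, or null if the bundle is missing, the secret is unavailable or decoding failed
     */
    public Key getKey(String alias, char[] password) {
        // The password is deliberately left out of the trace.
        LOGGER.entering("KeyVaultClient", "getKey", alias);
        LOGGER.log(Level.INFO, "Getting key for alias: {0}", alias);
        CertificateBundle bundle = getCertificateBundle(alias);
        if (bundle == null) {
            LOGGER.log(Level.WARNING, "No certificate bundle found for alias: {0}", alias);
            LOGGER.exiting("KeyVaultClient", "getKey", null);
            return null;
        }
        boolean exportable = Optional.ofNullable(bundle.getPolicy())
            .map(policy -> policy.getKeyProperties())
            .map(properties -> properties.isExportable())
            .orElse(false);
        String keyType = Optional.ofNullable(bundle.getPolicy())
            .map(policy -> policy.getKeyProperties())
            .map(properties -> properties.getKty())
            .orElse(null);

        if (!exportable) {
            String algorithm = stripHsmSuffix(keyType);
            String kid = bundle.getKid();
            KeyVaultPrivateKey remoteKey = kid == null ? null : new KeyVaultPrivateKey(algorithm, kid, this);
            LOGGER.exiting("KeyVaultClient", "getKey", remoteKey);
            return remoteKey;
        }

        String body = HttpUtil.get(bundle.getSid() + HttpUtil.API_VERSION_POSTFIX, authorizationHeaders());
        if (body == null) {
            LOGGER.exiting("KeyVaultClient", "getKey", null);
            return null;
        }
        SecretBundle secretBundle = null;
        try {
            secretBundle = (SecretBundle) JsonConverterUtil.fromJson(SecretBundle::fromJson, body);
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to parse secret bundle response.", e);
        }

        PrivateKey privateKey = null;
        if (secretBundle != null && secretBundle.getValue() != null) {
            String contentType = secretBundle.getContentType();
            if (CONTENT_TYPE_PKCS12.equals(contentType)) {
                privateKey = loadPrivateKeyFromPkcs12(secretBundle.getValue());
            } else if (CONTENT_TYPE_PEM.equals(contentType)) {
                try {
                    privateKey = createPrivateKeyFromPem(secretBundle.getValue(), stripHsmSuffix(keyType));
                } catch (IOException | IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
                    LOGGER.log(Level.WARNING, "Unable to decode key", e);
                }
            } else if (contentType != null) {
                LOGGER.log(Level.WARNING, "Unsupported secret content type for alias {0}: {1}",
                    new Object[]{alias, contentType});
            }
        }
        // Not passed to exiting(): some PrivateKey implementations print key material in toString().
        LOGGER.exiting("KeyVaultClient", "getKey");
        return privateKey;
    }

    /**
     * Extracts the private key of the first entry of a Base64-encoded, password-less PKCS#12 store.
     *
     * @param base64Pkcs12 the secret value
     * @return the private key, or null if the store is empty, the entry is not a private key or decoding failed
     */
    private static PrivateKey loadPrivateKeyFromPkcs12(String base64Pkcs12) {
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(new ByteArrayInputStream(Base64.getDecoder().decode(base64Pkcs12)), new char[0]);
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                LOGGER.log(Level.WARNING, "Unable to decode key: PKCS12 secret contains no entries");
                return null;
            }
            Key key = keyStore.getKey(aliases.nextElement(), new char[0]);
            if (!(key instanceof PrivateKey)) {
                LOGGER.log(Level.WARNING, "Unable to decode key: first PKCS12 entry is not a private key");
                return null;
            }
            return (PrivateKey) key;
        } catch (IOException | IllegalArgumentException | KeyStoreException | NoSuchAlgorithmException
                 | UnrecoverableKeyException | CertificateException e) {
            LOGGER.log(Level.WARNING, "Unable to decode key", e);
            return null;
        }
    }

    /**
     * Asks Key Vault to sign a digest with the key identified by {@code keyId}.
     *
     * <p>The request body is built by concatenation rather than {@code String.format} so that a '%' in the
     * algorithm name cannot be misread as a format specifier. Neither value is JSON-escaped: the algorithm
     * is expected to be a plain identifier and the digest Base64url text.
     *
     * @param algorithm the Key Vault signing algorithm name (the JSON {@code alg} field)
     * @param digestValue the Base64url-encoded digest to sign (the JSON {@code value} field)
     * @param keyId the key identifier the {@code /sign} path is appended to
     * @return the Base64url-decoded signature, or an empty array if the call or the parse failed
     */
    public byte[] getSignedWithPrivateKey(String algorithm, String digestValue, String keyId) {
        LOGGER.entering("KeyVaultClient", "getSignedWithPrivateKey", new Object[]{algorithm, digestValue, keyId});
        String requestBody = "{\"alg\": \"" + algorithm + "\", \"value\": \"" + digestValue + "\"}";
        String response = HttpUtil.post(keyId + "/sign" + HttpUtil.API_VERSION_POSTFIX, authorizationHeaders(),
            requestBody, "application/json");
        SignResult signResult = null;
        if (response != null) {
            try {
                signResult = (SignResult) JsonConverterUtil.fromJson(SignResult::fromJson, response);
            } catch (IOException e) {
                LOGGER.log(Level.WARNING, "Failed to parse sign result response.", e);
            }
        } else {
            LOGGER.log(Level.WARNING, "Can not get signature. It can be caused by missing 'sign' permission. To know how to add 'sign' permission, see https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca#key-less-certificates.");
        }
        byte[] signature = new byte[0];
        if (signResult != null && signResult.getValue() != null) {
            signature = Base64.getUrlDecoder().decode(signResult.getValue());
        }
        LOGGER.exiting("KeyVaultClient", "getSignedWithPrivateKey", signature);
        return signature;
    }

    /**
     * Parses a PKCS#8 private key from PEM text.
     *
     * <p>The first line must carry {@code BEGIN PRIVATE KEY}; the Base64 body is read up to the line carrying
     * {@code END PRIVATE KEY} (or the end of the text) and fed to a {@link KeyFactory} for {@code keyType}.
     * The PEM text is never logged because it is the private key itself.
     *
     * @param pem the PEM text
     * @param keyType the JCA key algorithm name
     * @return the private key
     * @throws IllegalArgumentException if the first line is not a {@code BEGIN PRIVATE KEY} header or the body
     *     is not valid Base64
     * @throws IOException if reading the text fails
     * @throws NoSuchAlgorithmException if {@code keyType} names no available KeyFactory
     * @throws InvalidKeySpecException if the decoded bytes are not a valid PKCS#8 key for {@code keyType}
     */
    private PrivateKey createPrivateKeyFromPem(String pem, String keyType)
            throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        LOGGER.entering("KeyVaultClient", "createPrivateKeyFromPem", keyType);
        StringBuilder base64 = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new StringReader(pem))) {
            String header = reader.readLine();
            if (header == null || !header.contains("BEGIN PRIVATE KEY")) {
                throw new IllegalArgumentException("No PRIVATE KEY found");
            }
            String line = reader.readLine();
            while (line != null && !line.contains("END PRIVATE KEY")) {
                base64.append(line);
                line = reader.readLine();
            }
        }
        byte[] pkcs8 = Base64.getDecoder().decode(base64.toString());
        PrivateKey privateKey = KeyFactory.getInstance(keyType).generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        // Not passed to exiting(): some PrivateKey implementations print key material in toString().
        LOGGER.exiting("KeyVaultClient", "createPrivateKeyFromPem");
        return privateKey;
    }
}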
