package com.oath.auth;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECParameterSpec;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/oath/auth/Utils.class */
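/**
 * Static helpers used by the Athenz certificate refresher to turn key material (PEM files,
 * classpath resources, in-memory PEM strings or JKS files) into {@link KeyStore}s,
 * {@link KeyManager}s, {@link SSLContext}s and {@link KeyRefresher}s.
 *
 * <p>Location handling, applied consistently below: an absolute path is read from disk; any
 * other string is looked up as a classpath resource through this class's class loader. A
 * relative file-system path is therefore NOT supported.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@code KEYSTORE_PASSWORD} is a fixed value visible in the bytecode. It only guards the
 *       in-memory keystores built here (where it protects nothing the process does not already
 *       hold) and is the default password for {@link #getKeyStore(String)}. Never protect a
 *       persistent keystore with it.</li>
 *   <li>A private key loaded from PEM is checked against the certificate public keys unless
 *       {@code athenz.cert_refresher.disable_public_key_check} is set or
 *       {@link #setDisablePublicKeyCheck(boolean)} is called; that switch exists for tests.</li>
 *   <li>{@code athenz.cert_refresher.tls_algorithm} overrides the SSLContext protocol name. Only
 *       "TLSv1.3" or "TLSv1.2" are sensible values; an older name downgrades every connection.</li>
 *   <li>Unless {@code athenz.cert_refresher.skip_bc_provider=true}, BouncyCastle is appended to
 *       the JCA provider list when this class loads (the PEM parsing classes used here come from
 *       the same library).</li>
 * </ul>
 */
public class Utils {
    private static final String SSLCONTEXT_ALGORITHM_TLS12 = "TLSv1.2";
    private static final String SSLCONTEXT_ALGORITHM_TLS13 = "TLSv1.3";
    private static final String PROP_TLS_ALGORITHM = "athenz.cert_refresher.tls_algorithm";
    private static final String PROP_SKIP_BC_PROVIDER = "athenz.cert_refresher.skip_bc_provider";
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
    private static final Logger LOG = LoggerFactory.getLogger(Utils.class);
    /**
     * Password for the in-memory keystores created here and the default for
     * {@link #getKeyStore(String)}. It satisfies the KeyStore/KeyManagerFactory API; it is not a
     * secret. A JKS file loaded through the one-argument getKeyStore must have been stored with
     * exactly this password, otherwise the integrity check fails with an IOException.
     */
    private static final char[] KEYSTORE_PASSWORD = "secret".toCharArray();
    private static final String PROP_KEY_WAIT_TIME = "athenz.cert_refresher.key_wait_time";
    private static final long DEFAULT_KEY_WAIT_TIME_MINUTES = 10L;
    private static final long KEY_WAIT_POLL_INTERVAL_MILLIS = 1000L;
    /** How long {@link #createKeyStore(String, String)} polls for missing files before giving up. */
    private static final long KEY_WAIT_TIME_MILLIS = TimeUnit.MINUTES.toMillis(readKeyWaitTimeMinutes());
    private static final String PROP_DISABLE_PUB_KEY_CHECK = "athenz.cert_refresher.disable_public_key_check";
    /** Fixed message signed during the EC key-match round trip; its content is irrelevant. */
    private static final byte[] KEY_MATCH_CHALLENGE = "athenz-cert-refresher-key-match".getBytes(StandardCharsets.UTF_8);
    /**
     * Test-only escape hatch: when true a private key is accepted together with certificates it
     * does not belong to. volatile so a flip through the setter is visible to other threads.
     */
    private static volatile boolean disablePublicKeyCheck = Boolean.parseBoolean(System.getProperty(PROP_DISABLE_PUB_KEY_CHECK, "false"));

    /**
     * Reads {@code athenz.cert_refresher.key_wait_time} (minutes). A non-numeric value is logged
     * and replaced by the default instead of failing class initialisation.
     */
    private static long readKeyWaitTimeMinutes() {
        String raw = System.getProperty(PROP_KEY_WAIT_TIME, Long.toString(DEFAULT_KEY_WAIT_TIME_MINUTES));
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            LOG.warn("Ignoring non-numeric {}={}; using {} minutes", PROP_KEY_WAIT_TIME, raw, DEFAULT_KEY_WAIT_TIME_MINUTES);
            return DEFAULT_KEY_WAIT_TIME_MINUTES;
        }
    }

    /**
     * Turns the private-key/certificate match check on or off process-wide.
     *
     * @param disable true to skip {@link #verifyPrivateKeyCertsMatch}; intended for tests only
     */
    public static void setDisablePublicKeyCheck(boolean disable) {
        disablePublicKeyCheck = disable;
    }

    /**
     * Loads a JKS keystore protected with the built-in default password.
     *
     * @param jksFilePath absolute file path, or a classpath resource name
     * @return the loaded keystore
     * @throws IOException if the location is empty, cannot be read, or the password is wrong
     * @throws KeyRefresherException if the content is not a valid keystore or JKS is unavailable
     */
    public static KeyStore getKeyStore(String jksFilePath) throws IOException, KeyRefresherException {
        return getKeyStore(jksFilePath, KEYSTORE_PASSWORD);
    }

    /**
     * Loads a JKS keystore.
     *
     * @param jksFilePath absolute file path, or a classpath resource name (see class doc)
     * @param password    keystore integrity password
     * @return the loaded keystore
     * @throws IOException if the location is empty or missing (a missing classpath resource is
     *                     reported as FileNotFoundException rather than silently yielding an
     *                     empty keystore), or if the content/password is wrong
     * @throws KeyRefresherException if the content cannot be parsed or JKS is unavailable
     */
    public static KeyStore getKeyStore(String jksFilePath, char[] password) throws IOException, KeyRefresherException {
        if (jksFilePath == null || jksFilePath.isEmpty()) {
            throw new FileNotFoundException("jksFilePath is empty");
        }
        String failure = "Unable to load " + jksFilePath + " as a KeyStore.  Please check the validity of the file.";
        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
        } catch (KeyStoreException e) {
            // A null KeyStore is accepted further down by KeyManagerFactory.init and yields a
            // manager with no credentials, so this is reported instead of returned as null.
            throw new KeyRefresherException("No Provider supports a KeyStoreSpi implementation for the specified type.", e);
        }
        try (InputStream in = openLocation(jksFilePath, "KeyStore")) {
            keyStore.load(in, password);
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new KeyRefresherException(failure, e);
        }
        return keyStore;
    }

    /**
     * Opens an absolute path as a file and anything else as a classpath resource.
     *
     * @throws FileNotFoundException if the file or resource does not exist
     */
    private static InputStream openLocation(String location, String what) throws FileNotFoundException {
        if (Paths.get(location).isAbsolute()) {
            return new FileInputStream(location);
        }
        InputStream resource = Utils.class.getClassLoader().getResourceAsStream(location);
        if (resource == null) {
            throw new FileNotFoundException(what + " not found on classpath: " + location);
        }
        return resource;
    }

    /**
     * Builds key managers from a PEM certificate (chain) and PEM private key located by path or
     * classpath resource; absolute paths are waited for (see {@link #createKeyStore(String, String)}).
     */
    public static KeyManager[] getKeyManagers(String athenzPublicCert, String athenzPrivateKey) throws IOException, InterruptedException, KeyRefresherException {
        return getKeyManagersFromKeyStore(createKeyStore(athenzPublicCert, athenzPrivateKey));
    }

    /** Builds key managers from in-memory PEM text (certificate chain, then private key). */
    public static KeyManager[] getKeyManagersFromPems(String certPem, String keyPem) throws IOException, KeyRefresherException {
        return getKeyManagersFromKeyStore(createKeyStoreFromPems(certPem, keyPem));
    }

    /**
     * Initialises the default KeyManagerFactory with a keystore built by this class (so the entry
     * password is {@code KEYSTORE_PASSWORD}).
     *
     * @throws KeyRefresherException if the keystore is null, unusable, or the password is wrong
     */
    private static KeyManager[] getKeyManagersFromKeyStore(KeyStore keyStore) throws KeyRefresherException {
        if (keyStore == null) {
            // The JDK's SunX509 factory accepts a null KeyStore and builds a manager that offers
            // no client credentials at all; fail loudly instead of negotiating TLS without a cert.
            throw new KeyRefresherException("Unable to initialize KeyManagerFactory: no KeyStore available.");
        }
        try {
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore, KEYSTORE_PASSWORD);
            return factory.getKeyManagers();
        } catch (KeyStoreException e) {
            throw new KeyRefresherException("Unable to initialize KeyManagerFactory.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new KeyRefresherException("No Provider supports a KeyManagerFactorySpi implementation for the specified algorithm.", e);
        } catch (UnrecoverableKeyException e) {
            throw new KeyRefresherException("key cannot be recovered (e.g. the given password is wrong).", e);
        }
    }

    /** Key refresher whose trust store is a JKS file protected with the default password. */
    public static KeyRefresher generateKeyRefresher(String trustStorePath, String athenzPublicCert, String athenzPrivateKey) throws FileNotFoundException, IOException, InterruptedException, KeyRefresherException {
        return generateKeyRefresher(trustStorePath, KEYSTORE_PASSWORD, athenzPublicCert, athenzPrivateKey, null);
    }

    /**
     * Key refresher with a String trust-store password. Prefer the {@code char[]} overload: a
     * String password cannot be wiped from the heap after use.
     */
    public static KeyRefresher generateKeyRefresher(String trustStorePath, String trustStorePassword, String athenzPublicCert, String athenzPrivateKey) throws FileNotFoundException, IOException, InterruptedException, KeyRefresherException {
        return generateKeyRefresher(trustStorePath, trustStorePassword.toCharArray(), athenzPublicCert, athenzPrivateKey, null);
    }

    /** Key refresher with a JKS trust store and no listener. */
    public static KeyRefresher generateKeyRefresher(String trustStorePath, char[] trustStorePassword, String athenzPublicCert, String athenzPrivateKey) throws FileNotFoundException, IOException, InterruptedException, KeyRefresherException {
        return generateKeyRefresher(trustStorePath, trustStorePassword, athenzPublicCert, athenzPrivateKey, null);
    }

    /**
     * Key refresher with a JKS trust store.
     *
     * @param trustStorePath     absolute path or classpath resource of the JKS trust store
     * @param trustStorePassword its integrity password
     * @param athenzPublicCert   certificate (chain) PEM location
     * @param athenzPrivateKey   private key PEM location
     * @param listener           optional callback, may be null
     */
    public static KeyRefresher generateKeyRefresher(String trustStorePath, char[] trustStorePassword, String athenzPublicCert, String athenzPrivateKey, KeyRefresherListener listener) throws FileNotFoundException, IOException, InterruptedException, KeyRefresherException {
        TrustStore trustStore = new TrustStore(trustStorePath, new JavaKeyStoreProvider(trustStorePath, trustStorePassword));
        return getKeyRefresher(athenzPublicCert, athenzPrivateKey, trustStore, listener);
    }

    /** Key refresher whose trust store is built from a PEM bundle of CA certificates. */
    public static KeyRefresher generateKeyRefresherFromCaCert(String caCertPath, String athenzPublicCert, String athenzPrivateKey) throws IOException, InterruptedException, KeyRefresherException {
        return getKeyRefresher(athenzPublicCert, athenzPrivateKey, new TrustStore(caCertPath, new CaCertKeyStoreProvider(caCertPath)));
    }

    static KeyRefresher getKeyRefresher(String athenzPublicCert, String athenzPrivateKey, TrustStore trustStore) throws IOException, InterruptedException, KeyRefresherException {
        return getKeyRefresher(athenzPublicCert, athenzPrivateKey, trustStore, null);
    }

    /**
     * Wires the initial key and trust managers into proxies the refresher can swap later.
     *
     * @throws KeyRefresherException wrapping any NoSuchAlgorithmException from trust-manager setup
     */
    static KeyRefresher getKeyRefresher(String athenzPublicCert, String athenzPrivateKey, TrustStore trustStore, KeyRefresherListener listener) throws IOException, InterruptedException, KeyRefresherException {
        try {
            KeyManagerProxy keyManagerProxy = new KeyManagerProxy(getKeyManagers(athenzPublicCert, athenzPrivateKey));
            TrustManagerProxy trustManagerProxy = new TrustManagerProxy(trustStore.getTrustManagers());
            return new KeyRefresher(athenzPublicCert, athenzPrivateKey, trustStore, keyManagerProxy, trustManagerProxy, listener);
        } catch (NoSuchAlgorithmException e) {
            throw new KeyRefresherException(e);
        }
    }

    /**
     * Creates and initialises an SSLContext for the given protocol name.
     *
     * <p>When {@code trustManagerProxy} is null the context is initialised with a null
     * TrustManager array, i.e. the JDK's default trust store (cacerts) decides which peers are
     * trusted. The SecureRandom argument is left to the provider default.
     *
     * @param protocol an SSLContext algorithm name such as "TLSv1.3"; note that the name selects
     *                 a context implementation, the set of enabled protocols on sockets created
     *                 from it is still the JDK's default for that context
     * @throws KeyRefresherException if the protocol is unsupported or initialisation fails
     */
    public static SSLContext buildSSLContext(KeyManagerProxy keyManagerProxy, TrustManagerProxy trustManagerProxy, String protocol) throws KeyRefresherException {
        TrustManager[] trustManagers = trustManagerProxy == null ? null : new TrustManager[]{trustManagerProxy};
        try {
            SSLContext context = SSLContext.getInstance(protocol);
            context.init(new KeyManager[]{keyManagerProxy}, trustManagers, null);
            return context;
        } catch (KeyManagementException e) {
            throw new KeyRefresherException("Unable to create SSLContext.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new KeyRefresherException("No Provider supports a SSLContextSpi implementation for the specified protocol " + protocol, e);
        }
    }

    /**
     * Creates an SSLContext using {@code athenz.cert_refresher.tls_algorithm} if set, otherwise
     * "TLSv1.3" with a fallback to "TLSv1.2" when the JDK has no TLSv1.3 context.
     *
     * <p>The property is applied verbatim, so it can downgrade the protocol; operators should set
     * it only to "TLSv1.3" or "TLSv1.2".
     */
    public static SSLContext buildSSLContext(KeyManagerProxy keyManagerProxy, TrustManagerProxy trustManagerProxy) throws KeyRefresherException {
        String configured = System.getProperty(PROP_TLS_ALGORITHM);
        if (configured != null && !configured.isEmpty()) {
            return buildSSLContext(keyManagerProxy, trustManagerProxy, configured);
        }
        try {
            return buildSSLContext(keyManagerProxy, trustManagerProxy, SSLCONTEXT_ALGORITHM_TLS13);
        } catch (KeyRefresherException tls13Unavailable) {
            LOG.debug("TLSv1.3 SSLContext unavailable, falling back to TLSv1.2", tls13Unavailable);
            return buildSSLContext(keyManagerProxy, trustManagerProxy, SSLCONTEXT_ALGORITHM_TLS12);
        }
    }

    /**
     * Creates an SSLContext from in-memory PEM text.
     *
     * @param caCertsPem PEM bundle of trusted CA certificates; when null NO custom trust manager
     *                   is installed and the JDK default trust store is used instead
     * @param certPem    client certificate (chain) PEM
     * @param keyPem     client private key PEM
     * @throws KeyRefresherException if any PEM is invalid, the key does not match the
     *                               certificate, or the context cannot be built
     */
    public static SSLContext buildSSLContext(String caCertsPem, String certPem, String keyPem) throws KeyRefresherException, IOException {
        TrustManagerProxy trustManagerProxy = null;
        if (caCertsPem != null) {
            TrustStore trustStore = new TrustStore(null, new CaCertKeyStoreProvider(inputStreamSupplierFromString(caCertsPem)));
            trustManagerProxy = new TrustManagerProxy(trustStore.getTrustManagers());
        }
        KeyManagerProxy keyManagerProxy = new KeyManagerProxy(getKeyManagersFromPems(certPem, keyPem));
        return buildSSLContext(keyManagerProxy, trustManagerProxy, System.getProperty(PROP_TLS_ALGORITHM, SSLCONTEXT_ALGORITHM_TLS13));
    }

    /** Supplier that opens the file on each call; a missing file surfaces as UncheckedIOException. */
    static Supplier<InputStream> inputStreamSupplierFromFile(File file) throws UncheckedIOException {
        return () -> {
            try {
                return new FileInputStream(file);
            } catch (FileNotFoundException e) {
                throw new UncheckedIOException(e);
            }
        };
    }

    /** Supplier that opens a classpath resource on each call; a missing resource surfaces as UncheckedIOException. */
    static Supplier<InputStream> inputStreamSupplierFromResource(String resourceName) throws UncheckedIOException {
        return () -> {
            InputStream resource = Utils.class.getClassLoader().getResourceAsStream(resourceName);
            if (resource == null) {
                throw new UncheckedIOException(new FileNotFoundException("Certificate or private key file is empty " + resourceName));
            }
            return resource;
        };
    }

    /** Supplier over the UTF-8 bytes of an in-memory string. */
    static Supplier<InputStream> inputStreamSupplierFromString(String content) throws UncheckedIOException {
        return () -> new ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds a single-entry keystore from a certificate (chain) PEM and a private key PEM.
     *
     * <p>If both locations are absolute paths they are read from disk, and the method polls for
     * up to {@code athenz.cert_refresher.key_wait_time} minutes (default 10) for the files to
     * appear. Otherwise BOTH are treated as classpath resources without waiting, even if one of
     * them is absolute.
     *
     * @throws FileNotFoundException if either location is empty, or a resource/file is missing
     * @throws InterruptedException if interrupted while polling for the files
     * @throws KeyRefresherException if the wait times out, the PEMs are invalid, or the key does
     *                               not match any certificate
     */
    public static KeyStore createKeyStore(String athenzPublicCert, String athenzPrivateKey) throws FileNotFoundException, IOException, InterruptedException, KeyRefresherException {
        if (athenzPublicCert == null || athenzPublicCert.isEmpty()) {
            throw new FileNotFoundException("athenzPublicCert can not be empty");
        }
        if (athenzPrivateKey == null || athenzPrivateKey.isEmpty()) {
            throw new FileNotFoundException("athenzPrivateKey can not be empty");
        }
        Supplier<String> certName = () -> athenzPublicCert;
        Supplier<String> keyName = () -> athenzPrivateKey;
        Supplier<InputStream> certSource;
        Supplier<InputStream> keySource;
        if (Paths.get(athenzPublicCert).isAbsolute() && Paths.get(athenzPrivateKey).isAbsolute()) {
            File certFile = new File(athenzPublicCert);
            File keyFile = new File(athenzPrivateKey);
            waitForFiles(certFile, keyFile, athenzPublicCert, athenzPrivateKey);
            certSource = inputStreamSupplierFromFile(certFile);
            keySource = inputStreamSupplierFromFile(keyFile);
        } else {
            certSource = inputStreamSupplierFromResource(athenzPublicCert);
            keySource = inputStreamSupplierFromResource(athenzPrivateKey);
        }
        try {
            return createKeyStore(certSource, certName, keySource, keyName);
        } catch (UncheckedIOException e) {
            throw e.getCause();
        }
    }

    /**
     * Polls once a second until both files exist or {@code KEY_WAIT_TIME_MILLIS} has elapsed.
     *
     * @throws KeyRefresherException when the wait times out
     * @throws InterruptedException if interrupted while sleeping
     */
    private static void waitForFiles(File certFile, File keyFile, String certPath, String keyPath) throws InterruptedException, KeyRefresherException {
        long start = System.currentTimeMillis();
        while (!certFile.exists() || !keyFile.exists()) {
            long waited = System.currentTimeMillis() - start;
            if (waited > KEY_WAIT_TIME_MILLIS) {
                throw new KeyRefresherException("KeyRefresher waited " + waited + " ms for valid public cert: " + certPath + " or private key: " + keyPath + " files. Giving up.");
            }
            LOG.error("Missing Athenz public certificate {} or private key {} files. Waiting {} ms", certPath, keyPath, waited);
            Thread.sleep(KEY_WAIT_POLL_INTERVAL_MILLIS);
        }
    }

    /** Builds a single-entry keystore from in-memory PEM text. */
    public static KeyStore createKeyStoreFromPems(String certPem, String keyPem) throws IOException, KeyRefresherException {
        return createKeyStore(inputStreamSupplierFromString(certPem), () -> "in memory certificate pem",
                inputStreamSupplierFromString(keyPem), () -> "in memory private key pem");
    }

    /**
     * Builds a single-entry JKS keystore from a certificate (chain) stream and a private key PEM
     * stream. The entry alias is the subject DN of the first certificate, which also becomes the
     * head of the stored chain; the entry is protected with {@code KEYSTORE_PASSWORD}.
     *
     * @param certSource supplies the certificate stream (closed here)
     * @param certName   human-readable name of the certificate source, for error messages
     * @param keySource  supplies the private key PEM stream (closed here)
     * @param keyName    human-readable name of the key source, for error messages
     * @throws IOException if a stream cannot be read
     * @throws KeyRefresherException if the PEM cannot be parsed, is encrypted or of an unknown
     *                               type, contains no certificate, or the key matches none of
     *                               the certificates
     */
    public static KeyStore createKeyStore(Supplier<InputStream> certSource, Supplier<String> certName, Supplier<InputStream> keySource, Supplier<String> keyName) throws IOException, KeyRefresherException {
        String failure = "Unable to load private key: " + keyName.get() + " and certificate: " + certName.get() + " as a KeyStore. Please check the validity of the files.";
        PrivateKey privateKey;
        List<Certificate> certs;
        try (InputStream certStream = certSource.get();
             InputStream keyStream = keySource.get();
             PEMParser pemParser = new PEMParser(new InputStreamReader(keyStream, StandardCharsets.UTF_8))) {
            privateKey = readPrivateKey(pemParser);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            certs = new ArrayList<>(certificateFactory.generateCertificates(certStream));
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new KeyRefresherException(failure, e);
        }
        if (certs.isEmpty()) {
            throw new KeyRefresherException("Certificate file contains empty certificate or an invalid certificate.");
        }
        String alias = ((X509Certificate) certs.get(0)).getSubjectX500Principal().getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} number of certificates found. Using {} alias to create the keystore", certs.size(), alias);
        }
        verifyPrivateKeyCertsMatch(privateKey, certs);
        try {
            KeyStore keyStore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
            keyStore.load(null);
            keyStore.setKeyEntry(alias, privateKey, KEYSTORE_PASSWORD, certs.toArray(new Certificate[0]));
            return keyStore;
        } catch (KeyStoreException e) {
            throw new KeyRefresherException("No Provider supports a KeyStoreSpi implementation for the specified type.", e);
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new KeyRefresherException(failure, e);
        }
    }

    /**
     * Reads the first PEM object and converts it to a private key. Only an unencrypted key pair
     * object (PEMKeyPair) or an unencrypted PKCS#8 object (PrivateKeyInfo) is accepted; there is
     * no passphrase handling, so encrypted PEM is rejected as an unknown object type.
     */
    private static PrivateKey readPrivateKey(PEMParser pemParser) throws IOException, KeyRefresherException {
        Object pemObject = pemParser.readObject();
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
        if (pemObject instanceof PEMKeyPair) {
            return converter.getPrivateKey(((PEMKeyPair) pemObject).getPrivateKeyInfo());
        }
        if (pemObject instanceof PrivateKeyInfo) {
            return converter.getPrivateKey((PrivateKeyInfo) pemObject);
        }
        throw new KeyRefresherException("Unknown object type: " + (pemObject == null ? "null" : pemObject.getClass().getName()));
    }

    /**
     * Returns whether {@code privateKey} is the private half of {@code publicKey}.
     *
     * <p>RSA: the moduli must be equal. EC: the domain parameters must be equal AND a signature
     * made with the private key must verify under the public key. Comparing curve parameters
     * alone (as this check previously did) accepts any two keys on the same curve, which is
     * almost every EC key in practice. Any other key type, or a null, returns false.
     */
    static boolean verifyPrivatePublicKeyMatch(PrivateKey privateKey, PublicKey publicKey) {
        if (privateKey == null || publicKey == null) {
            return false;
        }
        if (publicKey instanceof RSAKey) {
            return privateKey instanceof RSAKey
                    && ((RSAKey) publicKey).getModulus().equals(((RSAKey) privateKey).getModulus());
        }
        if (publicKey instanceof ECKey && privateKey instanceof ECKey) {
            return sameEcDomain(((ECKey) publicKey).getParams(), ((ECKey) privateKey).getParams())
                    && signatureRoundTrips(privateKey, publicKey, "SHA256withECDSA");
        }
        return false;
    }

    /** Structural equality of EC domain parameters (curve, generator, order, cofactor). */
    private static boolean sameEcDomain(ECParameterSpec a, ECParameterSpec b) {
        if (a == null || b == null) {
            return false;
        }
        return a.getCurve().equals(b.getCurve())
                && a.getGenerator().equals(b.getGenerator())
                && a.getOrder().equals(b.getOrder())
                && a.getCofactor() == b.getCofactor();
    }

    /**
     * Signs a fixed challenge with the private key and verifies it with the public key. Any
     * provider failure is logged and treated as a mismatch (fail closed); the
     * disable-public-key-check switch remains the escape hatch if a provider cannot sign.
     */
    private static boolean signatureRoundTrips(PrivateKey privateKey, PublicKey publicKey, String algorithm) {
        try {
            Signature signer = Signature.getInstance(algorithm);
            signer.initSign(privateKey);
            signer.update(KEY_MATCH_CHALLENGE);
            byte[] signature = signer.sign();
            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(publicKey);
            verifier.update(KEY_MATCH_CHALLENGE);
            return verifier.verify(signature);
        } catch (GeneralSecurityException e) {
            LOG.warn("Unable to confirm private/public key match using {}", algorithm, e);
            return false;
        }
    }

    /**
     * Throws unless the private key matches the public key of at least one certificate in the
     * list, or the check is disabled.
     *
     * <p>Note: a match against ANY certificate passes, not necessarily against the first one,
     * which is the one stored as the head of the chain.
     *
     * @throws KeyRefresherException on mismatch
     */
    static void verifyPrivateKeyCertsMatch(PrivateKey privateKey, List<? extends Certificate> certs) throws KeyRefresherException {
        if (disablePublicKeyCheck) {
            return;
        }
        for (Certificate cert : certs) {
            if (verifyPrivatePublicKeyMatch(privateKey, cert.getPublicKey())) {
                return;
            }
        }
        throw new KeyRefresherException("Public key mismatch");
    }

    /**
     * Builds a JKS trust store holding every X.509 certificate readable from the stream, each
     * under its subject DN as alias. The stream is not closed here.
     *
     * <p>KeyStore.setCertificateEntry replaces an existing entry with the same alias, so two CA
     * certificates sharing a subject DN (a key rollover, or a cross-signed root) would otherwise
     * leave only the last one trusted; a numeric suffix is appended to keep all of them.
     *
     * @throws KeyRefresherException if the content is not parseable or JKS is unavailable
     */
    public static KeyStore generateTrustStore(InputStream inputStream) throws IOException, KeyRefresherException {
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            KeyStore trustStore = KeyStore.getInstance(DEFAULT_KEYSTORE_TYPE);
            trustStore.load(null);
            for (Certificate certificate : certificateFactory.generateCertificates(inputStream)) {
                String subject = ((X509Certificate) certificate).getSubjectX500Principal().getName();
                String alias = subject;
                for (int n = 1; trustStore.containsAlias(alias); n++) {
                    alias = subject + "-" + n;
                }
                trustStore.setCertificateEntry(alias, certificate);
            }
            return trustStore;
        } catch (KeyStoreException e) {
            throw new KeyRefresherException("No Provider supports a KeyStoreSpi implementation for the specified type " + DEFAULT_KEYSTORE_TYPE, e);
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new KeyRefresherException("Unable to load the input stream as a KeyStore. Please check the content.", e);
        }
    }

    static {
        // BouncyCastle is appended (lowest priority) so JDK providers are still preferred; the
        // opt-out exists for deployments that manage their own provider list.
        if (!Boolean.parseBoolean(System.getProperty(PROP_SKIP_BC_PROVIDER, "false"))
                && Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}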
