package com.palantir.conjure.java.config.ssl;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.base.Throwables;
import com.google.common.io.BaseEncoding;
import com.palantir.conjure.java.config.ssl.pkcs1.Pkcs1PrivateKeyReader;
import com.palantir.logsafe.Arg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileFilter;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/palantir/conjure/java/config/ssl/KeyStores.class */
public final class KeyStores {
    /**
     * Interns parsed certificates, keyed by their encoded bytes. Bounded to 1024 entries whose values are
     * held through soft references.
     */
    private static final Cache<EqualByteArray, X509Certificate> certCache =
            Caffeine.newBuilder().maximumSize(1024).softValues().build();

    /**
     * Matches one PEM private-key block. Groups 1 and 3 capture the optional {@code RSA} marker of the BEGIN
     * and END lines, group 2 the Base64 body. DOTALL lets the body span several lines.
     */
    private static final Pattern KEY_PATTERN = Pattern.compile(
            "-----BEGIN (RSA)? ?PRIVATE KEY-----\n?(.+?)\n?-----END (RSA)? ?PRIVATE KEY-----", Pattern.DOTALL);

    /** Matches one PEM certificate block; group 1 is the Base64 body. */
    private static final Pattern CERT_PATTERN = Pattern.compile(
            "-----BEGIN CERTIFICATE-----\n?(.+?)\n?-----END CERTIFICATE-----", Pattern.DOTALL);

    /** Accepts every file that the platform does not report as hidden. */
    private static final FileFilter VISIBLE_FILE_FILTER = candidate -> !candidate.isHidden();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/palantir/conjure/java/config/ssl/KeyStores$EqualByteArray.class */
    /**
     * Wraps a byte array so that it can serve as a map or cache key with content-based
     * {@code equals}/{@code hashCode}.
     *
     * <p>The array is kept by reference, not copied: mutating it after construction changes the key's
     * equality and invalidates the cached hash.
     */
    public static class EqualByteArray {
        private final byte[] bytes;
        // Lazily computed content hash; 0 doubles as "not computed yet".
        private int hash;

        EqualByteArray(byte[] bArr) {
            this.bytes = bArr;
        }

        /** Returns the cached content hash, computing it on first use; an empty array always hashes to 0. */
        @Override
        public int hashCode() {
            int cached = this.hash;
            if (cached != 0 || this.bytes.length == 0) {
                return cached;
            }
            cached = Arrays.hashCode(this.bytes);
            this.hash = cached;
            return cached;
        }

        /** Two wrappers are equal when their arrays hold the same bytes in the same order. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof EqualByteArray)) {
                return false;
            }
            EqualByteArray other = (EqualByteArray) obj;
            return Arrays.equals(this.bytes, other.bytes);
        }
    }

    /** Not instantiable: the private constructor is never called and every member of this class is static. */
    private KeyStores() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
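    /**
     * Builds a trust store from the X.509 certificates found at {@code path}.
     *
     * <p>If {@code path} is a directory, every non-hidden entry directly inside it is read; otherwise the
     * single file is read. The certificates of one file are stored under the aliases
     * {@code <fileName>-0}, {@code <fileName>-1}, and so on.
     *
     * <p>Every certificate that parses becomes a trusted entry, so write access to that file or directory
     * amounts to control over the trust anchors. Restrict it accordingly.
     *
     * @param path a certificate file, or a directory of certificate files
     * @return a freshly created key store holding the certificates
     * @throws RuntimeException if a file cannot be opened or cannot be read as X.509
     */
    public static KeyStore createTrustStoreFromCertificates(Path path) {
        KeyStore trustStore = createKeyStore();
        for (File certFile : getFilesForPath(path)) {
            // try-with-resources: the stream is closed even when parsing or insertion throws.
            try (InputStream in = new BufferedInputStream(Files.newInputStream(certFile.toPath()))) {
                addCertificatesToKeystore(trustStore, certFile.getName(), readX509Certificates(in));
            } catch (IOException e) {
                throw new RuntimeException(
                        String.format("IOException encountered when opening '%s'", certFile.toPath()), e);
            } catch (KeyStoreException | CertificateException e) {
                throw new RuntimeException(
                        String.format("Could not read file at \"%s\" as an X.509 certificate", certFile.toPath()),
                        e);
            }
        }
        return trustStore;
    }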

    /* JADX INFO: Access modifiers changed from: package-private */
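    /**
     * Builds a trust store from in-memory PEM certificates.
     *
     * <p>Each map value is parsed as X.509. The certificates of one value are stored under the aliases
     * {@code <mapKey>-0}, {@code <mapKey>-1}, and so on. Every certificate that parses becomes a trusted
     * entry, so the map must come from a source that is allowed to define trust anchors.
     *
     * @param map alias prefix to PEM certificate
     * @return a freshly created key store holding the certificates
     * @throws RuntimeException if a value cannot be read as an X.509 certificate
     */
    public static KeyStore createTrustStoreFromCertificates(Map<String, PemX509Certificate> map) {
        KeyStore trustStore = createKeyStore();
        for (Map.Entry<String, PemX509Certificate> entry : map.entrySet()) {
            byte[] pemBytes = entry.getValue().pemCertificate().getBytes(StandardCharsets.UTF_8);
            try (ByteArrayInputStream in = new ByteArrayInputStream(pemBytes)) {
                addCertificatesToKeystore(trustStore, entry.getKey(), readX509Certificates(in));
            } catch (IOException e) {
                // IOException is checked, so wrapping it directly is what the deprecated Guava
                // Throwables.propagate helper would do for it.
                throw new RuntimeException(e);
            } catch (KeyStoreException | CertificateException e) {
                throw new RuntimeException(
                        String.format(
                                "Could not read certificate alias \"%s\" as an X.509 certificate", entry.getKey()),
                        e);
            }
        }
        return trustStore;
    }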

    /**
     * Adds each certificate as a trusted entry under the alias {@code <str>-<index>}, with indices counted
     * from 0 in list order.
     *
     * @param keyStore the store to add to
     * @param str alias prefix shared by all certificates of the list
     * @param list certificates to add
     * @throws KeyStoreException if the store rejects an entry
     */
    private static void addCertificatesToKeystore(KeyStore keyStore, String str, List<Certificate> list) throws KeyStoreException {
        int index = 0;
        for (Certificate certificate : list) {
            keyStore.setCertificateEntry(str + "-" + index, certificate);
            index++;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
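    /**
     * Builds a PKCS#12 key store from PEM files that each contain both a private key and its certificates.
     *
     * <p>If {@code path} is a directory, every non-hidden entry directly inside it is read; otherwise the
     * single file is read. Each key entry is stored under the file's name and with a {@code null} password.
     *
     * @param path a combined PEM file, or a directory of them
     * @return the populated in-memory key store
     * @throws RuntimeException if the key store cannot be created or a file cannot be read or parsed
     */
    public static KeyStore createKeyStoreFromCombinedPems(Path path) {
        try {
            KeyStore keyStore = KeyStore.getInstance("pkcs12");
            keyStore.load(null, null);
            for (File pemFile : getFilesForPath(path)) {
                // Key and certificates come from the same file, hence the same path twice.
                Path pemPath = pemFile.toPath();
                KeyStore.PrivateKeyEntry entry = readKeyEntryFromPems(pemPath, pemPath);
                keyStore.setKeyEntry(pemFile.getName(), entry.getPrivateKey(), null, entry.getCertificateChain());
            }
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            // Both caught types are checked, so wrapping them directly is what the deprecated Guava
            // Throwables.propagate helper would do for them.
            throw new RuntimeException(e);
        }
    }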

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds a PKCS#12 key store by pairing key files from one directory with certificate files from another.
     *
     * <p>A file in {@code path} whose name ends with {@code str} is treated as a key file. Its name minus
     * that suffix is the entry alias, and the certificates are read from {@code path2/<alias><str2>}.
     * Files without the suffix are skipped. Each key entry is stored with a {@code null} password.
     *
     * @param path directory holding the private-key PEM files
     * @param str file-name suffix identifying a key file
     * @param path2 directory holding the certificate PEM files
     * @param str2 file-name suffix of the matching certificate file
     * @return the populated in-memory key store
     * @throws IllegalStateException if either path is not a directory
     * @throws SafeRuntimeException if the key store cannot be created or populated
     */
    public static KeyStore createKeyStoreFromPemDirectories(Path path, String str, Path path2, String str2) {
        boolean keyDirOk = path.toFile().isDirectory();
        if (!keyDirOk) {
            throw new IllegalStateException(String.format("keyDirPath is not a directory: \"%s\"", path));
        }
        boolean certDirOk = path2.toFile().isDirectory();
        if (!certDirOk) {
            throw new IllegalStateException(String.format("certDirPath is not a directory: \"%s\"", path2));
        }
        try {
            KeyStore result = KeyStore.getInstance("pkcs12");
            result.load(null, null);
            for (File keyFile : getFilesForPath(path)) {
                String fileName = keyFile.getName();
                if (!fileName.endsWith(str)) {
                    continue;
                }
                String alias = fileName.substring(0, fileName.length() - str.length());
                Path certFile = path2.resolve(alias + str2);
                KeyStore.PrivateKeyEntry entry = readKeyEntryFromPems(keyFile.toPath(), certFile);
                result.setKeyEntry(alias, entry.getPrivateKey(), null, entry.getCertificateChain());
            }
            return result;
        } catch (IOException | GeneralSecurityException e) {
            throw new SafeRuntimeException("Failed to create key store from PEM directories", e, new Arg[0]);
        }
    }

    /**
     * Resolves {@code path} to the files to read: the non-hidden direct children when it is a directory,
     * otherwise the path itself as a single-element array. The listing is not recursive.
     *
     * @throws IllegalStateException if the directory cannot be listed
     */
    private static File[] getFilesForPath(Path path) {
        File root = path.toFile();
        if (!root.isDirectory()) {
            return new File[] {root};
        }
        File[] visible = root.listFiles(VISIBLE_FILE_FILTER);
        if (visible == null) {
            throw new IllegalStateException(String.format("failed to list visible files in directory %s", path));
        }
        return visible;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
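    /**
     * Loads a key store of the given type from a file.
     *
     * @param str key store type passed to {@link KeyStore#getInstance(String)}, e.g. {@code "pkcs12"}
     * @param path location of the key store file
     * @param optional key store password; when absent, {@code null} is passed to
     *     {@link KeyStore#load(InputStream, char[])}
     * @return the loaded key store
     * @throws RuntimeException wrapping the {@link IOException} or {@link GeneralSecurityException} raised
     *     while opening or loading the file
     */
    public static KeyStore loadKeyStore(String str, Path path, Optional<String> optional) {
        try {
            KeyStore keyStore = KeyStore.getInstance(str);
            char[] password = optional.map(String::toCharArray).orElse(null);
            // try-with-resources: the file handle is released even when load() rejects the content
            // or the password.
            try (InputStream in = Files.newInputStream(path)) {
                keyStore.load(in, password);
            }
            return keyStore;
        } catch (IOException | GeneralSecurityException e) {
            // Both caught types are checked, so wrapping them directly is what the deprecated Guava
            // Throwables.propagate helper would do for them.
            throw new RuntimeException(e);
        }
    }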

    /* JADX INFO: Access modifiers changed from: package-private */
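    /**
     * Creates a new key store of the same type as {@code keyStore} that contains only the key entry stored
     * under alias {@code str}.
     *
     * <p>The same password (or {@code null} when absent) is used to initialise the new store, to read the
     * key from the source store and to protect the copied entry.
     *
     * @param keyStore source key store
     * @param optional password for the key
     * @param str alias of the entry to copy
     * @return a key store holding just that entry
     * @throws IllegalStateException if the alias has no key or no certificate chain in the source store
     * @throws RuntimeException wrapping the {@link IOException} or {@link GeneralSecurityException} raised
     *     by the key store operations
     */
    public static KeyStore newKeyStoreWithEntry(KeyStore keyStore, Optional<String> optional, String str) {
        try {
            KeyStore singleEntryStore = KeyStore.getInstance(keyStore.getType());
            char[] password = optional.map(String::toCharArray).orElse(null);
            singleEntryStore.load(null, password);

            Key key = keyStore.getKey(str, password);
            if (key == null) {
                throw new IllegalStateException(
                        String.format("Could not find key with alias \"%s\" in key store", str));
            }
            Certificate[] chain = keyStore.getCertificateChain(str);
            if (chain == null) {
                throw new IllegalStateException(
                        String.format("Could not find certificate chain with alias \"%s\" in key store", str));
            }
            singleEntryStore.setKeyEntry(str, key, password, chain);
            return singleEntryStore;
        } catch (IOException | GeneralSecurityException e) {
            // Both caught types are checked, so wrapping them directly is what the deprecated Guava
            // Throwables.propagate helper would do for them.
            throw new RuntimeException(e);
        }
    }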

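    /**
     * Creates an empty, initialised key store of the JVM's default type.
     *
     * @throws RuntimeException wrapping the {@link IOException} or {@link GeneralSecurityException} raised
     *     while creating or initialising the store
     */
    private static KeyStore createKeyStore() {
        try {
            KeyStore emptyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises the store without reading any content.
            emptyStore.load(null, null);
            return emptyStore;
        } catch (IOException | GeneralSecurityException e) {
            // Both caught types are checked, so wrapping them directly is what the deprecated Guava
            // Throwables.propagate helper would do for them.
            throw new RuntimeException(e);
        }
    }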

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Parses every X.509 certificate in the stream and returns the interned instances in parse order.
     *
     * <p>The stream is not closed here; that remains the caller's job.
     * NOTE(review): nothing in this method rejects an input that yields zero certificates. Confirm that
     * callers treat an empty result as an error where an empty trust store would be unsafe.
     *
     * @param inputStream source of the encoded certificates
     * @return the parsed certificates
     * @throws CertificateException if the input cannot be parsed
     */
    public static List<Certificate> readX509Certificates(InputStream inputStream) throws CertificateException {
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        List<Certificate> interned = new ArrayList<>();
        for (Certificate parsed : x509Factory.generateCertificates(inputStream)) {
            interned.add(getCertFromCache((X509Certificate) parsed));
        }
        return interned;
    }

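    /**
     * Reads a private key and its certificate chain from PEM files and combines them into a key entry.
     *
     * <p>When both paths are equal the file is read once and used for both parts.
     *
     * @param path PEM file containing the private key
     * @param path2 PEM file containing the certificate chain
     * @return the key entry
     * @throws RuntimeException naming the key file if the key cannot be read or parsed, or naming the
     *     certificate file if the certificates cannot be read or parsed
     */
    private static KeyStore.PrivateKeyEntry readKeyEntryFromPems(Path path, Path path2) {
        String keyPem;
        PrivateKey privateKey;
        // Key parsing belongs to this first step so that a malformed key is reported against the key
        // file rather than against the certificate file.
        try {
            keyPem = readFileAsString(path);
            privateKey = getPrivateKeyFromString(keyPem);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(String.format("Failed to read private key from file at \"%s\"", path), e);
        }

        List<Certificate> chain;
        try {
            String certPem = path.equals(path2) ? keyPem : readFileAsString(path2);
            chain = getCertificatesFromString(certPem);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(String.format("Failed to read certificates from file at \"%s\"", path2), e);
        }

        // The PrivateKeyEntry constructor itself rejects an empty chain or a key that does not match the
        // first certificate; those unchecked exceptions are left to propagate.
        return new KeyStore.PrivateKeyEntry(privateKey, chain.toArray(new Certificate[0]));
    }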

    /**
     * Reads the whole file into memory and decodes it as UTF-8.
     *
     * @throws IOException if the file cannot be read
     */
    private static String readFileAsString(Path path) throws IOException {
        byte[] content = Files.readAllBytes(path);
        return new String(content, StandardCharsets.UTF_8);
    }

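    /**
     * Extracts the first PEM private-key block from {@code str} and decodes it as an RSA key.
     *
     * <p>A block whose BEGIN line carries the {@code RSA} marker is parsed as PKCS#1, one without it as
     * PKCS#8. The BEGIN and END lines must agree on the marker.
     *
     * @param str PEM text, typically the full contents of a key file
     * @return the decoded RSA private key
     * @throws GeneralSecurityException if no well-formed key block is found or the key cannot be built
     */
    static PrivateKey getPrivateKeyFromString(String str) throws GeneralSecurityException {
        Matcher matcher = KEY_PATTERN.matcher(str);
        if (!matcher.find() || !Objects.equals(matcher.group(1), matcher.group(3))) {
            // The input is key-file content and may hold private key material (for example a block with
            // mismatched BEGIN/END markers). It must never be echoed into the message: exception text
            // routinely ends up in logs and error reports.
            throw new GeneralSecurityException("unable to find valid RSA key in the provided string");
        }
        byte[] decoded = BaseEncoding.base64().decode(matcher.group(2).replace("\n", ""));
        boolean isPkcs1 = "RSA".equals(matcher.group(1));
        return KeyFactory.getInstance("RSA")
                .generatePrivate(isPkcs1 ? parsePkcs1PrivateKey(decoded) : parsePkcs8PrivateKey(decoded));
    }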

    /**
     * Turns the decoded body of an {@code RSA PRIVATE KEY} PEM block into an RSA key spec by delegating to
     * {@link Pkcs1PrivateKeyReader}.
     *
     * @param bArr decoded bytes of the key block
     * @return the RSA private key spec read from those bytes
     */
    static RSAPrivateKeySpec parsePkcs1PrivateKey(byte[] bArr) {
        Pkcs1PrivateKeyReader reader = new Pkcs1PrivateKeyReader(bArr);
        return reader.readRsaKey();
    }

    /**
     * Wraps the decoded body of a {@code PRIVATE KEY} PEM block in a PKCS#8 key spec. The bytes are not
     * validated here; the key factory that consumes the spec does that.
     *
     * @param bArr decoded bytes of the key block
     * @return a key spec over those bytes
     */
    static PKCS8EncodedKeySpec parsePkcs8PrivateKey(byte[] bArr) {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bArr);
        return spec;
    }

    /**
     * Parses every {@code CERTIFICATE} PEM block found in {@code str}, in order of appearance, and returns
     * the interned certificates. Text outside those blocks, such as a private key in a combined file, is
     * ignored. A string without any certificate block yields an empty list.
     *
     * @param str PEM text
     * @return the certificates found
     * @throws IOException if closing the in-memory stream fails
     * @throws CertificateException if a block cannot be parsed as X.509
     */
    private static List<Certificate> getCertificatesFromString(String str) throws IOException, CertificateException {
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        List<Certificate> found = new ArrayList<>();
        Matcher blocks = CERT_PATTERN.matcher(str);
        while (blocks.find()) {
            // group() is the whole block including the BEGIN/END lines, which the factory expects.
            byte[] pemBlock = blocks.group().getBytes(StandardCharsets.UTF_8);
            try (ByteArrayInputStream in = new ByteArrayInputStream(pemBlock)) {
                X509Certificate parsed = (X509Certificate) x509Factory.generateCertificate(in);
                found.add(getCertFromCache(parsed));
            }
        }
        return found;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Interns a certificate: returns the cached instance whose encoded bytes equal those of the argument,
     * caching the argument itself when no such entry exists yet.
     *
     * <p>The lookup key is the full encoding, so only byte-identical certificates share an instance.
     *
     * @param x509Certificate the certificate to intern
     * @return the cached certificate with the same encoding
     * @throws SafeRuntimeException if the certificate cannot be encoded
     */
    public static X509Certificate getCertFromCache(X509Certificate x509Certificate) {
        EqualByteArray cacheKey;
        try {
            cacheKey = new EqualByteArray(x509Certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new SafeRuntimeException("Unable to get certificate bytes", e, new Arg[0]);
        }
        return certCache.get(cacheKey, unusedKey -> x509Certificate);
    }
}
