package io.airlift.security.pem;

import ch.qos.logback.core.net.ssl.SSL;
import com.google.common.io.Files;
import com.microsoft.azure.keyvault.webkey.JsonWebKeyType;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* loaded from: input_file:io/airlift/security/pem/PemReader.class */
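/**
 * Reads PEM-encoded X.509 certificates, PKCS#8 private keys and X.509 public keys and
 * exposes them as JCA objects or in-memory key stores.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Certificates are only parsed. Nothing here checks validity dates, signatures or
 *       chain order, and every certificate handed to {@link #loadTrustStore(File)} becomes a
 *       trust anchor, so the PEM file needs the same write protection as a trust store.</li>
 *   <li>Base64 bodies are decoded with the lenient MIME decoder, which skips characters
 *       outside the Base64 alphabet instead of rejecting them.</li>
 *   <li>Key material is always handed to the JCA as PKCS#8 / X.509 SubjectPublicKeyInfo.
 *       The private-key pattern also matches other "... PRIVATE KEY" labels; presumably
 *       such bodies (for example PKCS#1) are rejected by the key factories - verify before
 *       relying on it.</li>
 * </ul>
 */
public final class PemReader {
    // "\s" already covers CR and LF. The earlier "(?:\s|\r|\n)+" alternation matched the same
    // text but was ambiguous for the backtracking matcher, which can get expensive on a
    // header followed by many blank lines (notably on regex engines without memoization).
    private static final Pattern CERT_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*CERTIFICATE[^-]*-+\\s+([a-z0-9+/=\\r\\n]+)-+END\\s+.*CERTIFICATE[^-]*-+",
            Pattern.CASE_INSENSITIVE);
    private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+\\s+([a-z0-9+/=\\r\\n]+)-+END\\s+.*PRIVATE\\s+KEY[^-]*-+",
            Pattern.CASE_INSENSITIVE);
    private static final Pattern PUBLIC_KEY_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*PUBLIC\\s+KEY[^-]*-+\\s+([a-z0-9+/=\\r\\n]+)-+END\\s+.*PUBLIC\\s+KEY[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    // Standard JCA names spelled out as literals. The decompiled listing pulled them from
    // constants in logback and the Azure Key Vault SDK, which hid the real values and tied
    // this class to two unrelated libraries.
    private static final String KEYSTORE_TYPE = "JKS";
    // Order matters: it is the order in which key factories are tried.
    private static final String[] KEY_ALGORITHMS = {"RSA", "EC", "DSA"};

    private PemReader() {
    }

    /**
     * Builds an in-memory trust store holding every certificate found in a PEM file.
     *
     * <p>Each entry is aliased by the certificate's RFC 2253 subject name. When that alias is
     * already taken (two certificates with the same subject, as happens during a CA key
     * rollover), a numeric suffix is appended so the later certificate does not silently
     * replace the earlier one.
     *
     * @param file PEM file containing zero or more certificates
     * @return a key store with one certificate entry per certificate in the file
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if a certificate cannot be parsed or stored
     */
    public static KeyStore loadTrustStore(File file) throws IOException, GeneralSecurityException {
        KeyStore trustStore = newEmptyKeyStore();
        for (X509Certificate certificate : readCertificateChain(file)) {
            String subject = certificate.getSubjectX500Principal().getName("RFC2253");
            String alias = subject;
            for (int copy = 2; trustStore.containsAlias(alias); copy++) {
                alias = subject + " #" + copy;
            }
            trustStore.setCertificateEntry(alias, certificate);
        }
        return trustStore;
    }

    /**
     * Builds an in-memory key store with a single entry named {@code "key"}.
     *
     * @param file PEM file holding the certificate chain
     * @param file2 PEM file holding the private key
     * @param optional password of the private key; when present the key is treated as
     *     encrypted, and the same value (or the empty string when absent) protects the entry
     * @return a key store containing the private key and its certificate chain
     * @throws IOException if either file cannot be read or the encrypted key is malformed
     * @throws GeneralSecurityException if the key or a certificate cannot be parsed, or the
     *     certificate file contains no certificates
     */
    public static KeyStore loadKeyStore(File file, File file2, Optional<String> optional) throws IOException, GeneralSecurityException {
        PrivateKey privateKey = loadPrivateKey(file2, optional);
        List<X509Certificate> chain = readCertificateChain(file);
        if (chain.isEmpty()) {
            throw new CertificateException("Certificate file does not contain any certificates: " + file);
        }
        KeyStore keyStore = newEmptyKeyStore();
        keyStore.setKeyEntry("key", privateKey, optional.orElse("").toCharArray(), chain.toArray(new Certificate[0]));
        return keyStore;
    }

    /**
     * Reads all certificates from a PEM file, decoding the file as US-ASCII.
     *
     * @param file PEM file to read
     * @return the certificates in file order; empty when the file contains none
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if a certificate body cannot be parsed
     */
    public static List<X509Certificate> readCertificateChain(File file) throws IOException, GeneralSecurityException {
        return readCertificateChain(readPemFile(file));
    }

    /**
     * Parses every PEM certificate block found in the given text.
     *
     * @param str text containing zero or more PEM certificate blocks
     * @return the certificates in order of appearance; empty when none match
     * @throws CertificateException if a matched body is not a parseable X.509 certificate
     */
    public static List<X509Certificate> readCertificateChain(String str) throws CertificateException {
        Matcher matcher = CERT_PATTERN.matcher(str);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certificates = new ArrayList<>();
        while (matcher.find()) {
            byte[] der = base64Decode(matcher.group(1));
            certificates.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certificates;
    }

    /**
     * Reads the first private key from a PEM file, decoding the file as US-ASCII.
     *
     * @param file PEM file to read
     * @param optional key password; when present the key is decrypted with it
     * @return the private key
     * @throws IOException if the file cannot be read or the encrypted key is malformed
     * @throws GeneralSecurityException if no key is found or it cannot be decrypted or parsed
     */
    public static PrivateKey loadPrivateKey(File file, Optional<String> optional) throws IOException, GeneralSecurityException {
        return loadPrivateKey(readPemFile(file), optional);
    }

    /**
     * Parses the first PEM private-key block in the given text.
     *
     * <p>When a password is supplied the body is read as a PKCS#8
     * {@code EncryptedPrivateKeyInfo}; the cipher name and parameters are taken from that
     * structure, so the strength of the protection is whatever the file was written with.
     * The password also remains on the heap inside the caller's {@code String}.
     *
     * @param str text containing a PEM private key
     * @param optional key password; when present the key is decrypted with it
     * @return the private key, built by the first of the RSA, EC and DSA factories that
     *     accepts it
     * @throws IOException if the encrypted key structure is malformed
     * @throws GeneralSecurityException if no key is found, decryption fails, or no factory
     *     accepts the key
     */
    public static PrivateKey loadPrivateKey(String str, Optional<String> optional) throws IOException, GeneralSecurityException {
        Matcher matcher = PRIVATE_KEY_PATTERN.matcher(str);
        if (!matcher.find()) {
            throw new KeyStoreException("did not find a private key");
        }
        byte[] encoded = base64Decode(matcher.group(1));
        PKCS8EncodedKeySpec keySpec = optional.isPresent()
                ? decryptPrivateKey(encoded, optional.get())
                : new PKCS8EncodedKeySpec(encoded);

        List<InvalidKeySpecException> failures = new ArrayList<>();
        for (String algorithm : KEY_ALGORITHMS) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
            } catch (InvalidKeySpecException e) {
                failures.add(e);
            }
        }
        throw lastWithSuppressed(failures);
    }

    /**
     * Reads the first public key from a PEM file, decoding the file as US-ASCII.
     *
     * @param file PEM file to read
     * @return the public key
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if no key is found or it cannot be parsed
     */
    public static PublicKey loadPublicKey(File file) throws IOException, GeneralSecurityException {
        return loadPublicKey(readPemFile(file));
    }

    /**
     * Parses the first PEM public-key block in the given text.
     *
     * @param str text containing a PEM public key
     * @return the public key, built by the first of the RSA, EC and DSA factories that
     *     accepts it
     * @throws GeneralSecurityException if no key is found or no factory accepts the key
     */
    public static PublicKey loadPublicKey(String str) throws GeneralSecurityException {
        Matcher matcher = PUBLIC_KEY_PATTERN.matcher(str);
        if (!matcher.find()) {
            throw new KeyStoreException("did not find a public key");
        }
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(base64Decode(matcher.group(1)));

        List<InvalidKeySpecException> failures = new ArrayList<>();
        for (String algorithm : KEY_ALGORITHMS) {
            try {
                return KeyFactory.getInstance(algorithm).generatePublic(keySpec);
            } catch (InvalidKeySpecException e) {
                failures.add(e);
            }
        }
        throw lastWithSuppressed(failures);
    }

    /** Creates an empty, initialized in-memory key store. */
    private static KeyStore newEmptyKeyStore() throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null, null);
        return keyStore;
    }

    /** Reads a whole file as US-ASCII text using only JDK classes. */
    private static String readPemFile(File file) throws IOException {
        StringBuilder text = new StringBuilder();
        try (Reader reader = new InputStreamReader(new FileInputStream(file), StandardCharsets.US_ASCII)) {
            char[] buffer = new char[4096];
            for (int read = reader.read(buffer); read != -1; read = reader.read(buffer)) {
                text.append(buffer, 0, read);
            }
        }
        return text.toString();
    }

    /** Decrypts a DER-encoded EncryptedPrivateKeyInfo with the given password. */
    private static PKCS8EncodedKeySpec decryptPrivateKey(byte[] encoded, String password) throws IOException, GeneralSecurityException {
        EncryptedPrivateKeyInfo encryptedKey = new EncryptedPrivateKeyInfo(encoded);
        PBEKeySpec passwordSpec = new PBEKeySpec(password.toCharArray());
        try {
            SecretKey secretKey = SecretKeyFactory.getInstance(encryptedKey.getAlgName()).generateSecret(passwordSpec);
            Cipher cipher = Cipher.getInstance(encryptedKey.getAlgName());
            cipher.init(Cipher.DECRYPT_MODE, secretKey, encryptedKey.getAlgParameters());
            return encryptedKey.getKeySpec(cipher);
        } finally {
            // Wipe the char[] copy held by the spec once it is no longer needed.
            passwordSpec.clearPassword();
        }
    }

    /**
     * Returns the last failure (the one that used to be thrown on its own) with the earlier
     * ones attached as suppressed exceptions, so no factory's diagnosis is lost.
     */
    private static InvalidKeySpecException lastWithSuppressed(List<InvalidKeySpecException> failures) {
        InvalidKeySpecException last = failures.remove(failures.size() - 1);
        failures.forEach(last::addSuppressed);
        return last;
    }

    /** Decodes a PEM body; the MIME decoder tolerates line breaks inside the Base64 text. */
    private static byte[] base64Decode(String str) {
        return Base64.getMimeDecoder().decode(str.getBytes(StandardCharsets.US_ASCII));
    }
}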
