package org.apache.solr.util;

import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.io.InputStream;
import java.lang.invoke.MethodHandles;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import org.apache.solr.common.SolrException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/util/CryptoKeys.class */
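/**
 * Helpers for RSA key handling, signature verification and X.509 certificate parsing.
 *
 * <p>An instance holds a named set of trusted RSA public keys and reports which of them, if
 * any, verifies a given signature. The static methods are stateless.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The {@code verify(...)} family uses {@code SHA1withRSA}. SHA-1 is no longer considered
 *       collision resistant; {@link #verifySha256} is the stronger primitive available here.
 *       The algorithm is left unchanged because existing signatures depend on it.</li>
 *   <li>{@link RSAKeyPair#encrypt} and {@link #decryptRSA} use {@code RSA/ECB/nopadding}, i.e.
 *       raw RSA with no padding scheme. The operation is deterministic and gives no integrity
 *       protection on its own, so callers must validate the recovered plaintext themselves.</li>
 *   <li>Instances are not thread-safe: the {@code verify} instance methods write the
 *       {@code exception} field without synchronization.</li>
 * </ul>
 */
public final class CryptoKeys {
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    private static final String PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_CERT_END = "-----END CERTIFICATE-----";

    // Trusted public keys by name; immutable after construction.
    private final Map<String, PublicKey> keys;
    // Last failure seen by an instance verify(...) call. It is written but never read in this class.
    private Exception exception;

    /** An RSA key pair that is either freshly generated or loaded from PEM/DER resources. */
    public static class RSAKeyPair {
        private final String pubKeyStr;
        private final PublicKey publicKey;
        private final PrivateKey privateKey;
        private static final int DEFAULT_KEYPAIR_LENGTH = 2048;

        /** Generates a new RSA key pair of {@code DEFAULT_KEYPAIR_LENGTH} bits. */
        public RSAKeyPair() {
            try {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
                keyPairGenerator.initialize(DEFAULT_KEYPAIR_LENGTH);
                KeyPair generated = keyPairGenerator.genKeyPair();
                this.privateKey = generated.getPrivate();
                this.publicKey = generated.getPublic();
                this.pubKeyStr = Base64.getEncoder().encodeToString(this.publicKey.getEncoded());
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError("JVM spec is required to support RSA", e);
            }
        }

        /**
         * Loads a key pair from two resources.
         *
         * @param url location of the private key: PKCS#8, Base64 encoded, optionally wrapped in
         *     {@code -----BEGIN/END PRIVATE KEY-----} markers
         * @param url2 location of the public key as raw X.509 (SubjectPublicKeyInfo) bytes
         * @throws IOException if either resource cannot be read
         * @throws InvalidKeySpecException if either key cannot be parsed as an RSA key
         * @throws IllegalArgumentException if the private key text is not valid Base64
         */
        public RSAKeyPair(URL url, URL url2) throws IOException, InvalidKeySpecException {
            try (InputStream privateIn = url.openStream()) {
                String pem = new String(privateIn.readAllBytes(), StandardCharsets.UTF_8)
                        .replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "");
                // The MIME decoder tolerates the line breaks left over from the PEM body.
                PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode(pem));
                this.privateKey = KeyFactory.getInstance("RSA").generatePrivate(spec);
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError("JVM spec is required to support RSA", e);
            }
            try (InputStream publicIn = url2.openStream()) {
                this.publicKey = CryptoKeys.getX509PublicKey(publicIn.readAllBytes());
                this.pubKeyStr = Base64.getEncoder().encodeToString(this.publicKey.getEncoded());
            }
        }

        /** Returns the Base64 text of the X.509-encoded public key. */
        public String getPublicKeyStr() {
            return this.pubKeyStr;
        }

        /** Returns the public half of the pair. */
        public PublicKey getPublicKey() {
            return this.publicKey;
        }

        /**
         * Applies the raw RSA private-key operation to the remaining bytes of the buffer.
         *
         * <p>No padding is used ({@code RSA/ECB/nopadding}), so the result is deterministic and
         * carries no integrity protection by itself; see {@link #signSha256} for a padded,
         * hashed signature.
         *
         * @param byteBuffer heap-backed buffer; bytes from its position up to its limit are used
         * @return the RSA output block
         * @throws SolrException wrapping any failure
         */
        public byte[] encrypt(ByteBuffer byteBuffer) {
            try {
                Cipher cipher = Cipher.getInstance("RSA/ECB/nopadding");
                cipher.init(Cipher.ENCRYPT_MODE, this.privateKey);
                // The length is remaining(), not limit(): with a non-zero position, limit() would
                // read past the buffer's logical end into unrelated bytes of the backing array.
                return cipher.doFinal(
                        byteBuffer.array(),
                        byteBuffer.arrayOffset() + byteBuffer.position(),
                        byteBuffer.remaining());
            } catch (Exception e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
            }
        }

        /**
         * Signs the given bytes with {@code SHA256withRSA}.
         *
         * @param bArr data to sign
         * @return the signature bytes
         * @throws SolrException if the key is invalid or signing fails
         */
        public byte[] signSha256(byte[] bArr) {
            Signature signature;
            try {
                signature = Signature.getInstance("SHA256withRSA");
            } catch (NoSuchAlgorithmException e) {
                throw new InternalError("SHA256withRSA is required to be supported by the JVM.", e);
            }
            try {
                signature.initSign(this.privateKey);
                signature.update(bArr, 0, bArr.length);
                return signature.sign();
            } catch (InvalidKeyException | SignatureException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error generating PKI Signature", e);
            }
        }
    }

    /**
     * Builds the trusted key set.
     *
     * @param map key name to X.509-encoded RSA public key bytes
     * @throws Exception if any entry cannot be parsed as an RSA public key
     */
    public CryptoKeys(Map<String, byte[]> map) throws Exception {
        Map<String, PublicKey> parsed = new HashMap<>();
        for (Map.Entry<String, byte[]> entry : map.entrySet()) {
            parsed.put(entry.getKey(), getX509PublicKey(entry.getValue()));
        }
        this.keys = ImmutableMap.copyOf(parsed);
    }

    /**
     * Finds the trusted key that verifies a signature over the buffer content.
     *
     * @param str Base64-encoded signature
     * @param byteBuffer heap-backed buffer holding the signed data
     * @return the name of the first key that verifies the signature, or {@code null} if none does
     *     (including when the signature is malformed)
     */
    public String verify(String str, ByteBuffer byteBuffer) {
        this.exception = null;
        for (Map.Entry<String, PublicKey> entry : this.keys.entrySet()) {
            // Reset per key: a failure for one key must never count as a success.
            boolean verified = false;
            try {
                verified = verify(entry.getValue(), Base64.getDecoder().decode(str), byteBuffer);
                log.debug("verified {} ", verified);
            } catch (Exception e) {
                this.exception = e;
                log.debug("NOT verified  ");
            }
            if (verified) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Finds the trusted key that verifies a signature over the stream content.
     *
     * <p>A stream can be consumed only once. With more than one trusted key the content is
     * therefore read into memory first and each key is checked against the same bytes;
     * otherwise every key after the first would be checked against an already-drained stream
     * and could never match. With a single key the stream is consumed incrementally.
     *
     * @param str Base64-encoded signature
     * @param inputStream the signed data; not closed by this method
     * @return the name of the first key that verifies the signature, or {@code null} if none does
     */
    public String verify(String str, InputStream inputStream) {
        this.exception = null;
        if (this.keys.size() > 1) {
            byte[] content;
            try {
                // NOTE(review): this buffers the whole stream; callers handling untrusted
                // uploads should bound the input size before calling.
                content = inputStream.readAllBytes();
            } catch (IOException e) {
                this.exception = e;
                log.debug("NOT verified  ");
                return null;
            }
            return verify(str, ByteBuffer.wrap(content));
        }
        for (Map.Entry<String, PublicKey> entry : this.keys.entrySet()) {
            boolean verified = false;
            try {
                verified = verify(entry.getValue(), Base64.getDecoder().decode(str), inputStream);
                log.debug("verified {} ", verified);
            } catch (Exception e) {
                this.exception = e;
                log.debug("NOT verified  ");
            }
            if (verified) {
                return entry.getKey();
            }
        }
        return null;
    }

    /**
     * Parses X.509 (SubjectPublicKeyInfo) bytes into an RSA public key.
     *
     * @param bArr DER-encoded key
     * @return the parsed key
     * @throws InvalidKeySpecException if the bytes are not a valid RSA public key
     */
    public static PublicKey getX509PublicKey(byte[] bArr) throws InvalidKeySpecException {
        try {
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(bArr));
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("JVM spec is required to support RSA", e);
        }
    }

    /**
     * Verifies a {@code SHA1withRSA} signature over a heap-backed buffer.
     *
     * <p>The verified range starts at the buffer's array offset and spans {@code limit()} bytes;
     * the buffer's current position is ignored.
     *
     * <p>SHA-1 is kept for compatibility with existing signatures; prefer {@link #verifySha256}
     * where the signer can produce SHA-256 signatures.
     *
     * @param publicKey key to verify with
     * @param bArr raw signature bytes
     * @param byteBuffer signed data
     * @return {@code true} if the signature matches
     * @throws InvalidKeyException if the key is unusable
     * @throws SignatureException if the signature is malformed
     */
    public static boolean verify(PublicKey publicKey, byte[] bArr, ByteBuffer byteBuffer) throws InvalidKeyException, SignatureException {
        ByteBuffer signedRange = ByteBuffer.wrap(byteBuffer.array(), byteBuffer.arrayOffset(), byteBuffer.limit());
        try {
            Signature signature = Signature.getInstance("SHA1withRSA");
            signature.initVerify(publicKey);
            signature.update(signedRange);
            return signature.verify(bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
        }
    }

    /**
     * Verifies a {@code SHA1withRSA} signature over everything left in a stream.
     *
     * <p>Unlike the {@link ByteBuffer} overload, a malformed signature yields {@code false}
     * here instead of a {@link SignatureException}. The stream is consumed but not closed.
     *
     * <p>SHA-1 is kept for compatibility with existing signatures; prefer {@link #verifySha256}
     * where the signer can produce SHA-256 signatures.
     *
     * @param publicKey key to verify with
     * @param bArr raw signature bytes
     * @param inputStream signed data
     * @return {@code true} if the signature matches
     * @throws InvalidKeyException if the key is unusable
     * @throws SignatureException if feeding data to the verifier fails
     * @throws IOException if the stream cannot be read
     */
    public static boolean verify(PublicKey publicKey, byte[] bArr, InputStream inputStream) throws InvalidKeyException, SignatureException, IOException {
        try {
            Signature signature = Signature.getInstance("SHA1withRSA");
            signature.initVerify(publicKey);
            byte[] chunk = new byte[1024];
            int read;
            while ((read = inputStream.read(chunk)) != -1) {
                signature.update(chunk, 0, read);
            }
            try {
                return signature.verify(bArr);
            } catch (SignatureException e) {
                // A signature that cannot be decoded is reported as a failed check.
                return false;
            }
        } catch (NoSuchAlgorithmException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
        }
    }

    /**
     * Parses a Base64-encoded X.509 public key.
     *
     * @param str Base64 text of the DER-encoded key
     * @return the parsed RSA public key
     * @throws SolrException wrapping any decoding or parsing failure
     */
    public static PublicKey deserializeX509PublicKey(String str) {
        try {
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(str)));
        } catch (Exception e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
        }
    }

    /**
     * Applies the raw RSA public-key operation ({@code RSA/ECB/nopadding}) to a block.
     *
     * <p>Without padding there is nothing in the primitive that detects a forged or altered
     * block, so the caller has to validate the structure of the returned bytes. Every failure,
     * including the declared checked exceptions, is rethrown wrapped in a {@link SolrException}.
     *
     * @param bArr RSA block to process
     * @param publicKey key to use
     * @return the recovered bytes
     */
    public static byte[] decryptRSA(byte[] bArr, PublicKey publicKey) throws InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/nopadding");
            cipher.init(Cipher.DECRYPT_MODE, publicKey);
            return cipher.doFinal(bArr, 0, bArr.length);
        } catch (Exception e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
        }
    }

    /**
     * Verifies a {@code SHA256withRSA} signature.
     *
     * @param bArr signed data
     * @param bArr2 raw signature bytes
     * @param publicKey key to verify with
     * @return {@code true} if the signature matches
     * @throws SignatureException if the signature is malformed
     * @throws InvalidKeyException if the key is unusable
     */
    public static boolean verifySha256(byte[] bArr, byte[] bArr2, PublicKey publicKey) throws SignatureException, InvalidKeyException {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(publicKey);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so a misconfigured security provider can be diagnosed.
            throw new InternalError("SHA256withRSA must be supported by the JVM.", e);
        }
    }

    /**
     * Parses every X.509 certificate found in the stream.
     *
     * <p>This only decodes the certificates. It does not check the chain of trust, the validity
     * period or revocation; callers must do that before relying on a returned certificate.
     *
     * @param inputStream DER or PEM encoded certificate data
     * @return the parsed certificates, never empty
     * @throws SolrException if parsing fails or no X.509 certificate is present
     */
    public static Collection<X509Certificate> parseX509Certs(InputStream inputStream) {
        try {
            List<X509Certificate> certs = CertificateFactory.getInstance("X.509")
                    .generateCertificates(inputStream)
                    .stream()
                    .filter(X509Certificate.class::isInstance)
                    .map(X509Certificate.class::cast)
                    .collect(Collectors.toList());
            if (certs.isEmpty()) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Wrong type of certificates. Must be DER or PEM format");
            }
            return certs;
        } catch (CertificateException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed loading certificate(s) from input stream", e);
        }
    }

    /**
     * Returns the text from the first {@code BEGIN CERTIFICATE} marker through the last
     * {@code END CERTIFICATE} marker, both markers included.
     *
     * @param str text containing one or more PEM certificates
     * @return the PEM section
     * @throws SolrException if either marker is missing or the markers are out of order
     */
    public static String extractCertificateFromPem(String str) {
        int begin = str.indexOf(PEM_CERT_BEGIN);
        int end = str.lastIndexOf(PEM_CERT_END);
        // Without this check a missing END marker would silently return a truncated fragment.
        if (begin < 0 || end < begin) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Input does not contain a PEM certificate section");
        }
        return str.substring(begin, end + PEM_CERT_END.length());
    }
}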
