package com.facebook.presto.jdbc.internal.com.facebook.airlift.security.pem;

import com.facebook.presto.jdbc.internal.com.facebook.airlift.security.der.DerUtils;
import com.facebook.presto.jdbc.internal.guava.collect.ImmutableSet;
import com.facebook.presto.jdbc.internal.guava.io.Files;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/* loaded from: input_file:com/facebook/presto/jdbc/internal/com/facebook/airlift/security/pem/PemReader.class */
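/**
 * Reads PEM-encoded certificates, private keys and public keys and assembles them into
 * in-memory {@link KeyStore} instances.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Certificates are only parsed here. Nothing in this class checks validity dates,
 *       signatures or chain ordering, so every certificate in a file given to
 *       {@link #loadTrustStore(File)} becomes a trusted entry as-is.</li>
 *   <li>{@link #loadKeyStore(File, File, Optional)} stores the private key under an empty
 *       entry password. Use the four-argument overload to protect the entry with the key
 *       password.</li>
 *   <li>Passwords arrive as {@link String}, so they cannot be wiped from memory by this class.
 *       Only the intermediate {@link PBEKeySpec} copy is cleared.</li>
 * </ul>
 *
 * <p>This class is stateless; all members are static.
 */
public final class PemReader {
    // CASE_INSENSITIVE is what lets the [a-z0-9+/=] body class accept upper-case base64 as well.
    private static final Pattern CERT_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*CERTIFICATE[^-]*-+(?:\\s|\\r|\\n)+"
                    + "([a-z0-9+/=\\r\\n]+)"
                    + "-+END\\s+.*CERTIFICATE[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    // Group 1 is the optional word(s) before "PRIVATE KEY" (e.g. RSA, EC, DSA, ENCRYPTED); group 2 is the body.
    static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile(
            "-+BEGIN\\s+(?:(.*)\\s+)?PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+"
                    + "([a-z0-9+/=\\r\\n]+)"
                    + "-+END\\s+.*PRIVATE\\s+KEY[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    private static final Pattern PUBLIC_KEY_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*PUBLIC\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+"
                    + "([a-z0-9+/=\\r\\n]+)"
                    + "-+END\\s+.*PUBLIC\\s+KEY[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    // Fixed 20-byte payload signed and verified by matches(); it is never sent anywhere.
    // NOTE(review): presumably 20 bytes because the raw ("NONEwith...") DSA signature expects a
    // SHA-1 sized input -- confirm against the JCA provider in use.
    private static final byte[] TEST_SIGNATURE_DATA = "01234567890123456789".getBytes(StandardCharsets.US_ASCII);

    private static final Set<String> SUPPORTED_KEY_TYPES = ImmutableSet.of("RSA", "EC", "DSA");

    // DER for INTEGER 0 (tag 0x02, length 1, value 0): the PKCS#8 version field.
    private static final byte[] VERSION_0_ENCODED = {2, 1, 0};
    private static final byte[] RSA_KEY_OID = DerUtils.encodeOid("1.2.840.113549.1.1.1");
    private static final byte[] DSA_KEY_OID = DerUtils.encodeOid("1.2.840.10040.4.1");
    private static final byte[] EC_KEY_OID = DerUtils.encodeOid("1.2.840.10045.2.1");
    // DER NULL (tag 0x05, length 0), used as the RSA algorithm parameters.
    private static final byte[] DER_NULL = {5, 0};

    private PemReader() {
    }

    /**
     * Reports whether the file contains at least one PEM certificate, public key or private key block.
     *
     * @param file file to read in full as US-ASCII
     * @return {@code true} if any of the three PEM patterns is found
     * @throws IOException if the file cannot be read
     */
    public static boolean isPem(File file) throws IOException {
        return isPem(Files.asCharSource(file, StandardCharsets.US_ASCII).read());
    }

    /**
     * Reports whether the text contains at least one PEM certificate, public key or private key block.
     *
     * @param data text to scan
     * @return {@code true} if any of the three PEM patterns is found
     */
    public static boolean isPem(String data) {
        return CERT_PATTERN.matcher(data).find()
                || PUBLIC_KEY_PATTERN.matcher(data).find()
                || PRIVATE_KEY_PATTERN.matcher(data).find();
    }

    /**
     * Builds an in-memory JKS trust store holding every certificate found in the file.
     *
     * <p>Each certificate is stored under its RFC 2253 subject name. Two certificates with the
     * same subject therefore share an alias, and the later one replaces the earlier one. No
     * validation (expiry, signature, CA flag) is performed on the certificates.
     *
     * @param file PEM file containing zero or more certificates
     * @return a new key store with one certificate entry per distinct subject name
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if a certificate cannot be parsed or stored
     */
    public static KeyStore loadTrustStore(File file) throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null);
        for (X509Certificate certificate : readCertificateChain(file)) {
            String alias = certificate.getSubjectX500Principal().getName("RFC2253");
            trustStore.setCertificateEntry(alias, certificate);
        }
        return trustStore;
    }

    /**
     * Builds an in-memory JKS key store from a certificate chain file and a private key file,
     * storing the key entry under an empty password.
     *
     * @param certificateChainFile PEM file with the certificate chain
     * @param privateKeyFile PEM file with the private key
     * @param keyPassword password used to decrypt the private key, if it is encrypted
     * @return a new key store with a single entry named {@code "key"}
     * @throws IOException if either file cannot be read
     * @throws GeneralSecurityException if the key or certificates cannot be loaded or do not match
     */
    public static KeyStore loadKeyStore(File certificateChainFile, File privateKeyFile, Optional<String> keyPassword)
            throws IOException, GeneralSecurityException {
        return loadKeyStore(certificateChainFile, privateKeyFile, keyPassword, false);
    }

    /**
     * Builds an in-memory JKS key store from a certificate chain file and a private key file.
     *
     * <p>The certificate whose public key matches the private key is moved to the front of the
     * chain by swapping it with the first element; the remaining order is left as read.
     *
     * @param certificateChainFile PEM file with the certificate chain
     * @param privateKeyFile PEM file with the private key
     * @param keyPassword password used to decrypt the private key, if it is encrypted
     * @param storeKeyWithPassword when {@code true} and a password is present, the key entry is
     *     protected with that password; otherwise the entry password is the empty string
     * @return a new key store with a single entry named {@code "key"}
     * @throws IOException if either file cannot be read
     * @throws CertificateException if the certificate file contains no certificates
     * @throws KeyStoreException if no certificate matches the private key
     * @throws GeneralSecurityException if the key or certificates cannot be loaded
     */
    public static KeyStore loadKeyStore(
            File certificateChainFile,
            File privateKeyFile,
            Optional<String> keyPassword,
            boolean storeKeyWithPassword)
            throws IOException, GeneralSecurityException {
        PrivateKey key = loadPrivateKey(privateKeyFile, keyPassword);

        List<X509Certificate> chain = readCertificateChain(certificateChainFile);
        if (chain.isEmpty()) {
            throw new CertificateException("Certificate file does not contain any certificates: " + certificateChainFile);
        }

        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);

        Certificate[] certificates = chain.toArray(new Certificate[0]);
        boolean foundMatchingCertificate = false;
        for (int i = 0; i < certificates.length; i++) {
            Certificate candidate = certificates[i];
            if (matches(key, candidate)) {
                // The key entry's own certificate must be first in the chain.
                foundMatchingCertificate = true;
                certificates[i] = certificates[0];
                certificates[0] = candidate;
                break;
            }
        }
        if (!foundMatchingCertificate) {
            throw new KeyStoreException("Private key does not match the public key of any certificate");
        }

        // Unless the caller opts in, the entry password is empty: the returned key store
        // then offers no at-rest protection for the key if it is ever serialized.
        char[] entryPassword = keyPassword.filter(value -> storeKeyWithPassword).orElse("").toCharArray();
        keyStore.setKeyEntry("key", key, entryPassword, certificates);
        return keyStore;
    }

    /**
     * Reads every PEM certificate block from the file.
     *
     * @param certificateChainFile file to read in full as US-ASCII
     * @return the certificates in file order; empty if none are present
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if a certificate block cannot be parsed
     */
    public static List<X509Certificate> readCertificateChain(File certificateChainFile)
            throws IOException, GeneralSecurityException {
        return readCertificateChain(Files.asCharSource(certificateChainFile, StandardCharsets.US_ASCII).read());
    }

    /**
     * Reads every PEM certificate block from the text. The certificates are parsed only;
     * they are not validated or checked to form a chain.
     *
     * @param certificateChain text containing zero or more PEM certificate blocks
     * @return the certificates in order of appearance; empty if none are present
     * @throws CertificateException if a block cannot be parsed as an X.509 certificate
     */
    public static List<X509Certificate> readCertificateChain(String certificateChain) throws CertificateException {
        Matcher matcher = CERT_PATTERN.matcher(certificateChain);
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certificates = new ArrayList<>();
        // Resume each search where the previous block ended.
        for (int start = 0; matcher.find(start); start = matcher.end()) {
            byte[] der = base64Decode(matcher.group(1));
            certificates.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certificates;
    }

    /**
     * Loads the first private key found in the file.
     *
     * @param privateKeyFile file to read in full as US-ASCII
     * @param keyPassword password for an encrypted PKCS#8 key
     * @return the decoded private key
     * @throws IOException if the file cannot be read or the encrypted key structure is malformed
     * @throws GeneralSecurityException if no key is found or it cannot be decoded
     */
    public static PrivateKey loadPrivateKey(File privateKeyFile, Optional<String> keyPassword)
            throws IOException, GeneralSecurityException {
        return loadPrivateKey(Files.asCharSource(privateKeyFile, StandardCharsets.US_ASCII).read(), keyPassword);
    }

    /**
     * Loads the first private key found in the text.
     *
     * <p>The word before {@code PRIVATE KEY} in the PEM header selects the format: absent means
     * unencrypted PKCS#8, {@code ENCRYPTED} means password-encrypted PKCS#8, and anything else
     * is treated as a PKCS#1-style key of that type (RSA, DSA or EC).
     *
     * @param privateKey text containing a PEM private key block
     * @param keyPassword password for an encrypted PKCS#8 key
     * @return the decoded private key
     * @throws IOException if the encrypted key structure is malformed
     * @throws KeyStoreException if no key block is found, or the key is encrypted and no password is given
     * @throws InvalidKeySpecException if the key cannot be decoded as any supported type
     * @throws GeneralSecurityException if decryption fails
     */
    public static PrivateKey loadPrivateKey(String privateKey, Optional<String> keyPassword)
            throws IOException, GeneralSecurityException {
        Matcher matcher = PRIVATE_KEY_PATTERN.matcher(privateKey);
        if (!matcher.find()) {
            throw new KeyStoreException("did not find a private key");
        }
        String keyType = matcher.group(1);
        String base64Key = matcher.group(2);

        // NOTE(review): group 2 only admits base64 characters, CR and LF, so it can never contain
        // the '-' in "proc-type"; this branch looks unreachable. A legacy encrypted key with
        // Proc-Type/DEK-Info headers would instead fail the pattern and be reported as
        // "did not find a private key". Kept as in the original.
        if (base64Key.toLowerCase(Locale.US).startsWith("proc-type")) {
            throw new InvalidKeySpecException("Password protected PKCS 1 private keys are not supported");
        }
        byte[] encodedKey = base64Decode(base64Key);

        PKCS8EncodedKeySpec keySpec;
        if (keyType == null) {
            keySpec = new PKCS8EncodedKeySpec(encodedKey);
        } else if ("ENCRYPTED".equals(keyType)) {
            if (!keyPassword.isPresent()) {
                throw new KeyStoreException("Private key is encrypted, but no password was provided");
            }
            keySpec = decryptPkcs8Key(encodedKey, keyPassword.get());
        } else {
            return loadPkcs1PrivateKey(keyType, encodedKey);
        }

        // PKCS#8 does not tell us the algorithm up front here, so probe each supported type.
        List<InvalidKeySpecException> attempts = new ArrayList<>();
        for (String algorithm : SUPPORTED_KEY_TYPES) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
            } catch (InvalidKeySpecException e) {
                // Expected for the non-matching algorithms; kept for diagnosis if all fail.
                attempts.add(e);
            }
        }
        InvalidKeySpecException failure = new InvalidKeySpecException("Key type must be one of " + SUPPORTED_KEY_TYPES);
        attempts.forEach(failure::addSuppressed);
        throw failure;
    }

    /** Decrypts a password-encrypted PKCS#8 structure and returns the inner key spec. */
    private static PKCS8EncodedKeySpec decryptPkcs8Key(byte[] encryptedKey, String password)
            throws IOException, GeneralSecurityException {
        EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(encryptedKey);
        PBEKeySpec passwordSpec = new PBEKeySpec(password.toCharArray());
        try {
            SecretKey secretKey = SecretKeyFactory.getInstance(encryptedInfo.getAlgName()).generateSecret(passwordSpec);
            Cipher cipher = Cipher.getInstance(encryptedInfo.getAlgName());
            cipher.init(Cipher.DECRYPT_MODE, secretKey, encryptedInfo.getAlgParameters());
            return encryptedInfo.getKeySpec(cipher);
        } finally {
            // Drop the spec's copy of the password; the caller's String cannot be wiped.
            passwordSpec.clearPassword();
        }
    }

    /** Wraps a PKCS#1-style key body in a PKCS#8 envelope for the named type and decodes it. */
    private static PrivateKey loadPkcs1PrivateKey(String pkcs1KeyType, byte[] pkcs1Key) throws GeneralSecurityException {
        byte[] pkcs8Key;
        switch (pkcs1KeyType) {
            case "RSA":
                pkcs8Key = rsaPkcs1ToPkcs8(pkcs1Key);
                break;
            case "DSA":
                pkcs8Key = dsaPkcs1ToPkcs8(pkcs1Key);
                break;
            case "EC":
                pkcs8Key = ecPkcs1ToPkcs8(pkcs1Key);
                break;
            default:
                throw new InvalidKeySpecException("Key type must be one of " + SUPPORTED_KEY_TYPES);
        }
        try {
            return KeyFactory.getInstance(pkcs1KeyType).generatePrivate(new PKCS8EncodedKeySpec(pkcs8Key));
        } catch (InvalidKeySpecException e) {
            throw new InvalidKeySpecException(String.format("Invalid PKCS 1 %s private key", pkcs1KeyType), e);
        }
    }

    /**
     * Wraps an RSA key body as PKCS#8: SEQUENCE { version 0, SEQUENCE { rsa OID, NULL }, OCTET STRING key }.
     */
    static byte[] rsaPkcs1ToPkcs8(byte[] pkcs1) {
        byte[] algorithmId = DerUtils.encodeSequence(new byte[][] {RSA_KEY_OID, DER_NULL});
        return DerUtils.encodeSequence(new byte[][] {VERSION_0_ENCODED, algorithmId, DerUtils.encodeOctetString(pkcs1)});
    }

    /**
     * Wraps a DSA key body as PKCS#8. Elements 1-3 of the input sequence become the algorithm
     * parameters and element 5 becomes the key octet string.
     *
     * @throws InvalidKeySpecException if the input sequence does not have exactly 6 elements
     */
    static byte[] dsaPkcs1ToPkcs8(byte[] pkcs1) throws InvalidKeySpecException {
        List<byte[]> elements = DerUtils.decodeSequence(pkcs1);
        if (elements.size() != 6) {
            throw new InvalidKeySpecException("Expected DSA key to have 6 elements");
        }
        byte[] parameters = DerUtils.encodeSequence(new byte[][] {elements.get(1), elements.get(2), elements.get(3)});
        byte[] algorithmId = DerUtils.encodeSequence(new byte[][] {DSA_KEY_OID, parameters});
        return DerUtils.encodeSequence(
                new byte[][] {VERSION_0_ENCODED, algorithmId, DerUtils.encodeOctetString(elements.get(5))});
    }

    /**
     * Wraps an EC key body as PKCS#8. Element 2 of the input sequence (unwrapped from its
     * optional-element encoding) becomes the algorithm parameters; elements 0, 1 and 3 are
     * re-encoded as the inner key sequence.
     *
     * @throws InvalidKeySpecException if the input sequence does not have exactly 4 elements
     */
    static byte[] ecPkcs1ToPkcs8(byte[] pkcs1) throws InvalidKeySpecException {
        List<byte[]> elements = DerUtils.decodeSequence(pkcs1);
        if (elements.size() != 4) {
            throw new InvalidKeySpecException("Expected EC key to have 4 elements");
        }
        byte[] curveParameters = DerUtils.decodeSequenceOptionalElement(elements.get(2));
        byte[] algorithmId = DerUtils.encodeSequence(new byte[][] {EC_KEY_OID, curveParameters});
        byte[] innerKey = DerUtils.encodeSequence(new byte[][] {elements.get(0), elements.get(1), elements.get(3)});
        return DerUtils.encodeSequence(
                new byte[][] {VERSION_0_ENCODED, algorithmId, DerUtils.encodeOctetString(innerKey)});
    }

    /**
     * Loads the first public key found in the file.
     *
     * @param publicKeyFile file to read in full as US-ASCII
     * @return the decoded public key
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if no key is found or it cannot be decoded
     */
    public static PublicKey loadPublicKey(File publicKeyFile) throws IOException, GeneralSecurityException {
        return loadPublicKey(Files.asCharSource(publicKeyFile, StandardCharsets.US_ASCII).read());
    }

    /**
     * Loads the first public key found in the text, trying each supported key type in turn.
     *
     * @param publicKey text containing a PEM public key block
     * @return the decoded public key
     * @throws KeyStoreException if no public key block is found
     * @throws InvalidKeySpecException if the key cannot be decoded as any supported type
     * @throws GeneralSecurityException if a key factory is unavailable
     */
    public static PublicKey loadPublicKey(String publicKey) throws GeneralSecurityException {
        Matcher matcher = PUBLIC_KEY_PATTERN.matcher(publicKey);
        if (!matcher.find()) {
            throw new KeyStoreException("did not find a public key");
        }
        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(base64Decode(matcher.group(1)));

        List<InvalidKeySpecException> attempts = new ArrayList<>();
        for (String algorithm : SUPPORTED_KEY_TYPES) {
            try {
                return KeyFactory.getInstance(algorithm).generatePublic(keySpec);
            } catch (InvalidKeySpecException e) {
                // Expected for the non-matching algorithms; kept for diagnosis if all fail.
                attempts.add(e);
            }
        }
        InvalidKeySpecException failure = new InvalidKeySpecException("Key type must be one of " + SUPPORTED_KEY_TYPES);
        attempts.forEach(failure::addSuppressed);
        throw failure;
    }

    /**
     * Checks that the private key belongs to the certificate by signing a fixed payload with the
     * private key and verifying it with the certificate's public key. Any security exception
     * (unsupported or mismatched key types included) is treated as "no match".
     */
    private static boolean matches(PrivateKey privateKey, Certificate certificate) {
        try {
            PublicKey publicKey = certificate.getPublicKey();
            Signature signer = createSignature(privateKey, publicKey);

            signer.initSign(privateKey);
            signer.update(TEST_SIGNATURE_DATA);
            byte[] signature = signer.sign();

            signer.initVerify(publicKey);
            signer.update(TEST_SIGNATURE_DATA);
            return signer.verify(signature);
        } catch (GeneralSecurityException ignored) {
            // A key pair that cannot complete the round trip is simply not a match.
            return false;
        }
    }

    /** Picks the raw (no-digest) signature algorithm for the key pair's type. */
    private static Signature createSignature(PrivateKey privateKey, PublicKey publicKey) throws GeneralSecurityException {
        if ((privateKey instanceof RSAPrivateKey) && (publicKey instanceof RSAPublicKey)) {
            return Signature.getInstance("NONEwithRSA");
        }
        if ((privateKey instanceof ECPrivateKey) && (publicKey instanceof ECPublicKey)) {
            return Signature.getInstance("NONEwithECDSA");
        }
        if ((privateKey instanceof DSAKey) && (publicKey instanceof DSAKey)) {
            return Signature.getInstance("NONEwithDSA");
        }
        throw new InvalidKeySpecException("Key type must be one of " + SUPPORTED_KEY_TYPES);
    }

    /**
     * Decodes base64 text with the MIME decoder, which skips line breaks and other
     * characters outside the base64 alphabet.
     *
     * @param base64 base64 text, possibly spanning several lines
     * @return the decoded bytes
     */
    public static byte[] base64Decode(String base64) {
        return Base64.getMimeDecoder().decode(base64.getBytes(StandardCharsets.US_ASCII));
    }
}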
