package com.google.auth.oauth2;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:com/google/auth/oauth2/CertificateIdentityPoolSubjectTokenSupplier.class */
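/**
 * Subject-token supplier for certificate-based workload identity federation.
 *
 * <p>The subject token produced here is not a signed assertion: it is the configured leaf
 * certificate, optionally followed by the certificates of a configured trust-chain file, each
 * DER-encoded and base64'd, serialized as a JSON array of strings via the project's JSON factory.
 *
 * <p>Security notes (grounded in what this class does, not in what the server does):
 * <ul>
 *   <li>No chain validation happens here. Certificates are parsed and re-encoded only; issuer /
 *       subject linkage, signatures, validity periods and key usage are not checked. Whatever
 *       consumes the token (presumably the token-exchange endpoint) must perform that validation
 *       &mdash; confirm this against the receiving side before relying on it.</li>
 *   <li>Both file paths come straight from the credential source configuration; nothing in this
 *       class restricts where they may point. Non-certificate content is rejected by the X.509
 *       parser, but the paths themselves should be treated as trusted configuration.</li>
 *   <li>Only PEM blocks delimited by {@code -----BEGIN CERTIFICATE-----} /
 *       {@code -----END CERTIFICATE-----} are read from the trust-chain file; anything else in that
 *       file is silently ignored, except that a non-empty file yielding no blocks is an error.</li>
 * </ul>
 */
public class CertificateIdentityPoolSubjectTokenSupplier implements IdentityPoolSubjectTokenSupplier {
    private final IdentityPoolCredentialSource credentialSource;

    /**
     * Matches one PEM-armored certificate. {@link Pattern#DOTALL} lets {@code .*?} span the
     * base64 body's line breaks; the reluctant quantifier stops at the first END marker so that
     * consecutive blocks in one file are matched one at a time.
     */
    private static final Pattern PEM_CERT_PATTERN =
            Pattern.compile("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", Pattern.DOTALL);

    /**
     * Creates a supplier bound to the given credential source.
     *
     * <p>Note: the decompiler reports this constructor as package-private in the original; it is
     * kept public here to stay compatible with whatever already calls it.
     *
     * @param identityPoolCredentialSource source holding the leaf-certificate location and the
     *     certificate configuration (trust-chain path); must not be null and must carry a
     *     non-null certificate config
     * @throws NullPointerException if the source or its certificate config is null
     */
    public CertificateIdentityPoolSubjectTokenSupplier(IdentityPoolCredentialSource identityPoolCredentialSource) {
        this.credentialSource =
                Preconditions.checkNotNull(identityPoolCredentialSource, "credentialSource cannot be null");
        Preconditions.checkNotNull(
                identityPoolCredentialSource.getCertificateConfig(),
                "credentialSource.certificateConfig cannot be null when creating CertificateIdentityPoolSubjectTokenSupplier");
    }

    /**
     * Reads the leaf certificate at {@code leafPath}, parses it as X.509 and returns its DER
     * encoding as a base64 string.
     *
     * @param leafPath filesystem path of the leaf certificate (DER or PEM; the X.509 factory
     *     accepts both)
     * @throws IOException if the file is missing, unreadable, or does not parse as a certificate;
     *     the original exception is kept as the cause
     * @throws IllegalArgumentException if the file exists but is empty (propagates unwrapped from
     *     {@link #parseCertificate(byte[])})
     */
    private static String loadAndEncodeLeafCertificate(String leafPath) throws IOException {
        try {
            byte[] leafBytes = Files.readAllBytes(Paths.get(leafPath));
            return encodeCert(parseCertificate(leafBytes));
        } catch (NoSuchFileException e) {
            // Most specific IOException subtype first so the "not found" message is actually reachable.
            throw new IOException(String.format("Leaf certificate file not found: %s", leafPath), e);
        } catch (IOException e) {
            throw new IOException(String.format("Failed to read leaf certificate file: %s", leafPath), e);
        } catch (CertificateException e) {
            throw new IOException(String.format("Failed to parse leaf certificate from file: %s", leafPath), e);
        }
    }

    /**
     * Parses a single X.509 certificate from raw bytes.
     *
     * @param certBytes certificate bytes (DER or PEM)
     * @return the parsed certificate
     * @throws IllegalArgumentException if {@code certBytes} is null or empty
     * @throws CertificateException if the bytes do not parse, or parse to something that is not an
     *     {@link X509Certificate} (checked explicitly instead of relying on an unchecked cast, for
     *     parity with {@link #readTrustChain(String)})
     */
    @VisibleForTesting
    static X509Certificate parseCertificate(byte[] certBytes) throws CertificateException {
        if (certBytes == null || certBytes.length == 0) {
            throw new IllegalArgumentException("Invalid certificate data: Certificate file is empty or null.");
        }
        try {
            Certificate parsed =
                    CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certBytes));
            if (!(parsed instanceof X509Certificate)) {
                throw new CertificateException("Parsed certificate is not an X.509 certificate.");
            }
            return (X509Certificate) parsed;
        } catch (CertificateException e) {
            throw new CertificateException("Failed to parse X.509 certificate data.", e);
        }
    }

    /**
     * Base64-encodes the DER form of a certificate. DER is canonical, so two encodings of the
     * same certificate compare equal as strings; that property is what the duplicate-leaf checks
     * below rely on.
     */
    private static String encodeCert(X509Certificate x509Certificate) throws CertificateEncodingException {
        return Base64.getEncoder().encodeToString(x509Certificate.getEncoded());
    }

    /**
     * Builds the subject token: a JSON array whose first element is the base64 DER leaf
     * certificate, followed by the trust-chain certificates (if a trust-chain path is configured).
     *
     * <p>Ordering rules for the trust-chain file: the leaf may appear as its first certificate
     * (it is then not duplicated) or be omitted; a leaf anywhere else is a misconfiguration.
     *
     * @param externalAccountSupplierContext unused by this supplier
     * @return the serialized JSON array of base64 DER certificates
     * @throws IOException for any read, parse, or configuration problem; the message names which
     *     file was involved and the underlying exception is attached as the cause
     */
    @Override // com.google.auth.oauth2.IdentityPoolSubjectTokenSupplier
    public String getSubjectToken(ExternalAccountSupplierContext externalAccountSupplierContext) throws IOException {
        String leafPath = this.credentialSource.getCredentialLocation();
        String trustChainPath = null;
        if (this.credentialSource.getCertificateConfig() != null) {
            trustChainPath = this.credentialSource.getCertificateConfig().getTrustChainPath();
        }

        // Leaf errors surface with their own messages from loadAndEncodeLeafCertificate; they are
        // deliberately outside the trust-chain try block so they are not mislabeled as chain errors.
        String encodedLeaf = loadAndEncodeLeafCertificate(leafPath);
        List<String> certChain = new ArrayList<>();
        certChain.add(encodedLeaf);

        try {
            List<X509Certificate> trustChain = readTrustChain(trustChainPath);
            if (!trustChain.isEmpty()) {
                populateCertChainFromTrustChain(certChain, trustChain, encodedLeaf);
            }
            return OAuth2Utils.JSON_FACTORY.toString(certChain);
        } catch (NoSuchFileException e) {
            // NoSuchFileException extends IOException: it must be caught before the general case,
            // otherwise the "not found" branch is unreachable.
            throw new IOException(String.format("Trust chain file not found: %s", trustChainPath), e);
        } catch (IOException e) {
            throw new IOException(String.format("Failed to read trust chain file: %s", trustChainPath), e);
        } catch (IllegalArgumentException e) {
            throw new IOException("Trust chain misconfiguration: " + e.getMessage(), e);
        } catch (CertificateException e) {
            throw new IOException(
                    String.format("Failed to parse certificate(s) from trust chain file: %s", trustChainPath), e);
        }
    }

    /**
     * Appends the trust-chain certificates to {@code certChain}, skipping a leading copy of the
     * leaf and rejecting the leaf anywhere else.
     *
     * @param certChain output list, already holding the encoded leaf at index 0
     * @param trustChain certificates read from the trust-chain file, in file order
     * @param encodedLeaf base64 DER of the leaf, used for the duplicate checks
     * @throws CertificateEncodingException if a chain certificate cannot be DER-encoded
     * @throws IllegalArgumentException if the leaf appears at any position other than the first
     */
    private void populateCertChainFromTrustChain(
            List<String> certChain, List<X509Certificate> trustChain, String encodedLeaf)
            throws CertificateEncodingException, IllegalArgumentException {
        String firstInChain = encodeCert(trustChain.get(0));
        if (!firstInChain.equals(encodedLeaf)) {
            certChain.add(firstInChain);
        }
        for (int i = 1; i < trustChain.size(); i++) {
            String encoded = encodeCert(trustChain.get(i));
            if (encoded.equals(encodedLeaf)) {
                throw new IllegalArgumentException(
                        "The leaf certificate should only appear at the beginning of the trust chain file, or be omitted entirely.");
            }
            certChain.add(encoded);
        }
    }

    /**
     * Reads every PEM certificate block from the trust-chain file, in order.
     *
     * <p>No validation of the chain is performed here; the certificates are returned exactly as
     * found. Text outside PEM markers is ignored.
     *
     * @param trustChainPath path of the trust-chain file; null or empty means "no chain configured"
     * @return the parsed certificates, empty when no path is configured or the file is empty
     * @throws IOException if the file cannot be read
     * @throws CertificateException if a block does not parse, parses to a non-X.509 certificate,
     *     or the file is non-empty but contains no PEM certificate blocks
     */
    @VisibleForTesting
    static List<X509Certificate> readTrustChain(String trustChainPath) throws IOException, CertificateException {
        List<X509Certificate> chain = new ArrayList<>();
        if (Strings.isNullOrEmpty(trustChainPath)) {
            return chain;
        }

        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        byte[] fileBytes = Files.readAllBytes(Paths.get(trustChainPath));
        Matcher matcher = PEM_CERT_PATTERN.matcher(new String(fileBytes, StandardCharsets.UTF_8));

        while (matcher.find()) {
            byte[] pemBlock = matcher.group(0).getBytes(StandardCharsets.UTF_8);
            // try-with-resources replaces the decompiler's mangled close/addSuppressed scaffolding.
            try (ByteArrayInputStream in = new ByteArrayInputStream(pemBlock)) {
                Certificate parsed = factory.generateCertificate(in);
                if (!(parsed instanceof X509Certificate)) {
                    throw new CertificateException("Found non-X.509 certificate in trust chain file: " + trustChainPath);
                }
                chain.add((X509Certificate) parsed);
            } catch (CertificateException e) {
                throw new CertificateException(
                        "Error loading PEM certificates from the trust chain file: " + trustChainPath + " - " + e.getMessage(), e);
            }
        }

        // A configured but garbage file must not silently degrade to "no chain".
        if (fileBytes.length > 0 && chain.isEmpty()) {
            throw new CertificateException(
                    "Trust chain file was not empty but no PEM certificates were found: " + trustChainPath);
        }
        return chain;
    }
}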
