package in.neuw.aws.rolesanywhere.utils;

import in.neuw.aws.rolesanywhere.credentials.models.X509CertificateChain;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.utils.StringUtils;

/* loaded from: input_file:in/neuw/aws/rolesanywhere/utils/CertAndKeyParserAndLoader.class */
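public class CertAndKeyParserAndLoader {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(CertAndKeyParserAndLoader.class);
    public static final String BEGIN_CERT = "-----BEGIN CERTIFICATE-----";
    public static final String EC_OID = "1.2.840.10045.2.1";
    public static final String RSA_OID = "1.2.840.113549.1.1.1";
    public static final String EC = "EC";
    public static final String RSA = "RSA";
    public static final String SHA256_RSA = "SHA256withRSA";
    public static final String SHA256_EC_DSA = "SHA256withECDSA";

    /** JCA provider name under which Bouncy Castle registers itself. */
    private static final String BC_PROVIDER = "BC";
    /** Pre-built OID objects so {@link #resolveKeyType} does not re-parse the dotted strings per call. */
    private static final ASN1ObjectIdentifier RSA_ALGORITHM_OID = new ASN1ObjectIdentifier(RSA_OID);
    private static final ASN1ObjectIdentifier EC_ALGORITHM_OID = new ASN1ObjectIdentifier(EC_OID);

    /**
     * Registers the Bouncy Castle provider once. {@code Security.addProvider} already
     * ignores duplicates, but the lookup avoids constructing a provider on every call.
     */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BC_PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Parses a single X.509 certificate from a base64-encoded PEM/DER blob.
     *
     * @param str base64 text whose decoded bytes hold one certificate
     * @return the parsed certificate (only the first one if the blob holds several)
     * @throws IllegalArgumentException if {@code str} is not valid base64
     * @throws RuntimeException wrapping the {@link CertificateException} if parsing fails
     */
    public static X509Certificate extractCertificate(String str) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(Base64.getDecoder().decode(str)));
            log.info("Certificate expires at {}", certificate.getNotAfter());
            return certificate;
        } catch (CertificateException e) {
            log.error("Error while extracting certificate, {}", e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /**
     * Parses every X.509 certificate found in a base64-encoded PEM bundle using the BC provider.
     *
     * @param str base64 text whose decoded bytes hold one or more concatenated certificates
     * @return the certificates in the order the factory returned them; never {@code null}
     * @throws CertificateException    if any certificate fails to parse
     * @throws NoSuchProviderException if the BC provider is unavailable
     */
    public static List<X509Certificate> extractCertificates(String str) throws CertificateException, NoSuchProviderException {
        ensureBouncyCastleProvider();
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", BC_PROVIDER);
        ByteArrayInputStream input = new ByteArrayInputStream(Base64.getDecoder().decode(str));
        List<X509Certificate> certificates = new ArrayList<>();
        // An "X.509" factory only produces X509Certificate instances, so the cast is safe.
        for (Certificate certificate : certificateFactory.generateCertificates(input)) {
            certificates.add((X509Certificate) certificate);
        }
        return certificates;
    }

    /**
     * Decides whether the base64-encoded input contains more than one PEM certificate block.
     *
     * @param str base64 text of PEM content
     * @return {@code true} for two or more {@code BEGIN CERTIFICATE} markers, {@code false} for exactly one
     * @throws IllegalArgumentException if no {@code BEGIN CERTIFICATE} marker is present, or the base64 is invalid
     */
    public static boolean possibleChainOfCerts(String str) {
        // PEM is ASCII; decode with an explicit charset so the count does not depend on the platform default.
        String pem = new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        int beginMarkers = countOccurrencesOfBEGINCERT(pem);
        if (beginMarkers == 1) {
            log.info("only one cert provided");
            return false;
        }
        if (beginMarkers > 1) {
            log.info("possible chain of certificates");
            return true;
        }
        log.error("cert not provided correctly");
        throw new IllegalArgumentException("cert not provided correctly");
    }

    /**
     * Splits a base64-encoded certificate (or bundle) into root, intermediate and leaf slots.
     *
     * <p>Classification: a self-signed certificate is treated as the root, any other certificate
     * with CA basic constraints as the intermediate, everything else as the leaf. The chain object
     * exposes a single setter per slot, so if a bundle contains several certificates of the same
     * class the last one seen wins.
     *
     * @param str base64 text of one certificate or a PEM bundle
     * @return the populated chain; the original base64 is retained on it
     * @throws CertificateException    if a certificate fails to parse
     * @throws NoSuchProviderException if the BC provider is unavailable
     */
    public static X509CertificateChain resolveCertificateChain(String str) throws CertificateException, NoSuchProviderException {
        X509CertificateChain chain = new X509CertificateChain();
        chain.setBase64EncodedCertificate(str);
        if (!possibleChainOfCerts(str)) {
            chain.setLeafCertificate(extractCertificate(str));
            return chain;
        }
        for (X509Certificate certificate : extractCertificates(str)) {
            if (isRootCA(certificate)) {
                log.info("root CA expires at, {}", certificate.getNotAfter());
                chain.setRootCACertificate(certificate);
            } else if (ifX509CertIsCA(certificate)) {
                log.info("intermediate CA expires at, {}", certificate.getNotAfter());
                chain.setIntermediateCACertificate(certificate);
            } else {
                log.info("leaf cert expires at, {}", certificate.getNotAfter());
                chain.setLeafCertificate(certificate);
            }
        }
        return chain;
    }

    /**
     * Serialises a certificate to PEM and returns that PEM text base64-encoded.
     *
     * @param x509Certificate the certificate to encode
     * @return base64 of the UTF-8 PEM text
     * @throws RuntimeException wrapping the {@link IOException} if PEM writing fails
     */
    public static String convertToBase64PEMString(X509Certificate x509Certificate) {
        ensureBouncyCastleProvider();
        StringWriter stringWriter = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
            pemWriter.writeObject(x509Certificate);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        // The writer must be closed before reading the buffer so the trailing PEM footer is flushed.
        return Base64.getEncoder().encodeToString(stringWriter.toString().getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Loads a private key from a base64-encoded PEM blob.
     *
     * @param str base64 text of a PEM private key
     * @return the key, as produced by {@link #privateKeyResolver(byte[])}
     * @throws RuntimeException wrapping any parsing or key-spec failure
     */
    public static final PrivateKey extractPrivateKey(String str) {
        try {
            return privateKeyResolver(Base64.getDecoder().decode(str));
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Maps a key's algorithm to the SHA-256 signature algorithm name used with it.
     *
     * @param privateKey an RSA or EC key
     * @return {@link #SHA256_RSA} or {@link #SHA256_EC_DSA}
     * @throws IllegalArgumentException for any other algorithm
     */
    public static String resolveSignatureAlgorithm(PrivateKey privateKey) {
        String algorithm = privateKey.getAlgorithm();
        if (RSA.equals(algorithm)) {
            return SHA256_RSA;
        }
        if (EC.equals(algorithm)) {
            return SHA256_EC_DSA;
        }
        throw new IllegalArgumentException("key algorithm not recognized");
    }

    /**
     * Returns the key's algorithm name after checking it is one this loader supports.
     *
     * @param privateKey an RSA or EC key
     * @return {@code "RSA"} or {@code "EC"}
     * @throws IllegalArgumentException for any other algorithm
     */
    public static String resolveAndValidateAlgorithm(PrivateKey privateKey) {
        String algorithm = privateKey.getAlgorithm();
        if (EC.equals(algorithm) || RSA.equals(algorithm)) {
            return algorithm;
        }
        throw new IllegalArgumentException("key algorithm not recognized");
    }

    /**
     * Maps a PKCS#8 algorithm identifier to the JCA key-factory name.
     *
     * @param aSN1ObjectIdentifier the private key algorithm OID
     * @return {@link #RSA} or {@link #EC}
     * @throws IllegalArgumentException for any other OID
     */
    public static String resolveKeyType(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        if (RSA_ALGORITHM_OID.equals(aSN1ObjectIdentifier)) {
            log.info("The key is an RSA private key.");
            return RSA;
        }
        if (EC_ALGORITHM_OID.equals(aSN1ObjectIdentifier)) {
            log.info("The key is an EC private key.");
            return EC;
        }
        throw new IllegalArgumentException("Unsupported key algorithm: " + String.valueOf(aSN1ObjectIdentifier));
    }

    /**
     * Parses PEM bytes into a {@link PrivateKey} via the BC provider.
     *
     * <p>Accepts both traditional key-pair PEM blocks (parsed as {@link PEMKeyPair}) and PKCS#8
     * {@code PRIVATE KEY} blocks (parsed directly as {@link PrivateKeyInfo}). Encrypted PEM
     * objects are not supported and are rejected with {@link IllegalArgumentException}.
     *
     * @param bArr raw PEM text
     * @return the loaded key
     * @throws IOException              if the PEM cannot be read or holds no object
     * @throws InvalidKeySpecException  if the PKCS#8 encoding is rejected by the key factory
     * @throws NoSuchAlgorithmException if the resolved key type is unknown to the provider
     * @throws NoSuchProviderException  if the BC provider is unavailable
     */
    public static PrivateKey privateKeyResolver(byte[] bArr) throws InvalidKeySpecException, IOException, NoSuchAlgorithmException, NoSuchProviderException {
        ensureBouncyCastleProvider();
        Object pemObject;
        try (PEMParser pemParser = new PEMParser(
                new InputStreamReader(new ByteArrayInputStream(bArr), StandardCharsets.UTF_8))) {
            pemObject = pemParser.readObject();
        }
        PrivateKeyInfo privateKeyInfo = toPrivateKeyInfo(pemObject);
        byte[] encoded = privateKeyInfo.getEncoded();
        ASN1ObjectIdentifier algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm();
        PrivateKey privateKey = KeyFactory.getInstance(resolveKeyType(algorithm), BC_PROVIDER)
                .generatePrivate(new PKCS8EncodedKeySpec(encoded));
        // Algorithm and format only; never log key material.
        log.info("Private key algorithm is : {}", privateKey.getAlgorithm());
        log.info("Private key format is : {}", privateKey.getFormat());
        log.info("Private key successfully loaded.");
        return privateKey;
    }

    /**
     * Extracts the {@link PrivateKeyInfo} from whatever object the PEM parser produced.
     *
     * @param pemObject result of {@link PEMParser#readObject()}, possibly {@code null} at EOF
     * @return the PKCS#8 private key info
     * @throws IOException              if the input held no PEM object at all
     * @throws IllegalArgumentException if the object is neither a key pair nor a private key info
     */
    private static PrivateKeyInfo toPrivateKeyInfo(Object pemObject) throws IOException {
        if (pemObject == null) {
            throw new IOException("no PEM object found in private key input");
        }
        if (pemObject instanceof PEMKeyPair) {
            return ((PEMKeyPair) pemObject).getPrivateKeyInfo();
        }
        if (pemObject instanceof PrivateKeyInfo) {
            return (PrivateKeyInfo) pemObject;
        }
        throw new IllegalArgumentException(
                "Unsupported PEM object for private key: " + pemObject.getClass().getName());
    }

    /**
     * Reports whether a certificate is marked as a CA.
     *
     * <p>Requires CA basic constraints; when a keyUsage extension is present it must also assert
     * keyCertSign (bit 5). A certificate without a keyUsage extension is judged on basic
     * constraints alone instead of dereferencing the absent extension.
     *
     * @param x509Certificate the certificate to inspect
     * @return {@code true} if the certificate is a CA under the rule above
     */
    public static boolean ifX509CertIsCA(X509Certificate x509Certificate) {
        if (x509Certificate.getBasicConstraints() == -1) {
            return false;
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            return true;
        }
        return keyUsage.length > 5 && keyUsage[5];
    }

    /**
     * Reports whether a certificate verifies under its own public key, i.e. is self-signed.
     * This class treats a self-signed certificate as the root of the chain; note that any
     * self-signed certificate, CA or not, satisfies this check.
     *
     * @param x509Certificate the certificate to check
     * @return {@code true} if the self-signature verifies, {@code false} on any verification failure
     */
    public static boolean isRootCA(X509Certificate x509Certificate) {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            log.info("this is root CA");
            return true;
        } catch (InvalidKeyException e) {
            log.error("this is not root CA, invalid key");
            return false;
        } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            // Pass the exception itself so the stack trace is logged; getCause() is often null here.
            log.error("this is not Root CA, exception", e);
            return false;
        } catch (SignatureException e) {
            log.warn("the cert with name = {} is not Root CA signature issue", x509Certificate.getSubjectX500Principal().getName());
            return false;
        }
    }

    /**
     * Counts non-overlapping occurrences of {@link #BEGIN_CERT} in the given text.
     *
     * @param str PEM text, may be blank or {@code null}
     * @return the number of markers, 0 for blank input
     */
    private static int countOccurrencesOfBEGINCERT(String str) {
        if (StringUtils.isBlank(str)) {
            return 0;
        }
        int count = 0;
        int position = str.indexOf(BEGIN_CERT);
        while (position != -1) {
            count++;
            position = str.indexOf(BEGIN_CERT, position + BEGIN_CERT.length());
        }
        return count;
    }
}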
