package org.apache.cassandra.security;

import com.google.common.collect.ImmutableSet;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/security/PEMReader.class */
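/**
 * Reads PEM-encoded private keys and X.509 certificates from in-memory strings.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>This class only <em>parses</em> material. It does not check certificate validity
 *       periods, signatures, chains or trust; that remains the caller's responsibility.</li>
 *   <li>Private key bytes are always interpreted as PKCS#8 (or as a PKCS#8
 *       {@code EncryptedPrivateKeyInfo} when a password is supplied), whatever label the PEM
 *       armor carries.</li>
 *   <li>The key password arrives as a {@link String}, which cannot be wiped from memory here;
 *       only the working {@code char[]} copies made by this class are cleared.</li>
 *   <li>Only sizes and algorithm names are logged; key bytes and the password (including its
 *       length) are never written to the log.</li>
 * </ul>
 */
public final class PEMReader {
    /** Key algorithms tried, in iteration order, when building a {@link PrivateKey} from PKCS#8 bytes. */
    public static final Set<String> SUPPORTED_PRIVATE_KEY_ALGORITHMS = ImmutableSet.of("RSA", "DSA", "EC");

    private static final Logger logger = LoggerFactory.getLogger(PEMReader.class);

    /** Matches one PEM block whose label contains "CERTIFICATE"; group 1 is the base64 body. */
    private static final Pattern CERT_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*CERTIFICATE[^-]*-+(?:\\s|\\r|\\n)+([a-z0-9+/=\\r\\n]+)-+END\\s+.*CERTIFICATE[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    /**
     * Matches one PEM block whose label contains "PRIVATE KEY"; group 1 is the base64 body.
     * The label is not restricted, so e.g. "ENCRYPTED PRIVATE KEY" or "RSA PRIVATE KEY" also
     * match, but the body is still decoded as PKCS#8 by {@link #extractPrivateKey(String, String)}.
     */
    private static final Pattern KEY_PATTERN = Pattern.compile(
            "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+([a-z0-9+/=\\r\\n]+)-+END\\s+.*PRIVATE\\s+KEY[^-]*-+",
            Pattern.CASE_INSENSITIVE);

    /**
     * Extracts an unencrypted private key from PEM text.
     *
     * @param str PEM text containing a private key block
     * @return the parsed private key
     * @throws IOException declared for parity with the password-taking overload
     * @throws GeneralSecurityException if no key block is found, the base64 is invalid, or the
     *         key cannot be parsed with any supported algorithm
     */
    public static PrivateKey extractPrivateKey(String str) throws IOException, GeneralSecurityException {
        return extractPrivateKey(str, null);
    }

    /**
     * Extracts a private key from PEM text, decrypting it first when a password is given.
     *
     * <p>With a null or empty password the decoded bytes are used directly as a PKCS#8 key.
     * Otherwise they are parsed as an {@link EncryptedPrivateKeyInfo} and decrypted with the
     * algorithm named inside that structure.
     *
     * @param str PEM text containing a private key block; only the first matching block is used
     * @param str2 password protecting the key, or null/empty for an unencrypted key
     * @return the parsed private key
     * @throws IOException if the encrypted key structure cannot be parsed
     * @throws GeneralSecurityException if no key block is found, the base64 is invalid,
     *         decryption fails, or the key cannot be parsed with any supported algorithm
     */
    public static PrivateKey extractPrivateKey(String str, String str2) throws IOException, GeneralSecurityException {
        byte[] keyBytes = decodeBase64(extractBase64EncodedKey(str));
        PKCS8EncodedKeySpec keySpec;
        if (StringUtils.isEmpty(str2)) {
            logger.debug("Key length: {}", keyBytes.length);
            keySpec = new PKCS8EncodedKeySpec(keyBytes);
        } else {
            // Deliberately not logging the password length: it is information about a secret.
            logger.debug("Encrypted key's length: {}", keyBytes.length);
            keySpec = decryptKeySpec(keyBytes, str2);
        }

        for (String algorithm : SUPPORTED_PRIVATE_KEY_ALGORITHMS) {
            try {
                PrivateKey privateKey = KeyFactory.getInstance(algorithm).generatePrivate(keySpec);
                logger.info("Parsing for the private key finished with {} algorithm.", algorithm);
                return privateKey;
            } catch (Exception e) {
                // Best effort by design: a failure here only means "not this algorithm".
                logger.debug("Failed to parse the private key with {} algorithm. Will try the other supported algorithms.", algorithm);
            }
        }
        throw new GeneralSecurityException("The given private key could not be parsed with any of the supported algorithms. Please see PEMReader#SUPPORTED_PRIVATE_KEY_ALGORITHMS.");
    }

    /**
     * Decrypts a PKCS#8 {@code EncryptedPrivateKeyInfo} blob with a password-derived key.
     *
     * @param encryptedKeyBytes DER bytes of the encrypted key structure
     * @param keyPassword non-empty password for the key
     * @return the decrypted key material wrapped as a PKCS#8 key spec
     * @throws IOException if the structure cannot be parsed
     * @throws GeneralSecurityException if the algorithm is unavailable or decryption fails
     */
    private static PKCS8EncodedKeySpec decryptKeySpec(byte[] encryptedKeyBytes, String keyPassword)
            throws IOException, GeneralSecurityException {
        EncryptedPrivateKeyInfo keyInfo = new EncryptedPrivateKeyInfo(encryptedKeyBytes);
        logger.debug("Encrypted private key info's algorithm name: {}", keyInfo.getAlgName());
        AlgorithmParameters algParameters = keyInfo.getAlgParameters();

        // PBEKeySpec stores its own clone of the password, so both copies need wiping.
        char[] passwordChars = keyPassword.toCharArray();
        PBEKeySpec pbeKeySpec = new PBEKeySpec(passwordChars);
        SecretKey secretKey;
        try {
            secretKey = SecretKeyFactory.getInstance(keyInfo.getAlgName()).generateSecret(pbeKeySpec);
        } finally {
            // Runs on failure too, so the password copies never outlive key derivation.
            pbeKeySpec.clearPassword();
            Arrays.fill(passwordChars, '\0');
        }
        logger.debug("Key algorithm: {}, key format: {}", secretKey.getAlgorithm(), secretKey.getFormat());

        Cipher cipher = Cipher.getInstance(keyInfo.getAlgName());
        cipher.init(Cipher.DECRYPT_MODE, secretKey, algParameters);
        try {
            byte[] decrypted = cipher.doFinal(keyInfo.getEncryptedData());
            logger.debug("Decrypted private key's length: {}", decrypted.length);
            return new PKCS8EncodedKeySpec(decrypted);
        } catch (BadPaddingException e) {
            throw new GeneralSecurityException("Failed to decrypt the private key data. Either the password provided for the key is wrong or the private key data is corrupted. msg=" + e.getMessage(), e);
        }
    }

    /**
     * Parses every certificate block found in the given PEM text.
     *
     * <p>The certificates are returned in the order they appear. No validation (expiry,
     * signature, chain, trust) is performed.
     *
     * @param str PEM text containing one or more certificate blocks
     * @return the parsed certificates, in document order
     * @throws GeneralSecurityException if no certificate block is found, the base64 is invalid,
     *         or a certificate cannot be parsed
     */
    public static Certificate[] extractCertificates(String str) throws GeneralSecurityException {
        List<Certificate> certificates = new ArrayList<>();
        for (String base64Cert : extractBase64EncodedCerts(str)) {
            certificates.add(generateCertificate(base64Cert));
        }
        return certificates.toArray(new Certificate[0]);
    }

    /**
     * Decodes one base64 certificate body and parses it as an X.509 certificate.
     *
     * @param base64Cert base64 text of a single DER certificate, without PEM armor
     * @return the parsed certificate
     * @throws GeneralSecurityException if decoding or parsing fails
     */
    private static Certificate generateCertificate(String base64Cert) throws GeneralSecurityException {
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(decodeBase64(base64Cert)));
        logCertificateDetails(certificate);
        return certificate;
    }

    /**
     * Logs the subject, issuer, serial number and expiry of a certificate at INFO level.
     *
     * @param x509Certificate certificate to describe; must not be null
     */
    private static void logCertificateDetails(X509Certificate x509Certificate) {
        assert x509Certificate != null;
        logger.info("*********** Certificate Details *****************");
        logger.info("Subject DN: {}", x509Certificate.getSubjectDN());
        logger.info("Issuer DN: {}", x509Certificate.getIssuerDN());
        logger.info("Serial Number: {}", x509Certificate.getSerialNumber());
        logger.info("Expiry: {}", x509Certificate.getNotAfter());
    }

    /**
     * Returns the base64 body of the first private key block in the text, whitespace removed.
     *
     * @param pem PEM text to search
     * @return base64 text of the key
     * @throws GeneralSecurityException if no private key block is present
     */
    private static String extractBase64EncodedKey(String pem) throws GeneralSecurityException {
        Matcher matcher = KEY_PATTERN.matcher(pem);
        if (!matcher.find()) {
            throw new GeneralSecurityException("Invalid private key format");
        }
        return matcher.group(1).replaceAll("\\s", "");
    }

    /**
     * Returns the base64 body of every certificate block in the text, whitespace removed.
     *
     * @param pem PEM text to search
     * @return base64 bodies in document order; never empty
     * @throws GeneralSecurityException if no certificate block is present
     */
    private static List<String> extractBase64EncodedCerts(String pem) throws GeneralSecurityException {
        List<String> base64Certs = new ArrayList<>();
        Matcher matcher = CERT_PATTERN.matcher(pem);
        while (matcher.find()) {
            base64Certs.add(matcher.group(1).replaceAll("\\s", ""));
        }
        if (base64Certs.isEmpty()) {
            throw new GeneralSecurityException("Invalid certificate format");
        }
        return base64Certs;
    }

    /**
     * Decodes base64 text, converting a malformed-input failure into a checked exception.
     *
     * @param base64 base64 text with no whitespace
     * @return the decoded bytes
     * @throws GeneralSecurityException if the text is not valid base64
     */
    private static byte[] decodeBase64(String base64) throws GeneralSecurityException {
        try {
            return Base64.getDecoder().decode(base64);
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("Failed to decode given base64 input. msg=" + e.getMessage(), e);
        }
    }
}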
