package io.fusionauth.pem;

import io.fusionauth.der.DerInputStream;
import io.fusionauth.der.DerOutputStream;
import io.fusionauth.der.DerValue;
import io.fusionauth.der.ObjectIdentifier;
import io.fusionauth.jwt.domain.KeyType;
import io.fusionauth.pem.domain.PEM;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Objects;

/* loaded from: input_file:io/fusionauth/pem/PEMDecoder.class */
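/**
 * Decodes PEM encoded public keys, private keys and X.509 certificates into a {@link PEM}.
 *
 * <p>The format is selected by looking for a known {@code -----BEGIN ...-----} marker anywhere in
 * the input, in a fixed order (see {@link #decode(String)}); only the first matching block type is
 * decoded.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>A certificate is only parsed. No chain, validity period, revocation or signature check is
 *       performed here; trust decisions belong to the caller.</li>
 *   <li>For EC private keys the returned public key is rebuilt from the public key bit string
 *       embedded in the PEM. This class does not check that it matches the private scalar.</li>
 *   <li>The input may hold private key material. The messages built by this class contain only
 *       markers, versions, OIDs and element counts, never the Base64 body.</li>
 *   <li>Malformed input (missing markers, invalid Base64, truncated EC structures) is reported as
 *       a {@code PEMDecoderException} rather than as an index or argument exception.</li>
 * </ul>
 *
 * <p>The class holds no instance state.
 */
public class PEMDecoder {
    /** DER content bytes of OID 1.2.840.10045.2.1 (id-ecPublicKey). */
    private static final byte[] EC_ENCRYPTION_OID = {42, -122, 72, -50, 61, 2, 1};

    // DER tag numbers used when checking and re-encoding structures.
    private static final int TAG_INTEGER = 2;

    private static final int TAG_BIT_STRING = 3;

    private static final int TAG_OCTET_STRING = 4;

    private static final int TAG_OBJECT_IDENTIFIER = 6;

    private static final int TAG_SEQUENCE = 48;

    /** Raw tag byte 0xA1: context specific, constructed, tag number 1 (the EC publicKey field). */
    private static final int TAG_CONTEXT_SPECIFIC_1 = -95;

    /**
     * Reads the file at {@code path} and decodes its PEM content.
     *
     * @param path the file to read; must not be null
     * @return the decoded PEM
     * @throws PEMDecoderException if the file cannot be read or its content cannot be decoded
     */
    public PEM decode(Path path) {
        Objects.requireNonNull(path);
        try {
            return decode(Files.readAllBytes(path));
        } catch (IOException e) {
            throw new PEMDecoderException("Unable to read the file from path [" + path.toAbsolutePath().toString() + "]", e);
        }
    }

    /**
     * Decodes PEM content held in a byte array.
     *
     * @param bytes the PEM text as bytes; must not be null
     * @return the decoded PEM
     * @throws PEMDecoderException if the content cannot be decoded
     */
    public PEM decode(byte[] bytes) {
        Objects.requireNonNull(bytes);
        // PEM is 7-bit ASCII; name the charset so the result does not depend on the platform default.
        return decode(new String(bytes, StandardCharsets.UTF_8));
    }

    /**
     * Decodes PEM text. Block types are tried in this order: PKCS#1 public key, X.509 public key,
     * X.509 certificate, PKCS#1 private key, PKCS#8 private key, EC private key.
     *
     * @param encodedKey the PEM text; must not be null
     * @return the decoded PEM
     * @throws PEMDecoderException if no supported marker is found or the content cannot be decoded
     */
    public PEM decode(String encodedKey) {
        Objects.requireNonNull(encodedKey);
        try {
            if (encodedKey.contains(PEM.PKCS_1_PUBLIC_KEY_PREFIX)) {
                return decode_PKCS_1_Public(encodedKey);
            }
            if (encodedKey.contains(PEM.X509_PUBLIC_KEY_PREFIX)) {
                return decode_X_509(encodedKey);
            }
            if (encodedKey.contains(PEM.X509_CERTIFICATE_PREFIX)) {
                // Parsing only: the certificate is not validated against any trust anchor here.
                byte[] certificateBytes = getKeyBytes(encodedKey, PEM.X509_CERTIFICATE_PREFIX, PEM.X509_CERTIFICATE_SUFFIX);
                return new PEM(CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certificateBytes)));
            }
            if (encodedKey.contains(PEM.PKCS_1_PRIVATE_KEY_PREFIX)) {
                return decode_PKCS_1_Private(encodedKey);
            }
            if (encodedKey.contains(PEM.PKCS_8_PRIVATE_KEY_PREFIX)) {
                return decode_PKCS_8(encodedKey);
            }
            // Detect on the BEGIN marker like every other branch (this used to test the END marker).
            if (encodedKey.contains(PEM.EC_PRIVATE_KEY_PREFIX)) {
                return decode_EC_privateKey(encodedKey);
            }
            throw new PEMDecoderException(new InvalidParameterException("Unexpected PEM Format"));
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            throw new PEMDecoderException(e);
        }
    }

    /**
     * Decodes a bare EC private key by wrapping it in a PKCS#8 structure for the JDK key factory.
     * The sequence is read as [ version | privateKey | parameters (curve OID) | publicKey ].
     *
     * @param encodedKey the PEM text
     * @return the private key, plus the embedded public key when the PEM carries one
     */
    private PEM decode_EC_privateKey(String encodedKey) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] keyBytes = getKeyBytes(encodedKey, PEM.EC_PRIVATE_KEY_PREFIX, PEM.EC_PRIVATE_KEY_SUFFIX);
        DerValue[] sequence = new DerInputStream(keyBytes).getSequence();
        if (sequence.length < 2) {
            // Guard the index reads below against a truncated or empty structure.
            throw new PEMDecoderException("Unable to decode the provided PEM, expected at least [2] values in the DER encoded EC private key but found [" + sequence.length + "]");
        }

        BigInteger version = sequence[0].getBigInteger();
        if (!version.equals(BigInteger.valueOf(1L))) {
            throw new PEMDecoderException("Expected version [1] but found version of [" + version + "]");
        }
        if (sequence.length == 2) {
            throw new PEMDecoderException("Unable to decode the provided PEM, the EC private key does not contain the curve identifier necessary to convert to a PKCS#8 format before building a private key");
        }

        // AlgorithmIdentifier ::= SEQUENCE { id-ecPublicKey, curve OID taken from the key }
        byte[] curveOid = sequence[2].getOID().value;
        DerOutputStream algorithmIdentifier = new DerOutputStream()
                .writeValue(new DerValue(TAG_OBJECT_IDENTIFIER, EC_ENCRYPTION_OID))
                .writeValue(new DerValue(TAG_OBJECT_IDENTIFIER, curveOid));

        // PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING (original key) }
        DerOutputStream privateKeyInfo = new DerOutputStream()
                .writeValue(new DerValue(BigInteger.valueOf(0L)))
                .writeValue(new DerValue(TAG_SEQUENCE, algorithmIdentifier))
                .writeValue(new DerValue(TAG_OCTET_STRING, keyBytes));
        byte[] pkcs8 = new DerOutputStream().writeValue(new DerValue(TAG_SEQUENCE, privateKeyInfo)).toByteArray();

        ECPrivateKey privateKey = (ECPrivateKey) KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        if (sequence.length < 4) {
            // No fourth element to read a public key from; return the private key alone, as
            // decode_PKCS_8 does for EC keys without an embedded public key.
            PrivateKey privateOnly = privateKey;
            return new PEM(privateOnly);
        }

        DerValue publicKeyBitString = new DerInputStream(sequence[3]).readDerValue();
        return new PEM(privateKey, getPublicKeyFromPrivateEC(publicKeyBitString, privateKey));
    }

    /**
     * Decodes a PKCS#1 RSA private key and derives the matching public key from its modulus and
     * public exponent. Element 0 of the sequence is not inspected.
     *
     * @param encodedKey the PEM text
     * @return the RSA private key and its public key
     */
    private PEM decode_PKCS_1_Private(String encodedKey) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] keyBytes = getKeyBytes(encodedKey, PEM.PKCS_1_PRIVATE_KEY_PREFIX, PEM.PKCS_1_PRIVATE_KEY_SUFFIX);
        DerValue[] sequence = new DerInputStream(keyBytes).getSequence();
        if (sequence.length < 9) {
            throw new PEMDecoderException(new InvalidKeyException("Could not build a PKCS#1 private key. Expected at least 9 values in the DER encoded sequence."));
        }

        BigInteger modulus = sequence[1].getBigInteger();
        BigInteger publicExponent = sequence[2].getBigInteger();
        BigInteger privateExponent = sequence[3].getBigInteger();
        BigInteger primeP = sequence[4].getBigInteger();
        BigInteger primeQ = sequence[5].getBigInteger();
        BigInteger primeExponentP = sequence[6].getBigInteger();
        BigInteger primeExponentQ = sequence[7].getBigInteger();
        BigInteger crtCoefficient = sequence[8].getBigInteger();

        PrivateKey privateKey = KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, primeP, primeQ, primeExponentP, primeExponentQ, crtCoefficient));
        PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
        return new PEM(privateKey, publicKey);
    }

    /**
     * Decodes a PKCS#1 RSA public key, expected as [ Integer (modulus) | Integer (exponent) ].
     *
     * @param encodedKey the PEM text
     * @return the RSA public key
     * @throws InvalidKeyException if the sequence does not hold exactly two integers
     */
    private PEM decode_PKCS_1_Public(String encodedKey) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        byte[] keyBytes = getKeyBytes(encodedKey, PEM.PKCS_1_PUBLIC_KEY_PREFIX, PEM.PKCS_1_PUBLIC_KEY_SUFFIX);
        DerValue[] sequence = new DerInputStream(keyBytes).getSequence();
        boolean wellFormed = sequence.length == 2 && sequence[0].tag.is(TAG_INTEGER) && sequence[1].tag.is(TAG_INTEGER);
        if (!wellFormed) {
            throw new InvalidKeyException("Could not build this PKCS#1 public key. Expecting values in the DER encoded sequence in the following format [ Integer | Integer ]");
        }

        BigInteger modulus = sequence[0].getBigInteger();
        BigInteger publicExponent = sequence[1].getBigInteger();
        return new PEM(KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, publicExponent)));
    }

    /**
     * Decodes a PKCS#8 private key, expected as [ Integer | Sequence | OctetString ]. The key
     * algorithm is chosen from the OID in the algorithm sequence.
     *
     * @param encodedKey the PEM text
     * @return the private key, with a public key when one can be rebuilt (RSA CRT keys, and EC keys
     *     that embed a public key)
     * @throws InvalidKeyException if the structure or the algorithm OID is not supported
     */
    private PEM decode_PKCS_8(String encodedKey) throws NoSuchAlgorithmException, IOException, InvalidKeySpecException, InvalidKeyException {
        byte[] keyBytes = getKeyBytes(encodedKey, PEM.PKCS_8_PRIVATE_KEY_PREFIX, PEM.PKCS_8_PRIVATE_KEY_SUFFIX);
        DerValue[] sequence = new DerInputStream(keyBytes).getSequence();
        boolean wellFormed = sequence.length == 3
                && sequence[0].tag.is(TAG_INTEGER)
                && sequence[1].tag.is(TAG_SEQUENCE)
                && sequence[2].tag.is(TAG_OCTET_STRING);
        if (!wellFormed) {
            throw new InvalidKeyException("Could not decode the private key. Expecting values in the DER encoded sequence in the following format [ Integer | Sequence | OctetString ]");
        }

        ObjectIdentifier oid = new DerInputStream(sequence[1].toByteArray()).getOID();
        KeyType keyType = KeyType.getKeyTypeFromOid(oid.decode());
        if (keyType == null) {
            throw new InvalidKeyException("Could not decode the private key. Expected an EC or RSA key type but found OID [" + oid.decode() + "] and was unable to match that to a supported algorithm.");
        }

        PrivateKey privateKey = KeyFactory.getInstance(keyType.name()).generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
        if (privateKey instanceof ECPrivateKey) {
            // The octet string wraps the EC private key; a third element tagged [1] is the public key.
            DerValue[] ecSequence = new DerInputStream(sequence[2]).getSequence();
            if (ecSequence.length == 3 && ecSequence[2].tag.rawByte == TAG_CONTEXT_SPECIFIC_1) {
                DerValue publicKeyBitString = new DerInputStream(ecSequence[2]).readDerValue();
                return new PEM(privateKey, getPublicKeyFromPrivateEC(publicKeyBitString, (ECPrivateKey) privateKey));
            }
            return new PEM(privateKey);
        }
        if (privateKey instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey) privateKey;
            PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(rsaKey.getModulus(), rsaKey.getPublicExponent()));
            return new PEM(privateKey, publicKey);
        }
        return new PEM(privateKey);
    }

    /**
     * Decodes an X.509 SubjectPublicKeyInfo public key, expected as [ Sequence | BitString ].
     *
     * @param encodedKey the PEM text
     * @return the public key
     * @throws InvalidKeyException if the structure or the algorithm OID is not supported
     */
    private PEM decode_X_509(String encodedKey) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        byte[] keyBytes = getKeyBytes(encodedKey, PEM.X509_PUBLIC_KEY_PREFIX, PEM.X509_PUBLIC_KEY_SUFFIX);
        DerValue[] sequence = new DerInputStream(keyBytes).getSequence();
        boolean wellFormed = sequence.length == 2 && sequence[0].tag.is(TAG_SEQUENCE) && sequence[1].tag.is(TAG_BIT_STRING);
        if (!wellFormed) {
            throw new InvalidKeyException("Could not decode the X.509 public key. Expected values in the DER encoded sequence in the following format [ Sequence | BitString ]");
        }

        ObjectIdentifier oid = new DerInputStream(sequence[0].toByteArray()).getOID();
        KeyType keyType = KeyType.getKeyTypeFromOid(oid.decode());
        if (keyType == null) {
            // The previous message reported a sequence length problem, which is not what failed here.
            throw new InvalidKeyException("Could not decode the X.509 public key. Expected an EC or RSA key type but found OID [" + oid.decode() + "] and was unable to match that to a supported algorithm.");
        }
        return new PEM(KeyFactory.getInstance(keyType.name()).generatePublic(new X509EncodedKeySpec(keyBytes)));
    }

    /**
     * Extracts and Base64 decodes the body between {@code prefix} and the first {@code suffix}
     * that follows it. All whitespace in the body is removed before decoding.
     *
     * @param encodedKey the PEM text
     * @param prefix the BEGIN marker
     * @param suffix the END marker
     * @return the decoded DER bytes
     * @throws PEMDecoderException if a marker is missing or the body is not valid Base64
     */
    private byte[] getKeyBytes(String encodedKey, String prefix, String suffix) {
        int prefixIndex = encodedKey.indexOf(prefix);
        if (prefixIndex < 0) {
            throw new PEMDecoderException("Unexpected PEM Format, unable to find the expected marker [" + prefix + "]");
        }

        int bodyStart = prefixIndex + prefix.length();
        // Search after the BEGIN marker so an earlier END marker cannot produce a negative range.
        int bodyEnd = encodedKey.indexOf(suffix, bodyStart);
        if (bodyEnd < 0) {
            throw new PEMDecoderException("Unexpected PEM Format, unable to find the expected marker [" + suffix + "]");
        }

        String base64 = encodedKey.substring(bodyStart, bodyEnd).replaceAll("\\s+", "");
        try {
            return Base64.getDecoder().decode(base64);
        } catch (IllegalArgumentException e) {
            // Keep the failure inside the decoder's exception type; the body itself is not echoed.
            throw new PEMDecoderException(e);
        }
    }

    /**
     * Builds an X.509 SubjectPublicKeyInfo from the algorithm identifier of {@code privateKey}'s
     * own encoding and the public key bit string found in the PEM, then loads it as an EC public
     * key. No check is made that the bit string corresponds to the private key.
     *
     * @param bitString the public key bit string read from the PEM
     * @param privateKey the EC private key whose algorithm identifier is reused
     * @return the EC public key
     */
    private PublicKey getPublicKeyFromPrivateEC(DerValue bitString, ECPrivateKey privateKey) throws InvalidKeySpecException, IOException, NoSuchAlgorithmException {
        // Element 1 of the private key's encoded sequence is reused as the algorithm identifier.
        byte[] algorithmIdentifier = new DerInputStream(privateKey.getEncoded()).getSequence()[1].toByteArray();
        DerOutputStream subjectPublicKeyInfo = new DerOutputStream()
                .writeValue(new DerValue(TAG_SEQUENCE, algorithmIdentifier))
                .writeValue(new DerValue(TAG_BIT_STRING, bitString.toByteArray()));
        byte[] encoded = new DerOutputStream().writeValue(new DerValue(TAG_SEQUENCE, subjectPublicKeyInfo)).toByteArray();
        return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(encoded));
    }
}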
