package org.elasticsearch.xpack.core.ssl;

import java.io.BufferedReader;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.interfaces.ECKey;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.elasticsearch.common.CharArrays;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.license.License;
import org.elasticsearch.protocol.xpack.graph.VertexRequest;
import org.elasticsearch.xpack.core.ml.job.config.DataDescription;
import org.elasticsearch.xpack.core.upgrade.IndexUpgradeCheckVersion;

/* loaded from: input_file:org/elasticsearch/xpack/core/ssl/PemUtils.class */
public class PemUtils {
    // PEM encapsulation boundaries recognised by this class. Each header/footer pair
    // selects the parser that readPrivateKey hands the remaining lines to.

    // Traditional OpenSSL RSA key ("PKCS#1" layout, optionally encrypted via Proc-Type/DEK-Info headers).
    private static final String PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----";
    private static final String PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----";
    // Traditional OpenSSL DSA key.
    private static final String OPENSSL_DSA_HEADER = "-----BEGIN DSA PRIVATE KEY-----";
    private static final String OPENSSL_DSA_FOOTER = "-----END DSA PRIVATE KEY-----";
    // Optional DSA parameters block; it is skipped and the DSA key block after it is parsed.
    private static final String OPENSSL_DSA_PARAMS_HEADER = "-----BEGIN DSA PARAMETERS-----";
    private static final String OPENSSL_DSA_PARAMS_FOOTER = "-----END DSA PARAMETERS-----";
    // Unencrypted PKCS#8 PrivateKeyInfo.
    private static final String PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----";
    private static final String PKCS8_FOOTER = "-----END PRIVATE KEY-----";
    // PKCS#8 EncryptedPrivateKeyInfo; always requires a password.
    private static final String PKCS8_ENCRYPTED_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
    private static final String PKCS8_ENCRYPTED_FOOTER = "-----END ENCRYPTED PRIVATE KEY-----";
    // Traditional OpenSSL EC key.
    private static final String OPENSSL_EC_HEADER = "-----BEGIN EC PRIVATE KEY-----";
    private static final String OPENSSL_EC_FOOTER = "-----END EC PRIVATE KEY-----";
    // Optional EC parameters block; it is skipped and the EC key block after it is parsed.
    private static final String OPENSSL_EC_PARAMS_HEADER = "-----BEGIN EC PARAMETERS-----";
    private static final String OPENSSL_EC_PARAMS_FOOTER = "-----END EC PARAMETERS-----";
    // Common prefix of every PEM header; lines before the first one that starts with it are ignored.
    private static final String HEADER = "-----BEGIN";

    /**
     * Not instantiable: the class only exposes static helpers. The constructor throws
     * so that reflective instantiation fails as well.
     *
     * @throws IllegalStateException always
     */
    private PemUtils() {
        throw new IllegalStateException("Utility class should not be instantiated");
    }

    /**
     * Reads the first PEM-encoded private key found in the file at {@code path}.
     *
     * <p>Lines preceding the first {@code -----BEGIN} line are skipped. The header line then
     * selects the parser: encrypted or plain PKCS#8, or the traditional OpenSSL RSA, DSA and EC
     * layouts (the latter two optionally preceded by a parameters block).
     *
     * <p>The {@code supplier} is consulted only when the key turns out to be encrypted. The
     * {@code char[]} it returns is not wiped by this class, so clearing it remains the caller's
     * responsibility.
     *
     * @param path     location of the PEM file, read as UTF-8
     * @param supplier source of the decryption password; may return {@code null} when no password is available
     * @return the parsed private key
     * @throws IllegalStateException    if the file has no PEM header, has an unsupported header, or
     *                                  cannot be read or parsed (the I/O or security exception is the cause)
     * @throws IllegalArgumentException if the key is PKCS#8-encrypted and the supplier returns {@code null}
     */
    public static PrivateKey readPrivateKey(Path path, Supplier<char[]> supplier) {
        try (BufferedReader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
            String line = reader.readLine();
            // Tolerate leading text (e.g. "Bag Attributes" output) before the first PEM header.
            while (line != null && !line.startsWith(HEADER)) {
                line = reader.readLine();
            }
            if (line == null) {
                throw new IllegalStateException("Error parsing Private Key from: " + path.toString() + ". File is empty");
            }
            switch (line.trim()) {
                case PKCS8_ENCRYPTED_HEADER: {
                    char[] password = supplier.get();
                    if (password == null) {
                        throw new IllegalArgumentException("cannot read encrypted key without a password");
                    }
                    return parsePKCS8Encrypted(reader, password);
                }
                case PKCS8_HEADER:
                    return parsePKCS8(reader);
                case PKCS1_HEADER:
                    return parsePKCS1Rsa(reader, supplier);
                case OPENSSL_DSA_HEADER:
                    return parseOpenSslDsa(reader, supplier);
                case OPENSSL_DSA_PARAMS_HEADER:
                    return parseOpenSslDsa(removeDsaHeaders(reader), supplier);
                case OPENSSL_EC_HEADER:
                    return parseOpenSslEC(reader, supplier);
                case OPENSSL_EC_PARAMS_HEADER:
                    return parseOpenSslEC(removeECHeaders(reader), supplier);
                default:
                    throw new IllegalStateException("Error parsing Private Key from: " + path.toString() + ". File did not contain a supported key format");
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Error parsing Private Key from: " + path.toString(), e);
        }
    }

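    /**
     * Skips the remainder of an {@code EC PARAMETERS} block and the {@code EC PRIVATE KEY}
     * header that must follow it, leaving the reader positioned on the first line of the key body.
     *
     * <p>The key header is compared after trimming, the same way every other header and footer
     * in this class is compared, so trailing whitespace does not make a valid file unreadable.
     *
     * @param bufferedReader reader positioned just after the {@code EC PARAMETERS} header
     * @return the same reader, advanced past the EC key header
     * @throws IOException if the parameters footer or the EC key header is missing
     */
    private static BufferedReader removeECHeaders(BufferedReader bufferedReader) throws IOException {
        String line = bufferedReader.readLine();
        while (line != null && !OPENSSL_EC_PARAMS_FOOTER.equals(line.trim())) {
            line = bufferedReader.readLine();
        }
        // The loop only stops on end-of-file or on the footer, so null means the footer never came.
        if (line == null) {
            throw new IOException("Malformed PEM file, EC Parameters footer is missing");
        }
        String keyHeader = bufferedReader.readLine();
        if (keyHeader == null || !OPENSSL_EC_HEADER.equals(keyHeader.trim())) {
            throw new IOException("Malformed PEM file, EC Key header is missing");
        }
        return bufferedReader;
    }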

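    /**
     * Skips the remainder of a {@code DSA PARAMETERS} block and the {@code DSA PRIVATE KEY}
     * header that must follow it, leaving the reader positioned on the first line of the key body.
     *
     * <p>The key header is compared after trimming, the same way every other header and footer
     * in this class is compared, so trailing whitespace does not make a valid file unreadable.
     *
     * @param bufferedReader reader positioned just after the {@code DSA PARAMETERS} header
     * @return the same reader, advanced past the DSA key header
     * @throws IOException if the parameters footer or the DSA key header is missing
     */
    private static BufferedReader removeDsaHeaders(BufferedReader bufferedReader) throws IOException {
        String line = bufferedReader.readLine();
        while (line != null && !OPENSSL_DSA_PARAMS_FOOTER.equals(line.trim())) {
            line = bufferedReader.readLine();
        }
        // The loop only stops on end-of-file or on the footer, so null means the footer never came.
        if (line == null) {
            throw new IOException("Malformed PEM file, DSA Parameters footer is missing");
        }
        String keyHeader = bufferedReader.readLine();
        if (keyHeader == null || !OPENSSL_DSA_HEADER.equals(keyHeader.trim())) {
            throw new IOException("Malformed PEM file, DSA Key header is missing");
        }
        return bufferedReader;
    }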

    /**
     * Parses an unencrypted PKCS#8 key whose header line has already been consumed.
     *
     * <p>Base64 lines are collected up to the {@code END PRIVATE KEY} footer, decoded, and the
     * key algorithm is taken from the algorithm OID inside the decoded structure.
     *
     * @param bufferedReader reader positioned on the first body line
     * @return the parsed private key
     * @throws IOException              if the footer is missing
     * @throws GeneralSecurityException if the algorithm OID is unsupported or the key spec is rejected
     */
    private static PrivateKey parsePKCS8(BufferedReader bufferedReader) throws IOException, GeneralSecurityException {
        StringBuilder base64Body = new StringBuilder();
        String line;
        for (line = bufferedReader.readLine(); line != null; line = bufferedReader.readLine()) {
            String trimmed = line.trim();
            if (PKCS8_FOOTER.equals(trimmed)) {
                break;
            }
            base64Body.append(trimmed);
        }
        // Reaching end-of-file means the loop never saw the footer.
        if (line == null) {
            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
        }
        // NOTE(review): Base64 decoding raises an unchecked IllegalArgumentException on bad input,
        // which bypasses the IOException/GeneralSecurityException wrapping done by readPrivateKey.
        byte[] der = Base64.getDecoder().decode(base64Body.toString());
        KeyFactory keyFactory = KeyFactory.getInstance(getKeyAlgorithmIdentifier(der));
        return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(der));
    }

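    /**
     * Parses a traditional OpenSSL EC private key whose header line has already been consumed.
     *
     * <p>Lines containing a colon are treated as PEM headers ({@code Proc-Type}, {@code DEK-Info});
     * all other lines are Base64 body. A header line without a value is reported as a malformed
     * file instead of surfacing as an {@link ArrayIndexOutOfBoundsException}.
     *
     * @param bufferedReader reader positioned on the first line after the EC key header
     * @param supplier       source of the password, consulted only if the headers mark the key as encrypted
     * @return the parsed private key
     * @throws IOException              if a header line or the footer is malformed or missing
     * @throws GeneralSecurityException if decryption or key construction fails
     */
    private static PrivateKey parseOpenSslEC(BufferedReader bufferedReader, Supplier<char[]> supplier) throws IOException, GeneralSecurityException {
        StringBuilder base64Body = new StringBuilder();
        Map<String, String> pemHeaders = new HashMap<>();
        String line = bufferedReader.readLine();
        while (line != null && !OPENSSL_EC_FOOTER.equals(line.trim())) {
            if (line.contains(":")) {
                String[] header = line.split(":");
                // "Name:" or ":" alone yields fewer than two parts; reject rather than index past the array.
                if (header.length < 2) {
                    throw new IOException("Malformed PEM file, PEM header is invalid");
                }
                pemHeaders.put(header[0].trim(), header[1].trim());
            } else {
                base64Body.append(line.trim());
            }
            line = bufferedReader.readLine();
        }
        if (line == null) {
            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
        }
        KeyFactory keyFactory = KeyFactory.getInstance("EC");
        byte[] der = possiblyDecryptPKCS1Key(pemHeaders, base64Body.toString(), supplier);
        return keyFactory.generatePrivate(parseEcDer(der));
    }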

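    /**
     * Parses a traditional OpenSSL (PKCS#1) RSA private key whose header line has already been consumed.
     *
     * <p>Lines containing a colon are treated as PEM headers ({@code Proc-Type}, {@code DEK-Info});
     * all other lines are Base64 body. A header line without a value is reported as a malformed
     * file instead of surfacing as an {@link ArrayIndexOutOfBoundsException}.
     *
     * @param bufferedReader reader positioned on the first line after the RSA key header
     * @param supplier       source of the password, consulted only if the headers mark the key as encrypted
     * @return the parsed private key
     * @throws IOException              if a header line or the footer is malformed or missing
     * @throws GeneralSecurityException if decryption or key construction fails
     */
    private static PrivateKey parsePKCS1Rsa(BufferedReader bufferedReader, Supplier<char[]> supplier) throws IOException, GeneralSecurityException {
        StringBuilder base64Body = new StringBuilder();
        Map<String, String> pemHeaders = new HashMap<>();
        String line = bufferedReader.readLine();
        while (line != null && !PKCS1_FOOTER.equals(line.trim())) {
            if (line.contains(":")) {
                String[] header = line.split(":");
                // "Name:" or ":" alone yields fewer than two parts; reject rather than index past the array.
                if (header.length < 2) {
                    throw new IOException("Malformed PEM file, PEM header is invalid");
                }
                pemHeaders.put(header[0].trim(), header[1].trim());
            } else {
                base64Body.append(line.trim());
            }
            line = bufferedReader.readLine();
        }
        if (line == null) {
            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
        }
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        byte[] der = possiblyDecryptPKCS1Key(pemHeaders, base64Body.toString(), supplier);
        return keyFactory.generatePrivate(parseRsaDer(der));
    }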

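    /**
     * Parses a traditional OpenSSL DSA private key whose header line has already been consumed.
     *
     * <p>Lines containing a colon are treated as PEM headers ({@code Proc-Type}, {@code DEK-Info});
     * all other lines are Base64 body. A header line without a value is reported as a malformed
     * file instead of surfacing as an {@link ArrayIndexOutOfBoundsException}.
     *
     * @param bufferedReader reader positioned on the first line after the DSA key header
     * @param supplier       source of the password, consulted only if the headers mark the key as encrypted
     * @return the parsed private key
     * @throws IOException              if a header line or the footer is malformed or missing
     * @throws GeneralSecurityException if decryption or key construction fails
     */
    private static PrivateKey parseOpenSslDsa(BufferedReader bufferedReader, Supplier<char[]> supplier) throws IOException, GeneralSecurityException {
        StringBuilder base64Body = new StringBuilder();
        Map<String, String> pemHeaders = new HashMap<>();
        String line = bufferedReader.readLine();
        while (line != null && !OPENSSL_DSA_FOOTER.equals(line.trim())) {
            if (line.contains(":")) {
                String[] header = line.split(":");
                // "Name:" or ":" alone yields fewer than two parts; reject rather than index past the array.
                if (header.length < 2) {
                    throw new IOException("Malformed PEM file, PEM header is invalid");
                }
                pemHeaders.put(header[0].trim(), header[1].trim());
            } else {
                base64Body.append(line.trim());
            }
            line = bufferedReader.readLine();
        }
        if (line == null) {
            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
        }
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        byte[] der = possiblyDecryptPKCS1Key(pemHeaders, base64Body.toString(), supplier);
        return keyFactory.generatePrivate(parseDsaDer(der));
    }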

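    /**
     * Parses a PKCS#8 {@code EncryptedPrivateKeyInfo} whose header line has already been consumed
     * and decrypts it with the given password.
     *
     * <p>The cipher and key-derivation algorithm are whatever the encrypted structure names
     * ({@link EncryptedPrivateKeyInfo#getAlgName()}); the file therefore decides which algorithm
     * is used, and only algorithms known to the installed JCE providers can be read.
     *
     * <p>The {@link PBEKeySpec} keeps its own copy of the password; that copy is wiped once
     * decryption has finished. The caller's {@code cArr} is left untouched.
     *
     * @param bufferedReader reader positioned on the first body line
     * @param cArr           decryption password, never {@code null} here (checked by the caller)
     * @return the decrypted private key
     * @throws IOException              if the footer is missing or the structure cannot be decoded
     * @throws GeneralSecurityException if the algorithm is unavailable or decryption fails
     */
    private static PrivateKey parsePKCS8Encrypted(BufferedReader bufferedReader, char[] cArr) throws IOException, GeneralSecurityException {
        StringBuilder base64Body = new StringBuilder();
        String line = bufferedReader.readLine();
        while (line != null && !PKCS8_ENCRYPTED_FOOTER.equals(line.trim())) {
            base64Body.append(line.trim());
            line = bufferedReader.readLine();
        }
        if (line == null) {
            throw new IOException("Malformed PEM file, PEM footer is invalid or missing");
        }
        EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(Base64.getDecoder().decode(base64Body.toString()));
        String algorithmName = encryptedInfo.getAlgName();
        SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(algorithmName);
        PBEKeySpec pbeKeySpec = new PBEKeySpec(cArr);
        PKCS8EncodedKeySpec keySpec;
        try {
            SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
            Cipher cipher = Cipher.getInstance(algorithmName);
            cipher.init(Cipher.DECRYPT_MODE, secretKey, encryptedInfo.getAlgParameters());
            keySpec = encryptedInfo.getKeySpec(cipher);
        } finally {
            // Cleared only after decryption: a provider's key object may still refer to the spec
            // while the cipher is being initialised.
            pbeKeySpec.clearPassword();
        }
        return KeyFactory.getInstance(getKeyAlgorithmIdentifier(keySpec.getEncoded())).generatePrivate(keySpec);
    }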

    /**
     * Base64-decodes the body of a traditional OpenSSL key and, when the PEM headers mark it as
     * encrypted ({@code Proc-Type: 4,ENCRYPTED}), decrypts it using the cipher named in
     * {@code DEK-Info}.
     *
     * <p>This legacy scheme is plain CBC encryption with no integrity check; a wrong password is
     * detected only through a padding failure or, later, through DER that does not parse.
     *
     * @param map      PEM headers collected from the key block
     * @param str      concatenated Base64 body
     * @param supplier source of the password; consulted only when the key is encrypted
     * @return the DER bytes of the key, decrypted if necessary
     * @throws IOException              if {@code DEK-Info} is missing or no password is available
     * @throws GeneralSecurityException if the cipher is unsupported or decryption fails
     */
    private static byte[] possiblyDecryptPKCS1Key(Map<String, String> map, String str, Supplier<char[]> supplier) throws GeneralSecurityException, IOException {
        byte[] keyBytes = Base64.getDecoder().decode(str);
        boolean encrypted = "4,ENCRYPTED".equals(map.get("Proc-Type"));
        if (encrypted) {
            String dekInfo = map.get("DEK-Info");
            if (dekInfo == null) {
                throw new IOException("Malformed PEM File, DEK-Info header is missing");
            }
            char[] password = supplier.get();
            if (password == null) {
                throw new IOException("cannot read encrypted key without a password");
            }
            Cipher cipher = getCipherFromParameters(dekInfo, password);
            return cipher.doFinal(keyBytes);
        }
        return keyBytes;
    }

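    /**
     * Builds a decrypting cipher for a legacy OpenSSL-encrypted key from its {@code DEK-Info}
     * header value, which has the form {@code <cipher-name>,<hex IV>}.
     *
     * <p>The IV doubles as the salt of the key derivation, which reads its first 8 bytes; an IV
     * shorter than that is rejected here as a malformed file. The derived key bytes are wiped
     * after the {@link SecretKeySpec} has taken its own copy.
     *
     * @param str  the {@code DEK-Info} header value
     * @param cArr the password
     * @return a cipher initialised for decryption in CBC mode with PKCS5 padding
     * @throws IOException              if the header does not have two comma-separated parts or the IV is too short
     * @throws GeneralSecurityException if the named cipher is not one of the supported DES/3DES/AES variants
     * @throws IllegalStateException    if the IV is not valid hexadecimal
     */
    private static Cipher getCipherFromParameters(String str, char[] cArr) throws GeneralSecurityException, IOException {
        String[] dekInfo = str.split(",");
        if (dekInfo.length != 2) {
            throw new IOException("Malformed PEM file, DEK-Info PEM header is invalid");
        }
        String cipherName = dekInfo[0];
        byte[] iv = hexStringToByteArray(dekInfo[1]);
        final String keyAlgorithm;
        final int keyLength;
        switch (cipherName) {
            case "DES-CBC":
                keyAlgorithm = "DES";
                keyLength = 8;
                break;
            case "DES-EDE3-CBC":
                keyAlgorithm = "DESede";
                keyLength = 24;
                break;
            case "AES-128-CBC":
                keyAlgorithm = "AES";
                keyLength = 16;
                break;
            case "AES-192-CBC":
                keyAlgorithm = "AES";
                keyLength = 24;
                break;
            case "AES-256-CBC":
                keyAlgorithm = "AES";
                keyLength = 32;
                break;
            default:
                throw new GeneralSecurityException("Private Key encrypted with unsupported algorithm: " + cipherName);
        }
        // The key derivation consumes 8 salt bytes; fail with a parse error instead of an
        // unchecked exception from the digest when the header carries fewer.
        if (iv.length < 8) {
            throw new IOException("Malformed PEM file, DEK-Info IV is too short");
        }
        byte[] keyBytes = generateOpenSslKey(cArr, iv, keyLength);
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, keyAlgorithm);
            Cipher cipher = Cipher.getInstance(keyAlgorithm + "/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(iv));
            return cipher;
        } finally {
            // SecretKeySpec holds its own copy; do not leave a second one on the heap.
            Arrays.fill(keyBytes, (byte) 0);
        }
    }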

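    /**
     * Derives the symmetric key for a legacy OpenSSL-encrypted PEM key from the password.
     *
     * <p>Each round hashes (previous digest, password, first 8 salt bytes) with MD5 and appends
     * up to 16 digest bytes to the key until {@code i} bytes have been produced. This is a
     * single-iteration MD5 construction, so the password is the only barrier against offline
     * guessing; PKCS#8 encrypted keys are the stronger on-disk format.
     *
     * <p>The UTF-8 copy of the password is wiped on every exit path, including when the digest
     * rejects a salt shorter than 8 bytes.
     *
     * @param cArr the password
     * @param bArr the salt (the cipher IV); only the first 8 bytes are used
     * @param i    number of key bytes to derive
     * @return the derived key bytes
     */
    private static byte[] generateOpenSslKey(char[] cArr, byte[] bArr, int i) {
        byte[] passwordBytes = CharArrays.toUtf8Bytes(cArr);
        try {
            MessageDigest md5 = MessageDigests.md5();
            byte[] key = new byte[i];
            int copied = 0;
            while (copied < i) {
                md5.update(passwordBytes, 0, passwordBytes.length);
                md5.update(bArr, 0, 8);
                byte[] digest = md5.digest();
                // MD5 yields 16 bytes; the last round may need fewer.
                int chunk = Math.min(16, i - copied);
                System.arraycopy(digest, 0, key, copied, chunk);
                copied += chunk;
                // Seed the next round with this round's digest.
                md5.update(digest, 0, 16);
            }
            return key;
        } finally {
            Arrays.fill(passwordBytes, (byte) 0);
        }
    }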

    /**
     * Converts a hexadecimal string into the bytes it encodes, two characters per byte.
     *
     * <p>Digits are recognised with {@link Character#digit(char, int)}, so upper and lower case
     * are both accepted, as are non-ASCII characters that Unicode classifies as digits.
     *
     * @param str the hexadecimal text; an empty string yields an empty array
     * @return the decoded bytes
     * @throws IllegalStateException if the length is odd or a character is not a hex digit
     */
    private static byte[] hexStringToByteArray(String str) {
        final int charCount = str.length();
        if ((charCount & 1) == 1) {
            throw new IllegalStateException("Hexadeciamal string length is odd, can't convert to byte array");
        }
        final byte[] decoded = new byte[charCount >> 1];
        int pos = 0;
        while (pos < charCount) {
            final int high = Character.digit(str.charAt(pos), 16);
            final int low = Character.digit(str.charAt(pos + 1), 16);
            // Character.digit signals "not a digit in this radix" with -1.
            if (high < 0 || low < 0) {
                throw new IllegalStateException("String is not hexadecimal");
            }
            decoded[pos >> 1] = (byte) ((high << 4) | low);
            pos += 2;
        }
        return decoded;
    }

    /**
     * Extracts an EC private key spec from the DER bytes of a traditional OpenSSL EC key.
     *
     * <p>Reads, in order: an integer that is discarded (presumably the ECPrivateKey version
     * field), the private value as a hexadecimal string, and the named-curve OID nested one
     * level down. The curve parameters are obtained by generating a throwaway key pair on the
     * named curve and taking the parameters from its private key.
     *
     * @param bArr DER-encoded key
     * @return the private key spec on the named curve
     * @throws IOException              if the DER structure cannot be read
     * @throws GeneralSecurityException if the curve OID is unsupported or the EC provider rejects the curve
     */
    private static ECPrivateKeySpec parseEcDer(byte[] bArr) throws IOException, GeneralSecurityException {
        DerParser sequence = new DerParser(bArr).readAsn1Object().getParser();
        // First element is read only to advance the parser; its value is not used.
        sequence.readAsn1Object().getInteger();
        String privateValueHex = sequence.readAsn1Object().getString();
        BigInteger privateValue = new BigInteger(privateValueHex, 16);
        // NOTE(review): assumes the curve parameters element is present — confirm how DerParser
        // behaves for keys that omit it.
        String curveOid = sequence.readAsn1Object().getParser().readAsn1Object().getOid();
        String curveName = getEcCurveNameFromOid(curveOid);
        KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
        generator.initialize(new ECGenParameterSpec(curveName));
        // The generated key is discarded; only its curve parameters are kept.
        ECKey throwawayKey = (ECKey) generator.generateKeyPair().getPrivate();
        return new ECPrivateKeySpec(privateValue, throwawayKey.getParams());
    }

    /**
     * Extracts an RSA CRT private key spec from the DER bytes of a traditional OpenSSL RSA key.
     *
     * <p>The first integer is read and discarded; the following eight integers are passed, in
     * the order they appear, to {@link RSAPrivateCrtKeySpec}, whose constructor takes modulus,
     * public exponent, private exponent, prime P, prime Q, exponent P, exponent Q and CRT
     * coefficient.
     *
     * @param bArr DER-encoded key
     * @return the RSA private key spec
     * @throws IOException if the DER structure cannot be read
     */
    private static RSAPrivateCrtKeySpec parseRsaDer(byte[] bArr) throws IOException {
        DerParser sequence = new DerParser(bArr).readAsn1Object().getParser();
        // First element is read only to advance the parser; its value is not used.
        sequence.readAsn1Object().getInteger();
        BigInteger modulus = sequence.readAsn1Object().getInteger();
        BigInteger publicExponent = sequence.readAsn1Object().getInteger();
        BigInteger privateExponent = sequence.readAsn1Object().getInteger();
        BigInteger primeP = sequence.readAsn1Object().getInteger();
        BigInteger primeQ = sequence.readAsn1Object().getInteger();
        BigInteger primeExponentP = sequence.readAsn1Object().getInteger();
        BigInteger primeExponentQ = sequence.readAsn1Object().getInteger();
        BigInteger crtCoefficient = sequence.readAsn1Object().getInteger();
        return new RSAPrivateCrtKeySpec(
            modulus,
            publicExponent,
            privateExponent,
            primeP,
            primeQ,
            primeExponentP,
            primeExponentQ,
            crtCoefficient
        );
    }

    /**
     * Extracts a DSA private key spec from the DER bytes of a traditional OpenSSL DSA key.
     *
     * <p>Six integers are read in order. The first and the fifth are discarded; the second,
     * third and fourth become the {@code p}, {@code q} and {@code g} arguments of
     * {@link DSAPrivateKeySpec} and the sixth becomes its private value {@code x}.
     *
     * @param bArr DER-encoded key
     * @return the DSA private key spec
     * @throws IOException if the DER structure cannot be read
     */
    private static DSAPrivateKeySpec parseDsaDer(byte[] bArr) throws IOException {
        DerParser sequence = new DerParser(bArr).readAsn1Object().getParser();
        // First element is read only to advance the parser; its value is not used.
        sequence.readAsn1Object().getInteger();
        BigInteger p = sequence.readAsn1Object().getInteger();
        BigInteger q = sequence.readAsn1Object().getInteger();
        BigInteger g = sequence.readAsn1Object().getInteger();
        // Fifth element (presumably the public value) is skipped; the spec does not take it.
        sequence.readAsn1Object().getInteger();
        BigInteger x = sequence.readAsn1Object().getInteger();
        return new DSAPrivateKeySpec(x, p, q, g);
    }

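    /**
     * Determines the JCA key algorithm name of a PKCS#8 structure from its algorithm OID.
     *
     * <p>The decompiled form of this method (a hash-code switch assigning integers to a
     * {@code boolean}) does not compile; it is restored here to the string switch it encodes.
     *
     * @param bArr DER-encoded PKCS#8 key
     * @return {@code "RSA"}, {@code "DSA"} or {@code "EC"}
     * @throws IOException              if the DER structure cannot be read
     * @throws GeneralSecurityException if the OID is none of the three supported algorithms
     */
    private static String getKeyAlgorithmIdentifier(byte[] bArr) throws IOException, GeneralSecurityException {
        DerParser sequence = new DerParser(bArr).readAsn1Object().getParser();
        // First element is read only to advance the parser; its value is not used.
        sequence.readAsn1Object().getInteger();
        String oid = sequence.readAsn1Object().getParser().readAsn1Object().getOid();
        switch (oid) {
            case "1.2.840.10040.4.1":
                return "DSA";
            case "1.2.840.113549.1.1.1":
                return "RSA";
            case "1.2.840.10045.2.1":
                return "EC";
            default:
                throw new GeneralSecurityException("Error parsing key algorithm identifier. Algorithm with OID: " + oid + " is not supported");
        }
    }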

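    /**
     * Maps a named-curve OID to the curve name understood by {@code ECGenParameterSpec}.
     *
     * <p>The decompiled form of this method (a hash-code switch assigning integers to a
     * {@code boolean}) does not compile; it is restored here to the string switch it encodes.
     * The registered OID of secp192r1, {@code 1.2.840.10045.3.1.1}, is accepted in addition to
     * the shorter {@code 1.2.840.10045.3.1} that the original table listed, which is kept for
     * backward compatibility.
     *
     * @param str dotted-decimal curve OID
     * @return the curve name
     * @throws GeneralSecurityException if the OID is not in the table
     */
    private static String getEcCurveNameFromOid(String str) throws GeneralSecurityException {
        switch (str) {
            case "1.2.840.10045.3.1":
            case "1.2.840.10045.3.1.1":
                return "secp192r1";
            case "1.3.132.0.1":
                return "sect163k1";
            case "1.3.132.0.15":
                return "sect163r2";
            case "1.3.132.0.33":
                return "secp224r1";
            case "1.3.132.0.26":
                return "sect233k1";
            case "1.3.132.0.27":
                return "sect233r1";
            case "1.2.840.10045.3.1.7":
                return "secp256r1";
            case "1.3.132.0.16":
                return "sect283k1";
            case "1.3.132.0.17":
                return "sect283r1";
            case "1.3.132.0.34":
                return "secp384r1";
            case "1.3.132.0.36":
                return "sect409k1";
            case "1.3.132.0.37":
                return "sect409r1";
            case "1.3.132.0.35":
                return "secp521r1";
            case "1.3.132.0.38":
                return "sect571k1";
            case "1.3.132.0.39":
                return "sect571r1";
            default:
                throw new GeneralSecurityException("Error parsing EC named curve identifier. Named curve with OID: " + str + " is not supported");
        }
    }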
}
