package com.github.felfert.sslutils;

import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Collection;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/github/felfert/sslutils/PEMDecoder.class */
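/**
 * Decodes PEM-encoded X.509 certificates and "traditional" PEM private keys
 * ({@code -----BEGIN RSA|DSA|EC PRIVATE KEY-----}), including keys encrypted
 * with the {@code Proc-Type: 4,ENCRYPTED} / {@code DEK-Info} headers.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The encrypted format handled here derives the cipher key with a single
 *       pass of MD5 over password and salt (see
 *       {@link #generateKeyFromPasswordSaltWithMD5}). That is dictated by the
 *       file format and cannot be strengthened on the reading side; the
 *       password is the only real protection of such a file.</li>
 *   <li>{@code DES-CBC} (single DES) is still accepted for compatibility.</li>
 *   <li>Nothing in this class validates certificates (trust chain, validity
 *       period, revocation); it only parses them.</li>
 * </ul>
 */
public final class PEMDecoder {
    static final Logger LOGGER = LoggerFactory.getLogger(PEMDecoder.class);
    private static final Pattern PRIVKEY_DSA_BEGIN = Pattern.compile("^-----BEGIN DSA PRIVATE KEY-----\n");
    private static final Pattern PRIVKEY_DSA_END = Pattern.compile("\n-----END DSA PRIVATE KEY-----\\s*$");
    private static final Pattern PRIVKEY_RSA_BEGIN = Pattern.compile("^-----BEGIN RSA PRIVATE KEY-----\n");
    private static final Pattern PRIVKEY_RSA_END = Pattern.compile("\n-----END RSA PRIVATE KEY-----\\s*$");
    private static final Pattern PRIVKEY_EC_BEGIN = Pattern.compile("^-----BEGIN EC PRIVATE KEY-----\n");
    private static final Pattern PRIVKEY_EC_END = Pattern.compile("-----END EC PRIVATE KEY-----\\s*$");
    private static final Pattern PRIVKEY_PROCTYPE = Pattern.compile("^Proc-Type:\\s+4,ENCRYPTED\n");
    private static final Pattern PRIVKEY_DEKINFO = Pattern.compile("^DEK-Info:\\s+([^,]+),(\\S+)\n");

    /** Number of leading salt bytes that are mixed into the key derivation. */
    private static final int KDF_SALT_BYTES = 8;

    private static final String WRONG_PADDING =
            "Decrypted PEM has wrong padding, did you specify the correct password?";

    /**
     * Ciphers accepted in the {@code DEK-Info} header. The constant names are
     * the header values with {@code '-'} replaced by {@code '_'}, because the
     * header is resolved through {@link #valueOf(String)}.
     */
    private enum KeyAlgo {
        UNKNOWN(null, null, null, 0),
        AES_128_CBC("AES/CBC/NoPadding", "AES", "AES", 16),
        AES_192_CBC("AES/CBC/NoPadding", "AES", "AES", 24),
        AES_256_CBC("AES/CBC/NoPadding", "AES", "AES", 32),
        DES_EDE3_CBC("DESede/CBC/NoPadding", "DESede", "TripleDES", 24),
        // Single DES: kept only so that old key files can still be read.
        DES_CBC("DES/CBC/NoPadding", "DES", "DES", 8);

        /** JCE transformation string, {@code null} for {@link #UNKNOWN}. */
        private final String transformation;
        /** JCE key algorithm name passed to {@link SecretKeySpec}. */
        private final String keyAlgorithm;
        /** Cipher name as it appears in error messages. */
        private final String displayName;
        /** Length of the derived key in bytes. */
        private final int keyBytes;

        KeyAlgo(String transformation, String keyAlgorithm, String displayName, int keyBytes) {
            this.transformation = transformation;
            this.keyAlgorithm = keyAlgorithm;
            this.displayName = displayName;
            this.keyBytes = keyBytes;
        }
    }

    /** Key type as announced by the PEM armor line. */
    private enum KeyType {
        UNKNOWN,
        RSA,
        DSA,
        EC
    }

    /**
     * Parses every X.509 certificate contained in the given PEM text.
     *
     * <p>This is parsing only: the returned certificates are not checked
     * against any trust anchor, validity period or revocation source.
     *
     * @param str PEM text holding one or more certificates
     * @return the certificates produced by the JDK {@code X.509} factory
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     * @throws CertificateException if the data cannot be parsed
     */
    public Collection<? extends Certificate> decodeCertificates(String str) throws CertificateException {
        if (null == str || str.isEmpty()) {
            throw new IllegalArgumentException("PEM data is null or empty");
        }
        try {
            // NOTE(review): the platform default charset is used here; PEM armor
            // and Base64 are ASCII, so this should only matter for exotic defaults.
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(new ByteArrayInputStream(str.getBytes(Charset.defaultCharset())));
        } catch (CertificateException | RuntimeException e) {
            LOGGER.warn("Failed to decode PEM certificates", e);
            throw e;
        }
    }

    /**
     * Decodes a traditional PEM private key, decrypting it first when it
     * carries the {@code Proc-Type: 4,ENCRYPTED} header.
     *
     * <p>Both LF and CRLF line endings are accepted. EC keys are recognised
     * but not supported and are rejected after the version check.
     *
     * @param str  the PEM text, starting with the {@code -----BEGIN ...} line
     * @param str2 the password; required only when the key is encrypted
     * @return the key pair rebuilt from the private key structure
     * @throws IllegalArgumentException if the input is not a supported PEM
     *         private key, a header is malformed, the password is missing or
     *         wrong, or the DER content is invalid
     */
    public KeyPair decodePrivKey(String str, String str2) {
        if (null == str) {
            throw new IllegalArgumentException("Not a PEM-encoded private key");
        }
        // The armor and header patterns expect bare '\n'; normalise CRLF files
        // so they are not rejected as "not a PEM-encoded private key".
        final String pem = str.replace("\r\n", "\n");

        // The BEGIN patterns are anchored at the start of the input, so at most
        // one of the three armor types can match.
        KeyType keyType = KeyType.RSA;
        String body = stripArmor(pem, PRIVKEY_RSA_BEGIN, PRIVKEY_RSA_END);
        if (body == null) {
            keyType = KeyType.DSA;
            body = stripArmor(pem, PRIVKEY_DSA_BEGIN, PRIVKEY_DSA_END);
        }
        if (body == null) {
            keyType = KeyType.EC;
            body = stripArmor(pem, PRIVKEY_EC_BEGIN, PRIVKEY_EC_END);
        }
        if (body == null) {
            throw new IllegalArgumentException("Not a PEM-encoded private key");
        }

        KeyAlgo keyAlgo = KeyAlgo.UNKNOWN;
        byte[] salt = null;
        final boolean encrypted = PRIVKEY_PROCTYPE.matcher(body).find();
        if (encrypted) {
            final String afterProcType = PRIVKEY_PROCTYPE.matcher(body).replaceFirst("").trim();
            final Matcher dekInfo = PRIVKEY_DEKINFO.matcher(afterProcType);
            if (!dekInfo.find()) {
                throw new IllegalArgumentException("Missing or invalid DEK-Info header");
            }
            try {
                keyAlgo = KeyAlgo.valueOf(dekInfo.group(1).replace('-', '_'));
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("Invalid or unsupported algorithm in DEK-Info", e);
            }
            final String saltHex = dekInfo.group(2);
            // Reported directly so the caller sees the salt problem instead of
            // a misleading "unsupported algorithm" message.
            if (0 != saltHex.length() % 2 || saltHex.length() < 2 * KDF_SALT_BYTES) {
                throw new IllegalArgumentException("Length of hex salt in DEK-Info is less than 16 or not a multiple of 2");
            }
            try {
                salt = DatatypeConverter.parseHexBinary(saltHex.toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("Invalid hex salt in DEK-Info", e);
            }
            body = PRIVKEY_DEKINFO.matcher(afterProcType).replaceFirst("").trim();
        }

        byte[] der = DatatypeConverter.parseBase64Binary(body);
        if (encrypted) {
            if (null == str2) {
                throw new IllegalArgumentException("PEM is encrypted, but no password was specified");
            }
            // NOTE(review): the password is encoded with the platform default
            // charset, so a non-ASCII password derives a different key on
            // platforms with a different default - confirm this is intended.
            final byte[] passwordBytes = str2.getBytes(Charset.defaultCharset());
            try {
                der = decryptPEM(der, keyAlgo, salt, passwordBytes);
            } finally {
                // Best effort only: the password String itself stays on the heap.
                Arrays.fill(passwordBytes, (byte) 0);
            }
        }
        return decodePrivKey(der, keyType);
    }

    /**
     * Removes the BEGIN and END armor lines from a PEM text.
     *
     * @return the trimmed text between the armor lines, or {@code null} when
     *         either armor line is not found
     */
    private static String stripArmor(String pem, Pattern begin, Pattern end) {
        if (!begin.matcher(pem).find() || !end.matcher(pem).find()) {
            return null;
        }
        return end.matcher(begin.matcher(pem).replaceFirst("")).replaceFirst("").trim();
    }

    /**
     * Rebuilds a key pair from the DER content of a traditional private key.
     *
     * @param bArr    the (already decrypted) DER bytes
     * @param keyType the key type announced by the PEM armor
     * @throws IllegalArgumentException on trailing bytes after the outer
     *         sequence, an unexpected version number, or an unsupported type
     */
    private KeyPair decodePrivKey(byte[] bArr, KeyType keyType) {
        final SimpleDERReader reader = new SimpleDERReader(bArr);
        final byte[] sequence = reader.readSequenceAsByteArray();
        if (reader.available() != 0) {
            throw new IllegalArgumentException("Padding in PRIVATE KEY DER stream.");
        }
        reader.resetInput(sequence);
        final BigInteger version = reader.readInt();
        switch (keyType) {
            case DSA: {
                if (version.signum() != 0) {
                    throw new IllegalArgumentException("Wrong version (" + version + ") in DSA PRIVATE KEY DER stream.");
                }
                // Field order in the stream: p, q, g, public value y, private value x.
                final BigInteger p = reader.readInt();
                final BigInteger q = reader.readInt();
                final BigInteger g = reader.readInt();
                final BigInteger y = reader.readInt();
                final BigInteger x = reader.readInt();
                if (reader.available() != 0) {
                    throw new IllegalArgumentException("Padding in DSA PRIVATE KEY DER stream.");
                }
                return generateKeyPair("DSA", new DSAPrivateKeySpec(x, p, q, g), new DSAPublicKeySpec(y, p, q, g));
            }
            case RSA: {
                if (version.signum() != 0 && !BigInteger.ONE.equals(version)) {
                    throw new IllegalArgumentException("Wrong version (" + version + ") in RSA PRIVATE KEY DER stream.");
                }
                // Field order in the stream: modulus, public exponent, private
                // exponent, prime P, prime Q, exponent P, exponent Q, CRT coefficient.
                final BigInteger modulus = reader.readInt();
                final BigInteger publicExponent = reader.readInt();
                final BigInteger privateExponent = reader.readInt();
                final BigInteger primeP = reader.readInt();
                final BigInteger primeQ = reader.readInt();
                final BigInteger exponentP = reader.readInt();
                final BigInteger exponentQ = reader.readInt();
                final BigInteger crtCoefficient = reader.readInt();
                // NOTE(review): unlike the DSA branch, bytes remaining after the
                // eighth integer are not rejected here; version 1 keys may carry
                // further fields, so a strict check would have to be version-aware.
                return generateKeyPair("RSA",
                        new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, primeP, primeQ,
                                exponentP, exponentQ, crtCoefficient),
                        new RSAPublicKeySpec(modulus, publicExponent));
            }
            case EC:
                if (version.signum() != 0) {
                    throw new IllegalArgumentException("Wrong version (" + version + ") in EC PRIVATE KEY DER stream.");
                }
                // EC keys are recognised but decoding is not implemented.
                throw new IllegalArgumentException("Not yet");
            default:
                throw new IllegalArgumentException("Unknown key type");
        }
    }

    /**
     * Decrypts the body of an encrypted PEM private key.
     *
     * <p>The cipher runs in CBC mode without JCE padding; the padding is
     * checked and stripped by {@link #removePadding} so that a wrong password
     * produces a readable message. The salt from {@code DEK-Info} is used both
     * as the IV and (its first 8 bytes) as the key-derivation salt.
     *
     * @param encrypted the Base64-decoded ciphertext
     * @param keyAlgo   the cipher named in {@code DEK-Info}
     * @param salt      the salt/IV bytes from {@code DEK-Info}
     * @param password  the encoded password; not modified here
     * @return the decrypted DER bytes with padding removed
     * @throws IllegalArgumentException if the cipher is unsupported or not
     *         permitted by the JVM policy, or decryption fails
     */
    private byte[] decryptPEM(byte[] encrypted, KeyAlgo keyAlgo, byte[] salt, byte[] password) {
        byte[] keyBytes = null;
        try {
            if (keyAlgo.transformation == null) {
                throw new IllegalArgumentException("Invalid key encryption algorithm");
            }
            final Cipher cipher = Cipher.getInstance(keyAlgo.transformation);
            final int maxAllowedBits = Cipher.getMaxAllowedKeyLength(keyAlgo.transformation);
            if (maxAllowedBits < keyAlgo.keyBytes * 8) {
                throw new IllegalArgumentException("Maximum key size for " + keyAlgo.displayName + " is "
                        + maxAllowedBits + ". cryptography export restrictions?");
            }
            keyBytes = generateKeyFromPasswordSaltWithMD5(password, salt, keyAlgo.keyBytes);
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, keyAlgo.keyAlgorithm), new IvParameterSpec(salt));
            return removePadding(cipher.doFinal(encrypted), cipher.getBlockSize());
        } catch (IllegalArgumentException e) {
            LOGGER.debug("PEM decryption failed", e);
            throw e;
        } catch (GeneralSecurityException | RuntimeException e) {
            LOGGER.debug("PEM decryption failed", e);
            throw new IllegalArgumentException("Unable to decrypt key data", e);
        } finally {
            // SecretKeySpec keeps its own copy; clear the local derived key.
            if (keyBytes != null) {
                Arrays.fill(keyBytes, (byte) 0);
            }
        }
    }

    /**
     * Validates and strips the block padding of decrypted data: the last byte
     * gives the pad length, and that many trailing bytes must all equal it.
     *
     * @param data      the decrypted bytes
     * @param blockSize the cipher block size, which bounds the pad length
     * @return a copy of {@code data} without the padding
     * @throws IllegalArgumentException if the data is empty or the padding is
     *         malformed, which is the usual symptom of a wrong password
     */
    private byte[] removePadding(byte[] data, int blockSize) {
        if (data.length == 0) {
            throw new IllegalArgumentException(WRONG_PADDING);
        }
        final int padLength = data[data.length - 1] & 255;
        if (padLength < 1 || padLength > blockSize || padLength > data.length) {
            throw new IllegalArgumentException(WRONG_PADDING);
        }
        for (int offset = 2; offset <= padLength; offset++) {
            if (data[data.length - offset] != padLength) {
                throw new IllegalArgumentException(WRONG_PADDING);
            }
        }
        return Arrays.copyOf(data, data.length - padLength);
    }

    /**
     * Derives the cipher key from password and salt the way the traditional
     * encrypted PEM format requires: MD5 blocks are chained, each one hashing
     * the previous block followed by the password and the first 8 salt bytes,
     * until enough key bytes have been produced.
     *
     * <p>This is one unstretched MD5 pass per block, so it adds essentially no
     * cost to password guessing against a captured key file. It is kept because
     * the format defines it; it must not be reused as a general-purpose KDF.
     *
     * @param password  the encoded password
     * @param salt      the salt; at least 8 bytes, only the first 8 are used
     * @param keyLength the number of key bytes to produce
     * @return the derived key
     * @throws IllegalArgumentException if the JVM offers no MD5 implementation
     */
    private byte[] generateKeyFromPasswordSaltWithMD5(byte[] password, byte[] salt, int keyLength) {
        final MessageDigest md5;
        try {
            md5 = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("JVM does not support MD5", e);
        }
        final byte[] key = new byte[keyLength];
        byte[] previousBlock = null;
        int filled = 0;
        while (filled < keyLength) {
            if (previousBlock != null) {
                md5.update(previousBlock);
            }
            md5.update(password, 0, password.length);
            md5.update(salt, 0, KDF_SALT_BYTES);
            final byte[] block = md5.digest();
            if (previousBlock != null) {
                Arrays.fill(previousBlock, (byte) 0);
            }
            previousBlock = block;
            final int chunk = Math.min(block.length, keyLength - filled);
            System.arraycopy(block, 0, key, filled, chunk);
            filled += chunk;
        }
        if (previousBlock != null) {
            Arrays.fill(previousBlock, (byte) 0);
        }
        return key;
    }

    /**
     * Turns a private and a public key specification into a {@link KeyPair}.
     *
     * @param algorithm   the JCA key factory algorithm name
     * @param privateSpec the private key specification
     * @param publicSpec  the public key specification
     * @throws IllegalArgumentException if the algorithm is unavailable or a
     *         specification is rejected by the key factory
     */
    private KeyPair generateKeyPair(String algorithm, KeySpec privateSpec, KeySpec publicSpec) {
        try {
            final KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
            return new KeyPair(keyFactory.generatePublic(publicSpec), keyFactory.generatePrivate(privateSpec));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalArgumentException(e);
        }
    }
}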
