package biz.netcentric.cq.tools.actool.configmodel.pkcs;

import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:biz/netcentric/cq/tools/actool/configmodel/pkcs/Key.class */
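/**
 * Holds a private key together with either its public key or an X.509 certificate.
 *
 * <p>All key material is supplied as PEM text. The private key text is passed through the
 * {@link DecryptionService} before parsing and may additionally be a password-protected
 * (encrypted) PKCS#8 structure. Construction fails with an {@link InvalidKeyException} unless
 * the private key matches the public key (taken from the certificate when one is given).
 * Only RSA and DSA keys are handled by this class.
 */
public class Key {
    public static final Logger LOG = LoggerFactory.getLogger(Key.class);

    /** Fixed payload used to prove that a private key belongs to a public key. */
    private static final byte[] SELF_TEST_PAYLOAD = "test".getBytes(StandardCharsets.US_ASCII);

    // Set only when the instance was created from a bare public key; null when a certificate was given.
    private final PublicKey publicKey;
    private final PrivateKey privateKey;
    // Set only when the instance was created from a certificate; null otherwise.
    private final X509Certificate certificate;

    /**
     * Creates a key from a private key and a bare public key.
     *
     * @param decryptionService used to decrypt the private key text and its password
     * @param str PEM text of the private key, as accepted by {@code decryptionService.decrypt}
     * @param str2 password of the private key; only read when the private key is an encrypted PKCS#8 structure
     * @param str3 PEM text of the public key
     * @param privateKeyDecryptor turns an encrypted PKCS#8 structure plus password into a {@link PrivateKey}
     * @throws InvalidKeyException if a value is blank, has the wrong PEM type, or the keys do not match
     */
    public static Key createFromKeyPair(DecryptionService decryptionService, String str, String str2, String str3, PrivateKeyDecryptor privateKeyDecryptor) throws IOException, GeneralSecurityException {
        return new Key(decryptionService, str, str2, str3, null, privateKeyDecryptor);
    }

    /**
     * Creates a key from a private key and an X.509 certificate.
     *
     * @param decryptionService used to decrypt the private key text and its password
     * @param str PEM text of the private key, as accepted by {@code decryptionService.decrypt}
     * @param str2 password of the private key; only read when the private key is an encrypted PKCS#8 structure
     * @param str3 PEM text of the certificate
     * @param privateKeyDecryptor turns an encrypted PKCS#8 structure plus password into a {@link PrivateKey}
     * @throws InvalidKeyException if a value is blank, has the wrong PEM type, or the keys do not match
     */
    public static Key createFromPrivateKeyAndCertificate(DecryptionService decryptionService, String str, String str2, String str3, PrivateKeyDecryptor privateKeyDecryptor) throws IOException, GeneralSecurityException {
        return new Key(decryptionService, str, str2, null, str3, privateKeyDecryptor);
    }

    /**
     * Parses and validates all key material.
     *
     * @param str PEM text of the private key (run through {@code decryptionService} first)
     * @param str2 password of the private key (run through {@code decryptionService} first)
     * @param str3 PEM text of the public key; ignored when {@code str4} is not blank
     * @param str4 PEM text of the certificate; takes precedence over {@code str3}
     */
    private Key(DecryptionService decryptionService, String str, String str2, String str3, String str4, PrivateKeyDecryptor privateKeyDecryptor) throws IOException, GeneralSecurityException {
        X509Certificate parsedCertificate = null;
        PublicKey parsedPublicKey = null;
        if (!StringUtils.isBlank(str4)) {
            DerData certificateDer = DerData.parseFromPem(str4);
            if (certificateDer.getType() != DerType.CERTIFICATE) {
                throw new InvalidKeyException("The given certificate is of wrong type " + certificateDer.getType());
            }
            try (ByteArrayInputStream certificateStream = new ByteArrayInputStream(certificateDer.getData())) {
                parsedCertificate = getCertificate(certificateStream);
            }
        } else {
            if (StringUtils.isBlank(str3)) {
                throw new InvalidKeyException("Either the public key or the certicate must not be blank!");
            }
            DerData publicKeyDer = DerData.parseFromPem(str3);
            if (publicKeyDer.getType() != DerType.PUBLIC_KEY) {
                throw new InvalidKeyException("The given public key is of wrong type " + publicKeyDer.getType());
            }
            parsedPublicKey = getPublicKey(new X509EncodedKeySpec(publicKeyDer.getData()));
        }
        this.certificate = parsedCertificate;
        this.publicKey = parsedPublicKey;

        if (StringUtils.isBlank(str)) {
            throw new InvalidKeyException("The private key must not be blank!");
        }
        DerData privateKeyDer = DerData.parseFromPem(decryptionService.decrypt(str));
        PrivateKey parsedPrivateKey;
        switch (privateKeyDer.getType()) {
            case ENCRYPTED_PRIVATE_KEY: {
                char[] password = decryptionService.decrypt(str2).toCharArray();
                try {
                    parsedPrivateKey = privateKeyDecryptor.decrypt(password, privateKeyDer.getData());
                } finally {
                    // Wipe our copy of the password once the key is unwrapped. The String returned by
                    // the decryption service is immutable and stays on the heap until collected.
                    Arrays.fill(password, '\0');
                }
                break;
            }
            case PRIVATE_KEY:
                parsedPrivateKey = getPrivateKey(new PKCS8EncodedKeySpec(privateKeyDer.getData()));
                break;
            default:
                throw new InvalidKeyException("The private key has wrong format " + privateKeyDer.getType());
        }
        this.privateKey = parsedPrivateKey;

        // Reject mismatched material early instead of storing an unusable key entry.
        if (!isMatchingKeyPair(getPublicKey(), this.privateKey)) {
            throw new InvalidKeyException("The public and private keys are not matching");
        }
    }

    /**
     * Returns the key pair built from the stored fields.
     *
     * <p>NOTE(review): the public component is the {@code publicKey} field, which is {@code null}
     * when this instance was created from a certificate; {@link #getPublicKey()} resolves the
     * certificate's key in that case. Confirm callers only use this for key-pair based instances.
     */
    public KeyPair getKeyPair() {
        return new KeyPair(this.publicKey, this.privateKey);
    }

    /** Returns the private key. Treat the result as secret material: do not log or serialize it. */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /** Returns the certificate, or {@code null} when the instance was created from a bare public key. */
    public Certificate getCertificate() {
        return this.certificate;
    }

    /** Returns the certificate's public key when a certificate is present, otherwise the stored public key. */
    public PublicKey getPublicKey() {
        if (this.certificate != null) {
            return this.certificate.getPublicKey();
        }
        return this.publicKey;
    }

    /**
     * Decodes an X.509 encoded public key, trying RSA first and DSA second.
     *
     * @throws InvalidKeySpecException if the encoding is neither a valid RSA nor a valid DSA key;
     *     the RSA failure is attached as a suppressed exception
     */
    static PublicKey getPublicKey(X509EncodedKeySpec x509EncodedKeySpec) throws NoSuchAlgorithmException, InvalidKeySpecException {
        try {
            return KeyFactory.getInstance("RSA").generatePublic(x509EncodedKeySpec);
        } catch (InvalidKeySpecException rsaFailure) {
            try {
                return KeyFactory.getInstance("DSA").generatePublic(x509EncodedKeySpec);
            } catch (InvalidKeySpecException dsaFailure) {
                // Keep the first failure so the reason RSA parsing was rejected is not lost.
                dsaFailure.addSuppressed(rsaFailure);
                throw dsaFailure;
            }
        }
    }

    /**
     * Decodes an unencrypted PKCS#8 private key, trying RSA first and DSA second.
     *
     * @throws InvalidKeySpecException if the encoding is neither a valid RSA nor a valid DSA key;
     *     the RSA failure is attached as a suppressed exception
     */
    public static PrivateKey getPrivateKey(PKCS8EncodedKeySpec pKCS8EncodedKeySpec) throws NoSuchAlgorithmException, InvalidKeySpecException {
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(pKCS8EncodedKeySpec);
        } catch (InvalidKeySpecException rsaFailure) {
            try {
                return KeyFactory.getInstance("DSA").generatePrivate(pKCS8EncodedKeySpec);
            } catch (InvalidKeySpecException dsaFailure) {
                // Keep the first failure so the reason RSA parsing was rejected is not lost.
                dsaFailure.addSuppressed(rsaFailure);
                throw dsaFailure;
            }
        }
    }

    /** Parses a single DER encoded X.509 certificate from the stream. */
    static X509Certificate getCertificate(InputStream inputStream) throws CertificateException {
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) x509Factory.generateCertificate(inputStream);
    }

    /**
     * Describes this key without the private key material.
     *
     * <p>The private key is deliberately reduced to its algorithm name: what a provider prints
     * for a private key object is implementation specific and may include secret parameters,
     * and {@code toString()} output routinely ends up in logs and exception messages.
     */
    @Override
    public String toString() {
        String privateKeyInfo = this.privateKey == null ? "null" : "<redacted " + this.privateKey.getAlgorithm() + " key>";
        return "Key [privateKey=" + privateKeyInfo + ", publicKey=" + this.publicKey + ", certificate=" + this.certificate + "]";
    }

    /**
     * Checks that the private key belongs to the public key.
     *
     * @throws IllegalArgumentException if the public key is neither RSA nor DSA
     */
    private static boolean isMatchingKeyPair(PublicKey publicKey, PrivateKey privateKey) throws NoSuchAlgorithmException {
        if (publicKey instanceof RSAPublicKey) {
            return isMatchingRsaKeyPair((RSAPublicKey) publicKey, privateKey);
        }
        if (publicKey instanceof DSAPublicKey) {
            return isMatchingDsaKeyPair((DSAPublicKey) publicKey, privateKey);
        }
        throw new IllegalArgumentException("Only public keys for RSA and DSA are supported but found: " + publicKey.getClass());
    }

    /**
     * Encrypts a fixed payload with the public key and checks the private key decrypts it again.
     * Any key or padding failure is logged and reported as a mismatch.
     */
    private static boolean isMatchingRsaKeyPair(RSAPublicKey rSAPublicKey, PrivateKey privateKey) throws NoSuchAlgorithmException {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            cipher.init(Cipher.ENCRYPT_MODE, rSAPublicKey);
            byte[] encrypted = cipher.doFinal(SELF_TEST_PAYLOAD);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            return Arrays.equals(SELF_TEST_PAYLOAD, cipher.doFinal(encrypted));
        } catch (InvalidKeyException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            LOG.warn("RSA key pair does not match {}", e, e);
            return false;
        }
    }

    /**
     * Signs a fixed payload with the private key and checks the public key verifies the signature.
     * Any key or signature failure is logged and reported as a mismatch.
     */
    private static boolean isMatchingDsaKeyPair(DSAPublicKey dSAPublicKey, PrivateKey privateKey) throws NoSuchAlgorithmException {
        try {
            // SHA-256 instead of the SHA-1 based "SHA/DSA": the JDK's SUN provider refuses a digest
            // that is shorter than the key's subprime q, so with SHA-1 a valid pair whose q is longer
            // than 160 bits failed in initSign and was reported as "not matching".
            Signature signature = Signature.getInstance("SHA256withDSA");
            signature.initSign(privateKey);
            signature.update(SELF_TEST_PAYLOAD);
            byte[] signed = signature.sign();
            signature.initVerify(dSAPublicKey);
            signature.update(SELF_TEST_PAYLOAD);
            return signature.verify(signed);
        } catch (InvalidKeyException | SignatureException e) {
            LOG.warn("DSA key pair does not match {}", e, e);
            return false;
        }
    }
}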
