package com.netflix.spinnaker.kork.crypto;

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Enumeration;
import javax.security.auth.DestroyFailedException;

/* loaded from: input_file:com/netflix/spinnaker/kork/crypto/PasswordProtectedKeyStoreIdentitySource.class */
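/**
 * {@link X509IdentitySource} that reads a private key and its X.509 certificate chain from a
 * password-protected keystore file.
 *
 * <p>Two passwords are involved: one for the keystore file and one for the private key entry.
 * Both are obtained from a {@link PasswordProvider} each time {@link #load()} runs, and the
 * returned arrays are overwritten with zeros as soon as they are no longer needed.
 *
 * <p>{@code lastLoaded} and {@code expiresAt} are plain mutable fields and this class performs no
 * synchronization of its own.
 * NOTE(review): if one instance is shared between a reloading thread and reader threads, confirm
 * that callers provide the necessary visibility guarantees.
 */
public class PasswordProtectedKeyStoreIdentitySource implements X509IdentitySource {
    private final Path keystoreFile;
    private final String keystoreType;
    private final PasswordProvider keystorePasswordProvider;
    private final PasswordProvider privateKeyPasswordProvider;
    // Instant.MIN until the first successful load().
    private Instant lastLoaded = Instant.MIN;
    // Instant.MAX until the first successful load().
    private Instant expiresAt = Instant.MAX;

    /**
     * Creates an identity source backed by a keystore file.
     *
     * @param keystoreFile path of the keystore file to read
     * @param keystoreType keystore type name passed to {@link KeyStore#getInstance(String)}
     * @param keystorePasswordProvider supplies the password used to open the keystore
     * @param privateKeyPasswordProvider supplies the password protecting the private key entry
     */
    public PasswordProtectedKeyStoreIdentitySource(
            Path keystoreFile,
            String keystoreType,
            PasswordProvider keystorePasswordProvider,
            PasswordProvider privateKeyPasswordProvider) {
        this.keystoreFile = keystoreFile;
        this.keystoreType = keystoreType;
        this.keystorePasswordProvider = keystorePasswordProvider;
        this.privateKeyPasswordProvider = privateKeyPasswordProvider;
    }

    /**
     * Returns the last-modified time of the keystore file.
     *
     * @return the file's modification time as an {@link Instant}
     * @throws UncheckedIOException if the file attributes cannot be read
     */
    @Override
    public Instant getLastModified() {
        try {
            return Files.getLastModifiedTime(keystoreFile).toInstant();
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Opens the keystore, extracts the first usable private key entry and records when the
     * identity was loaded and when its certificate chain expires.
     *
     * <p>The expiry is recomputed from the chain that was just loaded (the earliest
     * {@code notAfter} in that chain). It is not carried over from a previous load, so a reload
     * after certificate renewal reports the renewed expiry instead of the stale one.
     *
     * @return the identity found in the keystore
     * @throws IOException if the file cannot be read or the keystore cannot be opened; security
     *     provider failures are wrapped in {@link NestedSecurityIOException}
     * @throws IllegalArgumentException if the keystore holds no usable private key entry
     */
    @Override
    public X509Identity load() throws IOException {
        KeyStore keyStore = loadKeyStore();

        // NOTE(review): wiping the array assumes PasswordProvider.password() hands out a fresh,
        // non-null array that the caller owns; confirm against the PasswordProvider contract.
        char[] keyPassword = privateKeyPasswordProvider.password();
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(keyPassword);
        X509Identity identity;
        try {
            identity = findIdentity(keyStore, protection);
        } catch (GeneralSecurityException e) {
            throw new NestedSecurityIOException(e);
        } finally {
            // PasswordProtection keeps its own copy of the password, so zeroing only our array
            // would leave that copy in memory until it is garbage collected.
            destroyQuietly(protection);
            Arrays.fill(keyPassword, '\0');
        }

        // Start from Instant.MAX on every load so the result reflects only the current chain.
        Instant earliestExpiry = Instant.MAX;
        for (X509Certificate certificate : identity.getCertificateChain()) {
            Instant notAfter = certificate.getNotAfter().toInstant();
            if (notAfter.isBefore(earliestExpiry)) {
                earliestExpiry = notAfter;
            }
        }
        expiresAt = earliestExpiry;
        lastLoaded = Instant.now();
        return identity;
    }

    /**
     * Instantiates a keystore of the configured type and loads it from the keystore file.
     *
     * @return the loaded keystore
     * @throws IOException if the file cannot be read or the keystore cannot be opened
     */
    private KeyStore loadKeyStore() throws IOException {
        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance(keystoreType);
        } catch (GeneralSecurityException e) {
            throw new NestedSecurityIOException(e);
        }

        // The password is fetched only after the keystore type resolved, so the cleanup below
        // never runs against an array that was never obtained.
        char[] storePassword = keystorePasswordProvider.password();
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            keyStore.load(in, storePassword);
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new NestedSecurityIOException(e);
        } finally {
            Arrays.fill(storePassword, '\0');
        }
        return keyStore;
    }

    /**
     * Returns the first key entry that is a private key with an {@code X509Certificate[]} chain.
     *
     * @param keyStore an already loaded keystore
     * @param protectionParameter protection used to recover each key entry
     * @return the identity built from the first matching entry
     * @throws GeneralSecurityException if an entry cannot be recovered
     * @throws IllegalArgumentException if no entry matches
     */
    private X509Identity findIdentity(KeyStore keyStore, KeyStore.ProtectionParameter protectionParameter) throws GeneralSecurityException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            KeyStore.Entry entry = keyStore.getEntry(alias, protectionParameter);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                continue;
            }
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            Certificate[] chain = privateKeyEntry.getCertificateChain();
            if (chain instanceof X509Certificate[]) {
                return new StaticX509Identity(privateKeyEntry.getPrivateKey(), (X509Certificate[]) chain);
            }
        }
        // Also reached when private key entries exist but none carries an X509Certificate[] chain.
        throw new IllegalArgumentException("No private key entry found in keystore: " + this.keystoreFile);
    }

    /** Clears the password copy held by {@code protection}; a failure to do so is ignored. */
    private static void destroyQuietly(KeyStore.PasswordProtection protection) {
        try {
            protection.destroy();
        } catch (DestroyFailedException ignored) {
            // Best-effort scrub: a failed wipe must not replace the outcome of load().
        }
    }

    /**
     * Returns when {@link #load()} last completed successfully.
     *
     * @return the time of the last successful load, or {@link Instant#MIN} if none has happened
     */
    @Override
    public Instant getLastLoaded() {
        return this.lastLoaded;
    }

    /**
     * Returns the earliest {@code notAfter} of the most recently loaded certificate chain.
     *
     * @return the expiry of the current identity, or {@link Instant#MAX} before the first load
     */
    @Override
    public Instant getExpiresAt() {
        return this.expiresAt;
    }
}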
