package com.sequenceiq.cloudbreak.certificate;

import com.google.common.io.BaseEncoding;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:com/sequenceiq/cloudbreak/certificate/PkiUtil.class */
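/**
 * Static helpers for the cluster PKI: RSA key generation, CSR creation, certificate issuance,
 * PEM/OpenSSH conversions and RSA-PSS signing of arbitrary payloads.
 *
 * <p>Failures in the key/CSR/certificate helpers are reported as {@code PkiException}; failures in
 * the PEM-string based signing helpers are reported as {@link SecurityException}. The class is not
 * instantiable.
 */
public class PkiUtil {

    /** RSA modulus size in bits used by {@link #generateKeypair()}. */
    private static final int KEY_SIZE = 2048;

    /** Validity period, in years, of certificates issued by {@link #cert(KeyPair, String, KeyPair)}. */
    private static final int CERT_VALIDITY_YEAR = 10;

    private static final Logger LOGGER = LoggerFactory.getLogger(PkiUtil.class);

    /**
     * PSS salt length in bytes used by {@link #generateSignature(String, byte[])}. This is shorter
     * than the SHA-256 digest length, so a verifier has to be configured with the same salt length
     * rather than the common "salt length == digest length" default.
     */
    private static final int SALT_LENGTH = 20;

    /** Upper bound on the number of parsed signing keys retained in {@link #CACHE}. */
    private static final int MAX_CACHE_SIZE = 200;

    /** Algorithm name handed to both the JCA and the BC lightweight signer builders. */
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    /** Matches a PEM armor line ({@code -----...-----}) or a line feed; see {@link #clarifyPemKey(String)}. */
    private static final Pattern PEM_ARMOR_OR_NEWLINE = Pattern.compile("-----(.*)-----|\n");

    /**
     * LRU cache of parsed RSA signing keys, keyed by the PEM text passed to
     * {@link #generateSignature(String, byte[])}. Access order is enabled so that the least recently
     * used entry is evicted once the map grows beyond {@link #MAX_CACHE_SIZE}. Note that both the
     * key (the PEM text) and the value hold private key material for as long as the entry lives.
     */
    private static final Map<String, RSAKeyParameters> CACHE = Collections.synchronizedMap(
            new LinkedHashMap<String, RSAKeyParameters>((MAX_CACHE_SIZE * 4) / 3, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, RSAKeyParameters> eldest) {
                    return size() > MAX_CACHE_SIZE;
                }
            });

    private PkiUtil() {
    }

    /**
     * Extracts the DER encoded SubjectPublicKeyInfo from an RSA private key given as PEM text.
     * The input is re-armored by {@link #clarifyPemKey(String)} before parsing, so the PEM header
     * and footer lines are optional.
     *
     * @param str RSA private key in PEM form (armor lines optional)
     * @return DER bytes of the corresponding public key
     * @throws SecurityException if the PEM content cannot be read
     */
    public static byte[] getPublicKeyDer(String str) {
        try (PEMParser parser = new PEMParser(new StringReader(clarifyPemKey(str)))) {
            PEMKeyPair pemKeyPair = (PEMKeyPair) parser.readObject();
            return pemKeyPair.getPublicKeyInfo().getEncoded();
        } catch (IOException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Signs {@code bArr} with RSA-PSS (SHA-256 digest, {@link #SALT_LENGTH} byte salt) using the
     * RSA private key given as PEM text, and returns the signature base64 encoded.
     *
     * <p>Parsed keys are memoised in {@link #CACHE}, keyed by the PEM text, so repeated calls with
     * the same key skip the PEM/PKCS#8 round trip.
     *
     * @param str  RSA private key in PEM form (armor lines optional)
     * @param bArr payload to sign
     * @return base64 encoded PSS signature
     * @throws SecurityException if the key cannot be parsed or the signature cannot be produced
     */
    public static String generateSignature(String str, byte[] bArr) {
        RSAKeyParameters signingKey = CACHE.get(str);
        if (signingKey == null) {
            signingKey = parseSigningKey(str);
            CACHE.put(str, signingKey);
        }
        PSSSigner signer = new PSSSigner(new RSAEngine(), new SHA256Digest(), SALT_LENGTH);
        signer.init(true, signingKey);
        signer.update(bArr, 0, bArr.length);
        try {
            return BaseEncoding.base64().encode(signer.generateSignature());
        } catch (CryptoException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Parses an RSA private key PEM into the lightweight BC parameter object expected by
     * {@link PSSSigner}: PEM -> PKCS#8 DER -> JCA private key -> (modulus, private exponent).
     *
     * @param privateKeyPem RSA private key in PEM form (armor lines optional)
     * @return private RSA key parameters
     * @throws SecurityException if the PEM content cannot be read or is not a usable RSA key
     */
    private static RSAKeyParameters parseSigningKey(String privateKeyPem) {
        try (PEMParser parser = new PEMParser(new StringReader(clarifyPemKey(privateKeyPem)))) {
            PEMKeyPair pemKeyPair = (PEMKeyPair) parser.readObject();
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(
                    new PKCS8EncodedKeySpec(pemKeyPair.getPrivateKeyInfo().getEncoded()));
            RSAPrivateKeySpec spec = keyFactory.getKeySpec(privateKey, RSAPrivateKeySpec.class);
            return new RSAKeyParameters(true, spec.getModulus(), spec.getPrivateExponent());
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Generates a fresh {@value #KEY_SIZE}-bit RSA key pair from a new {@link SecureRandom}.
     *
     * @return the generated key pair
     * @throws PkiException if the RSA generator is unavailable or generation fails
     */
    public static KeyPair generateKeypair() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(KEY_SIZE, new SecureRandom());
            return generator.generateKeyPair();
        } catch (Exception e) {
            throw new PkiException("Failed to generate PK for the cluster!", e);
        }
    }

    /**
     * Issues a certificate for {@code keyPair} with subject and issuer both {@code cn=<str>},
     * signed by the private key of {@code keyPair2}. The result is self-signed when both key pairs
     * are the same object or key; otherwise it is a certificate signed by {@code keyPair2} whose
     * issuer name merely equals the subject name. No extensions are added.
     *
     * @param keyPair  key pair whose public key is certified
     * @param str      common name used for both subject and issuer
     * @param keyPair2 key pair whose private key signs the certificate
     * @return the issued certificate
     * @throws PkiException if CSR creation or signing fails
     */
    public static X509Certificate cert(KeyPair keyPair, String str, KeyPair keyPair2) {
        try {
            return selfsign(generateCsr(keyPair, str), str, keyPair2);
        } catch (Exception e) {
            throw new PkiException("Failed to create signed cert for the cluster!", e);
        }
    }

    /**
     * Builds a PKCS#10 CSR for {@code keyPair} with subject {@code C=US, CN=<str>, O=Cloudera}
     * and, when {@code list} is non-empty, a subjectAltName extension request holding the given
     * DNS names.
     *
     * @param keyPair key pair to certify and to sign the request with; must not be {@code null}
     * @param str     common name
     * @param list    DNS subject alternative names; {@code null} or empty means none
     * @return the signed certification request
     * @throws PkiException if {@code keyPair} is {@code null} or the request cannot be built
     */
    public static PKCS10CertificationRequest csr(KeyPair keyPair, String str, List<String> list) {
        if (keyPair == null) {
            throw new PkiException("Failed to generate CSR because KeyPair hasn't been specified for the method!");
        }
        try {
            // NOTE(review): the common name is interpolated into an RFC 2253 string unescaped, so a
            // value containing characters special to that syntax (e.g. ',' or '=') would change the
            // DN structure instead of becoming part of the CN. Callers are expected to pass a plain
            // host/cluster name.
            String subjectDn = String.format("C=US, CN=%s, O=Cloudera", str);
            // generateCsrWithName accepts a null SAN list, so the log line must tolerate it too.
            String sanList = list == null ? "" : String.join(",", list);
            LOGGER.info("Generate CSR with X.500 distinguished name: '{}' and list of SAN: '{}'", subjectDn, sanList);
            return generateCsrWithName(keyPair, subjectDn, list);
        } catch (Exception e) {
            throw new PkiException("Failed to generate csr for the cluster!", e);
        }
    }

    /**
     * PEM encodes a private key.
     *
     * @param privateKey key to encode
     * @return PEM text
     * @throws PkiException if encoding fails
     */
    public static String convert(PrivateKey privateKey) {
        try {
            return convertToString(privateKey);
        } catch (Exception e) {
            throw new PkiException("Failed to convert Private Key for the cluster!", e);
        }
    }

    /**
     * PEM encodes a public key.
     *
     * @param publicKey key to encode
     * @return PEM text
     * @throws PkiException if encoding fails
     */
    public static String convert(PublicKey publicKey) {
        try {
            return convertToString(publicKey);
        } catch (Exception e) {
            throw new PkiException("Failed to convert Public Key for the cluster!", e);
        }
    }

    /**
     * PEM encodes an X.509 certificate.
     *
     * @param x509Certificate certificate to encode
     * @return PEM text
     * @throws PkiException if encoding fails
     */
    public static String convert(X509Certificate x509Certificate) {
        try {
            return convertToString(x509Certificate);
        } catch (Exception e) {
            throw new PkiException("Failed to convert signed cert to String", e);
        }
    }

    /**
     * Renders an RSA public key in OpenSSH {@code authorized_keys} form:
     * {@code "ssh-rsa " + base64(string("ssh-rsa") || mpint(e) || mpint(n))}.
     *
     * @param publicKey an RSA public key
     * @return the single-line OpenSSH representation (no trailing comment)
     * @throws PkiException if the key is not an {@link RSAPublicKey} or serialisation fails
     */
    public static String convertOpenSshPublicKey(PublicKey publicKey) {
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(blob)) {
            RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
            // Each field is a big-endian int32 length followed by the bytes. BigInteger.toByteArray()
            // yields the minimal two's-complement form (leading 0x00 when the top bit is set), which
            // is exactly the SSH mpint encoding for positive values.
            byte[] keyType = "ssh-rsa".getBytes(StandardCharsets.US_ASCII);
            byte[] exponent = rsaKey.getPublicExponent().toByteArray();
            byte[] modulus = rsaKey.getModulus().toByteArray();
            writeLengthPrefixed(out, keyType);
            writeLengthPrefixed(out, exponent);
            writeLengthPrefixed(out, modulus);
            out.flush();
            // Fully qualified: the simple name Base64 is taken by the commons-codec import in this file.
            return "ssh-rsa " + java.util.Base64.getEncoder().encodeToString(blob.toByteArray());
        } catch (Exception e) {
            throw new PkiException("Failed to convert public key for the cluster!", e);
        }
    }

    /** Writes one SSH wire-format field: int32 length followed by the raw bytes. */
    private static void writeLengthPrefixed(DataOutputStream out, byte[] field) throws IOException {
        out.writeInt(field.length);
        out.write(field);
    }

    /**
     * Parses a private key PEM (with its armor lines) into a JCA key pair, using the BC provider.
     * This is best effort: unreadable content or content that does not decode to a
     * {@link PEMKeyPair} is logged and yields {@code null} rather than an exception.
     *
     * @param str private key PEM text
     * @return the key pair, or {@code null} if the content could not be parsed as one
     */
    public static KeyPair fromPrivateKeyPem(String str) {
        ensureBouncyCastleProvider();
        try (PEMParser parser = new PEMParser(new StringReader(str))) {
            Object parsed = parser.readObject();
            if (!(parsed instanceof PEMKeyPair)) {
                LOGGER.info("Cannot parse KeyPair from private key pem content, skip it. Unexpected PEM object: {}",
                        parsed == null ? "null" : parsed.getClass().getName());
                return null;
            }
            return new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) parsed);
        } catch (IOException e) {
            LOGGER.info("Cannot parse KeyPair from private key pem content, skip it. {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Registers the Bouncy Castle JCA provider if it is not installed yet. {@link Security#addProvider}
     * ignores duplicates, but constructing a provider on every call is wasteful.
     */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Signs a CSR into an X.509 v3 certificate valid for {@link #CERT_VALIDITY_YEAR} years from now,
     * with issuer {@code cn=<issuerName>}. Only the CSR's subject and public key are carried over;
     * extensions requested in the CSR are not copied into the certificate.
     *
     * @param csr           request providing subject and SubjectPublicKeyInfo
     * @param issuerName    common name of the issuer
     * @param issuerKeyPair key pair whose private key signs the certificate
     * @return the issued certificate, re-parsed through the JCA {@link CertificateFactory}
     * @throws Exception on any encoding, signing or parsing failure (wrapped by callers)
     */
    private static X509Certificate selfsign(PKCS10CertificationRequest csr, String issuerName, KeyPair issuerKeyPair)
            throws Exception {
        AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find(SIGNATURE_ALGORITHM);
        AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
        AsymmetricKeyParameter issuerKey = PrivateKeyFactory.createKey(issuerKeyPair.getPrivate().getEncoded());

        Calendar validity = Calendar.getInstance();
        Date notBefore = validity.getTime();
        validity.add(Calendar.YEAR, CERT_VALIDITY_YEAR);
        Date notAfter = validity.getTime();

        // NOTE(review): every certificate issued here carries serial number 1. Serial numbers are
        // expected to be unique per issuer (and unpredictable for public CAs); kept as-is because
        // existing certificates and callers may depend on it, but a SecureRandom-derived serial is
        // the usual hardening.
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                new X500Name(String.format("cn=%s", issuerName)),
                BigInteger.ONE,
                notBefore,
                notAfter,
                csr.getSubject(),
                csr.getSubjectPublicKeyInfo());
        byte[] der = builder
                .build(new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(issuerKey))
                .toASN1Structure()
                .getEncoded();
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /** Builds a CSR with subject {@code cn=<commonName>} and no subject alternative names. */
    private static PKCS10CertificationRequest generateCsr(KeyPair keyPair, String commonName) throws Exception {
        return generateCsrWithName(keyPair, String.format("cn=%s", commonName), null);
    }

    /**
     * Builds a CSR for the given subject DN, optionally requesting a subjectAltName extension,
     * signed with the key pair's private key.
     *
     * @param keyPair   key pair to certify and sign with
     * @param subjectDn subject distinguished name in {@link X500Principal} string form
     * @param dnsNames  DNS SANs to request; {@code null} or empty adds no extension request
     */
    private static PKCS10CertificationRequest generateCsrWithName(KeyPair keyPair, String subjectDn, List<String> dnsNames)
            throws Exception {
        PKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(new X500Principal(subjectDn), keyPair.getPublic());
        if (!CollectionUtils.isEmpty(dnsNames)) {
            builder = addSubjectAlternativeNames(builder, dnsNames);
        }
        return builder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate()));
    }

    /**
     * Adds a PKCS#9 extensionRequest attribute carrying a non-critical subjectAltName extension
     * with one dNSName entry per element of {@code dnsNames}. The names are not validated as host
     * names here.
     */
    private static PKCS10CertificationRequestBuilder addSubjectAlternativeNames(
            PKCS10CertificationRequestBuilder builder, List<String> dnsNames) throws IOException {
        GeneralName[] names = dnsNames.stream()
                .map(name -> new GeneralName(GeneralName.dNSName, name))
                .toArray(GeneralName[]::new);
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        return builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
    }

    /**
     * PEM encodes any object {@link JcaPEMWriter} understands (keys, certificates, ...). PEM is pure
     * ASCII, so a {@link StringWriter} is used to stay independent of the platform charset.
     *
     * @param obj object to encode
     * @return PEM text, including the trailing newline the writer emits
     * @throws IOException if the writer rejects the object
     */
    private static String convertToString(Object obj) throws IOException {
        StringWriter buffer = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(buffer)) {
            pemWriter.writeObject(obj);
        }
        return buffer.toString();
    }

    /**
     * Normalises private key text into a PKCS#1 {@code RSA PRIVATE KEY} PEM block: any existing
     * {@code -----...-----} armor lines and all line feeds are stripped, and the remaining base64 body
     * is wrapped in fresh RSA armor. Carriage returns are not removed, and whatever armor the input
     * had is replaced, so the caller is responsible for passing PKCS#1 RSA key material (a PKCS#8
     * body relabelled this way would presumably fail to parse later).
     *
     * @param pem private key PEM text, with or without armor lines
     * @return re-armored PEM text
     */
    private static String clarifyPemKey(String pem) {
        String body = PEM_ARMOR_OR_NEWLINE.matcher(pem).replaceAll("");
        return "-----BEGIN RSA PRIVATE KEY-----\n" + body + "\n-----END RSA PRIVATE KEY-----";
    }
}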
