package org.cloudfoundry.identity.uaa.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.30.0.jar:org/cloudfoundry/identity/uaa/util/KeyWithCert.class */
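/**
 * Holds an X.509 certificate parsed from PEM text and, optionally, the private key that
 * belongs to it.
 *
 * <p>Scope of the checks performed here: the PEM input is parsed, and (in the three-argument
 * constructor) the private key is proven to correspond to the certificate's public key by a
 * sign/verify round trip. Nothing in this class checks the certificate's validity period,
 * issuer, chain or revocation status; callers that need those guarantees must check them
 * separately.
 *
 * <p>Only the first PEM object in each input string is read. Anything that follows it (for
 * example further certificates of a chain) is ignored.
 *
 * <p>Instances are immutable once constructed. {@link #getPrivateKey()} hands out the private
 * key object itself, so references to a {@code KeyWithCert} should be treated as sensitive.
 */
public class KeyWithCert {
    private final X509Certificate certificate;
    private final PrivateKey privateKey;

    /**
     * Creates a certificate-only instance; {@link #getPrivateKey()} returns {@code null}.
     *
     * @param encodedCertificate PEM text whose first object is an X.509 certificate
     * @throws CertificateException if the text cannot be read or its first PEM object is not
     *     an X.509 certificate
     * @throws NullPointerException if {@code encodedCertificate} is {@code null}
     */
    public KeyWithCert(String encodedCertificate) throws CertificateException {
        this.certificate = loadCertificate(encodedCertificate);
        this.privateKey = null;
    }

    /**
     * Creates an instance from a private key and its certificate and verifies that the two
     * belong together.
     *
     * @param encodedKey PEM text whose first object is a private key or key pair
     * @param passphrase passphrase for an encrypted key pair; {@code null} is treated as the
     *     empty string
     * @param encodedCertificate PEM text whose first object is an X.509 certificate
     * @throws CertificateException if either input cannot be parsed, or if the private key
     *     does not correspond to the certificate's public key
     * @throws NullPointerException if {@code encodedKey} or {@code encodedCertificate} is
     *     {@code null}
     */
    public KeyWithCert(String encodedKey, String passphrase, String encodedCertificate)
            throws CertificateException {
        this.privateKey = loadPrivateKey(encodedKey, passphrase == null ? "" : passphrase);
        this.certificate = loadCertificate(encodedCertificate);
        if (!keysMatch(this.certificate.getPublicKey(), this.privateKey)) {
            throw new CertificateException("Certificate does not match private key.");
        }
    }

    /** Returns the parsed certificate; never {@code null} on a constructed instance. */
    public X509Certificate getCertificate() {
        return this.certificate;
    }

    /**
     * Returns the private key, or {@code null} when the instance was built from a certificate
     * only.
     */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * Checks that {@code privateKey} and {@code publicKey} form a pair by signing a fixed
     * one-byte message with the private key and verifying the signature with the public key.
     *
     * <p>Every failure inside the round trip (unknown algorithm name, a key the signature
     * implementation rejects, a provider error) is reported as "no match". The caller
     * therefore cannot tell a genuine mismatch from an unsupported key type; both surface as
     * the same {@link CertificateException} from the constructor.
     *
     * @return {@code true} only if the signature produced with the private key verifies under
     *     the public key
     */
    private static boolean keysMatch(PublicKey publicKey, PrivateKey privateKey) {
        // The message content is irrelevant; it only has to be the same on both sides.
        byte[] probe = {42};
        String signAlgorithm = signatureAlgorithmFor(privateKey.getAlgorithm());
        String verifyAlgorithm = signatureAlgorithmFor(publicKey.getAlgorithm());
        try {
            Signature signer = Signature.getInstance(signAlgorithm);
            signer.initSign(privateKey);
            signer.update(probe);
            byte[] signatureBytes = signer.sign();

            Signature verifier = Signature.getInstance(verifyAlgorithm);
            verifier.initVerify(publicKey);
            verifier.update(probe);
            return verifier.verify(signatureBytes);
        } catch (Exception e) {
            // Deliberately broad: any failure here means the pair could not be proven to match.
            return false;
        }
    }

    /**
     * Maps a key algorithm name to the name passed to {@link Signature#getInstance(String)}.
     * Keys reporting {@code "EC"} are signed and verified as {@code "ECDSA"}; every other name
     * is used unchanged.
     */
    private static String signatureAlgorithmFor(String keyAlgorithm) {
        // equals(), not ==: getAlgorithm() is not guaranteed to return the interned literal,
        // and a reference comparison would leave "EC" unmapped and make valid EC pairs fail.
        return "EC".equals(keyAlgorithm) ? "ECDSA" : keyAlgorithm;
    }

    /**
     * Opens a PEM parser over the given text. PEM is ASCII, so the charset is pinned to UTF-8
     * rather than left to the platform default.
     */
    private static PEMParser newPemParser(String pem) {
        byte[] bytes = pem.getBytes(StandardCharsets.UTF_8);
        return new PEMParser(
                new InputStreamReader(new ByteArrayInputStream(bytes), StandardCharsets.UTF_8));
    }

    /**
     * Parses the first PEM object of {@code encodedKey} into a private key.
     *
     * <p>Three object types are accepted: an encrypted key pair (decrypted with
     * {@code passphrase}), a plain key pair, and an unencrypted {@link PrivateKeyInfo}. Any
     * other parsed object, or no object at all, is rejected.
     *
     * @param encodedKey PEM text containing the key
     * @param passphrase passphrase used only when the key pair is encrypted; must not be
     *     {@code null}
     * @throws CertificateException if reading, decrypting or converting the key fails, or if
     *     the first PEM object is not one of the accepted types
     */
    private static PrivateKey loadPrivateKey(String encodedKey, String passphrase)
            throws CertificateException {
        // The converter looks the provider up by name, so the BouncyCastle provider has to be
        // registered elsewhere before this runs (registration is not done in this class).
        JcaPEMKeyConverter converter =
                new JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
        PrivateKey parsedKey = null;
        try (PEMParser parser = newPemParser(encodedKey)) {
            Object pemObject = parser.readObject();
            if (pemObject instanceof PEMEncryptedKeyPair) {
                PEMKeyPair decrypted = ((PEMEncryptedKeyPair) pemObject).decryptKeyPair(
                        new JcePEMDecryptorProviderBuilder().build(passphrase.toCharArray()));
                parsedKey = converter.getKeyPair(decrypted).getPrivate();
            } else if (pemObject instanceof PEMKeyPair) {
                parsedKey = converter.getKeyPair((PEMKeyPair) pemObject).getPrivate();
            } else if (pemObject instanceof PrivateKeyInfo) {
                parsedKey = converter.getPrivateKey((PrivateKeyInfo) pemObject);
            }
        } catch (IOException e) {
            // The message stays generic and the input is never echoed: it is key material.
            throw new CertificateException("Failed to read private key.", e);
        }
        if (parsedKey == null) {
            throw new CertificateException(
                    "Failed to read private key. The security provider could not parse it.");
        }
        return parsedKey;
    }

    /**
     * Parses the first PEM object of {@code encodedCertificate} into an X.509 certificate.
     *
     * @param encodedCertificate PEM text containing the certificate
     * @throws CertificateException if reading fails, the first PEM object is not an
     *     {@link X509CertificateHolder}, or the provider cannot convert it
     */
    private static X509Certificate loadCertificate(String encodedCertificate)
            throws CertificateException {
        X509Certificate parsedCertificate;
        try (PEMParser parser = newPemParser(encodedCertificate)) {
            Object pemObject = parser.readObject();
            if (!(pemObject instanceof X509CertificateHolder)) {
                throw new CertificateException(
                        "Unsupported certificate type, not an X509CertificateHolder.");
            }
            parsedCertificate = new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .getCertificate((X509CertificateHolder) pemObject);
        } catch (IOException e) {
            throw new CertificateException("Failed to read certificate.", e);
        }
        if (parsedCertificate == null) {
            throw new CertificateException(
                    "Failed to read certificate. The security provider could not parse it.");
        }
        return parsedCertificate;
    }
}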
