package io.goshawkdb.client;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Reader;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.math.ec.ECPoint;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;

/* loaded from: input_file:io/goshawkdb/client/Certs.class */
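/**
 * Holds the TLS material for a GoshawkDB client connection and builds a netty
 * {@link SslContext} from it: a trust store of cluster (server) certificates,
 * plus the client's own EC certificate and key pair.
 *
 * <p>The cipher suite offered is pinned to {@link #CIPHER}. Both the client
 * certificate and the key pair must carry EC public keys, and the two public
 * keys must match, before {@link #buildClientSslContext()} will succeed.
 *
 * <p>Trust configuration: until {@link #addClusterCertificate} or
 * {@link #setKeyStore} has been called, the context falls back to netty's
 * {@code InsecureTrustManagerFactory}, i.e. the server's certificate chain is
 * NOT validated. Callers that need the server identity checked must add at
 * least one cluster certificate (or supply a key store) before building.
 *
 * <p>Not thread-safe: the setters mutate instance state without synchronization.
 */
public class Certs {
    /** The single cipher suite the built context offers. */
    public static final String CIPHER = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";

    /** BouncyCastle key factory used to re-parse SPKI / PKCS#8 encodings. */
    private final KeyFactory keyFactory;
    /** Trust store of cluster certificates; null until one is added or set. */
    private KeyStore keyStore;
    /** Client certificate as parsed; cleared again when verification fails. */
    private X509CertificateHolder clientCertificateHolder;
    /** JCA form of {@link #clientCertificateHolder}; set only after a successful cross-check. */
    private X509Certificate clientCertificate;
    /** Client key pair as parsed; cleared again when verification fails. */
    private PEMKeyPair clientKeyPair;
    /** JCA form of the key pair's private key; set only after a successful cross-check. */
    private PrivateKey clientPrivateKey;

    static {
        // Registers BC so the "BC" provider lookups below (key factory, certificate converter) resolve.
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Creates an empty holder.
     *
     * @throws IllegalStateException if the "ECDSA" key factory is not available from the
     *     "BC" provider registered by the static initializer
     */
    public Certs() {
        try {
            this.keyFactory = KeyFactory.getInstance("ECDSA", "BC");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // A field initializer cannot propagate these checked exceptions through the
            // implicit constructor; surface the environment problem as an unchecked error.
            throw new IllegalStateException("ECDSA KeyFactory not available from the BC provider", e);
        }
    }

    /**
     * Lazily creates an empty JKS trust store so certificate entries can be added to it.
     *
     * @return this
     */
    private Certs ensureKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
        if (this.keyStore == null) {
            KeyStore fresh = KeyStore.getInstance("JKS");
            fresh.load(null, null); // initialise empty: no backing file, no password
            this.keyStore = fresh;
        }
        return this;
    }

    /**
     * Replaces the trust store used to validate the cluster's certificate chain.
     *
     * @param keyStore an initialised key store whose certificate entries are the trust
     *     anchors; {@code null} reverts to the insecure no-validation default
     * @return this
     */
    public Certs setKeyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
        return this;
    }

    /**
     * Builds the trust manager factory for the client context.
     *
     * <p>With no key store configured this returns {@code InsecureTrustManagerFactory},
     * which accepts any server certificate. With a key store configured, the platform
     * default algorithm's factory is initialised from it, so only the certificates in
     * that store act as trust anchors.
     *
     * @return the factory to hand to {@link SslContextBuilder#trustManager(TrustManagerFactory)}
     */
    private TrustManagerFactory getTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException {
        if (this.keyStore == null) {
            // No trust anchors at all: server identity is not checked on this path.
            return InsecureTrustManagerFactory.INSTANCE;
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(this.keyStore);
        return factory;
    }

    /**
     * Adds one X.509 certificate (in any encoding {@code CertificateFactory} accepts) as a
     * trusted cluster certificate. The stream is always closed, even when parsing fails.
     *
     * @param str alias under which the certificate is stored in the trust store
     * @param inputStream certificate bytes; consumed and closed by this call
     * @return this
     * @throws CertificateException if the stream does not hold a parseable X.509 certificate
     */
    public Certs addClusterCertificate(String str, InputStream inputStream) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
        try (InputStream in = inputStream) {
            Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ensureKeyStore();
            this.keyStore.setCertificateEntry(str, cert);
        }
        return this;
    }

    /**
     * Convenience overload of {@link #addClusterCertificate(String, InputStream)} for
     * in-memory certificate bytes.
     *
     * @param str alias under which the certificate is stored in the trust store
     * @param bArr encoded certificate
     * @return this
     */
    public Certs addClusterCertificate(String str, byte[] bArr) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
        return addClusterCertificate(str, new ByteArrayInputStream(bArr));
    }

    /**
     * Sets the client certificate and re-runs verification against the key pair, if one
     * is present. On failure the offending field is cleared before the exception propagates.
     *
     * @param x509CertificateHolder the client's certificate; must carry an EC public key
     * @return this
     * @throws CertificateException if the certificate's public key is not an EC key
     * @throws InvalidKeyException if the key pair does not match this certificate
     */
    public Certs setClientCertificateHolder(X509CertificateHolder x509CertificateHolder) throws CertificateException, InvalidKeySpecException, InvalidKeyException, IOException {
        this.clientCertificateHolder = x509CertificateHolder;
        this.clientCertificate = null; // derived value; rebuilt by verifyClient()
        verifyClient();
        return this;
    }

    /**
     * Sets the client key pair and re-runs verification against the certificate, if one
     * is present. On failure the offending field is cleared before the exception propagates.
     *
     * @param pEMKeyPair the client's key pair; its public key must be an EC key
     * @return this
     * @throws InvalidKeyException if the public key is not EC or does not match the certificate
     */
    public Certs setClientKeyPair(PEMKeyPair pEMKeyPair) throws CertificateException, InvalidKeySpecException, InvalidKeyException, IOException {
        this.clientKeyPair = pEMKeyPair;
        this.clientPrivateKey = null; // derived value; rebuilt by verifyClient()
        verifyClient();
        return this;
    }

    /**
     * Reads PEM objects from {@code reader} until a certificate and a key pair have both
     * been seen or the input ends, feeding them to {@link #setClientCertificateHolder} and
     * {@link #setClientKeyPair}. Other PEM object types are skipped. The reader is closed
     * when this method returns.
     *
     * @param reader PEM text containing the client certificate and key pair in any order
     * @return this
     */
    public Certs parseClientPEM(Reader reader) throws CertificateException, InvalidKeySpecException, InvalidKeyException, IOException {
        boolean haveCertificate = false;
        boolean haveKeyPair = false;
        // The parser must stay open across iterations: closing it per object would also
        // close the underlying reader and make the next readObject() fail.
        try (PEMParser parser = new PEMParser(reader)) {
            while (!(haveCertificate && haveKeyPair)) {
                Object pemObject = parser.readObject();
                if (pemObject == null) {
                    break; // end of input
                }
                if (pemObject instanceof X509CertificateHolder) {
                    setClientCertificateHolder((X509CertificateHolder) pemObject);
                    haveCertificate = true;
                } else if (pemObject instanceof PEMKeyPair) {
                    setClientKeyPair((PEMKeyPair) pemObject);
                    haveKeyPair = true;
                }
            }
        }
        return this;
    }

    /** True if the SPKI's algorithm identifier is id-ecPublicKey. */
    private static boolean isEcPublicKey(SubjectPublicKeyInfo info) {
        return X9ObjectIdentifiers.id_ecPublicKey.equals(info.getAlgorithm().getAlgorithm());
    }

    /**
     * Validates whatever client material is present and, once both the certificate and
     * the key pair are set, cross-checks them and derives the JCA private key and
     * certificate used by {@link #buildClientSslContext()}.
     *
     * <p>The cross-check compares the EC point of the certificate's public key with the
     * EC point of the key pair's public component. It does not derive the public point
     * from the private scalar, so a PEM whose own public/private halves disagree is not
     * detected here and would surface only at handshake time.
     *
     * <p>Any failure clears the field(s) that caused it so the object never holds material
     * that failed verification.
     *
     * @throws CertificateException if the certificate does not carry an EC public key
     * @throws InvalidKeyException if the key pair's public key is not EC or does not match
     *     the certificate
     */
    private void verifyClient() throws CertificateException, InvalidKeyException, IOException, InvalidKeySpecException {
        SubjectPublicKeyInfo certificateKeyInfo = null;
        if (this.clientCertificateHolder != null) {
            certificateKeyInfo = this.clientCertificateHolder.getSubjectPublicKeyInfo();
            if (!isEcPublicKey(certificateKeyInfo)) {
                this.clientCertificateHolder = null;
                throw new CertificateException("ClientCertificateHolder must contain an EC public key");
            }
        }
        SubjectPublicKeyInfo keyPairKeyInfo = null;
        if (this.clientKeyPair != null) {
            keyPairKeyInfo = this.clientKeyPair.getPublicKeyInfo();
            if (!isEcPublicKey(keyPairKeyInfo)) {
                this.clientKeyPair = null;
                throw new InvalidKeyException("ClientKeyPair's Public Key must be an EC public key");
            }
        }
        if (this.clientCertificateHolder == null || this.clientKeyPair == null) {
            return; // nothing to cross-check yet
        }
        // generatePublic returns PublicKey; the concrete BC type is needed to read the EC point.
        PublicKey certificateKey = this.keyFactory.generatePublic(new X509EncodedKeySpec(certificateKeyInfo.getEncoded()));
        if (!(certificateKey instanceof BCECPublicKey)) {
            this.clientCertificateHolder = null;
            throw new CertificateException("ClientCertificateHolder must contain an EC public key");
        }
        PublicKey keyPairKey = this.keyFactory.generatePublic(new X509EncodedKeySpec(keyPairKeyInfo.getEncoded()));
        if (!(keyPairKey instanceof BCECPublicKey)) {
            this.clientKeyPair = null;
            throw new InvalidKeyException("ClientKeyPair must contain an EC public key");
        }
        ECPoint certificatePoint = ((BCECPublicKey) certificateKey).getQ();
        ECPoint keyPairPoint = ((BCECPublicKey) keyPairKey).getQ();
        if (!certificatePoint.equals(keyPairPoint)) {
            this.clientCertificateHolder = null;
            this.clientKeyPair = null;
            throw new InvalidKeyException("ClientKeyPair's public key does not match the public key in ClientCertificateHolder");
        }
        this.clientPrivateKey = this.keyFactory.generatePrivate(new PKCS8EncodedKeySpec(this.clientKeyPair.getPrivateKeyInfo().getEncoded()));
        this.clientCertificate = new JcaX509CertificateConverter().setProvider("BC").getCertificate(this.clientCertificateHolder);
    }

    /**
     * Builds the client-side netty {@link SslContext}: JDK SSL provider, the trust manager
     * from {@link #getTrustManagerFactory()}, {@link #CIPHER} as the only cipher suite, and
     * the verified client private key and certificate as the key manager. Session cache
     * size and timeout are passed as {@code 0}, which per {@code SslContextBuilder}'s
     * documentation selects netty's defaults rather than disabling caching.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @return a ready-to-use client context
     * @throws IllegalStateException if the client certificate and key pair have not both
     *     been supplied and verified (the derived private key/certificate would be null)
     * @throws SSLException if netty cannot build the context
     */
    public SslContext buildClientSslContext() throws KeyStoreException, NoSuchAlgorithmException, SSLException {
        if (this.clientCertificateHolder == null || this.clientKeyPair == null
                || this.clientPrivateKey == null || this.clientCertificate == null) {
            // The derived fields can be null if verifyClient() failed part-way through,
            // so check them too instead of letting keyManager(null, ...) fail later.
            throw new IllegalStateException("ClientCertificateHolder and ClientKeyPair must be provided");
        }
        return SslContextBuilder.forClient()
                .sslProvider(SslProvider.JDK)
                .trustManager(getTrustManagerFactory())
                .ciphers(Arrays.asList(CIPHER))
                .keyManager(this.clientPrivateKey, new X509Certificate[]{this.clientCertificate})
                .sessionCacheSize(0L)
                .sessionTimeout(0L)
                .build();
    }
}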
