package org.thingsboard.rule.engine.credentials;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.Arrays;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.thingsboard.rule.engine.debug.TbMsgGeneratorNodeConfiguration;
import org.thingsboard.server.common.data.StringUtils;

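/**
 * Client credentials built from PEM text: an optional CA certificate, and an optional client
 * certificate with its (optionally password-protected) RSA private key.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #toString()} redacts the private key and the password so that logging or
 *       string-concatenating this object does not disclose them.</li>
 *   <li>NOTE(review): the public getters still return the private key and password, and the class
 *       carries a Jackson annotation, so bean serializers will presumably emit both. Confirm that
 *       any API layer returning this object masks them.</li>
 *   <li>Legacy OpenSSL-encrypted keys ("Proc-Type: 4,ENCRYPTED") are decrypted with a key derived
 *       from two chained MD5 digests of password and salt, and DES-CBC is among the accepted
 *       ciphers. That protects the key at rest only weakly; prefer PKCS#8 encrypted keys.</li>
 *   <li>Only RSA private keys are handled (see {@link #readPrivateKeyFile(String)}).</li>
 * </ul>
 */
@JsonIgnoreProperties(ignoreUnknown = true)
public class CertPemCredentials implements ClientCredentials {
    // Not referenced within this class: the protocol is left to SslContextBuilder's defaults.
    private static final String TLS_VERSION = "TLSv1.2";
    private static final String BC_PROVIDER = "BC";
    private static final String REDACTED = "<redacted>";
    protected String caCert;
    private String cert;
    private String privateKey;
    private String password;
    private static final Logger log = LoggerFactory.getLogger(CertPemCredentials.class);
    static final String OPENSSL_ENCRYPTED_RSA_PRIVATEKEY_REGEX = "\\s*-----BEGIN RSA PRIVATE KEY-----\\s*Proc-Type: 4,ENCRYPTED\\s*DEK-Info:\\s*([^\\s]+)\\s+([\\s\\S]*)-----END RSA PRIVATE KEY-----\\s*";
    static final Pattern OPENSSL_ENCRYPTED_RSA_PRIVATEKEY_PATTERN = Pattern.compile(OPENSSL_ENCRYPTED_RSA_PRIVATEKEY_REGEX);

    /** Returns {@link CredentialsType#CERT_PEM}. */
    @Override
    public CredentialsType getType() {
        return CredentialsType.CERT_PEM;
    }

    /**
     * Builds a client-side Netty {@link SslContext}.
     *
     * <p>A trust manager is installed only when {@code caCert} is set; otherwise the builder's
     * default trust configuration applies. A key manager is installed only when both {@code cert}
     * and {@code privateKey} are set.
     *
     * @return the built context
     * @throws RuntimeException wrapping any failure while parsing the PEM material or building
     */
    @Override
    public SslContext initSslContext() {
        try {
            // Register BouncyCastle once instead of constructing a new provider on every call.
            if (Security.getProvider(BC_PROVIDER) == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            SslContextBuilder builder = SslContextBuilder.forClient();
            if (StringUtils.hasLength(this.caCert)) {
                builder.trustManager(createAndInitTrustManagerFactory());
            }
            if (StringUtils.hasLength(this.cert) && StringUtils.hasLength(this.privateKey)) {
                builder.keyManager(createAndInitKeyManagerFactory());
            }
            return builder.build();
        } catch (Exception e) {
            // Only the certificates are logged; the private key and password never are.
            log.error("[{}:{}] Creating TLS factory failed!", this.caCert, this.cert, e);
            throw new RuntimeException("Creating TLS factory failed!", e);
        }
    }

    /**
     * Loads the client certificate and private key into an in-memory key store and returns a key
     * manager factory initialised from it. The configured password (or an empty one) protects the
     * key entry.
     */
    private KeyManagerFactory createAndInitKeyManagerFactory() throws Exception {
        X509Certificate clientCert = readCertFile(this.cert);
        // Typed as Object so the instanceof dispatch below type-checks. readPrivateKeyFile, as
        // written in this class, only ever yields a PrivateKey, so the two PEM-pair branches are
        // not reached from here.
        Object keyObject = readPrivateKeyFile(this.privateKey);
        if (clientCert == null || keyObject == null) {
            // Fail with a clear message instead of a NullPointerException further down.
            throw new IllegalArgumentException("Client certificate and private key must both be present");
        }
        char[] keyPassword = StringUtils.isEmpty(this.password) ? new char[0] : this.password.toCharArray();

        PrivateKey key;
        if (keyObject instanceof PEMEncryptedKeyPair) {
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC_PROVIDER);
            PEMKeyPair decrypted = ((PEMEncryptedKeyPair) keyObject)
                    .decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(keyPassword));
            key = converter.getKeyPair(decrypted).getPrivate();
        } else if (keyObject instanceof PEMKeyPair) {
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC_PROVIDER);
            key = converter.getKeyPair((PEMKeyPair) keyObject).getPrivate();
        } else if (keyObject instanceof PrivateKey) {
            key = (PrivateKey) keyObject;
        } else {
            throw new RuntimeException("Unable to get private key from object: " + keyObject.getClass());
        }

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("cert", clientCert);
        keyStore.setKeyEntry("private-key", key, keyPassword, new Certificate[]{clientCert});
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyPassword);
        return keyManagerFactory;
    }

    /**
     * Builds a trust manager factory that trusts the single certificate parsed from
     * {@code caCert}.
     *
     * <p>Declared public in this listing; a decompiler note on the original recorded that the
     * access modifier had been changed from protected.
     *
     * <p>NOTE(review): {@link #readCertFile(String)} parses one certificate only. A PEM bundle
     * holding several certificates is presumably not loaded as several trust anchors; verify
     * before supplying a chain.
     */
    public TrustManagerFactory createAndInitTrustManagerFactory() throws Exception {
        X509Certificate trustAnchor = readCertFile(this.caCert);
        if (trustAnchor == null) {
            // A blank caCert must not end up as an undefined key-store entry.
            throw new IllegalArgumentException("CA certificate is blank");
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("caCert-cert", trustAnchor);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        return trustManagerFactory;
    }

    /**
     * Parses one X.509 certificate from PEM text.
     *
     * @param str PEM text; may be {@code null} or blank
     * @return the certificate, or {@code null} when {@code str} is {@code null} or blank
     */
    private X509Certificate readCertFile(String str) throws Exception {
        if (str == null || str.trim().isEmpty()) {
            return null;
        }
        String base64Body = str
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.decodeBase64(base64Body);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        try (ByteArrayInputStream in = new ByteArrayInputStream(der)) {
            return (X509Certificate) factory.generateCertificate(in);
        }
    }

    /**
     * Parses an RSA private key from PEM text.
     *
     * @param str PEM text; may be {@code null} or empty
     * @return the key, or {@code null} when {@code str} is {@code null} or empty
     */
    private PrivateKey readPrivateKeyFile(String str) throws Exception {
        if (str == null || str.isEmpty()) {
            return null;
        }
        return KeyFactory.getInstance("RSA").generatePrivate(getKeySpec(str));
    }

    /**
     * Turns PEM text into a key spec. Text matching
     * {@link #OPENSSL_ENCRYPTED_RSA_PRIVATEKEY_PATTERN} is decrypted as a legacy OpenSSL key;
     * anything else is treated as PKCS#8, encrypted when a password is configured.
     */
    private KeySpec getKeySpec(String str) throws Exception {
        Matcher matcher = OPENSSL_ENCRYPTED_RSA_PRIVATEKEY_PATTERN.matcher(str);
        if (matcher.matches()) {
            return decryptLegacyOpenSslKey(matcher.group(1).trim(), matcher.group(2));
        }
        return decodePkcs8Key(str);
    }

    /** Decrypts a legacy "Proc-Type: 4,ENCRYPTED" RSA key and parses the PKCS#1 result. */
    private KeySpec decryptLegacyOpenSslKey(String dekInfo, String base64Body) throws Exception {
        byte[] encrypted = java.util.Base64.getDecoder().decode(base64Body.replaceAll("\\s", ""));
        String[] details = dekInfo.split(",");
        if (details.length != 2) {
            throw new RuntimeException("Wrong encryption details!");
        }
        String algorithm = details[0];
        byte[] iv = Hex.decode(details[1]);

        String transformation = null;
        String keyAlgorithm = null;
        int keyLength = 0;
        switch (algorithm) {
            case "AES-256-CBC":
                transformation = "AES/CBC/PKCS5Padding";
                keyAlgorithm = "AES";
                keyLength = 32;
                break;
            case "AES-192-CBC":
                transformation = "AES/CBC/PKCS5Padding";
                keyAlgorithm = "AES";
                keyLength = 24;
                break;
            case "AES-128-CBC":
                transformation = "AES/CBC/PKCS5Padding";
                keyAlgorithm = "AES";
                keyLength = 16;
                break;
            case "DES-EDE3-CBC":
                transformation = "DESede/CBC/PKCS5Padding";
                keyAlgorithm = "DESede";
                keyLength = 24;
                break;
            case "DES-CBC":
                // Single DES is accepted only so that existing key files keep loading.
                transformation = "DES/CBC/PKCS5Padding";
                keyAlgorithm = "DES";
                keyLength = 8;
                break;
            default:
                break;
        }
        if (transformation == null) {
            throw new RuntimeException("Unknown Encryption algorithm!");
        }
        if (this.password == null) {
            // Previously surfaced as a bare NullPointerException.
            throw new IllegalArgumentException("Encrypted private key requires a password");
        }
        if (iv.length < 8) {
            // The first 8 IV bytes double as the key-derivation salt.
            throw new IllegalArgumentException("DEK-Info IV is too short");
        }

        // Explicit charset so the derived key does not depend on the platform default.
        byte[] passwordBytes = this.password.getBytes(StandardCharsets.UTF_8);
        byte[] keyBytes = deriveLegacyKey(passwordBytes, iv, keyLength);
        byte[] pkcs1 = null;
        try {
            Cipher cipher = Cipher.getInstance(transformation);
            // SecretKeySpec copies keyBytes, so wiping the local array afterwards is safe.
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, keyAlgorithm), new IvParameterSpec(iv));
            pkcs1 = cipher.doFinal(encrypted);
            return decodeRSAPrivatePKCS1(pkcs1);
        } finally {
            // Best-effort scrubbing of secret material held in local arrays.
            Arrays.fill(passwordBytes, (byte) 0);
            Arrays.fill(keyBytes, (byte) 0);
            if (pkcs1 != null) {
                Arrays.fill(pkcs1, (byte) 0);
            }
        }
    }

    /**
     * Derives {@code keyLength} key bytes as MD5(password || salt) followed by
     * MD5(previous || password || salt), where the salt is the first 8 bytes of the IV.
     */
    private static byte[] deriveLegacyKey(byte[] passwordBytes, byte[] iv, int keyLength) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(passwordBytes);
        md5.update(iv, 0, 8);
        byte[] first = md5.digest();
        md5.update(first);
        md5.update(passwordBytes);
        md5.update(iv, 0, 8);
        byte[] second = md5.digest();

        byte[] material = new byte[32];
        System.arraycopy(first, 0, material, 0, 16);
        System.arraycopy(second, 0, material, 16, 16);
        try {
            return Arrays.copyOf(material, keyLength);
        } finally {
            Arrays.fill(first, (byte) 0);
            Arrays.fill(second, (byte) 0);
            Arrays.fill(material, (byte) 0);
        }
    }

    /** Decodes a PKCS#8 key, decrypting it first when a password is configured. */
    private KeySpec decodePkcs8Key(String str) throws Exception {
        byte[] encoded = Base64.decodeBase64(str.replaceAll(".*BEGIN.*PRIVATE KEY.*", "").replaceAll(".*END.*PRIVATE KEY.*", "").replaceAll("\\s", ""));
        if (this.password == null || this.password.isEmpty()) {
            return new PKCS8EncodedKeySpec(encoded);
        }
        PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password.toCharArray());
        try {
            EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(encoded);
            // NOTE(review): relies on the JCA provider resolving this algorithm name for both the
            // cipher and the secret-key factory; confirm the key formats in use load on the
            // target JDK.
            String algName = encryptedInfo.getAlgName();
            Cipher cipher = Cipher.getInstance(algName);
            cipher.init(Cipher.DECRYPT_MODE, SecretKeyFactory.getInstance(algName).generateSecret(pbeKeySpec), encryptedInfo.getAlgParameters());
            return encryptedInfo.getKeySpec(cipher);
        } finally {
            pbeKeySpec.clearPassword();
        }
    }

    /**
     * Reads one DER INTEGER (tag 2) from the buffer as a non-negative value.
     * Truncated input surfaces as an unchecked exception from the buffer reads.
     */
    private static BigInteger derint(ByteBuffer byteBuffer) {
        byte[] magnitude = new byte[der(byteBuffer, 2)];
        byteBuffer.get(magnitude);
        return new BigInteger(1, magnitude);
    }

    /**
     * Reads a DER tag and length and returns the length.
     *
     * @param byteBuffer buffer positioned at the tag byte
     * @param i the expected tag value
     * @return the content length; the long form is limited to one or two length bytes
     * @throws IllegalArgumentException on a tag mismatch or an unsupported length encoding
     */
    private static int der(ByteBuffer byteBuffer, int i) {
        if ((byteBuffer.get() & 0xFF) != i) {
            throw new IllegalArgumentException("Unexpected tag");
        }
        int first = byteBuffer.get() & 0xFF;
        if (first < 0x80) {
            return first;
        }
        int lengthBytes = first & 0x7F;
        if (lengthBytes < 1 || lengthBytes > 2) {
            throw new IllegalArgumentException("Invalid length");
        }
        int length = 0;
        for (int k = 0; k < lengthBytes; k++) {
            length = (length << 8) | (byteBuffer.get() & 0xFF);
        }
        return length;
    }

    /**
     * Parses a PKCS#1 RSAPrivateKey structure: a SEQUENCE (tag 48) holding a version INTEGER that
     * must be zero, followed by eight INTEGERs passed in order to {@link RSAPrivateCrtKeySpec}.
     *
     * @throws IllegalArgumentException if the sequence length does not match the remaining bytes,
     *         the version is not zero, or a tag or length is not as expected
     */
    static RSAPrivateCrtKeySpec decodeRSAPrivatePKCS1(byte[] bArr) {
        ByteBuffer buffer = ByteBuffer.wrap(bArr);
        if (der(buffer, 48) != buffer.remaining()) {
            throw new IllegalArgumentException("Excess data");
        }
        if (!BigInteger.ZERO.equals(derint(buffer))) {
            throw new IllegalArgumentException("Unsupported version");
        }
        BigInteger modulus = derint(buffer);
        BigInteger publicExponent = derint(buffer);
        BigInteger privateExponent = derint(buffer);
        BigInteger primeP = derint(buffer);
        BigInteger primeQ = derint(buffer);
        BigInteger primeExponentP = derint(buffer);
        BigInteger primeExponentQ = derint(buffer);
        BigInteger crtCoefficient = derint(buffer);
        return new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent, primeP, primeQ,
                primeExponentP, primeExponentQ, crtCoefficient);
    }

    /** Returns the CA certificate PEM text. */
    public String getCaCert() {
        return this.caCert;
    }

    /** Returns the client certificate PEM text. */
    public String getCert() {
        return this.cert;
    }

    /** Returns the private key PEM text. Secret: do not log the result. */
    public String getPrivateKey() {
        return this.privateKey;
    }

    /** Returns the private key password. Secret: do not log the result. */
    public String getPassword() {
        return this.password;
    }

    /** Sets the CA certificate PEM text. */
    public void setCaCert(String str) {
        this.caCert = str;
    }

    /** Sets the client certificate PEM text. */
    public void setCert(String str) {
        this.cert = str;
    }

    /** Sets the private key PEM text. */
    public void setPrivateKey(String str) {
        this.privateKey = str;
    }

    /** Sets the private key password. */
    public void setPassword(String str) {
        this.password = str;
    }

    /** Compares all four fields through their getters. */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof CertPemCredentials)) {
            return false;
        }
        CertPemCredentials other = (CertPemCredentials) obj;
        return other.canEqual(this)
                && Objects.equals(getCaCert(), other.getCaCert())
                && Objects.equals(getCert(), other.getCert())
                && Objects.equals(getPrivateKey(), other.getPrivateKey())
                && Objects.equals(getPassword(), other.getPassword());
    }

    /** Lets subclasses restrict which instances may compare equal to them. */
    protected boolean canEqual(Object obj) {
        return obj instanceof CertPemCredentials;
    }

    /** Hash over the four fields, using the same multiplier and null constant as before. */
    @Override
    public int hashCode() {
        int result = 1;
        String[] values = {getCaCert(), getCert(), getPrivateKey(), getPassword()};
        for (String value : values) {
            result = (result * 59) + (value == null ? 43 : value.hashCode());
        }
        return result;
    }

    /**
     * Describes the credentials with the private key and password redacted, so that log lines and
     * exception messages built from this object do not disclose secret material.
     */
    @Override
    public String toString() {
        return "CertPemCredentials(caCert=" + getCaCert() + ", cert=" + getCert() + ", privateKey=" + mask(getPrivateKey()) + ", password=" + mask(getPassword()) + ")";
    }

    /** Keeps {@code null} visible for diagnostics and hides any actual value. */
    private static String mask(String secret) {
        return secret == null ? null : REDACTED;
    }
}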
