package io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.pem;

import io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource;
import io.jenkins.cli.shaded.org.apache.sshd.common.cipher.ECCurves;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.FilePasswordProvider;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.session.SessionContext;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.GenericUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.io.IoUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.io.der.ASN1Object;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.io.der.ASN1Type;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.io.der.DERParser;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.security.Decryptor;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.security.SecurityUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.security.eddsa.Ed25519PEMResourceKeyParser;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.CredentialException;

/* loaded from: input_file:WEB-INF/lib/cli-2.415-rc33970.90959b_d46edc.jar:io/jenkins/cli/shaded/org/apache/sshd/common/config/keys/loader/pem/PKCS8PEMResourceKeyPairParser.class */
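/**
 * PEM key-pair parser for PKCS#8 private keys, both plain
 * ({@code BEGIN PRIVATE KEY}) and password-protected
 * ({@code BEGIN ENCRYPTED PRIVATE KEY}).
 *
 * <p>Key hygiene: every buffer this class owns that holds decoded private-key
 * bytes or password characters is overwritten with zeros before the method
 * returns, on success and on failure alike. This is best effort only: the
 * password {@link String} handed to the decoder callback and the returned
 * {@link KeyPair} objects are outside this class's control.
 */
public class PKCS8PEMResourceKeyPairParser extends AbstractPEMResourceKeyPairParser {
    public static final String BEGIN_MARKER = "BEGIN PRIVATE KEY";
    public static final String BEGIN_ENCRYPTED_MARKER = "BEGIN ENCRYPTED PRIVATE KEY";
    public static final String END_MARKER = "END PRIVATE KEY";
    public static final String END_ENCRYPTED_MARKER = "END ENCRYPTED PRIVATE KEY";
    public static final String PKCS8_FORMAT = "PKCS#8";
    public static final List<String> BEGINNERS = GenericUtils.unmodifiableList(BEGIN_MARKER, BEGIN_ENCRYPTED_MARKER);
    public static final List<String> ENDERS = GenericUtils.unmodifiableList(END_MARKER, END_ENCRYPTED_MARKER);

    // Dotted algorithm OIDs that get a dedicated decoding path in extractKeyPairs(byte[], ...).
    private static final String EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1";
    private static final String ED25519_OID = "1.3.101.112";

    public static final PKCS8PEMResourceKeyPairParser INSTANCE = new PKCS8PEMResourceKeyPairParser();

    public PKCS8PEMResourceKeyPairParser() {
        super(PKCS8_FORMAT, PKCS8_FORMAT, BEGINNERS, ENDERS);
    }

    /**
     * Reads the whole stream and decodes it as a PKCS#8 structure, going through
     * {@link #decryptKeyPairs} when the begin marker announces an encrypted key.
     *
     * @param sessionContext       session context, forwarded to the password provider
     * @param namedResource        resource being parsed (used in error messages)
     * @param str                  the begin marker line; only checked for {@link #BEGIN_ENCRYPTED_MARKER}
     * @param str2                 unused here (presumably the end marker - confirm against the superclass)
     * @param filePasswordProvider password source for encrypted keys; may be {@code null} for plain keys
     * @param inputStream          the decoded (binary) PEM payload
     * @param map                  unused here (presumably the PEM headers - confirm against the superclass)
     * @return the key pairs found in the resource
     * @throws IOException              if the stream cannot be read or the DER data is malformed
     * @throws GeneralSecurityException if the key cannot be decoded or decrypted
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.AbstractKeyPairResourceParser
    public Collection<KeyPair> extractKeyPairs(SessionContext sessionContext, NamedResource namedResource, String str, String str2, FilePasswordProvider filePasswordProvider, InputStream inputStream, Map<String, String> map) throws IOException, GeneralSecurityException {
        byte[] encoded = IoUtils.toByteArray(inputStream);
        if (str.contains(BEGIN_ENCRYPTED_MARKER)) {
            // Still ciphertext at this point, so the buffer is not wiped here.
            return decryptKeyPairs(sessionContext, namedResource, filePasswordProvider, encoded);
        }

        PKCS8PrivateKeyInfo keyInfo = null;
        try {
            // Constructed inside the try so that a parse failure on malformed input
            // still wipes the plain private-key bytes below.
            keyInfo = new PKCS8PrivateKeyInfo(encoded);
            return extractKeyPairs(encoded, keyInfo);
        } finally {
            if (keyInfo != null) {
                keyInfo.clear();
            }
            Arrays.fill(encoded, (byte) 0);
        }
    }

    /**
     * Decrypts an {@code EncryptedPrivateKeyInfo} blob with a password obtained
     * from the provider and decodes the resulting PKCS#8 structure.
     *
     * @param sessionContext       session context, forwarded to the password provider
     * @param namedResource        resource being parsed
     * @param filePasswordProvider password source; must not be {@code null}
     * @param bArr                 the encrypted key bytes
     * @return the decoded key pairs, or an empty list when the provider yields {@code null}
     * @throws CredentialException      if no password provider was supplied
     * @throws IOException              if the decrypted DER data is malformed
     * @throws GeneralSecurityException if decryption or key decoding fails
     */
    public Collection<KeyPair> decryptKeyPairs(SessionContext sessionContext, NamedResource namedResource, FilePasswordProvider filePasswordProvider, byte[] bArr) throws IOException, GeneralSecurityException {
        if (filePasswordProvider == null) {
            throw new CredentialException("Missing password provider for encrypted resource=" + namedResource);
        }

        Decryptor decryptor = SecurityUtils.getBouncycastleEncryptedPrivateKeyInfoDecryptor();
        @SuppressWarnings("unchecked") // the callback below only ever returns Collection<KeyPair>
        Collection<KeyPair> keyPairs = (Collection<KeyPair>) filePasswordProvider.decode(sessionContext, namedResource, password -> {
            // Work on a private copy that can be wiped; the String itself cannot be cleared.
            char[] passwordChars = password.toCharArray();
            byte[] decrypted = null;
            PKCS8PrivateKeyInfo keyInfo = null;
            try {
                decrypted = decryptor.decrypt(bArr, passwordChars);
                keyInfo = new PKCS8PrivateKeyInfo(decrypted);
                return extractKeyPairs(decrypted, keyInfo);
            } finally {
                // Runs for every outcome, including a failure while parsing the
                // decrypted bytes, so no plain key material is left behind.
                if (keyInfo != null) {
                    keyInfo.clear();
                }
                if (decrypted != null) {
                    Arrays.fill(decrypted, (byte) 0);
                }
                Arrays.fill(passwordChars, (char) 0);
            }
        });
        return keyPairs == null ? Collections.emptyList() : keyPairs;
    }

    /**
     * Builds the key pair described by an already parsed PKCS#8 structure,
     * choosing the decoder by the algorithm OID.
     *
     * @param bArr                the complete PKCS#8 encoding (used for the generic key-factory path)
     * @param pKCS8PrivateKeyInfo the parsed view of {@code bArr}
     * @return a single-element list holding the decoded key pair
     * @throws IOException              if the embedded DER data is malformed
     * @throws GeneralSecurityException if the algorithm or curve is unknown or the key is invalid
     */
    public Collection<KeyPair> extractKeyPairs(byte[] bArr, PKCS8PrivateKeyInfo pKCS8PrivateKeyInfo) throws IOException, GeneralSecurityException {
        List<Integer> algorithmIdentifier = pKCS8PrivateKeyInfo.getAlgorithmIdentifier();
        String oid = GenericUtils.join((Iterable<?>) algorithmIdentifier, '.');

        KeyPair keyPair;
        if (SecurityUtils.isECCSupported() && EC_PUBLIC_KEY_OID.equals(oid)) {
            ASN1Object privateKeyBytes = pKCS8PrivateKeyInfo.getPrivateKeyBytes();
            ASN1Object algorithmParameter = pKCS8PrivateKeyInfo.getAlgorithmParameter();

            // The curve OID is optional: an absent or NULL parameter means "no explicit curve".
            ASN1Type parameterType = (algorithmParameter == null) ? ASN1Type.NULL : algorithmParameter.getObjType();
            List<Integer> curveOid = (parameterType == ASN1Type.NULL) ? Collections.emptyList() : algorithmParameter.asOID();

            ECCurves curve = null;
            if (GenericUtils.isNotEmpty((Collection<?>) curveOid)) {
                curve = ECCurves.fromOIDValue(curveOid);
                if (curve == null) {
                    throw new NoSuchAlgorithmException("Cannot match EC curve OID=" + curveOid);
                }
            }

            try (DERParser parser = privateKeyBytes.createParser()) {
                keyPair = ECDSAPEMResourceKeyPairParser.parseECKeyPair(curve, parser);
            }
        } else if (SecurityUtils.isEDDSACurveSupported() && ED25519_OID.equals(oid)) {
            // Exact match on the OID. A suffix test ("1.3.101.112".endsWith(oid)) would also
            // route shorter identifiers that merely form a suffix of the Ed25519 OID into
            // this decoder instead of rejecting them as unknown algorithms.
            keyPair = Ed25519PEMResourceKeyParser.decodeEd25519KeyPair(pKCS8PrivateKeyInfo.getPrivateKeyBytes().getPureValueBytes());
        } else {
            // Generic path: let the key factory registered for this OID decode the full encoding.
            PrivateKey privateKey = decodePEMPrivateKeyPKCS8(algorithmIdentifier, bArr);
            PublicKey publicKey = (PublicKey) ValidateUtils.checkNotNull(KeyUtils.recoverPublicKey(privateKey), "Failed to recover public key of OID=%s", algorithmIdentifier);
            keyPair = new KeyPair(publicKey, privateKey);
        }
        return Collections.singletonList(keyPair);
    }

    /**
     * Decodes a PKCS#8 private key whose algorithm is given as a list of OID arcs.
     *
     * @param list the algorithm OID arcs; must not be {@code null} or empty
     * @param bArr the complete PKCS#8 encoding
     * @return the decoded private key
     * @throws GeneralSecurityException if the algorithm is unknown or the key is invalid
     */
    public static PrivateKey decodePEMPrivateKeyPKCS8(List<Integer> list, byte[] bArr) throws GeneralSecurityException {
        ValidateUtils.checkNotNullAndNotEmpty(list, "No PKCS8 algorithm OID", new Object[0]);
        return decodePEMPrivateKeyPKCS8(GenericUtils.join((Iterable<?>) list, '.'), bArr);
    }

    /**
     * Decodes a PKCS#8 private key with the key factory of the parser registered
     * for the given dotted OID.
     *
     * @param str  the algorithm OID in dotted form; must not be {@code null} or empty
     * @param bArr the complete PKCS#8 encoding
     * @return the decoded private key
     * @throws NoSuchAlgorithmException if no parser is registered for the OID
     * @throws GeneralSecurityException if the key factory rejects the encoding
     */
    public static PrivateKey decodePEMPrivateKeyPKCS8(String str, byte[] bArr) throws GeneralSecurityException {
        String oid = ValidateUtils.checkNotNullAndNotEmpty(str, "No PKCS8 algorithm OID");
        KeyPairPEMResourceParser parser = PEMResourceParserUtils.getPEMResourceParserByOid(oid);
        if (parser == null) {
            throw new NoSuchAlgorithmException("decodePEMPrivateKeyPKCS8(" + str + ") unknown algorithm identifier");
        }
        String algorithm = ValidateUtils.checkNotNullAndNotEmpty(parser.getAlgorithm(), "No parser algorithm");
        return SecurityUtils.getKeyFactory(algorithm).generatePrivate(new PKCS8EncodedKeySpec(bArr));
    }
}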
