package io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh;

import io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource;
import io.jenkins.cli.shaded.org.apache.sshd.common.cipher.BuiltinCiphers;
import io.jenkins.cli.shaded.org.apache.sshd.common.cipher.CipherFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.FilePasswordProvider;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyEntryResolver;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.PrivateKeyEntryDecoder;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.PublicKeyEntryDecoder;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.AbstractKeyPairResourceParser;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.openssh.kdf.RawKdfOptions;
import io.jenkins.cli.shaded.org.apache.sshd.common.session.SessionContext;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.GenericUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.BufferUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.io.IoUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.security.SecurityUtils;
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.io.StreamCorruptedException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import javax.security.auth.login.FailedLoginException;

/* loaded from: input_file:WEB-INF/lib/cli-2.428-rc34314.e20265373529.jar:io/jenkins/cli/shaded/org/apache/sshd/common/config/keys/loader/openssh/OpenSSHKeyPairResourceParser.class */
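/**
 * Parses private-key resources delimited by the {@code BEGIN OPENSSH PRIVATE KEY} /
 * {@code END OPENSSH PRIVATE KEY} markers.
 *
 * <p>The decoded payload is read in this order: the {@code openssh-key-v1} magic value followed by
 * a zero byte, the cipher name, the KDF name and options, a key count, that many public keys, and
 * finally the private-key section. When the parser context reports the section as encrypted it is
 * decrypted through the supplied {@link FilePasswordProvider}.
 *
 * <p>The input is treated as untrusted: every string and length-prefixed blob is read with an
 * explicit upper bound, and buffers holding plaintext private-key material are zeroed as soon as
 * they have been parsed.
 */
public class OpenSSHKeyPairResourceParser extends AbstractKeyPairResourceParser {
    public static final String BEGIN_MARKER = "BEGIN OPENSSH PRIVATE KEY";
    public static final String END_MARKER = "END OPENSSH PRIVATE KEY";
    public static final String AUTH_MAGIC = "openssh-key-v1";
    public static final List<String> BEGINNERS = Collections.unmodifiableList(Collections.singletonList(BEGIN_MARKER));
    public static final List<String> ENDERS = Collections.unmodifiableList(Collections.singletonList(END_MARKER));

    /** Upper bound, in bytes, accepted for the private-key section (plain or encrypted). */
    private static final int MAX_PRIVATE_KEY_SECTION_BYTES = 262136;

    /**
     * Largest initial capacity reserved from the key count declared in the file. The count is read
     * before any key data, so it must not drive an allocation on its own.
     */
    private static final int MAX_PRESIZED_KEY_COUNT = 16;

    public static final OpenSSHKeyPairResourceParser INSTANCE = new OpenSSHKeyPairResourceParser();
    private static final byte[] AUTH_MAGIC_BYTES = AUTH_MAGIC.getBytes(StandardCharsets.UTF_8);

    /** Decoders by key type name (case-insensitive); guarded by its own monitor. */
    private static final Map<String, PrivateKeyEntryDecoder<?, ?>> BY_KEY_TYPE_DECODERS_MAP = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    /** Decoders by public/private key class; guarded by its own monitor. */
    private static final Map<Class<?>, PrivateKeyEntryDecoder<?, ?>> BY_KEY_CLASS_DECODERS_MAP = new HashMap<>();

    public OpenSSHKeyPairResourceParser() {
        super(BEGINNERS, ENDERS);
    }

    /**
     * Decodes every key pair stored in the given stream.
     *
     * @param sessionContext session the keys are loaded for, passed through to the decoders
     * @param namedResource resource name, used in log and exception messages
     * @param str not read here; forwarded to {@link #resolveKdfOptions}
     * @param str2 not read here; forwarded to {@link #resolveKdfOptions}
     * @param filePasswordProvider supplies the password for an encrypted private-key section;
     *     may be {@code null} only when the section is not encrypted
     * @param inputStream the decoded key data, positioned at the magic marker
     * @param map headers, passed through to the public key decoders
     * @return the decoded key pairs, or an empty collection when the file declares no keys
     * @throws IOException if the data is truncated or malformed
     * @throws GeneralSecurityException if the cipher or key type is unsupported, or the section is
     *     encrypted and no password provider was given ({@link FailedLoginException})
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.loader.AbstractKeyPairResourceParser
    public Collection<KeyPair> extractKeyPairs(SessionContext sessionContext, NamedResource namedResource, String str, String str2, FilePasswordProvider filePasswordProvider, InputStream inputStream, Map<String, String> map) throws IOException, GeneralSecurityException {
        boolean isDebugEnabled = this.log.isDebugEnabled();
        InputStream stream = validateStreamMagicMarker(sessionContext, namedResource, inputStream);
        String cipherName = KeyEntryResolver.decodeString(stream, 256);
        OpenSSHKdfOptions kdfOptions = resolveKdfOptions(sessionContext, namedResource, str, str2, stream, map);
        OpenSSHParserContext context = new OpenSSHParserContext(cipherName, kdfOptions);
        int numKeys = KeyEntryResolver.decodeInt(stream);
        if (numKeys <= 0) {
            if (isDebugEnabled) {
                this.log.debug("extractKeyPairs({}) no encoded keys for context={}", namedResource, context);
            }
            return Collections.emptyList();
        }
        if (isDebugEnabled) {
            this.log.debug("extractKeyPairs({}) decode {} keys using context={}", namedResource, Integer.valueOf(numKeys), context);
        }

        // numKeys comes straight from the file and is otherwise unchecked, so it is capped before
        // being used as a capacity hint. A file that declares more keys than it holds still fails
        // in the loop below when the stream runs out.
        List<PublicKey> publicKeys = new ArrayList<>(Math.min(numKeys, MAX_PRESIZED_KEY_COUNT));
        boolean isTraceEnabled = this.log.isTraceEnabled();
        for (int i = 1; i <= numKeys; i++) {
            PublicKey publicKey = readPublicKey(sessionContext, namedResource, context, stream, map);
            ValidateUtils.checkNotNull(publicKey, "Empty public key #%d in %s", Integer.valueOf(i), namedResource);
            if (isTraceEnabled) {
                this.log.trace("extractKeyPairs({}) read public key #{}: {} {}", namedResource, Integer.valueOf(i), KeyUtils.getKeyType(publicKey), KeyUtils.getFingerPrint(publicKey));
            }
            publicKeys.add(publicKey);
        }

        if (!context.isEncrypted()) {
            byte[] plain = KeyEntryResolver.readRLEBytes(stream, MAX_PRIVATE_KEY_SECTION_BYTES);
            try (InputStream keyData = new ByteArrayInputStream(plain)) {
                return readPrivateKeys(sessionContext, namedResource, context, publicKeys, filePasswordProvider, keyData);
            } finally {
                // Wipe the plaintext private-key bytes whether or not parsing succeeded.
                Arrays.fill(plain, (byte) 0);
            }
        }

        if (filePasswordProvider == null) {
            throw new FailedLoginException("No password provider for encrypted key in " + namedResource);
        }
        CipherFactory cipherFactory = BuiltinCiphers.resolveFactory(cipherName);
        if (cipherFactory == null || !cipherFactory.isSupported()) {
            throw new NoSuchAlgorithmException("Unsupported cipher: " + cipherName + " for encrypted key in " + namedResource);
        }

        final byte[] encrypted;
        int tagSize = cipherFactory.getAuthenticationTagSize();
        if (tagSize > 0) {
            // The length prefix covers only the ciphertext; the authentication tag follows it, so
            // the prefix is range-checked here and both parts are read into one buffer.
            int length = KeyEntryResolver.decodeInt(stream);
            if (length < 0) {
                throw new StreamCorruptedException("Key length " + length + " negative for encrypted key in " + namedResource);
            }
            if (length > MAX_PRIVATE_KEY_SECTION_BYTES) {
                throw new StreamCorruptedException("Key length " + length + " > allowed maximum " + MAX_PRIVATE_KEY_SECTION_BYTES + " for encrypted key in " + namedResource);
            }
            encrypted = new byte[length + tagSize];
            IoUtils.readFully(stream, encrypted);
        } else {
            encrypted = KeyEntryResolver.readRLEBytes(stream, MAX_PRIVATE_KEY_SECTION_BYTES);
        }

        // The provider decides how passwords are obtained and calls the decoder with each one.
        @SuppressWarnings("unchecked")
        Collection<KeyPair> decoded = (Collection<KeyPair>) filePasswordProvider.decode(sessionContext, namedResource, password -> {
            byte[] plain = kdfOptions.decodePrivateKeyBytes(sessionContext, namedResource, cipherFactory, encrypted, password);
            try (InputStream keyData = new ByteArrayInputStream(plain)) {
                return readPrivateKeys(sessionContext, namedResource, context, publicKeys, filePasswordProvider, keyData);
            } finally {
                // Wipe the decrypted bytes on success and on failure alike.
                Arrays.fill(plain, (byte) 0);
            }
        });
        return decoded == null ? Collections.emptyList() : decoded;
    }

    /**
     * Reads the KDF name (at most 1024 bytes) and the KDF options blob (at most 32767 bytes) and
     * returns the matching options object: bcrypt options for the name {@code bcrypt} (compared
     * case-insensitively), raw options for any other name.
     */
    protected OpenSSHKdfOptions resolveKdfOptions(SessionContext sessionContext, NamedResource namedResource, String str, String str2, InputStream inputStream, Map<String, String> map) throws IOException, GeneralSecurityException {
        String kdfName = KeyEntryResolver.decodeString(inputStream, 1024);
        byte[] kdfOptions = KeyEntryResolver.readRLEBytes(inputStream, 32767);
        OpenSSHKdfOptions options = "bcrypt".equalsIgnoreCase(kdfName) ? new BCryptKdfOptions() : new RawKdfOptions();
        options.initialize(kdfName, kdfOptions);
        return options;
    }

    /**
     * Reads one length-prefixed public key blob (at most 65534 bytes) and decodes it with the
     * decoder registered for the key type named at the start of the blob.
     *
     * @throws NoSuchAlgorithmException if no public key decoder is known for that key type
     */
    protected PublicKey readPublicKey(SessionContext sessionContext, NamedResource namedResource, OpenSSHParserContext openSSHParserContext, InputStream inputStream, Map<String, String> map) throws IOException, GeneralSecurityException {
        try (ByteArrayInputStream keyData = new ByteArrayInputStream(KeyEntryResolver.readRLEBytes(inputStream, 65534))) {
            String keyType = KeyEntryResolver.decodeString(keyData, 256);
            PublicKeyEntryDecoder<?, ?> decoder = KeyUtils.getPublicKeyEntryDecoder(keyType);
            if (decoder == null) {
                throw new NoSuchAlgorithmException("Unsupported key type (" + keyType + ") in " + namedResource);
            }
            return decoder.decodePublicKey(sessionContext, keyType, keyData, map);
        }
    }

    /**
     * Reads the private-key section: two check integers that must be equal, then one private key
     * per previously read public key, in the same order.
     *
     * @param collection the public keys already read from the file
     * @param inputStream the plain (already decrypted) private-key section
     * @return one key pair per public key, or an empty list when there are no public keys
     * @throws StreamCorruptedException if the two check values differ
     */
    protected List<KeyPair> readPrivateKeys(SessionContext sessionContext, NamedResource namedResource, OpenSSHParserContext openSSHParserContext, Collection<? extends PublicKey> collection, FilePasswordProvider filePasswordProvider, InputStream inputStream) throws IOException, GeneralSecurityException {
        if (GenericUtils.isEmpty((Collection<?>) collection)) {
            return Collections.emptyList();
        }
        boolean isTraceEnabled = this.log.isTraceEnabled();
        int check1 = KeyEntryResolver.decodeInt(inputStream);
        int check2 = KeyEntryResolver.decodeInt(inputStream);
        if (isTraceEnabled) {
            this.log.trace("readPrivateKeys({}) check1=0x{}, check2=0x{}", namedResource, Integer.toHexString(check1), Integer.toHexString(check2));
        }
        // On the encrypted path this is the first check applied to the decrypted bytes.
        if (check1 != check2) {
            throw new StreamCorruptedException("Mismatched private key check values (" + Integer.toHexString(check1) + "/" + Integer.toHexString(check2) + ") in " + namedResource);
        }

        List<KeyPair> keyPairs = new ArrayList<>(collection.size());
        for (PublicKey publicKey : collection) {
            String publicKeyType = KeyUtils.getKeyType(publicKey);
            int keyIndex = keyPairs.size() + 1;
            if (isTraceEnabled) {
                this.log.trace("extractKeyPairs({}) read private key #{}: {}", namedResource, Integer.valueOf(keyIndex), publicKeyType);
            }
            Map.Entry<PrivateKey, String> entry = readPrivateKey(sessionContext, namedResource, openSSHParserContext, publicKeyType, filePasswordProvider, inputStream);
            PrivateKey privateKey = entry == null ? null : entry.getKey();
            ValidateUtils.checkNotNull(privateKey, "Empty private key #%d in %s", Integer.valueOf(keyIndex), namedResource);
            String privateKeyType = KeyUtils.getKeyType(privateKey);
            ValidateUtils.checkTrue(Objects.equals(publicKeyType, privateKeyType), "Mismatched public (%s) vs. private (%s) key type #%d in %s", publicKeyType, privateKeyType, Integer.valueOf(keyIndex), namedResource);
            if (isTraceEnabled) {
                this.log.trace("extractKeyPairs({}) add private key #{}: {} {}", namedResource, Integer.valueOf(keyIndex), privateKeyType, entry.getValue());
            }
            keyPairs.add(new KeyPair(publicKey, privateKey));
        }
        return keyPairs;
    }

    /**
     * Reads one private key entry: the key type name, the key itself, and a trailing string of at
     * most 1024 bytes that is returned as the entry's value.
     *
     * @param str the key type expected at this position (taken from the matching public key)
     * @throws StreamCorruptedException if the stored key type differs from {@code str}
     * @throws NoSuchAlgorithmException if no private key decoder is registered for the key type
     * @throws InvalidKeyException if the decoder returns no key
     */
    protected Map.Entry<PrivateKey, String> readPrivateKey(SessionContext sessionContext, NamedResource namedResource, OpenSSHParserContext openSSHParserContext, String str, FilePasswordProvider filePasswordProvider, InputStream inputStream) throws IOException, GeneralSecurityException {
        String keyType = KeyEntryResolver.decodeString(inputStream, 256);
        if (!Objects.equals(str, keyType)) {
            throw new StreamCorruptedException("Mismatched private key type: , expected=" + str + ", actual=" + keyType + " in " + namedResource);
        }
        PrivateKeyEntryDecoder<?, ?> decoder = getPrivateKeyEntryDecoder(keyType);
        if (decoder == null) {
            throw new NoSuchAlgorithmException("Unsupported key type (" + keyType + ") in " + namedResource);
        }
        PrivateKey privateKey = decoder.decodePrivateKey(sessionContext, keyType, filePasswordProvider, inputStream);
        if (privateKey == null) {
            throw new InvalidKeyException("Cannot parse key type (" + keyType + ") in " + namedResource);
        }
        return new AbstractMap.SimpleImmutableEntry<>(privateKey, KeyEntryResolver.decodeString(inputStream, 1024));
    }

    /**
     * Consumes and checks the {@code openssh-key-v1} magic value and the zero byte that follows it.
     *
     * @return the same stream, positioned just after the marker
     * @throws StreamCorruptedException if the magic value or the terminating byte is wrong
     * @throws EOFException if the stream ends right after the magic value
     */
    protected <S extends InputStream> S validateStreamMagicMarker(SessionContext sessionContext, NamedResource namedResource, S s) throws IOException {
        byte[] actual = new byte[AUTH_MAGIC_BYTES.length];
        IoUtils.readFully(s, actual);
        if (!Arrays.equals(AUTH_MAGIC_BYTES, actual)) {
            throw new StreamCorruptedException(namedResource + ": Mismatched magic marker value: " + BufferUtils.toHex(':', actual));
        }
        int terminator = s.read();
        if (terminator == -1) {
            throw new EOFException(namedResource + ": Premature EOF after magic marker value");
        }
        if (terminator != 0) {
            throw new StreamCorruptedException(namedResource + ": Missing EOS after magic marker value: 0x" + Integer.toHexString(terminator));
        }
        return s;
    }

    /**
     * Registers a decoder under its public key class, its private key class and each of its
     * supported key type names. An existing registration for the same class or name is replaced.
     *
     * @param privateKeyEntryDecoder the decoder to register; must not be {@code null} and must
     *     declare both key classes and at least one key type name
     */
    public static void registerPrivateKeyEntryDecoder(PrivateKeyEntryDecoder<?, ?> privateKeyEntryDecoder) {
        Objects.requireNonNull(privateKeyEntryDecoder, "No decoder specified");
        Class<?> publicKeyType = Objects.requireNonNull(privateKeyEntryDecoder.getPublicKeyType(), "No public key type declared");
        Class<?> privateKeyType = Objects.requireNonNull(privateKeyEntryDecoder.getPrivateKeyType(), "No private key type declared");
        synchronized (BY_KEY_CLASS_DECODERS_MAP) {
            BY_KEY_CLASS_DECODERS_MAP.put(publicKeyType, privateKeyEntryDecoder);
            BY_KEY_CLASS_DECODERS_MAP.put(privateKeyType, privateKeyEntryDecoder);
        }
        Collection<String> keyTypes = ValidateUtils.checkNotNullAndNotEmpty(privateKeyEntryDecoder.getSupportedKeyTypes(), "No supported key type", new Object[0]);
        synchronized (BY_KEY_TYPE_DECODERS_MAP) {
            for (String keyType : keyTypes) {
                BY_KEY_TYPE_DECODERS_MAP.put(keyType, privateKeyEntryDecoder);
            }
        }
    }

    /**
     * @param str a key type name, matched case-insensitively
     * @return the decoder registered for that name, or {@code null} if the name is empty or unknown
     */
    public static PrivateKeyEntryDecoder<?, ?> getPrivateKeyEntryDecoder(String str) {
        if (GenericUtils.isEmpty(str)) {
            return null;
        }
        synchronized (BY_KEY_TYPE_DECODERS_MAP) {
            return BY_KEY_TYPE_DECODERS_MAP.get(str);
        }
    }

    /**
     * @return the decoder shared by both halves of the pair, or {@code null} if the pair is
     *     {@code null}, the halves resolve to different decoders, or neither resolves to one
     */
    public static PrivateKeyEntryDecoder<?, ?> getPrivateKeyEntryDecoder(KeyPair keyPair) {
        if (keyPair == null) {
            return null;
        }
        PrivateKeyEntryDecoder<?, ?> forPublic = getPrivateKeyEntryDecoder(keyPair.getPublic());
        PrivateKeyEntryDecoder<?, ?> forPrivate = getPrivateKeyEntryDecoder(keyPair.getPrivate());
        return forPublic == forPrivate ? forPublic : null;
    }

    /**
     * @return the decoder registered for the key's runtime class, or {@code null} for a
     *     {@code null} key or an unknown class
     */
    public static PrivateKeyEntryDecoder<?, ?> getPrivateKeyEntryDecoder(Key key) {
        if (key == null) {
            return null;
        }
        return getPrivateKeyEntryDecoder(key.getClass());
    }

    /**
     * Looks a decoder up by key class: first by exact class, then by the first registered decoder
     * whose public or private key type is assignable from the given class.
     *
     * @return the matching decoder, or {@code null} if {@code cls} is {@code null}, is not a
     *     {@link Key} type, or matches no registered decoder
     */
    public static PrivateKeyEntryDecoder<?, ?> getPrivateKeyEntryDecoder(Class<?> cls) {
        if (cls == null || !Key.class.isAssignableFrom(cls)) {
            return null;
        }
        // Hold the monitor that registerPrivateKeyEntryDecoder holds while writing this HashMap.
        // The by-type map's monitor does not exclude those writers, so using it here would leave
        // the lookup and the iteration racing with concurrent registrations.
        synchronized (BY_KEY_CLASS_DECODERS_MAP) {
            PrivateKeyEntryDecoder<?, ?> exact = BY_KEY_CLASS_DECODERS_MAP.get(cls);
            if (exact != null) {
                return exact;
            }
            for (PrivateKeyEntryDecoder<?, ?> candidate : BY_KEY_CLASS_DECODERS_MAP.values()) {
                Class<?> publicKeyType = candidate.getPublicKeyType();
                Class<?> privateKeyType = candidate.getPrivateKeyType();
                if (publicKeyType.isAssignableFrom(cls) || privateKeyType.isAssignableFrom(cls)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    // Built-in decoders: RSA and DSS always, ECDSA and EdDSA only when SecurityUtils reports support.
    static {
        registerPrivateKeyEntryDecoder(OpenSSHRSAPrivateKeyDecoder.INSTANCE);
        registerPrivateKeyEntryDecoder(OpenSSHDSSPrivateKeyEntryDecoder.INSTANCE);
        if (SecurityUtils.isECCSupported()) {
            registerPrivateKeyEntryDecoder(OpenSSHECDSAPrivateKeyEntryDecoder.INSTANCE);
        }
        if (SecurityUtils.isEDDSACurveSupported()) {
            registerPrivateKeyEntryDecoder(SecurityUtils.getOpenSSHEDDSAPrivateKeyEntryDecoder());
        }
    }
}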
