package org.jenkinsci.main.modules.instance_identity;

import hudson.ExtensionList;
import hudson.FilePath;
import hudson.Util;
import hudson.model.PageDecorator;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.NoSuchFileException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import jenkins.security.CryptoConfidentialKey;
import org.jenkinsci.main.modules.instance_identity.pem.PEMHelper;

/* loaded from: input_file:WEB-INF/lib/instance-identity.jar:org/jenkinsci/main/modules/instance_identity/InstanceIdentity.class */
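/**
 * The RSA key pair that identifies this Jenkins controller to other parties (for example
 * agents and clients that verify signatures made with {@link #getPrivate()}).
 *
 * <p>On disk the private key lives in {@code identity.key.enc} under the Jenkins root
 * directory, PEM-encoded and then encrypted with the {@link CryptoConfidentialKey} named
 * {@code "KEY"} for this class. An older, plaintext {@code identity.key} is migrated on
 * first load: it is re-written encrypted and the plaintext copy is deleted.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>If {@code identity.key.enc} cannot be read or decrypted (e.g. the confidential-store
 *       key it was encrypted with is gone), the identity is silently regenerated and the old
 *       file overwritten. Anything that pinned the old public key will stop trusting this
 *       instance — this is logged at SEVERE but not otherwise surfaced.</li>
 *   <li>The key file is chmod'ed to owner-only (0600) where the platform supports it; failure
 *       to do so is only a WARNING, so a missing chmod should be watched for in logs.</li>
 * </ul>
 *
 * <p>{@link #getCertificate()} is synchronized; the remaining accessors read final state only.
 */
public class InstanceIdentity {
    /** RSA modulus size, in bits, used when a fresh identity has to be generated. */
    private static final int KEY_SIZE_BITS = 2048;

    /** Owner read/write only (octal 0600, decimal 384): the file holds the encrypted private key. */
    private static final int PRIVATE_KEY_FILE_MODE = 0600;

    private static final Logger LOGGER = Logger.getLogger(InstanceIdentity.class.getName());

    /** The instance's RSA key pair; never null once construction succeeds. */
    private final KeyPair keys;

    /** Lazily generated, self-signed certificate for {@link #keys}; guarded by {@code this}. */
    private X509Certificate certificate;

    /** Confidential-store key used to encrypt the PEM private key at rest. */
    private final CryptoConfidentialKey KEY;

    /**
     * Loads (or creates) the identity stored under the Jenkins root directory, migrating a
     * legacy plaintext {@code identity.key} if one is present.
     *
     * @throws IOException if the key file cannot be read, written or the legacy file deleted
     */
    public InstanceIdentity() throws IOException {
        this(new File(Jenkins.get().getRootDir(), "identity.key.enc"), new File(Jenkins.get().getRootDir(), "identity.key"));
    }

    /**
     * Loads (or creates) the identity stored in the given encrypted key file; no legacy
     * plaintext migration is attempted.
     *
     * @param file the encrypted key file ({@code identity.key.enc})
     * @throws IOException if the key file cannot be read or written
     */
    public InstanceIdentity(File file) throws IOException {
        this(file, null);
    }

    /**
     * @param file  the encrypted key file; read if it exists, otherwise (re)created
     * @param file2 optional legacy plaintext key file; if it exists it is migrated into
     *              {@code file} and deleted
     * @throws IOException    on any I/O failure while reading, writing or deleting key files
     * @throws AssertionError if the JRE lacks an RSA {@link KeyPairGenerator}, or on any other
     *                        unexpected (non-I/O) failure — matching the previous behaviour
     */
    InstanceIdentity(File file, File file2) throws IOException {
        this.KEY = new CryptoConfidentialKey(InstanceIdentity.class, "KEY");
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            if (file2 != null && file2.exists()) {
                // Migration: a plaintext private key is on disk. Re-encrypt it first, and only
                // then remove the plaintext copy so a failed write never loses the identity.
                this.keys = readLegacyPlaintext(file2);
                write(this.keys, file);
                Util.deleteFile(file2);
                return;
            }
            KeyPair existing = readEncrypted(file);
            if (existing != null) {
                this.keys = existing;
                return;
            }
            // Nothing usable on disk: mint a new identity and persist it.
            keyPairGenerator.initialize(KEY_SIZE_BITS, new SecureRandom());
            this.keys = keyPairGenerator.generateKeyPair();
            write(this.keys, file);
        } catch (IOException e) {
            // Declared by this constructor; do not hide it behind AssertionError.
            throw e;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Reads and decrypts {@code identity.key.enc}.
     *
     * @param file the encrypted key file, may be null
     * @return the decoded key pair, or null if the file is absent, unreadable or does not
     *         decrypt — in which case the caller generates a new identity and overwrites it
     */
    private KeyPair readEncrypted(File file) {
        if (file == null) {
            return null;
        }
        try {
            byte[] ciphertext = Files.readAllBytes(file.toPath());
            byte[] pem = this.KEY.decrypt().doFinal(ciphertext);
            return PEMHelper.decodePEM(new String(pem, StandardCharsets.UTF_8));
        } catch (FileNotFoundException | NoSuchFileException e) {
            LOGGER.fine("identity.key.enc doesn't exist. New Identity.key.enc will be generated");
            return null;
        } catch (IOException | InvalidPathException e) {
            LOGGER.log(Level.SEVERE, "failed to access identity.key.enc. Identity.key.enc will be deleted and a new one will be generated", e);
            return null;
        } catch (GeneralSecurityException e) {
            // NOTE(review): this branch also fires when the confidential-store key changed,
            // not only on a corrupted file; the identity is rotated either way.
            LOGGER.log(Level.SEVERE, "identity.key.enc is corrupted. Identity.key.enc will be deleted and a new one will be generated", e);
            return null;
        }
    }

    /**
     * Reads a legacy, unencrypted PEM key file.
     *
     * @param file the plaintext key file; must exist
     * @return the decoded key pair
     * @throws IOException if the path is invalid or the file cannot be read
     */
    private static KeyPair readLegacyPlaintext(File file) throws IOException {
        try {
            return PEMHelper.decodePEM(Files.readString(file.toPath(), StandardCharsets.UTF_8));
        } catch (InvalidPathException e) {
            throw new IOException(e);
        }
    }

    /**
     * Encrypts the PEM-encoded key pair and writes it to {@code file}, truncating any
     * previous content, then restricts the file's permissions.
     *
     * @throws IOException on write failure, or wrapping a {@link GeneralSecurityException}
     *                     from the encryption step
     */
    private void write(KeyPair keyPair, File file) throws IOException {
        byte[] plaintext = PEMHelper.encodePEM(keyPair).getBytes(StandardCharsets.UTF_8);
        byte[] ciphertext;
        try {
            ciphertext = this.KEY.encrypt().doFinal(plaintext);
        } catch (GeneralSecurityException e) {
            throw new IOException(e);
        }
        // try-with-resources: the stream was previously leaked if doFinal/write threw.
        try (FileOutputStream out = new FileOutputStream(file)) {
            // Tighten permissions before any key material lands in the file, so the window in
            // which the file exists with default (umask) permissions contains no secret.
            makeReadOnly(file);
            out.write(ciphertext);
        }
    }

    /**
     * Best-effort chmod 0600 on the key file. Failure is logged at WARNING only; the key is
     * still written, so operators should treat this warning as a permissions problem to fix.
     */
    private static void makeReadOnly(File file) {
        try {
            new FilePath(file).chmod(PRIVATE_KEY_FILE_MODE);
        } catch (IOException e) {
            LOGGER.log(Level.WARNING, "Failed to make read only: " + String.valueOf(file), e);
        } catch (InterruptedException e) {
            // Preserve the interrupt for the caller instead of swallowing it.
            Thread.currentThread().interrupt();
            LOGGER.log(Level.WARNING, "Failed to make read only: " + String.valueOf(file), e);
        }
    }

    /** @return the RSA public key of this instance */
    public RSAPublicKey getPublic() {
        return (RSAPublicKey) this.keys.getPublic();
    }

    /**
     * @return the RSA private key of this instance — secret material; never log or serialize it
     */
    public RSAPrivateKey getPrivate() {
        return (RSAPrivateKey) this.keys.getPrivate();
    }

    /**
     * @return the public key's default encoding (X.509 SubjectPublicKeyInfo) as standard
     *         Base64 without line breaks; contains no secret material
     */
    public String getEncodedPublicKey() {
        return Base64.getEncoder().encodeToString(getPublic().getEncoded());
    }

    /**
     * Returns the singleton identity held by {@link PageDecoratorImpl}.
     *
     * @throws AssertionError if the extension is not registered
     */
    public static InstanceIdentity get() {
        PageDecoratorImpl pageDecoratorImpl = (PageDecoratorImpl) ExtensionList.lookup(PageDecorator.class).get(PageDecoratorImpl.class);
        if (pageDecoratorImpl == null) {
            throw new AssertionError("InstanceIdentity is missing its singleton");
        }
        return pageDecoratorImpl.identity;
    }

    /**
     * Returns a self-signed X.509 certificate for this identity's key pair, regenerating it
     * when absent, within one day of expiry, or not yet valid (clock moved backwards).
     * The certificate is valid from one day before to 366 days after generation.
     *
     * <p>The certificate is now built from {@code this.keys}; previously it used the
     * singleton's keys, so an identity constructed from an explicit file would have been
     * certified with a key pair that did not match its own {@link #getPublic()}.
     *
     * @return the certificate, or null if generation failed (logged at SEVERE)
     */
    public synchronized X509Certificate getCertificate() {
        long now = System.currentTimeMillis();
        boolean expiringSoon = this.certificate != null
                && now + TimeUnit.DAYS.toMillis(1L) > this.certificate.getNotAfter().getTime();
        boolean notYetValid = this.certificate != null
                && now < this.certificate.getNotBefore().getTime();
        if (this.certificate == null || expiringSoon || notYetValid) {
            try {
                this.certificate = SelfSignedCertificate.forKeyPair(this.keys)
                        .cn(Jenkins.get().getLegacyInstanceId())
                        .o("instances")
                        .ou("jenkins.io")
                        .c("US")
                        .validFrom(new Date(now - TimeUnit.DAYS.toMillis(1L)))
                        .validUntil(new Date(now + TimeUnit.DAYS.toMillis(366L)))
                        .sha256()
                        .generate();
            } catch (IOException e) {
                LOGGER.log(Level.SEVERE, "Failed to access generate a self-signed identity certificate", e);
                return null;
            }
        }
        return this.certificate;
    }
}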
