package com.cloudbees.plugins.credentials.impl;

import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.SecretBytes;
import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Items;
import hudson.util.FormValidation;
import hudson.util.Secret;
import io.jenkins.plugins.junit.checks.JUnitChecksPublisher;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import jenkins.model.Jenkins;
import net.jcip.annotations.GuardedBy;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/* loaded from: input_file:test-dependencies/credentials.hpi:WEB-INF/lib/credentials.jar:com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.class */
public class CertificateCredentialsImpl extends BaseStandardCredentials implements StandardCertificateCredentials {
    // Serialization version marker for this credentials type.
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(CertificateCredentialsImpl.class.getName());
    // Where the keystore bytes come from; the constructor rejects null.
    private final KeyStoreSource keyStoreSource;
    // Keystore password, held as a Jenkins Secret rather than as a plain String field.
    private final Secret password;

    // Cache of the parsed keystore, filled by getKeyStore(); transient, so it is not part of the
    // serialized form of the credential.
    @CheckForNull
    @GuardedBy("this")
    private transient KeyStore keyStore;

    // Source timestamp recorded when the cache above was last filled; getKeyStore() compares it
    // with the source's current timestamp to decide whether to reload.
    @GuardedBy("this")
    private transient long keyStoreLastModified;

    /**
     * Descriptor for {@link CertificateCredentialsImpl}, registered as an extension under the
     * {@code certificate} symbol.
     */
    @Extension(ordinal = -1.0d)
    @Symbol({"certificate"})
    public static class DescriptorImpl extends BaseStandardCredentials.BaseStandardCredentialsDescriptor {
        /** CSS icon class reported for this credentials type. */
        private static final String ICON_CLASS_NAME = "icon-application-certificate";

        /**
         * @return the localized display name of this credentials type
         */
        @Override
        @NonNull
        public String getDisplayName() {
            return Messages.CertificateCredentialsImpl_DisplayName();
        }

        /**
         * @return the icon class name used for this credentials type
         */
        @Override // com.cloudbees.plugins.credentials.CredentialsDescriptor
        public String getIconClassName() {
            return ICON_CLASS_NAME;
        }

        /**
         * Pure delegation to the superclass. The decompiler marked this method as a compiler
         * bridge, so it adds no logic of its own.
         */
        @Override // com.cloudbees.plugins.credentials.impl.BaseStandardCredentials.BaseStandardCredentialsDescriptor
        public /* bridge */ /* synthetic */ String getCheckIdUrl(CredentialsStore credentialsStore) throws UnsupportedEncodingException {
            return super.getCheckIdUrl(credentialsStore);
        }
    }

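    /**
     * Legacy keystore source that names a file on the Jenkins controller's file system.
     *
     * <p>The path is an arbitrary string, so whoever can create or deserialize an instance decides
     * which controller file is read as keystore bytes. {@link #readResolve()} therefore replaces
     * every deserialized instance with an {@link UploadedKeyStoreSource} holding a copy of the
     * bytes, and only does so for a caller that holds {@code Jenkins.RUN_SCRIPTS} (logged under
     * the SECURITY-1322 tag).
     *
     * @deprecated superseded by {@link UploadedKeyStoreSource}
     */
    @Deprecated
    public static class FileOnMasterKeyStoreSource extends KeyStoreSource {
        private static final Logger LOGGER = Logger.getLogger(FileOnMasterKeyStoreSource.class.getName());
        // Path of the keystore file on the controller; may be null if the caller supplied none.
        private final String keyStoreFile;

        /**
         * @param str path of the keystore file on the controller
         */
        public FileOnMasterKeyStoreSource(String str) {
            this.keyStoreFile = str;
        }

        /**
         * Reads the whole keystore file into memory.
         *
         * @return the file content, or an empty array when the path is missing, invalid or unreadable
         */
        @Override // com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.KeyStoreSource
        @NonNull
        public byte[] getKeyStoreBytes() {
            if (this.keyStoreFile == null) {
                // Paths.get(null) throws NullPointerException, which the catch below does not cover;
                // a missing path is reported the same way as an unreadable file.
                LOGGER.log(Level.WARNING, "Could not read private key file " + this.keyStoreFile);
                return new byte[0];
            }
            try {
                return Files.readAllBytes(Paths.get(this.keyStoreFile));
            } catch (IOException | InvalidPathException e) {
                LOGGER.log(Level.WARNING, "Could not read private key file " + this.keyStoreFile, e);
                return new byte[0];
            }
        }

        /**
         * @return the file's last-modified timestamp, or {@code 0L} when no path is set
         */
        @Override // com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.KeyStoreSource
        public long getKeyStoreLastModified() {
            // File.lastModified() already yields 0L for a file that does not exist, so 0L for a
            // missing path keeps the two "nothing there" cases identical for callers.
            return this.keyStoreFile == null ? 0L : new File(this.keyStoreFile).lastModified();
        }

        @Override
        public String toString() {
            return "FileOnMasterKeyStoreSource{keyStoreFile='" + this.keyStoreFile + "'}";
        }

        /**
         * Deserialization hook: migrates this file-based source to an in-credential copy.
         *
         * <p>The permission test runs before any file access, so a caller without
         * {@code RUN_SCRIPTS} cannot make the controller read the named file through this path.
         *
         * @return an {@link UploadedKeyStoreSource} holding the bytes read from the file
         */
        private Object readResolve() {
            final Jenkins jenkins = Jenkins.get();
            if (!jenkins.hasPermission(Jenkins.RUN_SCRIPTS)) {
                LOGGER.warning("SECURITY-1322: Permission failure migrating FileOnMasterKeyStoreSource to UploadedKeyStoreSource for a Certificate. An administrator may need to perform the migration.");
                // Raises the access-denied error for the current caller, which aborts the migration.
                jenkins.checkPermission(Jenkins.RUN_SCRIPTS);
            }
            LOGGER.log(Level.INFO, "SECURITY-1322: Migrating FileOnMasterKeyStoreSource to UploadedKeyStoreSource. The containing item may need to be saved to complete the migration.");
            return new UploadedKeyStoreSource(SecretBytes.fromBytes(getKeyStoreBytes()));
        }
    }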

    /* loaded from: input_file:test-dependencies/credentials.hpi:WEB-INF/lib/credentials.jar:com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl$KeyStoreSource.class */
    /**
     * Abstraction over where the keystore bytes of a certificate credential come from.
     */
    public static abstract class KeyStoreSource extends AbstractDescribableImpl<KeyStoreSource> {
        /**
         * @return the raw keystore bytes; implementations in this file return an empty array
         *         rather than null when nothing can be read
         */
        @NonNull
        public abstract byte[] getKeyStoreBytes();

        /**
         * @return a timestamp that the enclosing credential compares against its cached value to
         *         decide whether the keystore must be reloaded
         */
        public abstract long getKeyStoreLastModified();

        /**
         * @return {@code false} by default; {@code UploadedKeyStoreSource} overrides this to {@code true}
         */
        @Deprecated
        public boolean isSnapshotSource() {
            return false;
        }
    }

    /* loaded from: input_file:test-dependencies/credentials.hpi:WEB-INF/lib/credentials.jar:com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl$KeyStoreSourceDescriptor.class */
    /**
     * Base descriptor for {@link KeyStoreSource} implementations; provides the shared keystore
     * form validation.
     */
    public static abstract class KeyStoreSourceDescriptor extends Descriptor<KeyStoreSource> {
        protected KeyStoreSourceDescriptor() {
        }

        protected KeyStoreSourceDescriptor(Class<? extends KeyStoreSource> cls) {
            super(cls);
        }

        /**
         * Tries to open the supplied bytes as a keystore and to read every entry in it.
         *
         * <p>The password is copied into a {@code char[]} that is overwritten with spaces on every
         * exit path. That wipe covers only the array: the {@code String} handed in by the caller
         * and the plaintext obtained from the {@code Secret} are not affected by it.
         *
         * @param str keystore type passed to {@link KeyStore#getInstance(String)}
         * @param bArr keystore bytes; null or empty yields a "load failed" warning
         * @param str2 keystore password text; an empty password results in a null {@code char[]}
         * @return {@code ok} carrying the subject DN (or the alias list when the DN is empty),
         *         otherwise a warning describing what could not be loaded
         */
        @NonNull
        protected static FormValidation validateCertificateKeystore(String str, byte[] bArr, String str2) {
            if (bArr == null || bArr.length == 0) {
                return FormValidation.warning(Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
            }
            final char[] passwordChars = CertificateCredentialsImpl.toCharArray(Secret.fromString(str2));
            try {
                final KeyStore candidate = KeyStore.getInstance(str);
                candidate.load(new ByteArrayInputStream(bArr), passwordChars);
                if (candidate.size() == 0) {
                    return FormValidation.warning(Messages.CertificateCredentialsImpl_EmptyKeystore());
                }
                final StringBuilder aliasList = new StringBuilder();
                boolean needsSeparator = false;
                for (Enumeration<String> entries = candidate.aliases(); entries.hasMoreElements(); ) {
                    final String alias = entries.nextElement();
                    if (needsSeparator) {
                        // NOTE(review): JUnitChecksPublisher.SEPARATOR belongs to an unrelated plugin; this
                        // looks like a decompiler resolving an inlined string constant. Confirm the value
                        // and replace it with a local literal.
                        aliasList.append(JUnitChecksPublisher.SEPARATOR);
                    }
                    needsSeparator = true;
                    aliasList.append(alias);
                    if (candidate.isCertificateEntry(alias)) {
                        // Result is discarded: the call only checks that the certificate can be read.
                        candidate.getCertificate(alias);
                        continue;
                    }
                    if (!candidate.isKeyEntry(alias)) {
                        continue;
                    }
                    if (passwordChars == null) {
                        return FormValidation.warning(Messages.CertificateCredentialsImpl_LoadKeyFailedQueryEmptyPassword(alias));
                    }
                    try {
                        // Result is discarded: the call only checks that the password recovers the key.
                        candidate.getKey(alias, passwordChars);
                    } catch (UnrecoverableEntryException keyFailure) {
                        return FormValidation.warning(keyFailure, Messages.CertificateCredentialsImpl_LoadKeyFailed(alias));
                    }
                }
                return FormValidation.ok(StringUtils.defaultIfEmpty(StandardCertificateCredentials.NameProvider.getSubjectDN(candidate), aliasList.toString()));
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException loadFailure) {
                return FormValidation.warning(loadFailure, Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
            } finally {
                // Runs on every return and on any thrown error, after the result has been built.
                if (passwordChars != null) {
                    Arrays.fill(passwordChars, ' ');
                }
            }
        }
    }

    /* loaded from: input_file:test-dependencies/credentials.hpi:WEB-INF/lib/credentials.jar:com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl$UploadedKeyStoreSource.class */
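    /**
     * Keystore source whose bytes are stored inside the credential itself as {@link SecretBytes}.
     */
    public static class UploadedKeyStoreSource extends KeyStoreSource implements Serializable {
        private static final long serialVersionUID = 1;

        // Legacy Base64-in-Secret representation; in this class it is only read by readResolve().
        @CheckForNull
        @Deprecated
        private transient Secret uploadedKeystore;

        // Current representation of the uploaded keystore bytes.
        @CheckForNull
        private final SecretBytes uploadedKeystoreBytes;

        /**
         * Descriptor for {@link UploadedKeyStoreSource}, including the form check for uploads.
         */
        @Extension
        public static class DescriptorImpl extends KeyStoreSourceDescriptor {
            public static final String DEFAULT_VALUE = UploadedKeyStoreSource.class.getName() + ".default-value";

            /**
             * Decodes the Base64 text held in a {@link Secret}.
             *
             * @param secret Base64-encoded data, or null
             * @return the decoded bytes, or an empty array for a null secret
             * @throws IllegalArgumentException if the text is not valid Base64 (thrown by the decoder)
             */
            @NonNull
            public static byte[] toByteArray(@Nullable Secret secret) {
                if (secret == null) {
                    return new byte[0];
                }
                return Base64.getDecoder().decode(secret.getPlainText());
            }

            /**
             * Encodes bytes as Base64 text wrapped in a {@link Secret}.
             *
             * @param bArr bytes to encode, or null
             * @return the wrapped text, or null for null or empty input
             */
            @CheckForNull
            @Deprecated
            public static Secret toSecret(@Nullable byte[] bArr) {
                final boolean nothingToEncode = bArr == null || bArr.length == 0;
                return nothingToEncode ? null : Secret.fromString(Base64.getEncoder().encodeToString(bArr));
            }

            /**
             * @return the localized display name of this keystore source
             */
            @Override
            @NonNull
            public String getDisplayName() {
                return Messages.CertificateCredentialsImpl_UploadedKeyStoreSourceDisplayName();
            }

            /**
             * Form check for the keystore upload field.
             *
             * <p>A freshly uploaded file ({@code str2}, Base64 text) takes priority over the stored
             * value ({@code str}). All three parameters come straight from the request, so malformed
             * Base64 is answered with a validation error instead of an uncaught exception.
             *
             * <p>NOTE(review): the {@code @QueryParameter} annotations carry no explicit names, so
             * request binding relies on the parameter names; {@code str}/{@code str2}/{@code str3}
             * look decompiler-generated. Confirm them against the form field names before reuse.
             *
             * @param str stored keystore value as submitted by the form
             * @param str2 Base64 content of a newly uploaded file, if any
             * @param str3 keystore password
             * @return the validation result shown next to the field
             */
            @RequirePOST
            @Restricted({NoExternalUse.class})
            public FormValidation doCheckUploadedKeystore(@QueryParameter String str, @QueryParameter String str2, @QueryParameter String str3) {
                if (StringUtils.isNotEmpty(str2)) {
                    final byte[] uploadedBytes;
                    try {
                        uploadedBytes = Base64.getDecoder().decode(str2.getBytes(StandardCharsets.UTF_8));
                    } catch (IllegalArgumentException malformed) {
                        // Request-supplied text that is not Base64: report it like any other unloadable keystore.
                        return FormValidation.error(Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                    }
                    return validateCertificateKeystore("PKCS12", uploadedBytes, str3);
                }
                if (StringUtils.isBlank(str)) {
                    return FormValidation.error(Messages.CertificateCredentialsImpl_NoCertificateUploaded());
                }
                if (DEFAULT_VALUE.equals(str)) {
                    return FormValidation.ok();
                }
                final byte[] storedBytes = SecretBytes.fromString(str).getPlainData();
                if (storedBytes == null || storedBytes.length == 0) {
                    return FormValidation.error(Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                }
                return validateCertificateKeystore("PKCS12", storedBytes, str3);
            }

            /**
             * @param str id of the page element the upload belongs to
             * @return an {@link Upload} for that element with no keystore attached
             */
            @Restricted({NoExternalUse.class})
            public Upload getUpload(String str) {
                return new Upload(str, null);
            }
        }

        /**
         * Holder for the former separate upload endpoint; {@link #doUpload} now only answers with
         * a notice that the endpoint is no longer supported.
         */
        @Deprecated
        public static class Upload {

            @NonNull
            private final String divId;

            @CheckForNull
            private final SecretBytes uploadedKeystore;

            public Upload(@NonNull String str, @CheckForNull SecretBytes secretBytes) {
                this.divId = str;
                this.uploadedKeystore = secretBytes;
            }

            @NonNull
            public String getDivId() {
                return divId;
            }

            @CheckForNull
            public SecretBytes getUploadedKeystore() {
                return uploadedKeystore;
            }

            /**
             * @param staplerRequest the incoming request; not read
             * @return a fixed notice that this endpoint is obsolete
             */
            @NonNull
            public HttpResponse doUpload(@NonNull StaplerRequest staplerRequest) {
                return FormValidation.ok("This endpoint is no longer required/supported due to the inlining of the file input. If you came to this endpoint due to another plugin, you will have to update that plugin to be compatible with Credentials Plugin 2.4+. It will be deleted soon.");
            }
        }

        /**
         * @param str Base64 keystore text; blank means "no keystore"
         * @throws IllegalArgumentException if the text is not valid Base64
         */
        @Deprecated
        public UploadedKeyStoreSource(String str) {
            if (StringUtils.isBlank(str)) {
                this.uploadedKeystoreBytes = null;
            } else {
                this.uploadedKeystoreBytes = SecretBytes.fromBytes(DescriptorImpl.toByteArray(Secret.fromString(str)));
            }
        }

        /**
         * @param secretBytes keystore bytes, or null for none
         */
        @Deprecated
        public UploadedKeyStoreSource(@CheckForNull SecretBytes secretBytes) {
            this.uploadedKeystoreBytes = secretBytes;
        }

        /**
         * Form-binding constructor: a non-empty uploaded file replaces the previously stored bytes.
         *
         * <p>NOTE(review): data binding presumably matches constructor parameters by name, and these
         * names look decompiler-generated. Confirm against the form before reusing this source.
         *
         * @param fileItem uploaded file, or null when nothing was uploaded
         * @param secretBytes previously stored keystore bytes, kept when no file content arrives
         */
        @DataBoundConstructor
        public UploadedKeyStoreSource(FileItem fileItem, @CheckForNull SecretBytes secretBytes) {
            SecretBytes effective = secretBytes;
            if (fileItem != null) {
                final byte[] uploaded = fileItem.get();
                if (uploaded.length != 0) {
                    effective = SecretBytes.fromBytes(uploaded);
                }
            }
            this.uploadedKeystoreBytes = effective;
        }

        /**
         * Deserialization hook: converts the legacy {@code uploadedKeystore} value to
         * {@code uploadedKeystoreBytes} when only the legacy value is present.
         */
        private Object readResolve() throws ObjectStreamException {
            final boolean onlyLegacyValue = this.uploadedKeystore != null && this.uploadedKeystoreBytes == null;
            if (!onlyLegacyValue) {
                return this;
            }
            return new UploadedKeyStoreSource(SecretBytes.fromBytes(DescriptorImpl.toByteArray(this.uploadedKeystore)));
        }

        /**
         * @return the stored keystore bytes wrapper; null when none was set
         */
        public SecretBytes getUploadedKeystore() {
            return uploadedKeystoreBytes;
        }

        /**
         * @return the plain keystore bytes obtained from {@link SecretBytes#getPlainData(SecretBytes)}
         */
        @Override // com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.KeyStoreSource
        @NonNull
        public byte[] getKeyStoreBytes() {
            return SecretBytes.getPlainData(uploadedKeystoreBytes);
        }

        /**
         * @return always {@code 0L}; the stored bytes have no file timestamp
         */
        @Override // com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.KeyStoreSource
        public long getKeyStoreLastModified() {
            return 0L;
        }

        @Override // com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl.KeyStoreSource
        public boolean isSnapshotSource() {
            return true;
        }

        /**
         * Prints a fixed mask instead of the keystore content: the enclosing credential passes
         * its source as a log parameter when loading fails, so this text can reach the logs.
         */
        @Override
        public String toString() {
            return "UploadedKeyStoreSource{uploadedKeystoreBytes=******}";
        }
    }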

    /**
     * Creates a certificate credential.
     *
     * <p>NOTE(review): data binding presumably matches constructor parameters by name, and
     * {@code str}/{@code str2}/{@code str3} look decompiler-generated. Confirm against the form.
     *
     * @param credentialsScope scope forwarded to the superclass
     * @param str first string forwarded to the superclass constructor
     * @param str2 second string forwarded to the superclass constructor
     * @param str3 keystore password in plain text; wrapped in a {@link Secret} here
     * @param keyStoreSource source of the keystore bytes
     * @throws NullPointerException if {@code keyStoreSource} is null
     */
    @DataBoundConstructor
    public CertificateCredentialsImpl(@CheckForNull CredentialsScope credentialsScope, @CheckForNull String str, @CheckForNull String str2, @CheckForNull String str3, @NonNull KeyStoreSource keyStoreSource) {
        super(credentialsScope, str, str2);
        // Reject a missing source up front; nothing else is assigned before this check.
        this.keyStoreSource = Objects.requireNonNull(keyStoreSource);
        this.password = Secret.fromString(str3);
    }

    /**
     * Converts a secret's plaintext into the {@code char[]} form the {@link KeyStore} API takes.
     *
     * <p>The caller owns the returned array and decides whether to overwrite it after use.
     *
     * @param secret the password secret
     * @return the password characters, or null when {@code Util.fixEmpty} maps the plaintext to null
     */
    @CheckForNull
    private static char[] toCharArray(@NonNull Secret secret) {
        final String plain = Util.fixEmpty(secret.getPlainText());
        return plain == null ? null : plain.toCharArray();
    }

    /**
     * Returns the parsed PKCS12 keystore, loading it when nothing is cached yet or when the
     * source reports a newer timestamp than the one recorded at the last load.
     *
     * <p>A load failure is logged and not thrown: the {@link KeyStore} instance whose
     * {@code load} call failed is still cached and returned. With a source whose timestamp
     * never changes, the load is not retried on this object.
     *
     * <p>NOTE(review): unlike {@code validateCertificateKeystore}, the password {@code char[]}
     * created for {@code load} is not overwritten afterwards. Consider wiping it in a
     * {@code finally} once it is confirmed that the keystore provider does not keep the array.
     *
     * @return the cached or freshly created keystore
     * @throws IllegalStateException if no PKCS12 keystore implementation is available
     */
    @Override // com.cloudbees.plugins.credentials.common.CertificateCredentials
    @NonNull
    public synchronized KeyStore getKeyStore() {
        final long sourceStamp = this.keyStoreSource.getKeyStoreLastModified();
        final boolean cacheUsable = this.keyStore != null && this.keyStoreLastModified >= sourceStamp;
        if (cacheUsable) {
            return this.keyStore;
        }
        final KeyStore fresh;
        try {
            fresh = KeyStore.getInstance("PKCS12");
        } catch (KeyStoreException unsupported) {
            throw new IllegalStateException("PKCS12 is a keystore type per the JLS spec", unsupported);
        }
        try {
            fresh.load(new ByteArrayInputStream(this.keyStoreSource.getKeyStoreBytes()), toCharArray(this.password));
        } catch (IOException | NoSuchAlgorithmException | CertificateException loadFailure) {
            // The source is logged through its toString(); the credential id identifies the entry.
            final LogRecord record = new LogRecord(Level.WARNING, "Credentials ID {0}: Could not load keystore from {1}");
            record.setParameters(new Object[]{getId(), this.keyStoreSource});
            record.setThrown(loadFailure);
            LOGGER.log(record);
        }
        this.keyStore = fresh;
        this.keyStoreLastModified = sourceStamp;
        return this.keyStore;
    }

    /**
     * @return the keystore password as a {@link Secret}
     */
    @Override // com.cloudbees.plugins.credentials.common.PasswordCredentials
    @NonNull
    public Secret getPassword() {
        return password;
    }

    /**
     * @return {@code true} when the password's plaintext is null or has length zero
     */
    public boolean isPasswordEmpty() {
        final String plain = this.password.getPlainText();
        return plain == null || plain.length() == 0;
    }

    /**
     * @return the source the keystore bytes are read from
     */
    public KeyStoreSource getKeyStoreSource() {
        return keyStoreSource;
    }

    static {
        // Registers keyStoreSource as a "critical field" with Jenkins' item XStream instance.
        // NOTE(review): presumably this makes a failure to unmarshal that field fail the whole
        // credential instead of leaving it without a source — confirm against XStream2.
        Items.XSTREAM2.addCriticalField(CertificateCredentialsImpl.class, "keyStoreSource");
    }
}
