package edu.internet2.middleware.shibboleth.common;

import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.util.ASN1Dump;
import org.bouncycastle.util.encoders.Base64;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* JADX INFO: Access modifiers changed from: package-private */
/* compiled from: Credentials.java */
/* loaded from: input_file:edu/internet2/middleware/shibboleth/common/FileCredentialResolver.class */
public class FileCredentialResolver implements CredentialResolver {
    private static Logger log;
    static Class class$0;

    /* compiled from: Credentials.java */
    /* loaded from: input_file:edu/internet2/middleware/shibboleth/common/FileCredentialResolver$ByteContainer.class */
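    /**
     * Minimal growable byte buffer used to slurp a DER key from a stream one byte at a time.
     *
     * <p>Not thread-safe. This is decompiler output: the {@code this$0} field and the leading
     * {@code FileCredentialResolver} constructor parameter are the compiler's inner-class
     * plumbing and are kept so the existing call in {@code DERKey} still compiles.
     */
    private class ByteContainer {
        private byte[] buffer;
        /** Bytes added to the capacity on each growth; always at least 1. */
        private final int cushion;
        private int currentSize = 0;
        final FileCredentialResolver this$0;

        /**
         * @param fileCredentialResolver enclosing resolver (inner-class plumbing, otherwise unused)
         * @param i  initial capacity in bytes
         * @param i2 growth step in bytes; values below 1 are raised to 1, because a zero step
         *           would make {@link #grow()} a no-op and the next {@link #append(byte)} would
         *           overrun the buffer
         */
        ByteContainer(FileCredentialResolver fileCredentialResolver, int i, int i2) {
            this.this$0 = fileCredentialResolver;
            this.buffer = new byte[i];
            this.cushion = Math.max(i2, 1);
        }

        /** Enlarges the backing array by {@code cushion} bytes, keeping everything stored so far. */
        private void grow() {
            this.buffer = Arrays.copyOf(this.buffer, this.buffer.length + this.cushion);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return a fresh copy of the bytes appended so far; the backing array is never exposed */
        public byte[] toByteArray() {
            return Arrays.copyOf(this.buffer, this.currentSize);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Appends one byte, growing the buffer first when it is full. */
        public void append(byte b) {
            if (this.currentSize >= this.buffer.length) {
                grow();
            }
            this.buffer[this.currentSize] = b;
            this.currentSize++;
        }
    }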

    /* JADX INFO: Access modifiers changed from: private */
    /* compiled from: Credentials.java */
    /* loaded from: input_file:edu/internet2/middleware/shibboleth/common/FileCredentialResolver$DERKey.class */
    /**
     * Private key material supplied as DER bytes: raw PKCS#1 RSA, raw DSA, or PKCS#8 (plain or
     * password-encrypted).
     *
     * <p>Construction parses the bytes once to classify them (see {@link #parseDerKey()}); the
     * classification lives in the inherited {@code format}/{@code encrypted} fields and
     * {@link #getPrivateKey()} dispatches on it. This is decompiler output: the {@code this$0}
     * field and the leading {@code FileCredentialResolver} constructor parameter are the
     * compiler's inner-class plumbing, and several statements below assign a {@code DERObject}
     * or {@code DEREncodable} to a more specific variable without the cast the original source
     * must have carried.
     *
     * <p>Security note: at DEBUG level this class logs a full ASN.1 dump of the parsed key, i.e.
     * the private key components themselves for an unencrypted key. Treat DEBUG logs of this
     * class as secret material.
     */
    public class DERKey extends EncodedKey {
        /**
         * Top-level ASN.1 SEQUENCE of the key currently held in keyBytes. Set by parseDerKey()
         * and re-read in getEncryptedPkcs8Key() once a PKCS#8 wrapper has been decrypted.
         */
        DERSequence rootDerTag;
        final FileCredentialResolver this$0;

        /**
         * Reads the whole stream into memory and parses it as a DER key.
         *
         * @param fileCredentialResolver enclosing resolver (inner-class plumbing)
         * @param inputStream source of DER bytes; read to EOF but not closed here
         * @param str password used later if the key turns out to be encrypted PKCS#8 (may be
         *            null for unencrypted keys)
         * @throws IOException if the stream cannot be read
         * @throws CredentialFactoryException if the bytes are not a recognisable DER private key
         */
        public DERKey(FileCredentialResolver fileCredentialResolver, InputStream inputStream, String str) throws IOException, CredentialFactoryException {
            super(fileCredentialResolver);
            this.this$0 = fileCredentialResolver;
            setEncryptionPassword(str);
            // 600-byte initial buffer growing in 50-byte steps. No upper bound is enforced, so the
            // caller is trusted to point this at a key file rather than an arbitrary stream.
            ByteContainer byteContainer = new ByteContainer(fileCredentialResolver, 600, 50);
            int read = inputStream.read();
            while (true) {
                int i = read;
                if (i == -1) {
                    // EOF: freeze the buffer and classify the key.
                    setKeyBytes(byteContainer.toByteArray());
                    parseDerKey();
                    return;
                } else {
                    byteContainer.append((byte) i);
                    read = inputStream.read();
                }
            }
        }

        /**
         * Wraps already-read DER bytes and parses them.
         *
         * @param fileCredentialResolver enclosing resolver (inner-class plumbing)
         * @param bArr DER bytes; stored by reference, not copied
         * @param str password for an encrypted PKCS#8 key, otherwise may be null
         * @throws IOException if the ASN.1 structure cannot be read
         * @throws CredentialFactoryException if the bytes are not a recognisable DER private key
         */
        public DERKey(FileCredentialResolver fileCredentialResolver, byte[] bArr, String str) throws IOException, CredentialFactoryException {
            super(fileCredentialResolver);
            this.this$0 = fileCredentialResolver;
            setEncryptionPassword(str);
            setKeyBytes(bArr);
            parseDerKey();
        }

        /**
         * Builds the JCE {@link PrivateKey} for the format detected by {@link #parseDerKey()}.
         * The case labels are the {@code EncodedKey} format constants (PKCS8 = 0, RSA = 1, DSA = 2).
         *
         * @throws CredentialFactoryException if the format is unknown or the key cannot be
         *         decrypted/decoded
         */
        @Override // edu.internet2.middleware.shibboleth.common.FileCredentialResolver.EncodedKey
        public PrivateKey getPrivateKey() throws CredentialFactoryException {
            switch (getFormat()) {
                case 0: // EncodedKey.PKCS8
                    return !isEncrypted() ? getPkcs8Key() : getEncryptedPkcs8Key();
                case 1: // EncodedKey.RSA (raw PKCS#1)
                    return getRSARawDerKey();
                case 2: // EncodedKey.DSA (raw)
                    return getDSARawDerKey();
                default:
                    throw new CredentialFactoryException("Unable to determine format of DER encoded private key");
            }
        }

        /**
         * Parses the first ASN.1 object from the current key bytes.
         *
         * <p>Note that the {@code bArr} parameter is ignored; the method always reads
         * {@link #getKeyBytes()}. The streams are closed only on the success path, which is
         * harmless here because the source is an in-memory array.
         *
         * @param bArr unused
         * @return the root ASN.1 object (not checked here to be a SEQUENCE)
         * @throws IOException if the bytes are not valid ASN.1
         */
        private DERObject getRootDerTag(byte[] bArr) throws IOException {
            BufferedInputStream bufferedInputStream = new BufferedInputStream(new ByteArrayInputStream(getKeyBytes()));
            ASN1InputStream aSN1InputStream = new ASN1InputStream(bufferedInputStream);
            DERObject readObject = aSN1InputStream.readObject();
            bufferedInputStream.close();
            aSN1InputStream.close();
            return readObject;
        }

        /**
         * Classifies the key bytes by the shape of their top-level SEQUENCE and records the result
         * via {@code setFormat}/{@code setEncrypted}:
         * <ul>
         *   <li>first child SEQUENCE whose first element is an OID, second child OCTET STRING:
         *       encrypted PKCS#8;</li>
         *   <li>first child INTEGER and exactly 3 children (INTEGER, SEQUENCE, OCTET STRING):
         *       plain PKCS#8;</li>
         *   <li>first child INTEGER and 6 all-INTEGER children: raw DSA;</li>
         *   <li>first child INTEGER and 9 all-INTEGER children: raw RSA (PKCS#1).</li>
         * </ul>
         * Anything else leaves the format at -1 and is rejected at the end.
         *
         * @throws IOException if the bytes are not valid ASN.1
         * @throws CredentialFactoryException if no structure matched
         */
        private void parseDerKey() throws IOException, CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug(new StringBuffer("Starting to parse ").append(getKeyBytes().length).append(" byte DER formatted key.").toString());
            }
            // Decompiler artefact: getRootDerTag() returns DERObject; the original must have
            // declared this local as DERObject, since the instanceof test below would otherwise be
            // pointless.
            DERSequence rootDerTag = getRootDerTag(getKeyBytes());
            if (FileCredentialResolver.log.isDebugEnabled()) {
                // This dump contains the key's INTEGER components, i.e. the private key itself
                // when the key is not encrypted.
                FileCredentialResolver.log.debug(new StringBuffer("Parsed ASN.1 object which has the following structure:\n").append(ASN1Dump.dumpAsString(rootDerTag)).toString());
            }
            if (!(rootDerTag instanceof DERSequence)) {
                FileCredentialResolver.log.error("Private key is not in valid DER format, it does not start with a DER sequence");
                throw new CredentialFactoryException("Private key is not in valid DER format");
            }
            DERSequence dERSequence = rootDerTag;
            // The check requires at least 2 children; the log message's "more than 2" overstates it.
            if (dERSequence.size() < 2) {
                FileCredentialResolver.log.error("Private key is not in valid DER format; does not contain more than 2 ASN.1 tags");
                throw new CredentialFactoryException("Private key is not in valid DER format");
            }
            // Decompiler artefact: getDERObject() returns DERObject, not DERSequence.
            DERSequence dERObject = dERSequence.getObjectAt(0).getDERObject();
            if (dERObject instanceof DERSequence) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("First ASN.1 tag is a sequence, checking to see if this is an encrypted PKCS8 key");
                }
                // Encrypted PKCS#8 is SEQUENCE { AlgorithmIdentifier SEQUENCE { OID ... }, OCTET STRING }.
                DERObject dERObject2 = dERObject.getObjectAt(0).getDERObject();
                if ((dERSequence.getObjectAt(1).getDERObject() instanceof DEROctetString) && (dERObject2 instanceof DERObjectIdentifier)) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("DER encoded key determined to be encrypted PKCS8");
                    }
                    this.rootDerTag = dERSequence;
                    setFormat(0);
                    setEncrypted(true);
                }
            } else if (dERObject instanceof DERInteger) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("First child ASN.1 tag is a Integer, checking to see if this is an PKCS8, RSA, or DSA key");
                }
                if (dERSequence.size() == 3) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("First ASN.1 sequence tag has 3 children, checking to see if this is an PKCS8 key");
                    }
                    // Plain PKCS#8 is SEQUENCE { version INTEGER, AlgorithmIdentifier SEQUENCE, OCTET STRING }.
                    if ((dERSequence.getObjectAt(0).getDERObject() instanceof DERInteger) && (dERSequence.getObjectAt(1).getDERObject() instanceof DERSequence) && (dERSequence.getObjectAt(2).getDERObject() instanceof DEROctetString)) {
                        if (FileCredentialResolver.log.isDebugEnabled()) {
                            FileCredentialResolver.log.debug("DER encoded key determined to be PKCS8");
                        }
                        this.rootDerTag = dERSequence;
                        setFormat(0);
                        setEncrypted(false);
                    }
                } else {
                    // Raw RSA/DSA keys are flat sequences of INTEGERs; z records whether every
                    // child is one.
                    Enumeration objects = dERSequence.getObjects();
                    boolean z = true;
                    while (objects.hasMoreElements()) {
                        if (!(((DEREncodable) objects.nextElement()).getDERObject() instanceof DERInteger)) {
                            z = false;
                        }
                    }
                    if (dERSequence.size() == 6) {
                        if (FileCredentialResolver.log.isDebugEnabled()) {
                            FileCredentialResolver.log.debug("First ASN.1 sequence tag has 6 children, checking to see if this is an DSA key");
                        }
                        if (z) {
                            if (FileCredentialResolver.log.isDebugEnabled()) {
                                FileCredentialResolver.log.debug("DER encoded key determined to be raw DSA");
                            }
                            this.rootDerTag = dERSequence;
                            setFormat(2);
                            setEncrypted(false);
                        }
                    } else if (dERSequence.size() == 9) {
                        if (FileCredentialResolver.log.isDebugEnabled()) {
                            // The message says DSA; this branch actually detects RSA.
                            FileCredentialResolver.log.debug("First ASN.1 sequence tag has 9 children, checking to see if this is an DSA key");
                        }
                        if (z) {
                            if (FileCredentialResolver.log.isDebugEnabled()) {
                                FileCredentialResolver.log.debug("DER encoded key determined to be raw RSA");
                            }
                            this.rootDerTag = dERSequence;
                            setFormat(1);
                            setEncrypted(false);
                        }
                    }
                }
            }
            // None of the shapes matched: format is still the EncodedKey default of -1.
            if (getFormat() == -1) {
                FileCredentialResolver.log.error("Private key is not in valid DER format");
                throw new CredentialFactoryException("Private key is not in valid DER format");
            }
        }

        /**
         * Decrypts an encrypted PKCS#8 (PKCS#5 PBE) wrapper using the configured password, then
         * continues as for a plain PKCS#8 key.
         *
         * <p>Security notes:
         * <ul>
         *   <li>The SunJCE provider is mutated globally: aliases are registered so that the
         *       PKCS#5 v1.5 OID {@code 1.2.840.113549.1.5.3} resolves to {@code PBEWithMD5AndDES}.
         *       That scheme (MD5-derived 56-bit DES key) is legacy and offers weak protection of
         *       the key at rest; the aliases also affect every other user of the provider in the
         *       JVM.</li>
         *   <li>The PBE algorithm is taken from the file ({@code getAlgName()}), so whatever the
         *       installed JCE supports is accepted.</li>
         *   <li>The password is a {@link String}; {@code toCharArray()} produces a copy that is not
         *       zeroed afterwards.</li>
         * </ul>
         *
         * @return the decoded private key
         * @throws CredentialFactoryException on bad encoding, wrong password (surfaced by the JCE
         *         as {@link InvalidKeySpecException}), or an unsupported algorithm
         */
        private PrivateKey getEncryptedPkcs8Key() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Beginning to decrypt encrypted PKCS8 key");
            }
            try {
                Provider provider = Security.getProvider("SunJCE");
                if (provider != null) {
                    provider.setProperty("Alg.Alias.AlgorithmParameters.1.2.840.113549.1.5.3", "PBE");
                    provider.setProperty("Alg.Alias.SecretKeyFactory.1.2.840.113549.1.5.3", "PBEWithMD5AndDES");
                    provider.setProperty("Alg.Alias.Cipher.1.2.840.113549.1.5.3", "PBEWithMD5AndDES");
                }
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Inspecting key properties");
                }
                EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(getKeyBytes());
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug(new StringBuffer("Key encryption Algorithim: ").append(encryptedPrivateKeyInfo.getAlgName()).toString());
                    FileCredentialResolver.log.debug(new StringBuffer("Key encryption parameters: ").append(encryptedPrivateKeyInfo.getAlgParameters()).toString());
                }
                // getAlgParameters() is null when no installed provider understands the algorithm OID.
                AlgorithmParameters algParameters = encryptedPrivateKeyInfo.getAlgParameters();
                if (algParameters == null) {
                    FileCredentialResolver.log.error(new StringBuffer("Unable to decrypt private key.  Installed JCE implementations don't support the (").append(encryptedPrivateKeyInfo.getAlgName()).append(") algorithm.").toString());
                    throw new CredentialFactoryException(new StringBuffer("Unable to load private key; ").append(encryptedPrivateKeyInfo.getAlgName()).append(" is not a supported by this JCE").toString());
                }
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Key encryption properties determined, decrypting key");
                }
                SecretKey generateSecret = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName()).generateSecret(new PBEKeySpec(getEncryptionPassword().toCharArray()));
                Cipher cipher = Cipher.getInstance(encryptedPrivateKeyInfo.getAlgName());
                // 2 == Cipher.DECRYPT_MODE
                cipher.init(2, generateSecret, algParameters);
                PKCS8EncodedKeySpec keySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Key decrypted, key format now non-encrypted PKCS8");
                }
                // Replace the wrapper with the plaintext PKCS#8 bytes and re-parse the root.
                // Decompiler artefact: getRootDerTag() returns DERObject; unlike parseDerKey(),
                // no instanceof check is made here before treating it as a SEQUENCE.
                setEncrypted(false);
                setKeyBytes(keySpec.getEncoded());
                this.rootDerTag = getRootDerTag(getKeyBytes());
                return getPkcs8Key();
            } catch (IOException e) {
                FileCredentialResolver.log.error(new StringBuffer("Invalid DER encoding for PKCS8 formatted encrypted key: ").append(e).toString());
                throw new CredentialFactoryException("Unable to load private key; invalid key format.");
            } catch (InvalidKeySpecException e2) {
                FileCredentialResolver.log.error("Incorrect password to unlock private key.", e2);
                throw new CredentialFactoryException("Unable to load private key; incorrect key decryption password");
            } catch (GeneralSecurityException e3) {
                FileCredentialResolver.log.error(new StringBuffer("JCE does not support algorithim to decrypt key: ").append(e3).toString());
                throw new CredentialFactoryException("Unable to load private key; JCE does not support algorithim to decrypt key");
            }
        }

        /**
         * Reads the algorithm OID from a plain PKCS#8 PrivateKeyInfo (child 1 is the
         * AlgorithmIdentifier SEQUENCE, whose child 0 is the OID) and dispatches to the RSA or
         * DSA key factory.
         *
         * @return the decoded private key
         * @throws CredentialFactoryException if the OID is neither RSA nor DSA or decoding fails
         */
        private PrivateKey getPkcs8Key() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Reading unecrypted PKCS8 key to determine if key is RSA or DSA");
            }
            // Decompiler artefact: this chain needs casts to DERSequence / DERObjectIdentifier.
            String id = this.rootDerTag.getObjectAt(1).getDERObject().getObjectAt(0).getDERObject().getId();
            if (id.equals(EncodedKey.RSAKey_OID)) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Found RSA key in PKCS8.");
                }
                return getRSAPkcs8DerKey();
            }
            if (!id.equals(EncodedKey.DSAKey_OID)) {
                FileCredentialResolver.log.error("Unexpected key type.  Only RSA and DSA keys are supported in PKCS8 format.");
                throw new CredentialFactoryException("Unable to load private key; unexpected key type in PKCS8");
            }
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Found DSA key in PKCS8.");
            }
            return getDSAPkcs8DerKey();
        }

        /**
         * Decodes the (plaintext) PKCS#8 bytes as an RSA key.
         *
         * @return the RSA private key
         * @throws CredentialFactoryException on any failure; the broad catch also covers runtime
         *         exceptions from the key factory
         */
        private PrivateKey getRSAPkcs8DerKey() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Constructing PrivateKey from PKCS8 encoded RSA key data");
            }
            try {
                return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(getKeyBytes()));
            } catch (Exception e) {
                FileCredentialResolver.log.error(new StringBuffer("Unable to load private key: ").append(e).toString());
                throw new CredentialFactoryException("Unable to load private key.");
            }
        }

        /**
         * Decodes the (plaintext) PKCS#8 bytes as a DSA key.
         *
         * @return the DSA private key
         * @throws CredentialFactoryException on any failure; the broad catch also covers runtime
         *         exceptions from the key factory
         */
        private PrivateKey getDSAPkcs8DerKey() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Constructing PrivateKey from PKCS8 encoded DSA key data");
            }
            try {
                return KeyFactory.getInstance("DSA").generatePrivate(new PKCS8EncodedKeySpec(getKeyBytes()));
            } catch (Exception e) {
                FileCredentialResolver.log.error(new StringBuffer("Unable to load private key: ").append(e).toString());
                throw new CredentialFactoryException("Unable to load private key.");
            }
        }

        /**
         * Builds an RSA key from a raw PKCS#1 RSAPrivateKey SEQUENCE. Child 0 is the version;
         * children 1..8 are passed in the {@link RSAPrivateCrtKeySpec} constructor order
         * (modulus, public exponent, private exponent, p, q, dP, dQ, qInv).
         *
         * @return the RSA private key
         * @throws CredentialFactoryException if the JCE rejects the components
         */
        private PrivateKey getRSARawDerKey() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Constructing PrivateKey from raw RSA key data");
            }
            try {
                // Decompiler artefact: getObjectAt() returns DEREncodable; getValue() needs a
                // DERInteger cast.
                return KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateCrtKeySpec(this.rootDerTag.getObjectAt(1).getValue(), this.rootDerTag.getObjectAt(2).getValue(), this.rootDerTag.getObjectAt(3).getValue(), this.rootDerTag.getObjectAt(4).getValue(), this.rootDerTag.getObjectAt(5).getValue(), this.rootDerTag.getObjectAt(6).getValue(), this.rootDerTag.getObjectAt(7).getValue(), this.rootDerTag.getObjectAt(8).getValue()));
            } catch (GeneralSecurityException e) {
                FileCredentialResolver.log.error(new StringBuffer("Unable to marshall private key: ").append(e).toString());
                throw new CredentialFactoryException("Unable to load private key.");
            }
        }

        /**
         * Builds a DSA key from a raw DSA SEQUENCE laid out as (version, p, q, g, y, x); the
         * {@link DSAPrivateKeySpec} constructor takes (x, p, q, g), hence children 5, 1, 2, 3.
         *
         * @return the DSA private key
         * @throws CredentialFactoryException if the JCE rejects the components
         */
        private PrivateKey getDSARawDerKey() throws CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Constructing PrivateKey from raw DSA key data");
            }
            try {
                // Decompiler artefact: getValue() needs a DERInteger cast.
                return KeyFactory.getInstance("DSA").generatePrivate(new DSAPrivateKeySpec(this.rootDerTag.getObjectAt(5).getValue(), this.rootDerTag.getObjectAt(1).getValue(), this.rootDerTag.getObjectAt(2).getValue(), this.rootDerTag.getObjectAt(3).getValue()));
            } catch (GeneralSecurityException e) {
                FileCredentialResolver.log.error(new StringBuffer("Unable to marshall private key: ").append(e).toString());
                throw new CredentialFactoryException("Unable to load private key.");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* compiled from: Credentials.java */
    /* loaded from: input_file:edu/internet2/middleware/shibboleth/common/FileCredentialResolver$EncodedKey.class */
    /**
     * Mutable holder for a private key in transit: the raw bytes, how they are structured and
     * wrapped, and the material needed to unwrap them. The concrete subclasses fill these fields
     * while parsing and implement {@link #getPrivateKey()}.
     *
     * <p>Security notes: the decryption password is held as a {@link String} and so cannot be
     * zeroed after use; {@link #getKeyBytes()} hands out the internal array by reference.
     * This is decompiler output: {@code this$0} and the constructor's resolver parameter are the
     * compiler's inner-class plumbing.
     */
    public abstract class EncodedKey {
        /** Source encodings (informational; not consulted in this file). */
        public static final int DER_ENCODING = 0;
        public static final int PEM_ENCODING = 1;
        /** Algorithm OIDs found in the PKCS#8 AlgorithmIdentifier. */
        public static final String DSAKey_OID = "1.2.840.10040.4.1";
        public static final String RSAKey_OID = "1.2.840.113549.1.1.1";
        /** Structural formats of the key bytes; {@code format} is -1 until a parser has classified them. */
        public static final int PKCS8 = 0;
        public static final int RSA = 1;
        public static final int DSA = 2;
        /** Symmetric ciphers recognised in a PEM {@code DEK-Info} header; {@code encAlgo} is -1 otherwise. */
        public static final int DES_CBC = 0;
        public static final int DES_EDE3_CBC = 1;

        final FileCredentialResolver this$0;

        private int format = -1;
        private int encAlgo = -1;
        private boolean encrypted;
        private String initVector = "";
        private String keyPassword;
        private byte[] keyBytes;

        EncodedKey(FileCredentialResolver fileCredentialResolver) {
            this$0 = fileCredentialResolver;
        }

        /** @return one of {@link #PKCS8}, {@link #RSA}, {@link #DSA}, or -1 if not yet classified */
        public int getFormat() {
            return format;
        }

        public void setFormat(int newFormat) {
            format = newFormat;
        }

        /** @return whether the key bytes still need decrypting before they can be decoded */
        public boolean isEncrypted() {
            return encrypted;
        }

        public void setEncrypted(boolean flag) {
            encrypted = flag;
        }

        /** @return the password supplied for decryption; may be null */
        public String getEncryptionPassword() {
            return keyPassword;
        }

        public void setEncryptionPassword(String password) {
            keyPassword = password;
        }

        /** @return {@link #DES_CBC}, {@link #DES_EDE3_CBC}, or -1 if unknown/not applicable */
        public int getEncryptionAlgorithim() {
            return encAlgo;
        }

        public void setEncryptionAlgorithim(int algorithm) {
            encAlgo = algorithm;
        }

        /** @return the hex-encoded IV from a PEM {@code DEK-Info} header; empty string by default */
        public String getInitializationVector() {
            return initVector;
        }

        public void setInitializationVector(String hexIv) {
            initVector = hexIv;
        }

        /** @return the current key bytes (the internal array itself, not a copy) */
        public byte[] getKeyBytes() {
            return keyBytes;
        }

        public void setKeyBytes(byte[] bytes) {
            keyBytes = bytes;
        }

        /**
         * Materialises the key as a JCE object, decrypting first if needed.
         *
         * @throws CredentialFactoryException if the bytes cannot be decrypted or decoded
         */
        public abstract PrivateKey getPrivateKey() throws CredentialFactoryException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* compiled from: Credentials.java */
    /* loaded from: input_file:edu/internet2/middleware/shibboleth/common/FileCredentialResolver$PEMKey.class */
    /**
     * Private key supplied as PEM text. The header line selects the format, an optional
     * OpenSSL-style {@code Proc-Type}/{@code DEK-Info} pair describes legacy encryption of raw
     * RSA/DSA keys, the body is Base64-decoded (and decrypted if needed) and the result is handed
     * to {@link DERKey}, which does the actual decoding.
     *
     * <p>Security notes: at DEBUG level {@link #parsePEMKey(BufferedReader)} logs the Base64 body
     * of the key, which for an unencrypted key is the private key itself. Legacy PEM encryption
     * (MD5-derived DES / 3DES key, single iteration) gives weak protection at rest; PKCS#8 with
     * a modern PBES2 scheme is preferable where the deployment can choose.
     *
     * <p>This is decompiler output: {@code this$0} and the constructor's resolver parameter are
     * the compiler's inner-class plumbing.
     */
    public class PEMKey extends EncodedKey {
        /** Delegate built from the decoded DER bytes; all key construction happens there. */
        private DERKey derKey;
        final FileCredentialResolver this$0;

        /**
         * @param fileCredentialResolver enclosing resolver (inner-class plumbing)
         * @param str PEM text
         * @param str2 password for an encrypted key; may be null otherwise
         * @throws IOException if the text cannot be read
         * @throws CredentialFactoryException if the key cannot be decoded or decrypted
         */
        public PEMKey(FileCredentialResolver fileCredentialResolver, String str, String str2) throws IOException, CredentialFactoryException {
            super(fileCredentialResolver);
            this.this$0 = fileCredentialResolver;
            setEncryptionPassword(str2);
            parsePEMKey(new BufferedReader(new StringReader(str)));
        }

        /**
         * @param fileCredentialResolver enclosing resolver (inner-class plumbing)
         * @param inputStream PEM text; decoded with the platform default charset (no charset is
         *                    given to the reader), which is fine for the ASCII PEM grammar
         * @param str password for an encrypted key; may be null otherwise
         * @throws IOException if the stream cannot be read
         * @throws CredentialFactoryException if the key cannot be decoded or decrypted
         */
        public PEMKey(FileCredentialResolver fileCredentialResolver, InputStream inputStream, String str) throws IOException, CredentialFactoryException {
            super(fileCredentialResolver);
            this.this$0 = fileCredentialResolver;
            setEncryptionPassword(str);
            parsePEMKey(new BufferedReader(new InputStreamReader(inputStream)));
        }

        /** Delegates to the DER key built during parsing. */
        @Override // edu.internet2.middleware.shibboleth.common.FileCredentialResolver.EncodedKey
        public PrivateKey getPrivateKey() throws CredentialFactoryException {
            return this.derKey.getPrivateKey();
        }

        /**
         * Reads the PEM envelope line by line.
         *
         * <p>Robustness notes, all visible in the body below:
         * <ul>
         *   <li>the first {@code readLine()} is matched without a null check, so empty input ends
         *       in a NullPointerException rather than a CredentialFactoryException;</li>
         *   <li>a malformed {@code DEK-Info} line is logged as an error but processing continues,
         *       so the subsequent {@code split[1]} / {@code split2[0]} accesses can throw
         *       ArrayIndexOutOfBoundsException;</li>
         *   <li>the body-collecting loop has no exit statement in this decompiled form: once the
         *       END line or EOF is reached it spins forever. The original presumably had
         *       {@code else break;} there;</li>
         *   <li>the reader is closed only on the success path.</li>
         * </ul>
         *
         * @param bufferedReader PEM text, positioned at the header line
         * @throws IOException if the text cannot be read
         * @throws CredentialFactoryException if decryption or DER parsing fails
         */
        private void parsePEMKey(BufferedReader bufferedReader) throws IOException, CredentialFactoryException {
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Parsing PEM enocded private key");
            }
            String readLine = bufferedReader.readLine();
            // Header line selects the format. Unrecognised headers leave format at -1 and fall
            // through to the Base64/DER stage, where DERKey does its own classification.
            if (readLine.matches("^.*-----BEGIN PRIVATE KEY-----.*$")) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Key appears to be in PKCS8 format.");
                }
                setFormat(0);
                setEncrypted(false);
            } else if (readLine.matches("^.*-----BEGIN ENCRYPTED PRIVATE KEY-----.*$")) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Key appears to be in encrypted PKCS8 format.");
                }
                setFormat(0);
                setEncrypted(true);
            } else if (readLine.matches("^.*-----BEGIN RSA PRIVATE KEY-----.*$")) {
                setFormat(1);
                // Peek at the next line for an OpenSSL Proc-Type marker; reset() puts it back when
                // it is body data. The 100-char read-ahead limit must cover that line for reset()
                // to be valid.
                bufferedReader.mark(100);
                if (bufferedReader.readLine().matches("^.*Proc-Type: 4,ENCRYPTED.*$")) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key appears to be encrypted RSA in raw format.");
                    }
                    setEncrypted(true);
                } else {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key appears to be RSA in raw format.");
                    }
                    bufferedReader.reset();
                    setEncrypted(false);
                }
            } else if (readLine.matches("^.*-----BEGIN DSA PRIVATE KEY-----.*$")) {
                setFormat(2);
                bufferedReader.mark(100);
                if (bufferedReader.readLine().matches("^.*Proc-Type: 4,ENCRYPTED.*$")) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key appears to be encrypted DSA in raw format.");
                    }
                    setEncrypted(true);
                } else {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key appears to be DSA in raw format.");
                    }
                    bufferedReader.reset();
                    setEncrypted(false);
                }
            }
            if (isEncrypted() && (getFormat() == 1 || getFormat() == 2)) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Key data is encrypted RSA or DSA, inspecting encryption properties");
                }
                // Expected shape: "DEK-Info: <cipher>,<hex IV>". Errors are logged but not thrown.
                String[] split = bufferedReader.readLine().split(":\\s");
                if (split.length != 2) {
                    FileCredentialResolver.log.error("Encrypted key did not contain DEK-Info specification.");
                }
                String[] split2 = split[1].split(",");
                if (split2.length != 2 || split2[0] == null || split2[0].equals("") || split2[1] == null || split2[1].equals("")) {
                    FileCredentialResolver.log.error("Encrypted key did not contain a proper DEK-Info specification.");
                }
                if (split2[0].equals("DES-CBC")) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key encryption method determined to be DES-CBC");
                    }
                    setEncryptionAlgorithim(0);
                } else if (split2[0].equals("DES-EDE3-CBC")) {
                    if (FileCredentialResolver.log.isDebugEnabled()) {
                        FileCredentialResolver.log.debug("Key encryption method determined to be DES-EDE3-CBC");
                    }
                    setEncryptionAlgorithim(1);
                } else {
                    // -1 is not rejected here; decryptKey() later dereferences a null Cipher for it.
                    setEncryptionAlgorithim(-1);
                    FileCredentialResolver.log.error(new StringBuffer("Key encryption method unknown: ").append(split2[0]).toString());
                }
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug(new StringBuffer("Key encryption algorithim initialization vector determined to be ").append(split2[1]).toString());
                }
                setInitializationVector(split2[1]);
            }
            // Collect the Base64 body up to the END line. As decompiled, nothing ever leaves
            // this loop (see the method comment).
            StringBuffer stringBuffer = new StringBuffer();
            while (true) {
                String readLine2 = bufferedReader.readLine();
                if (readLine2 != null && !readLine2.matches("^.*END.*$")) {
                    stringBuffer.append(readLine2);
                }
            }
            String stringBuffer2 = stringBuffer.toString();
            if (FileCredentialResolver.log.isDebugEnabled()) {
                // Logs the key body; for an unencrypted key this is the private key material.
                FileCredentialResolver.log.debug(new StringBuffer("Base64 encoded key: ").append(stringBuffer2).toString());
            }
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("Base64 decoding key");
            }
            setKeyBytes(Base64.decode(stringBuffer2));
            if (isEncrypted() && (getFormat() == 1 || getFormat() == 2)) {
                if (FileCredentialResolver.log.isDebugEnabled()) {
                    FileCredentialResolver.log.debug("Decrypting RSA/DSA key");
                }
                decryptKey();
            }
            if (FileCredentialResolver.log.isDebugEnabled()) {
                FileCredentialResolver.log.debug("PEM key has been decoded into DER encoded data, processing it as DER key");
            }
            // Encrypted PKCS#8 is passed through still encrypted; DERKey handles that case.
            this.derKey = new DERKey(this.this$0, getKeyBytes(), getEncryptionPassword());
            bufferedReader.close();
        }

        /**
         * Decrypts a legacy OpenSSL-encrypted raw RSA/DSA body in place.
         *
         * <p>The IV is the 16 hex characters from {@code DEK-Info}. The 24-byte key material is
         * MD5(password || IV) followed by the first 8 bytes of MD5(previous || password || IV),
         * which appears to be OpenSSL's single-iteration {@code EVP_BytesToKey} with the IV as
         * salt; DES-CBC uses the first 8 bytes, DES-EDE3-CBC all 24. The password is converted
         * with the platform default charset, so non-ASCII passwords are platform-dependent.
         *
         * <p>Failure handling: a wrong password usually surfaces as {@link BadPaddingException};
         * every other problem (an IV shorter than 16 hex chars, an unknown algorithm leaving
         * {@code cipher} null, non-hex IV characters) lands in the generic catch and is reported
         * as a JCE capability problem, which can mislead the operator.
         *
         * @throws CredentialFactoryException if decryption fails for any reason
         */
        private void decryptKey() throws CredentialFactoryException {
            try {
                byte[] bArr = new byte[8];
                for (int i = 0; i < 8; i++) {
                    bArr[i] = (byte) Integer.parseInt(getInitializationVector().substring(i * 2, (i * 2) + 2), 16);
                }
                IvParameterSpec ivParameterSpec = new IvParameterSpec(bArr);
                byte[] bArr2 = new byte[24];
                byte[] bytes = getEncryptionPassword().getBytes();
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
                messageDigest.update(bytes);
                messageDigest.update(ivParameterSpec.getIV());
                byte[] digest = messageDigest.digest();
                System.arraycopy(digest, 0, bArr2, 0, 16);
                messageDigest.update(digest);
                messageDigest.update(bytes);
                messageDigest.update(ivParameterSpec.getIV());
                System.arraycopy(messageDigest.digest(), 0, bArr2, 16, 8);
                SecretKeySpec secretKeySpec = null;
                Cipher cipher = null;
                if (getEncryptionAlgorithim() == 0) { // EncodedKey.DES_CBC
                    byte[] bArr3 = new byte[8];
                    System.arraycopy(bArr2, 0, bArr3, 0, 8);
                    secretKeySpec = new SecretKeySpec(bArr3, "DES");
                    cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
                }
                if (getEncryptionAlgorithim() == 1) { // EncodedKey.DES_EDE3_CBC
                    secretKeySpec = new SecretKeySpec(bArr2, "DESede");
                    cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
                }
                // 2 == Cipher.DECRYPT_MODE; cipher is still null for an unknown algorithm.
                cipher.init(2, secretKeySpec, ivParameterSpec);
                byte[] doFinal = cipher.doFinal(getKeyBytes());
                setEncrypted(false);
                setKeyBytes(doFinal);
            } catch (BadPaddingException e) {
                FileCredentialResolver.log.error("Incorrect password to unlock private key.", e);
                throw new CredentialFactoryException("Unable to load private key.");
            } catch (Exception e2) {
                FileCredentialResolver.log.error(new StringBuffer("Unable to decrypt private key.  Installed JCE implementations don't support the necessary algorithm: ").append(e2).toString());
                throw new CredentialFactoryException("Unable to load private key.");
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v2, types: [java.lang.Throwable] */
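    /*
     * Class initialiser (javac 1.4 "class$" idiom as rendered by the decompiler): resolves this class by name,
     * caches it in the synthetic field class$0 and creates the log4j logger for it.
     * The decompiler emitted cls.getMessage() for the NoClassDefFoundError message; java.lang.Class has no such
     * method, the message belongs to the caught ClassNotFoundException.
     */
    static {
        Class<?> cls = class$0;
        if (cls == null) {
            try {
                cls = Class.forName("edu.internet2.middleware.shibboleth.common.FileCredentialResolver");
                class$0 = cls;
            } catch (ClassNotFoundException e) {
                // Mirror javac's synthetic handler: surface the lookup failure as a NoClassDefFoundError.
                throw new NoClassDefFoundError(e.getMessage());
            }
        }
        log = Logger.getLogger(cls.getName());
    }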

    /**
     * Builds a {@link Credential} from a {@code <FileResolver>} configuration element.
     *
     * @param element the resolver configuration element; its local name must be {@code FileResolver}
     * @return the credential holding the private key and the certificate chain resolved for it
     * @throws CredentialFactoryException if the element is not a {@code FileResolver}, no private key could be
     *         loaded, or the certificate chain could not be resolved
     */
    @Override // edu.internet2.middleware.shibboleth.common.CredentialResolver
    public Credential loadCredential(Element element) throws CredentialFactoryException {
        boolean isFileResolver = element.getLocalName().equals("FileResolver");
        if (!isFileResolver) {
            log.error("Invalid Credential Resolver configuration: expected <FileResolver> .");
            throw new CredentialFactoryException("Failed to initialize Credential Resolver.");
        }
        PrivateKey key = getPrivateKey(element);
        if (key == null) {
            log.error("Failed to load private key.");
            throw new CredentialFactoryException("Failed to load private key.");
        }
        List chain = getCertificateChain(element, key);
        X509Certificate[] certs = (X509Certificate[]) chain.toArray(new X509Certificate[0]);
        Credential result = new Credential(certs, key);
        if (log.isDebugEnabled()) {
            log.debug("Credential created");
        }
        return result;
    }

    /*  JADX ERROR: JadxRuntimeException in pass: BlockProcessor
        jadx.core.utils.exceptions.JadxRuntimeException: Unreachable block: B:14:0x013f
        	at jadx.core.dex.visitors.blocks.BlockProcessor.checkForUnreachableBlocks(BlockProcessor.java:88)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.processBlocksTree(BlockProcessor.java:52)
        	at jadx.core.dex.visitors.blocks.BlockProcessor.visit(BlockProcessor.java:44)
        */
    /*
     * NOTE(review): the decompiler could not reconstruct this method (see the JADX error above). The stub below
     * unconditionally throws UnsupportedOperationException, so loadCredential() cannot succeed from this listing;
     * the real implementation (323 instructions) must be taken from the original source or bytecode. Judging by
     * the helpers in this file it presumably reads <Key><Path/> via getKeyPath, sniffs the encoding with
     * getKeyEncodingFormat and uses getKeyPassword for encrypted keys — confirm against the original.
     */
    private java.security.PrivateKey getPrivateKey(org.w3c.dom.Element r7) throws edu.internet2.middleware.shibboleth.common.CredentialFactoryException {
        /*
            Method dump skipped, instructions count: 323
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: edu.internet2.middleware.shibboleth.common.FileCredentialResolver.getPrivateKey(org.w3c.dom.Element):java.security.PrivateKey");
    }

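    /**
     * Resolves the certificate chain for {@code privateKey} from the {@code <Certificate>} configuration.
     * <p>
     * The file named by {@code <Certificate><Path/>} must contain the end-entity certificate whose public key
     * matches the private key (exactly one match when the file holds several certificates). Certificates from
     * any {@code <CAPath/>} files are then pooled and {@link #walkChain} extends the chain towards a self-signed
     * root by issuer/subject name; finally each link is verified against the public key of the certificate that
     * follows it. Note that this verifies signatures only: validity periods and trust anchors are not checked
     * here, and the last certificate of the chain is not verified against anything.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @param privateKey the private key the end-entity certificate must match
     * @return the chain, end-entity certificate first; empty when no certificate path is configured
     * @throws CredentialFactoryException if a certificate resource cannot be read, contains no usable
     *         certificate, no (or more than one) certificate matches the key, or a chain signature fails to verify
     */
    private List getCertificateChain(Element element, PrivateKey privateKey) throws CredentialFactoryException {
        List<Certificate> chain = new ArrayList<Certificate>();
        String certPath = getCertPath(element);
        if (certPath == null || certPath.equals("")) {
            if (log.isInfoEnabled()) {
                log.info("No certificates specified.");
            }
            return chain;
        }
        if (log.isDebugEnabled()) {
            log.debug(new StringBuffer("Certificate Path: (").append(certPath).append(").").toString());
        }
        // Every certificate read from disk (end-entity file first, then CA files); walkChain draws issuers from it.
        List<Certificate> pool = new ArrayList<Certificate>();
        try {
            Certificate[] fileCerts = readCertificates(certPath);
            // Validate before use: the array used to be copied into the pool first, which would NPE on null.
            if (fileCerts == null || fileCerts.length == 0) {
                log.error(new StringBuffer("File at (").append(certPath).append(") did not contain any valid certificates.").toString());
                throw new CredentialFactoryException("File did not contain any valid certificates.");
            }
            pool.addAll(Arrays.asList(fileCerts));
            chain.add(selectEndEntityCert(fileCerts, privateKey, certPath));
            if (log.isDebugEnabled()) {
                log.debug(new StringBuffer("Successfully identified the end entity cert: ").append(((X509Certificate) chain.get(0)).getSubjectDN()).toString());
            }
            String[] caPaths = getCAPaths(element);
            if (caPaths != null && caPaths.length > 0) {
                if (log.isDebugEnabled()) {
                    log.debug(new StringBuffer("Attempting to load certificates from (").append(caPaths.length).append(") CA certificate files.").toString());
                }
                for (int i = 0; i < caPaths.length; i++) {
                    pool.addAll(Arrays.asList(readCertificates(caPaths[i])));
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("Attempting to construct a certificate chain.");
            }
            walkChain(pool.toArray(new X509Certificate[0]), chain);
            if (log.isDebugEnabled()) {
                log.debug("Verifying that each link in the cert chain is signed appropriately");
            }
            verifyChainSignatures(chain);
            if (log.isDebugEnabled()) {
                log.debug("All signatures verified. Certificate chain creation successful.");
            }
            if (log.isInfoEnabled()) {
                log.info("Successfully loaded certificates.");
            }
        } catch (IOException e) {
            // Also reached for a CA file that cannot be opened; the message names the end-entity path as before.
            log.error(new StringBuffer("Could not load resource from specified location (").append(certPath).append("): ").append(e).toString());
            throw new CredentialFactoryException("Unable to load certificates.");
        }
        return chain;
    }

    /**
     * Reads all X.509 certificates from the resource at {@code path}, closing the stream afterwards.
     *
     * @throws IOException if the resource cannot be opened
     * @throws CredentialFactoryException if the bundle cannot be parsed
     */
    private Certificate[] readCertificates(String path) throws IOException, CredentialFactoryException {
        InputStream in = new ShibResource(path, getClass()).getInputStream();
        try {
            return loadCertificates(in, "X.509");
        } finally {
            in.close();
        }
    }

    /**
     * Picks the certificate in {@code candidates} whose public key matches {@code privateKey}.
     * A single-certificate file must match; a multi-certificate file must contain exactly one match.
     *
     * @throws CredentialFactoryException if no candidate, or more than one candidate, matches the key
     */
    private Certificate selectEndEntityCert(Certificate[] candidates, PrivateKey privateKey, String certPath) throws CredentialFactoryException {
        if (candidates.length == 1) {
            if (log.isDebugEnabled()) {
                log.debug("Certificate file only contains 1 certificate.");
                log.debug("Ensuring that it matches the private key.");
            }
            if (!isMatchingKey(candidates[0].getPublicKey(), privateKey)) {
                log.error(new StringBuffer("Certificate file ").append(certPath).append("only contained one certificate and it does not match the private key.").toString());
                throw new CredentialFactoryException("No certificate in chain that matches specified private key");
            }
            return candidates[0];
        }
        if (log.isDebugEnabled()) {
            log.debug("Certificate file contains multiple certificates.");
            log.debug("Trying to determine the end-entity cert by the matching certificates against the private key.");
        }
        List<Certificate> matches = new ArrayList<Certificate>();
        for (int i = 0; i < candidates.length; i++) {
            if (isMatchingKey(candidates[i].getPublicKey(), privateKey)) {
                if (log.isDebugEnabled()) {
                    log.debug(new StringBuffer("Found matching end cert: ").append(((X509Certificate) candidates[i]).getSubjectDN()).toString());
                }
                matches.add(candidates[i]);
            }
        }
        if (matches.isEmpty()) {
            log.error(new StringBuffer("Certificate file ").append(certPath).append("only contained multiple certificates and none matched the private key.").toString());
            throw new CredentialFactoryException("No certificate in chain that matches specified private key");
        }
        if (matches.size() > 1) {
            log.error("More than one certificate in chain that matches specified private key");
            throw new CredentialFactoryException("More than one certificate in chain that matches specified private key");
        }
        return matches.get(0);
    }

    /**
     * Verifies that each certificate in {@code chain} is signed by the key of the certificate that follows it.
     * The final certificate (root, or last one found) is not verified.
     *
     * @throws CredentialFactoryException on the first link that fails to verify
     */
    private void verifyChainSignatures(List<Certificate> chain) throws CredentialFactoryException {
        for (int i = 0; i < chain.size() - 1; i++) {
            X509Certificate subject = (X509Certificate) chain.get(i);
            X509Certificate issuer = (X509Certificate) chain.get(i + 1);
            try {
                subject.verify(issuer.getPublicKey());
            } catch (Exception e) {
                String message = new StringBuffer("Certificate chain cannot be verified: ").append(e).toString();
                log.error(message);
                throw new CredentialFactoryException(message);
            }
        }
    }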

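    /**
     * Determines how the private key file is encoded.
     * <p>
     * Honours the {@code format} attribute of the first {@code <Key>} element ({@code PEM}, {@code DER};
     * {@code PKCS12} is reported as unsupported, any other value falls through to auto-detection). Without a
     * usable attribute the first byte of {@code inputStream} is sniffed: {@code '-'} starts a PEM armour line
     * ({@code -----BEGIN ...}), {@code 0x30} is the DER SEQUENCE tag. The stream is marked and reset so the
     * caller still sees the whole key; a stream without mark/reset support fails at the reset and is reported
     * as a CredentialFactoryException.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @param inputStream the key data, positioned at its first byte
     * @return {@code 1} for PEM, {@code 0} for DER, {@code -1} when unsupported or not recognised
     * @throws CredentialFactoryException if no {@code <Key>} element exists or the stream cannot be sniffed
     */
    private int getKeyEncodingFormat(Element element, InputStream inputStream) throws CredentialFactoryException {
        NodeList keys = element.getElementsByTagNameNS(Credentials.credentialsNamespace, "Key");
        if (keys.getLength() < 1) {
            log.error("No private key specified in file credential resolver");
            throw new CredentialFactoryException("File Credential Resolver requires a <Key> specification.");
        }
        if (keys.getLength() > 1) {
            log.error("Multiple Key path specifications, using first.");
        }
        String format = ((Element) keys.item(0)).getAttribute("format");
        if (format != null && format.length() > 0) {
            if (format.equals("PEM")) {
                return 1;
            }
            if (format.equals("DER")) {
                return 0;
            }
            if (format.equals("PKCS12")) {
                log.error("PKCS12 private keys are not yet supported");
                return -1;
            }
            // Any other value is not rejected: fall through to auto-detection.
        }
        if (log.isInfoEnabled()) {
            log.info("Private key format was not specified in file credential resolver configuration, attempting to auto-detect it.");
        }
        try {
            inputStream.mark(2);
            int firstByte = inputStream.read();
            inputStream.reset();
            if (firstByte == '-') {
                return 1; // "-----BEGIN ..." PEM armour
            }
            if (firstByte == 0x30) {
                return 0; // ASN.1 SEQUENCE tag, i.e. raw DER
            }
            return -1;
        } catch (IOException e) {
            // CredentialFactoryException is only ever built with a message here, so keep the cause in the log.
            log.error("Could not determine the type of private key for file credential resolver.", e);
            throw new CredentialFactoryException("Could not determine the type of private key for file credential resolver.");
        }
    }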

    /**
     * Reads the {@code password} attribute of the first {@code <Key>} element.
     * The value is the passphrase protecting the private key file and is never logged here.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @return the password, or an empty string when the attribute yields {@code null}
     * @throws CredentialFactoryException if no {@code <Key>} element exists
     */
    private String getKeyPassword(Element element) throws CredentialFactoryException {
        NodeList keys = element.getElementsByTagNameNS(Credentials.credentialsNamespace, "Key");
        int count = keys.getLength();
        if (count < 1) {
            log.error("Key not specified.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Key> specification.");
        }
        if (count > 1) {
            log.error("Multiple Key path specifications, using first.");
        }
        Element key = (Element) keys.item(0);
        String password = key.getAttribute("password");
        return password == null ? "" : password;
    }

    /**
     * Returns the text of {@code <Certificate><Path/>} from the first {@code <Certificate>} element.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @return the path, or {@code null} when there is no {@code <Certificate>} element at all
     * @throws CredentialFactoryException if a {@code <Certificate>} element exists but has no, or an empty,
     *         {@code <Path/>}
     */
    private String getCertPath(Element element) throws CredentialFactoryException {
        NodeList certificates = element.getElementsByTagNameNS(Credentials.credentialsNamespace, "Certificate");
        if (certificates.getLength() < 1) {
            if (log.isDebugEnabled()) {
                log.debug("No <Certificate> element found.");
            }
            return null;
        }
        Element certificate = (Element) certificates.item(0);
        NodeList paths = certificate.getElementsByTagNameNS(Credentials.credentialsNamespace, "Path");
        if (paths.getLength() < 1) {
            log.error("Certificate path not specified.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Certificate><Path/></Certificate> specification, none was specified.");
        }
        if (paths.getLength() > 1) {
            log.error("Multiple Certificate path specifications, using first.");
        }
        // Only a text node directly under <Path> counts; anything else yields an empty path.
        Node text = paths.item(0).getFirstChild();
        String path = (text != null && text.getNodeType() == Node.TEXT_NODE) ? text.getNodeValue() : null;
        if (path == null || path.equals("")) {
            log.error("Certificate path was empty.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Certificate><Path/></Certificate> specification, the specified one was empty.");
        }
        return path;
    }

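    /**
     * Collects the non-empty text of every {@code <CAPath/>} under the first {@code <Certificate>} element.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @return the CA bundle paths in document order; {@code null} when no {@code <CAPath/>} element exists,
     *         an empty array when all of them are empty
     * @throws CredentialFactoryException if there is no {@code <Certificate>} element
     */
    private String[] getCAPaths(Element element) throws CredentialFactoryException {
        NodeList certificates = element.getElementsByTagNameNS(Credentials.credentialsNamespace, "Certificate");
        if (certificates.getLength() < 1) {
            log.error("Certificate not specified.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Certificate> specification.");
        }
        if (certificates.getLength() > 1) {
            log.error("Multiple Certificate path specifications, using first.");
        }
        NodeList caPaths = ((Element) certificates.item(0)).getElementsByTagNameNS(Credentials.credentialsNamespace, "CAPath");
        if (caPaths.getLength() < 1) {
            if (log.isDebugEnabled()) {
                log.debug("No CA Certificate paths specified.");
            }
            return null;
        }
        List<String> paths = new ArrayList<String>();
        for (int i = 0; i < caPaths.getLength(); i++) {
            Node text = caPaths.item(i).getFirstChild();
            if (text != null && text.getNodeType() == Node.TEXT_NODE) {
                String path = text.getNodeValue();
                if (path != null && !path.equals("")) {
                    paths.add(path);
                }
            }
        }
        // Checked once after the loop; it used to run on every iteration and log once per leading empty element.
        if (paths.isEmpty() && log.isDebugEnabled()) {
            log.debug("No CA Certificate paths specified.");
        }
        return paths.toArray(new String[0]);
    }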

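    /**
     * Returns the text of {@code <Key><Path/>} from the first {@code <Key>} element.
     * The error messages previously named the closing tag as {@code </Certificate>}; it is {@code </Key>}.
     *
     * @param element the {@code <FileResolver>} configuration element
     * @return the non-empty key path
     * @throws CredentialFactoryException if there is no {@code <Key>} element, no {@code <Path/>} under it,
     *         or the path is empty
     */
    private String getKeyPath(Element element) throws CredentialFactoryException {
        NodeList keys = element.getElementsByTagNameNS(Credentials.credentialsNamespace, "Key");
        if (keys.getLength() < 1) {
            log.error("Key not specified.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Key> specification.");
        }
        if (keys.getLength() > 1) {
            log.error("Multiple Key path specifications, using first.");
        }
        NodeList paths = ((Element) keys.item(0)).getElementsByTagNameNS(Credentials.credentialsNamespace, "Path");
        if (paths.getLength() < 1) {
            log.error("Key path not specified.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Key><Path/></Key> specification.");
        }
        if (paths.getLength() > 1) {
            log.error("Multiple Key path specifications, using first.");
        }
        // Only a text node directly under <Path> counts; anything else is treated as an empty path.
        Node text = paths.item(0).getFirstChild();
        String path = null;
        if (text != null && text.getNodeType() == Node.TEXT_NODE) {
            path = text.getNodeValue();
        }
        if (path == null || path.equals("")) {
            log.error("Key path is empty.");
            throw new CredentialFactoryException("File Credential Resolver requires a <Key><Path/></Key> specification.");
        }
        return path;
    }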

    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
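    /**
     * Parses every PEM-armoured certificate in {@code inputStream}.
     * <p>
     * Text outside {@code -----BEGIN CERTIFICATE-----} / {@code -----END CERTIFICATE-----} blocks is ignored.
     * A block the factory rejects is logged (with its text at debug level) and skipped rather than failing the
     * whole bundle. The reader wrapped around {@code inputStream} is always closed, including on error; the
     * original closed it only when end of stream was reached.
     *
     * @param inputStream the bundle to read; closed by this method
     * @param str the {@link CertificateFactory} type, {@code "X.509"} for every caller in this file
     * @return the certificates that parsed, in file order (possibly empty, never {@code null})
     * @throws CredentialFactoryException if the stream cannot be read or no factory exists for {@code str}
     */
    private Certificate[] loadCertificates(InputStream inputStream, String str) throws CredentialFactoryException {
        List<Certificate> certs = new ArrayList<Certificate>();
        String lineSeparator = System.getProperty("line.separator");
        try {
            CertificateFactory factory = CertificateFactory.getInstance(str);
            // ISO-8859-1 maps bytes 1:1 to chars, so the PEM text reaches the factory byte-for-byte whatever
            // the platform default charset is (the original used the default in both directions).
            java.nio.charset.Charset latin1 = java.nio.charset.Charset.forName("ISO-8859-1");
            BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, latin1));
            try {
                StringBuffer block = null; // non-null while inside a BEGIN/END block
                String line;
                while ((line = reader.readLine()) != null) {
                    if (block == null) {
                        if (line.indexOf("-----BEGIN CERTIFICATE-----") >= 0) {
                            block = new StringBuffer();
                            block.append(line).append(lineSeparator);
                        }
                        continue;
                    }
                    block.append(line).append(lineSeparator);
                    if (line.indexOf("-----END CERTIFICATE-----") >= 0) {
                        try {
                            certs.add(factory.generateCertificate(new ByteArrayInputStream(block.toString().getBytes(latin1))));
                        } catch (CertificateException e) {
                            log.warn(new StringBuffer("Failed to load a certificate from the certificate bundle: ").append(e).toString());
                            if (log.isDebugEnabled()) {
                                log.debug(new StringBuffer("Dump of bad certificate: ").append(lineSeparator).append(block.toString()).toString());
                            }
                        }
                        block = null;
                    }
                }
            } finally {
                reader.close();
            }
        } catch (IOException e) {
            log.error(new StringBuffer("Could not load resource from specified location: ").append(e).toString());
            throw new CredentialFactoryException("Unable to load certificates.");
        } catch (CertificateException e) {
            // Only CertificateFactory.getInstance can reach here; per-block failures are handled in the loop.
            log.error(new StringBuffer("Problem loading certificate factory: ").append(e).toString());
            throw new CredentialFactoryException("Unable to load certificates.");
        }
        return certs.toArray(new Certificate[0]);
    }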

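    /**
     * Extends {@code list} from its last certificate towards a root by issuer/subject name matching.
     * <p>
     * Each step takes the first certificate in {@code x509CertificateArr} whose subject DN equals the issuer DN
     * of the current tail. Matching is by name only: if two candidates share a subject DN (e.g. a CA key
     * rollover) the first one wins and the signature check done by the caller may then fail. A certificate whose
     * subject equals its issuer is treated as the root; that is "self-issued", its self-signature is not
     * verified here. The walk stops when no candidate is found or when the candidate is already in the chain,
     * so a DN cycle in the pool (cross-signed CAs) can no longer recurse without bound as the original did.
     *
     * @param x509CertificateArr the pool of candidate issuer certificates
     * @param list the chain being built; must hold at least one certificate, is appended to in place
     * @throws CredentialFactoryException declared for callers; not thrown by this implementation
     */
    protected void walkChain(X509Certificate[] x509CertificateArr, List list) throws CredentialFactoryException {
        while (true) {
            X509Certificate tail = (X509Certificate) list.get(list.size() - 1);
            if (tail.getSubjectDN().equals(tail.getIssuerDN())) {
                if (log.isDebugEnabled()) {
                    log.debug(new StringBuffer("Found self-signed root cert: ").append(tail.getSubjectDN()).toString());
                }
                return;
            }
            X509Certificate issuer = null;
            for (int i = 0; i < x509CertificateArr.length; i++) {
                if (tail.getIssuerDN().equals(x509CertificateArr[i].getSubjectDN())) {
                    issuer = x509CertificateArr[i];
                    break;
                }
            }
            // No issuer in the pool, or the issuer is already part of the chain (name cycle): stop here.
            if (issuer == null || list.contains(issuer)) {
                if (log.isDebugEnabled()) {
                    log.debug("Certificate chain is incomplete.");
                }
                return;
            }
            list.add(issuer);
        }
    }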

    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    /**
     * Checks whether {@code publicKey} belongs to {@code privateKey} by signing a fixed probe with the private
     * key and verifying it with the public key.
     * <p>
     * The signature algorithm is looked up by the private key's algorithm name; when no provider offers that
     * name and the key is RSA, {@code MD5withRSA} is used instead. The digest strength is irrelevant here: the
     * signature is a throw-away consistency probe and is never exposed. Any failure is logged as a warning and
     * reported as "no match".
     *
     * @param publicKey the candidate public key (typically from a certificate)
     * @param privateKey the private key to test against
     * @return {@code true} if a signature made with {@code privateKey} verifies under {@code publicKey}
     */
    protected boolean isMatchingKey(PublicKey publicKey, PrivateKey privateKey) {
        boolean matched = false;
        try {
            if (log.isDebugEnabled()) {
                log.debug("Checking for matching private key/public key pair");
            }
            String algorithm = privateKey.getAlgorithm();
            Signature probe;
            try {
                probe = Signature.getInstance(algorithm);
            } catch (NoSuchAlgorithmException e) {
                if (log.isDebugEnabled()) {
                    log.debug("No provider for (RSA) signature, attempting (MD5withRSA).");
                }
                if (!algorithm.equals("RSA")) {
                    throw e;
                }
                probe = Signature.getInstance("MD5withRSA");
            }
            byte[] probeData = "asdf".getBytes();
            probe.initSign(privateKey);
            probe.update(probeData);
            byte[] probeSignature = probe.sign();
            probe.initVerify(publicKey);
            probe.update(probeData);
            matched = probe.verify(probeSignature);
        } catch (Exception e2) {
            log.warn(e2);
        }
        if (log.isDebugEnabled()) {
            log.debug(matched ? "Found match." : "This pair does not match.");
        }
        return matched;
    }
}
