package com.sshtools.common.publickey;

import com.sshtools.common.logger.Log;
import com.sshtools.common.ssh.SshException;
import com.sshtools.common.ssh.SshKeyFingerprint;
import com.sshtools.common.ssh.components.SshKeyPair;
import com.sshtools.common.ssh.components.SshPublicKey;
import com.sshtools.common.ssh.components.jce.JCEComponentManager;
import com.sshtools.common.util.ByteArrayReader;
import com.sshtools.common.util.ByteArrayWriter;
import com.sshtools.common.util.UnsignedInteger64;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import oracle.xml.xslt.XSLConstants;

/* loaded from: input_file:com/sshtools/common/publickey/OpenSshCertificate.class */
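/**
 * Base class for OpenSSH-style certificates: a signed public key ({@link #getSignedKey()})
 * bundled with identity, validity and permission metadata and signed by a CA key
 * ({@link #getSignedBy()}). Concrete subclasses provide the algorithm name and the
 * wire encoding of the wrapped key.
 *
 * <p>Decoding through {@link #init(byte[], int, int)} checks the embedded signature against
 * the CA key that is <em>also embedded in the certificate</em> (see {@link #verify()}).
 * That proves internal consistency only. Whether the CA is trusted, whether the validity
 * window ({@link #getValidAfter()}/{@link #getValidBefore()}) covers "now", and whether a
 * principal or source address matches are decisions left entirely to the caller.
 *
 * <p>Instances are mutable and not thread-safe: {@link #init} and {@link #sign} replace
 * every field.
 */
public abstract class OpenSshCertificate implements SshPublicKey {
    public static final int SSH_CERT_TYPE_USER = 1;
    public static final int SSH_CERT_TYPE_HOST = 2;
    public static final String PERMIT_X11_FORWARDING = "permit-x11-forwarding";
    public static final String PERMIT_PORT_FORWARDING = "permit-port-forwarding";
    public static final String PERMIT_AGENT_FORWARDING = "permit-agent-forwarding";
    public static final String PERMIT_USER_PTY = "permit-pty";
    public static final String PERMIT_USER_RC = "permit-user-rc";
    public static final String OPTION_FORCE_COMMAND = "force-command";
    public static final String OPTION_SOURCE_ADDRESS = "source-address";

    /** Size in bytes of the random nonce generated by {@link #sign}. */
    private static final int NONCE_LENGTH = 32;
    /** Reason code attached to every SshException raised here; its symbolic name is not visible in this file. */
    private static final int SSH_EXCEPTION_REASON = 5;
    /**
     * Separator between entries of the {@code source-address} critical option (a comma-separated
     * list in the OpenSSH certificate format). The decompiled class had resolved this literal to
     * an unrelated XSLT constant with the same value.
     */
    private static final String SOURCE_ADDRESS_SEPARATOR = ",";

    /** The subject key this certificate vouches for. */
    protected SshPublicKey publicKey;
    /** Random bytes covered by the signature; generated by {@link #sign}, read back by {@link #init}. */
    byte[] nonce;
    /** Issuer-assigned serial number. */
    UnsignedInteger64 serial;
    /** {@link #SSH_CERT_TYPE_USER} or {@link #SSH_CERT_TYPE_HOST}; taken from the wire without validation. */
    int type;
    /** Free-form identifier chosen by the issuer. */
    String keyId;
    /** Start of validity, seconds since the epoch. */
    UnsignedInteger64 validAfter;
    /** End of validity, seconds since the epoch. */
    UnsignedInteger64 validBefore;
    /** Reserved field; {@link #sign} always writes the empty string. */
    String reserved;
    /** CA key. When decoding, this is read from the certificate itself (see {@link #decodeCertificate}). */
    SshPublicKey signedBy;
    /** Signature blob: signing-algorithm name followed by the raw signature, as built in {@link #sign}. */
    byte[] signature;
    List<String> validPrincipals = new ArrayList<>();
    List<CriticalOption> criticalOptions = new ArrayList<>();
    List<CertificateExtension> extensions = new ArrayList<>();

    /** The wire algorithm name of the certificate, which for this class is {@link #getAlgorithm()}. */
    @Override
    public String getEncodingAlgorithm() {
        return getAlgorithm();
    }

    /** @return whether the type field equals {@link #SSH_CERT_TYPE_USER}. */
    public boolean isUserCertificate() {
        return this.type == SSH_CERT_TYPE_USER;
    }

    /** @return whether the type field equals {@link #SSH_CERT_TYPE_HOST}. */
    public boolean isHostCertificate() {
        return this.type == SSH_CERT_TYPE_HOST;
    }

    /** @return the subject key wrapped by this certificate. */
    public SshPublicKey getSignedKey() {
        return this.publicKey;
    }

    /**
     * Fingerprint of the <em>subject key</em>, not of the certificate blob as a whole.
     *
     * @throws SshException if the subject key cannot be encoded
     */
    @Override
    public final String getFingerprint() throws SshException {
        return SshKeyFingerprint.getFingerprint(getSignedKey().getEncoded());
    }

    /**
     * Decodes a certificate from its SSH wire encoding and verifies its embedded signature.
     *
     * @param encoded buffer holding the certificate
     * @param offset  start of the certificate within {@code encoded}
     * @param length  number of bytes to read
     * @return {@code this}
     * @throws SshException if the algorithm name does not match {@link #getAlgorithm()}, the
     *         data is malformed, or the signature does not verify (see {@link #verify()})
     */
    @Override
    public SshPublicKey init(byte[] encoded, int offset, int length) throws SshException {
        ByteArrayReader reader = new ByteArrayReader(encoded, offset, length);
        try {
            String algorithm = reader.readString();
            if (!getAlgorithm().equals(algorithm)) {
                // The original message claimed "not DSA" regardless of the expected algorithm.
                throw new SshException(String.format(
                        "Expected a %s certificate but the encoded key is %s", getAlgorithm(), algorithm),
                        SSH_EXCEPTION_REASON);
            }
            this.nonce = reader.readBinaryString();
            decodePublicKey(reader);
            decodeCertificate(reader);
            return this;
        } catch (SshException e) {
            // Keep the specific failure (e.g. a signature mismatch) rather than re-wrapping it.
            throw e;
        } catch (Exception e) {
            Log.error("Failed to decode OpenSSH certificate", e, new Object[0]);
            throw new SshException("Failed to obtain certificate key instance from JCE", SSH_EXCEPTION_REASON, e);
        } finally {
            reader.close();
        }
    }

    /**
     * Full SSH wire encoding: the signed portion (see {@link #buildSignedData}) followed by the
     * signature blob.
     *
     * @throws SshException if the subject key cannot be encoded or a write fails
     */
    @Override
    public byte[] getEncoded() throws SshException {
        ByteArrayWriter writer = new ByteArrayWriter();
        try {
            byte[] signedData = buildSignedData(getSignedKey());
            writer.write(signedData, 0, signedData.length);
            encodeSignature(writer);
            return writer.toByteArray();
        } catch (IOException e) {
            throw new SshException("Failed to encode certificate", SSH_EXCEPTION_REASON, e);
        } finally {
            closeQuietly(writer);
        }
    }

    /** Appends the signature blob as a binary string. */
    private void encodeSignature(ByteArrayWriter writer) throws IOException {
        writer.writeBinaryString(this.signature);
    }

    /**
     * Builds the portion of the certificate that the signature covers: algorithm name, nonce,
     * the subject key's encoding minus its leading algorithm name, and all certificate fields.
     * Shared by {@link #sign}, {@link #verify} and {@link #getEncoded} so the three cannot drift.
     *
     * @param subjectKey the key whose body is embedded
     */
    private byte[] buildSignedData(SshPublicKey subjectKey) throws IOException, SshException {
        ByteArrayWriter writer = new ByteArrayWriter();
        try {
            writer.writeString(getEncodingAlgorithm());
            writer.writeBinaryString(this.nonce);
            writeKeyBody(writer, subjectKey);
            encodeCertificate(writer);
            return writer.toByteArray();
        } finally {
            closeQuietly(writer);
        }
    }

    /**
     * Copies {@code key}'s wire encoding into {@code writer} with its leading algorithm-name
     * string stripped: the certificate already carries its own algorithm name.
     */
    private static void writeKeyBody(ByteArrayWriter writer, SshPublicKey key) throws IOException, SshException {
        ByteArrayReader reader = new ByteArrayReader(key.getEncoded());
        try {
            reader.readString();
            writer.write(reader.array(), reader.getPosition(), reader.available());
        } finally {
            reader.close();
        }
    }

    /** Closes a writer whose close() failure cannot affect the bytes already collected. */
    private static void closeQuietly(ByteArrayWriter writer) {
        try {
            writer.close();
        } catch (IOException ignored) {
            // In-memory writer: nothing useful can be done about a close() failure.
        }
    }

    /**
     * Decodes the subject key fields that follow the nonce, in the subclass's own format.
     */
    protected abstract void decodePublicKey(ByteArrayReader reader) throws IOException, SshException;

    /**
     * Writes the certificate fields after the subject key: serial, type, key id, principals,
     * validity window, critical options, extensions, reserved and the CA key encoding.
     * Principals, options and extensions are each wrapped as one nested binary string.
     */
    protected void encodeCertificate(ByteArrayWriter writer) throws IOException, SshException {
        writer.writeUINT64(this.serial);
        writer.writeInt(this.type);
        writer.writeString(this.keyId);
        try (ByteArrayWriter section = new ByteArrayWriter()) {
            for (String principal : this.validPrincipals) {
                section.writeString(principal);
            }
            writer.writeBinaryString(section.toByteArray());
        }
        writer.writeUINT64(this.validAfter);
        writer.writeUINT64(this.validBefore);
        try (ByteArrayWriter section = new ByteArrayWriter()) {
            for (CriticalOption option : this.criticalOptions) {
                section.writeString(option.getName());
                section.writeBinaryString(option.getStoredValue());
            }
            writer.writeBinaryString(section.toByteArray());
        }
        try (ByteArrayWriter section = new ByteArrayWriter()) {
            for (CertificateExtension extension : this.extensions) {
                section.writeString(extension.getName());
                section.writeBinaryString(extension.getStoredValue());
            }
            writer.writeBinaryString(section.toByteArray());
        }
        writer.writeString(this.reserved);
        writer.writeBinaryString(this.signedBy.getEncoded());
    }

    /**
     * Looks up an extension by name.
     *
     * @return the first extension with that name, or {@code null} if none
     */
    public CertificateExtension getExtension(String name) {
        for (CertificateExtension extension : this.extensions) {
            if (extension.getName().equals(name)) {
                return extension;
            }
        }
        return null;
    }

    /**
     * Reads the certificate fields after the subject key (the inverse of
     * {@link #encodeCertificate}), then the signature, and finally calls {@link #verify()}.
     * The CA key is taken from the certificate data itself, so a successful decode does not
     * establish that the CA is trusted. The type field is stored as read and is not checked
     * against the known constants.
     */
    protected void decodeCertificate(ByteArrayReader reader) throws IOException, SshException {
        this.serial = reader.readUINT64();
        this.type = (int) reader.readInt();
        this.keyId = reader.readString();
        // Fresh lists rather than clear(): sign() may have installed caller-supplied lists.
        List<String> principals = new ArrayList<>();
        try (ByteArrayReader section = new ByteArrayReader(reader.readBinaryString())) {
            while (section.available() > 0) {
                principals.add(section.readString());
            }
        }
        this.validPrincipals = principals;
        this.validAfter = reader.readUINT64();
        this.validBefore = reader.readUINT64();
        List<CriticalOption> options = new ArrayList<>();
        try (ByteArrayReader section = new ByteArrayReader(reader.readBinaryString())) {
            while (section.available() > 0) {
                options.add(CriticalOption.createKnownOption(section.readString(), section.readBinaryString()));
            }
        }
        this.criticalOptions = options;
        List<CertificateExtension> decodedExtensions = new ArrayList<>();
        try (ByteArrayReader section = new ByteArrayReader(reader.readBinaryString())) {
            while (section.available() > 0) {
                decodedExtensions.add(CertificateExtension.createKnownExtension(
                        section.readString().trim(), section.readBinaryString()));
            }
        }
        this.extensions = decodedExtensions;
        this.reserved = reader.readString();
        this.signedBy = SshPublicKeyFileFactory.decodeSSH2PublicKey(reader.readBinaryString());
        this.signature = reader.readBinaryString();
        verify();
    }

    /**
     * Populates this certificate from the given fields, signs it with {@code caKeyPair} and
     * re-decodes the result as a self-check. A fresh {@value #NONCE_LENGTH}-byte nonce is
     * drawn from the JCE secure random source. The principal, option and extension lists are
     * copied, so later changes by the caller do not affect the certificate.
     *
     * @param subjectKey   the key to certify
     * @param serial       issuer-assigned serial number
     * @param type         {@link #SSH_CERT_TYPE_USER} or {@link #SSH_CERT_TYPE_HOST}
     * @param keyId        free-form identifier
     * @param principals   user or host names the certificate is valid for
     * @param validAfter   start of validity, seconds since the epoch
     * @param validBefore  end of validity, seconds since the epoch
     * @param options      critical options
     * @param extensions   extensions
     * @param caKeyPair    CA key pair; its public half is embedded as the signer
     * @throws SshException if signing or the round-trip self-check fails
     */
    public void sign(SshPublicKey subjectKey, UnsignedInteger64 serial, int type, String keyId,
            List<String> principals, UnsignedInteger64 validAfter, UnsignedInteger64 validBefore,
            List<CriticalOption> options, List<CertificateExtension> extensions, SshKeyPair caKeyPair)
            throws SshException {
        this.publicKey = subjectKey;
        this.nonce = new byte[NONCE_LENGTH];
        JCEComponentManager.getSecureRandom().nextBytes(this.nonce);
        this.serial = serial;
        this.type = type;
        this.keyId = keyId;
        this.validPrincipals = new ArrayList<>(principals);
        this.validAfter = validAfter;
        this.validBefore = validBefore;
        this.criticalOptions = new ArrayList<>(options);
        this.extensions = new ArrayList<>(extensions);
        this.reserved = "";
        this.signedBy = caKeyPair.getPublicKey();
        try {
            byte[] signedData = buildSignedData(subjectKey);
            ByteArrayWriter signatureWriter = new ByteArrayWriter();
            try {
                signatureWriter.writeString(caKeyPair.getPublicKey().getSigningAlgorithm());
                signatureWriter.writeBinaryString(caKeyPair.getPrivateKey().sign(signedData));
                this.signature = signatureWriter.toByteArray();
            } finally {
                closeQuietly(signatureWriter);
            }
            // Self-check: the encoding we just produced must decode and verify.
            ByteArrayReader reader = new ByteArrayReader(getEncoded());
            try {
                String algorithm = reader.readString();
                if (!algorithm.equals(getAlgorithm())) {
                    throw new SshException(String.format(
                            "Unexpected encoding error generating signed certificate [%s] [%s]",
                            algorithm, getAlgorithm()), SSH_EXCEPTION_REASON);
                }
                if (!Arrays.equals(this.nonce, reader.readBinaryString())) {
                    throw new SshException("Unexpected encoding error generating signed certificate [nonce]",
                            SSH_EXCEPTION_REASON);
                }
                decodePublicKey(reader);
                decodeCertificate(reader);
            } finally {
                reader.close();
            }
        } catch (SshException e) {
            Log.error("Ssh certificate sign failed", e, new Object[0]);
            throw e;
        } catch (Exception e) {
            Log.error("Ssh certificate sign failed", e, new Object[0]);
            // The original reported "Failed to encode public key" here and dropped the cause.
            throw new SshException("Failed to sign certificate", SSH_EXCEPTION_REASON, e);
        }
    }

    /**
     * Checks the signature over the signed portion (see {@link #buildSignedData}) using the
     * embedded CA key. After {@link #init} that key came from the certificate itself, so success
     * means the certificate is internally consistent; the caller must still compare
     * {@link #getSignedBy()} against its trusted CAs and apply the validity window.
     *
     * @throws SshException if the signed data cannot be rebuilt or the signature does not verify
     */
    public void verify() throws SshException {
        try {
            byte[] signedData = buildSignedData(this.publicKey);
            if (!this.signedBy.verifySignature(this.signature, signedData)) {
                throw new SshException("Failed to verify signature of certificate", SSH_EXCEPTION_REASON);
            }
        } catch (IOException e) {
            Log.error("Ssh certificate verification failed", e, new Object[0]);
            throw new SshException("Failed to process signature verification", SSH_EXCEPTION_REASON, e);
        }
    }

    /** @return the CA key embedded in the certificate. */
    public SshPublicKey getSignedBy() {
        return this.signedBy;
    }

    /** @return the raw type field. */
    public int getType() {
        return this.type;
    }

    /** @return read-only view of the principals. */
    public List<String> getPrincipals() {
        return Collections.unmodifiableList(this.validPrincipals);
    }

    /**
     * Names of all extensions.
     *
     * @deprecated use {@link #getExtensionsList()}
     */
    @Deprecated
    public List<String> getExtensions() {
        List<String> names = new ArrayList<>(this.extensions.size());
        for (CertificateExtension extension : this.extensions) {
            names.add(extension.getName());
        }
        return Collections.unmodifiableList(names);
    }

    /** @return read-only view of the critical options. */
    public List<CriticalOption> getCriticalOptionsList() {
        return Collections.unmodifiableList(this.criticalOptions);
    }

    /** @return read-only view of the extensions. */
    public List<CertificateExtension> getExtensionsList() {
        return Collections.unmodifiableList(this.extensions);
    }

    /**
     * Extension name to value; a later duplicate name overwrites an earlier one.
     *
     * @deprecated use {@link #getExtensionsList()}
     */
    @Deprecated
    public Map<String, String> getExtensionsMap() {
        Map<String, String> byName = new HashMap<>();
        for (CertificateExtension extension : this.extensions) {
            byName.put(extension.getName(), extension.getValue());
        }
        return Collections.unmodifiableMap(byName);
    }

    /** @return whether a {@code force-command} critical option is present. */
    public boolean isForceCommand() {
        return getForcedCommand() != null;
    }

    /**
     * @return the value of the first {@code force-command} critical option, or {@code null}
     *         if the certificate carries none
     */
    public String getForcedCommand() {
        for (CriticalOption option : this.criticalOptions) {
            if (OPTION_FORCE_COMMAND.equals(option.getName())) {
                return option.getStringValue();
            }
        }
        return null;
    }

    /**
     * Entries of every {@code source-address} critical option, split on commas and returned
     * verbatim: no syntax check of the address or CIDR strings is performed here.
     *
     * @return read-only set, empty if the option is absent
     */
    public Set<String> getSourceAddresses() {
        Set<String> addresses = new HashSet<>();
        for (CriticalOption option : this.criticalOptions) {
            if (OPTION_SOURCE_ADDRESS.equals(option.getName())) {
                StringTokenizer tokens = new StringTokenizer(option.getStringValue(), SOURCE_ADDRESS_SEPARATOR);
                while (tokens.hasMoreTokens()) {
                    addresses.add(tokens.nextToken());
                }
            }
        }
        return Collections.unmodifiableSet(addresses);
    }

    /**
     * End of validity as a Date. NOTE(review): {@code longValue() * 1000} wraps for very large
     * values (e.g. an all-ones "never expires" bound, if UnsignedInteger64 maps it to -1) — confirm
     * how callers treat such bounds before relying on this.
     */
    public Date getValidBefore() {
        return new Date(this.validBefore.longValue() * 1000);
    }

    /** Start of validity as a Date; same overflow caveat as {@link #getValidBefore()}. */
    public Date getValidAfter() {
        return new Date(this.validAfter.longValue() * 1000);
    }

    /** @return the serial number. */
    public UnsignedInteger64 getSerial() {
        return this.serial;
    }

    /** @return the key id. */
    public String getKeyId() {
        return this.keyId;
    }
}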
