package com.spotify.helios.client;

import ch.qos.logback.core.joran.action.Action;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.spotify.helios.client.tls.X509CertificateFactory;
import com.spotify.sshagentproxy.AgentProxy;
import com.spotify.sshagentproxy.Identity;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.net.ssl.HttpsURLConnection;
import org.apache.http.protocol.HTTP;
import org.apache.http.ssl.SSLContexts;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/helios/client/HttpsHandlers.class */
class HttpsHandlers {

    /**
     * Immutable pairing of a client certificate with the private key presented alongside it.
     *
     * <p>The constructor stores both references exactly as given. It performs no {@code null}
     * check and does not verify that the key actually corresponds to the certificate.
     */
    @VisibleForTesting
    /* loaded from: input_file:com/spotify/helios/client/HttpsHandlers$CertificateAndPrivateKey.class */
    protected static class CertificateAndPrivateKey {
        private final Certificate certificate;
        private final PrivateKey privateKey;

        /**
         * @param certificate the client certificate
         * @param privateKey the private key to present together with {@code certificate}
         */
        public CertificateAndPrivateKey(Certificate certificate, PrivateKey privateKey) {
            this.privateKey = privateKey;
            this.certificate = certificate;
        }

        /** Returns the certificate supplied at construction. */
        public Certificate getCertificate() {
            return certificate;
        }

        /** Returns the private key supplied at construction. */
        public PrivateKey getPrivateKey() {
            return privateKey;
        }

        /**
         * Adapts a {@code CertificateAndKeyPair} by keeping its certificate and only the private
         * half of its key pair.
         */
        static CertificateAndPrivateKey from(X509CertificateFactory.CertificateAndKeyPair certificateAndKeyPair) {
            final Certificate cert = certificateAndKeyPair.getCertificate();
            final PrivateKey key = certificateAndKeyPair.getKeyPair().getPrivate();
            return new CertificateAndPrivateKey(cert, key);
        }
    }

    /* loaded from: input_file:com/spotify/helios/client/HttpsHandlers$CertificateFileHttpsHandler.class */
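    /**
     * Handler that loads the client certificate and its private key from the two files named by a
     * {@link ClientCertificatePath}.
     *
     * <p>Only an unencrypted key is accepted: the PEM object read from the key file must be a
     * {@code PEMKeyPair} or a {@code PrivateKeyInfo}. The key therefore sits on disk in the clear,
     * and access to it depends entirely on the file's permissions.
     */
    static class CertificateFileHttpsHandler extends CertificateHttpsHandler {
        private final ClientCertificatePath clientCertificatePath;

        /**
         * @param str user name, forwarded to the superclass (must not be null or empty)
         * @param z forwarded to the superclass as its {@code failOnCertificateError} flag
         * @param clientCertificatePath locations of the certificate and key files; must not be null
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public CertificateFileHttpsHandler(String str, boolean z, ClientCertificatePath clientCertificatePath) {
            super(str, z);
            this.clientCertificatePath = Preconditions.checkNotNull(clientCertificatePath);
        }

        @VisibleForTesting
        protected ClientCertificatePath getClientCertificatePath() {
            return this.clientCertificatePath;
        }

        /**
         * Reads the X.509 certificate and the private key from disk.
         *
         * <p>Each file is opened in its own try-with-resources block, so a failure while closing a
         * stream is attached as a suppressed exception instead of replacing the original error.
         *
         * @return the certificate together with the decoded private key
         * @throws IOException if either file cannot be read or the key cannot be re-encoded
         * @throws GeneralSecurityException if the certificate cannot be parsed, or the key cannot
         *     be rebuilt as an RSA key
         * @throws UnsupportedOperationException if the key file does not start with a
         *     {@code PEMKeyPair} or {@code PrivateKeyInfo} object
         */
        @Override // com.spotify.helios.client.HttpsHandlers.CertificateHttpsHandler
        protected CertificateAndPrivateKey createCertificateAndPrivateKey() throws IOException, GeneralSecurityException {
            final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

            final Certificate certificate;
            try (InputStream certificateStream = Files.newInputStream(this.clientCertificatePath.getCertificatePath())) {
                certificate = certificateFactory.generateCertificate(certificateStream);
            }

            // Only the first PEM object in the key file is consulted.
            final Object pemObject;
            try (BufferedReader keyReader = Files.newBufferedReader(this.clientCertificatePath.getKeyPath(), Charset.defaultCharset())) {
                pemObject = new PEMParser(keyReader).readObject();
            }

            final PrivateKeyInfo privateKeyInfo;
            if (pemObject instanceof PEMKeyPair) {
                privateKeyInfo = ((PEMKeyPair) pemObject).getPrivateKeyInfo();
            } else if (pemObject instanceof PrivateKeyInfo) {
                privateKeyInfo = (PrivateKeyInfo) pemObject;
            } else {
                // NOTE(review): the message names the certificate, but this branch is reached when
                // the *key* file holds an unsupported object (or nothing at all). Being unchecked,
                // this exception also escapes the failOnCertificateError handling in handle(),
                // which catches only IOException and GeneralSecurityException.
                throw new UnsupportedOperationException("Unable to parse x509 certificate.");
            }

            // The algorithm is fixed to RSA; a key of any other type is rejected by generatePrivate.
            // Nothing here checks that the key matches the certificate read above.
            return new CertificateAndPrivateKey(
                    certificate,
                    KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded())));
        }

        /** Returns the string form of the configured certificate/key paths, used in log messages. */
        @Override // com.spotify.helios.client.HttpsHandlers.CertificateHttpsHandler
        protected String getCertificateSource() {
            return this.clientCertificatePath.toString();
        }
    }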

    /* loaded from: input_file:com/spotify/helios/client/HttpsHandlers$CertificateHttpsHandler.class */
    /**
     * Base for handlers that attach a client certificate to an {@link HttpsURLConnection}.
     *
     * <p>Subclasses supply the certificate and key; {@link #handle} wraps them in an in-memory
     * {@link KeyStore} and installs a socket factory built from it. The {@code failOnCertificateError}
     * flag decides what happens when the credential cannot be obtained: {@code true} aborts with an
     * exception, {@code false} logs a warning and leaves the connection without a client certificate.
     */
    protected static abstract class CertificateHttpsHandler implements HttpsHandler {
        private static final Logger log = LoggerFactory.getLogger(CertificateHttpsHandler.class);

        // Password for the key entry of the KeyStore assembled in handle(). That KeyStore is created
        // empty with load(null, null) and is never written out by this class, so the value protects
        // nothing at rest; it only has to be the same in setKeyEntry and loadKeyMaterial.
        private static final char[] KEY_STORE_PASSWORD = "FPLSlZQuM3ZCM3SjINSKuWyPK2HeS4".toCharArray();

        private final String user;
        private final boolean failOnCertificateError;

        /**
         * @param str user name; rejected with {@link IllegalArgumentException} when null or empty
         * @param z whether a failure to obtain the certificate should abort {@link #handle}
         */
        protected CertificateHttpsHandler(String str, boolean z) {
            final boolean hasUser = !Strings.isNullOrEmpty(str);
            Preconditions.checkArgument(hasUser);
            this.failOnCertificateError = z;
            this.user = str;
        }

        @VisibleForTesting
        protected String getUser() {
            return user;
        }

        /** Produces the certificate and private key to present to the server. */
        protected abstract CertificateAndPrivateKey createCertificateAndPrivateKey() throws IOException, GeneralSecurityException;

        /** Describes where the certificate comes from; used only in the warning log message. */
        protected abstract String getCertificateSource();

        /**
         * Installs a client-certificate socket factory on the given connection.
         *
         * <p>Only checked failures ({@link IOException}, {@link GeneralSecurityException}) from
         * {@link #createCertificateAndPrivateKey()} are subject to {@code failOnCertificateError}.
         * Unchecked exceptions from that call, and every failure while building the key store or
         * SSL context, always propagate to the caller.
         *
         * <p>This method loads key material only. It configures no trust material and does not
         * touch hostname verification, so server validation is whatever the connection and the
         * resulting context already use.
         */
        @Override // com.spotify.helios.client.HttpsHandler
        public void handle(HttpsURLConnection httpsURLConnection) {
            final CertificateAndPrivateKey material;
            try {
                material = createCertificateAndPrivateKey();
            } catch (IOException | GeneralSecurityException loadFailure) {
                if (failOnCertificateError) {
                    throw Throwables.propagate(loadFailure);
                }
                // Fail-open path: the request continues without a client certificate.
                log.warn("Error when setting up client certificates from {}. Error was '{}'. No certificate will be sent with request.", getCertificateSource(), loadFailure.toString());
                log.debug("full exception from setting up ClientCertificate follows", (Throwable) loadFailure);
                return;
            }

            final Certificate clientCertificate = material.certificate;
            final PrivateKey clientKey = material.privateKey;
            try {
                final KeyStore inMemoryStore = KeyStore.getInstance(KeyStore.getDefaultType());
                inMemoryStore.load(null, null);
                inMemoryStore.setCertificateEntry("client", clientCertificate);
                // NOTE(review): Action.KEY_ATTRIBUTE is a logback constant the decompiler substituted
                // for the key-entry alias; presumably the original source used a plain string - confirm.
                inMemoryStore.setKeyEntry(Action.KEY_ATTRIBUTE, clientKey, KEY_STORE_PASSWORD, new Certificate[]{clientCertificate});
                httpsURLConnection.setSSLSocketFactory(
                        SSLContexts.custom()
                                .useProtocol("TLS")
                                .loadKeyMaterial(inMemoryStore, KEY_STORE_PASSWORD)
                                .build()
                                .getSocketFactory());
            } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
                throw Throwables.propagate(e);
            }
        }
    }

    /* loaded from: input_file:com/spotify/helios/client/HttpsHandlers$SshAgentHttpsHandler.class */
    /**
     * Handler whose certificate and key come from {@code X509CertificateFactory.get}, called with
     * an ssh-agent proxy, one agent identity and the user name.
     */
    static class SshAgentHttpsHandler extends CertificateHttpsHandler {
        private final AgentProxy agentProxy;
        private final Identity identity;

        /**
         * @param str user name, forwarded to the superclass
         * @param z forwarded to the superclass as its {@code failOnCertificateError} flag
         * @param agentProxy ssh-agent proxy; must not be null
         * @param identity agent identity to use; must not be null
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public SshAgentHttpsHandler(String str, boolean z, AgentProxy agentProxy, Identity identity) {
            super(str, z);
            this.agentProxy = Preconditions.checkNotNull(agentProxy, "agentProxy");
            // HTTP.IDENTITY_CODING is a constant the decompiler substituted for the null-check
            // message; it has nothing to do with HTTP here.
            this.identity = Preconditions.checkNotNull(identity, HTTP.IDENTITY_CODING);
        }

        @VisibleForTesting
        protected AgentProxy getAgentProxy() {
            return agentProxy;
        }

        @VisibleForTesting
        protected Identity getIdentity() {
            return identity;
        }

        /**
         * Asks {@code X509CertificateFactory} for a certificate and key pair and keeps the
         * certificate plus the private key.
         *
         * <p>No checked exception is declared, so any failure thrown from here is unchecked and
         * is not caught by the {@code failOnCertificateError} handling in {@code handle()}.
         */
        @Override // com.spotify.helios.client.HttpsHandlers.CertificateHttpsHandler
        protected CertificateAndPrivateKey createCertificateAndPrivateKey() {
            final X509CertificateFactory.CertificateAndKeyPair generated =
                    X509CertificateFactory.get(agentProxy, identity, getUser());
            return CertificateAndPrivateKey.from(generated);
        }

        /** Returns a label built from the identity's comment, used in log messages. */
        @Override // com.spotify.helios.client.HttpsHandlers.CertificateHttpsHandler
        protected String getCertificateSource() {
            final String comment = identity.getComment();
            return "ssh-agent key: " + comment;
        }
    }

    /**
     * Package-private no-argument constructor. The class declares no fields or methods of its
     * own in this file; it only groups the nested handler types.
     */
    HttpsHandlers() {
    }
}
