package com.cloudbees.plugins.credentials.impl;

import com.cloudbees.plugins.credentials.CredentialsScope;
import com.cloudbees.plugins.credentials.CredentialsStore;
import com.cloudbees.plugins.credentials.SecretBytes;
import com.cloudbees.plugins.credentials.common.StandardCertificateCredentials;
import com.cloudbees.plugins.credentials.impl.BaseStandardCredentials;
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import hudson.Extension;
import hudson.RelativePath;
import hudson.Util;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Items;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.crypto.interfaces.DHPrivateKey;
import javax.security.auth.DestroyFailedException;
import jenkins.bouncycastle.api.PEMEncodable;
import jenkins.model.Jenkins;
import jenkins.security.FIPS140;
import net.jcip.annotations.GuardedBy;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.verb.POST;

/* loaded from: input_file:com/cloudbees/plugins/credentials/impl/CertificateCredentialsImpl.class */
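/**
 * Client certificate credentials: a private key plus certificate chain held in a
 * {@link KeyStore}, built on demand from a {@link KeyStoreSource} (an uploaded PKCS#12
 * blob or pasted PEM text) and protected by {@link #getPassword()}.
 *
 * <p>The key store is built lazily and cached per instance; see {@link #getKeyStore()}
 * for the caching and failure behaviour. Construction eagerly validates that the source
 * can be opened with the supplied password so that an unusable credential is never saved.
 */
public class CertificateCredentialsImpl extends BaseStandardCredentials implements StandardCertificateCredentials {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = Logger.getLogger(CertificateCredentialsImpl.class.getName());

    /** Where the key material comes from; never {@code null} (checked in the constructor). */
    private final KeyStoreSource keyStoreSource;

    /** Password protecting the key store / private key. May be empty, see {@link #isPasswordEmpty()}. */
    private final Secret password;

    /** Cached key store built from {@link #keyStoreSource}; {@code null} until first use. Guarded by {@code this}. */
    @CheckForNull
    @GuardedBy("this")
    private transient KeyStore keyStore;

    /** Source timestamp the cached {@link #keyStore} was built from. Guarded by {@code this}. */
    @GuardedBy("this")
    private transient long keyStoreLastModified;

    /**
     * Descriptor for the credential type itself (display name, icon and the password
     * form-validation endpoint).
     *
     * <p>NOTE(review): the {@code @QueryParameter} argument names in this file ({@code str},
     * {@code str2}, ...) look like decompiler placeholders. Stapler binds a query parameter by
     * the declared Java parameter name, so these must match the Jelly form field names; confirm
     * against the original source before relying on them.
     */
    @Extension(ordinal = -1.0d)
    @Symbol({"certificate"})
    public static class DescriptorImpl extends BaseStandardCredentials.BaseStandardCredentialsDescriptor {
        /** Passwords shorter than this are reported as weak (warning) or, in FIPS mode, rejected (error). */
        private static final int MIN_PASSWORD_LENGTH = 14;

        @NonNull
        public String getDisplayName() {
            return Messages.CertificateCredentialsImpl_DisplayName();
        }

        @Override
        public String getIconClassName() {
            return "icon-application-certificate";
        }

        /**
         * Validates the password entered in the form.
         *
         * <p>Rules, in priority order:
         * <ol>
         *   <li>FIPS 140 mode and fewer than {@value #MIN_PASSWORD_LENGTH} characters (including an
         *       empty password): error.</li>
         *   <li>Empty password: warning.</li>
         *   <li>Fewer than {@value #MIN_PASSWORD_LENGTH} characters: warning.</li>
         *   <li>Otherwise: ok.</li>
         * </ol>
         *
         * @param str the password as submitted (plain text or an encrypted {@link Secret} string)
         * @return the validation result; never {@code null}
         */
        @POST
        @Restricted({NoExternalUse.class})
        public FormValidation doCheckPassword(@QueryParameter String str) {
            String plainText = Secret.fromString(str).getPlainText();
            // FIPS mode turns a short password from a warning into a hard error.
            if (FIPS140.useCompliantAlgorithms() && plainText.length() < MIN_PASSWORD_LENGTH) {
                return FormValidation.error(Messages.CertificateCredentialsImpl_ShortPasswordFIPS());
            }
            if (plainText.isEmpty()) {
                return FormValidation.warning(Messages.CertificateCredentialsImpl_NoPassword());
            }
            if (plainText.length() < MIN_PASSWORD_LENGTH) {
                return FormValidation.warning(Messages.CertificateCredentialsImpl_ShortPassword());
            }
            return FormValidation.ok();
        }

        /** Delegates to the base descriptor; kept explicit because the listing exposes it as an override. */
        @Override
        public String getCheckIdUrl(CredentialsStore credentialsStore) throws UnsupportedEncodingException {
            return super.getCheckIdUrl(credentialsStore);
        }
    }

    /**
     * Strategy for obtaining the key store backing a {@link CertificateCredentialsImpl}.
     * Implementations turn their stored representation into a {@link KeyStore} on request.
     */
    public static abstract class KeyStoreSource extends AbstractDescribableImpl<KeyStoreSource> {
        /**
         * Legacy accessor for the raw key store bytes.
         *
         * @deprecated use {@link #toKeyStore(char[])}; the base implementation always throws.
         * @throws IllegalStateException always, unless a subclass overrides this method
         */
        @NonNull
        @Deprecated(forRemoval = true)
        public byte[] getKeyStoreBytes() {
            throw new IllegalStateException("Callers should use toKeyStore");
        }

        /**
         * Timestamp used by {@link CertificateCredentialsImpl#getKeyStore()} to decide whether the
         * cached key store must be rebuilt; a value larger than the cached one triggers a rebuild.
         */
        public abstract long getKeyStoreLastModified();

        /**
         * Builds a key store from this source.
         *
         * @param cArr the password protecting the key material, or {@code null} for none
         * @return a loaded key store; never {@code null}
         * @throws GeneralSecurityException if the material cannot be parsed or the password is wrong
         * @throws IOException if the material cannot be read or decoded
         */
        @NonNull
        public abstract KeyStore toKeyStore(@Nullable char[] cArr) throws GeneralSecurityException, IOException;

        /** @deprecated no longer consulted by this class; both built-in sources return {@code true}. */
        @Deprecated
        public boolean isSnapshotSource() {
            return false;
        }
    }

    /** Base descriptor for {@link KeyStoreSource} implementations, sharing key store validation. */
    public static abstract class KeyStoreSourceDescriptor extends Descriptor<KeyStoreSource> {
        /**
         * Checks that every entry of an already-loaded key store is readable.
         *
         * <p>Certificate entries are read, key entries are unlocked with {@code cArr}. The first
         * key entry that cannot be unlocked (or any key entry when no password was given) ends the
         * check with a warning. On success the message is the subject DN if one can be determined,
         * otherwise the comma-separated list of aliases.
         *
         * @param keyStore a loaded key store
         * @param cArr the key password, or {@code null} if none was supplied
         * @return warning for an empty or partially unreadable store, ok otherwise
         * @throws KeyStoreException if the store has not been initialised
         * @throws NoSuchAlgorithmException if a key's protection algorithm is unavailable
         */
        protected static FormValidation validateCertificateKeystore(KeyStore keyStore, char[] cArr) throws KeyStoreException, NoSuchAlgorithmException {
            if (keyStore.size() == 0) {
                return FormValidation.warning(Messages.CertificateCredentialsImpl_EmptyKeystore());
            }
            StringBuilder aliasList = new StringBuilder();
            boolean firstAlias = true;
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (firstAlias) {
                    firstAlias = false;
                } else {
                    aliasList.append(", ");
                }
                aliasList.append(alias);
                if (keyStore.isCertificateEntry(alias)) {
                    // Result intentionally unused: this only confirms the entry can be read.
                    keyStore.getCertificate(alias);
                } else if (keyStore.isKeyEntry(alias)) {
                    if (cArr == null) {
                        return FormValidation.warning(Messages.CertificateCredentialsImpl_LoadKeyFailedQueryEmptyPassword(alias));
                    }
                    try {
                        keyStore.getKey(alias, cArr);
                    } catch (UnrecoverableEntryException e) {
                        return FormValidation.warning(e, Messages.CertificateCredentialsImpl_LoadKeyFailed(alias));
                    }
                }
            }
            return FormValidation.ok(StringUtils.defaultIfEmpty(StandardCertificateCredentials.NameProvider.getSubjectDN(keyStore), aliasList.toString()));
        }

        protected KeyStoreSourceDescriptor() {
        }

        protected KeyStoreSourceDescriptor(Class<? extends KeyStoreSource> cls) {
            super(cls);
        }
    }

    /**
     * Key store source made of pasted PEM text: a certificate chain and exactly one private key.
     * Both fields are stored as {@link Secret}s; {@link #toString()} masks them.
     */
    public static class PEMEntryKeyStoreSource extends KeyStoreSource implements Serializable {
        private static final long serialVersionUID = 1;
        private final Secret certChain;
        private final Secret privateKey;

        @Extension
        public static class DescriptorImpl extends KeyStoreSourceDescriptor {
            @NonNull
            public String getDisplayName() {
                return Messages.CertificateCredentialsImpl_PEMEntryKeyStoreSourceDisplayName();
            }

            /**
             * Validates the pasted certificate chain: every PEM entry must decode to a certificate
             * and there must be at least one. On success the subject DN of the first certificate is
             * shown when it is an X.509 certificate.
             *
             * @param str the PEM text (plain or as an encrypted {@link Secret} string)
             * @return error if the text holds no certificates or non-certificate entries, or cannot be parsed
             */
            @POST
            @Restricted({NoExternalUse.class})
            public FormValidation doCheckCertChain(@QueryParameter String str) {
                try {
                    List<PEMEncodable> entries = PEMEncodable.decodeAll(Secret.fromString(str).getPlainText(), (char[]) null);
                    long certificateCount = entries.stream()
                            .map(PEMEncodable::toCertificate)
                            .filter(Objects::nonNull)
                            .count();
                    // Reject when nothing decoded to a certificate or when some entry is not one.
                    if (certificateCount < 1 || entries.size() != certificateCount) {
                        return FormValidation.error(Messages.CertificateCredentialsImpl_PEMNoCertificates());
                    }
                    Certificate first = entries.get(0).toCertificate();
                    if (first instanceof X509Certificate) {
                        return FormValidation.ok(((X509Certificate) first).getSubjectDN().getName());
                    }
                    return FormValidation.ok();
                } catch (IOException | UnrecoverableKeyException e) {
                    String reason = e.getMessage() != null ? e.getMessage() : "unknown reason";
                    return FormValidation.error(e, Messages.CertificateCredentialsImpl_PEMCertificateParsingError(reason));
                }
            }

            /**
             * Validates the pasted private key: the text must hold exactly one PEM entry and it must
             * be a private key decodable with the password from the enclosing form. On success the
             * key type and size are reported.
             *
             * @param str the PEM text (plain or as an encrypted {@link Secret} string)
             * @param str2 the credential password from the parent form, used to decrypt an encrypted key
             * @return error for no key, more than one key, extra non-key entries, or a parse failure
             */
            @POST
            @Restricted({NoExternalUse.class})
            public FormValidation doCheckPrivateKey(@QueryParameter String str, @RelativePath("..") @QueryParameter String str2) {
                try {
                    List<PEMEncodable> entries = PEMEncodable.decodeAll(Secret.fromString(str).getPlainText(), CertificateCredentialsImpl.toCharArray(Secret.fromString(str2)));
                    long keyCount = entries.stream()
                            .map(PEMEncodable::toPrivateKey)
                            .filter(Objects::nonNull)
                            .count();
                    if (keyCount == 0) {
                        return FormValidation.error(Messages.CertificateCredentialsImpl_PEMNoKeys());
                    }
                    if (keyCount > 1) {
                        return FormValidation.error(Messages.CertificateCredentialsImpl_PEMMultipleKeys());
                    }
                    if (entries.size() != 1) {
                        return FormValidation.error(Messages.CertificateCredentialsImpl_PEMNonKeys());
                    }
                    PrivateKey key = entries.get(0).toPrivateKey();
                    if (key == null) {
                        // Unreachable given the counts above; kept as a guard against a regression in decodeAll.
                        return FormValidation.error("there is a bug in the code, pk is null!");
                    }
                    String algorithm;
                    String strength;
                    if (key instanceof RSAPrivateKey) {
                        algorithm = "RSA";
                        strength = ((RSAKey) key).getModulus().bitLength() + " bit";
                    } else if (key instanceof ECPrivateKey) {
                        algorithm = "elliptic curve (EC)";
                        // bit length of the curve order, the usual measure of EC key size
                        strength = ((ECPrivateKey) key).getParams().getOrder().bitLength() + " bit";
                    } else if (key instanceof DSAPrivateKey) {
                        algorithm = "DSA";
                        strength = ((DSAPrivateKey) key).getParams().getP().bitLength() + " bit";
                    } else if (key instanceof DHPrivateKey) {
                        algorithm = "Diffie-Hellman";
                        strength = ((DHPrivateKey) key).getParams().getP().bitLength() + " bit";
                    } else {
                        algorithm = "unknown format (" + key.getClass() + ")";
                        strength = "unknown strength";
                    }
                    try {
                        key.destroy();
                    } catch (DestroyFailedException ignored) {
                        // Best effort only: most JDK key implementations do not support destroy().
                    }
                    return FormValidation.ok(Messages.CertificateCredentialsImpl_PEMKeyInfo(strength, algorithm));
                } catch (IOException | UnrecoverableKeyException e) {
                    return FormValidation.error(e, Messages.CertificateCredentialsImpl_PEMKeyParseError(e.getLocalizedMessage()));
                }
            }
        }

        /**
         * @param str PEM certificate chain text
         * @param str2 PEM private key text
         */
        @DataBoundConstructor
        public PEMEntryKeyStoreSource(String str, String str2) {
            this.certChain = Secret.fromString(str);
            this.privateKey = Secret.fromString(str2);
        }

        @Restricted({NoExternalUse.class})
        public Secret getCertChain() {
            return this.certChain;
        }

        @Restricted({NoExternalUse.class})
        public Secret getPrivateKey() {
            return this.privateKey;
        }

        /** Always {@code 0}: pasted text never changes after save, so the key store is built once. */
        @Override
        public long getKeyStoreLastModified() {
            return 0L;
        }

        @Override
        public boolean isSnapshotSource() {
            return true;
        }

        @Override
        public KeyStore toKeyStore(char[] cArr) throws NoSuchAlgorithmException, CertificateException, KeyStoreException, UnrecoverableKeyException, IOException {
            return toKeyStore(this.certChain.getPlainText(), this.privateKey.getPlainText(), cArr);
        }

        /**
         * Builds an in-memory key store holding one entry, alias {@code "keychain"}, from PEM text.
         *
         * @param str PEM certificate chain; entries that are not certificates are ignored
         * @param str2 PEM private key; must decode to exactly one entry, and that entry must be a private key
         * @param cArr password used to decrypt an encrypted key and to protect the resulting entry; may be {@code null}
         * @return a loaded key store of the JVM default type
         * @throws IOException if the key text does not hold exactly one private key, or the chain holds
         *         no certificate (a private key without a chain is rejected by {@link KeyStore#setKeyEntry}
         *         with an unchecked exception, which callers of this class do not handle)
         */
        protected static KeyStore toKeyStore(String str, String str2, char[] cArr) throws NoSuchAlgorithmException, CertificateException, KeyStoreException, UnrecoverableKeyException, IOException {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, ...) initialises an empty store without reading anything.
            keyStore.load(null, cArr);
            List<PEMEncodable> chainEntries = PEMEncodable.decodeAll(str, cArr);
            Certificate[] chain = chainEntries.stream()
                    .map(PEMEncodable::toCertificate)
                    .filter(Objects::nonNull)
                    .toArray(Certificate[]::new);
            List<PEMEncodable> keyEntries = PEMEncodable.decodeAll(str2, cArr);
            if (keyEntries.size() != 1) {
                throw new IOException("expected one key but got " + keyEntries.size());
            }
            PrivateKey key = keyEntries.get(0).toPrivateKey();
            if (key == null) {
                throw new IOException("the PEM entry is not a private key");
            }
            if (chain.length == 0) {
                throw new IOException("expected at least one certificate in the chain");
            }
            keyStore.setKeyEntry("keychain", key, cArr, chain);
            return keyStore;
        }

        /** Masks both secrets; safe to log. */
        public String toString() {
            return "PEMEntryKeyStoreSource{pemCertChain=******,pemKey=******}";
        }
    }

    /**
     * Key store source made of an uploaded PKCS#12 file, kept as {@link SecretBytes}.
     * Not available in FIPS 140 mode: the descriptor is not registered and every entry point
     * throws {@link IllegalStateException} (see {@link #ensureNotRunningInFIPSMode()}).
     */
    public static class UploadedKeyStoreSource extends KeyStoreSource implements Serializable {
        private static final long serialVersionUID = 1;

        /** Pre-{@link SecretBytes} representation (Base64 in a {@link Secret}); migrated by {@link #readResolve()}. */
        @CheckForNull
        @Deprecated
        private transient Secret uploadedKeystore;

        @CheckForNull
        private final SecretBytes uploadedKeystoreBytes;

        public static class DescriptorImpl extends KeyStoreSourceDescriptor {
            /** Sentinel the form submits when the previously saved key store should be kept unchanged. */
            public static final String DEFAULT_VALUE = UploadedKeyStoreSource.class.getName() + ".default-value";

            /** Registers the descriptor, except in FIPS mode where this source is unavailable. */
            @Extension
            @Restricted({NoExternalUse.class})
            public static KeyStoreSourceDescriptor extension() {
                if (FIPS140.useCompliantAlgorithms()) {
                    return null;
                }
                return new DescriptorImpl();
            }

            /**
             * Decodes the legacy Base64 {@link Secret} form of the key store.
             *
             * @return the decoded bytes, or an empty array for {@code null}
             * @throws IllegalArgumentException if the secret's plain text is not valid Base64
             */
            @NonNull
            public static byte[] toByteArray(@Nullable Secret secret) {
                if (secret == null) {
                    return new byte[0];
                }
                return Base64.getDecoder().decode(secret.getPlainText());
            }

            /**
             * Encodes key store bytes into the legacy Base64 {@link Secret} form.
             *
             * @deprecated the {@link SecretBytes} representation is used instead
             * @return {@code null} for {@code null} or empty input
             */
            @CheckForNull
            @Deprecated
            public static Secret toSecret(@Nullable byte[] bArr) {
                if (bArr == null || bArr.length == 0) {
                    return null;
                }
                return Secret.fromString(Base64.getEncoder().encodeToString(bArr));
            }

            @NonNull
            public String getDisplayName() {
                return Messages.CertificateCredentialsImpl_UploadedKeyStoreSourceDisplayName();
            }

            /**
             * Validates the uploaded key store field.
             *
             * <p>A freshly uploaded file ({@code str2}, Base64 from the upload widget) takes priority
             * so that re-uploads are validated. Otherwise {@code str} is the stored value: blank is an
             * error, the {@link #DEFAULT_VALUE} sentinel means "unchanged" and is accepted as-is, and
             * anything else is decoded as {@link SecretBytes} and opened with {@code str3}.
             *
             * <p>NOTE(review): the last branch decrypts a caller-supplied {@link SecretBytes} string and
             * reports alias / subject information about it; make sure this endpoint is only reachable
             * by users who may already read the credential.
             *
             * @param str the stored key store value or the {@link #DEFAULT_VALUE} sentinel
             * @param str2 Base64 of a newly uploaded file, or empty
             * @param str3 the key store password
             */
            @RequirePOST
            @Restricted({NoExternalUse.class})
            public FormValidation doCheckUploadedKeystore(@QueryParameter String str, @QueryParameter String str2, @QueryParameter String str3) {
                if (StringUtils.isNotEmpty(str2)) {
                    byte[] uploaded;
                    try {
                        uploaded = Base64.getDecoder().decode(str2.getBytes(StandardCharsets.UTF_8));
                    } catch (IllegalArgumentException e) {
                        // Malformed Base64 from the client is a validation failure, not a server error.
                        return FormValidation.error(e, Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                    }
                    return validateCertificateKeystore(uploaded, str3);
                }
                if (StringUtils.isBlank(str)) {
                    return FormValidation.error(Messages.CertificateCredentialsImpl_NoCertificateUploaded());
                }
                if (DEFAULT_VALUE.equals(str)) {
                    return FormValidation.ok();
                }
                byte[] plainData = SecretBytes.fromString(str).getPlainData();
                if (plainData == null || plainData.length == 0) {
                    return FormValidation.error(Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                }
                return validateCertificateKeystore(plainData, str3);
            }

            /**
             * Opens {@code bArr} as a PKCS#12 store with password {@code str} and checks its entries.
             * The password array is wiped before returning (the {@link String} it came from is not
             * under our control).
             *
             * @param bArr the raw key store bytes
             * @param str the password, empty for none
             * @return warning if the store is empty, cannot be opened, or has unreadable entries; ok otherwise
             * @throws IllegalStateException in FIPS mode
             */
            @NonNull
            protected static FormValidation validateCertificateKeystore(byte[] bArr, String str) {
                UploadedKeyStoreSource.ensureNotRunningInFIPSMode();
                if (bArr == null || bArr.length == 0) {
                    return FormValidation.warning(Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                }
                char[] password = CertificateCredentialsImpl.toCharArray(Secret.fromString(str));
                try {
                    KeyStore keyStore = KeyStore.getInstance("PKCS12");
                    keyStore.load(new ByteArrayInputStream(bArr), password);
                    return validateCertificateKeystore(keyStore, password);
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                    return FormValidation.warning(e, Messages.CertificateCredentialsImpl_LoadKeystoreFailed());
                } finally {
                    if (password != null) {
                        Arrays.fill(password, ' ');
                    }
                }
            }
        }

        /**
         * @deprecated legacy constructor taking the Base64 {@link Secret} form
         * @throws IllegalStateException in FIPS mode
         */
        @Deprecated
        public UploadedKeyStoreSource(String str) {
            ensureNotRunningInFIPSMode();
            this.uploadedKeystoreBytes = StringUtils.isBlank(str) ? null : SecretBytes.fromBytes(DescriptorImpl.toByteArray(Secret.fromString(str)));
        }

        /**
         * @deprecated use the {@link FileItem} constructor
         * @throws IllegalStateException in FIPS mode
         */
        @Deprecated
        public UploadedKeyStoreSource(@CheckForNull SecretBytes secretBytes) {
            ensureNotRunningInFIPSMode();
            this.uploadedKeystoreBytes = secretBytes;
        }

        /**
         * Form constructor. A non-empty uploaded file replaces the previously stored bytes that the
         * form resubmits; an absent or empty upload keeps them.
         *
         * @param fileItem the uploaded file, or {@code null}
         * @param secretBytes the previously stored key store, or {@code null}
         * @throws IllegalStateException in FIPS mode
         */
        @DataBoundConstructor
        public UploadedKeyStoreSource(FileItem fileItem, @CheckForNull SecretBytes secretBytes) {
            ensureNotRunningInFIPSMode();
            if (fileItem != null) {
                byte[] uploaded = fileItem.get();
                if (uploaded.length != 0) {
                    secretBytes = SecretBytes.fromBytes(uploaded);
                }
            }
            this.uploadedKeystoreBytes = secretBytes;
        }

        /**
         * Migrates persisted instances that only carry the legacy {@link #uploadedKeystore} field to
         * the {@link SecretBytes} representation. Refuses to load in FIPS mode.
         */
        private Object readResolve() throws ObjectStreamException {
            ensureNotRunningInFIPSMode();
            if (this.uploadedKeystore == null || this.uploadedKeystoreBytes != null) {
                return this;
            }
            return new UploadedKeyStoreSource(SecretBytes.fromBytes(DescriptorImpl.toByteArray(this.uploadedKeystore)));
        }

        public SecretBytes getUploadedKeystore() {
            return this.uploadedKeystoreBytes;
        }

        @Override
        @NonNull
        public byte[] getKeyStoreBytes() {
            return SecretBytes.getPlainData(this.uploadedKeystoreBytes);
        }

        /** Always {@code 0}: the bytes never change after save, so the key store is built once. */
        @Override
        public long getKeyStoreLastModified() {
            return 0L;
        }

        @Override
        public boolean isSnapshotSource() {
            return true;
        }

        /**
         * Opens the stored bytes as a PKCS#12 key store.
         *
         * @throws IllegalStateException in FIPS mode, naming the plugin that owns this class
         */
        @Override
        public KeyStore toKeyStore(char[] cArr) throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
            if (FIPS140.useCompliantAlgorithms()) {
                Class<?> cls = getClass();
                throw new IllegalStateException(cls.getName() + " is not FIPS compliant and can not be used when Jenkins is in FIPS mode. An issue should be filed against the plugin " + Jenkins.get().getPluginManager().whichPlugin(cls).getShortName() + " to ensure it is adapted to be able to work in this mode");
            }
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(new ByteArrayInputStream(getKeyStoreBytes()), cArr);
            return keyStore;
        }

        /** Masks the key store bytes; safe to log. */
        public String toString() {
            return "UploadedKeyStoreSource{uploadedKeystoreBytes=******}";
        }

        /** Guard used by every entry point: this source is not usable under FIPS 140. */
        private static void ensureNotRunningInFIPSMode() {
            if (FIPS140.useCompliantAlgorithms()) {
                throw new IllegalStateException("UploadedKeyStoreSource is not compliant with FIPS-140 and can not be used when Jenkins is in FIPS mode. This is an error in the calling code and an issue should be filed against the plugin that is calling to adapt to become FIPS compliant.");
            }
        }
    }

    /**
     * Creates the credential and eagerly verifies that the source can be opened with the password,
     * so an unusable credential is rejected at creation time rather than at first use.
     *
     * @param credentialsScope scope, or {@code null} for the default
     * @param str credential id, or {@code null} to generate one
     * @param str2 description
     * @param str3 key store password (plain text or encrypted {@link Secret} string)
     * @param keyStoreSource where the key material comes from; must not be {@code null}
     * @throws IllegalArgumentException if the key store cannot be built with this password
     * @throws NullPointerException if {@code keyStoreSource} is {@code null}
     */
    @DataBoundConstructor
    public CertificateCredentialsImpl(@CheckForNull CredentialsScope credentialsScope, @CheckForNull String str, @CheckForNull String str2, @CheckForNull String str3, @NonNull KeyStoreSource keyStoreSource) {
        super(credentialsScope, str, str2);
        Objects.requireNonNull(keyStoreSource);
        this.password = Secret.fromString(str3);
        this.keyStoreSource = keyStoreSource;
        // The key store built here is only a validity probe and is discarded; getKeyStore() rebuilds it
        // lazily. That makes it safe to wipe the password copy afterwards.
        char[] passwordChars = toCharArray(this.password);
        try {
            keyStoreSource.toKeyStore(passwordChars);
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalArgumentException("KeyStore is not valid.", e);
        } finally {
            if (passwordChars != null) {
                Arrays.fill(passwordChars, ' ');
            }
        }
    }

    /**
     * Converts a secret to the {@code char[]} form the key store APIs expect.
     *
     * @return a fresh array, or {@code null} when the secret is empty (no password)
     */
    @CheckForNull
    private static char[] toCharArray(@NonNull Secret secret) {
        String plainText = Util.fixEmpty(secret.getPlainText());
        return plainText == null ? null : plainText.toCharArray();
    }

    /**
     * Returns the key store, building it from the source on first use or when the source reports a
     * newer {@link KeyStoreSource#getKeyStoreLastModified()} (both built-in sources always report
     * {@code 0}, so they are built once per instance).
     *
     * <p>If the source cannot be opened, the failure is logged at WARNING (the source's
     * {@code toString()} masks secrets) and an <em>uninitialised</em> key store of the default type
     * is cached and returned instead of throwing, so most operations on it will fail with a
     * {@link KeyStoreException} rather than this method failing.
     *
     * <p>Thread-safe: synchronised on {@code this}, which guards {@link #keyStore} and
     * {@link #keyStoreLastModified}.
     *
     * @throws IllegalStateException if the JVM cannot even create an empty key store of the default type
     */
    @Override
    @NonNull
    public synchronized KeyStore getKeyStore() {
        long sourceLastModified = this.keyStoreSource.getKeyStoreLastModified();
        if (this.keyStore == null || this.keyStoreLastModified < sourceLastModified) {
            KeyStore built;
            try {
                built = this.keyStoreSource.toKeyStore(toCharArray(this.password));
            } catch (IOException | GeneralSecurityException e) {
                LogRecord logRecord = new LogRecord(Level.WARNING, "Credentials ID {0}: Could not load keystore from {1}");
                logRecord.setParameters(new Object[]{getId(), this.keyStoreSource});
                logRecord.setThrown(e);
                LOGGER.log(logRecord);
                // Fall back to an empty, never-loaded store so consumers get a KeyStore rather than an exception here.
                try {
                    built = KeyStore.getInstance(KeyStore.getDefaultType());
                } catch (KeyStoreException e2) {
                    throw new IllegalStateException("JVM can not create a KeyStore of the JVM Default Type (" + KeyStore.getDefaultType() + ")", e2);
                }
            }
            this.keyStore = built;
            this.keyStoreLastModified = sourceLastModified;
        }
        return this.keyStore;
    }

    @Override
    @NonNull
    public Secret getPassword() {
        return this.password;
    }

    /** {@code true} when no password was given (the key store is then opened with a {@code null} password). */
    public boolean isPasswordEmpty() {
        return StringUtils.isEmpty(this.password.getPlainText());
    }

    public KeyStoreSource getKeyStoreSource() {
        return this.keyStoreSource;
    }

    static {
        // Presumably makes a deserialisation failure of the source fail the whole credential instead of
        // silently yielding one with a null source -- TODO confirm against XStream2.addCriticalField.
        Items.XSTREAM2.addCriticalField(CertificateCredentialsImpl.class, "keyStoreSource");
    }
}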
