package net.snowflake.client.core;

import java.io.FileReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Date;
import java.util.Locale;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import net.snowflake.client.jdbc.ErrorCode;
import net.snowflake.client.jdbc.SnowflakeUtil;
import net.snowflake.client.jdbc.internal.apache.commons.codec.binary.Base64;
import net.snowflake.client.jdbc.internal.com.nimbusds.jose.JOSEException;
import net.snowflake.client.jdbc.internal.com.nimbusds.jose.JWSAlgorithm;
import net.snowflake.client.jdbc.internal.com.nimbusds.jose.JWSHeader;
import net.snowflake.client.jdbc.internal.com.nimbusds.jose.crypto.RSASSASigner;
import net.snowflake.client.jdbc.internal.com.nimbusds.jwt.JWTClaimsSet;
import net.snowflake.client.jdbc.internal.com.nimbusds.jwt.SignedJWT;
import net.snowflake.client.jdbc.internal.google.common.base.Strings;
import net.snowflake.client.jdbc.internal.org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import net.snowflake.client.jdbc.internal.org.bouncycastle.openssl.PEMKeyPair;
import net.snowflake.client.jdbc.internal.org.bouncycastle.openssl.PEMParser;
import net.snowflake.client.jdbc.internal.org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import net.snowflake.client.jdbc.internal.org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import net.snowflake.client.jdbc.internal.org.bouncycastle.operator.OperatorCreationException;
import net.snowflake.client.jdbc.internal.org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import net.snowflake.client.jdbc.internal.org.bouncycastle.pkcs.PKCSException;
import net.snowflake.client.jdbc.internal.org.bouncycastle.util.io.pem.PemReader;
import net.snowflake.client.log.SFLogger;
import net.snowflake.client.log.SFLoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:net/snowflake/client/core/SessionUtilKeyPair.class */
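/**
 * Holds an RSA key pair together with an account and user name, and issues RS256-signed JWTs
 * whose issuer claim embeds the SHA-256 fingerprint of the public key.
 *
 * <p>The private key is either supplied directly or loaded from a PEM file. The public key is
 * always re-derived from the private key's modulus and public exponent, which is why only
 * {@link RSAPrivateCrtKey} instances are accepted.
 *
 * <p>If a security provider named {@code SecurityUtil.BOUNCY_CASTLE_FIPS_PROVIDER} is registered
 * with the JVM, every {@code KeyFactory}/{@code SecretKeyFactory} lookup made here is pinned to
 * that provider.
 */
public class SessionUtilKeyPair {
    static final SFLogger logger = SFLoggerFactory.getLogger(SessionUtilKeyPair.class);

    private static final String ISSUER_FMT = "%s.%s.%s";
    private static final String SUBJECT_FMT = "%s.%s";
    private static final int JWT_DEFAULT_AUTH_TIMEOUT = 10;

    /** Lifetime of every issued token: {@code exp} is set this many milliseconds after {@code iat}. */
    private static final long JWT_LIFETIME_MILLIS = 60000L;

    private final String userName;
    private final String accountName;
    private final PrivateKey privateKey;
    private final PublicKey publicKey;
    private final boolean isFipsMode;
    private final Provider securityProvider;
    private final boolean isBouncyCastleProviderEnabled;

    /**
     * Creates the helper from either an in-memory private key or a PEM key file, never both.
     *
     * @param privateKey in-memory private key, or {@code null} when a key file is given
     * @param str path of the PEM private key file, or {@code null}/empty when {@code privateKey} is given
     * @param str2 passphrase of the key file; {@code null}/empty means the file is treated as unencrypted
     *     on the JDK parsing path
     * @param str3 account name; stored upper-cased
     * @param str4 user name; stored upper-cased
     * @throws SFException if both key sources are given, the key file cannot be read or decrypted,
     *     the key is not an {@link RSAPrivateCrtKey}, or the public key cannot be derived
     */
    public SessionUtilKeyPair(PrivateKey privateKey, String str, String str2, String str3, String str4) throws SFException {
        // Locale.ROOT keeps the JWT identity claims stable on JVMs whose default locale has special
        // casing rules (e.g. Turkish dotted/dotless i); the default-locale form could yield a
        // different subject/issuer for the same account and user.
        this.userName = str4.toUpperCase(Locale.ROOT);
        this.accountName = str3.toUpperCase(Locale.ROOT);

        String bouncyCastleFlag = System.getProperty(SecurityUtil.ENABLE_BOUNCYCASTLE_PROVIDER_JVM);
        this.isBouncyCastleProviderEnabled =
                bouncyCastleFlag != null
                        && bouncyCastleFlag.equalsIgnoreCase(net.snowflake.client.jdbc.internal.microsoft.azure.storage.Constants.TRUE);

        // FIPS mode is inferred purely from the presence of the FIPS provider in the JVM.
        Provider fipsProvider = null;
        for (Provider candidate : Security.getProviders()) {
            if (SecurityUtil.BOUNCY_CASTLE_FIPS_PROVIDER.equals(candidate.getName())) {
                fipsProvider = candidate;
                break;
            }
        }
        this.securityProvider = fipsProvider;
        this.isFipsMode = fipsProvider != null;

        boolean hasKeyFile = !Strings.isNullOrEmpty(str);
        if (hasKeyFile && privateKey != null) {
            throw new SFException(ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, "Cannot have both private key value and private key file.");
        }
        this.privateKey = hasKeyFile ? extractPrivateKeyFromFile(str, str2) : privateKey;

        // The CRT form carries the public exponent, which is needed to rebuild the public key below.
        // This check also rejects a null key (neither source supplied).
        if (!(this.privateKey instanceof RSAPrivateCrtKey)) {
            throw new SFException(ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, "Use java.security.interfaces.RSAPrivateCrtKey.class for the private key");
        }
        this.publicKey = derivePublicKey((RSAPrivateCrtKey) this.privateKey);
    }

    /** Rebuilds the RSA public key from the modulus and public exponent of the private key. */
    private PublicKey derivePublicKey(RSAPrivateCrtKey crtKey) throws SFException {
        try {
            return getKeyFactoryInstance().generatePublic(new RSAPublicKeySpec(crtKey.getModulus(), crtKey.getPublicExponent()));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new SFException(e, ErrorCode.INTERNAL_ERROR, "Error retrieving public key");
        }
    }

    /** Returns an RSA {@link KeyFactory}, pinned to the FIPS provider when one was detected. */
    private KeyFactory getKeyFactoryInstance() throws NoSuchAlgorithmException {
        if (this.isFipsMode) {
            return KeyFactory.getInstance("RSA", this.securityProvider);
        }
        return KeyFactory.getInstance("RSA");
    }

    /** Returns a {@link SecretKeyFactory} for {@code algorithm}, pinned to the FIPS provider when detected. */
    private SecretKeyFactory getSecretKeyFactory(String algorithm) throws NoSuchAlgorithmException {
        if (this.isFipsMode) {
            return SecretKeyFactory.getInstance(algorithm, this.securityProvider);
        }
        return SecretKeyFactory.getInstance(algorithm);
    }

    /**
     * Loads the private key from a PEM file, using Bouncy Castle when the JVM flag enables it and
     * the JDK parsers otherwise.
     *
     * @throws SFException with {@code INVALID_OR_UNSUPPORTED_PRIVATE_KEY} if the file cannot be
     *     read, parsed or decrypted
     */
    private PrivateKey extractPrivateKeyFromFile(String keyFilePath, String passphrase) throws SFException {
        if (this.isBouncyCastleProviderEnabled) {
            try {
                return extractPrivateKeyWithBouncyCastle(keyFilePath, passphrase);
            } catch (IOException | OperatorCreationException | PKCSException e) {
                logger.error("Could not extract private key using Bouncy Castle provider", e);
                throw new SFException(e, ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, e.getCause());
            }
        }
        try {
            return extractPrivateKeyWithJdk(keyFilePath, passphrase);
        } catch (IOException | IllegalArgumentException | NullPointerException | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException e2) {
            logger.error("Could not extract private key. Try setting the JVM argument: -D{}=TRUE", SecurityUtil.ENABLE_BOUNCYCASTLE_PROVIDER_JVM);
            throw new SFException(e2, ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, keyFilePath + ": " + e2.getMessage());
        }
    }

    /**
     * Builds and signs a JWT for this account/user.
     *
     * <p>Claims: {@code sub = ACCOUNT.USER}, {@code iss = ACCOUNT.USER.SHA256:<fingerprint>},
     * {@code iat = now}, {@code exp = now + 60 s}. The token is signed with RS256.
     *
     * @return the compact serialization of the signed token
     * @throws SFException if the fingerprint cannot be computed or signing fails
     */
    public String issueJwtToken() throws SFException {
        String subject = String.format(SUBJECT_FMT, this.accountName, this.userName);
        String issuer = String.format(ISSUER_FMT, this.accountName, this.userName, calculatePublicKeyFingerprint(this.publicKey));
        Date issuedAt = new Date(System.currentTimeMillis());
        Date expiresAt = new Date(issuedAt.getTime() + JWT_LIFETIME_MILLIS);

        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(issuer)
                .subject(subject)
                .issueTime(issuedAt)
                .expirationTime(expiresAt)
                .build();
        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        try {
            signedJWT.sign(new RSASSASigner(this.privateKey));
            // Only the claims are logged. The serialized token is a bearer credential until it
            // expires and must stay out of the logs.
            logger.debug("JWT:\n'{'\niss: {}\nsub: {}\niat: {}\nexp: {}\n'}'", issuer, subject, String.valueOf(issuedAt.getTime() / 1000), String.valueOf(expiresAt.getTime() / 1000));
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new SFException(e, ErrorCode.FAILED_TO_GENERATE_JWT, new Object[0]);
        }
    }

    /** Returns {@code "SHA256:"} followed by the Base64 SHA-256 digest of the key's encoded form. */
    private String calculatePublicKeyFingerprint(PublicKey publicKey) throws SFException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(publicKey.getEncoded());
            return "SHA256:" + Base64.encodeBase64String(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new SFException(e, ErrorCode.INTERNAL_ERROR, "Error when calculating fingerprint");
        }
    }

    /**
     * Returns the JWT authentication timeout from the {@code JWT_AUTH_TIMEOUT} environment
     * variable, or the default of 10 when the variable is unset or is not a valid integer.
     *
     * @return the configured timeout, or the default
     */
    public static int getTimeout() {
        String configured = SnowflakeUtil.systemGetEnv("JWT_AUTH_TIMEOUT");
        if (configured == null) {
            return JWT_DEFAULT_AUTH_TIMEOUT;
        }
        try {
            return Integer.parseInt(configured);
        } catch (NumberFormatException e) {
            // A malformed environment value must not abort login with an unchecked exception.
            logger.warn("Ignoring non-numeric JWT_AUTH_TIMEOUT value '{}'; using default {}", configured, JWT_DEFAULT_AUTH_TIMEOUT);
            return JWT_DEFAULT_AUTH_TIMEOUT;
        }
    }

    /**
     * Parses the PEM file with Bouncy Castle. Accepts an encrypted PKCS#8 key, a PEM key pair or
     * an unencrypted {@code PrivateKeyInfo}.
     *
     * @throws PKCSException if the file is encrypted but no passphrase was supplied, if the first
     *     PEM object is missing or of an unsupported type, or if decryption fails
     */
    private PrivateKey extractPrivateKeyWithBouncyCastle(String keyFilePath, String passphrase) throws IOException, PKCSException, OperatorCreationException {
        PrivateKeyInfo privateKeyInfo;
        // try-with-resources releases the key file even when parsing or decryption throws.
        try (PEMParser pemParser = new PEMParser(new FileReader(Paths.get(keyFilePath).toFile()))) {
            Object pemObject = pemParser.readObject();
            if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {
                if (passphrase == null) {
                    // The caller of this path does not catch NullPointerException, so fail with a
                    // typed error it does map to INVALID_OR_UNSUPPORTED_PRIVATE_KEY.
                    throw new PKCSException("Private key file is encrypted but no passphrase was provided");
                }
                char[] passphraseChars = passphrase.toCharArray();
                try {
                    privateKeyInfo = ((PKCS8EncryptedPrivateKeyInfo) pemObject)
                            .decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passphraseChars));
                } finally {
                    // Best effort: wipes this copy only; the passphrase String itself stays on the heap.
                    Arrays.fill(passphraseChars, '\0');
                }
            } else if (pemObject instanceof PEMKeyPair) {
                privateKeyInfo = ((PEMKeyPair) pemObject).getPrivateKeyInfo();
            } else if (pemObject instanceof PrivateKeyInfo) {
                privateKeyInfo = (PrivateKeyInfo) pemObject;
            } else {
                // Previously a null PrivateKeyInfo was handed to the converter in this case.
                throw new PKCSException("Private key file does not contain a supported PEM private key object");
            }
        }
        String providerName = this.isFipsMode ? SecurityUtil.BOUNCY_CASTLE_FIPS_PROVIDER : "BC";
        return new JcaPEMKeyConverter().setProvider(providerName).getPrivateKey(privateKeyInfo);
    }

    /**
     * Parses the PEM file with JDK classes only. A {@code null} or empty passphrase selects the
     * unencrypted PKCS#8 path; anything else selects the encrypted path.
     */
    private PrivateKey extractPrivateKeyWithJdk(String keyFilePath, String passphrase) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        // Decoded with the platform default charset, as before.
        String pemText = new String(Files.readAllBytes(Paths.get(keyFilePath)));
        return generatePrivateKey(!Strings.isNullOrEmpty(passphrase), pemText, passphrase);
    }

    /**
     * Converts PEM text into a private key.
     *
     * @param isEncrypted {@code true} to treat the PEM content as a password-encrypted PKCS#8 blob
     * @param pemText the PEM document
     * @param passphrase the decryption passphrase; only read when {@code isEncrypted} is true
     */
    private PrivateKey generatePrivateKey(boolean isEncrypted, String pemText, String passphrase) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
        byte[] der;
        try (PemReader pemReader = new PemReader(new StringReader(pemText))) {
            // A document without a PEM object dereferences null here; the caller maps the
            // resulting NullPointerException to INVALID_OR_UNSUPPORTED_PRIVATE_KEY.
            der = pemReader.readPemObject().getContent();
        }
        if (!isEncrypted) {
            return getKeyFactoryInstance().generatePrivate(new PKCS8EncodedKeySpec(der));
        }

        EncryptedPrivateKeyInfo encryptedInfo = new EncryptedPrivateKeyInfo(der);
        char[] passphraseChars = passphrase.toCharArray();
        PBEKeySpec pbeKeySpec = new PBEKeySpec(passphraseChars);
        try {
            return getKeyFactoryInstance().generatePrivate(
                    encryptedInfo.getKeySpec(getSecretKeyFactory(encryptedInfo.getAlgName()).generateSecret(pbeKeySpec)));
        } finally {
            // Best effort: wipes the copies made here; the passphrase String itself stays on the heap.
            pbeKeySpec.clearPassword();
            Arrays.fill(passphraseChars, '\0');
        }
    }
}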
