package org.opendaylight.netconf.transport.ssh;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Objects;
import java.util.concurrent.ThreadLocalRandom;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.ECPublicKeyParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.util.OpenSSHPublicKeyUtil;
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.opendaylight.netconf.shaded.sshd.common.signature.SignatureECDSA;
import org.opendaylight.netconf.shaded.sshd.common.signature.SignatureRSASHA256;
import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;

/* loaded from: input_file:org/opendaylight/netconf/transport/ssh/KeyUtils.class */
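/**
 * Static helpers that turn configured key and certificate bytes into JCA objects and check that
 * the pieces of a configured identity belong together.
 *
 * <p>Key and certificate factories are looked up in the BouncyCastle provider, which the static
 * initializer registers. Every failure is reported as {@link UnsupportedConfigurationException} so
 * that callers handle bad key material as a configuration problem.
 *
 * <p>This is decompiled source: the decompiler reports that the static methods were package-private
 * in the original class and widened them to {@code public}.
 */
final class KeyUtils {
    static final String RSA_ALGORITHM = "RSA";
    static final String EC_ALGORITHM = "EC";
    private static final String BC = "BC";

    static {
        // The factories below name the "BC" provider explicitly, so it must be registered first.
        Security.addProvider(new BouncyCastleProvider());
    }

    private KeyUtils() {
        // utility class, not instantiable
    }

    /**
     * Decodes a single X.509 certificate.
     *
     * @param bArr encoded certificate bytes
     * @return the decoded certificate, never {@code null}
     * @throws UnsupportedConfigurationException if the bytes cannot be decoded as an X.509 certificate
     */
    public static X509Certificate buildX509Certificate(byte[] bArr) throws UnsupportedConfigurationException {
        final Certificate certificate;
        try (ByteArrayInputStream input = new ByteArrayInputStream(bArr)) {
            certificate = CertificateFactory.getInstance("X.509", BC).generateCertificate(input);
        } catch (IOException | NoSuchProviderException | CertificateException e) {
            throw new UnsupportedConfigurationException("Cannot read certificate", e);
        }
        // A factory may hand back null (for example on empty input) instead of throwing. Reject
        // that here rather than letting a null certificate reach later trust decisions.
        if (!(certificate instanceof X509Certificate)) {
            throw new UnsupportedConfigurationException("Cannot read certificate");
        }
        return (X509Certificate) certificate;
    }

    /**
     * Builds a private key from its PKCS#8 encoding.
     *
     * @param str key algorithm name passed to {@link KeyFactory}, e.g. {@link #RSA_ALGORITHM}
     * @param bArr PKCS#8 encoded key bytes
     * @return the private key
     * @throws UnsupportedConfigurationException if the algorithm is unavailable or the encoding is invalid
     */
    public static PrivateKey buildPrivateKey(String str, byte[] bArr) throws UnsupportedConfigurationException {
        try {
            return KeyFactory.getInstance(str, BC).generatePrivate(new PKCS8EncodedKeySpec(bArr));
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            // Only the algorithm name goes into the message; the key bytes never do.
            throw new UnsupportedConfigurationException("Cannot build private key for " + str, e);
        }
    }

    /**
     * Builds a public key from its X.509 (SubjectPublicKeyInfo) encoding.
     *
     * @param str key algorithm name passed to {@link KeyFactory}, e.g. {@link #EC_ALGORITHM}
     * @param bArr X.509 encoded key bytes
     * @return the public key
     * @throws UnsupportedConfigurationException if the algorithm is unavailable or the encoding is invalid
     */
    public static PublicKey buildX509PublicKey(String str, byte[] bArr) throws UnsupportedConfigurationException {
        try {
            return KeyFactory.getInstance(str, BC).generatePublic(new X509EncodedKeySpec(bArr));
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            throw new UnsupportedConfigurationException("Cannot build public key for " + str, e);
        }
    }

    /**
     * Builds an RSA or EC public key from its OpenSSH wire encoding.
     *
     * @param bArr OpenSSH-encoded public key bytes
     * @return the public key, re-encoded through SubjectPublicKeyInfo
     * @throws UnsupportedConfigurationException if the bytes cannot be parsed or the key is neither
     *         an RSA nor an EC public key
     */
    public static PublicKey buildPublicKeyFromSshEncoding(byte[] bArr) throws UnsupportedConfigurationException {
        try {
            final AsymmetricKeyParameter parsed = OpenSSHPublicKeyUtil.parsePublicKey(bArr);
            final byte[] encoded = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(parsed).getEncoded();
            if (parsed instanceof RSAKeyParameters && !parsed.isPrivate()) {
                return buildX509PublicKey(RSA_ALGORITHM, encoded);
            }
            if (parsed instanceof ECPublicKeyParameters && !parsed.isPrivate()) {
                return buildX509PublicKey(EC_ALGORITHM, encoded);
            }
            throw new UnsupportedConfigurationException(
                "Invalid OpenSSH public key; Expected RSA or EC public key; Current:" + parsed);
        } catch (IOException | IllegalArgumentException | IllegalStateException e) {
            // The OpenSSH parser can signal truncated or malformed input with unchecked
            // exceptions. Map those to the configuration exception too, so bad input is rejected
            // through the declared error path instead of escaping as a runtime failure.
            throw new UnsupportedConfigurationException("Cannot parse OpenSSH public key", e);
        }
    }

    /**
     * Checks that a public and a private key form a pair, by signing random data with the private
     * key and verifying the signature with the public key.
     *
     * @param publicKey public half of the pair
     * @param privateKey private half of the pair; must be an RSA or EC key
     * @throws UnsupportedConfigurationException if the private key type is unsupported, the
     *         signature round trip fails, or the signature does not verify
     */
    public static void validateKeyPair(PublicKey publicKey, PrivateKey privateKey) throws UnsupportedConfigurationException {
        final String algorithm;
        if (privateKey instanceof RSAPrivateKey) {
            algorithm = SignatureRSASHA256.ALGORITHM;
        } else if (privateKey instanceof ECPrivateKey) {
            algorithm = SignatureECDSA.SignatureECDSA256.DEFAULT_ALGORITHM;
        } else {
            // Report the algorithm name only. toString() of a private key is provider-defined and
            // may render key material, which must not end up in exception messages or logs.
            throw new UnsupportedConfigurationException(
                "Unsupported key type " + (privateKey == null ? "null" : privateKey.getAlgorithm()));
        }
        try {
            // The payload only has to be arbitrary: this is a local sign/verify round trip, not a
            // challenge sent to a peer, so a non-cryptographic random source is sufficient.
            final byte[] payload = new byte[1024];
            ThreadLocalRandom.current().nextBytes(payload);

            final Signature signature = Signature.getInstance(algorithm);
            signature.initSign(privateKey);
            signature.update(payload);
            final byte[] signed = signature.sign();

            signature.initVerify(publicKey);
            signature.update(payload);
            if (!signature.verify(signed)) {
                throw new UnsupportedConfigurationException("Private key mismatches Public key");
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new UnsupportedConfigurationException("Key pair validation failed", e);
        }
    }

    /**
     * Checks that a certificate carries the given public key.
     *
     * <p>This only compares keys. It does not validate the certificate itself: no chain, validity
     * period or revocation check happens here.
     *
     * @param publicKey expected public key
     * @param certificate certificate whose subject key is compared; must not be {@code null}
     * @throws UnsupportedConfigurationException if the certificate's key differs from {@code publicKey}
     */
    public static void validatePublicKey(PublicKey publicKey, Certificate certificate) throws UnsupportedConfigurationException {
        // NOTE(review): equality relies on the equals() of the key implementations. Confirm that
        // both keys come from the same provider, or compare getEncoded() instead.
        if (!Objects.equals(publicKey, certificate.getPublicKey())) {
            throw new UnsupportedConfigurationException("Certificate mismatches Public key");
        }
    }
}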
