package org.elasticsearch.xpack.security.cli;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import javax.security.auth.x500.X500Principal;
import joptsimple.OptionException;
import joptsimple.OptionParser;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import joptsimple.OptionSpecBuilder;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptor;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cli.MultiCommand;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cli.EnvironmentAwareCommand;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.ssl.PemUtils;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool.class */
public class CertificateTool extends MultiCommand {
    private static final String AUTO_GEN_CA_DN = "CN=Elastic Certificate Tool Autogenerated CA";
    private static final String DESCRIPTION = "Simplifies certificate creation for use with the Elastic Stack";
    private static final String DEFAULT_CSR_ZIP = "csr-bundle.zip";
    private static final String DEFAULT_CERT_ZIP = "certificate-bundle.zip";
    private static final String DEFAULT_CA_ZIP = "elastic-stack-ca.zip";
    private static final String DEFAULT_CA_P12 = "elastic-stack-ca.p12";
    private static final BouncyCastleProvider BC_PROV;
    static final String DEFAULT_CERT_NAME = "instance";
    private static final CharsetEncoder ASCII_ENCODER;
    private static final int DEFAULT_DAYS = 1095;
    private static final int FILE_EXTENSION_LENGTH = 4;
    static final int MAX_FILENAME_LENGTH = 251;
    private static final Pattern ALLOWED_FILENAME_CHAR_PATTERN;
    private static final int DEFAULT_KEY_SIZE = 2048;
    static final String OLD_OPENSSL_VERSION = "1.1.0";
    static final int MAX_PASSWORD_OLD_OPENSSL = 50;
    static final String INTRO_TEXT = "This tool assists you in the generation of X.509 certificates and certificate\nsigning requests for use with SSL/TLS in the Elastic stack.";
    static final String INSTANCE_EXPLANATION;
    static final String CA_EXPLANATION;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CAInfo.class */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CAInfo.class */
    /**
     * The certificate authority a command works with: its certificate and private key, whether the tool created it
     * in this run (as opposed to loading it from disk), and the password protecting its private key.
     * {@code password} is kept as a {@code char[]} so that callers can wipe it after use; it may be {@code null}
     * or empty, which the key writers treat as "write the key unencrypted".
     */
    public static class CAInfo {
        final CertificateAndKey certAndKey;
        final boolean generated;
        final char[] password;

        /**
         * Wraps an existing (loaded, not generated) CA that has no password attached.
         *
         * @param caCert the CA certificate
         * @param caKey  the CA private key
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public CAInfo(X509Certificate caCert, PrivateKey caKey) {
            this(caCert, caKey, false, null);
        }

        /**
         * @param caCert    the CA certificate
         * @param caKey     the CA private key
         * @param generated {@code true} when this tool generated the CA in the current run
         * @param password  the private-key password, or {@code null} when there is none; stored by reference
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public CAInfo(X509Certificate caCert, PrivateKey caKey, boolean generated, char[] password) {
            this.generated = generated;
            this.password = password;
            this.certAndKey = new CertificateAndKey(caCert, caKey);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateAndKey.class */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateAndKey.class */
    /**
     * An X.509 certificate paired with the private key that matches its public key.
     * Plain holder: no validation is performed and either value may be {@code null}.
     */
    public static class CertificateAndKey {
        final X509Certificate cert;
        final PrivateKey key;

        /**
         * @param certificate the certificate
         * @param privateKey  the private key belonging to {@code certificate}
         */
        CertificateAndKey(X509Certificate certificate, PrivateKey privateKey) {
            this.key = privateKey;
            this.cert = certificate;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateAuthorityCommand.class */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateAuthorityCommand.class */
    /**
     * The 'ca' sub-command: generates a brand-new certificate authority (certificate plus private key) and writes
     * it as a single PKCS#12 file or, when {@code pem} is given, as a zip holding PEM files.
     * It registers the shared generation options ({@code pem}, {@code days}) and {@code ca-dn}; because this mode
     * produces exactly one private key, the generic output password option is reused as the CA key password.
     */
    static class CertificateAuthorityCommand extends CertificateCommand {
        private static final String[] BANNER = {
            CertificateTool.INTRO_TEXT,
            "",
            "The 'ca' mode generates a new 'certificate authority'",
            "This will create a new X.509 certificate and private key that can be used",
            "to sign certificate when running in 'cert' mode.",
            "",
            "Use the 'ca-dn' option if you wish to configure the 'distinguished name'",
            "of the certificate authority",
            "",
            "By default the 'ca' mode produces a single PKCS#12 output file which holds:",
            "    * The CA certificate",
            "    * The CA's private key",
            "",
            "If you elect to generate PEM format certificates (the -pem option), then the output will",
            "be a zip file containing individual files for the CA certificate and private key",
            "" };

        CertificateAuthorityCommand() {
            super("generate a new local certificate authority");
            acceptCertificateGenerationOptions();
            acceptsCertificateAuthorityName();
            // Only one key is produced, so 'pass' is the CA private-key password.
            caPasswordSpec = outputPasswordSpec;
        }

        /**
         * Prints the mode banner, generates the CA and writes it to the output path (prompting for the path when
         * {@code out} was not given).
         */
        @Override
        public void execute(Terminal terminal, OptionSet options, Environment env, ProcessInfo processInfo) throws Exception {
            for (String line : BANNER) {
                terminal.println(line);
            }
            CAInfo ca = generateCA(terminal, options);
            boolean pem = usePemFormat(options);
            String defaultFileName = pem ? CertificateTool.DEFAULT_CA_ZIP : CertificateTool.DEFAULT_CA_P12;
            Path output = resolveOutputPath(terminal, options, defaultFileName);
            writeCertificateAuthority(output, ca, pem, terminal);
        }

        /**
         * Writes the CA either as a zip of PEM files (certificate and, possibly encrypted, private key) or as a
         * PKCS#12 keystore protected by the CA password.
         *
         * @param output   the file to create; its parent directory is checked first
         * @param ca       the CA material to write
         * @param pem      {@code true} for the PEM zip, {@code false} for PKCS#12
         * @param terminal used for password prompts and messages
         */
        private void writeCertificateAuthority(Path output, CAInfo ca, boolean pem, Terminal terminal) throws Exception {
            CertificateTool.checkDirectory(output, terminal);
            if (pem == false) {
                String fileName = output.getFileName().toString();
                CertificateTool.fullyWriteFile(output, out -> writePkcs12(fileName, out, "ca", ca.certAndKey, null, ca.password, terminal));
                return;
            }
            // true: the private key goes into the zip next to the certificate.
            CertificateTool.fullyWriteZipFile(output, (zip, pemWriter) -> writeCAInfo(zip, pemWriter, ca, true));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateCommand.class */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateCommand.class */
    /**
     * Base class for the 'ca' and 'cert' sub-commands.
     * <p>
     * It declares the command-line options the sub-commands share, obtains CA material (loaded from a PKCS#12 file,
     * loaded from PEM files, or freshly generated), collects the instance details that certificates are issued for,
     * and holds the helpers that write keys and certificates as PEM entries in a zip or as a PKCS#12 keystore.
     * Only {@code outputPathSpec}, {@code outputPasswordSpec} and {@code keysizeSpec} are always registered; the
     * other specs stay {@code null} until a subclass constructor calls the matching {@code accept*} method, so a
     * sub-command must only query the specs it registered.
     */
    public static abstract class CertificateCommand extends EnvironmentAwareCommand {
        // Registered for every sub-command by the constructor.
        final OptionSpec<String> outputPathSpec;
        final OptionSpec<String> outputPasswordSpec;
        final OptionSpec<Integer> keysizeSpec;
        // Registered by acceptCertificateGenerationOptions().
        OptionSpec<Void> pemFormatSpec;
        OptionSpec<Integer> daysSpec;
        // Registered by acceptsCertificateAuthority(); caPasswordSpec may instead be aliased to
        // outputPasswordSpec by a subclass, and caDnSpec alone by acceptsCertificateAuthorityName().
        OptionSpec<String> caPkcs12PathSpec;
        OptionSpec<String> caCertPathSpec;
        OptionSpec<String> caKeyPathSpec;
        OptionSpec<String> caPasswordSpec;
        OptionSpec<String> caDnSpec;
        // Registered by acceptInstanceDetails().
        OptionSpec<Void> multipleNodesSpec;
        OptionSpec<String> nameSpec;
        OptionSpec<String> dnsNamesSpec;
        OptionSpec<String> ipAddressesSpec;
        // Registered by acceptInputFile().
        OptionSpec<String> inputFileSpec;
        // Decompiler-synthesised assertion flag, initialised in the static block at the end of the class.
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * Registers the options common to all sub-commands: {@code out} (output file), {@code pass} (password for
         * generated private keys; the argument is optional, so the flag can be given without a value) and
         * {@code keysize} (RSA key size in bits).
         *
         * @param str the sub-command description handed to the parent constructor
         */
        CertificateCommand(String str) {
            super(str);
            this.outputPathSpec = this.parser.accepts("out", "path to the output file that should be produced").withRequiredArg();
            this.outputPasswordSpec = this.parser.accepts("pass", "password for generated private keys").withOptionalArg();
            this.keysizeSpec = this.parser.accepts("keysize", "size in bits of RSA keys").withRequiredArg().ofType(Integer.class);
        }

        /** Registers {@code pem} (PEM output instead of PKCS#12) and {@code days} (validity period). */
        final void acceptCertificateGenerationOptions() {
            this.pemFormatSpec = this.parser.accepts("pem", "output certificates and keys in PEM format instead of PKCS#12");
            this.daysSpec = this.parser.accepts("days", "number of days that the generated certificates are valid").withRequiredArg().ofType(Integer.class);
        }

        /**
         * Registers the options for supplying an existing CA: {@code ca} (PKCS#12 bundle), or the pair
         * {@code ca-cert} / {@code ca-key} (PEM); {@code ca-cert} cannot be combined with {@code ca}, and
         * {@code ca-key} is both only allowed and required together with {@code ca-cert}. {@code ca-pass} covers
         * the existing or the generated CA key, and {@code ca-dn} is registered afterwards so that it is
         * made unavailable when an existing CA is given.
         */
        final void acceptsCertificateAuthority() {
            this.caPkcs12PathSpec = this.parser.accepts("ca", "path to an existing ca key pair (in PKCS#12 format)").withRequiredArg();
            this.caCertPathSpec = this.parser.accepts("ca-cert", "path to an existing ca certificate").availableUnless(this.caPkcs12PathSpec, new OptionSpec[0]).withRequiredArg();
            this.caKeyPathSpec = this.parser.accepts("ca-key", "path to an existing ca private key").availableIf(this.caCertPathSpec, new OptionSpec[0]).requiredIf(this.caCertPathSpec, new OptionSpec[0]).withRequiredArg();
            this.caPasswordSpec = this.parser.accepts("ca-pass", "password for an existing ca private key or the generated ca private key").withOptionalArg();
            acceptsCertificateAuthorityName();
        }

        /**
         * Registers {@code ca-dn}, the distinguished name for a generated CA. The option is only made unavailable
         * alongside {@code ca} / {@code ca-cert} when those specs have already been registered (the 'ca' mode
         * never registers them, so there the null checks skip the restriction).
         */
        void acceptsCertificateAuthorityName() {
            OptionSpecBuilder accepts = this.parser.accepts("ca-dn", "distinguished name to use for the generated ca. defaults to CN=Elastic Certificate Tool Autogenerated CA");
            if (this.caPkcs12PathSpec != null) {
                accepts = accepts.availableUnless(this.caPkcs12PathSpec, new OptionSpec[0]);
            }
            if (this.caCertPathSpec != null) {
                accepts = accepts.availableUnless(this.caCertPathSpec, new OptionSpec[0]);
            }
            this.caDnSpec = accepts.withRequiredArg();
        }

        /**
         * Registers the single-instance options {@code name}, {@code dns} and {@code ip}, plus {@code multiple},
         * which switches to interactive entry of several instances and excludes the other three.
         */
        final void acceptInstanceDetails() {
            this.multipleNodesSpec = this.parser.accepts("multiple", "generate files for multiple instances");
            this.nameSpec = this.parser.accepts("name", "name of the generated certificate").availableUnless(this.multipleNodesSpec, new OptionSpec[0]).withRequiredArg();
            this.dnsNamesSpec = this.parser.accepts("dns", "comma separated DNS names").availableUnless(this.multipleNodesSpec, new OptionSpec[0]).withRequiredArg();
            this.ipAddressesSpec = this.parser.accepts("ip", "comma separated IP addresses").availableUnless(this.multipleNodesSpec, new OptionSpec[0]).withRequiredArg();
        }

        /** Registers {@code in}, a YAML file describing the instances (parsed by CertificateToolParser). */
        final void acceptInputFile() {
            this.inputFileSpec = this.parser.accepts("in", "file containing details of the instances in yaml format").withRequiredArg();
        }

        /** @return the joptsimple parser this command registers its options on */
        OptionParser getParser() {
            return this.parser;
        }

        /**
         * Resolves the output file from the {@code out} option, falling back to an interactive prompt that
         * offers {@code str} as the default.
         *
         * @param str the default file name to offer when {@code out} was not given
         */
        Path resolveOutputPath(Terminal terminal, OptionSet optionSet, String str) throws IOException {
            return resolveOutputPath(terminal, (String) this.outputPathSpec.value(optionSet), str);
        }

        /**
         * Resolves the output file: {@code str} when it was given on the command line; otherwise the user is
         * prompted with {@code str2} as the default, and an empty answer keeps that default.
         *
         * @param str  the value of the {@code out} option, or {@code null} when absent
         * @param str2 the default file name
         * @return the chosen path, made absolute
         */
        static Path resolveOutputPath(Terminal terminal, String str, String str2) {
            Path resolvePath;
            if (str != null) {
                resolvePath = CertificateTool.resolvePath(str);
            } else {
                resolvePath = CertificateTool.resolvePath(str2);
                String readText = terminal.readText("Please enter the desired output file [" + resolvePath + "]: ");
                if (!readText.isEmpty()) {
                    resolvePath = CertificateTool.resolvePath(readText);
                }
            }
            return resolvePath.toAbsolutePath();
        }

        /** @return the {@code keysize} value, or DEFAULT_KEY_SIZE (2048 bits) when not given */
        final int getKeySize(OptionSet optionSet) {
            return optionSet.has(this.keysizeSpec) ? ((Integer) this.keysizeSpec.value(optionSet)).intValue() : CertificateTool.DEFAULT_KEY_SIZE;
        }

        /** @return the {@code days} value, or DEFAULT_DAYS (1095 days) when not given */
        final int getDays(OptionSet optionSet) {
            return optionSet.has(this.daysSpec) ? ((Integer) this.daysSpec.value(optionSet)).intValue() : CertificateTool.DEFAULT_DAYS;
        }

        /** @return whether {@code pem} was given */
        boolean usePemFormat(OptionSet optionSet) {
            return optionSet.has(this.pemFormatSpec);
        }

        /** @return whether {@code pass} was given (with or without a value) */
        boolean useOutputPassword(OptionSet optionSet) {
            return optionSet.has(this.outputPasswordSpec);
        }

        /**
         * @return the {@code pass} value as chars; the spec takes an optional argument, so this can be
         *         {@code null} when the flag was given on its own (the writers then hand {@code null} to
         *         withPassword, which presumably prompts — confirm against that helper)
         */
        char[] getOutputPassword(OptionSet optionSet) {
            return CertificateTool.getChars((String) this.outputPasswordSpec.value(optionSet));
        }

        /**
         * Resolves a path-valued option.
         *
         * @return the resolved path, or {@code null} when the option is absent or empty
         */
        protected Path resolvePath(OptionSet optionSet, OptionSpec<String> optionSpec) {
            String str = (String) optionSpec.value(optionSet);
            if (Strings.isNullOrEmpty(str)) {
                return null;
            }
            return CertificateTool.resolvePath(str);
        }

        /**
         * Obtains the CA to sign with, in this precedence: a PKCS#12 bundle ({@code ca}), a PEM pair
         * ({@code ca-cert} / {@code ca-key}), or, with a deprecation notice, a CA generated on the fly.
         */
        CAInfo getCAInfo(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            if (optionSet.has(this.caPkcs12PathSpec)) {
                return loadPkcs12CA(terminal, optionSet, environment);
            }
            if (optionSet.has(this.caCertPathSpec)) {
                return loadPemCA(terminal, optionSet, environment);
            }
            terminal.println("Note: Generating certificates without providing a CA certificate is deprecated.");
            terminal.println("      A CA certificate will become mandatory in the next major release.");
            terminal.println("");
            return generateCA(terminal, optionSet);
        }

        /**
         * Loads the CA from the PKCS#12 file named by {@code ca}, using {@code ca-pass} (possibly {@code null})
         * as both the keystore and the key-entry password. The file must contain exactly one key pair.
         * {@code environment} is accepted for signature symmetry with loadPemCA but not used.
         *
         * @throws IllegalArgumentException when the bundle holds zero or several key pairs
         */
        private CAInfo loadPkcs12CA(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            Path resolvePath = resolvePath(optionSet, this.caPkcs12PathSpec);
            // The 'false' flag differs from the key-writing call sites, which pass 'true'; presumably it marks an
            // existing password rather than a newly chosen one — confirm against CertificateTool.withPassword.
            Map map = (Map) CertificateTool.withPassword("CA (" + resolvePath + ")", CertificateTool.getChars((String) this.caPasswordSpec.value(optionSet)), terminal, false, cArr -> {
                // Inner lambda: every key entry is unlocked with the same password as the keystore.
                return CertParsingUtils.readPkcs12KeyPairs(resolvePath, cArr, str -> {
                    return cArr;
                });
            });
            if (map.size() != 1) {
                throw new IllegalArgumentException("expected a single key in file [" + resolvePath.toAbsolutePath() + "] but found [" + map.size() + "]");
            }
            Map.Entry entry = (Map.Entry) map.entrySet().iterator().next();
            // Two-argument CAInfo: generated=false, no password retained for a loaded CA.
            return new CAInfo((X509Certificate) entry.getKey(), (PrivateKey) entry.getValue());
        }

        /**
         * Loads the CA from the PEM certificate ({@code ca-cert}) and PEM private key ({@code ca-key}), decrypting
         * the key with {@code ca-pass} when needed. {@code environment} is not used.
         *
         * @throws UserException with exit status 64 (usage error) when {@code ca-key} has no argument
         */
        private CAInfo loadPemCA(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            if (!optionSet.hasArgument(this.caKeyPathSpec)) {
                throw new UserException(64, "Option " + this.caCertPathSpec + " also requires " + this.caKeyPathSpec);
            }
            return new CAInfo(CertParsingUtils.readX509Certificate(resolvePath(optionSet, this.caCertPathSpec)), CertificateTool.readPrivateKey(resolvePath(optionSet, this.caKeyPathSpec), CertificateTool.getChars((String) this.caPasswordSpec.value(optionSet)), terminal));
        }

        /**
         * Generates a new CA: subject from {@code ca-dn} (default AUTO_GEN_CA_DN), an RSA key of
         * {@link #getKeySize} bits, and a certificate valid for {@link #getDays} days.
         * The CA password comes from {@code ca-pass}: absent → no password (the key is later written
         * unencrypted); given without a value → obtained interactively through withPassword; given with a value →
         * used as is after the OpenSSL-compatibility length check.
         *
         * @return a CAInfo flagged as generated
         */
        CAInfo generateCA(Terminal terminal, OptionSet optionSet) throws Exception {
            String str = (String) this.caDnSpec.value(optionSet);
            if (Strings.isNullOrEmpty(str)) {
                str = CertificateTool.AUTO_GEN_CA_DN;
            }
            X500Principal x500Principal = new X500Principal(str);
            KeyPair generateKeyPair = CertGenUtils.generateKeyPair(getKeySize(optionSet));
            X509Certificate generateCACertificate = CertGenUtils.generateCACertificate(x500Principal, generateKeyPair, getDays(optionSet));
            if (!optionSet.hasArgument(this.caPasswordSpec)) {
                // has() without hasArgument(): flag present but no value → withPassword is handed null.
                // The returned array is cloned because withPassword may clear its own copy afterwards (presumed).
                return optionSet.has(this.caPasswordSpec) ? (CAInfo) CertificateTool.withPassword("CA Private key", null, terminal, true, cArr -> {
                    return new CAInfo(generateCACertificate, generateKeyPair.getPrivate(), true, (char[]) cArr.clone());
                }) : new CAInfo(generateCACertificate, generateKeyPair.getPrivate(), true, null);
            }
            char[] chars = CertificateTool.getChars((String) this.caPasswordSpec.value(optionSet));
            // Older OpenSSL (before OLD_OPENSSL_VERSION) cannot read keys protected by passwords longer than
            // MAX_PASSWORD_OLD_OPENSSL characters; the helper checks the length and (by its name) asks the user to confirm.
            CertificateTool.checkAndConfirmPasswordLengthForOpenSSLCompatibility(chars, terminal, false);
            return new CAInfo(generateCACertificate, generateKeyPair.getPrivate(), true, chars);
        }

        /**
         * Collects the instances to issue certificates for, in this precedence: the {@code in} file, interactive
         * entry when {@code multiple} is given, otherwise a single instance built from {@code name},
         * {@code dns} and {@code ip} (each value is split on commas). When the name is not usable as a file name
         * the user is asked for one. Validation problems of the single instance are printed to the error stream
         * and an empty collection is returned instead of throwing.
         */
        Collection<CertificateInformation> getCertificateInformationList(Terminal terminal, OptionSet optionSet) throws Exception {
            Path resolvePath = resolvePath(optionSet, this.inputFileSpec);
            if (resolvePath != null) {
                return CertificateTool.parseAndValidateFile(terminal, resolvePath.toAbsolutePath());
            }
            if (optionSet.has(this.multipleNodesSpec)) {
                return readMultipleCertificateInformation(terminal);
            }
            Function function = str -> {
                return Arrays.stream(Strings.splitStringByCommaToArray(str));
            };
            List list = (List) this.dnsNamesSpec.values(optionSet).stream().flatMap(function).collect(Collectors.toList());
            List list2 = (List) this.ipAddressesSpec.values(optionSet).stream().flatMap(function).collect(Collectors.toList());
            String certificateName = getCertificateName(optionSet);
            // Argument order is (name, filename, ipAddresses, dnsNames, commonNames): list2 holds the IPs, list the DNS names.
            CertificateInformation certificateInformation = new CertificateInformation(certificateName, Name.isValidFilename(certificateName) ? certificateName : requestFileName(terminal, certificateName), list2, list, null);
            List<String> validate = certificateInformation.validate();
            if (validate.isEmpty()) {
                return Collections.singleton(certificateInformation);
            }
            // Decompiler rendering of the method reference's implicit null check.
            Objects.requireNonNull(terminal);
            validate.forEach(terminal::errorPrintln);
            return Collections.emptyList();
        }

        /** @return the {@code name} value, or DEFAULT_CERT_NAME ("instance") when not given */
        protected String getCertificateName(OptionSet optionSet) {
            return optionSet.has(this.nameSpec) ? (String) this.nameSpec.value(optionSet) : CertificateTool.DEFAULT_CERT_NAME;
        }

        /**
         * Interactively reads instance details until the user answers anything but "y" to the continue prompt.
         * Entries are keyed by instance name, so re-entering a name overwrites the earlier entry (with a message);
         * entries that fail validation are reported and skipped. The result is a HashMap's value view, so its
         * iteration order is not the order of entry.
         */
        static Collection<CertificateInformation> readMultipleCertificateInformation(Terminal terminal) {
            HashMap hashMap = new HashMap();
            boolean z = false;
            while (!z) {
                String readText = terminal.readText("Enter instance name: ");
                if (readText.isEmpty()) {
                    terminal.println("A name must be provided");
                } else {
                    // Argument order is (name, filename, ipAddresses, dnsNames, commonNames).
                    CertificateInformation certificateInformation = new CertificateInformation(readText, requestFileName(terminal, readText), Arrays.asList(Strings.splitStringByCommaToArray(terminal.readText("Enter IP Addresses for instance (comma-separated if more than one) []: "))), Arrays.asList(Strings.splitStringByCommaToArray(terminal.readText("Enter DNS names for instance (comma-separated if more than one) []: "))), null);
                    List<String> validate = certificateInformation.validate();
                    if (validate.isEmpty()) {
                        if (hashMap.containsKey(readText)) {
                            terminal.println("Overwriting previously defined instance information [" + readText + "]");
                        }
                        hashMap.put(readText, certificateInformation);
                    } else {
                        Iterator<String> it = validate.iterator();
                        while (it.hasNext()) {
                            terminal.println(it.next());
                        }
                        terminal.println("Skipping entry as invalid values were found");
                    }
                }
                if (!"y".equals(terminal.readText("Would you like to specify another instance? Press 'y' to continue entering instance information: "))) {
                    z = true;
                }
            }
            return hashMap.values();
        }

        /**
         * Asks for the directory/file name to use for instance {@code str}, repeating until a valid file name is
         * entered. An empty answer accepts {@code str} itself, but only when {@code str} is a valid file name.
         */
        private static String requestFileName(Terminal terminal, String str) {
            boolean isValidFilename = Name.isValidFilename(str);
            while (true) {
                String readText = terminal.readText("Enter name for directories and files of " + str + (isValidFilename ? " [" + str + "]" : "") + ": ");
                if (readText.isEmpty() && isValidFilename) {
                    return str;
                }
                if (Name.isValidFilename(readText)) {
                    return readText;
                }
                terminal.errorPrintln(Terminal.Verbosity.SILENT, "'" + readText + "' is not a valid filename");
            }
        }

        /**
         * Writes the CA certificate as {@code ca/ca.crt} into the zip and, when {@code z} is true, the CA private
         * key as {@code ca/ca.key}. The key is PEM-encrypted with {@code cAInfo.password} when that is non-empty and
         * written unencrypted otherwise. After an encrypted write the password array inside {@code cAInfo} is
         * zeroed (also on failure), so the same CAInfo must not be relied on for the password afterwards.
         *
         * @param z whether to include the private key
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public static void writeCAInfo(ZipOutputStream zipOutputStream, JcaPEMWriter jcaPEMWriter, CAInfo cAInfo, boolean z) throws Exception {
            String createCaDirectory = createCaDirectory(zipOutputStream);
            zipOutputStream.putNextEntry(new ZipEntry(createCaDirectory + "ca.crt"));
            jcaPEMWriter.writeObject(cAInfo.certAndKey.cert);
            jcaPEMWriter.flush();
            zipOutputStream.closeEntry();
            if (z) {
                zipOutputStream.putNextEntry(new ZipEntry(createCaDirectory + "ca.key"));
                if (cAInfo.password == null || cAInfo.password.length <= 0) {
                    // No password: the private key lands in the zip in the clear.
                    jcaPEMWriter.writeObject(cAInfo.certAndKey.key);
                } else {
                    try {
                        jcaPEMWriter.writeObject(cAInfo.certAndKey.key, CertificateTool.getEncrypter(cAInfo.password));
                        Arrays.fill(cAInfo.password, (char) 0);
                    } catch (Throwable th) {
                        // Wipe the password on the error path too, then propagate.
                        Arrays.fill(cAInfo.password, (char) 0);
                        throw th;
                    }
                }
                jcaPEMWriter.flush();
                zipOutputStream.closeEntry();
            }
        }

        /**
         * Adds the {@code ca/} directory entry to the zip and returns that prefix for the entries inside it.
         */
        private static String createCaDirectory(ZipOutputStream zipOutputStream) throws IOException {
            ZipEntry zipEntry = new ZipEntry("ca/");
            // ZipEntry treats a trailing '/' as a directory; the assertion guards that convention.
            if (!$assertionsDisabled && !zipEntry.isDirectory()) {
                throw new AssertionError();
            }
            zipOutputStream.putNextEntry(zipEntry);
            return "ca/";
        }

        /**
         * Writes a PKCS#12 keystore to {@code outputStream} holding {@code certificateAndKey} under alias
         * {@code str2} (with the leaf certificate as its only chain element) and, when {@code x509Certificate} is
         * non-null, that CA certificate under alias {@code "ca"}. The password for both the keystore and the key
         * entry is obtained via withPassword from {@code cArr} (which may be {@code null}).
         *
         * @param str description shown in the password prompt (the output file name at the call sites)
         * @throws UserException with exit status 78 when the password contains non-ASCII characters, which PKCS#12 does not accept here
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public static void writePkcs12(String str, OutputStream outputStream, String str2, CertificateAndKey certificateAndKey, X509Certificate x509Certificate, char[] cArr, Terminal terminal) throws Exception {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(null);
            CertificateTool.withPassword(str, cArr, terminal, true, cArr2 -> {
                if (!CertificateTool.isAscii(cArr2)) {
                    throw new UserException(78, "PKCS#12 passwords must be plain ASCII");
                }
                keyStore.setKeyEntry(str2, certificateAndKey.key, cArr2, new Certificate[]{certificateAndKey.cert});
                if (x509Certificate != null) {
                    keyStore.setCertificateEntry("ca", x509Certificate);
                }
                keyStore.store(outputStream, cArr2);
                return null;
            });
        }

        /**
         * Verifies that {@code certificate} was signed by the CA's key (by checking its signature against the CA
         * certificate's public key). On failure the cause chain is printed as an error and the command is aborted.
         *
         * @throws UserException with exit status 78 when verification fails, typically because {@code ca-cert} and
         *                       {@code ca-key} do not belong together
         */
        static void verifyIssuer(Certificate certificate, CAInfo cAInfo, Terminal terminal) throws UserException {
            try {
                certificate.verify(cAInfo.certAndKey.cert.getPublicKey());
            } catch (GeneralSecurityException e) {
                terminal.errorPrintln("");
                terminal.errorPrintln("* ERROR *");
                terminal.errorPrintln("Verification of generated certificate failed.");
                terminal.errorPrintln("This usually occurs if the provided CA certificate does not match with the CA key.");
                terminal.errorPrintln("Cause: " + e);
                // Walk the cause chain; decompiled form of a for-loop over getCause().
                Throwable cause = e.getCause();
                while (true) {
                    Throwable th = cause;
                    if (th == null) {
                        break;
                    }
                    terminal.errorPrintln("     - " + th);
                    cause = th.getCause();
                }
                throw new UserException(78, "Certificate verification failed");
            }
        }

        /**
         * Writes {@code privateKey} as the zip entry {@code str} in PEM form. When {@code pass} was given the key is
         * PEM-encrypted with the password obtained via withPassword (prompting when the flag had no value);
         * otherwise it is written unencrypted.
         */
        protected void writePemPrivateKey(Terminal terminal, OptionSet optionSet, ZipOutputStream zipOutputStream, JcaPEMWriter jcaPEMWriter, String str, PrivateKey privateKey) throws IOException {
            boolean useOutputPassword = useOutputPassword(optionSet);
            char[] outputPassword = getOutputPassword(optionSet);
            zipOutputStream.putNextEntry(new ZipEntry(str));
            if (useOutputPassword) {
                CertificateTool.withPassword(str, outputPassword, terminal, true, cArr -> {
                    jcaPEMWriter.writeObject(privateKey, CertificateTool.getEncrypter(cArr));
                    return null;
                });
            } else {
                jcaPEMWriter.writeObject(privateKey);
            }
            jcaPEMWriter.flush();
            zipOutputStream.closeEntry();
        }

        static {
            // Mirrors the outer class's assertion status (decompiler-generated).
            $assertionsDisabled = !CertificateTool.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateInformation.class */
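    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateInformation.class */
    /**
     * The user-supplied details for one certificate to issue: the instance name (and the name used for its output
     * directory and files), plus the IP addresses, DNS names and common names the certificate should carry.
     * Absent lists are stored as empty lists so that callers can iterate without null checks.
     */
    public static class CertificateInformation {
        final Name name;
        final List<String> ipAddresses;
        final List<String> dnsNames;
        final List<String> commonNames;

        /**
         * @param instanceName the instance name; {@code Name.fromUserProvidedName} derives {@link #name} from it
         * @param filename     the name to use for directories and files in the output
         * @param ipAddresses  IP addresses for the certificate, or {@code null} for none
         * @param dnsNames     DNS names for the certificate, or {@code null} for none
         * @param commonNames  additional common names, or {@code null} for none
         */
        CertificateInformation(String instanceName, String filename, List<String> ipAddresses, List<String> dnsNames, List<String> commonNames) {
            this.name = Name.fromUserProvidedName(instanceName, filename);
            this.ipAddresses = emptyIfNull(ipAddresses);
            this.dnsNames = emptyIfNull(dnsNames);
            this.commonNames = emptyIfNull(commonNames);
        }

        /** Normalises an absent list to an empty one; a non-null list is kept as given. */
        private static List<String> emptyIfNull(List<String> values) {
            return values == null ? Collections.emptyList() : values;
        }

        /**
         * Checks the supplied values: the name must have produced no error, every IP address must parse as an IP
         * literal and every DNS name must be an IA5 (ASCII-only) string. {@link #commonNames} are not checked here.
         *
         * @return human-readable problems, empty when the information is valid
         */
        List<String> validate() {
            List<String> errors = new ArrayList<>();
            if (name.error != null) {
                errors.add(name.error);
            }
            for (String ip : ipAddresses) {
                if (InetAddresses.isInetAddress(ip) == false) {
                    errors.add("[" + ip + "] is not a valid IP address");
                }
            }
            for (String dns : dnsNames) {
                if (DERIA5String.isIA5String(dns) == false) {
                    errors.add("[" + dns + "] is not a valid DNS name");
                }
            }
            return errors;
        }
    }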

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateToolParser.class */
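    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$CertificateToolParser.class */
    /**
     * Parser for the instance description file given via the {@code in} option.
     * The document is an object with one field, {@code instances}: an array of objects with a required
     * {@code name} and optional {@code filename} (defaults to the name), {@code ip}, {@code dns} and {@code cn}
     * string arrays. Each instance becomes a {@link CertificateInformation} appended to the list the parser is
     * invoked with.
     */
    public static class CertificateToolParser {
        private static final ObjectParser<List<CertificateInformation>, Void> PARSER = new ObjectParser<>("certgen");

        /** Static holder only; never instantiated. */
        private CertificateToolParser() {
        }

        static {
            ConstructingObjectParser<CertificateInformation, Void> instanceParser = new ConstructingObjectParser<>(
                "instances",
                CertificateToolParser::toCertificateInformation
            );
            // Declaration order fixes the positional index of each constructor argument (see toCertificateInformation).
            instanceParser.declareString(ConstructingObjectParser.constructorArg(), new ParseField("name"));
            instanceParser.declareString(ConstructingObjectParser.optionalConstructorArg(), new ParseField("filename"));
            instanceParser.declareStringArray(ConstructingObjectParser.optionalConstructorArg(), new ParseField("ip"));
            instanceParser.declareStringArray(ConstructingObjectParser.optionalConstructorArg(), new ParseField("dns"));
            instanceParser.declareStringArray(ConstructingObjectParser.optionalConstructorArg(), new ParseField("cn"));
            PARSER.declareObjectArray(List::addAll, instanceParser, new ParseField("instances"));
        }

        /**
         * Builds one instance from the positional constructor arguments declared in the static block:
         * [0] name, [1] filename (falls back to the name when absent), [2] ip, [3] dns, [4] cn.
         * Optional arguments arrive as {@code null} and are normalised by the CertificateInformation constructor.
         */
        @SuppressWarnings("unchecked")
        private static CertificateInformation toCertificateInformation(Object[] args) {
            String name = (String) args[0];
            String filename = args[1] == null ? name : (String) args[1];
            return new CertificateInformation(name, filename, (List<String>) args[2], (List<String>) args[3], (List<String>) args[4]);
        }
    }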

    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$GenerateCertificateCommand.class */
    static class GenerateCertificateCommand extends CertificateCommand {
        OptionSpec<Void> selfSigned;
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * Registers the 'cert' sub-command options: the shared generation options ({@code pem}, {@code days}), the
         * instance details ({@code multiple}, {@code name}, {@code dns}, {@code ip}), the existing-CA inputs
         * ({@code ca}, {@code ca-cert}, {@code ca-key}, {@code ca-pass}, {@code ca-dn}), the {@code in} file and,
         * last, {@code self-signed}. acceptsCertificateAuthority() must run before {@code self-signed} is declared,
         * because that spec references the CA path specs it registers.
         */
        GenerateCertificateCommand() {
            super("generate X.509 certificates and keys");
            acceptCertificateGenerationOptions();
            acceptInstanceDetails();
            acceptsCertificateAuthority();
            acceptInputFile();
            // A self-signed certificate cannot be combined with an existing CA, so the flag is unavailable with 'ca' or 'ca-cert'.
            this.selfSigned = this.parser.accepts("self-signed", "generate self signed certificates").availableUnless(this.caPkcs12PathSpec, new OptionSpec[]{this.caCertPathSpec});
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            Object obj;
            terminal.println(CertificateTool.INTRO_TEXT);
            terminal.println("");
            terminal.println("The 'cert' mode generates X.509 certificate and private keys.");
            terminal.println("    * By default, this generates a single certificate and key for use");
            terminal.println("       on a single instance.");
            terminal.println("    * The '-multiple' option will prompt you to enter details for multiple");
            terminal.println("       instances and will generate a certificate and key for each one");
            terminal.println("    * The '-in' option allows for the certificate generation to be automated by describing");
            terminal.println("       the details of each instance in a YAML file");
            terminal.println("");
            terminal.println(CertificateTool.INSTANCE_EXPLANATION);
            terminal.println("");
            terminal.println(CertificateTool.CA_EXPLANATION);
            terminal.println("");
            terminal.println("By default the 'cert' mode produces a single PKCS#12 output file which holds:");
            terminal.println("    * The instance certificate");
            terminal.println("    * The private key for the instance certificate");
            terminal.println("    * The CA certificate");
            terminal.println("");
            terminal.println("If you specify any of the following options:");
            terminal.println("    * -pem (PEM formatted output)");
            terminal.println("    * -multiple (generate multiple certificates)");
            terminal.println("    * -in (generate certificates from an input file)");
            terminal.println("then the output will be be a zip file containing individual certificate/key files");
            terminal.println("");
            CAInfo cAInfo = getCAInfo(terminal, optionSet, environment);
            Collection<CertificateInformation> certificateInformationList = getCertificateInformationList(terminal, optionSet);
            boolean usePemFormat = usePemFormat(optionSet);
            boolean z = optionSet.has(this.multipleNodesSpec) || optionSet.has(this.inputFileSpec) || usePemFormat;
            Path resolveOutputPath = resolveOutputPath(terminal, optionSet, z ? CertificateTool.DEFAULT_CERT_ZIP : optionSet.has(this.nameSpec) ? ((String) this.nameSpec.value(optionSet)) + ".p12" : "elastic-certificates.p12");
            generateAndWriteSignedCertificates(resolveOutputPath, z, optionSet, certificateInformationList, cAInfo, terminal);
            terminal.println("");
            terminal.println("Certificates written to " + resolveOutputPath);
            terminal.println("");
            if (certificateInformationList.size() > 1) {
                terminal.println(Terminal.Verbosity.NORMAL, "This file should be properly secured as it contains the private keys for ");
                terminal.print(Terminal.Verbosity.NORMAL, "all instances");
            } else {
                terminal.println(Terminal.Verbosity.NORMAL, "This file should be properly secured as it contains the private key for ");
                terminal.print(Terminal.Verbosity.NORMAL, "your instance.");
            }
            terminal.println("");
            if (z) {
                terminal.println("After unzipping the file, there will be a directory for each instance.");
                if (usePemFormat) {
                    terminal.println("Each instance has a certificate and private key.");
                    obj = "the certificate, key, and CA certificate";
                } else {
                    terminal.println("Each instance has a single PKCS#12 (.p12) file containing the instance");
                    terminal.println("certificate, instance private key and the CA certificate");
                    obj = "this '.p12' file";
                }
            } else {
                terminal.println("This file is a self contained file and can be copied and used 'as is'");
                obj = "this '.p12' file";
            }
            terminal.println("For each Elastic product that you wish to configure, you should copy");
            terminal.println(obj + " to the relevant configuration directory");
            terminal.println("and then follow the SSL configuration instructions in the product guide.");
            terminal.println("");
            if (usePemFormat || !(cAInfo == null || cAInfo.generated)) {
                terminal.println("For client applications, you may only need to copy the CA certificate and");
                terminal.println("configure the client to trust this certificate.");
            }
        }

        @Override // org.elasticsearch.xpack.security.cli.CertificateTool.CertificateCommand
        CAInfo getCAInfo(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            if (false == optionSet.has(this.selfSigned) && false == optionSet.has(this.caPkcs12PathSpec) && false == optionSet.has(this.caCertPathSpec)) {
                throw new UserException(64, "Must specify either --ca or --ca-cert/--ca-key or --self-signed");
            }
            if (optionSet.has(this.selfSigned)) {
                return null;
            }
            return super.getCAInfo(terminal, optionSet, environment);
        }

        void generateAndWriteSignedCertificates(Path path, boolean z, OptionSet optionSet, Collection<CertificateInformation> collection, CAInfo cAInfo, Terminal terminal) throws Exception {
            CertificateTool.checkDirectory(path, terminal);
            int keySize = getKeySize(optionSet);
            int days = getDays(optionSet);
            if (z) {
                boolean usePemFormat = usePemFormat(optionSet);
                CertificateTool.fullyWriteZipFile(path, (zipOutputStream, jcaPEMWriter) -> {
                    Iterator it = collection.iterator();
                    while (it.hasNext()) {
                        CertificateInformation certificateInformation = (CertificateInformation) it.next();
                        CertificateAndKey generateCertificateAndKey = generateCertificateAndKey(certificateInformation, cAInfo, keySize, days, terminal);
                        String str = certificateInformation.name.filename + "/";
                        ZipEntry zipEntry = new ZipEntry(str);
                        if (!$assertionsDisabled && !zipEntry.isDirectory()) {
                            throw new AssertionError();
                        }
                        zipOutputStream.putNextEntry(zipEntry);
                        String str2 = str + certificateInformation.name.filename;
                        if (usePemFormat) {
                            zipOutputStream.putNextEntry(new ZipEntry(str2 + ".crt"));
                            jcaPEMWriter.writeObject(generateCertificateAndKey.cert);
                            jcaPEMWriter.flush();
                            zipOutputStream.closeEntry();
                            writePemPrivateKey(terminal, optionSet, zipOutputStream, jcaPEMWriter, str2 + ".key", generateCertificateAndKey.key);
                        } else {
                            String str3 = str2 + ".p12";
                            char[] outputPassword = super.getOutputPassword(optionSet);
                            zipOutputStream.putNextEntry(new ZipEntry(str3));
                            writePkcs12(str3, zipOutputStream, certificateInformation.name.originalName, generateCertificateAndKey, cAInfo == null ? null : cAInfo.certAndKey.cert, outputPassword, terminal);
                            zipOutputStream.closeEntry();
                        }
                    }
                });
            } else {
                if (!$assertionsDisabled && collection.size() != 1) {
                    throw new AssertionError();
                }
                char[] outputPassword = super.getOutputPassword(optionSet);
                CertificateInformation next = collection.iterator().next();
                CertificateAndKey generateCertificateAndKey = generateCertificateAndKey(next, cAInfo, keySize, days, terminal);
                CertificateTool.fullyWriteFile(path, outputStream -> {
                    writePkcs12(path.getFileName().toString(), outputStream, next.name.originalName, generateCertificateAndKey, cAInfo == null ? null : cAInfo.certAndKey.cert, outputPassword, terminal);
                });
            }
        }

        private static CertificateAndKey generateCertificateAndKey(CertificateInformation certificateInformation, CAInfo cAInfo, int i, int i2, Terminal terminal) throws Exception {
            X509Certificate generateSignedCertificate;
            KeyPair generateKeyPair = CertGenUtils.generateKeyPair(i);
            if (cAInfo != null) {
                generateSignedCertificate = CertGenUtils.generateSignedCertificate(certificateInformation.name.x500Principal, CertificateTool.getSubjectAlternativeNamesValue(certificateInformation.ipAddresses, certificateInformation.dnsNames, certificateInformation.commonNames), generateKeyPair, cAInfo.certAndKey.cert, cAInfo.certAndKey.key, i2);
                verifyIssuer(generateSignedCertificate, cAInfo, terminal);
            } else {
                generateSignedCertificate = CertGenUtils.generateSignedCertificate(certificateInformation.name.x500Principal, CertificateTool.getSubjectAlternativeNamesValue(certificateInformation.ipAddresses, certificateInformation.dnsNames, certificateInformation.commonNames), generateKeyPair, null, null, false, i2, null);
            }
            return new CertificateAndKey(generateSignedCertificate, generateKeyPair.getPrivate());
        }

        static {
            $assertionsDisabled = !CertificateTool.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$Name.class */
    /**
     * An instance name as entered by the user, together with the subject DN derived from it and
     * the sanitised name used for files and directories inside the generated zip.
     * <p>
     * Validation failures are carried in {@link #error} rather than thrown, so that all problems
     * of an input file can be reported together.
     */
    public static class Name {
        /** The name exactly as the user provided it ({@code ""} when none was given). */
        final String originalName;
        /** Subject DN built from {@link #originalName}; {@code null} when the name was rejected. */
        final X500Principal x500Principal;
        /** Normalised file/directory name for the zip; {@code null} when the filename was rejected. */
        final String filename;
        /** Why this name is unusable, or {@code null} when it is valid. */
        final String error;

        private Name(String originalName, X500Principal x500Principal, String filename, String error) {
            this.originalName = originalName;
            this.x500Principal = x500Principal;
            this.filename = filename;
            this.error = error;
        }

        /**
         * Builds a {@link Name} from user input.
         * <p>
         * A value containing {@code =} is taken to be a full DN, anything else becomes
         * {@code CN=<name>}. The reserved name {@code ca} and {@code null} are rejected, as is a
         * filename that fails {@link #isValidFilename}.
         *
         * @param name     the instance name (hostname or DN)
         * @param filename the file/directory name to use for this instance; NOTE(review): a
         *                 {@code null} filename is not handled here and would raise an NPE in
         *                 {@link #isValidFilename} — callers presumably always pass one
         * @return a {@link Name}; check {@link #error} before using it
         */
        static Name fromUserProvidedName(String name, String filename) {
            if ("ca".equals(name)) {
                return new Name(name, null, null, "[ca] may not be used as an instance name");
            }
            if (name == null) {
                return new Name("", null, null, "instance name may not be null");
            }
            try {
                final X500Principal principal = name.contains("=")
                    ? new X500Principal(name)
                    : new X500Principal("CN=" + name);
                if (isValidFilename(filename)) {
                    return new Name(name, principal, CertificateTool.resolvePath(filename).toString(), null);
                }
                return new Name(name, principal, null, "[" + filename + "] is not a valid filename");
            } catch (IllegalArgumentException e) {
                // X500Principal rejects malformed DNs with IllegalArgumentException.
                return new Name(name, null, null, "[" + name + "] could not be converted to a valid DN\n" + e.getMessage() + "\n" + ExceptionsHelper.stackTrace(e));
            }
        }

        /**
         * Whether {@code filename} is safe to use as a directory/file name inside the output zip:
         * both the raw value and its normalised path form must match
         * {@code ALLOWED_FILENAME_CHAR_PATTERN} (a whitelist without path separators), and it must
         * not start with a dot (which also rules out {@code .} and {@code ..}).
         *
         * @param filename candidate name
         * @return {@code true} when the name is acceptable
         */
        static boolean isValidFilename(String filename) {
            final Pattern allowed = CertificateTool.ALLOWED_FILENAME_CHAR_PATTERN;
            if (allowed.matcher(filename).matches() == false) {
                return false;
            }
            final String normalised = CertificateTool.resolvePath(filename).toString();
            if (allowed.matcher(normalised).matches() == false) {
                return false;
            }
            return filename.startsWith(".") == false;
        }

        @Override
        public String toString() {
            return String.format(
                "%s{original=[%s] principal=[%s] file=[%s] err=[%s]}",
                getClass().getSimpleName(),
                this.originalName,
                this.x500Principal,
                this.filename,
                this.error
            );
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$SigningRequestCommand.class */
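    /**
     * The {@code csr} sub-command: generates a private key and a PKCS#10 certificate signing
     * request for each instance and writes them, PEM encoded, into one zip file with a directory
     * per instance.
     */
    static class SigningRequestCommand extends CertificateCommand {

        SigningRequestCommand() {
            super("generate certificate signing requests");
            acceptInstanceDetails();
            acceptInputFile();
        }

        /**
         * Prints the explanatory text, writes the CSR zip and tells the user what to do with it.
         *
         * @param terminal    terminal for output and prompts
         * @param optionSet   parsed command-line options
         * @param environment node environment (unused here)
         * @param processInfo process information (unused here)
         * @throws Exception on any I/O or option error
         */
        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            terminal.println(CertificateTool.INTRO_TEXT);
            terminal.println("");
            terminal.println("The 'csr' mode generates certificate signing requests that can be sent to");
            terminal.println("a trusted certificate authority");
            terminal.println("    * By default, this generates a single CSR for a single instance.");
            terminal.println("    * You can use the '-multiple' option to generate CSRs for multiple");
            terminal.println("       instances, each with their own private key.");
            terminal.println("    * The '-in' option allows for the CSR generation to be automated");
            terminal.println("       by describing the details of each instance in a YAML file");
            terminal.println("");
            terminal.println(CertificateTool.INSTANCE_EXPLANATION);
            terminal.println("");
            terminal.println("The 'csr' mode produces a single zip file which contains the certificate");
            terminal.println("signing requests and private keys for each instance.");
            terminal.println("    * Each certificate signing request is provided as a standard PEM encoding of a PKCS#10 CSR.");
            terminal.println("    * Each key is provided as a PEM encoding of an RSA private key");
            terminal.println("");
            final Path outputPath = resolveOutputPath(terminal, optionSet, CertificateTool.DEFAULT_CSR_ZIP);
            generateAndWriteCsrs(terminal, optionSet, outputPath);
            terminal.println("");
            terminal.println("Certificate signing requests have been written to " + outputPath);
            terminal.println("");
            terminal.println("This file should be properly secured as it contains the private keys for all");
            terminal.println("instances.");
            terminal.println("");
            terminal.println("After unzipping the file, there will be a directory for each instance containing");
            terminal.println("the certificate signing request and the private key. Provide the certificate");
            terminal.println("signing requests to your certificate authority. Once you have received the");
            terminal.println("signed certificate, copy the signed certificate, key, and CA certificate to the");
            terminal.println("configuration directory of the Elastic product that they will be used for and");
            terminal.println("follow the SSL configuration instructions in the product guide.");
        }

        /**
         * Convenience overload: reads the key size and instance list from the options.
         */
        void generateAndWriteCsrs(Terminal terminal, OptionSet optionSet, Path path) throws Exception {
            generateAndWriteCsrs(terminal, optionSet, path, getKeySize(optionSet), getCertificateInformationList(terminal, optionSet));
        }

        /**
         * Writes a zip containing, per instance, {@code <name>/<name>.csr} and {@code <name>/<name>.key}.
         * <p>
         * NOTE(review): unlike the {@code cert} mode there is no {@code checkDirectory} call here, so
         * a missing parent directory surfaces as a raw I/O error rather than a prompt — confirm
         * whether that is intended.
         *
         * @param terminal terminal for prompts (PEM key password)
         * @param options  parsed options
         * @param output   the zip file to create
         * @param keySize  RSA key size in bits
         * @param certs    the instances to generate CSRs for
         * @throws Exception on I/O or cryptographic failure
         */
        void generateAndWriteCsrs(Terminal terminal, OptionSet options, Path output, int keySize, Collection<CertificateInformation> certs) throws Exception {
            CertificateTool.fullyWriteZipFile(output, (zipOutputStream, pemWriter) -> {
                for (CertificateInformation certificateInformation : certs) {
                    final KeyPair keyPair = CertGenUtils.generateKeyPair(keySize);
                    final PKCS10CertificationRequest csr = CertGenUtils.generateCSR(keyPair, certificateInformation.name.x500Principal, CertificateTool.getSubjectAlternativeNamesValue(certificateInformation.ipAddresses, certificateInformation.dnsNames, certificateInformation.commonNames));
                    // One directory per instance; Name.isValidFilename keeps the directory name to a
                    // character whitelist without path separators.
                    final String dirName = certificateInformation.name.filename + "/";
                    final ZipEntry dirEntry = new ZipEntry(dirName);
                    assert dirEntry.isDirectory();
                    zipOutputStream.putNextEntry(dirEntry);
                    final String entryBase = dirName + certificateInformation.name.filename;
                    zipOutputStream.putNextEntry(new ZipEntry(entryBase + ".csr"));
                    pemWriter.writeObject(csr);
                    pemWriter.flush();
                    zipOutputStream.closeEntry();
                    // The private key goes through the shared PEM writer so it can be encrypted
                    // with the (optional) password handled by CertificateCommand.
                    super.writePemPrivateKey(terminal, options, zipOutputStream, pemWriter, entryBase + ".key", keyPair.getPrivate());
                }
            });
        }
    }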

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertificateTool$Writer.class */
    /**
     * Callback used by {@code fullyWriteZipFile}: receives the zip stream plus a PEM writer that
     * is layered on top of it, so implementations can interleave zip entries with PEM objects.
     * The caller owns both streams and closes them; implementations should only add entries.
     */
    public interface Writer {
        /**
         * Writes zip entries (and optionally PEM objects into them).
         *
         * @param zipOutputStream the zip being produced
         * @param jcaPEMWriter    a PEM writer wrapping {@code zipOutputStream}; flush it before
         *                        closing an entry
         * @throws Exception on any failure; the partially written file is removed by the caller
         */
        void write(ZipOutputStream zipOutputStream, JcaPEMWriter jcaPEMWriter) throws Exception;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Registers the four sub-commands under {@code DESCRIPTION}. The map keys are the names the
     * user types on the command line ({@code csr}, {@code cert}, {@code ca}, {@code http}).
     */
    public CertificateTool() {
        super(DESCRIPTION);
        this.subcommands.put("csr", new SigningRequestCommand());
        this.subcommands.put("cert", new GenerateCertificateCommand());
        // CertificateAuthorityCommand and HttpCertificateCommand are defined outside this view.
        this.subcommands.put("ca", new CertificateAuthorityCommand());
        this.subcommands.put("http", new HttpCertificateCommand());
    }

    /**
     * Dispatches to the sub-command, translating the one option error this tool still wants to
     * explain — a lone, no-longer-supported {@code --keep-ca-key} — into a usage error (exit
     * code 64, EX_USAGE) that points the user at the {@code ca} sub-command. Every other option
     * error is rethrown untouched.
     *
     * @param terminal    terminal for output
     * @param optionSet   parsed top-level options
     * @param processInfo process information
     * @throws Exception whatever the sub-command throws, or the translated {@link UserException}
     */
    protected void execute(Terminal terminal, OptionSet optionSet, ProcessInfo processInfo) throws Exception {
        try {
            super.execute(terminal, optionSet, processInfo);
        } catch (OptionException e) {
            final boolean onlyKeepCaKey = e.options().size() == 1 && e.options().contains("keep-ca-key");
            if (onlyKeepCaKey) {
                throw new UserException(64, "Generating certificates without providing a CA is no longer supported.\nPlease first generate a CA with the 'ca' sub-command and provide the ca file \nwith either --ca or --ca-cert/--ca-key to generate certificates.");
            }
            throw e;
        }
    }

    /**
     * Turns a user-supplied path string into a normalised {@link Path}, relative to the current
     * working directory when not absolute. Normalisation collapses {@code .} and {@code ..}
     * components; it does not resolve symlinks.
     *
     * @param str the path as typed by the user
     * @return the normalised path
     */
    @SuppressForbidden(reason = "resolve paths against CWD for a CLI tool")
    static Path resolvePath(String str) {
        final Path raw = PathUtils.get(str);
        return raw.normalize();
    }

    /**
     * Parses the YAML instance file and validates every entry. All problems are printed before
     * failing, so the user sees the complete list in one run.
     *
     * @param terminal terminal for error output (printed at SILENT verbosity so it always shows)
     * @param path     the instance description file
     * @return the parsed instances, all of which passed {@code validate()}
     * @throws UserException (exit code 78, EX_CONFIG) when at least one instance is invalid
     * @throws Exception     when the file cannot be read or parsed
     */
    static Collection<CertificateInformation> parseAndValidateFile(Terminal terminal, Path path) throws Exception {
        final Collection<CertificateInformation> instances = parseFile(path);
        boolean anyInvalid = false;
        for (CertificateInformation instance : instances) {
            final List<String> problems = instance.validate();
            if (problems.isEmpty()) {
                continue;
            }
            anyInvalid = true;
            terminal.errorPrintln(Terminal.Verbosity.SILENT, "Configuration for instance " + instance.name.originalName + " has invalid details");
            for (String problem : problems) {
                terminal.errorPrintln(Terminal.Verbosity.SILENT, " * " + problem);
            }
            terminal.errorPrintln("");
        }
        if (anyInvalid) {
            throw new UserException(78, "File " + path + " contains invalid configuration details (see messages above)");
        }
        return instances;
    }

    /**
     * Reads the YAML instance file (UTF-8) with the XContent YAML parser and hands it to
     * {@code CertificateToolParser.PARSER}. No validation happens here; see
     * {@link #parseAndValidateFile}.
     *
     * @param path the instance description file
     * @return the parsed instances (possibly empty)
     * @throws Exception on I/O or parse failure; the reader is closed either way
     */
    @SuppressWarnings("unchecked")
    static Collection<CertificateInformation> parseFile(Path path) throws Exception {
        try (BufferedReader reader = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
            final XContentParser yaml = XContentType.YAML.xContent().createParser(XContentParserConfiguration.EMPTY, reader);
            return (Collection<CertificateInformation>) CertificateToolParser.PARSER.parse(yaml, new ArrayList<>(), (Object) null);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the encryptor used to password-protect PEM private keys: OpenSSL-style PEM
     * encryption with {@code AES-128-CBC} (the {@code DEK-Info} header form), backed by the
     * BouncyCastle provider.
     * <p>
     * NOTE(review): this legacy PEM scheme derives the key from the password with OpenSSL's
     * single-pass MD5 {@code EVP_BytesToKey}, so the protection rests almost entirely on the
     * password's strength; encrypted PKCS#8 (PBES2) would be stronger — confirm compatibility
     * requirements before changing.
     *
     * @param cArr the password; the caller keeps ownership and is responsible for zeroing it
     * @return a ready-to-use {@link PEMEncryptor}
     */
    public static PEMEncryptor getEncrypter(char[] cArr) {
        final JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("AES-128-CBC");
        builder.setProvider(BC_PROV);
        return builder.build(cArr);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Warns when a password is longer than {@code MAX_PASSWORD_OLD_OPENSSL} (the message says 50
     * characters), because OpenSSL releases before 1.1.0 cannot read files protected with it.
     *
     * @param cArr     the password to check
     * @param terminal terminal for the warning (SILENT verbosity, so it is always shown)
     * @param z        when {@code true}, ask the user whether to continue after the warning
     * @return {@code true} to proceed; {@code false} only when {@code z} is set and the user
     *         answered no to the prompt
     */
    public static boolean checkAndConfirmPasswordLengthForOpenSSLCompatibility(char[] cArr, Terminal terminal, boolean z) {
        final boolean tooLongForOldOpenSsl = cArr.length > MAX_PASSWORD_OLD_OPENSSL;
        if (tooLongForOldOpenSsl == false) {
            return true;
        }
        terminal.println(Terminal.Verbosity.SILENT, "Warning: Your password exceeds 50 characters. Versions of OpenSSL older than 1.1.0 may not be able to read this file.");
        // Without confirmation requested the warning alone is enough.
        return z ? terminal.promptYesNo("Do you want to continue?", true) : true;
    }

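    /**
     * Runs {@code body} with a password, prompting the user when none was supplied.
     * <p>
     * A caller-supplied password is used as-is (after the OpenSSL length warning when
     * {@code checkLength} is set) and is NOT cleared here — it belongs to the caller. When no
     * password is given the user is prompted; if {@code checkLength} is set and the user declines
     * to keep an over-long value, the prompt repeats. Every prompted buffer is zeroed as soon as
     * {@code body} has finished with it, whether it succeeded or threw.
     *
     * @param description what the password protects, shown in the prompt
     * @param password    the password, or {@code null} to prompt for one
     * @param terminal    terminal for prompting and warnings
     * @param checkLength whether to apply {@link #checkAndConfirmPasswordLengthForOpenSSLCompatibility}
     * @param body        the operation to run with the password
     * @param <T>         result type of {@code body}
     * @param <E>         exception type thrown by {@code body}
     * @return whatever {@code body} returns
     * @throws Exception whatever {@code body} or the terminal throws
     */
    private static <T, E extends Exception> T withPassword(String description, char[] password, Terminal terminal, boolean checkLength, CheckedFunction<char[], T, E> body) throws Exception {
        if (password != null) {
            if (checkLength) {
                // Nothing to re-prompt for when the password came from the caller: warn only.
                checkAndConfirmPasswordLengthForOpenSSLCompatibility(password, terminal, false);
            }
            return body.apply(password);
        }
        while (true) {
            final char[] prompted = terminal.readSecret("Enter password for " + description + " : ");
            try {
                if (checkLength && checkAndConfirmPasswordLengthForOpenSSLCompatibility(prompted, terminal, true) == false) {
                    continue; // user declined the over-long password; the finally block wipes it and we ask again
                }
                return body.apply(prompted);
            } finally {
                Arrays.fill(prompted, (char) 0);
            }
        }
    }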

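    /**
     * Creates {@code path} as a zip file and lets {@code writer} fill it, giving it both the zip
     * stream and a UTF-8 PEM writer layered on top. Both are closed afterwards (PEM writer first,
     * which flushes into the zip) and, on failure, the partial file is removed by
     * {@link #fullyWriteFile}.
     *
     * @param path   the zip file to create; must not exist yet
     * @param writer callback that adds the entries
     * @throws Exception on I/O failure or whatever {@code writer} throws
     */
    private static void fullyWriteZipFile(Path path, Writer writer) throws Exception {
        fullyWriteFile(path, outputStream -> {
            // try-with-resources closes the PEM writer before the zip stream, matching the
            // explicit close order; both are closed on the failure path as well.
            try (
                ZipOutputStream zipOutputStream = new ZipOutputStream(outputStream, StandardCharsets.UTF_8);
                JcaPEMWriter pemWriter = new JcaPEMWriter(new OutputStreamWriter(zipOutputStream, StandardCharsets.UTF_8))
            ) {
                writer.write(zipOutputStream, pemWriter);
            }
        });
    }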

    /**
     * Makes sure the parent directory of {@code path} exists, offering to create it.
     * <p>
     * NOTE(review): {@code path.getParent()} is {@code null} for a bare relative filename; the
     * callers resolve the output path first (outside this view), which presumably guarantees a
     * parent — confirm, otherwise {@code Files.isDirectory(null)} throws an NPE.
     *
     * @param path     the file about to be written
     * @param terminal terminal for the error message and the create prompt
     * @throws UserException (exit code 73, EX_CANTCREAT) when the parent exists but is not a
     *                       directory, the user declines to create it, or creation fails
     */
    private static void checkDirectory(Path path, Terminal terminal) throws UserException {
        final Path parent = path.getParent();
        if (Files.isDirectory(parent)) {
            return;
        }
        if (Files.exists(parent)) {
            terminal.errorPrintln(Terminal.Verbosity.SILENT, "Path " + parent + " exists, but is not a directory. Cannot write to " + path);
            throw new UserException(73, "Cannot write to " + path);
        }
        final boolean create = terminal.promptYesNo("Directory " + parent + " does not exist. Do you want to create it?", true);
        if (create == false) {
            throw new UserException(73, "Directory " + parent + " does not exist");
        }
        try {
            Files.createDirectories(parent);
        } catch (IOException e) {
            throw new UserException(73, "Cannot create directory " + parent, e);
        }
    }

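    /**
     * Creates {@code path} (refusing to overwrite), lets {@code checkedConsumer} write its
     * content, then restricts the file to owner read/write where POSIX permissions are supported.
     * If anything fails — including closing the stream — the partial file is deleted so that no
     * half-written key material is left behind.
     * <p>
     * NOTE(review): permissions are tightened only after the content has been written, so between
     * creation and {@code setPermissions} the file carries whatever the process umask grants;
     * creating it with {@code PosixFilePermissions.asFileAttribute(...)} on POSIX systems would
     * close that window — consider, but verify platform behaviour first.
     *
     * @param path            the file to create; must not already exist
     * @param checkedConsumer writes the content to the opened stream
     * @throws UserException (exit code 74, EX_IOERR) when the file already exists
     * @throws Exception     on I/O failure or whatever {@code checkedConsumer} throws
     */
    private static void fullyWriteFile(Path path, CheckedConsumer<OutputStream, Exception> checkedConsumer) throws Exception {
        assert path != null;
        assert checkedConsumer != null;
        if (Files.exists(path)) {
            throw new UserException(74, "Output file '" + path + "' already exists");
        }
        boolean success = false;
        try {
            // CREATE_NEW makes the existence check above atomic at the file-system level too.
            try (OutputStream outputStream = Files.newOutputStream(path, StandardOpenOption.CREATE_NEW)) {
                checkedConsumer.accept(outputStream);
                // Private keys inside: owner-only (0600). The view is null on non-POSIX file systems.
                final PosixFileAttributeView posixView = Files.getFileAttributeView(path, PosixFileAttributeView.class);
                if (posixView != null) {
                    posixView.setPermissions(new HashSet<>(Arrays.asList(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
                }
            }
            // Only reached once the stream has been closed without error.
            success = true;
        } finally {
            if (success == false) {
                Files.deleteIfExists(path);
            }
        }
    }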

    /**
     * Reads a (possibly encrypted) PEM private key, prompting for its password only if the file
     * turns out to need one and none was supplied.
     * <p>
     * Whichever password ends up being used — the caller-supplied {@code cArr} or the prompted
     * one — is zeroed before this method returns or throws. Callers must therefore not reuse
     * {@code cArr} afterwards.
     *
     * @param path     the PEM file
     * @param cArr     the password, or {@code null} to prompt on demand
     * @param terminal terminal for the prompt
     * @return the private key
     * @throws Exception on I/O or decoding failure
     */
    private static PrivateKey readPrivateKey(Path path, char[] cArr, Terminal terminal) throws Exception {
        // Holds whichever buffer must be wiped: the caller's, or the one read from the terminal.
        final AtomicReference<char[]> passwordInUse = new AtomicReference<>(cArr);
        try {
            return PemUtils.readPrivateKey(path, () -> {
                if (cArr != null) {
                    return cArr;
                }
                final char[] prompted = terminal.readSecret("Enter password for CA private key (" + path.getFileName() + ") : ");
                passwordInUse.set(prompted);
                return prompted;
            });
        } finally {
            final char[] toWipe = passwordInUse.get();
            if (toWipe != null) {
                Arrays.fill(toWipe, (char) 0);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the Subject Alternative Name extension value from the instance's IP addresses, DNS
     * names and common names. Duplicates are collapsed by the set; the resulting order is the
     * set's iteration order, not the input order.
     *
     * @param list  IP address literals (become {@code iPAddress} entries)
     * @param list2 host names (become {@code dNSName} entries)
     * @param list3 common names (converted by {@code CertGenUtils.createCommonName})
     * @return the {@link GeneralNames}, or {@code null} when no names were given at all
     */
    public static GeneralNames getSubjectAlternativeNamesValue(List<String> list, List<String> list2, List<String> list3) {
        final HashSet<GeneralName> names = new HashSet<>();
        list.forEach(ip -> names.add(new GeneralName(GeneralName.iPAddress, ip)));
        list2.forEach(dns -> names.add(new GeneralName(GeneralName.dNSName, dns)));
        list3.forEach(cn -> names.add(CertGenUtils.createCommonName(cn)));
        return names.isEmpty() ? null : new GeneralNames(names.toArray(new GeneralName[0]));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Whether every character in {@code cArr} is US-ASCII, i.e. can be encoded by the shared
     * {@code ASCII_ENCODER}.
     * <p>
     * NOTE(review): a {@link java.nio.charset.CharsetEncoder} is not safe for concurrent use, so
     * this relies on the CLI being single-threaded — confirm if ever called from elsewhere.
     *
     * @param cArr the characters to test (typically a password)
     * @return {@code true} when all characters are ASCII
     */
    public static boolean isAscii(char[] cArr) {
        final CharBuffer view = CharBuffer.wrap(cArr);
        return ASCII_ENCODER.canEncode(view);
    }

    /**
     * Null-tolerant {@link String#toCharArray()}: used to turn an optional password option into
     * the {@code char[]} form the crypto APIs (and the zeroing helpers) expect.
     *
     * @param str the string, may be {@code null}
     * @return a fresh char array, or {@code null} when {@code str} is {@code null}
     */
    private static char[] getChars(String str) {
        return str == null ? null : str.toCharArray();
    }

    static {
        // Decompiler artefact standing in for the JVM's assertion switch (javac's `assert`).
        $assertionsDisabled = !CertificateTool.class.desiredAssertionStatus();
        // One BouncyCastle provider instance for all PEM/PKCS operations in this tool.
        BC_PROV = new BouncyCastleProvider();
        // Shared encoder behind isAscii(); CharsetEncoder is not thread-safe (CLI is single-threaded).
        ASCII_ENCODER = StandardCharsets.US_ASCII.newEncoder();
        // Whitelist for instance file/directory names used inside the generated zip: letters, digits
        // and a fixed set of punctuation, 1-251 characters. Path separators ('/', '\') and ':' are
        // not allowed, which is what keeps zip entry names inside their instance directory;
        // names starting with '.' (incl. "..") are rejected separately by Name.isValidFilename.
        // The 251 limit presumably leaves room for a 4-character extension within 255 — TODO confirm.
        ALLOWED_FILENAME_CHAR_PATTERN = Pattern.compile("[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,251}");
        // NOTE(review): FILE_EXTENSION_LENGTH as the indent width looks like constant folding by the
        // decompiler; the intent is an indented explanatory paragraph.
        INSTANCE_EXPLANATION = "* An instance is any piece of the Elastic Stack that requires an SSL certificate.\n  Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats\n  may all require a certificate and private key.\n* The minimum required value for each instance is a name. This can simply be the\n  hostname, which will be used as the Common Name of the certificate. A full\n  distinguished name may also be used.\n* A filename value may be required for each instance. This is necessary when the\n  name would result in an invalid file or directory name. The name provided here\n  is used as the directory name (within the zip) and the prefix for the key and\n  certificate files. The filename is required if you are prompted and the name\n  is not displayed in the prompt.\n* IP addresses and DNS names are optional. Multiple values can be specified as a\n  comma separated string. If no IP addresses or DNS names are provided, you may\n  disable hostname verification in your SSL configuration.".indent(FILE_EXTENSION_LENGTH);
        CA_EXPLANATION = "* All certificates generated by this tool will be signed by a certificate authority (CA)\n  unless the --self-signed command line option is specified.\n  The tool can automatically generate a new CA for you, or you can provide your own with\n  the --ca or --ca-cert command line options.".indent(FILE_EXTENSION_LENGTH);
    }
}
