package org.elasticsearch.xpack.security.cli;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Period;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;
import javax.security.auth.x500.X500Principal;
import joptsimple.OptionParser;
import joptsimple.OptionSet;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OperatorException;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObjectGenerator;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cli.EnvironmentAwareCommand;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.ssl.PemUtils;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.security.cli.CertificateTool;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/cli/HttpCertificateCommand.class */
public class HttpCertificateCommand extends EnvironmentAwareCommand {
    static final int DEFAULT_CERT_KEY_SIZE = 2048;
    static final Period DEFAULT_CERT_VALIDITY;
    static final X500Principal DEFAULT_CA_NAME;
    static final int DEFAULT_CA_KEY_SIZE = 2048;
    static final Period DEFAULT_CA_VALIDITY;
    private static final String ES_README_CSR = "es-readme-csr.txt";
    private static final String ES_YML_CSR = "es-sample-csr.yml";
    private static final String ES_README_P12 = "es-readme-p12.txt";
    private static final String ES_YML_P12 = "es-sample-p12.yml";
    private static final String CA_README_P12 = "ca-readme-p12.txt";
    private static final String KIBANA_README = "kibana-readme.txt";
    private static final String KIBANA_YML = "kibana-sample.yml";
    private static final byte[] MAGIC_BYTES1_PKCS12;
    private static final byte[] MAGIC_BYTES2_PKCS12;
    private static final byte[] MAGIC_BYTES2_JDK16_PKCS12;
    private static final byte[] MAGIC_BYTES_JKS;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/HttpCertificateCommand$CertOptions.class */
    public class CertOptions {
        final String name;
        final X500Principal subject;
        final List<String> dnsNames;
        final List<String> ipNames;
        final int keySize;
        final Period validity;

        private CertOptions(String str, X500Principal x500Principal, List<String> list, List<String> list2, int i, Period period) {
            this.name = str;
            this.subject = x500Principal;
            this.dnsNames = list;
            this.ipNames = list2;
            this.keySize = i;
            this.validity = period;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/HttpCertificateCommand$FileType.class */
    public enum FileType {
        PKCS12,
        JKS,
        PEM_CERT,
        PEM_KEY,
        PEM_CERT_CHAIN,
        UNRECOGNIZED
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/cli/HttpCertificateCommand$ZipEntryStream.class */
    public class ZipEntryStream extends OutputStream {
        private final ZipOutputStream zip;
        static final /* synthetic */ boolean $assertionsDisabled;

        ZipEntryStream(HttpCertificateCommand httpCertificateCommand, ZipOutputStream zipOutputStream, String str) throws IOException {
            this(zipOutputStream, new ZipEntry(str));
        }

        ZipEntryStream(ZipOutputStream zipOutputStream, ZipEntry zipEntry) throws IOException {
            this.zip = zipOutputStream;
            if (!$assertionsDisabled && zipEntry.isDirectory()) {
                throw new AssertionError();
            }
            zipOutputStream.putNextEntry(zipEntry);
        }

        @Override // java.io.OutputStream
        public void write(int i) throws IOException {
            this.zip.write(i);
        }

        @Override // java.io.OutputStream
        public void write(byte[] bArr) throws IOException {
            this.zip.write(bArr);
        }

        @Override // java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) throws IOException {
            this.zip.write(bArr, i, i2);
        }

        @Override // java.io.OutputStream, java.io.Flushable
        public void flush() throws IOException {
            this.zip.flush();
        }

        @Override // java.io.OutputStream, java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.zip.closeEntry();
        }

        static {
            $assertionsDisabled = !HttpCertificateCommand.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public HttpCertificateCommand() {
        super("generate a new certificate (or certificate request) for the Elasticsearch HTTP interface");
    }

    public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
        CertificateTool.CAInfo findExistingCA;
        Period certificateValidityPeriod;
        char[] readPassword;
        printHeader("Elasticsearch HTTP Certificate Utility", terminal);
        terminal.println("The 'http' command guides you through the process of generating certificates");
        terminal.println("for use on the HTTP (Rest) interface for Elasticsearch.");
        terminal.println("");
        terminal.println("This tool will ask you a number of questions in order to generate the right");
        terminal.println("set of files for your needs.");
        boolean askCertSigningRequest = askCertSigningRequest(terminal);
        if (askCertSigningRequest) {
            findExistingCA = null;
            certificateValidityPeriod = null;
        } else {
            findExistingCA = askExistingCertificateAuthority(terminal) ? findExistingCA(terminal, environment) : createNewCA(terminal);
            terminal.println(Terminal.Verbosity.VERBOSE, "Using the following CA:");
            terminal.println(Terminal.Verbosity.VERBOSE, "\tSubject: " + findExistingCA.certAndKey.cert.getSubjectX500Principal());
            terminal.println(Terminal.Verbosity.VERBOSE, "\tIssuer: " + findExistingCA.certAndKey.cert.getIssuerX500Principal());
            terminal.println(Terminal.Verbosity.VERBOSE, "\tSerial: " + findExistingCA.certAndKey.cert.getSerialNumber());
            terminal.println(Terminal.Verbosity.VERBOSE, "\tExpiry: " + findExistingCA.certAndKey.cert.getNotAfter());
            terminal.println(Terminal.Verbosity.VERBOSE, "\tSignature Algorithm: " + findExistingCA.certAndKey.cert.getSigAlgName());
            certificateValidityPeriod = getCertificateValidityPeriod(terminal);
        }
        boolean askMultipleCertificates = askMultipleCertificates(terminal);
        ArrayList arrayList = new ArrayList();
        String str = askMultipleCertificates ? "node #1" : "your nodes";
        while (true) {
            CertOptions certificateConfiguration = getCertificateConfiguration(terminal, askMultipleCertificates, str, certificateValidityPeriod, askCertSigningRequest);
            terminal.println(Terminal.Verbosity.VERBOSE, "Generating the following " + (askCertSigningRequest ? "CSR" : "Certificate") + ":");
            terminal.println(Terminal.Verbosity.VERBOSE, "\tName: " + certificateConfiguration.name);
            terminal.println(Terminal.Verbosity.VERBOSE, "\tSubject: " + certificateConfiguration.subject);
            terminal.println(Terminal.Verbosity.VERBOSE, "\tDNS Names: " + Strings.collectionToCommaDelimitedString(certificateConfiguration.dnsNames));
            terminal.println(Terminal.Verbosity.VERBOSE, "\tIP Names: " + Strings.collectionToCommaDelimitedString(certificateConfiguration.ipNames));
            terminal.println(Terminal.Verbosity.VERBOSE, "\tKey Size: " + certificateConfiguration.keySize);
            terminal.println(Terminal.Verbosity.VERBOSE, "\tValidity: " + toString(certificateConfiguration.validity));
            arrayList.add(certificateConfiguration);
            if (!askMultipleCertificates || !terminal.promptYesNo("Generate additional certificates?", true)) {
                break;
            } else {
                str = "node #" + (arrayList.size() + 1);
            }
        }
        printHeader("What password do you want for your private key(s)?", terminal);
        if (askCertSigningRequest) {
            terminal.println("Your private key(s) will be stored as a PEM formatted file.");
            terminal.println("We recommend that you protect your private keys with a password");
            terminal.println("");
            terminal.println("If you do not wish to use a password, simply press <enter> at the prompt below.");
            readPassword = readPassword(terminal, "Provide a password for the private key: ", true);
        } else {
            terminal.println("Your private key(s) will be stored in a PKCS#12 keystore file named \"http.p12\".");
            terminal.println("This type of keystore is always password protected, but it is possible to use a");
            terminal.println("blank password.");
            terminal.println("");
            terminal.println("If you wish to use a blank password, simply press <enter> at the prompt below.");
            readPassword = readPassword(terminal, "Provide a password for the \"http.p12\" file: ", true);
        }
        printHeader("Where should we save the generated files?", terminal);
        if (askCertSigningRequest) {
            terminal.println("A number of files will be generated including your private key(s),");
            terminal.println("certificate request(s), and sample configuration options for Elastic Stack products.");
        } else {
            terminal.println("A number of files will be generated including your private key(s),");
            terminal.println("public certificate(s), and sample configuration options for Elastic Stack products.");
        }
        terminal.println("");
        terminal.println("These files will be included in a single zip archive.");
        terminal.println("");
        Path path = (Path) tryReadInput(terminal, "What filename should be used for the output zip file?", resolvePath("elasticsearch-ssl-http.zip"), this::resolvePath);
        writeZip(path, readPassword, findExistingCA, arrayList, environment);
        terminal.println("");
        terminal.println("Zip file written to " + path);
    }

    @SuppressForbidden(reason = "CLI tool resolves files against working directory")
    protected Path resolvePath(String str) {
        return PathUtils.get(str, new String[0]).normalize().toAbsolutePath();
    }

    private void writeZip(Path path, char[] cArr, CertificateTool.CAInfo cAInfo, List<CertOptions> list, Environment environment) throws UserException {
        if (Files.exists(path, new LinkOption[0])) {
            throw new UserException(74, "Output file '" + path + "' already exists");
        }
        try {
            try {
                OutputStream newOutputStream = Files.newOutputStream(path, StandardOpenOption.CREATE_NEW);
                try {
                    ZipOutputStream zipOutputStream = new ZipOutputStream(newOutputStream, StandardCharsets.UTF_8);
                    try {
                        createZipDirectory(zipOutputStream, "elasticsearch");
                        if (list.size() == 1) {
                            writeCertificateAndKeyDetails(zipOutputStream, "elasticsearch", list.get(0), cAInfo, cArr, environment);
                        } else {
                            for (CertOptions certOptions : list) {
                                String str = "elasticsearch/" + certOptions.name;
                                createZipDirectory(zipOutputStream, str);
                                writeCertificateAndKeyDetails(zipOutputStream, str, certOptions, cAInfo, cArr, environment);
                            }
                        }
                        if (cAInfo != null && cAInfo.generated) {
                            createZipDirectory(zipOutputStream, "ca");
                            writeCertificateAuthority(zipOutputStream, "ca", cAInfo, environment);
                        }
                        createZipDirectory(zipOutputStream, "kibana");
                        writeKibanaInfo(zipOutputStream, "kibana", cAInfo, environment);
                        PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(path, PosixFileAttributeView.class, new LinkOption[0]);
                        if (posixFileAttributeView != null) {
                            posixFileAttributeView.setPermissions(Sets.newHashSet(new PosixFilePermission[]{PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE}));
                        }
                        zipOutputStream.close();
                        if (newOutputStream != null) {
                            newOutputStream.close();
                        }
                        if (1 == 0) {
                            Files.deleteIfExists(path);
                        }
                    } catch (Throwable th) {
                        try {
                            zipOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    if (newOutputStream != null) {
                        try {
                            newOutputStream.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (IOException e) {
                throw new ElasticsearchException("Failed to write ZIP file '" + path + "'", e, new Object[0]);
            }
        } catch (Throwable th5) {
            if (0 == 0) {
                Files.deleteIfExists(path);
            }
            throw th5;
        }
    }

    private static void createZipDirectory(ZipOutputStream zipOutputStream, String str) throws IOException {
        ZipEntry zipEntry = new ZipEntry(str + "/");
        if (!$assertionsDisabled && !zipEntry.isDirectory()) {
            throw new AssertionError();
        }
        zipOutputStream.putNextEntry(zipEntry);
    }

    private void writeCertificateAndKeyDetails(ZipOutputStream zipOutputStream, String str, CertOptions certOptions, CertificateTool.CAInfo cAInfo, char[] cArr, Environment environment) {
        try {
            KeyPair generateKeyPair = CertGenUtils.generateKeyPair(certOptions.keySize);
            GeneralNames subjectAlternativeNamesValue = CertificateTool.getSubjectAlternativeNamesValue(certOptions.ipNames, certOptions.dnsNames, List.of());
            boolean z = cArr != null && cArr.length > 0;
            if (cAInfo == null) {
                PKCS10CertificationRequest generateCSR = CertGenUtils.generateCSR(generateKeyPair, certOptions.subject, subjectAlternativeNamesValue, Set.of(new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)));
                String str2 = "http-" + certOptions.name + ".csr";
                String str3 = "http-" + certOptions.name + ".key";
                String str4 = "http-" + certOptions.name + ".crt";
                Map.Entry[] entryArr = new Map.Entry[5];
                entryArr[0] = Map.entry("CSR", str2);
                entryArr[1] = Map.entry("KEY", str3);
                entryArr[2] = Map.entry("CERT", str4);
                entryArr[3] = Map.entry("YML", "sample-elasticsearch.yml");
                entryArr[4] = Map.entry("PASSWORD", z ? "*" : "");
                Map<String, String> buildSubstitutions = buildSubstitutions(environment, Map.ofEntries(entryArr));
                writeTextFile(zipOutputStream, str + "/README.txt", ES_README_CSR, buildSubstitutions);
                writePemEntry(zipOutputStream, str + "/" + str2, new JcaMiscPEMGenerator(generateCSR));
                writePemEntry(zipOutputStream, str + "/" + str3, generator(generateKeyPair.getPrivate(), cArr));
                writeTextFile(zipOutputStream, str + "/sample-elasticsearch.yml", ES_YML_CSR, buildSubstitutions);
            } else {
                ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
                X509Certificate generateSignedCertificate = CertGenUtils.generateSignedCertificate(certOptions.subject, subjectAlternativeNamesValue, generateKeyPair, cAInfo.certAndKey.cert, cAInfo.certAndKey.key, false, now, now.plus((TemporalAmount) certOptions.validity), null, Set.of(new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)));
                Map.Entry[] entryArr2 = new Map.Entry[3];
                entryArr2[0] = Map.entry("P12", "http.p12");
                entryArr2[1] = Map.entry("YML", "sample-elasticsearch.yml");
                entryArr2[2] = Map.entry("PASSWORD", z ? "*" : "");
                Map<String, String> buildSubstitutions2 = buildSubstitutions(environment, Map.ofEntries(entryArr2));
                writeTextFile(zipOutputStream, str + "/README.txt", ES_README_P12, buildSubstitutions2);
                writeKeyStore(zipOutputStream, str + "/http.p12", generateSignedCertificate, generateKeyPair.getPrivate(), cArr, cAInfo.certAndKey.cert);
                writeTextFile(zipOutputStream, str + "/sample-elasticsearch.yml", ES_YML_P12, buildSubstitutions2);
            }
        } catch (OperatorException | IOException | GeneralSecurityException e) {
            throw new ElasticsearchException("Failed to write certificate to ZIP file", e, new Object[0]);
        }
    }

    private void writeCertificateAuthority(ZipOutputStream zipOutputStream, String str, CertificateTool.CAInfo cAInfo, Environment environment) {
        if (!$assertionsDisabled && cAInfo == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && !cAInfo.generated) {
            throw new AssertionError();
        }
        try {
            writeTextFile(zipOutputStream, str + "/README.txt", CA_README_P12, buildSubstitutions(environment, Map.of("P12", "ca.p12", "DN", cAInfo.certAndKey.cert.getSubjectX500Principal().getName(), "PASSWORD", (cAInfo.password == null || cAInfo.password.length == 0) ? "" : "*")));
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(null);
            keyStore.setKeyEntry("ca", cAInfo.certAndKey.key, cAInfo.password, new Certificate[]{cAInfo.certAndKey.cert});
            ZipEntryStream zipEntryStream = new ZipEntryStream(this, zipOutputStream, str + "/ca.p12");
            try {
                keyStore.store(zipEntryStream, cAInfo.password);
                zipEntryStream.close();
            } finally {
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new ElasticsearchException("Failed to write CA to ZIP file", e, new Object[0]);
        }
    }

    private void writeKibanaInfo(ZipOutputStream zipOutputStream, String str, CertificateTool.CAInfo cAInfo, Environment environment) {
        String str2 = cAInfo == null ? "" : "elasticsearch-ca.pem";
        Map<String, String> buildSubstitutions = buildSubstitutions(environment, Map.ofEntries(Map.entry("CA_CERT_NAME", "elasticsearch-ca.pem"), Map.entry("CA_CERT", str2), Map.entry("YML", "sample-kibana.yml")));
        try {
            writeTextFile(zipOutputStream, str + "/README.txt", KIBANA_README, buildSubstitutions);
            if (cAInfo != null) {
                writePemEntry(zipOutputStream, str + "/" + str2, new JcaMiscPEMGenerator(cAInfo.certAndKey.cert));
            }
            writeTextFile(zipOutputStream, str + "/sample-kibana.yml", KIBANA_YML, buildSubstitutions);
        } catch (IOException e) {
            throw new ElasticsearchException("Failed to write Kibana details ZIP file", e, new Object[0]);
        }
    }

    private void writeTextFile(ZipOutputStream zipOutputStream, String str, String str2, Map<String, String> map) {
        try {
            InputStream resourceAsStream = getClass().getResourceAsStream("certutil-http/" + str2);
            try {
                ZipEntryStream zipEntryStream = new ZipEntryStream(this, zipOutputStream, str);
                try {
                    PrintWriter printWriter = new PrintWriter(zipEntryStream, false, StandardCharsets.UTF_8);
                    try {
                        if (resourceAsStream == null) {
                            throw new IllegalStateException("Cannot find internal resource " + str2);
                        }
                        copyWithSubstitutions(resourceAsStream, printWriter, map);
                        printWriter.flush();
                        printWriter.close();
                        zipEntryStream.close();
                        if (resourceAsStream != null) {
                            resourceAsStream.close();
                        }
                    } catch (Throwable th) {
                        try {
                            printWriter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    try {
                        zipEntryStream.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                    throw th3;
                }
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException("Cannot add resource " + str2 + " to zip file", e);
        }
    }

    static void copyWithSubstitutions(InputStream inputStream, PrintWriter printWriter, Map<String, String> map) throws IOException {
        boolean z = false;
        for (String str : Streams.readAllLines(inputStream)) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                str = str.replace("${" + entry.getKey() + "}", entry.getValue());
            }
            if (str.startsWith("#if ")) {
                z = Strings.isNullOrEmpty(map.get(str.substring(4).trim()));
            } else if (str.equals("#else")) {
                z = !z;
            } else if (str.equals("#endif")) {
                z = false;
            } else if (!z) {
                printWriter.println(str);
            }
        }
    }

    private static Map<String, String> buildSubstitutions(Environment environment, Map<String, String> map) {
        Map<String, String> newMapWithExpectedSize = Maps.newMapWithExpectedSize(map.size() + 4);
        ZonedDateTime withNano = ZonedDateTime.now().withNano(0);
        newMapWithExpectedSize.put("DATE", withNano.format(DateTimeFormatter.ISO_LOCAL_DATE));
        newMapWithExpectedSize.put("TIME", withNano.format(DateTimeFormatter.ISO_OFFSET_TIME));
        newMapWithExpectedSize.put("VERSION", Version.CURRENT.toString());
        newMapWithExpectedSize.put("CONF_DIR", environment.configFile().toAbsolutePath().toString());
        newMapWithExpectedSize.putAll(map);
        return newMapWithExpectedSize;
    }

    private void writeKeyStore(ZipOutputStream zipOutputStream, String str, Certificate certificate, PrivateKey privateKey, char[] cArr, X509Certificate x509Certificate) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null);
        keyStore.setKeyEntry("http", privateKey, cArr, new Certificate[]{certificate});
        if (x509Certificate != null) {
            keyStore.setCertificateEntry("ca", x509Certificate);
        }
        ZipEntryStream zipEntryStream = new ZipEntryStream(this, zipOutputStream, str);
        try {
            keyStore.store(zipEntryStream, cArr);
            zipEntryStream.close();
        } catch (Throwable th) {
            try {
                zipEntryStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private void writePemEntry(ZipOutputStream zipOutputStream, String str, PemObjectGenerator pemObjectGenerator) throws IOException {
        ZipEntryStream zipEntryStream = new ZipEntryStream(this, zipOutputStream, str);
        try {
            JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new OutputStreamWriter(zipEntryStream, StandardCharsets.UTF_8));
            try {
                jcaPEMWriter.writeObject(pemObjectGenerator);
                jcaPEMWriter.flush();
                jcaPEMWriter.close();
                zipEntryStream.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                zipEntryStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static JcaMiscPEMGenerator generator(PrivateKey privateKey, char[] cArr) throws IOException {
        return (cArr == null || cArr.length == 0) ? new JcaMiscPEMGenerator(privateKey) : new JcaMiscPEMGenerator(privateKey, CertificateTool.getEncrypter(cArr));
    }

    private static Period getCertificateValidityPeriod(Terminal terminal) {
        printHeader("How long should your certificates be valid?", terminal);
        terminal.println("Every certificate has an expiry date. When the expiry date is reached clients");
        terminal.println("will stop trusting your certificate and TLS connections will fail.");
        terminal.println("");
        terminal.println("Best practice suggests that you should either:");
        terminal.println("(a) set this to a short duration (90 - 120 days) and have automatic processes");
        terminal.println("to generate a new certificate before the old one expires, or");
        terminal.println("(b) set it to a longer duration (3 - 5 years) and then perform a manual update");
        terminal.println("a few months before it expires.");
        terminal.println("");
        terminal.println("You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)");
        terminal.println("");
        return readPeriodInput(terminal, "For how long should your certificate be valid?", DEFAULT_CERT_VALIDITY, 60);
    }

    private static boolean askMultipleCertificates(Terminal terminal) {
        printHeader("Do you wish to generate one certificate per node?", terminal);
        terminal.println("If you have multiple nodes in your cluster, then you may choose to generate a");
        terminal.println("separate certificate for each of these nodes. Each certificate will have its");
        terminal.println("own private key, and will be issued for a specific hostname or IP address.");
        terminal.println("");
        terminal.println("Alternatively, you may wish to generate a single certificate that is valid");
        terminal.println("across all the hostnames or addresses in your cluster.");
        terminal.println("");
        terminal.println("If all of your nodes will be accessed through a single domain");
        terminal.println("(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it");
        terminal.println("simpler to generate one certificate with a wildcard hostname (*.es.example.com)");
        terminal.println("and use that across all of your nodes.");
        terminal.println("");
        terminal.println("However, if you do not have a common domain name, and you expect to add");
        terminal.println("additional nodes to your cluster in the future, then you should generate a");
        terminal.println("certificate per node so that you can more easily generate new certificates when");
        terminal.println("you provision new nodes.");
        terminal.println("");
        return terminal.promptYesNo("Generate a certificate per node?", false);
    }

    private CertOptions getCertificateConfiguration(Terminal terminal, boolean z, String str, Period period, boolean z2) {
        String str2 = null;
        if (z) {
            printHeader("What is the name of " + str + "?", terminal);
            terminal.println("This name will be used as part of the certificate file name, and as a");
            terminal.println("descriptive name within the certificate.");
            terminal.println("");
            terminal.println("You can use any descriptive name that you like, but we recommend using the name");
            terminal.println("of the Elasticsearch node.");
            terminal.println("");
            str2 = terminal.readText(str + " name: ");
            str = str2;
        }
        printHeader("Which hostnames will be used to connect to " + str + "?", terminal);
        terminal.println("These hostnames will be added as \"DNS\" names in the \"Subject Alternative Name\"");
        terminal.println("(SAN) field in your certificate.");
        terminal.println("");
        terminal.println("You should list every hostname and variant that people will use to connect to");
        terminal.println("your cluster over http.");
        terminal.println("Do not list IP addresses here, you will be asked to enter them later.");
        terminal.println("");
        terminal.println("If you wish to use a wildcard certificate (for example *.es.example.com) you");
        terminal.println("can enter that here.");
        ArrayList arrayList = new ArrayList();
        while (true) {
            terminal.println("");
            terminal.println("Enter all the hostnames that you need, one per line.");
            terminal.println("When you are done, press <ENTER> once more to move on to the next step.");
            terminal.println("");
            arrayList.addAll(readMultiLineInput(terminal, HttpCertificateCommand::validateHostname));
            if (arrayList.isEmpty()) {
                terminal.println(Terminal.Verbosity.SILENT, "You did not enter any hostnames.");
                terminal.println("Clients are likely to encounter TLS hostname verification errors if they");
                terminal.println("connect to your cluster using a DNS name.");
            } else {
                terminal.println(Terminal.Verbosity.SILENT, "You entered the following hostnames.");
                terminal.println(Terminal.Verbosity.SILENT, "");
                arrayList.forEach(str3 -> {
                    terminal.println(Terminal.Verbosity.SILENT, " - " + str3);
                });
            }
            terminal.println("");
            if (terminal.promptYesNo("Is this correct", true)) {
                break;
            }
            arrayList.clear();
        }
        printHeader("Which IP addresses will be used to connect to " + str + "?", terminal);
        terminal.println("If your clients will ever connect to your nodes by numeric IP address, then you");
        terminal.println("can list these as valid IP \"Subject Alternative Name\" (SAN) fields in your");
        terminal.println("certificate.");
        terminal.println("");
        terminal.println("If you do not have fixed IP addresses, or not wish to support direct IP access");
        terminal.println("to your cluster then you can just press <ENTER> to skip this step.");
        ArrayList arrayList2 = new ArrayList();
        while (true) {
            terminal.println("");
            terminal.println("Enter all the IP addresses that you need, one per line.");
            terminal.println("When you are done, press <ENTER> once more to move on to the next step.");
            terminal.println("");
            arrayList2.addAll(readMultiLineInput(terminal, HttpCertificateCommand::validateIpAddress));
            if (arrayList2.isEmpty()) {
                terminal.println(Terminal.Verbosity.SILENT, "You did not enter any IP addresses.");
            } else {
                terminal.println(Terminal.Verbosity.SILENT, "You entered the following IP addresses.");
                terminal.println(Terminal.Verbosity.SILENT, "");
                arrayList2.forEach(str4 -> {
                    terminal.println(Terminal.Verbosity.SILENT, " - " + str4);
                });
            }
            terminal.println("");
            if (terminal.promptYesNo("Is this correct", true)) {
                break;
            }
            arrayList2.clear();
        }
        printHeader("Other certificate options", terminal);
        terminal.println("The generated certificate will have the following additional configuration");
        terminal.println("values. These values have been selected based on a combination of the");
        terminal.println("information you have provided above and secure defaults. You should not need to");
        terminal.println("change these values unless you have specific requirements.");
        terminal.println("");
        if (str2 == null) {
            str2 = (String) arrayList.stream().filter(str5 -> {
                return str5.indexOf(42) == -1;
            }).findFirst().or(() -> {
                return arrayList.stream().map(str6 -> {
                    return str6.replace("*.", "");
                }).findFirst();
            }).orElse("elasticsearch");
        }
        X500Principal buildDistinguishedName = buildDistinguishedName(str2);
        int i = 2048;
        while (true) {
            terminal.println(Terminal.Verbosity.SILENT, "Key Name: " + str2);
            terminal.println(Terminal.Verbosity.SILENT, "Subject DN: " + buildDistinguishedName);
            terminal.println(Terminal.Verbosity.SILENT, "Key Size: " + i);
            terminal.println(Terminal.Verbosity.SILENT, "");
            if (!terminal.promptYesNo("Do you wish to change any of these options?", false)) {
                return new CertOptions(str2, buildDistinguishedName, arrayList, arrayList2, i, period);
            }
            printHeader("What should your key be named?", terminal);
            if (z2) {
                terminal.println("This will be included in the name of the files that are generated");
            } else {
                terminal.println("This will be the entry name in the PKCS#12 keystore that is generated");
            }
            terminal.println("It is helpful to have a meaningful name for this key");
            terminal.println("");
            str2 = (String) tryReadInput(terminal, "Key Name", str2, Function.identity());
            printHeader("What subject DN should be used for your certificate?", terminal);
            terminal.println("This will be visible to clients.");
            terminal.println("It is helpful to have a meaningful name for each certificate");
            terminal.println("");
            buildDistinguishedName = (X500Principal) tryReadInput(terminal, "Subject DN", buildDistinguishedName, str6 -> {
                try {
                    return str6.contains("=") ? new X500Principal(str6) : new X500Principal("CN=" + str6);
                } catch (IllegalArgumentException e) {
                    terminal.println(Terminal.Verbosity.SILENT, "'" + str6 + "' is not a valid DN (" + e.getMessage() + ")");
                    return null;
                }
            });
            printHeader("What key size should your certificate have?", terminal);
            terminal.println("The RSA private key for your certificate has a fixed 'key size' (in bits).");
            terminal.println("Larger key sizes are generally more secure, but are also slower.");
            terminal.println("");
            terminal.println("We recommend that you use one of 2048, 3072 or 4096 bits for your key.");
            i = readKeySize(terminal, i).intValue();
            terminal.println("");
        }
    }

    private static String validateHostname(String str) {
        if (DERIA5String.isIA5String(str)) {
            return null;
        }
        return str + " is not a valid DNS name";
    }

    private static String validateIpAddress(String str) {
        if (InetAddresses.isInetAddress(str)) {
            return null;
        }
        return str + " is not a valid IP address";
    }

    private static X500Principal buildDistinguishedName(String str) {
        return new X500Principal("CN=" + str.replace(".", ",DC="));
    }

    private static List<String> readMultiLineInput(Terminal terminal, Function<String, String> function) {
        ArrayList arrayList = new ArrayList();
        while (true) {
            String readText = terminal.readText("");
            if (Strings.isEmpty(readText)) {
                return arrayList;
            }
            String apply = function.apply(readText);
            if (apply == null) {
                arrayList.add(readText);
            } else {
                terminal.println("Error: " + apply);
            }
        }
    }

    private static boolean askCertSigningRequest(Terminal terminal) {
        printHeader("Do you wish to generate a Certificate Signing Request (CSR)?", terminal);
        terminal.println("A CSR is used when you want your certificate to be created by an existing");
        terminal.println("Certificate Authority (CA) that you do not control (that is, you don't have");
        terminal.println("access to the keys for that CA). ");
        terminal.println("");
        terminal.println("If you are in a corporate environment with a central security team, then you");
        terminal.println("may have an existing Corporate CA that can generate your certificate for you.");
        terminal.println("Infrastructure within your organisation may already be configured to trust this");
        terminal.println("CA, so it may be easier for clients to connect to Elasticsearch if you use a");
        terminal.println("CSR and send that request to the team that controls your CA.");
        terminal.println("");
        terminal.println("If you choose not to generate a CSR, this tool will generate a new certificate");
        terminal.println("for you. That certificate will be signed by a CA under your control. This is a");
        terminal.println("quick and easy way to secure your cluster with TLS, but you will need to");
        terminal.println("configure all your clients to trust that custom CA.");
        terminal.println("");
        return terminal.promptYesNo("Generate a CSR?", false);
    }

    private static CertificateTool.CAInfo findExistingCA(Terminal terminal, Environment environment) throws UserException {
        printHeader("What is the path to your CA?", terminal);
        terminal.println("Please enter the full pathname to the Certificate Authority that you wish to");
        terminal.println("use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS");
        terminal.println("(.jks) or PEM (.crt, .key, .pem) format.");
        Path requestPath = requestPath("CA Path: ", terminal, environment, true);
        FileType guessFileType = guessFileType(requestPath, terminal);
        switch (guessFileType) {
            case PKCS12:
            case JKS:
                terminal.println(Terminal.Verbosity.VERBOSE, "CA file " + requestPath + " appears to be a " + guessFileType + " keystore");
                return readKeystoreCA(requestPath, guessFileType, terminal);
            case PEM_KEY:
                printHeader("What is the path to your CA certificate?", terminal);
                terminal.println(requestPath + " appears to be a PEM formatted private key file.");
                terminal.println("In order to use it for signing we also need access to the certificate");
                terminal.println("that corresponds to that key.");
                terminal.println("");
                return readPemCA(requestPath("CA Certificate: ", terminal, environment, true), requestPath, terminal);
            case PEM_CERT:
                printHeader("What is the path to your CA key?", terminal);
                terminal.println(requestPath + " appears to be a PEM formatted certificate file.");
                terminal.println("In order to use it for signing we also need access to the private key");
                terminal.println("that corresponds to that certificate.");
                terminal.println("");
                return readPemCA(requestPath, requestPath("CA Key: ", terminal, environment, true), terminal);
            case PEM_CERT_CHAIN:
                terminal.println(Terminal.Verbosity.SILENT, "The file at " + requestPath + " contains multiple certificates.");
                terminal.println("That type of file typically represents a certificate-chain");
                terminal.println("This tool requires a single certificate for the CA");
                throw new UserException(65, requestPath + ": Unsupported file type (certificate chain)");
            default:
                terminal.println(Terminal.Verbosity.SILENT, "The file at " + requestPath + " isn't a file type that this tool recognises.");
                terminal.println("Please try again with a CA in PKCS#12, JKS or PEM format");
                throw new UserException(65, requestPath + ": Unrecognized file type");
        }
    }

    private CertificateTool.CAInfo createNewCA(Terminal terminal) {
        terminal.println("A new Certificate Authority will be generated for you");
        printHeader("CA Generation Options", terminal);
        terminal.println("The generated certificate authority will have the following configuration values.");
        terminal.println("These values have been selected based on secure defaults.");
        terminal.println("You should not need to change these values unless you have specific requirements.");
        terminal.println("");
        X500Principal x500Principal = DEFAULT_CA_NAME;
        Period period = DEFAULT_CA_VALIDITY;
        int i = 2048;
        while (true) {
            terminal.println(Terminal.Verbosity.SILENT, "Subject DN: " + x500Principal);
            terminal.println(Terminal.Verbosity.SILENT, "Validity: " + toString(period));
            terminal.println(Terminal.Verbosity.SILENT, "Key Size: " + i);
            terminal.println(Terminal.Verbosity.SILENT, "");
            if (!terminal.promptYesNo("Do you wish to change any of these options?", false)) {
                try {
                    KeyPair generateKeyPair = CertGenUtils.generateKeyPair(i);
                    ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
                    X509Certificate generateSignedCertificate = CertGenUtils.generateSignedCertificate(x500Principal, (GeneralNames) null, generateKeyPair, (X509Certificate) null, (PrivateKey) null, true, now, now.plus((TemporalAmount) period), (String) null);
                    printHeader("CA password", terminal);
                    terminal.println("We recommend that you protect your CA private key with a strong password.");
                    terminal.println("If your key does not have a password (or the password can be easily guessed)");
                    terminal.println("then anyone who gets a copy of the key file will be able to generate new certificates");
                    terminal.println("and impersonate your Elasticsearch cluster.");
                    terminal.println("");
                    terminal.println("IT IS IMPORTANT THAT YOU REMEMBER THIS PASSWORD AND KEEP IT SECURE");
                    terminal.println("");
                    return new CertificateTool.CAInfo(generateSignedCertificate, generateKeyPair.getPrivate(), true, readPassword(terminal, "CA password: ", true));
                } catch (GeneralSecurityException | CertIOException | OperatorCreationException e) {
                    throw new IllegalArgumentException("Cannot generate CA key pair", e);
                }
            }
            printHeader("What should your CA be named?", terminal);
            terminal.println("Every client that connects to your Elasticsearch cluster will need to trust");
            terminal.println("this custom Certificate Authority.");
            terminal.println("It is helpful to have a meaningful name for this CA");
            terminal.println("");
            x500Principal = (X500Principal) tryReadInput(terminal, "CA Name", x500Principal, str -> {
                try {
                    return str.contains("=") ? new X500Principal(str) : new X500Principal("CN=" + str);
                } catch (IllegalArgumentException e2) {
                    terminal.println(Terminal.Verbosity.SILENT, "'" + str + "' is not a valid CA name (" + e2.getMessage() + ")");
                    return null;
                }
            });
            printHeader("How long should your CA be valid?", terminal);
            terminal.println("Every certificate has an expiry date. When the expiry date is reached, clients");
            terminal.println("will stop trusting your Certificate Authority and TLS connections will fail.");
            terminal.println("");
            terminal.println("We recommend that you set this to a long duration (3 - 5 years) and then perform a");
            terminal.println("manual update a few months before it expires.");
            terminal.println("You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)");
            period = readPeriodInput(terminal, "CA Validity", period, 90);
            printHeader("What key size should your CA have?", terminal);
            terminal.println("The RSA private key for your Certificate Authority has a fixed 'key size' (in bits).");
            terminal.println("Larger key sizes are generally more secure, but are also slower.");
            terminal.println("");
            terminal.println("We recommend that you use one of 2048, 3072 or 4096 bits for your key.");
            i = readKeySize(terminal, i).intValue();
            terminal.println("");
        }
    }

    static Period readPeriodInput(Terminal terminal, String str, Period period, int i) {
        return (Period) tryReadInput(terminal, str, period, str2 -> {
            String replaceAll = str2.replaceAll("[,\\s]", "");
            if (str2.charAt(0) != 'P') {
                replaceAll = "P" + replaceAll;
            }
            try {
                Period parse = Period.parse(replaceAll);
                if ((30 * parse.toTotalMonths()) + parse.getDays() < i) {
                    terminal.println("The period '" + toString(parse) + "' is less than the recommended period");
                    if (!terminal.promptYesNo("Are you sure?", false)) {
                        return null;
                    }
                }
                return parse;
            } catch (DateTimeParseException e) {
                terminal.println("Sorry, I do not understand '" + str2 + "' (" + e.getMessage() + ")");
                return null;
            }
        });
    }

    private static Integer readKeySize(Terminal terminal, int i) {
        return (Integer) tryReadInput(terminal, "Key Size", Integer.valueOf(i), str -> {
            try {
                int parseInt = Integer.parseInt(str);
                if (parseInt < 1024) {
                    terminal.println("Keys must be at least 1024 bits");
                    return null;
                }
                if (parseInt > 8192) {
                    terminal.println("Keys cannot be larger than 8192 bits");
                    return null;
                }
                if (parseInt % 1024 == 0) {
                    return Integer.valueOf(parseInt);
                }
                terminal.println("The key size should be a multiple of 1024 bits");
                return null;
            } catch (NumberFormatException e) {
                terminal.println("The key size must be a positive integer");
                return null;
            }
        });
    }

    private static char[] readPassword(Terminal terminal, String str, boolean z) {
        while (true) {
            char[] readSecret = terminal.readSecret(str + " [<ENTER> for none]");
            if (readSecret.length == 0) {
                return readSecret;
            }
            if (!CertificateTool.isAscii(readSecret)) {
                terminal.println(Terminal.Verbosity.SILENT, "Passwords must be plain ASCII");
            } else if (z && !Arrays.equals(readSecret, terminal.readSecret("Repeat password to confirm: "))) {
                terminal.println("Passwords do not match");
            } else if (CertificateTool.checkAndConfirmPasswordLengthForOpenSSLCompatibility(readSecret, terminal, z)) {
                return readSecret;
            }
        }
    }

    private static CertificateTool.CAInfo readKeystoreCA(Path path, FileType fileType, Terminal terminal) throws UserException {
        String str = fileType == FileType.PKCS12 ? "PKCS12" : "jks";
        terminal.println("Reading a " + str + " keystore requires a password.");
        terminal.println("It is possible for the keystore's password to be blank,");
        terminal.println("in which case you can simply press <ENTER> at the prompt");
        char[] readSecret = terminal.readSecret("Password for " + path.getFileName() + ":");
        try {
            Map readKeyPairsFromKeystore = CertParsingUtils.readKeyPairsFromKeystore(path, str, readSecret, str2 -> {
                return readSecret;
            });
            if (readKeyPairsFromKeystore.size() == 1) {
                Map.Entry entry = (Map.Entry) readKeyPairsFromKeystore.entrySet().iterator().next();
                return new CertificateTool.CAInfo((X509Certificate) entry.getKey(), (PrivateKey) entry.getValue());
            }
            if (readKeyPairsFromKeystore.isEmpty()) {
                terminal.println(Terminal.Verbosity.SILENT, "The keystore at " + path + " does not contain any keys ");
            } else {
                terminal.println(Terminal.Verbosity.SILENT, "The keystore at " + path + " contains " + readKeyPairsFromKeystore.size() + " keys,");
                terminal.println(Terminal.Verbosity.SILENT, "but this command requires a keystore with a single key");
            }
            terminal.println("Please try again with a keystore that contains exactly 1 private key entry");
            throw new UserException(65, "The CA keystore " + path + " contains " + readKeyPairsFromKeystore.size() + " keys");
        } catch (IOException | GeneralSecurityException e) {
            throw new ElasticsearchException("Failed to read keystore " + path, e, new Object[0]);
        }
    }

    private static CertificateTool.CAInfo readPemCA(Path path, Path path2, Terminal terminal) throws UserException {
        return new CertificateTool.CAInfo(readCertificate(path, terminal), readPrivateKey(path2, terminal));
    }

    private static X509Certificate readCertificate(Path path, Terminal terminal) throws UserException {
        try {
            X509Certificate[] readX509Certificates = CertParsingUtils.readX509Certificates(List.of(path));
            switch (readX509Certificates.length) {
                case 0:
                    terminal.errorPrintln("Could not read any certificates from " + path);
                    throw new UserException(65, path + ": No certificates found");
                case 1:
                    return readX509Certificates[0];
                default:
                    terminal.errorPrintln("Read [" + readX509Certificates.length + "] certificates from " + path + " but expected 1");
                    throw new UserException(65, path + ": Multiple certificates found");
            }
        } catch (IOException | CertificateException e) {
            throw new ElasticsearchException("Failed to read certificates from " + path, e, new Object[0]);
        }
    }

    private static PrivateKey readPrivateKey(Path path, Terminal terminal) {
        try {
            return PemUtils.readPrivateKey(path, () -> {
                terminal.println("");
                terminal.println("The PEM key stored in " + path + " requires a password.");
                terminal.println("");
                return terminal.readSecret("Password for " + path.getFileName() + ":");
            });
        } catch (IOException | GeneralSecurityException e) {
            throw new ElasticsearchException("Failed to read private key from " + path, e, new Object[0]);
        }
    }

    private static boolean askExistingCertificateAuthority(Terminal terminal) {
        printHeader("Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?", terminal);
        terminal.println("If you have an existing CA certificate and key, then you can use that CA to");
        terminal.println("sign your new http certificate. This allows you to use the same CA across");
        terminal.println("multiple Elasticsearch clusters which can make it easier to configure clients,");
        terminal.println("and may be easier for you to manage.");
        terminal.println("");
        terminal.println("If you do not have an existing CA, one will be generated for you.");
        terminal.println("");
        return terminal.promptYesNo("Use an existing CA?", false);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private static <T> T tryReadInput(Terminal terminal, String str, T t, Function<String, T> function) {
        T apply;
        String httpCertificateCommand = t instanceof Period ? toString((Period) t) : String.valueOf(t);
        do {
            String readText = terminal.readText(str + " [" + httpCertificateCommand + "] ");
            if (Strings.isEmpty(readText)) {
                return t;
            }
            apply = function.apply(readText);
        } while (apply == null);
        return apply;
    }

    static String toString(Period period) {
        if (period == null) {
            return "N/A";
        }
        if (period.isZero()) {
            return "0d";
        }
        ArrayList arrayList = new ArrayList(3);
        if (period.getYears() != 0) {
            arrayList.add(period.getYears() + "y");
        }
        if (period.getMonths() != 0) {
            arrayList.add(period.getMonths() + "m");
        }
        if (period.getDays() != 0) {
            arrayList.add(period.getDays() + "d");
        }
        return Strings.collectionToCommaDelimitedString(arrayList);
    }

    private static Path requestPath(String str, Terminal terminal, Environment environment, boolean z) {
        Path absolutePath;
        while (true) {
            String readText = terminal.readText(str);
            absolutePath = environment.configFile().resolve(readText).toAbsolutePath();
            if (absolutePath.getFileName() == null) {
                terminal.println(Terminal.Verbosity.SILENT, readText + " is not a valid file");
            } else {
                if (!z || Files.isReadable(absolutePath)) {
                    break;
                }
                if (Files.notExists(absolutePath, new LinkOption[0])) {
                    terminal.println(Terminal.Verbosity.SILENT, "The file " + absolutePath + " does not exist");
                } else {
                    terminal.println(Terminal.Verbosity.SILENT, "The file " + absolutePath + " cannot be read");
                }
            }
        }
        return absolutePath;
    }

    static FileType guessFileType(Path path, Terminal terminal) {
        String lowerCase = path == null ? "" : path.getFileName().toString().toLowerCase(Locale.ROOT);
        if (lowerCase.endsWith(".p12") || lowerCase.endsWith(".pfx") || lowerCase.endsWith(".pkcs12")) {
            return FileType.PKCS12;
        }
        if (lowerCase.endsWith(".jks")) {
            return FileType.JKS;
        }
        try {
            InputStream newInputStream = Files.newInputStream(path, new OpenOption[0]);
            try {
                byte[] bArr = new byte[2];
                if (newInputStream.read(bArr) < bArr.length) {
                    FileType fileType = FileType.UNRECOGNIZED;
                    if (newInputStream != null) {
                        newInputStream.close();
                    }
                    return fileType;
                }
                if (Arrays.equals(bArr, MAGIC_BYTES1_PKCS12) || Arrays.equals(bArr, MAGIC_BYTES2_PKCS12) || Arrays.equals(bArr, MAGIC_BYTES2_JDK16_PKCS12)) {
                    FileType fileType2 = FileType.PKCS12;
                    if (newInputStream != null) {
                        newInputStream.close();
                    }
                    return fileType2;
                }
                if (Arrays.equals(bArr, MAGIC_BYTES_JKS)) {
                    FileType fileType3 = FileType.JKS;
                    if (newInputStream != null) {
                        newInputStream.close();
                    }
                    return fileType3;
                }
                if (newInputStream != null) {
                    newInputStream.close();
                }
                try {
                    Stream<String> lines = Files.lines(path, StandardCharsets.UTF_8);
                    try {
                        List list = (List) lines.filter(str -> {
                            return str.startsWith("-----BEGIN");
                        }).map(str2 -> {
                            if (str2.contains("BEGIN CERTIFICATE")) {
                                return FileType.PEM_CERT;
                            }
                            if (str2.contains("PRIVATE KEY")) {
                                return FileType.PEM_KEY;
                            }
                            return null;
                        }).filter(fileType4 -> {
                            return fileType4 != null;
                        }).collect(Collectors.toList());
                        switch (list.size()) {
                            case 0:
                                FileType fileType5 = FileType.UNRECOGNIZED;
                                if (lines != null) {
                                    lines.close();
                                }
                                return fileType5;
                            case 1:
                                FileType fileType6 = (FileType) list.get(0);
                                if (lines != null) {
                                    lines.close();
                                }
                                return fileType6;
                            default:
                                if (list.contains(FileType.PEM_KEY)) {
                                    terminal.errorPrintln("Cannot determine a type for the PEM file " + path + " because it contains: [" + Strings.collectionToCommaDelimitedString(list) + "]");
                                    if (lines != null) {
                                        lines.close();
                                    }
                                    return FileType.UNRECOGNIZED;
                                }
                                FileType fileType7 = FileType.PEM_CERT_CHAIN;
                                if (lines != null) {
                                    lines.close();
                                }
                                return fileType7;
                        }
                    } catch (Throwable th) {
                        if (lines != null) {
                            try {
                                lines.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (IOException | UncheckedIOException e) {
                    terminal.errorPrintln("Cannot determine the file type for " + path);
                    terminal.errorPrintln(e.toString());
                    return FileType.UNRECOGNIZED;
                }
            } finally {
            }
        } catch (IOException e2) {
            terminal.errorPrintln("Failed to read from file " + path);
            terminal.errorPrintln(e2.toString());
            return FileType.UNRECOGNIZED;
        }
    }

    private static void printHeader(String str, Terminal terminal) {
        terminal.println("");
        terminal.println(Terminal.Verbosity.SILENT, "## " + str);
        terminal.println("");
    }

    OptionParser getParser() {
        return this.parser;
    }

    static {
        $assertionsDisabled = !HttpCertificateCommand.class.desiredAssertionStatus();
        DEFAULT_CERT_VALIDITY = Period.ofYears(5);
        DEFAULT_CA_NAME = new X500Principal("CN=Elasticsearch HTTP CA");
        DEFAULT_CA_VALIDITY = DEFAULT_CERT_VALIDITY;
        MAGIC_BYTES1_PKCS12 = new byte[]{48, -126};
        MAGIC_BYTES2_PKCS12 = new byte[]{48, 86};
        MAGIC_BYTES2_JDK16_PKCS12 = new byte[]{48, 101};
        MAGIC_BYTES_JKS = new byte[]{-2, -19};
    }
}
