package eu.emi.security.authn.x509.helpers.proxy;

import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import eu.emi.security.authn.x509.proxy.BaseProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.CertificateExtension;
import eu.emi.security.authn.x509.proxy.ProxyCertificate;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.ProxyPolicy;
import eu.emi.security.authn.x509.proxy.ProxyRequestOptions;
import eu.emi.security.authn.x509.proxy.ProxyType;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.jce.provider.JDKKeyPairGenerator;

/* loaded from: input_file:eu/emi/security/authn/x509/helpers/proxy/ProxyGeneratorHelper.class */
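/**
 * Builds X.509 proxy certificates (legacy, draft-RFC and RFC proxy types) either
 * from {@link ProxyCertificateOptions}, in which case the proxy key pair may be
 * generated here, or from a certificate request carried in
 * {@link ProxyRequestOptions}, in which case only the requester's public key is
 * certified.
 * <p>
 * The individual generation steps communicate through instance fields, so an
 * instance is not thread-safe; every {@code generate} call re-initialises all
 * of that state before use.
 */
public class ProxyGeneratorHelper {
    /**
     * Shared randomness source for generated key pairs and random serial numbers.
     * {@link SecureRandom} is thread-safe; creating it once avoids re-seeding on every call.
     */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Public key certified by the proxy: taken from the options/request or freshly generated. */
    private PublicKey proxyPublicKey = null;
    /** Private half of a key pair generated here; null when the caller supplied the public key. */
    private transient PrivateKey proxyPrivateKey = null;
    /** Accumulates the TBS fields and extensions of the proxy before signing. */
    private X509v3CertificateBuilder certBuilder;
    /** The signed proxy certificate, set by {@link #buildCertificate}. */
    private X509Certificate proxy;

    /**
     * Generates a proxy certificate. When the options carry no public key, a fresh RSA
     * key pair of the configured length is generated and its private key is returned
     * together with the certificate chain.
     *
     * @param proxyCertificateOptions what to issue; the first element of its parent chain is the issuer
     * @param privateKey the issuer's private key used to sign the proxy
     * @return the proxy certificate chain (proxy first), plus the generated private key if any
     * @throws InvalidKeyException if the proxy public key cannot be encoded, or a generated key is unusable
     * @throws SignatureException if signing fails
     * @throws NoSuchAlgorithmException if the issuer's signature algorithm is not available
     * @throws CertificateParsingException if the issuer certificate or the result cannot be (de)coded
     */
    public ProxyCertificate generate(ProxyCertificateOptions proxyCertificateOptions, PrivateKey privateKey) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException {
        establishKeys(proxyCertificateOptions);
        return generateCommon(proxyCertificateOptions, privateKey);
    }

    /**
     * Generates a proxy certificate for the public key found in a certificate request.
     * No private key is produced on this path, so only the chain is returned.
     *
     * @param proxyRequestOptions what to issue, including the request whose public key is certified
     * @param privateKey the issuer's private key used to sign the proxy
     * @return the certificate chain with the new proxy at index 0 followed by the parent chain
     * @throws InvalidKeyException if the requested public key cannot be encoded
     * @throws SignatureException if signing fails
     * @throws NoSuchAlgorithmException if the issuer's signature algorithm is not available
     * @throws CertificateParsingException if the issuer certificate or the result cannot be (de)coded
     * @throws IllegalStateException if the BC provider needed to read the request is not registered
     */
    public X509Certificate[] generate(ProxyRequestOptions proxyRequestOptions, PrivateKey privateKey) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException {
        try {
            this.proxyPublicKey = proxyRequestOptions.getProxyRequest().getPublicKey();
            // The requester holds the private key; clear any key left over from a
            // previous generate(ProxyCertificateOptions, ...) call on this instance.
            this.proxyPrivateKey = null;
            return generateCommon(proxyRequestOptions, privateKey).getCertificateChain();
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException("BC provider is not registered, it is a BUG", e);
        }
    }

    /**
     * Shared generation pipeline: set up the builder, add extensions, sign, wrap.
     * Expects {@link #proxyPublicKey} (and optionally {@link #proxyPrivateKey}) to be set.
     *
     * @param baseProxyCertificateOptions issuing options; the parent chain must not be empty
     * @param privateKey the issuer's signing key
     * @return the wrapped proxy certificate
     * @throws IllegalArgumentException if the parent chain is missing or empty
     */
    private ProxyCertificate generateCommon(BaseProxyCertificateOptions baseProxyCertificateOptions, PrivateKey privateKey) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException {
        X509Certificate[] parentChain = baseProxyCertificateOptions.getParentCertChain();
        if (parentChain == null || parentChain.length == 0) {
            // Fail with a clear message instead of an ArrayIndexOutOfBoundsException on parentChain[0].
            throw new IllegalArgumentException("The parent certificate chain must contain at least the issuing certificate");
        }
        setupCertBuilder(baseProxyCertificateOptions);
        addExtensions(baseProxyCertificateOptions);
        try {
            buildCertificate(parentChain[0], privateKey);
            return wrapResult(parentChain);
        } catch (IOException e) {
            throw new CertificateParsingException("Can not encode the certificate to the binary DER form", e);
        } catch (NoSuchProviderException e2) {
            throw new RuntimeException("Default signature provider is not available? A bug or serious JDK misconfiguration.", e2);
        }
    }

    /**
     * Decides which key pair the proxy certifies: the public key from the options if
     * present, otherwise a freshly generated RSA pair whose private half is kept for the result.
     *
     * @param proxyCertificateOptions source of the optional public key and of the key length
     */
    private void establishKeys(ProxyCertificateOptions proxyCertificateOptions) {
        this.proxyPublicKey = proxyCertificateOptions.getPublicKey();
        this.proxyPrivateKey = null;
        if (this.proxyPublicKey == null) {
            KeyPair pair = generateKeyPair(proxyCertificateOptions.getKeyLength());
            this.proxyPublicKey = pair.getPublic();
            this.proxyPrivateKey = pair.getPrivate();
        }
    }

    /**
     * Initialises {@link #certBuilder} with issuer, serial, validity, subject and the proxy public key.
     *
     * @param baseProxyCertificateOptions provides the issuer (parent chain element 0), notBefore and lifetime
     * @throws InvalidKeyException if the proxy public key's encoding cannot be parsed as SubjectPublicKeyInfo
     */
    private void setupCertBuilder(BaseProxyCertificateOptions baseProxyCertificateOptions) throws InvalidKeyException {
        X509Certificate issuer = baseProxyCertificateOptions.getParentCertChain()[0];
        X500Principal issuerDN = issuer.getSubjectX500Principal();
        Date notBefore = baseProxyCertificateOptions.getNotBefore();
        // Lifetime is in seconds; multiply in long so that long lifetimes cannot overflow
        // an int product before it is added to the millisecond timestamp.
        long lifetimeMillis = 1000L * baseProxyCertificateOptions.getLifetime();
        Date notAfter = new Date(notBefore.getTime() + lifetimeMillis);
        BigInteger serial = establishSerial(baseProxyCertificateOptions);
        X500Name subject = generateDN(issuerDN, baseProxyCertificateOptions.getType(),
                baseProxyCertificateOptions.isLimited(), serial);
        try {
            SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(
                    new ASN1InputStream(this.proxyPublicKey.getEncoded()).readObject());
            this.certBuilder = new X509v3CertificateBuilder(CertificateHelpers.toX500Name(issuerDN),
                    serial, notBefore, notAfter, subject, spki);
        } catch (IOException e) {
            throw new InvalidKeyException("Can not parse the public key being included in the proxy certificate", e);
        }
    }

    /**
     * Adds all extensions to {@link #certBuilder}, in this fixed order: key usage,
     * proxy certificate info (non-legacy types only), tracing issuer/subject, SAML
     * assertion, attribute certificates, source and target address restrictions,
     * and finally any caller-supplied extensions.
     *
     * @param baseProxyCertificateOptions source of all extension contents
     */
    private void addExtensions(BaseProxyCertificateOptions baseProxyCertificateOptions) {
        ProxyType type = baseProxyCertificateOptions.getType();
        // 0xB0: digitalSignature | keyEncipherment | dataEncipherment.
        this.certBuilder.addExtension(X509Extension.keyUsage, false,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));
        if (type != ProxyType.LEGACY) {
            ProxyPolicy policy = baseProxyCertificateOptions.getPolicy();
            if (policy == null) {
                policy = new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID);
            }
            // The proxy-cert-info extension is the only critical one added here.
            String infoOid = type == ProxyType.DRAFT_RFC
                    ? ProxyCertInfoExtension.DRAFT_EXTENSION_OID
                    : ProxyCertInfoExtension.RFC_EXTENSION_OID;
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(infoOid), true,
                    new ProxyCertInfoExtension(baseProxyCertificateOptions.getProxyPathLimit(), policy));
        }
        String tracingIssuer = baseProxyCertificateOptions.getProxyTracingIssuer();
        if (tracingIssuer != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxyTracingExtension.PROXY_TRACING_ISSUER_EXTENSION_OID),
                    false, new ProxyTracingExtension(tracingIssuer));
        }
        String tracingSubject = baseProxyCertificateOptions.getProxyTracingSubject();
        if (tracingSubject != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxyTracingExtension.PROXY_TRACING_SUBJECT_EXTENSION_OID),
                    false, new ProxyTracingExtension(tracingSubject));
        }
        if (baseProxyCertificateOptions.getSAMLAssertion() != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxySAMLExtension.SAML_OID), false,
                    new ProxySAMLExtension(baseProxyCertificateOptions.getSAMLAssertion()));
        }
        if (baseProxyCertificateOptions.getAttributeCertificates() != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxyACExtension.AC_OID), false,
                    new ProxyACExtension(baseProxyCertificateOptions.getAttributeCertificates()));
        }
        ProxyAddressRestrictionData sourceRestriction = buildAddressRestriction(
                baseProxyCertificateOptions.getSourceRestrictionExcludedAddresses(),
                baseProxyCertificateOptions.getSourceRestrictionPermittedAddresses());
        if (sourceRestriction != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxyAddressRestrictionData.SOURCE_RESTRICTION_OID),
                    false, sourceRestriction);
        }
        ProxyAddressRestrictionData targetRestriction = buildAddressRestriction(
                baseProxyCertificateOptions.getTargetRestrictionExcludedAddresses(),
                baseProxyCertificateOptions.getTargetRestrictionPermittedAddresses());
        if (targetRestriction != null) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(ProxyAddressRestrictionData.TARGET_RESTRICTION_OID),
                    false, targetRestriction);
        }
        for (CertificateExtension extension : baseProxyCertificateOptions.getExtensions()) {
            this.certBuilder.addExtension(new ASN1ObjectIdentifier(extension.getOid()),
                    extension.isCritical(), extension.getValue());
        }
    }

    /**
     * Builds the address-restriction payload for one direction (source or target).
     *
     * @param excluded addresses with netmask to exclude, may be null
     * @param permitted addresses with netmask to permit, may be null
     * @return the populated restriction data, or null when neither list was given
     */
    private static ProxyAddressRestrictionData buildAddressRestriction(String[] excluded, String[] permitted) {
        if (excluded == null && permitted == null) {
            return null;
        }
        ProxyAddressRestrictionData data = new ProxyAddressRestrictionData();
        if (excluded != null) {
            for (String address : excluded) {
                data.addExcludedIPAddressWithNetmask(address);
            }
        }
        if (permitted != null) {
            for (String address : permitted) {
                data.addPermittedIPAddressWithNetmask(address);
            }
        }
        return data;
    }

    /**
     * Signs the prepared builder with the issuer's key, reusing the issuer certificate's
     * signature algorithm, and stores the result in {@link #proxy}.
     *
     * @param x509Certificate the issuer certificate
     * @param privateKey the issuer's private key
     * @throws CertificateParsingException if the issuer's algorithm parameters cannot be read
     */
    private void buildCertificate(X509Certificate x509Certificate, PrivateKey privateKey) throws CertificateParsingException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, IOException {
        try {
            AlgorithmIdentifier algorithmId = X509v3CertificateBuilder.extractAlgorithmId(x509Certificate);
            this.proxy = this.certBuilder.build(privateKey, algorithmId, x509Certificate.getSigAlgName(), null, null);
        } catch (IOException e) {
            throw new CertificateParsingException("Can not parse parameters of the public key contained in the issuer certificate", e);
        }
    }

    /**
     * Prepends the new proxy to the parent chain and wraps the chain, together with
     * the generated private key when there is one.
     *
     * @param x509CertificateArr the parent chain (issuer first)
     * @return the proxy certificate holder
     * @throws InvalidKeyException if the generated private key is rejected by the holder
     */
    private ProxyCertificate wrapResult(X509Certificate[] x509CertificateArr) throws InvalidKeyException {
        X509Certificate[] chain = new X509Certificate[x509CertificateArr.length + 1];
        chain[0] = this.proxy;
        System.arraycopy(x509CertificateArr, 0, chain, 1, x509CertificateArr.length);
        if (this.proxyPrivateKey == null) {
            return new ProxyCertificateImpl(chain);
        }
        try {
            return new ProxyCertificateImpl(chain, this.proxyPrivateKey);
        } catch (KeyStoreException e) {
            throw new InvalidKeyException("The generated private key is unsupported, bug?", e);
        }
    }

    /**
     * Chooses the proxy serial number: legacy proxies reuse the issuer's serial, other
     * types use the serial requested in the options or, failing that, a random one.
     *
     * @param baseProxyCertificateOptions the issuing options
     * @return the serial to place in the certificate (and, for non-legacy types, in the CN)
     */
    private BigInteger establishSerial(BaseProxyCertificateOptions baseProxyCertificateOptions) {
        if (baseProxyCertificateOptions.getType() == ProxyType.LEGACY) {
            return baseProxyCertificateOptions.getParentCertChain()[0].getSerialNumber();
        }
        BigInteger requested = baseProxyCertificateOptions.getSerialNumber();
        if (requested != null) {
            return requested;
        }
        // Kept as in the original: a 31-bit random value (abs() maps Integer.MIN_VALUE to 2^31).
        // Callers needing a larger or guaranteed-unique serial should set it in the options.
        return BigInteger.valueOf(RANDOM.nextInt()).abs();
    }

    /**
     * Derives the proxy subject: the issuer's DN with one extra CN appended. Legacy proxies
     * get CN="proxy" or CN="limited proxy"; all other types get the serial number as CN.
     *
     * @param x500Principal the issuer's subject
     * @param proxyType the proxy type deciding the CN form
     * @param z whether the (legacy) proxy is limited
     * @param bigInteger the serial number used as CN for non-legacy types
     * @return the issuer DN extended with the proxy CN
     */
    public static X500Name generateDN(X500Principal x500Principal, ProxyType proxyType, boolean z, BigInteger bigInteger) {
        String cn;
        if (proxyType == ProxyType.LEGACY) {
            cn = z ? "limited proxy" : "proxy";
        } else {
            cn = bigInteger.toString();
        }
        X500Name issuerName = CertificateHelpers.toX500Name(x500Principal);
        RDN proxyRdn = new RDN(new AttributeTypeAndValue(BCStyle.CN, new DERPrintableString(cn)));
        RDN[] issuerRdns = issuerName.getRDNs();
        RDN[] subjectRdns = Arrays.copyOf(issuerRdns, issuerRdns.length + 1);
        subjectRdns[issuerRdns.length] = proxyRdn;
        return new X500Name(subjectRdns);
    }

    /**
     * Generates an RSA key pair of the given modulus length using the BC generator.
     *
     * @param i key length in bits
     * @return the new key pair
     */
    public static KeyPair generateKeyPair(int i) {
        JDKKeyPairGenerator.RSA rsa = new JDKKeyPairGenerator.RSA();
        rsa.initialize(i, RANDOM);
        return rsa.generateKeyPair();
    }
}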
