package eu.emi.security.authn.x509.proxy;

import eu.emi.security.authn.x509.helpers.proxy.ProxyAddressRestrictionData;
import eu.emi.security.authn.x509.helpers.proxy.ProxyCSRImpl;
import eu.emi.security.authn.x509.helpers.proxy.ProxyCertInfoExtension;
import eu.emi.security.authn.x509.helpers.proxy.ProxyGeneratorHelper;
import eu.emi.security.authn.x509.helpers.proxy.ProxySAMLExtension;
import eu.emi.security.authn.x509.helpers.proxy.ProxyTracingExtension;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.jce.PKCS10CertificationRequest;

/* loaded from: input_file:eu/emi/security/authn/x509/proxy/ProxyCSRGenerator.class */
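/**
 * Builds PKCS#10 certificate signing requests for proxy certificates from a
 * {@link ProxyCertificateOptions} description.
 *
 * <p>Every requested extension is carried in the CSR as its own
 * {@code pkcs_9_at_extensionRequest} attribute.
 */
public class ProxyCSRGenerator {
    /*
     * NOTE(review): the CSR is signed with SHA-1. SHA-1 is no longer considered
     * collision resistant and many current verifiers reject it. Moving to a
     * SHA-256 based algorithm changes the bytes on the wire, so confirm that the
     * peers consuming these requests accept it before switching. The value also
     * fixes the key type to RSA; a signing key of another type is presumably
     * rejected by the provider (InvalidKeyException) - verify.
     */
    private static final String CSR_SIGNATURE_ALGORITHM = "SHA1WITHRSA";

    /**
     * Generates a proxy CSR without an externally supplied signing key.
     *
     * <p>Equivalent to {@code generate(proxyCertificateOptions, null)}: the request
     * is signed with the private key of a freshly generated key pair, which means
     * the options must not carry a manually set public key.
     *
     * @param proxyCertificateOptions description of the proxy to request
     * @return the generated CSR wrapper
     * @throws IllegalArgumentException if the options carry a public key, because
     *         no signing key is available in that case
     */
    public static ProxyCSR generate(ProxyCertificateOptions proxyCertificateOptions) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateEncodingException {
        return generate(proxyCertificateOptions, null);
    }

    /**
     * Generates a proxy CSR, optionally signed with a caller supplied key.
     *
     * <p>When the options carry no public key, a new key pair of
     * {@code getKeyLength()} bits is generated and its public half is placed in
     * the request. When the options carry a public key, that key is used and
     * {@code privateKey} is mandatory.
     *
     * <p>The private key handed to the returned {@link ProxyCSR} is the one from
     * the generated key pair; it is {@code null} when the public key was set
     * manually, so callers must not rely on it in that case.
     *
     * @param proxyCertificateOptions description of the proxy to request
     * @param privateKey key used to sign the request, or {@code null} to sign with
     *        the generated private key
     * @return the generated CSR wrapper
     * @throws IllegalArgumentException if no signing key is available
     * @throws RuntimeException if the security provider needed for signing is not
     *         installed
     */
    public static ProxyCSR generate(ProxyCertificateOptions proxyCertificateOptions, PrivateKey privateKey) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateEncodingException {
        PublicKey presetPublicKey = proxyCertificateOptions.getPublicKey();
        KeyPair keyPair;
        if (presetPublicKey == null) {
            keyPair = ProxyGeneratorHelper.generateKeyPair(proxyCertificateOptions.getKeyLength());
        } else {
            // Only the public half is known here; the private half stays null.
            keyPair = new KeyPair(presetPublicKey, null);
        }

        // NOTE(review): when a key pair is generated AND the caller passes its own
        // privateKey, the request embeds the generated public key but is signed with
        // the caller's key. Unless the two belong together the CSR signature will not
        // verify against the embedded key - confirm callers never combine the two.
        PrivateKey signingKey = privateKey != null ? privateKey : keyPair.getPrivate();
        if (signingKey == null) {
            throw new IllegalArgumentException("Signing (private) key can not be null when using a manually set public key");
        }

        try {
            // Subject DN of the proxy is derived from the subject of the first
            // certificate in the parent chain.
            byte[] subjectDer = ProxyGeneratorHelper.generateDN(
                    proxyCertificateOptions.getParentCertChain()[0].getSubjectX500Principal(),
                    proxyCertificateOptions.getType(),
                    proxyCertificateOptions.isLimited(),
                    ProxyGeneratorHelper.establishSerial(proxyCertificateOptions)).getDEREncoded();
            PKCS10CertificationRequest request = new PKCS10CertificationRequest(
                    CSR_SIGNATURE_ALGORITHM,
                    new X500Principal(subjectDer),
                    keyPair.getPublic(),
                    generateAttributes(proxyCertificateOptions),
                    signingKey);
            return new ProxyCSRImpl(request, keyPair.getPrivate());
        } catch (NoSuchProviderException e) {
            throw new RuntimeException("Default provider not installed?", e);
        }
    }

    /**
     * Collects the CSR attributes that describe the requested proxy extensions.
     *
     * <p>Order of the produced attributes: custom extensions from the options, the
     * proxy cert info extension, tracing issuer, tracing subject, SAML assertion,
     * source address restrictions, target address restrictions.
     *
     * @param proxyCertificateOptions description of the proxy to request
     * @return a DER set holding one attribute per requested extension
     */
    private static ASN1Set generateAttributes(ProxyCertificateOptions proxyCertificateOptions) {
        List<Attribute> attributes = new ArrayList<Attribute>();
        for (CertificateExtension extension : proxyCertificateOptions.getExtensions()) {
            addAttribute(attributes, extension);
        }

        ProxyPolicy policy = proxyCertificateOptions.getPolicy();
        int proxyPathLimit = proxyCertificateOptions.getProxyPathLimit();
        // Legacy proxies never get a proxy cert info extension. For the other types
        // it is requested only when a policy or a path limit was set
        // (-1 presumably means "no limit" - TODO confirm against ProxyCertificateOptions).
        if (proxyCertificateOptions.getType() != ProxyType.LEGACY && (policy != null || proxyPathLimit != -1)) {
            if (policy == null) {
                policy = new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID);
            }
            // The proxy cert info extension is the only one requested as critical.
            addAttribute(attributes, new CertificateExtension(proxyCertificateOptions.getType() == ProxyType.DRAFT_RFC ? ProxyCertInfoExtension.DRAFT_EXTENSION_OID : ProxyCertInfoExtension.RFC_EXTENSION_OID, new ProxyCertInfoExtension(proxyPathLimit, policy), true));
        }

        if (proxyCertificateOptions.getProxyTracingIssuer() != null) {
            addAttribute(attributes, new CertificateExtension(ProxyTracingExtension.PROXY_TRACING_ISSUER_EXTENSION_OID, new ProxyTracingExtension(proxyCertificateOptions.getProxyTracingIssuer()), false));
        }
        if (proxyCertificateOptions.getProxyTracingSubject() != null) {
            addAttribute(attributes, new CertificateExtension(ProxyTracingExtension.PROXY_TRACING_SUBJECT_EXTENSION_OID, new ProxyTracingExtension(proxyCertificateOptions.getProxyTracingSubject()), false));
        }
        if (proxyCertificateOptions.getSAMLAssertion() != null) {
            addAttribute(attributes, new CertificateExtension(ProxySAMLExtension.SAML_OID, new ProxySAMLExtension(proxyCertificateOptions.getSAMLAssertion()), false));
        }

        // NOTE(review): the address restrictions are requested as non-critical, so a
        // verifier that does not understand them may ignore them - confirm that the
        // relying parties enforce these OIDs before depending on them.
        ProxyAddressRestrictionData sourceRestriction = buildAddressRestriction(
                proxyCertificateOptions.getSourceRestrictionExcludedAddresses(),
                proxyCertificateOptions.getSourceRestrictionPermittedAddresses());
        if (sourceRestriction != null) {
            addAttribute(attributes, new CertificateExtension(ProxyAddressRestrictionData.SOURCE_RESTRICTION_OID, sourceRestriction, false));
        }
        ProxyAddressRestrictionData targetRestriction = buildAddressRestriction(
                proxyCertificateOptions.getTargetRestrictionExcludedAddresses(),
                proxyCertificateOptions.getTargetRestrictionPermittedAddresses());
        if (targetRestriction != null) {
            addAttribute(attributes, new CertificateExtension(ProxyAddressRestrictionData.TARGET_RESTRICTION_OID, targetRestriction, false));
        }

        ASN1Encodable[] encoded = attributes.toArray(new Attribute[attributes.size()]);
        return new DERSet(encoded);
    }

    /**
     * Builds the address restriction payload from excluded and permitted lists.
     *
     * @param excludedAddresses excluded addresses with netmask, may be {@code null}
     * @param permittedAddresses permitted addresses with netmask, may be {@code null}
     * @return the restriction data, or {@code null} when both arrays are {@code null}
     */
    private static ProxyAddressRestrictionData buildAddressRestriction(String[] excludedAddresses, String[] permittedAddresses) {
        if (excludedAddresses == null && permittedAddresses == null) {
            return null;
        }
        ProxyAddressRestrictionData restriction = new ProxyAddressRestrictionData();
        if (excludedAddresses != null) {
            for (String address : excludedAddresses) {
                restriction.addExcludedIPAddressWithNetmask(address);
            }
        }
        if (permittedAddresses != null) {
            for (String address : permittedAddresses) {
                restriction.addPermittedIPAddressWithNetmask(address);
            }
        }
        return restriction;
    }

    /**
     * Wraps one encodable value in its own extension request attribute and appends
     * it to the list.
     *
     * @param list attribute list being built
     * @param dEREncodable value to wrap
     */
    private static void addAttribute(List<Attribute> list, DEREncodable dEREncodable) {
        list.add(new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(dEREncodable)));
    }

    static {
        // Runs once at class initialisation; presumably registers the security
        // provider used for signing - see CertificateUtils.
        CertificateUtils.configureSecProvider();
    }
}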
