package fi.protonode.certy;

import java.io.BufferedWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.EllipticCurve;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:fi/protonode/certy/Credential.class */
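/**
 * Fluent builder for an X.509 credential: a freshly generated key pair plus a
 * certificate, optionally signed by another {@code Credential} acting as issuer.
 *
 * <p>Call the setters, then {@link #generate()} or any getter; getters generate on
 * first use. Without an issuer the certificate is self-signed.
 *
 * <p>Security notes for users of this class:
 * <ul>
 *   <li>Private keys are exported as <em>unencrypted</em> PKCS#8 PEM. Files written by
 *       {@link #writePrivateKeyAsPem(Path)} are restricted to the owner (mode 0600) on
 *       POSIX file systems; on other file systems the default permissions apply.</li>
 *   <li>No sanity checks are made on the validity period or on whether the issuer is
 *       a CA, so expired, not-yet-valid or non-CA-signed certificates can be produced
 *       (presumably intentional, for negative tests).</li>
 *   <li>Default serial numbers are 64 random bits from {@link SecureRandom}.</li>
 * </ul>
 *
 * <p>Instances hold mutable state and are not thread-safe.
 */
public class Credential {
    protected X500Name subject;
    private GeneralNames subjectAltNames;
    private KeyType keyType;
    private int keySize;
    private Duration expires;
    private Date notBefore;
    private Date notAfter;
    private List<KeyUsage> keyUsages = new ArrayList<>();
    private List<ExtKeyUsage> extKeyUsages = new ArrayList<>();
    protected Credential issuer;
    private Boolean isCa;
    protected BigInteger serial;
    private String crlDistributionPointUri;
    protected KeyPair keyPair;
    protected Certificate certificate;

    /** Extended key usage purposes, mapped to the corresponding BouncyCastle {@link KeyPurposeId}. */
    public enum ExtKeyUsage {
        ANY(KeyPurposeId.anyExtendedKeyUsage),
        SERVER_AUTH(KeyPurposeId.id_kp_serverAuth),
        CLIENT_AUTH(KeyPurposeId.id_kp_clientAuth),
        CODE_SIGNING(KeyPurposeId.id_kp_codeSigning),
        EMAIL_PROTECTION(KeyPurposeId.id_kp_emailProtection),
        TIME_STAMPING(KeyPurposeId.id_kp_timeStamping),
        OCSP_SIGNING(KeyPurposeId.id_kp_OCSPSigning);

        private final KeyPurposeId val;

        ExtKeyUsage(KeyPurposeId keyPurposeId) {
            this.val = keyPurposeId;
        }

        /** @return the BouncyCastle key purpose OID wrapper for this value */
        public KeyPurposeId getValue() {
            return this.val;
        }
    }

    /** Key pair algorithm; the enum name is passed to {@link KeyPairGenerator#getInstance(String)}. */
    public enum KeyType {
        EC,
        RSA
    }

    /**
     * Key usage bits. The values are the bit masks passed straight to the
     * BouncyCastle {@code org.bouncycastle.asn1.x509.KeyUsage} constructor.
     */
    public enum KeyUsage {
        DIGITAL_SIGNATURE(128),
        NON_REPUDIATION(64),
        KEY_ENCIPHERMENT(32),
        DATA_ENCIPHERMENT(16),
        KEY_AGREEMENT(8),
        KEY_CERT_SIGN(4),
        CRL_SIGN(2),
        ENCIPHER_ONLY(1),
        DECIPHER_ONLY(32768);

        private final int val;

        KeyUsage(int i) {
            this.val = i;
        }

        /** @return the key usage bit mask for this value */
        public int getValue() {
            return this.val;
        }
    }

    /**
     * Sets the subject distinguished name.
     *
     * @param str DN in string form, e.g. {@code "CN=www.example.com"}
     * @return this credential
     */
    public Credential subject(String str) {
        this.subject = new X500Name(str);
        return this;
    }

    /**
     * Sets (replaces) the subject alternative names.
     *
     * @param list entries of the form {@code DNS:host}, {@code IP:addr} or {@code URI:uri}
     * @return this credential
     * @throws IllegalArgumentException if an entry has no type prefix, has an unknown
     *         type prefix, or the list is empty
     */
    public Credential subjectAltNames(List<String> list) {
        this.subjectAltNames = asGeneralNames(list);
        return this;
    }

    /**
     * Sets a single subject alternative name, replacing any previously set names.
     *
     * @param str one entry of the form {@code DNS:host}, {@code IP:addr} or {@code URI:uri}
     * @return this credential
     * @throws IllegalArgumentException if the entry cannot be parsed
     */
    public Credential subjectAltName(String str) {
        this.subjectAltNames = asGeneralNames(Arrays.asList(str));
        return this;
    }

    /**
     * Sets the key algorithm (default {@link KeyType#EC}).
     *
     * @param keyType EC or RSA
     * @return this credential
     */
    public Credential keyType(KeyType keyType) {
        this.keyType = keyType;
        return this;
    }

    /**
     * Sets the key size passed to {@link KeyPairGenerator#initialize(int, SecureRandom)}.
     * Defaults to 256 for EC (curve bit size) and 2048 for RSA.
     *
     * @param i key size in bits; 0 selects the default
     * @return this credential
     */
    public Credential keySize(int i) {
        this.keySize = i;
        return this;
    }

    /**
     * Sets the validity period, counted from {@code notBefore}. Ignored when
     * {@link #notAfter(Date)} is set. Defaults to 365 days.
     *
     * @param duration validity period
     * @return this credential
     */
    public Credential expires(Duration duration) {
        this.expires = duration;
        return this;
    }

    /**
     * Sets the start of the validity period (default: time of generation).
     *
     * @param date notBefore date
     * @return this credential
     */
    public Credential notBefore(Date date) {
        this.notBefore = date;
        return this;
    }

    /**
     * Sets the end of the validity period explicitly. No check is made that it is
     * after {@code notBefore}, so already-expired certificates can be produced.
     *
     * @param date notAfter date
     * @return this credential
     */
    public Credential notAfter(Date date) {
        this.notAfter = date;
        return this;
    }

    /**
     * Sets the key usage bits. When left empty, defaults are chosen in
     * {@link #setDefaults()} based on whether this is a CA and on the key type.
     *
     * @param list key usages; the list is copied
     * @return this credential
     */
    public Credential keyUsages(List<KeyUsage> list) {
        this.keyUsages = new ArrayList<>(list);
        return this;
    }

    /**
     * Sets the extended key usages. When empty, no EKU extension is added.
     *
     * @param list extended key usages; the list is copied
     * @return this credential
     */
    public Credential extKeyUsages(List<ExtKeyUsage> list) {
        this.extKeyUsages = new ArrayList<>(list);
        return this;
    }

    /**
     * Sets the issuer whose key signs this certificate. The issuer is generated on
     * demand if it has not been generated yet. No check is made that the issuer is a CA.
     *
     * @param credential issuing credential, or null for a self-signed certificate
     * @return this credential
     */
    public Credential issuer(Credential credential) {
        this.issuer = credential;
        return this;
    }

    /**
     * Sets the CA flag of the (critical) basic constraints extension.
     * Defaults to true when there is no issuer, false otherwise.
     *
     * @param bool CA flag, or null for the default
     * @return this credential
     */
    public Credential ca(Boolean bool) {
        this.isCa = bool;
        return this;
    }

    /**
     * Sets the certificate serial number. Defaults to 64 random bits.
     *
     * @param bigInteger serial number; should be positive and unique per issuer
     * @return this credential
     */
    public Credential serial(BigInteger bigInteger) {
        this.serial = bigInteger;
        return this;
    }

    /**
     * Sets a single URI for the CRL distribution points extension.
     *
     * @param str CRL URI, or null to omit the extension
     * @return this credential
     */
    public Credential crlDistributionPointUri(String str) {
        this.crlDistributionPointUri = str;
        return this;
    }

    /**
     * Generates a new key pair and certificate. Every call produces a fresh key pair;
     * use the getters if generate-once semantics are wanted.
     *
     * @return this credential
     * @throws IllegalArgumentException if no subject has been set
     * @throws CertificateException if the certificate cannot be built or signed
     * @throws NoSuchAlgorithmException if the key or digest algorithm is unavailable
     */
    public Credential generate() throws CertificateException, NoSuchAlgorithmException {
        // Validate before doing any (expensive) key generation.
        if (this.subject == null) {
            throw new IllegalArgumentException("subject name must be set");
        }
        if (this.issuer != null) {
            this.issuer.ensureGenerated();
        }
        setDefaults();
        this.keyPair = newKeyPair(this.keyType, this.keySize);

        Date validFrom = this.notBefore != null ? this.notBefore : new Date();
        Date validTo = this.notAfter != null
                ? this.notAfter
                : Date.from(validFrom.toInstant().plus(this.expires));

        // Self-signed: sign with our own key under our own name.
        X500Name issuerName;
        KeyPair signingKey;
        if (this.issuer == null) {
            issuerName = this.subject;
            signingKey = this.keyPair;
        } else {
            issuerName = this.issuer.subject;
            signingKey = this.issuer.keyPair;
        }

        try {
            ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm(signingKey.getPublic()))
                    .build(signingKey.getPrivate());
            JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                    issuerName, this.serial, validFrom, validTo, this.subject, this.keyPair.getPublic());

            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(this.isCa.booleanValue()));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    extUtils.createSubjectKeyIdentifier(this.keyPair.getPublic()));
            if (this.issuer != null) {
                // RFC 5280 4.2.1.1: issued (non-self-signed) certificates carry the issuer's
                // key identifier so path builders can pair them with the right CA certificate.
                builder.addExtension(Extension.authorityKeyIdentifier, false,
                        extUtils.createAuthorityKeyIdentifier(signingKey.getPublic()));
            }
            builder.addExtension(Extension.keyUsage, true, new org.bouncycastle.asn1.x509.KeyUsage(keyUsageBits()));

            if (this.subjectAltNames != null) {
                // RFC 5280 4.2.1.6: SAN must be critical when the subject DN is empty.
                boolean emptySubject = this.subject.getRDNs().length == 0;
                builder.addExtension(Extension.subjectAlternativeName, emptySubject, this.subjectAltNames);
            }
            if (!this.extKeyUsages.isEmpty()) {
                KeyPurposeId[] purposes = this.extKeyUsages.stream()
                        .map(ExtKeyUsage::getValue)
                        .toArray(KeyPurposeId[]::new);
                builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(purposes));
            }
            if (this.crlDistributionPointUri != null) {
                GeneralName uri = new GeneralName(GeneralName.uniformResourceIdentifier, this.crlDistributionPointUri);
                DistributionPoint point = new DistributionPoint(
                        new DistributionPointName(new GeneralNames(uri)), (ReasonFlags) null, (GeneralNames) null);
                builder.addExtension(Extension.cRLDistributionPoints, false,
                        new CRLDistPoint(new DistributionPoint[] {point}));
            }

            this.certificate = new JcaX509CertificateConverter()
                    .setProvider(new BouncyCastleProvider())
                    .getCertificate(builder.build(signer));
        } catch (CertIOException | OperatorCreationException e) {
            // Keep the cause; the original stack trace is what a caller needs to debug this.
            throw new CertificateException(e.getMessage(), e);
        }
        return this;
    }

    /**
     * Combines the configured key usages into one bit mask. Uses OR rather than a sum
     * so that a duplicated entry cannot carry into a neighbouring bit.
     */
    private int keyUsageBits() {
        return this.keyUsages.stream().mapToInt(KeyUsage::getValue).reduce(0, (acc, bit) -> acc | bit);
    }

    /**
     * @return this certificate as PEM
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     * @throws IOException if PEM encoding fails
     */
    public String getCertificateAsPem() throws CertificateException, NoSuchAlgorithmException, IOException {
        ensureGenerated();
        return pemOf(this.certificate);
    }

    /**
     * @return this certificate followed by its issuer chain (excluding the self-signed
     *         root, see {@link #getCertificates()}) as concatenated PEM
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     * @throws IOException if PEM encoding fails
     */
    public String getCertificatesAsPem() throws CertificateException, NoSuchAlgorithmException, IOException {
        ensureGenerated();
        return pemOf((Object[]) getChain());
    }

    /**
     * @return the private key as <em>unencrypted</em> PKCS#8 PEM; handle accordingly
     * @throws IOException if PEM encoding fails
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public String getPrivateKeyAsPem() throws IOException, CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        return pemOf(new JcaPKCS8Generator(this.keyPair.getPrivate(), (OutputEncryptor) null));
    }

    /**
     * Writes this certificate as PEM, creating or truncating the file.
     *
     * @param path destination file
     * @return this credential
     * @throws IOException if the file cannot be written
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public Credential writeCertificateAsPem(Path path) throws IOException, CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        writePemFile(path, false, this.certificate);
        return this;
    }

    /**
     * Writes this certificate and its issuer chain (excluding the self-signed root)
     * as concatenated PEM, creating or truncating the file.
     *
     * @param path destination file
     * @return this credential
     * @throws IOException if the file cannot be written
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public Credential writeCertificatesAsPem(Path path) throws IOException, CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        writePemFile(path, false, (Object[]) getChain());
        return this;
    }

    /**
     * Writes the private key as unencrypted PKCS#8 PEM. On POSIX file systems the
     * file is created with, or tightened to, owner read/write only before any key
     * material is written.
     *
     * @param path destination file
     * @return this credential
     * @throws IOException if the file cannot be written
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public Credential writePrivateKeyAsPem(Path path) throws IOException, CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        writePemFile(path, true, new JcaPKCS8Generator(this.keyPair.getPrivate(), (OutputEncryptor) null));
        return this;
    }

    /**
     * @return the generated certificate
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public Certificate getCertificate() throws CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        return this.certificate;
    }

    /**
     * @return this certificate followed by each issuer up to, but not including, the
     *         self-signed root (a self-signed credential returns only itself)
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public Certificate[] getCertificates() throws CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        return getChain();
    }

    /**
     * @return the generated certificate as {@link X509Certificate}
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public X509Certificate getX509Certificate() throws CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        return (X509Certificate) this.certificate;
    }

    /**
     * @return the generated private key
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public PrivateKey getPrivateKey() throws CertificateException, NoSuchAlgorithmException {
        ensureGenerated();
        return this.keyPair.getPrivate();
    }

    /**
     * Generates the key pair and certificate if either is still missing.
     *
     * @throws CertificateException if generation fails
     * @throws NoSuchAlgorithmException if generation fails
     */
    public void ensureGenerated() throws CertificateException, NoSuchAlgorithmException {
        if (this.certificate == null || this.keyPair == null) {
            generate();
        }
    }

    /** Fills in every unset option with its default; called from {@link #generate()}. */
    private void setDefaults() {
        if (this.keyType == null) {
            this.keyType = KeyType.EC;
        }
        if (this.keySize == 0) {
            if (this.keyType == KeyType.EC) {
                this.keySize = 256;
            } else if (this.keyType == KeyType.RSA) {
                this.keySize = 2048;
            }
        }
        if (this.expires == null && this.notAfter == null) {
            this.expires = Duration.of(365L, ChronoUnit.DAYS);
        }
        if (this.isCa == null) {
            // A credential without an issuer is treated as a root CA.
            this.isCa = Boolean.valueOf(this.issuer == null);
        }
        if (this.keyUsages.isEmpty()) {
            if (Boolean.TRUE.equals(this.isCa)) {
                this.keyUsages = Arrays.asList(KeyUsage.KEY_CERT_SIGN, KeyUsage.CRL_SIGN);
            } else if (this.keyType == KeyType.EC) {
                // NOTE(review): keyEncipherment is meant for key-transport (RSA) keys; for EC
                // keys RFC 5280 4.2.1.3 expects digitalSignature/keyAgreement. Left unchanged
                // so existing fixtures keep their current key usage bits.
                this.keyUsages = Arrays.asList(KeyUsage.KEY_ENCIPHERMENT, KeyUsage.DIGITAL_SIGNATURE, KeyUsage.KEY_AGREEMENT);
            } else {
                this.keyUsages = Arrays.asList(KeyUsage.KEY_ENCIPHERMENT, KeyUsage.DIGITAL_SIGNATURE);
            }
        }
        if (this.serial == null) {
            // RFC 5280 4.1.2.2: serials must be positive and unique per issuer. A millisecond
            // timestamp collides when several certificates are generated in the same
            // millisecond under one issuer; 64 random bits (+1 to exclude zero) do not.
            this.serial = new BigInteger(64, new SecureRandom()).add(BigInteger.ONE);
        }
    }

    /**
     * Generates a key pair of the given type and size with a fresh {@link SecureRandom}.
     *
     * @throws NoSuchAlgorithmException if the algorithm is not available
     */
    private static KeyPair newKeyPair(KeyType keyType, int i) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(keyType.name());
        generator.initialize(i, new SecureRandom());
        return generator.genKeyPair();
    }

    /**
     * Chooses the JCA signature algorithm name for a signing key: ECDSA with a digest
     * sized to the curve (224/256 -> SHA-256, 384 -> SHA-384, 521 -> SHA-512), or
     * SHA-256 with RSA.
     *
     * @param publicKey public half of the signing key
     * @return JCA signature algorithm name
     * @throws IllegalArgumentException for an EC curve of unexpected size
     * @throws UnsupportedOperationException for key algorithms other than EC and RSA
     */
    public static String signatureAlgorithm(PublicKey publicKey) {
        String algorithm = publicKey.getAlgorithm();
        switch (algorithm) {
            case "EC": {
                EllipticCurve curve = ((ECPublicKey) publicKey).getParams().getCurve();
                int fieldBits = curve.getField().getFieldSize();
                if (fieldBits == 224 || fieldBits == 256) {
                    return "SHA256withECDSA";
                }
                if (fieldBits == 384) {
                    return "SHA384withECDSA";
                }
                if (fieldBits == 521) {
                    return "SHA512withECDSA";
                }
                throw new IllegalArgumentException("unknown elliptic curve: " + curve);
            }
            case "RSA":
                return "SHA256WithRSAEncryption";
            default:
                throw new UnsupportedOperationException("unsupported private key algorithm: " + algorithm);
        }
    }

    /**
     * Parses {@code TYPE:value} entries into a SAN {@link GeneralNames}. Recognised
     * types are {@code DNS}, {@code IP} and {@code URI} (case-sensitive). An unknown
     * type is rejected rather than silently dropped, so a caller cannot end up with a
     * certificate missing a name they asked for.
     *
     * @throws IllegalArgumentException on a malformed or unknown entry, or an empty list
     */
    private static GeneralNames asGeneralNames(List<String> list) {
        List<GeneralName> names = new ArrayList<>();
        for (String entry : list) {
            int sep = entry.indexOf(":");
            if (sep == -1) {
                throw new IllegalArgumentException("cannot parse " + entry + ": all subjectAltNames must be of format: DNS:www.example.com, IP:1.2.3.4, URI:https://www.example.com");
            }
            String type = entry.substring(0, sep);
            String value = entry.substring(sep + 1);
            switch (type) {
                case "DNS":
                    names.add(new GeneralName(GeneralName.dNSName, value));
                    break;
                case "IP":
                    names.add(new GeneralName(GeneralName.iPAddress, value));
                    break;
                case "URI":
                    names.add(new GeneralName(GeneralName.uniformResourceIdentifier, value));
                    break;
                default:
                    throw new IllegalArgumentException("cannot parse " + entry + ": all subjectAltNames must be of format: DNS:www.example.com, IP:1.2.3.4, URI:https://www.example.com");
            }
        }
        if (names.isEmpty()) {
            throw new IllegalArgumentException("subjectAltNames must be of format: DNS:www.example.com, IP:1.2.3.4, URI:https://www.example.com");
        }
        return new GeneralNames(names.toArray(new GeneralName[0]));
    }

    /**
     * Builds the chain: this certificate, then each issuer's certificate while that
     * issuer itself has an issuer. The self-signed root is therefore left out.
     */
    private Certificate[] getChain() {
        List<Certificate> chain = new ArrayList<>();
        chain.add(this.certificate);
        for (Credential ca = this.issuer; ca != null && ca.issuer != null; ca = ca.issuer) {
            chain.add(ca.certificate);
        }
        return chain.toArray(new Certificate[0]);
    }

    /** Encodes the given objects as one PEM string, in order. */
    private static String pemOf(Object... objects) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pem = new JcaPEMWriter(out)) {
            for (Object obj : objects) {
                pem.writeObject(obj);
            }
        }
        return out.toString();
    }

    /**
     * Writes the given objects as PEM to {@code path}, creating or truncating it.
     *
     * @param ownerOnly when true, restrict the file to owner read/write on POSIX
     *        file systems before writing (used for private keys)
     */
    private static void writePemFile(Path path, boolean ownerOnly, Object... objects) throws IOException {
        try (BufferedWriter file = ownerOnly
                     ? newOwnerOnlyWriter(path)
                     : Files.newBufferedWriter(path, StandardCharsets.UTF_8);
             JcaPEMWriter pem = new JcaPEMWriter(file)) {
            for (Object obj : objects) {
                pem.writeObject(obj);
            }
        }
    }

    /**
     * Opens {@code path} for writing such that, on POSIX file systems, it is never
     * readable by other users: a new file is created atomically with mode 0600, an
     * existing file is chmod'ed to 0600 before it is truncated. The mode is still
     * subject to the process umask. On non-POSIX file systems this is a plain
     * {@link Files#newBufferedWriter}.
     */
    private static BufferedWriter newOwnerOnlyWriter(Path path) throws IOException {
        if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerReadWrite = PosixFilePermissions.fromString("rw-------");
            try {
                Files.createFile(path, PosixFilePermissions.asFileAttribute(ownerReadWrite));
            } catch (FileAlreadyExistsException existing) {
                Files.setPosixFilePermissions(path, ownerReadWrite);
            }
        }
        return Files.newBufferedWriter(path, StandardCharsets.UTF_8);
    }
}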
