package org.keycloak.crypto.def;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.keycloak.common.crypto.CertificateUtilsProvider;
import org.keycloak.common.util.BouncyIntegration;
import org.keycloak.crypto.JavaAlgorithm;

/* loaded from: input_file:org/keycloak/crypto/def/BCCertificateUtilsProvider.class */
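/**
 * BouncyCastle-backed implementation of {@link CertificateUtilsProvider}: issues V1 self-signed and
 * V3 CA-signed X.509 certificates, and reads the certificatePolicies and cRLDistributionPoints
 * extensions of existing certificates.
 *
 * <p>All certificates signed by this class use {@value #SIGNATURE_ALGORITHM} (the V3 path previously
 * used SHA-1, which is no longer acceptable for certificate signatures) and random serial numbers of
 * {@value #SERIAL_NUMBER_BITS} bits, well above the 64 bits of entropy commonly required for serials.
 *
 * <p>Stateless apart from a shared {@link SecureRandom}, which is thread-safe; instances may be shared.
 */
public class BCCertificateUtilsProvider implements CertificateUtilsProvider {

    /** Validity of V3 certificates: 1000 ms * 60 * 60 * 24 * 30 * 12 * 3, i.e. 1080 days (three 360-day "years"). */
    private static final long V3_VALIDITY_MILLIS = 93312000000L;

    /** Clock-skew allowance subtracted from "now" for the notBefore of V1 self-signed certificates. */
    private static final long V1_NOT_BEFORE_SKEW_MILLIS = 100000L;

    /** Validity of V1 self-signed certificates, in calendar years. */
    private static final int V1_VALIDITY_YEARS = 10;

    /** Bit length of randomly generated serial numbers (matches the size used for test certificates). */
    private static final int SERIAL_NUMBER_BITS = 130;

    /** Signature algorithm used for every certificate this provider signs (except the test certificate, see {@link JavaAlgorithm#RS256}). */
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    /** Shared CSPRNG for serial numbers; SecureRandom is thread-safe. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Issues a V3 certificate for the public key of {@code keyPair}, with subject {@code CN=<str>},
     * issued under the subject of {@code x509Certificate} and signed with {@code privateKey}
     * (expected to be the private half of {@code x509Certificate}'s key — not verified here).
     *
     * <p>The certificate carries subjectKeyIdentifier, authorityKeyIdentifier (derived from the
     * issuer's public key so path building can match it against the issuer's SKI), keyUsage
     * digitalSignature|keyCertSign|cRLSign, extendedKeyUsage emailProtection+serverAuth and a critical
     * basicConstraints CA:TRUE with pathLenConstraint 0. It is valid from "now" for
     * {@link #V3_VALIDITY_MILLIS}.
     *
     * @param keyPair         key pair whose public key is certified
     * @param privateKey      issuer's signing key
     * @param x509Certificate issuer's certificate; its DER-encoded subject becomes the issuer name
     * @param str             value of the subject CN attribute
     * @return the signed certificate
     * @throws RuntimeException wrapping any failure (the interface's {@code throws Exception} is kept for compatibility)
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey privateKey, X509Certificate x509Certificate, String str) throws Exception {
        try {
            X500Name subjectDn = new X500Name("CN=" + str);
            // Take the issuer name from the DER encoding of the CA subject so the issuer field
            // byte-matches the CA certificate's subject; re-parsing the string form of getSubjectDN()
            // does not reliably round-trip attribute types and string encodings.
            X500Name issuerDn = X500Name.getInstance(x509Certificate.getSubjectX500Principal().getEncoded());
            // Random, always non-negative serial; Math.abs(nextInt()) gave only 31 bits and is negative
            // for Integer.MIN_VALUE, which RFC 5280 forbids.
            BigInteger serialNumber = new BigInteger(SERIAL_NUMBER_BITS, RANDOM);
            long now = System.currentTimeMillis();
            Date notBefore = new Date(now);
            Date notAfter = new Date(now + V3_VALIDITY_MILLIS);
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());

            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDn, serialNumber, notBefore, notAfter, subjectDn, subjectPublicKeyInfo);
            JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            builder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo));
            // The AKI must identify the issuer's key, not the subject's own key.
            builder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(x509Certificate.getPublicKey()));
            builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
            builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_emailProtection, KeyPurposeId.id_kp_serverAuth}));
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));

            // Same signer (SHA-256) as the V1 path, instead of a separate SHA-1 signer.
            return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(builder.build(createSigner(privateKey)));
        } catch (Exception e) {
            throw new RuntimeException("Error creating X509v3Certificate.", e);
        }
    }

    /**
     * Issues a V1 self-signed certificate with a serial number derived from the current time.
     *
     * @param keyPair key pair that is both subject and signer
     * @param str     value of the CN attribute
     * @return the signed certificate
     * @see #generateV1SelfSignedCertificate(KeyPair, String, BigInteger)
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public X509Certificate generateV1SelfSignedCertificate(KeyPair keyPair, String str) {
        return generateV1SelfSignedCertificate(keyPair, str, BigInteger.valueOf(System.currentTimeMillis()));
    }

    /**
     * Issues a V1 self-signed certificate ({@code CN=<str>} as both subject and issuer), valid from
     * slightly before "now" ({@link #V1_NOT_BEFORE_SKEW_MILLIS}) for {@link #V1_VALIDITY_YEARS} years.
     *
     * @param keyPair    key pair that is both subject and signer
     * @param str        value of the CN attribute
     * @param bigInteger serial number supplied by the caller
     * @return the signed certificate
     * @throws RuntimeException wrapping any failure
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public X509Certificate generateV1SelfSignedCertificate(KeyPair keyPair, String str, BigInteger bigInteger) {
        try {
            X500Name dn = new X500Name("CN=" + str);
            Date notBefore = new Date(System.currentTimeMillis() - V1_NOT_BEFORE_SKEW_MILLIS);
            Calendar expiry = Calendar.getInstance();
            expiry.add(Calendar.YEAR, V1_VALIDITY_YEARS);
            Date notAfter = expiry.getTime();
            X509v1CertificateBuilder builder = new X509v1CertificateBuilder(dn, bigInteger, notBefore, notAfter, dn,
                    SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
            return new JcaX509CertificateConverter().getCertificate(builder.build(createSigner(keyPair.getPrivate())));
        } catch (Exception e) {
            throw new RuntimeException("Error creating X509v1Certificate.", e);
        }
    }

    /**
     * Builds a {@value #SIGNATURE_ALGORITHM} signer on the BouncyCastle provider for {@code privateKey}.
     *
     * @param privateKey RSA signing key
     * @return the content signer
     * @throws RuntimeException wrapping any failure
     */
    private ContentSigner createSigner(PrivateKey privateKey) {
        try {
            return new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(BouncyIntegration.PROVIDER).build(privateKey);
        } catch (Exception e) {
            throw new RuntimeException("Could not create content signer.", e);
        }
    }

    /**
     * Returns the policy OIDs of the certificate's certificatePolicies extension, in extension order,
     * as dotted-decimal strings (lower-cased with {@link Locale#ROOT}; OID strings contain no letters,
     * so this only normalizes any non-digit representation).
     *
     * @param x509Certificate certificate to inspect
     * @return mutable list of policy OIDs, never empty
     * @throws GeneralSecurityException if the certificate has no extensions or no certificatePolicies
     *                                  extension (callers treat the policy check as required), or if
     *                                  the certificate cannot be re-encoded
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public List<String> getCertificatePolicyList(X509Certificate x509Certificate) throws GeneralSecurityException {
        Extensions extensions = new JcaX509CertificateHolder(x509Certificate).getExtensions();
        if (extensions == null) {
            throw new GeneralSecurityException("Certificate Policy validation was expected, but no certificate extensions were found");
        }
        CertificatePolicies policies = CertificatePolicies.fromExtensions(extensions);
        if (policies == null) {
            throw new GeneralSecurityException("Certificate Policy validation was expected, but no certificate policy extensions were found");
        }
        List<String> policyOids = new ArrayList<>();
        for (PolicyInformation info : policies.getPolicyInformation()) {
            policyOids.add(info.getPolicyIdentifier().toString().toLowerCase(Locale.ROOT));
        }
        return policyOids;
    }

    /**
     * Extracts the URI entries of the certificate's cRLDistributionPoints extension.
     *
     * <p>Only distribution points of type fullName are considered; nameRelativeToCRLIssuer entries and
     * non-URI GeneralNames are skipped. The URIs are returned as-is from the certificate — nothing is
     * fetched or validated here, so callers must treat them as untrusted input before dereferencing.
     *
     * @param x509Certificate certificate to inspect
     * @return mutable list of URI strings; empty if the extension is absent
     * @throws IOException if the extension value cannot be parsed
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public List<String> getCRLDistributionPoints(X509Certificate x509Certificate) throws IOException {
        byte[] extensionValue = x509Certificate.getExtensionValue(CertificateUtilsProvider.CRL_DISTRIBUTION_POINTS_OID);
        if (extensionValue == null) {
            return Collections.emptyList();
        }
        // getExtensionValue() returns the DER encoding of the extnValue OCTET STRING;
        // parseExtensionValue unwraps it and parses the contained CRLDistributionPoints.
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
        List<String> uris = new ArrayList<>();
        for (DistributionPoint distributionPoint : crlDistPoint.getDistributionPoints()) {
            DistributionPointName dpName = distributionPoint.getDistributionPoint();
            if (dpName == null || dpName.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            for (GeneralName generalName : GeneralNames.getInstance(dpName.getName()).getNames()) {
                if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    uris.add(DERIA5String.getInstance(generalName.getName()).getString());
                }
            }
        }
        return uris;
    }

    /**
     * Issues a self-signed V3 certificate for tests, with the given validity window and an optional
     * non-critical certificatePolicies extension listing {@code strArr} as policy OIDs.
     *
     * @param str     X.500 distinguished name used as both subject and issuer
     * @param date    notBefore
     * @param date2   notAfter
     * @param keyPair key pair that is both subject and signer
     * @param strArr  policy OIDs; {@code null} or empty adds no extension
     * @return the signed certificate
     * @throws IllegalStateException     if extension encoding, signing or conversion fails
     * @throws IllegalArgumentException  if an entry of {@code strArr} is not a valid OID
     */
    @Override // org.keycloak.common.crypto.CertificateUtilsProvider
    public X509Certificate createServicesTestCertificate(String str, Date date, Date date2, KeyPair keyPair, String... strArr) {
        X500Name dn = new X500Name(str);
        SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(dn, new BigInteger(SERIAL_NUMBER_BITS, RANDOM), date, date2, dn, subjectPublicKeyInfo);
        try {
            // certPolicyExtensions() yields nothing for a null or empty list, so no null check is needed here.
            for (Extension extension : certPolicyExtensions(strArr)) {
                builder.addExtension(extension);
            }
        } catch (CertIOException e) {
            throw new IllegalStateException(e);
        }
        try {
            return new JcaX509CertificateConverter().setProvider(BouncyIntegration.PROVIDER).getCertificate(
                    builder.build(new JcaContentSignerBuilder(JavaAlgorithm.RS256).setProvider(BouncyIntegration.PROVIDER).build(keyPair.getPrivate())));
        } catch (CertificateException | OperatorCreationException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Builds the (single, non-critical) certificatePolicies extension for the given policy OIDs.
     *
     * @param strArr policy OIDs in dotted-decimal form
     * @return a one-element list holding the extension, or an empty list if {@code strArr} is
     *         {@code null} or empty
     * @throws IllegalStateException    if the policies cannot be DER-encoded
     * @throws IllegalArgumentException if an entry is not a valid OID
     */
    private List<Extension> certPolicyExtensions(String... strArr) {
        if (strArr == null || strArr.length == 0) {
            return Collections.emptyList();
        }
        PolicyInformation[] policies = new PolicyInformation[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            policies[i] = new PolicyInformation(new ASN1ObjectIdentifier(strArr[i]));
        }
        try {
            Extension extension = new Extension(Extension.certificatePolicies, false, new CertificatePolicies(policies).getEncoded());
            return Collections.singletonList(extension);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }
}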
