package org.wildfly.security.x500.cert;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.ZonedDateTime;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.realm.ldap.AttributeMapping;
import org.wildfly.security.x500.cert._private.ElytronMessages;
import org.wildfly.security.x500.cert.util.KeyUtil;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-1.10.7.Final.jar:org/wildfly/security/x500/cert/SelfSignedX509CertificateAndSigningKey.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-x500-cert-1.10.7.Final.jar:org/wildfly/security/x500/cert/SelfSignedX509CertificateAndSigningKey.class */
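/**
 * A self-signed X.509 certificate paired with the private key that signed it.
 *
 * <p>Instances are created through {@link #builder()}; the builder generates a fresh key pair,
 * then issues a version-3 certificate whose issuer and subject are the same DN and whose
 * public key belongs to that key pair. The private half is kept alongside the certificate so
 * the holder can later sign a PKCS#10 request for it.
 */
public final class SelfSignedX509CertificateAndSigningKey {
    private final X509Certificate selfSignedcertificate;
    private final PrivateKey signingKey;

    /**
     * Builder for {@link SelfSignedX509CertificateAndSigningKey}.
     *
     * <p>Defaults applied by {@link #build()} when a value was not set: key algorithm
     * {@value #DEFAULT_KEY_ALGORITHM_NAME}, key size {@value #DEFAULT_KEY_SIZE} bits
     * ({@value #DEFAULT_EC_KEY_SIZE} for {@code "EC"}), and a signature algorithm chosen by
     * {@code KeyUtil.getDefaultCompatibleSignatureAlgorithmName} from the generated key's
     * algorithm and size. Callers that need RSA or EC keys must set the algorithm explicitly.
     *
     * <p>{@link #build()} registers the subject key identifier extension on this builder via
     * {@link #addExtension(X509CertificateExtension)}, so a second {@code build()} on the same
     * instance fails because that OID already exists. Not thread-safe.
     */
    public static class Builder {
        public static final String DEFAULT_KEY_ALGORITHM_NAME = "DSA";
        public static final int DEFAULT_EC_KEY_SIZE = 256;
        public static final int DEFAULT_KEY_SIZE = 2048;
        private static final int VERSION = 3;
        /** Key algorithm name for which {@link #DEFAULT_EC_KEY_SIZE} applies instead of {@link #DEFAULT_KEY_SIZE}. */
        private static final String EC_KEY_ALGORITHM_NAME = "EC";
        /** Sentinel meaning "key size not set; pick the default for the algorithm". */
        private static final int KEY_SIZE_UNSET = -1;
        private String keyAlgorithmName;
        private String signatureAlgorithmName;
        private X500Principal dn;
        private ZonedDateTime notValidBefore;
        private ZonedDateTime notValidAfter;
        private X509CertificateExtension extensionsPlaceholderNeverUsed; // (intentionally absent) -- see extensionsByOid
        private X509Certificate selfSignedCertificate;
        private PrivateKey signingKey;
        // Insertion-ordered so extensions land in the certificate in the order they were added.
        private final Map<String, X509CertificateExtension> extensionsByOid = new LinkedHashMap<>();
        private int keySize = KEY_SIZE_UNSET;

        Builder() {
        }

        /**
         * Sets the key-pair algorithm to generate (for example {@code "RSA"}, {@code "EC"} or {@code "DSA"}).
         *
         * @param str the algorithm name (must not be {@code null})
         * @return this builder
         */
        public Builder setKeyAlgorithmName(String str) {
            Assert.checkNotNullParam("keyAlgorithmName", str);
            this.keyAlgorithmName = str;
            return this;
        }

        /**
         * Sets the key size in bits passed to {@code KeyPairGenerator.initialize}.
         *
         * @param i the key size; {@code -1} restores the per-algorithm default
         * @return this builder
         */
        public Builder setKeySize(int i) {
            this.keySize = i;
            return this;
        }

        /**
         * Sets the signature algorithm used to sign the certificate.
         *
         * @param str the signature algorithm name (must not be {@code null})
         * @return this builder
         */
        public Builder setSignatureAlgorithmName(String str) {
            Assert.checkNotNullParam("signatureAlgorithmName", str);
            this.signatureAlgorithmName = str;
            return this;
        }

        /**
         * Sets the distinguished name used as both issuer and subject of the certificate.
         *
         * @param x500Principal the DN (must not be {@code null})
         * @return this builder
         */
        public Builder setDn(X500Principal x500Principal) {
            Assert.checkNotNullParam("dn", x500Principal);
            this.dn = x500Principal;
            return this;
        }

        /**
         * Adds an extension, failing if one with the same OID was already added.
         *
         * @param x509CertificateExtension the extension (must not be {@code null}, and must report a non-null OID)
         * @return this builder
         * @throws IllegalArgumentException if an extension with the same OID is already present
         */
        public Builder addExtension(X509CertificateExtension x509CertificateExtension) throws IllegalArgumentException {
            Assert.checkNotNullParam("extension", x509CertificateExtension);
            String oid = x509CertificateExtension.getId();
            Assert.checkNotNullParam("extension.getOid()", oid);
            if (this.extensionsByOid.putIfAbsent(oid, x509CertificateExtension) != null) {
                throw ElytronMessages.log.extensionAlreadyExists(oid);
            }
            return this;
        }

        /**
         * Adds an extension built from a name and a string value (parsing is delegated to
         * {@code CertUtil.getX509CertificateExtension}).
         *
         * @param z whether the extension is critical
         * @param str the extension name (must not be {@code null})
         * @param str2 the extension value (must not be {@code null})
         * @return this builder
         * @throws IllegalArgumentException if an extension with the same OID is already present
         */
        public Builder addExtension(boolean z, String str, String str2) throws IllegalArgumentException {
            Assert.checkNotNullParam("name", str);
            Assert.checkNotNullParam("value", str2);
            return addExtension(CertUtil.getX509CertificateExtension(z, str, str2));
        }

        /**
         * Adds an extension, replacing any previously added extension with the same OID.
         *
         * @param x509CertificateExtension the extension (must not be {@code null}, and must report a non-null OID)
         * @return the extension that was replaced, or {@code null} if none
         */
        public X509CertificateExtension addOrReplaceExtension(X509CertificateExtension x509CertificateExtension) {
            Assert.checkNotNullParam("extension", x509CertificateExtension);
            String oid = x509CertificateExtension.getId();
            Assert.checkNotNullParam("extension.getOid()", oid);
            return this.extensionsByOid.put(oid, x509CertificateExtension);
        }

        /**
         * Adds or replaces an extension built from a name and a string value.
         *
         * @param z whether the extension is critical
         * @param str the extension name (must not be {@code null})
         * @param str2 the extension value (must not be {@code null})
         * @return the extension that was replaced, or {@code null} if none
         */
        public X509CertificateExtension addOrReplaceExtension(boolean z, String str, String str2) {
            Assert.checkNotNullParam("name", str);
            // Same precondition as addExtension(boolean, String, String) so a null value is reported
            // as a parameter error here rather than failing inside CertUtil.
            Assert.checkNotNullParam("value", str2);
            return addOrReplaceExtension(CertUtil.getX509CertificateExtension(z, str, str2));
        }

        /**
         * Removes the extension registered under the given OID.
         *
         * @param str the OID (must not be {@code null})
         * @return the removed extension, or {@code null} if none was registered
         */
        public X509CertificateExtension removeExtension(String str) {
            Assert.checkNotNullParam("oid", str);
            return this.extensionsByOid.remove(str);
        }

        /**
         * Sets the start of the validity period. When unset, {@code X509CertificateBuilder}'s own default applies.
         *
         * @param zonedDateTime the not-before instant (must not be {@code null})
         * @return this builder
         */
        public Builder setNotValidBefore(ZonedDateTime zonedDateTime) {
            Assert.checkNotNullParam("notValidBefore", zonedDateTime);
            this.notValidBefore = zonedDateTime;
            return this;
        }

        /**
         * Sets the end of the validity period. When unset, {@code X509CertificateBuilder}'s own default applies.
         *
         * @param zonedDateTime the not-after instant (must not be {@code null})
         * @return this builder
         */
        public Builder setNotValidAfter(ZonedDateTime zonedDateTime) {
            Assert.checkNotNullParam("notValidAfter", zonedDateTime);
            this.notValidAfter = zonedDateTime;
            return this;
        }

        /**
         * Generates a key pair and issues the self-signed certificate.
         *
         * <p>The certificate is version 3, issuer equals subject, carries a 64-bit random serial
         * number, a subject key identifier derived from the generated public key, and every
         * extension added to this builder in insertion order.
         *
         * @return the certificate and its signing key
         * @throws IllegalArgumentException if no DN was set, if no compatible signature algorithm
         *         can be determined for the generated key, or if key or certificate generation fails
         *         (the underlying exception is wrapped and kept as the cause)
         */
        public SelfSignedX509CertificateAndSigningKey build() throws IllegalArgumentException {
            if (this.dn == null) {
                throw ElytronMessages.log.noDnGiven();
            }
            if (this.keyAlgorithmName == null) {
                this.keyAlgorithmName = DEFAULT_KEY_ALGORITHM_NAME;
            }
            if (this.keySize == KEY_SIZE_UNSET) {
                this.keySize = EC_KEY_ALGORITHM_NAME.equals(this.keyAlgorithmName) ? DEFAULT_EC_KEY_SIZE : DEFAULT_KEY_SIZE;
            }
            try {
                // One CSPRNG instance serves both key generation and the serial number.
                SecureRandom random = new SecureRandom();
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(this.keyAlgorithmName);
                keyPairGenerator.initialize(this.keySize, random);
                KeyPair keyPair = keyPairGenerator.generateKeyPair();
                this.signingKey = keyPair.getPrivate();
                if (this.signatureAlgorithmName == null) {
                    // Derive from the key actually produced (its algorithm may be normalised by the provider).
                    this.signatureAlgorithmName = KeyUtil.getDefaultCompatibleSignatureAlgorithmName(this.signingKey.getAlgorithm(), this.keySize);
                    if (this.signatureAlgorithmName == null) {
                        throw ElytronMessages.log.unableToDetermineDefaultCompatibleSignatureAlgorithmName(this.signingKey.getAlgorithm());
                    }
                }
                // Registered on the builder itself; this is why build() cannot be called twice.
                addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(keyPair.getPublic())));
                X509CertificateBuilder certificateBuilder = new X509CertificateBuilder();
                certificateBuilder.setIssuerDn(this.dn);
                certificateBuilder.setSubjectDn(this.dn);
                certificateBuilder.setPublicKey(keyPair.getPublic());
                certificateBuilder.setSigningKey(this.signingKey);
                certificateBuilder.setSignatureAlgorithmName(this.signatureAlgorithmName);
                certificateBuilder.setVersion(VERSION);
                // 64 random bits, always non-negative; uniqueness is probabilistic, not tracked.
                certificateBuilder.setSerialNumber(new BigInteger(64, random));
                for (X509CertificateExtension extension : this.extensionsByOid.values()) {
                    certificateBuilder.addExtension(extension);
                }
                if (this.notValidBefore != null) {
                    certificateBuilder.setNotValidBefore(this.notValidBefore);
                }
                if (this.notValidAfter != null) {
                    certificateBuilder.setNotValidAfter(this.notValidAfter);
                }
                this.selfSignedCertificate = certificateBuilder.build();
                return new SelfSignedX509CertificateAndSigningKey(this);
            } catch (Exception e) {
                throw ElytronMessages.log.selfSignedCertificateGenerationFailed(e);
            }
        }
    }

    private SelfSignedX509CertificateAndSigningKey(Builder builder) {
        this.selfSignedcertificate = builder.selfSignedCertificate;
        this.signingKey = builder.signingKey;
    }

    /**
     * Returns the self-signed certificate.
     *
     * @return the certificate
     */
    public X509Certificate getSelfSignedCertificate() {
        return this.selfSignedcertificate;
    }

    /**
     * Returns the private key that signed the certificate. The same instance generated by the
     * builder is returned, not a copy.
     *
     * @return the signing key
     */
    public PrivateKey getSigningKey() {
        return this.signingKey;
    }

    /**
     * Creates a PKCS#10 certificate signing request for this certificate, signed with its key.
     *
     * @return the signing request
     */
    public PKCS10CertificateSigningRequest generatePKCS10CertificateSigningRequest() {
        return PKCS10CertificateSigningRequest.builder()
                .setCertificate(this.selfSignedcertificate)
                .setSigningKey(this.signingKey)
                .build();
    }

    /**
     * Creates a new builder.
     *
     * @return a fresh builder with no values set
     */
    public static Builder builder() {
        return new Builder();
    }
}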
