package org.wildfly.security.x500.cert;

import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import io.smallrye.openapi.runtime.io.info.InfoConstant;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.chrono.ChronoZonedDateTime;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.apache.sshd.common.config.keys.BuiltinIdentities;
import org.wildfly.common.Assert;
import org.wildfly.security.asn1.ASN1;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.x500.cert._private.ElytronMessages;

/* loaded from: input_file:org/wildfly/security/x500/cert/X509CertificateBuilder.class */
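/**
 * Builder for X.509 certificates.
 * <p>
 * The builder collects the {@code TBSCertificate} fields, DER-encodes them with {@link DEREncoder},
 * signs that encoding with the configured signing key and finally re-parses the result through the
 * platform {@code X.509} {@link CertificateFactory}, so the returned object is a regular
 * {@link X509Certificate}.
 * <p>
 * The defaults are chosen for convenience, not for real issuance: the serial number is {@code 1},
 * the version is 3, the validity period starts at construction time and ends on
 * 31 December 9999 UTC. Anything beyond a throw-away or self-signed test certificate should set an
 * explicit, unpredictable serial number and a bounded {@link #setNotValidAfter(ZonedDateTime)
 * expiry}.
 * <p>
 * Instances are mutable and not thread-safe.
 */
public final class X509CertificateBuilder {
    /** Upper bound used as the default {@code notValidAfter}: the last second of year 9999, UTC. */
    private static final ZonedDateTime LATEST_VALID = ZonedDateTime.of(9999, 12, 31, 23, 59, 59, 0, ZoneOffset.UTC);

    /** Separator between digest and key algorithm in JCA signature names, e.g. {@code SHA256withRSA}. */
    private static final String WITH = "with";

    /** Key algorithm name that JCA signature names use for EC keys (the key itself reports {@code EC}). */
    private static final String ECDSA = "ECDSA";

    /** Parameter name reported by the version range checks. */
    private static final String VERSION_PARAM = "version";

    private X500Principal subjectDn;
    private byte[] subjectUniqueId;
    private X500Principal issuerDn;
    private byte[] issuerUniqueId;
    private PublicKey publicKey;
    private PrivateKey signingKey;
    private String signatureAlgorithmName;
    private int version = 3;
    private BigInteger serialNumber = BigInteger.ONE;
    // Zone is the JVM default; getTBSBytes() normalises both instants to UTC before encoding.
    private ZonedDateTime notValidBefore = ZonedDateTime.now();
    private ZonedDateTime notValidAfter = LATEST_VALID;
    // Insertion order is the order in which extensions are encoded into the certificate.
    private final Map<String, X509CertificateExtension> extensionsByOid = new LinkedHashMap<>();

    /**
     * Adds an extension, failing if one with the same OID is already present.
     *
     * @param x509CertificateExtension the extension to add (must not be {@code null})
     * @return this builder
     * @throws IllegalArgumentException if an extension with the same OID was already added
     */
    public X509CertificateBuilder addExtension(X509CertificateExtension x509CertificateExtension) {
        final String oid = requireOid(x509CertificateExtension);
        if (this.extensionsByOid.putIfAbsent(oid, x509CertificateExtension) != null) {
            throw ElytronMessages.log.extensionAlreadyExists(oid);
        }
        return this;
    }

    /**
     * Adds an extension, replacing any existing extension with the same OID.
     *
     * @param x509CertificateExtension the extension to add (must not be {@code null})
     * @return the extension previously registered under that OID, or {@code null} if there was none
     */
    public X509CertificateExtension addOrReplaceExtension(X509CertificateExtension x509CertificateExtension) {
        final String oid = requireOid(x509CertificateExtension);
        return this.extensionsByOid.put(oid, x509CertificateExtension);
    }

    /**
     * Removes the extension registered under the given OID.
     *
     * @param str the extension OID (must not be {@code null})
     * @return the removed extension, or {@code null} if none was registered
     */
    public X509CertificateExtension removeExtension(String str) {
        Assert.checkNotNullParam("oid", str);
        return this.extensionsByOid.remove(str);
    }

    /** Validates an extension argument and returns its OID. */
    private static String requireOid(X509CertificateExtension extension) {
        Assert.checkNotNullParam("extension", extension);
        final String oid = extension.getId();
        Assert.checkNotNullParam("extension.getOid()", oid);
        return oid;
    }

    /** @return the certificate version (1, 2 or 3); defaults to 3 */
    public int getVersion() {
        return this.version;
    }

    /**
     * Sets the certificate version.
     *
     * @param i the version, between 1 and 3 inclusive
     * @return this builder
     * @throws IllegalArgumentException if the version is outside {@code [1, 3]}
     */
    public X509CertificateBuilder setVersion(int i) {
        Assert.checkMinimumParameter(VERSION_PARAM, 1, i);
        Assert.checkMaximumParameter(VERSION_PARAM, 3, i);
        this.version = i;
        return this;
    }

    /** @return the serial number; defaults to {@link BigInteger#ONE} */
    public BigInteger getSerialNumber() {
        return this.serialNumber;
    }

    /**
     * Sets the serial number.
     * <p>
     * The value must be positive and at most 160 bits long. For certificates that leave a test
     * environment the serial should be generated from a cryptographically secure random source rather
     * than a counter, so that it is unpredictable.
     *
     * @param bigInteger the serial number (must not be {@code null})
     * @return this builder
     * @throws IllegalArgumentException if the value is less than one or longer than 160 bits
     */
    public X509CertificateBuilder setSerialNumber(BigInteger bigInteger) {
        Assert.checkNotNullParam("serialNumber", bigInteger);
        if (bigInteger.signum() <= 0) {
            throw ElytronMessages.log.serialNumberTooSmall();
        }
        // NOTE(review): a value with bitLength() == 160 still DER-encodes as 21 octets because of the
        // leading sign byte, one more than the 20-octet limit of RFC 5280 §4.1.2.2. The bound is kept
        // at 160 to preserve the set of inputs this builder has always accepted.
        if (bigInteger.bitLength() > 160) {
            throw ElytronMessages.log.serialNumberTooLarge();
        }
        this.serialNumber = bigInteger;
        return this;
    }

    /** @return the subject DN, or {@code null} if none was set */
    public X500Principal getSubjectDn() {
        return this.subjectDn;
    }

    /**
     * Sets the subject DN. A certificate without a subject DN is permitted by the builder; the
     * subject field is then left empty.
     *
     * @param x500Principal the subject DN (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setSubjectDn(X500Principal x500Principal) {
        Assert.checkNotNullParam("subjectDn", x500Principal);
        this.subjectDn = x500Principal;
        return this;
    }

    /** @return a copy of the subject unique ID, or {@code null} if none was set */
    public byte[] getSubjectUniqueId() {
        return copyOf(this.subjectUniqueId);
    }

    /**
     * Sets the subject unique ID. Only permitted for version 2 and 3 certificates; the check is
     * performed when the certificate is built. The array is copied.
     *
     * @param bArr the raw unique ID bits (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setSubjectUniqueId(byte[] bArr) {
        Assert.checkNotNullParam("subjectUniqueId", bArr);
        this.subjectUniqueId = bArr.clone();
        return this;
    }

    /** @return the issuer DN, or {@code null} if none was set */
    public X500Principal getIssuerDn() {
        return this.issuerDn;
    }

    /**
     * Sets the issuer DN. Required before {@link #build()}.
     *
     * @param x500Principal the issuer DN (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setIssuerDn(X500Principal x500Principal) {
        Assert.checkNotNullParam("issuerDn", x500Principal);
        this.issuerDn = x500Principal;
        return this;
    }

    /** @return a copy of the issuer unique ID, or {@code null} if none was set */
    public byte[] getIssuerUniqueId() {
        return copyOf(this.issuerUniqueId);
    }

    /**
     * Sets the issuer unique ID. Only permitted for version 2 and 3 certificates; the check is
     * performed when the certificate is built. The array is copied.
     *
     * @param bArr the raw unique ID bits (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setIssuerUniqueId(byte[] bArr) {
        Assert.checkNotNullParam("issuerUniqueId", bArr);
        this.issuerUniqueId = bArr.clone();
        return this;
    }

    /** @return the start of the validity period; defaults to the time the builder was created */
    public ZonedDateTime getNotValidBefore() {
        return this.notValidBefore;
    }

    /**
     * Sets the start of the validity period.
     *
     * @param zonedDateTime the instant (must not be {@code null}); any zone is accepted, it is converted to UTC on encoding
     * @return this builder
     */
    public X509CertificateBuilder setNotValidBefore(ZonedDateTime zonedDateTime) {
        Assert.checkNotNullParam("notValidBefore", zonedDateTime);
        this.notValidBefore = zonedDateTime;
        return this;
    }

    /** @return the end of the validity period; defaults to 31 December 9999 UTC */
    public ZonedDateTime getNotValidAfter() {
        return this.notValidAfter;
    }

    /**
     * Sets the end of the validity period. Callers issuing real certificates should always set this;
     * the default effectively produces a never-expiring certificate.
     *
     * @param zonedDateTime the instant (must not be {@code null}); any zone is accepted, it is converted to UTC on encoding
     * @return this builder
     */
    public X509CertificateBuilder setNotValidAfter(ZonedDateTime zonedDateTime) {
        Assert.checkNotNullParam("notValidAfter", zonedDateTime);
        this.notValidAfter = zonedDateTime;
        return this;
    }

    /** @return the subject public key to certify, or {@code null} if none was set */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Sets the public key that the certificate certifies. Required before {@link #build()}.
     *
     * @param publicKey the subject public key (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setPublicKey(PublicKey publicKey) {
        Assert.checkNotNullParam("publicKey", publicKey);
        this.publicKey = publicKey;
        return this;
    }

    /** @return the signing (issuer) private key, or {@code null} if none was set */
    public PrivateKey getSigningKey() {
        return this.signingKey;
    }

    /**
     * Sets the private key used to sign the certificate. This is the issuer's key; for a self-signed
     * certificate it is the private half of {@link #setPublicKey(PublicKey) the public key}.
     *
     * @param privateKey the signing key (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setSigningKey(PrivateKey privateKey) {
        Assert.checkNotNullParam("signingKey", privateKey);
        this.signingKey = privateKey;
        return this;
    }

    /** @return the JCA signature algorithm name, or {@code null} if none was set */
    public String getSignatureAlgorithmName() {
        return this.signatureAlgorithmName;
    }

    /**
     * Sets the JCA signature algorithm name (for example {@code SHA256withRSA}). Required before
     * {@link #build()}; its key-algorithm suffix must match the signing key.
     *
     * @param str the algorithm name (must not be {@code null})
     * @return this builder
     */
    public X509CertificateBuilder setSignatureAlgorithmName(String str) {
        Assert.checkNotNullParam("signatureAlgorithmName", str);
        this.signatureAlgorithmName = str;
        return this;
    }

    /**
     * Builds and signs the certificate.
     * <p>
     * All consistency checks (required fields, key/algorithm compatibility, validity ordering,
     * version-dependent fields) are performed by {@link #getTBSBytes()} before anything is signed.
     * The DER {@code Certificate} structure is then assembled and parsed back through the platform
     * {@code X.509} certificate factory.
     *
     * @return the signed certificate
     * @throws CertificateException if the assembled DER cannot be parsed as an X.509 certificate
     * @throws IllegalArgumentException if the builder state is incomplete or inconsistent, or if signing fails
     */
    public X509Certificate build() throws CertificateException {
        final byte[] tbs = getTBSBytes();
        final String sigAlg = this.signatureAlgorithmName;
        // getTBSBytes() already resolved this OID; the check is repeated defensively.
        final String sigAlgOid = ASN1.oidFromSignatureAlgorithm(sigAlg);
        if (sigAlgOid == null) {
            throw ElytronMessages.log.asnUnrecognisedAlgorithm(sigAlg);
        }
        final DEREncoder encoder = new DEREncoder();
        encoder.startSequence();                // Certificate ::= SEQUENCE {
        encoder.writeEncoded(tbs);              //   tbsCertificate
        encoder.startSequence();                //   signatureAlgorithm
        encoder.encodeObjectIdentifier(sigAlgOid);
        encoder.endSequence();
        try {
            final Signature signer = Signature.getInstance(sigAlg);
            signer.initSign(this.signingKey);
            signer.update(tbs);
            encoder.encodeBitString(signer.sign());   //   signatureValue
            encoder.endSequence();                    // }
            final CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoder.getEncoded()));
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw ElytronMessages.log.certSigningFailed(e);
        }
    }

    /**
     * Validates the builder state and DER-encodes the {@code TBSCertificate} structure.
     * <p>
     * Checks are made in a fixed order so that the first missing or inconsistent field is reported:
     * signature algorithm name and its OID, signing key and its compatibility with the algorithm,
     * validity ordering, issuer DN, public key, then the version-dependent unique IDs and extensions.
     *
     * @return the DER encoding of the TBSCertificate
     * @throws IllegalArgumentException if a required field is missing, the fields are inconsistent, or the
     *         public key cannot be re-encoded as a {@code SubjectPublicKeyInfo}
     */
    byte[] getTBSBytes() {
        final BigInteger serial = this.serialNumber;
        final int ver = this.version;
        final String sigAlg = this.signatureAlgorithmName;
        if (sigAlg == null) {
            throw ElytronMessages.log.noSignatureAlgorithmNameGiven();
        }
        final String sigAlgOid = ASN1.oidFromSignatureAlgorithm(sigAlg);
        if (sigAlgOid == null) {
            throw ElytronMessages.log.unknownSignatureAlgorithmName(sigAlg);
        }
        final PrivateKey signer = this.signingKey;
        if (signer == null) {
            throw ElytronMessages.log.noSigningKeyGiven();
        }
        checkSigningKeyCompatible(signer, sigAlg);
        final ZonedDateTime validFrom = this.notValidBefore;
        final ZonedDateTime validTo = this.notValidAfter;
        if (validFrom.compareTo(validTo) > 0) {
            throw ElytronMessages.log.validAfterBeforeValidBefore(validFrom, validTo);
        }
        final X500Principal issuer = this.issuerDn;
        if (issuer == null) {
            throw ElytronMessages.log.noIssuerDnGiven();
        }
        final X500Principal subject = this.subjectDn;
        final PublicKey subjectKey = this.publicKey;
        if (subjectKey == null) {
            throw ElytronMessages.log.noPublicKeyGiven();
        }
        final byte[] issuerUid = this.issuerUniqueId;
        final byte[] subjectUid = this.subjectUniqueId;
        // Unique identifiers only exist from v2 on, extensions only from v3 on (RFC 5280 §4.1.2.8/9).
        if (ver < 2 && (issuerUid != null || subjectUid != null)) {
            throw ElytronMessages.log.uniqueIdNotAllowed();
        }
        final Map<String, X509CertificateExtension> extensions = this.extensionsByOid;
        if (ver < 3 && !extensions.isEmpty()) {
            throw ElytronMessages.log.extensionsNotAllowed();
        }

        final DEREncoder encoder = new DEREncoder();
        encoder.startSequence();                          // TBSCertificate ::= SEQUENCE {
        // NOTE(review): the [0] version field is written unconditionally, including for v1 where it
        // carries its DEFAULT value; strict DER would omit it. Kept as-is to preserve the output encoding.
        encoder.startExplicit(0);                         //   version [0] EXPLICIT
        encoder.encodeInteger(ver - 1);                   //   v1 = 0, v2 = 1, v3 = 2
        encoder.endExplicit();
        encoder.encodeInteger(serial);                    //   serialNumber
        encoder.startSequence();                          //   signature AlgorithmIdentifier
        encoder.encodeObjectIdentifier(sigAlgOid);
        encoder.endSequence();
        encoder.writeEncoded(issuer.getEncoded());        //   issuer Name
        encoder.startSequence();                          //   validity
        // NOTE(review): both instants are always written as GeneralizedTime; RFC 5280 §4.1.2.5 expects
        // UTCTime for dates before 2050. Kept as-is to preserve the output encoding.
        encoder.encodeGeneralizedTime(validFrom.withZoneSameInstant(ZoneOffset.UTC));
        encoder.encodeGeneralizedTime(validTo.withZoneSameInstant(ZoneOffset.UTC));
        encoder.endSequence();
        if (subject != null) {
            encoder.writeEncoded(subject.getEncoded());   //   subject Name
        }
        final String keyAlg = subjectKey.getAlgorithm();
        try {
            // Round-trip through a KeyFactory so that provider-specific key classes are normalised to
            // a standard SubjectPublicKeyInfo (X.509) encoding.
            final KeyFactory keyFactory = KeyFactory.getInstance(keyAlg);
            final X509EncodedKeySpec spki = keyFactory.getKeySpec(keyFactory.translateKey(subjectKey), X509EncodedKeySpec.class);
            encoder.writeEncoded(spki.getEncoded());      //   subjectPublicKeyInfo
            if (issuerUid != null) {
                encoder.encodeImplicit(1);                //   issuerUniqueID [1] IMPLICIT
                encoder.encodeBitString(issuerUid);
            }
            if (subjectUid != null) {
                encoder.encodeImplicit(2);                //   subjectUniqueID [2] IMPLICIT
                encoder.encodeBitString(subjectUid);
            }
            if (!extensions.isEmpty()) {
                encodeExtensions(encoder, extensions);    //   extensions [3] EXPLICIT
            }
            encoder.endSequence();                        // }
            return encoder.getEncoded();
        } catch (InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw ElytronMessages.log.invalidKeyForCert(keyAlg, e);
        }
    }

    /**
     * Checks that the JCA signature algorithm name ends with the signing key's algorithm
     * (for example {@code SHA256withRSA} for an {@code RSA} key), rejecting combined names such as
     * {@code ...withRSAand...} that name a different scheme.
     *
     * @throws IllegalArgumentException if the key and algorithm do not match
     */
    private static void checkSigningKeyCompatible(PrivateKey signer, String sigAlg) {
        String keyAlg = signer.getAlgorithm();
        // JCA reports EC private keys as "EC" while signature names use "ECDSA".
        if (keyAlg.equals("EC")) {
            keyAlg = ECDSA;
        }
        final String suffix = WITH + keyAlg;
        if (!sigAlg.endsWith(suffix) || sigAlg.contains(suffix + "and")) {
            throw ElytronMessages.log.signingKeyNotCompatWithSig(signer.getAlgorithm(), sigAlg);
        }
    }

    /**
     * Encodes the {@code extensions [3] EXPLICIT Extensions} field, one {@code Extension} SEQUENCE per
     * entry in iteration order. The {@code critical} BOOLEAN is only written when true (its DEFAULT is
     * FALSE); each extension's value is encoded into its own buffer and wrapped in an OCTET STRING.
     */
    private static void encodeExtensions(DEREncoder encoder, Map<String, X509CertificateExtension> extensions) {
        encoder.startExplicit(3);
        encoder.startSequence();
        for (X509CertificateExtension extension : extensions.values()) {
            encoder.startSequence();
            encoder.encodeObjectIdentifier(extension.getId());
            if (extension.isCritical()) {
                encoder.encodeBoolean(true);
            }
            final DEREncoder valueEncoder = new DEREncoder();
            extension.encodeTo(valueEncoder);
            encoder.encodeOctetString(valueEncoder.getEncoded());
            encoder.endSequence();
        }
        encoder.endSequence();
        encoder.endExplicit();
    }

    /** Returns a copy of the array, or {@code null} for {@code null} input. */
    private static byte[] copyOf(byte[] bytes) {
        return bytes == null ? null : bytes.clone();
    }
}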
