package org.wildfly.security.x500.cert;

import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.security.asn1.ASN1;
import org.wildfly.security.asn1.DEREncoder;
import org.wildfly.security.pem.Pem;
import org.wildfly.security.x500.cert._private.ElytronMessages;
import org.wildfly.security.x500.cert.acme.Acme;
import org.wildfly.security.x500.cert.util.KeyUtil;

/* loaded from: input_file:org/wildfly/security/x500/cert/PKCS10CertificateSigningRequest.class */
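/**
 * An immutable PKCS #10 certificate signing request (CSR).
 *
 * <p>Instances are created through {@link #builder()}. The DER encoding is produced and signed once,
 * in {@link Builder#build()}; the accessors on this class only expose what was encoded at that point.
 */
public final class PKCS10CertificateSigningRequest {
    private final PublicKey publicKey;
    private final X500Principal subjectDn;
    private final List<X509CertificateExtension> extensions;
    private final byte[] encoded;

    /**
     * Collects the inputs for a CSR and produces the signed DER encoding.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>The public key placed in the request is taken from the certificate, while the signature is
     *       made with the separately supplied signing key. Nothing in this class checks that the two
     *       belong to the same key pair; a mismatched pair produces a request whose signature does not
     *       verify against the embedded public key.</li>
     *   <li>A signature algorithm name is accepted whenever {@code ASN1.oidFromSignatureAlgorithm} maps
     *       it to an OID and its suffix matches the signing key type. No digest-strength policy is
     *       applied here, so the choice of digest is the caller's responsibility.</li>
     * </ul>
     */
    public static class Builder {
        /** Version number written into CertificationRequestInfo. */
        private static final int VERSION = 0;
        private Certificate certificate;
        private PublicKey publicKey;
        private PrivateKey signingKey;
        private String signatureAlgorithmName;
        private String signatureAlgorithmOid;
        private X500Principal subjectDn;
        // Insertion-ordered so that extensions are encoded in the order they were added.
        private final Map<String, X509CertificateExtension> extensionsByOid = new LinkedHashMap<>();

        Builder() {
        }

        /**
         * Sets the certificate whose public key is placed in the request.
         *
         * @param certificate the certificate (must not be {@code null})
         * @return this builder
         */
        public Builder setCertificate(Certificate certificate) {
            Assert.checkNotNullParam(Acme.CERTIFICATE, certificate);
            this.certificate = certificate;
            this.publicKey = certificate.getPublicKey();
            return this;
        }

        /**
         * Sets the private key used to sign the request.
         *
         * @param privateKey the signing key (must not be {@code null})
         * @return this builder
         */
        public Builder setSigningKey(PrivateKey privateKey) {
            Assert.checkNotNullParam("signingKey", privateKey);
            this.signingKey = privateKey;
            return this;
        }

        /**
         * Sets the subject DN. When unset, {@link #build()} takes it from the certificate.
         *
         * @param x500Principal the subject DN (must not be {@code null})
         * @return this builder
         */
        public Builder setSubjectDn(X500Principal x500Principal) {
            Assert.checkNotNullParam("subjectDn", x500Principal);
            this.subjectDn = x500Principal;
            return this;
        }

        /**
         * Sets the signature algorithm name. When unset, {@link #build()} asks
         * {@code KeyUtil.getDefaultCompatibleSignatureAlgorithmName} for one based on the signing key.
         *
         * @param str the JCA signature algorithm name (must not be {@code null})
         * @return this builder
         */
        public Builder setSignatureAlgorithmName(String str) {
            Assert.checkNotNullParam("signatureAlgorithmName", str);
            this.signatureAlgorithmName = str;
            return this;
        }

        /**
         * Adds an extension to the extension request attribute.
         *
         * @param x509CertificateExtension the extension (must not be {@code null}, and neither may its id)
         * @return this builder
         * @throws IllegalArgumentException if an extension with the same id was already added
         */
        public Builder addExtension(X509CertificateExtension x509CertificateExtension) throws IllegalArgumentException {
            Assert.checkNotNullParam("extension", x509CertificateExtension);
            String id = x509CertificateExtension.getId();
            Assert.checkNotNullParam("extension.getOid()", id);
            if (this.extensionsByOid.putIfAbsent(id, x509CertificateExtension) != null) {
                throw ElytronMessages.log.extensionAlreadyExists(id);
            }
            return this;
        }

        /**
         * Adds an extension built by {@code CertUtil.getX509CertificateExtension} from a name and value.
         *
         * @param z whether the extension is critical
         * @param str the extension name (must not be {@code null})
         * @param str2 the extension value (must not be {@code null})
         * @return this builder
         * @throws IllegalArgumentException if an extension with the same id was already added
         */
        public Builder addExtension(boolean z, String str, String str2) throws IllegalArgumentException {
            Assert.checkNotNullParam("name", str);
            Assert.checkNotNullParam("value", str2);
            return addExtension(CertUtil.getX509CertificateExtension(z, str, str2));
        }

        /**
         * Validates the collected inputs, then encodes and signs the request.
         *
         * <p>This method adds a {@code SubjectKeyIdentifierExtension} through
         * {@link #addExtension(X509CertificateExtension)}, which rejects a duplicate id. A second call
         * on the same builder, or a caller-supplied extension with that id, is therefore expected to
         * fail. NOTE(review): this depends on {@code SubjectKeyIdentifierExtension.getId()}, which is
         * not visible in this file.
         *
         * @return the signed certificate signing request
         * @throws IllegalArgumentException if the certificate or signing key is missing, the signature
         *         algorithm is unknown or does not match the signing key type, or an extension id is
         *         duplicated
         * @throws ClassCastException if no subject DN was set and the certificate is not an
         *         {@link X509Certificate}
         */
        public PKCS10CertificateSigningRequest build() throws IllegalArgumentException {
            if (this.certificate == null) {
                throw ElytronMessages.log.noCertificateGiven();
            }
            if (this.signingKey == null) {
                throw ElytronMessages.log.noSigningKeyGiven();
            }
            if (this.signatureAlgorithmName == null) {
                this.signatureAlgorithmName = KeyUtil.getDefaultCompatibleSignatureAlgorithmName(this.signingKey);
                if (this.signatureAlgorithmName == null) {
                    throw ElytronMessages.log.noSignatureAlgorithmNameGiven();
                }
            }
            this.signatureAlgorithmOid = ASN1.oidFromSignatureAlgorithm(this.signatureAlgorithmName);
            if (this.signatureAlgorithmOid == null) {
                throw ElytronMessages.log.asnUnrecognisedAlgorithm(this.signatureAlgorithmName);
            }

            // JCA reports elliptic-curve keys as "EC", but signature names use "ECDSA".
            String keyAlgorithm = this.signingKey.getAlgorithm();
            if (keyAlgorithm.equals("EC")) {
                keyAlgorithm = "ECDSA";
            }
            // The name must end in "with<keyAlgorithm>" and must not carry a "with<keyAlgorithm>and..." part.
            // A plain literal is used so this check does not depend on a constant owned by an unrelated library.
            String expectedSuffix = "with" + keyAlgorithm;
            boolean suffixMatches = this.signatureAlgorithmName.endsWith(expectedSuffix);
            boolean hasAndVariant = this.signatureAlgorithmName.contains(expectedSuffix + "and");
            if (!suffixMatches || hasAndVariant) {
                throw ElytronMessages.log.signingKeyNotCompatWithSig(this.signingKey.getAlgorithm(), this.signatureAlgorithmName);
            }

            if (this.subjectDn == null) {
                // Unchecked cast: setCertificate accepts any Certificate, so a non-X.509 one fails here.
                this.subjectDn = ((X509Certificate) this.certificate).getSubjectX500Principal();
            }
            addExtension(new SubjectKeyIdentifierExtension(KeyUtil.getKeyIdentifier(this.publicKey)));

            DEREncoder requestEncoder = new DEREncoder();
            encodeCertificationRequest(requestEncoder);
            return new PKCS10CertificateSigningRequest(this, requestEncoder.getEncoded());
        }

        /**
         * Writes the outer request: the request info, the signature algorithm identifier and the
         * signature over the encoded request info as a bit string.
         */
        private void encodeCertificationRequest(DEREncoder dEREncoder) {
            DEREncoder infoEncoder = new DEREncoder();
            encodeCertificationRequestInfo(infoEncoder);
            byte[] requestInfo = infoEncoder.getEncoded();
            try {
                Signature signature = Signature.getInstance(this.signatureAlgorithmName);
                signature.initSign(this.signingKey);
                signature.update(requestInfo);
                byte[] signatureBytes = signature.sign();
                dEREncoder.startSequence();
                dEREncoder.writeEncoded(requestInfo);
                encodeAlgorithmIdentifier(dEREncoder);
                dEREncoder.encodeBitString(signatureBytes);
                dEREncoder.endSequence();
            } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                throw ElytronMessages.log.certRequestInfoSigningFailed(e);
            }
        }

        /**
         * Writes the request info: version, subject, public key and the attributes under
         * implicit tag 0.
         */
        private void encodeCertificationRequestInfo(DEREncoder dEREncoder) {
            dEREncoder.startSequence();
            dEREncoder.encodeInteger(VERSION);
            dEREncoder.writeEncoded(this.subjectDn.getEncoded());
            // assumes the key's getEncoded() yields a DER SubjectPublicKeyInfo - TODO confirm for custom providers
            dEREncoder.writeEncoded(this.publicKey.getEncoded());
            dEREncoder.encodeImplicit(0);
            encodeAttributes(dEREncoder);
            dEREncoder.endSequence();
        }

        /** Writes the signature algorithm identifier; RSA keys get an explicit NULL parameter. */
        private void encodeAlgorithmIdentifier(DEREncoder dEREncoder) {
            dEREncoder.startSequence();
            dEREncoder.encodeObjectIdentifier(this.signatureAlgorithmOid);
            if (this.signingKey.getAlgorithm().equals("RSA")) {
                dEREncoder.encodeNull();
            }
            dEREncoder.endSequence();
        }

        /** Writes the attribute set, which holds a single extension request attribute. */
        private void encodeAttributes(DEREncoder dEREncoder) {
            dEREncoder.startSetOf();
            dEREncoder.startSequence();
            dEREncoder.encodeObjectIdentifier(ASN1.OID_EXTENSION_REQUEST);
            dEREncoder.startSetOf();
            encodeExtensionRequest(dEREncoder);
            dEREncoder.endSetOf();
            dEREncoder.endSequence();
            dEREncoder.endSetOf();
        }

        /** Writes every collected extension, in insertion order, as one sequence. */
        private void encodeExtensionRequest(DEREncoder dEREncoder) {
            dEREncoder.startSequence();
            for (X509CertificateExtension extension : this.extensionsByOid.values()) {
                encodeExtension(dEREncoder, extension);
            }
            dEREncoder.endSequence();
        }

        /**
         * Writes one extension: its id, the critical flag only when it is {@code true}, and the
         * extension value wrapped in an octet string.
         */
        private static void encodeExtension(DEREncoder dEREncoder, X509CertificateExtension x509CertificateExtension) {
            dEREncoder.startSequence();
            dEREncoder.encodeObjectIdentifier(x509CertificateExtension.getId());
            if (x509CertificateExtension.isCritical()) {
                dEREncoder.encodeBoolean(true);
            }
            DEREncoder valueEncoder = new DEREncoder();
            x509CertificateExtension.encodeTo(valueEncoder);
            dEREncoder.encodeOctetString(valueEncoder.getEncoded());
            dEREncoder.endSequence();
        }
    }

    /** Snapshots the builder state; later changes to the builder do not affect this request. */
    private PKCS10CertificateSigningRequest(Builder builder, byte[] bArr) {
        this.publicKey = builder.publicKey;
        this.subjectDn = builder.subjectDn;
        this.extensions = new ArrayList<>(builder.extensionsByOid.values());
        this.encoded = bArr;
    }

    /**
     * Returns the DER encoding of this request.
     *
     * @return a copy of the encoded bytes
     */
    public byte[] getEncoded() {
        return this.encoded.clone();
    }

    /**
     * Returns this request in PEM form, as produced by
     * {@code Pem.generatePemPKCS10CertificateSigningRequest}.
     *
     * @return the PEM bytes
     */
    public byte[] getPem() {
        ByteStringBuilder pemBytes = new ByteStringBuilder();
        Pem.generatePemPKCS10CertificateSigningRequest(pemBytes, this);
        return pemBytes.toArray();
    }

    /**
     * Returns the public key placed in this request.
     *
     * @return the public key
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Returns the subject DN of this request.
     *
     * @return the subject DN
     */
    public X500Principal getSubjectDn() {
        return this.subjectDn;
    }

    /**
     * Returns the extensions requested in this request.
     *
     * @return a new list on each call, so that callers cannot alter this object's state; the encoded
     *         form is fixed at build time and would not reflect any change
     */
    public List<X509CertificateExtension> getExtensions() {
        return new ArrayList<>(this.extensions);
    }

    /**
     * Creates a new, empty builder.
     *
     * @return the builder
     */
    public static Builder builder() {
        return new Builder();
    }
}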
