package org.xipki.ca.server;

import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.BadCertTemplateException;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.OperationException;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.ExtensionValue;
import org.xipki.ca.api.profile.ExtensionValues;
import org.xipki.security.AlgorithmValidator;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignerConf;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.InvalidConfException;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.Validity;

/* loaded from: input_file:org/xipki/ca/server/SelfSignedCertBuilder.class */
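/**
 * Builds the self-signed (root CA) certificate for a new CA from a CSR.
 *
 * <p>The CSR's public key must be the key held by the configured signer (the CA's own
 * token), the profile must be of level {@code RootCA}, and the certificate is issued with
 * issuer == granted subject using the validity and extensions the profile grants.
 *
 * <p>Static-only utility; not instantiable.
 */
class SelfSignedCertBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(SelfSignedCertBuilder.class);

    /**
     * Result of {@link #generateSelfSigned}: the CA signer configuration that was handed in
     * (returned unchanged) and the generated self-signed certificate.
     */
    /* loaded from: input_file:org/xipki/ca/server/SelfSignedCertBuilder$GenerateSelfSignedResult.class */
    static class GenerateSelfSignedResult {
        private final String signerConf;
        private final X509Certificate cert;

        GenerateSelfSignedResult(String signerConf, X509Certificate cert) {
            this.signerConf = signerConf;
            this.cert = cert;
        }

        /** @return the CA signer configuration the certificate was generated with */
        public String getSignerConf() {
            return signerConf;
        }

        /** @return the generated self-signed certificate */
        public X509Certificate getCert() {
            return cert;
        }
    }

    private SelfSignedCertBuilder() {
    }

    /**
     * Validates the request and generates the self-signed CA certificate.
     *
     * @param securityFactory factory used to verify the CSR's proof of possession and to create the signer
     * @param signerType      signer type (e.g. {@code pkcs12}, {@code jks}, ...); must not be blank
     * @param signerConf      CA signer configuration, possibly listing one configuration per signature algorithm
     * @param certprofile     certificate profile; must be of level {@code RootCA}
     * @param csr             the PKCS#10 request carrying subject, public key and requested extensions
     * @param serialNumber    serial number of the new certificate; must be positive
     * @param caUris          CA URIs published through {@link PublicCaInfo}
     * @param confPairs       extra configuration passed through to {@link PublicCaInfo}
     * @return the signer configuration and the generated certificate
     * @throws IllegalArgumentException if the serial number is not positive or the profile is not of level RootCA
     * @throws InvalidConfException     if the CSR's proof of possession cannot be verified, or a PKCS12/JKS
     *                                  signer lacks the {@code keystore} parameter
     * @throws OperationException       with {@code SYSTEM_FAILURE} if no signature algorithm allowed by the profile
     *                                  is configured for the CA or the signer cannot be created; other codes as
     *                                  raised while building the certificate
     */
    public static GenerateSelfSignedResult generateSelfSigned(SecurityFactory securityFactory, String signerType,
            String signerConf, IdentifiedCertprofile certprofile, CertificationRequest csr, BigInteger serialNumber,
            CaUris caUris, ConfPairs confPairs) throws OperationException, InvalidConfException {
        Args.notNull(securityFactory, "securityFactory");
        Args.notBlank(signerType, "signerType");
        Args.notNull(certprofile, CaAuditConstants.NAME_certprofile);
        Args.notNull(csr, "csr");
        Args.notNull(serialNumber, "serialNumber");
        // compareTo() only promises the sign of its result, so test the sign rather than "== 1"
        if (serialNumber.signum() <= 0) {
            throw new IllegalArgumentException("serialNumber may not be non-positive: " + serialNumber);
        }
        if (Certprofile.CertLevel.RootCA != certprofile.getCertLevel()) {
            throw new IllegalArgumentException("certprofile is not of level " + Certprofile.CertLevel.RootCA);
        }
        // proof of possession: the requester must control the private key matching the CSR's public key
        if (!securityFactory.verifyPopo(csr, (AlgorithmValidator) null)) {
            throw new InvalidConfException("could not validate POP for the CSR");
        }
        if (("pkcs12".equalsIgnoreCase(signerType) || "jks".equalsIgnoreCase(signerType))
                && new ConfPairs(signerConf).value("keystore") == null) {
            throw new InvalidConfException("required parameter 'keystore' for types PKCS12 and JKS, is not specified");
        }
        try {
            List<String[]> caSignerConfs = MgmtEntry.Ca.splitCaSignerConfs(signerConf);
            String selectedConf = selectSignerConf(caSignerConfs, certprofile.getSignatureAlgorithms());
            if (selectedConf == null) {
                throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE,
                        "CA does not support any signature algorithm restricted by the cert profile");
            }
            ConcurrentContentSigner signer = securityFactory.createSigner(signerType, new SignerConf(selectedConf),
                    (X509Certificate[]) null);
            X509Certificate cert = generateCertificate(signer, certprofile, csr, serialNumber, caUris, confPairs);
            return new GenerateSelfSignedResult(signerConf, cert);
        } catch (XiSecurityException | ObjectCreationException e) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    /**
     * Picks the signer configuration to use from the CA's per-algorithm configurations.
     *
     * <p>If the profile restricts the signature algorithms, the first profile algorithm for which
     * the CA has a configuration wins (profile order takes precedence over CA order). If the
     * profile imposes no restriction, the CA's first configuration is used.
     *
     * @param caSignerConfs     CA configurations as {@code {algorithm, conf}} pairs
     * @param profileAlgorithms algorithms allowed by the profile; may be null or empty
     * @return the selected configuration, or null if none matches or the CA has no configuration
     */
    private static String selectSignerConf(List<String[]> caSignerConfs, List<String> profileAlgorithms) {
        if (CollectionUtil.isEmpty(profileAlgorithms)) {
            // an empty CA list yields null here (and a SYSTEM_FAILURE in the caller) instead of an index error
            return caSignerConfs.isEmpty() ? null : caSignerConfs.get(0)[1];
        }
        for (String algorithm : profileAlgorithms) {
            for (String[] conf : caSignerConfs) {
                if (conf[0].equals(algorithm)) {
                    return conf[1];
                }
            }
        }
        return null;
    }

    /**
     * Builds and signs the certificate with the given signer.
     *
     * @param signer       the CA signer; its public key must equal the CSR's public key
     * @param certprofile  profile providing subject, validity and extensions
     * @param csr          the request
     * @param serialNumber serial number of the certificate
     * @param caUris       CA URIs for {@link PublicCaInfo}
     * @param confPairs    extra configuration for {@link PublicCaInfo}
     * @return the parsed certificate
     * @throws OperationException {@code BAD_CERT_TEMPLATE} if the CSR key is not RFC 3279 encodable, the profile
     *                            rejects key/subject/extensions or specifies no validity; {@code BAD_REQUEST} if the
     *                            signer's key differs from the CSR's; {@code SYSTEM_FAILURE} on profile, signer,
     *                            encoding or parsing errors
     */
    private static X509Certificate generateCertificate(ConcurrentContentSigner signer, IdentifiedCertprofile certprofile,
            CertificationRequest csr, BigInteger serialNumber, CaUris caUris, ConfPairs confPairs)
            throws OperationException {
        SubjectPublicKeyInfo publicKeyInfo;
        try {
            publicKeyInfo = X509Util.toRfc3279Style(csr.getCertificationRequestInfo().getSubjectPublicKeyInfo());
        } catch (InvalidKeySpecException e) {
            LOG.warn("SecurityUtil.toRfc3279Style", e);
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e);
        }

        try {
            // the key on the CA's token must be exactly the key certified, otherwise the
            // self-signed certificate would not verify against the CA's own signatures
            if (!signer.getPublicKey().equals(KeyUtil.generatePublicKey(publicKeyInfo))) {
                throw new OperationException(OperationException.ErrorCode.BAD_REQUEST,
                        "Public keys of the signer's token and of CSR are different");
            }
        } catch (InvalidKeySpecException e) {
            // keep the cause instead of only its message
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        }

        try {
            certprofile.checkPublicKey(publicKeyInfo);
        } catch (CertprofileException e) {
            // the wrapped exception carries only a message; log the cause so it is not lost
            LOG.warn("exception in cert profile {}", certprofile.getIdent(), e);
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE,
                    "exception in cert profile " + certprofile.getIdent());
        } catch (BadCertTemplateException e) {
            LOG.warn("certprofile.checkPublicKey", e);
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e);
        }

        X500Name requestedSubject = csr.getCertificationRequestInfo().getSubject();
        X500Name grantedSubject;
        Date notBefore;
        Date notAfter;
        try {
            Certprofile.SubjectInfo subjectInfo = certprofile.getSubject(requestedSubject);
            notBefore = certprofile.getNotBefore(null);
            if (notBefore == null) {
                notBefore = new Date();
            }
            Validity validity = certprofile.getValidity();
            if (validity == null) {
                throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE,
                        "no validity specified in the profile " + certprofile.getIdent());
            }
            notAfter = validity.add(notBefore);
            grantedSubject = subjectInfo.getGrantedSubject();
        } catch (BadCertTemplateException e) {
            LOG.warn("certprofile.getSubject", e);
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e);
        } catch (CertprofileException e) {
            LOG.warn("exception in cert profile {}", certprofile.getIdent(), e);
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE,
                    "exception in cert profile " + certprofile.getIdent());
        }

        // self-signed: issuer and subject are both the granted subject
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(grantedSubject, serialNumber, notBefore,
                notAfter, grantedSubject, publicKeyInfo);
        PublicCaInfo publicCaInfo = new PublicCaInfo(grantedSubject, serialNumber, (GeneralNames) null, (byte[]) null,
                caUris, confPairs);
        Extensions requestedExtensions = extractExtensionRequest(csr);

        try {
            addExtensions(certBuilder, certprofile, requestedSubject, grantedSubject, requestedExtensions,
                    publicKeyInfo, publicCaInfo, notBefore, notAfter);
            ConcurrentBagEntrySigner borrowed = signer.borrowSigner();
            X509CertificateHolder certHolder;
            try {
                certHolder = certBuilder.build((ContentSigner) borrowed.value());
            } finally {
                // return the signer exactly once; previously a failure in the parse step below
                // returned it a second time
                signer.requiteSigner(borrowed);
            }
            return X509Util.parseCert(certHolder.toASN1Structure().getEncoded());
        } catch (NoIdleSignerException | IOException | CertificateException | CertprofileException e) {
            throw new OperationException(OperationException.ErrorCode.SYSTEM_FAILURE, e);
        } catch (BadCertTemplateException e) {
            throw new OperationException(OperationException.ErrorCode.BAD_CERT_TEMPLATE, e);
        }
    }

    /**
     * Returns the extensions requested in the CSR's {@code pkcs-9-at-extensionRequest} attribute.
     *
     * <p>If several such attributes are present the last one wins, and only the first value of
     * the attribute is used. The requested extensions are only input to the profile, which
     * decides what is actually granted.
     *
     * @param csr the request
     * @return the requested extensions, or null if the CSR carries none
     */
    private static Extensions extractExtensionRequest(CertificationRequest csr) {
        ASN1Set attributes = csr.getCertificationRequestInfo().getAttributes();
        if (attributes == null) {
            return null;
        }
        Extensions requested = null;
        for (int i = 0; i < attributes.size(); i++) {
            Attribute attribute = Attribute.getInstance(attributes.getObjectAt(i));
            if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
                requested = Extensions.getInstance(attribute.getAttributeValues()[0]);
            }
        }
        return requested;
    }

    /**
     * Adds the extensions granted by the profile to the certificate builder.
     *
     * @param certBuilder         builder receiving the extensions
     * @param certprofile         profile computing the granted extensions
     * @param requestedSubject    subject as requested in the CSR
     * @param grantedSubject      subject granted by the profile (also the issuer)
     * @param requestedExtensions extensions requested in the CSR; may be null
     * @param publicKeyInfo       the certified public key
     * @param publicCaInfo        CA information available to the profile
     * @param notBefore           start of validity
     * @param notAfter            end of validity
     * @throws CertprofileException     on profile errors
     * @throws IOException              if an extension value cannot be encoded
     * @throws BadCertTemplateException if the profile rejects the requested extensions
     */
    private static void addExtensions(X509v3CertificateBuilder certBuilder, IdentifiedCertprofile certprofile,
            X500Name requestedSubject, X500Name grantedSubject, Extensions requestedExtensions,
            SubjectPublicKeyInfo publicKeyInfo, PublicCaInfo publicCaInfo, Date notBefore, Date notAfter)
            throws CertprofileException, IOException, BadCertTemplateException {
        ExtensionValues granted = certprofile.getExtensions(requestedSubject, grantedSubject, requestedExtensions,
                publicKeyInfo, publicCaInfo, null, notBefore, notAfter);
        if (granted == null) {
            return;
        }
        for (ASN1ObjectIdentifier type : granted.getExtensionTypes()) {
            ExtensionValue value = granted.getExtensionValue(type);
            certBuilder.addExtension(type, value.isCritical(), value.getValue());
        }
    }
}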
