package com.floragunn.searchguard.tools.tlstool.tasks;

import com.floragunn.searchguard.tools.tlstool.Config;
import com.floragunn.searchguard.tools.tlstool.Context;
import com.floragunn.searchguard.tools.tlstool.ToolException;
import java.io.File;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.util.Date;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:com/floragunn/searchguard/tools/tlstool/tasks/CreateCa.class */
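/**
 * Creates the root CA certificate and, optionally, an intermediate ("signing") CA
 * certificate, queues both for output (private keys password-encrypted) and registers
 * the signing certificate/key in the {@link Context} so that later tasks can issue
 * node and client certificates with it.
 *
 * <p>Security notes:
 * <ul>
 *   <li>No existing key, certificate or readme file is ever overwritten; all target
 *       files are checked before any key material is generated.</li>
 *   <li>Certificate serial numbers are drawn from {@link SecureRandom} (159 bits)
 *       rather than the fixed values 1/2, so CAs generated on different runs with the
 *       same DN never share an issuer/serial pair (which breaks revocation semantics
 *       and is rejected by some clients).</li>
 *   <li>When passwords are auto-generated they are written in clear text to the
 *       readme file next to the encrypted keys; that file must be protected (and
 *       ideally moved) like the key files themselves.</li>
 * </ul>
 */
public class CreateCa extends Task {
    private static final Logger log = LogManager.getLogger(CreateCa.class);

    /**
     * Bits of randomness per serial number. 159 bits yields a positive DER INTEGER
     * that always fits RFC 5280's 20-octet limit while providing far more than the
     * 64 bits of entropy recommended against chosen-prefix collision attacks.
     */
    private static final int SERIAL_BITS = 159;
    private static final SecureRandom SERIAL_RANDOM = new SecureRandom();

    private final Config.Ca.Certificate rootCertificateConfig;
    /** {@code null} when no intermediate CA is configured; the root then signs directly. */
    private final Config.Ca.Certificate signingCertificateConfig;

    /**
     * @param context shared tool context; receives the root CA file and the signing CA cert/key
     * @param ca      the {@code ca} section of the tool configuration
     * @throws ToolException if {@code ca} or {@code ca.root} is missing
     */
    public CreateCa(Context context, Config.Ca ca) throws ToolException {
        super(context);
        if (ca == null) {
            throw new ToolException("Configuration ca is required");
        }
        Config.Ca.Certificate root = ca.getRoot();
        if (root == null) {
            throw new ToolException("Configuration ca.root is required");
        }
        this.rootCertificateConfig = root;
        // Optional: without an intermediate, the root issues end-entity certificates itself.
        this.signingCertificateConfig = ca.getIntermediate();
    }

    /**
     * Generates the CA hierarchy and queues the output files.
     *
     * @throws ToolException if a target file already exists or certificate creation fails
     */
    @Override // com.floragunn.searchguard.tools.tlstool.tasks.Task
    public void run() throws ToolException {
        File rootKeyFile = getConfiguredFile(this.rootCertificateConfig.getFile(), "root-ca.key", "key");
        File rootCertFile = getConfiguredFile(this.rootCertificateConfig.getFile(), "root-ca.pem", "pem");
        File readmeFile = getConfiguredFile(this.rootCertificateConfig.getFile(), "root-ca.readme", "readme");
        boolean writeReadme = isAnyPasswordAutoGenerated();

        // Fail on every pre-existing target before generating any key material, so a
        // failed run never leaves partial output behind. The readme is checked only
        // when it will actually be written: it holds the auto-generated passwords of
        // an earlier run and must not be silently overwritten either.
        failIfExists(rootKeyFile);
        failIfExists(rootCertFile);
        if (writeReadme) {
            failIfExists(readmeFile);
        }

        File signingKeyFile = null;
        File signingCertFile = null;
        if (this.signingCertificateConfig != null) {
            signingKeyFile = getConfiguredFile(this.signingCertificateConfig.getFile(), "signing-ca.key", "key");
            signingCertFile = getConfiguredFile(this.signingCertificateConfig.getFile(), "signing-ca.pem", "pem");
            failIfExists(signingKeyFile);
            failIfExists(signingCertFile);
        }

        KeyPair rootKeyPair = generateKeyPair(this.rootCertificateConfig);
        X509CertificateHolder rootCertificate = createRootCaCertificate(rootKeyPair);
        this.ctx.setRootCaFile(rootCertFile);

        // NOTE: the Task helpers exchange passwords as Strings, so they cannot be
        // wiped from memory after use; they live until garbage collection.
        String rootKeyPassword = getPassword(this.rootCertificateConfig.getPkPassword());
        String signingKeyPassword = null;
        addOutputFile(rootCertFile, rootCertificate);
        addEncryptedOutputFile(rootKeyFile, rootKeyPassword, rootKeyPair.getPrivate());

        if (this.signingCertificateConfig != null) {
            KeyPair signingKeyPair = generateKeyPair(this.signingCertificateConfig);
            X509CertificateHolder signingCertificate =
                    createIntermediateCertificate(signingKeyPair, rootKeyPair, rootCertificate);
            this.ctx.setSigningCertificate(signingCertificate);
            this.ctx.setSigningPrivateKey(signingKeyPair.getPrivate());
            signingKeyPassword = getPassword(this.signingCertificateConfig.getPkPassword());
            addOutputFile(signingCertFile, signingCertificate);
            addEncryptedOutputFile(signingKeyFile, signingKeyPassword, signingKeyPair.getPrivate());
        } else {
            // No intermediate configured: the root key signs node/client certificates directly.
            this.ctx.setSigningCertificate(rootCertificate);
            this.ctx.setSigningPrivateKey(rootKeyPair.getPrivate());
        }

        if (writeReadme) {
            // Clear-text passwords on disk: the readme defeats the key encryption if it
            // is left world-readable next to the keys.
            addOutputFile(readmeFile, createReadme(rootKeyPassword, signingKeyPassword));
        }
        log.info(createSuccessLog());
    }

    /** Aborts the task instead of overwriting {@code file}. Message text kept for compatibility. */
    private static void failIfExists(File file) throws ToolException {
        if (file.exists()) {
            throw new ToolException(file + " does already exist.");
        }
    }

    /** True if at least one of the configured CA key passwords is to be auto-generated. */
    private boolean isAnyPasswordAutoGenerated() {
        if (isPasswordAutoGenerationEnabled(this.rootCertificateConfig.getPkPassword())) {
            return true;
        }
        return this.signingCertificateConfig != null
                && isPasswordAutoGenerationEnabled(this.signingCertificateConfig.getPkPassword());
    }

    /**
     * Returns a fresh, positive, unpredictable serial number.
     * Zero is not a valid serial (RFC 5280 requires a positive integer), so the
     * practically-impossible all-zero draw is retried.
     */
    private static BigInteger randomSerial() {
        BigInteger serial;
        do {
            serial = new BigInteger(SERIAL_BITS, SERIAL_RANDOM);
        } while (serial.signum() == 0);
        return serial;
    }

    /** Key usage shared by both CA certificates: sign certificates and CRLs, plus digitalSignature. */
    private static KeyUsage caKeyUsage() {
        return new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign);
    }

    /** Content-signer builder using the configured signature algorithm and security provider. */
    private JcaContentSignerBuilder signerBuilder() {
        return new JcaContentSignerBuilder(this.ctx.getConfig().getDefaults().getSignatureAlgorithm())
                .setProvider(this.ctx.getSecurityProvider());
    }

    /** Success message for the log; never includes the passwords themselves. */
    private String createSuccessLog() {
        StringBuilder sb = new StringBuilder();
        sb.append("Root certificate ");
        if (this.signingCertificateConfig != null) {
            sb.append("and signing certificate have ");
        } else {
            sb.append("has ");
        }
        sb.append("been sucessfully created.\n");
        if (isAnyPasswordAutoGenerated()) {
            sb.append("The passwords of the private key files have been auto generated. You can find the passwords in root-ca.readme.\n");
        }
        return sb.toString();
    }

    /**
     * Builds the self-signed root CA certificate.
     *
     * @param rootKeyPair key pair of the root CA; its private key signs the certificate
     * @return the root certificate (issuer == subject)
     * @throws ToolException on any certificate composition or signing failure
     */
    private X509CertificateHolder createRootCaCertificate(KeyPair rootKeyPair) throws ToolException {
        try {
            X500Name dn = createDn(this.rootCertificateConfig.getDn(), "root");
            // Validity starts now; no back-dating for clock skew between hosts.
            Date notBefore = new Date(System.currentTimeMillis());
            Date notAfter = getEndDate(notBefore, this.rootCertificateConfig.getValidityDays().intValue());
            SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(rootKeyPair.getPublic().getEncoded());
            X509v3CertificateBuilder builder =
                    new X509v3CertificateBuilder(dn, randomSerial(), notBefore, notAfter, dn, publicKeyInfo);
            JcaX509ExtensionUtils extUtils = getExtUtils();
            // CA without a path-length limit; basicConstraints and keyUsage are marked critical.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    extUtils.createAuthorityKeyIdentifier(rootKeyPair.getPublic()));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    extUtils.createSubjectKeyIdentifier(rootKeyPair.getPublic()));
            builder.addExtension(Extension.keyUsage, true, caKeyUsage());
            return builder.build(signerBuilder().build(rootKeyPair.getPrivate()));
        } catch (CertIOException | OperatorCreationException e) {
            throw new ToolException("Error while composing certificate", e);
        }
    }

    /**
     * Builds the intermediate (signing) CA certificate, issued by the root.
     *
     * @param intermediateKeyPair key pair whose public key goes into the certificate
     * @param rootKeyPair         root key pair; its private key signs the certificate
     * @param rootCertificate     root certificate supplying issuer name and authority key identifier
     * @return the intermediate certificate
     * @throws ToolException on any certificate composition or signing failure
     */
    private X509CertificateHolder createIntermediateCertificate(KeyPair intermediateKeyPair, KeyPair rootKeyPair,
            X509CertificateHolder rootCertificate) throws ToolException {
        try {
            Date notBefore = new Date(System.currentTimeMillis());
            Date notAfter = getEndDate(notBefore, this.signingCertificateConfig.getValidityDays().intValue());
            X500Name subject = createDn(this.signingCertificateConfig.getDn(), "intermediate");
            SubjectPublicKeyInfo publicKeyInfo =
                    SubjectPublicKeyInfo.getInstance(intermediateKeyPair.getPublic().getEncoded());
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    rootCertificate.getSubject(), randomSerial(), notBefore, notAfter, subject, publicKeyInfo);
            JcaX509ExtensionUtils extUtils = getExtUtils();
            // pathLen 0: may issue end-entity certificates only, never further sub-CAs.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
            // AKI derived from the issuing root so chain building links the two certificates.
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    extUtils.createAuthorityKeyIdentifier(rootCertificate));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    extUtils.createSubjectKeyIdentifier(intermediateKeyPair.getPublic()));
            builder.addExtension(Extension.keyUsage, true, caKeyUsage());
            return builder.build(signerBuilder().build(rootKeyPair.getPrivate()));
        } catch (CertIOException | OperatorCreationException e) {
            throw new ToolException("Error while composing certificate", e);
        }
    }

    /**
     * Renders the readme that tells the user how to put the auto-generated passwords
     * back into the tool configuration.
     *
     * @param rootKeyPassword    password of the root CA private key
     * @param signingKeyPassword password of the intermediate key, or {@code null} if there is none
     * @return readme text (a YAML snippet for the {@code ca} section)
     */
    private String createReadme(String rootKeyPassword, String signingKeyPassword) {
        // NOTE(review): passwords are emitted unquoted; if getPassword() can produce
        // YAML-special characters (':', '#', leading quotes) the snippet would need
        // quoting — verify against the generator.
        String readme = "The private keys of the root certificate and/or the signing certificate have been saved encrypted with an auto-generated password.\nIn order to use these new passwords later again with this tool, you must edit the tool config file and set the new passwords there.\n\nca:\n   root:\n       pkPassword: " + rootKeyPassword + "\n";
        if (signingKeyPassword != null) {
            readme = readme + "   intermediate:\n       pkPassword: " + signingKeyPassword;
        }
        return readme;
    }
}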
