package org.glite.security.util.proxy;

import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.Enumeration;
import java.util.GregorianCalendar;
import java.util.TimeZone;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.glite.security.util.PrivateKeyReader;

/* loaded from: input_file:org/glite/security/util/proxy/ProxyCertificateGenerator.class */
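/**
 * Builds a proxy certificate (legacy Globus style, draft-RFC style or RFC 3820 style) that is
 * signed by the first certificate of a parent chain.
 *
 * <p>Typical use: construct with the parent chain (and optionally the requester's PKCS#10 request),
 * adjust lifetime / type / policy / restrictions through the setters, call
 * {@link #generate(PrivateKey)} with the parent's private key, then read the result through
 * {@link #getCertChain()}, {@link #getCertChainAsPEM()} or {@link #getProxyAsPEM()}.
 *
 * <p>Security notes for integrators:
 * <ul>
 * <li>The proxy is signed with the parent certificate's own signature algorithm unless
 *     {@link #setSignatureAlgorithm(String)} is called; a parent signed with a weak digest therefore
 *     yields a proxy signed with that same digest.</li>
 * <li>{@link #DEFAULT_KEY_LENGTH} (1024-bit RSA) is kept for backwards compatibility; callers should
 *     prefer {@link #setKeyLength(int)} with 2048 or more when no key pair is supplied.</li>
 * <li>When a PKCS#10 request is supplied its self-signature is not verified here.</li>
 * <li>The signing key passed to {@link #generate(PrivateKey)} is not checked against the parent's
 *     public key; a mismatch produces a proxy that fails chain validation.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe.
 */
public class ProxyCertificateGenerator {
    private static final Logger LOGGER = Logger.getLogger(ProxyCertificateGenerator.class);

    /** Proxy type produced when the parent gives no hint and no type was requested (RFC 3820). */
    public static final int DEFAULT_PROXY_TYPE = 54;
    /** RSA modulus length used when the generator has to create the proxy key pair itself. */
    public static final int DEFAULT_KEY_LENGTH = 1024;

    // Proxy type codes. 52 and 53 are also published by ProxyCertificateInfo; 54 is the RFC 3820 type
    // (DEFAULT_PROXY_TYPE) and 99 is the "not decided yet" marker this class receives from
    // ProxyCertificateInfo.getProxyType() — presumably for a parent that is not a proxy; confirm there.
    private static final int LEGACY_PROXY_TYPE = ProxyCertificateInfo.LEGACY_PROXY;
    private static final int DRAFT_RFC_PROXY_TYPE = ProxyCertificateInfo.DRAFT_RFC_PROXY;
    private static final int RFC3820_PROXY_TYPE = DEFAULT_PROXY_TYPE;
    private static final int UNKNOWN_PROXY_TYPE = 99;

    /** Validity granted when {@link #setLifetime(int)} is not called: 12 hours, in seconds. */
    private static final int DEFAULT_LIFETIME_SECONDS = 43200;
    /** notBefore is backdated by this many minutes to tolerate clock skew between hosts. */
    private static final int NOT_BEFORE_SKEW_MINUTES = 5;
    /** Entropy of a generated serial number; it doubles as the proxy CN so collisions must be rare. */
    private static final int SERIAL_NUMBER_BITS = 64;
    /** Shared CSPRNG for serial numbers and key generation (SecureRandom is thread-safe). */
    private static final SecureRandom RANDOM = new SecureRandom();

    private final X509Certificate m_parentCert;
    private final X509Certificate[] m_parentCertChain;
    private final X509Name m_baseName;
    private PrivateKey m_privateKey = null;
    private PublicKey m_publicKey = null;
    private int m_lifetime = DEFAULT_LIFETIME_SECONDS;
    private X509V3CertificateGenerator m_certGen;
    private X509Certificate m_newProxy = null;
    private BigInteger m_serialNumber = null;
    private String m_proxyPolicyOID = null;
    private DEROctetString m_proxyPolicyOctets = null;
    private X509Name m_newDN = null;
    private int m_type;
    private boolean m_limited = false;
    private String m_hashAlgorithm;
    private int m_keyLength = DEFAULT_KEY_LENGTH;
    private int m_pathLenLimit = ProxyCertInfoExtension.UNLIMITED;

    /**
     * Prepares a generator whose proxy will be issued by {@code parentChain[0]}.
     *
     * @param parentChain the parent chain, issuing certificate first
     * @throws IllegalArgumentException if the chain is null, empty or starts with null
     */
    public ProxyCertificateGenerator(X509Certificate[] parentChain) {
        if (parentChain == null || parentChain.length == 0 || parentChain[0] == null) {
            throw new IllegalArgumentException("A non-empty parent certificate chain is required to generate a proxy.");
        }
        m_parentCertChain = parentChain.clone();
        m_parentCert = parentChain[0];
        m_baseName = subjectAsX509Name(m_parentCert);
        // The proxy inherits the parent's signature algorithm unless overridden via setSignatureAlgorithm().
        m_hashAlgorithm = m_parentCert.getSigAlgName();
        m_type = new ProxyCertificateInfo(m_parentCert).getProxyType();
        m_certGen = new X509V3CertificateGenerator();
    }

    /**
     * Prepares a generator whose proxy will be issued by the given certificate (a one-element chain).
     *
     * @param parent the issuing certificate
     */
    public ProxyCertificateGenerator(X509Certificate parent) {
        this(new X509Certificate[]{parent});
    }

    /**
     * Prepares a generator that signs the public key found in a PKCS#10 request.
     *
     * <p>Only two things are taken from the request's subject: whether it is a legacy-style proxy DN
     * (which forces the legacy type when the type is still undecided) and, for RFC-style proxies, the
     * serial number encoded in its CN. The actual subject of the proxy is always derived from the
     * parent's subject by this class, never copied from the request.
     *
     * <p>NOTE(review): the request's self-signature (proof of possession) is not verified here; callers
     * accepting requests from untrusted parties should call {@code request.verify()} beforehand. The
     * serial number requested in the CN is used without further validation.
     *
     * @param parentChain the parent chain, issuing certificate first
     * @param request the certificate request carrying the proxy public key
     * @throws IllegalArgumentException if the chain is unusable or the request is null
     * @throws InvalidKeyException if the request's public key cannot be decoded
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException if the provider needed to decode the key is unavailable
     */
    public ProxyCertificateGenerator(X509Certificate[] parentChain, PKCS10CertificationRequest request)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        this(parentChain);
        if (request == null) {
            throw new IllegalArgumentException("A certificate request is required.");
        }
        m_publicKey = request.getPublicKey();
        m_newDN = X509Name.getInstance(request.getCertificationRequestInfo().getSubject());
        if (m_type == UNKNOWN_PROXY_TYPE && ProxyCertificateInfo.isLegacyDN(m_newDN)) {
            m_type = LEGACY_PROXY_TYPE;
        }
        if (m_type != LEGACY_PROXY_TYPE) {
            BigInteger requestedSerial = ProxyCertUtil.getSN(m_newDN);
            if (requestedSerial != null) {
                m_serialNumber = requestedSerial;
            }
        }
    }

    /**
     * Prepares a generator that signs the public key found in a PKCS#10 request, issued by a single
     * parent certificate.
     *
     * @param parent the issuing certificate
     * @param request the certificate request carrying the proxy public key
     * @throws InvalidKeyException if the request's public key cannot be decoded
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     * @throws NoSuchProviderException if the provider needed to decode the key is unavailable
     */
    public ProxyCertificateGenerator(X509Certificate parent, PKCS10CertificationRequest request)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        this(new X509Certificate[]{parent}, request);
    }

    /**
     * Sets the requested validity of the proxy in seconds. The effective notAfter is still capped by
     * the parent certificate's notAfter (see {@link #generate(PrivateKey)}).
     *
     * @param seconds validity in seconds, must not be negative
     * @throws IllegalArgumentException if {@code seconds} is negative
     */
    public void setLifetime(int seconds) {
        if (seconds < 0) {
            throw new IllegalArgumentException("Proxy lifetime must not be negative, got: " + seconds);
        }
        m_lifetime = seconds;
    }

    /**
     * Overrides the signature algorithm used to sign the proxy (by default the parent's own, e.g.
     * {@code "SHA256withRSA"}). It must match the key type of the signing key given to
     * {@link #generate(PrivateKey)}.
     *
     * @param algorithm a JCA signature algorithm name
     * @throws IllegalArgumentException if {@code algorithm} is null or empty
     */
    public void setSignatureAlgorithm(String algorithm) {
        if (algorithm == null || algorithm.length() == 0) {
            throw new IllegalArgumentException("Signature algorithm must not be empty.");
        }
        m_hashAlgorithm = algorithm;
    }

    /**
     * Adds an arbitrary extension to the proxy being built.
     *
     * @param oid the extension OID in dotted form
     * @param critical whether the extension is marked critical
     * @param value the extension value
     */
    public void addExtension(String oid, boolean critical, ASN1Encodable value) {
        m_certGen.addExtension(new DERObjectIdentifier(oid), critical, value);
    }

    /** Applies the parts common to every proxy type: validity, public key and key usage. */
    private void setupBasicProxy() {
        setupDates();
        m_certGen.setPublicKey(m_publicKey);
        // 0xB0 == digitalSignature | keyEncipherment | dataEncipherment, non-critical.
        m_certGen.addExtension(X509Extensions.KeyUsage, false,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));
    }

    /**
     * Builds and signs the proxy certificate.
     *
     * <p>If no public key is known (no request given) a fresh RSA key pair of {@link #setKeyLength(int)}
     * bits is generated and kept for {@link #getPrivateKey()}. An undecided type becomes
     * {@link #DEFAULT_PROXY_TYPE}.
     *
     * @param signingKey the private key matching the parent certificate; not verified against it here
     * @throws IllegalArgumentException if {@code signingKey} is null, if only a private proxy key is
     *         set, or if the proxy type is unsupported
     * @throws InvalidKeyException if the signing key is unusable
     * @throws SignatureException if signing fails
     * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public void generate(PrivateKey signingKey)
            throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateEncodingException {
        if (signingKey == null) {
            throw new IllegalArgumentException("A signing (parent) private key is required.");
        }
        if (m_publicKey == null) {
            if (m_privateKey != null) {
                throw new IllegalArgumentException("Only private key of the proxy is set. As it is, also public key has to be set.");
            }
            generateKeys();
        }
        if (m_type == UNKNOWN_PROXY_TYPE) {
            m_type = DEFAULT_PROXY_TYPE;
        }
        switch (m_type) {
            case LEGACY_PROXY_TYPE:
                setupOldProxy(m_limited);
                break;
            case DRAFT_RFC_PROXY_TYPE:
                setupRFC3280Proxy(m_serialNumber, m_proxyPolicyOID, m_proxyPolicyOctets, m_pathLenLimit, false);
                break;
            case RFC3820_PROXY_TYPE:
                setupRFC3280Proxy(m_serialNumber, m_proxyPolicyOID, m_proxyPolicyOctets, m_pathLenLimit, true);
                break;
            default:
                throw new IllegalArgumentException("Unknown or unsupported proxy type");
        }
        m_certGen.setIssuerDN(m_baseName);
        m_certGen.setSignatureAlgorithm(m_hashAlgorithm);
        m_newProxy = m_certGen.generate(signingKey);
    }

    /**
     * Generates the proxy's own RSA key pair with the BouncyCastle provider.
     *
     * @throws RuntimeException if RSA key generation is not available; silently continuing would
     *         leave both keys null and make {@link #generate(PrivateKey)} fail later in an obscure way
     */
    private void generateKeys() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", (Provider) new BouncyCastleProvider());
            generator.initialize(m_keyLength, RANDOM);
            KeyPair pair = generator.generateKeyPair();
            m_privateKey = pair.getPrivate();
            m_publicKey = pair.getPublic();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Unable to generate the RSA key pair for the proxy", e);
        }
    }

    /**
     * Returns the new proxy followed by the parent chain (proxy first, then {@code parentChain[0]} ...).
     * Element 0 is null until {@link #generate(PrivateKey)} has run.
     *
     * @return a fresh array, never null
     */
    public X509Certificate[] getCertChain() {
        X509Certificate[] chain = new X509Certificate[m_parentCertChain.length + 1];
        chain[0] = m_newProxy;
        System.arraycopy(m_parentCertChain, 0, chain, 1, m_parentCertChain.length);
        return chain;
    }

    /**
     * Returns the proxy private key, or null when the public key came from a request (the requester
     * holds the private key) or {@link #generate(PrivateKey)} has not run yet.
     *
     * @return the generated private key or null
     */
    public PrivateKey getPrivateKey() {
        return m_privateKey;
    }

    /**
     * Encodes {@link #getCertChain()} as concatenated PEM certificates.
     *
     * @return the PEM text
     * @throws IOException if encoding fails
     */
    public String getCertChainAsPEM() throws IOException {
        StringWriter out = new StringWriter();
        PEMWriter pem = new PEMWriter(out);
        X509Certificate[] chain = getCertChain();
        for (int i = 0; i < chain.length; i++) {
            pem.writeObject(chain[i]);
        }
        pem.flush();
        return out.toString();
    }

    /**
     * Encodes the proxy private key as PEM via {@link PrivateKeyReader#getPEM(PrivateKey)}. Only
     * meaningful when the key pair was generated by this class (see {@link #getPrivateKey()}).
     *
     * @return the PEM text of the private key
     */
    public String getPrivateKeyAsPEM() {
        return PrivateKeyReader.getPEM(m_privateKey);
    }

    /**
     * Produces the Globus-style proxy file content: the new proxy certificate, its private key, then
     * the parent chain written from the last element down to {@code parentChain[0]}.
     *
     * <p>The result contains an unencrypted private key and must be stored with restrictive
     * permissions. Only meaningful when the key pair was generated by this class.
     *
     * @return the PEM text
     * @throws IOException if encoding fails
     */
    public String getProxyAsPEM() throws IOException {
        StringWriter out = new StringWriter();
        PEMWriter pem = new PEMWriter(out);
        pem.writeObject(m_newProxy);
        pem.write(getPrivateKeyAsPEM());
        for (int i = m_parentCertChain.length - 1; i >= 0; i--) {
            pem.writeObject(m_parentCertChain[i]);
        }
        pem.flush();
        return out.toString();
    }

    /**
     * Derives a proxy subject by appending one CN RDN to a base name.
     *
     * @param baseName the issuer's subject
     * @param cn the CN value, or null to choose one: {@code "proxy"}/{@code "limited proxy"} when the
     *        base name already ends in such a CN (legacy chains), otherwise the serial number
     * @param limited whether a legacy proxy should be limited (only used when {@code cn} is null)
     * @return the new subject
     * @throws IllegalArgumentException if {@code baseName} is null
     */
    public X509Name generateDN(X509Name baseName, String cn, boolean limited) {
        if (baseName == null) {
            throw new IllegalArgumentException("generateDN: no basename given, can't generate DN.");
        }
        String effectiveCn = (cn == null) ? guessCN(baseName, limited) : cn;
        X509Name subject = appendCn(baseName, effectiveCn);
        LOGGER.debug("SubjectDN :" + subject);
        return subject;
    }

    /**
     * Chooses the CN for a proxy of {@code baseName} when the caller gave none: legacy names ending in
     * CN=proxy / CN=limited proxy keep that style, anything else gets the serial number.
     */
    private String guessCN(X509Name baseName, boolean limited) {
        ASN1Sequence rdns = ASN1Sequence.getInstance(baseName.toASN1Primitive());
        if (rdns.size() > 0) {
            // Last RDN is a SET of AVAs; look at its first AVA (type, value).
            ASN1Sequence lastAva = ASN1Sequence.getInstance(
                    DERSet.getInstance(rdns.getObjectAt(rdns.size() - 1)).getObjectAt(0));
            if (X509Name.CN.equals(lastAva.getObjectAt(0))) {
                String value = lastAva.getObjectAt(1).toString();
                if ("proxy".equals(value)) {
                    return limited ? "limited proxy" : "proxy";
                }
                if ("limited proxy".equals(value)) {
                    return "limited proxy";
                }
            }
        }
        return getSerialNumber().toString();
    }

    /** Copies every RDN of {@code base} and appends a single-valued CN RDN with the given value. */
    private static X509Name appendCn(X509Name base, String cn) {
        ASN1EncodableVector ava = new ASN1EncodableVector();
        ava.add(X509Name.CN);
        ava.add(new DERPrintableString(cn));

        ASN1EncodableVector rdns = new ASN1EncodableVector();
        Enumeration existing = ASN1Sequence.getInstance(base.toASN1Primitive()).getObjects();
        while (existing.hasMoreElements()) {
            rdns.add((ASN1Encodable) existing.nextElement());
        }
        rdns.add(new DERSet(new DERSequence(ava)));
        return new X509Name(new DERSequence(rdns));
    }

    /** Re-parses the DER subject so the result does not depend on which provider parsed the certificate. */
    private static X509Name subjectAsX509Name(X509Certificate cert) {
        return new X509Name(ASN1Sequence.getInstance(cert.getSubjectX500Principal().getEncoded()));
    }

    /**
     * Sets subject (parent subject + CN) and issuer on the certificate generator and records the
     * subject in {@code m_newDN}; any subject taken from a request is replaced here.
     */
    private void setupDNs(String cn) {
        X509Name subject = appendCn(m_baseName, cn);
        m_newDN = subject;
        LOGGER.debug("SubjectDN :" + subject);
        m_certGen.setSubjectDN(subject);
        m_certGen.setIssuerDN(m_baseName);
    }

    /**
     * Forces the proxy type. Changing a type that was already determined from the parent or the
     * request is allowed but logged as a warning, since mixing types breaks chain validation.
     *
     * @param type one of the legacy, draft-RFC or RFC 3820 type codes
     * @throws IllegalArgumentException for any other value
     */
    public void setType(int type) throws IllegalArgumentException {
        if (m_type == type) {
            return;
        }
        if (type != LEGACY_PROXY_TYPE && type != RFC3820_PROXY_TYPE && type != DRAFT_RFC_PROXY_TYPE) {
            throw new IllegalArgumentException("Trying to set the proxy type into an unsupported type");
        }
        if (m_type != UNKNOWN_PROXY_TYPE) {
            // Previously this fell through to the "unsupported type" exception after setting the field.
            LOGGER.warn("The proxy type setting is not the one of the parent or the cert request. Setting is:" + type);
        }
        m_type = type;
    }

    /** Legacy (pre-RFC) proxy: CN=proxy / CN=limited proxy and the parent's serial number. */
    private void setupOldProxy(boolean limited) {
        setupDNs(limited ? "limited proxy" : "proxy");
        setupBasicProxy();
        m_certGen.setSerialNumber(m_parentCert.getSerialNumber());
    }

    /**
     * Draft-RFC or RFC 3820 proxy: serial number as CN, plus the critical proxyCertInfo extension
     * carrying the path length limit and the policy.
     *
     * @param serial the serial to use, or null to generate one
     * @param policyOid the policy OID, or null for the default policy
     * @param policyOctets the policy value, may be null
     * @param pathLenLimit the proxy path length constraint
     * @param rfc3820 true for the RFC 3820 extension OID, false for the draft OID
     * @throws IllegalArgumentException if a limited proxy was requested with a conflicting policy OID
     */
    private void setupRFC3280Proxy(BigInteger serial, String policyOid, DEROctetString policyOctets,
            int pathLenLimit, boolean rfc3820) {
        setupBasicProxy();
        BigInteger effectiveSerial = (serial == null) ? getSerialNumber() : serial;
        m_certGen.setSerialNumber(effectiveSerial);
        setupDNs(effectiveSerial.toString());

        ProxyPolicy policy;
        if (m_limited) {
            if (policyOid != null && !policyOid.equals(ProxyPolicy.LIMITED_PROXY_OID)) {
                throw new IllegalArgumentException(
                        "Proxy info extension policy OID set to conflicting value when limiting proxy. OID is: " + policyOid);
            }
            policy = new ProxyPolicy(ProxyPolicy.LIMITED_PROXY_OID, policyOctets);
        } else {
            policy = new ProxyPolicy(policyOid, policyOctets);
        }
        ProxyCertInfoExtension info = new ProxyCertInfoExtension(pathLenLimit, policy);
        DERObjectIdentifier extensionOid = rfc3820
                ? ProxyCertInfoExtension.PROXY_CERT_INFO_EXTENSION_OID
                : ProxyCertInfoExtension.DRAFT_PROXY_CERT_INFO_EXTENSION_OID;
        m_certGen.addExtension(extensionOid, true, info);
    }

    /**
     * Sets notBefore to now minus the skew allowance and notAfter to now plus the skew allowance plus
     * the lifetime, capped by the parent certificate's notAfter so the proxy never outlives its issuer.
     */
    private void setupDates() {
        GregorianCalendar cal = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        cal.add(Calendar.MINUTE, -NOT_BEFORE_SKEW_MINUTES);
        m_certGen.setNotBefore(cal.getTime());
        cal.add(Calendar.MINUTE, 2 * NOT_BEFORE_SKEW_MINUTES);
        cal.add(Calendar.SECOND, m_lifetime);
        Date notAfter = cal.getTime();
        Date parentNotAfter = m_parentCert.getNotAfter();
        if (parentNotAfter.before(notAfter)) {
            notAfter = parentNotAfter;
        }
        m_certGen.setNotAfter(notAfter);
    }

    /**
     * Sets the RSA modulus length used when the key pair is generated by this class. Values are
     * validated by the key pair generator; 2048 or more is recommended.
     *
     * @param bits modulus length in bits
     */
    public void setKeyLength(int bits) {
        m_keyLength = bits;
    }

    /** Marks the proxy as limited (legacy: CN=limited proxy; RFC: limited-proxy policy OID). */
    public void setLimited() {
        m_limited = true;
    }

    /**
     * Returns the serial number, generating a random positive one on first use. Random serials were
     * previously 31-bit; they are also used as the proxy CN, so more entropy keeps names unique.
     */
    private BigInteger getSerialNumber() {
        if (m_serialNumber == null) {
            BigInteger candidate = new BigInteger(SERIAL_NUMBER_BITS, RANDOM);
            m_serialNumber = (candidate.signum() == 0) ? BigInteger.ONE : candidate;
        }
        return m_serialNumber;
    }

    /**
     * Sets the serial number explicitly (RFC-style proxies also use it as the CN).
     *
     * @param serial the serial number to use
     */
    public void setSerialNumber(BigInteger serial) {
        m_serialNumber = serial;
    }

    /**
     * Sets the proxy policy for RFC-style proxies.
     *
     * @param oid the policy OID
     * @param octets the policy value, may be null
     * @throws IllegalArgumentException for legacy proxies, which have no policy
     */
    public void setPolicy(String oid, DEROctetString octets) {
        if (m_type == LEGACY_PROXY_TYPE) {
            throw new IllegalArgumentException("Legacy proxies do not support setting the proxy policy.");
        }
        m_proxyPolicyOID = oid;
        m_proxyPolicyOctets = octets;
    }

    /**
     * Sets the proxy path length constraint for RFC-style proxies.
     *
     * @param limit the maximum number of further proxies, or {@code ProxyCertInfoExtension.UNLIMITED}
     * @throws IllegalArgumentException for legacy proxies, which have no such constraint
     */
    public void setProxyPathLimit(int limit) {
        if (m_type == LEGACY_PROXY_TYPE) {
            throw new IllegalArgumentException("Legacy proxies do not support setting the proxy path length limit.");
        }
        m_pathLenLimit = limit;
    }

    /**
     * Adds the non-critical source-restriction extension.
     *
     * @param restrictions the name constraints to encode
     */
    public void setProxySourceRestrictions(ProxyRestrictionData restrictions) {
        m_certGen.addExtension(ProxyRestrictionData.SOURCE_RESTRICTION_OID, false, restrictions.getNameConstraints());
    }

    /**
     * Adds the non-critical target-restriction extension.
     *
     * @param restrictions the name constraints to encode
     */
    public void setProxyTargetRestrictions(ProxyRestrictionData restrictions) {
        m_certGen.addExtension(ProxyRestrictionData.TARGET_RESTRICTION_OID, false, restrictions.getNameConstraints());
    }

    /**
     * Adds the non-critical proxy tracing issuer extension.
     *
     * @param name the tracing name to record
     */
    public void setProxyTracingIssuer(String name) {
        m_certGen.addExtension(ProxyTracingExtension.PROXY_TRACING_ISSUER_EXTENSION_OID, false,
                new ProxyTracingExtension(name).getNames());
    }

    /**
     * Adds the non-critical proxy tracing subject extension.
     *
     * @param name the tracing name to record
     */
    public void setProxyTracingSubject(String name) {
        m_certGen.addExtension(ProxyTracingExtension.PROXY_TRACING_SUBJECT_EXTENSION_OID, false,
                new ProxyTracingExtension(name).getNames());
    }

    static {
        // Register BouncyCastle once, at a low priority, unless an installation already provides "BC".
        if (Security.getProvider("BC") == null) {
            Security.insertProviderAt(new BouncyCastleProvider(), 6);
        }
    }
}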
