package io.spiffe.svid.x509svid;

import io.spiffe.exception.X509SvidException;
import io.spiffe.internal.AsymmetricKeyAlgorithm;
import io.spiffe.internal.CertificateUtils;
import io.spiffe.internal.KeyFileFormat;
import io.spiffe.spiffeid.SpiffeId;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import lombok.Generated;
import lombok.NonNull;

/* loaded from: input_file:io/spiffe/svid/x509svid/X509Svid.class */
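/**
 * An X.509 SVID: a SPIFFE ID together with the certificate chain that carries it and the
 * private key matching the leaf certificate.
 *
 * <p>Instances are immutable and can only be obtained through {@link #load}, {@link #parse}
 * and {@link #parseRaw}. All three run the same checks before an instance is returned: the
 * private key must match the leaf's public key, the leaf must not be a CA and must carry
 * {@code digitalSignature} (but neither {@code keyCertSign} nor {@code cRLSign}), and every
 * further certificate in the chain must be a CA with {@code keyCertSign}.
 *
 * <p>{@link #toString()} deliberately does not render the private key.
 */
public final class X509Svid {
    private final SpiffeId spiffeId;
    // Leaf first; callers only ever see it through the unmodifiable view in getChain().
    private final List<X509Certificate> chain;
    private final PrivateKey privateKey;

    private X509Svid(SpiffeId spiffeId, List<X509Certificate> chain, PrivateKey privateKey) {
        this.spiffeId = spiffeId;
        this.chain = chain;
        this.privateKey = privateKey;
    }

    /**
     * Returns the leaf certificate, i.e. the first element of the chain.
     *
     * @return the leaf certificate
     */
    public X509Certificate getLeaf() {
        return this.chain.get(0);
    }

    /**
     * Returns the certificate chain, leaf first, as an unmodifiable view.
     *
     * @return the certificate chain; attempts to modify it throw
     *         {@link UnsupportedOperationException}
     */
    public List<X509Certificate> getChain() {
        return Collections.unmodifiableList(this.chain);
    }

    /**
     * Loads a PEM-encoded SVID from two files.
     *
     * @param certsFilePath      path of the PEM file holding the certificate chain, leaf first
     * @param privateKeyFilePath path of the PEM file holding the private key
     * @return the validated SVID
     * @throws X509SvidException    if either file cannot be read, or the material cannot be
     *                              parsed or fails validation
     * @throws NullPointerException if either path is {@code null}
     */
    public static X509Svid load(@NonNull Path certsFilePath, @NonNull Path privateKeyFilePath)
            throws X509SvidException {
        if (certsFilePath == null) {
            throw new NullPointerException("certsFilePath is marked non-null but is null");
        }
        if (privateKeyFilePath == null) {
            throw new NullPointerException("privateKeyFilePath is marked non-null but is null");
        }
        // Each read gets its own handler so the exception message names the file that actually
        // failed; a single handler around both reads would blame the key file for a cert failure.
        byte[] certsBytes;
        try {
            certsBytes = Files.readAllBytes(certsFilePath);
        } catch (IOException e) {
            throw new X509SvidException("Cannot read certificate file", e);
        }
        byte[] privateKeyBytes;
        try {
            privateKeyBytes = Files.readAllBytes(privateKeyFilePath);
        } catch (IOException e) {
            throw new X509SvidException("Cannot read private key file", e);
        }
        return createX509Svid(certsBytes, privateKeyBytes, KeyFileFormat.PEM);
    }

    /**
     * Parses a PEM-encoded SVID from in-memory bytes.
     *
     * @param certsBytes      PEM-encoded certificate chain, leaf first
     * @param privateKeyBytes PEM-encoded private key
     * @return the validated SVID
     * @throws X509SvidException    if the material cannot be parsed or fails validation
     * @throws NullPointerException if either argument is {@code null}
     */
    public static X509Svid parse(@NonNull byte[] certsBytes, @NonNull byte[] privateKeyBytes)
            throws X509SvidException {
        if (certsBytes == null) {
            throw new NullPointerException("certsBytes is marked non-null but is null");
        }
        if (privateKeyBytes == null) {
            throw new NullPointerException("privateKeyBytes is marked non-null but is null");
        }
        return createX509Svid(certsBytes, privateKeyBytes, KeyFileFormat.PEM);
    }

    /**
     * Parses a DER-encoded SVID from in-memory bytes.
     *
     * @param certsBytes      DER-encoded certificate chain, leaf first
     * @param privateKeyBytes DER-encoded private key
     * @return the validated SVID
     * @throws X509SvidException    if the material cannot be parsed or fails validation
     * @throws NullPointerException if either argument is {@code null}
     */
    public static X509Svid parseRaw(@NonNull byte[] certsBytes, @NonNull byte[] privateKeyBytes)
            throws X509SvidException {
        if (certsBytes == null) {
            throw new NullPointerException("certsBytes is marked non-null but is null");
        }
        if (privateKeyBytes == null) {
            throw new NullPointerException("privateKeyBytes is marked non-null but is null");
        }
        return createX509Svid(certsBytes, privateKeyBytes, KeyFileFormat.DER);
    }

    /**
     * Returns the certificate chain, leaf first, as a freshly allocated array.
     *
     * @return a new array; modifying it does not affect this SVID
     */
    public X509Certificate[] getChainArray() {
        return this.chain.toArray(new X509Certificate[0]);
    }

    /**
     * Parses and validates the certificate chain and private key, then builds the SVID.
     *
     * <p>Order matters: the key is parsed with the algorithm taken from the leaf's public key,
     * so the chain must be parsed first.
     *
     * @param certsBytes      encoded certificate chain, leaf first
     * @param privateKeyBytes encoded private key in {@code keyFileFormat}
     * @param keyFileFormat   encoding of {@code privateKeyBytes}
     * @return the validated SVID
     * @throws X509SvidException if parsing or any validation step fails
     */
    private static X509Svid createX509Svid(byte[] certsBytes, byte[] privateKeyBytes,
                                           KeyFileFormat keyFileFormat) throws X509SvidException {
        List<X509Certificate> certificates = generateX509Certificates(certsBytes);
        if (certificates.isEmpty()) {
            // Every step below indexes element 0; surface a domain error rather than an
            // IndexOutOfBoundsException if the parser hands back no certificate at all.
            throw new X509SvidException("No certificate could be parsed from cert bytes");
        }
        PrivateKey privateKey = generatePrivateKey(privateKeyBytes, keyFileFormat, certificates);
        SpiffeId spiffeId = getSpiffeId(certificates);
        validatePrivateKey(privateKey, certificates);
        validateLeafCertificate(certificates.get(0));
        if (certificates.size() > 1) {
            validateSigningCertificates(certificates);
        }
        return new X509Svid(spiffeId, certificates, privateKey);
    }

    /**
     * Derives the SPIFFE ID from the leaf certificate.
     *
     * @param chain certificate chain, leaf first (must be non-empty)
     * @return the SPIFFE ID carried by the leaf
     * @throws X509SvidException if the leaf does not yield a valid SPIFFE ID
     */
    private static SpiffeId getSpiffeId(List<X509Certificate> chain) throws X509SvidException {
        try {
            return CertificateUtils.getSpiffeId(chain.get(0));
        } catch (CertificateException e) {
            throw new X509SvidException(e.getMessage(), e);
        }
    }

    /**
     * Parses the private key using the key algorithm advertised by the leaf's public key.
     *
     * @param privateKeyBytes encoded private key
     * @param keyFileFormat   encoding of {@code privateKeyBytes}
     * @param chain           certificate chain, leaf first (must be non-empty)
     * @return the parsed private key
     * @throws X509SvidException if the bytes cannot be turned into a key of that algorithm
     */
    private static PrivateKey generatePrivateKey(byte[] privateKeyBytes, KeyFileFormat keyFileFormat,
                                                 List<X509Certificate> chain) throws X509SvidException {
        String leafAlgorithm = chain.get(0).getPublicKey().getAlgorithm();
        try {
            return CertificateUtils.generatePrivateKey(privateKeyBytes,
                    AsymmetricKeyAlgorithm.parse(leafAlgorithm), keyFileFormat);
        } catch (InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new X509SvidException("Private Key could not be parsed from key bytes", e);
        }
    }

    /**
     * Parses the encoded certificate chain.
     *
     * @param certsBytes encoded certificates
     * @return the parsed certificates in encoded order
     * @throws X509SvidException if the bytes cannot be parsed as certificates
     */
    private static List<X509Certificate> generateX509Certificates(byte[] certsBytes)
            throws X509SvidException {
        try {
            return CertificateUtils.generateCertificates(certsBytes);
        } catch (CertificateParsingException e) {
            throw new X509SvidException("Certificate could not be parsed from cert bytes", e);
        }
    }

    /**
     * Checks every certificate after the leaf with {@link #verifyCaCert}.
     *
     * @param chain certificate chain, leaf first
     * @throws X509SvidException if any non-leaf certificate fails the CA checks
     */
    private static void validateSigningCertificates(List<X509Certificate> chain)
            throws X509SvidException {
        for (X509Certificate signingCert : chain.subList(1, chain.size())) {
            verifyCaCert(signingCert);
        }
    }

    /**
     * Requires a non-leaf certificate to be a CA that may sign certificates.
     *
     * @param certificate a certificate above the leaf in the chain
     * @throws X509SvidException if the CA flag is absent or {@code keyCertSign} is not set
     */
    private static void verifyCaCert(X509Certificate certificate) throws X509SvidException {
        if (!CertificateUtils.isCA(certificate)) {
            throw new X509SvidException("Signing certificate must have CA flag set to true");
        }
        if (!CertificateUtils.hasKeyUsageCertSign(certificate)) {
            throw new X509SvidException("Signing certificate must have 'keyCertSign' as key usage");
        }
    }

    /**
     * Requires the leaf to be an end-entity certificate with the expected key usage.
     *
     * @param leaf the leaf certificate
     * @throws X509SvidException if the leaf has the CA flag set or its key usage is wrong
     */
    private static void validateLeafCertificate(X509Certificate leaf) throws X509SvidException {
        if (CertificateUtils.isCA(leaf)) {
            throw new X509SvidException("Leaf certificate must not have CA flag set to true");
        }
        validateKeyUsageOfLeafCertificate(leaf);
    }

    /**
     * Requires {@code digitalSignature} on the leaf and rejects {@code keyCertSign} and
     * {@code cRLSign}, so an SVID cannot double as a signing certificate.
     *
     * @param leaf the leaf certificate
     * @throws X509SvidException if the key usage does not match
     */
    private static void validateKeyUsageOfLeafCertificate(X509Certificate leaf)
            throws X509SvidException {
        if (!CertificateUtils.hasKeyUsageDigitalSignature(leaf)) {
            throw new X509SvidException("Leaf certificate must have 'digitalSignature' as key usage");
        }
        if (CertificateUtils.hasKeyUsageCertSign(leaf)) {
            throw new X509SvidException("Leaf certificate must not have 'keyCertSign' as key usage");
        }
        if (CertificateUtils.hasKeyUsageCRLSign(leaf)) {
            throw new X509SvidException("Leaf certificate must not have 'cRLSign' as key usage");
        }
    }

    /**
     * Requires the private key to match the leaf's public key.
     *
     * @param privateKey the parsed private key
     * @param chain      certificate chain, leaf first (must be non-empty)
     * @throws X509SvidException if the key does not correspond to the leaf certificate
     */
    private static void validatePrivateKey(PrivateKey privateKey, List<X509Certificate> chain)
            throws X509SvidException {
        try {
            CertificateUtils.validatePrivateKey(privateKey, chain.get(0));
        } catch (InvalidKeyException e) {
            throw new X509SvidException("Private Key does not match Certificate Public Key", e);
        }
    }

    /**
     * Returns the SPIFFE ID carried by the leaf certificate.
     *
     * @return the SPIFFE ID
     */
    @Generated
    public SpiffeId getSpiffeId() {
        return this.spiffeId;
    }

    /**
     * Returns the private key matching the leaf certificate. Treat the result as secret.
     *
     * @return the private key
     */
    @Generated
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /** Two SVIDs are equal when their SPIFFE ID, chain and private key are all equal. */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof X509Svid)) {
            return false;
        }
        X509Svid other = (X509Svid) obj;
        return Objects.equals(this.spiffeId, other.spiffeId)
                && Objects.equals(this.chain, other.chain)
                && Objects.equals(this.privateKey, other.privateKey);
    }

    /** Hash consistent with {@link #equals(Object)}: built from the same three fields. */
    @Override
    public int hashCode() {
        return Objects.hash(this.spiffeId, this.chain, this.privateKey);
    }

    /**
     * Renders the SPIFFE ID and chain; the private key is shown as {@code <redacted>}.
     *
     * <p>toString() output routinely ends up in logs and exception messages, and the JDK's own
     * key implementations may include secret material in their string form, so the key is
     * deliberately left out.
     */
    @Override
    public String toString() {
        return "X509Svid(spiffeId=" + getSpiffeId() + ", chain=" + getChain()
                + ", privateKey=<redacted>)";
    }
}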
