package io.spiffe.utils;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:io/spiffe/utils/X509CertificateTestUtils.class */
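/**
 * Builds throw-away X.509 certificate chains for tests: a self-signed root CA,
 * and CA or end-entity certificates signed by an existing {@link CertAndKeyPair}.
 *
 * <p>Every certificate is RSA-2048 / SHA256WithRSA, is back-dated by
 * {@link #NOT_BEFORE_DAYS} days and valid for {@link #VALIDITY_DAYS} days from that
 * point. Nothing here is suitable for production key or certificate issuance.
 */
public class X509CertificateTestUtils {

    /** RSA modulus length; fixed explicitly instead of relying on the provider default. */
    private static final int RSA_KEY_SIZE = 2048;

    /** Signature algorithm used for every certificate produced by this class. */
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSA";

    /** Validity begins this many days in the past, so small clock skew between test hosts cannot make a fresh certificate "not yet valid". */
    private static final long NOT_BEFORE_DAYS = 5L;

    /** Validity length, counted from the back-dated notBefore. */
    private static final long VALIDITY_DAYS = 30L;

    /** Key usage bits assigned to certificates with cA=true. */
    private static final int CA_KEY_USAGE =
            KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign;

    /** Key usage bits assigned to end-entity certificates. */
    private static final int END_ENTITY_KEY_USAGE =
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyAgreement;

    /**
     * Source of serial numbers. RFC 5280 §4.1.2.2 requires a positive serial that is
     * unique per issuer; a random 63-bit value (plus one) satisfies both, whereas the
     * wall clock collides for two certificates issued in the same millisecond.
     */
    private static final SecureRandom SERIAL_RANDOM = new SecureRandom();

    /**
     * Creates a self-signed root CA certificate.
     *
     * @param distinguishedName X.500 name used as both subject and issuer (e.g. {@code "CN=test-ca"})
     * @param sanUri            URI written into the CA's critical subjectAlternativeName
     * @return the CA certificate together with the key pair it certifies
     * @throws Exception if key generation, extension encoding or signing fails
     */
    public static CertAndKeyPair createRootCA(String distinguishedName, String sanUri) throws Exception {
        KeyPair caKeys = generateKeyPair();
        JcaX509v3CertificateBuilder builder = getCertificateBuilder(caKeys, distinguishedName, distinguishedName);
        addCAExtensions(builder, caKeys, sanUri);
        // Self-signed: the CA's own private key signs its certificate.
        X509Certificate certificate = getSignedX509Certificate(caKeys.getPrivate(), builder);
        return new CertAndKeyPair(certificate, caKeys);
    }

    /**
     * Creates a certificate for a fresh key pair, signed by {@code issuer}'s private key.
     *
     * <p>{@code issuerName} is written verbatim; it is not checked against the subject
     * of {@code issuer}'s certificate, so a mismatch produces a chain that will not
     * path-validate. No authorityKeyIdentifier is added.
     *
     * @param subjectName X.500 subject of the new certificate
     * @param issuerName  X.500 issuer name recorded in the new certificate
     * @param sanUri      URI for the subjectAlternativeName; omitted when null or blank
     * @param issuer      certificate and key pair that sign the new certificate
     * @param isCA        {@code true} for an intermediate CA, {@code false} for an end-entity certificate
     * @return the new certificate together with its key pair
     * @throws Exception if key generation, extension encoding or signing fails
     */
    public static CertAndKeyPair createCertificate(String subjectName, String issuerName, String sanUri,
                                                   CertAndKeyPair issuer, boolean isCA) throws Exception {
        KeyPair subjectKeys = generateKeyPair();
        PrivateKey signingKey = issuer.keyPair.getPrivate();
        JcaX509v3CertificateBuilder builder = getCertificateBuilder(subjectKeys, subjectName, issuerName);
        addCertExtensions(builder, sanUri, isCA);
        X509Certificate certificate = getSignedX509Certificate(signingKey, builder);
        return new CertAndKeyPair(certificate, subjectKeys);
    }

    /**
     * Generates an RSA key pair of {@link #RSA_KEY_SIZE} bits.
     *
     * @throws NoSuchAlgorithmException if no provider offers RSA key generation
     */
    private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        // The unset default size is provider-dependent; pin it so every test gets the same key strength.
        generator.initialize(RSA_KEY_SIZE);
        return generator.generateKeyPair();
    }

    /**
     * Adds basicConstraints, keyUsage and (for end entities) extendedKeyUsage, plus an
     * optional non-critical URI subjectAlternativeName.
     *
     * @param builder the certificate under construction
     * @param sanUri  URI for the subjectAlternativeName; skipped when null or blank
     * @param isCA    selects CA (cA=true, keyCertSign) versus end-entity extensions
     * @throws CertIOException if an extension cannot be encoded
     */
    private static void addCertExtensions(JcaX509v3CertificateBuilder builder, String sanUri, boolean isCA)
            throws CertIOException {
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCA));
        if (isCA) {
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(CA_KEY_USAGE));
        } else {
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(END_ENTITY_KEY_USAGE));
            // End entities may act as either TLS peer; the EKU is non-critical.
            ASN1EncodableVector purposes = new ASN1EncodableVector();
            purposes.add(KeyPurposeId.id_kp_serverAuth);
            purposes.add(KeyPurposeId.id_kp_clientAuth);
            builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));
        }
        if (StringUtils.isNotBlank(sanUri)) {
            GeneralName uri = new GeneralName(GeneralName.uniformResourceIdentifier, sanUri);
            builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(uri));
        }
    }

    /**
     * Adds the root-CA extension set: cA=true, CA key usage, a critical URI
     * subjectAlternativeName and a subjectKeyIdentifier.
     *
     * <p>The subjectKeyIdentifier value is the full DER-encoded SubjectPublicKeyInfo
     * rather than the SHA-1 key hash RFC 5280 §4.2.1.2 suggests. It is kept that way
     * because nothing in this class emits an authorityKeyIdentifier that would have
     * to match it.
     *
     * @param builder the certificate under construction
     * @param caKeys  the CA's key pair; its public key feeds the subjectKeyIdentifier
     * @param sanUri  URI for the critical subjectAlternativeName
     * @throws CertIOException if an extension cannot be encoded
     */
    private static void addCAExtensions(JcaX509v3CertificateBuilder builder, KeyPair caKeys, String sanUri)
            throws CertIOException {
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(CA_KEY_USAGE));
        GeneralName uri = new GeneralName(GeneralName.uniformResourceIdentifier, sanUri);
        builder.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(uri));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                new SubjectKeyIdentifier(caKeys.getPublic().getEncoded()));
    }

    /**
     * Starts a v3 certificate for {@code subjectKeys}' public key with a random serial
     * and the class-wide validity window.
     *
     * @param subjectKeys key pair whose public key the certificate certifies
     * @param subjectName X.500 subject name
     * @param issuerName  X.500 issuer name
     * @return a builder with tbsCertificate fields set and no extensions yet
     */
    private static JcaX509v3CertificateBuilder getCertificateBuilder(KeyPair subjectKeys, String subjectName,
                                                                     String issuerName) {
        // +1 keeps the serial strictly positive (RFC 5280 forbids zero and negative serials).
        BigInteger serial = new BigInteger(63, SERIAL_RANDOM).add(BigInteger.ONE);
        Instant notBefore = Instant.now().minus(NOT_BEFORE_DAYS, ChronoUnit.DAYS);
        Instant notAfter = notBefore.plus(VALIDITY_DAYS, ChronoUnit.DAYS);
        return new JcaX509v3CertificateBuilder(
                new X500Name(issuerName),
                serial,
                Date.from(notBefore),
                Date.from(notAfter),
                new X500Name(subjectName),
                subjectKeys.getPublic());
    }

    /**
     * Signs the builder's contents with {@code signingKey} using {@link #SIGNATURE_ALGORITHM}
     * and converts the result to a JCA {@link X509Certificate}.
     *
     * @param signingKey the issuer's private key
     * @param builder    the fully populated certificate builder
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws CertificateException      if the signed structure cannot be converted
     */
    private static X509Certificate getSignedX509Certificate(PrivateKey signingKey,
                                                            JcaX509v3CertificateBuilder builder)
            throws OperatorCreationException, CertificateException {
        var signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(signingKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }
}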
