package net.ripe.rpki.commons.crypto.x509cert;

import java.math.BigInteger;
import java.net.URI;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.EnumSet;
import java.util.Iterator;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder;
import net.ripe.rpki.commons.crypto.rfc8209.RouterExtensionEncoder;
import net.ripe.rpki.commons.crypto.util.BouncyCastleUtil;
import org.apache.commons.lang.Validate;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.class */
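/**
 * Fluent helper that assembles an RPKI-style X.509 v3 certificate on top of
 * BouncyCastle's {@link X509v3CertificateBuilder}.
 *
 * <p>The {@code with...} setters collect the TBS fields and the extensions to
 * emit; {@link #generateCertificate()} validates the mandatory fields, adds the
 * requested extensions (subject/authority key identifiers, basic constraints,
 * key usage, AIA, SIA, CRL distribution points, certificate policies, the
 * RFC 3779 resource extensions and the RFC 8209 BGPsec router EKU) and signs
 * the result with the private half of the signing key pair.
 *
 * <p>Security invariants enforced here: a certificate that is not a CA may not
 * carry the {@code keyCertSign} key-usage bit, and the CA and router flags are
 * mutually exclusive (setting one clears the other). Arrays passed to the
 * setters are copied so that later mutation by the caller cannot change what
 * gets signed.
 *
 * <p>Not thread-safe; build one instance per certificate.
 */
public final class X509CertificateBuilderHelper {
    /** Signature algorithm used unless {@link #withSignatureAlgorithm(String)} overrides it. */
    public static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** JCA provider used for signing unless {@link #withSignatureProvider(String)} overrides it. */
    public static final String DEFAULT_SIGNATURE_PROVIDER = "SunRsaSign";

    private BigInteger serial;
    private X500Principal subjectDN;
    private X500Principal issuerDN;
    private ValidityPeriod validityPeriod;
    private IpResourceSet resources;
    private PublicKey publicKey;
    private KeyPair signingKeyPair;
    // KeyUsage bit mask; 0 means "do not emit a key-usage extension".
    private int keyUsage;
    private boolean ca;
    // null means "no CRL distribution points extension".
    private URI[] crlDistributionPoints;
    private AccessDescription[] authorityInformationAccess;
    private AccessDescription[] subjectInformationAccess;
    private PolicyInformation[] policies;
    private String signatureProvider = DEFAULT_SIGNATURE_PROVIDER;
    private String signatureAlgorithm = DEFAULT_SIGNATURE_ALGORITHM;
    private boolean router = false;
    private boolean addSubjectKeyIdentifier = true;
    private boolean addAuthorityKeyIdentifier = true;
    // Resource types encoded as "inherit" in the RFC 3779 extensions instead of listed explicitly.
    private EnumSet<IpResourceType> inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class);

    /** Sets the JCA provider name used to create the content signer. */
    public X509CertificateBuilderHelper withSignatureProvider(String str) {
        this.signatureProvider = str;
        return this;
    }

    /** Sets the certificate serial number (mandatory). */
    public X509CertificateBuilderHelper withSerial(BigInteger bigInteger) {
        this.serial = bigInteger;
        return this;
    }

    /** Sets the subject distinguished name (mandatory). */
    public X509CertificateBuilderHelper withSubjectDN(X500Principal x500Principal) {
        this.subjectDN = x500Principal;
        return this;
    }

    /** Sets the issuer distinguished name (mandatory). */
    public X509CertificateBuilderHelper withIssuerDN(X500Principal x500Principal) {
        this.issuerDN = x500Principal;
        return this;
    }

    /** Sets the notBefore/notAfter period (mandatory). */
    public X509CertificateBuilderHelper withValidityPeriod(ValidityPeriod validityPeriod) {
        this.validityPeriod = validityPeriod;
        return this;
    }

    /**
     * Sets the IP and AS resources to encode in the RFC 3779 extensions.
     * {@code null} means the resource extensions are not emitted at all.
     */
    public X509CertificateBuilderHelper withResources(IpResourceSet ipResourceSet) {
        this.resources = ipResourceSet;
        return this;
    }

    /** Sets the public key certified by this certificate (mandatory). */
    public X509CertificateBuilderHelper withPublicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
        return this;
    }

    /**
     * Sets the issuer's key pair (mandatory). The private half signs the
     * certificate; the public half is used to derive the authority key identifier.
     */
    public X509CertificateBuilderHelper withSigningKeyPair(KeyPair keyPair) {
        this.signingKeyPair = keyPair;
        return this;
    }

    /** Sets the JCA signature algorithm name, e.g. {@value #DEFAULT_SIGNATURE_ALGORITHM}. */
    public X509CertificateBuilderHelper withSignatureAlgorithm(String str) {
        this.signatureAlgorithm = str;
        return this;
    }

    /**
     * Sets the {@link KeyUsage} bit mask. A value of 0 suppresses the extension;
     * {@code keyCertSign} is only accepted when the certificate is a CA.
     */
    public X509CertificateBuilderHelper withKeyUsage(int i) {
        this.keyUsage = i;
        return this;
    }

    /** Marks the certificate as a CA; clears the router flag when {@code true}. */
    public X509CertificateBuilderHelper withCa(boolean z) {
        this.ca = z;
        if (z) {
            this.router = false;
        }
        return this;
    }

    /** Marks the certificate as a BGPsec router certificate; clears the CA flag when {@code true}. */
    public X509CertificateBuilderHelper withRouter(boolean z) {
        this.router = z;
        if (z) {
            this.ca = false;
        }
        return this;
    }

    /** Controls whether a subject key identifier extension is added (default {@code true}). */
    public X509CertificateBuilderHelper withSubjectKeyIdentifier(boolean z) {
        this.addSubjectKeyIdentifier = z;
        return this;
    }

    /** Controls whether an authority key identifier extension is added (default {@code true}). */
    public X509CertificateBuilderHelper withAuthorityKeyIdentifier(boolean z) {
        this.addAuthorityKeyIdentifier = z;
        return this;
    }

    /**
     * Sets the CRL distribution point URIs. The array is copied; {@code null}
     * means no CRL distribution points extension. Null elements are rejected
     * at build time.
     */
    public X509CertificateBuilderHelper withCrlDistributionPoints(URI... uriArr) {
        this.crlDistributionPoints = uriArr == null ? null : uriArr.clone();
        return this;
    }

    /** Sets the authority information access descriptors; {@code null} means no AIA extension. */
    public X509CertificateBuilderHelper withAuthorityInformationAccess(X509CertificateInformationAccessDescriptor... x509CertificateInformationAccessDescriptorArr) {
        this.authorityInformationAccess = X509CertificateInformationAccessDescriptor.convertAccessDescriptors(x509CertificateInformationAccessDescriptorArr);
        return this;
    }

    /** Sets the subject information access descriptors; {@code null} means no SIA extension. */
    public X509CertificateBuilderHelper withSubjectInformationAccess(X509CertificateInformationAccessDescriptor... x509CertificateInformationAccessDescriptorArr) {
        this.subjectInformationAccess = X509CertificateInformationAccessDescriptor.convertAccessDescriptors(x509CertificateInformationAccessDescriptorArr);
        return this;
    }

    /**
     * Sets the certificate policies. The array is copied; {@code null} or an
     * empty array means no certificate policies extension.
     */
    public X509CertificateBuilderHelper withPolicies(PolicyInformation... policyInformationArr) {
        this.policies = policyInformationArr == null ? null : policyInformationArr.clone();
        return this;
    }

    /**
     * Sets the resource types that are encoded as "inherit" rather than listed.
     * The set is copied. Build fails if the explicit resources also contain a
     * resource of an inherited type.
     */
    public X509CertificateBuilderHelper withInheritedResourceTypes(EnumSet<IpResourceType> enumSet) {
        this.inheritedResourceTypes = EnumSet.copyOf(enumSet);
        return this;
    }

    /**
     * Builds and signs the certificate.
     *
     * @return the signed certificate, converted to a JCA {@link X509Certificate}
     * @throws X509ResourceCertificateBuilderException if a mandatory field is
     *         missing, the signer cannot be created, or the certificate cannot be
     *         converted
     */
    public X509Certificate generateCertificate() {
        try {
            JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(this.signatureAlgorithm)
                    .setProvider(this.signatureProvider);
            // Only the private half of the signing key pair is ever used for signing.
            return new JcaX509CertificateConverter().getCertificate(
                    createCertificateGenerator().build(signerBuilder.build(this.signingKeyPair.getPrivate())));
        } catch (IllegalStateException | OperatorCreationException | CertificateException e) {
            throw new X509ResourceCertificateBuilderException(e);
        }
    }

    /**
     * Creates the TBS certificate builder with every requested extension attached.
     *
     * @return a builder ready to be signed
     * @throws X509ResourceCertificateBuilderException if validation fails or an
     *         extension cannot be encoded
     */
    protected X509v3CertificateBuilder createCertificateGenerator() {
        try {
            X509v3CertificateBuilder builder = createX509V3CertificateGenerator();
            if (this.addSubjectKeyIdentifier) {
                addSubjectKeyIdentifier(builder);
            }
            if (this.addAuthorityKeyIdentifier) {
                addAuthorityKeyIdentifier(builder);
            }
            if (this.ca) {
                addCaBit(builder);
            }
            if (this.router) {
                addBgpExtension(builder);
            }
            if (this.keyUsage != 0) {
                addKeyUsage(builder);
            }
            if (this.authorityInformationAccess != null) {
                addAIA(builder);
            }
            if (this.subjectInformationAccess != null) {
                addSIA(builder);
            }
            if (this.crlDistributionPoints != null) {
                // NOTE(review): an empty (non-null) array is not rejected here and
                // would yield a distribution point with an empty name list — confirm
                // callers never pass one.
                Validate.noNullElements(this.crlDistributionPoints);
                addCrlDistributionPoints(builder);
            }
            if (this.policies != null && this.policies.length > 0) {
                addPolicies(builder);
            }
            if (this.resources != null) {
                addResourceExtensions(builder);
            }
            return builder;
        } catch (CertIOException | InvalidKeyException | NoSuchAlgorithmException e) {
            throw new X509ResourceCertificateBuilderException(e);
        }
    }

    /** Adds the critical extended-key-usage extension carrying the BGPsec router purpose (RFC 8209). */
    private void addBgpExtension(X509v3CertificateBuilder builder) throws CertIOException {
        KeyPurposeId bgpsecRouter = KeyPurposeId.getInstance(RouterExtensionEncoder.OID_KP_BGPSEC_ROUTER);
        builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(bgpsecRouter));
    }

    /** Validates the mandatory fields and creates the bare TBS builder (no extensions yet). */
    private X509v3CertificateBuilder createX509V3CertificateGenerator() {
        validateCertificateFields();
        Date notBefore = new Date(this.validityPeriod.getNotValidBefore().getMillis());
        Date notAfter = new Date(this.validityPeriod.getNotValidAfter().getMillis());
        return new X509v3CertificateBuilder(
                BouncyCastleUtil.principalToName(this.issuerDN),
                this.serial,
                notBefore,
                notAfter,
                BouncyCastleUtil.principalToName(this.subjectDN),
                BouncyCastleUtil.createSubjectPublicKeyInfo(this.publicKey));
    }

    /**
     * Checks that all mandatory fields are set and that a non-CA certificate
     * does not claim the {@code keyCertSign} key usage.
     *
     * @throws IllegalArgumentException if a mandatory field is missing or a
     *         non-CA certificate requests {@code keyCertSign}
     */
    private void validateCertificateFields() {
        Validate.notNull(this.issuerDN, "no issuerDN");
        Validate.notNull(this.subjectDN, "no subjectDN");
        Validate.notNull(this.serial, "no serial");
        Validate.notNull(this.publicKey, "no publicKey");
        Validate.notNull(this.signingKeyPair, "no signingKeyPair");
        Validate.notNull(this.validityPeriod, "no validityPeriod");
        if (this.ca) {
            return;
        }
        // An end-entity (or router) certificate must never be able to sign other
        // certificates. Only keyCertSign is checked; cRLSign is left to the caller.
        Validate.isTrue((this.keyUsage & KeyUsage.keyCertSign) == 0, "keyCertSign only allowed for ca");
    }

    /** Adds the non-critical subject key identifier derived from the certified public key. */
    private void addSubjectKeyIdentifier(X509v3CertificateBuilder builder) throws InvalidKeyException, CertIOException, NoSuchAlgorithmException {
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(this.publicKey));
    }

    /** Adds the non-critical authority key identifier derived from the issuer's public key. */
    private void addAuthorityKeyIdentifier(X509v3CertificateBuilder builder) throws InvalidKeyException, CertIOException {
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                BouncyCastleUtil.createAuthorityKeyIdentifier(this.signingKeyPair.getPublic()));
    }

    /** Adds the critical basic-constraints extension; only called when {@code ca} is set. */
    private void addCaBit(X509v3CertificateBuilder builder) throws CertIOException {
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(this.ca));
    }

    /** Adds the critical key-usage extension from the configured bit mask. */
    private void addKeyUsage(X509v3CertificateBuilder builder) throws CertIOException {
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(this.keyUsage));
    }

    /** Adds the non-critical authority information access extension. */
    private void addAIA(X509v3CertificateBuilder builder) throws CertIOException {
        AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(new DERSequence(this.authorityInformationAccess));
        builder.addExtension(Extension.authorityInfoAccess, false, aia);
    }

    /** Adds the non-critical subject information access extension (same ASN.1 shape as AIA). */
    private void addSIA(X509v3CertificateBuilder builder) throws CertIOException {
        AuthorityInformationAccess sia = AuthorityInformationAccess.getInstance(new DERSequence(this.subjectInformationAccess));
        builder.addExtension(Extension.subjectInfoAccess, false, sia);
    }

    /** Adds the non-critical CRL distribution points extension. */
    private void addCrlDistributionPoints(X509v3CertificateBuilder builder) throws CertIOException {
        builder.addExtension(Extension.cRLDistributionPoints, false,
                convertToCrlDistributionPoint(this.crlDistributionPoints));
    }

    /** Adds the critical certificate policies extension. */
    private void addPolicies(X509v3CertificateBuilder builder) throws CertIOException {
        builder.addExtension(Extension.certificatePolicies, true, new DERSequence(this.policies));
    }

    /**
     * Adds the critical RFC 3779 IP address block and AS identifier extensions.
     * Each extension is only emitted when the encoder produces a value for it.
     *
     * @throws IllegalArgumentException if the explicit resource set contains a
     *         resource of a type that is marked as inherited
     */
    private void addResourceExtensions(X509v3CertificateBuilder builder) throws CertIOException {
        for (IpResourceType inheritedType : this.inheritedResourceTypes) {
            if (this.resources.containsType(inheritedType)) {
                throw new IllegalArgumentException("resource set '" + this.resources + "' contains resources of inherited type " + inheritedType);
            }
        }
        ResourceExtensionEncoder encoder = new ResourceExtensionEncoder();
        boolean inheritIpv4 = this.inheritedResourceTypes.contains(IpResourceType.IPv4);
        boolean inheritIpv6 = this.inheritedResourceTypes.contains(IpResourceType.IPv6);
        boolean inheritAsn = this.inheritedResourceTypes.contains(IpResourceType.ASN);

        ASN1Object ipAddressBlocks = encoder.encodeIpAddressBlocks(inheritIpv4, inheritIpv6, this.resources);
        if (ipAddressBlocks != null) {
            builder.addExtension(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS, true, ipAddressBlocks);
        }
        ASN1Object asIdentifiers = encoder.encodeAsIdentifiers(inheritAsn, this.resources);
        if (asIdentifiers != null) {
            builder.addExtension(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS, true, asIdentifiers);
        }
    }

    /**
     * Wraps the URIs in a single distribution point whose name is the list of
     * URIs, with no reason flags and no CRL issuer.
     */
    private CRLDistPoint convertToCrlDistributionPoint(URI[] uriArr) {
        GeneralName[] names = new GeneralName[uriArr.length];
        for (int i = 0; i < uriArr.length; i++) {
            names[i] = new GeneralName(GeneralName.uniformResourceIdentifier, uriArr[i].toString());
        }
        DistributionPointName pointName = new DistributionPointName(new GeneralNames(names));
        DistributionPoint point = new DistributionPoint(pointName, (ReasonFlags) null, (GeneralNames) null);
        return new CRLDistPoint(new DistributionPoint[]{point});
    }
}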
