package net.ripe.rpki.commons.provisioning.cms;

import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import net.ripe.rpki.commons.crypto.cms.RPKISignedDataGenerator;
import net.ripe.rpki.commons.crypto.util.BouncyCastleUtil;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateBuilderHelper;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil;
import net.ripe.rpki.commons.provisioning.payload.AbstractProvisioningPayload;
import net.ripe.rpki.commons.provisioning.payload.PayloadParser;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationResult;
import org.apache.commons.lang.Validate;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.Time;
import org.bouncycastle.cert.jcajce.JcaCRLStore;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.joda.time.DateTimeUtils;

/* loaded from: input_file:net/ripe/rpki/commons/provisioning/cms/ProvisioningCmsObjectBuilder.class */
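/**
 * Builds a signed provisioning CMS object around a serialized
 * {@link AbstractProvisioningPayload}.
 *
 * <p>The payload XML becomes the (attached) encapsulated content of a CMS
 * SignedData, signed with the supplied private key and identified by the
 * subject key identifier of the configured CMS certificate. That certificate
 * and the supplied CRL are embedded in the SignedData. Before the object is
 * returned it is fed back through {@link ProvisioningCmsObjectParser} so that
 * anything the parser would reject is reported here rather than by the peer.
 *
 * <p>Fluent, mutable and not thread-safe: use one instance per object built.
 */
public class ProvisioningCmsObjectBuilder {
    /**
     * eContentType of the encapsulated payload. This is the id-smime
     * content-type arc (1.2.840.113549.1.9.16.1) member 28 — presumably
     * id-ct-xml as used for RFC 6492 provisioning messages; confirm against
     * the parser's expectations.
     */
    private static final ASN1ObjectIdentifier CONTENT_TYPE = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.1.28");

    /** Certificate whose key signs the object; embedded in the SignedData. */
    private X509Certificate cmsCertificate;
    /** CRL embedded alongside the certificate in the SignedData. */
    private X509CRL crl;
    /** JCA provider name used to build the {@link ContentSigner}. */
    private String signatureProvider = X509CertificateBuilderHelper.DEFAULT_SIGNATURE_PROVIDER;
    /** Serialized payload, produced by {@link PayloadParser#serialize}. */
    private String payloadContent;

    /**
     * Sets the certificate that signs the object and is embedded in it.
     *
     * @param x509Certificate the CMS (end-entity) certificate; required by {@link #build}
     * @return this builder
     */
    public ProvisioningCmsObjectBuilder withCmsCertificate(X509Certificate x509Certificate) {
        this.cmsCertificate = x509Certificate;
        return this;
    }

    /**
     * Sets the CRL embedded in the SignedData.
     *
     * @param x509crl the CRL; required by {@link #build}
     * @return this builder
     */
    public ProvisioningCmsObjectBuilder withCrl(X509CRL x509crl) {
        this.crl = x509crl;
        return this;
    }

    /**
     * Overrides the JCA provider used for signing.
     *
     * @param str provider name (defaults to
     *            {@link X509CertificateBuilderHelper#DEFAULT_SIGNATURE_PROVIDER})
     * @return this builder
     */
    public ProvisioningCmsObjectBuilder withSignatureProvider(String str) {
        this.signatureProvider = str;
        return this;
    }

    /**
     * Sets the payload; it is serialized immediately via {@link PayloadParser}.
     *
     * @param abstractProvisioningPayload the message to sign; required by {@link #build}
     * @return this builder
     */
    public ProvisioningCmsObjectBuilder withPayloadContent(AbstractProvisioningPayload abstractProvisioningPayload) {
        this.payloadContent = PayloadParser.serialize(abstractProvisioningPayload);
        return this;
    }

    /**
     * Signs the payload and returns the resulting provisioning CMS object.
     *
     * <p>The generated DER is re-parsed with {@link ProvisioningCmsObjectParser}
     * as a self-check; if that parse records validation failures the object is
     * rejected. Note that nothing here explicitly checks that
     * {@code privateKey} belongs to the configured CMS certificate — that
     * mismatch is presumably caught by the self-check only if the parser
     * verifies the signature against the embedded certificate (confirm).
     *
     * @param privateKey key used to produce the CMS signature
     * @return the parsed, validated CMS object
     * @throws IllegalArgumentException if a required input is missing or the
     *                                  generated object fails the parser's checks
     * @throws ProvisioningCmsObjectBuilderException if CMS generation itself fails
     */
    public ProvisioningCmsObject build(PrivateKey privateKey) {
        Validate.notEmpty(this.payloadContent, "Payload content is required");
        Validate.notNull(this.cmsCertificate, "cms certificate is required");
        Validate.notNull(this.crl, "crl is required");
        Validate.notNull(privateKey, "private key is required");

        ProvisioningCmsObjectParser parser = new ProvisioningCmsObjectParser();
        parser.parseCms("n/a", generateCms(privateKey));
        ValidationResult validationResult = parser.getValidationResult();
        if (validationResult.hasFailures()) {
            // NOTE(review): the parser was handed location "n/a" but failures are
            // read back under "generated.cms". If the parser keys its results by
            // the location it was given, this list may come out empty even though
            // hasFailures() is true — confirm against ProvisioningCmsObjectParser.
            String failedChecks = validationResult.getFailures(new ValidationLocation("generated.cms")).stream()
                    .map(check -> check.getKey())
                    .collect(Collectors.joining(","));
            // Same exception type Validate.isTrue would throw, without the stray
            // trailing "," the previous three-argument Validate.isTrue call appended.
            throw new IllegalArgumentException(
                    "Validation of generated CMS object failed with following errors: " + failedChecks);
        }
        return parser.getProvisioningCmsObject();
    }

    /**
     * Runs {@link #doGenerate} and folds every checked failure into the
     * builder's own unchecked exception, preserving the cause.
     */
    private byte[] generateCms(PrivateKey privateKey) {
        try {
            return doGenerate(privateKey);
        } catch (CMSException | IOException | OperatorCreationException | CRLException | CertificateEncodingException e) {
            throw new ProvisioningCmsObjectBuilderException(e);
        }
    }

    /**
     * Assembles the SignedData: embedded cert + CRL, one SignerInfo, and the
     * UTF-8 payload as attached content.
     *
     * @return DER encoding of the ContentInfo
     */
    private byte[] doGenerate(PrivateKey privateKey) throws CMSException, IOException, CertificateEncodingException, CRLException, OperatorCreationException {
        RPKISignedDataGenerator generator = new RPKISignedDataGenerator();
        addCertificateAndCrl(generator);
        addSignerInfo(generator, privateKey);
        CMSProcessableByteArray content =
                new CMSProcessableByteArray(CONTENT_TYPE, this.payloadContent.getBytes(StandardCharsets.UTF_8));
        // 'true': carry the eContent inside the SignedData (attached, not detached).
        return generator.generate(content, true).getEncoded();
    }

    /**
     * Adds the single SignerInfo. The signer is identified by the subject key
     * identifier of the CMS certificate (not issuer/serial), the signature
     * algorithm is {@link X509CertificateBuilderHelper#DEFAULT_SIGNATURE_ALGORITHM},
     * and the signed attributes are {@link #createSignedAttributes} plus the
     * content-type/message-digest that the default generator adds.
     *
     * <p>The cmsAlgorithmProtect attribute that BouncyCastle's default
     * generator inserts is stripped — presumably because the RPKI signed-object
     * profile (RFC 6488) permits only a fixed set of signed attributes; confirm
     * that this matches what {@link ProvisioningCmsObjectParser} enforces.
     */
    private void addSignerInfo(RPKISignedDataGenerator generator, PrivateKey privateKey) throws OperatorCreationException {
        ContentSigner signer = new JcaContentSignerBuilder(X509CertificateBuilderHelper.DEFAULT_SIGNATURE_ALGORITHM)
                .setProvider(this.signatureProvider)
                .build(privateKey);
        DigestCalculatorProvider digestCalculatorProvider = BouncyCastleUtil.DIGEST_CALCULATOR_PROVIDER;
        DefaultSignedAttributeTableGenerator signedAttributes =
                new DefaultSignedAttributeTableGenerator(createSignedAttributes()) {
                    @Override
                    @SuppressWarnings("rawtypes")
                    public AttributeTable getAttributes(Map parameters) {
                        // AttributeTable is immutable; remove() returns a new table.
                        return super.getAttributes(parameters).remove(CMSAttributes.cmsAlgorithmProtect);
                    }
                };
        byte[] subjectKeyIdentifier = X509CertificateUtil.getSubjectKeyIdentifier(this.cmsCertificate);
        generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digestCalculatorProvider)
                .setSignedAttributeGenerator(signedAttributes)
                .build(signer, subjectKeyIdentifier));
    }

    /** Embeds exactly the configured CMS certificate and CRL in the SignedData. */
    private void addCertificateAndCrl(RPKISignedDataGenerator generator) throws CertificateEncodingException, CMSException, CRLException {
        List<X509Certificate> certificates = new ArrayList<>();
        certificates.add(this.cmsCertificate);
        generator.addCertificates(new JcaCertStore(certificates));
        generator.addCRLs(new JcaCRLStore(Collections.singleton(this.crl)));
    }

    /**
     * Builds the explicitly requested signed attributes: only signingTime,
     * taken from Joda's {@link DateTimeUtils} rather than {@code System} —
     * presumably so tests can pin the clock (confirm).
     */
    private AttributeTable createSignedAttributes() {
        Hashtable<ASN1ObjectIdentifier, Attribute> attributes = new Hashtable<>();
        Date now = new Date(DateTimeUtils.currentTimeMillis());
        attributes.put(CMSAttributes.signingTime,
                new Attribute(CMSAttributes.signingTime, new DERSet(new Time(now))));
        return new AttributeTable(attributes);
    }
}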
