package net.ripe.rpki.commons.crypto.x509cert;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder;
import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionParser;
import net.ripe.rpki.commons.crypto.rfc8209.RouterExtensionEncoder;
import net.ripe.rpki.commons.crypto.util.Asn1Util;
import net.ripe.rpki.commons.validation.ValidationResult;
import org.apache.commons.lang3.Validate;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Base64Encoder;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509CertificateUtil.class */
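/**
 * Static helpers for reading fields and RPKI-related extensions out of an
 * {@link X509Certificate}.
 *
 * <p>The helpers perform no trust evaluation: they report what the certificate
 * says. When the certificate comes from a source the caller does not control,
 * every value returned here is attacker-influenced and must be validated
 * before it drives a fetch, a comparison or an authorization decision.
 *
 * <p>Several accessors return {@code null} when the extension is absent;
 * callers must check for that before dereferencing.
 */
public final class X509CertificateUtil {
    private X509CertificateUtil() {
    }

    /**
     * Reads the key identifier from the SubjectKeyIdentifier extension.
     *
     * @param x509Extension certificate (or other extension holder) to read from
     * @return the key identifier bytes, or {@code null} when the extension is absent
     * @throws X509CertificateOperationException when the extension value cannot be decoded
     */
    public static byte[] getSubjectKeyIdentifier(X509Extension x509Extension) {
        try {
            // getExtensionValue returns the DER OCTET STRING wrapper; parseExtensionValue unwraps it.
            byte[] wrapped = x509Extension.getExtensionValue(Extension.subjectKeyIdentifier.getId());
            if (wrapped == null) {
                return null;
            }
            return SubjectKeyIdentifier.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)).getKeyIdentifier();
        } catch (IOException e) {
            throw new X509CertificateOperationException("Cannot get SubjectKeyIdentifier for certificate", e);
        }
    }

    /**
     * Reads the key identifier from the AuthorityKeyIdentifier extension.
     *
     * @param x509Extension certificate (or other extension holder) to read from
     * @return the key identifier bytes, or {@code null} when the extension is absent
     * @throws X509CertificateOperationException when the extension value cannot be decoded
     */
    public static byte[] getAuthorityKeyIdentifier(X509Extension x509Extension) {
        try {
            byte[] wrapped = x509Extension.getExtensionValue(Extension.authorityKeyIdentifier.getId());
            if (wrapped == null) {
                return null;
            }
            return AuthorityKeyIdentifier.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)).getKeyIdentifier();
        } catch (IOException e) {
            throw new X509CertificateOperationException("Can not get AuthorityKeyIdentifier for certificate", e);
        }
    }

    /**
     * Parses a DER-encoded resource certificate with {@link X509ResourceCertificateParser}.
     *
     * <p>The {@link ValidationResult} passed to the parser is created here (with the
     * placeholder location {@code "unknown.cer"}) and is not returned, so callers of
     * this method cannot inspect individual parse findings.
     * NOTE(review): what {@code getCertificate()} does after a failed parse is not
     * visible in this file — confirm before relying on the return value for untrusted input.
     *
     * @param bArr DER encoding of the certificate
     * @return the certificate produced by the parser
     */
    public static X509ResourceCertificate parseDerEncoded(byte[] bArr) {
        X509ResourceCertificateParser parser = new X509ResourceCertificateParser();
        parser.parse(ValidationResult.withLocation("unknown.cer"), bArr);
        return parser.getCertificate();
    }

    /**
     * Parses an encoded certificate by delegating to {@link X509CertificateParser}.
     *
     * @param bArr encoded certificate
     * @return the parsed certificate
     */
    public static X509Certificate parseX509Certificate(byte[] bArr) {
        return X509CertificateParser.parseX509Certificate(bArr);
    }

    /**
     * Returns the certificate's SubjectPublicKeyInfo structure as Base64 text.
     *
     * @param x509Certificate certificate to read from
     * @return Base64 encoding of the encoded SubjectPublicKeyInfo
     * @throws X509CertificateOperationException when the TBSCertificate cannot be extracted
     *         or the SubjectPublicKeyInfo cannot be encoded
     */
    public static String getEncodedSubjectPublicKeyInfo(X509Certificate x509Certificate) {
        try {
            byte[] spki = TBSCertificate.getInstance(Asn1Util.decode(x509Certificate.getTBSCertificate())).getSubjectPublicKeyInfo().getEncoded();
            ByteArrayOutputStream base64 = new ByteArrayOutputStream();
            new Base64Encoder().encode(spki, 0, spki.length, base64);
            // Base64 output is pure ASCII; decode it explicitly instead of through the
            // platform default charset so the result is the same on every JVM.
            return new String(base64.toByteArray(), StandardCharsets.US_ASCII);
        } catch (IOException e) {
            throw new X509CertificateOperationException("Can't encode SubjectPublicKeyInfo for certificate", e);
        } catch (CertificateEncodingException e2) {
            throw new X509CertificateOperationException("Can't extract TBSCertificate from certificate", e2);
        }
    }

    /**
     * Reports whether subject and issuer names are equal.
     *
     * <p>This is a name comparison only. It does not verify the signature, so a
     * {@code true} result means "self-issued", not "self-signed" and certainly not
     * "trusted"; use {@link #verify(X509Certificate, PublicKey)} for the signature.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when the subject equals the issuer
     */
    public static boolean isRoot(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal());
    }

    /**
     * Reports whether the BasicConstraints extension marks the certificate as a CA.
     *
     * @param x509Certificate certificate to inspect
     * @return the {@code cA} flag, or {@code false} when the extension is absent
     * @throws X509CertificateOperationException when the extension value cannot be decoded
     */
    public static boolean isCa(X509Certificate x509Certificate) {
        try {
            byte[] wrapped = x509Certificate.getExtensionValue(Extension.basicConstraints.getId());
            if (wrapped == null) {
                return false;
            }
            return BasicConstraints.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)).isCA();
        } catch (IOException e) {
            throw new X509CertificateOperationException(e);
        }
    }

    /**
     * Reports whether the certificate is an end-entity certificate, defined here as
     * "not a CA". A certificate without BasicConstraints is therefore an EE certificate.
     *
     * @param x509Certificate certificate to inspect
     * @return the negation of {@link #isCa(X509Certificate)}
     */
    public static boolean isEe(X509Certificate x509Certificate) {
        return !isCa(x509Certificate);
    }

    /**
     * Reports whether the ExtendedKeyUsage extension lists the BGPsec router key purpose.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when the extension is present and contains
     *         {@code RouterExtensionEncoder.OID_KP_BGPSEC_ROUTER}
     * @throws X509CertificateOperationException when the extension cannot be parsed
     */
    public static boolean isRouter(X509Certificate x509Certificate) {
        try {
            List<String> keyPurposes = x509Certificate.getExtendedKeyUsage();
            return keyPurposes != null && keyPurposes.contains(RouterExtensionEncoder.OID_KP_BGPSEC_ROUTER.getId());
        } catch (CertificateParsingException e) {
            throw new X509CertificateOperationException(e);
        }
    }

    /**
     * Decodes the AuthorityInformationAccess extension.
     *
     * @param x509Certificate certificate to read from
     * @return the access descriptors, or {@code null} when the extension is absent
     * @throws X509CertificateOperationException when the extension value cannot be decoded
     */
    public static X509CertificateInformationAccessDescriptor[] getAuthorityInformationAccess(X509Certificate x509Certificate) {
        try {
            byte[] wrapped = x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
            if (wrapped == null) {
                return null;
            }
            return X509CertificateInformationAccessDescriptor.convertAccessDescriptors(AuthorityInformationAccess.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)).getAccessDescriptions());
        } catch (IOException e) {
            throw new X509CertificateOperationException(e);
        }
    }

    /**
     * Decodes the SubjectInformationAccess extension.
     *
     * @param x509Certificate certificate to read from
     * @return the access descriptors, or {@code null} when the extension is absent
     * @throws X509CertificateOperationException when the extension value cannot be decoded
     */
    public static X509CertificateInformationAccessDescriptor[] getSubjectInformationAccess(X509Certificate x509Certificate) {
        try {
            byte[] wrapped = x509Certificate.getExtensionValue(Extension.subjectInfoAccess.getId());
            if (wrapped == null) {
                return null;
            }
            // Not a copy-paste slip: SIA and AIA share the same ASN.1 syntax (a SEQUENCE OF
            // AccessDescription), so the AuthorityInformationAccess type decodes both.
            return X509CertificateInformationAccessDescriptor.convertAccessDescriptors(AuthorityInformationAccess.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)).getAccessDescriptions());
        } catch (IOException e) {
            throw new X509CertificateOperationException(e);
        }
    }

    /**
     * Finds the first rsync location in the AIA extension for the given access method.
     *
     * @param x509Certificate certificate to read from
     * @param aSN1ObjectIdentifier access method OID; must not be {@code null}
     * @return the first matching rsync URI, or {@code null} when there is none
     */
    public static URI findFirstAuthorityInformationAccessByMethod(X509Certificate x509Certificate, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        Validate.notNull(aSN1ObjectIdentifier, "method is null");
        return findFirstByMethod(aSN1ObjectIdentifier, "rsync", getAuthorityInformationAccess(x509Certificate));
    }

    /**
     * Finds the first rsync location in the SIA extension for the given access method.
     *
     * @param x509Certificate certificate to read from
     * @param aSN1ObjectIdentifier access method OID; must not be {@code null}
     * @return the first matching rsync URI, or {@code null} when there is none
     */
    public static URI findFirstSubjectInformationAccessByMethod(X509Certificate x509Certificate, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        Validate.notNull(aSN1ObjectIdentifier, "method is null");
        return findFirstByMethod(aSN1ObjectIdentifier, "rsync", getSubjectInformationAccess(x509Certificate));
    }

    /**
     * Returns the location of the first descriptor that has the given access method
     * and whose URI scheme equals {@code scheme}, ignoring case.
     *
     * @return the matching location, or {@code null} when {@code descriptors} is
     *         {@code null} or nothing matches
     */
    private static URI findFirstByMethod(ASN1ObjectIdentifier method, String scheme, X509CertificateInformationAccessDescriptor[] descriptors) {
        if (descriptors == null) {
            return null;
        }
        for (X509CertificateInformationAccessDescriptor descriptor : descriptors) {
            if (!method.equals(descriptor.getMethod())) {
                continue;
            }
            URI location = descriptor.getLocation();
            // The location is certificate-supplied. A relative URI has no scheme, so the
            // comparison is made from the known-non-null side: such an entry is simply
            // not a match rather than a NullPointerException.
            if (location != null && scheme.equalsIgnoreCase(location.getScheme())) {
                return location;
            }
        }
        return null;
    }

    /**
     * Returns every name listed in the CRLDistributionPoints extension as a URI.
     *
     * <p>{@code null} is returned both when the extension is absent and when its
     * value cannot be decoded, so a caller cannot tell "no CRLDP" from "malformed
     * CRLDP" through this method.
     *
     * @param x509Certificate certificate to read from
     * @return the distribution point URIs, or {@code null} as described above
     */
    public static URI[] getCrlDistributionPoints(X509Certificate x509Certificate) {
        byte[] wrapped = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (wrapped == null) {
            return null;
        }
        try {
            return convertCrlDistributionPointToUris(CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(wrapped)));
        } catch (IOException e) {
            // Deliberately best-effort: an undecodable extension is reported as null.
            return null;
        }
    }

    /**
     * Flattens all names of all distribution points into a URI array.
     *
     * <p>NOTE(review): the call chain dereferences each distribution point's name
     * without checks and hands the string to {@link URI#create(String)}, which throws
     * {@link IllegalArgumentException} for a syntactically invalid URI. A distribution
     * point without a name, with a name of another type, or with an invalid URI
     * therefore surfaces as an unchecked exception rather than the {@code null} that
     * {@link #getCrlDistributionPoints(X509Certificate)} uses for decode failures —
     * confirm callers treat that as a rejected certificate and not as a crash.
     */
    private static URI[] convertCrlDistributionPointToUris(CRLDistPoint cRLDistPoint) {
        List<URI> uris = new ArrayList<>();
        for (DistributionPoint distributionPoint : cRLDistPoint.getDistributionPoints()) {
            for (GeneralName generalName : distributionPoint.getDistributionPoint().getName().getNames()) {
                uris.add(URI.create(generalName.getName().getString()));
            }
        }
        return uris.toArray(new URI[0]);
    }

    /**
     * Finds the first CRL distribution point that uses the rsync scheme.
     *
     * @param x509Certificate certificate to read from
     * @return the first rsync URI, or {@code null} when there is none
     */
    public static URI findFirstRsyncCrlDistributionPoint(X509Certificate x509Certificate) {
        URI[] distributionPoints = getCrlDistributionPoints(x509Certificate);
        if (distributionPoints == null) {
            return null;
        }
        for (URI candidate : distributionPoints) {
            if (candidate != null && "rsync".equalsIgnoreCase(candidate.getScheme())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Returns the rsync manifest location from the SIA extension.
     *
     * @param x509Certificate certificate to read from
     * @return the manifest URI, or {@code null} when the certificate has none
     */
    public static URI getManifestUri(X509Certificate x509Certificate) {
        return findFirstSubjectInformationAccessByMethod(x509Certificate, X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST);
    }

    /**
     * Returns the rsync CA repository location from the SIA extension, with a
     * trailing {@code /} appended to the path when it is missing.
     *
     * @param x509Certificate certificate to read from
     * @return the repository URI, or {@code null} when the certificate has no rsync
     *         CA repository entry
     * @throws IllegalArgumentException when the URI cannot be rebuilt with the added slash
     */
    public static URI getRepositoryUri(X509Certificate x509Certificate) {
        URI repository = findFirstSubjectInformationAccessByMethod(x509Certificate, X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY);
        if (repository == null) {
            // The lookup returns null for a certificate without this SIA entry (an EE
            // certificate, for instance); report that like getManifestUri does instead
            // of failing with a NullPointerException.
            return null;
        }
        String rawPath = repository.getRawPath();
        if (rawPath == null || rawPath.endsWith("/")) {
            return repository;
        }
        try {
            // NOTE(review): the multi-argument URI constructor quotes '%' itself, so
            // passing the raw (still-escaped) path, query and fragment looks like it
            // double-escapes a location that contains percent-escapes — confirm with a test.
            return new URI(repository.getScheme(), repository.getUserInfo(), repository.getHost(), repository.getPort(), rawPath + "/", repository.getRawQuery(), repository.getRawFragment());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Returns the RRDP notification location from the SIA extension.
     *
     * <p>NOTE(review): an {@code http} entry is looked up before an {@code https}
     * one, so a certificate that carries both yields the plain-HTTP location.
     * Confirm that the fetching layer enforces the transport policy it requires
     * rather than relying on the scheme returned here.
     *
     * @param x509Certificate certificate to read from
     * @return the notification URI, or {@code null} when there is none
     */
    public static URI getRrdpNotifyUri(X509Certificate x509Certificate) {
        X509CertificateInformationAccessDescriptor[] sia = getSubjectInformationAccess(x509Certificate);
        URI overHttp = findFirstByMethod(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_NOTIFY, "http", sia);
        if (overHttp != null) {
            return overHttp;
        }
        return findFirstByMethod(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_NOTIFY, "https", sia);
    }

    /**
     * Reports whether the certificate names a manifest location, which this class
     * takes as the sign that the holder issues objects.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} when {@link #getManifestUri(X509Certificate)} is not {@code null}
     */
    public static boolean isObjectIssuer(X509Certificate x509Certificate) {
        return getManifestUri(x509Certificate) != null;
    }

    /**
     * Wraps the certificate's notBefore and notAfter dates in a {@link ValidityPeriod}.
     *
     * @param x509Certificate certificate to read from
     * @return the validity period
     */
    public static ValidityPeriod getValidityPeriod(X509Certificate x509Certificate) {
        return new ValidityPeriod(x509Certificate.getNotBefore(), x509Certificate.getNotAfter());
    }

    /** Returns the certificate's serial number. */
    public static BigInteger getSerialNumber(X509Certificate x509Certificate) {
        return x509Certificate.getSerialNumber();
    }

    /** Returns the certificate's subject name. */
    public static X500Principal getSubject(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal();
    }

    /** Returns the certificate's issuer name. */
    public static X500Principal getIssuer(X509Certificate x509Certificate) {
        return x509Certificate.getIssuerX500Principal();
    }

    /** Returns the certificate's public key. */
    public static PublicKey getPublicKey(X509Certificate x509Certificate) {
        return x509Certificate.getPublicKey();
    }

    /**
     * Verifies the certificate's signature with the given key, using the provider named
     * by {@code X509CertificateBuilderHelper.DEFAULT_SIGNATURE_PROVIDER}.
     *
     * <p>Only the signature is checked; validity dates, extensions and the rest of
     * path validation are the caller's responsibility.
     *
     * @param x509Certificate certificate whose signature is checked
     * @param publicKey key expected to have produced the signature
     * @throws InvalidKeyException when the key is not usable for the verification
     * @throws SignatureException when the signature does not verify
     * @throws IllegalArgumentException when the algorithm or provider is unavailable or
     *         the certificate cannot be encoded
     */
    public static void verify(X509Certificate x509Certificate, PublicKey publicKey) throws InvalidKeyException, SignatureException {
        try {
            x509Certificate.verify(publicKey, X509CertificateBuilderHelper.DEFAULT_SIGNATURE_PROVIDER);
        } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Lists the AS resources from the certificate's autonomous-system identifier
     * extension as strings.
     *
     * @param x509Certificate certificate to read from
     * @return one string per parsed resource, or an empty list when the extension is absent
     */
    public static List<String> getAsns(X509Certificate x509Certificate) {
        byte[] wrapped = x509Certificate.getExtensionValue(ResourceExtensionEncoder.OID_AUTONOMOUS_SYS_IDS.getId());
        if (wrapped == null) {
            return Collections.emptyList();
        }
        IpResourceSet asIdentifiers = new ResourceExtensionParser().parseAsIdentifiers(wrapped);
        List<String> asns = new ArrayList<>();
        asIdentifiers.forEach(resource -> asns.add(resource.toString()));
        return asns;
    }
}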
