package net.ripe.rpki.commons.crypto.cms.roa;

import java.security.PrivateKey;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.ripe.ipresource.Asn;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectBuilder;
import net.ripe.rpki.commons.crypto.rfc3779.AddressFamily;
import net.ripe.rpki.commons.crypto.util.Asn1Util;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.validation.ValidationResult;
import org.apache.commons.lang3.Validate;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.DERSequence;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/roa/RoaCmsBuilder.class */
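/**
 * Fluent builder that encodes a Route Origin Attestation (ASN plus prefixes), has it wrapped in a
 * signed CMS object by {@link RpkiSignedObjectBuilder#generateCms}, and parses the result back
 * into a {@link RoaCms}.
 *
 * <p>The builder is mutable and keeps references to the objects handed to the {@code with...}
 * methods; it makes no copies. Nothing in this class synchronizes access to its fields.
 */
public class RoaCmsBuilder extends RpkiSignedObjectBuilder {
    private X509ResourceCertificate certificate;
    private Asn asn;
    private List<RoaPrefix> prefixes;
    private String signatureProvider;

    /**
     * Sets the certificate whose underlying certificate is passed to {@code generateCms}.
     *
     * @param x509ResourceCertificate the resource certificate to embed; must be set before {@link #build}
     * @return this builder
     */
    public RoaCmsBuilder withCertificate(X509ResourceCertificate x509ResourceCertificate) {
        this.certificate = x509ResourceCertificate;
        return this;
    }

    /**
     * Sets the origin AS that the ROA authorizes.
     *
     * @param asn the origin AS; must be set before {@link #build}
     * @return this builder
     */
    public RoaCmsBuilder withAsn(Asn asn) {
        this.asn = asn;
        return this;
    }

    /**
     * Sets the prefixes to attest. The list is stored by reference, so later changes made by the
     * caller are visible to {@link #build}.
     *
     * @param list the prefixes; must be non-null and non-empty by the time {@link #build} runs
     * @return this builder
     */
    public RoaCmsBuilder withPrefixes(List<RoaPrefix> list) {
        this.prefixes = list;
        return this;
    }

    /**
     * Sets the JCA provider name that is handed to {@code generateCms} unchanged.
     *
     * @param str provider name
     * @return this builder
     */
    public RoaCmsBuilder withSignatureProvider(String str) {
        this.signatureProvider = str;
        return this;
    }

    /**
     * Encodes the attestation, signs it and parses the signed object back.
     *
     * <p>The builder state is checked before any encoding or signing happens, so an incompletely
     * configured builder fails with a message naming the missing part rather than with an
     * anonymous {@link NullPointerException} from the middle of the encoding chain. The exception
     * type is the one the unchecked code path produced.
     *
     * @param privateKey key used for signing; passed to {@code generateCms} as-is
     * @return the ROA obtained from {@link RoaCmsParser#getRoaCms()}
     * @throws NullPointerException if certificate, ASN or prefixes have not been set
     * @throws IllegalArgumentException if the prefix list is empty
     */
    public RoaCms build(PrivateKey privateKey) {
        // Fail before touching the private key when the builder is incomplete.
        requireConfigured(this.certificate, "certificate");
        requireConfigured(this.asn, "asn");
        requireConfigured(this.prefixes, "prefixes");

        byte[] content = encodeRouteOriginAttestation(this.asn, this.prefixes);
        byte[] signedObject = generateCms(
                this.certificate.getCertificate(), privateKey, this.signatureProvider, RoaCms.CONTENT_TYPE, content);

        // NOTE(review): the ValidationResult is not inspected here; presumably getRoaCms() rejects
        // an object that failed parsing, and that is what stops an invalid ROA from being
        // returned. Confirm against RoaCmsParser.
        RoaCmsParser roaCmsParser = new RoaCmsParser();
        roaCmsParser.parse(ValidationResult.withLocation("unknown.roa"), signedObject);
        return roaCmsParser.getRoaCms();
    }

    /** Throws a descriptive {@link NullPointerException} when a required builder field is unset. */
    private static <T> T requireConfigured(T value, String name) {
        if (value == null) {
            throw new NullPointerException(name + " must be set before build()");
        }
        return value;
    }

    /**
     * Encodes one prefix as a SEQUENCE of the address bit string, followed by the maximum length
     * when one is present.
     *
     * <p>NOTE(review): the maximum length is written without a range check in this method. The ROA
     * profile (RFC 6482 / RFC 9582) requires it to lie between the prefix length and the address
     * family's bit size; presumably RoaPrefix or the parser enforces that. Confirm, because an
     * over-long maxLength widens what the ROA authorizes.
     */
    ASN1Object encodeRoaIpAddress(RoaPrefix roaPrefix) {
        ASN1Encodable address = Asn1Util.resourceToBitString(
                roaPrefix.getPrefix().getStart(), roaPrefix.getPrefix().getPrefixLength());
        if (roaPrefix.getMaximumLength() == null) {
            return new DERSequence(new ASN1Encodable[]{address});
        }
        ASN1Encodable maxLength = new ASN1Integer(roaPrefix.getMaximumLength().intValue());
        return new DERSequence(new ASN1Encodable[]{address, maxLength});
    }

    /**
     * Encodes all prefixes of one address family as SEQUENCE { family, SEQUENCE OF address }.
     * The addresses are emitted in the natural ordering of {@link RoaPrefix}.
     *
     * @throws IllegalArgumentException if the family is neither IPv4 nor IPv6
     */
    ASN1Encodable encodeRoaIpAddressFamily(AddressFamily addressFamily, Set<RoaPrefix> set) {
        Validate.isTrue(
                addressFamily == AddressFamily.IPV4 || addressFamily == AddressFamily.IPV6,
                "ROA can only contain IPv4 or IPv6 AFI");
        ASN1Encodable[] addresses = set.stream()
                .sorted()
                .map(this::encodeRoaIpAddress)
                .toArray(ASN1Encodable[]::new);
        return new DERSequence(new ASN1Encodable[]{addressFamily.toDer(), new DERSequence(addresses)});
    }

    /**
     * Encodes the address blocks: the IPv4 family first, then IPv6, each only when it has prefixes.
     *
     * @throws IllegalArgumentException if the list is empty, or if none of its prefixes is IPv4 or IPv6
     */
    ASN1Encodable encodeRoaIpAddressFamilySequence(List<RoaPrefix> list) {
        Validate.isTrue(!list.isEmpty(), "no prefixes");
        List<ASN1Encodable> families = Stream.concat(
                        addRoaIpAddressFamily(IpResourceType.IPv4, list),
                        addRoaIpAddressFamily(IpResourceType.IPv6, list))
                .collect(Collectors.toList());
        Validate.isTrue(!families.isEmpty(), "no encodable prefixes");
        return new DERSequence(families.toArray(new ASN1Encodable[0]));
    }

    /**
     * Returns a stream with the encoded family for the given resource type, or an empty stream
     * when no prefix of that type is present. Collecting into a Set drops duplicates as defined
     * by {@code RoaPrefix.equals}.
     */
    private Stream<ASN1Encodable> addRoaIpAddressFamily(IpResourceType ipResourceType, List<RoaPrefix> list) {
        Set<RoaPrefix> matching = list.stream()
                .filter(roaPrefix -> ipResourceType == roaPrefix.getPrefix().getType())
                .collect(Collectors.toSet());
        if (matching.isEmpty()) {
            return Stream.empty();
        }
        return Stream.of(encodeRoaIpAddressFamily(AddressFamily.fromIpResourceType(ipResourceType), matching));
    }

    /**
     * Encodes the attestation content as SEQUENCE { asID, ipAddrBlocks }. No version element is
     * written.
     *
     * @return the encoded bytes produced by {@link Asn1Util#encode}
     */
    byte[] encodeRouteOriginAttestation(Asn asn, List<RoaPrefix> list) {
        ASN1Encodable asId = new ASN1Integer(asn.getValue());
        ASN1Encodable addressBlocks = encodeRoaIpAddressFamilySequence(list);
        return Asn1Util.encode(new DERSequence(new ASN1Encodable[]{asId, addressBlocks}));
    }
}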
