package net.solarnetwork.pki.bc;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import net.solarnetwork.service.CertificateService;
import net.solarnetwork.service.CertificationAuthorityService;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX500NameUtil;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OperatorException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.bouncycastle.util.io.pem.PemWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/solarnetwork/pki/bc/BCCertificateService.class */
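/**
 * Bouncy Castle based implementation of {@link CertificateService} and
 * {@link CertificationAuthorityService}.
 *
 * <p>
 * Certificates are signed with the configured {@code signatureAlgorithm} (default
 * {@code SHA256WithRSA}) and are valid from the moment of issue for
 * {@code certificateExpireDays} (end-entity) or {@code authorityExpireDays} (CA).
 * </p>
 *
 * <p>
 * Serial numbers for issued end-entity certificates come from a process-local counter seeded
 * from the wall clock when the service is created. They are unique within one instance but
 * predictable, and two instances (or a restart) can hand out the same value; a CA that is
 * relied on outside a single trusted deployment should derive serials from
 * {@code SecureRandom} instead.
 * </p>
 *
 * <p>
 * The configuration setters are plain field writes intended to be called once before the
 * service is shared between threads; the issuing methods hold no mutable state other than
 * the atomic serial counter.
 * </p>
 */
public class BCCertificateService implements CertificateService, CertificationAuthorityService {

    /**
     * Milliseconds per day as a {@code long}. The decompiled original multiplied an {@code int}
     * literal by the configured day count, which overflows 32 bits for anything above 24 days.
     */
    private static final long MILLIS_PER_DAY = TimeUnit.DAYS.toMillis(1);

    /** Matches text that already starts with a PEM {@code -----BEGIN} header. */
    private static final Pattern PEM_HEADER = Pattern.compile("(?is)^\\s*-----BEGIN.*");

    /** Key usage bits asserted on CA certificates (the original literal {@code 198}). */
    private static final int CA_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.nonRepudiation
            | KeyUsage.keyCertSign | KeyUsage.cRLSign;

    /** One shared provider instance; creating a new provider per call is needlessly costly. */
    private static final BouncyCastleProvider BC_PROVIDER = new BouncyCastleProvider();

    /** Source of end-entity serial numbers; see the class comment about predictability. */
    private final AtomicLong counter = new AtomicLong(System.currentTimeMillis());
    private int certificateExpireDays = 730;
    private int authorityExpireDays = 7300;
    private String signatureAlgorithm = "SHA256WithRSA";
    private final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * Generate a self-signed end-entity certificate.
     *
     * @param dn the subject (and issuer) distinguished name, in {@link X500Principal} syntax
     * @param publicKey the public key to certify
     * @param privateKey the private key matching {@code publicKey}, used to sign
     * @return the certificate, valid for {@code certificateExpireDays} from now
     * @throws net.solarnetwork.service.CertificateException if signing or conversion fails
     */
    @Override
    public X509Certificate generateCertificate(String dn, PublicKey publicKey, PrivateKey privateKey) {
        X500Principal principal = new X500Principal(dn);
        Date notBefore = new Date();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(principal, nextSerial(),
                notBefore, expiry(notBefore, certificateExpireDays), principal, publicKey);
        try {
            return toCertificate(builder.build(contentSigner(privateKey)));
        } catch (OperatorCreationException e) {
            throw new net.solarnetwork.service.CertificateException("Error signing certificate", e);
        }
    }

    /**
     * Generate a self-signed CA certificate with CA basic constraints, subject/authority key
     * identifiers and a key usage of digitalSignature, nonRepudiation, keyCertSign and cRLSign.
     *
     * <p>
     * The serial number is {@code 0}, as in the original implementation. NOTE(review): RFC 5280
     * requires a positive serial number and some validators reject {@code 0}; switch to
     * {@link #nextSerial()} once no consumer depends on the current value.
     * </p>
     *
     * @param dn the subject (and issuer) distinguished name
     * @param publicKey the CA public key
     * @param privateKey the CA private key, used to sign
     * @return the CA certificate, valid for {@code authorityExpireDays} from now
     * @throws net.solarnetwork.service.CertificateException if signing or conversion fails
     */
    @Override
    public X509Certificate generateCertificationAuthorityCertificate(String dn, PublicKey publicKey,
            PrivateKey privateKey) {
        X500Principal principal = new X500Principal(dn);
        Date notBefore = new Date();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(principal, BigInteger.ZERO,
                notBefore, expiry(notBefore, authorityExpireDays), principal, publicKey);
        try {
            JcaX509ExtensionUtils utils = extensionUtils();
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    utils.createSubjectKeyIdentifier(publicKey));
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(CA_KEY_USAGE));
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    utils.createAuthorityKeyIdentifier(publicKey));
            return toCertificate(builder.build(contentSigner(privateKey)));
        } catch (CertIOException | OperatorCreationException e) {
            log.error("Error generating CA certificate [{}]", dn, e);
            throw new net.solarnetwork.service.CertificateException("Error signing CA certificate", e);
        }
    }

    /**
     * Issue a certificate for a PKCS#10 request, signed by the given CA.
     *
     * <p>
     * The request's self-signature is verified against the public key it carries before any
     * certificate is issued, so the requester must actually hold the private key. If the PEM
     * object is a certificate (or chain) rather than a request, the first certificate's subject
     * and public key are re-issued instead; no proof of possession is possible on that path.
     * </p>
     *
     * <p>
     * The issued certificate names the CA certificate's <em>subject</em> as issuer. The original
     * used the CA certificate's issuer, which is only correct for self-signed CAs and breaks path
     * building when an intermediate CA signs.
     * </p>
     *
     * @param csr the PEM PKCS#10 request, or its bare base64 body without PEM armour
     * @param caCert the CA certificate whose subject and key identifier the new certificate references
     * @param privateKey the CA private key matching {@code caCert}
     * @return the signed certificate, valid for {@code certificateExpireDays} from now
     * @throws net.solarnetwork.service.CertificateException if the request cannot be parsed, its
     *         signature does not verify, or signing fails
     */
    @Override
    public X509Certificate signCertificate(String csr, X509Certificate caCert, PrivateKey privateKey)
            throws net.solarnetwork.service.CertificateException {
        String pem = ensurePem(csr, "CERTIFICATE REQUEST");
        X500Name subject;
        SubjectPublicKeyInfo subjectKey;
        try (PemReader reader = new PemReader(new StringReader(pem))) {
            PemObject pemObject = reader.readPemObject();
            if (pemObject == null) {
                // the original dereferenced this unconditionally and failed with an NPE
                throw new net.solarnetwork.service.CertificateException("No PEM object found in request");
            }
            log.debug("Parsed PEM type {}", pemObject.getType());
            if ("certificate".equalsIgnoreCase(pemObject.getType())) {
                X509Certificate[] chain = parsePKCS7CertificateChainString(pem);
                if (chain.length == 0) {
                    throw new net.solarnetwork.service.CertificateException("No certificate found in request");
                }
                subject = JcaX500NameUtil.getSubject(chain[0]);
                subjectKey = SubjectPublicKeyInfo.getInstance(chain[0].getPublicKey().getEncoded());
            } else {
                PKCS10CertificationRequest request = new PKCS10CertificationRequest(pemObject.getContent());
                verifyProofOfPossession(request);
                subject = request.getSubject();
                subjectKey = request.getSubjectPublicKeyInfo();
            }
        } catch (IOException e) {
            throw new net.solarnetwork.service.CertificateException("Error signing CSR", e);
        }

        Date notBefore = new Date();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(JcaX500NameUtil.getSubject(caCert),
                nextSerial(), notBefore, expiry(notBefore, certificateExpireDays), subject, subjectKey);
        try {
            JcaX509ExtensionUtils utils = extensionUtils();
            builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    utils.createSubjectKeyIdentifier(subjectKey));
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    utils.createAuthorityKeyIdentifier(caCert));
            return toCertificate(builder.build(contentSigner(privateKey)));
        } catch (OperatorException | CertificateEncodingException | CertIOException e) {
            log.error("Error signing CSR {}", subject, e);
            // the original rethrew only e.getMessage(); keep the cause so callers can diagnose
            throw new net.solarnetwork.service.CertificateException(
                    "Error signing CSR " + subject + ": " + e.getMessage(), e);
        }
    }

    /**
     * Check that a PKCS#10 request is signed by the private key matching its embedded public key.
     *
     * @param request the request to verify
     * @throws net.solarnetwork.service.CertificateException if the signature is invalid or cannot
     *         be checked
     */
    private void verifyProofOfPossession(PKCS10CertificationRequest request) {
        try {
            boolean valid = request.isSignatureValid(new JcaContentVerifierProviderBuilder()
                    .setProvider(BC_PROVIDER).build(request.getSubjectPublicKeyInfo()));
            if (!valid) {
                log.warn("Rejecting CSR for {}: signature does not verify", request.getSubject());
                throw new net.solarnetwork.service.CertificateException(
                        "CSR signature does not verify against its public key");
            }
        } catch (OperatorCreationException | PKCSException e) {
            throw new net.solarnetwork.service.CertificateException("Error verifying CSR signature", e);
        }
    }

    /**
     * Create a PEM PKCS#10 certificate request for an existing certificate's subject and key.
     *
     * @param cert the certificate supplying subject and public key
     * @param privateKey the private key matching the certificate, used to sign the request
     * @return the request as PEM text of type {@code CERTIFICATE REQUEST}
     * @throws net.solarnetwork.service.CertificateException if encoding or signing fails
     */
    @Override
    public String generatePKCS10CertificateRequestString(X509Certificate cert, PrivateKey privateKey)
            throws net.solarnetwork.service.CertificateException {
        JcaX509CertificateHolder holder;
        try {
            holder = new JcaX509CertificateHolder(cert);
        } catch (CertificateEncodingException e) {
            throw new net.solarnetwork.service.CertificateException("Error creating CSR", e);
        }
        PKCS10CertificationRequest request;
        try {
            request = new PKCS10CertificationRequestBuilder(holder.getSubject(), holder.getSubjectPublicKeyInfo())
                    .build(contentSigner(privateKey));
        } catch (OperatorCreationException e) {
            throw new net.solarnetwork.service.CertificateException("Error signing certificate request", e);
        }
        try {
            return writePem("CERTIFICATE REQUEST", request.getEncoded());
        } catch (IOException e) {
            throw new net.solarnetwork.service.CertificateException("Error signing certificate", e);
        }
    }

    /**
     * Insert {@code cert} into {@code ordered} immediately before its issuer, first placing any
     * issuer of its own that is still waiting in {@code bySubject}.
     *
     * <p>
     * The result is leaf-first order (end-entity, intermediates, root). A certificate whose issuer
     * is neither pending nor already ordered is dropped, as in the original; callers should not
     * assume every parsed certificate survives ordering.
     * </p>
     *
     * @param bySubject certificates still to be placed, keyed by subject; {@code cert} is removed
     *        from it before recursing so that cross-signed loops cannot recurse forever
     * @param ordered the list being built
     * @param cert the certificate to place
     */
    private void orderCertificateChain(Map<X500Principal, X509Certificate> bySubject,
            List<X509Certificate> ordered, X509Certificate cert) {
        bySubject.remove(cert.getSubjectX500Principal());
        X509Certificate issuer = bySubject.get(cert.getIssuerX500Principal());
        if (issuer != null) {
            orderCertificateChain(bySubject, ordered, issuer);
        }
        X500Principal issuerName = cert.getIssuerX500Principal();
        for (int i = 0; i < ordered.size(); i++) {
            if (ordered.get(i).getSubjectX500Principal().equals(issuerName)) {
                ordered.add(i, cert);
                break;
            }
        }
    }

    /**
     * Drain {@code bySubject} into {@code ordered} using
     * {@link #orderCertificateChain(Map, List, X509Certificate)}; each call removes at least one
     * entry, so the loop terminates.
     *
     * @param bySubject non-self-signed certificates keyed by subject
     * @param ordered the list seeded with the self-signed root(s)
     */
    private void orderCertificateChain(Map<X500Principal, X509Certificate> bySubject,
            List<X509Certificate> ordered) {
        while (!bySubject.isEmpty()) {
            orderCertificateChain(bySubject, ordered, bySubject.values().iterator().next());
        }
    }

    /**
     * Parse a PEM PKCS#7 certificate chain into an array ordered leaf-first.
     *
     * <p>
     * Self-signed certificates seed the result and the remaining certificates are placed before
     * their issuers. If no self-signed certificate is present the certificates are returned in the
     * order they were parsed.
     * </p>
     *
     * @param chain the PEM text, or its bare base64 body without PEM armour
     * @return the certificates, leaf first; never {@code null}
     * @throws net.solarnetwork.service.CertificateException if the text cannot be read or parsed
     */
    @Override
    public X509Certificate[] parsePKCS7CertificateChainString(String chain)
            throws net.solarnetwork.service.CertificateException {
        String pem = ensurePem(chain, "CERTIFICATE CHAIN");
        List<X509Certificate> ordered = new ArrayList<>(3);
        try (PemReader reader = new PemReader(new StringReader(pem))) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            PemObject pemObject = reader.readPemObject();
            if (pemObject == null) {
                throw new net.solarnetwork.service.CertificateException("No PEM object found in certificate chain");
            }
            log.debug("Parsed PEM type {}", pemObject.getType());
            Collection<? extends Certificate> parsed = factory
                    .generateCertificates(new ByteArrayInputStream(pemObject.getContent()));
            Map<X500Principal, X509Certificate> bySubject = new LinkedHashMap<>();
            for (Certificate parsedCert : parsed) {
                X509Certificate cert = (X509Certificate) parsedCert;
                if (isSelfSigned(cert)) {
                    ordered.add(cert);
                } else {
                    bySubject.put(cert.getSubjectX500Principal(), cert);
                }
            }
            if (ordered.isEmpty()) {
                ordered.addAll(bySubject.values());
            } else {
                orderCertificateChain(bySubject, ordered);
            }
            return ordered.toArray(new X509Certificate[0]);
        } catch (IOException e) {
            throw new net.solarnetwork.service.CertificateException("Error reading certificate", e);
        } catch (CertificateException e) {
            throw new net.solarnetwork.service.CertificateException("Error loading CertificateFactory", e);
        }
    }

    /**
     * Encode a certificate chain as PEM PKCS#7.
     *
     * @param chain the certificates, leaf first
     * @return PEM text of type {@code CERTIFICATE} for a single certificate or
     *         {@code CERTIFICATE CHAIN} for more than one
     * @throws net.solarnetwork.service.CertificateException if encoding fails
     */
    @Override
    public String generatePKCS7CertificateChainString(X509Certificate[] chain)
            throws net.solarnetwork.service.CertificateException {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            String type = chain.length > 1 ? "CERTIFICATE CHAIN" : "CERTIFICATE";
            String pem = writePem(type, path.getEncoded("PKCS7"));
            log.debug("Generated cert chain:\n{}", pem);
            return pem;
        } catch (IOException | CertificateException e) {
            throw new net.solarnetwork.service.CertificateException("Error generating PKCS#7 chain", e);
        }
    }

    /**
     * Set the validity period of end-entity certificates.
     *
     * @param days validity in days from issue; values of zero or less yield already-expired
     *        certificates
     */
    public void setCertificateExpireDays(int days) {
        this.certificateExpireDays = days;
    }

    /**
     * Set the JCA signature algorithm name used for all signing, e.g. {@code SHA256WithRSA}.
     *
     * @param algorithm the algorithm name; it must suit the private keys passed to this service
     */
    public void setSignatureAlgorithm(String algorithm) {
        this.signatureAlgorithm = algorithm;
    }

    /**
     * Set the validity period of CA certificates.
     *
     * @param days validity in days from issue
     */
    public void setAuthorityExpireDays(int days) {
        this.authorityExpireDays = days;
    }

    /** Wrap bare base64 text in PEM armour of the given type; text with a header is returned as-is. */
    private static String ensurePem(String text, String type) {
        if (PEM_HEADER.matcher(text).matches()) {
            return text;
        }
        return "-----BEGIN " + type + "-----\n" + text + "\n-----END " + type + "-----\n";
    }

    /** Next end-entity serial number from the counter. */
    private BigInteger nextSerial() {
        return BigInteger.valueOf(counter.incrementAndGet());
    }

    /** {@code from} plus {@code days}, computed in 64-bit arithmetic. */
    private static Date expiry(Date from, int days) {
        return new Date(from.getTime() + MILLIS_PER_DAY * days);
    }

    /** Whether the certificate's subject and issuer names are the same principal. */
    private static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    /** Content signer for the configured signature algorithm and the given key. */
    private org.bouncycastle.operator.ContentSigner contentSigner(PrivateKey privateKey)
            throws OperatorCreationException {
        return new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey);
    }

    /** Extension helper using SHA-256 key identifiers computed by the Bouncy Castle provider. */
    private static JcaX509ExtensionUtils extensionUtils() throws OperatorCreationException {
        return new JcaX509ExtensionUtils(new JcaDigestCalculatorProviderBuilder().setProvider(BC_PROVIDER)
                .build().get(new DefaultDigestAlgorithmIdentifierFinder().find("SHA-256")));
    }

    /**
     * Convert a Bouncy Castle certificate holder to a JCA certificate.
     *
     * @throws net.solarnetwork.service.CertificateException if conversion fails
     */
    private static X509Certificate toCertificate(X509CertificateHolder holder) {
        try {
            return new JcaX509CertificateConverter().getCertificate(holder);
        } catch (CertificateException e) {
            throw new net.solarnetwork.service.CertificateException("Error creating certificate", e);
        }
    }

    /** Write one PEM object of the given type and DER content to a string, closing the writer. */
    private static String writePem(String type, byte[] content) throws IOException {
        StringWriter out = new StringWriter();
        try (PemWriter writer = new PemWriter(out)) {
            writer.writeObject(new PemObject(type, content));
        }
        return out.toString();
    }
}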
