package org.openlca.license.certificate;

import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:org/openlca/license/certificate/CertificateGenerator.class */
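/**
 * Issues X.509 v3 end-entity certificates for licenses, signed with the key
 * pair of a certificate authority (CA).
 *
 * <p>Security-relevant properties of the issued certificates, as established
 * by this class:
 * <ul>
 *   <li>the issuer is the subject of the CA certificate passed to the
 *       constructor;</li>
 *   <li>the signature algorithm is {@code SHA256withRSA};</li>
 *   <li>{@code basicConstraints} is critical with {@code cA=false}, so an
 *       issued certificate cannot itself be used to sign further
 *       certificates;</li>
 *   <li>{@code keyUsage} is limited to {@code digitalSignature};</li>
 *   <li>the serial number is a strictly positive random integer, as required
 *       by RFC 5280, section 4.1.2.2.</li>
 * </ul>
 *
 * <p>The content signer is created lazily and cached in a plain field without
 * synchronization. NOTE(review): an instance should presumably be confined to
 * one thread at a time; confirm against the callers.
 *
 * <p>This class holds the CA private key (through {@code keyPairCA}) for its
 * whole lifetime. Keep instances short-lived and never log or serialize them.
 */
public class CertificateGenerator {
    private static final String BC = "BC";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----\n";
    private static final String END = "\n-----END CERTIFICATE-----";

    /**
     * Number of random bits in a serial number. 63 bits keeps every serial
     * inside the positive half of the {@code long} range the previous
     * implementation drew from, so consumers that store the serial as a
     * {@code long} keep working. NOTE(review): widen this if a policy that
     * applies to these certificates asks for at least 64 bits of CSPRNG
     * output in the serial.
     */
    private static final int SERIAL_NUMBER_BITS = 63;

    /** Shared CSPRNG; {@link SecureRandom} is safe for concurrent use. */
    private static final SecureRandom RANDOM = new SecureRandom();

    static {
        // Registers Bouncy Castle so that the "BC" provider name used below
        // resolves. addProvider is a no-op if the provider is already installed.
        Security.addProvider(new BouncyCastleProvider());
    }

    private final X509CertificateHolder certAuth;
    private final KeyPair keyPairCA;
    private ContentSigner csrContentSigner;

    /**
     * Creates a generator that issues certificates on behalf of the given CA.
     *
     * @param x509CertificateHolder the CA certificate; its subject becomes the
     *        issuer of every generated certificate
     * @param keyPair the CA key pair; the private key signs the certificates
     *        and the public key is used to verify them after creation
     */
    public CertificateGenerator(X509CertificateHolder x509CertificateHolder, KeyPair keyPair) {
        this.certAuth = x509CertificateHolder;
        this.keyPairCA = keyPair;
    }

    /**
     * Issues a certificate for the given subject and public key.
     *
     * <p>Only the public half of {@code keyPair} is used. The freshly built
     * certificate is verified against the CA public key before it is
     * returned, so a signer/key mismatch is detected here rather than by the
     * license consumer.
     *
     * @param certificateInfo subject and validity period of the certificate
     * @param keyPair key pair of the license subject
     * @return the signed and verified certificate
     * @throws RuntimeException if the subject is incomplete, or if building,
     *         converting or verifying the certificate fails
     */
    public X509Certificate createCertificate(CertificateInfo certificateInfo, KeyPair keyPair) {
        try {
            PKCS10CertificationRequest request = createCSR(certificateInfo, keyPair.getPublic());
            X509v3CertificateBuilder builder = getCertBuilder(certificateInfo, request);
            addExtensions(builder, request);
            // Go through the accessor instead of reading the field directly, so
            // this method does not depend on createCSR having initialized it.
            ContentSigner signer = getCsrContentSigner();
            X509Certificate certificate = new JcaX509CertificateConverter()
                    .setProvider(BC)
                    .getCertificate(builder.build(signer));
            certificate.verify(this.keyPairCA.getPublic(), BC);
            return certificate;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                | SignatureException | CertificateException e) {
            throw new RuntimeException("Error while creating the license certificate.", e);
        }
    }

    /**
     * Adds the fixed extension set of a license certificate to the builder.
     *
     * @param builder the certificate builder to extend
     * @param request the request that carries the subject public key
     * @throws RuntimeException if an extension cannot be created or encoded
     */
    private void addExtensions(X509v3CertificateBuilder builder, PKCS10CertificationRequest request) {
        try {
            JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            X509Certificate caCertificate = new JcaX509CertificateConverter().getCertificate(this.certAuth);

            // Critical, cA=false: the issued certificate is an end-entity
            // certificate and must not be accepted as an issuer.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                    extensionUtils.createAuthorityKeyIdentifier(caCertificate));
            builder.addExtension(Extension.subjectKeyIdentifier, false,
                    extensionUtils.createSubjectKeyIdentifier(request.getSubjectPublicKeyInfo()));
            // KeyUsage.digitalSignature is the named constant for the former
            // literal 128. The extension is non-critical, as before.
            builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature));
        } catch (NoSuchAlgorithmException | CertIOException | CertificateException e) {
            throw new RuntimeException("Error while adding the extensions to the license certificate.", e);
        }
    }

    /**
     * Returns the content signer backed by the CA private key, creating it on
     * first use.
     *
     * @return the cached signer
     * @throws RuntimeException if the signer cannot be created
     */
    private ContentSigner getCsrContentSigner() {
        if (this.csrContentSigner == null) {
            JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM);
            signerBuilder.setProvider(BC);
            try {
                this.csrContentSigner = signerBuilder.build(this.keyPairCA.getPrivate());
            } catch (OperatorCreationException e) {
                throw new RuntimeException("Error while creating the CST content signer.", e);
            }
        }
        return this.csrContentSigner;
    }

    /**
     * Creates the certificate builder with issuer, serial number, validity
     * period, subject and subject public key.
     *
     * @param certificateInfo source of the validity period
     * @param request source of the subject name and subject public key
     * @return a builder without extensions
     */
    private X509v3CertificateBuilder getCertBuilder(CertificateInfo certificateInfo, PKCS10CertificationRequest request) {
        return new X509v3CertificateBuilder(
                this.certAuth.getSubject(),
                newSerialNumber(),
                certificateInfo.notBefore(),
                certificateInfo.notAfter(),
                request.getSubject(),
                request.getSubjectPublicKeyInfo());
    }

    /**
     * Draws a random, strictly positive serial number.
     *
     * <p>The previous implementation used {@code SecureRandom.nextLong()}
     * directly, which produces a negative value about half of the time;
     * RFC 5280 requires the serial number to be a positive integer and strict
     * validators reject other values.
     */
    private static BigInteger newSerialNumber() {
        BigInteger serial;
        do {
            // BigInteger(numBits, rnd) is uniform over [0, 2^numBits - 1].
            serial = new BigInteger(SERIAL_NUMBER_BITS, RANDOM);
        } while (serial.signum() == 0);
        return serial;
    }

    /**
     * Builds the PKCS#10 request that carries the subject name and public key
     * into the certificate builder.
     *
     * <p>The request is signed with the CA private key, not with the private
     * key of the subject. It is therefore an internal container only and is
     * not a proof of possession of the subject key; do not hand it to code
     * that validates CSR signatures against the subject public key.
     *
     * @param certificateInfo source of the subject
     * @param publicKey the subject public key
     * @return the request
     * @throws RuntimeException if the user name or email is null or empty, or
     *         if the subject yields an X.500 name without any RDN
     */
    private PKCS10CertificationRequest createCSR(CertificateInfo certificateInfo, PublicKey publicKey) {
        String userName = certificateInfo.subject().userName();
        String email = certificateInfo.subject().email();
        boolean userNameMissing = userName == null || userName.isEmpty();
        boolean emailMissing = email == null || email.isEmpty();
        if (userNameMissing || emailMissing) {
            throw new RuntimeException("Error while creating the CSR, the user name and the email cannot be null or empty.");
        }
        // NOTE(review): the subject fields end up in the distinguished name of
        // a signed certificate; how they are escaped is decided by
        // asX500Name(), which is not visible here. Confirm it before feeding
        // it user-controlled input.
        X500Name subjectName = certificateInfo.subject().asX500Name();
        if (subjectName.getRDNs().length == 0) {
            throw new RuntimeException("Error while processing the X500 name of the license subject: " + certificateInfo.subject().asRDNString());
        }
        return new JcaPKCS10CertificationRequestBuilder(subjectName, publicKey).build(getCsrContentSigner());
    }

    /**
     * Encodes a certificate as Base64 between the PEM certificate markers.
     *
     * <p>The Base64 body is emitted as one line, without the 64-character
     * line wrapping that strict PEM parsers expect.
     *
     * @param x509Certificate the certificate to encode
     * @return the armored certificate
     * @throws CertificateEncodingException if the certificate cannot be DER
     *         encoded
     */
    public static String toBase64(X509Certificate x509Certificate) throws CertificateEncodingException {
        // toBase64String avoids new String(byte[]), which decodes with the
        // platform default charset.
        return BEGIN + Base64.toBase64String(x509Certificate.getEncoded()) + END;
    }
}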
