package org.xipki.ca.server.mgmt;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.CaUris;
import org.xipki.ca.api.PublicCaInfo;
import org.xipki.ca.api.mgmt.entry.CaEntry;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.sdk.CaAuditConstants;
import org.xipki.ca.server.CaUtil;
import org.xipki.ca.server.IdentifiedCertprofile;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.StringUtil;
import org.xipki.util.Validity;
import org.xipki.util.exception.BadCertTemplateException;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.InvalidConfException;
import org.xipki.util.exception.ObjectCreationException;
import org.xipki.util.exception.OperationException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/mgmt/SelfSignedCertBuilder.class */
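public class SelfSignedCertBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(SelfSignedCertBuilder.class);

    /**
     * Outcome of {@link #generateSelfSigned}: the signer configuration that was handed in and the
     * self-signed root certificate that was produced with it.
     */
    public static class GenerateSelfSignedResult {
        private final String signerConf;
        private final X509Cert cert;

        GenerateSelfSignedResult(String signerConf, X509Cert cert) {
            this.signerConf = signerConf;
            this.cert = cert;
        }

        /** Returns the (unmodified) signer configuration the certificate was generated with. */
        public String getSignerConf() {
            return this.signerConf;
        }

        /** Returns the generated self-signed certificate. */
        public X509Cert getCert() {
            return this.cert;
        }
    }

    /** Static utility; not instantiable. */
    private SelfSignedCertBuilder() {
    }

    /**
     * Generates a self-signed root CA certificate with the CA's own signer.
     *
     * <p>Before any key is touched the inputs are validated: the serial number must be strictly
     * positive, the profile must be of level {@code RootCA}, and keystore-backed signer types
     * ({@code PKCS12}, {@code JCEKS}) must name a {@code keystore} in their configuration.
     * The signer configuration actually used is the first entry of {@code signerConf} whose
     * algorithm is allowed by the profile (see {@link #selectSignerConf}).
     *
     * @param securityFactory factory that instantiates the signer; not {@code null}
     * @param signerType      signer type, e.g. {@code PKCS12} or {@code JCEKS}; not blank
     * @param signerConf      CA signer configuration, possibly holding several per-algorithm
     *                        entries (split by {@link CaEntry#splitCaSignerConfs})
     * @param certprofile     the certificate profile; must be of level {@code RootCA}
     * @param subject         requested subject DN as a string; not blank
     * @param serialNumber    serial number of the certificate; must be positive
     * @param caUris          CA URIs published in the certificate (passed through to the profile)
     * @param extraControl    additional control pairs passed through to the profile
     * @param notBefore       requested notBefore, may be {@code null} (the profile then decides)
     * @param notAfter        requested notAfter, may be {@code null}; never extended beyond the
     *                        validity defined by the profile
     * @return the signer configuration together with the generated certificate
     * @throws IllegalArgumentException if the serial number is not positive or the profile is
     *                                  not a root-CA profile
     * @throws InvalidConfException     if a keystore-backed signer type lacks the {@code keystore}
     *                                  parameter
     * @throws OperationException       if no usable signer configuration exists, the signer cannot
     *                                  be created, or certificate generation fails
     */
    public static GenerateSelfSignedResult generateSelfSigned(SecurityFactory securityFactory, String signerType,
            String signerConf, IdentifiedCertprofile certprofile, String subject, BigInteger serialNumber,
            CaUris caUris, ConfPairs extraControl, Instant notBefore, Instant notAfter)
            throws OperationException, InvalidConfException {
        Args.notNull(securityFactory, "securityFactory");
        Args.notBlank(signerType, "signerType");
        Args.notBlank(subject, CaAuditConstants.NAME_subject);
        Args.notNull(serialNumber, "serialNumber");
        // A certificate serial number must be a positive integer (RFC 5280, section 4.1.2.2).
        if (serialNumber.signum() != 1) {
            throw new IllegalArgumentException("serialNumber may not be non-positive: " + serialNumber);
        }
        Args.notNull(certprofile, CaAuditConstants.NAME_certprofile);
        // Only a root-CA profile may produce a self-signed certificate.
        if (Certprofile.CertLevel.RootCA != certprofile.getCertLevel()) {
            throw new IllegalArgumentException("certprofile is not of level " + Certprofile.CertLevel.RootCA);
        }
        if (StringUtil.orEqualsIgnoreCase(signerType, "PKCS12", "JCEKS")
                && new ConfPairs(signerConf).value("keystore") == null) {
            throw new InvalidConfException("required parameter 'keystore' for types PKCS12 and JCEKS, is not specified");
        }

        try {
            List<CaEntry.CaSignerConf> signerConfs = CaEntry.splitCaSignerConfs(signerConf);
            // Guard against an empty split result; the previous unchecked get(0) would have surfaced
            // as an IndexOutOfBoundsException instead of a meaningful error.
            if (signerConfs.isEmpty()) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "no CA signer configuration specified");
            }
            String selectedConf = selectSignerConf(signerConfs, certprofile.getSignatureAlgorithms());
            if (selectedConf == null) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                        "CA does not support any signature algorithm restricted by the cert profile");
            }
            ConcurrentContentSigner signer =
                    securityFactory.createSigner(signerType, new SignerConf(selectedConf), (X509Cert[]) null);
            X509Cert cert = generateCertificate(signer, certprofile, subject, serialNumber, caUris, extraControl,
                    notBefore, notAfter);
            return new GenerateSelfSignedResult(signerConf, cert);
        } catch (XiSecurityException | ObjectCreationException e) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        }
    }

    /**
     * Chooses the signer configuration entry to use.
     *
     * <p>Without algorithm restriction from the profile the first entry is used. Otherwise the
     * restricted algorithms are walked in list order (presumably the profile's preference order;
     * confirm against {@code Certprofile}), and for each algorithm only the first entry with that
     * algorithm is considered; if that entry carries no configuration the next algorithm is tried.
     *
     * @param signerConfs     split signer configuration entries; not empty
     * @param restrictedAlgos signature algorithms allowed by the profile; may be {@code null} or empty
     * @return the selected configuration string, or {@code null} if no entry matches
     */
    private static String selectSignerConf(List<CaEntry.CaSignerConf> signerConfs, List<SignAlgo> restrictedAlgos) {
        if (CollectionUtil.isEmpty(restrictedAlgos)) {
            return signerConfs.get(0).getConf();
        }
        for (SignAlgo algo : restrictedAlgos) {
            for (CaEntry.CaSignerConf entry : signerConfs) {
                // identity comparison kept from the original; correct if SignAlgo is an enum — confirm
                if (entry.getAlgo() == algo) {
                    if (entry.getConf() != null) {
                        return entry.getConf();
                    }
                    break; // first entry for this algorithm has no conf: try the next algorithm
                }
            }
        }
        return null;
    }

    /**
     * Builds and signs the self-signed certificate: issuer and subject are the same granted DN,
     * and the public key is the signer's own key in RFC 3279 encoding.
     *
     * <p>Checks performed on the way: the signer's public key must survive the re-encoding
     * round trip unchanged, the profile must accept the key and the subject, and the requested
     * notAfter is capped at the validity the profile defines. The borrowed signer is always
     * returned to its pool.
     *
     * @param signer             the CA's own content signer (its key becomes the certificate key)
     * @param certprofile        root-CA profile supplying subject, validity and extensions
     * @param subject            requested subject DN string
     * @param serialNumber       certificate serial number
     * @param caUris             CA URIs made available to the profile's extension builder
     * @param extraControl       extra control pairs made available to the profile
     * @param requestedNotBefore requested notBefore, may be {@code null}
     * @param requestedNotAfter  requested notAfter, may be {@code null}
     * @return the signed certificate
     * @throws OperationException with {@code BAD_REQUEST} if the token key and the encoded key
     *                            differ, {@code BAD_CERT_TEMPLATE} if the profile rejects key,
     *                            subject or validity, and {@code SYSTEM_FAILURE} otherwise
     */
    private static X509Cert generateCertificate(ConcurrentContentSigner signer, IdentifiedCertprofile certprofile,
            String subject, BigInteger serialNumber, CaUris caUris, ConfPairs extraControl,
            Instant requestedNotBefore, Instant requestedNotAfter) throws OperationException {
        SubjectPublicKeyInfo publicKeyInfo;
        try {
            publicKeyInfo = X509Util.toRfc3279Style(KeyUtil.createSubjectPublicKeyInfo(signer.getPublicKey()));
        } catch (InvalidKeyException e) {
            LOG.warn("KeyUtil.createSubjectPublicKeyInfo", e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        } catch (InvalidKeySpecException e) {
            LOG.warn("SecurityUtil.toRfc3279Style", e);
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e);
        }

        // The key written into the certificate must be exactly the key the token signs with.
        try {
            if (!signer.getPublicKey().equals(KeyUtil.generatePublicKey(publicKeyInfo))) {
                throw new OperationException(ErrorCode.BAD_REQUEST,
                        "Public keys of the signer's token and of CSR are different");
            }
        } catch (InvalidKeySpecException e) {
            // Previously only e.getMessage() was propagated; keep the cause for diagnostics.
            LOG.warn("KeyUtil.generatePublicKey", e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        }

        try {
            certprofile.checkPublicKey(publicKeyInfo);
        } catch (CertprofileException e) {
            LOG.warn("certprofile.checkPublicKey", e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                    "exception in cert profile " + certprofile.getIdent());
        } catch (BadCertTemplateException e) {
            LOG.warn("certprofile.checkPublicKey", e);
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e);
        }

        X500Name requestedSubject = new X500Name(subject);
        X500Name grantedSubject;
        Instant notBefore;
        Instant notAfter;
        try {
            Certprofile.SubjectInfo subjectInfo = certprofile.getSubject(requestedSubject, publicKeyInfo);
            grantedSubject = subjectInfo.getGrantedSubject();
            notBefore = certprofile.getNotBefore(requestedNotBefore);
            if (notBefore == null) {
                notBefore = Instant.now();
            }
            Validity validity = certprofile.getValidity();
            if (validity == null) {
                throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE,
                        "no validity specified in the profile " + certprofile.getIdent());
            }
            notAfter = clampNotAfter(requestedNotAfter, validity.add(notBefore));
        } catch (CertprofileException e) {
            LOG.warn("certprofile.getSubject", e);
            throw new OperationException(ErrorCode.SYSTEM_FAILURE,
                    "exception in cert profile " + certprofile.getIdent());
        } catch (BadCertTemplateException e) {
            LOG.warn("certprofile.getSubject", e);
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e);
        }

        // Self-signed: the granted subject serves as issuer and as subject.
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(grantedSubject, serialNumber,
                Date.from(notBefore), Date.from(notAfter), grantedSubject, publicKeyInfo);
        try {
            PublicCaInfo caInfo = new PublicCaInfo(grantedSubject, grantedSubject, serialNumber, null,
                    certprofile.getSubjectKeyIdentifier(publicKeyInfo).getKeyIdentifier(), caUris, extraControl);
            CaUtil.addExtensions(certprofile.getExtensions(requestedSubject, grantedSubject, null, publicKeyInfo,
                    caInfo, null, notBefore, notAfter), builder);
            return new X509Cert(sign(signer, builder));
        } catch (IOException | CertprofileException | NoIdleSignerException e) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e);
        } catch (BadCertTemplateException e) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e);
        }
    }

    /**
     * Returns the requested notAfter unless it is absent or later than the limit derived from the
     * profile validity, in which case the limit wins.
     */
    private static Instant clampNotAfter(Instant requested, Instant limit) {
        return (requested == null || requested.isAfter(limit)) ? limit : requested;
    }

    /**
     * Signs the certificate with a signer borrowed from the pool and returns it to the pool on
     * every exit path.
     *
     * @throws NoIdleSignerException if no signer can be borrowed (assumed to come from
     *                               {@code borrowSigner}; confirm)
     */
    private static X509CertificateHolder sign(ConcurrentContentSigner signer, X509v3CertificateBuilder builder)
            throws NoIdleSignerException {
        ConcurrentBagEntrySigner borrowed = signer.borrowSigner();
        try {
            return builder.build(borrowed.value());
        } finally {
            signer.requiteSigner(borrowed);
        }
    }
}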
