package org.xipki.ca.server;

import java.io.IOException;
import java.security.spec.InvalidKeySpecException;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
import org.bouncycastle.asn1.pkcs.RSAPublicKey;
import org.bouncycastle.asn1.sec.ECPrivateKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ca.api.NameId;
import org.xipki.ca.api.mgmt.ValidityMode;
import org.xipki.ca.api.profile.Certprofile;
import org.xipki.ca.api.profile.CertprofileException;
import org.xipki.ca.api.profile.KeypairGenControl;
import org.xipki.ca.api.profile.NotAfterMode;
import org.xipki.ca.server.X509Ca;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.EdECConstants;
import org.xipki.security.KeypairGenerator;
import org.xipki.security.XiSecurityException;
import org.xipki.security.util.RSABrokenKey;
import org.xipki.security.util.X509Util;
import org.xipki.util.LogUtil;
import org.xipki.util.Validity;
import org.xipki.util.exception.BadCertTemplateException;
import org.xipki.util.exception.ErrorCode;
import org.xipki.util.exception.OperationException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/ca-server-6.4.0.jar:org/xipki/ca/server/GrandCertTemplateBuilder.class */
public class GrandCertTemplateBuilder {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GrandCertTemplateBuilder.class);
    private static final Instant MAX_CERT_TIME = ZonedDateTime.of(9999, 12, 31, 23, 59, 59, 0, ZoneOffset.UTC).toInstant();
    private final ASN1ObjectIdentifier keyAlgOidByImplicitCA;
    private final String keyspecByImplicitCA;
    private final CaInfo caInfo;

    /* JADX INFO: Access modifiers changed from: package-private */
    public GrandCertTemplateBuilder(CaInfo caInfo) {
        this.caInfo = caInfo;
        this.keyspecByImplicitCA = caInfo.getCaKeyspec();
        this.keyAlgOidByImplicitCA = caInfo.getCaKeyAlgId().getAlgorithm();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public X509Ca.GrantedCertTemplate create(boolean z, IdentifiedCertprofile identifiedCertprofile, CertTemplateData certTemplateData, List<KeypairGenerator> list) throws OperationException {
        SubjectPublicKeyInfo rfc3279Style;
        X500Name grantedSubject;
        Instant notAfter;
        String keyspec;
        ASN1ObjectIdentifier keyAlgorithmOid;
        byte[] bytes;
        if (this.caInfo.getRevocationInfo() != null) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "CA is revoked");
        }
        if (identifiedCertprofile == null) {
            throw new OperationException(ErrorCode.UNKNOWN_CERT_PROFILE, "unknown cert profile " + certTemplateData.getCertprofileName());
        }
        ConcurrentContentSigner signer = this.caInfo.getSigner(identifiedCertprofile.getSignatureAlgorithms());
        if (signer == null) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "CA does not support any signature algorithm restricted by the cert profile");
        }
        NameId ident = identifiedCertprofile.getIdent();
        if (identifiedCertprofile.getVersion() != Certprofile.X509CertVersion.v3) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "unknown cert version " + identifiedCertprofile.getVersion());
        }
        switch (identifiedCertprofile.getCertLevel()) {
            case RootCA:
                throw new OperationException(ErrorCode.NOT_PERMITTED, "CA is not allowed to generate Root CA certificate");
            case SubCA:
            case CROSS:
                Integer pathLenBasicConstraint = identifiedCertprofile.getPathLenBasicConstraint();
                int pathLenConstraint = this.caInfo.getPathLenConstraint();
                if (!((pathLenBasicConstraint == null && pathLenConstraint == Integer.MAX_VALUE) || (pathLenBasicConstraint != null && pathLenBasicConstraint.intValue() < pathLenConstraint))) {
                    throw new OperationException(ErrorCode.NOT_PERMITTED, "invalid BasicConstraint.pathLenConstraint");
                }
                break;
        }
        boolean isForCrossCert = certTemplateData.isForCrossCert();
        X500Name subject = isForCrossCert ? certTemplateData.getSubject() : CaUtil.removeEmptyRdns(certTemplateData.getSubject());
        Instant notBefore = identifiedCertprofile.getNotBefore(certTemplateData.getNotBefore());
        Instant minus = Instant.now().minus(10L, (TemporalUnit) ChronoUnit.MINUTES);
        if (notBefore.isBefore(minus)) {
            notBefore = minus;
        }
        if (notBefore.isAfter(this.caInfo.getNoNewCertificateAfter())) {
            throw new OperationException(ErrorCode.NOT_PERMITTED, "CA is not permitted to issue certificate after " + this.caInfo.getNoNewCertificateAfter());
        }
        if (notBefore.isBefore(this.caInfo.getNotBefore())) {
            notBefore = this.caInfo.getNotBefore();
        }
        PrivateKeyInfo privateKeyInfo = null;
        if (certTemplateData.getPublicKeyInfo() != null) {
            try {
                rfc3279Style = X509Util.toRfc3279Style(certTemplateData.getPublicKeyInfo());
                if (rfc3279Style.getAlgorithm().getAlgorithm().equals(PKCSObjectIdentifiers.rsaEncryption)) {
                    try {
                        ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(rfc3279Style.getPublicKeyData().getOctets());
                        if (aSN1Sequence.size() != 2) {
                            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "invalid format of RSA public key");
                        }
                        if (RSABrokenKey.isAffected(ASN1Integer.getInstance(aSN1Sequence.getObjectAt(0)).getPositiveValue())) {
                            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "RSA public key is too weak");
                        }
                    } catch (IllegalArgumentException e) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "invalid format of RSA public key");
                    }
                }
            } catch (InvalidKeySpecException e2) {
                LogUtil.warn(LOG, e2, "invalid SubjectPublicKeyInfo");
                throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "invalid SubjectPublicKeyInfo");
            }
        } else {
            if (!certTemplateData.isServerkeygen()) {
                throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no public key is specified");
            }
            KeypairGenControl keypairGenControl = identifiedCertprofile.getKeypairGenControl();
            if (keypairGenControl == null || (keypairGenControl instanceof KeypairGenControl.ForbiddenKeypairGenControl)) {
                throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no public key is specified");
            }
            if (keypairGenControl instanceof KeypairGenControl.InheritCAKeypairGenControl) {
                keyspec = this.keyspecByImplicitCA;
                keyAlgorithmOid = this.keyAlgOidByImplicitCA;
            } else {
                keyspec = keypairGenControl.getKeyspec();
                keyAlgorithmOid = keypairGenControl.getKeyAlgorithmOid();
            }
            KeypairGenerator keypairGenerator = null;
            if (list != null) {
                Iterator<KeypairGenerator> it = list.iterator();
                while (true) {
                    if (it.hasNext()) {
                        KeypairGenerator next = it.next();
                        if (next.supports(keyspec)) {
                            keypairGenerator = next;
                        }
                    }
                }
            }
            if (keypairGenerator == null) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "found no keypair generator for keyspec " + keyspec);
            }
            String name = keypairGenerator.getName();
            try {
                privateKeyInfo = keypairGenerator.generateKeypair(keyspec);
                LOG.info("generated keypair {} with generator {}", keyspec, name);
                if (!privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm().equals(keyAlgorithmOid)) {
                    ASN1BitString publicKeyData = privateKeyInfo.getPublicKeyData();
                    try {
                        privateKeyInfo = new PrivateKeyInfo(new AlgorithmIdentifier(keyAlgorithmOid, privateKeyInfo.getPrivateKeyAlgorithm().getParameters()), privateKeyInfo.getPrivateKey().toASN1Primitive(), privateKeyInfo.getAttributes(), publicKeyData == null ? null : publicKeyData.getOctets());
                    } catch (IOException e3) {
                        throw new OperationException(ErrorCode.SYSTEM_FAILURE, e3);
                    }
                }
                String upperCase = keyspec.split("/")[0].toUpperCase(Locale.ROOT);
                boolean z2 = -1;
                switch (upperCase.hashCode()) {
                    case -1727794526:
                        if (upperCase.equals(EdECConstants.X25519)) {
                            z2 = 5;
                            break;
                        }
                        break;
                    case -1192165701:
                        if (upperCase.equals(EdECConstants.ED25519)) {
                            z2 = 3;
                            break;
                        }
                        break;
                    case 2206:
                        if (upperCase.equals("EC")) {
                            z2 = true;
                            break;
                        }
                        break;
                    case 67986:
                        if (upperCase.equals("DSA")) {
                            z2 = 2;
                            break;
                        }
                        break;
                    case 81440:
                        if (upperCase.equals("RSA")) {
                            z2 = false;
                            break;
                        }
                        break;
                    case 2673248:
                        if (upperCase.equals(EdECConstants.X448)) {
                            z2 = 6;
                            break;
                        }
                        break;
                    case 65800377:
                        if (upperCase.equals(EdECConstants.ED448)) {
                            z2 = 4;
                            break;
                        }
                        break;
                }
                switch (z2) {
                    case false:
                        RSAPrivateKey rSAPrivateKey = RSAPrivateKey.getInstance(privateKeyInfo.getPrivateKey().getOctets());
                        try {
                            bytes = new RSAPublicKey(rSAPrivateKey.getModulus(), rSAPrivateKey.getPublicExponent()).getEncoded();
                            break;
                        } catch (IOException e4) {
                            throw new OperationException(ErrorCode.SYSTEM_FAILURE, e4);
                        }
                    case true:
                        bytes = ECPrivateKey.getInstance(privateKeyInfo.getPrivateKey().getOctets()).getPublicKey().getBytes();
                        break;
                    case true:
                    case true:
                    case true:
                    case true:
                    case true:
                        bytes = privateKeyInfo.getPublicKeyData().getBytes();
                        break;
                    default:
                        throw new IllegalStateException("unknown key type " + upperCase);
                }
                try {
                    rfc3279Style = X509Util.toRfc3279Style(new SubjectPublicKeyInfo(privateKeyInfo.getPrivateKeyAlgorithm(), bytes));
                } catch (InvalidKeySpecException e5) {
                    throw new OperationException(ErrorCode.SYSTEM_FAILURE, e5);
                }
            } catch (XiSecurityException e6) {
                String str = "error generating keypair " + keyspec + " using generator " + name;
                LogUtil.error(LOG, e6, str);
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, str);
            }
        }
        try {
            SubjectPublicKeyInfo checkPublicKey = identifiedCertprofile.checkPublicKey(rfc3279Style);
            StringBuilder sb = new StringBuilder();
            try {
                Certprofile.SubjectInfo subject2 = identifiedCertprofile.getSubject(subject, checkPublicKey);
                if (!isForCrossCert) {
                    grantedSubject = subject2.getGrantedSubject();
                    if (subject2.getWarning() != null) {
                        sb.append(", ").append(subject2.getWarning());
                    }
                } else {
                    if (!X509Util.canonicalizeName(subject2.getGrantedSubject()).equals(X509Util.canonicalizeName(subject))) {
                        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "subject did not match the certificate profile");
                    }
                    grantedSubject = subject;
                }
                if (X509Util.canonicalizeName(grantedSubject).equals(this.caInfo.getPublicCaInfo().getC14nSubject())) {
                    throw new OperationException(ErrorCode.ALREADY_ISSUED, "certificate with the same subject as CA is not allowed");
                }
                if (identifiedCertprofile.hasNoWellDefinedExpirationDate()) {
                    notAfter = MAX_CERT_TIME;
                } else {
                    Validity validity = identifiedCertprofile.getValidity();
                    if (validity == null) {
                        validity = this.caInfo.getMaxValidity();
                    } else if (validity.compareTo(this.caInfo.getMaxValidity()) > 0) {
                        validity = this.caInfo.getMaxValidity();
                    }
                    Instant add = validity.add(notBefore);
                    if (add.isAfter(MAX_CERT_TIME)) {
                        add = MAX_CERT_TIME;
                    }
                    notAfter = certTemplateData.getNotAfter();
                    if (notAfter == null) {
                        notAfter = add;
                    } else if (notAfter.isAfter(add)) {
                        notAfter = add;
                        sb.append(", notAfter modified");
                    }
                    if (notAfter.isAfter(this.caInfo.getNotAfter())) {
                        ValidityMode validityMode = this.caInfo.getValidityMode();
                        NotAfterMode notAfterMode = identifiedCertprofile.getNotAfterMode();
                        if (notAfterMode == null) {
                            notAfterMode = NotAfterMode.BY_CA;
                        }
                        if (notAfterMode == NotAfterMode.STRICT) {
                            throw new OperationException(ErrorCode.NOT_PERMITTED, "notAfter outside of CA's validity is not permitted by the CertProfile");
                        }
                        if (validityMode == ValidityMode.STRICT) {
                            throw new OperationException(ErrorCode.NOT_PERMITTED, "notAfter outside of CA's validity is not permitted by the CA");
                        }
                        if (validityMode == ValidityMode.CUTOFF) {
                            notAfter = this.caInfo.getNotAfter();
                        } else {
                            if (validityMode != ValidityMode.LAX) {
                                throw new IllegalStateException("should not reach here, CA ValidityMode " + validityMode + " CertProfile NotAfterMode " + notAfterMode);
                            }
                            if (notAfterMode == NotAfterMode.CUTOFF) {
                                notAfter = this.caInfo.getNotAfter();
                            }
                        }
                    }
                }
                String str2 = null;
                if (sb.length() > 2) {
                    str2 = sb.substring(2);
                }
                X509Ca.GrantedCertTemplate grantedCertTemplate = new X509Ca.GrantedCertTemplate(z, certTemplateData.getCertReqId(), certTemplateData.getExtensions(), identifiedCertprofile, notBefore, notAfter, subject, checkPublicKey, privateKeyInfo, signer, str2);
                grantedCertTemplate.setGrantedSubject(grantedSubject);
                return grantedCertTemplate;
            } catch (CertprofileException e7) {
                throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + ident);
            } catch (BadCertTemplateException e8) {
                throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e8);
            }
        } catch (CertprofileException e9) {
            throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + ident);
        } catch (BadCertTemplateException e10) {
            throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e10);
        }
    }
}
