package org.xipki.scep.serveremulator;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.jcajce.provider.asymmetric.dsa.DSAUtil;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcContentVerifierProviderBuilder;
import org.bouncycastle.operator.bc.BcDSAContentVerifierProviderBuilder;
import org.bouncycastle.operator.bc.BcECContentVerifierProviderBuilder;
import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.scep.crypto.ScepHashAlgo;
import org.xipki.scep.util.ScepUtil;

/* loaded from: input_file:org/xipki/scep/serveremulator/CaEmulator.class */
public class CaEmulator {
    public static final long MIN_IN_MS = 60000;
    public static final long DAY_IN_MS = 86400000;
    private static final Logger LOG = LoggerFactory.getLogger(CaEmulator.class);
    private static final DefaultDigestAlgorithmIdentifierFinder DFLT_DIGESTALG_IDENTIFIER_FINDER = new DefaultDigestAlgorithmIdentifierFinder();
    private static final Map<String, BcContentVerifierProviderBuilder> VERIFIER_PROVIDER_BUILDER = new HashMap();
    private final PrivateKey caKey;
    private final Certificate caCert;
    private final X500Name caSubject;
    private final byte[] caCertBytes;
    private final boolean generateCrl;
    private final Map<BigInteger, Certificate> serialCertMap = new HashMap();
    private final Map<X500Name, Certificate> reqSubjectCertMap = new HashMap();
    private final AtomicLong serialNumber = new AtomicLong(2);
    private final AtomicLong crlNumber = new AtomicLong(2);
    private CertificateList crl;

    public CaEmulator(PrivateKey privateKey, Certificate certificate, boolean z) throws CertificateEncodingException {
        this.caKey = (PrivateKey) ScepUtil.requireNonNull("caKey", privateKey);
        this.caCert = (Certificate) ScepUtil.requireNonNull("caCert", certificate);
        this.caSubject = certificate.getSubject();
        this.generateCrl = z;
        try {
            this.caCertBytes = certificate.getEncoded();
        } catch (IOException e) {
            throw new CertificateEncodingException(e.getMessage(), e);
        }
    }

    public PrivateKey getCaKey() {
        return this.caKey;
    }

    public Certificate getCaCert() {
        return this.caCert;
    }

    public byte[] getCaCertBytes() {
        return Arrays.copyOf(this.caCertBytes, this.caCertBytes.length);
    }

    public boolean isGenerateCrl() {
        return this.generateCrl;
    }

    public Certificate generateCert(CertificationRequest certificationRequest) throws Exception {
        if (!verifyPopo(certificationRequest)) {
            throw new Exception("CSR invalid");
        }
        CertificationRequestInfo certificationRequestInfo = certificationRequest.getCertificationRequestInfo();
        return generateCert(certificationRequestInfo.getSubjectPublicKeyInfo(), certificationRequestInfo.getSubject());
    }

    public Certificate generateCert(SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name x500Name) throws Exception {
        return generateCert(subjectPublicKeyInfo, x500Name, new Date(System.currentTimeMillis() - 600000));
    }

    public Certificate generateCert(SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name x500Name, Date date) throws Exception {
        ScepUtil.requireNonNull("pubKeyInfo", subjectPublicKeyInfo);
        ScepUtil.requireNonNull("subjectDn", x500Name);
        ScepUtil.requireNonNull("notBefore", date);
        Date date2 = new Date(date.getTime() + 63072000000L);
        BigInteger valueOf = BigInteger.valueOf(this.serialNumber.getAndAdd(1L));
        X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(this.caSubject, valueOf, date, date2, x500Name, subjectPublicKeyInfo);
        x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, new X509KeyUsage(184));
        x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        Certificate aSN1Structure = x509v3CertificateBuilder.build(new JcaContentSignerBuilder(ScepUtil.getSignatureAlgorithm(this.caKey, ScepHashAlgo.SHA256)).build(this.caKey)).toASN1Structure();
        this.serialCertMap.put(valueOf, aSN1Structure);
        this.reqSubjectCertMap.put(x500Name, aSN1Structure);
        return aSN1Structure;
    }

    public Certificate getCert(X500Name x500Name, BigInteger bigInteger) {
        if (this.caSubject.equals(x500Name)) {
            return this.serialCertMap.get(bigInteger);
        }
        return null;
    }

    public Certificate pollCert(X500Name x500Name, X500Name x500Name2) {
        ScepUtil.requireNonNull("issuer", x500Name);
        ScepUtil.requireNonNull("subject", x500Name2);
        if (this.caSubject.equals(x500Name)) {
            return this.reqSubjectCertMap.get(x500Name2);
        }
        return null;
    }

    public synchronized CertificateList getCrl(X500Name x500Name, BigInteger bigInteger) throws Exception {
        if (this.crl != null) {
            return this.crl;
        }
        Date date = new Date();
        X509v2CRLBuilder x509v2CRLBuilder = new X509v2CRLBuilder(this.caSubject, date);
        x509v2CRLBuilder.setNextUpdate(new Date(date.getTime() + 2592000000L));
        Date date2 = this.caCert.getTBSCertificate().getStartDate().getDate();
        Date date3 = new Date(date2.getTime() + 1);
        if (date3.after(date)) {
            date3 = date2;
        }
        x509v2CRLBuilder.addCRLEntry(BigInteger.valueOf(2L), date3, 1);
        x509v2CRLBuilder.addExtension(Extension.cRLNumber, false, new ASN1Integer(this.crlNumber.getAndAdd(1L)));
        return x509v2CRLBuilder.build(new JcaContentSignerBuilder(ScepUtil.getSignatureAlgorithm(this.caKey, ScepHashAlgo.SHA256)).build(this.caKey)).toASN1Structure();
    }

    private boolean verifyPopo(CertificationRequest certificationRequest) {
        ScepUtil.requireNonNull("csr", certificationRequest);
        try {
            PKCS10CertificationRequest pKCS10CertificationRequest = new PKCS10CertificationRequest(certificationRequest);
            return pKCS10CertificationRequest.isSignatureValid(getContentVerifierProvider(generatePublicKey(pKCS10CertificationRequest.getSubjectPublicKeyInfo())));
        } catch (InvalidKeyException | PKCSException | InvalidKeySpecException e) {
            LOG.error("could not validate POPO of CSR", e);
            return false;
        }
    }

    public ContentVerifierProvider getContentVerifierProvider(PublicKey publicKey) throws InvalidKeyException {
        ScepUtil.requireNonNull("publicKey", publicKey);
        String upperCase = publicKey.getAlgorithm().toUpperCase();
        if ("EC".equals(upperCase)) {
            upperCase = "ECDSA";
        }
        BcRSAContentVerifierProviderBuilder bcRSAContentVerifierProviderBuilder = (BcContentVerifierProviderBuilder) VERIFIER_PROVIDER_BUILDER.get(upperCase);
        if (bcRSAContentVerifierProviderBuilder == null) {
            if ("RSA".equals(upperCase)) {
                bcRSAContentVerifierProviderBuilder = new BcRSAContentVerifierProviderBuilder(DFLT_DIGESTALG_IDENTIFIER_FINDER);
            } else if ("DSA".equals(upperCase)) {
                bcRSAContentVerifierProviderBuilder = new BcDSAContentVerifierProviderBuilder(DFLT_DIGESTALG_IDENTIFIER_FINDER);
            } else {
                if (!"ECDSA".equals(upperCase)) {
                    throw new InvalidKeyException("unknown key algorithm of the public key " + upperCase);
                }
                bcRSAContentVerifierProviderBuilder = new BcECContentVerifierProviderBuilder(DFLT_DIGESTALG_IDENTIFIER_FINDER);
            }
            VERIFIER_PROVIDER_BUILDER.put(upperCase, bcRSAContentVerifierProviderBuilder);
        }
        try {
            return bcRSAContentVerifierProviderBuilder.build(generatePublicKeyParameter(publicKey));
        } catch (OperatorCreationException e) {
            throw new InvalidKeyException("could not build ContentVerifierProvider: " + e.getMessage(), e);
        }
    }

    private static PublicKey generatePublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo) throws InvalidKeySpecException {
        String str;
        ScepUtil.requireNonNull("pkInfo", subjectPublicKeyInfo);
        try {
            X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(subjectPublicKeyInfo.getEncoded());
            ASN1ObjectIdentifier algorithm = subjectPublicKeyInfo.getAlgorithm().getAlgorithm();
            if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
                str = "RSA";
            } else if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
                str = "DSA";
            } else {
                if (!X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
                    throw new InvalidKeySpecException("unsupported key algorithm: " + algorithm);
                }
                str = "EC";
            }
            try {
                return KeyFactory.getInstance(str).generatePublic(x509EncodedKeySpec);
            } catch (NoSuchAlgorithmException e) {
                throw new InvalidKeySpecException("could not find KeyFactory for " + str + ": " + e.getMessage());
            }
        } catch (IOException e2) {
            throw new InvalidKeySpecException(e2.getMessage(), e2);
        }
    }

    private static AsymmetricKeyParameter generatePublicKeyParameter(PublicKey publicKey) throws InvalidKeyException {
        ScepUtil.requireNonNull("key", publicKey);
        if (publicKey instanceof RSAPublicKey) {
            RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
            return new RSAKeyParameters(false, rSAPublicKey.getModulus(), rSAPublicKey.getPublicExponent());
        }
        if (publicKey instanceof ECPublicKey) {
            return ECUtil.generatePublicKeyParameter(publicKey);
        }
        if (publicKey instanceof DSAPublicKey) {
            return DSAUtil.generatePublicKeyParameter(publicKey);
        }
        throw new InvalidKeyException("unknown key " + publicKey.getClass().getName());
    }
}
