package com.github.tomakehurst.wiremock.http.ssl;

import com.github.tomakehurst.wiremock.common.ArrayFunctions;
import com.github.tomakehurst.wiremock.common.Exceptions;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Period;
import java.time.ZonedDateTime;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.Objects;
import java.util.Random;
import javax.net.ssl.SNIHostName;
import sun.security.x509.AlgorithmId;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.DNSName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNames;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.SerialNumber;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

/* loaded from: input_file:com/github/tomakehurst/wiremock/http/ssl/CertificateAuthority.class */
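/**
 * An in-process certificate authority: a certificate chain plus the private key that signs with
 * the authority of the first certificate in that chain.
 *
 * <p>{@link #generateCertificateAuthority()} creates a self-signed RSA root, and
 * {@link #generateCertificate(String, SNIHostName)} issues a one-year leaf certificate for a
 * single host name, signed by this authority.
 *
 * <p>Certificate construction goes through the JDK-internal {@code sun.security.x509} classes, so
 * it can fail on runtimes that do not expose them; those failures are reported as
 * {@link CertificateGenerationUnsupportedException}.
 *
 * <p>Security notes for maintainers: the root built here carries no name constraints and
 * {@link #key()} hands out its private key, so any holder of an instance can issue a certificate
 * for any host name. Treat the key material and any trust store containing the root accordingly.
 */
public class CertificateAuthority {
    private static final String ROOT_KEY_TYPE = "RSA";
    private static final String ROOT_SIGNATURE_ALGORITHM = "SHA256WithRSA";
    private static final String ROOT_COMMON_NAME = "WireMock Local Self Signed Root Certificate";
    private static final String UNSUPPORTED_MESSAGE = "Your runtime does not support generating certificates at runtime";
    private static final int KEY_SIZE_BITS = 2048;
    // Width of the random part of a serial number; 64 bits keeps accidental reuse of an
    // issuer/serial pair negligible even when many leaf certificates are issued.
    private static final int SERIAL_NUMBER_BITS = 64;

    private final X509Certificate[] certificateChain;
    private final PrivateKey key;

    /**
     * Wraps an existing chain and signing key.
     *
     * @param x509CertificateArr the chain; element 0 is the certificate whose subject becomes the
     *     issuer of generated certificates. The array is copied, so later changes by the caller
     *     do not affect this instance.
     * @param privateKey the private key used to sign generated certificates
     * @throws NullPointerException if either argument is {@code null}
     * @throws IllegalArgumentException if the chain is empty
     */
    public CertificateAuthority(X509Certificate[] x509CertificateArr, PrivateKey privateKey) {
        Objects.requireNonNull(x509CertificateArr);
        if (x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Chain must have entries");
        }
        // Defensive copy: the issuing certificate must not be replaceable through the caller's array.
        this.certificateChain = x509CertificateArr.clone();
        this.key = Objects.requireNonNull(privateKey);
    }

    /**
     * Creates a new self-signed root: a 2048-bit RSA key, SHA256WithRSA signature, ten-year
     * validity starting now.
     *
     * @return an authority whose chain holds only the new root certificate
     * @throws CertificateGenerationUnsupportedException if the runtime cannot build or sign the
     *     certificate, including when the internal JDK classes are missing or incompatible
     */
    public static CertificateAuthority generateCertificateAuthority() throws CertificateGenerationUnsupportedException {
        try {
            KeyPair rootKeys = generateKeyPair(ROOT_KEY_TYPE);
            X509CertInfo rootInfo = makeX509CertInfo(
                    ROOT_SIGNATURE_ALGORITHM,
                    ROOT_COMMON_NAME,
                    Period.ofYears(10),
                    rootKeys.getPublic(),
                    certificateAuthorityExtensions(rootKeys.getPublic()));
            X509CertImpl rootCertificate = selfSign(rootInfo, rootKeys.getPrivate(), ROOT_SIGNATURE_ALGORITHM);
            return new CertificateAuthority(new X509Certificate[] {rootCertificate}, rootKeys.getPrivate());
        } catch (IOException | NoClassDefFoundError | NoSuchMethodError | VerifyError | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // The linkage errors are caught on purpose: they are how a runtime without the
            // sun.security.x509 classes shows up.
            throw new CertificateGenerationUnsupportedException(UNSUPPORTED_MESSAGE, e);
        }
    }

    /** Builds the certificate from {@code certInfo} and signs it with its own private key. */
    private static X509CertImpl selfSign(X509CertInfo certInfo, PrivateKey signingKey, String signatureAlgorithm) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        X509CertImpl certificate = new X509CertImpl(certInfo);
        certificate.sign(signingKey, signatureAlgorithm);
        return certificate;
    }

    /**
     * Extensions for the root: authority and subject key identifiers derived from the same public
     * key, basic constraints marking it as a CA, and key usage limited to certificate and CRL
     * signing.
     */
    private static CertificateExtensions certificateAuthorityExtensions(PublicKey publicKey) {
        try {
            KeyIdentifier keyIdentifier = new KeyIdentifier(publicKey);
            byte[] subjectKeyId = keyIdentifier.getIdentifier();

            CertificateExtensions extensions = new CertificateExtensions();
            extensions.set("AuthorityKeyIdentifier", new AuthorityKeyIdentifierExtension(keyIdentifier, (GeneralNames) null, (SerialNumber) null));
            // NOTE(review): Integer.MAX_VALUE appears to be the JDK's "no path length limit"
            // value. This class only ever issues leaf certificates, so a path length of 0 would
            // be the tighter setting; confirm nothing relies on intermediates before changing it.
            extensions.set("BasicConstraints", new BasicConstraintsExtension(true, Integer.MAX_VALUE));

            KeyUsageExtension keyUsage = new KeyUsageExtension(new boolean[7]);
            keyUsage.set("key_certsign", true);
            keyUsage.set("crl_sign", true);
            extensions.set("KeyUsage", keyUsage);

            extensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(subjectKeyId));
            return extensions;
        } catch (IOException e) {
            return (CertificateExtensions) Exceptions.throwUnchecked(e, null);
        }
    }

    /**
     * Returns the chain, issuing certificate first.
     *
     * @return a copy of the chain; modifying it does not change which certificate this authority
     *     issues under
     */
    public X509Certificate[] certificateChain() {
        return this.certificateChain.clone();
    }

    /**
     * Returns the signing key.
     *
     * @return the authority's private key; whoever holds it can sign certificates that chain to
     *     this authority
     */
    public PrivateKey key() {
        return this.key;
    }

    /**
     * Issues a one-year certificate for a host name, with the ASCII form of the name as both the
     * subject common name and the single DNS subject alternative name. A new 2048-bit key pair is
     * generated for every call.
     *
     * <p>The decompiler reports that this method was package-private in the original class.
     *
     * <p>NOTE(review): the certificate info is given the algorithm {@code "SHA256With" + str},
     * while the signature itself uses the signature algorithm of the issuing certificate. The two
     * agree only when {@code str} matches the issuer's key type; confirm before passing anything
     * other than the issuer's key type. The fixed 2048-bit key size is also presumably only valid
     * for some key types.
     *
     * @param str the key algorithm for the new key pair, for example {@code "RSA"}
     * @param sNIHostName the host name the certificate is issued for
     * @return the new certificate followed by this authority's chain, together with the new
     *     private key
     * @throws CertificateGenerationUnsupportedException if the runtime cannot build or sign the
     *     certificate
     */
    public CertChainAndKey generateCertificate(String str, SNIHostName sNIHostName) throws CertificateGenerationUnsupportedException {
        try {
            KeyPair leafKeys = generateKeyPair(str);
            X509CertInfo leafInfo = makeX509CertInfo(
                    "SHA256With" + str,
                    sNIHostName.getAsciiName(),
                    Period.ofYears(1),
                    leafKeys.getPublic(),
                    subjectAlternativeName(sNIHostName));
            X509CertImpl leafCertificate = sign(leafInfo);
            X509Certificate[] fullChain = (X509Certificate[]) ArrayFunctions.prepend(leafCertificate, this.certificateChain);
            return new CertChainAndKey(fullChain, leafKeys.getPrivate());
        } catch (IOException | NoClassDefFoundError | NoSuchMethodError | VerifyError | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            // Same reasoning as in generateCertificateAuthority: linkage errors mean the
            // internal certificate classes are unavailable on this runtime.
            throw new CertificateGenerationUnsupportedException(UNSUPPORTED_MESSAGE, e);
        }
    }

    /**
     * Sets the issuer of {@code certInfo} to the subject of the first chain certificate and signs
     * the result with this authority's key, using that certificate's signature algorithm.
     */
    private X509CertImpl sign(X509CertInfo certInfo) throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        X509Certificate issuer = this.certificateChain[0];
        certInfo.set("issuer", issuer.getSubjectDN());
        X509CertImpl certificate = new X509CertImpl(certInfo);
        certificate.sign(this.key, issuer.getSigAlgName());
        return certificate;
    }

    /** Generates a 2048-bit key pair for {@code algorithm}, seeded from a fresh SecureRandom. */
    private static KeyPair generateKeyPair(String algorithm) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        generator.initialize(KEY_SIZE_BITS, new SecureRandom());
        return generator.generateKeyPair();
    }

    /**
     * Assembles the to-be-signed certificate data: X.509 v3, a random serial number, subject
     * {@code CN=<commonName>}, validity from now for {@code validFor}, and the given extensions.
     * The issuer is initially the subject itself; {@link #sign(X509CertInfo)} replaces it for
     * certificates issued by this authority.
     */
    private static X509CertInfo makeX509CertInfo(String signatureAlgorithm, String commonName, Period validFor, PublicKey publicKey, CertificateExtensions extensions) throws IOException, CertificateException, NoSuchAlgorithmException {
        ZonedDateTime notBefore = ZonedDateTime.now();
        ZonedDateTime notAfter = notBefore.plus(validFor);
        // NOTE(review): commonName is concatenated into the distinguished name unescaped. The
        // callers visible here pass a constant or SNIHostName.getAsciiName(); confirm that stays
        // true before passing free-form text.
        X500Name subject = new X500Name("CN=" + commonName);

        X509CertInfo certInfo = new X509CertInfo();
        certInfo.set("version", new CertificateVersion(2)); // the value 2 encodes X.509 version 3
        certInfo.set("serialNumber", new CertificateSerialNumber(randomSerialNumber()));
        certInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(signatureAlgorithm)));
        certInfo.set("subject", subject);
        certInfo.set("key", new CertificateX509Key(publicKey));
        certInfo.set("validity", new CertificateValidity(Date.from(notBefore.toInstant()), Date.from(notAfter.toInstant())));
        certInfo.set("issuer", subject);
        certInfo.set("extensions", extensions);
        return certInfo;
    }

    /**
     * Draws a positive serial number from a cryptographically strong source.
     *
     * <p>Every certificate issued by one authority needs a distinct serial number. The previous
     * 31-bit value from {@code java.util.Random} made a repeat plausible once enough leaf
     * certificates had been issued, and was predictable.
     */
    private static BigInteger randomSerialNumber() {
        BigInteger candidate = new BigInteger(SERIAL_NUMBER_BITS, new SecureRandom());
        // Serial numbers must be positive, so the (practically unreachable) zero is replaced.
        return candidate.signum() == 0 ? BigInteger.ONE : candidate;
    }

    /** Builds an extension set holding one subject alternative name: the host as a DNS name. */
    private static CertificateExtensions subjectAlternativeName(SNIHostName hostName) {
        GeneralNames names = new GeneralNames();
        names.add(new GeneralName(dnsName(hostName)));
        try {
            CertificateExtensions extensions = new CertificateExtensions();
            extensions.set("SubjectAlternativeName", new SubjectAlternativeNameExtension(names));
            return extensions;
        } catch (IOException e) {
            return (CertificateExtensions) Exceptions.throwUnchecked(e, null);
        }
    }

    /** Converts the ASCII form of the host name to a DNS name, rethrowing failures unchecked. */
    private static DNSName dnsName(SNIHostName hostName) {
        try {
            return new DNSName(hostName.getAsciiName());
        } catch (IOException e) {
            return (DNSName) Exceptions.throwUnchecked(e, null);
        }
    }
}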
