package org.graylog.security.certutil.csr;

import jakarta.inject.Inject;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCSException;
import org.graylog.security.certutil.CertConstants;
import org.graylog.security.certutil.ca.exceptions.KeyStoreStorageException;
import org.graylog.security.certutil.cert.CertificateChain;
import org.graylog.security.certutil.privatekey.PrivateKeyEncryptedStorage;

/* loaded from: input_file:org/graylog/security/certutil/csr/CertificateAndPrivateKeyMerger.class */
/**
 * Combines a signed certificate chain with its stored, encrypted private key into a fresh
 * in-memory {@link KeyStore}.
 *
 * <p>The private key is only placed into the keystore after {@link KeyPairChecker} has confirmed
 * that it matches the public key of the signed certificate. This class does not itself verify the
 * chain's signatures or trust; only the key pair relationship is checked here.
 */
public class CertificateAndPrivateKeyMerger {
    private final KeyPairChecker keyPairChecker;

    /**
     * @param keyPairChecker collaborator used to decide whether a private and a public key belong together
     */
    @Inject
    public CertificateAndPrivateKeyMerger(KeyPairChecker keyPairChecker) {
        this.keyPairChecker = keyPairChecker;
    }

    /**
     * Builds a new keystore of the type named by {@code CertConstants.PKCS12} holding a single key
     * entry: the decrypted private key together with the given certificate chain.
     *
     * <p>The returned keystore exists in memory only; nothing is written to disk here. The
     * password arrays are not cleared by this method, so wiping them remains the caller's job.
     *
     * @param certificateChain chain whose signed certificate supplies the public key to compare against
     * @param privateKeyEncryptedStorage storage the private key is read from
     * @param cArr passed to {@code readEncryptedKey}; presumably the password protecting the stored key
     * @param cArr2 password protecting the key entry inside the returned keystore
     * @param str alias under which the key entry is stored
     * @return the newly created keystore containing the key entry
     * @throws GeneralSecurityException if the private key and the certificate's public key do not
     *     match, or if a keystore operation fails
     */
    public KeyStore merge(
            CertificateChain certificateChain,
            PrivateKeyEncryptedStorage privateKeyEncryptedStorage,
            char[] cArr,
            char[] cArr2,
            String str)
            throws GeneralSecurityException, IOException, OperatorCreationException, PKCSException, KeyStoreStorageException {
        // Passing null for stream and password initialises an empty keystore.
        final KeyStore mergedStore = KeyStore.getInstance(CertConstants.PKCS12);
        mergedStore.load(null, null);

        final PrivateKey decryptedKey = privateKeyEncryptedStorage.readEncryptedKey(cArr);

        // Refuse to bind a key to a certificate it does not belong to: the check runs before the
        // key is stored, so a mismatched pair never ends up in the returned keystore.
        final boolean keysMatch =
                keyPairChecker.matchingKeys(decryptedKey, certificateChain.signedCertificate().getPublicKey());
        if (keysMatch) {
            mergedStore.setKeyEntry(str, decryptedKey, cArr2, certificateChain.toCertificateChainArray());
            return mergedStore;
        }
        throw new GeneralSecurityException("Private key from CSR and public key from certificate do not form a valid pair");
    }
}
