package org.pac4j.saml.metadata.keystore;

import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.exceptions.SAMLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/saml/metadata/keystore/BaseSAML2KeystoreGenerator.class */
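/**
 * Base class for keystore generators: creates a fresh RSA key pair together with a
 * self-signed X.509 certificate for it, places both under the configured alias in an
 * in-memory {@link KeyStore}, and hands the result to a subclass via {@link #store}.
 *
 * <p>Configuration is read from (and, for the alias and keystore type, written back to)
 * the {@link SAML2Configuration} passed to the constructor. Any failure during generation
 * is reported as a {@link SAMLException} carrying the original cause.
 */
public abstract class BaseSAML2KeystoreGenerator implements SAML2KeystoreGenerator {
    protected static final String CERTIFICATES_PREFIX = "saml-signing-cert";

    /** Number of random bits in a generated certificate serial number (RFC 5280 allows up to 20 octets). */
    private static final int SERIAL_NUMBER_BITS = 64;

    /** CSPRNG for serial numbers; {@link SecureRandom} is thread-safe, so one shared instance suffices. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    protected final Logger logger = LoggerFactory.getLogger(getClass());
    protected final SAML2Configuration saml2Configuration;

    /**
     * @param sAML2Configuration the SAML configuration supplying keystore/key settings; it is
     *                           mutated by {@link #generate()} when the alias or keystore type is blank
     */
    public BaseSAML2KeystoreGenerator(final SAML2Configuration sAML2Configuration) {
        this.saml2Configuration = sAML2Configuration;
    }

    /**
     * Whether a keystore should be generated.
     *
     * @return the configuration's {@code forceKeystoreGeneration} flag
     */
    @Override // org.pac4j.saml.metadata.keystore.SAML2KeystoreGenerator
    public boolean shouldGenerate() {
        return this.saml2Configuration.isForceKeystoreGeneration();
    }

    /**
     * Generates an RSA key pair and a self-signed certificate, stores them in a new in-memory
     * keystore under the configured alias and delegates persistence to {@link #store}.
     *
     * <p>A blank keystore alias defaults to this class's simple name and a blank keystore type
     * to {@link KeyStore#getDefaultType()}; both defaults are written back to the configuration
     * and logged as warnings.
     *
     * @throws SAMLException if any step fails; the underlying exception is kept as the cause
     */
    @Override // org.pac4j.saml.metadata.keystore.SAML2KeystoreGenerator
    public void generate() {
        try {
            applyDefaults();
            validate();

            final KeyStore keyStore = KeyStore.getInstance(this.saml2Configuration.getKeyStoreType());
            // load(null, ...) initialises an empty keystore rather than reading one from a stream.
            keyStore.load(null, this.saml2Configuration.getKeystorePassword().toCharArray());

            final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(this.saml2Configuration.getPrivateKeySize());
            final KeyPair keyPair = keyPairGenerator.genKeyPair();

            final String signatureAlg = this.saml2Configuration.getCertificateSignatureAlg();
            final AlgorithmIdentifier signatureAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlg);
            // NOTE(review): X500Name(String) parses DN syntax, so a host name containing separator
            // characters such as ',' or '+' would not be taken literally as the CN value.
            final X500Name subject = new X500Name("CN=" + InetAddress.getLocalHost().getHostName());
            final X509Certificate certificate = createSelfSignedCert(subject, signatureAlg, signatureAlgId, keyPair);

            final PrivateKey privateKey = keyPair.getPrivate();
            final char[] privateKeyPassword = this.saml2Configuration.getPrivateKeyPassword().toCharArray();
            keyStore.setKeyEntry(this.saml2Configuration.getKeyStoreAlias(), privateKey, privateKeyPassword,
                new Certificate[]{certificate});
            store(keyStore, certificate, privateKey);
            this.logger.info("Created keystore {} with key alias {}",
                this.saml2Configuration.getKeystoreResource(), keyStore.aliases().nextElement());
        } catch (final Exception e) {
            // Boundary catch: store() may throw any Exception; wrap everything and keep the cause.
            throw new SAMLException("Could not create keystore", e);
        }
    }

    /**
     * Persists the generated material.
     *
     * @param keyStore        the in-memory keystore already holding the key entry
     * @param x509Certificate the self-signed certificate for {@code privateKey}
     * @param privateKey      the generated private key
     * @throws Exception on any persistence failure; wrapped into {@link SAMLException} by {@link #generate()}
     */
    protected abstract void store(KeyStore keyStore, X509Certificate x509Certificate, PrivateKey privateKey) throws Exception;

    /** Fills in the keystore alias and type when the configuration leaves them blank, logging each default. */
    private void applyDefaults() {
        if (CommonHelper.isBlank(this.saml2Configuration.getKeyStoreAlias())) {
            this.saml2Configuration.setKeyStoreAlias(getClass().getSimpleName());
            this.logger.warn("Defaulting keystore alias {}", this.saml2Configuration.getKeyStoreAlias());
        }
        if (CommonHelper.isBlank(this.saml2Configuration.getKeyStoreType())) {
            this.saml2Configuration.setKeyStoreType(KeyStore.getDefaultType());
            this.logger.warn("Defaulting keystore type {}", this.saml2Configuration.getKeyStoreType());
        }
    }

    /**
     * Converts a UTC wall-clock time into the ASN.1 {@link Time} used for certificate validity bounds.
     *
     * @param localDateTime a date-time interpreted in UTC
     * @return the equivalent ASN.1 time
     */
    private static Time time(final LocalDateTime localDateTime) {
        return new Time(Date.from(localDateTime.toInstant(ZoneOffset.UTC)));
    }

    /**
     * Draws a fresh, strictly positive certificate serial number.
     *
     * <p>RFC 5280 requires the serial to be a positive integer unique per issuer. The issuer DN
     * here is derived from the host name, so a constant serial would be reused by every
     * certificate this generator ever produces on the same host.
     *
     * @return a random serial of {@value #SERIAL_NUMBER_BITS} bits, plus one to exclude zero
     */
    private static BigInteger newSerialNumber() {
        return new BigInteger(SERIAL_NUMBER_BITS, SECURE_RANDOM).add(BigInteger.ONE);
    }

    /**
     * Builds a self-signed X.509 v3 certificate over the public half of {@code keyPair}.
     *
     * @param x500Name            distinguished name used as both issuer and subject
     * @param str                 JCA signature algorithm name (e.g. as configured in {@code certificateSignatureAlg})
     * @param algorithmIdentifier ASN.1 identifier of that same algorithm, embedded in the TBS and the outer certificate
     * @param keyPair             key pair whose private key signs and whose public key is certified
     * @return the parsed certificate, already verified against its own public key
     * @throws Exception if signing, encoding, parsing or self-verification fails
     */
    private X509Certificate createSelfSignedCert(final X500Name x500Name, final String str,
                                                 final AlgorithmIdentifier algorithmIdentifier,
                                                 final KeyPair keyPair) throws Exception {
        final V3TBSCertificateGenerator tbsGenerator = new V3TBSCertificateGenerator();
        tbsGenerator.setSerialNumber(new ASN1Integer(newSerialNumber()));
        tbsGenerator.setIssuer(x500Name);
        tbsGenerator.setSubject(x500Name);
        // Validity starts one second in the past, presumably to tolerate minor clock skew on the consumer side.
        final LocalDateTime notBefore = LocalDateTime.now(Clock.systemUTC()).minusSeconds(1L);
        tbsGenerator.setStartDate(time(notBefore));
        tbsGenerator.setEndDate(time(notBefore.plus((TemporalAmount) this.saml2Configuration.getCertificateExpirationPeriod())));
        tbsGenerator.setSignature(algorithmIdentifier);
        tbsGenerator.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));

        // Generate the TBS structure exactly once so the signature covers the very bytes that are embedded below.
        final TBSCertificate tbsCertificate = tbsGenerator.generateTBSCertificate();
        final Signature signature = Signature.getInstance(str);
        signature.initSign(keyPair.getPrivate());
        signature.update(tbsCertificate.getEncoded("DER"));

        final ASN1EncodableVector certificateBody = new ASN1EncodableVector();
        certificateBody.add(tbsCertificate);
        certificateBody.add(algorithmIdentifier);
        certificateBody.add(new DERBitString(signature.sign()));
        final byte[] encodedCertificate = new DERSequence(certificateBody).getEncoded("DER");

        final X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(encodedCertificate));
        // Self-check: a signature algorithm that does not match the key type fails here rather than at first use.
        certificate.verify(keyPair.getPublic());
        return certificate;
    }

    /**
     * Checks the configuration values {@link #generate()} dereferences, so a missing setting is
     * reported by name instead of surfacing as a {@link NullPointerException}.
     */
    private void validate() {
        CommonHelper.assertNotBlank("keystoreAlias", this.saml2Configuration.getKeyStoreAlias());
        CommonHelper.assertNotBlank("keystoreType", this.saml2Configuration.getKeyStoreType());
        // Only null is rejected: an empty keystore password was accepted before and remains so.
        CommonHelper.assertNotNull("keystorePassword", this.saml2Configuration.getKeystorePassword());
        CommonHelper.assertNotBlank("privateKeyPassword", this.saml2Configuration.getPrivateKeyPassword());
    }
}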
