package com.dajudge.kindcontainer.pki;

import com.dajudge.kindcontainer.Utils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.function.Supplier;
import org.testcontainers.shaded.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.testcontainers.shaded.org.bouncycastle.asn1.x500.X500Name;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.BasicConstraints;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.GeneralName;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.GeneralNames;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.testcontainers.shaded.org.bouncycastle.asn1.x509.X509Extensions;
import org.testcontainers.shaded.org.bouncycastle.cert.CertIOException;
import org.testcontainers.shaded.org.bouncycastle.cert.X509CertificateHolder;
import org.testcontainers.shaded.org.bouncycastle.cert.X509v3CertificateBuilder;
import org.testcontainers.shaded.org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.testcontainers.shaded.org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.testcontainers.shaded.org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.testcontainers.shaded.org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.testcontainers.shaded.org.bouncycastle.operator.OperatorCreationException;
import org.testcontainers.shaded.org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

/* loaded from: input_file:com/dajudge/kindcontainer/pki/CertAuthority.class */
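/**
 * Minimal in-memory certificate authority for test fixtures.
 * <p>
 * Constructing an instance generates a fresh RSA-2048 key pair and a self-signed CA certificate
 * (SHA256withRSA, {@code basicConstraints cA=TRUE}) and stores both in an in-memory JKS keystore.
 * {@link #newKeyPair(String, List)} then issues leaf certificates signed by that CA, each in its
 * own keystore. Every keystore is protected by a random UUID used as password, and the single
 * entry is stored under a second random UUID as alias.
 * <p>
 * Validity of every certificate starts at the time returned by the injected clock (epoch
 * milliseconds) and lasts 365 days. Bouncy Castle is registered as a JCA provider when this class
 * is initialised, because certificate parsing in {@link #sign} requests the {@code "BC"} provider
 * by name.
 */
public class CertAuthority {
    static {
        // sign() asks CertificateFactory for the "BC" provider explicitly, so it must be registered
        // before any certificate is parsed.
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Source of certificate serial numbers. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Lifetime of every certificate (CA and leaf) issued by this class. */
    private static final Duration CERT_VALIDITY = Duration.ofDays(365L);

    private final KeyStoreWrapper caKeyStore;
    /** Returns the current time in epoch milliseconds; injected so tests control validity windows. */
    private final Supplier<Long> clock;
    /** Distinguished name of the CA, used as issuer of every leaf certificate. */
    private final String issuerDn;

    /**
     * Creates a CA and immediately generates its self-signed root certificate.
     *
     * @param supplier clock returning the current time in epoch milliseconds
     * @param str      distinguished name of the CA (e.g. {@code CN=test-ca}); becomes subject of the
     *                 root certificate and issuer of all leaf certificates
     * @throws NullPointerException if either argument is {@code null}
     */
    public CertAuthority(Supplier<Long> supplier, String str) {
        this.clock = Objects.requireNonNull(supplier, "clock");
        this.issuerDn = Objects.requireNonNull(str, "issuerDn");
        this.caKeyStore = createCaKeyStore(str, supplier);
    }

    /** @return the keystore holding the CA private key and its self-signed certificate. */
    public KeyStoreWrapper getCaKeyStore() {
        return this.caKeyStore;
    }

    /**
     * Generates a new RSA-2048 key pair and a leaf certificate for it, signed by this CA.
     *
     * @param str  subject distinguished name of the leaf certificate
     * @param list subject alternative names to add; an empty (or {@code null}) list adds no SAN
     *             extension
     * @return a keystore containing the private key and a one-element chain with the leaf certificate
     */
    public KeyStoreWrapper newKeyPair(String str, List<GeneralName> list) {
        final char[] password = UUID.randomUUID().toString().toCharArray();
        final String alias = UUID.randomUUID().toString();
        final KeyStore jks = createJks(keyStore -> {
            final KeyPair leafKeys = randomKeyPair();
            final Date notBefore = now(this.clock);
            final X509Certificate leaf = sign(
                    str,
                    this.issuerDn,
                    this.caKeyStore.getPrivateKey(),
                    "SHA256withRSA",
                    leafKeys.getPublic(),
                    notBefore,
                    plus(notBefore, CERT_VALIDITY),
                    Collections.singletonList(addSan(list)));
            keyStore.setKeyEntry(alias, leafKeys.getPrivate(), password, new Certificate[]{leaf});
        });
        return new KeyStoreWrapper(jks, password, alias);
    }

    /**
     * Generates the CA key pair and its self-signed certificate into a fresh in-memory keystore.
     *
     * @param caDn  subject (and issuer) distinguished name of the CA certificate
     * @param clock clock returning epoch milliseconds for the validity window
     */
    private static KeyStoreWrapper createCaKeyStore(String caDn, Supplier<Long> clock) {
        final char[] password = UUID.randomUUID().toString().toCharArray();
        final String alias = UUID.randomUUID().toString();
        final KeyStore jks = createJks(keyStore -> {
            final KeyPair caKeys = randomKeyPair();
            final Date notBefore = now(clock);
            final X509Certificate root = selfSignedCert(
                    caDn,
                    caKeys,
                    notBefore,
                    plus(notBefore, CERT_VALIDITY),
                    "SHA256withRSA",
                    Collections.singletonList(markAsCa()));
            keyStore.setKeyEntry(alias, caKeys.getPrivate(), password, new Certificate[]{root});
        });
        return new KeyStoreWrapper(jks, password, alias);
    }

    /**
     * Extension customiser that marks a certificate as a CA.
     * <p>
     * Adds basicConstraints (OID 2.5.29.19) with {@code cA=TRUE}. The extension is marked critical
     * because RFC 5280 §4.2.1.9 requires that for CA certificates; relying parties that ignore
     * non-critical basicConstraints would otherwise not recognise the root as a CA.
     */
    private static Utils.ThrowingConsumer<X509v3CertificateBuilder, CertIOException> markAsCa() {
        return builder -> builder.addExtension(
                new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(true));
    }

    /**
     * Extension customiser that adds a subjectAltName extension holding {@code sans}.
     * A {@code null} or empty list results in no extension being added at all.
     */
    private static Utils.ThrowingConsumer<X509v3CertificateBuilder, CertIOException> addSan(List<GeneralName> sans) {
        return builder -> {
            if (sans == null || sans.isEmpty()) {
                return;
            }
            final GeneralName[] names = sans.toArray(new GeneralName[0]);
            builder.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(names));
        };
    }

    /**
     * Creates a certificate whose subject and issuer are both {@code str}, signed with the private
     * half of {@code keyPair} and certifying its public half.
     *
     * @param str     subject and issuer distinguished name
     * @param keyPair key pair whose private key signs and whose public key is certified
     * @param date    notBefore
     * @param date2   notAfter
     * @param str2    JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param list    extension customisers applied before signing
     * @return the signed certificate
     */
    public static X509Certificate selfSignedCert(String str, KeyPair keyPair, Date date, Date date2, String str2, List<Utils.ThrowingConsumer<X509v3CertificateBuilder, CertIOException>> list) {
        return sign(str, str, keyPair.getPrivate(), str2, keyPair.getPublic(), date, date2, list);
    }

    /**
     * Builds an X.509 v3 certificate, applies the given extension customisers and signs it.
     *
     * @param str        subject distinguished name
     * @param str2       issuer distinguished name
     * @param privateKey issuer's RSA private key used to produce the signature
     * @param str3       JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param publicKey  public key to be certified
     * @param date       notBefore
     * @param date2      notAfter
     * @param list       extension customisers, applied to the builder in list order
     * @return the signed certificate, re-parsed through the {@code "BC"} provider
     * @throws RuntimeException wrapping any encoding, provider lookup, parsing or signing failure
     */
    public static X509Certificate sign(String str, String str2, PrivateKey privateKey, String str3, PublicKey publicKey, Date date, Date date2, List<Utils.ThrowingConsumer<X509v3CertificateBuilder, CertIOException>> list) {
        try {
            final AlgorithmIdentifier sigAlg = new DefaultSignatureAlgorithmIdentifierFinder().find(str3);
            final AlgorithmIdentifier digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);
            final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    new X500Name(str2),
                    randomSerial(),
                    date,
                    date2,
                    new X500Name(str),
                    SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
            for (final Utils.ThrowingConsumer<X509v3CertificateBuilder, CertIOException> customiser : list) {
                customiser.accept(builder);
            }
            final X509CertificateHolder holder = builder.build(
                    new BcRSAContentSignerBuilder(sigAlg, digestAlg)
                            .build(PrivateKeyFactory.createKey(privateKey.getEncoded())));
            // Round-trip the DER through the BC provider to obtain a java.security X509Certificate.
            final CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
            try (ByteArrayInputStream der = new ByteArrayInputStream(holder.toASN1Structure().getEncoded())) {
                return (X509Certificate) factory.generateCertificate(der);
            }
        } catch (IOException | NoSuchProviderException | CertificateException | OperatorCreationException e) {
            throw new RuntimeException("Failed to sign certificate", e);
        }
    }

    /**
     * Produces a fresh certificate serial number.
     * <p>
     * RFC 5280 §4.1.2.2 requires the serial to be a positive integer. A signed {@code nextInt()}
     * would be negative half the time (and is rejected by strict parsers), so 64 random bits plus
     * one are used instead: always ≥ 1, and with enough entropy that two certificates from the
     * same issuer sharing a serial is negligible.
     */
    private static BigInteger randomSerial() {
        return new BigInteger(64, SECURE_RANDOM).add(BigInteger.ONE);
    }

    /**
     * Generates a fresh RSA-2048 key pair using the default JCA provider.
     * Checked exceptions from the generator are presumably translated by {@code Helpers.call}
     * (defined elsewhere in this package).
     */
    public static KeyPair randomKeyPair() {
        return (KeyPair) Helpers.call(() -> {
            final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(2048);
            return generator.generateKeyPair();
        });
    }

    /**
     * Creates an empty in-memory JKS keystore and hands it to {@code populate} before returning it.
     * {@code load(null, null)} is the JCA idiom for initialising an empty keystore.
     */
    private static KeyStore createJks(Utils.ThrowingConsumer<KeyStore, Exception> populate) {
        return (KeyStore) Helpers.call(() -> {
            final KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null, null);
            populate.accept(keyStore);
            return keyStore;
        });
    }

    /** Converts the clock's epoch-millisecond reading into a {@link Date}. */
    private static Date now(Supplier<Long> clock) {
        return new Date(clock.get().longValue());
    }

    /** Returns {@code date} shifted forward by {@code amount}. */
    private static Date plus(Date date, TemporalAmount amount) {
        return new Date(date.toInstant().plus(amount).toEpochMilli());
    }
}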
