package org.graylog.security.certutil.csr;

import com.google.common.collect.Sets;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.Period;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.Date;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.graylog.security.certutil.CertConstants;
import org.graylog2.plugin.certificates.RenewalPolicy;

/* loaded from: input_file:org/graylog/security/certutil/csr/CsrSigner.class */
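/**
 * Signs PKCS#10 certificate signing requests with a CA private key and certificate.
 *
 * <p>The issued certificate uses the CA certificate's subject as issuer and copies the subject and
 * public key from the CSR verbatim. Subject Alternative Name entries requested through the
 * {@code extensionRequest} attribute are copied over when they are rfc822Name, dNSName or
 * iPAddress entries; every dNSName entry is additionally resolved at signing time and the resolved
 * address is added as an iPAddress entry. Whenever any SAN entry is copied, the fixed localhost
 * entries ({@code localhost}, {@code 127.0.0.1}, {@code ::1}) are added as well.
 *
 * <p>Serial numbers are drawn from a {@link SecureRandom} (159 bits, positive), so that they are
 * unique and unpredictable as RFC 5280 requires; the previous implementation used the current
 * millisecond, which repeats for requests signed within the same millisecond and is guessable.
 *
 * <p>NOTE(review): this class does not verify the CSR's own signature (no proof-of-possession
 * check) and does not validate the requested subject or SAN entries against any naming policy —
 * confirm that the caller performs that validation before handing a request to {@code sign}.
 *
 * <p>Instances hold only immutable state and may be shared between threads.
 */
public class CsrSigner {
    /** SAN entries appended to every issued certificate that carries a SAN extension. */
    private static final Set<GeneralName> localhostAttributes = Set.of(
            new GeneralName(GeneralName.dNSName, "localhost"),
            new GeneralName(GeneralName.iPAddress, "127.0.0.1"),
            new GeneralName(GeneralName.iPAddress, "0:0:0:0:0:0:0:1"));

    /** Source of certificate serial numbers; must be cryptographically strong (RFC 5280 §4.1.2.2). */
    private static final SecureRandom SERIAL_RANDOM = new SecureRandom();

    /** 159 random bits keep a positive serial number within RFC 5280's 20-octet limit. */
    private static final int SERIAL_BITS = 159;

    /** Clock used to derive {@code notBefore}; injectable for deterministic tests. */
    private final Clock clock;

    /** Creates a signer that reads the current time from the system clock. */
    public CsrSigner() {
        this(Clock.systemDefaultZone());
    }

    /**
     * Creates a signer that reads the current time from the given clock.
     *
     * @param clock clock used to determine the start of each certificate's validity period
     */
    public CsrSigner(Clock clock) {
        this.clock = clock;
    }

    /**
     * Returns a fresh, positive, unpredictable certificate serial number.
     *
     * <p>The loop only retries in the astronomically unlikely case of drawing zero, which RFC 5280
     * forbids as a serial number.
     */
    private static BigInteger newSerialNumber() {
        BigInteger serial;
        do {
            serial = new BigInteger(SERIAL_BITS, SERIAL_RANDOM);
        } while (serial.signum() == 0);
        return serial;
    }

    /**
     * Tells whether a SAN entry with the given {@link GeneralName} tag is copied into the issued
     * certificate: only rfc822Name, dNSName and iPAddress entries are; all other kinds are dropped.
     *
     * @param tagNo the {@link GeneralName} tag number
     * @return {@code true} if entries of this kind are accepted
     */
    private boolean isValidName(int tagNo) {
        return tagNo == GeneralName.rfc822Name
                || tagNo == GeneralName.dNSName
                || tagNo == GeneralName.iPAddress;
    }

    /**
     * Tells whether the given {@link GeneralName} tag denotes a dNSName entry.
     *
     * @param tagNo the {@link GeneralName} tag number
     * @return {@code true} for dNSName entries
     */
    private boolean isDNSName(int tagNo) {
        return tagNo == GeneralName.dNSName;
    }

    /**
     * Converts a calendar period into a fixed duration using the approximation of 365 days per
     * year and 30 days per month; the result is not calendar-exact.
     *
     * @param period the period to convert
     * @return the approximate duration
     */
    private Duration periodToDuration(Period period) {
        long days = (period.getYears() * 365L) + (period.getMonths() * 30L) + period.getDays();
        return Duration.ofDays(days);
    }

    /**
     * Parses a certificate lifetime given either as an ISO-8601 duration ({@code PT720H}) or, as a
     * fallback, as an ISO-8601 period ({@code P30D}, {@code P1Y}).
     *
     * @param str the lifetime string
     * @return the lifetime as a duration
     * @throws DateTimeParseException if the string is neither a valid duration nor a valid period
     */
    private Duration safeParse(String str) {
        try {
            return Duration.parse(str);
        } catch (DateTimeParseException ignored) {
            // not a Duration — try the Period form; a second parse failure propagates to the caller
            return periodToDuration(Period.parse(str));
        }
    }

    /**
     * Adds an ISO-8601 duration or period string to an instant.
     *
     * @param instant the starting instant
     * @param str the lifetime string, see {@link #safeParse(String)}
     * @return the instant advanced by the parsed lifetime
     */
    private Instant plusIsoDuration(Instant instant, String str) {
        return instant.plus((TemporalAmount) safeParse(str));
    }

    /**
     * Signs a CSR with a validity period taken from the renewal policy's certificate lifetime.
     *
     * @param privateKey the CA private key used to sign
     * @param x509Certificate the CA certificate; its subject becomes the issuer of the new certificate
     * @param pKCS10CertificationRequest the request to sign
     * @param renewalPolicy supplies the certificate lifetime as an ISO-8601 duration or period
     * @return the signed certificate
     * @throws Exception on signing or encoding failures, or if the lifetime string cannot be parsed
     */
    public X509Certificate sign(PrivateKey privateKey, X509Certificate x509Certificate, PKCS10CertificationRequest pKCS10CertificationRequest, RenewalPolicy renewalPolicy) throws Exception {
        Instant notBefore = Instant.now(this.clock);
        Instant notAfter = plusIsoDuration(notBefore, renewalPolicy.certificateLifetime());
        return sign(privateKey, x509Certificate, pKCS10CertificationRequest, notBefore, notAfter);
    }

    /**
     * Signs a CSR with a validity period of the given number of days.
     *
     * @param privateKey the CA private key used to sign
     * @param x509Certificate the CA certificate; its subject becomes the issuer of the new certificate
     * @param pKCS10CertificationRequest the request to sign
     * @param i certificate lifetime in days; must be positive
     * @return the signed certificate
     * @throws Exception on signing or encoding failures
     * @throws IllegalArgumentException if the lifetime is not positive
     */
    public X509Certificate sign(PrivateKey privateKey, X509Certificate x509Certificate, PKCS10CertificationRequest pKCS10CertificationRequest, int i) throws Exception {
        Instant notBefore = Instant.now(this.clock);
        Instant notAfter = notBefore.plus((TemporalAmount) Duration.ofDays(i));
        return sign(privateKey, x509Certificate, pKCS10CertificationRequest, notBefore, notAfter);
    }

    /**
     * Builds and signs the certificate for the given validity window.
     *
     * @param privateKey the CA private key used to sign
     * @param caCertificate the CA certificate supplying the issuer name
     * @param csr the request whose subject, public key and SAN entries are copied
     * @param notBefore start of the validity period
     * @param notAfter end of the validity period; must be after {@code notBefore}
     * @return the signed certificate
     * @throws IllegalArgumentException if the validity window is empty or inverted
     * @throws Exception on signing or encoding failures
     */
    private X509Certificate sign(PrivateKey privateKey, X509Certificate caCertificate, PKCS10CertificationRequest csr, Instant notBefore, Instant notAfter) throws Exception {
        if (!notAfter.isAfter(notBefore)) {
            // a certificate whose notAfter precedes notBefore can never validate; fail early and loudly
            throw new IllegalArgumentException("Certificate lifetime must be positive (notBefore=" + notBefore + ", notAfter=" + notAfter + ")");
        }
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                X500Name.getInstance(caCertificate.getSubjectX500Principal().getEncoded()),
                newSerialNumber(),
                Date.from(notBefore),
                Date.from(notAfter),
                csr.getSubject(),
                csr.getSubjectPublicKeyInfo());

        Set<GeneralName> requestedNames = requestedSubjectAlternativeNames(csr);
        if (!requestedNames.isEmpty()) {
            // the localhost entries are only added when the request itself carries SAN entries
            GeneralName[] names = Sets.union(localhostAttributes, requestedNames).toArray(new GeneralName[0]);
            builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        }

        return new JcaX509CertificateConverter()
                .getCertificate(builder.build(new JcaContentSignerBuilder(CertConstants.SIGNING_ALGORITHM).build(privateKey)));
    }

    /**
     * Collects the SAN entries requested via the CSR's {@code extensionRequest} attributes, keeping
     * only accepted kinds (see {@link #isValidName(int)}) and expanding every dNSName entry with
     * its resolved address (see {@link #resolveDNSName(GeneralName)}).
     *
     * @param csr the request to inspect
     * @return the requested SAN entries, empty if the request carries none
     */
    private Set<GeneralName> requestedSubjectAlternativeNames(PKCS10CertificationRequest csr) {
        return Optional.ofNullable(csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
                .stream()
                .flatMap(Arrays::stream)
                // the extensionRequest attribute value is a single Extensions sequence
                .map(attribute -> Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)))
                .flatMap(this::subjectAlternativeNames)
                .filter(generalName -> isValidName(generalName.getTagNo()))
                .flatMap(generalName -> isDNSName(generalName.getTagNo()) ? resolveDNSName(generalName) : Stream.of(generalName))
                .collect(Collectors.toSet());
    }

    /**
     * Streams the entries of the SAN extension contained in the given extensions, or nothing if
     * the extension is absent.
     *
     * @param extensions the extensions requested by the CSR
     * @return the SAN entries
     */
    private Stream<GeneralName> subjectAlternativeNames(Extensions extensions) {
        return Optional.ofNullable(GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName))
                .map(GeneralNames::getNames)
                .stream()
                .flatMap(Arrays::stream);
    }

    /**
     * Returns the dNSName entry together with an iPAddress entry for the address it resolves to.
     *
     * <p>Resolution happens at signing time and is not validated further: whatever the name
     * currently resolves to ends up in the certificate. An unresolvable name yields only the
     * dNSName entry itself.
     *
     * @param generalName a dNSName entry
     * @return the entry, plus its resolved address when resolution succeeds
     */
    private Stream<GeneralName> resolveDNSName(GeneralName generalName) {
        try {
            String resolvedAddress = InetAddress.getByName(generalName.getName().toString()).getHostAddress();
            return Stream.of(generalName, new GeneralName(GeneralName.iPAddress, resolvedAddress));
        } catch (UnknownHostException ignored) {
            // best effort: an unresolvable name is still a legitimate SAN entry
            return Stream.of(generalName);
        }
    }
}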
