package org.cesecore.certificates.certificate.certextensions.standard;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralSubtree;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.cesecore.certificates.ca.CA;
import org.cesecore.certificates.ca.X509CA;
import org.cesecore.certificates.ca.internal.CertificateValidity;
import org.cesecore.certificates.certificate.certextensions.CertificateExtensionException;
import org.cesecore.certificates.certificateprofile.CertificateProfile;
import org.cesecore.certificates.endentity.EndEntityInformation;
import org.cesecore.certificates.endentity.ExtendedInformation;
import org.cesecore.util.CeSecoreNameStyle;
import org.cesecore.util.CertTools;

/* loaded from: input_file:org/cesecore/certificates/certificate/certextensions/standard/NameConstraint.class */
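/**
 * Builds the X.509 Name Constraints extension from the permitted/excluded lists stored on an end
 * entity, and converts between the operator-facing text form of a constraint and the internal
 * {@code type:data} form.
 *
 * <p>Internal entries are {@code rfc822Name:<text>}, {@code dNSName:<text>},
 * {@code directoryName:<DN>} or {@code iPAddress:<hex>}, where the hex data is the address bytes
 * followed by an equally long netmask.
 */
public class NameConstraint extends StandardCertificateExtension {
    private static final long serialVersionUID = 1L;

    /**
     * Sets the extension OID to nameConstraints and takes criticality from the profile.
     *
     * <p>RFC 5280 section 4.2.1.10 requires conforming CAs to mark this extension critical. The flag
     * here is whatever the profile returns, so a profile can make it non-critical.
     */
    @Override
    public void init(CertificateProfile certificateProfile) {
        super.setOID(Extension.nameConstraints.getId());
        super.setCriticalFlag(certificateProfile.getNameConstraintsCritical());
    }

    /**
     * Returns the NameConstraints value for the end entity, or {@code null} when there is nothing to
     * encode.
     *
     * @return the encoded constraints, or {@code null} if the end entity has no extended information
     *     or neither a permitted nor an excluded list
     * @throws CertificateExtensionException if {@code ca} is not an {@link X509CA}
     */
    @Override
    public ASN1Encodable getValue(EndEntityInformation endEntityInformation, CA ca, CertificateProfile certificateProfile, PublicKey publicKey, PublicKey publicKey2, CertificateValidity certificateValidity) throws CertificateExtensionException {
        if (!(ca instanceof X509CA)) {
            throw new CertificateExtensionException("Can't issue non-X509 certificate with Name Constraint");
        }
        final ExtendedInformation extendedInformation = endEntityInformation.getExtendedInformation();
        if (extendedInformation == null) {
            return null;
        }
        final List<String> permitted = extendedInformation.getNameConstraintsPermitted();
        final List<String> excluded = extendedInformation.getNameConstraintsExcluded();
        if (permitted == null && excluded == null) {
            // NOTE(review): how the caller treats null is not visible in this class; presumably the
            // extension is omitted, leaving the certificate unconstrained. Confirm.
            return null;
        }
        return new NameConstraints(toGeneralSubtrees(permitted), toGeneralSubtrees(excluded));
    }

    /**
     * Converts internal {@code type:data} entries into GeneralSubtree objects.
     *
     * @param list internal-format entries, may be {@code null}
     * @return one subtree per entry in list order, or {@code null} if {@code list} is {@code null}
     * @throws UnsupportedOperationException if an entry has a type other than rfc822Name, dNSName,
     *     directoryName or iPAddress
     */
    public static GeneralSubtree[] toGeneralSubtrees(List<String> list) {
        if (list == null) {
            return null;
        }
        final GeneralSubtree[] subtrees = new GeneralSubtree[list.size()];
        int index = 0;
        for (String entry : list) {
            final int type = getNameConstraintType(entry);
            final Object data = getNameConstraintData(entry);
            final GeneralName generalName;
            switch (type) {
                case GeneralName.rfc822Name:
                case GeneralName.dNSName:
                    generalName = new GeneralName(type, (String) data);
                    break;
                case GeneralName.directoryName:
                    generalName = new GeneralName(new X500Name(CeSecoreNameStyle.INSTANCE, (String) data));
                    break;
                case GeneralName.iPAddress:
                    generalName = new GeneralName(type, new DEROctetString((byte[]) data));
                    break;
                default:
                    throw new UnsupportedOperationException("Encoding of name constraint type " + type + " is not implemented.");
            }
            subtrees[index++] = new GeneralSubtree(generalName);
        }
        return subtrees;
    }

    /**
     * Maps the prefix before the first ':' to its GeneralName tag.
     *
     * @throws UnsupportedOperationException if the prefix is not one of the four supported types
     */
    private static int getNameConstraintType(String str) {
        final String prefix = str.split(":", 2)[0];
        // presumably the CertTools constants equal the prefixes written by
        // parseNameConstraintEntry ("iPAddress", "dNSName", "directoryName"); verify.
        if (CertTools.IPADDR.equals(prefix)) {
            return GeneralName.iPAddress;
        }
        if (CertTools.DNS.equals(prefix)) {
            return GeneralName.dNSName;
        }
        if (CertTools.DIRECTORYNAME.equals(prefix)) {
            return GeneralName.directoryName;
        }
        if ("rfc822Name".equals(prefix)) {
            return GeneralName.rfc822Name;
        }
        throw new UnsupportedOperationException("Unsupported name constraint type " + prefix);
    }

    /**
     * Returns the data part of an internal entry: a {@code String} for rfc822Name, dNSName and
     * directoryName, a hex-decoded {@code byte[]} for iPAddress.
     *
     * @throws IllegalStateException if iPAddress data is not valid hex
     */
    private static Object getNameConstraintData(String str) {
        final int type = getNameConstraintType(str);
        // An entry with a known prefix but no ':' fails here with ArrayIndexOutOfBoundsException.
        final String data = str.split(":", 2)[1];
        switch (type) {
            case GeneralName.rfc822Name:
            case GeneralName.dNSName:
            case GeneralName.directoryName:
                return data;
            case GeneralName.iPAddress:
                try {
                    return Hex.decodeHex(data.toCharArray());
                } catch (DecoderException e) {
                    throw new IllegalStateException("internal name constraint data could not be decoded as hex", e);
                }
            default:
                throw new UnsupportedOperationException("Unsupported name constraint type " + type);
        }
    }

    /**
     * Converts one operator-supplied constraint into the internal {@code type:data} form.
     *
     * <p>Recognised forms, tried in this order: IPv4 or IPv6 address with {@code /prefix}, DNS name
     * (optionally with a leading dot), RFC 822 name containing '@' (a leading '@' is stripped), and
     * anything containing '=' as a directory name.
     *
     * @param str a single trimmed entry
     * @return the internal-format entry
     * @throws CertificateExtensionException if the entry matches no supported form, is a bare IPv4
     *     address without a netmask, or carries an invalid address or prefix length
     */
    public static String parseNameConstraintEntry(String str) throws CertificateExtensionException {
        final boolean ipv4WithPrefix = str.matches("^([0-9]+\\.){3,3}([0-9]+)/[0-9]+$");
        if (ipv4WithPrefix || str.matches("^[0-9a-fA-F]{0,4}:[0-9a-fA-F]{0,4}:[0-9a-fA-F:]*/[0-9]+$")) {
            return encodeIpConstraint(str, ipv4WithPrefix);
        }
        if (str.matches("^([0-9]+\\.){3,3}([0-9]+)$")) {
            throw new CertificateExtensionException("Name constraint entry with IP address is missing a netmask: " + str + ". Use /32 to match only this address.");
        }
        if (str.matches("^\\.?([a-zA-Z0-9_-]+\\.)*[a-zA-Z0-9_-]+$")) {
            return "dNSName:" + str;
        }
        if (str.matches("^[^=,]*@[a-zA-Z0-9_.\\[\\]:-]+$")) {
            return "rfc822Name:" + (str.startsWith("@") ? str.substring(1) : str);
        }
        if (str.contains("=")) {
            return "directoryName:" + new X500Name(CeSecoreNameStyle.INSTANCE, str).toString();
        }
        throw new CertificateExtensionException("Cannot parse name constraint entry (only DNS Name, RFC 822 Name, Directory Name, IPv4/Netmask and IPv6/Netmask are supported): " + str);
    }

    /** Encodes an {@code address/prefix} entry as {@code iPAddress:} plus hex of address and netmask. */
    private static String encodeIpConstraint(String str, boolean ipv4) throws CertificateExtensionException {
        // presumably PERMANENTIDENTIFIER_SEP is "/" (both IP patterns require a '/' before the
        // prefix length); the constant name looks like a decompiler substitution. Confirm.
        final String[] split = str.split(CertTools.PERMANENTIDENTIFIER_SEP, 2);
        if (ipv4) {
            requireIpv4Octets(split[0], str);
        }
        final byte[] address;
        try {
            address = InetAddress.getByName(split[0]).getAddress();
        } catch (UnknownHostException e) {
            throw new CertificateExtensionException("Failed to parse IP address in name constraint: " + str, e);
        }
        final byte[] encoded = new byte[2 * address.length];
        System.arraycopy(address, 0, encoded, 0, address.length);
        final int prefixLength;
        try {
            prefixLength = Integer.parseInt(split[1]);
        } catch (NumberFormatException e) {
            // The pattern allows any number of digits, so the value can exceed the int range.
            throw new CertificateExtensionException("Netmask is too large: " + str, e);
        }
        if (prefixLength > 8 * address.length) {
            throw new CertificateExtensionException("Netmask is too large: " + str);
        }
        // Second half: set the leading prefixLength bits of the netmask.
        for (int bit = 0; bit < prefixLength; bit++) {
            encoded[address.length + (bit / 8)] |= 1 << (7 - (bit % 8));
        }
        // First half: clear the host bits so the stored address is the network address.
        for (int bit = prefixLength; bit < 8 * address.length; bit++) {
            encoded[bit / 8] &= ~(1 << (7 - (bit % 8)));
        }
        return "iPAddress:" + Hex.encodeHexString(encoded);
    }

    /**
     * Rejects dotted-quad text with an octet above 255.
     *
     * <p>{@link InetAddress#getByName} resolves its argument as a host name when it is not an IP
     * literal. The IPv4 pattern accepts any digit run per octet, so without this check an
     * out-of-range value could reach the resolver and the constraint would be built from whatever
     * address came back.
     */
    private static void requireIpv4Octets(String address, String entry) throws CertificateExtensionException {
        for (String octet : address.split("\\.")) {
            int value = 0;
            for (int i = 0; i < octet.length(); i++) {
                value = value * 10 + (octet.charAt(i) - '0');
                // Stop at the first excess so long digit runs cannot overflow the accumulator.
                if (value > 255) {
                    throw new CertificateExtensionException("Failed to parse IP address in name constraint: " + entry);
                }
            }
        }
    }

    /**
     * Parses newline-separated operator input into internal-format entries, skipping blank lines.
     *
     * @param str the raw text, may be {@code null}
     * @return a new list, empty if {@code str} is {@code null} or has no non-blank lines
     * @throws CertificateExtensionException if any line cannot be parsed
     */
    public static List<String> parseNameConstraintsList(String str) throws CertificateExtensionException {
        final List<String> entries = new ArrayList<>();
        if (str == null) {
            return entries;
        }
        for (String line : str.split("\n")) {
            final String trimmed = line.trim();
            if (!trimmed.isEmpty()) {
                entries.add(parseNameConstraintEntry(trimmed));
            }
        }
        return entries;
    }

    /**
     * Converts an internal-format entry back to the text form accepted by
     * {@link #parseNameConstraintEntry}.
     *
     * @param str an internal entry, may be {@code null}
     * @return the text form, or an empty string if {@code str} is {@code null}
     * @throws IllegalArgumentException if an iPAddress netmask is not a contiguous prefix or the
     *     address length is not accepted by {@link InetAddress#getByAddress(byte[])}
     * @throws UnsupportedOperationException if the entry type is not supported
     */
    public static String formatNameConstraintEntry(String str) {
        if (str == null) {
            return "";
        }
        final int type = getNameConstraintType(str);
        final Object data = getNameConstraintData(str);
        switch (type) {
            case GeneralName.rfc822Name:
                final String mailName = (String) data;
                // A value without '@' is a host or domain; show it with the '@' that parsing stripped.
                return mailName.contains("@") ? mailName : "@" + mailName;
            case GeneralName.dNSName:
            case GeneralName.directoryName:
                return (String) data;
            case GeneralName.iPAddress:
                return formatIpConstraint((byte[]) data);
            default:
                throw new UnsupportedOperationException("Unsupported name constraint type " + type);
        }
    }

    /** Formats address-plus-netmask bytes as {@code address/prefixLength}. */
    private static String formatIpConstraint(byte[] data) {
        final byte[] address = new byte[data.length / 2];
        final byte[] mask = new byte[data.length / 2];
        System.arraycopy(data, 0, address, 0, address.length);
        System.arraycopy(data, address.length, mask, 0, mask.length);
        int prefixLength = 0;
        for (int bit = 0; bit < 8 * mask.length; bit++) {
            final boolean set = ((mask[bit / 8] >> (7 - (bit % 8))) & 1) == 1;
            if (set && prefixLength == bit) {
                prefixLength++;
            } else if (set) {
                // A one after a zero: the mask cannot be written as a prefix length.
                throw new IllegalArgumentException("Unsupported netmask with mixed ones/zeros");
            }
        }
        try {
            return InetAddress.getByAddress(address).getHostAddress() + CertTools.PERMANENTIDENTIFIER_SEP + prefixLength;
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Formats internal entries as newline-separated text, one entry per line.
     *
     * @param list internal-format entries, may be {@code null}
     * @return the joined text, empty if {@code list} is {@code null} or empty
     */
    public static String formatNameConstraintsList(List<String> list) {
        if (list == null) {
            return "";
        }
        final List<String> lines = new ArrayList<>(list.size());
        for (String entry : list) {
            lines.add(formatNameConstraintEntry(entry));
        }
        return String.join("\n", lines);
    }
}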
