package org.graylog.security.certutil;

import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:org/graylog/security/certutil/CertificateGenerator.class */
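/**
 * Creates a fresh key pair together with an X.509 v3 certificate for its public key.
 *
 * <p>When the request carries no issuer the certificate is self-signed; otherwise it is signed
 * with the issuer's private key and names the issuer certificate's subject as its issuer.
 *
 * <p>NOTE(review): the only extensions written here are BasicConstraints (CA requests only) and
 * SubjectAlternativeName. No KeyUsage, ExtendedKeyUsage or key-identifier extensions are added,
 * and nothing in this class checks that the supplied issuer is itself a CA or that the requested
 * validity stays inside the issuer's validity window; callers relying on those properties have to
 * enforce them elsewhere.
 */
public class CertificateGenerator {
    /** Random bits drawn per serial number; the result stays well below the 20-octet limit of RFC 5280. */
    private static final int SERIAL_NUMBER_BITS = 127;

    /** Shared CSPRNG for serial numbers; {@link SecureRandom} is safe for concurrent use. */
    private static final SecureRandom SERIAL_RANDOM = new SecureRandom();

    /**
     * Generates a new key pair and a certificate binding its public key to {@code CN=<cnName>}.
     *
     * @param certRequest subject common name, validity period, optional issuer, CA flag and
     *     subject alternative names for the new certificate
     * @return the new private key, public key and signed certificate
     * @throws Exception if key generation, extension encoding, signing or certificate conversion fails
     */
    public static KeyPair generate(CertRequest certRequest) throws Exception {
        java.security.KeyPair subjectKeys =
                KeyPairGenerator.getInstance(CertConstants.KEY_GENERATION_ALGORITHM).generateKeyPair();

        // NOTE(review): the common name is concatenated into a DN string and then parsed, so a
        // value containing DN metacharacters (',', '+', '=', ...) is not kept as a literal CN.
        // Validate or escape cnName before it reaches this method if it can come from user input.
        X500Name subjectName = new X500Name("CN=" + certRequest.cnName());

        // Serial numbers must be unique per issuer. A millisecond timestamp collides when two
        // certificates are issued in the same millisecond and is trivially guessable, so the
        // serial is drawn from a CSPRNG instead.
        BigInteger serialNumber = newSerialNumber();

        Instant notBefore = Instant.now();
        Instant notAfter = notBefore.plus((TemporalAmount) certRequest.validity());

        X500Name issuerName;
        PrivateKey signingKey;
        if (certRequest.issuer() == null) {
            // Self-signed: issuer and subject are the same name, signed with the new key.
            issuerName = subjectName;
            signingKey = subjectKeys.getPrivate();
        } else {
            // Take the issuer DN from its DER encoding. Going through the RFC 2253 string returned
            // by getName() can change RDN order and string encodings, which breaks name chaining
            // against the issuer certificate for anything but the simplest subjects.
            issuerName = X500Name.getInstance(
                    certRequest.issuer().certificate().getSubjectX500Principal().getEncoded());
            signingKey = certRequest.issuer().privateKey();
        }

        JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
                issuerName,
                serialNumber,
                Date.from(notBefore),
                Date.from(notAfter),
                subjectName,
                subjectKeys.getPublic());

        if (certRequest.isCA()) {
            // Critical BasicConstraints with cA=true and no path length constraint.
            certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        }

        if (!certRequest.subjectAlternativeNames().isEmpty()) {
            // Every entry is encoded as a dNSName. NOTE(review): an IP address passed here is
            // therefore not written as an iPAddress entry; confirm callers only pass host names.
            GeneralName[] alternativeNames = certRequest.subjectAlternativeNames().stream()
                    .map(str -> new GeneralName(GeneralName.dNSName, str))
                    .toArray(GeneralName[]::new);
            certificateBuilder.addExtension(
                    Extension.subjectAlternativeName, false, new GeneralNames(alternativeNames));
        }

        return new KeyPair(
                subjectKeys.getPrivate(),
                subjectKeys.getPublic(),
                new JcaX509CertificateConverter().getCertificate(
                        certificateBuilder.build(
                                new JcaContentSignerBuilder(CertConstants.SIGNING_ALGORITHM).build(signingKey))));
    }

    /** Returns a strictly positive, randomly chosen certificate serial number. */
    private static BigInteger newSerialNumber() {
        // new BigInteger(bits, rnd) may be zero; adding one keeps the serial positive as X.509 requires.
        return new BigInteger(SERIAL_NUMBER_BITS, SERIAL_RANDOM).add(BigInteger.ONE);
    }
}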
