package org.xipki.scep.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.scep.crypto.KeyUsage;
import org.xipki.scep.crypto.ScepHashAlgo;

/* loaded from: input_file:org/xipki/scep/util/ScepUtil.class */
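/**
 * Static helpers shared by the SCEP code: building PKCS#10 requests and
 * self-signed certificates, converting BouncyCastle ASN.1 structures into JCA
 * {@link X509Certificate}/{@link X509CRL} objects, simple chain-relationship
 * checks, and argument validation.
 *
 * <p>All certificate and CRL parsing goes through one lazily created, cached
 * {@link CertificateFactory} (see {@link #getCertFactory()}); creation is
 * guarded by {@link #certFactLock}, which is the only mutable state here.
 *
 * <p>Note that {@link #isSelfSigned(X509Certificate)} and
 * {@link #issues(X509Certificate, X509Certificate)} compare names, key
 * identifiers and validity periods only; neither verifies a signature.
 */
public class ScepUtil {
    private static final long MIN_IN_MS = 60000;
    private static final long DAY_IN_MS = 86400000;
    /** Self-signed certificates are back-dated by this much to tolerate clock skew. */
    private static final long SELF_SIGNED_BACKDATE_MS = 5 * MIN_IN_MS;
    /** Validity period of a generated self-signed certificate. */
    private static final long SELF_SIGNED_VALIDITY_MS = 30 * DAY_IN_MS;
    /** Key usage bits set on generated self-signed certificates (numeric value 184). */
    private static final int SELF_SIGNED_KEY_USAGE = X509KeyUsage.digitalSignature
            | X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment | X509KeyUsage.keyAgreement;
    private static final int READ_BUFFER_SIZE = 2048;
    private static CertificateFactory certFact;
    private static final Logger LOG = LoggerFactory.getLogger(ScepUtil.class);
    private static final AlgorithmIdentifier ALGID_RSA = new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE);
    // final: a reassignable lock object would silently break the mutual exclusion in getCertFactory()
    private static final Object certFactLock = new Object();

    private ScepUtil() {
    }

    /**
     * Wraps a JCA RSA public key in a {@link SubjectPublicKeyInfo} with the
     * {@code rsaEncryption} algorithm identifier.
     *
     * @param publicKey the key; must be an {@link RSAPublicKey}
     * @return the SubjectPublicKeyInfo carrying modulus and public exponent
     * @throws IllegalArgumentException if the key is not an RSA key
     * @throws NullPointerException if {@code publicKey} is null
     * @throws IOException declared for API compatibility; not thrown by this implementation
     */
    public static SubjectPublicKeyInfo createSubjectPublicKeyInfo(PublicKey publicKey) throws IOException {
        requireNonNull("publicKey", publicKey);
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("unsupported public key " + publicKey);
        }
        RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
        // the BC RSAPublicKey structure is referenced by its full name because the JCA
        // interface of the same simple name is imported
        return new SubjectPublicKeyInfo(ALGID_RSA,
                new org.bouncycastle.asn1.pkcs.RSAPublicKey(rsaKey.getModulus(), rsaKey.getPublicExponent()));
    }

    /**
     * Builds and signs a PKCS#10 certification request.
     *
     * <p>The request is signed with {@code <ScepHashAlgo.SHA1>withRSA}; the digest
     * is fixed by {@link #getSignatureAlgorithm(PrivateKey, ScepHashAlgo)}.
     *
     * @param privateKey the RSA key signing the request
     * @param subjectPublicKeyInfo the public key to certify
     * @param x500Name the requested subject
     * @param map optional request attributes, keyed by attribute OID (may be null)
     * @return the signed request
     * @throws OperatorCreationException if no content signer can be built for the key
     * @throws NullPointerException if a required argument is null
     * @throws UnsupportedOperationException if the key is not an RSA key
     */
    public static PKCS10CertificationRequest generateRequest(PrivateKey privateKey, SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name x500Name, Map<ASN1ObjectIdentifier, ASN1Encodable> map) throws OperatorCreationException {
        requireNonNull("privatekey", privateKey);
        requireNonNull("subjectPublicKeyInfo", subjectPublicKeyInfo);
        requireNonNull("subjectDn", x500Name);
        PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(x500Name, subjectPublicKeyInfo);
        if (map != null) {
            for (Map.Entry<ASN1ObjectIdentifier, ASN1Encodable> attr : map.entrySet()) {
                builder.addAttribute(attr.getKey(), attr.getValue());
            }
        }
        String sigAlg = getSignatureAlgorithm(privateKey, ScepHashAlgo.SHA1);
        return builder.build(new JcaContentSignerBuilder(sigAlg).build(privateKey));
    }

    /**
     * Builds and signs a PKCS#10 certification request carrying an optional
     * challenge password and an optional extension request.
     *
     * @param privateKey the RSA key signing the request
     * @param subjectPublicKeyInfo the public key to certify
     * @param x500Name the requested subject
     * @param str the challenge password; ignored if null or empty
     * @param list requested extensions; ignored if null or empty
     * @return the signed request
     * @throws OperatorCreationException if no content signer can be built for the key
     * @throws NullPointerException if a required argument is null
     */
    public static PKCS10CertificationRequest generateRequest(PrivateKey privateKey, SubjectPublicKeyInfo subjectPublicKeyInfo, X500Name x500Name, String str, List<Extension> list) throws OperatorCreationException {
        requireNonNull("privatekey", privateKey);
        requireNonNull("subjectPublicKeyInfo", subjectPublicKeyInfo);
        requireNonNull("subjectDn", x500Name);
        Map<ASN1ObjectIdentifier, ASN1Encodable> attrs = new HashMap<>();
        if (str != null && !str.isEmpty()) {
            // challengePassword is encoded as PrintableString, as commonly expected by SCEP servers
            attrs.put(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(str));
        }
        if (list != null && !list.isEmpty()) {
            attrs.put(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                    new Extensions(list.toArray(new Extension[0])));
        }
        return generateRequest(privateKey, subjectPublicKeyInfo, x500Name, attrs);
    }

    /**
     * Creates a self-signed certificate for the subject and public key found in
     * a certification request.
     *
     * @param certificationRequest the request supplying subject and public key
     * @param privateKey the key corresponding to the request's public key
     * @return the self-signed certificate
     * @throws CertificateException if the certificate cannot be built or signed
     * @throws NullPointerException if an argument is null
     */
    public static X509Certificate generateSelfsignedCert(CertificationRequest certificationRequest, PrivateKey privateKey) throws CertificateException {
        requireNonNull("csr", certificationRequest);
        return generateSelfsignedCert(
                certificationRequest.getCertificationRequestInfo().getSubject(),
                certificationRequest.getCertificationRequestInfo().getSubjectPublicKeyInfo(),
                privateKey);
    }

    /**
     * Creates a self-signed certificate for a JCA RSA public key.
     *
     * @param x500Name the subject (and issuer) name
     * @param publicKey the RSA public key to certify
     * @param privateKey the matching private key used for signing
     * @return the self-signed certificate
     * @throws CertificateException if the key cannot be encoded or the certificate cannot be built
     */
    public static X509Certificate generateSelfsignedCert(X500Name x500Name, PublicKey publicKey, PrivateKey privateKey) throws CertificateException {
        try {
            return generateSelfsignedCert(x500Name, createSubjectPublicKeyInfo(publicKey), privateKey);
        } catch (IOException e) {
            throw new CertificateException(e.getMessage(), e);
        }
    }

    /**
     * Creates a self-signed certificate with serial number 1, valid from five
     * minutes ago for 30 days, carrying a critical keyUsage extension
     * (digitalSignature, keyEncipherment, dataEncipherment, keyAgreement).
     * The certificate is signed with {@code <ScepHashAlgo.SHA1>withRSA}.
     *
     * @param x500Name the subject (and issuer) name
     * @param subjectPublicKeyInfo the public key to certify
     * @param privateKey the matching private key used for signing
     * @return the self-signed certificate
     * @throws CertificateException if the extension cannot be added, no signer can be
     *         created, or the result cannot be re-parsed
     * @throws NullPointerException if an argument is null
     */
    public static X509Certificate generateSelfsignedCert(X500Name x500Name, SubjectPublicKeyInfo subjectPublicKeyInfo, PrivateKey privateKey) throws CertificateException {
        requireNonNull("subjectDn", x500Name);
        requireNonNull("pubKeyInfo", subjectPublicKeyInfo);
        requireNonNull("identityKey", privateKey);
        Date notBefore = new Date(System.currentTimeMillis() - SELF_SIGNED_BACKDATE_MS);
        Date notAfter = new Date(notBefore.getTime() + SELF_SIGNED_VALIDITY_MS);
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                x500Name, BigInteger.ONE, notBefore, notAfter, x500Name, subjectPublicKeyInfo);
        try {
            builder.addExtension(Extension.keyUsage, true, new X509KeyUsage(SELF_SIGNED_KEY_USAGE));
            String sigAlg = getSignatureAlgorithm(privateKey, ScepHashAlgo.SHA1);
            return toX509Cert(builder.build(new JcaContentSignerBuilder(sigAlg).build(privateKey)).toASN1Structure());
        } catch (CertIOException e) {
            throw new CertificateException("could not generate self-signed certificate: " + e.getMessage(), e);
        } catch (OperatorCreationException e) {
            throw new CertificateException("error while creating signer", e);
        }
    }

    /**
     * Extracts the certificates carried in a CMS SignedData structure.
     *
     * <p>The first certificate without a basicConstraints extension (i.e. with
     * {@code getBasicConstraints() == -1}, an end-entity certificate) is moved to
     * the front of the result; all others keep their original order.
     *
     * @param signedData the SignedData to read
     * @return the certificates, or an empty list if the structure carries none
     * @throws CertificateException if an entry is not a parseable X.509 certificate
     * @throws NullPointerException if {@code signedData} is null
     */
    public static List<X509Certificate> getCertsFromSignedData(SignedData signedData) throws CertificateException {
        requireNonNull("signedData", signedData);
        ASN1Set certificates = signedData.getCertificates();
        if (certificates == null || certificates.size() == 0) {
            return Collections.emptyList();
        }
        int size = certificates.size();
        List<X509Certificate> certs = new ArrayList<>(size);
        X509Certificate firstEndEntity = null;
        for (int i = 0; i < size; i++) {
            X509Certificate cert;
            try {
                cert = toX509Cert(Certificate.getInstance(certificates.getObjectAt(i)));
            } catch (IllegalArgumentException e) {
                // raised by Certificate.getInstance() when the set element is not a certificate
                throw new CertificateException(e);
            }
            if (firstEndEntity == null && cert.getBasicConstraints() == -1) {
                firstEndEntity = cert;
            } else {
                certs.add(cert);
            }
        }
        if (firstEndEntity != null) {
            certs.add(0, firstEndEntity);
        }
        return certs;
    }

    /**
     * Returns the first CRL carried in a CMS SignedData structure.
     *
     * @param signedData the SignedData to read
     * @return the first CRL, or null if the structure carries no CRLs
     * @throws CRLException if the first entry is not a parseable X.509 CRL
     * @throws NullPointerException if {@code signedData} is null
     */
    public static X509CRL getCrlFromPkiMessage(SignedData signedData) throws CRLException {
        requireNonNull("signedData", signedData);
        ASN1Set crls = signedData.getCRLs();
        if (crls == null || crls.size() == 0) {
            return null;
        }
        try {
            // only the first CRL is used; any further entries are ignored
            return toX509Crl(CertificateList.getInstance(crls.getObjectAt(0)));
        } catch (IllegalArgumentException | CRLException | CertificateException e) {
            throw new CRLException(e);
        }
    }

    /**
     * Returns the JCA signature algorithm name for a key and hash algorithm,
     * e.g. {@code SHA1withRSA}.
     *
     * @param privateKey the signing key; only RSA keys are supported
     * @param scepHashAlgo the digest to combine with the key algorithm
     * @return the algorithm name {@code <hash>withRSA}
     * @throws UnsupportedOperationException if the key algorithm is not RSA
     * @throws NullPointerException if an argument is null
     */
    public static String getSignatureAlgorithm(PrivateKey privateKey, ScepHashAlgo scepHashAlgo) {
        requireNonNull("key", privateKey);
        requireNonNull("hashAlgo", scepHashAlgo);
        if ("RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
            return scepHashAlgo.getName() + "withRSA";
        }
        throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
    }

    /**
     * Converts a BouncyCastle certificate structure to a JCA certificate by
     * re-encoding and parsing it.
     *
     * @param certificate the ASN.1 certificate structure
     * @return the parsed JCA certificate
     * @throws CertificateEncodingException if the structure cannot be DER-encoded
     * @throws CertificateException if the encoding cannot be parsed
     */
    public static X509Certificate toX509Cert(Certificate certificate) throws CertificateException {
        requireNonNull("certificate", certificate);
        try {
            return parseCert(certificate.getEncoded());
        } catch (IOException e) {
            throw new CertificateEncodingException("could not get encoded certificate", e);
        }
    }

    /**
     * Converts a BouncyCastle CRL structure to a JCA CRL by re-encoding and
     * parsing it.
     *
     * @param certificateList the ASN.1 CRL structure
     * @return the parsed JCA CRL
     * @throws CRLException if the structure cannot be DER-encoded or is not a valid CRL
     * @throws CertificateException if no certificate factory is available
     */
    public static X509CRL toX509Crl(CertificateList certificateList) throws CertificateException, CRLException {
        requireNonNull("certificateList", certificateList);
        try {
            return parseCrl(certificateList.getEncoded());
        } catch (IOException e) {
            throw new CRLException("could not get encoded CRL", e);
        }
    }

    /**
     * Parses a DER/PEM-encoded X.509 CRL.
     *
     * @param bArr the encoded CRL
     * @return the parsed CRL
     * @throws CRLException if the bytes are not a valid X.509 CRL
     * @throws CertificateException if no certificate factory is available
     * @throws NullPointerException if {@code bArr} is null
     */
    public static X509CRL parseCrl(byte[] bArr) throws CertificateException, CRLException {
        requireNonNull("encodedCrl", bArr);
        return parseCrl(new ByteArrayInputStream(bArr));
    }

    /**
     * Parses an X.509 CRL from a stream. The stream is not closed.
     *
     * @param inputStream the stream positioned at the encoded CRL
     * @return the parsed CRL
     * @throws CRLException if the stream does not yield a valid X.509 CRL
     * @throws CertificateException if no certificate factory is available
     * @throws NullPointerException if {@code inputStream} is null
     */
    public static X509CRL parseCrl(InputStream inputStream) throws CertificateException, CRLException {
        requireNonNull("crlStream", inputStream);
        X509CRL crl = (X509CRL) getCertFactory().generateCRL(inputStream);
        if (crl == null) {
            throw new CRLException("the given one is not a valid X.509 CRL");
        }
        return crl;
    }

    /**
     * Parses a DER/PEM-encoded X.509 certificate.
     *
     * @param bArr the encoded certificate
     * @return the parsed certificate
     * @throws CertificateException if the bytes are not a valid X.509 certificate
     * @throws NullPointerException if {@code bArr} is null
     */
    public static X509Certificate parseCert(byte[] bArr) throws CertificateException {
        requireNonNull("certBytes", bArr);
        return parseCert(new ByteArrayInputStream(bArr));
    }

    /**
     * Parses an X.509 certificate from a stream. The stream is not closed.
     *
     * @param inputStream the stream positioned at the encoded certificate
     * @return the parsed certificate
     * @throws CertificateException if the stream does not yield a valid X.509 certificate
     */
    private static X509Certificate parseCert(InputStream inputStream) throws CertificateException {
        requireNonNull("certStream", inputStream);
        return (X509Certificate) getCertFactory().generateCertificate(inputStream);
    }

    /**
     * Returns the SubjectKeyIdentifier of a certificate.
     *
     * @param x509Certificate the certificate
     * @return the key identifier octets, or null if the extension is absent
     * @throws CertificateEncodingException if the extension is malformed
     */
    private static byte[] extractSki(X509Certificate x509Certificate) throws CertificateEncodingException {
        byte[] extValue = getCoreExtValue(x509Certificate, Extension.subjectKeyIdentifier);
        if (extValue == null) {
            return null;
        }
        try {
            return ASN1OctetString.getInstance(extValue).getOctets();
        } catch (IllegalArgumentException e) {
            // keep the cause so the malformed encoding can be diagnosed
            throw new CertificateEncodingException(e.getMessage(), e);
        }
    }

    /**
     * Returns the keyIdentifier field of a certificate's AuthorityKeyIdentifier.
     *
     * @param x509Certificate the certificate
     * @return the key identifier octets, or null if the extension is absent
     *         (or, per BouncyCastle, if the extension has no keyIdentifier field)
     * @throws CertificateEncodingException if the extension is malformed
     */
    private static byte[] extractAki(X509Certificate x509Certificate) throws CertificateEncodingException {
        byte[] extValue = getCoreExtValue(x509Certificate, Extension.authorityKeyIdentifier);
        if (extValue == null) {
            return null;
        }
        try {
            return AuthorityKeyIdentifier.getInstance(extValue).getKeyIdentifier();
        } catch (IllegalArgumentException e) {
            throw new CertificateEncodingException("invalid extension AuthorityKeyIdentifier: " + e.getMessage(), e);
        }
    }

    /**
     * Tests whether a certificate's keyUsage extension asserts the given usage.
     *
     * @param x509Certificate the certificate
     * @param keyUsage the usage to test, identified by its bit index
     * @return true if the keyUsage extension is present and the bit is set; false
     *         if the extension is absent or does not cover the bit
     * @throws NullPointerException if an argument is null
     */
    public static boolean hasKeyusage(X509Certificate x509Certificate, KeyUsage keyUsage) {
        requireNonNull("cert", x509Certificate);
        requireNonNull("keyUsage", keyUsage);
        boolean[] bits = x509Certificate.getKeyUsage();
        int bit = keyUsage.getBit();
        if (bits == null || bits.length <= bit) {
            return false;
        }
        return bits[bit];
    }

    /**
     * Returns the inner value of an extension, i.e. the contents of the OCTET
     * STRING wrapper returned by {@link X509Certificate#getExtensionValue(String)}.
     *
     * @param x509Certificate the certificate
     * @param aSN1ObjectIdentifier the extension OID
     * @return the extension's DER value, or null if the extension is absent
     * @throws CertificateEncodingException if the wrapper is not a valid OCTET STRING
     * @throws NullPointerException if an argument is null
     */
    private static byte[] getCoreExtValue(X509Certificate x509Certificate, ASN1ObjectIdentifier aSN1ObjectIdentifier) throws CertificateEncodingException {
        requireNonNull("cert", x509Certificate);
        requireNonNull("type", aSN1ObjectIdentifier);
        byte[] extensionValue = x509Certificate.getExtensionValue(aSN1ObjectIdentifier.getId());
        if (extensionValue == null) {
            return null;
        }
        try {
            return ASN1OctetString.getInstance(extensionValue).getOctets();
        } catch (IllegalArgumentException e) {
            throw new CertificateEncodingException("invalid extension " + aSN1ObjectIdentifier.getId() + ": " + e.getMessage(), e);
        }
    }

    /**
     * Heuristically tests whether a certificate is self-signed: subject equals
     * issuer and, when both are present, SubjectKeyIdentifier equals the
     * AuthorityKeyIdentifier's keyIdentifier.
     *
     * <p>This does <em>not</em> verify the certificate's signature with its own
     * public key; callers needing that assurance must call
     * {@link X509Certificate#verify(PublicKey)} themselves.
     *
     * @param x509Certificate the certificate
     * @return true if subject and issuer match and the key identifiers do not
     *         contradict each other; false otherwise, including when a key
     *         identifier extension is malformed
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    public static boolean isSelfSigned(X509Certificate x509Certificate) {
        requireNonNull("cert", x509Certificate);
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal())) {
            return false;
        }
        try {
            byte[] ski = extractSki(x509Certificate);
            byte[] aki = extractAki(x509Certificate);
            if (ski == null || aki == null) {
                // without both identifiers the name match is all we can check
                return true;
            }
            return Arrays.equals(ski, aki);
        } catch (CertificateEncodingException e) {
            return false;
        }
    }

    /**
     * Heuristically tests whether {@code x509Certificate} is the issuer of
     * {@code x509Certificate2}: the issuer must be a CA (basicConstraints present),
     * its subject must equal the subject certificate's issuer, its
     * SubjectKeyIdentifier (if present) must equal the subject certificate's
     * AuthorityKeyIdentifier, and the subject certificate's notBefore must fall
     * within the issuer's validity period.
     *
     * <p>This does <em>not</em> verify the signature on {@code x509Certificate2};
     * it is a cheap pre-filter for chain building, not a trust decision.
     *
     * @param x509Certificate the candidate issuer
     * @param x509Certificate2 the certificate whose issuer is sought
     * @return true if all checks above pass
     * @throws CertificateEncodingException if a key identifier extension is malformed
     * @throws NullPointerException if an argument is null
     */
    public static boolean issues(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws CertificateEncodingException {
        requireNonNull("issuerCert", x509Certificate);
        requireNonNull("cert", x509Certificate2);
        // getBasicConstraints() is -1 when the extension is absent or cA is false
        if (x509Certificate.getBasicConstraints() < 0) {
            return false;
        }
        if (!x509Certificate.getSubjectX500Principal().equals(x509Certificate2.getIssuerX500Principal())) {
            return false;
        }
        byte[] issuerSki = extractSki(x509Certificate);
        if (issuerSki != null) {
            // a missing AKI on the subject certificate yields false here
            byte[] subjectAki = extractAki(x509Certificate2);
            if (!Arrays.equals(issuerSki, subjectAki)) {
                return false;
            }
        }
        long issuerNotBefore = x509Certificate.getNotBefore().getTime();
        long issuerNotAfter = x509Certificate.getNotAfter().getTime();
        long subjectNotBefore = x509Certificate2.getNotBefore().getTime();
        return subjectNotBefore <= issuerNotAfter && subjectNotBefore >= issuerNotBefore;
    }

    /**
     * Maps an RSA signature algorithm OID to the OID of the digest it uses.
     *
     * @param str the signature algorithm OID in dotted-decimal form
     * @param bArr the encoded algorithm parameters; required only for
     *        RSASSA-PSS, whose digest is read from the parameters
     * @return the digest algorithm OID
     * @throws NoSuchAlgorithmException if the signature algorithm is not recognised,
     *         or it is RSASSA-PSS and no parameters were supplied
     * @throws IllegalArgumentException if {@code str} is empty or not a valid OID
     * @throws NullPointerException if {@code str} is null
     */
    public static ASN1ObjectIdentifier extractDigesetAlgorithmIdentifier(String str, byte[] bArr) throws NoSuchAlgorithmException {
        requireNonBlank("sigOid", str);
        ASN1ObjectIdentifier sigOid = new ASN1ObjectIdentifier(str);
        if (PKCSObjectIdentifiers.md5WithRSAEncryption.equals(sigOid)) {
            return PKCSObjectIdentifiers.md5;
        }
        if (PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(sigOid)) {
            return X509ObjectIdentifiers.id_SHA1;
        }
        if (PKCSObjectIdentifiers.sha224WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha224;
        }
        if (PKCSObjectIdentifiers.sha256WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha256;
        }
        if (PKCSObjectIdentifiers.sha384WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha384;
        }
        if (PKCSObjectIdentifiers.sha512WithRSAEncryption.equals(sigOid)) {
            return NISTObjectIdentifiers.id_sha512;
        }
        if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(sigOid)) {
            // RSASSAPSSparams.getInstance(null) returns null, which would otherwise surface as an NPE
            if (bArr == null) {
                throw new NoSuchAlgorithmException("RSASSA-PSS signature algorithm without parameters");
            }
            return RSASSAPSSparams.getInstance(bArr).getHashAlgorithm().getAlgorithm();
        }
        throw new NoSuchAlgorithmException("unknown signature algorithm " + sigOid.getId());
    }

    /**
     * Returns the first value of a CMS attribute.
     *
     * @param attributeTable the attributes to search
     * @param aSN1ObjectIdentifier the attribute type
     * @return the first value, or null if the attribute is absent or has no values
     * @throws NullPointerException if an argument is null
     */
    public static ASN1Encodable getFirstAttrValue(AttributeTable attributeTable, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        requireNonNull("attrs", attributeTable);
        requireNonNull("type", aSN1ObjectIdentifier);
        Attribute attribute = attributeTable.get(aSN1ObjectIdentifier);
        if (attribute == null) {
            return null;
        }
        ASN1Set values = attribute.getAttrValues();
        return values.size() == 0 ? null : values.getObjectAt(0);
    }

    /**
     * Reads a stream to its end and closes it.
     *
     * <p>The stream is always closed, even when reading fails; a failure to close
     * is logged and otherwise ignored. No size limit is applied, so callers
     * reading from an untrusted peer should bound the stream themselves.
     *
     * @param inputStream the stream to drain
     * @return all bytes read
     * @throws IOException if reading fails
     * @throws NullPointerException if {@code inputStream} is null
     */
    public static byte[] read(InputStream inputStream) throws IOException {
        requireNonNull("in", inputStream);
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[READ_BUFFER_SIZE];
            int count;
            while ((count = inputStream.read(buffer)) != -1) {
                out.write(buffer, 0, count);
            }
            return out.toByteArray();
        } finally {
            try {
                inputStream.close();
            } catch (IOException e) {
                LOG.error("could not close stream: {}", e.getMessage());
            }
        }
    }

    /**
     * Adds certificates to a CMS SignedData generator.
     *
     * <p>A null or empty array is a no-op; in that case the generator is not
     * examined at all.
     *
     * @param cMSSignedDataGenerator the generator to add to
     * @param x509CertificateArr the certificates to include (may be null or empty)
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws CMSException if the generator rejects the store
     * @throws NullPointerException if the generator is null and the array is non-empty
     */
    public static void addCmsCertSet(CMSSignedDataGenerator cMSSignedDataGenerator, X509Certificate[] x509CertificateArr) throws CertificateEncodingException, CMSException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return;
        }
        requireNonNull("geneator", cMSSignedDataGenerator);
        cMSSignedDataGenerator.addCertificates(new JcaCertStore(Arrays.asList(x509CertificateArr)));
    }

    /**
     * Returns the shared X.509 certificate factory, creating it on first use.
     * The BouncyCastle provider is preferred; if it is not registered the
     * default provider is used.
     *
     * @return the cached factory
     * @throws CertificateException if no X.509 factory is available at all
     */
    private static CertificateFactory getCertFactory() throws CertificateException {
        synchronized (certFactLock) {
            if (certFact == null) {
                try {
                    certFact = CertificateFactory.getInstance("X.509", "BC");
                } catch (NoSuchProviderException e) {
                    // BC not installed: fall back to whatever provider the platform offers
                    certFact = CertificateFactory.getInstance("X.509");
                }
            }
            return certFact;
        }
    }

    /**
     * Checks that a value is non-null.
     *
     * @param str the parameter name used in the exception message
     * @param t the value to check
     * @param <T> the value type
     * @return {@code t}
     * @throws NullPointerException with message {@code "<str> must not be null"} if {@code t} is null
     */
    public static <T> T requireNonNull(String str, T t) {
        return Objects.requireNonNull(t, str + " must not be null");
    }

    /**
     * Checks that a string is non-null and non-empty. Whitespace-only strings
     * are accepted.
     *
     * @param str the parameter name used in the exception message
     * @param str2 the value to check
     * @return {@code str2}
     * @throws NullPointerException if {@code str2} is null
     * @throws IllegalArgumentException if {@code str2} is empty
     */
    public static String requireNonBlank(String str, String str2) {
        Objects.requireNonNull(str2, str + " must not be null");
        if (str2.isEmpty()) {
            throw new IllegalArgumentException(str + " must not be blank");
        }
        return str2;
    }

    /**
     * Checks that a collection is non-null and non-empty.
     *
     * @param str the parameter name used in the exception message
     * @param collection the value to check
     * @param <T> the element type
     * @return {@code collection}
     * @throws NullPointerException if {@code collection} is null
     * @throws IllegalArgumentException if {@code collection} is empty
     */
    public static <T> Collection<T> requireNonEmpty(String str, Collection<T> collection) {
        Objects.requireNonNull(collection, str + " must not be null");
        if (collection.isEmpty()) {
            throw new IllegalArgumentException(str + " must not be empty");
        }
        return collection;
    }
}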
