package org.parosproxy.paros.security;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.time.Duration;
import java.util.Date;
import java.util.Random;
import java.util.concurrent.atomic.AtomicLong;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.parosproxy.paros.security.CertData;

/* loaded from: input_file:org/parosproxy/paros/security/SslCertificateServiceImpl.class */
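/**
 * Issues per-host leaf certificates signed by the proxy's own root CA.
 *
 * <p>The CA material (certificate, public key, private key) is loaded once via
 * {@link #initializeRootCA(KeyStore)}. Each {@link #createCertForHost(CertData)} call then
 * generates a fresh 2048-bit RSA key pair, builds an end-entity certificate for the requested
 * name(s), signs it with the CA key ("SHA256WithRSAEncryption", BouncyCastle provider), verifies
 * the result against the CA public key and returns it inside a new in-memory JKS keystore together
 * with the CA certificate.
 *
 * <p>Thread-safety: the CA material lives behind a single {@code volatile} reference that
 * {@code initializeRootCA} swaps atomically, so concurrent {@code createCertForHost} callers see
 * either the old or the new CA triple, never a mix. Serial numbers come from an {@link AtomicLong}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Leaf key pairs are generated with the platform default {@link SecureRandom}. An earlier
 *       revision re-seeded a fresh "SHA1PRNG" instance with {@code System.currentTimeMillis()}
 *       before drawing any bytes, which replaces the PRNG state entirely and made every RSA key
 *       derivable from the issuance timestamp. Do not reintroduce an explicit {@code setSeed}.</li>
 *   <li>The starting serial is drawn from {@link SecureRandom} and masked to 48 bits so the DER
 *       INTEGER stays short and positive; it then increments per certificate.</li>
 *   <li>The SubjectKeyIdentifier written below is the full encoded SubjectPublicKeyInfo rather
 *       than the RFC 5280 §4.2.1.2 SHA-1 key-identifier form. It is a non-critical hint and does
 *       not weaken the certificate; switching to
 *       {@code JcaX509ExtensionUtils.createSubjectKeyIdentifier} would be the tidy fix.</li>
 * </ul>
 */
public final class SslCertificateServiceImpl implements SslCertificateService {
    /** Days by which a leaf certificate's notBefore is backdated, to tolerate client clock skew. */
    private static final int SITE_CERTIFICATE_START_ADJUSTMENT = 30;
    /** Days from issuance until a leaf certificate's notAfter. */
    private static final int SITE_CERTIFICATE_END_VALIDITY_PERIOD = 368;
    /** Mask keeping the initial serial within 48 bits (0x0000FFFFFFFFFFFF == 281474976710655). */
    private static final long SERIAL_MASK = 0xFFFFFFFFFFFFL;

    /** Immutable snapshot of the root CA material; replaced as a unit by initializeRootCA. */
    private static final class RootCa {
        final X509Certificate cert;
        final PublicKey pubKey;
        final PrivateKey privKey;

        RootCa(X509Certificate cert, PublicKey pubKey, PrivateKey privKey) {
            this.cert = cert;
            this.pubKey = pubKey;
            this.privKey = privKey;
        }
    }

    /** Null until initializeRootCA has been given a keystore; null again after initializeRootCA(null). */
    private volatile RootCa rootCa = null;
    /** Next serial number to issue. */
    private final AtomicLong serial;
    private static final SslCertificateService singleton = new SslCertificateServiceImpl();

    private SslCertificateServiceImpl() {
        Security.addProvider(new BouncyCastleProvider());
        // Unpredictable starting serial. A java.util.Random seeded with the wall clock (as in the
        // previous revision) would let anyone reconstruct every serial from the start-up time.
        this.serial = new AtomicLong(new SecureRandom().nextLong() & SERIAL_MASK);
    }

    /**
     * Loads (or clears) the root CA used to sign host certificates.
     *
     * <p>With a {@code null} keystore the CA material is cleared and later
     * {@code createCertForHost} calls fail with {@code MissingRootCertificateException}.
     * Otherwise the certificate and private key are read from the alias
     * {@code SslCertificateService.ZAPROXY_JKS_ALIAS} using {@code SslCertificateService.PASSPHRASE}.
     * Both entries are validated before any field is touched, so a failure (missing entry, wrong
     * passphrase) leaves the previously installed CA intact instead of a half-updated mix of old
     * key and new certificate.
     *
     * @param keyStore keystore holding the CA entry, or {@code null} to clear
     * @throws KeyStoreException if the keystore is not loaded or no X.509 certificate is stored
     *     under the expected alias
     * @throws UnrecoverableKeyException if the key cannot be recovered (e.g. wrong passphrase) or
     *     no key entry exists under the alias
     * @throws NoSuchAlgorithmException if the key's algorithm is unavailable
     * @throws ClassCastException if the stored key is not an RSA private key; the leaf signer is
     *     RSA-only, so a non-RSA CA key is rejected here rather than at the first signature
     */
    @Override
    public synchronized void initializeRootCA(KeyStore keyStore)
            throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
        if (keyStore == null) {
            this.rootCa = null;
            return;
        }
        Certificate stored = keyStore.getCertificate(SslCertificateService.ZAPROXY_JKS_ALIAS);
        if (!(stored instanceof X509Certificate)) {
            throw new KeyStoreException(
                    "No X.509 certificate found under alias '" + SslCertificateService.ZAPROXY_JKS_ALIAS + "'");
        }
        X509Certificate cert = (X509Certificate) stored;
        RSAPrivateKey key =
                (RSAPrivateKey) keyStore.getKey(SslCertificateService.ZAPROXY_JKS_ALIAS, SslCertificateService.PASSPHRASE);
        if (key == null) {
            throw new UnrecoverableKeyException(
                    "No private key found under alias '" + SslCertificateService.ZAPROXY_JKS_ALIAS + "'");
        }
        // Publish all three together; readers never observe a partially updated CA.
        this.rootCa = new RootCa(cert, cert.getPublicKey(), key);
    }

    /**
     * Convenience overload: issues a certificate whose common name is {@code str}.
     *
     * @param str host name used as the certificate's CN
     * @return a new JKS keystore holding the leaf key and the chain [leaf, CA]
     * @see #createCertForHost(CertData)
     */
    @Override
    public KeyStore createCertForHost(String str)
            throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException,
                    SignatureException, NoSuchProviderException, InvalidKeyException, IOException {
        return createCertForHost(new CertData(str));
    }

    /**
     * Issues a CA-signed end-entity certificate for the given name data.
     *
     * <p>The subject carries the CN (if any) plus fixed OU/O/C/emailAddress RDNs identifying the
     * proxy project. Extensions: SubjectKeyIdentifier, BasicConstraints(cA=false),
     * ExtendedKeyUsage(serverAuth), and SubjectAlternativeName when {@code certData} supplies
     * any names (criticality taken from {@code certData}). Validity runs from
     * {@value #SITE_CERTIFICATE_START_ADJUSTMENT} days ago to
     * {@value #SITE_CERTIFICATE_END_VALIDITY_PERIOD} days from now.
     *
     * @param certData common name and subject alternative names for the certificate
     * @return a new in-memory JKS keystore with the leaf private key stored under
     *     {@code SslCertificateService.ZAPROXY_JKS_ALIAS}, protected by
     *     {@code SslCertificateService.PASSPHRASE}, with chain [leaf, CA]
     * @throws MissingRootCertificateException (unchecked) if {@link #initializeRootCA} has not
     *     installed a CA
     * @throws IllegalArgumentException if there is neither a common name nor any alternative name
     * @throws CertificateException if the signer cannot be created or the built certificate is
     *     invalid / does not verify against the CA public key
     */
    @Override
    public KeyStore createCertForHost(CertData certData)
            throws NoSuchAlgorithmException, InvalidKeyException, CertificateException, NoSuchProviderException,
                    SignatureException, KeyStoreException, IOException, UnrecoverableKeyException {
        // One volatile read: a concurrent initializeRootCA(null) cannot null a field between the
        // check below and its use.
        RootCa issuer = this.rootCa;
        if (issuer == null) {
            throw new MissingRootCertificateException(
                    getClass() + " wasn't initialized! Got to options 'Dynamic SSL Certs' and create one.");
        }

        CertData.Name[] sanEntries = certData.getSubjectAlternativeNames();
        GeneralName[] altNames = new GeneralName[sanEntries.length];
        for (int i = 0; i < sanEntries.length; i++) {
            altNames[i] = new GeneralName(sanEntries[i].getType(), sanEntries[i].getValue());
        }
        if (certData.getCommonName() == null && altNames.length == 0) {
            throw new IllegalArgumentException("commonName is null and no subjectAlternativeNames are specified");
        }

        KeyPair leafKeyPair = createKeyPair();
        PrivateKey leafPrivateKey = leafKeyPair.getPrivate();
        PublicKey leafPublicKey = leafKeyPair.getPublic();

        X500NameBuilder subject = new X500NameBuilder(BCStyle.INSTANCE);
        if (certData.getCommonName() != null) {
            subject.addRDN(BCStyle.CN, certData.getCommonName());
        }
        subject.addRDN(BCStyle.OU, "Zed Attack Proxy Project");
        subject.addRDN(BCStyle.O, "OWASP");
        subject.addRDN(BCStyle.C, "xx");
        subject.addRDN(BCStyle.EmailAddress, "zaproxy-develop@googlegroups.com");

        long now = System.currentTimeMillis();
        Date notBefore = new Date(now - Duration.ofDays(SITE_CERTIFICATE_START_ADJUSTMENT).toMillis());
        Date notAfter = new Date(now + Duration.ofDays(SITE_CERTIFICATE_END_VALIDITY_PERIOD).toMillis());

        // Issuer name is taken from the CA certificate's subject so the chain links by name.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X509CertificateHolder(issuer.cert.getEncoded()).getSubject(),
                BigInteger.valueOf(this.serial.getAndIncrement()),
                notBefore,
                notAfter,
                subject.build(),
                leafPublicKey);
        // NOTE(review): SKI is the full encoded SubjectPublicKeyInfo, not the RFC 5280 SHA-1 form
        // (see class Javadoc). Non-critical; harmless but non-standard.
        builder.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(leafPublicKey.getEncoded()));
        // End-entity certificate: must never be usable to sign further certificates.
        builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        builder.addExtension(
                Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] {KeyPurposeId.id_kp_serverAuth}));
        if (altNames.length > 0) {
            builder.addExtension(
                    Extension.subjectAlternativeName, certData.isSubjectAlternativeNameIsCritical(), new GeneralNames(altNames));
        }

        try {
            X509Certificate leaf = new JcaX509CertificateConverter()
                    .setProvider("BC")
                    .getCertificate(
                            builder.build(
                                    new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                                            .setProvider("BC")
                                            .build(issuer.privKey)));
            // Fail fast on anything the builder accepted but clients would reject.
            leaf.checkValidity(new Date());
            leaf.verify(issuer.pubKey);

            KeyStore result = KeyStore.getInstance("JKS");
            result.load(null, null);
            result.setKeyEntry(
                    SslCertificateService.ZAPROXY_JKS_ALIAS, leafPrivateKey, PASSPHRASE, new Certificate[] {leaf, issuer.cert});
            return result;
        } catch (OperatorCreationException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Generates a fresh 2048-bit RSA key pair for a leaf certificate.
     *
     * <p>Uses the platform default {@link SecureRandom}, which seeds itself from the OS entropy
     * source. Never call {@code setSeed} with a timestamp here: on "SHA1PRNG" a seed supplied
     * before the first {@code nextBytes} fully determines the output, so the resulting private key
     * would be recoverable from the millisecond the certificate was issued.
     *
     * @return a new RSA key pair
     * @throws NoSuchAlgorithmException if no RSA key pair generator is available
     */
    private KeyPair createKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048, new SecureRandom());
        return generator.generateKeyPair();
    }

    /** @return the process-wide certificate service instance */
    public static SslCertificateService getService() {
        return singleton;
    }
}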
