package com.peterphi.std.crypto.keygen;

import com.peterphi.std.crypto.digest.DigestHelper;
import com.peterphi.std.util.HexHelper;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Set;
import java.util.TimeZone;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.io.IOUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Attribute;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;

/* loaded from: input_file:com/peterphi/std/crypto/keygen/CaHelper.class */
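/**
 * Small in-process certificate authority built on Bouncy Castle: RSA key-pair generation,
 * self-signed CA certificates, CA-issued server and client certificates, PKCS#10 requests
 * and the legacy OpenSSL subject-name hash.
 *
 * <p>All JCA/JCE operations go through the {@code "BC"} provider, which the static initialiser
 * registers if it is not already present.
 *
 * <p>Generated certificates are signed with {@link #getSignatureAlgorithm()}; see the note there
 * about the strength of that algorithm.
 */
public class CaHelper {
    private static final transient Logger log = Logger.getLogger(CaHelper.class);
    public static final boolean GLOBUS_COG_HACK = true;
    public static final boolean GLOBUS_ALGORITHM_HACK = true;
    /** OID of the Netscape certificate-type extension; assigned in the static initialiser. */
    public static final DERObjectIdentifier netscapeCertType;

    /** JCA provider name used for every key, certificate and keystore operation in this class. */
    private static final String PROVIDER = "BC";
    /** notBefore is backdated by this many hours so clock skew cannot make a fresh certificate "not yet valid". */
    private static final int NOT_BEFORE_SKEW_HOURS = 48;
    /** Validity, in years, of generated end-entity (server / client) certificates. */
    private static final int END_ENTITY_VALIDITY_YEARS = 10;
    /** Validity, in years, of generated CA certificates. */
    private static final int CA_VALIDITY_YEARS = 20;
    /** Random bits in a generated serial number (RFC 5280: positive, unique per issuer, at most 20 octets). */
    private static final int SERIAL_BITS = 64;
    /** Shared CSPRNG for key generation and serial numbers; {@link SecureRandom} is safe for concurrent use. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Whether the ExtendedKeyUsage extension is marked critical on generated certificates.
     * Non-critical lets validators that do not understand EKU still accept the certificate.
     * NOTE(review): presumably tied to {@link #GLOBUS_COG_HACK} — confirm before changing either.
     */
    private static boolean getExtendedKeyUsageCriticality() {
        return false;
    }

    /**
     * Signature algorithm used for every certificate and request produced here.
     * NOTE(review): MD5-based signatures are collision-prone and rejected by current TLS stacks;
     * the value is kept as-is for compatibility (presumably {@link #GLOBUS_ALGORITHM_HACK} — confirm)
     * and should be moved to a SHA-2 algorithm when the consumers allow it.
     */
    private static String getSignatureAlgorithm() {
        return "MD5WITHRSA";
    }

    /**
     * Computes the legacy OpenSSL hash of a certificate's subject name (the value OpenSSL uses to
     * name files in a hashed CA directory).
     *
     * @param certificate the certificate whose subject DN is hashed
     * @return 8 hex characters
     * @throws Error if MD5 is unavailable from the JCA (it is a mandatory algorithm, so this is not expected)
     */
    public static String opensslHash(X509Certificate certificate) {
        try {
            return openssl_X509_NAME_hash(certificate.getSubjectX500Principal());
        } catch (NoSuchAlgorithmException e) {
            throw new Error("MD5 isn't available!", e);
        }
    }

    /**
     * Legacy OpenSSL {@code X509_NAME_hash}: MD5 of the DER-encoded name, first four bytes
     * interpreted as a little-endian value and printed in hex.
     *
     * @param name the DER-encodable X.500 name
     * @return 8 hex characters
     * @throws NoSuchAlgorithmException if MD5 is unavailable
     */
    public static String openssl_X509_NAME_hash(X500Principal name) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance(DigestHelper.MD5).digest(name.getEncoded());
        // byte order is reversed to match OpenSSL's little-endian reading of the leading 32 bits
        return HexHelper.toHex(digest[3], digest[2], digest[1], digest[0]);
    }

    /**
     * Generates an RSA key pair with the BC provider.
     *
     * @param keySize modulus size in bits (2048 or more is the current minimum recommendation)
     * @return a fresh key pair
     * @throws Exception if the provider or algorithm is unavailable
     */
    public static KeyPair generateKeyPair(int keySize) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", PROVIDER);
        generator.initialize(keySize, RANDOM);
        return generator.generateKeyPair();
    }

    /**
     * Issues a client-authentication certificate signed by {@code issuerKey}.
     *
     * @param publicKey  the subject's public key
     * @param issuerKey  the issuing CA's private key
     * @param issuer     the issuing CA's DN (must match the CA certificate's subject for chain building)
     * @param subject    the subject DN
     * @return the signed certificate, valid for {@value #END_ENTITY_VALIDITY_YEARS} years
     * @throws Exception on signing or encoding failure
     */
    public static X509Certificate generateClientCertificate(PublicKey publicKey, PrivateKey issuerKey, X509Name issuer, X509Name subject) throws Exception {
        X509V3CertificateGenerator generator = newGenerator(issuer, subject, publicKey, null, END_ENTITY_VALIDITY_YEARS);
        return addClientExtensions(generator).generate(issuerKey, PROVIDER);
    }

    /**
     * Issues a TLS server certificate (also usable for client authentication) signed by {@code issuerKey}.
     * NOTE(review): no SubjectAlternativeName is added, so hostname matching relies on the CN only;
     * modern clients require a SAN.
     *
     * @param publicKey  the subject's public key
     * @param issuerKey  the issuing CA's private key
     * @param issuer     the issuing CA's DN (must match the CA certificate's subject for chain building)
     * @param subject    the subject DN, conventionally with CN = host name
     * @return the signed certificate, valid for {@value #END_ENTITY_VALIDITY_YEARS} years
     * @throws Exception on signing or encoding failure
     */
    public static X509Certificate generateServerCertificate(PublicKey publicKey, PrivateKey issuerKey, X509Name issuer, X509Name subject) throws Exception {
        X509V3CertificateGenerator generator = newGenerator(issuer, subject, publicKey, null, END_ENTITY_VALIDITY_YEARS);
        return addSSLServerExtensions(generator).generate(issuerKey, PROVIDER);
    }

    /**
     * Builds a generator with the fields shared by every certificate type: issuer, subject, validity,
     * public key, signature algorithm and serial number.
     *
     * @param serial the serial number to use, or {@code null} to draw a random one
     */
    private static X509V3CertificateGenerator newGenerator(X509Name issuer, X509Name subject, PublicKey publicKey, BigInteger serial, int validityYears) {
        X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
        generator.setIssuerDN(issuer);
        generator.setSubjectDN(subject);
        setNotBeforeNotAfter(generator, validityYears);
        generator.setPublicKey(publicKey);
        generator.setSignatureAlgorithm(getSignatureAlgorithm());
        generator.setSerialNumber(serial != null ? serial : newSerialNumber());
        return generator;
    }

    /**
     * Draws a random, strictly positive serial number. A clock-based serial collides when two
     * certificates are issued in the same millisecond, which breaks the per-issuer uniqueness
     * that RFC 5280 requires; a CSPRNG value does not.
     */
    private static BigInteger newSerialNumber() {
        return BigInteger.ONE.add(new BigInteger(SERIAL_BITS, RANDOM));
    }

    /**
     * Sets notBefore to now minus {@value #NOT_BEFORE_SKEW_HOURS} hours (UTC) and notAfter to
     * notBefore plus {@code validityYears} years.
     */
    private static void setNotBeforeNotAfter(X509V3CertificateGenerator generator, int validityYears) {
        Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        calendar.add(Calendar.HOUR, -NOT_BEFORE_SKEW_HOURS);
        generator.setNotBefore(calendar.getTime());
        // validity is counted from the backdated notBefore, so the real lifetime is slightly shorter
        calendar.add(Calendar.YEAR, validityYears);
        generator.setNotAfter(calendar.getTime());
    }

    /**
     * Generates a self-signed CA certificate whose issuer and subject are both {@code name}.
     *
     * @see #generateCaCertificate(String, KeyPair, BigInteger, X509Name, X509Name)
     */
    public static X509Certificate generateCaCertificate(String friendlyName, KeyPair keyPair, BigInteger serial, X509Name name) throws Exception {
        return generateCaCertificate(friendlyName, keyPair, serial, name, name);
    }

    /**
     * Generates a CA certificate signed with {@code keyPair}'s private key, verifies it against the
     * public key and optionally tags it with a PKCS#12 friendly name.
     *
     * @param friendlyName PKCS#12 bag attribute {@code friendlyName}, or {@code null} for none
     * @param keyPair      the CA key pair; the private half signs, the public half is embedded and used to verify
     * @param serial       serial number, or {@code null} to draw a random one
     * @param issuer       issuer DN
     * @param subject      subject DN
     * @return the verified certificate, valid for {@value #CA_VALIDITY_YEARS} years
     * @throws Exception if signing, validity checking or self-verification fails
     */
    public static X509Certificate generateCaCertificate(String friendlyName, KeyPair keyPair, BigInteger serial, X509Name issuer, X509Name subject) throws Exception {
        X509V3CertificateGenerator generator = newGenerator(issuer, subject, keyPair.getPublic(), serial, CA_VALIDITY_YEARS);
        X509Certificate certificate = addCaExtensions(generator, keyPair.getPublic()).generate(keyPair.getPrivate(), PROVIDER);
        certificate.checkValidity();
        certificate.verify(keyPair.getPublic(), PROVIDER);
        if (friendlyName != null) {
            // BC's X509Certificate implementation also implements PKCS12BagAttributeCarrier, so the
            // friendly name travels with the certificate when it is stored into a PKCS#12 keystore
            ((PKCS12BagAttributeCarrier) certificate).setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
        }
        return certificate;
    }

    /**
     * Builds a PKCS#10 request for the subject and public key of an existing certificate, carrying
     * each of its non-critical extensions as a request attribute.
     * NOTE(review): the attribute value is the raw OCTET STRING returned by
     * {@code getExtensionValue}, not the decoded extension — confirm that is what the recipient expects.
     *
     * @param certificate source of subject name, public key and extensions
     * @param privateKey  key used to sign the request
     * @return the signed request
     * @throws Exception on encoding or signing failure
     */
    public static PKCS10CertificationRequest generateCertificateRequest(X509Certificate certificate, PrivateKey privateKey) throws Exception {
        ASN1EncodableVector attributes = new ASN1EncodableVector();
        Set<String> oids = certificate.getNonCriticalExtensionOIDs();
        // getNonCriticalExtensionOIDs() returns null (not an empty set) when the certificate has no extensions
        if (oids != null) {
            for (String oid : oids) {
                ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(certificate.getExtensionValue(oid)));
                try {
                    attributes.add(new Attribute(new DERObjectIdentifier(oid), new DERSet(in.readObject())));
                } finally {
                    IOUtils.closeQuietly(in);
                }
            }
        }
        return new PKCS10CertificationRequest(getSignatureAlgorithm(), certificate.getSubjectX500Principal(), certificate.getPublicKey(), new DERSet(attributes), privateKey);
    }

    /**
     * Adds the extension set for a CA certificate: cA=true, signing/encipherment key usages
     * including keyCertSign and cRLSign, serverAuth EKU, Netscape cert type 0x7F, and the
     * subject / authority key identifiers derived from {@code publicKey}.
     */
    private static X509V3CertificateGenerator addCaExtensions(X509V3CertificateGenerator generator, PublicKey publicKey) throws Exception {
        generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
        // 0xB6 == 182
        generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(
                KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment
                        | KeyUsage.keyCertSign | KeyUsage.cRLSign));
        generator.addExtension(X509Extensions.ExtendedKeyUsage, getExtendedKeyUsageCriticality(), new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        generator.addExtension(netscapeCertType, false, new DERBitString(new byte[]{(byte) 0x7F}));
        addSubjectKeyIdentifier(generator, publicKey);
        addAuthorityKeyIdentifier(generator, publicKey);
        return generator;
    }

    /** Adds a non-critical AuthorityKeyIdentifier derived from {@code publicKey} (the issuer's key). */
    private static void addAuthorityKeyIdentifier(X509V3CertificateGenerator generator, PublicKey publicKey) throws Exception {
        generator.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), false,
                new AuthorityKeyIdentifier(toSubjectPublicKeyInfo(publicKey)));
    }

    /** Adds a non-critical SubjectKeyIdentifier derived from {@code publicKey}. */
    private static void addSubjectKeyIdentifier(X509V3CertificateGenerator generator, PublicKey publicKey) throws Exception {
        generator.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false,
                new SubjectKeyIdentifier(toSubjectPublicKeyInfo(publicKey)));
    }

    /** Re-parses the X.509 encoding of {@code publicKey} into a BC {@link SubjectPublicKeyInfo}. */
    private static SubjectPublicKeyInfo toSubjectPublicKeyInfo(PublicKey publicKey) throws Exception {
        ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded()));
        try {
            return new SubjectPublicKeyInfo(in.readObject());
        } finally {
            IOUtils.closeQuietly(in);
        }
    }

    /**
     * Adds the extension set for a TLS server certificate: cA=false, digitalSignature + keyEncipherment,
     * and a non-critical EKU of serverAuth and clientAuth. No key identifiers are added here.
     */
    private static X509V3CertificateGenerator addSSLServerExtensions(X509V3CertificateGenerator generator) {
        generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        // 0xA0 == 160
        generator.addExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        Vector purposes = new Vector();
        purposes.add(KeyPurposeId.id_kp_serverAuth);
        purposes.add(KeyPurposeId.id_kp_clientAuth);
        generator.addExtension(X509Extensions.ExtendedKeyUsage, getExtendedKeyUsageCriticality(), new ExtendedKeyUsage(purposes));
        return generator;
    }

    /**
     * Adds the extension set for a client-authentication certificate: cA=false, a critical KeyUsage
     * and a clientAuth EKU.
     * NOTE(review): the KeyUsage value (0xB4 == 180) includes keyCertSign on an end-entity certificate;
     * RFC 5280 only allows that bit when cA is true. Kept unchanged for compatibility — confirm whether
     * any consumer relies on it before dropping it.
     */
    private static X509V3CertificateGenerator addClientExtensions(X509V3CertificateGenerator generator) throws Exception {
        generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(
                KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyCertSign));
        generator.addExtension(X509Extensions.ExtendedKeyUsage, getExtendedKeyUsageCriticality(), new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        return generator;
    }

    /**
     * Sample flow: loads an existing CA from a PKCS#12 file, re-saves it, exports the CA certificate
     * as JKS and PEM, then issues one server certificate and stores it as JKS and PKCS#12.
     * NOTE(review): every file lives under {@code /tmp} and every store uses an empty password, so the
     * CA and host private keys are unprotected on disk; suitable for local experimentation only.
     * The issuer DN handed to {@link #generateServerCertificate} is written out literally rather than
     * taken from the loaded CA certificate — the two must agree for the chain to build.
     *
     * @param args ignored
     * @throws Exception on any keystore, I/O or crypto failure
     */
    public static void main(String[] args) throws Exception {
        final char[] noPassword = new char[0];
        final File caFile = new File("/tmp/someorg-ca.p12");

        KeyStore caStore = KeyStore.getInstance("PKCS12", PROVIDER);
        FileInputStream caIn = new FileInputStream(caFile);
        try {
            caStore.load(caIn, noPassword);
        } finally {
            caIn.close();
        }
        PrivateKey caKey = (PrivateKey) caStore.getKey("ca", noPassword);
        X509Certificate caCert = (X509Certificate) caStore.getCertificate("ca");

        // re-write the CA store to the path it was read from
        KeyStore rewrittenCaStore = KeyStore.getInstance("PKCS12", PROVIDER);
        rewrittenCaStore.load(null);
        rewrittenCaStore.setKeyEntry("ca", caKey, noPassword, new Certificate[]{caCert});
        store(rewrittenCaStore, caFile.getPath(), noPassword);

        KeyStore publicStore = KeyStore.getInstance("JKS");
        publicStore.load(null);
        publicStore.setCertificateEntry("ca", caCert);
        store(publicStore, "/tmp/ca-public.jks", noPassword);

        PEMWriter pem = new PEMWriter(new FileWriter(new File("/tmp/d3ca.crt")));
        try {
            pem.writeObject(caCert);
        } finally {
            pem.close();
        }

        // NOTE(review): 1024-bit RSA is below current minimum recommendations; kept as in the original sample
        KeyPair hostKeys = generateKeyPair(1024);
        X509Certificate hostCert = generateServerCertificate(hostKeys.getPublic(), caKey,
                new X509Name("C=UK, O=SOMEORG, OU=Org Unit, CN=Example Certificate Authority"),
                new X509Name("C=UK, O=SOMEORG, OU=Org Unit, L=SomeCompany, CN=examplehost.example.com"));

        KeyStore hostJks = KeyStore.getInstance("JKS");
        hostJks.load(null);
        hostJks.setKeyEntry("me", hostKeys.getPrivate(), noPassword, new Certificate[]{hostCert, caCert});
        store(hostJks, "/tmp/host.jks", noPassword);

        KeyStore hostP12 = KeyStore.getInstance("PKCS12", PROVIDER);
        hostP12.load(null);
        hostP12.setCertificateEntry("issuer", caCert);
        hostP12.setCertificateEntry("me", hostCert);
        hostP12.setKeyEntry("me", hostKeys.getPrivate(), noPassword, new Certificate[]{hostCert, caCert});
        store(hostP12, "/tmp/host.p12", noPassword);
    }

    /** Writes {@code keyStore} to {@code path}, closing the stream even if {@code store} throws. */
    private static void store(KeyStore keyStore, String path, char[] password) throws Exception {
        FileOutputStream out = new FileOutputStream(path);
        try {
            keyStore.store(out, password);
        } finally {
            out.close();
        }
    }

    static {
        // register Bouncy Castle once, process-wide, if nothing else has already done so
        if (Security.getProvider("BC") == null) {
            log.info("[CaHelper] Loading Bouncy Castle Provider");
            Security.addProvider(new BouncyCastleProvider());
            log.debug("[CaHelper] Bouncy Castle Provider loaded");
        }
        netscapeCertType = new DERObjectIdentifier("2.16.840.1.113730.1.1");
    }
}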
