package org.elasticsearch.xpack.security.cli;

import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.sql.Date;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.elasticsearch.common.Randomness;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.network.NetworkUtils;
import org.elasticsearch.core.SuppressForbidden;

/* loaded from: input_file:org/elasticsearch/xpack/security/cli/CertGenUtils.class */
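public class CertGenUtils {
    /** OID of the X.500 {@code commonName} attribute (id-at-commonName), used by {@link #createCommonName}. */
    private static final String CN_OID = "2.5.4.3";

    /**
     * Number of random bits drawn for a certificate serial number.
     * <p>
     * RFC 5280 section 4.1.2.2 caps {@code serialNumber} at 20 octets. A DER INTEGER needs an extra
     * leading {@code 0x00} when the top bit of the magnitude is set, so 160 random bits overflows
     * that limit roughly half of the time; 159 bits is the widest value that always fits in 20
     * octets while still carrying far more than the 64 bits of CSPRNG output that the CA/Browser
     * Forum baseline requirements ask for.
     */
    private static final int SERIAL_BIT_LENGTH = 159;

    /** Single BouncyCastle provider instance used to build every {@code ContentSigner} in this class. */
    private static final BouncyCastleProvider BC_PROV = new BouncyCastleProvider();

    private CertGenUtils() {
        // static utility class, not instantiable
    }

    /**
     * Generates a self-signed CA certificate for {@code x500Principal}.
     * <p>
     * The certificate is signed with {@code keyPair}'s private key, names itself as issuer, carries a
     * critical {@code basicConstraints: CA:TRUE} extension and no subject alternative names, and is
     * valid from now (UTC) for {@code days} days.
     *
     * @param x500Principal subject (and issuer) of the certificate
     * @param keyPair       key pair whose public key is certified and whose private key signs
     * @param days          validity period in days; must be at least 1
     * @throws IllegalArgumentException if {@code days} is less than 1
     */
    public static X509Certificate generateCACertificate(X500Principal x500Principal, KeyPair keyPair, int days)
        throws OperatorCreationException, CertificateException, CertIOException, NoSuchAlgorithmException {
        return generateSignedCertificate(x500Principal, null, keyPair, null, null, true, days, null);
    }

    /**
     * Generates an end-entity (non-CA) certificate valid from now for {@code days} days, signed by
     * {@code caPrivKey} and issued by {@code caCert}, using the default signature algorithm for the
     * signing key (see {@link #getDefaultSignatureAlgorithm}).
     *
     * @see #generateSignedCertificate(X500Principal, GeneralNames, KeyPair, X509Certificate, PrivateKey, boolean, ZonedDateTime, ZonedDateTime, String, Set)
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        int days
    ) throws OperatorCreationException, CertificateException, CertIOException, NoSuchAlgorithmException {
        return generateSignedCertificate(principal, subjectAltNames, keyPair, caCert, caPrivKey, false, days, null);
    }

    /**
     * Generates an end-entity (non-CA) certificate valid from now for {@code days} days, signed with
     * the given JCA signature algorithm name (for example {@code "SHA256withRSA"}); a null or empty
     * name selects the default for the signing key.
     *
     * @see #generateSignedCertificate(X500Principal, GeneralNames, KeyPair, X509Certificate, PrivateKey, boolean, ZonedDateTime, ZonedDateTime, String, Set)
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        int days,
        String signatureAlgorithm
    ) throws OperatorCreationException, CertificateException, CertIOException, NoSuchAlgorithmException {
        return generateSignedCertificate(principal, subjectAltNames, keyPair, caCert, caPrivKey, false, days, signatureAlgorithm);
    }

    /**
     * Generates a certificate valid from now for {@code days} days with no extended key usage.
     *
     * @see #generateSignedCertificate(X500Principal, GeneralNames, KeyPair, X509Certificate, PrivateKey, boolean, ZonedDateTime, ZonedDateTime, String, Set)
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        boolean isCa,
        int days,
        String signatureAlgorithm
    ) throws NoSuchAlgorithmException, CertificateException, CertIOException, OperatorCreationException {
        return generateSignedCertificate(principal, subjectAltNames, keyPair, caCert, caPrivKey, isCa, days, signatureAlgorithm, Set.of());
    }

    /**
     * Generates a certificate whose validity starts now (UTC) and ends {@code days} days later.
     *
     * @param days validity period in days; must be at least 1
     * @throws IllegalArgumentException if {@code days} is less than 1
     * @see #generateSignedCertificate(X500Principal, GeneralNames, KeyPair, X509Certificate, PrivateKey, boolean, ZonedDateTime, ZonedDateTime, String, Set)
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        boolean isCa,
        int days,
        String signatureAlgorithm,
        Set<ExtendedKeyUsage> extendedKeyUsages
    ) throws NoSuchAlgorithmException, CertificateException, CertIOException, OperatorCreationException {
        Objects.requireNonNull(keyPair, "Key-Pair must not be null");
        if (days < 1) {
            throw new IllegalArgumentException("the certificate must be valid for at least one day");
        }
        // notBefore is taken once so that notAfter is computed from the same instant
        final ZonedDateTime notBefore = ZonedDateTime.now(ZoneOffset.UTC);
        return generateSignedCertificate(
            principal,
            subjectAltNames,
            keyPair,
            caCert,
            caPrivKey,
            isCa,
            notBefore,
            notBefore.plusDays(days),
            signatureAlgorithm,
            extendedKeyUsages
        );
    }

    /**
     * Generates a certificate with an explicit validity window and no extended key usage.
     *
     * @see #generateSignedCertificate(X500Principal, GeneralNames, KeyPair, X509Certificate, PrivateKey, boolean, ZonedDateTime, ZonedDateTime, String, Set)
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        boolean isCa,
        ZonedDateTime notBefore,
        ZonedDateTime notAfter,
        String signatureAlgorithm
    ) throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException {
        return generateSignedCertificate(principal, subjectAltNames, keyPair, caCert, caPrivKey, isCa, notBefore, notAfter, signatureAlgorithm, Set.of());
    }

    /**
     * Generates an X.509 v3 certificate.
     * <p>
     * The issued certificate contains:
     * <ul>
     * <li>a random serial number from {@link #getSerial()},</li>
     * <li>{@code subjectKeyIdentifier} derived from {@code keyPair}'s public key,</li>
     * <li>{@code authorityKeyIdentifier} derived from {@code caCert}'s public key, or from
     *     {@code keyPair}'s public key when self-signed,</li>
     * <li>{@code subjectAlternativeName} if {@code subjectAltNames} is non-null,</li>
     * <li>{@code basicConstraints} with {@code cA = isCa}, marked critical only for CA certificates
     *     (no {@code pathLenConstraint} is set),</li>
     * <li>one {@code extendedKeyUsage} extension per element of {@code extendedKeyUsages}.</li>
     * </ul>
     * No {@code keyUsage} extension is emitted, so relying parties will not restrict the key to
     * particular operations.
     *
     * @param principal          subject of the certificate; also the issuer when {@code caCert} is null
     * @param subjectAltNames    SAN entries, or null for none
     * @param keyPair            key pair whose public key is certified; its private key signs when
     *                           {@code caPrivKey} is null
     * @param caCert             issuing CA certificate, or null to produce a self-signed certificate
     * @param caPrivKey          private key of the issuing CA; when null the subject's own private key
     *                           signs. Callers that pass a {@code caCert} are expected to pass its key
     *                           as well, otherwise the result names the CA as issuer but carries a
     *                           signature the CA's public key cannot verify (the fallback is kept
     *                           because a CA re-issuing its own certificate legitimately relies on it)
     * @param isCa               whether to mark the certificate as a CA
     * @param notBefore          start of validity; must be strictly before {@code notAfter}
     * @param notAfter           end of validity
     * @param signatureAlgorithm JCA signature algorithm name, or null/empty to use
     *                           {@link #getDefaultSignatureAlgorithm} for the signing key
     * @param extendedKeyUsages  extended key usages to add; null or empty adds none. The builder
     *                           rejects a repeated extension OID, so in practice at most one
     *                           {@link ExtendedKeyUsage} (holding all desired purposes) can be passed
     * @throws IllegalArgumentException if {@code caCert} is not a CA, or {@code notAfter} is not
     *                                  after {@code notBefore}
     * @throws NullPointerException     if {@code principal}, {@code keyPair}, {@code notBefore} or
     *                                  {@code notAfter} is null
     */
    public static X509Certificate generateSignedCertificate(
        X500Principal principal,
        GeneralNames subjectAltNames,
        KeyPair keyPair,
        X509Certificate caCert,
        PrivateKey caPrivKey,
        boolean isCa,
        ZonedDateTime notBefore,
        ZonedDateTime notAfter,
        String signatureAlgorithm,
        Set<ExtendedKeyUsage> extendedKeyUsages
    ) throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException {
        Objects.requireNonNull(principal, "Principal must not be null");
        Objects.requireNonNull(keyPair, "Key-Pair must not be null");
        Objects.requireNonNull(notBefore, "notBefore must not be null");
        Objects.requireNonNull(notAfter, "notAfter must not be null");
        if (notAfter.isAfter(notBefore) == false) {
            throw new IllegalArgumentException(
                "the certificate notAfter [" + notAfter + "] must be after its notBefore [" + notBefore + "]"
            );
        }

        final BigInteger serial = getSerial();
        final JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        final X500Name subject = X500Name.getInstance(principal.getEncoded());

        final X500Name issuer;
        final AuthorityKeyIdentifier authorityKeyIdentifier;
        if (caCert == null) {
            // self-signed: the subject is its own issuer and its own key identifies the authority
            issuer = subject;
            authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(keyPair.getPublic());
        } else {
            // getBasicConstraints() returns -1 when the certificate is not a CA
            if (caCert.getBasicConstraints() < 0) {
                throw new IllegalArgumentException("ca certificate is not a CA!");
            }
            issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
            authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey());
        }

        // Time(Date, Locale.ROOT) pins the validity encoding to a fixed locale. java.util.Date is
        // spelled out because this file imports java.sql.Date, which is not the type meant here.
        final JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            issuer,
            serial,
            new Time(java.util.Date.from(notBefore.toInstant()), Locale.ROOT),
            new Time(java.util.Date.from(notAfter.toInstant()), Locale.ROOT),
            subject,
            keyPair.getPublic()
        );
        builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
        if (subjectAltNames != null) {
            builder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        }
        // critical only for CA certificates; no pathLenConstraint is set
        builder.addExtension(Extension.basicConstraints, isCa, new BasicConstraints(isCa));
        if (extendedKeyUsages != null) {
            for (ExtendedKeyUsage extendedKeyUsage : extendedKeyUsages) {
                builder.addExtension(Extension.extendedKeyUsage, false, extendedKeyUsage);
            }
        }

        final PrivateKey signingKey = caPrivKey != null ? caPrivKey : keyPair.getPrivate();
        final String sigAlg = Strings.isNullOrEmpty(signatureAlgorithm)
            ? getDefaultSignatureAlgorithm(signingKey)
            : signatureAlgorithm;
        return new JcaX509CertificateConverter().getCertificate(
            builder.build(new JcaContentSignerBuilder(sigAlg).setProvider(BC_PROV).build(signingKey))
        );
    }

    /**
     * Picks the SHA-256 based JCA signature algorithm matching the key type of {@code privateKey}.
     *
     * @return {@code SHA256withRSA}, {@code SHA256withDSA} or {@code SHA256withECDSA}
     * @throws IllegalArgumentException for any key algorithm other than RSA, DSA or EC
     */
    private static String getDefaultSignatureAlgorithm(PrivateKey privateKey) {
        switch (privateKey.getAlgorithm()) {
            case "RSA":
                return "SHA256withRSA";
            case "DSA":
                return "SHA256withDSA";
            case "EC":
                return "SHA256withECDSA";
            default:
                throw new IllegalArgumentException(
                    "Unsupported algorithm : "
                        + privateKey.getAlgorithm()
                        + " for signature, allowed values for private key algorithm are [RSA, DSA, EC]"
                );
        }
    }

    /**
     * Generates a PKCS#10 certificate signing request with no extended key usage.
     *
     * @see #generateCSR(KeyPair, X500Principal, GeneralNames, Set)
     */
    public static PKCS10CertificationRequest generateCSR(KeyPair keyPair, X500Principal principal, GeneralNames subjectAltNames)
        throws IOException, OperatorCreationException {
        return generateCSR(keyPair, principal, subjectAltNames, Set.of());
    }

    /**
     * Generates a PKCS#10 certificate signing request for {@code principal} and {@code keyPair}'s
     * public key.
     * <p>
     * Requested extensions ({@code subjectAlternativeName} if {@code subjectAltNames} is non-null,
     * plus one {@code extendedKeyUsage} per element of {@code extendedKeyUsages}) are carried in a
     * single {@code pkcs-9-at-extensionRequest} attribute, which is omitted when there are none. The
     * request is self-signed with {@code keyPair}'s private key using the default signature algorithm
     * for that key type (see {@link #getDefaultSignatureAlgorithm}), so RSA keys keep producing
     * {@code SHA256withRSA} requests while EC and DSA keys no longer fail with a key/algorithm
     * mismatch.
     *
     * @throws NullPointerException     if {@code keyPair}, either of its keys, {@code principal} or
     *                                  {@code extendedKeyUsages} is null
     * @throws IllegalArgumentException if the key algorithm is not RSA, DSA or EC
     */
    public static PKCS10CertificationRequest generateCSR(
        KeyPair keyPair,
        X500Principal principal,
        GeneralNames subjectAltNames,
        Set<ExtendedKeyUsage> extendedKeyUsages
    ) throws IOException, OperatorCreationException {
        Objects.requireNonNull(keyPair, "Key-Pair must not be null");
        Objects.requireNonNull(keyPair.getPublic(), "Public-Key must not be null");
        Objects.requireNonNull(keyPair.getPrivate(), "Private-Key must not be null");
        Objects.requireNonNull(principal, "Principal must not be null");
        Objects.requireNonNull(extendedKeyUsages, "extendedKeyUsages must not be null");

        final JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(principal, keyPair.getPublic());
        final ExtensionsGenerator extensions = new ExtensionsGenerator();
        if (subjectAltNames != null) {
            extensions.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        }
        // the generator rejects a repeated OID, so at most one ExtendedKeyUsage can be requested
        for (ExtendedKeyUsage extendedKeyUsage : extendedKeyUsages) {
            extensions.addExtension(Extension.extendedKeyUsage, false, extendedKeyUsage);
        }
        if (extensions.isEmpty() == false) {
            builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
        }

        final PrivateKey signingKey = keyPair.getPrivate();
        return builder.build(
            new JcaContentSignerBuilder(getDefaultSignatureAlgorithm(signingKey)).setProvider(BC_PROV).build(signingKey)
        );
    }

    /**
     * Returns a fresh, non-negative random serial number drawn from a secure random source.
     * <p>
     * {@link #SERIAL_BIT_LENGTH} random bits are used, which keeps the DER encoding within the
     * 20-octet limit of RFC 5280 while comfortably exceeding the 64 bits of entropy required of
     * publicly trusted certificates.
     */
    public static BigInteger getSerial() {
        final BigInteger serial = new BigInteger(SERIAL_BIT_LENGTH, Randomness.createSecure());
        // BigInteger(int, Random) is documented to be non-negative; guard the invariant under -ea
        assert serial.signum() >= 0 : "serial number must not be negative";
        return serial;
    }

    /**
     * Generates an RSA key pair of {@code keysize} bits using a secure random source.
     * <p>
     * No lower bound is enforced here; callers should not go below 2048 bits for anything that
     * protects real traffic. Only RSA is produced, matching the {@code SHA256withRSA} default
     * chosen for such keys elsewhere in this class.
     *
     * @param keysize RSA modulus length in bits
     */
    public static KeyPair generateKeyPair(int keysize) throws NoSuchAlgorithmException {
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(keysize, Randomness.createSecure());
        return generator.generateKeyPair();
    }

    /**
     * Builds subject alternative names for a set of addresses.
     * <p>
     * Every address becomes an {@code iPAddress} entry. A wildcard ("any local") address is expanded
     * to every address reported by {@link NetworkUtils#getAllAddresses()}. When {@code resolveName}
     * is true, each non-link-local address is additionally reverse-resolved and the resulting host
     * name (if it differs from the literal address) becomes a {@code dNSName} entry.
     * <p>
     * Security note: those host names come from this machine's reverse DNS / hosts configuration at
     * generation time, so the resulting SAN list should be reviewed before the certificate is
     * trusted or distributed. Duplicates are collapsed by the intermediate set, and the order of the
     * returned names is unspecified.
     *
     * @param resolveName whether to add reverse-resolved DNS names alongside the IP entries
     * @param addresses   addresses to include; must not be null
     */
    public static GeneralNames getSubjectAlternativeNames(boolean resolveName, Set<InetAddress> addresses) throws IOException {
        final Set<GeneralName> names = new HashSet<>();
        for (InetAddress address : addresses) {
            if (address.isAnyLocalAddress()) {
                for (InetAddress local : NetworkUtils.getAllAddresses()) {
                    addSubjectAlternativeNames(resolveName, local, names);
                }
            } else {
                addSubjectAlternativeNames(resolveName, address, names);
            }
        }
        return new GeneralNames(names.toArray(new GeneralName[0]));
    }

    /**
     * Adds the {@code iPAddress} entry for {@code address} to {@code names}, and, if
     * {@code resolveName} is set and the address is not link-local, a {@code dNSName} entry for its
     * reverse-resolved host name when that differs from the textual address (i.e. resolution
     * actually produced a name).
     */
    @SuppressForbidden(reason = "need to use getHostName to resolve DNS name and getHostAddress to ensure we resolved the name")
    private static void addSubjectAlternativeNames(boolean resolveName, InetAddress address, Set<GeneralName> names) {
        names.add(new GeneralName(GeneralName.iPAddress, NetworkAddress.format(address)));
        if (resolveName == false || address.isLinkLocalAddress()) {
            return;
        }
        // getHostName() performs a blocking reverse lookup and falls back to the textual address
        // when nothing resolves; compare against getHostAddress() to detect that fallback
        final String hostName = address.getHostName();
        if (hostName.equals(address.getHostAddress()) == false) {
            names.add(new GeneralName(GeneralName.dNSName, hostName));
        }
    }

    /**
     * Creates an {@code otherName} general name carrying a common name: the value is an
     * {@code OtherName} SEQUENCE of the id-at-commonName OID and an explicitly tagged
     * ({@code [0]}) UTF8String holding {@code cn}.
     */
    public static GeneralName createCommonName(String cn) {
        final ASN1Encodable[] otherName = new ASN1Encodable[] {
            new ASN1ObjectIdentifier(CN_OID),
            new DERTaggedObject(true, 0, new DERUTF8String(cn)) };
        return new GeneralName(GeneralName.otherName, new DERSequence(otherName));
    }

    /**
     * Converts a dotted domain name into a DC-style distinguished name, e.g.
     * {@code "example.com"} becomes {@code "DC=example,DC=com"}.
     * <p>
     * Labels are not escaped, so a label containing RDN-significant characters such as {@code ','},
     * {@code '='} or {@code '+'} would produce a DN string that does not parse back to the same
     * components; an empty input yields {@code "DC="}.
     */
    public static String buildDnFromDomain(String domain) {
        return "DC=" + domain.replace(".", ",DC=");
    }
}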
