package org.mockserver.socket.tls.jdk;

import com.google.common.net.InetAddresses;
import com.google.common.net.InternetDomainName;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Random;
import java.util.stream.Collector;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.cookie.ClientCookie;
import org.mockserver.log.model.LogEntry;
import org.mockserver.logging.MockServerLogger;
import org.mockserver.socket.tls.PEMToFile;
import org.slf4j.event.Level;
import sun.security.util.DerValue;
import sun.security.x509.AlgorithmId;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.DNSName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNames;
import sun.security.x509.IPAddressName;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.SerialNumber;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

/* loaded from: input_file:WEB-INF/lib/mockserver-core-5.12.0.jar:org/mockserver/socket/tls/jdk/X509Generator.class */
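public class X509Generator {
    /**
     * Source of certificate serial numbers. RFC 5280 requires serials to be positive and unique per
     * issuer, and an unpredictable serial is the standard defence against collision-based forgery
     * of certificates, so a CSPRNG is used here instead of {@code java.util.Random}.
     */
    private static final SecureRandom SERIAL_NUMBER_RANDOM = new SecureRandom();

    /** Number of random bits in a generated serial number (64 is the CA/Browser Forum minimum). */
    private static final int SERIAL_NUMBER_BITS = 64;

    /** Index of the keyCertSign bit in the RFC 5280 KeyUsage bit string. */
    private static final int KEY_USAGE_KEY_CERT_SIGN = 5;

    private final MockServerLogger mockServerLogger;

    /**
     * Creates a generator that reports unusable Subject Alternative Names through the given logger.
     *
     * @param mockServerLogger logger used for WARN-level diagnostics
     */
    public X509Generator(MockServerLogger mockServerLogger) {
        this.mockServerLogger = mockServerLogger;
    }

    /**
     * Generates a self-signed CA (root) certificate and the private key that signed it.
     *
     * <p>Subject and issuer are both the distinguished name built from the request's common name;
     * the certificate carries BasicConstraints (CA), KeyUsage (keyCertSign) and a SubjectKeyIdentifier.
     *
     * @param certificateSigningRequest key-pair algorithm and size, signing algorithm and common name
     * @return the PEM-encoded certificate and private key
     * @throws IOException if the internal X.509 structures cannot be encoded
     * @throws NoSuchAlgorithmException if the key-pair or signing algorithm is unknown
     * @throws CertificateException if the certificate cannot be built or signed
     * @throws InvalidKeyException if the generated key cannot be used for signing
     * @throws NoSuchProviderException propagated from signing
     * @throws SignatureException if signing fails
     */
    public X509AndPrivateKey generateRootX509AndPrivateKey(CertificateSigningRequest certificateSigningRequest) throws IOException, NoSuchAlgorithmException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException {
        KeyPair rootKeyPair = generateKeyPair(certificateSigningRequest.getKeyPairAlgorithm(), certificateSigningRequest.getKeyPairSize());
        X500Name rootName = new X500Name(CertificateSigningRequest.buildDistinguishedName(certificateSigningRequest.getCommonName()));
        // Self-signed: subject == issuer.
        X509CertInfo certInfo = buildX509CertInfo(rootName, rootName, rootKeyPair.getPublic(), certificateSigningRequest);
        updateWithRootCertificateExtensions(certInfo, rootKeyPair.getPublic());
        return signX509KeyPair(rootKeyPair.getPrivate(), rootKeyPair, certInfo, certificateSigningRequest.getSigningAlgorithm());
    }

    /**
     * Generates a leaf (end-entity) certificate signed by the given CA, plus the leaf's new private key.
     *
     * <p>The CA private key is decoded using the request's key-pair algorithm, so the CA key and the
     * leaf key are expected to use the same algorithm. Before returning, the signed certificate is
     * re-parsed from PEM, checked to be valid right now and its signature verified against the CA
     * certificate's public key. Note that {@code verify} checks the signature only: it is the
     * caller's responsibility that {@code issuerDistinguishedName} equals the CA certificate's
     * subject DN, otherwise chain building will fail later in clients.
     *
     * @param certificateSigningRequest key-pair algorithm/size, signing algorithm, common name and SANs
     * @param issuerDistinguishedName distinguished name of the issuing CA, in X500Name string form
     * @param caPrivateKeyPEM PEM-encoded private key of the issuing CA
     * @param caCertificate the issuing CA certificate; its public key is used for the
     *        AuthorityKeyIdentifier and for the final signature verification
     * @return the PEM-encoded leaf certificate and leaf private key
     * @throws IOException if the internal X.509 structures cannot be encoded
     * @throws NoSuchAlgorithmException if the key-pair or signing algorithm is unknown
     * @throws CertificateException if the certificate cannot be built, signed or is not currently valid
     * @throws InvalidKeyException if a key cannot be used for signing or verification
     * @throws NoSuchProviderException propagated from signing / verification
     * @throws SignatureException if signing or the post-signing verification fails
     * @throws InvalidKeySpecException if the CA private key PEM cannot be decoded
     */
    public X509AndPrivateKey generateLeafX509AndPrivateKey(CertificateSigningRequest certificateSigningRequest, String issuerDistinguishedName, String caPrivateKeyPEM, X509Certificate caCertificate) throws IOException, NoSuchAlgorithmException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException, InvalidKeySpecException {
        PrivateKey caPrivateKey = KeyFactory.getInstance(certificateSigningRequest.getKeyPairAlgorithm()).generatePrivate(PEMToFile.keySpecFromPEM(caPrivateKeyPEM));
        KeyPair leafKeyPair = generateKeyPair(certificateSigningRequest.getKeyPairAlgorithm(), certificateSigningRequest.getKeyPairSize());
        X500Name subject = new X500Name(CertificateSigningRequest.buildDistinguishedName(certificateSigningRequest.getCommonName()));
        X500Name issuer = new X500Name(issuerDistinguishedName);
        X509CertInfo certInfo = buildX509CertInfo(subject, issuer, leafKeyPair.getPublic(), certificateSigningRequest);
        updateWithCertificateExtensions(certInfo, leafKeyPair.getPublic(), caCertificate.getPublicKey(), certificateSigningRequest.getSubjectAlternativeNames());
        // Signed with the CA key, but the returned private key is the leaf's own key.
        X509AndPrivateKey leaf = signX509KeyPair(caPrivateKey, leafKeyPair, certInfo, certificateSigningRequest.getSigningAlgorithm());
        // Round-trip through PEM and sanity-check what will actually be handed out.
        X509Certificate parsedLeaf = PEMToFile.x509FromPEM(leaf.getCert());
        parsedLeaf.checkValidity(new Date());
        parsedLeaf.verify(caCertificate.getPublicKey());
        return leaf;
    }

    /**
     * Generates a fresh key pair with the JDK's default {@link KeyPairGenerator} for the algorithm.
     *
     * @param algorithm key-pair algorithm name, e.g. as returned by {@code getKeyPairAlgorithm()}
     * @param keySize key size in bits
     * @return the new key pair
     * @throws NoSuchAlgorithmException if no provider supports {@code algorithm}
     */
    private KeyPair generateKeyPair(String algorithm, int keySize) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
        generator.initialize(keySize);
        return generator.genKeyPair();
    }

    /**
     * Builds the to-be-signed part of a V3 certificate without any extensions.
     *
     * <p>Validity is the fixed window {@code CertificateSigningRequest.NOT_BEFORE ..
     * NOT_AFTER}; the serial number is 64 bits from a CSPRNG, forced to be non-zero so that it is
     * a positive integer as RFC 5280 requires.
     *
     * @param subject subject distinguished name
     * @param issuer issuer distinguished name
     * @param subjectPublicKey public key to embed in the certificate
     * @param certificateSigningRequest supplies the signing algorithm for the algorithmID field
     * @return the populated {@link X509CertInfo}
     * @throws IOException if a field cannot be encoded
     * @throws NoSuchAlgorithmException if the signing algorithm name is unknown
     * @throws CertificateException if a field is rejected by {@link X509CertInfo#set}
     */
    private X509CertInfo buildX509CertInfo(X500Name subject, X500Name issuer, PublicKey subjectPublicKey, CertificateSigningRequest certificateSigningRequest) throws IOException, NoSuchAlgorithmException, CertificateException {
        X509CertInfo certInfo = new X509CertInfo();
        CertificateValidity validity = new CertificateValidity(CertificateSigningRequest.NOT_BEFORE, CertificateSigningRequest.NOT_AFTER);
        BigInteger serialNumber = new BigInteger(SERIAL_NUMBER_BITS, SERIAL_NUMBER_RANDOM);
        if (serialNumber.signum() == 0) {
            // A zero serial is not a valid positive integer; the probability is 2^-64 but the guard is cheap.
            serialNumber = BigInteger.ONE;
        }
        certInfo.set("validity", validity);
        certInfo.set("serialNumber", new CertificateSerialNumber(serialNumber));
        certInfo.set("subject", subject);
        certInfo.set("issuer", issuer);
        certInfo.set("key", new CertificateX509Key(subjectPublicKey));
        // X.509 v3 is encoded as version value 2.
        certInfo.set("version", new CertificateVersion(CertificateVersion.V3));
        certInfo.set("algorithmID", new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.get(certificateSigningRequest.getSigningAlgorithm()).getOID())));
        return certInfo;
    }

    /**
     * Attaches the leaf-certificate extensions: SubjectAlternativeName (only if at least one name
     * could be encoded), SubjectKeyIdentifier for the leaf key and AuthorityKeyIdentifier for the
     * CA key. No KeyUsage or ExtendedKeyUsage extension is set on leaf certificates.
     *
     * <p>Blank names and names the JDK cannot encode (see {@link #buildGeneralName}) are skipped;
     * a {@code null} list is treated as "no SANs".
     *
     * @param certInfo certificate to update
     * @param subjectPublicKey the leaf public key
     * @param issuerPublicKey the CA public key
     * @param subjectAlternativeNames requested SANs (IP addresses, host names or wildcard names)
     * @throws IOException if an extension cannot be encoded
     * @throws CertificateException if the extensions are rejected by {@link X509CertInfo#set}
     */
    private void updateWithCertificateExtensions(X509CertInfo certInfo, PublicKey subjectPublicKey, PublicKey issuerPublicKey, List<String> subjectAlternativeNames) throws IOException, CertificateException {
        CertificateExtensions extensions = new CertificateExtensions();
        GeneralNames generalNames = new GeneralNames();
        if (subjectAlternativeNames != null) {
            for (String subjectAlternativeName : subjectAlternativeNames) {
                if (StringUtils.isBlank(subjectAlternativeName)) {
                    continue;
                }
                GeneralName generalName = buildGeneralName(subjectAlternativeName);
                if (generalName != null) {
                    generalNames.add(generalName);
                }
            }
        }
        if (!generalNames.isEmpty()) {
            extensions.set("SubjectAlternativeName", new SubjectAlternativeNameExtension(Boolean.FALSE, generalNames));
        }
        extensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(subjectPublicKey).getIdentifier()));
        extensions.set("AuthorityKeyIdentifier", new AuthorityKeyIdentifierExtension(new KeyIdentifier(issuerPublicKey), (GeneralNames) null, (SerialNumber) null));
        certInfo.set("extensions", extensions);
    }

    /**
     * Attaches the CA-certificate extensions: a critical BasicConstraints with cA=true and no path
     * length constraint, a KeyUsage with only keyCertSign set, and a SubjectKeyIdentifier.
     *
     * @param certInfo certificate to update
     * @param subjectPublicKey the CA public key
     * @throws IOException if an extension cannot be encoded
     * @throws CertificateException if the extensions are rejected by {@link X509CertInfo#set}
     */
    private void updateWithRootCertificateExtensions(X509CertInfo certInfo, PublicKey subjectPublicKey) throws IOException, CertificateException {
        CertificateExtensions extensions = new CertificateExtensions();
        // (critical, isCA, pathLen): -1 leaves pathLenConstraint absent.
        extensions.set("BasicConstraints", new BasicConstraintsExtension(true, true, -1));
        // KeyUsage bits in RFC 5280 order; only keyCertSign is asserted, so this key may not sign CRLs or TLS handshakes.
        boolean[] keyUsage = new boolean[9];
        keyUsage[KEY_USAGE_KEY_CERT_SIGN] = true;
        extensions.set("KeyUsage", new KeyUsageExtension(keyUsage));
        extensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(subjectPublicKey).getIdentifier()));
        certInfo.set("extensions", extensions);
    }

    /**
     * Converts one requested SAN into a {@link GeneralName}, or {@code null} if the JDK cannot encode it.
     *
     * <p>Order of attempts: an IP-address literal becomes an iPAddress name; a syntactically valid
     * domain name becomes a dNSName (falling back to a raw IA5String DER value when the strict
     * {@link DNSName} constructor rejects it); any remaining value containing {@code *} is encoded as
     * a raw IA5String dNSName so wildcard names can be expressed. Anything else yields {@code null}.
     * Encoding failures are logged at WARN and also yield {@code null}.
     *
     * @param subjectAlternativeName the requested name
     * @return the encoded name, or {@code null} when it was skipped
     */
    private GeneralName buildGeneralName(String subjectAlternativeName) {
        if (InetAddresses.isUriInetAddress(subjectAlternativeName)) {
            try {
                return new GeneralName(new IPAddressName(subjectAlternativeName));
            } catch (Exception e) {
                logUnsupportedSan("ip address", subjectAlternativeName, e);
                return null;
            }
        }
        if (InternetDomainName.isValid(subjectAlternativeName)) {
            try {
                return new GeneralName(new DNSName(subjectAlternativeName));
            } catch (Exception strictFailure) {
                // The strict constructor rejected the name; retry with a raw IA5String DER value.
                try {
                    return buildRawDnsName(subjectAlternativeName);
                } catch (Exception e) {
                    logUnsupportedSan("domain name", subjectAlternativeName, e);
                    return null;
                }
            }
        }
        if (!subjectAlternativeName.contains("*")) {
            return null;
        }
        try {
            return buildRawDnsName(subjectAlternativeName);
        } catch (Exception e) {
            logUnsupportedSan("domain name", subjectAlternativeName, e);
            return null;
        }
    }

    /**
     * Encodes a name as a dNSName from a raw IA5String DER value, bypassing {@link DNSName}'s
     * hostname syntax checks (used for wildcard names).
     *
     * @param name the name to encode
     * @return the dNSName general name
     * @throws IOException if the value cannot be DER-encoded or is rejected by {@link DNSName}
     */
    private GeneralName buildRawDnsName(String name) throws IOException {
        return new GeneralName(new DNSName(new DerValue(DerValue.tag_IA5String, name)));
    }

    /**
     * Logs at WARN that a requested SAN could not be encoded, if WARN logging is enabled.
     *
     * @param kind human-readable kind of name ("ip address" or "domain name")
     * @param value the requested name
     * @param cause the encoding failure
     */
    private void logUnsupportedSan(String kind, String value, Throwable cause) {
        if (!MockServerLogger.isEnabled(Level.WARN)) {
            return;
        }
        this.mockServerLogger.logEvent(new LogEntry().setLogLevel(Level.WARN).setMessageFormat("unable to use " + kind + " with the value \"" + value + "\" as Subject Alternative Name (SAN) for X509 as JDK does not support SANs with that format").setThrowable(cause));
    }

    /**
     * Signs the certificate and packages it with the subject's private key as PEM.
     *
     * @param signingKey the key that signs the certificate (the CA key for leaves, the root's own key for roots)
     * @param subjectKeyPair the subject's key pair; only its private key is returned, its public key is already in {@code certInfo}
     * @param certInfo the to-be-signed certificate content
     * @param signingAlgorithm signature algorithm name, e.g. {@code getSigningAlgorithm()}
     * @return PEM-encoded certificate and subject private key
     * @throws CertificateException if the certificate cannot be encoded or signed
     * @throws NoSuchAlgorithmException if {@code signingAlgorithm} is unknown
     * @throws IOException if the algorithmID field cannot be set
     * @throws InvalidKeyException if {@code signingKey} is unusable for signing
     * @throws NoSuchProviderException propagated from signing
     * @throws SignatureException if signing fails
     */
    private X509AndPrivateKey signX509KeyPair(PrivateKey signingKey, KeyPair subjectKeyPair, X509CertInfo certInfo, String signingAlgorithm) throws CertificateException, NoSuchAlgorithmException, IOException, InvalidKeyException, NoSuchProviderException, SignatureException {
        certInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(signingAlgorithm)));
        X509CertImpl certificate = new X509CertImpl(certInfo);
        certificate.sign(signingKey, signingAlgorithm);
        // certToPEM takes one or more DER certificates; a single-element array works for both a
        // byte[][] parameter and a byte[]... varargs declaration.
        byte[][] derCertificates = new byte[][] { certificate.getEncoded() };
        return new X509AndPrivateKey().setPrivateKey(PEMToFile.privateKeyToPEM(subjectKeyPair.getPrivate().getEncoded())).setCert(PEMToFile.certToPEM(derCertificates));
    }
}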
