package org.nhindirect.stagent.cert.tools.certgen;

import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import org.apache.commons.io.FileUtils;
import org.apache.derby.iapi.services.classfile.VMDescriptor;
import org.apache.derby.impl.sql.execute.xplain.XPLAINUtil;
import org.apache.james.dnsservice.library.netmatcher.NetMatcher;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.crypto.prng.VMPCRandomGenerator;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.nhindirect.common.crypto.CryptoExtensions;

/* loaded from: input_file:BOOT-INF/lib/agent-8.0.0.jar:org/nhindirect/stagent/cert/tools/certgen/CertGenerator.class */
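/**
 * Generates RSA key pairs and X.509 v3 certificates (self-signed CA or CA-signed leaf)
 * and writes the certificate plus the private key to the files named in {@link CertCreateFields}.
 *
 * <p>Decompiled from the agent jar; the original bytecode referenced string constants from
 * unrelated Derby/James classes (the decompiler matched equal literals). They are replaced here
 * with the plain literals "L", "O" and ", ".
 *
 * <p>Not thread-safe by contract, but every method is stateless apart from the static JCE
 * provider registration, so concurrent calls are expected to be independent.
 */
public class CertGenerator {
    /** PKCS#5 v1.5 OID pbeWithMD5AndDES-CBC, used to tag the EncryptedPrivateKeyInfo written for the key. */
    private static final String PBE_WITH_MD5_AND_DES_CBC_OID = "1.2.840.113549.1.5.3";

    /** JCE name of the (legacy, weak) password-based cipher that protects the private key file. */
    private static final String PBE_ALGORITHM = "PBEWithMD5AndDES";

    /** PKCS#5 v1.5 PBE uses a fixed 8-byte salt. */
    private static final int PBE_SALT_LENGTH = 8;

    /**
     * PBE iteration count. Deliberately kept at the historical value so key files remain
     * readable by existing loaders; the count is also carried inside the written parameters.
     */
    private static final int PBE_ITERATIONS = 20;

    /**
     * Signature algorithm for every generated certificate. The original used
     * SHA1WithRSAEncryption; SHA-1 certificate signatures are rejected by current path validators
     * (including the JDK's default jdk.certpath.disabledAlgorithms), so SHA-256 is used instead.
     */
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    /** Attribute key that doubles as the subject-alternative-name source. */
    private static final String EMAIL_ATTRIBUTE = "EMAILADDRESS";

    /** Recognised attribute keys; each key is also the RDN type emitted, in this order. */
    private static final String[] DN_ATTRIBUTE_KEYS = {EMAIL_ATTRIBUTE, "CN", "C", "ST", "L", "O"};

    /** Separator placed between RDNs while building the DN string. */
    private static final String RDN_SEPARATOR = ", ";

    /**
     * Creates a certificate without a subject-alternative-name extension.
     *
     * @param certCreateFields key strength, attributes, optional signer and output files
     * @return the same {@code certCreateFields}, with signer cert/key populated when a CA was created
     * @throws Exception on any key-generation, signing or file-writing failure
     */
    public static CertCreateFields createCertificate(CertCreateFields certCreateFields) throws Exception {
        return createCertificate(certCreateFields, false);
    }

    /**
     * Generates a fresh RSA key pair and either a self-signed CA certificate (when no signer
     * certificate is set on the fields) or a leaf certificate signed by the configured signer.
     *
     * @param certCreateFields key strength, attributes, optional signer and output files
     * @param addAltNames when true and an EMAILADDRESS attribute is present, add it as a SAN
     * @return the same {@code certCreateFields}, with signer cert/key populated when a CA was created
     * @throws Exception on any key-generation, signing or file-writing failure
     */
    public static CertCreateFields createCertificate(CertCreateFields certCreateFields, boolean addAltNames)
            throws Exception {
        Objects.requireNonNull(certCreateFields, "certCreateFields");
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", CryptoExtensions.getJCEProviderName());
        keyGen.initialize(certCreateFields.getKeyStrength(), new SecureRandom());
        KeyPair keyPair = keyGen.generateKeyPair();
        return certCreateFields.getSignerCert() == null
                ? createNewCA(certCreateFields, keyPair, addAltNames)
                : createLeafCertificate(certCreateFields, keyPair, addAltNames);
    }

    /**
     * Returns a random value in the range [1, Long.MAX_VALUE], used as the certificate serial number.
     *
     * <p>The original seeded a fresh SecureRandom with 8 bytes taken from a VMPC generator that
     * itself was seeded from a single {@code long}; that capped the serial entropy at 64 bits and,
     * with seed-only PRNG providers, made the output a function of that one value. The platform
     * SecureRandom is used directly instead. Note the result still carries only 63 bits of
     * entropy because of the positive-only constraint.
     *
     * @return a positive, randomly chosen {@code long}
     */
    public static long generatePositiveRandom() {
        SecureRandom random = new SecureRandom();
        long value;
        do {
            value = random.nextLong();
        } while (value < 1);
        return value;
    }

    /**
     * Not implemented: always returns {@code null}. Kept for binary compatibility with callers.
     *
     * @param pemObject ignored
     * @param certCreateFields ignored
     * @return always {@code null}
     * @throws Exception never
     */
    public static X509Certificate createCertFromCSR(PemObject pemObject, CertCreateFields certCreateFields)
            throws Exception {
        return null;
    }

    /**
     * Builds the DN string from the recognised attributes, e.g. {@code EMAILADDRESS=a@b, CN=x, O=y}.
     *
     * <p>Values are concatenated without escaping: a ',' or '=' inside an attribute value is
     * interpreted by {@link X509Principal} as an additional RDN. Attribute values are expected to
     * come from the tool operator, not from untrusted input.
     */
    private static String buildDistinguishedName(CertCreateFields fields) {
        StringBuilder dn = new StringBuilder();
        for (String key : DN_ATTRIBUTE_KEYS) {
            if (fields.getAttributes().containsKey(key)) {
                dn.append(key).append('=').append(fields.getAttributes().get(key)).append(RDN_SEPARATOR);
            }
        }
        // trim() drops the trailing space of the separator; the remaining ',' is removed explicitly
        String result = dn.toString().trim();
        if (result.endsWith(",")) {
            result = result.substring(0, result.length() - 1);
        }
        return result;
    }

    /** Returns the EMAILADDRESS attribute as a string, or "" when absent or null. */
    private static String emailAttribute(CertCreateFields fields) {
        Object email = fields.getAttributes().get(EMAIL_ATTRIBUTE);
        return email == null ? "" : email.toString();
    }

    /** True when the attribute is present and its string form equals "true" (case-insensitive). */
    private static boolean attributeIsTrue(CertCreateFields fields, String key) {
        Object value = fields.getAttributes().get(key);
        return value != null && "true".equalsIgnoreCase(value.toString());
    }

    /** Maps the email attribute to an rfc822Name when it contains '@', otherwise to a dNSName. */
    private static GeneralName subjectAltName(String value) {
        int tag = value.contains("@") ? GeneralName.rfc822Name : GeneralName.dNSName;
        return new GeneralName(tag, value);
    }

    /**
     * Prepares a generator with the fields common to CA and leaf certificates: a random serial,
     * a validity window of {@code getExpDays()} days starting now, the subject DN, the new public
     * key and the signature algorithm. Issuer and extensions are left to the caller.
     */
    private static X509V3CertificateGenerator newGenerator(CertCreateFields fields, KeyPair keyPair,
            String subjectDn) {
        Calendar notBefore = Calendar.getInstance();
        Calendar notAfter = Calendar.getInstance();
        notAfter.add(Calendar.DATE, fields.getExpDays());
        X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
        generator.setSerialNumber(BigInteger.valueOf(generatePositiveRandom()));
        generator.setNotBefore(notBefore.getTime());
        generator.setNotAfter(notAfter.getTime());
        generator.setSubjectDN(new X509Principal(subjectDn));
        generator.setPublicKey(keyPair.getPublic());
        generator.setSignatureAlgorithm(SIGNATURE_ALGORITHM);
        return generator;
    }

    /**
     * Creates a self-signed CA certificate (critical BasicConstraints cA=true), verifies it with
     * its own public key and writes cert and key to disk.
     *
     * @param fields attributes and output files
     * @param keyPair the freshly generated CA key pair
     * @param addAltNames add the EMAILADDRESS attribute as a SAN when present
     * @return {@code fields}, now carrying the CA certificate and key as signer
     * @throws Exception on any signing or file-writing failure
     */
    private static CertCreateFields createNewCA(CertCreateFields fields, KeyPair keyPair, boolean addAltNames)
            throws Exception {
        String dn = buildDistinguishedName(fields);
        X509V3CertificateGenerator generator = newGenerator(fields, keyPair, dn);
        // self-signed: issuer and subject are the same DN
        generator.setIssuerDN(new X509Principal(dn));
        generator.addExtension(X509Extensions.BasicConstraints, true, (ASN1Encodable) new BasicConstraints(true));
        String email = emailAttribute(fields);
        if (addAltNames && !email.isEmpty()) {
            generator.addExtension(X509Extensions.SubjectAlternativeName, false,
                    (ASN1Encodable) new GeneralNames(subjectAltName(email)));
        }
        X509Certificate cert = generator.generate(keyPair.getPrivate(), CryptoExtensions.getJCEProviderName());
        cert.verify(keyPair.getPublic());
        writeCertAndKey(cert, keyPair.getPrivate(), fields);
        return fields;
    }

    /**
     * Creates a certificate signed by the signer cert/key held in {@code fields}.
     *
     * <p>Extensions: AuthorityKeyIdentifier from the signer; critical BasicConstraints with cA set
     * from the ALLOWTOSIGN attribute; KeyUsage from KEYENC (keyEncipherment) and DIGSIG
     * (digitalSignature) when either is true; IssuerAlternativeName copied from the signer's SANs;
     * and optionally the EMAILADDRESS attribute as SubjectAlternativeName.
     *
     * @param fields attributes, signer cert/key and output files
     * @param keyPair the freshly generated subject key pair
     * @param addAltNames add the EMAILADDRESS attribute as a SAN when present
     * @return {@code fields}, unchanged
     * @throws Exception on any signing, verification or file-writing failure
     */
    private static CertCreateFields createLeafCertificate(CertCreateFields fields, KeyPair keyPair,
            boolean addAltNames) throws Exception {
        X509Certificate signerCert = fields.getSignerCert();
        X509V3CertificateGenerator generator = newGenerator(fields, keyPair, buildDistinguishedName(fields));
        generator.setIssuerDN(signerCert.getSubjectX500Principal());
        generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
                (ASN1Encodable) new AuthorityKeyIdentifierStructure(signerCert));
        generator.addExtension(X509Extensions.BasicConstraints, true,
                (ASN1Encodable) new BasicConstraints(attributeIsTrue(fields, "ALLOWTOSIGN")));

        int keyUsage = 0;
        if (attributeIsTrue(fields, "KEYENC")) {
            keyUsage |= KeyUsage.keyEncipherment;
        }
        if (attributeIsTrue(fields, "DIGSIG")) {
            keyUsage |= KeyUsage.digitalSignature;
        }
        if (keyUsage != 0) {
            generator.addExtension(X509Extensions.KeyUsage, false, (ASN1Encodable) new KeyUsage(keyUsage));
        }

        // The original added one IssuerAlternativeName extension per signer SAN; an extension OID
        // may appear only once per certificate, so all names are combined into a single extension.
        GeneralName[] issuerAltNames = issuerAltNames(signerCert);
        if (issuerAltNames.length > 0) {
            generator.addExtension(X509Extensions.IssuerAlternativeName, false,
                    (ASN1Encodable) new GeneralNames(issuerAltNames));
        }

        String email = emailAttribute(fields);
        if (addAltNames && !email.isEmpty()) {
            generator.addExtension(X509Extensions.SubjectAlternativeName, false,
                    (ASN1Encodable) new GeneralNames(subjectAltName(email)));
        }

        X509Certificate cert = generator.generate((PrivateKey) fields.getSignerKey(),
                CryptoExtensions.getJCEProviderName());
        cert.verify(signerCert.getPublicKey());
        writeCertAndKey(cert, keyPair.getPrivate(), fields);
        return fields;
    }

    /**
     * Collects the signer's subject alternative names as {@link GeneralName}s.
     *
     * <p>Each entry from {@link X509Certificate#getSubjectAlternativeNames()} is a list of
     * {@code [Integer nameType, value]}; only String-valued entries (rfc822Name, dNSName, URI)
     * can be re-encoded from their text form, so byte[]-valued types are skipped rather than
     * emitted as the array's {@code toString()}.
     */
    private static GeneralName[] issuerAltNames(X509Certificate signerCert) throws CertificateParsingException {
        List<GeneralName> names = new ArrayList<>();
        if (signerCert.getSubjectAlternativeNames() != null) {
            for (List<?> entry : signerCert.getSubjectAlternativeNames()) {
                if (entry.get(1) instanceof String) {
                    names.add(new GeneralName(((Integer) entry.get(0)).intValue(), (String) entry.get(1)));
                }
            }
        }
        return names.toArray(new GeneralName[0]);
    }

    /**
     * Writes the DER certificate to {@code getNewCertFile()} and the PKCS#8 private key to
     * {@code getNewKeyFile()}; the key is password-encrypted when a non-empty password is set,
     * otherwise it is written in the clear. Files are created with the platform's default
     * permissions. When the fields carry no signer yet, the new cert/key become the signer
     * (this is how a freshly created CA is handed back to the caller).
     *
     * @throws Exception on encoding, encryption or file-writing failure
     */
    private static void writeCertAndKey(X509Certificate cert, PrivateKey privateKey, CertCreateFields fields)
            throws Exception {
        FileUtils.writeByteArrayToFile(fields.getNewCertFile(), cert.getEncoded());
        char[] password = fields.getNewPassword();
        byte[] keyFileBytes = (password == null || password.length == 0)
                ? privateKey.getEncoded()
                : encryptPrivateKey(privateKey.getEncoded(), password);
        FileUtils.writeByteArrayToFile(fields.getNewKeyFile(), keyFileBytes);
        if (fields.getSignerCert() == null) {
            fields.setSignerCert(cert);
        }
        if (fields.getSignerKey() == null) {
            fields.setSignerKey(privateKey);
        }
    }

    /**
     * Wraps a PKCS#8 key in an EncryptedPrivateKeyInfo using PBEWithMD5AndDES with a random
     * 8-byte salt. The scheme (MD5 + single DES, 20 iterations) is weak by today's standards and
     * is retained only because the key-file format is shared with existing readers; a new format
     * (PBES2 with PBKDF2 and AES) would need a coordinated change on the loading side.
     *
     * @param pkcs8 the unencrypted PKCS#8 encoding
     * @param password the protection password
     * @return the DER encoding of the EncryptedPrivateKeyInfo
     * @throws Exception on any JCE failure; also fails if the SunJCE provider is not installed,
     *     since the parameter encoding is taken from it explicitly
     */
    private static byte[] encryptPrivateKey(byte[] pkcs8, char[] password) throws Exception {
        byte[] salt = new byte[PBE_SALT_LENGTH];
        new SecureRandom().nextBytes(salt);
        PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, PBE_ITERATIONS);
        SecretKey pbeKey = SecretKeyFactory.getInstance(PBE_ALGORITHM, CryptoExtensions.getJCEProviderName())
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance(PBE_ALGORITHM, CryptoExtensions.getJCEProviderName());
        cipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeSpec);
        byte[] ciphertext = cipher.doFinal(pkcs8);
        // Parameters are encoded via SunJCE so the written AlgorithmIdentifier matches the PKCS#5 OID.
        AlgorithmParameters params = AlgorithmParameters.getInstance(PBE_WITH_MD5_AND_DES_CBC_OID,
                Security.getProvider("SunJCE"));
        params.init(pbeSpec);
        return new EncryptedPrivateKeyInfo(params, ciphertext).getEncoded();
    }

    static {
        // Registers the JCE provider returned by CryptoExtensions.getJCEProviderName() before first use.
        CryptoExtensions.registerJCEProviders();
    }
}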
