package sila_java.library.core.encryption;

import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Date;
import java.util.UUID;
import javax.annotation.Nullable;
import lombok.NonNull;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.RFC4519Style;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pqc.jcajce.spec.SPHINCS256KeyGenParameterSpec;
import org.bouncycastle.pqc.jcajce.spec.XMSSMTParameterSpec;
import org.bouncycastle.pqc.jcajce.spec.XMSSParameterSpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/core-0.6.0.jar:sila_java/library/core/encryption/SelfSignedCertificate.class */
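/**
 * Generates a fresh key pair and a matching self-signed X.509 certificate using BouncyCastle.
 *
 * <p>The certificate carries a fixed SiLA subject (which is also the issuer), server/client
 * authentication extended key usage, an optional IP subject alternative name and an optional
 * server UUID stored under a private OID.
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>A self-signed certificate proves nothing about the peer's identity on its own. Clients
 *       must pin or explicitly trust the exact certificate, otherwise the TLS channel is open to
 *       interception.</li>
 *   <li>{@link #getPrivateKey()} returns the live private key. Do not log or serialize it, and
 *       store it only with restrictive permissions.</li>
 *   <li>{@link KeySize#SIZE_1024} is kept for backward compatibility only; 1024-bit RSA is below
 *       current recommendations.</li>
 * </ul>
 */
public class SelfSignedCertificate {
    private static final Logger log = LoggerFactory.getLogger(SelfSignedCertificate.class);
    private static final String CN = "SiLA2";
    /** Milliseconds per day, as a {@code long} so validity arithmetic cannot overflow {@code int}. */
    private static final long MILLIS_PER_DAY = 24L * 60 * 60 * 1000;
    /** notBefore is back-dated by this much to tolerate small clock differences between peers. */
    private static final long NOT_BEFORE_SKEW_MILLIS = 50000L;
    /** RSA moduli below this size trigger a warning. */
    private static final int MIN_RECOMMENDED_RSA_BITS = 2048;

    private final X509Certificate certificate;
    private final PrivateKey privateKey;
    private final PublicKey publicKey;

    /**
     * Fluent builder for {@link SelfSignedCertificate}.
     *
     * <p>Defaults: RSA, SHA-256, 2048-bit key, 365 days validity, no server IP, no server UUID.
     */
    public static class Builder {
        private EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.RSA;
        private DigestAlgorithm digestAlgorithm = DigestAlgorithm.SHA256;
        private KeySize keySize = KeySize.SIZE_2048;
        private int days = 365;
        private String payload = "SiLA Standard now allows an encryption layer.";
        private UUID serverUuid = null;
        private String serverIp = null;

        /**
         * Selects the key/signature algorithm.
         *
         * @param encryptionAlgorithm algorithm to use, never {@code null}
         * @return this builder
         * @throws NullPointerException if {@code encryptionAlgorithm} is {@code null}
         */
        public Builder withEncryptionAlgorithm(@NonNull EncryptionAlgorithm encryptionAlgorithm) {
            if (encryptionAlgorithm == null) {
                throw new NullPointerException("encryptionAlgorithm is marked non-null but is null");
            }
            this.encryptionAlgorithm = encryptionAlgorithm;
            return this;
        }

        /**
         * Selects the digest used in the signature algorithm name (and as XMSS tree digest).
         *
         * @param digestAlgorithm digest to use, never {@code null}
         * @return this builder
         * @throws NullPointerException if {@code digestAlgorithm} is {@code null}
         */
        public Builder withDigestAlgorithm(@NonNull DigestAlgorithm digestAlgorithm) {
            if (digestAlgorithm == null) {
                throw new NullPointerException("digestAlgorithm is marked non-null but is null");
            }
            this.digestAlgorithm = digestAlgorithm;
            return this;
        }

        /**
         * Selects the RSA modulus size. Only read for {@link EncryptionAlgorithm#RSA}.
         *
         * @param keySize key size, never {@code null}; prefer 2048 bits or more
         * @return this builder
         * @throws NullPointerException if {@code keySize} is {@code null}
         */
        public Builder withKeySize(@NonNull KeySize keySize) {
            if (keySize == null) {
                throw new NullPointerException("keySize is marked non-null but is null");
            }
            this.keySize = keySize;
            return this;
        }

        /**
         * Sets the validity period in days, counted from generation time.
         *
         * <p>The value is not validated here. A non-positive value yields a certificate whose
         * notAfter is not in the future, which {@link #build()} is expected to reject through
         * its validity check.
         *
         * @param days validity in days
         * @return this builder
         */
        public Builder withDays(int days) {
            this.days = days;
            return this;
        }

        /**
         * Sets the server UUID embedded as a private certificate extension.
         *
         * @param uuid server UUID, or {@code null} to omit the extension
         * @return this builder
         */
        public Builder withServerUUID(@Nullable UUID uuid) {
            this.serverUuid = uuid;
            return this;
        }

        /**
         * Sets the IP address placed in the subject alternative name extension.
         *
         * @param ip textual IP address, or {@code null} to omit the extension
         * @return this builder
         */
        public Builder withServerIP(@Nullable String ip) {
            this.serverIp = ip;
            return this;
        }

        /**
         * Sets the text that is signed once as a self-test of the freshly generated key.
         *
         * @param payload self-test text, never {@code null}
         * @return this builder
         * @throws NullPointerException if {@code payload} is {@code null}
         */
        public Builder withPayload(@NonNull String payload) {
            if (payload == null) {
                throw new NullPointerException("payload is marked non-null but is null");
            }
            this.payload = payload;
            return this;
        }

        /**
         * Generates the key pair and certificate with the configured settings.
         *
         * @return the new key pair and certificate
         * @throws CertificateGenerationException if key generation, signing or certificate
         *     construction/validation fails
         */
        public SelfSignedCertificate build() throws CertificateGenerationException {
            return new SelfSignedCertificate(this.encryptionAlgorithm, this.digestAlgorithm, this.keySize, this.days, this.payload, this.serverIp, this.serverUuid);
        }
    }

    /** Wraps any failure raised while generating the key pair or the certificate. */
    public static class CertificateGenerationException extends Exception {
        /**
         * @param cause underlying failure, never {@code null}
         * @throws NullPointerException if {@code cause} is {@code null}
         */
        public CertificateGenerationException(@NonNull Throwable cause) {
            super(cause);
            if (cause == null) {
                throw new NullPointerException("cause is marked non-null but is null");
            }
        }
    }

    /** Digest part of the signature algorithm name ({@code <digest>with<algorithm>}). */
    public enum DigestAlgorithm {
        SHA256,
        SHA512
    }

    /**
     * Key pair / signature algorithm. Despite the name these are signature schemes; nothing in
     * this class encrypts data.
     */
    public enum EncryptionAlgorithm {
        XMSS,
        XMSSMT,
        SPHINCS256,
        RSA
    }

    /** RSA modulus size in bits. */
    public enum KeySize {
        /** Kept for compatibility; below current recommendations for RSA. */
        SIZE_1024(1024),
        SIZE_2048(2048),
        SIZE_4096(4096);

        public final int value;

        KeySize(int bits) {
            this.value = bits;
        }
    }

    /**
     * @return a builder pre-populated with the default settings
     */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Initializes the key pair generator with the parameter spec matching the algorithm.
     *
     * @param kpg generator obtained for {@code alg}
     * @param alg algorithm whose parameter spec is applied
     * @param digest tree digest for XMSS/XMSSMT; not read for the other algorithms
     * @param keySize RSA modulus size; not read for the other algorithms
     * @throws InvalidAlgorithmParameterException if the generator rejects the spec or the
     *     algorithm has no case here
     */
    private static void initialize(@NonNull KeyPairGenerator kpg, @NonNull EncryptionAlgorithm alg, @NonNull DigestAlgorithm digest, @NonNull KeySize keySize) throws InvalidAlgorithmParameterException {
        if (kpg == null) {
            throw new NullPointerException("kpg is marked non-null but is null");
        }
        if (alg == null) {
            throw new NullPointerException("alg is marked non-null but is null");
        }
        if (digest == null) {
            throw new NullPointerException("digest is marked non-null but is null");
        }
        if (keySize == null) {
            throw new NullPointerException("keySize is marked non-null but is null");
        }
        switch (alg) {
            case XMSS:
                // NOTE(review): the first argument looks like the tree height; height 4 would cap
                // the key at 2^4 signatures, and sign() below already spends one. Confirm.
                kpg.initialize(new XMSSParameterSpec(4, digest.toString()));
                return;
            case XMSSMT:
                // NOTE(review): presumably total height 4 over 2 layers; same signature budget
                // concern as XMSS. Confirm against the BouncyCastle version in use.
                kpg.initialize(new XMSSMTParameterSpec(4, 2, digest.toString()));
                return;
            case SPHINCS256:
                kpg.initialize(new SPHINCS256KeyGenParameterSpec());
                return;
            case RSA:
                if (keySize.value < MIN_RECOMMENDED_RSA_BITS) {
                    log.warn("RSA key size of {} bits is below the recommended minimum of {} bits", keySize.value, MIN_RECOMMENDED_RSA_BITS);
                }
                // Public exponent F4 (65537).
                kpg.initialize(new RSAKeyGenParameterSpec(keySize.value, new BigInteger("65537")));
                return;
            default:
                throw new InvalidAlgorithmParameterException("Cannot initialize with specified algorithm: " + alg);
        }
    }

    /**
     * Signs the payload once as a self-test of the key and provider; the signature is discarded.
     *
     * @param pk private key to test
     * @param sigAlg JCA signature algorithm name
     * @param provider JCA provider name
     * @param payload text to sign
     * @throws NoSuchProviderException if the provider is not installed
     * @throws NoSuchAlgorithmException if the provider does not offer {@code sigAlg}
     * @throws InvalidKeyException if the key does not fit the algorithm
     * @throws SignatureException if signing fails
     */
    private static void sign(@NonNull PrivateKey pk, @NonNull String sigAlg, @NonNull String provider, @NonNull String payload) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        if (pk == null) {
            throw new NullPointerException("pk is marked non-null but is null");
        }
        if (sigAlg == null) {
            throw new NullPointerException("sigAlg is marked non-null but is null");
        }
        if (provider == null) {
            throw new NullPointerException("provider is marked non-null but is null");
        }
        if (payload == null) {
            throw new NullPointerException("payload is marked non-null but is null");
        }
        Signature signature = Signature.getInstance(sigAlg, provider);
        signature.initSign(pk);
        // Explicit charset: the platform default varies between hosts.
        signature.update(payload.getBytes(StandardCharsets.UTF_8));
        signature.sign();
        log.info("Successfully signed");
    }

    /**
     * Builds, signs and checks the self-signed certificate.
     *
     * @param privKey key used to sign the certificate
     * @param pubKey key certified by the certificate
     * @param sigAlg JCA signature algorithm name
     * @param days validity in days from now
     * @param verify whether to verify the signature with the public key after construction
     * @param serverIp IP address for the subject alternative name, or {@code null}
     * @param serverUuid UUID for the private extension, or {@code null}
     * @return the certificate, re-parsed from its encoded form
     */
    private static X509Certificate generate(@NonNull PrivateKey privKey, @NonNull PublicKey pubKey, @NonNull String sigAlg, int days, boolean verify, @Nullable String serverIp, @Nullable UUID serverUuid) throws OperatorCreationException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, CertIOException {
        if (privKey == null) {
            throw new NullPointerException("privKey is marked non-null but is null");
        }
        if (pubKey == null) {
            throw new NullPointerException("pubKey is marked non-null but is null");
        }
        if (sigAlg == null) {
            throw new NullPointerException("sigAlg is marked non-null but is null");
        }
        BouncyCastleProvider provider = new BouncyCastleProvider();
        // Self-signed: the same name is used as issuer and subject.
        X500Name subject = createSubjectBuilder().build();
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(privKey);

        long now = System.currentTimeMillis();
        Date notBefore = new Date(now - NOT_BEFORE_SKEW_MILLIS);
        // long arithmetic: days * 86_400_000 overflows int for anything above 24 days, which
        // silently shortened the validity (365 days wrapped to roughly 17).
        Date notAfter = new Date(now + days * MILLIS_PER_DAY);
        BigInteger serial = new BigInteger(64, new SecureRandom());

        // NOTE(review): keyCertSign is asserted while basicConstraints says cA=false; RFC 5280
        // requires cA=true whenever keyCertSign is set. Left as is to keep issued certificates
        // unchanged; strict validators may reject this combination.
        int keyUsageBits = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyCertSign;
        // NOTE(review): subjectKeyIdentifier is marked critical and carries the full encoded
        // public key instead of a hash of it; RFC 5280 expects a non-critical extension.
        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(subject, serial, notBefore, notAfter, subject, pubKey)
                .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
                .addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth}))
                .addExtension(Extension.keyUsage, true, new KeyUsage(keyUsageBits))
                .addExtension(Extension.subjectKeyIdentifier, true, new SubjectKeyIdentifier(pubKey.getEncoded()));
        if (serverIp != null) {
            certBuilder = certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.iPAddress, serverIp)));
        }
        if (serverUuid != null) {
            // Private OID; the extension value is the ASCII text of the UUID.
            certBuilder = certBuilder.addExtension(new ASN1ObjectIdentifier("1.3.6.1.4.1.58583").intern(), false, serverUuid.toString().getBytes(StandardCharsets.US_ASCII));
        }
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(provider).getCertificate(certBuilder.build(signer));
        certificate.checkValidity(new Date());
        if (verify) {
            certificate.verify(pubKey);
            certificate.verify(certificate.getPublicKey());
        }
        // Round-trip through the encoded form so the returned object is what a peer would parse.
        ByteArrayInputStream encoded = new ByteArrayInputStream(certificate.getEncoded());
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", provider);
        log.info("Certificate constructed and valid for {} days.", days);
        return (X509Certificate) certificateFactory.generateCertificate(encoded);
    }

    /**
     * @return a name builder holding the fixed SiLA subject attributes
     */
    private static X500NameBuilder createSubjectBuilder() {
        X500NameBuilder subject = new X500NameBuilder(RFC4519Style.INSTANCE);
        subject.addRDN(RFC4519Style.c, "CH")
                .addRDN(RFC4519Style.o, "Association Consortium Standardization in Lab Automation (SiLA)")
                .addRDN(RFC4519Style.l, "Rapperswil-Jona")
                .addRDN(RFC4519Style.st, "SG")
                .addRDN(RFC4519Style.cn, CN);
        return subject;
    }

    /**
     * Generates the key pair, self-tests it by signing the payload, then issues the certificate.
     *
     * @param alg key/signature algorithm
     * @param digest digest part of the signature algorithm
     * @param keySize RSA modulus size
     * @param days certificate validity in days
     * @param payload text signed once as a self-test
     * @param serverIp IP address for the subject alternative name, or {@code null}
     * @param serverUuid UUID for the private extension, or {@code null}
     * @throws CertificateGenerationException wrapping any provider, key, signature or
     *     certificate failure
     */
    private SelfSignedCertificate(@NonNull EncryptionAlgorithm alg, @NonNull DigestAlgorithm digest, @NonNull KeySize keySize, int days, @NonNull String payload, @Nullable String serverIp, @Nullable UUID serverUuid) throws CertificateGenerationException {
        if (alg == null) {
            throw new NullPointerException("alg is marked non-null but is null");
        }
        if (digest == null) {
            throw new NullPointerException("digest is marked non-null but is null");
        }
        if (keySize == null) {
            throw new NullPointerException("keySize is marked non-null but is null");
        }
        if (payload == null) {
            throw new NullPointerException("payload is marked non-null but is null");
        }
        // JCA signature name, e.g. "SHA256withRSA". The plain literal replaces a decompiler
        // artifact that borrowed an unrelated Jackson constant with the same value.
        // NOTE(review): the provider may not offer every digest/algorithm combination; an
        // unsupported one surfaces below as CertificateGenerationException.
        String sigAlg = digest + "with" + alg;
        // Register the provider once per JVM instead of constructing a throwaway instance on
        // every call.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(alg.toString(), BouncyCastleProvider.PROVIDER_NAME);
            initialize(keyPairGenerator, alg, digest, keySize);
            KeyPair keyPair = keyPairGenerator.generateKeyPair();
            sign(keyPair.getPrivate(), sigAlg, BouncyCastleProvider.PROVIDER_NAME, payload);
            this.privateKey = keyPair.getPrivate();
            this.publicKey = keyPair.getPublic();
            this.certificate = generate(this.privateKey, this.publicKey, sigAlg, days, true, serverIp, serverUuid);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException | CertIOException | OperatorCreationException e) {
            throw new CertificateGenerationException(e);
        }
    }

    /**
     * @return the generated self-signed certificate
     */
    public X509Certificate getCertificate() {
        return this.certificate;
    }

    /**
     * Returns the private key matching the certificate.
     *
     * <p>This is secret material: never log it, and persist it only in protected storage.
     *
     * @return the private key
     */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * @return the public key certified by {@link #getCertificate()}
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }
}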
