package org.opcfoundation.ua.utils;

import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.util.regex.Pattern;
import org.apache.sshd.common.util.net.SshdSocketAddress;
import org.opcfoundation.ua.transport.security.KeyPair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateIssuerName;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateSubjectName;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.DNSName;
import sun.security.x509.ExtendedKeyUsageExtension;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralNames;
import sun.security.x509.IPAddressName;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.OIDName;
import sun.security.x509.RFC822Name;
import sun.security.x509.SerialNumber;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.URIName;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

/* loaded from: input_file:BOOT-INF/lib/opc-ua-stack-1.3.346-197.jar:org/opcfoundation/ua/utils/SunJceUtils.class */
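/**
 * Certificate-generation and Base64 helpers built on the JDK-internal
 * {@code sun.security.x509} / {@code sun.security.util} classes.
 *
 * <p>Those packages are not exported from {@code java.base} on Java 9 and later, so this class
 * compiles and runs there only with explicit {@code --add-exports} flags (or on Java 8). The
 * Base64 helpers use {@link java.util.Base64}, which replaced the removed {@code sun.misc}
 * encoder/decoder.
 */
public class SunJceUtils {
    private static final Logger logger = LoggerFactory.getLogger(SunJceUtils.class);
    /** id-kp-serverAuth (RFC 5280 section 4.2.1.12). */
    private static final String KUE_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    /** id-kp-clientAuth (RFC 5280 section 4.2.1.12). */
    private static final String KUE_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    /** id-ce-subjectAltName (RFC 5280 section 4.2.1.6). */
    private static final String SUBJECT_ALT_NAME_OID = "2.5.29.17";

    /**
     * What this class treats as an IPv4 literal when sorting host names into DNS and IP
     * SubjectAlternativeName entries. IPv6 literals are not recognised and fall through to
     * {@link DNSName}, which is expected to reject them as invalid host names.
     */
    private static final Pattern IPV4_LITERAL = Pattern.compile("^[0-9.]+$");

    /*
     * KeyUsage bit arrays in RFC 5280 order: digitalSignature, nonRepudiation, keyEncipherment,
     * dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly, plus one
     * trailing unused bit that KeyUsageExtension truncates when encoding.
     */
    /** CA certificates: digitalSignature, keyCertSign, cRLSign. */
    private static final boolean[] CA_KEY_USAGE =
        {true, false, false, false, false, true, true, false, false, false};
    /**
     * Application instance certificates: digitalSignature, nonRepudiation, keyEncipherment,
     * dataEncipherment and keyCertSign. NOTE(review): keyCertSign on an end-entity certificate is
     * unusual; presumably kept so a self-signed application certificate can serve as its own trust
     * anchor - confirm against the OPC UA certificate profile before changing.
     */
    private static final boolean[] APPLICATION_KEY_USAGE =
        {true, true, true, true, false, true, false, false, false, false};

    /** Wraps output at 76 characters with {@code \n}, like the sun.misc encoder this replaces. */
    private static final Base64.Encoder BASE64_ENCODER = Base64.getMimeEncoder(76, new byte[] {'\n'});
    /** Ignores line breaks and any other character outside the Base64 alphabet. */
    private static final Base64.Decoder BASE64_DECODER = Base64.getMimeDecoder();

    /**
     * Decodes Base64 text, ignoring line breaks and other non-alphabet characters.
     *
     * @param str Base64 text, possibly line-wrapped
     * @return the decoded bytes (empty for empty input)
     * @throws IllegalArgumentException if {@code str} has invalid padding
     */
    public static byte[] base64Decode(String str) {
        return BASE64_DECODER.decode(str);
    }

    /**
     * Encodes bytes as Base64 text wrapped at 76 characters with {@code \n}.
     *
     * <p>The only expected difference from the sun.misc encoder this replaces is whether a
     * trailing line break is emitted when the input is an exact multiple of 57 bytes; decoders
     * that ignore whitespace, including {@link #base64Decode(String)}, are unaffected.
     *
     * @param bArr bytes to encode
     * @return the Base64 text (empty for empty input)
     */
    public static String base64Encode(byte[] bArr) {
        return BASE64_ENCODER.encodeToString(bArr);
    }

    /**
     * Generates a CA certificate (BasicConstraints cA=true) for {@code publicKey}.
     *
     * <p>When {@code keyPair} is {@code null} the certificate is self-signed with
     * {@code privateKey} and its AuthorityKeyIdentifier equals its SubjectKeyIdentifier;
     * otherwise it is signed by {@code keyPair} and issuer/AKI are taken from that CA's
     * certificate.
     *
     * @param publicKey    subject public key
     * @param privateKey   subject private key, used only for self-signing ({@code keyPair == null})
     * @param keyPair      issuing CA (certificate plus private key), or {@code null} to self-sign
     * @param str          subject distinguished name in X.500 string form
     * @param bigInteger   serial number; RFC 5280 section 4.1.2.2 requires a positive value of at
     *                     most 20 octets, which is not checked here
     * @param date         notBefore
     * @param date2        notAfter
     * @return the signed certificate
     * @throws IllegalArgumentException if {@code date} is after {@code date2}
     * @throws GeneralSecurityException if the signature algorithm or key is unusable
     * @throws IOException              if a name or extension cannot be encoded
     */
    public static X509Certificate generateIssuerCert(PublicKey publicKey, PrivateKey privateKey, KeyPair keyPair, String str, BigInteger bigInteger, Date date, Date date2) throws GeneralSecurityException, IOException {
        return generate(publicKey, privateKey, keyPair, str, bigInteger, date, date2, true, CA_KEY_USAGE, null);
    }

    /**
     * Generates an application instance (end-entity) certificate for {@code publicKey} with
     * serverAuth/clientAuth ExtendedKeyUsage and a SubjectAlternativeName built from the
     * application URI and host names (see {@link #createAlternativeNames(String, String...)}).
     *
     * <p>Issuer selection is the same as for {@link #generateIssuerCert}: self-signed with
     * {@code privateKey} when {@code keyPair} is {@code null}, otherwise signed by {@code keyPair}.
     *
     * @param str        subject distinguished name in X.500 string form
     * @param publicKey  subject public key
     * @param privateKey subject private key, used only for self-signing
     * @param keyPair    issuing CA, or {@code null} to self-sign
     * @param date       notBefore
     * @param date2      notAfter
     * @param bigInteger serial number (see {@link #generateIssuerCert} for the RFC 5280 constraints)
     * @param str2       application URI; becomes the first SAN entry
     * @param strArr     additional host names or IPv4 literals for the SAN; may be {@code null}
     * @return the signed certificate
     * @throws IllegalArgumentException if {@code date} is after {@code date2}
     * @throws GeneralSecurityException if the signature algorithm or key is unusable
     * @throws IOException              if a name (e.g. an invalid host name or address) or an
     *                                  extension cannot be encoded
     */
    public static X509Certificate generateCertificate(String str, PublicKey publicKey, PrivateKey privateKey, KeyPair keyPair, Date date, Date date2, BigInteger bigInteger, String str2, String... strArr) throws GeneralSecurityException, IOException {
        return generate(publicKey, privateKey, keyPair, str, bigInteger, date, date2, false, APPLICATION_KEY_USAGE, createAlternativeNames(str2, strArr));
    }

    /**
     * The issuer side of a certificate: issuer name, the AuthorityKeyIdentifier to embed and the
     * key that signs.
     */
    private static final class Issuer {
        final X500Name name;
        final AuthorityKeyIdentifierExtension authorityKeyIdentifier;
        final PrivateKey signingKey;

        private Issuer(X500Name name, AuthorityKeyIdentifierExtension authorityKeyIdentifier, PrivateKey signingKey) {
            this.name = name;
            this.authorityKeyIdentifier = authorityKeyIdentifier;
            this.signingKey = signingKey;
        }

        /**
         * Self-signed when {@code issuerKeyPair} is {@code null} (issuer = subject, AKI = SKI,
         * signed with the subject's own key); otherwise issuer name, AKI and signing key come from
         * the CA's certificate and private key.
         */
        static Issuer of(X500Name subject, KeyIdentifier subjectKeyId, PrivateKey subjectPrivateKey, KeyPair issuerKeyPair) throws IOException {
            if (issuerKeyPair == null) {
                return new Issuer(subject,
                    new AuthorityKeyIdentifierExtension(subjectKeyId, (GeneralNames) null, (SerialNumber) null),
                    subjectPrivateKey);
            }
            X509Certificate issuerCert = issuerKeyPair.getCertificate().getCertificate();
            return new Issuer(
                new X500Name(issuerCert.getSubjectX500Principal().getName()),
                new AuthorityKeyIdentifierExtension(new KeyIdentifier(issuerCert.getPublicKey()), (GeneralNames) null, (SerialNumber) null),
                issuerKeyPair.getPrivateKey().getPrivateKey());
        }
    }

    /**
     * Shared body of {@link #generateIssuerCert} and {@link #generateCertificate}: builds a V3
     * certificate with SKI, AKI, BasicConstraints and KeyUsage, adds EKU and SAN for end-entity
     * certificates, and signs it.
     *
     * @param isCa            BasicConstraints cA flag; {@code true} also suppresses EKU and SAN
     * @param keyUsage        KeyUsage bits (copied, so the shared constants are never aliased)
     * @param subjectAltNames SAN entries for end-entity certificates; ignored when {@code isCa}
     */
    private static X509Certificate generate(PublicKey publicKey, PrivateKey privateKey, KeyPair keyPair, String subjectDn, BigInteger serial, Date notBefore, Date notAfter, boolean isCa, boolean[] keyUsage, GeneralNames subjectAltNames) throws GeneralSecurityException, IOException {
        if (notBefore.after(notAfter)) {
            throw new IllegalArgumentException("notBefore " + notBefore + " is after notAfter " + notAfter);
        }
        X500Name subject = new X500Name(subjectDn);
        KeyIdentifier subjectKeyId = new KeyIdentifier(publicKey);
        Issuer issuer = Issuer.of(subject, subjectKeyId, privateKey, keyPair);

        CertificateExtensions extensions = new CertificateExtensions();
        extensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(subjectKeyId.getIdentifier()));
        extensions.set(AuthorityKeyIdentifierExtension.NAME, issuer.authorityKeyIdentifier);
        // NOTE(review): BasicConstraints is emitted non-critical for CA certificates too, whereas
        // RFC 5280 section 4.2.1.9 requires it to be critical in CA certificates; left as-is
        // because it changes the emitted certificate bytes.
        extensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, isCa, 0));
        extensions.set(KeyUsageExtension.NAME, new KeyUsageExtension(keyUsage.clone()));
        if (!isCa) {
            Vector<ObjectIdentifier> purposes = new Vector<ObjectIdentifier>(2);
            purposes.add(new ObjectIdentifier(KUE_SERVER_AUTH));
            purposes.add(new ObjectIdentifier(KUE_CLIENT_AUTH));
            extensions.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(false, purposes));
            extensions.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(false, subjectAltNames));
        }

        X509CertInfo info = new X509CertInfo();
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));
        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subject));
        info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer.name));
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(CertificateUtils.getCertificateSignatureAlgorithm())));
        info.set(X509CertInfo.EXTENSIONS, extensions);
        return signCert(info, issuer.signingKey);
    }

    /**
     * Signs {@code x509CertInfo} with {@code privateKey} using the algorithm named by
     * {@code CertificateUtils.getCertificateSignatureAlgorithm()}.
     */
    private static X509Certificate signCert(X509CertInfo x509CertInfo, PrivateKey privateKey) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
        X509CertImpl cert = new X509CertImpl(x509CertInfo);
        cert.sign(privateKey, CertificateUtils.getCertificateSignatureAlgorithm());
        return cert;
    }

    /** True when {@code s} looks like a dotted-decimal IPv4 literal (digits and dots only). */
    private static boolean isIpv4Literal(String s) {
        return IPV4_LITERAL.matcher(s).matches();
    }

    /**
     * Builds the SubjectAlternativeName for an application instance certificate.
     *
     * <p>Entries, in order: the application URI as a URI name; the second {@code [:/]}-separated
     * segment of that URI as a DNS name (this assumes the URN form {@code urn:<host>:...}; if the
     * segment is not a valid host name it is logged and skipped); then each entry of
     * {@code strArr} as a DNS name, or collected separately as an IP address when it matches
     * {@link #IPV4_LITERAL}. Entries equal to the URI host segment or to {@code localhost} are
     * skipped. The collected IP addresses are appended only when no non-numeric DNS name was
     * added at all.
     *
     * @param str    application URI
     * @param strArr additional host names or IPv4 literals; may be {@code null}
     * @return the names, never empty (the URI is always present)
     * @throws IOException if the URI, a host name in {@code strArr} or an IPv4 literal is invalid
     */
    private static GeneralNames createAlternativeNames(String str, String... strArr) throws IOException {
        GeneralNames names = new GeneralNames();
        names.add(new GeneralName(new URIName(str)));
        boolean hasDnsName = false;
        String uriHost = null;
        try {
            String[] segments = str.split("[:/]");
            if (segments.length > 1) {
                uriHost = segments[1];
                names.add(new GeneralName(new DNSName(uriHost)));
                if (!isIpv4Literal(uriHost)) {
                    hasDnsName = true;
                }
            }
        } catch (IOException e) {
            // Best effort: a URI whose host segment is not a valid DNS name still gets a SAN.
            logger.warn("Cannot initialize DNS Name to Certificate from ApplicationUri {}", str, e);
        }
        GeneralNames ipNames = new GeneralNames();
        if (strArr != null) {
            for (String host : strArr) {
                if (host.equals(uriHost) || SshdSocketAddress.LOCALHOST_NAME.equalsIgnoreCase(host)) {
                    continue;
                }
                if (isIpv4Literal(host)) {
                    ipNames.add(new GeneralName(new IPAddressName(host)));
                } else {
                    names.add(new GeneralName(new DNSName(host)));
                    hasDnsName = true;
                }
            }
        }
        if (!hasDnsName) {
            for (GeneralName ipName : ipNames.names()) {
                names.add(ipName);
            }
        }
        return names;
    }

    /**
     * Converts {@code generalNames} to the {@code [type, value]} list form used by
     * {@link X509Certificate#getSubjectAlternativeNames()}: String values for rfc822Name,
     * dNSName, directoryName (RFC 2253), uniformResourceIdentifier, iPAddress and
     * registeredID; the raw DER encoding as {@code byte[]} for every other type.
     *
     * @return an unmodifiable collection of unmodifiable 2-element lists; empty if there are no
     *         names
     * @throws RuntimeException if a name cannot be encoded or an IP address cannot be rendered
     */
    private static Collection<List<?>> makeAltNames(GeneralNames generalNames) {
        if (generalNames.isEmpty()) {
            return Collections.emptySet();
        }
        Set<List<?>> result = new HashSet<List<?>>();
        for (GeneralName generalName : generalNames.names()) {
            GeneralNameInterface name = generalName.getName();
            List<Object> entry = new ArrayList<Object>(2);
            entry.add(name.getType());
            switch (name.getType()) {
                case GeneralNameInterface.NAME_RFC822:
                    entry.add(((RFC822Name) name).getName());
                    break;
                case GeneralNameInterface.NAME_DNS:
                    entry.add(((DNSName) name).getName());
                    break;
                case GeneralNameInterface.NAME_DIRECTORY:
                    entry.add(((X500Name) name).getRFC2253Name());
                    break;
                case GeneralNameInterface.NAME_URI:
                    entry.add(((URIName) name).getName());
                    break;
                case GeneralNameInterface.NAME_IP:
                    try {
                        entry.add(((IPAddressName) name).getName());
                    } catch (IOException e) {
                        throw new RuntimeException("IPAddress cannot be parsed", e);
                    }
                    break;
                case GeneralNameInterface.NAME_OID:
                    entry.add(((OIDName) name).getOID().toString());
                    break;
                default:
                    // otherName, x400Address, ediPartyName: no String form, keep the DER bytes.
                    DerOutputStream der = new DerOutputStream();
                    try {
                        name.encode(der);
                    } catch (IOException e) {
                        throw new RuntimeException("name cannot be encoded", e);
                    }
                    entry.add(der.toByteArray());
                    break;
            }
            result.add(Collections.unmodifiableList(entry));
        }
        return Collections.unmodifiableCollection(result);
    }

    /**
     * Reads the SubjectAlternativeName extension of {@code x509Certificate} in the
     * {@code [type, value]} list form of {@link X509Certificate#getSubjectAlternativeNames()}.
     *
     * @return {@code null} when the certificate has no SAN extension (matching the JDK contract),
     *         an empty collection when the extension body cannot be decoded, else the names
     * @throws CertificateParsingException if the extension value is not a valid DER OCTET STRING
     */
    public static Collection<List<?>> getSubjectAlternativeNames(X509Certificate x509Certificate) throws CertificateParsingException {
        byte[] extensionValue = x509Certificate.getExtensionValue(SUBJECT_ALT_NAME_OID);
        if (extensionValue == null) {
            return null;
        }
        byte[] extensionBody;
        try {
            extensionBody = new DerValue(extensionValue).getOctetString();
        } catch (IOException e) {
            throw new CertificateParsingException(e);
        }
        try {
            SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(Boolean.FALSE, extensionBody);
            return makeAltNames((GeneralNames) san.get(SubjectAlternativeNameExtension.SUBJECT_NAME));
        } catch (IOException e) {
            // Best effort, as the JDK does for a malformed SAN body: report no names rather than fail.
            logger.debug("Cannot decode SubjectAlternativeName extension", e);
            return Collections.emptySet();
        }
    }
}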
