package io.smallrye.certs.chain;

import io.smallrye.certs.CertificateUtils;
import java.io.File;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:io/smallrye/certs/chain/CertificateChainGenerator.class */
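/**
 * Generates a three-tier development certificate chain (self-signed root CA, intermediate CA,
 * leaf) and writes each certificate and private key as PEM into a base directory.
 * <p>
 * Output files: {@code root.crt}/{@code root.key}, {@code intermediate.crt}/{@code intermediate.key},
 * and {@code <cn>.crt}/{@code <cn>.key}; the leaf PEM also carries the intermediate certificate.
 * Private keys are written with a {@code null} password, i.e. presumably unencrypted (confirm in
 * {@code CertificateUtils}) — protect the output directory accordingly. This class is meant for
 * development/test material, not for production CAs.
 */
public class CertificateChainGenerator {

    static {
        // Key pairs below are requested from the "BC" provider explicitly, so register it up front.
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Signature algorithm used for every certificate in the chain. */
    private static final String SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";

    /** Modulus size of the three RSA key pairs. */
    private static final int RSA_KEY_SIZE = 2048;

    /**
     * Bit length of generated serial numbers. RFC 5280 requires serials to be positive, unique per
     * issuer and at most 20 octets; 127 random bits stays inside that limit and far exceeds the
     * 64 bits of unpredictability commonly expected of CA-issued serials.
     */
    private static final int SERIAL_BITS = 127;

    /** CSPRNG shared by key generation and serial-number generation. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Name of the root CA; being self-signed, it is used as both issuer and subject. */
    private static final X500Name ROOT_NAME = new X500Name("CN=root");

    /** Subject name of the intermediate CA. */
    private static final X500Name INTERMEDIATE_NAME = new X500Name("CN=intermediary");

    /** Common name of the leaf; also the base name of the leaf output files. */
    private String cn = "localhost";

    /** Subject alternative names of the leaf as {@code DNS:<host>} or {@code IP:<address>} entries. */
    private List<String> sans = List.of("DNS:localhost");

    /** Directory that receives the generated PEM files. */
    private final File baseDir;

    /**
     * Creates a generator writing into {@code file}, creating the directory if needed.
     *
     * @param file output directory
     * @throws IllegalStateException if the directory does not exist and cannot be created
     */
    public CertificateChainGenerator(File file) {
        this.baseDir = Objects.requireNonNull(file, "baseDir");
        // mkdirs() returns false both on failure and when the directory already exists (e.g. created
        // concurrently), so re-check before giving up.
        if (!file.isDirectory() && !file.mkdirs() && !file.isDirectory()) {
            throw new IllegalStateException("Cannot create certificate output directory " + file);
        }
    }

    /**
     * Sets the leaf common name.
     * <p>
     * The value is also used to build the leaf file names inside the base directory, so path
     * separators and {@code ..} are rejected to keep the output from escaping that directory.
     * It is embedded as {@code CN=<cn>} and parsed as an RFC 2253 string, so characters that are
     * special in that syntax (',', '+', '=' ...) may not round-trip as intended.
     *
     * @param str common name, typically a host name
     * @return this generator
     * @throws IllegalArgumentException if {@code str} is blank or looks like a path component
     */
    public CertificateChainGenerator withCN(String str) {
        Objects.requireNonNull(str, "cn");
        if (str.isBlank() || str.indexOf('/') >= 0 || str.indexOf('\\') >= 0 || str.contains("..")) {
            throw new IllegalArgumentException("Invalid common name: " + str);
        }
        this.cn = str;
        return this;
    }

    /**
     * Sets the leaf subject alternative names.
     *
     * @param list entries of the form {@code DNS:<host>} or {@code IP:<address>}; an entry without
     *             a prefix is treated as a DNS name
     * @return this generator
     */
    public CertificateChainGenerator withSAN(List<String> list) {
        // Snapshot so later mutation by the caller cannot change what gets signed; also rejects nulls.
        this.sans = List.copyOf(list);
        return this;
    }

    /**
     * Generates the root, intermediate and leaf key pairs and certificates and writes them as PEM
     * files into the base directory.
     *
     * @throws Exception on key generation, signing or I/O failure (propagated from the helpers)
     */
    public void generate() throws Exception {
        KeyPair rootKeys = generateKeyPair();
        X509Certificate rootCert = generateRootCertificate(rootKeys);

        KeyPair intermediateKeys = generateKeyPair();
        X509Certificate intermediateCert = generateIntermediaryCertificate(intermediateKeys, rootKeys, rootCert);

        KeyPair leafKeys = generateKeyPair();
        X509Certificate leafCert = generateLeafCertificate(leafKeys, intermediateKeys, intermediateCert);

        // Keys are written with a null password (presumably unencrypted — see class doc).
        CertificateUtils.writeCertificateToPEM(rootCert, new File(this.baseDir, "root.crt"), new X509Certificate[0]);
        CertificateUtils.writePrivateKeyToPem(rootKeys.getPrivate(), null, new File(this.baseDir, "root.key"));

        CertificateUtils.writeCertificateToPEM(intermediateCert, new File(this.baseDir, "intermediate.crt"), new X509Certificate[0]);
        CertificateUtils.writePrivateKeyToPem(intermediateKeys.getPrivate(), null, new File(this.baseDir, "intermediate.key"));

        // The leaf PEM bundles the intermediate so a server can present the full chain.
        CertificateUtils.writeCertificateToPEM(leafCert, new File(this.baseDir, this.cn + ".crt"), intermediateCert);
        CertificateUtils.writePrivateKeyToPem(leafKeys.getPrivate(), null, new File(this.baseDir, this.cn + ".key"));
    }

    /** Generates a fresh RSA key pair from the BouncyCastle provider. */
    private KeyPair generateKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
        generator.initialize(RSA_KEY_SIZE, RANDOM);
        return generator.generateKeyPair();
    }

    /**
     * Returns a random, positive serial number. A timestamp-derived serial is predictable and can
     * collide when two certificates are issued within the same millisecond.
     */
    private static BigInteger randomSerial() {
        // setBit(0) guarantees a non-zero value without affecting the 20-octet bound.
        return new BigInteger(SERIAL_BITS, RANDOM).setBit(0);
    }

    /** Encodes the public half of {@code keyPair} as the certificate's SubjectPublicKeyInfo. */
    private static SubjectPublicKeyInfo subjectPublicKeyInfo(KeyPair keyPair) {
        return SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));
    }

    /** Signs {@code builder} with the private half of {@code signer} and converts it to a JCA certificate. */
    private static X509Certificate sign(X509v3CertificateBuilder builder, KeyPair signer)
            throws OperatorCreationException, CertificateException {
        return new JcaX509CertificateConverter()
                .getCertificate(builder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(signer.getPrivate())));
    }

    /**
     * Builds the self-signed root CA certificate, valid from one day ago for one year.
     * <p>
     * Issuer and subject are the same name: the intermediate's issuer is copied from this subject,
     * and validators (OpenSSL in particular) only treat a trust anchor as self-signed when the two
     * match, so a mismatch breaks chain building.
     *
     * @param keyPair root key pair; its private key signs the certificate
     */
    private X509Certificate generateRootCertificate(KeyPair keyPair)
            throws CertIOException, NoSuchAlgorithmException, OperatorCreationException, CertificateException {
        Instant now = Instant.now();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                ROOT_NAME,
                randomSerial(),
                Date.from(now.minus(1, ChronoUnit.DAYS)),
                Date.from(now.plus(365, ChronoUnit.DAYS)),
                ROOT_NAME,
                subjectPublicKeyInfo(keyPair));
        // A root only signs CA certificates; no pathLenConstraint is set (any depth allowed).
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
        return sign(builder, keyPair);
    }

    /**
     * Builds the intermediate CA certificate, issued by the root and valid from one day ago for one year.
     *
     * @param keyPair         intermediate key pair (the subject key)
     * @param keyPair2        root key pair (the signing key)
     * @param x509Certificate root certificate; its subject becomes this certificate's issuer
     */
    private X509Certificate generateIntermediaryCertificate(KeyPair keyPair, KeyPair keyPair2, X509Certificate x509Certificate)
            throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException {
        Instant now = Instant.now();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                new X500Name(x509Certificate.getSubjectX500Principal().getName()),
                randomSerial(),
                Date.from(now.minus(1, ChronoUnit.DAYS)),
                Date.from(now.plus(365, ChronoUnit.DAYS)),
                INTERMEDIATE_NAME,
                subjectPublicKeyInfo(keyPair));
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));
        // No pathLenConstraint: this intermediate could itself issue sub-CAs.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        // AKI links this certificate to the root's key so path builders do not rely on names alone.
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(keyPair2.getPublic()));
        return sign(builder, keyPair2);
    }

    /**
     * Builds the leaf certificate, issued by the intermediate and valid from two days ago for four
     * days in total (a deliberately short, development-style lifetime).
     *
     * @param keyPair         leaf key pair (the subject key)
     * @param keyPair2        intermediate key pair (the signing key)
     * @param x509Certificate intermediate certificate; its subject becomes this certificate's issuer
     */
    private X509Certificate generateLeafCertificate(KeyPair keyPair, KeyPair keyPair2, X509Certificate x509Certificate)
            throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException {
        Instant now = Instant.now();
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                new X500Name(x509Certificate.getSubjectX500Principal().getName()),
                randomSerial(),
                Date.from(now.minus(2, ChronoUnit.DAYS)),
                Date.from(now.plus(2, ChronoUnit.DAYS)),
                new X500Name("CN=" + this.cn),
                subjectPublicKeyInfo(keyPair));
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(
                KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment
                        | KeyUsage.dataEncipherment | KeyUsage.keyAgreement));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(keyPair2.getPublic()));
        // RFC 5280 defines GeneralNames as SEQUENCE SIZE (1..MAX), so an empty SAN is malformed:
        // omit the extension rather than emit an empty sequence.
        if (!this.sans.isEmpty()) {
            builder.addExtension(Extension.subjectAlternativeName, false, subjectAlternativeNames());
        }
        return sign(builder, keyPair2);
    }

    /** Encodes the configured SAN entries as a GeneralNames sequence. */
    private DERSequence subjectAlternativeNames() {
        ASN1Encodable[] names = this.sans.stream()
                .map(CertificateChainGenerator::toGeneralName)
                .toArray(ASN1Encodable[]::new);
        return new DERSequence(names);
    }

    /** Maps a {@code DNS:}/{@code IP:} prefixed entry to a GeneralName; unprefixed entries are DNS names. */
    private static GeneralName toGeneralName(String san) {
        if (san.startsWith("DNS:")) {
            return new GeneralName(GeneralName.dNSName, san.substring(4));
        }
        if (san.startsWith("IP:")) {
            return new GeneralName(GeneralName.iPAddress, san.substring(3));
        }
        return new GeneralName(GeneralName.dNSName, san);
    }
}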
