package org.apache.nifi.security.cert.builder;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x500.style.RFC4519Style;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:org/apache/nifi/security/cert/builder/StandardCertificateBuilder.class */
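/**
 * Standard {@link CertificateBuilder} producing a signed X.509 version 3 certificate through Bouncy Castle.
 *
 * <p>A new builder is configured for a self-signed certificate: the issuer principal doubles as the subject and
 * the issuer key pair supplies the subject public key. {@link #setSubject} and {@link #setSubjectPublicKey}
 * redirect the certificate to another subject while the issuer key pair still signs it. The certificate is
 * flagged as a Certificate Authority exactly when the subject public key equals the issuer public key.
 *
 * <p>Every certificate carries Basic Constraints, a critical Key Usage, Subject and Authority Key Identifiers,
 * Extended Key Usage for client and server authentication, and a Subject Alternative Name extension holding
 * the subject Common Name as a dNSName followed by any configured DNS names.
 *
 * <p>The serial number is drawn from {@link SecureRandom} once per builder instance, so repeated calls to
 * {@link #build()} on the same instance reuse the serial number while the validity window moves with the clock.
 * Instances are not thread-safe: the setters mutate builder state.
 */
public class StandardCertificateBuilder implements CertificateBuilder {
    private static final String SIGNING_ALGORITHM = "SHA256withRSA";
    private static final String EC_SIGNING_ALGORITHM = "SHA256withECDSA";
    private static final String EC_KEY_ALGORITHM = "EC";
    private static final String LOCALHOST = "localhost";
    private static final boolean CRITICAL = true;
    private static final boolean NOT_CRITICAL = false;
    // 159 random bits plus the DER sign bit stay within the 20 octet serial number limit of RFC 5280
    private static final int SERIAL_NUMBER_BITS = 159;
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    // Bit mask 248: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
    private static final int STANDARD_KEY_USAGE = KeyUsage.digitalSignature
            | KeyUsage.nonRepudiation
            | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment
            | KeyUsage.keyAgreement;
    // Bit mask 254: standard usage plus keyCertSign and cRLSign for Certificate Authorities
    private static final int AUTHORITY_KEY_USAGE = STANDARD_KEY_USAGE | KeyUsage.keyCertSign | KeyUsage.cRLSign;
    private final KeyPair issuerKeyPair;
    private final X500Principal issuer;
    private final Duration validityPeriod;
    private PublicKey subjectPublicKey;
    private X500Principal subject;
    // setBit(0) keeps the serial number positive as RFC 5280 requires, at the cost of one bit of entropy
    private final BigInteger serialNumber = new BigInteger(SERIAL_NUMBER_BITS, SECURE_RANDOM).setBit(0);
    private Set<String> dnsSubjectAlternativeNames = Collections.emptySet();

    /**
     * Create a builder configured for a self-signed certificate; the setters redirect it to another subject.
     *
     * @param keyPair Issuer Key Pair: the private key signs the certificate and the public key is the default subject key
     * @param x500Principal Issuer Distinguished Name, also the default subject
     * @param duration Validity Period measured from the moment {@link #build()} runs; a zero or negative duration is
     *                 not rejected and yields a certificate that is already expired
     * @throws NullPointerException when any argument is null
     */
    public StandardCertificateBuilder(KeyPair keyPair, X500Principal x500Principal, Duration duration) {
        this.issuerKeyPair = Objects.requireNonNull(keyPair, "Issuer Key Pair required");
        this.issuer = Objects.requireNonNull(x500Principal, "Issuer required");
        this.validityPeriod = Objects.requireNonNull(duration, "Validity Period required");
        this.subject = x500Principal;
        this.subjectPublicKey = keyPair.getPublic();
    }

    /**
     * Build and sign the certificate from the current issuer and subject configuration.
     *
     * @return Signed X.509 Certificate in the JCA representation
     * @throws IllegalArgumentException when signer creation, extension encoding or certificate conversion fails
     */
    @Override
    public X509Certificate build() {
        try {
            return new JcaX509CertificateConverter().getCertificate(getCertificateHolder());
        } catch (CertificateException e) {
            throw new IllegalArgumentException("X.509 Certificate conversion failed", e);
        }
    }

    /**
     * Set the subject Distinguished Name, replacing the issuer principal used by default.
     *
     * @param x500Principal Subject Distinguished Name
     * @return this builder
     * @throws NullPointerException when the principal is null
     */
    public StandardCertificateBuilder setSubject(X500Principal x500Principal) {
        this.subject = Objects.requireNonNull(x500Principal, "Subject required");
        return this;
    }

    /**
     * Set the subject public key, replacing the issuer public key used by default. A key different from the issuer
     * public key turns off the Certificate Authority flag in Basic Constraints.
     *
     * @param publicKey Subject Public Key
     * @return this builder
     * @throws NullPointerException when the key is null
     */
    public StandardCertificateBuilder setSubjectPublicKey(PublicKey publicKey) {
        this.subjectPublicKey = Objects.requireNonNull(publicKey, "Subject Public Key required");
        return this;
    }

    /**
     * Set DNS names written to the Subject Alternative Name extension after the subject Common Name. The
     * collection is copied in iteration order with duplicates removed; the names are not validated as host names.
     *
     * @param collection DNS Names
     * @return this builder
     * @throws NullPointerException when the collection is null
     */
    public StandardCertificateBuilder setDnsSubjectAlternativeNames(Collection<String> collection) {
        this.dnsSubjectAlternativeNames = new LinkedHashSet<>(Objects.requireNonNull(collection, "DNS Names required"));
        return this;
    }

    /**
     * Add the standard extension set; Key Usage is the only critical extension.
     *
     * @throws IllegalArgumentException when Bouncy Castle fails to encode an extension
     */
    private void setExtensions(X509v3CertificateBuilder certificateBuilder) {
        JcaX509ExtensionUtils extensionUtils = getExtensionUtils();
        try {
            BasicConstraints basicConstraints = getBasicConstraints();
            certificateBuilder.addExtension(Extension.basicConstraints, NOT_CRITICAL, basicConstraints);
            certificateBuilder.addExtension(Extension.keyUsage, CRITICAL, getKeyUsage(basicConstraints.isCA()));
            certificateBuilder.addExtension(Extension.subjectKeyIdentifier, NOT_CRITICAL, extensionUtils.createSubjectKeyIdentifier(subjectPublicKey));
            certificateBuilder.addExtension(Extension.authorityKeyIdentifier, NOT_CRITICAL, extensionUtils.createAuthorityKeyIdentifier(issuerKeyPair.getPublic()));
            certificateBuilder.addExtension(Extension.extendedKeyUsage, NOT_CRITICAL, new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}));
            certificateBuilder.addExtension(Extension.subjectAlternativeName, NOT_CRITICAL, getSubjectAlternativeNames());
        } catch (CertIOException e) {
            throw new IllegalArgumentException("Certificate Extension addition failed", e);
        }
    }

    /**
     * Basic Constraints with the Certificate Authority flag set when the certificate is self-signed, meaning the
     * subject public key equals the issuer public key. No path length constraint is written.
     */
    private BasicConstraints getBasicConstraints() {
        boolean selfSigned = subjectPublicKey.equals(issuerKeyPair.getPublic());
        return new BasicConstraints(selfSigned);
    }

    /**
     * Key Usage for the certificate type.
     *
     * @param certificateAuthority true adds keyCertSign and cRLSign to the standard usage bits
     */
    private KeyUsage getKeyUsage(boolean certificateAuthority) {
        return new KeyUsage(certificateAuthority ? AUTHORITY_KEY_USAGE : STANDARD_KEY_USAGE);
    }

    /**
     * Subject Alternative Names: the subject Common Name as the first dNSName followed by the configured DNS names
     * in insertion order. Duplicate names collapse through the set; the Common Name is written as a dNSName even
     * when it is not a host name.
     */
    private GeneralNames getSubjectAlternativeNames() {
        Set<GeneralName> generalNames = new LinkedHashSet<>();
        generalNames.add(new GeneralName(GeneralName.dNSName, getSubjectCommonName()));
        for (String dnsName : dnsSubjectAlternativeNames) {
            generalNames.add(new GeneralName(GeneralName.dNSName, dnsName));
        }
        return new GeneralNames(generalNames.toArray(new GeneralName[0]));
    }

    /**
     * First Common Name attribute of the subject, or {@code localhost} when the subject has no Common Name.
     */
    private String getSubjectCommonName() {
        RDN[] commonNames = getName(subject).getRDNs(BCStyle.CN);
        if (commonNames.length == 0) {
            return LOCALHOST;
        }
        return IETFUtils.valueToString(commonNames[0].getFirst().getValue());
    }

    /**
     * Populate the certificate builder with extensions and sign it with the issuer private key.
     */
    private X509CertificateHolder getCertificateHolder() {
        X509v3CertificateBuilder certificateBuilder = getCertificateBuilder();
        setExtensions(certificateBuilder);
        return certificateBuilder.build(getContentSigner());
    }

    /**
     * Certificate builder with issuer, serial number, validity window starting now, subject and subject public key.
     */
    private X509v3CertificateBuilder getCertificateBuilder() {
        Instant notBefore = Instant.now();
        Instant notAfter = notBefore.plus(validityPeriod);
        return new X509v3CertificateBuilder(
                getName(issuer),
                serialNumber,
                Date.from(notBefore),
                Date.from(notAfter),
                getName(subject),
                SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded())
        );
    }

    /**
     * Content Signer over the issuer private key using the signature algorithm matching the key algorithm.
     *
     * @throws IllegalArgumentException when the provider cannot create a signer for the key and algorithm
     */
    private ContentSigner getContentSigner() {
        try {
            return new JcaContentSignerBuilder(getSigningAlgorithm()).build(issuerKeyPair.getPrivate());
        } catch (OperatorCreationException e) {
            throw new IllegalArgumentException("Certificate Signer creation failed", e);
        }
    }

    /**
     * Signature algorithm for the issuer private key: SHA256withECDSA for EC keys, otherwise SHA256withRSA.
     */
    private String getSigningAlgorithm() {
        String keyAlgorithm = issuerKeyPair.getPrivate().getAlgorithm();
        return EC_KEY_ALGORITHM.equals(keyAlgorithm) ? EC_SIGNING_ALGORITHM : SIGNING_ALGORITHM;
    }

    /**
     * Extension Utilities for Subject and Authority Key Identifier generation.
     *
     * @throws IllegalArgumentException when the digest algorithm Bouncy Castle uses for key identifiers is unavailable
     */
    private JcaX509ExtensionUtils getExtensionUtils() {
        try {
            return new JcaX509ExtensionUtils();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Certificate Extension Utilities creation failed", e);
        }
    }

    /**
     * Convert a principal to a Bouncy Castle name by parsing its RFC 2253 string form with RFC 4519 attribute types.
     */
    private X500Name getName(X500Principal x500Principal) {
        return new X500Name(RFC4519Style.INSTANCE, x500Principal.getName());
    }
}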
