package cern.c2mon.daq.opcua.security;

import cern.c2mon.daq.opcua.config.AppConfigProperties;
import cern.c2mon.daq.opcua.scope.EquipmentScoped;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Optional;
import org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateBuilder;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

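/**
 * A {@link Certifier} that creates a self-signed application certificate and RSA key pair on demand.
 *
 * <p>Only security policies whose asymmetric signature algorithm is RSA with SHA-256 are supported.
 * The generated key pair and certificate are stored in the {@code keyPair} and {@code certificate}
 * fields, which are not declared in this class (presumably inherited from {@link CertifierBase}).
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>A self-signed certificate has no chain of trust. The remote server can only authenticate this
 *       client if the certificate is explicitly added to the server's trust list out of band.</li>
 *   <li>This class does not persist the generated material itself. NOTE(review): if nothing else
 *       persists it, every new instance presents a different certificate and has to be trusted
 *       again on the server side. Confirm against the callers.</li>
 *   <li>The validity period is left at the builder's default and no DNS names or IP addresses are
 *       added. NOTE(review): confirm this matches what the target servers validate.</li>
 * </ul>
 */
@EquipmentScoped
/* loaded from: input_file:cern/c2mon/daq/opcua/security/CertificateGenerator.class */
public class CertificateGenerator extends CertifierBase {
    private static final Logger log = LoggerFactory.getLogger(CertificateGenerator.class);

    /** Transformations of the asymmetric signature algorithms this certifier can generate a certificate for. */
    private static final String[] SUPPORTED_SIG_ALGS = {SecurityAlgorithm.RsaSha256.getTransformation()};

    /** Modulus length in bits of the generated RSA key. */
    private static final int RSA_KEY_SIZE_BITS = 2048;

    private final AppConfigProperties config;

    /**
     * Creates a generator that takes the certificate subject fields and application URI from the
     * given configuration.
     *
     * @param appConfigProperties the application properties read when a certificate is generated
     */
    public CertificateGenerator(AppConfigProperties appConfigProperties) {
        this.config = appConfigProperties;
    }

    /**
     * Reports whether the endpoint's security policy uses a signature algorithm this class can serve.
     *
     * @param endpointDescription the endpoint to check, may be {@code null}
     * @return {@code true} if the endpoint's security policy URI is known and its asymmetric signature
     *     algorithm is one of {@link #SUPPORTED_SIG_ALGS}; {@code false} otherwise, including for a
     *     {@code null} endpoint
     */
    @Override // cern.c2mon.daq.opcua.security.Certifier
    public boolean supportsAlgorithm(EndpointDescription endpointDescription) {
        if (endpointDescription == null) {
            return false;
        }
        Optional<SecurityPolicy> policy = SecurityPolicy.fromUriSafe(endpointDescription.getSecurityPolicyUri());
        if (!policy.isPresent()) {
            return false;
        }
        String transformation = policy.get().getAsymmetricSignatureAlgorithm().getTransformation();
        return Arrays.stream(SUPPORTED_SIG_ALGS).anyMatch(alg -> alg.equalsIgnoreCase(transformation));
    }

    /**
     * Reports whether a certificate suitable for the endpoint is available, generating one if needed.
     *
     * <p>This method has a side effect: when no matching certificate exists yet, a new key pair and
     * self-signed certificate are generated and stored on this instance.
     *
     * @param endpointDescription the endpoint to certify against, may be {@code null}
     * @return {@code true} if a matching certificate already existed or was generated successfully;
     *     {@code false} for a {@code null} endpoint, an unknown or unsupported security policy, or a
     *     failed generation
     */
    @Override // cern.c2mon.daq.opcua.security.Certifier
    public boolean canCertify(EndpointDescription endpointDescription) {
        // supportsAlgorithm tolerates null; guard here as well so both entry points agree
        // instead of failing with a NullPointerException on the dereference below.
        if (endpointDescription == null) {
            return false;
        }
        Optional<SecurityPolicy> policy = SecurityPolicy.fromUriSafe(endpointDescription.getSecurityPolicyUri());
        return policy.isPresent()
                && supportsAlgorithm(endpointDescription)
                && generateCertificateIfMissing(policy.get());
    }

    /**
     * Reuses the existing certificate when it matches the policy, otherwise generates a new one for
     * RSA/SHA-256 policies.
     *
     * @param securityPolicy the policy the certificate has to match
     * @return {@code true} if a usable certificate is present after the call
     */
    private boolean generateCertificateIfMissing(SecurityPolicy securityPolicy) {
        if (existingCertificateMatchesSecurityPolicy(securityPolicy)) {
            return true;
        }
        return SecurityAlgorithm.RsaSha256.equals(securityPolicy.getAsymmetricSignatureAlgorithm())
                && generateRSASHA256();
    }

    /**
     * Generates an RSA key pair and a self-signed certificate whose subject fields and application
     * URI come from the configuration, and stores both on this instance.
     *
     * <p>The key pair and certificate are only assigned together, after both were created, so a
     * failure leaves the previous values untouched. Only the failure itself is logged; no key
     * material is written to the log.
     *
     * @return {@code true} if both the key pair and the certificate were created
     */
    private boolean generateRSASHA256() {
        log.info("Generating self-signed certificate and keypair.");
        try {
            KeyPair generatedKeyPair = SelfSignedCertificateGenerator.generateRsaKeyPair(RSA_KEY_SIZE_BITS);
            X509Certificate generatedCertificate = new SelfSignedCertificateBuilder(generatedKeyPair)
                    .setCommonName(this.config.getApplicationName())
                    .setOrganization(this.config.getOrganization())
                    .setOrganizationalUnit(this.config.getOrganizationalUnit())
                    .setLocalityName(this.config.getLocalityName())
                    .setStateName(this.config.getStateName())
                    .setCountryCode(this.config.getCountryCode())
                    .setApplicationUri(this.config.getApplicationUri())
                    .build();
            if (generatedCertificate == null) {
                // Previously this path failed silently; leave a trace for whoever debugs the connection.
                log.error("Could not generate certificate: the certificate builder returned no certificate.");
                return false;
            }
            this.keyPair = generatedKeyPair;
            this.certificate = generatedCertificate;
            return true;
        } catch (NoSuchAlgorithmException e) {
            log.error("Could not generate RSA keypair.", e);
            return false;
        } catch (Exception e) {
            // Broad on purpose: any failure while building the certificate is reported as "cannot certify".
            log.error("Could not generate certificate.", e);
            return false;
        }
    }
}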
