package io.airlift.security.cert;

import com.google.common.base.Preconditions;
import io.airlift.security.der.DerUtils;
import java.io.ByteArrayInputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:io/airlift/security/cert/CertificateBuilder.class */
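/**
 * Fluent builder for a self-signed X.509 v3 certificate over an RSA key pair, signed with
 * SHA256withRSA.
 *
 * <p>The certificate is assembled by hand from the DER primitives in {@link DerUtils} and then
 * parsed through the JDK {@link CertificateFactory}.
 *
 * <p>Points to keep in mind when using the result:
 * <ul>
 *   <li>Every certificate built here carries a critical basicConstraints extension with
 *       cA = TRUE and no keyUsage, extendedKeyUsage or nameConstraints extension. Anything that
 *       trusts the certificate therefore trusts it as an unconstrained issuer, so the matching
 *       private key needs the same protection as a CA key and the certificate should only be
 *       added to narrowly scoped trust stores.</li>
 *   <li>The builder does not check that the private key corresponds to the public key, and it
 *       does not verify the signature it produces. Callers that need that guarantee can call
 *       {@link X509Certificate#verify(java.security.PublicKey)} on the result.</li>
 *   <li>Subject alternative names are written exactly as supplied; no hostname validation is
 *       performed (see {@link #addSanDnsName(String)}).</li>
 * </ul>
 *
 * <p>Instances are mutable and unsynchronized.
 */
public class CertificateBuilder {
    private static final byte[] SHA_256_WITH_RSA_ENCRYPTION_OID = DerUtils.encodeOid("1.2.840.113549.1.1.11");
    private static final byte[] SUBJECT_KEY_IDENTIFIER_OID = DerUtils.encodeOid("2.5.29.14");
    private static final byte[] AUTHORITY_KEY_IDENTIFIER_OID = DerUtils.encodeOid("2.5.29.35");
    private static final byte[] BASIC_CONSTRAINTS_OID = DerUtils.encodeOid("2.5.29.19");
    private static final byte[] SUBJECT_ALT_NAME_OID = DerUtils.encodeOid("2.5.29.17");

    // GeneralName context tags used inside subjectAltName (RFC 5280 section 4.2.1.6).
    private static final int GENERAL_NAME_DNS_NAME_TAG = 2;
    private static final int GENERAL_NAME_IP_ADDRESS_TAG = 7;

    private RSAPublicKey publicKey;
    private RSAPrivateKey privateKey;
    // Primitive, so it is 0 until setSerialNumber is called; buildSelfSigned does not require it.
    private long serialNumber;
    private X500Principal issuer;
    private Instant notBefore;
    private Instant notAfter;
    private X500Principal subject;
    private final List<String> sanDnsNames = new ArrayList<>();
    private final List<InetAddress> sanIpAddresses = new ArrayList<>();

    private CertificateBuilder() {
    }

    /**
     * Creates an empty builder.
     *
     * @return a new builder with no fields set
     */
    public static CertificateBuilder certificateBuilder() {
        return new CertificateBuilder();
    }

    /**
     * Sets both the public and the private key from one key pair.
     *
     * @param keyPair an RSA key pair
     * @return this builder
     * @throws NullPointerException if {@code keyPair} is null
     * @throws IllegalArgumentException if either key is not an RSA key
     */
    public CertificateBuilder setKeyPair(KeyPair keyPair) {
        Objects.requireNonNull(keyPair, "keyPair is null");
        Preconditions.checkArgument(keyPair.getPublic() instanceof RSAPublicKey, "not an RSA key: %s", keyPair.getPublic());
        Preconditions.checkArgument(keyPair.getPrivate() instanceof RSAPrivateKey, "not an RSA key: %s", keyPair.getPrivate());
        setPublicKey((RSAPublicKey) keyPair.getPublic());
        setPrivateKey((RSAPrivateKey) keyPair.getPrivate());
        return this;
    }

    /**
     * Sets the key placed in subjectPublicKeyInfo and hashed into the key identifiers.
     *
     * @param rSAPublicKey the certified public key
     * @return this builder
     * @throws NullPointerException if the key is null
     */
    public CertificateBuilder setPublicKey(RSAPublicKey rSAPublicKey) {
        this.publicKey = Objects.requireNonNull(rSAPublicKey, "publicKey is null");
        return this;
    }

    /**
     * Sets the key used to sign the certificate. Nothing here checks that it matches the key
     * given to {@link #setPublicKey(RSAPublicKey)}.
     *
     * @param rSAPrivateKey the signing key
     * @return this builder
     * @throws NullPointerException if the key is null
     */
    public CertificateBuilder setPrivateKey(RSAPrivateKey rSAPrivateKey) {
        this.privateKey = Objects.requireNonNull(rSAPrivateKey, "privateKey is null");
        return this;
    }

    /**
     * Sets the certificate serial number.
     *
     * <p>Zero is accepted, and a builder on which this method is never called encodes serial 0.
     * RFC 5280 section 4.1.2.2 calls for a positive serial number that is unique per issuer, so
     * callers that reuse one issuer name for several certificates should supply distinct values.
     *
     * @param j the serial number, zero or greater
     * @return this builder
     * @throws IllegalArgumentException if {@code j} is negative
     */
    public CertificateBuilder setSerialNumber(long j) {
        Preconditions.checkArgument(j >= 0, "serialNumber is negative");
        this.serialNumber = j;
        return this;
    }

    /**
     * Sets the issuer distinguished name.
     *
     * @param x500Principal the issuer name
     * @return this builder
     * @throws NullPointerException if the name is null
     */
    public CertificateBuilder setIssuer(X500Principal x500Principal) {
        this.issuer = Objects.requireNonNull(x500Principal, "issuer is null");
        return this;
    }

    /**
     * Sets the start of the validity period.
     *
     * @param instant the first instant at which the certificate is valid
     * @return this builder
     * @throws NullPointerException if the instant is null
     */
    public CertificateBuilder setNotBefore(Instant instant) {
        this.notBefore = Objects.requireNonNull(instant, "notBefore is null");
        return this;
    }

    /**
     * Sets the start of the validity period to 00:00:00 UTC on the given date.
     *
     * @param localDate the first day of validity
     * @return this builder
     * @throws NullPointerException if the date is null
     */
    public CertificateBuilder setNotBefore(LocalDate localDate) {
        Objects.requireNonNull(localDate, "notBefore is null");
        this.notBefore = localDate.atStartOfDay().toInstant(ZoneOffset.UTC);
        return this;
    }

    /**
     * Sets the end of the validity period.
     *
     * @param instant the last instant at which the certificate is valid
     * @return this builder
     * @throws NullPointerException if the instant is null
     */
    public CertificateBuilder setNotAfter(Instant instant) {
        this.notAfter = Objects.requireNonNull(instant, "notAfter is null");
        return this;
    }

    /**
     * Sets the end of the validity period to 23:59:59 UTC on the given date.
     *
     * @param localDate the last day of validity
     * @return this builder
     * @throws NullPointerException if the date is null
     */
    public CertificateBuilder setNotAfter(LocalDate localDate) {
        Objects.requireNonNull(localDate, "notAfter is null");
        this.notAfter = localDate.atTime(23, 59, 59).toInstant(ZoneOffset.UTC);
        return this;
    }

    /**
     * Sets the subject distinguished name.
     *
     * @param x500Principal the subject name
     * @return this builder
     * @throws NullPointerException if the name is null
     */
    public CertificateBuilder setSubject(X500Principal x500Principal) {
        this.subject = Objects.requireNonNull(x500Principal, "subject is null");
        return this;
    }

    /**
     * Adds an iPAddress entry to the subject alternative name extension.
     *
     * @param inetAddress the address to certify
     * @return this builder
     * @throws NullPointerException if the address is null
     */
    public CertificateBuilder addSanIpAddress(InetAddress inetAddress) {
        this.sanIpAddresses.add(Objects.requireNonNull(inetAddress, "address is null"));
        return this;
    }

    /**
     * Adds one iPAddress entry per element, in list order.
     *
     * @param list the addresses to certify
     * @return this builder
     * @throws NullPointerException if the list or any element is null
     */
    public CertificateBuilder addSanIpAddresses(List<InetAddress> list) {
        Objects.requireNonNull(list, "addresses is null");
        list.forEach(this::addSanIpAddress);
        return this;
    }

    /**
     * Adds a dNSName entry to the subject alternative name extension.
     *
     * <p>The name is stored as given and later written as its raw UTF-8 bytes. dNSName is an
     * IA5String, so a name with non-ASCII characters produces an entry that relying parties may
     * reject or fail to match; convert internationalized names to their ASCII form (for example
     * with {@link java.net.IDN#toASCII(String)}) before passing them in. No syntax check is
     * applied here, so names taken from configuration or user input should be validated by the
     * caller first.
     *
     * @param str the host name to certify
     * @return this builder
     * @throws NullPointerException if the name is null
     */
    public CertificateBuilder addSanDnsName(String str) {
        this.sanDnsNames.add(Objects.requireNonNull(str, "dnsName is null"));
        return this;
    }

    /**
     * Adds one dNSName entry per element, in list order. The method name keeps its existing
     * spelling so that current callers continue to compile.
     *
     * @param list the host names to certify
     * @return this builder
     * @throws NullPointerException if the list or any element is null
     */
    public CertificateBuilder addSanDnsNamees(List<String> list) {
        Objects.requireNonNull(list, "dnsNames is null");
        list.forEach(this::addSanDnsName);
        return this;
    }

    /**
     * Encodes, signs and parses the certificate.
     *
     * <p>Layout of the TBSCertificate: version v3, serial number, sha256WithRSAEncryption,
     * issuer, validity, subject, subjectPublicKeyInfo, then four extensions: subjectKeyIdentifier,
     * authorityKeyIdentifier (same key hash), basicConstraints (critical, cA = TRUE) and
     * subjectAltName (DNS names first, then IP addresses, each in insertion order).
     *
     * @return the parsed certificate
     * @throws IllegalStateException if a key, the issuer, the subject or a validity bound is
     *         missing, or if notBefore is after notAfter
     * @throws GeneralSecurityException if hashing, signing or parsing fails
     */
    public X509Certificate buildSelfSigned() throws GeneralSecurityException {
        Preconditions.checkState(this.publicKey != null, "publicKey is not set");
        Preconditions.checkState(this.privateKey != null, "privateKey is not set");
        Preconditions.checkState(this.issuer != null, "issuer is not set");
        Preconditions.checkState(this.notBefore != null, "notBefore is not set");
        Preconditions.checkState(this.notAfter != null, "notAfter is not set");
        Preconditions.checkState(!this.notBefore.isAfter(this.notAfter), "notAfter is before notBefore");
        Preconditions.checkState(this.subject != null, "subject is not set");
        // NOTE(review): issuer and subject are not compared. A certificate only chains to itself
        // when the two names are equal; confirm whether differing names are ever intended here.

        byte[] publicKeyHash = hashPublicKey();

        List<byte[]> sanEntries = new ArrayList<>();
        for (String dnsName : this.sanDnsNames) {
            sanEntries.add(DerUtils.encodeContextSpecificTag(GENERAL_NAME_DNS_NAME_TAG, dnsName.getBytes(StandardCharsets.UTF_8)));
        }
        for (InetAddress address : this.sanIpAddresses) {
            sanEntries.add(DerUtils.encodeContextSpecificTag(GENERAL_NAME_IP_ADDRESS_TAG, address.getAddress()));
        }

        // extnValue is an OCTET STRING that wraps the KeyIdentifier, itself an OCTET STRING.
        byte[] subjectKeyIdentifier = DerUtils.encodeSequence(new byte[][] {
                SUBJECT_KEY_IDENTIFIER_OID,
                DerUtils.encodeOctetString(DerUtils.encodeOctetString(publicKeyHash))});

        // [0] keyIdentifier; for a self-signed certificate it equals the subject key identifier.
        byte[] authorityKeyIdentifier = DerUtils.encodeSequence(new byte[][] {
                AUTHORITY_KEY_IDENTIFIER_OID,
                DerUtils.encodeOctetString(DerUtils.encodeSequence(new byte[][] {
                        DerUtils.encodeContextSpecificTag(0, publicKeyHash)}))});

        // First TRUE marks the extension critical, the inner TRUE is cA. No pathLenConstraint.
        byte[] basicConstraints = DerUtils.encodeSequence(new byte[][] {
                BASIC_CONSTRAINTS_OID,
                DerUtils.encodeBooleanTrue(),
                DerUtils.encodeOctetString(DerUtils.encodeSequence(new byte[][] {DerUtils.encodeBooleanTrue()}))});

        // NOTE(review): the extension is written even when no name was added, which yields an
        // empty GeneralNames sequence. RFC 5280 section 4.2.1.6 requires at least one entry when
        // the extension is present; confirm whether it should be omitted in that case.
        byte[] subjectAltName = DerUtils.encodeSequence(new byte[][] {
                SUBJECT_ALT_NAME_OID,
                DerUtils.encodeOctetString(DerUtils.encodeSequence(sanEntries.toArray(new byte[0][])))});

        byte[] extensions = DerUtils.encodeContextSpecificSequence(3, new byte[][] {
                DerUtils.encodeSequence(new byte[][] {
                        subjectKeyIdentifier,
                        authorityKeyIdentifier,
                        basicConstraints,
                        subjectAltName})});

        // NOTE(review): UTCTime has a two-digit year and RFC 5280 section 4.1.2.5 requires
        // GeneralizedTime from 2050 onwards; confirm how DerUtils.encodeUtcTime treats such dates.
        byte[] validity = DerUtils.encodeSequence(new byte[][] {
                DerUtils.encodeUtcTime(this.notBefore),
                DerUtils.encodeUtcTime(this.notAfter)});

        byte[] tbsCertificate = DerUtils.encodeSequence(new byte[][] {
                // [0] EXPLICIT version, INTEGER 2 means v3
                DerUtils.encodeContextSpecificSequence(0, new byte[][] {DerUtils.encodeInteger(2L)}),
                DerUtils.encodeInteger(this.serialNumber),
                signatureAlgorithmIdentifier(),
                this.issuer.getEncoded(),
                validity,
                this.subject.getEncoded(),
                this.publicKey.getEncoded(),
                extensions});

        byte[] encodedCertificate = DerUtils.encodeSequence(new byte[][] {
                tbsCertificate,
                signatureAlgorithmIdentifier(),
                DerUtils.encodeBitString(0, signCertificate(tbsCertificate))});

        // Parsing validates the DER structure only; the signature is not checked at this point.
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(encodedCertificate));
    }

    /** Builds a fresh AlgorithmIdentifier for sha256WithRSAEncryption with NULL parameters. */
    private static byte[] signatureAlgorithmIdentifier() {
        return DerUtils.encodeSequence(new byte[][] {SHA_256_WITH_RSA_ENCRYPTION_OID, DerUtils.encodeNull()});
    }

    /**
     * Signs the encoded TBSCertificate with the configured private key using SHA256withRSA.
     *
     * @param bArr the DER-encoded TBSCertificate
     * @return the raw signature bytes
     * @throws GeneralSecurityException if the algorithm is unavailable or the key is rejected
     */
    private byte[] signCertificate(byte[] bArr) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(this.privateKey);
        signer.update(bArr);
        return signer.sign();
    }

    /**
     * Computes the key identifier: SHA-1 over the DER SEQUENCE of modulus and public exponent.
     *
     * <p>This follows the SHA-1 based method of RFC 5280 section 4.2.1.2. The digest only labels
     * the key for chain building; the certificate signature itself uses SHA-256.
     *
     * @return the 20-byte key identifier
     * @throws NoSuchAlgorithmException if the provider offers no SHA-1 implementation
     */
    private byte[] hashPublicKey() throws NoSuchAlgorithmException {
        byte[] rsaPublicKey = DerUtils.encodeSequence(new byte[][] {
                DerUtils.encodeInteger(this.publicKey.getModulus()),
                DerUtils.encodeInteger(this.publicKey.getPublicExponent())});
        return MessageDigest.getInstance("SHA-1").digest(rsaPublicKey);
    }
}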
