package org.esteid.sk;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1UTCTime;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/esteid/sk/FakeEstEIDCA.class */
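/**
 * A throw-away look-alike of the SK EstEID certificate hierarchy, for testing.
 *
 * <p>{@link #generate()} creates a fresh RSA root and intermediate ("esteid") CA. Their
 * certificates copy issuer, subject, serial number, validity and every extension of the real
 * SK certificates bundled as classpath resources ({@code sk-root.pem}, {@code sk-esteid.pem})
 * but carry freshly generated keys. End-user certificates are then issued from the
 * intermediate by taking one of the real user-certificate templates ({@code sk-auth.pem},
 * {@code sk-sign.pem} and their {@code -ecc} variants), swapping in the caller's key, subject
 * name, e-mail and validity, and signing with the fake intermediate key.
 *
 * <p>Nothing produced here is trusted by anyone unless the fake root is explicitly installed.
 * The PKCS#12 file written by {@link #storeToFile(File)} is protected by a fixed, well-known
 * password and holds both CA private keys, so it must be treated as test material only.
 *
 * <p>Not thread-safe: the CA key/certificate fields are plain mutable state.
 */
public class FakeEstEIDCA {
    /** Key-store alias of the root CA entry. */
    private static final String root = "root";
    /** Key-store alias of the intermediate (ESTEID) CA entry. */
    private static final String esteid = "esteid";
    private static final Logger log = LoggerFactory.getLogger(FakeEstEIDCA.class);
    /**
     * Fixed password for the PKCS#12 produced by {@link #storeToFile(File)}. Deliberately
     * hard-coded because this is test PKI — but whoever obtains that file can issue
     * certificates chaining to the fake root.
     */
    private static final char[] password = "infected".toCharArray();
    private static final SecureRandom random = new SecureRandom();
    /**
     * Characters that {@link X500Name#X500Name(String)} treats as DN syntax. A subject value
     * containing one of them would be parsed into extra or malformed RDNs instead of being
     * kept verbatim, so such values are rejected up front.
     */
    private static final String DN_SPECIALS = ",+=\"\\";
    /** Validity used for user certificates when the caller passes {@code null} dates. */
    private static final String DEFAULT_NOT_BEFORE = "2017-01-01";
    private static final String DEFAULT_NOT_AFTER = "2017-12-31";

    private RSAPrivateCrtKey rootKey;
    private X509Certificate rootCert;
    private RSAPrivateCrtKey esteidKey;
    private X509Certificate esteidCert;

    /**
     * Loads one of the bundled PEM certificate templates.
     *
     * @param str resource name, resolved relative to this class's package (no leading slash)
     * @return the parsed certificate
     * @throws IOException if the resource is missing, unreadable, or its first PEM object is
     *                     not an X.509 certificate
     */
    static X509CertificateHolder getRealCert(String str) throws IOException {
        InputStream in = FakeEstEIDCA.class.getResourceAsStream(str);
        if (in == null) {
            // Without this check the caller would get a bare NullPointerException from the reader.
            throw new IOException("Certificate template not found on classpath: " + str);
        }
        try (PEMParser parser = new PEMParser(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            Object pem = parser.readObject();
            if (!(pem instanceof X509CertificateHolder)) {
                throw new IOException("Expected an X.509 certificate in " + str + " but found "
                        + (pem == null ? "no PEM object" : pem.getClass().getName()));
            }
            return (X509CertificateHolder) pem;
        }
    }

    /**
     * Converts a BC certificate holder into a JCA {@link X509Certificate} using the BC provider.
     * Despite the name, no PEM encoding is involved; the name is kept for existing callers.
     *
     * @throws CertificateException if the holder cannot be converted
     */
    public static X509Certificate holder2pem(X509CertificateHolder holder) throws CertificateException {
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /**
     * Generates fresh root (2048-bit RSA) and intermediate (4096-bit RSA) key pairs and the
     * corresponding look-alike CA certificates. Replaces any previously generated or loaded
     * CA state. The key sizes presumably mirror the real SK certificates — verify before
     * changing them.
     */
    public void generate() throws NoSuchAlgorithmException, InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, ParseException, OperatorCreationException, CertificateException {
        log.info("Generating CA ...");
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair rootPair = generator.generateKeyPair();
        generator.initialize(4096);
        KeyPair esteidPair = generator.generateKeyPair();
        this.rootKey = (RSAPrivateCrtKey) rootPair.getPrivate();
        this.esteidKey = (RSAPrivateCrtKey) esteidPair.getPrivate();
        this.rootCert = makeRootCert(rootPair);
        this.esteidCert = makeEsteidCert(esteidPair, rootPair);
    }

    /** @return the fake intermediate CA certificate, or {@code null} before generate/load */
    public X509Certificate getIntermediateCert() {
        return this.esteidCert;
    }

    /** @return the fake root CA certificate, or {@code null} before generate/load */
    public X509Certificate getRootCert() {
        return this.rootCert;
    }

    /**
     * Builds the self-signed fake root from the {@code sk-root.pem} template, keeping its
     * names, serial, validity and extensions and substituting the new public key.
     */
    private X509Certificate makeRootCert(KeyPair keyPair) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {
        X509CertificateHolder template = getRealCert("sk-root.pem");
        // Both validity bounds are re-encoded as GeneralizedTime; presumably this matches the
        // real root's encoding (the intermediate below uses UTCTime for notBefore) — keep as-is.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                template.getIssuer(),
                template.getSerialNumber(),
                Time.getInstance(new ASN1GeneralizedTime(template.getNotBefore())),
                Time.getInstance(new ASN1GeneralizedTime(template.getNotAfter())),
                template.getSubject(),
                keyPair.getPublic());
        copyExtensions(builder, template, null);
        // NOTE(review): SHA1withRSA is a weak signature algorithm. It is kept here only to make
        // the fake root resemble the real one; a self-signed test root is the one place this is
        // harmless. Do not copy this choice elsewhere.
        return sign(builder, "SHA1withRSA", keyPair.getPrivate());
    }

    /**
     * Builds the fake intermediate from the {@code sk-esteid.pem} template, signed by the fake
     * root key.
     *
     * @param subjectPair key pair whose public key goes into the certificate
     * @param issuerPair  root key pair that signs it
     */
    private X509Certificate makeEsteidCert(KeyPair subjectPair, KeyPair issuerPair) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {
        X509CertificateHolder template = getRealCert("sk-esteid.pem");
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                template.getIssuer(),
                template.getSerialNumber(),
                Time.getInstance(new ASN1UTCTime(template.getNotBefore())),
                Time.getInstance(new ASN1GeneralizedTime(template.getNotAfter())),
                template.getSubject(),
                subjectPair.getPublic());
        copyExtensions(builder, template, null);
        return sign(builder, "SHA384withRSA", issuerPair.getPrivate());
    }

    /**
     * Issues an end-user certificate from the fake intermediate.
     *
     * @param publicKey     the subject's key; must be 2048-bit RSA or an EC key
     * @param signing       {@code true} for a "digital signature" certificate (template
     *                      {@code sk-sign*.pem}), {@code false} for "authentication"
     *                      ({@code sk-auth*.pem})
     * @param givenName     subject given name (upper-cased into GIVENNAME and the CN)
     * @param surname       subject surname (upper-cased into SURNAME and the CN)
     * @param subjectSerial value for the SERIALNUMBER RDN (also part of the CN)
     * @param email         placed, lower-cased, as the single rfc822Name in the SAN
     * @param notBefore     validity start, or {@code null} for 2017-01-01
     * @param notAfter      validity end, or {@code null} for 2017-12-31
     * @throws IllegalArgumentException for an unsupported key type, a wrong RSA key size, or
     *                                  a subject value containing DN syntax characters
     */
    public X509Certificate generateUserCertificate(PublicKey publicKey, boolean signing, String givenName, String surname, String subjectSerial, String email, Date notBefore, Date notAfter) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException {
        Objects.requireNonNull(publicKey, "publicKey");
        if (publicKey instanceof ECPublicKey) {
            return generateUserCertificate((ECPublicKey) publicKey, signing, givenName, surname, subjectSerial, email, notBefore, notAfter);
        }
        if (publicKey instanceof RSAPublicKey) {
            return generateUserCertificate((RSAPublicKey) publicKey, signing, givenName, surname, subjectSerial, email, notBefore, notAfter);
        }
        throw new IllegalArgumentException("Unknown public key type " + publicKey.getAlgorithm());
    }

    /**
     * Re-issues an existing certificate under the fake intermediate key with a different public
     * key: issuer, subject, serial, validity and all extensions are copied verbatim.
     *
     * @param publicKey       replacement key; must be 2048-bit RSA or an EC key over a 384-bit field
     * @param x509Certificate the certificate to clone
     * @throws IllegalArgumentException for an unsupported key type or size
     */
    public X509Certificate cloneUserCertificate(PublicKey publicKey, X509Certificate x509Certificate) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException {
        Objects.requireNonNull(publicKey, "publicKey");
        if (publicKey instanceof ECPublicKey) {
            return cloneUserCertificate((ECPublicKey) publicKey, x509Certificate);
        }
        if (publicKey instanceof RSAPublicKey) {
            return cloneUserCertificate((RSAPublicKey) publicKey, x509Certificate);
        }
        throw new IllegalArgumentException("Unknown public key type " + publicKey.getAlgorithm());
    }

    private X509Certificate cloneUserCertificate(RSAPublicKey rsaKey, X509Certificate original) throws OperatorCreationException, CertificateException, IOException {
        if (rsaKey.getModulus().bitLength() != 2048) {
            throw new IllegalArgumentException("Key must be 2048b RSA");
        }
        return reissue(rsaKey, original);
    }

    private X509Certificate cloneUserCertificate(ECPublicKey ecKey, X509Certificate original) throws OperatorCreationException, CertificateException, IOException {
        // NOTE(review): only the field size is checked, so any 384-bit curve passes, not just
        // secp384r1 as the message claims.
        if (ecKey.getParams().getCurve().getField().getFieldSize() != 384) {
            throw new IllegalArgumentException("Must be secp384r1 key!");
        }
        return reissue(ecKey, original);
    }

    private X509Certificate generateUserCertificate(RSAPublicKey rsaKey, boolean signing, String givenName, String surname, String subjectSerial, String email, Date notBefore, Date notAfter) throws ParseException, IOException, CertificateException, OperatorCreationException {
        if (rsaKey.getModulus().bitLength() != 2048) {
            throw new IllegalArgumentException("Key must be 2048b RSA");
        }
        return issue(rsaKey, signing, givenName, surname, subjectSerial, email, notBefore, notAfter,
                signing ? "sk-sign.pem" : "sk-auth.pem");
    }

    private X509Certificate generateUserCertificate(ECPublicKey ecKey, boolean signing, String givenName, String surname, String subjectSerial, String email, Date notBefore, Date notAfter) throws ParseException, IOException, CertificateException, OperatorCreationException {
        // NOTE(review): unlike the clone path, no curve/field-size check is applied here; any EC
        // key is accepted. Kept as-is because callers may rely on it — confirm whether intended.
        return issue(ecKey, signing, givenName, surname, subjectSerial, email, notBefore, notAfter,
                signing ? "sk-sign-ecc.pem" : "sk-auth-ecc.pem");
    }

    /**
     * Common body of the user-certificate generators: builds the subject DN and a random serial,
     * copies the template's extensions (replacing the SAN with the caller's e-mail) and signs
     * with the fake intermediate key using SHA256withRSA.
     */
    private X509Certificate issue(PublicKey subjectKey, boolean signing, String givenName, String surname, String subjectSerial, String email, Date notBefore, Date notAfter, String templateResource) throws ParseException, IOException, CertificateException, OperatorCreationException {
        Date from = notBefore != null ? notBefore : parseDate(DEFAULT_NOT_BEFORE);
        Date to = notAfter != null ? notAfter : parseDate(DEFAULT_NOT_AFTER);
        X500Name subject = buildSubject(signing, givenName, surname, subjectSerial);
        // Locale.ROOT: plain toLowerCase() would use the JVM default locale, which for tr/az
        // turns "I" into a dotless i and silently changes the address.
        String rfc822 = Objects.requireNonNull(email, "email").toLowerCase(Locale.ROOT);
        X509CertificateHolder template = getRealCert(templateResource);
        log.trace("Generating from subject: {}", template.getSubject());
        log.trace("Generating subject: {}", subject);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                template.getIssuer(), randomSerial(), from, to, subject, subjectKey);
        copyExtensions(builder, template, rfc822);
        return sign(builder, "SHA256withRSA", this.esteidKey);
    }

    /**
     * Copies every extension of {@code original} onto a new certificate for {@code newKey},
     * signed by the fake intermediate with the original's signature algorithm.
     *
     * <p>Limitations, kept for fidelity with the original behaviour: the issuer name is taken
     * from the cloned certificate (so the result chains to this CA only if that issuer equals
     * the fake intermediate's subject); the signature algorithm name is reused verbatim and must
     * be an RSA one since the intermediate key is RSA; and any SubjectKeyIdentifier extension is
     * copied unchanged, so it will not correspond to {@code newKey}.
     */
    private X509Certificate reissue(PublicKey newKey, X509Certificate original) throws OperatorCreationException, CertificateException, IOException {
        X509CertificateHolder holder = new X509CertificateHolder(original.getEncoded());
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                holder.getIssuer(),
                original.getSerialNumber(),
                original.getNotBefore(),
                original.getNotAfter(),
                holder.getSubject(),
                newKey);
        copyExtensions(builder, holder, null);
        return sign(builder, original.getSigAlgName(), this.esteidKey);
    }

    /**
     * Builds the EstEID-style subject DN. All three values are upper-cased with
     * {@link Locale#ROOT} (the default locale would mangle "i" under tr/az) and the CN repeats
     * them joined by escaped commas so the DN parser keeps the CN as one RDN.
     *
     * @throws IllegalArgumentException if a value contains DN syntax characters
     *                                  ({@link #DN_SPECIALS}) or starts with {@code #}
     */
    private static X500Name buildSubject(boolean signing, String givenName, String surname, String subjectSerial) {
        String sn = checkDnValue(surname, "surname").toUpperCase(Locale.ROOT);
        String gn = checkDnValue(givenName, "givenName").toUpperCase(Locale.ROOT);
        String serial = checkDnValue(subjectSerial, "subjectSerial").toUpperCase(Locale.ROOT);
        String ou = signing ? "digital signature" : "authentication";
        String dn = String.format("C=EE,O=ESTEID,OU=%s,CN=%s\\,%s\\,%s,SURNAME=%s,GIVENNAME=%s,SERIALNUMBER=%s",
                ou, sn, gn, serial, sn, gn, serial);
        return new X500Name(dn);
    }

    /**
     * Rejects subject values that the string DN parser would interpret as structure. Escaping
     * would be the alternative, but the exact escaping rules depend on the BC parser version, so
     * a clear error is preferred over a silently mis-structured DN.
     */
    private static String checkDnValue(String value, String what) {
        Objects.requireNonNull(value, what);
        for (int i = 0; i < value.length(); i++) {
            if (DN_SPECIALS.indexOf(value.charAt(i)) >= 0) {
                throw new IllegalArgumentException(what + " must not contain any of " + DN_SPECIALS);
            }
        }
        if (value.startsWith("#")) {
            // A leading '#' introduces a hex-encoded value in RFC 2253/4514 syntax.
            throw new IllegalArgumentException(what + " must not start with '#'");
        }
        return value;
    }

    /**
     * Random 127-bit positive certificate serial. The top bit is cleared so the DER INTEGER
     * encodes in 16 bytes without a sign-padding byte. (A zero serial, forbidden by RFC 5280, is
     * possible only with probability 2^-127 and is not guarded against.)
     */
    private static BigInteger randomSerial() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        bytes[0] &= 0x7F;
        return new BigInteger(1, bytes);
    }

    /**
     * Copies all extensions of {@code template} onto {@code builder}. When {@code email} is
     * non-null, the template's SubjectAlternativeName (if it has one) is replaced by a single
     * rfc822Name carrying it; a template without a SAN gets no SAN and the e-mail is dropped.
     */
    private static void copyExtensions(JcaX509v3CertificateBuilder builder, X509CertificateHolder template, String email) throws IOException {
        for (Object oid : template.getExtensionOIDs()) {
            Extension ext = template.getExtension((ASN1ObjectIdentifier) oid);
            if (email != null && Extension.subjectAlternativeName.equals(ext.getExtnId())) {
                builder.addExtension(ext.getExtnId(), ext.isCritical(),
                        new GeneralNames(new GeneralName(GeneralName.rfc822Name, email)));
            } else {
                builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), template);
            }
        }
    }

    /** Signs the builder's TBS with the given JCA algorithm name and key via the BC provider. */
    private static X509Certificate sign(JcaX509v3CertificateBuilder builder, String algorithm, PrivateKey key) throws OperatorCreationException, CertificateException {
        return holder2pem(builder.build(new JcaContentSignerBuilder(algorithm).setProvider("BC").build(key)));
    }

    /** Parses a {@code yyyy-MM-dd} date in the JVM default time zone. */
    private static Date parseDate(String isoDate) throws ParseException {
        return new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse(isoDate);
    }

    /**
     * Writes both CA private keys and certificates to a BC PKCS#12 file under the fixed
     * {@link #password}. The key store is assembled before the file is opened so a failure does
     * not leave an empty file behind.
     *
     * @throws IllegalStateException if no CA has been generated or loaded yet
     */
    public void storeToFile(File file) throws KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, IOException {
        if (this.rootKey == null || this.rootCert == null || this.esteidKey == null || this.esteidCert == null) {
            throw new IllegalStateException("CA has not been generated or loaded");
        }
        KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
        keyStore.load(null, password);
        keyStore.setKeyEntry(root, this.rootKey, password, new Certificate[]{this.rootCert});
        keyStore.setKeyEntry(esteid, this.esteidKey, password, new Certificate[]{this.esteidCert});
        try (FileOutputStream out = new FileOutputStream(file)) {
            keyStore.store(out, password);
        }
    }

    /**
     * Loads a CA previously written by {@link #storeToFile(File)}. The fields are only updated
     * once all four entries have been read successfully.
     *
     * @throws UnrecoverableKeyException if an expected entry is missing or is not an RSA CRT key
     */
    public void loadFromFile(File file) throws KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException {
        KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
        try (FileInputStream in = new FileInputStream(file)) {
            keyStore.load(in, password);
        }
        RSAPrivateCrtKey loadedRootKey = requireRsaKey(keyStore, root);
        X509Certificate loadedRootCert = requireCert(keyStore, root);
        RSAPrivateCrtKey loadedEsteidKey = requireRsaKey(keyStore, esteid);
        X509Certificate loadedEsteidCert = requireCert(keyStore, esteid);
        this.rootKey = loadedRootKey;
        this.rootCert = loadedRootCert;
        this.esteidKey = loadedEsteidKey;
        this.esteidCert = loadedEsteidCert;
    }

    /** Fetches a key entry, failing loudly instead of returning {@code null} or mis-casting. */
    private static RSAPrivateCrtKey requireRsaKey(KeyStore keyStore, String alias) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        Key key = keyStore.getKey(alias, password);
        if (key == null) {
            throw new UnrecoverableKeyException("Key store has no key entry '" + alias + "'");
        }
        if (!(key instanceof RSAPrivateCrtKey)) {
            throw new UnrecoverableKeyException("Key entry '" + alias + "' is not an RSA CRT key: " + key.getAlgorithm());
        }
        return (RSAPrivateCrtKey) key;
    }

    /** Fetches the certificate of a key entry, failing loudly if absent or not X.509. */
    private static X509Certificate requireCert(KeyStore keyStore, String alias) throws KeyStoreException, UnrecoverableKeyException {
        Certificate cert = keyStore.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new UnrecoverableKeyException("Key store has no X.509 certificate for entry '" + alias + "'");
        }
        return (X509Certificate) cert;
    }

    static {
        // Touch the generator once so SecureRandom self-seeds at class load rather than on the
        // first serial number request.
        random.nextBytes(new byte[2]);
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}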
