package org.apache.geode.cache.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.crypto.util.PublicKeyFactory;
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

/* loaded from: input_file:org/apache/geode/cache/ssl/CertificateBuilder.class */
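/**
 * Fluent builder that generates a fresh 2048-bit RSA key pair and an X.509 v3 certificate for it.
 *
 * <p>Without {@link #issuedBy(CertificateMaterial)} the certificate is self-signed with the
 * newly generated private key; otherwise it is signed with the issuer's private key.
 * Subject alternative names, CA status and the subject common name are set through the
 * fluent methods before calling {@link #generate()}.
 */
public class CertificateBuilder {
    /** Milliseconds per day, typed {@code long} so validity arithmetic cannot wrap in {@code int}. */
    private static final long MILLIS_PER_DAY = 86_400_000L;

    private final int days;
    private final String algorithm;
    private final List<String> dnsNames;
    private final List<InetAddress> ipAddresses;
    private X500Name name;
    private boolean isCA;
    private CertificateMaterial issuer;

    /** Creates a builder for certificates valid for 30 days and signed with SHA256withRSA. */
    public CertificateBuilder() {
        this(30, "SHA256withRSA");
    }

    /**
     * Creates a builder with an explicit validity period and signature algorithm.
     *
     * @param i number of days the certificate is valid, counted from the moment of generation
     * @param str signature algorithm name; the signer is RSA-based, so this must be an
     *     RSA signature algorithm such as {@code SHA256withRSA}
     */
    public CertificateBuilder(int i, String str) {
        this.days = i;
        this.algorithm = str;
        this.dnsNames = new ArrayList<>();
        this.ipAddresses = new ArrayList<>();
    }

    /** Wraps a host name as a dNSName subject alternative name entry. */
    private static GeneralName dnsGeneralName(String str) {
        return new GeneralName(GeneralName.dNSName, str);
    }

    /** Wraps the raw address bytes as an iPAddress subject alternative name entry. */
    private static GeneralName ipGeneralName(InetAddress inetAddress) {
        return new GeneralName(GeneralName.iPAddress, new DEROctetString(inetAddress.getAddress()));
    }

    /**
     * Sets the subject to {@code CN=<str>, O=Geode}.
     *
     * <p>NOTE(review): the value is concatenated into a distinguished-name string and then
     * parsed, so DN metacharacters in {@code str} (for example {@code ,} {@code =} {@code +})
     * are interpreted as DN syntax rather than as part of the common name. Pass only
     * trusted, plain names, or escape them first.
     *
     * @param str the common name
     * @return this builder
     */
    public CertificateBuilder commonName(String str) {
        this.name = new X500Name("CN=" + str + ", O=Geode");
        return this;
    }

    /**
     * Adds a DNS name to the subject alternative name extension.
     *
     * @param str the DNS name
     * @return this builder
     */
    public CertificateBuilder sanDnsName(String str) {
        this.dnsNames.add(str);
        return this;
    }

    /**
     * Adds an IP address to the subject alternative name extension.
     *
     * @param inetAddress the address
     * @return this builder
     */
    public CertificateBuilder sanIpAddress(InetAddress inetAddress) {
        this.ipAddresses.add(inetAddress);
        return this;
    }

    /**
     * Marks the certificate as a certificate authority; see the extensions added in
     * {@link #generate()}.
     *
     * @return this builder
     */
    public CertificateBuilder isCA() {
        this.isCA = true;
        return this;
    }

    /**
     * Sets the issuer whose private key signs the generated certificate.
     *
     * @param certificateMaterial the issuer's certificate and key material
     * @return this builder
     */
    public CertificateBuilder issuedBy(CertificateMaterial certificateMaterial) {
        this.issuer = certificateMaterial;
        return this;
    }

    /**
     * Encodes all configured DNS names and IP addresses as a GeneralNames structure.
     *
     * @return the DER encoding, or {@code null} when no alternative names were configured
     * @throws IOException if the structure cannot be encoded
     */
    private byte[] san() throws IOException {
        List<GeneralName> names = new ArrayList<>();
        for (String dnsName : this.dnsNames) {
            names.add(dnsGeneralName(dnsName));
        }
        for (InetAddress address : this.ipAddresses) {
            names.add(ipGeneralName(address));
        }
        if (names.isEmpty()) {
            return null;
        }
        return new GeneralNames(names.toArray(new GeneralName[0])).getEncoded();
    }

    /**
     * Generates a new RSA key pair and a certificate for its public key.
     *
     * @return the certificate, its key pair, and the issuer certificate ({@code null} when
     *     the certificate is self-signed)
     * @throws RuntimeException if key generation or certificate creation fails
     */
    public CertificateMaterial generate() {
        KeyPair keyPair = generateKeyPair("RSA");
        // Self-signed unless an issuer was supplied.
        PrivateKey signingKey = this.issuer == null ? keyPair.getPrivate() : this.issuer.getPrivateKey();
        X509Certificate certificate = generate(keyPair.getPublic(), signingKey);
        X509Certificate issuerCertificate = this.issuer == null ? null : this.issuer.getCertificate();
        return new CertificateMaterial(certificate, keyPair, issuerCertificate);
    }

    /**
     * Builds and signs the X.509 v3 certificate.
     *
     * @param publicKey the subject's public key
     * @param privateKey the key that signs the certificate
     * @return the signed certificate
     * @throws RuntimeException wrapping any failure while building or signing
     */
    private X509Certificate generate(PublicKey publicKey, PrivateKey privateKey) {
        try {
            AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find(this.algorithm);
            AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
            AsymmetricKeyParameter publicKeyParameter = PublicKeyFactory.createKey(publicKey.getEncoded());
            AsymmetricKeyParameter privateKeyParameter = PrivateKeyFactory.createKey(privateKey.getEncoded());
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
            ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(privateKeyParameter);

            Date notBefore = new Date();
            // Multiply in long: in int arithmetic days * 86400000 wraps for days >= 25, which
            // with the default of 30 days placed notAfter before notBefore.
            Date notAfter = new Date(notBefore.getTime() + this.days * MILLIS_PER_DAY);
            // 64 random bits from a CSPRNG, so serial numbers are not predictable.
            BigInteger serial = new BigInteger(64, new SecureRandom());

            // The issuer field must carry the signing certificate's SUBJECT name. Taking the
            // signer's own issuer DN is only correct when the signer is self-signed. The
            // encoded form is reused so the name matches the signer's subject byte for byte.
            X500Name issuerName = this.issuer == null
                    ? this.name
                    : X500Name.getInstance(this.issuer.getCertificate().getSubjectX500Principal().getEncoded());
            X509v3CertificateBuilder certificateBuilder =
                    new X509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, this.name, subjectPublicKeyInfo);

            byte[] san = san();
            if (san != null) {
                certificateBuilder.addExtension(Extension.subjectAlternativeName, false, san);
            }
            if (this.isCA) {
                // Critical extensions: the key may only sign certificates, and the path length
                // of 0 means it may not sit above another CA certificate in a chain.
                certificateBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
                certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
            }
            // NOTE(review): the key identifier is the full encoded SubjectPublicKeyInfo rather
            // than a digest of the key; unique, but larger than the usual hash-based value.
            certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(publicKeyParameter).getEncoded()));
            return new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(signer));
        } catch (Exception e) {
            throw new RuntimeException("Unable to create certificate", e);
        }
    }

    /**
     * Generates a 2048-bit key pair for the given algorithm.
     *
     * @param str the key algorithm name, e.g. {@code RSA}
     * @return the generated key pair
     * @throws RuntimeException if the algorithm is not available; the cause is preserved
     */
    private KeyPair generateKeyPair(String str) {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str);
            keyPairGenerator.initialize(2048);
            return keyPairGenerator.genKeyPair();
        } catch (NoSuchAlgorithmException e) {
            // Keep the original exception so the missing provider/algorithm is diagnosable.
            throw new RuntimeException("Unable to generate " + str + " keypair", e);
        }
    }
}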
