package org.apache.hadoop.hdds.security.x509.certificate.authority;

import java.io.IOException;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.util.Date;
import java.util.concurrent.CompletableFuture;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.PKIProfile;
import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
import org.apache.hadoop.util.Time;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.crypto.util.PublicKeyFactory;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.class */
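/**
 * Default {@code CertificateApprover} used by the SCM certificate authority.
 * <p>
 * CSR inspection is inherited unchanged from {@link BaseApprover}; this class
 * supplies the signing step. Before a certificate is issued, {@link #sign}
 * checks that the CSR subject carries the expected SCM and cluster
 * identifiers (OU and O attributes) and that the requested key is an RSA key
 * of at least the configured minimum size. A CSR is untrusted input, so every
 * field it reads is validated and a malformed request is rejected with an
 * {@link SCMSecurityException} rather than an unchecked runtime exception.
 */
public class DefaultApprover extends BaseApprover {

    /**
     * Creates an approver that validates CSRs against the given profile.
     *
     * @param pKIProfile     profile describing which CSR contents are acceptable
     * @param securityConfig security configuration of this CA
     */
    public DefaultApprover(PKIProfile pKIProfile, SecurityConfig securityConfig) {
        super(pKIProfile, securityConfig);
    }

    /**
     * Signs a certificate signing request with the CA private key and returns
     * the resulting certificate.
     * <p>
     * The subject of the issued certificate is the CSR subject, unless the
     * CSR's OU and O attributes are both the literal string {@code "null"}, in
     * which case a fresh distinguished name is built from the CSR's CN together
     * with {@code str} and {@code str2}. Any other OU/O values that do not match
     * {@code str}/{@code str2} cause the request to be rejected.
     * <p>
     * NOTE(review): this method does not verify the CSR's own signature; that is
     * presumably done during {@code inspectCSR} in {@link BaseApprover} — confirm
     * against the caller before relying on it.
     *
     * @param securityConfig                 CA configuration; provides the
     *                                       signature algorithm and minimum key size
     * @param privateKey                     CA private key used to sign
     * @param x509CertificateHolder          CA certificate; its subject becomes the issuer
     * @param date                           start of the validity period
     * @param date2                          end of the validity period
     * @param pKCS10CertificationRequest     the CSR to sign
     * @param str                            expected SCM id, matched against the
     *                                       subject's OU attribute
     * @param str2                           expected cluster id, matched against the
     *                                       subject's O attribute
     * @return the signed certificate
     * @throws SCMSecurityException     if the subject lacks OU/O/CN, carries
     *                                  unexpected OU/O values, or the key is not
     *                                  RSA or is below the configured size
     * @throws IOException              if the keys or subject cannot be decoded
     * @throws OperatorCreationException if the content signer cannot be built
     */
    @Override
    public X509CertificateHolder sign(SecurityConfig securityConfig, PrivateKey privateKey, X509CertificateHolder x509CertificateHolder, Date date, Date date2, PKCS10CertificationRequest pKCS10CertificationRequest, String str, String str2) throws IOException, OperatorCreationException {
        AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(securityConfig.getSignatureAlgo());
        AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
        AsymmetricKeyParameter caKey = PrivateKeyFactory.createKey(privateKey.getEncoded());

        SubjectPublicKeyInfo csrPublicKey = pKCS10CertificationRequest.getSubjectPublicKeyInfo();
        // Subject is validated before the key so that the rejection order
        // (identifiers first, key size second) matches the previous behaviour.
        X500Name subject = validatedSubject(pKCS10CertificationRequest.getSubject(), str, str2);
        checkRsaKeySize(securityConfig, csrPublicKey);

        // NOTE(review): the serial is derived from the monotonic clock rather
        // than a random source; confirm this satisfies the uniqueness and
        // unpredictability expectations for serials issued by this CA.
        BigInteger serial = BigInteger.valueOf(Time.monotonicNowNanos());
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                x509CertificateHolder.getSubject(), serial, date, date2, subject, csrPublicKey);
        return builder.build(new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(caKey));
    }

    /**
     * Checks the CSR subject's OU and O attributes against the expected SCM and
     * cluster ids and returns the subject to place in the issued certificate.
     *
     * @param subject           subject taken from the CSR
     * @param expectedScmId     value the OU attribute must carry
     * @param expectedClusterId value the O attribute must carry
     * @return {@code subject} when it already matches, otherwise a distinguished
     *         name rebuilt from the CSR's CN and the expected ids
     * @throws SCMSecurityException if a required attribute is missing or the
     *                              OU/O values are neither the expected ids nor
     *                              both the literal {@code "null"}
     */
    private static X500Name validatedSubject(X500Name subject, String expectedScmId, String expectedClusterId) throws SCMSecurityException {
        String csrScmId = firstRdnValue(subject, BCStyle.OU, "OU");
        String csrClusterId = firstRdnValue(subject, BCStyle.O, "O");
        if (expectedScmId.equals(csrScmId) && expectedClusterId.equals(csrClusterId)) {
            return subject;
        }
        // Only a CSR whose OU and O are both literally "null" may be rewritten;
        // any other mismatch is rejected.
        if (!"null".equalsIgnoreCase(csrScmId) || !"null".equalsIgnoreCase(csrClusterId)) {
            throw new SCMSecurityException("ScmId and ClusterId in CSR subject are incorrect.");
        }
        String commonName = firstRdnValue(subject, BCStyle.CN, "CN");
        return SecurityUtil.getDistinguishedName(commonName, expectedScmId, expectedClusterId);
    }

    /**
     * Returns the string form of the first value of the given attribute in
     * {@code subject}.
     *
     * @param subject  distinguished name to read
     * @param oid      attribute identifier to look up
     * @param attrName human-readable attribute name used in the error message
     * @return the attribute's first value as a string
     * @throws SCMSecurityException if the subject has no such attribute
     */
    private static String firstRdnValue(X500Name subject, ASN1ObjectIdentifier oid, String attrName) throws SCMSecurityException {
        if (subject.getRDNs(oid).length == 0) {
            // Previously an ArrayIndexOutOfBoundsException; a missing attribute
            // in a client-supplied CSR is a validation failure, not a bug.
            throw new SCMSecurityException("CSR subject is missing the " + attrName + " attribute.");
        }
        return subject.getRDNs(oid)[0].getFirst().getValue().toASN1Primitive().toString();
    }

    /**
     * Rejects CSR keys that are not RSA or whose modulus is shorter than the
     * configured minimum.
     *
     * @param securityConfig CA configuration providing the minimum key size
     * @param csrPublicKey   public key carried by the CSR
     * @throws SCMSecurityException if the key is not RSA or is too small
     * @throws IOException          if the key cannot be decoded
     */
    private static void checkRsaKeySize(SecurityConfig securityConfig, SubjectPublicKeyInfo csrPublicKey) throws IOException {
        AsymmetricKeyParameter key = PublicKeyFactory.createKey(csrPublicKey);
        if (!(key instanceof RSAKeyParameters)) {
            // Previously an unchecked ClassCastException for non-RSA keys.
            throw new SCMSecurityException("Only RSA keys are supported in certificate signing request");
        }
        if (((RSAKeyParameters) key).getModulus().bitLength() < securityConfig.getSize()) {
            throw new SCMSecurityException("Key size is too small in certificate signing request");
        }
    }

    /**
     * Delegates to {@link BaseApprover#inspectCSR(String)}.
     *
     * @param str PEM-encoded CSR
     * @return future holding the approved certificate
     * @throws IOException if the CSR cannot be parsed
     */
    @Override
    public CompletableFuture<X509CertificateHolder> inspectCSR(String str) throws IOException {
        return super.inspectCSR(str);
    }

    /**
     * Delegates to {@link BaseApprover#inspectCSR(PKCS10CertificationRequest)}.
     *
     * @param pKCS10CertificationRequest parsed CSR
     * @return future holding the approved certificate
     */
    @Override
    public CompletableFuture<X509CertificateHolder> inspectCSR(PKCS10CertificationRequest pKCS10CertificationRequest) {
        return super.inspectCSR(pKCS10CertificationRequest);
    }
}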
