package de.gematik.test.tiger.proxy.tls;

import de.gematik.test.tiger.common.pki.TigerPkiIdentity;
import de.gematik.test.tiger.proxy.exceptions.TigerProxyStartupException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Random;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:BOOT-INF/lib/tiger-proxy-3.7.0.jar:de/gematik/test/tiger/proxy/tls/TlsCertificateGenerator.class */
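public class TlsCertificateGenerator {
    /** RSA modulus size of the generated CA key. */
    private static final int CA_KEY_SIZE_BITS = 2048;

    /** Subject and issuer of the self-signed CA certificate. */
    private static final String CA_DISTINGUISHED_NAME = "CN=Tiger-Proxy, O=Gematik, L=Berlin, ST=Berlin, C=DE";

    /**
     * Bits of CSPRNG output used for the certificate serial number. A 159-bit positive integer encodes into at most
     * 20 DER octets, the upper bound RFC 5280 places on serial numbers.
     */
    private static final int SERIAL_NUMBER_BITS = 159;

    /** Path length constraint written into the basicConstraints extension of the CA certificate. */
    private static final int CA_PATH_LENGTH = 100;

    /**
     * Generates a fresh, self-signed CA identity (RSA key, SHA-256 signature) for the proxy.
     *
     * @return the CA certificate together with the matching private key
     * @throws TigerProxyStartupException if key generation, ASN.1 encoding or signing fails; the underlying
     *     exception is kept as the cause
     */
    public static TigerPkiIdentity generateNewCaCertificate() {
        try {
            return generateNewCaCertificateUnsafe();
        } catch (IOException | GeneralSecurityException | OperatorCreationException e) {
            throw new TigerProxyStartupException("Error while generating CA certificate", e);
        }
    }

    /**
     * Builds and signs the CA certificate; checked exceptions are left to the caller to wrap.
     *
     * @return the signed CA certificate and its private key
     * @throws GeneralSecurityException if the key pair cannot be generated or the certificate cannot be converted
     * @throws IOException if the public key cannot be parsed for the subjectKeyIdentifier extension
     * @throws OperatorCreationException if no content signer can be created for the private key
     */
    private static TigerPkiIdentity generateNewCaCertificateUnsafe()
            throws GeneralSecurityException, IOException, OperatorCreationException {
        SecureRandom random = new SecureRandom();
        KeyPair caKeyPair = generateRsaKeyPair(CA_KEY_SIZE_BITS, random);
        X500Name caName = new X500Name(CA_DISTINGUISHED_NAME);

        // Evaluate "now" once so notBefore and notAfter are derived from the same instant.
        ZonedDateTime now = ZonedDateTime.now();
        Date notBefore = Date.from(now.minusYears(1L).toInstant());
        Date notAfter = Date.from(now.plusYears(10L).toInstant());

        // Self-signed: issuer and subject are the same name, the certificate carries its own public key.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caName, randomSerialNumber(random), notBefore, notAfter, caName, caKeyPair.getPublic());
        builder.addExtension(
                Extension.subjectKeyIdentifier, false, createNewSubjectKeyIdentifier(caKeyPair.getPublic()));
        // Critical CA flag with the path length constraint.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(CA_PATH_LENGTH));
        // digitalSignature | keyCertSign | cRLSign (bitmask 134).
        builder.addExtension(
                Extension.keyUsage,
                true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

        X509Certificate caCertificate = signTheCertificate(builder, caKeyPair.getPrivate());
        return new TigerPkiIdentity(caCertificate, caKeyPair.getPrivate());
    }

    /**
     * Produces a positive, non-zero, unpredictable serial number from CSPRNG output. RFC 5280 requires serial numbers
     * to be positive and at most 20 octets; {@link Random#nextInt(int)} would yield only 31 predictable bits, which
     * is unsuitable even for a test CA.
     *
     * @param random source of randomness
     * @return a serial number of at most {@value #SERIAL_NUMBER_BITS} bits, never zero
     */
    private static BigInteger randomSerialNumber(SecureRandom random) {
        // setBit(0) guarantees a non-zero value without adding a bit beyond SERIAL_NUMBER_BITS.
        return new BigInteger(SERIAL_NUMBER_BITS, random).setBit(0);
    }

    /**
     * Signs the certificate described by {@code builder} with {@code signingKey} and converts it to a JCA certificate.
     *
     * @param builder the populated certificate builder
     * @param signingKey private key used for the signature
     * @return the signed certificate, created via the BouncyCastle provider
     * @throws OperatorCreationException if no content signer can be built for {@code signingKey}
     * @throws CertificateException if the BouncyCastle certificate holder cannot be converted
     */
    private static X509Certificate signTheCertificate(X509v3CertificateBuilder builder, PrivateKey signingKey)
            throws OperatorCreationException, CertificateException {
        // Signature algorithm follows the key type: RSA keys sign with RSA-PKCS#1, any other key is treated as EC.
        String signatureAlgorithm =
                signingKey instanceof RSAPrivateKey ? "SHA256WithRSAEncryption" : "SHA256withECDSA";
        return new JcaX509CertificateConverter()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .getCertificate(builder.build(new JcaContentSignerBuilder(signatureAlgorithm)
                        .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                        .build(signingKey)));
    }

    /**
     * Generates an RSA key pair of the given modulus size with the BouncyCastle provider.
     *
     * @param keySizeBits RSA modulus size in bits
     * @param random randomness source for key generation
     * @return the freshly generated key pair
     * @throws GeneralSecurityException if the RSA generator is unavailable from the BouncyCastle provider
     */
    private static KeyPair generateRsaKeyPair(int keySizeBits, SecureRandom random) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
        generator.initialize(keySizeBits, random);
        return generator.generateKeyPair();
    }

    /**
     * Derives the subjectKeyIdentifier extension value from the DER encoding of {@code key}.
     *
     * @param key public key whose encoded SubjectPublicKeyInfo is hashed into the identifier
     * @return the subject key identifier
     * @throws IOException if the encoded key cannot be parsed as an ASN.1 sequence
     */
    private static SubjectKeyIdentifier createNewSubjectKeyIdentifier(Key key) throws IOException {
        try (ASN1InputStream asn1Stream = new ASN1InputStream(new ByteArrayInputStream(key.getEncoded()))) {
            SubjectPublicKeyInfo publicKeyInfo =
                    SubjectPublicKeyInfo.getInstance((ASN1Sequence) asn1Stream.readObject());
            return new BcX509ExtensionUtils().createSubjectKeyIdentifier(publicKeyInfo);
        }
    }

    /** Utility class; not instantiable. */
    @Generated
    private TlsCertificateGenerator() {
    }
}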
