package io.netty.pkitesting;

import io.netty.util.internal.EmptyArrays;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.OptionalInt;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;

/* loaded from: input_file:io/netty/pkitesting/CertificateBuilder.class */
public final class CertificateBuilder {
    static final String OID_X509_NAME_CONSTRAINTS = "2.5.29.30";
    static final String OID_PKIX_KP = "1.3.6.1.5.5.7.3";
    static final String OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
    static final String OID_PKIX_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    static final String OID_PKIX_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4";
    static final String OID_PKIX_KP_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    static final String OID_PKIX_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";
    static final String OID_KERBEROS_KEY_PURPOSE_CLIENT_AUTH = "1.3.6.1.5.2.3.4";
    static final String OID_MICROSOFT_SMARTCARD_LOGIN = "1.3.6.1.4.1.311.20.2.2";
    private static final GeneralName[] EMPTY_GENERAL_NAMES = new GeneralName[0];
    private static final DistributionPoint[] EMPTY_DIST_POINTS = new DistributionPoint[0];
    private static final AlgorithmParameterSpec UNSUPPORTED_SPEC = new AlgorithmParameterSpec() { // from class: io.netty.pkitesting.CertificateBuilder.1
    };
    SecureRandom random;
    BigInteger serial;
    X500Principal subject;
    boolean isCertificateAuthority;
    PublicKey publicKey;
    Extension keyUsage;
    Algorithm algorithm = Algorithm.ecp256;
    Instant notBefore = Instant.now().minus(1L, (TemporalUnit) ChronoUnit.DAYS);
    Instant notAfter = Instant.now().plus(1L, (TemporalUnit) ChronoUnit.DAYS);
    List<BuilderCallback> modifierCallbacks = new ArrayList();
    List<GeneralName> subjectAlternativeNames = new ArrayList();
    List<DistributionPoint> crlDistributionPoints = new ArrayList();
    OptionalInt pathLengthConstraint = OptionalInt.empty();
    Set<String> extendedKeyUsage = new TreeSet();

    /* loaded from: input_file:io/netty/pkitesting/CertificateBuilder$Algorithm.class */
    public enum Algorithm {
        ecp256("EC", new ECGenParameterSpec("secp256r1"), "SHA256withECDSA"),
        ecp384("EC", new ECGenParameterSpec("secp384r1"), "SHA384withECDSA"),
        rsa2048("RSA", new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4), "SHA256withRSA"),
        rsa3072("RSA", new RSAKeyGenParameterSpec(3072, RSAKeyGenParameterSpec.F4), "SHA256withRSA"),
        rsa4096("RSA", new RSAKeyGenParameterSpec(4096, RSAKeyGenParameterSpec.F4), "SHA384withRSA"),
        rsa8192("RSA", new RSAKeyGenParameterSpec(8192, RSAKeyGenParameterSpec.F4), "SHA384withRSA"),
        ed25519("Ed25519", namedParameterSpec("Ed25519"), "Ed25519"),
        ed448("Ed448", namedParameterSpec("Ed448"), "Ed448"),
        mlDsa44("ML-DSA", namedParameterSpec("ML-DSA-44"), "ML-DSA-44"),
        mlDsa65("ML-DSA", namedParameterSpec("ML-DSA-65"), "ML-DSA-65"),
        mlDsa87("ML-DSA", namedParameterSpec("ML-DSA-87"), "ML-DSA-87");

        final String keyType;
        final AlgorithmParameterSpec parameterSpec;
        final String signatureType;

        Algorithm(String str, AlgorithmParameterSpec algorithmParameterSpec, String str2) {
            this.keyType = str;
            this.parameterSpec = algorithmParameterSpec;
            this.signatureType = str2;
        }

        private static AlgorithmParameterSpec namedParameterSpec(String str) {
            try {
                return (AlgorithmParameterSpec) Class.forName("java.security.spec.NamedParameterSpec").getConstructor(String.class).newInstance(str);
            } catch (Exception e) {
                return "Ed25519".equals(str) ? new EdDSAParameterSpec("Ed25519") : "Ed448".equals(str) ? new EdDSAParameterSpec("Ed448") : CertificateBuilder.UNSUPPORTED_SPEC;
            }
        }

        public KeyPair generateKeyPair(SecureRandom secureRandom) throws GeneralSecurityException {
            Objects.requireNonNull(secureRandom, "secureRandom");
            if (this.parameterSpec == CertificateBuilder.UNSUPPORTED_SPEC) {
                throw new UnsupportedOperationException("This algorithm is not supported: " + this);
            }
            return (this == mlDsa44 || this == mlDsa65 || this == mlDsa87) ? genMlDsaKeyPair(secureRandom) : genKeyPair(secureRandom);
        }

        private KeyPair genMlDsaKeyPair(final SecureRandom secureRandom) throws GeneralSecurityException {
            final byte[] bArr = new byte[32];
            KeyPair genKeyPair = genKeyPair(new SecureRandom() { // from class: io.netty.pkitesting.CertificateBuilder.Algorithm.1
                static final /* synthetic */ boolean $assertionsDisabled;

                @Override // java.security.SecureRandom, java.util.Random
                public void nextBytes(byte[] bArr2) {
                    if (!$assertionsDisabled && bArr2.length != 32) {
                        throw new AssertionError();
                    }
                    secureRandom.nextBytes(bArr2);
                    System.arraycopy(bArr2, 0, bArr, 0, bArr.length);
                }

                static {
                    $assertionsDisabled = !CertificateBuilder.class.desiredAssertionStatus();
                }
            });
            return new KeyPair(genKeyPair.getPublic(), new MLDSASeedPrivateKey(genKeyPair.getPrivate(), this, bArr));
        }

        private KeyPair genKeyPair(SecureRandom secureRandom) throws GeneralSecurityException {
            return Algorithms.keyPairGenerator(this.keyType, this.parameterSpec, secureRandom).generateKeyPair();
        }

        public boolean isSupported() {
            return this.parameterSpec != CertificateBuilder.UNSUPPORTED_SPEC;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    @FunctionalInterface
    /* loaded from: input_file:io/netty/pkitesting/CertificateBuilder$BuilderCallback.class */
    public interface BuilderCallback {
        void modify(ExtensionsGenerator extensionsGenerator) throws Exception;
    }

    /* loaded from: input_file:io/netty/pkitesting/CertificateBuilder$ExtendedKeyUsage.class */
    public enum ExtendedKeyUsage {
        PKIX_KP_SERVER_AUTH(CertificateBuilder.OID_PKIX_KP_SERVER_AUTH),
        PKIX_KP_CLIENT_AUTH(CertificateBuilder.OID_PKIX_KP_CLIENT_AUTH),
        PKIX_KP_CODE_SIGNING(CertificateBuilder.OID_PKIX_KP_CODE_SIGNING),
        PKIX_KP_EMAIL_PROTECTION(CertificateBuilder.OID_PKIX_KP_EMAIL_PROTECTION),
        PKIX_KP_TIME_STAMPING(CertificateBuilder.OID_PKIX_KP_TIME_STAMPING),
        PKIX_KP_OCSP_SIGNING(CertificateBuilder.OID_PKIX_KP_OCSP_SIGNING),
        KERBEROS_KEY_PURPOSE_CLIENT_AUTH(CertificateBuilder.OID_KERBEROS_KEY_PURPOSE_CLIENT_AUTH),
        MICROSOFT_SMARTCARD_LOGIN(CertificateBuilder.OID_MICROSOFT_SMARTCARD_LOGIN);

        private final String oid;

        ExtendedKeyUsage(String str) {
            this.oid = str;
        }

        public String getOid() {
            return this.oid;
        }
    }

    /* loaded from: input_file:io/netty/pkitesting/CertificateBuilder$KeyUsage.class */
    public enum KeyUsage {
        digitalSignature(0),
        contentCommitment(1),
        keyEncipherment(2),
        dataEncipherment(3),
        keyAgreement(4),
        keyCertSign(5),
        cRLSign(6),
        encipherOnly(7),
        decipherOnly(8);

        private final int bitId;

        KeyUsage(int i) {
            this.bitId = i;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/netty/pkitesting/CertificateBuilder$SecureRandomHolder.class */
    public static final class SecureRandomHolder {
        private static final SecureRandom RANDOM = new SecureRandom();

        private SecureRandomHolder() {
        }
    }

    public CertificateBuilder copy() {
        CertificateBuilder certificateBuilder = new CertificateBuilder();
        certificateBuilder.random = this.random;
        certificateBuilder.algorithm = this.algorithm;
        certificateBuilder.notBefore = this.notBefore;
        certificateBuilder.notAfter = this.notAfter;
        certificateBuilder.modifierCallbacks = new ArrayList(this.modifierCallbacks);
        certificateBuilder.subjectAlternativeNames = new ArrayList(this.subjectAlternativeNames);
        certificateBuilder.crlDistributionPoints = new ArrayList(this.crlDistributionPoints);
        certificateBuilder.serial = this.serial;
        certificateBuilder.subject = this.subject;
        certificateBuilder.isCertificateAuthority = this.isCertificateAuthority;
        certificateBuilder.pathLengthConstraint = this.pathLengthConstraint;
        certificateBuilder.publicKey = this.publicKey;
        certificateBuilder.keyUsage = this.keyUsage;
        certificateBuilder.extendedKeyUsage = new TreeSet(this.extendedKeyUsage);
        return certificateBuilder;
    }

    public CertificateBuilder secureRandom(SecureRandom secureRandom) {
        this.random = (SecureRandom) Objects.requireNonNull(secureRandom);
        return this;
    }

    public CertificateBuilder notBefore(Instant instant) {
        this.notBefore = (Instant) Objects.requireNonNull(instant);
        return this;
    }

    public CertificateBuilder notAfter(Instant instant) {
        this.notAfter = (Instant) Objects.requireNonNull(instant);
        return this;
    }

    public CertificateBuilder serial(BigInteger bigInteger) {
        this.serial = bigInteger;
        return this;
    }

    public CertificateBuilder subject(String str) {
        this.subject = new X500Principal((String) Objects.requireNonNull(str));
        return this;
    }

    public CertificateBuilder subject(X500Principal x500Principal) {
        this.subject = (X500Principal) Objects.requireNonNull(x500Principal);
        return this;
    }

    public CertificateBuilder addSanOtherName(String str, byte[] bArr) {
        this.subjectAlternativeNames.add(GeneralNameUtils.otherName(str, bArr));
        return this;
    }

    public CertificateBuilder addSanRfc822Name(String str) {
        this.subjectAlternativeNames.add(GeneralNameUtils.rfc822Name(str));
        return this;
    }

    public CertificateBuilder addSanDnsName(String str) {
        if (str.trim().isEmpty()) {
            throw new IllegalArgumentException("Blank DNS SANs are forbidden by RFC 5280, Section 4.2.1.6.");
        }
        this.subjectAlternativeNames.add(GeneralNameUtils.dnsName(str));
        return this;
    }

    public CertificateBuilder addSanDirectoryName(String str) {
        this.subjectAlternativeNames.add(GeneralNameUtils.directoryName(str));
        return this;
    }

    public CertificateBuilder addSanUriName(String str) throws URISyntaxException {
        this.subjectAlternativeNames.add(GeneralNameUtils.uriName(str));
        return this;
    }

    public CertificateBuilder addSanUriName(URI uri) {
        this.subjectAlternativeNames.add(GeneralNameUtils.uriName(uri));
        return this;
    }

    public CertificateBuilder addSanIpAddress(String str) {
        this.subjectAlternativeNames.add(GeneralNameUtils.ipAddress(str));
        return this;
    }

    public CertificateBuilder addSanIpAddress(InetAddress inetAddress) {
        this.subjectAlternativeNames.add(GeneralNameUtils.ipAddress(inetAddress.getHostAddress()));
        return this;
    }

    public CertificateBuilder addSanRegisteredId(String str) {
        this.subjectAlternativeNames.add(GeneralNameUtils.registeredId(str));
        return this;
    }

    public CertificateBuilder addCrlDistributionPoint(URI uri) {
        this.crlDistributionPoints.add(new DistributionPoint(new DistributionPointName(new GeneralNames(GeneralNameUtils.uriName(uri))), (ReasonFlags) null, (GeneralNames) null));
        return this;
    }

    public CertificateBuilder addCrlDistributionPoint(URI uri, X500Principal x500Principal) {
        this.crlDistributionPoints.add(new DistributionPoint(new DistributionPointName(new GeneralNames(GeneralNameUtils.uriName(uri))), (ReasonFlags) null, new GeneralNames(GeneralNameUtils.directoryName(x500Principal))));
        return this;
    }

    public CertificateBuilder setIsCertificateAuthority(boolean z) {
        this.isCertificateAuthority = z;
        return this;
    }

    public CertificateBuilder setPathLengthConstraint(OptionalInt optionalInt) {
        this.pathLengthConstraint = (OptionalInt) Objects.requireNonNull(optionalInt, "pathLengthConstraint");
        return this;
    }

    public CertificateBuilder algorithm(Algorithm algorithm) {
        Objects.requireNonNull(algorithm, "algorithm");
        if (algorithm.parameterSpec == UNSUPPORTED_SPEC) {
            throw new UnsupportedOperationException("This algorithm is not supported: " + algorithm);
        }
        this.algorithm = algorithm;
        return this;
    }

    public CertificateBuilder ecp256() {
        return algorithm(Algorithm.ecp256);
    }

    public CertificateBuilder rsa2048() {
        return algorithm(Algorithm.rsa2048);
    }

    public CertificateBuilder publicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
        return this;
    }

    private CertificateBuilder addExtension(String str, boolean z, byte[] bArr) {
        Objects.requireNonNull(str, "identifierOid");
        Objects.requireNonNull(bArr, "value");
        this.modifierCallbacks.add(extensionsGenerator -> {
            extensionsGenerator.addExtension(new Extension(new ASN1ObjectIdentifier(str), z, bArr));
        });
        return this;
    }

    public CertificateBuilder addExtensionOctetString(String str, boolean z, byte[] bArr) {
        Objects.requireNonNull(str, "identifierOID");
        Objects.requireNonNull(bArr, "contents");
        this.modifierCallbacks.add(extensionsGenerator -> {
            extensionsGenerator.addExtension(new Extension(new ASN1ObjectIdentifier(str), z, bArr));
        });
        return this;
    }

    public CertificateBuilder addExtensionUtf8String(String str, boolean z, String str2) {
        try {
            return addExtension(str, z, new DERUTF8String(str2).getEncoded("DER"));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public CertificateBuilder addExtensionAsciiString(String str, boolean z, String str2) {
        try {
            return addExtension(str, z, new DERIA5String(str2).getEncoded("DER"));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public CertificateBuilder setKeyUsage(boolean z, KeyUsage... keyUsageArr) {
        int i = 0;
        for (KeyUsage keyUsage : keyUsageArr) {
            i = Math.max(keyUsage.bitId, i);
        }
        boolean[] zArr = new boolean[i + 1];
        for (KeyUsage keyUsage2 : keyUsageArr) {
            zArr[keyUsage2.bitId] = true;
        }
        int length = 8 - (zArr.length % 8);
        int length2 = (zArr.length / 8) + 1;
        if (length == 8) {
            length = 0;
            length2--;
        }
        byte[] bArr = new byte[length2];
        for (int i2 = 0; i2 < zArr.length; i2++) {
            if (zArr[i2]) {
                int i3 = i2 / 8;
                bArr[i3] = (byte) (bArr[i3] | ((byte) (128 >>> (i2 % 8))));
            }
        }
        try {
            this.keyUsage = new Extension(Extension.keyUsage, z, new DERBitString(bArr, length).getEncoded("DER"));
            return this;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public CertificateBuilder addExtendedKeyUsage(String str) {
        this.extendedKeyUsage.add(str);
        return this;
    }

    public CertificateBuilder addExtendedKeyUsage(ExtendedKeyUsage extendedKeyUsage) {
        this.extendedKeyUsage.add(extendedKeyUsage.getOid());
        return this;
    }

    public CertificateBuilder addExtendedKeyUsageServerAuth() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_SERVER_AUTH);
    }

    public CertificateBuilder addExtendedKeyUsageClientAuth() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_CLIENT_AUTH);
    }

    public CertificateBuilder addExtendedKeyUsageCodeSigning() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_CODE_SIGNING);
    }

    public CertificateBuilder addExtendedKeyUsageEmailProtection() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_EMAIL_PROTECTION);
    }

    public CertificateBuilder addExtendedKeyUsageTimeStamping() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_TIME_STAMPING);
    }

    public CertificateBuilder addExtendedKeyUsageOcspSigning() {
        return addExtendedKeyUsage(ExtendedKeyUsage.PKIX_KP_OCSP_SIGNING);
    }

    public CertificateBuilder addExtendedKeyUsageKerberosClientAuth() {
        return addExtendedKeyUsage(ExtendedKeyUsage.KERBEROS_KEY_PURPOSE_CLIENT_AUTH);
    }

    public CertificateBuilder addExtendedKeyUsageMicrosoftSmartcardLogin() {
        return addExtendedKeyUsage(ExtendedKeyUsage.MICROSOFT_SMARTCARD_LOGIN);
    }

    public X509Bundle buildSelfSigned() throws Exception {
        if (this.publicKey != null) {
            throw new IllegalStateException("Cannot create a self-signed certificate with a public key from a CSR.");
        }
        KeyPair generateKeyPair = generateKeyPair();
        V3TBSCertificateGenerator createCertBuilder = createCertBuilder(this.subject, this.subject, generateKeyPair, this.algorithm.signatureType);
        addExtensions(createCertBuilder);
        return X509Bundle.fromRootCertificateAuthority((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new Signed(tbsCertToBytes(createCertBuilder), this.algorithm.signatureType, generateKeyPair.getPrivate()).toInputStream()), generateKeyPair);
    }

    public X509Bundle buildIssuedBy(X509Bundle x509Bundle) throws Exception {
        return buildIssuedBy(x509Bundle, preferredSignatureAlgorithm(x509Bundle.getCertificate().getPublicKey()));
    }

    public X509Bundle buildIssuedBy(X509Bundle x509Bundle, String str) throws Exception {
        KeyPair generateKeyPair = this.publicKey == null ? generateKeyPair() : new KeyPair(this.publicKey, null);
        V3TBSCertificateGenerator createCertBuilder = createCertBuilder(x509Bundle.getCertificate().getSubjectX500Principal(), this.subject, generateKeyPair, str);
        addExtensions(createCertBuilder);
        PrivateKey privateKey = x509Bundle.getKeyPair().getPrivate();
        if (privateKey == null) {
            throw new IllegalArgumentException("Cannot sign certificate with issuer bundle that does not have a private key.");
        }
        X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new Signed(tbsCertToBytes(createCertBuilder), str, privateKey).toInputStream());
        X509Certificate[] certificatePath = x509Bundle.getCertificatePath();
        X509Certificate[] x509CertificateArr = new X509Certificate[certificatePath.length + 1];
        x509CertificateArr[0] = x509Certificate;
        System.arraycopy(certificatePath, 0, x509CertificateArr, 1, certificatePath.length);
        return X509Bundle.fromCertificatePath(x509CertificateArr, x509Bundle.getRootCertificate(), generateKeyPair);
    }

    private static String preferredSignatureAlgorithm(PublicKey publicKey) {
        if (publicKey instanceof RSAPublicKey) {
            return ((RSAPublicKey) publicKey).getModulus().bitLength() < 4096 ? "SHA256withRSA" : "SHA384withRSA";
        }
        if (publicKey instanceof ECPublicKey) {
            int bitLength = ((ECPublicKey) publicKey).getW().getAffineX().bitLength();
            return bitLength <= 256 ? "SHA256withECDSA" : bitLength <= 384 ? "SHA384withECDSA" : "SHA512withECDSA";
        }
        if (publicKey instanceof DSAPublicKey) {
            throw new IllegalArgumentException("DSA keys are not supported because they are obsolete.");
        }
        String algorithm = publicKey.getAlgorithm();
        if ("Ed25519".equals(algorithm) || "1.3.101.112".equals(algorithm)) {
            return "Ed25519";
        }
        if ("Ed448".equals(algorithm) || "1.3.101.113".equals(algorithm)) {
            return "Ed448";
        }
        if ("EdDSA".equals(algorithm)) {
            byte[] encoded = publicKey.getEncoded();
            if (encoded.length <= 44) {
                return "Ed25519";
            }
            if (encoded.length <= 69) {
                return "Ed448";
            }
        }
        throw new IllegalArgumentException("Don't know what signature algorithm is best for " + publicKey);
    }

    private KeyPair generateKeyPair() throws GeneralSecurityException {
        return this.algorithm.generateKeyPair(getSecureRandom());
    }

    private V3TBSCertificateGenerator createCertBuilder(X500Principal x500Principal, X500Principal x500Principal2, KeyPair keyPair, String str) {
        BigInteger bigInteger = this.serial != null ? this.serial : new BigInteger(159, getSecureRandom());
        PublicKey publicKey = keyPair.getPublic();
        V3TBSCertificateGenerator v3TBSCertificateGenerator = new V3TBSCertificateGenerator();
        v3TBSCertificateGenerator.setIssuer(X500Name.getInstance(x500Principal.getEncoded()));
        if (x500Principal2 != null) {
            v3TBSCertificateGenerator.setSubject(X500Name.getInstance(x500Principal2.getEncoded()));
        }
        v3TBSCertificateGenerator.setSerialNumber(new ASN1Integer(bigInteger));
        v3TBSCertificateGenerator.setSignature(new AlgorithmIdentifier(new ASN1ObjectIdentifier(Algorithms.oidForAlgorithmName(str))));
        v3TBSCertificateGenerator.setStartDate(new Time(Date.from(this.notBefore)));
        v3TBSCertificateGenerator.setEndDate(new Time(Date.from(this.notAfter)));
        v3TBSCertificateGenerator.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
        return v3TBSCertificateGenerator;
    }

    private static byte[] tbsCertToBytes(V3TBSCertificateGenerator v3TBSCertificateGenerator) {
        try {
            return v3TBSCertificateGenerator.generateTBSCertificate().getEncoded("DER");
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private SecureRandom getSecureRandom() {
        SecureRandom secureRandom = this.random;
        if (secureRandom == null) {
            secureRandom = SecureRandomHolder.RANDOM;
        }
        return secureRandom;
    }

    private void addExtensions(V3TBSCertificateGenerator v3TBSCertificateGenerator) throws Exception {
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        if (this.isCertificateAuthority) {
            extensionsGenerator.addExtension(new Extension(Extension.basicConstraints, true, (this.pathLengthConstraint.isPresent() ? new BasicConstraints(this.pathLengthConstraint.getAsInt()) : new BasicConstraints(true)).getEncoded("DER")));
        }
        if (this.keyUsage != null) {
            extensionsGenerator.addExtension(this.keyUsage);
        }
        if (!this.extendedKeyUsage.isEmpty()) {
            KeyPurposeId[] keyPurposeIdArr = new KeyPurposeId[this.extendedKeyUsage.size()];
            String[] strArr = (String[]) this.extendedKeyUsage.toArray(EmptyArrays.EMPTY_STRINGS);
            for (int i = 0; i < strArr.length; i++) {
                keyPurposeIdArr[i] = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(strArr[i]));
            }
            extensionsGenerator.addExtension(new Extension(Extension.extendedKeyUsage, false, new org.bouncycastle.asn1.x509.ExtendedKeyUsage(keyPurposeIdArr).getEncoded("DER")));
        }
        if (!this.subjectAlternativeNames.isEmpty()) {
            try {
                extensionsGenerator.addExtension(new Extension(Extension.subjectAlternativeName, this.subject.getName().isEmpty(), new GeneralNames((GeneralName[]) this.subjectAlternativeNames.toArray(EMPTY_GENERAL_NAMES)).getEncoded("DER")));
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }
        if (!this.crlDistributionPoints.isEmpty()) {
            extensionsGenerator.addExtension(Extension.create(Extension.cRLDistributionPoints, false, new CRLDistPoint((DistributionPoint[]) this.crlDistributionPoints.toArray(EMPTY_DIST_POINTS))));
        }
        Iterator<BuilderCallback> it = this.modifierCallbacks.iterator();
        while (it.hasNext()) {
            it.next().modify(extensionsGenerator);
        }
        if (extensionsGenerator.isEmpty()) {
            return;
        }
        v3TBSCertificateGenerator.setExtensions(extensionsGenerator.generate());
    }
}
