package org.apache.hadoop.hbase.io.crypto.tls;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.sql.Date;
import java.time.LocalDate;
import java.time.ZoneId;
import org.apache.yetus.audience.InterfaceAudience;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.operator.bc.BcContentSignerBuilder;
import org.bouncycastle.operator.bc.BcECContentSignerBuilder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;

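/**
 * Helpers for building the X.509 material that TLS tests need: self-signed CA certificates,
 * CA-signed end-entity certificates, RSA/EC key pairs, PEM encodings, and serialized key and
 * trust stores.
 * <p>
 * This is test-fixture code: every certificate is valid for a single day from the current local
 * date, and PEM private keys are protected with a legacy PKCS#12 PBE scheme. Signing and
 * certificate conversion rely on the BouncyCastle JCA provider being registered under the name
 * {@code "BC"}; the BCFKS store variants additionally require the BouncyCastle FIPS key store
 * implementation.
 */
@InterfaceAudience.Private
final class X509TestHelpers {
    private static final int DEFAULT_RSA_KEY_SIZE_BITS = 2048;
    private static final String DEFAULT_ELLIPTIC_CURVE_NAME = "secp256r1";
    private static final int SERIAL_NUMBER_MAX_BITS = 160;
    private static final SecureRandom PRNG = new SecureRandom();
    private static final BigInteger DEFAULT_RSA_PUB_EXPONENT = RSAKeyGenParameterSpec.F4;

    /** Certificates are valid for this many days, starting at midnight (local zone) of today. */
    private static final long VALIDITY_DAYS = 1L;

    /** Key usage of the CA certificate: digitalSignature | keyCertSign | cRLSign (bit value 134). */
    private static final int CA_KEY_USAGE =
        KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign;

    /** Key usage of end-entity certificates: digitalSignature | keyEncipherment (bit value 160). */
    private static final int END_ENTITY_KEY_USAGE =
        KeyUsage.digitalSignature | KeyUsage.keyEncipherment;

    private static final String RSA_SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";
    private static final String EC_SIGNATURE_ALGORITHM = "SHA256withECDSA";
    private static final String BC_PROVIDER_NAME = "BC";
    private static final String LOCALHOST = "localhost";
    private static final String KEY_STORE_KEY_ALIAS = "key";

    /**
     * Creates a self-signed CA certificate.
     *
     * @param subject the name used as both subject and issuer of the certificate
     * @param keyPair the CA key pair; the public half goes into the certificate and the private
     *                half signs it
     * @return the signed CA certificate, valid from today for {@link #VALIDITY_DAYS}
     * @throws IOException if an extension cannot be encoded
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws GeneralSecurityException if the certificate cannot be converted to a JCA object
     */
    public static X509Certificate newSelfSignedCACert(X500Name subject, KeyPair keyPair)
        throws IOException, OperatorCreationException, GeneralSecurityException {
        LocalDate notBefore = LocalDate.now(ZoneId.systemDefault());
        X509v3CertificateBuilder builder = initCertBuilder(subject, notBefore,
            notBefore.plusDays(VALIDITY_DAYS), subject, keyPair.getPublic());
        // cA=true with no path-length limit; basicConstraints and keyUsage are critical on a CA.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(CA_KEY_USAGE));
        return buildAndSignCertificate(keyPair.getPrivate(), builder);
    }

    /**
     * Creates an end-entity certificate signed by the given CA, with subject alternative names
     * covering every address that {@code "localhost"} resolves to plus the DNS name
     * {@code localhost}.
     *
     * @see #newCert(X509Certificate, KeyPair, X500Name, PublicKey, GeneralNames)
     */
    public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair,
        X500Name subject, PublicKey subjectKey)
        throws IOException, OperatorCreationException, GeneralSecurityException {
        return newCert(caCert, caKeyPair, subject, subjectKey, getLocalhostSubjectAltNames());
    }

    /**
     * Creates an end-entity certificate signed by the given CA. The certificate is usable for
     * both TLS server and client authentication.
     *
     * @param caCert the CA certificate; its subject becomes the issuer of the new certificate
     * @param caKeyPair the CA key pair used to sign; its public key must match {@code caCert}
     * @param subject the subject name of the new certificate
     * @param subjectKey the public key to certify
     * @param subjectAltNames optional subject alternative names; {@code null} adds no SAN
     *                        extension
     * @return the signed certificate, valid from today for {@link #VALIDITY_DAYS}
     * @throws IllegalArgumentException if {@code caKeyPair}'s public key is not the one in
     *                                  {@code caCert}
     * @throws IOException if an extension cannot be encoded
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws GeneralSecurityException if the certificate cannot be converted to a JCA object
     */
    public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair,
        X500Name subject, PublicKey subjectKey, GeneralNames subjectAltNames)
        throws IOException, OperatorCreationException, GeneralSecurityException {
        if (!caKeyPair.getPublic().equals(caCert.getPublicKey())) {
            throw new IllegalArgumentException(
                "CA private key does not match the public key in the CA cert");
        }
        // RFC 5280 4.1.2.4: the issuer of the new certificate is the *subject* of the signing CA
        // certificate. Taking it from the DER-encoded principal (rather than re-parsing a string
        // form of the name) preserves the exact encoding so chain building matches byte-for-byte.
        X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
        LocalDate notBefore = LocalDate.now(ZoneId.systemDefault());
        X509v3CertificateBuilder builder = initCertBuilder(issuer, notBefore,
            notBefore.plusDays(VALIDITY_DAYS), subject, subjectKey);
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(END_ENTITY_KEY_USAGE));
        builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(
            new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth }));
        if (subjectAltNames != null) {
            builder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
        }
        return buildAndSignCertificate(caKeyPair.getPrivate(), builder);
    }

    /**
     * Builds subject alternative names for the local host: one {@code iPAddress} entry per
     * address {@code "localhost"} resolves to, followed by the {@code dNSName} {@code localhost}.
     *
     * @throws UnknownHostException if {@code "localhost"} cannot be resolved
     */
    private static GeneralNames getLocalhostSubjectAltNames() throws UnknownHostException {
        InetAddress[] addresses = InetAddress.getAllByName(LOCALHOST);
        GeneralName[] names = new GeneralName[addresses.length + 1];
        for (int i = 0; i < addresses.length; i++) {
            // iPAddress SANs carry the raw 4- or 16-byte address, not its textual form.
            names[i] = new GeneralName(GeneralName.iPAddress,
                new DEROctetString(addresses[i].getAddress()));
        }
        names[addresses.length] = new GeneralName(GeneralName.dNSName, new DERIA5String(LOCALHOST));
        return new GeneralNames(names);
    }

    /**
     * Creates a certificate builder with a fresh random serial number and the given names,
     * validity window and subject key. No extensions are added.
     *
     * @param issuer issuer name
     * @param notBefore first day of validity (midnight, local zone)
     * @param notAfter last day of validity (midnight, local zone)
     * @param subject subject name
     * @param subjectKey public key to certify
     */
    private static X509v3CertificateBuilder initCertBuilder(X500Name issuer, LocalDate notBefore,
        LocalDate notAfter, X500Name subject, PublicKey subjectKey) {
        // Unpredictable serials (RFC 5280 4.1.2.2) also keep certificates generated by
        // concurrent tests from colliding.
        BigInteger serial = new BigInteger(SERIAL_NUMBER_MAX_BITS, PRNG);
        // java.sql.Date.valueOf() maps a LocalDate to midnight of that date in the local zone.
        return new X509v3CertificateBuilder(issuer, serial, Date.valueOf(notBefore),
            Date.valueOf(notAfter), subject, SubjectPublicKeyInfo.getInstance(subjectKey.getEncoded()));
    }

    /**
     * Signs the certificate under construction with SHA-256 and the signature scheme matching
     * the key type (RSA PKCS#1 v1.5 or ECDSA), then converts it to a JCA certificate.
     *
     * @param signingKey the issuer's private key; any algorithm whose name does not contain
     *                   {@code "RSA"} is treated as EC
     * @param builder the populated certificate builder
     * @throws IOException if the private key encoding cannot be parsed
     * @throws OperatorCreationException if the content signer cannot be created
     * @throws CertificateException if the signed structure cannot be converted
     */
    private static X509Certificate buildAndSignCertificate(PrivateKey signingKey,
        X509v3CertificateBuilder builder)
        throws IOException, OperatorCreationException, CertificateException {
        boolean rsa = signingKey.getAlgorithm().contains("RSA");
        AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
            .find(rsa ? RSA_SIGNATURE_ALGORITHM : EC_SIGNATURE_ALGORITHM);
        AlgorithmIdentifier digestAlgorithm =
            new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
        // Both builders share the BcContentSignerBuilder base type; the original declared the
        // variable as the RSA subtype, which cannot hold the EC builder.
        BcContentSignerBuilder signerBuilder = rsa
            ? new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm)
            : new BcECContentSignerBuilder(signatureAlgorithm, digestAlgorithm);
        X509CertificateHolder holder =
            builder.build(signerBuilder.build(PrivateKeyFactory.createKey(signingKey.getEncoded())));
        return toX509Cert(holder);
    }

    /**
     * Generates a key pair of the requested type with this class's default parameters.
     *
     * @throws IllegalArgumentException for a key type this helper does not support
     * @throws GeneralSecurityException if the JCA generator is unavailable or misconfigured
     */
    public static KeyPair generateKeyPair(X509KeyType keyType) throws GeneralSecurityException {
        switch (keyType) {
            case RSA:
                return generateRSAKeyPair();
            case EC:
                return generateECKeyPair();
            default:
                throw new IllegalArgumentException("Invalid X509KeyType");
        }
    }

    /**
     * Generates a {@value #DEFAULT_RSA_KEY_SIZE_BITS}-bit RSA key pair with public exponent F4
     * (65537).
     *
     * @throws GeneralSecurityException if the JCA generator is unavailable or misconfigured
     */
    public static KeyPair generateRSAKeyPair() throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(
            new RSAKeyGenParameterSpec(DEFAULT_RSA_KEY_SIZE_BITS, DEFAULT_RSA_PUB_EXPONENT), PRNG);
        return generator.generateKeyPair();
    }

    /**
     * Generates an EC key pair on the {@value #DEFAULT_ELLIPTIC_CURVE_NAME} (P-256) curve.
     *
     * @throws GeneralSecurityException if the JCA generator is unavailable or misconfigured
     */
    public static KeyPair generateECKeyPair() throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
        generator.initialize(new ECGenParameterSpec(DEFAULT_ELLIPTIC_CURVE_NAME), PRNG);
        return generator.generateKeyPair();
    }

    /**
     * PEM-encodes a certificate followed by its private key, separated by a newline.
     *
     * @param cert the certificate
     * @param privateKey the private key
     * @param password password protecting the key, or {@code null}/empty for an unencrypted key
     * @see #pemEncodePrivateKey(PrivateKey, char[])
     */
    public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey,
        char[] password) throws IOException, OperatorCreationException {
        return pemEncodeX509Certificate(cert) + "\n" + pemEncodePrivateKey(privateKey, password);
    }

    /**
     * PEM-encodes a private key as PKCS#8, encrypting it when a non-empty password is given.
     *
     * @param privateKey the key to encode
     * @param password password protecting the key, or {@code null}/empty for an unencrypted
     *                 {@code PRIVATE KEY} block
     * @return the PEM text
     * @throws IOException if the key cannot be written
     * @throws OperatorCreationException if the PKCS#8 encryptor cannot be created
     */
    public static String pemEncodePrivateKey(PrivateKey privateKey, char[] password)
        throws IOException, OperatorCreationException {
        OutputEncryptor encryptor = null;
        if (password != null && password.length > 0) {
            // PKCS#12 PBE with SHA-1/3DES is a legacy PBES1 scheme, kept so existing fixture
            // consumers keep parsing the output; it is not a choice for production key storage.
            encryptor = new JceOpenSSLPKCS8EncryptorBuilder(
                PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
                .setProvider(BC_PROVIDER_NAME)
                .setRandom(PRNG)
                .setPasssword(password) // sic: BouncyCastle's method name is spelled this way
                .build();
        }
        StringWriter out = new StringWriter();
        // close() flushes the PEM writer into the StringWriter, so read it only after the block.
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(new JcaPKCS8Generator(privateKey, encryptor));
        }
        return out.toString();
    }

    /**
     * PEM-encodes a certificate as a {@code CERTIFICATE} block.
     *
     * @throws IOException if the certificate cannot be written
     */
    public static String pemEncodeX509Certificate(X509Certificate cert) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(cert);
        }
        return out.toString();
    }

    /**
     * Serializes a trust store in the JVM's default key store format containing only the given
     * certificate.
     *
     * @see #certToTrustStoreBytes(X509Certificate, char[], KeyStore)
     */
    public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[] password)
        throws IOException, GeneralSecurityException {
        return certToTrustStoreBytes(cert, password, KeyStore.getInstance(KeyStore.getDefaultType()));
    }

    /**
     * Serializes a PKCS#12 trust store containing only the given certificate.
     *
     * @see #certToTrustStoreBytes(X509Certificate, char[], KeyStore)
     */
    public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, char[] password)
        throws IOException, GeneralSecurityException {
        return certToTrustStoreBytes(cert, password, KeyStore.getInstance("PKCS12"));
    }

    /**
     * Serializes a BCFKS trust store containing only the given certificate.
     *
     * @see #certToTrustStoreBytes(X509Certificate, char[], KeyStore)
     */
    public static byte[] certToBCFKSTrustStoreBytes(X509Certificate cert, char[] password)
        throws IOException, GeneralSecurityException {
        return certToTrustStoreBytes(cert, password, KeyStore.getInstance("BCFKS"));
    }

    /**
     * Loads an empty store into {@code keyStore}, adds {@code cert} as a trusted certificate
     * entry keyed by its subject name, and returns the serialized store.
     *
     * @param cert the trusted certificate
     * @param password store integrity password, passed to both load and store; whether
     *                 {@code null} is accepted depends on the store type
     * @param keyStore an uninitialized key store instance of the desired type
     * @throws IOException if the store cannot be serialized
     * @throws GeneralSecurityException if the store cannot be initialized or the entry added
     */
    private static byte[] certToTrustStoreBytes(X509Certificate cert, char[] password,
        KeyStore keyStore) throws IOException, GeneralSecurityException {
        keyStore.load(null, password);
        // getSubjectDN() is deprecated in favour of getSubjectX500Principal(); it is kept here
        // only so the alias string stays identical for anything that looks entries up by name.
        keyStore.setCertificateEntry(cert.getSubjectDN().toString(), cert);
        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            keyStore.store(out, password);
            return out.toByteArray();
        }
    }

    /**
     * Serializes a key store in the JVM's default format holding the private key and its
     * certificate.
     *
     * @see #certAndPrivateKeyToBytes(X509Certificate, PrivateKey, char[], KeyStore)
     */
    public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert,
        PrivateKey privateKey, char[] password) throws IOException, GeneralSecurityException {
        return certAndPrivateKeyToBytes(cert, privateKey, password,
            KeyStore.getInstance(KeyStore.getDefaultType()));
    }

    /**
     * Serializes a PKCS#12 key store holding the private key and its certificate.
     *
     * @see #certAndPrivateKeyToBytes(X509Certificate, PrivateKey, char[], KeyStore)
     */
    public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert,
        PrivateKey privateKey, char[] password) throws IOException, GeneralSecurityException {
        return certAndPrivateKeyToBytes(cert, privateKey, password, KeyStore.getInstance("PKCS12"));
    }

    /**
     * Serializes a BCFKS key store holding the private key and its certificate.
     *
     * @see #certAndPrivateKeyToBytes(X509Certificate, PrivateKey, char[], KeyStore)
     */
    public static byte[] certAndPrivateKeyToBCFKSBytes(X509Certificate cert,
        PrivateKey privateKey, char[] password) throws IOException, GeneralSecurityException {
        return certAndPrivateKeyToBytes(cert, privateKey, password, KeyStore.getInstance("BCFKS"));
    }

    /**
     * Loads an empty store into {@code keyStore}, adds the private key under the alias
     * {@value #KEY_STORE_KEY_ALIAS} with a one-element chain of {@code cert}, and returns the
     * serialized store. The same password protects the key entry and the store.
     *
     * @param cert the certificate for {@code privateKey}
     * @param privateKey the key to store
     * @param password key and store password; whether {@code null} is accepted depends on the
     *                 store type
     * @param keyStore an uninitialized key store instance of the desired type
     * @throws IOException if the store cannot be serialized
     * @throws GeneralSecurityException if the store cannot be initialized or the entry added
     */
    private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey,
        char[] password, KeyStore keyStore) throws IOException, GeneralSecurityException {
        keyStore.load(null, password);
        keyStore.setKeyEntry(KEY_STORE_KEY_ALIAS, privateKey, password, new Certificate[] { cert });
        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            keyStore.store(out, password);
            return out.toByteArray();
        }
    }

    /**
     * Converts a BouncyCastle certificate holder to a JCA {@link X509Certificate} using the
     * {@code "BC"} provider.
     *
     * @throws CertificateException if the provider is missing or the structure is invalid
     */
    public static X509Certificate toX509Cert(X509CertificateHolder holder)
        throws CertificateException {
        return new JcaX509CertificateConverter().setProvider(BC_PROVIDER_NAME).getCertificate(holder);
    }

    /** Static utility class; not instantiable. */
    private X509TestHelpers() {
    }
}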
