package org.qipki.crypto.x509;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Vector;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Attribute;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V2CRLGenerator;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.joda.time.DateTime;
import org.joda.time.Duration;
import org.qi4j.api.injection.scope.Service;
import org.qipki.crypto.CryptoContext;
import org.qipki.crypto.CryptoFailure;
import org.qipki.crypto.algorithms.SignatureAlgorithm;
import org.qipki.crypto.constants.Time;

/* loaded from: input_file:WEB-INF/lib/qipki-crypto-1.0.jar:org/qipki/crypto/x509/X509GeneratorImpl.class */
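public class X509GeneratorImpl implements X509Generator {

    /**
     * Distance, in hours, between a CRL's thisUpdate and nextUpdate fields.
     * Both CRL-producing methods used to hard-code this value inline.
     */
    private static final int CRL_NEXT_UPDATE_HOURS = 12;

    /** Supplies the JCA provider name used for every signing operation of this generator. */
    private final CryptoContext cryptoContext;

    /**
     * Creates a generator that signs with the provider named by the given context.
     *
     * @param cryptoContext context supplying the JCA provider name
     */
    public X509GeneratorImpl(@Service CryptoContext cryptoContext) {
        this.cryptoContext = cryptoContext;
    }

    /**
     * Builds a PKCS#10 certification request without any attributes.
     *
     * @param distinguishedName subject name of the request
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @return the signed request
     * @throws CryptoFailure if the underlying provider rejects the operation
     */
    @Override
    public PKCS10CertificationRequest generatePKCS10(DistinguishedName distinguishedName, KeyPair keyPair) {
        try {
            // A null attribute set (rather than an empty DERSet) is what the
            // original code passed; keep it so the encoded request is unchanged.
            return new PKCS10CertificationRequest(
                    SignatureAlgorithm.SHA256withRSA.jcaString(),
                    distinguishedName.toX500Principal(),
                    keyPair.getPublic(),
                    (ASN1Set) null,
                    keyPair.getPrivate(),
                    cryptoContext.providerName());
        } catch (GeneralSecurityException e) {
            throw new CryptoFailure("Unable to generate PKCS#10", e);
        }
    }

    /**
     * Builds a PKCS#10 certification request carrying a SubjectAlternativeName
     * extension request attribute.
     *
     * @param distinguishedName subject name of the request
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @param generalNames requested subject alternative names; {@code null} yields an empty attribute set
     * @return the signed request
     * @throws CryptoFailure if the underlying provider rejects the operation
     */
    @Override
    public PKCS10CertificationRequest generatePKCS10(DistinguishedName distinguishedName, KeyPair keyPair, GeneralNames generalNames) {
        try {
            return new PKCS10CertificationRequest(
                    SignatureAlgorithm.SHA256withRSA.jcaString(),
                    distinguishedName.toX500Principal(),
                    keyPair.getPublic(),
                    generateSANAttribute(generalNames),
                    keyPair.getPrivate(),
                    cryptoContext.providerName());
        } catch (GeneralSecurityException e) {
            throw new CryptoFailure("Unable to generate PKCS#10", e);
        }
    }

    /**
     * Issues an X.509 v3 certificate signed with SHA256withRSA.
     *
     * <p>The validity window starts {@code Time.CLOCK_SKEW} before the current
     * instant and ends {@code duration} after it, also shifted back by
     * {@code Time.CLOCK_SKEW}; the certificate therefore expires slightly
     * earlier than the requested duration, never later.
     *
     * @param privateKey issuer key used to sign the certificate
     * @param distinguishedName issuer name
     * @param bigInteger serial number
     * @param distinguishedName2 subject name
     * @param publicKey subject public key
     * @param duration requested validity period, measured from now
     * @param list extensions to add in order; {@code null} is treated as no extensions
     * @return the signed certificate
     * @throws CryptoFailure if the generator state is invalid or the provider rejects the operation
     */
    @Override
    public X509Certificate generateX509Certificate(PrivateKey privateKey, DistinguishedName distinguishedName, BigInteger bigInteger, DistinguishedName distinguishedName2, PublicKey publicKey, Duration duration, List<X509ExtensionHolder> list) {
        try {
            X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
            // One clock reading so notBefore and notAfter are derived from the same instant.
            DateTime now = new DateTime();
            generator.setSerialNumber(bigInteger);
            generator.setSubjectDN(distinguishedName2.toX500Principal());
            generator.setIssuerDN(distinguishedName.toX500Principal());
            generator.setNotBefore(now.minus(Time.CLOCK_SKEW).toDate());
            generator.setNotAfter(now.plus(duration).minus(Time.CLOCK_SKEW).toDate());
            generator.setSignatureAlgorithm(SignatureAlgorithm.SHA256withRSA.jcaString());
            generator.setPublicKey(publicKey);
            if (list != null) {
                for (X509ExtensionHolder holder : list) {
                    generator.addExtension(holder.getDerOID(), holder.isCritical(), holder.getValue());
                }
            }
            return generator.generate(privateKey, cryptoContext.providerName());
        } catch (IllegalStateException e) {
            // Thrown by the BC generator when a mandatory field was not set.
            throw new CryptoFailure("Unable to generate X509Certificate", e);
        } catch (GeneralSecurityException e) {
            throw new CryptoFailure("Unable to generate X509Certificate", e);
        }
    }

    /**
     * Issues the first CRL (CRL number 1) for the given CA certificate, with
     * no revoked entries.
     *
     * <p>Signing goes through {@code cryptoContext.providerName()} like every
     * other operation here; the previous code hard-coded the BouncyCastle
     * provider for CRLs only, silently bypassing whatever provider the context
     * is configured with.
     *
     * @param x509Certificate CA certificate whose subject becomes the CRL issuer
     * @param privateKey CA private key used to sign the CRL
     * @return the signed CRL
     * @throws CryptoFailure if the provider rejects the operation
     */
    @Override
    public X509CRL generateX509CRL(X509Certificate x509Certificate, PrivateKey privateKey) {
        try {
            X509V2CRLGenerator generator = new X509V2CRLGenerator();
            generator.setIssuerDN(x509Certificate.getSubjectX500Principal());
            // Single reference instant; thisUpdate and nextUpdate previously came from
            // two separate DateTime constructions.
            DateTime thisUpdate = new DateTime().minus(Time.CLOCK_SKEW);
            generator.setThisUpdate(thisUpdate.toDate());
            generator.setNextUpdate(thisUpdate.plusHours(CRL_NEXT_UPDATE_HOURS).toDate());
            generator.setSignatureAlgorithm(SignatureAlgorithm.SHA256withRSA.jcaString());
            generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(x509Certificate));
            generator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.ONE));
            return generator.generate(privateKey, cryptoContext.providerName());
        } catch (GeneralSecurityException e) {
            throw new CryptoFailure("Unable to generate CRL", e);
        }
    }

    /**
     * Issues a new CRL that carries every entry of {@code x509crl} plus one
     * entry revoking {@code x509Certificate2}, stamped with the given CRL number.
     *
     * <p>The revocation date written for the new entry is the CRL's own
     * thisUpdate instant.
     *
     * @param x509Certificate CA certificate whose subject becomes the CRL issuer
     * @param privateKey CA private key used to sign the CRL
     * @param x509Certificate2 certificate being revoked
     * @param revocationReason reason code recorded on the new entry
     * @param x509crl previous CRL whose entries are carried over
     * @param bigInteger CRL number of the new CRL
     * @return the signed CRL
     * @throws CryptoFailure if the provider rejects the operation
     */
    @Override
    public X509CRL updateX509CRL(X509Certificate x509Certificate, PrivateKey privateKey, X509Certificate x509Certificate2, RevocationReason revocationReason, X509CRL x509crl, BigInteger bigInteger) {
        try {
            X509V2CRLGenerator generator = new X509V2CRLGenerator();
            generator.setIssuerDN(x509Certificate.getSubjectX500Principal());
            DateTime thisUpdate = new DateTime().minus(Time.CLOCK_SKEW);
            generator.setThisUpdate(thisUpdate.toDate());
            generator.setNextUpdate(thisUpdate.plusHours(CRL_NEXT_UPDATE_HOURS).toDate());
            generator.setSignatureAlgorithm(SignatureAlgorithm.SHA256withRSA.jcaString());
            generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(x509Certificate));
            generator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(bigInteger));
            generator.addCRL(x509crl);
            generator.addCRLEntry(x509Certificate2.getSerialNumber(), thisUpdate.toDate(), revocationReason.reason());
            return generator.generate(privateKey, cryptoContext.providerName());
        } catch (GeneralSecurityException e) {
            throw new CryptoFailure("Unable to update CRL", e);
        }
    }

    /**
     * Wraps the given names as a PKCS#9 extensionRequest attribute holding a
     * non-critical SubjectAlternativeName extension.
     *
     * @param generalNames the alternative names, or {@code null}
     * @return the attribute set; empty when {@code generalNames} is {@code null}
     */
    private static DERSet generateSANAttribute(GeneralNames generalNames) {
        if (generalNames == null) {
            return new DERSet();
        }
        // The BouncyCastle X509Extensions(Vector, Vector) constructor used here
        // takes raw Vectors; the two lists are kept in parallel by index.
        Vector oids = new Vector();
        Vector values = new Vector();
        oids.add(X509Extensions.SubjectAlternativeName);
        values.add(new X509Extension(false, new DEROctetString(generalNames)));
        X509Extensions extensions = new X509Extensions(oids, values);
        Attribute extensionRequest = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions));
        return new DERSet(extensionRequest);
    }
}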
