package org.neo4j.test.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;

/* loaded from: input_file:org/neo4j/test/ssl/SelfSignedCertificateFactory.class */
public class SelfSignedCertificateFactory {
    private static final String DEFAULT_ENCRYPTION = "RSA";
    private final SecureRandom random;
    private static final String DEFAULT_KEY_FILE_NAME = "private.key";
    private static final String DEFAULT_CERT_FILE_NAME = "public.crt";
    private static final String DEFAULT_HOST_NAME = "localhost";
    private static final boolean useInsecureCertificateGeneration = Boolean.getBoolean("org.neo4j.useInsecureCertificateGeneration");
    private static final Date NOT_BEFORE = new Date(System.currentTimeMillis() - 31536000000L);
    private static final Date NOT_AFTER = new Date(253402300799000L);
    private static final Provider PROVIDER = new BouncyCastleProvider();
    private static volatile boolean cleanupRequired = true;

    public static void create(Path path) {
        create(path, DEFAULT_KEY_FILE_NAME, DEFAULT_CERT_FILE_NAME);
    }

    public static void create(Path path, String str, String str2) {
        SelfSignedCertificateFactory selfSignedCertificateFactory = new SelfSignedCertificateFactory();
        Path resolve = path.resolve(str);
        Path resolve2 = path.resolve(str2);
        if (Files.exists(resolve, new LinkOption[0]) || Files.exists(resolve2, new LinkOption[0])) {
            return;
        }
        try {
            selfSignedCertificateFactory.createSelfSignedCertificate(resolve2, resolve, DEFAULT_HOST_NAME);
        } catch (Exception e) {
            throw new RuntimeException("Failed to generate private key and certificate", e);
        }
    }

    public SelfSignedCertificateFactory() {
        this.random = useInsecureCertificateGeneration ? new InsecureRandom() : new SecureRandom();
    }

    public void createSelfSignedCertificate(Path path, Path path2, String str) throws GeneralSecurityException, IOException, OperatorCreationException {
        installCleanupHook(path, path2);
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(DEFAULT_ENCRYPTION);
        keyPairGenerator.initialize(2048, this.random);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        X500Name x500Name = new X500Name("CN=" + str);
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(x500Name, new BigInteger(64, this.random), NOT_BEFORE, NOT_AFTER, x500Name, generateKeyPair.getPublic());
        jcaX509v3CertificateBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(2, str)));
        PrivateKey privateKey = generateKeyPair.getPrivate();
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder("SHA512WithRSAEncryption").build(privateKey)));
        certificate.verify(generateKeyPair.getPublic());
        writePem("CERTIFICATE", certificate.getEncoded(), path);
        writePem("PRIVATE KEY", privateKey.getEncoded(), path2);
        cleanupRequired = false;
    }

    private static void installCleanupHook(Path path, Path path2) {
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            if (cleanupRequired) {
                System.err.println("Cleaning up partially generated self-signed certificate...");
                try {
                    if (Files.exists(path, new LinkOption[0])) {
                        Files.delete(path);
                    }
                    if (Files.exists(path2, new LinkOption[0])) {
                        Files.delete(path2);
                    }
                } catch (IOException e) {
                    System.err.println("Error cleaning up");
                    e.printStackTrace(System.err);
                }
            }
        }));
    }

    private void writePem(String str, byte[] bArr, Path path) throws IOException {
        Files.createDirectories(path.getParent(), new FileAttribute[0]);
        PemWriter pemWriter = new PemWriter(Files.newBufferedWriter(path, StandardCharsets.UTF_8, new OpenOption[0]));
        try {
            pemWriter.writeObject(new PemObject(str, bArr));
            pemWriter.flush();
            pemWriter.close();
            try {
                Files.setPosixFilePermissions(path, Set.of(PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_READ));
            } catch (UnsupportedOperationException e) {
                path.toFile().setReadable(false, false);
                path.toFile().setWritable(false, false);
                path.toFile().setReadable(true);
                path.toFile().setWritable(true);
            }
        } catch (Throwable th) {
            try {
                pemWriter.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    static {
        Security.addProvider(PROVIDER);
    }
}
