package tech.relaycorp.relaynet.wrappers.x509;

import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.sql.Date;
import java.time.LocalDateTime;
import java.time.chrono.ChronoLocalDateTime;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import tech.relaycorp.relaynet.wrappers.PRNGKt;

/* compiled from: Certificate.kt */
@Metadata(mv = {1, 1, 16}, bv = {1, 0, 3}, k = 1, d1 = {"��\u001a\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u0012\n\u0002\b\u0002\u0018�� \t2\u00020\u0001:\u0001\tB\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0007\u001a\u00020\bR\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n��\u001a\u0004\b\u0005\u0010\u0006¨\u0006\n"}, d2 = {"Ltech/relaycorp/relaynet/wrappers/x509/Certificate;", "", "certificateHolder", "Lorg/bouncycastle/cert/X509CertificateHolder;", "(Lorg/bouncycastle/cert/X509CertificateHolder;)V", "getCertificateHolder", "()Lorg/bouncycastle/cert/X509CertificateHolder;", "serialize", "", "Companion", "relaynet"})
/* loaded from: input_file:tech/relaycorp/relaynet/wrappers/x509/Certificate.class */
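/**
 * Thin wrapper around a BouncyCastle {@link X509CertificateHolder}, plus a
 * {@link Companion} factory that issues new X.509 v3 certificates signed with
 * {@code SHA256WithRSAEncryption}.
 *
 * <p>This is decompiled Kotlin: the {@code Intrinsics} calls are the compiler's null checks and
 * their string arguments are the original Kotlin expression/parameter names.
 */
public final class Certificate {

    /** The wrapped certificate; assigned once by the constructor. */
    @NotNull
    private final X509CertificateHolder certificateHolder;
    /** Signature algorithm name passed to the BouncyCastle algorithm-identifier finders. */
    private static final String DEFAULT_ALGORITHM = "SHA256WithRSAEncryption";
    public static final Companion Companion = new Companion(null);

    /* compiled from: Certificate.kt */
    @Metadata(mv = {1, 1, 16}, bv = {1, 0, 3}, k = 1, d1 = {"��\\\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n��\n\u0002\u0010\b\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\b\u0086\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0010\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\u0004H\u0002J\u0010\u0010\b\u001a\u00020\t2\u0006\u0010\n\u001a\u00020\u000bH\u0002JP\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u00042\u0006\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u00142\b\b\u0002\u0010\u0015\u001a\u00020\u00142\b\b\u0002\u0010\u0016\u001a\u00020\u00172\b\b\u0002\u0010\u0018\u001a\u00020\u00192\n\b\u0002\u0010\u001a\u001a\u0004\u0018\u00010\rJ\u0010\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u000f\u001a\u00020\u0010H\u0002J\u0010\u0010\u001d\u001a\u00020\u001e2\u0006\u0010\u001a\u001a\u00020\rH\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��¨\u0006\u001f"}, d2 = {"Ltech/relaycorp/relaynet/wrappers/x509/Certificate$Companion;", "", "()V", "DEFAULT_ALGORITHM", "", "buildDistinguishedName", "Lorg/bouncycastle/asn1/x500/X500Name;", "commonName", "getPublicKeyInfoDigest", "", "keyInfo", "Lorg/bouncycastle/asn1/x509/SubjectPublicKeyInfo;", "issue", "Ltech/relaycorp/relaynet/wrappers/x509/Certificate;", "subjectCommonName", "issuerPrivateKey", "Ljava/security/PrivateKey;", "subjectPublicKey", "Ljava/security/PublicKey;", "validityEndDate", "Ljava/time/LocalDateTime;", "validityStartDate", "isCA", "", "pathLenConstraint", "", "issuerCertificate", "makeSigner", "Lorg/bouncycastle/operator/ContentSigner;", "requireCertificateToBeCA", "", "relaynet"})
    /* loaded from: input_file:tech/relaycorp/relaynet/wrappers/x509/Certificate$Companion.class */
    public static final class Companion {
        /**
         * Issues a certificate for {@code publicKey}, signed with {@code privateKey}.
         *
         * <p>When {@code certificate} (the issuer certificate) is {@code null} the result is
         * self-issued: issuer name and authority key identifier are taken from the subject.
         * Otherwise the issuer certificate must carry a basic-constraints extension marked CA,
         * and the new certificate's issuer name is that certificate's <em>subject</em>, so that
         * name chaining between the two certificates holds.
         *
         * <p>NOTE(review): nothing here checks that {@code privateKey} corresponds to the public
         * key in {@code certificate} (or to {@code publicKey} when self-issued), that the
         * requested validity falls inside the issuer's, or that the issuer's own path-length
         * constraint permits another CA below it. Callers must enforce those.
         *
         * @param str subject common name ({@code subjectCommonName})
         * @param privateKey issuer's private key ({@code issuerPrivateKey}); must be RSA, since
         *     the signer is built with {@code BcRSAContentSignerBuilder}
         * @param publicKey subject's public key ({@code subjectPublicKey})
         * @param localDateTime end of validity ({@code validityEndDate})
         * @param localDateTime2 start of validity ({@code validityStartDate})
         * @param z whether the new certificate is a CA ({@code isCA})
         * @param i path-length constraint ({@code pathLenConstraint}); passed to
         *     {@code BasicConstraintsExtension} as-is — presumably validated there, confirm
         * @param certificate issuer certificate, or {@code null} to self-issue
         * @return the newly built and signed certificate
         * @throws CertificateException if the start date is not before the end date, or the
         *     issuer certificate is not a CA
         */
        @NotNull
        public final Certificate issue(@NotNull String str, @NotNull PrivateKey privateKey, @NotNull PublicKey publicKey, @NotNull LocalDateTime localDateTime, @NotNull LocalDateTime localDateTime2, boolean z, int i, @Nullable Certificate certificate) throws CertificateException {
            Intrinsics.checkParameterIsNotNull(str, "subjectCommonName");
            Intrinsics.checkParameterIsNotNull(privateKey, "issuerPrivateKey");
            Intrinsics.checkParameterIsNotNull(publicKey, "subjectPublicKey");
            Intrinsics.checkParameterIsNotNull(localDateTime, "validityEndDate");
            Intrinsics.checkParameterIsNotNull(localDateTime2, "validityStartDate");
            if (!localDateTime2.isBefore(localDateTime)) {
                throw new CertificateException("The end date must be later than the start date");
            }
            if (certificate != null) {
                requireCertificateToBeCA(certificate);
            }

            X500Name subjectName = buildDistinguishedName(str);
            // The issuer field must equal the issuing certificate's subject; using the issuing
            // certificate's own issuer would break name chaining below a non-root CA.
            X500Name issuerName = certificate != null ? certificate.getCertificateHolder().getSubject() : subjectName;
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());

            // Keep the time of day: truncating to the calendar date both backdates notBefore and
            // shortens notAfter, and can make the two equal for same-day validity periods.
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    issuerName,
                    PRNGKt.generateRandomBigInteger(),
                    toDate(localDateTime2),
                    toDate(localDateTime),
                    subjectName,
                    subjectPublicKeyInfo);

            // Basic constraints are marked critical so relying parties must honour the CA flag.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraintsExtension(z, i));

            Intrinsics.checkExpressionValueIsNotNull(subjectPublicKeyInfo, "subjectPublicKeyInfo");
            byte[] subjectKeyDigest = getPublicKeyInfoDigest(subjectPublicKeyInfo);
            builder.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(subjectKeyDigest));

            // Authority key identifier: digest of the issuer certificate's key, or of the
            // subject's own key when self-issued.
            byte[] authorityKeyDigest;
            if (certificate != null) {
                SubjectPublicKeyInfo issuerPublicKeyInfo = certificate.getCertificateHolder().getSubjectPublicKeyInfo();
                Intrinsics.checkExpressionValueIsNotNull(issuerPublicKeyInfo, "issuerCertificate.certif…lder.subjectPublicKeyInfo");
                authorityKeyDigest = getPublicKeyInfoDigest(issuerPublicKeyInfo);
            } else {
                authorityKeyDigest = subjectKeyDigest;
            }
            builder.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(authorityKeyDigest));

            X509CertificateHolder build = builder.build(makeSigner(privateKey));
            Intrinsics.checkExpressionValueIsNotNull(build, "builder.build(signerBuilder)");
            return new Certificate(build);
        }

        /**
         * Compiler-generated bridge for Kotlin default arguments of {@code issue}.
         *
         * <p>Each set bit in {@code i2} means the corresponding argument was omitted:
         * 16 → start date defaults to {@code LocalDateTime.now()}, 32 → {@code isCA} defaults to
         * {@code false}, 64 → path-length constraint defaults to 0, 128 → no issuer certificate.
         */
        public static /* synthetic */ Certificate issue$default(Companion companion, String str, PrivateKey privateKey, PublicKey publicKey, LocalDateTime localDateTime, LocalDateTime localDateTime2, boolean z, int i, Certificate certificate, int i2, Object obj) throws CertificateException {
            if ((i2 & 16) != 0) {
                LocalDateTime now = LocalDateTime.now();
                Intrinsics.checkExpressionValueIsNotNull(now, "LocalDateTime.now()");
                localDateTime2 = now;
            }
            if ((i2 & 32) != 0) {
                z = false;
            }
            if ((i2 & 64) != 0) {
                i = 0;
            }
            if ((i2 & 128) != 0) {
                certificate = null;
            }
            return companion.issue(str, privateKey, publicKey, localDateTime, localDateTime2, z, i, certificate);
        }

        /**
         * Converts a zone-less date-time to the {@code java.util.Date} BouncyCastle expects.
         *
         * <p>The value is interpreted in the JVM's default time zone, so the same
         * {@code LocalDateTime} yields different instants on hosts configured with different
         * zones. Fully qualified names are used because {@code Date} in this file refers to
         * {@code java.sql.Date}.
         */
        private java.util.Date toDate(LocalDateTime dateTime) {
            return java.util.Date.from(dateTime.atZone(java.time.ZoneId.systemDefault()).toInstant());
        }

        /**
         * Returns the SHA-256 digest of the encoded public key parsed out of {@code keyInfo};
         * used as the value of the subject and authority key identifier extensions.
         */
        private final byte[] getPublicKeyInfoDigest(SubjectPublicKeyInfo subjectPublicKeyInfo) {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            ASN1Primitive parsedKey = subjectPublicKeyInfo.parsePublicKey();
            Intrinsics.checkExpressionValueIsNotNull(parsedKey, "keyInfo.parsePublicKey()");
            byte[] digest = sha256.digest(parsedKey.getEncoded());
            Intrinsics.checkExpressionValueIsNotNull(digest, "digest.digest(keyInfo.parsePublicKey().encoded)");
            return digest;
        }

        /**
         * Builds a distinguished name holding a single commonName (CN) attribute.
         *
         * <p>The value must go under CN, not C: C is the countryName attribute, so a common name
         * stored there yields a malformed name that CN-based lookups will not find.
         */
        private final X500Name buildDistinguishedName(String str) {
            X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
            nameBuilder.addRDN(BCStyle.CN, str);
            X500Name build = nameBuilder.build();
            Intrinsics.checkExpressionValueIsNotNull(build, "builder.build()");
            return build;
        }

        /**
         * Rejects an issuer certificate that lacks the basic-constraints extension or whose
         * extension does not set the CA flag.
         *
         * <p>NOTE(review): only the CA flag is examined; the issuer's path-length constraint and
         * validity period are not checked here.
         */
        private final void requireCertificateToBeCA(Certificate certificate) {
            Extension basicConstraintsExtension = certificate.getCertificateHolder().getExtension(Extension.basicConstraints);
            if (basicConstraintsExtension == null) {
                throw new CertificateException("Issuer certificate should have basic constraints extension");
            }
            BasicConstraints basicConstraints = BasicConstraints.getInstance(basicConstraintsExtension.getParsedValue());
            Intrinsics.checkExpressionValueIsNotNull(basicConstraints, "issuerBasicConstraints");
            if (!basicConstraints.isCA()) {
                throw new CertificateException("Issuer certificate should be marked as CA");
            }
        }

        /**
         * Builds an RSA content signer for {@code DEFAULT_ALGORITHM} from the issuer's private
         * key. The key is re-parsed from its encoded form into BouncyCastle's lightweight key
         * parameters.
         */
        private final ContentSigner makeSigner(PrivateKey privateKey) {
            AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find(Certificate.DEFAULT_ALGORITHM);
            AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
            AsymmetricKeyParameter createKey = PrivateKeyFactory.createKey(privateKey.getEncoded());
            Intrinsics.checkExpressionValueIsNotNull(createKey, "PrivateKeyFactory.create…issuerPrivateKey.encoded)");
            ContentSigner build = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm).build(createKey);
            Intrinsics.checkExpressionValueIsNotNull(build, "contentSignerBuilder.build(privateKeyParam)");
            return build;
        }

        private Companion() {
        }

        /** Compiler-generated constructor used to create the singleton {@code Companion}. */
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /** Returns the encoded form of the wrapped certificate, as produced by the holder. */
    @NotNull
    public final byte[] serialize() {
        byte[] encoded = this.certificateHolder.getEncoded();
        Intrinsics.checkExpressionValueIsNotNull(encoded, "certificateHolder.encoded");
        return encoded;
    }

    /** Returns the wrapped BouncyCastle certificate holder. */
    @NotNull
    public final X509CertificateHolder getCertificateHolder() {
        return this.certificateHolder;
    }

    /**
     * Wraps an existing certificate holder.
     *
     * @param x509CertificateHolder the certificate to wrap ({@code certificateHolder}); must
     *     not be {@code null}
     */
    public Certificate(@NotNull X509CertificateHolder x509CertificateHolder) {
        Intrinsics.checkParameterIsNotNull(x509CertificateHolder, "certificateHolder");
        this.certificateHolder = x509CertificateHolder;
    }
}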
