package org.zz.gmhelper.cert;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

/* loaded from: input_file:BOOT-INF/lib/infras-crypto-0.1.3-SNAPSHOT.jar:org/zz/gmhelper/cert/SM2X509CertMaker.class */
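/**
 * Issues SM2 (SM3withSM2) X.509 v3 certificates from PKCS#10 requests, acting as a
 * root CA, a sub-CA or an end-entity issuer depending on which {@code make*} method
 * is called. The issuer key pair, issuer DN, validity period and serial allocator
 * are fixed at construction; every certificate produced is signed with the issuer
 * private key and self-checked against the issuer public key before being returned.
 *
 * <p>Security-relevant behaviour:
 * <ul>
 *   <li>The CSR signature is verified against the key it carries (proof of
 *       possession) before anything is issued.</li>
 *   <li>End-entity certificates always get {@code BasicConstraints CA:FALSE} and may
 *       never carry {@code keyCertSign}; CA certificates get {@code CA:TRUE} with the
 *       optional path-length constraint.</li>
 *   <li>A root certificate must be self-issued: the CSR subject must equal the
 *       issuer DN and the CSR key must be the issuer's own public key.</li>
 * </ul>
 */
public class SM2X509CertMaker {
    public static final String SIGN_ALGO_SM3WITHSM2 = "SM3withSM2";

    /** Certificate validity in milliseconds; notAfter = notBefore + certExpire. */
    private final long certExpire;
    private final X500Name issuerDN;
    private final CertSNAllocator snAllocator;
    private final KeyPair issuerKeyPair;

    /** Position of the certificate in the hierarchy; drives BasicConstraints and the subject/issuer checks. */
    public enum CertLevel {
        RootCA,
        SubCA,
        EndEntity
    }

    /**
     * @param issuerKeyPair  key pair used to sign every issued certificate (the EC/SM2 key of this CA)
     * @param validityMillis validity period in milliseconds, applied from "now" at issuance time; must be positive
     * @param issuerDN       distinguished name written into the issuer field of every certificate
     * @param snAllocator    source of unique serial numbers
     * @throws NullPointerException     if any object argument is null
     * @throws IllegalArgumentException if {@code validityMillis} is not positive (notAfter would not be after notBefore)
     */
    public SM2X509CertMaker(KeyPair issuerKeyPair, long validityMillis, X500Name issuerDN, CertSNAllocator snAllocator) {
        this.issuerKeyPair = Objects.requireNonNull(issuerKeyPair, "issuerKeyPair");
        this.issuerDN = Objects.requireNonNull(issuerDN, "issuerDN");
        this.snAllocator = Objects.requireNonNull(snAllocator, "snAllocator");
        if (validityMillis <= 0) {
            throw new IllegalArgumentException("certificate validity must be positive (ms): " + validityMillis);
        }
        this.certExpire = validityMillis;
    }

    /**
     * Issues a self-signed root CA certificate (CA:TRUE, no path-length limit,
     * keyUsage = keyCertSign | cRLSign). The CSR subject must equal the issuer DN
     * and the CSR key must be this maker's own public key.
     *
     * @param csr DER-encoded PKCS#10 request
     * @throws Exception on a malformed or unverifiable CSR, a subject/key mismatch, or a signing failure
     */
    public X509Certificate makeRootCACert(byte[] csr) throws Exception {
        KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
        return makeCertificate(CertLevel.RootCA, null, csr, usage, null);
    }

    /**
     * Issues a subordinate CA certificate (CA:TRUE, pathLenConstraint = 0,
     * keyUsage = keyCertSign | cRLSign). The CSR subject must differ from the issuer DN.
     *
     * @param csr DER-encoded PKCS#10 request
     * @throws Exception on a malformed or unverifiable CSR, a subject clash with the issuer, or a signing failure
     */
    public X509Certificate makeSubCACert(byte[] csr) throws Exception {
        KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
        return makeCertificate(CertLevel.SubCA, 0, csr, usage, null);
    }

    /**
     * Issues a TLS end-entity certificate with EKU clientAuth + serverAuth.
     * Because serverAuth is present the CSR must carry a CN, which is copied into a
     * dNSName subjectAltName.
     *
     * @param csr DER-encoded PKCS#10 request
     * @throws Exception see {@link #makeEndEntityCert(byte[], KeyPurposeId[])}
     */
    public X509Certificate makeSSLEndEntityCert(byte[] csr) throws Exception {
        return makeEndEntityCert(csr, new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth});
    }

    /**
     * Issues an end-entity certificate (CA:FALSE; keyUsage = digitalSignature |
     * keyEncipherment | dataEncipherment | keyAgreement) with the given extended key usages.
     *
     * <p>Previously this method issued at {@link CertLevel#SubCA}, which produced leaf
     * certificates marked {@code CA:TRUE} and bypassed the keyCertSign guard; it now
     * issues at {@link CertLevel#EndEntity}.
     *
     * @param csr               DER-encoded PKCS#10 request
     * @param extendedKeyUsages EKU OIDs to set; may be null for no EKU extension
     * @throws Exception on a malformed or unverifiable CSR, a missing CN when serverAuth is requested, or a signing failure
     */
    public X509Certificate makeEndEntityCert(byte[] csr, KeyPurposeId[] extendedKeyUsages) throws Exception {
        KeyUsage usage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment | KeyUsage.keyAgreement);
        return makeCertificate(CertLevel.EndEntity, null, csr, usage, extendedKeyUsages);
    }

    /**
     * Core issuance routine shared by all public entry points.
     *
     * @param certLevel         hierarchy level; selects BasicConstraints and the subject/issuer rules
     * @param pathLenConstraint pathLenConstraint for CA certificates, or null for unlimited; ignored for end entities
     * @param csrBytes          DER-encoded PKCS#10 request
     * @param keyUsage          KeyUsage extension value (marked critical)
     * @param extendedKeyUsages EKU list, or null for no EKU extension
     * @return the issued certificate, already verified against the issuer public key
     * @throws IllegalArgumentException for policy violations (keyCertSign on an end entity, failed CSR proof of
     *                                  possession, subject/issuer or key mismatch, missing CN for serverAuth)
     * @throws Exception                for parsing, encoding, signing or verification failures from BC/JCA
     */
    private X509Certificate makeCertificate(CertLevel certLevel, Integer pathLenConstraint, byte[] csrBytes,
                                            KeyUsage keyUsage, KeyPurposeId[] extendedKeyUsages) throws Exception {
        if (certLevel == CertLevel.EndEntity && keyUsage.hasUsages(KeyUsage.keyCertSign)) {
            throw new IllegalArgumentException("keyusage keyCertSign is not allowed in EndEntity Certificate");
        }

        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(csrBytes);
        SubjectPublicKeyInfo subjectPublicKeyInfo = csr.getSubjectPublicKeyInfo();

        // Proof of possession: the CSR must be signed by the private key matching the key
        // it asks us to certify. Without this a requester could obtain a certificate
        // binding their chosen subject to someone else's public key.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .build(subjectPublicKeyInfo))) {
            throw new IllegalArgumentException("CSR signature does not verify against the CSR public key");
        }

        PrivateKey issuerPrivateKey = this.issuerKeyPair.getPrivate();
        PublicKey issuerPublicKey = this.issuerKeyPair.getPublic();
        SubjectPublicKeyInfo issuerPublicKeyInfo = SubjectPublicKeyInfo.getInstance(issuerPublicKey.getEncoded());

        // Walk the CSR subject: an emailAddress RDN is removed from the DN and moved to the
        // SAN; the CN is remembered for a dNSName SAN when serverAuth is requested.
        // Only the first AVA of each RDN is inspected (multi-valued RDNs keep extra AVAs as-is).
        String emailAddress = null;
        String commonName = null;
        X500Name subject = csr.getSubject();
        RDN[] requestedRdns = subject.getRDNs();
        List<RDN> keptRdns = new ArrayList<RDN>(requestedRdns.length);
        for (RDN rdn : requestedRdns) {
            AttributeTypeAndValue first = rdn.getFirst();
            ASN1ObjectIdentifier type = first.getType();
            if (BCStyle.EmailAddress.equals(type)) {
                emailAddress = IETFUtils.valueToString(first.getValue());
            } else {
                if (BCStyle.CN.equals(type)) {
                    commonName = IETFUtils.valueToString(first.getValue());
                }
                keptRdns.add(rdn);
            }
        }

        List<GeneralName> subjectAltNames = new ArrayList<GeneralName>();
        if (emailAddress != null) {
            subject = new X500Name(keptRdns.toArray(new RDN[0]));
            // validate=true rejects non-IA5 characters rather than silently encoding them
            subjectAltNames.add(new GeneralName(GeneralName.rfc822Name, new DERIA5String(emailAddress, true)));
        }

        boolean selfIssuedEndEntity = false;
        switch (certLevel) {
            case RootCA:
                if (!this.issuerDN.equals(subject)) {
                    throw new IllegalArgumentException("subject != issuer for certLevel " + CertLevel.RootCA);
                }
                // A root is self-signed: the certified key must be the key that signs it,
                // otherwise the result is a cross-issued cert masquerading as a root.
                if (!issuerPublicKeyInfo.equals(subjectPublicKeyInfo)) {
                    throw new IllegalArgumentException("CSR public key != issuer public key for certLevel " + CertLevel.RootCA);
                }
                subject = this.issuerDN;
                break;
            case SubCA:
                if (this.issuerDN.equals(subject)) {
                    throw new IllegalArgumentException("subject MUST not equals issuer for certLevel " + certLevel);
                }
                break;
            case EndEntity:
                // An end entity whose subject equals the issuer DN is treated as self-issued:
                // the issuer DN is used verbatim and no authorityKeyIdentifier is added.
                if (this.issuerDN.equals(subject)) {
                    selfIssuedEndEntity = true;
                    subject = this.issuerDN;
                }
                break;
        }

        BigInteger serialNumber = this.snAllocator.nextSerialNumber();
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + this.certExpire);
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
            this.issuerDN, serialNumber, notBefore, notAfter, subject, subjectPublicKeyInfo);

        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.subjectKeyIdentifier, false,
            extensionUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo));
        if (certLevel != CertLevel.RootCA && !selfIssuedEndEntity) {
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(issuerPublicKeyInfo));
        }

        BasicConstraints basicConstraints;
        if (certLevel == CertLevel.EndEntity) {
            basicConstraints = new BasicConstraints(false);
        } else if (pathLenConstraint == null) {
            basicConstraints = new BasicConstraints(true);
        } else {
            basicConstraints = new BasicConstraints(pathLenConstraint.intValue());
        }
        builder.addExtension(Extension.basicConstraints, true, basicConstraints);
        builder.addExtension(Extension.keyUsage, true, keyUsage);

        if (extendedKeyUsages != null) {
            builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(extendedKeyUsages));
            if (containsServerAuth(extendedKeyUsages)) {
                if (commonName == null) {
                    throw new IllegalArgumentException("commonName must not be null");
                }
                // The CN is copied as a dNSName unconditionally; a CN holding an IP address
                // would need an iPAddress GeneralName instead, which is not handled here.
                subjectAltNames.add(new GeneralName(GeneralName.dNSName, new DERIA5String(commonName, true)));
            }
        }
        if (!subjectAltNames.isEmpty()) {
            builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(subjectAltNames.toArray(new GeneralName[0])));
        }

        X509Certificate certificate = new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .getCertificate(builder.build(makeContentSignerBuilder(issuerPublicKey).build(issuerPrivateKey)));
        // Fail loudly if the freshly produced signature does not verify with the issuer key.
        certificate.verify(issuerPublicKey);
        return certificate;
    }

    /** True if {@code id_kp_serverAuth} appears anywhere in the given EKU list. */
    private static boolean containsServerAuth(KeyPurposeId[] extendedKeyUsages) {
        for (KeyPurposeId purpose : extendedKeyUsages) {
            if (KeyPurposeId.id_kp_serverAuth.equals(purpose)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the SM3withSM2 content signer for the issuer key, using the BC provider.
     *
     * @param publicKey issuer public key; only used to confirm the key is an EC (SM2) key
     * @throws IllegalArgumentException if the issuer key is not an EC key
     */
    private JcaContentSignerBuilder makeContentSignerBuilder(PublicKey publicKey) throws Exception {
        if (!"EC".equals(publicKey.getAlgorithm())) {
            throw new IllegalArgumentException("Unsupported PublicKey Algorithm:" + publicKey.getAlgorithm());
        }
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGN_ALGO_SM3WITHSM2);
        signerBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME);
        return signerBuilder;
    }
}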
