package com.yahoo.security;

import com.yahoo.security.SubjectAlternativeName;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.OperatorException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

/* loaded from: input_file:com/yahoo/security/X509CertificateBuilder.class */
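/**
 * Fluent builder for X.509 v3 certificates backed by Bouncy Castle.
 *
 * <p>Instances are created through {@link #fromCsr} (certificate issued for the subject and
 * public key of a PKCS#10 request, signed with a CA key) or {@link #fromKeypair} (self-signed
 * certificate). The only extensions {@link #build()} emits are BasicConstraints and
 * SubjectAlternativeName; no KeyUsage or ExtendedKeyUsage extension is added by this class.
 *
 * <p>Instances are mutable and not synchronized.
 */
public class X509CertificateBuilder {
    private final BigInteger serialNumber;
    private final SignatureAlgorithm signingAlgorithm;
    // Key that signs the certificate: the CA key for fromCsr, the key pair's own private key
    // for fromKeypair.
    private final PrivateKey caPrivateKey;
    private final Instant notBefore;
    private final Instant notAfter;
    private final List<SubjectAlternativeName> subjectAlternativeNames = new ArrayList<>();
    private final X500Principal issuer;
    private final X500Principal subject;
    private final PublicKey certPublicKey;
    // Null until setBasicConstraints/setIsCertAuthority is called; null means the extension
    // is omitted from the certificate.
    private BasicConstraintsExtension basicConstraintsExtension;

    private X509CertificateBuilder(X500Principal issuer, X500Principal subject, Instant notBefore, Instant notAfter, PublicKey certPublicKey, PrivateKey caPrivateKey, SignatureAlgorithm signingAlgorithm, BigInteger serialNumber) {
        this.issuer = issuer;
        this.subject = subject;
        this.notBefore = notBefore;
        this.notAfter = notAfter;
        this.certPublicKey = certPublicKey;
        this.caPrivateKey = caPrivateKey;
        this.signingAlgorithm = signingAlgorithm;
        this.serialNumber = serialNumber;
    }

    /**
     * Creates a builder for a certificate issued in response to a PKCS#10 request.
     *
     * <p>Only the subject name and the public key are taken from the request. Extensions
     * requested inside the CSR (for example subject alternative names) are not copied; the
     * caller decides which names to certify via {@code addSubjectAlternativeName}.
     *
     * <p>This method does not check the CSR's self-signature, so it does not by itself
     * establish that the requester holds the private key. NOTE(review): confirm that proof of
     * possession is verified by {@code Pkcs10Csr} or by the caller before a certificate is issued.
     *
     * @param pkcs10Csr the certification request supplying subject and public key
     * @param x500Principal the issuer (CA) distinguished name
     * @param instant start of the validity period (notBefore)
     * @param instant2 end of the validity period (notAfter)
     * @param privateKey the CA private key used to sign the certificate
     * @param signatureAlgorithm the signature algorithm used with {@code privateKey}
     * @param bigInteger the certificate serial number
     * @return a new builder
     * @throws UncheckedIOException if the CSR subject cannot be encoded
     * @throws RuntimeException wrapping a {@link GeneralSecurityException} if the public key
     *     cannot be extracted from the CSR
     */
    public static X509CertificateBuilder fromCsr(Pkcs10Csr pkcs10Csr, X500Principal x500Principal, Instant instant, Instant instant2, PrivateKey privateKey, SignatureAlgorithm signatureAlgorithm, BigInteger bigInteger) {
        try {
            PKCS10CertificationRequest bcCsr = pkcs10Csr.getBcCsr();
            X500Principal csrSubject = new X500Principal(bcCsr.getSubject().getEncoded());
            PublicKey csrPublicKey = new JcaPKCS10CertificationRequest(bcCsr)
                    .setProvider(BouncyCastleProviderHolder.getInstance())
                    .getPublicKey();
            return new X509CertificateBuilder(x500Principal, csrSubject, instant, instant2, csrPublicKey, privateKey, signatureAlgorithm, bigInteger);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates a builder for a self-signed certificate: issuer and subject are the same name,
     * and the certificate is signed with the private half of the certified key pair.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs
     * @param x500Principal distinguished name used as both issuer and subject
     * @param instant start of the validity period (notBefore)
     * @param instant2 end of the validity period (notAfter)
     * @param signatureAlgorithm the signature algorithm used with the private key
     * @param bigInteger the certificate serial number
     * @return a new builder
     */
    public static X509CertificateBuilder fromKeypair(KeyPair keyPair, X500Principal x500Principal, Instant instant, Instant instant2, SignatureAlgorithm signatureAlgorithm, BigInteger bigInteger) {
        return new X509CertificateBuilder(x500Principal, x500Principal, instant, instant2, keyPair.getPublic(), keyPair.getPrivate(), signatureAlgorithm, bigInteger);
    }

    /**
     * Generates a random, strictly positive serial number of at most 128 bits.
     *
     * @return a positive serial number drawn from {@link SecureRandom}
     */
    public static BigInteger generateRandomSerialNumber() {
        SecureRandom random = new SecureRandom();
        BigInteger serial;
        // BigInteger(numBits, rnd) is uniform over [0, 2^128 - 1], so zero is a possible draw.
        // RFC 5280 section 4.1.2.2 requires the serial number to be a positive integer.
        do {
            serial = new BigInteger(128, random);
        } while (serial.signum() == 0);
        return serial;
    }

    /**
     * Adds a DNS-name subject alternative name.
     *
     * @param str the DNS name
     * @return this builder
     */
    public X509CertificateBuilder addSubjectAlternativeName(String str) {
        return addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, str);
    }

    /**
     * Adds a subject alternative name.
     *
     * @param subjectAlternativeName the name to add
     * @return this builder
     */
    public X509CertificateBuilder addSubjectAlternativeName(SubjectAlternativeName subjectAlternativeName) {
        this.subjectAlternativeNames.add(subjectAlternativeName);
        return this;
    }

    /**
     * Adds a subject alternative name of the given type.
     *
     * @param type the kind of name
     * @param str the name value
     * @return this builder
     */
    public X509CertificateBuilder addSubjectAlternativeName(SubjectAlternativeName.Type type, String str) {
        this.subjectAlternativeNames.add(new SubjectAlternativeName(type, str));
        return this;
    }

    /**
     * Sets the BasicConstraints extension, replacing any previous setting.
     *
     * @param z whether the extension is marked critical
     * @param z2 whether the certificate is a CA certificate
     * @return this builder
     */
    public X509CertificateBuilder setBasicConstraints(boolean z, boolean z2) {
        this.basicConstraintsExtension = new BasicConstraintsExtension(z, z2);
        return this;
    }

    /**
     * Sets a critical BasicConstraints extension with the given CA flag.
     *
     * <p>{@link #build()} encodes the CA flag without a path length constraint, so a
     * certificate built with {@code true} places no limit on the depth of the chain below it.
     *
     * @param z whether the certificate is a CA certificate
     * @return this builder
     */
    public X509CertificateBuilder setIsCertAuthority(boolean z) {
        return setBasicConstraints(true, z);
    }

    /**
     * Builds and signs the certificate.
     *
     * <p>The validity period is used as given; this method does not check that notAfter is
     * later than notBefore.
     *
     * @return the signed certificate
     * @throws RuntimeException wrapping an {@link OperatorException} or
     *     {@link GeneralSecurityException} if signing or conversion fails
     * @throws UncheckedIOException if an extension cannot be encoded
     */
    public X509Certificate build() {
        try {
            JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
                    this.issuer,
                    this.serialNumber,
                    Date.from(this.notBefore),
                    Date.from(this.notAfter),
                    this.subject,
                    this.certPublicKey);
            if (this.basicConstraintsExtension != null) {
                // BasicConstraints(boolean) carries only the CA flag; no pathLenConstraint is set.
                certificateBuilder.addExtension(
                        org.bouncycastle.asn1.x509.Extension.basicConstraints,
                        this.basicConstraintsExtension.isCritical,
                        new BasicConstraints(this.basicConstraintsExtension.isCertAuthorityCertificate));
            }
            if (!this.subjectAlternativeNames.isEmpty()) {
                GeneralName[] names = this.subjectAlternativeNames.stream()
                        .map(SubjectAlternativeName::toGeneralName)
                        .toArray(GeneralName[]::new);
                // The SAN extension is always emitted as non-critical. RFC 5280 section 4.2.1.6
                // requires it to be critical when the subject DN is empty; this builder does not
                // handle that case.
                certificateBuilder.addExtension(
                        org.bouncycastle.asn1.x509.Extension.subjectAlternativeName,
                        false,
                        new GeneralNames(names));
            }
            return new JcaX509CertificateConverter()
                    .setProvider(BouncyCastleProviderHolder.getInstance())
                    .getCertificate(certificateBuilder.build(
                            new JcaContentSignerBuilder(this.signingAlgorithm.getAlgorithmName())
                                    .setProvider(BouncyCastleProviderHolder.getInstance())
                                    .build(this.caPrivateKey)));
        } catch (OperatorException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}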
