package be.fgov.ehealth.technicalconnector.ra.utils;

import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.utils.ConnectorCryptoUtils;
import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.fgov.ehealth.technicalconnector.ra.domain.DistinguishedName;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.lang3.ArrayUtils;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.joda.time.DateTime;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/ra/utils/CertificateUtils.class */
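/**
 * Certificate helpers for the {@code ra} package: key pair generation, PKCS#10 request
 * creation, X.509 certificate generation and recovery of a serial number from an ETK challenge.
 * Algorithm names, key sizes and the dummy-certificate subject are read from
 * {@link RaPropertiesLoader}.
 * <p>
 * Loading this class registers the BouncyCastle provider (see the static initializer), which is
 * why the builders below can refer to it by name via {@link #PROVIDER}.
 */
public class CertificateUtils {
    /** JCA provider name used for certificate conversion and CSR signing. */
    private static final String PROVIDER = "BC";
    /**
     * Length in bytes of the digest that trails an ETK challenge (see {@link #obtainSerialNumber}).
     * Expected to match the output size of the digest configured under
     * {@code RaPropertiesLoader.ETK_CHALLENGE_DIGEST} -- confirm against the RA configuration.
     */
    private static final int CHALLENGE_DIGEST_LENGTH = 32;
    /** Length in bytes of the serial number carried at the start of the decrypted challenge. */
    private static final int CHALLENGE_SERIAL_LENGTH = 16;
    /** Key usage asserted (as a critical extension) on every certificate this class generates: encipherment only, no signing. */
    private static final int GENERATED_KEY_USAGE = KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
    /** Shared X.509 factory used by {@link #toX509Certificate}. NOTE(review): assumed safe for concurrent generateCertificate calls -- the JDK does not document this; confirm. */
    private static final CertificateFactory CF;

    /**
     * Generates a fresh key pair using the algorithm and key size configured under
     * {@code RaPropertiesLoader.AUTH_KEY_ALGO} and {@code RaPropertiesLoader.AUTH_KEY_SIZE},
     * seeded from a new {@link SecureRandom}.
     *
     * @return the generated key pair
     * @throws IllegalArgumentException if the configured algorithm is unknown to the installed
     *         providers, or if the configured key size is missing, non-numeric or not positive
     */
    public static KeyPair generateKeyPair() {
        String algorithm = RaPropertiesLoader.getProperty(RaPropertiesLoader.AUTH_KEY_ALGO);
        // Default "0" makes a missing property fail the size check below instead of reaching the generator.
        int keySize = Integer.parseInt(RaPropertiesLoader.getProperty(RaPropertiesLoader.AUTH_KEY_SIZE, "0"));
        if (keySize <= 0) {
            throw new IllegalArgumentException("key size for " + algorithm + " must be a positive number of bits, but was " + keySize);
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm);
            generator.initialize(keySize, new SecureRandom());
            return generator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(algorithm + " key algorithm is unknown to the security provider", e);
        }
    }

    /**
     * Builds a DER-encoded PKCS#10 certification request for the given subject, containing the
     * public key of {@code keyPair} and signed with its private key using the algorithm configured
     * under {@code RaPropertiesLoader.SIGNATURE_ALGORITHM}.
     *
     * @param distinguishedName subject of the request; its normalized eHealth DN string is used
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @return the DER encoding of the request
     * @throws IllegalArgumentException if the signer cannot be created or the request cannot be encoded
     */
    public static byte[] createCSR(DistinguishedName distinguishedName, KeyPair keyPair) {
        X500Principal subject = new X500Principal(distinguishedName.asNormalizedEhealthDN());
        String signatureAlgorithm = RaPropertiesLoader.getProperty(RaPropertiesLoader.SIGNATURE_ALGORITHM);
        try {
            // The provider is registered by the static initializer, so it is referenced by name here,
            // consistently with the certificate builders below.
            return new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic())
                    .build(new JcaContentSignerBuilder(signatureAlgorithm).setProvider(PROVIDER).build(keyPair.getPrivate()))
                    .getEncoded();
        } catch (OperatorCreationException e) {
            throw new IllegalArgumentException(e);
        } catch (IOException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Generates an X.509 certificate for {@code publicKey}, signed with the private key of
     * {@code credential}. Issuer and subject are both the subject of the credential's own
     * certificate, and the validity period is copied from that certificate; the signature
     * algorithm is the one of the credential's certificate. The only key usage asserted is
     * encipherment (critical extension).
     *
     * @param publicKey public key to certify
     * @param serialNumber serial number to place in the certificate (caller supplied;
     *        {@link #obtainSerialNumber} recovers one from an ETK challenge)
     * @param credential signer: source of the issuer name, validity period, signature algorithm and signing key
     * @return the generated certificate
     * @throws TechnicalConnectorException if the credential cannot provide its certificate or private key
     * @throws IllegalArgumentException if the extension cannot be encoded, the signer cannot be
     *         created or the result cannot be converted to a JCA certificate
     */
    public static X509Certificate generateCert(PublicKey publicKey, BigInteger serialNumber, Credential credential) throws TechnicalConnectorException {
        try {
            X509Certificate issuerCert = credential.getCertificate();
            X500Principal issuerAndSubject = issuerCert.getSubjectX500Principal();
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                    issuerAndSubject, serialNumber, issuerCert.getNotBefore(), issuerCert.getNotAfter(), issuerAndSubject, publicKey);
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(GENERATED_KEY_USAGE));
            return new JcaX509CertificateConverter().setProvider(PROVIDER)
                    .getCertificate(builder.build(new JcaContentSignerBuilder(issuerCert.getSigAlgName()).build(credential.getPrivateKey())));
        } catch (IOException e) {
            throw new IllegalArgumentException(e);
        } catch (CertificateException e) {
            throw new IllegalArgumentException(e);
        } catch (OperatorCreationException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Generates a self-signed dummy certificate for {@code keyPair}. Subject and issuer are the
     * DN configured under {@code RaPropertiesLoader.DUMMYCERT_SUBJECT}, the serial number is zero,
     * and the validity window is one minute starting one day before creation -- so the
     * certificate is already expired when it is produced. The signature algorithm is read from
     * {@code RaPropertiesLoader.DUMMYCERT_SIGNATURE_ALGORITHM}.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs the certificate
     * @return the generated certificate
     * @throws IllegalArgumentException if the extension cannot be encoded, the signer cannot be
     *         created or the result cannot be converted to a JCA certificate
     */
    public static X509Certificate generateCert(KeyPair keyPair) {
        try {
            X500Principal subject = new X500Principal(RaPropertiesLoader.getProperty(RaPropertiesLoader.DUMMYCERT_SUBJECT));
            // Derive both bounds from one instant so the window is exactly one minute long.
            DateTime notBefore = new DateTime().minusDays(1);
            DateTime notAfter = notBefore.plusMinutes(1);
            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                    subject, BigInteger.ZERO, notBefore.toDate(), notAfter.toDate(), subject, keyPair.getPublic());
            builder.addExtension(Extension.keyUsage, true, new KeyUsage(GENERATED_KEY_USAGE));
            String signatureAlgorithm = RaPropertiesLoader.getProperty(RaPropertiesLoader.DUMMYCERT_SIGNATURE_ALGORITHM);
            return new JcaX509CertificateConverter().setProvider(PROVIDER)
                    .getCertificate(builder.build(new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate())));
        } catch (OperatorCreationException e) {
            throw new IllegalArgumentException(e);
        } catch (IOException e) {
            throw new IllegalArgumentException(e);
        } catch (CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Recovers the serial number carried by an ETK challenge.
     * <p>
     * The challenge is laid out as {@code encryptedSerial || digest}, where the last
     * {@link #CHALLENGE_DIGEST_LENGTH} bytes are a digest and the rest is the encrypted serial
     * number. The encrypted part is decrypted with {@code privateKey} (cipher from
     * {@code RaPropertiesLoader.ETK_CHALLENGE_CIPHER}), the first {@link #CHALLENGE_SERIAL_LENGTH}
     * bytes of the plaintext are the serial number, and their digest (algorithm from
     * {@code RaPropertiesLoader.ETK_CHALLENGE_DIGEST}) must match the trailing digest. The digest
     * comparison is constant-time so that a mismatch does not leak how many bytes agreed.
     *
     * @param privateKey key used to decrypt the challenge
     * @param challenge the challenge bytes; must be longer than {@link #CHALLENGE_DIGEST_LENGTH}
     * @return the serial number, interpreted as an unsigned big-endian integer
     * @throws TechnicalConnectorException if decryption or digest calculation fails
     * @throws IllegalArgumentException if the challenge is null or too short, if the decrypted
     *         content is shorter than a serial number, or if the digest check fails
     */
    public static BigInteger obtainSerialNumber(PrivateKey privateKey, byte[] challenge) throws TechnicalConnectorException {
        if (challenge == null || challenge.length <= CHALLENGE_DIGEST_LENGTH) {
            throw new IllegalArgumentException("The challenge is not valid because it is too short to contain an encrypted serial nr followed by a "
                    + CHALLENGE_DIGEST_LENGTH + "-byte digest.");
        }
        int digestOffset = challenge.length - CHALLENGE_DIGEST_LENGTH;
        byte[] encryptedSerial = Arrays.copyOfRange(challenge, 0, digestOffset);
        byte[] expectedDigest = Arrays.copyOfRange(challenge, digestOffset, challenge.length);

        byte[] decrypted = ConnectorCryptoUtils.decrypt(privateKey, RaPropertiesLoader.getProperty(RaPropertiesLoader.ETK_CHALLENGE_CIPHER), encryptedSerial);
        if (decrypted == null || decrypted.length < CHALLENGE_SERIAL_LENGTH) {
            throw new IllegalArgumentException("The challenge is not valid because the decrypted content is shorter than the "
                    + CHALLENGE_SERIAL_LENGTH + "-byte serial nr.");
        }
        byte[] serial = Arrays.copyOfRange(decrypted, 0, CHALLENGE_SERIAL_LENGTH);
        byte[] actualDigest = ConnectorCryptoUtils.calculateDigest(RaPropertiesLoader.getProperty(RaPropertiesLoader.ETK_CHALLENGE_DIGEST), serial);
        // MessageDigest.isEqual rather than Arrays.equals: constant-time comparison of the digests.
        if (!MessageDigest.isEqual(expectedDigest, actualDigest)) {
            throw new IllegalArgumentException("The challenge is not valid because the hash of the decrypted serial nr found inside the challenge is not equal to the hashed serial nr attached to the challenge.");
        }
        // signum 1: treat the bytes as an unsigned magnitude (same result as prepending a zero sign byte).
        return new BigInteger(1, serial);
    }

    /**
     * Parses a DER- or PEM-encoded X.509 certificate.
     *
     * @param encoded the encoded certificate; must not be null
     * @return the parsed certificate
     * @throws IllegalArgumentException if the bytes do not parse as an X.509 certificate
     */
    public static X509Certificate toX509Certificate(byte[] encoded) {
        ByteArrayInputStream in = new ByteArrayInputStream(encoded);
        try {
            return (X509Certificate) CF.generateCertificate(in);
        } catch (CertificateException e) {
            throw new IllegalArgumentException(e);
        } finally {
            ConnectorIOUtils.closeQuietly(in);
        }
    }

    static {
        // Makes the provider resolvable by name (PROVIDER). Security.addProvider is a no-op when a
        // provider with the same name is already installed, so an earlier registration wins.
        Security.addProvider(new BouncyCastleProvider());
        try {
            CF = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalArgumentException(e);
        }
    }
}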
