package org.ow2.contrail.provider.vep.Certificate;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Calendar;
import java.util.Date;
import org.apache.commons.codec.binary.Hex;
import org.apache.log4j.Logger;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DEREncodable;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DigestInfo;
import org.bouncycastle.asn1.x509.RSAPublicKeyStructure;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.asn1.x509.X509CertificateStructure;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.DataLengthException;
import org.bouncycastle.crypto.digests.SHA1Digest;
import org.bouncycastle.crypto.encodings.PKCS1Encoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.provider.X509CertificateObject;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;

/* loaded from: input_file:org/ow2/contrail/provider/vep/Certificate/X509CertificateGenerator.class */
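/**
 * Issues RSA end-entity certificates signed by a CA whose private key and certificate are
 * loaded from a PKCS#12 keystore, and exports each result (key, certificate, CA certificate)
 * as a new PKCS#12 file.
 *
 * <p>Key generation and signing can run either through the Bouncycastle lightweight API or
 * through the JCE API ({@code useBCAPI}); both paths sign the same DER-encoded TBSCertificate
 * with SHA1withRSA and the result is verified against the CA public key before export.
 * Instances are immutable after construction; thread-safety of the underlying providers is
 * not documented here.
 */
public class X509CertificateGenerator {
    private static final Logger logger = Logger.getLogger(X509CertificateGenerator.class);

    /** Keystore type used both for the CA input file and for the generated output file. */
    private static final String KEYSTORE_TYPE = "PKCS12";
    /**
     * Signature algorithm name, resolved to an OID through {@code X509Util}. SHA-1 signatures
     * are deprecated by current guidance; the value is kept so that the certificates produced
     * stay compatible with existing consumers.
     */
    private static final String SIGNATURE_ALGORITHM = "SHA1WithRSAEncryption";
    /** RSA modulus size of generated subject keys; 1024 bits is below current (>= 2048) guidance. */
    private static final int KEY_SIZE_BITS = 1024;
    /** Public exponent and prime certainty used only by the Bouncycastle key generator. */
    private static final BigInteger BC_PUBLIC_EXPONENT = BigInteger.valueOf(3L);
    private static final int BC_PRIME_CERTAINTY = 80;
    /** PKCS#12 bag attribute / entry names written into the exported file. */
    private static final String FRIENDLY_NAME = "Certificate for IPSec WLAN access";
    private static final String KEY_ENTRY_ALIAS = "Private key for IPSec WLAN access";

    /** CA certificate: its subject becomes the issuer, its public key verifies the new certificate. */
    private final X509Certificate caCert;
    /** CA private key in Bouncycastle form; converted back to a JCE key on the JCE signing path. */
    private final RSAPrivateCrtKeyParameters caPrivateKey;
    /** {@code true} selects the Bouncycastle lightweight API for key generation and signing. */
    private final boolean useBCAPI;

    /**
     * Loads the CA private key and certificate from a PKCS#12 keystore and checks that the CA
     * certificate verifies with its own public key (a self-consistency check only; it says
     * nothing about whether the CA is trusted).
     *
     * @param keystoreFile path of the PKCS#12 file holding the CA key and certificate
     * @param password     password used both for the keystore and for the key entry
     * @param alias        alias of the CA entry inside the keystore
     * @param useBCAPI     {@code true} to use the Bouncycastle lightweight API, {@code false} for JCE
     * @throws IllegalStateException if the alias yields no key or no certificate
     * @throws ClassCastException    if the key under {@code alias} is not an RSA CRT private key
     */
    public X509CertificateGenerator(String keystoreFile, String password, String alias, boolean useBCAPI) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, InvalidKeyException, NoSuchProviderException, SignatureException {
        this.useBCAPI = useBCAPI;
        System.out.println("Loading CA certificate and private key from file '" + keystoreFile + "', using alias '" + alias + "' with " + (useBCAPI ? "Bouncycastle lightweight API" : "JCE API"));
        char[] passwordChars = password.toCharArray();
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        // KeyStore.load does not close the stream it reads from, so close it here.
        try (FileInputStream in = new FileInputStream(new File(keystoreFile))) {
            keyStore.load(in, passwordChars);
        }
        Key key = keyStore.getKey(alias, passwordChars);
        if (key == null) {
            throw new IllegalStateException("Got null key from keystore!");
        }
        // The Bouncycastle signing path needs the CRT components, so the key must be an RSA CRT key.
        RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey) key;
        this.caPrivateKey = new RSAPrivateCrtKeyParameters(rsaKey.getModulus(), rsaKey.getPublicExponent(), rsaKey.getPrivateExponent(), rsaKey.getPrimeP(), rsaKey.getPrimeQ(), rsaKey.getPrimeExponentP(), rsaKey.getPrimeExponentQ(), rsaKey.getCrtCoefficient());
        this.caCert = (X509Certificate) keyStore.getCertificate(alias);
        if (this.caCert == null) {
            throw new IllegalStateException("Got null cert from keystore!");
        }
        System.out.println("Successfully loaded CA key and certificate. CA DN is '" + this.caCert.getSubjectDN().getName() + "'");
        this.caCert.verify(this.caCert.getPublicKey());
        System.out.println("Successfully verified CA certificate with its own public key.");
    }

    /**
     * Generates a fresh RSA key pair, issues a certificate for it signed by the CA, verifies the
     * signature with the CA public key and writes the key, the new certificate and the CA
     * certificate to a PKCS#12 file.
     *
     * @param commonName   value of the CN attribute; the subject DN is {@code "CN=" + commonName}
     * @param validityDays number of days from now until the certificate expires
     * @param outputFile   path of the PKCS#12 file to write
     * @param password     password for both the key entry and the output keystore
     * @return always {@code true}; every failure surfaces as an exception
     */
    public boolean createCertificate(String commonName, int validityDays, String outputFile, String password) throws IOException, InvalidKeyException, SecurityException, SignatureException, NoSuchAlgorithmException, DataLengthException, CryptoException, KeyStoreException, NoSuchProviderException, CertificateException, InvalidKeySpecException {
        System.out.println("Generating certificate for distinguished subject name '" + commonName + "', valid for " + validityDays + " days");
        SecureRandom secureRandom = new SecureRandom();
        System.out.println("Creating RSA keypair");
        KeyPair subjectKeyPair = this.useBCAPI ? generateKeyPairWithBC(secureRandom) : generateKeyPairWithJCE(secureRandom);
        PublicKey publicKey = subjectKeyPair.getPublic();
        PrivateKey privateKey = subjectKeyPair.getPrivate();

        DERObjectIdentifier algorithmOID = X509Util.getAlgorithmOID(SIGNATURE_ALGORITHM);
        AlgorithmIdentifier signatureAlgorithm = new AlgorithmIdentifier(algorithmOID, new DERNull());
        TBSCertificateStructure tbsCertificate = buildTbsCertificate(commonName, validityDays, publicKey, signatureAlgorithm);
        System.out.println("Certificate structure generated, creating SHA1 digest");
        ByteArrayOutputStream tbsBytes = new ByteArrayOutputStream();
        new DEROutputStream(tbsBytes).writeObject(tbsCertificate);
        byte[] blockToSign = tbsBytes.toByteArray();
        byte[] signature = this.useBCAPI ? signWithBC(blockToSign) : signWithJCE(blockToSign, algorithmOID, secureRandom);
        System.out.println("SHA1/RSA signature of digest is '" + new String(Hex.encodeHex(signature)) + "'");

        // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        ASN1EncodableVector certificateFields = new ASN1EncodableVector();
        certificateFields.add(tbsCertificate);
        certificateFields.add(signatureAlgorithm);
        certificateFields.add(new DERBitString(signature));
        X509CertificateObject certificate = new X509CertificateObject(new X509CertificateStructure(new DERSequence(certificateFields)));
        System.out.println("Verifying certificate for correct signature with CA public key");
        certificate.verify(this.caCert.getPublicKey());

        System.out.println("Exporting certificate in PKCS12 format");
        certificate.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(FRIENDLY_NAME));
        certificate.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(publicKey));
        char[] passwordChars = password.toCharArray();
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null, null);
        keyStore.setKeyEntry(KEY_ENTRY_ALIAS, privateKey, passwordChars, new X509Certificate[]{certificate, this.caCert});
        // KeyStore.store does not close the stream; close it here so the file is flushed and released.
        try (FileOutputStream out = new FileOutputStream(outputFile)) {
            keyStore.store(out, passwordChars);
        }
        return true;
    }

    /**
     * Generates a {@code KEY_SIZE_BITS} RSA key pair with the Bouncycastle lightweight API and
     * converts both halves to JCE key objects.
     */
    private static KeyPair generateKeyPairWithBC(SecureRandom secureRandom) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        RSAKeyPairGenerator generator = new RSAKeyPairGenerator();
        generator.init(new RSAKeyGenerationParameters(BC_PUBLIC_EXPONENT, secureRandom, KEY_SIZE_BITS, BC_PRIME_CERTAINTY));
        AsymmetricCipherKeyPair bcPair = generator.generateKeyPair();
        System.out.println("Generated keypair, extracting components and creating public structure for certificate");
        RSAKeyParameters pub = (RSAKeyParameters) bcPair.getPublic();
        RSAPrivateCrtKeyParameters priv = (RSAPrivateCrtKeyParameters) bcPair.getPrivate();
        System.out.println("New public key is '" + new String(Hex.encodeHex(new RSAPublicKeyStructure(pub.getModulus(), pub.getExponent()).getEncoded())) + ", exponent=" + pub.getExponent() + ", modulus=" + pub.getModulus());
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey publicKey = keyFactory.generatePublic(new RSAPublicKeySpec(pub.getModulus(), pub.getExponent()));
        PrivateKey privateKey = keyFactory.generatePrivate(new RSAPrivateCrtKeySpec(pub.getModulus(), pub.getExponent(), priv.getExponent(), priv.getP(), priv.getQ(), priv.getDP(), priv.getDQ(), priv.getQInv()));
        return new KeyPair(publicKey, privateKey);
    }

    /** Generates a {@code KEY_SIZE_BITS} RSA key pair with the default JCE RSA provider. */
    private static KeyPair generateKeyPairWithJCE(SecureRandom secureRandom) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(KEY_SIZE_BITS, secureRandom);
        return generator.generateKeyPair();
    }

    /**
     * Builds the unsigned TBSCertificate: serial, issuer (the CA subject), subject, signature
     * algorithm, subject public key and a validity window of {@code validityDays} from now.
     */
    private TBSCertificateStructure buildTbsCertificate(String commonName, int validityDays, PublicKey publicKey, AlgorithmIdentifier signatureAlgorithm) throws IOException, CertificateException {
        Date notBefore = new Date(System.currentTimeMillis());
        Calendar expiry = Calendar.getInstance();
        expiry.setTime(notBefore);
        expiry.add(Calendar.DAY_OF_YEAR, validityDays);
        V3TBSCertificateGenerator tbsGenerator = new V3TBSCertificateGenerator();
        // NOTE(review): the serial is the issue time in milliseconds. RFC 5280 requires serials
        // to be unique per issuer, so two certificates issued in the same millisecond collide,
        // and the value is predictable. Left unchanged to preserve existing behaviour.
        tbsGenerator.setSerialNumber(new DERInteger(BigInteger.valueOf(System.currentTimeMillis())));
        tbsGenerator.setIssuer(PrincipalUtil.getSubjectX509Principal(this.caCert));
        // X509Name parses the string as an RDN list, so a commonName containing ',' or '='
        // changes the DN structure instead of being taken literally.
        tbsGenerator.setSubject(new X509Name("CN=" + commonName));
        tbsGenerator.setSignature(signatureAlgorithm);
        // Re-parse the JCE-encoded key (X.509 SubjectPublicKeyInfo DER) into the Bouncycastle structure.
        try (ASN1InputStream keyIn = new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded()))) {
            tbsGenerator.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(keyIn.readObject()));
        }
        tbsGenerator.setStartDate(new Time(notBefore));
        tbsGenerator.setEndDate(new Time(expiry.getTime()));
        return tbsGenerator.generateTBSCertificate();
    }

    /**
     * Signs the DER-encoded TBSCertificate with the Bouncycastle lightweight API: SHA-1 digest,
     * wrapped in a DigestInfo, then RSA PKCS#1 v1.5 encoded with the CA private key.
     */
    private byte[] signWithBC(byte[] blockToSign) throws IOException, CryptoException {
        System.out.println("Block to sign is '" + new String(Hex.encodeHex(blockToSign)) + "'");
        SHA1Digest digest = new SHA1Digest();
        digest.update(blockToSign, 0, blockToSign.length);
        byte[] hash = new byte[digest.getDigestSize()];
        digest.doFinal(hash, 0);
        byte[] digestInfo = new DigestInfo(new AlgorithmIdentifier(X509ObjectIdentifiers.id_SHA1, (DEREncodable) null), hash).getEncoded("DER");
        PKCS1Encoding signer = new PKCS1Encoding(new RSAEngine());
        signer.init(true, this.caPrivateKey);
        return signer.processBlock(digestInfo, 0, digestInfo.length);
    }

    /**
     * Signs the DER-encoded TBSCertificate through the JCE {@link Signature} API, looking the
     * provider up by the signature algorithm's dotted OID string.
     */
    private byte[] signWithJCE(byte[] blockToSign, DERObjectIdentifier algorithmOID, SecureRandom secureRandom) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException {
        // Rebuild a JCE private key from the stored Bouncycastle CRT parameters.
        PrivateKey caKey = KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateCrtKeySpec(this.caPrivateKey.getModulus(), this.caPrivateKey.getPublicExponent(), this.caPrivateKey.getExponent(), this.caPrivateKey.getP(), this.caPrivateKey.getQ(), this.caPrivateKey.getDP(), this.caPrivateKey.getDQ(), this.caPrivateKey.getQInv()));
        Signature signature = Signature.getInstance(algorithmOID.getId());
        signature.initSign(caKey, secureRandom);
        signature.update(blockToSign);
        return signature.sign();
    }

    /**
     * Demo entry point: loads a CA from a fixed path with placeholder passwords and issues a
     * 30-day test certificate. The keystore path and the passwords are hard-coded, so this is
     * a development aid rather than something to run unchanged.
     * NOTE(review): the path names a .crt file but the constructor loads it as a PKCS#12
     * keystore — confirm the file format before relying on this.
     */
    public static void main(String[] strArr) throws Exception {
        System.out.println(new X509CertificateGenerator("/etc/openvpn/easy-rsa/2.0/keys/ca.crt", "changeme", "changeme", false).createCertificate("Test CN", 30, "test.p12", "test"));
    }
}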
