package com.helger.security.certificate;

import com.helger.commons.ValueEnforcer;
import com.helger.commons.annotation.Nonempty;
import com.helger.commons.base64.Base64;
import com.helger.commons.collection.ArrayHelper;
import com.helger.commons.collection.impl.ICommonsSet;
import com.helger.commons.io.stream.NonBlockingByteArrayInputStream;
import com.helger.commons.io.stream.StringInputStream;
import com.helger.commons.string.StringHelper;
import com.helger.security.revocation.AbstractRevocationCheckBuilder;
import com.helger.security.revocation.RevocationCheckResultCache;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.apache.poi.openxml4j.opc.PackageRelationship;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

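@Immutable
/* loaded from: input_file:WEB-INF/lib/ph-security-11.2.4.jar:com/helger/security/certificate/CertificateHelper.class */
/**
 * Static helpers for X.509 certificates: PEM header handling, String/byte[] to
 * {@link X509Certificate} conversion, PKCS#8 private key decoding, a combined
 * validity/issuer/revocation check and distinguished-name (CN / O) extraction.
 * <p>
 * All methods are stateless; the class cannot be instantiated.
 */
public final class CertificateHelper {
    public static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----";
    public static final String END_CERTIFICATE = "-----END CERTIFICATE-----";

    /** Legacy marker without the blank; still stripped by {@link #getWithoutPEMHeader(String)}. */
    @Deprecated(forRemoval = true, since = "11.1.1")
    public static final String BEGIN_CERTIFICATE_INVALID = "-----BEGINCERTIFICATE-----";

    /** Legacy marker without the blank; still stripped by {@link #getWithoutPEMHeader(String)}. */
    @Deprecated(forRemoval = true, since = "11.1.1")
    public static final String END_CERTIFICATE_INVALID = "-----ENDCERTIFICATE-----";
    public static final String BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";
    public static final String END_PRIVATE_KEY = "-----END PRIVATE KEY-----";
    public static final String CRLF = "\r\n";
    public static final String PRINCIPAL_TYPE_CN = "CN";
    public static final String PRINCIPAL_TYPE_O = "O";
    /** Charset used when a PEM text is handed to the {@link CertificateFactory} as bytes. */
    public static final Charset CERT_CHARSET = StandardCharsets.ISO_8859_1;
    /** RFC 1421 limits the body of a PEM block to 64 characters per line. */
    private static final int PEM_LINE_LENGTH = 64;
    private static final Logger LOGGER = LoggerFactory.getLogger(CertificateHelper.class);
    // Retained only so the private constructor has a caller (code-coverage pattern).
    private static final CertificateHelper INSTANCE = new CertificateHelper();

    private CertificateHelper() {
    }

    /**
     * @return a fresh {@link CertificateFactory} for the "X.509" type. Never <code>null</code>.
     * @throws CertificateException if no provider supports X.509
     */
    @Nonnull
    public static CertificateFactory getX509CertificateFactory() throws CertificateException {
        return CertificateFactory.getInstance("X.509");
    }

    /**
     * @deprecated Use {@link #getCertificateWithPEMHeader(String)} instead.
     */
    @Nonnull
    @Deprecated(forRemoval = true, since = "11.1.1")
    public static String getWithPEMHeader(@Nonnull String str) {
        return getCertificateWithPEMHeader(str);
    }

    /**
     * Ensure the passed text starts with {@link #BEGIN_CERTIFICATE} and ends with
     * {@link #END_CERTIFICATE}; each marker is only prepended/appended if missing.
     *
     * @param str Certificate text. May not be <code>null</code>.
     * @return The text with both PEM markers present. Never <code>null</code>.
     */
    @Nonnull
    public static String getCertificateWithPEMHeader(@Nonnull String str) {
        String sResult = str;
        if (!sResult.startsWith(BEGIN_CERTIFICATE)) {
            sResult = BEGIN_CERTIFICATE + "\n" + sResult;
        }
        // trailing whitespace after the end marker is tolerated
        if (!sResult.trim().endsWith(END_CERTIFICATE)) {
            sResult = sResult + "\n" + END_CERTIFICATE;
        }
        return sResult;
    }

    /**
     * Remove both the regular and the legacy (blank-less) PEM markers as well as
     * all whitespace, leaving only the Base64 payload.
     *
     * @param str Source text. May be <code>null</code>.
     * @return <code>null</code> if the input is <code>null</code> or empty.
     */
    @Nullable
    public static String getWithoutPEMHeader(@Nullable String str) {
        if (StringHelper.hasNoText(str)) {
            return null;
        }
        String sPayload = str.trim();
        // legacy markers first, then the correct ones
        sPayload = StringHelper.trimStart(sPayload, BEGIN_CERTIFICATE_INVALID);
        sPayload = StringHelper.trimEnd(sPayload, END_CERTIFICATE_INVALID);
        sPayload = StringHelper.trimStart(sPayload, BEGIN_CERTIFICATE);
        sPayload = StringHelper.trimEnd(sPayload, END_CERTIFICATE);
        return StringHelper.getWithoutAnySpaces(sPayload);
    }

    /**
     * Shortcut for {@link #getRFC1421CompliantString(String, boolean, String)}
     * using CRLF as the line separator.
     *
     * @param str Certificate text. May be <code>null</code>.
     * @param z   <code>true</code> to surround the result with the PEM markers.
     * @return <code>null</code> if no payload is left after stripping markers and whitespace.
     */
    @Nullable
    public static String getRFC1421CompliantString(@Nullable String str, boolean z) {
        return getRFC1421CompliantString(str, z, CRLF);
    }

    /**
     * Re-wrap a certificate text so that the Base64 payload is split into lines of
     * at most 64 characters (RFC 1421).
     *
     * @param str  Certificate text with or without PEM markers. May be <code>null</code>.
     * @param z    <code>true</code> to surround the result with the PEM markers.
     * @param str2 Separator placed between payload lines. May not be <code>null</code>.
     *             Note that the markers themselves are always joined with '\n'.
     * @return <code>null</code> if no payload is left after stripping markers and whitespace.
     */
    @Nullable
    public static String getRFC1421CompliantString(@Nullable String str, boolean z, @Nonnull String str2) {
        ValueEnforcer.notNull(str2, "LineSeparator");
        final String sPayload = getWithoutPEMHeader(str);
        if (StringHelper.hasNoText(sPayload)) {
            return null;
        }
        final StringBuilder aSB = new StringBuilder();
        if (z) {
            aSB.append(BEGIN_CERTIFICATE).append('\n');
        }
        // walk by offset instead of repeatedly substring-ing the remainder
        final int nLen = sPayload.length();
        int nIdx = 0;
        while (nLen - nIdx > PEM_LINE_LENGTH) {
            aSB.append(sPayload, nIdx, nIdx + PEM_LINE_LENGTH).append(str2);
            nIdx += PEM_LINE_LENGTH;
        }
        aSB.append(sPayload, nIdx, nLen);
        if (z) {
            aSB.append('\n').append(END_CERTIFICATE);
        }
        return aSB.toString();
    }

    /**
     * Interpret the bytes as ISO-8859-1 PEM text and parse the certificate.
     *
     * @param bArr PEM text bytes. May be <code>null</code>.
     * @return <code>null</code> if the array is <code>null</code> or empty.
     * @throws CertificateException if the text is not a valid certificate
     */
    @Nullable
    public static X509Certificate convertByteArrayToCertficate(@Nullable byte[] bArr) throws CertificateException {
        if (ArrayHelper.isEmpty(bArr)) {
            return null;
        }
        return convertStringToCertficate(new String(bArr, CERT_CHARSET), false);
    }

    /**
     * Like {@link #convertByteArrayToCertficate(byte[])} but returns
     * <code>null</code> instead of throwing.
     */
    @Nullable
    public static X509Certificate convertByteArrayToCertficateOrNull(@Nullable byte[] bArr) {
        try {
            return convertByteArrayToCertficate(bArr);
        } catch (CertificateException ex) {
            return null;
        }
    }

    /**
     * Feed the bytes directly to the {@link CertificateFactory} (DER or PEM).
     *
     * @param bArr Encoded certificate. May be <code>null</code>.
     * @return <code>null</code> if the array is <code>null</code> or empty.
     * @throws CertificateException if the bytes are not a valid certificate
     */
    @Nullable
    public static X509Certificate convertByteArrayToCertficateDirect(@Nullable byte[] bArr) throws CertificateException {
        if (ArrayHelper.isEmpty(bArr)) {
            return null;
        }
        final CertificateFactory aCF = getX509CertificateFactory();
        try (final NonBlockingByteArrayInputStream aIS = new NonBlockingByteArrayInputStream(bArr)) {
            return (X509Certificate) aCF.generateCertificate(aIS);
        }
    }

    /**
     * Normalise the text to RFC 1421 (with markers) and parse it.
     *
     * @throws CertificateException     from the factory
     * @throws IllegalArgumentException if the payload cannot be normalised
     */
    @Nonnull
    private static X509Certificate _str2cert(@Nonnull String str, @Nonnull CertificateFactory certificateFactory) throws CertificateException {
        try (final StringInputStream aIS = new StringInputStream(getRFC1421CompliantString(str, true), CERT_CHARSET)) {
            return (X509Certificate) certificateFactory.generateCertificate(aIS);
        }
    }

    /**
     * Parse a PEM/Base64 certificate text without the hex fallback.
     *
     * @see #convertStringToCertficate(String, boolean)
     */
    @Nullable
    public static X509Certificate convertStringToCertficate(@Nullable String str) throws CertificateException {
        return convertStringToCertficate(str, false);
    }

    /**
     * Parse a certificate text. If the direct parse fails and <code>z</code> is
     * <code>true</code>, the text is additionally tried as a hex-encoded
     * representation of the certificate text.
     *
     * @param str Certificate text. May be <code>null</code>.
     * @param z   <code>true</code> to enable the hex-decoding fallback.
     * @return <code>null</code> if the input is <code>null</code> or empty.
     * @throws CertificateException     if neither interpretation yields a certificate
     * @throws IllegalArgumentException if the payload cannot be normalised
     */
    @Nullable
    public static X509Certificate convertStringToCertficate(@Nullable String str, boolean z) throws CertificateException {
        if (StringHelper.hasNoText(str)) {
            return null;
        }
        final CertificateFactory aCF = getX509CertificateFactory();
        try {
            return _str2cert(str, aCF);
        } catch (IllegalArgumentException | CertificateException ex) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Failed to decode provided X.509 certificate string: " + str);
            }
            if (!z) {
                throw ex;
            }
            try {
                return _str2cert(new String(StringHelper.getHexDecoded(str), CERT_CHARSET), aCF);
            } catch (IllegalArgumentException ex2) {
                // the fallback is best-effort; surface the original failure
                throw ex;
            }
        }
    }

    /**
     * Like {@link #convertStringToCertficate(String)} but returns
     * <code>null</code> instead of throwing.
     */
    @Nullable
    public static X509Certificate convertStringToCertficateOrNull(@Nullable String str) {
        try {
            return convertStringToCertficate(str, false);
        } catch (IllegalArgumentException | CertificateException ex) {
            return null;
        }
    }

    /**
     * Strip PEM markers and whitespace, then Base64-decode the payload.
     *
     * @param str Certificate text. May be <code>null</code>.
     * @return <code>null</code> if there is no payload; otherwise whatever
     *         {@link Base64#safeDecode(String)} returns (which may itself be <code>null</code>).
     */
    @Nullable
    public static byte[] convertCertificateStringToByteArray(@Nullable String str) {
        final String sPayload = getWithoutPEMHeader(str);
        if (StringHelper.hasNoText(sPayload)) {
            return null;
        }
        return Base64.safeDecode(sPayload);
    }

    /**
     * @param certificate Certificate to encode. May not be <code>null</code>.
     * @return The DER encoding. Never <code>null</code> nor empty.
     * @throws IllegalArgumentException wrapping a {@link CertificateEncodingException}
     */
    @Nonnull
    @Nonempty
    public static byte[] getEncodedCertificate(@Nonnull Certificate certificate) {
        ValueEnforcer.notNull(certificate, "Cert");
        try {
            return certificate.getEncoded();
        } catch (CertificateEncodingException ex) {
            throw new IllegalArgumentException("Failed to encode certificate " + String.valueOf(certificate), ex);
        }
    }

    /**
     * @param certificate Certificate to encode. May not be <code>null</code>.
     * @return The Base64 DER encoding surrounded by the PEM markers. Never <code>null</code>.
     * @throws IllegalArgumentException wrapping a {@link CertificateEncodingException}
     */
    @Nonnull
    @Nonempty
    public static String getPEMEncodedCertificate(@Nonnull Certificate certificate) {
        ValueEnforcer.notNull(certificate, "Cert");
        try {
            return BEGIN_CERTIFICATE + "\n" + Base64.encodeBytes(certificate.getEncoded()) + "\n" + END_CERTIFICATE;
        } catch (CertificateEncodingException ex) {
            throw new IllegalArgumentException("Failed to encode certificate " + String.valueOf(certificate), ex);
        }
    }

    /**
     * Check only the notBefore/notAfter window against the current time. This
     * does not verify the chain, the signature or the revocation status.
     *
     * @param x509Certificate Certificate to check. May not be <code>null</code>.
     * @return <code>true</code> if the certificate is within its validity period
     */
    public static boolean isCertificateValidPerNow(@Nonnull X509Certificate x509Certificate) {
        ValueEnforcer.notNull(x509Certificate, "Cert");
        try {
            x509Certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
            return false;
        }
    }

    /**
     * Decode a PEM "PRIVATE KEY" (PKCS#8) text as an RSA key.
     *
     * @param str Key text with or without the PRIVATE KEY markers. May be <code>null</code>.
     * @return <code>null</code> if the input is empty or not Base64-decodable.
     * @throws GeneralSecurityException if the bytes are not a PKCS#8 RSA key
     */
    @Nullable
    public static PrivateKey convertStringToPrivateKey(@Nullable String str) throws GeneralSecurityException {
        if (StringHelper.hasNoText(str)) {
            return null;
        }
        final String sPayload = StringHelper.getWithoutAnySpaces(StringHelper.trimEnd(StringHelper.trimStart(str, BEGIN_PRIVATE_KEY), END_PRIVATE_KEY));
        final byte[] aDecoded = Base64.safeDecode(sPayload);
        if (aDecoded == null) {
            return null;
        }
        // Only RSA is supported here; other key types fail in generatePrivate
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(aDecoded));
    }

    /**
     * Evaluate the BasicConstraints extension.
     *
     * @param x509Certificate Certificate to inspect. May not be <code>null</code>.
     * @return <code>true</code> only if the extension is present, parseable and
     *         carries cA=TRUE; <code>false</code> in every other case.
     */
    public static boolean isCA(@Nonnull X509Certificate x509Certificate) {
        ValueEnforcer.notNull(x509Certificate, "Cert");
        final byte[] aExtValue = x509Certificate.getExtensionValue(Extension.basicConstraints.getId());
        if (aExtValue == null) {
            return false;
        }
        try {
            final ASN1Primitive aParsed = JcaX509ExtensionUtils.parseExtensionValue(aExtValue);
            if (!(aParsed instanceof ASN1Sequence)) {
                return false;
            }
            final BasicConstraints aBC = BasicConstraints.getInstance((ASN1Sequence) aParsed);
            return aBC != null && aBC.isCA();
        } catch (IOException ex) {
            // malformed extension value: treat as "not a CA"
            return false;
        }
    }

    /**
     * Run the combined check: validity period (against the builder's check date
     * or now), optional issuer allow-list, then revocation (via the cache if one
     * is given, otherwise via the builder).
     *
     * @param iCommonsSet                  Trusted issuers; <code>null</code> skips the issuer check.
     * @param revocationCheckResultCache   Optional revocation result cache.
     * @param abstractRevocationCheckBuilder Supplies the certificate, the check date and
     *                                       the uncached revocation check. May not be <code>null</code>.
     * @return The first failing check's result, or {@link ECertificateCheckResult#VALID}.
     */
    @Nonnull
    public static ECertificateCheckResult checkCertificate(@Nullable ICommonsSet<X500Principal> iCommonsSet, @Nullable RevocationCheckResultCache revocationCheckResultCache, @Nonnull AbstractRevocationCheckBuilder<?> abstractRevocationCheckBuilder) {
        ValueEnforcer.notNull(abstractRevocationCheckBuilder, "RevocationChecker");
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Running Certificate Check" + (iCommonsSet != null ? " against a list of " + iCommonsSet.size() + " certificate issuers" : "") + (revocationCheckResultCache != null ? "; a cache is provided" : "; not using a cache"));
        }
        final X509Certificate aCert = abstractRevocationCheckBuilder.certificate();
        if (aCert == null) {
            LOGGER.warn("No Certificate was provided to the certificate check");
            return ECertificateCheckResult.NO_CERTIFICATE_PROVIDED;
        }
        final Date aCheckDate = abstractRevocationCheckBuilder.checkDate();
        try {
            // 1. validity period
            if (aCheckDate == null) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Checking the Certificate validity against the current date time");
                }
                aCert.checkValidity();
            } else {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Checking the Certificate validity against the provided date time " + String.valueOf(aCheckDate));
                }
                aCert.checkValidity(aCheckDate);
            }
            // 2. issuer allow-list (by X500Principal equality)
            if (iCommonsSet != null) {
                final X500Principal aIssuer = aCert.getIssuerX500Principal();
                if (!iCommonsSet.contains(aIssuer)) {
                    LOGGER.warn("The provided Certificate issuer '" + String.valueOf(aIssuer) + "' is not in the list of trusted issuers " + String.valueOf(iCommonsSet));
                    return ECertificateCheckResult.UNSUPPORTED_ISSUER;
                }
            } else if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Not testing against known Certificate issuers");
            }
            // 3. revocation
            if (revocationCheckResultCache != null) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Testing if the Certificate is revoked, using a cache");
                }
                if (revocationCheckResultCache.isRevoked(aCert)) {
                    LOGGER.warn("The Certificate is revoked [caching used]");
                    return ECertificateCheckResult.REVOKED;
                }
            } else {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Testing if the Certificate is revoked, without a cache");
                }
                if (abstractRevocationCheckBuilder.build().isRevoked()) {
                    LOGGER.warn("The Certificate is revoked [no caching]");
                    return ECertificateCheckResult.REVOKED;
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("The Certificate seems to be valid");
            }
            return ECertificateCheckResult.VALID;
        } catch (CertificateExpiredException ex) {
            LOGGER.warn("The provided Certificate is expired per " + (aCheckDate == null ? "now" : aCheckDate.toString()));
            return ECertificateCheckResult.EXPIRED;
        } catch (CertificateNotYetValidException ex) {
            LOGGER.warn("The provided Certificate is not yet valid per " + (aCheckDate == null ? "now" : aCheckDate.toString()));
            return ECertificateCheckResult.NOT_YET_VALID;
        }
    }

    /**
     * Find the first RDN of the given attribute type in a distinguished name.
     *
     * @param str  Distinguished name in LDAP/RFC 2253 syntax. May be <code>null</code>.
     * @param str2 Attribute type (e.g. "CN"); compared case-insensitively. May not be <code>null</code>.
     * @return The string form of the matching RDN's value, or <code>null</code> if
     *         the DN is <code>null</code> or has no such attribute.
     * @throws InvalidNameException if the DN cannot be parsed
     */
    @Nullable
    public static String getPrincipalTypeValue(@Nullable String str, @Nonnull String str2) throws InvalidNameException {
        ValueEnforcer.notNull(str2, "Type");
        if (str == null) {
            return null;
        }
        for (final Rdn aRdn : new LdapName(str).getRdns()) {
            if (aRdn.getType().equalsIgnoreCase(str2)) {
                final Object aValue = aRdn.getValue();
                // RFC 2253 allows binary attribute values ("CN=#0401..."); LdapName
                // surfaces them as byte[], which an unchecked cast to String would turn
                // into a ClassCastException for every caller. Render them instead.
                if (aValue instanceof String) {
                    return (String) aValue;
                }
                return Rdn.escapeValue(aValue);
            }
        }
        return null;
    }

    /**
     * @param str DN text. May be <code>null</code>.
     * @return The first CN value or <code>null</code>.
     * @throws InvalidNameException if the DN cannot be parsed
     */
    @Nullable
    public static String getCN(@Nullable String str) throws InvalidNameException {
        return getPrincipalTypeValue(str, PRINCIPAL_TYPE_CN);
    }

    /**
     * @return The subject CN of the certificate, or <code>null</code> if the
     *         certificate is <code>null</code>, the DN is unparseable or has no CN.
     */
    @Nullable
    public static String getSubjectCN(@Nullable X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        return getCNOrNull(x509Certificate.getSubjectX500Principal());
    }

    /**
     * @return The CN of the principal (using its default RFC 2253 name form), or
     *         <code>null</code> if absent or unparseable.
     */
    @Nullable
    public static String getCNOrNull(@Nullable X500Principal x500Principal) {
        if (x500Principal == null) {
            return null;
        }
        return getCNOrNull(x500Principal.getName());
    }

    /**
     * Like {@link #getCN(String)} but returns <code>null</code> for an unparseable DN.
     */
    @Nullable
    public static String getCNOrNull(@Nullable String str) {
        try {
            return getCN(str);
        } catch (InvalidNameException ex) {
            return null;
        }
    }

    /**
     * @param str DN text. May be <code>null</code>.
     * @return The first O value or <code>null</code>.
     * @throws InvalidNameException if the DN cannot be parsed
     */
    @Nullable
    public static String getO(@Nullable String str) throws InvalidNameException {
        return getPrincipalTypeValue(str, PRINCIPAL_TYPE_O);
    }

    /**
     * @return The subject O of the certificate, or <code>null</code> if the
     *         certificate is <code>null</code>, the DN is unparseable or has no O.
     */
    @Nullable
    public static String getSubjectO(@Nullable X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        return getOOrNull(x509Certificate.getSubjectX500Principal());
    }

    /**
     * @return The O of the principal (using its default RFC 2253 name form), or
     *         <code>null</code> if absent or unparseable.
     */
    @Nullable
    public static String getOOrNull(@Nullable X500Principal x500Principal) {
        if (x500Principal == null) {
            return null;
        }
        return getOOrNull(x500Principal.getName());
    }

    /**
     * Like {@link #getO(String)} but returns <code>null</code> for an unparseable DN.
     */
    @Nullable
    public static String getOOrNull(@Nullable String str) {
        try {
            return getO(str);
        } catch (InvalidNameException ex) {
            return null;
        }
    }
}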
