package io.spiffe.internal;

import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.spiffeid.TrustDomain;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.EncodedKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:io/spiffe/internal/CertificateUtils.class */
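/**
 * Helpers for parsing, inspecting and validating X.509 certificates and PKCS#8 private keys
 * as used by SPIFFE X.509-SVIDs.
 *
 * <p>All methods are static and stateless; the class is not meant to be instantiated.
 */
public class CertificateUtils {
    private static final String SPIFFE_PREFIX = "spiffe://";
    /** Position of the name value inside an entry of {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_VALUE_INDEX = 1;
    /** Position of the GeneralName type tag inside a subjectAltName entry. */
    private static final int SAN_TYPE_INDEX = 0;
    /** GeneralName tag for uniformResourceIdentifier — the only SAN type that may carry a SPIFFE ID. */
    private static final int SAN_TYPE_URI = 6;
    private static final String PUBLIC_KEY_INFRASTRUCTURE_ALGORITHM = "PKIX";
    private static final String X509_CERTIFICATE_TYPE = "X.509";
    /**
     * PEM armour lines of a PKCS#8 key. Only the plain "PRIVATE KEY" label is recognised; other
     * labels (e.g. "EC PRIVATE KEY", "RSA PRIVATE KEY") are not stripped and therefore fail
     * Base64 decoding, which surfaces as an {@link InvalidKeyException} in {@link #toDerFormat}.
     */
    private static final Pattern PEM_PRIVATE_KEY_ARMOUR = Pattern.compile("-+(BEGIN|END) PRIVATE KEY-+");
    /** Any whitespace, including the CR of CRLF line endings, which a strict Base64 decoder rejects. */
    private static final Pattern WHITESPACE = Pattern.compile("\\s+");

    private CertificateUtils() {
    }

    /**
     * Parses one or more DER or PEM encoded X.509 certificates from {@code bArr}.
     *
     * @param bArr raw bytes holding at least one certificate
     * @return the certificates in the order the factory produced them (never empty)
     * @throws CertificateParsingException if {@code bArr} is null or empty, contains no
     *         certificate, or cannot be parsed
     */
    public static List<X509Certificate> generateCertificates(byte[] bArr) throws CertificateParsingException {
        if (bArr == null || bArr.length == 0) {
            throw new CertificateParsingException("No certificates found");
        }
        try {
            Collection<? extends Certificate> parsed =
                    getCertificateFactory().generateCertificates(new ByteArrayInputStream(bArr));
            // The "X.509" factory only ever yields X509Certificate instances, so the cast is safe.
            List<X509Certificate> certificates = parsed.stream()
                    .map(X509Certificate.class::cast)
                    .collect(Collectors.toList());
            // The factory may return an empty collection for input that holds no certificate
            // at all; treat that the same as empty input rather than handing back an empty list.
            if (certificates.isEmpty()) {
                throw new CertificateParsingException("No certificates found");
            }
            return certificates;
        } catch (CertificateException e) {
            throw new CertificateParsingException("Certificate could not be parsed from cert bytes", e);
        }
    }

    /**
     * Builds a {@link PrivateKey} from PKCS#8 key material.
     *
     * @param bArr the key bytes, either DER or PEM encoded according to {@code keyFileFormat}
     * @param asymmetricKeyAlgorithm the key algorithm (EC or RSA)
     * @param keyFileFormat whether {@code bArr} is PEM (armoured Base64) or raw DER
     * @return the decoded private key
     * @throws InvalidKeySpecException if the key material does not match the algorithm
     * @throws NoSuchAlgorithmException if the algorithm is not supported by this class or the JCA
     * @throws InvalidKeyException if PEM input cannot be unarmoured and Base64 decoded
     */
    public static PrivateKey generatePrivateKey(byte[] bArr, AsymmetricKeyAlgorithm asymmetricKeyAlgorithm, KeyFileFormat keyFileFormat) throws InvalidKeySpecException, NoSuchAlgorithmException, InvalidKeyException {
        Objects.requireNonNull(bArr, "bArr");
        return generatePrivateKeyWithSpec(getEncodedKeySpec(bArr, keyFileFormat), asymmetricKeyAlgorithm);
    }

    /**
     * Validates {@code list} as a PKIX certification path against the trust anchors in
     * {@code collection}. Revocation checking is disabled (see {@link #toPkixParameters}).
     *
     * @param list the chain to validate, leaf first
     * @param collection the CA certificates to use as trust anchors
     * @throws IllegalArgumentException if {@code list} is null or empty
     * @throws CertificateException if {@code collection} is null or empty, or if the path
     *         cannot be built or the PKIX algorithm/parameters are unavailable
     * @throws CertPathValidatorException if the chain does not validate to any anchor
     */
    public static void validate(List<X509Certificate> list, Collection<X509Certificate> collection) throws CertificateException, CertPathValidatorException {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Chain of certificates is empty");
        }
        CertificateFactory certificateFactory = getCertificateFactory();
        try {
            PKIXParameters pkixParameters = toPkixParameters(collection);
            getCertPathValidator().validate(certificateFactory.generateCertPath(list), pkixParameters);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /**
     * Extracts the single SPIFFE ID carried in the certificate's URI subjectAltName.
     *
     * @param x509Certificate the certificate to inspect
     * @return the parsed SPIFFE ID
     * @throws CertificateException if the certificate carries no SPIFFE ID or more than one
     */
    public static SpiffeId getSpiffeId(X509Certificate x509Certificate) throws CertificateException {
        List<String> spiffeIds = getSpiffeIds(x509Certificate);
        if (spiffeIds.size() > 1) {
            throw new CertificateException("Certificate contains multiple SPIFFE IDs");
        }
        if (spiffeIds.isEmpty()) {
            throw new CertificateException("Certificate does not contain SPIFFE ID in the URI SAN");
        }
        return SpiffeId.parse(spiffeIds.get(0));
    }

    /**
     * Returns the trust domain of the first (leaf) certificate's SPIFFE ID.
     *
     * @param list the chain, leaf first
     * @return the leaf's trust domain
     * @throws IllegalArgumentException if {@code list} is null or empty
     * @throws CertificateException if the leaf carries no single SPIFFE ID
     */
    public static TrustDomain getTrustDomain(List<X509Certificate> list) throws CertificateException {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Chain of certificates is empty");
        }
        return getSpiffeId(list.get(0)).getTrustDomain();
    }

    /**
     * Whether the certificate asserts cA=TRUE in its BasicConstraints extension.
     * {@link X509Certificate#getBasicConstraints()} returns -1 both when the extension is
     * absent and when cA is FALSE, so both cases report {@code false}.
     */
    public static boolean isCA(X509Certificate x509Certificate) {
        return x509Certificate.getBasicConstraints() != -1;
    }

    /**
     * Whether the KeyUsage extension is present and sets keyCertSign. A certificate without a
     * KeyUsage extension reports {@code false} rather than failing with a NullPointerException.
     */
    public static boolean hasKeyUsageCertSign(X509Certificate x509Certificate) {
        return hasKeyUsage(x509Certificate, KeyUsage.KEY_CERT_SIGN);
    }

    /** Whether the KeyUsage extension is present and sets digitalSignature. */
    public static boolean hasKeyUsageDigitalSignature(X509Certificate x509Certificate) {
        return hasKeyUsage(x509Certificate, KeyUsage.DIGITAL_SIGNATURE);
    }

    /** Whether the KeyUsage extension is present and sets cRLSign. */
    public static boolean hasKeyUsageCRLSign(X509Certificate x509Certificate) {
        return hasKeyUsage(x509Certificate, KeyUsage.CRL_SIGN);
    }

    /**
     * Null- and bounds-safe lookup of a single KeyUsage bit.
     * {@link X509Certificate#getKeyUsage()} returns null when the extension is absent.
     */
    private static boolean hasKeyUsage(X509Certificate x509Certificate, KeyUsage keyUsage) {
        boolean[] usages = x509Certificate.getKeyUsage();
        int index = keyUsage.index();
        return usages != null && index >= 0 && index < usages.length && usages[index];
    }

    /** Wraps the key bytes in a PKCS#8 spec, unarmouring them first when they are PEM. */
    private static EncodedKeySpec getEncodedKeySpec(byte[] bArr, KeyFileFormat keyFileFormat) throws InvalidKeyException {
        byte[] der = keyFileFormat == KeyFileFormat.PEM ? toDerFormat(bArr) : bArr;
        return new PKCS8EncodedKeySpec(der);
    }

    /**
     * Collects every {@code spiffe://} value found in a URI-type subjectAltName.
     * Entries of any other GeneralName type are ignored even if their value happens to start
     * with the prefix, and non-String values (e.g. otherName byte arrays) are skipped instead of
     * raising a ClassCastException.
     *
     * @return the SPIFFE IDs as strings, or an empty list if the certificate has no SANs
     */
    private static List<String> getSpiffeIds(X509Certificate x509Certificate) throws CertificateParsingException {
        Collection<List<?>> subjectAltNames = x509Certificate.getSubjectAlternativeNames();
        if (subjectAltNames == null) {
            return Collections.emptyList();
        }
        return subjectAltNames.stream()
                .filter(san -> san != null && san.size() > SAN_VALUE_INDEX)
                .filter(san -> Integer.valueOf(SAN_TYPE_URI).equals(san.get(SAN_TYPE_INDEX)))
                .map(san -> san.get(SAN_VALUE_INDEX))
                .filter(String.class::isInstance)
                .map(String.class::cast)
                .filter(value -> value.startsWith(SPIFFE_PREFIX))
                .collect(Collectors.toList());
    }

    /**
     * Decodes the spec with the {@link KeyFactory} for the given algorithm.
     *
     * @throws NoSuchAlgorithmException if the algorithm is neither EC nor RSA (the original
     *         fell through and returned null, which only failed later at the call site)
     */
    private static PrivateKey generatePrivateKeyWithSpec(EncodedKeySpec encodedKeySpec, AsymmetricKeyAlgorithm asymmetricKeyAlgorithm) throws NoSuchAlgorithmException, InvalidKeySpecException {
        Objects.requireNonNull(asymmetricKeyAlgorithm, "asymmetricKeyAlgorithm");
        switch (asymmetricKeyAlgorithm) {
            case EC:
                return KeyFactory.getInstance(AsymmetricKeyAlgorithm.EC.value()).generatePrivate(encodedKeySpec);
            case RSA:
                return KeyFactory.getInstance(AsymmetricKeyAlgorithm.RSA.value()).generatePrivate(encodedKeySpec);
            default:
                throw new NoSuchAlgorithmException("Unsupported private key algorithm: " + asymmetricKeyAlgorithm);
        }
    }

    /**
     * Turns the trusted CA certificates into PKIX parameters.
     *
     * <p>Revocation checking is deliberately disabled: no CRL or OCSP source is configured
     * here, and with checking enabled PKIX validation would fail for lack of revocation data.
     * Callers that need revocation must obtain it by other means (e.g. bundle rotation).
     *
     * @throws CertificateException if {@code collection} is null or empty
     * @throws InvalidAlgorithmParameterException if the anchor set is rejected by PKIXParameters
     */
    private static PKIXParameters toPkixParameters(Collection<X509Certificate> collection) throws CertificateException, InvalidAlgorithmParameterException {
        if (collection == null || collection.isEmpty()) {
            throw new CertificateException("No trusted Certs");
        }
        Set<TrustAnchor> trustAnchors = collection.stream()
                .map(trusted -> new TrustAnchor(trusted, null))
                .collect(Collectors.toSet());
        PKIXParameters pkixParameters = new PKIXParameters(trustAnchors);
        pkixParameters.setRevocationEnabled(false);
        return pkixParameters;
    }

    /** Obtains the JCA PKIX path validator. */
    private static CertPathValidator getCertPathValidator() throws NoSuchAlgorithmException {
        return CertPathValidator.getInstance(PUBLIC_KEY_INFRASTRUCTURE_ALGORITHM);
    }

    /**
     * Obtains the X.509 certificate factory. Every JRE ships one, so its absence is treated as
     * a broken runtime rather than a recoverable condition.
     */
    private static CertificateFactory getCertificateFactory() {
        try {
            return CertificateFactory.getInstance(X509_CERTIFICATE_TYPE);
        } catch (CertificateException e) {
            throw new IllegalStateException("Could not create Certificate Factory", e);
        }
    }

    /**
     * Strips PKCS#8 PEM armour and whitespace and Base64-decodes the body.
     * The bytes are decoded as UTF-8 explicitly; PEM is ASCII, so relying on the platform
     * default charset would only introduce environment-dependent behaviour.
     *
     * @throws InvalidKeyException if the remaining body is not valid Base64 (including the
     *         case where an unrecognised armour label was left in place)
     */
    private static byte[] toDerFormat(byte[] bArr) throws InvalidKeyException {
        try {
            String pem = new String(bArr, StandardCharsets.UTF_8);
            String unarmoured = PEM_PRIVATE_KEY_ARMOUR.matcher(pem).replaceAll("");
            String body = WHITESPACE.matcher(unarmoured).replaceAll("");
            return Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new InvalidKeyException("PEM private key could not be decoded", e);
        }
    }
}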
