package net.shibboleth.utilities.java.support.security;

import com.beust.jcommander.JCommander;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.converters.BaseConverter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.EnumSet;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.Positive;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.opensaml.security.crypto.JCAConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/java-support-7.5.2.jar:net/shibboleth/utilities/java/support/security/SelfSignedCertificateGenerator.class */
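/**
 * Generates a key pair and a self-signed X.509 certificate for a host name and writes the
 * results as PEM files (private key and/or certificate) and/or as a keystore entry.
 *
 * <p>Usable either programmatically via the setters followed by {@link #generate()}, or as a
 * command-line tool via {@link #main(String[])}.</p>
 *
 * <p>Output files are created exclusively (an existing file is an error, never overwritten).
 * Files holding private key material (the PEM key file and the keystore) are created with
 * owner-only permissions where the file system supports POSIX permissions; the PEM private key
 * is written unencrypted, so the file permissions are the only protection it has.</p>
 */
public class SelfSignedCertificateGenerator {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SelfSignedCertificateGenerator.class);

    /** Settings, populated either by the setters or by JCommander from the command line. */
    @Nonnull
    private final CommandLineArgs args = new CommandLineArgs();

    /**
     * Command-line argument holder; the field values double as the programmatic settings.
     *
     * <p>Note: the decompiler widened this class from {@code private} to {@code public}; it is
     * kept public here so that existing references continue to compile.</p>
     */
    public static class CommandLineArgs {

        /** Option: display usage. */
        @NotEmpty
        @Nonnull
        public static final String HELP = "--help";

        /** Option: key algorithm. */
        @NotEmpty
        @Nonnull
        public static final String KEY_TYPE = "--type";

        /** Option: key size in bits. */
        @NotEmpty
        @Nonnull
        public static final String KEY_SIZE = "--size";

        /** Option: certificate lifetime in years. */
        @NotEmpty
        @Nonnull
        public static final String CERT_LIFETIME = "--lifetime";

        /** Option: certificate signature algorithm. */
        @NotEmpty
        @Nonnull
        public static final String CERT_ALG = "--certAlg";

        /** Option: subject host name. */
        @NotEmpty
        @Nonnull
        public static final String HOSTNAME = "--hostname";

        /** Option: additional DNS subjectAltName. */
        @NotEmpty
        @Nonnull
        public static final String DNS_ALTNAMES = "--dnsAltName";

        /** Option: additional URI subjectAltName. */
        @NotEmpty
        @Nonnull
        public static final String URI_ALTNAMES = "--uriAltName";

        /** Option: PEM private key output path. */
        @NotEmpty
        @Nonnull
        public static final String KEY_FILE = "--keyfile";

        /** Option: PEM certificate output path. */
        @NotEmpty
        @Nonnull
        public static final String CERT_FILE = "--certfile";

        /** Option: keystore type. */
        @NotEmpty
        @Nonnull
        public static final String STORE_TYPE = "--storetype";

        /** Option: keystore output path. */
        @NotEmpty
        @Nonnull
        public static final String STORE_FILE = "--storefile";

        /** Option: keystore password. */
        @NotEmpty
        @Nonnull
        public static final String STORE_PASS = "--storepass";

        /** Whether usage was requested. */
        @Parameter(names = {HELP}, description = "Display program usage", help = true)
        private boolean help;

        /** Key algorithm name passed to {@link KeyPairGenerator#getInstance(String)}. */
        @NotEmpty
        @Nonnull
        @Parameter(names = {KEY_TYPE}, description = "Type of key to generate (default: RSA)")
        private String keyType = JCAConstants.KEY_ALGO_RSA;

        /** Key size in bits. */
        @Positive
        @Parameter(names = {KEY_SIZE}, description = "Size of key to generate (default: 3072)")
        private int keySize = 3072;

        /** Certificate validity period in years from now. */
        @Positive
        @Parameter(names = {CERT_LIFETIME}, description = "Certificate lifetime in years (default: 20)")
        private int certificateLifetime = 20;

        /** Signature algorithm name passed to the content signer builder. */
        @NotEmpty
        @Nonnull
        @Parameter(names = {CERT_ALG}, description = "Certificate algorithm (default: SHA256withRSA)")
        private String certAlg = JCAConstants.SIGNATURE_RSA_SHA256;

        /** Host name used as the subject CN, the first DNS subjectAltName and the keystore alias. */
        @NotEmpty
        @Nonnull
        @Parameter(names = {HOSTNAME}, required = true, description = "Hostname for certificate subject")
        private String hostname;

        /** Extra DNS subjectAltNames, or null. */
        @Nullable
        @Parameter(names = {DNS_ALTNAMES}, description = "DNS subjectAltNames for certificate")
        private List<String> dnsSubjectAltNames;

        /** Extra URI subjectAltNames, or null. */
        @Nullable
        @Parameter(names = {URI_ALTNAMES}, description = "URI subjectAltNames for certificate")
        private List<String> uriSubjectAltNames;

        /** PEM private key output file, or null to skip. */
        @Nullable
        @Parameter(names = {KEY_FILE}, converter = FileConverter.class, description = "Path to private key file")
        private File privateKeyFile;

        /** PEM certificate output file, or null to skip. */
        @Nullable
        @Parameter(names = {CERT_FILE}, converter = FileConverter.class, description = "Path to certificate file")
        private File certificateFile;

        /** Keystore type passed to {@link KeyStore#getInstance(String)}. */
        @NotEmpty
        @Nonnull
        @Parameter(names = {STORE_TYPE}, description = "Type of keystore to generate (default: PKCS12)")
        private String keystoreType = "PKCS12";

        /** Keystore output file, or null to skip. */
        @Nullable
        @Parameter(names = {STORE_FILE}, converter = FileConverter.class, description = "Path to keystore")
        private File keystoreFile;

        /**
         * Keystore password; required whenever {@link #keystoreFile} is set.
         *
         * <p>When supplied on the command line it is visible to other local users through the
         * process table, as with any command-line password.</p>
         */
        @Nullable
        @Parameter(names = {STORE_PASS}, description = "Password for keystore")
        private String keystorePassword;

        /** Constructor; defaults are supplied by the field initializers. */
        private CommandLineArgs() {
        }
    }

    /** JCommander converter turning an option value into a {@link File}. */
    public static class FileConverter extends BaseConverter<File> {

        /**
         * Constructor.
         *
         * @param optionName name of the option being converted
         */
        public FileConverter(final String optionName) {
            super(optionName);
        }

        /** {@inheritDoc} */
        @Override
        public File convert(final String value) {
            return new File(value);
        }
    }

    /**
     * Sets the key algorithm.
     *
     * @param type key algorithm name, e.g. "RSA"
     */
    public void setKeyType(@NotEmpty @Nonnull final String type) {
        args.keyType = Constraint.isNotNull(StringSupport.trimOrNull(type), "Key type cannot be null or empty");
    }

    /**
     * Sets the key size in bits.
     *
     * @param size key size, must be positive
     */
    public void setKeySize(@Positive final int size) {
        Constraint.isGreaterThan(0L, size, "Key size must be greater than 0");
        args.keySize = size;
    }

    /**
     * Sets the certificate lifetime in years.
     *
     * @param years lifetime, must be positive
     */
    public void setCertificateLifetime(@Positive final int years) {
        Constraint.isGreaterThan(0L, years, "Certificate lifetime must be greater than 0");
        args.certificateLifetime = years;
    }

    /**
     * Sets the certificate signature algorithm.
     *
     * @param algorithm JCA signature algorithm name, e.g. "SHA256withRSA"
     */
    public void setCertificateAlg(@NotEmpty @Nonnull final String algorithm) {
        args.certAlg = Constraint.isNotNull(StringSupport.trimOrNull(algorithm), "Algorithm cannot be null or empty");
    }

    /**
     * Sets the host name used for the subject, the first DNS subjectAltName and the keystore alias.
     *
     * @param name host name
     */
    public void setHostName(@NotEmpty @Nonnull final String name) {
        args.hostname = Constraint.isNotNull(StringSupport.trimOrNull(name), "Hostname cannot be null or empty");
    }

    /**
     * Sets the PEM private key output file.
     *
     * @param file output file, or null to skip writing the key as PEM
     */
    public void setPrivateKeyFile(@Nullable final File file) {
        args.privateKeyFile = file;
    }

    /**
     * Sets the PEM certificate output file.
     *
     * @param file output file, or null to skip writing the certificate as PEM
     */
    public void setCertificateFile(@Nullable final File file) {
        args.certificateFile = file;
    }

    /**
     * Sets the keystore type.
     *
     * @param type keystore type, e.g. "PKCS12"
     */
    public void setKeystoreType(@NotEmpty @Nonnull final String type) {
        args.keystoreType = Constraint.isNotNull(StringSupport.trimOrNull(type), "Keystore type cannot be null or empty");
    }

    /**
     * Sets the keystore output file.
     *
     * @param file output file, or null to skip writing a keystore
     */
    public void setKeystoreFile(@Nullable final File file) {
        args.keystoreFile = file;
    }

    /**
     * Sets the keystore password; required if a keystore file is set.
     *
     * @param password keystore password
     */
    public void setKeystorePassword(@Nullable final String password) {
        args.keystorePassword = password;
    }

    /**
     * Sets additional DNS subjectAltNames.
     *
     * @param names DNS names; blank entries are dropped by normalization
     */
    public void setDNSSubjectAltNames(@NonnullElements @Nonnull final Collection<String> names) {
        args.dnsSubjectAltNames = new ArrayList<>(StringSupport.normalizeStringCollection(names));
    }

    /**
     * Sets additional URI subjectAltNames.
     *
     * @param names URIs; blank entries are dropped by normalization
     */
    public void setURISubjectAltNames(@NonnullElements @Nonnull final Collection<String> names) {
        args.uriSubjectAltNames = new ArrayList<>(StringSupport.normalizeStringCollection(names));
    }

    /**
     * Validates the settings, creates the requested output files, then generates the key pair and
     * certificate and writes them out.
     *
     * <p>Output files are created before key generation so that an existing file fails fast; the
     * files are created exclusively and are never overwritten.</p>
     *
     * @throws IOException if any requested output file already exists or cannot be written
     * @throws Exception on any key generation, certificate or keystore failure
     */
    public void generate() throws Exception {
        validate();

        if (args.privateKeyFile != null) {
            createExclusively(args.privateKeyFile, true, "Private key");
        }
        if (args.certificateFile != null) {
            createExclusively(args.certificateFile, false, "Certificate");
        }
        if (args.keystoreFile != null) {
            createExclusively(args.keystoreFile, true, "KeyStore");
        }

        final KeyPair keyPair = generateKeyPair();
        final X509Certificate certificate = generateCertificate(keyPair);

        if (args.privateKeyFile != null) {
            // The key is written unencrypted; the file permissions set above are its only protection.
            try (final JcaPEMWriter writer = new JcaPEMWriter(new FileWriter(args.privateKeyFile))) {
                writer.writeObject(keyPair.getPrivate());
                writer.flush();
            }
        }

        if (args.certificateFile != null) {
            try (final JcaPEMWriter writer = new JcaPEMWriter(new FileWriter(args.certificateFile))) {
                writer.writeObject(certificate);
                writer.flush();
            }
        }

        if (args.keystoreFile != null) {
            storeKeystore(keyPair, certificate);
        }
    }

    /**
     * Creates a file exclusively, failing if it already exists.
     *
     * <p>When {@code ownerOnly} is set and the file system supports POSIX permissions, the file is
     * created with owner read/write only, so key material is never even briefly readable by other
     * users. On file systems without POSIX permissions this falls back to a plain exclusive create.</p>
     *
     * @param file file to create
     * @param ownerOnly whether to restrict permissions to the owner
     * @param description human-readable file role used in the error message
     * @throws IOException if the file already exists or cannot be created
     */
    private static void createExclusively(@Nonnull final File file, final boolean ownerOnly,
            @Nonnull final String description) throws IOException {
        if (ownerOnly) {
            final FileAttribute<Set<PosixFilePermission>> ownerReadWrite = PosixFilePermissions.asFileAttribute(
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            try {
                Files.createFile(file.toPath(), ownerReadWrite);
                return;
            } catch (final FileAlreadyExistsException e) {
                throw new IOException(description + " file exists: " + file.getAbsolutePath(), e);
            } catch (final UnsupportedOperationException ignored) {
                // Non-POSIX file system (e.g. Windows): permissions cannot be set at creation time,
                // so fall through to the unrestricted exclusive create below.
            }
        }
        if (!file.createNewFile()) {
            throw new IOException(description + " file exists: " + file.getAbsolutePath());
        }
    }

    /**
     * Writes the key pair and certificate into a new keystore at the configured file.
     *
     * @param keyPair key pair whose private key is stored
     * @param certificate certificate chain entry for the key
     * @throws Exception on any keystore or I/O failure
     */
    private void storeKeystore(@Nonnull final KeyPair keyPair, @Nonnull final X509Certificate certificate)
            throws Exception {
        // validate() guarantees a non-empty password whenever a keystore file is requested.
        final char[] password = args.keystorePassword.toCharArray();
        try {
            final KeyStore keyStore = KeyStore.getInstance(args.keystoreType);
            keyStore.load(null, null);
            keyStore.setKeyEntry(args.hostname, keyPair.getPrivate(), password,
                    new X509Certificate[] {certificate});
            try (final FileOutputStream out = new FileOutputStream(args.keystoreFile)) {
                keyStore.store(out, password);
                out.flush();
            }
        } finally {
            // Do not leave a copy of the password lying around in the heap longer than necessary.
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Checks the settings are consistent.
     *
     * @throws IllegalArgumentException if the host name is missing, or a keystore file is set
     *             without a password
     */
    protected void validate() {
        if (args.keySize > 2048) {
            log.warn("Key size is greater than 2048, this may cause problems with some JVMs");
        }
        if (JCAConstants.KEY_ALGO_RSA.equals(args.keyType) && args.keySize < 2048) {
            log.warn("RSA key size {} is below 2048 bits and is generally considered too weak", args.keySize);
        }
        if (args.hostname == null || args.hostname.isEmpty()) {
            throw new IllegalArgumentException("A non-empty hostname is required");
        }
        if (args.keystoreFile != null
                && (args.keystorePassword == null || args.keystorePassword.isEmpty())) {
            throw new IllegalArgumentException("Keystore password cannot be null if a keystore file is given");
        }
    }

    /**
     * Generates a key pair of the configured type and size.
     *
     * @return the new key pair
     * @throws NoSuchAlgorithmException if the key type is not supported by the JVM
     */
    @Nonnull
    protected KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        try {
            final KeyPairGenerator generator = KeyPairGenerator.getInstance(args.keyType);
            generator.initialize(args.keySize);
            return generator.generateKeyPair();
        } catch (final NoSuchAlgorithmException e) {
            log.error("The {} key type is not supported by this JVM", args.keyType);
            throw e;
        }
    }

    /**
     * Builds a self-signed certificate for the key pair: subject and issuer are {@code CN=hostname},
     * validity runs from now for the configured number of years, with subjectKeyIdentifier and
     * subjectAltName extensions.
     *
     * @param keyPair key pair to certify and sign with
     * @return the self-signed certificate, already checked for validity and signature
     * @throws Exception on any certificate construction or verification failure
     */
    @Nonnull
    protected X509Certificate generateCertificate(@Nonnull final KeyPair keyPair) throws Exception {
        final X500Name dn = new X500Name("CN=" + args.hostname);

        final GregorianCalendar notBefore = new GregorianCalendar();
        final GregorianCalendar notAfter = new GregorianCalendar();
        notAfter.set(Calendar.YEAR, notAfter.get(Calendar.YEAR) + args.certificateLifetime);

        // 160-bit (20-octet) random serial number so it is unpredictable and effectively unique.
        final BigInteger serial = new BigInteger(160, new SecureRandom());

        final JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(dn, serial,
                notBefore.getTime(), notAfter.getTime(), dn, keyPair.getPublic());
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.subjectAlternativeName, false,
                GeneralNames.getInstance(new DERSequence(buildSubjectAltNames())));

        final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(
                builder.build(new JcaContentSignerBuilder(args.certAlg).build(keyPair.getPrivate())));

        // Sanity-check the result: valid right now, and the self-signature verifies under its own key.
        certificate.checkValidity(new Date());
        certificate.verify(keyPair.getPublic());
        return certificate;
    }

    /**
     * Builds the subjectAltName entries: the host name as a DNS name, followed by any extra DNS and
     * URI names.
     *
     * @return the GeneralName entries
     */
    @NonnullElements
    @Nonnull
    protected ASN1Encodable[] buildSubjectAltNames() {
        final List<ASN1Encodable> names = new ArrayList<>();
        names.add(new GeneralName(GeneralName.dNSName, args.hostname));
        if (args.dnsSubjectAltNames != null) {
            for (final String dns : args.dnsSubjectAltNames) {
                names.add(new GeneralName(GeneralName.dNSName, dns));
            }
        }
        if (args.uriSubjectAltNames != null) {
            for (final String uri : args.uriSubjectAltNames) {
                names.add(new GeneralName(GeneralName.uniformResourceIdentifier, uri));
            }
        }
        return names.toArray(new ASN1Encodable[0]);
    }

    /**
     * Command-line entry point.
     *
     * @param commandLine command-line arguments, see the {@link CommandLineArgs} option constants
     * @throws Exception on any generation failure
     */
    public static void main(@Nonnull final String[] commandLine) throws Exception {
        final SelfSignedCertificateGenerator generator = new SelfSignedCertificateGenerator();
        final JCommander parser = new JCommander(generator.args, commandLine);
        if (generator.args.help) {
            parser.setProgramName("SelfSignedCertificateGenerator");
            parser.usage();
            return;
        }
        generator.generate();
    }
}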
