package org.xwiki.crypto.script;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.inject.Singleton;
import org.xwiki.component.annotation.Component;
import org.xwiki.crypto.KeyPairGenerator;
import org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair;
import org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters;
import org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters;
import org.xwiki.crypto.params.generator.asymmetric.RSAKeyGenerationParameters;
import org.xwiki.crypto.pkix.CertificateChainBuilder;
import org.xwiki.crypto.pkix.CertificateGeneratorFactory;
import org.xwiki.crypto.pkix.CertificateProvider;
import org.xwiki.crypto.pkix.CertifyingSigner;
import org.xwiki.crypto.pkix.X509ExtensionBuilder;
import org.xwiki.crypto.pkix.params.CertifiedKeyPair;
import org.xwiki.crypto.pkix.params.CertifiedPublicKey;
import org.xwiki.crypto.pkix.params.x509certificate.DistinguishedName;
import org.xwiki.crypto.pkix.params.x509certificate.X509CertificateGenerationParameters;
import org.xwiki.crypto.pkix.params.x509certificate.X509CertificateParameters;
import org.xwiki.crypto.pkix.params.x509certificate.X509CertifiedPublicKey;
import org.xwiki.crypto.pkix.params.x509certificate.extension.ExtendedKeyUsages;
import org.xwiki.crypto.pkix.params.x509certificate.extension.KeyUsage;
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509DnsName;
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName;
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509IpAddress;
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509Rfc822Name;
import org.xwiki.crypto.signer.CMSSignedDataGenerator;
import org.xwiki.crypto.signer.CMSSignedDataVerifier;
import org.xwiki.crypto.signer.SignerFactory;
import org.xwiki.crypto.signer.param.CMSSignedDataGeneratorParameters;
import org.xwiki.crypto.signer.param.CMSSignedDataVerified;
import org.xwiki.crypto.signer.param.CMSSignerVerifiedInformation;
import org.xwiki.script.service.ScriptService;

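/* recovered from: input_file:WEB-INF/lib/xwiki-platform-crypto-script-10.0.jar:org/xwiki/crypto/script/RSACryptoScriptService.class */
/**
 * Script service (hint {@code crypto.rsa}) exposing RSA key generation, X.509 certificate issuance, CMS signing
 * and verification, and a minimal certificate chain check to scripts.
 * <p>
 * Every cryptographic primitive is delegated to an injected XWiki crypto component; this class only assembles
 * parameters. The signature algorithm is fixed by the {@code SHA1withRSAEncryption} signer factory injected below
 * and applies to every certificate and CMS signature produced here.
 */
@Singleton
@Component
@Named("crypto.rsa")
public class RSACryptoScriptService implements ScriptService {
    /** Role hint under which this service is registered. */
    public static final String ROLEHINT = "rsa";

    /** UTF-8 charset constant; no method of this class references it. */
    private static final Charset UTF8 = StandardCharsets.UTF_8;

    @Inject
    @Named("RSA")
    private KeyPairGenerator keyPairGenerator;

    /**
     * Signer used for every certificate and CMS signature. The hint hard-wires SHA-1 with RSA; SHA-1 is no longer
     * considered collision resistant, so certificates and signatures produced here should not be relied on where a
     * stronger digest is available. The hint is part of the component wiring and is left as-is.
     */
    @Inject
    @Named("SHA1withRSAEncryption")
    private SignerFactory signerFactory;

    @Inject
    private Provider<X509ExtensionBuilder> extensionBuilder;

    @Inject
    @Named("X509")
    private CertificateGeneratorFactory certificateGeneratorFactory;

    @Inject
    private CMSSignedDataGenerator cmsSignedDataGenerator;

    @Inject
    @Named("X509")
    private CertificateChainBuilder certificateChainBuilder;

    @Inject
    private CMSSignedDataVerifier cmsSignedDataVerifier;

    /**
     * Generates an RSA key pair with the generator's default parameters.
     *
     * @return the new key pair
     */
    public AsymmetricKeyPair generateKeyPair() {
        return this.keyPairGenerator.generate();
    }

    /**
     * Generates an RSA key pair of the given strength.
     *
     * @param strength key strength, passed unchanged to {@link RSAKeyGenerationParameters}; see that class for the
     *            unit it expects (not necessarily bits)
     * @return the new key pair
     */
    public AsymmetricKeyPair generateKeyPair(int strength) {
        return this.keyPairGenerator.generate(new RSAKeyGenerationParameters(strength));
    }

    /**
     * Generates an RSA key pair with explicit generation parameters.
     *
     * @param strength key strength, see {@link #generateKeyPair(int)}
     * @param publicExponent second argument of {@link RSAKeyGenerationParameters}, presumably the public exponent
     * @param certainty third argument of {@link RSAKeyGenerationParameters}, presumably the prime certainty
     * @return the new key pair
     */
    public AsymmetricKeyPair generateKeyPair(int strength, BigInteger publicExponent, int certainty) {
        return this.keyPairGenerator.generate(
            new RSAKeyGenerationParameters(strength, publicExponent, certainty));
    }

    /**
     * Pairs a private key with an already issued certificate.
     *
     * @param privateKey the private key
     * @param certificate the certificate of the matching public key
     * @return the certified key pair
     */
    public CertifiedKeyPair createCertifiedKeyPair(PrivateKeyParameters privateKey, CertifiedPublicKey certificate) {
        return new CertifiedKeyPair(privateKey, certificate);
    }

    /**
     * Issues a self-signed root CA certificate for {@code keyPair}.
     * <p>
     * The certificate carries a basic-constraints extension (CA) and a key-usage extension limited to
     * {@code keyCertSign} and {@code cRLSign}: the key is meant to sign certificates and CRLs only. The
     * {@code true} flags passed to the extension builder presumably mark the extensions as critical; confirm
     * against {@link X509ExtensionBuilder}.
     *
     * @param keyPair the key pair to certify; its private key signs the certificate
     * @param dn subject (and issuer) distinguished name, e.g. {@code "CN=Example Root CA"} (constructed example)
     * @param validity validity period, passed unchanged to {@link X509CertificateGenerationParameters}
     * @return the private key together with its self-signed certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedKeyPair issueRootCACertificate(AsymmetricKeyPair keyPair, String dn, int validity)
        throws IOException, GeneralSecurityException {
        X509ExtensionBuilder extensions = this.extensionBuilder.get()
            .addBasicConstraints(true)
            .addKeyUsage(true, EnumSet.of(KeyUsage.keyCertSign, KeyUsage.cRLSign));
        X509CertificateGenerationParameters parameters =
            new X509CertificateGenerationParameters(validity, extensions.build());
        // Self-signed: the signer is built directly on the key pair's own private key, not on an issuer.
        CertifiedPublicKey certificate = this.certificateGeneratorFactory
            .getInstance(this.signerFactory.getInstance(true, keyPair.getPrivate()), parameters)
            .generate(new DistinguishedName(dn), keyPair.getPublic(), new X509CertificateParameters());
        return new CertifiedKeyPair(keyPair.getPrivate(), certificate);
    }

    /**
     * Issues an intermediate CA certificate for {@code keyPair}, signed by {@code issuer}.
     *
     * @param issuer the issuing CA (private key and certificate)
     * @param keyPair the key pair to certify
     * @param dn subject distinguished name
     * @param validity validity period, see {@link #issueRootCACertificate(AsymmetricKeyPair, String, int)}
     * @return the private key of {@code keyPair} together with its new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedKeyPair issueIntermediateCertificate(CertifiedKeyPair issuer, AsymmetricKeyPair keyPair,
        String dn, int validity) throws IOException, GeneralSecurityException {
        CertifiedPublicKey certificate = issueIntermediateCertificate(issuer, keyPair.getPublic(), dn, validity);
        return new CertifiedKeyPair(keyPair.getPrivate(), certificate);
    }

    /**
     * Issues an intermediate CA certificate for {@code publicKey}, signed by the issuer given as a private key
     * and certificate.
     *
     * @param issuerPrivateKey the issuer's private key
     * @param issuerCertificate the issuer's certificate
     * @param publicKey the public key to certify
     * @param dn subject distinguished name
     * @param validity validity period
     * @return the new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedPublicKey issueIntermediateCertificate(PrivateKeyParameters issuerPrivateKey,
        CertifiedPublicKey issuerCertificate, PublicKeyParameters publicKey, String dn, int validity)
        throws IOException, GeneralSecurityException {
        CertifiedKeyPair issuer = new CertifiedKeyPair(issuerPrivateKey, issuerCertificate);
        return issueIntermediateCertificate(issuer, publicKey, dn, validity);
    }

    /**
     * Issues an intermediate CA certificate for {@code publicKey}, signed by {@code issuer}.
     * <p>
     * Unlike the root, the basic-constraints extension is added through the {@code int} overload with
     * {@code 0}; presumably a path-length constraint of zero, which would forbid this CA from certifying further
     * CAs (confirm against {@link X509ExtensionBuilder}). Key usage is again {@code keyCertSign} and
     * {@code cRLSign} only.
     *
     * @param issuer the issuing CA (private key and certificate)
     * @param publicKey the public key to certify
     * @param dn subject distinguished name
     * @param validity validity period
     * @return the new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedPublicKey issueIntermediateCertificate(CertifiedKeyPair issuer, PublicKeyParameters publicKey,
        String dn, int validity) throws IOException, GeneralSecurityException {
        X509ExtensionBuilder extensions = this.extensionBuilder.get()
            .addBasicConstraints(0)
            .addKeyUsage(EnumSet.of(KeyUsage.keyCertSign, KeyUsage.cRLSign));
        X509CertificateGenerationParameters parameters =
            new X509CertificateGenerationParameters(validity, extensions.build());
        return this.certificateGeneratorFactory
            .getInstance(CertifyingSigner.getInstance(true, issuer, this.signerFactory), parameters)
            .generate(new DistinguishedName(dn), publicKey, new X509CertificateParameters());
    }

    /**
     * Issues an end-entity certificate for {@code keyPair}, signed by {@code issuer}.
     *
     * @param issuer the issuing CA (private key and certificate)
     * @param keyPair the key pair to certify
     * @param dn subject distinguished name
     * @param validity validity period
     * @param subjectAltNames subject alternative names, or {@code null} for none; see
     *            {@link #issueCertificate(CertifiedKeyPair, PublicKeyParameters, String, int, List)}
     * @return the private key of {@code keyPair} together with its new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedKeyPair issueCertificate(CertifiedKeyPair issuer, AsymmetricKeyPair keyPair, String dn,
        int validity, List<X509GeneralName> subjectAltNames) throws IOException, GeneralSecurityException {
        CertifiedPublicKey certificate =
            issueCertificate(issuer, keyPair.getPublic(), dn, validity, subjectAltNames);
        return new CertifiedKeyPair(keyPair.getPrivate(), certificate);
    }

    /**
     * Issues an end-entity certificate for {@code publicKey}, signed by the issuer given as a private key and
     * certificate.
     *
     * @param issuerPrivateKey the issuer's private key
     * @param issuerCertificate the issuer's certificate
     * @param publicKey the public key to certify
     * @param dn subject distinguished name
     * @param validity validity period
     * @param subjectAltNames subject alternative names, or {@code null} for none
     * @return the new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedPublicKey issueCertificate(PrivateKeyParameters issuerPrivateKey,
        CertifiedPublicKey issuerCertificate, PublicKeyParameters publicKey, String dn, int validity,
        List<X509GeneralName> subjectAltNames) throws IOException, GeneralSecurityException {
        CertifiedKeyPair issuer = new CertifiedKeyPair(issuerPrivateKey, issuerCertificate);
        return issueCertificate(issuer, publicKey, dn, validity, subjectAltNames);
    }

    /**
     * Issues an end-entity certificate for {@code publicKey}, signed by {@code issuer}.
     * <p>
     * The certificate gets a key-usage extension of {@code digitalSignature} and {@code dataEncipherment}. When
     * subject alternative names are given they are placed in a subject-alt-name extension and an extended
     * key-usage extension is derived from them: an RFC 822 name adds {@code EMAIL_PROTECTION}; a DNS name or IP
     * address adds {@code SERVER_AUTH} and {@code CLIENT_AUTH}; other name types add nothing. Names are not
     * validated here, so the caller decides which identities the certificate asserts.
     *
     * @param issuer the issuing CA (private key and certificate)
     * @param publicKey the public key to certify
     * @param dn subject distinguished name
     * @param validity validity period
     * @param subjectAltNames subject alternative names, or {@code null} for none
     * @return the new certificate
     * @throws IOException on encoding failure
     * @throws GeneralSecurityException on signing failure
     */
    public CertifiedPublicKey issueCertificate(CertifiedKeyPair issuer, PublicKeyParameters publicKey, String dn,
        int validity, List<X509GeneralName> subjectAltNames) throws IOException, GeneralSecurityException {
        X509ExtensionBuilder extensions = this.extensionBuilder.get()
            .addKeyUsage(EnumSet.of(KeyUsage.digitalSignature, KeyUsage.dataEncipherment));
        X509CertificateParameters subjectParameters;
        if (subjectAltNames != null) {
            subjectParameters = new X509CertificateParameters(this.extensionBuilder.get()
                .addSubjectAltName(false, subjectAltNames.toArray(new X509GeneralName[0]))
                .build());
            Set<String> usages = extendedKeyUsagesFor(subjectAltNames);
            // Added once, after every name has been seen. The previous code added the extension on each loop
            // iteration with a partially filled set; RFC 5280 allows one instance of an extension per certificate
            // and requires the extended-key-usage sequence to be non-empty.
            if (!usages.isEmpty()) {
                extensions.addExtendedKeyUsage(false, new ExtendedKeyUsages(usages));
            }
        } else {
            subjectParameters = new X509CertificateParameters();
        }
        X509CertificateGenerationParameters parameters =
            new X509CertificateGenerationParameters(validity, extensions.build());
        return this.certificateGeneratorFactory
            .getInstance(CertifyingSigner.getInstance(true, issuer, this.signerFactory), parameters)
            .generate(new DistinguishedName(dn), publicKey, subjectParameters);
    }

    /**
     * Derives the extended key usages implied by a list of subject alternative names.
     *
     * @param subjectAltNames the names to inspect, never {@code null}
     * @return the set of usage identifiers, possibly empty
     */
    private static Set<String> extendedKeyUsagesFor(List<X509GeneralName> subjectAltNames) {
        Set<String> usages = new HashSet<>();
        for (X509GeneralName name : subjectAltNames) {
            if (name instanceof X509Rfc822Name) {
                usages.add(ExtendedKeyUsages.EMAIL_PROTECTION);
            } else if (name instanceof X509DnsName || name instanceof X509IpAddress) {
                usages.add(ExtendedKeyUsages.SERVER_AUTH);
                usages.add(ExtendedKeyUsages.CLIENT_AUTH);
            }
        }
        return usages;
    }

    /**
     * Produces a CMS signed-data structure over {@code data} with a single signer and no certificates embedded.
     *
     * @param data the bytes to sign
     * @param keyPair the signer's private key and certificate
     * @param embedData flag passed unchanged to {@link CMSSignedDataGenerator#generate}; presumably whether the
     *            signed content is embedded in the output (confirm against that component)
     * @return the encoded signed data
     * @throws GeneralSecurityException on signing failure
     */
    public byte[] cmsSign(byte[] data, CertifiedKeyPair keyPair, boolean embedData)
        throws GeneralSecurityException {
        return cmsSign(data, keyPair, null, null, embedData);
    }

    /**
     * Produces a CMS signed-data structure over {@code data}, embedding the signer's certificate chain as
     * resolved through {@code certificateProvider}.
     *
     * @param data the bytes to sign
     * @param keyPair the signer's private key and certificate
     * @param certificateProvider source of issuer certificates for chain building, or {@code null}
     * @param embedData see {@link #cmsSign(byte[], CertifiedKeyPair, boolean)}
     * @return the encoded signed data
     * @throws GeneralSecurityException on signing failure
     */
    public byte[] cmsSign(byte[] data, CertifiedKeyPair keyPair, CertificateProvider certificateProvider,
        boolean embedData) throws GeneralSecurityException {
        return cmsSign(data, keyPair, certificateProvider, null, embedData);
    }

    /**
     * Produces a CMS signed-data structure over {@code data}, optionally carrying forward the signatures and
     * certificates of a previously verified signed-data structure (counter-/co-signing).
     * <p>
     * Signatures from {@code existingSignature} are copied verbatim; they are not re-verified here, so the caller
     * is responsible for having obtained them from a verification it trusts. Certificates are gathered from
     * {@code existingSignature} and, when a provider is available, from the chains of each existing signer and of
     * {@code keyPair}; they are embedded only when at least one was found.
     *
     * @param data the bytes to sign
     * @param keyPair the signer's private key and certificate
     * @param certificateProvider source of issuer certificates for chain building, or {@code null}
     * @param existingSignature a previously verified signed-data structure whose signatures and certificates are
     *            carried over, or {@code null}
     * @param embedData see {@link #cmsSign(byte[], CertifiedKeyPair, boolean)}
     * @return the encoded signed data
     * @throws GeneralSecurityException on signing failure
     */
    public byte[] cmsSign(byte[] data, CertifiedKeyPair keyPair, CertificateProvider certificateProvider,
        CMSSignedDataVerified existingSignature, boolean embedData) throws GeneralSecurityException {
        CMSSignedDataGeneratorParameters parameters = new CMSSignedDataGeneratorParameters()
            .addSigner(CertifyingSigner.getInstance(true, keyPair, this.signerFactory));

        if (existingSignature != null) {
            for (CMSSignerVerifiedInformation signature : existingSignature.getSignatures()) {
                parameters.addSignature(signature);
            }
        }

        Set<CertifiedPublicKey> certificates = collectCertificates(keyPair, certificateProvider, existingSignature);
        if (!certificates.isEmpty()) {
            parameters.addCertificates(certificates);
        }

        return this.cmsSignedDataGenerator.generate(data, parameters, embedData);
    }

    /**
     * Gathers the certificates to embed in a signed-data structure: those already present in
     * {@code existingSignature}, plus, when a provider is given, the chain of every existing signer and of
     * {@code keyPair}.
     *
     * @param keyPair the new signer
     * @param certificateProvider chain source, or {@code null} to skip chain resolution
     * @param existingSignature previously verified structure, or {@code null}
     * @return the collected certificates, possibly empty
     */
    private Set<CertifiedPublicKey> collectCertificates(CertifiedKeyPair keyPair,
        CertificateProvider certificateProvider, CMSSignedDataVerified existingSignature) {
        Set<CertifiedPublicKey> certificates = new HashSet<>();
        if (existingSignature != null && existingSignature.getCertificates() != null) {
            certificates.addAll(existingSignature.getCertificates());
        }
        if (certificateProvider == null) {
            // Without a provider no chain can be resolved; only already-present certificates are kept.
            return certificates;
        }
        if (existingSignature != null) {
            for (CMSSignerVerifiedInformation signature : existingSignature.getSignatures()) {
                // Signers are identified either by subject key identifier or by issuer and serial number.
                CertifiedPublicKey signerCertificate = signature.getSubjectKeyIdentifier() != null
                    ? certificateProvider.getCertificate(signature.getSubjectKeyIdentifier())
                    : certificateProvider.getCertificate(signature.getIssuer(), signature.getSerialNumber());
                addCertificateChain(signerCertificate, certificateProvider, certificates);
            }
        }
        addCertificateChain(keyPair.getCertificate(), certificateProvider, certificates);
        return certificates;
    }

    /**
     * Adds the chain built for {@code certificate} to {@code target}.
     *
     * @param certificate the leaf certificate; a {@code null} value (a provider lookup that found nothing) adds
     *            nothing
     * @param certificateProvider source of issuer certificates
     * @param target the collection receiving the chain; unchanged when no chain could be built
     */
    private void addCertificateChain(CertifiedPublicKey certificate, CertificateProvider certificateProvider,
        Collection<CertifiedPublicKey> target) {
        if (certificate == null) {
            return;
        }
        Collection<CertifiedPublicKey> chain = this.certificateChainBuilder.build(certificate, certificateProvider);
        if (chain != null) {
            target.addAll(chain);
        }
    }

    /**
     * Verifies a CMS signed-data structure with embedded content.
     * <p>
     * Whether an invalid signature is reported through the returned object or as an exception depends on the
     * injected verifier; inspect the result before trusting the content.
     *
     * @param signedData the encoded signed data
     * @return the verification result
     * @throws GeneralSecurityException on verification failure
     */
    public CMSSignedDataVerified cmsVerify(byte[] signedData) throws GeneralSecurityException {
        return this.cmsSignedDataVerifier.verify(signedData);
    }

    /**
     * Verifies a detached CMS signature against externally supplied content.
     *
     * @param signedData the encoded signed data
     * @param data the content the signature covers
     * @return the verification result, see {@link #cmsVerify(byte[])}
     * @throws GeneralSecurityException on verification failure
     */
    public CMSSignedDataVerified cmsVerify(byte[] signedData, byte[] data) throws GeneralSecurityException {
        return this.cmsSignedDataVerifier.verify(signedData, data);
    }

    /**
     * Verifies a CMS signed-data structure with embedded content, resolving signer certificates through
     * {@code certificateProvider}.
     *
     * @param signedData the encoded signed data
     * @param certificateProvider source of certificates not embedded in the structure
     * @return the verification result, see {@link #cmsVerify(byte[])}
     * @throws GeneralSecurityException on verification failure
     */
    public CMSSignedDataVerified cmsVerify(byte[] signedData, CertificateProvider certificateProvider)
        throws GeneralSecurityException {
        return this.cmsSignedDataVerifier.verify(signedData, certificateProvider);
    }

    /**
     * Verifies a detached CMS signature, resolving signer certificates through {@code certificateProvider}.
     *
     * @param signedData the encoded signed data
     * @param data the content the signature covers
     * @param certificateProvider source of certificates not embedded in the structure
     * @return the verification result, see {@link #cmsVerify(byte[])}
     * @throws GeneralSecurityException on verification failure
     */
    public CMSSignedDataVerified cmsVerify(byte[] signedData, byte[] data, CertificateProvider certificateProvider)
        throws GeneralSecurityException {
        return this.cmsSignedDataVerifier.verify(signedData, data, certificateProvider);
    }

    /**
     * Checks a certificate chain against the current time; see
     * {@link #checkX509CertificateChainValidity(Collection, Date)} for what is and is not checked.
     *
     * @param chain the chain, root first
     * @return {@code true} when the chain passes the checks
     */
    public boolean checkX509CertificateChainValidity(Collection<CertifiedPublicKey> chain) {
        return checkX509CertificateChainValidity(chain, null);
    }

    /**
     * Checks that a chain is non-empty, consists only of X.509 certificates, starts with a root CA and that every
     * certificate is within its validity period on {@code date}.
     * <p>
     * This is not path validation: signatures, issuer/subject linkage between consecutive certificates, key
     * usage, name constraints and revocation are not examined. A {@code true} result therefore says nothing about
     * whether the chain is trustworthy.
     *
     * @param chain the chain, root first
     * @param date the instant to check validity against, or {@code null} for now
     * @return {@code true} when every check passes; {@code false} for a {@code null} or empty chain
     */
    public boolean checkX509CertificateChainValidity(Collection<CertifiedPublicKey> chain, Date date) {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        Date checkDate = (date != null) ? date : new Date();
        boolean first = true;
        for (CertifiedPublicKey certificate : chain) {
            if (!(certificate instanceof X509CertifiedPublicKey)) {
                return false;
            }
            X509CertifiedPublicKey x509 = (X509CertifiedPublicKey) certificate;
            // Only the first element has to be a root CA.
            if (first && !x509.isRootCA()) {
                return false;
            }
            first = false;
            if (!x509.isValidOn(checkDate)) {
                return false;
            }
        }
        return true;
    }
}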
