package okhttp3.tls;

import java.math.BigInteger;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import kotlin.Pair;
import kotlin.TuplesKt;
import kotlin.collections.CollectionsKt__CollectionsJVMKt;
import kotlin.collections.CollectionsKt__IterablesKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.MatchGroup;
import kotlin.text.MatchResult;
import kotlin.text.Regex;
import okhttp3.internal.Util;
import okhttp3.tls.internal.der.AlgorithmIdentifier;
import okhttp3.tls.internal.der.AttributeTypeAndValue;
import okhttp3.tls.internal.der.BasicConstraints;
import okhttp3.tls.internal.der.BasicDerAdapter;
import okhttp3.tls.internal.der.BitString;
import okhttp3.tls.internal.der.Certificate;
import okhttp3.tls.internal.der.CertificateAdapters;
import okhttp3.tls.internal.der.Extension;
import okhttp3.tls.internal.der.ObjectIdentifiers;
import okhttp3.tls.internal.der.PrivateKeyInfo;
import okhttp3.tls.internal.der.SubjectPublicKeyInfo;
import okhttp3.tls.internal.der.TbsCertificate;
import okhttp3.tls.internal.der.Validity;
import okio.ByteString;

/* compiled from: HeldCertificate.kt */
/* loaded from: classes2.dex */
/**
 * An X.509 certificate held together with the key pair whose private half is kept in memory.
 *
 * <p>This listing is decompiler output of {@code HeldCertificate.kt}; the {@code Intrinsics.*}
 * calls and {@code $default} / {@code $okhttp_tls} method names are Kotlin compiler artifacts.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #keyPair()}, {@link #privateKeyPkcs8Pem()} and {@link #privateKeyPkcs1Pem()} hand
 *       out the private key in the clear; the PEM forms are not passphrase-protected.</li>
 *   <li>NOTE(review): the {@link Builder} defaults (serial number 1, 24-hour validity, random-UUID
 *       common name) look aimed at short-lived or test certificates. Confirm before relying on
 *       them for anything long-lived.</li>
 * </ul>
 */
public final class HeldCertificate {
    public static final Companion Companion = new Companion(null);
    // Matches one PEM block whose END label repeats the BEGIN label (back-reference \1).
    // Group 1 is the label; group 2 is the body, which may not contain '-'.
    private static final Regex PEM_REGEX = new Regex("-----BEGIN ([!-,.-~ ]*)-----([^-]*)-----END \\1-----");
    private final X509Certificate certificate;
    private final KeyPair keyPair;

    /**
     * Fluent builder that generates (or accepts) a key pair and issues a signed certificate for it.
     *
     * <p>With no {@link #signedBy(HeldCertificate)} issuer the result is self-signed. Not documented
     * as thread-safe; all configuration is held in plain mutable fields.
     */
    /* compiled from: HeldCertificate.kt */
    /* loaded from: classes2.dex */
    public static final class Builder {
        public static final Companion Companion = new Companion(null);
        // 24 hours in milliseconds; used when no explicit end of validity is configured.
        private static final long DEFAULT_DURATION_MILLIS = 86400000;
        // Subject CN; when null a random UUID string is substituted in subject().
        private String commonName;
        // JCA key algorithm name passed to KeyPairGenerator ("EC" or "RSA" via ecdsa256()/rsa2048()).
        private String keyAlgorithm;
        // Caller-supplied subject key pair; when null build() generates one.
        private KeyPair keyPair;
        // Key size passed to KeyPairGenerator.initialize (256 or 2048 via ecdsa256()/rsa2048()).
        private int keySize;
        // Optional subject OU; omitted from the subject when null.
        private String organizationalUnit;
        // Certificate serial number; build() falls back to BigInteger.ONE when null.
        private BigInteger serialNumber;
        // Issuer; null means the certificate is self-signed.
        private HeldCertificate signedBy;
        // Validity bounds in epoch milliseconds; -1 is the "unset" sentinel for both.
        private long notBefore = -1;
        private long notAfter = -1;
        // Subject alternative names, classified as IP address or DNS name in extensions().
        private final List<String> altNames = new ArrayList();
        // -1 means "not a CA": no basicConstraints extension is emitted.
        private int maxIntermediateCas = -1;

        /** Kotlin companion-object holder; carries no members in this listing. */
        /* compiled from: HeldCertificate.kt */
        /* loaded from: classes2.dex */
        public static final class Companion {
            private Companion() {
            }

            public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
                this();
            }
        }

        /** Creates a builder preconfigured for a 256-bit EC key (see {@link #ecdsa256()}). */
        public Builder() {
            ecdsa256();
        }

        /**
         * Builds the certificate's extension list from the CA setting and the alternative names.
         *
         * @return zero, one or two extensions: basicConstraints (only when
         *     {@link #certificateAuthority(int)} was called) and subjectAlternativeName (only when
         *     at least one alternative name was added)
         */
        private final List<Extension> extensions() {
            Pair pair;
            ArrayList arrayList = new ArrayList();
            int i2 = this.maxIntermediateCas;
            if (i2 != -1) {
                // Second Extension argument is presumably the "critical" flag, and the
                // BasicConstraints arguments presumably (ca, pathLenConstraint) — confirm
                // against the der package, which is not part of this listing.
                arrayList.add(new Extension(ObjectIdentifiers.basicConstraints, true, new BasicConstraints(true, Long.valueOf(i2))));
            }
            if (!this.altNames.isEmpty()) {
                List<String> list = this.altNames;
                ArrayList arrayList2 = new ArrayList(CollectionsKt__IterablesKt.collectionSizeOrDefault(list, 10));
                for (String str : list) {
                    if (Util.canParseAsIpAddress(str)) {
                        BasicDerAdapter<ByteString> generalNameIpAddress$okhttp_tls = CertificateAdapters.INSTANCE.getGeneralNameIpAddress$okhttp_tls();
                        ByteString.Companion companion = ByteString.Companion;
                        // getByName is reached only for strings canParseAsIpAddress accepted.
                        // NOTE(review): this avoids a DNS lookup only if that helper accepts
                        // nothing but IP literals — confirm in okhttp3.internal.Util.
                        byte[] address = InetAddress.getByName(str).getAddress();
                        Intrinsics.checkNotNullExpressionValue(address, "getByName(it).address");
                        pair = TuplesKt.to(generalNameIpAddress$okhttp_tls, ByteString.Companion.of$default(companion, address, 0, 0, 3, null));
                    } else {
                        // Anything that is not an IP address is emitted as a DNS name, unvalidated here.
                        pair = TuplesKt.to(CertificateAdapters.INSTANCE.getGeneralNameDnsName$okhttp_tls(), str);
                    }
                    arrayList2.add(pair);
                }
                arrayList.add(new Extension(ObjectIdentifiers.subjectAlternativeName, true, arrayList2));
            }
            return arrayList;
        }

        /**
         * Generates a fresh key pair for the configured algorithm and key size.
         *
         * @return a new key pair drawn from a newly constructed {@link SecureRandom}
         */
        private final KeyPair generateKeyPair() {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(this.keyAlgorithm);
            keyPairGenerator.initialize(this.keySize, new SecureRandom());
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            Intrinsics.checkNotNullExpressionValue(generateKeyPair, "getInstance(keyAlgorithm…generateKeyPair()\n      }");
            return generateKeyPair;
        }

        /**
         * Chooses the signature algorithm from the type of the signing private key.
         *
         * <p>An RSA private key selects sha256WithRSAEncryption; every other key type falls
         * through to sha256withEcdsa. There is no explicit check that a non-RSA key is an EC key.
         *
         * @param keyPair the issuer's key pair (the signer)
         * @return the algorithm identifier written into the certificate
         */
        private final AlgorithmIdentifier signatureAlgorithm(KeyPair keyPair) {
            return keyPair.getPrivate() instanceof RSAPrivateKey ? new AlgorithmIdentifier(ObjectIdentifiers.sha256WithRSAEncryption, null) : new AlgorithmIdentifier(ObjectIdentifiers.sha256withEcdsa, ByteString.EMPTY);
        }

        /**
         * Builds the subject name: the organizational unit when set, followed by the common name.
         *
         * @return the subject as a list of single-attribute RDNs
         */
        private final List<List<AttributeTypeAndValue>> subject() {
            ArrayList arrayList = new ArrayList();
            String str = this.organizationalUnit;
            if (str != null) {
                arrayList.add(CollectionsKt__CollectionsJVMKt.listOf(new AttributeTypeAndValue(ObjectIdentifiers.organizationalUnitName, str)));
            }
            String str2 = this.commonName;
            if (str2 == null) {
                // No CN configured: use a random UUID so the subject is still populated.
                str2 = UUID.randomUUID().toString();
                Intrinsics.checkNotNullExpressionValue(str2, "randomUUID().toString()");
            }
            arrayList.add(CollectionsKt__CollectionsJVMKt.listOf(new AttributeTypeAndValue(ObjectIdentifiers.commonName, str2)));
            return arrayList;
        }

        /**
         * Resolves the validity window, filling in defaults for unset (-1) bounds.
         *
         * @return validity starting at the configured start (or the current time) and ending at
         *     the configured end (or 24 hours after the start)
         */
        private final Validity validity() {
            long j2 = this.notBefore;
            if (j2 == -1) {
                j2 = System.currentTimeMillis();
            }
            long j3 = this.notAfter;
            if (j3 == -1) {
                j3 = j2 + DEFAULT_DURATION_MILLIS;
            }
            return new Validity(j2, j3);
        }

        /**
         * Adds a subject alternative name. The value is not validated here; at build time it is
         * encoded as an IP address if it parses as one, otherwise as a DNS name.
         *
         * @param altName host name or IP address; must not be null
         * @return this builder
         */
        public final Builder addSubjectAlternativeName(String altName) {
            Intrinsics.checkNotNullParameter(altName, "altName");
            this.altNames.add(altName);
            return this;
        }

        /**
         * Assembles the to-be-signed certificate, signs it and returns it with the subject key pair.
         *
         * <p>Points a reviewer should be aware of, all visible in this method:
         * <ul>
         *   <li>When no serial number was configured, the serial is {@code BigInteger.ONE}, so
         *       certificates from the same issuer are not distinguishable by serial number.</li>
         *   <li>When {@code signedBy} is set, the issuer name and signing key are taken from it
         *       without checking here that its certificate is marked as a CA.</li>
         *   <li>When {@code signedBy} is null, the subject key signs its own certificate.</li>
         * </ul>
         *
         * @return the new certificate together with the subject's key pair (including private key)
         */
        public final HeldCertificate build() {
            KeyPair keyPair;
            List<List<AttributeTypeAndValue>> list;
            // keyPair2 is the subject key pair: caller-supplied, or freshly generated.
            KeyPair keyPair2 = this.keyPair;
            if (keyPair2 == null) {
                keyPair2 = generateKeyPair();
            }
            CertificateAdapters certificateAdapters = CertificateAdapters.INSTANCE;
            BasicDerAdapter<SubjectPublicKeyInfo> subjectPublicKeyInfo$okhttp_tls = certificateAdapters.getSubjectPublicKeyInfo$okhttp_tls();
            ByteString.Companion companion = ByteString.Companion;
            // Re-parse the public key's own encoding into the DER model used by TbsCertificate.
            byte[] encoded = keyPair2.getPublic().getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded, "subjectKeyPair.public.encoded");
            SubjectPublicKeyInfo fromDer = subjectPublicKeyInfo$okhttp_tls.fromDer(ByteString.Companion.of$default(companion, encoded, 0, 0, 3, null));
            List<List<AttributeTypeAndValue>> subject = subject();
            HeldCertificate heldCertificate = this.signedBy;
            if (heldCertificate != null) {
                // Issued by another certificate: sign with its key, copy its subject as our issuer.
                Intrinsics.checkNotNull(heldCertificate);
                keyPair = heldCertificate.keyPair();
                BasicDerAdapter<List<List<AttributeTypeAndValue>>> rdnSequence$okhttp_tls = certificateAdapters.getRdnSequence$okhttp_tls();
                HeldCertificate heldCertificate2 = this.signedBy;
                Intrinsics.checkNotNull(heldCertificate2);
                byte[] encoded2 = heldCertificate2.certificate().getSubjectX500Principal().getEncoded();
                Intrinsics.checkNotNullExpressionValue(encoded2, "signedBy!!.certificate.s…jectX500Principal.encoded");
                list = rdnSequence$okhttp_tls.fromDer(ByteString.Companion.of$default(companion, encoded2, 0, 0, 3, null));
            } else {
                // Self-signed: issuer key and issuer name are the subject's own.
                keyPair = keyPair2;
                list = subject;
            }
            AlgorithmIdentifier signatureAlgorithm = signatureAlgorithm(keyPair);
            BigInteger bigInteger = this.serialNumber;
            if (bigInteger == null) {
                // Fixed default serial; callers needing unique serials must set one explicitly.
                bigInteger = BigInteger.ONE;
            }
            BigInteger bigInteger2 = bigInteger;
            Intrinsics.checkNotNullExpressionValue(bigInteger2, "serialNumber ?: BigInteger.ONE");
            // 2L is presumably the X.509 version field (v3 is encoded as 2) — confirm against TbsCertificate.
            TbsCertificate tbsCertificate = new TbsCertificate(2L, bigInteger2, signatureAlgorithm, list, validity(), subject, fromDer, null, null, extensions());
            Signature signature = Signature.getInstance(tbsCertificate.getSignatureAlgorithmName());
            // Sign the DER encoding of the TBS structure with the issuer's private key.
            signature.initSign(keyPair.getPrivate());
            signature.update(certificateAdapters.getTbsCertificate$okhttp_tls().toDer(tbsCertificate).toByteArray());
            byte[] sign = signature.sign();
            Intrinsics.checkNotNullExpressionValue(sign, "sign()");
            return new HeldCertificate(keyPair2, new Certificate(tbsCertificate, signatureAlgorithm, new BitString(ByteString.Companion.of$default(companion, sign, 0, 0, 3, null), 0)).toX509Certificate());
        }

        /**
         * Marks the certificate as a certificate authority by enabling the basicConstraints
         * extension with the given limit.
         *
         * @param i2 value stored as {@code maxIntermediateCas}; must be zero or greater
         * @return this builder
         * @throws IllegalArgumentException if {@code i2} is negative
         */
        public final Builder certificateAuthority(int i2) {
            if (!(i2 >= 0)) {
                throw new IllegalArgumentException(Intrinsics.stringPlus("maxIntermediateCas < 0: ", Integer.valueOf(i2)).toString());
            }
            this.maxIntermediateCas = i2;
            return this;
        }

        /**
         * Sets the subject common name.
         *
         * @param cn common name; must not be null
         * @return this builder
         */
        public final Builder commonName(String cn) {
            Intrinsics.checkNotNullParameter(cn, "cn");
            this.commonName = cn;
            return this;
        }

        /**
         * Sets the validity window to start now and last for the given duration.
         *
         * <p>The end is computed as {@code now + unit.toMillis(j2)} without an overflow check; a
         * negative duration yields an end before the start, which {@link #validityInterval}
         * rejects.
         *
         * @param j2 duration length
         * @param unit unit of {@code j2}; must not be null
         * @return this builder
         * @throws IllegalArgumentException if the resulting interval is rejected by
         *     {@link #validityInterval}
         */
        public final Builder duration(long j2, TimeUnit unit) {
            Intrinsics.checkNotNullParameter(unit, "unit");
            long currentTimeMillis = System.currentTimeMillis();
            validityInterval(currentTimeMillis, unit.toMillis(j2) + currentTimeMillis);
            return this;
        }

        /**
         * Configures key generation for the "EC" algorithm with key size 256 (the constructor default).
         *
         * @return this builder
         */
        public final Builder ecdsa256() {
            this.keyAlgorithm = "EC";
            this.keySize = 256;
            return this;
        }

        /**
         * Uses the supplied key pair as the subject key instead of generating one.
         *
         * @param keyPair subject key pair; must not be null
         * @return this builder
         */
        public final Builder keyPair(KeyPair keyPair) {
            Intrinsics.checkNotNullParameter(keyPair, "keyPair");
            this.keyPair = keyPair;
            return this;
        }

        /**
         * Uses the supplied keys as the subject key pair. Nothing here verifies that the private
         * key corresponds to the public key.
         *
         * @param publicKey subject public key; must not be null
         * @param privateKey subject private key; must not be null
         * @return this builder
         */
        public final Builder keyPair(PublicKey publicKey, PrivateKey privateKey) {
            Intrinsics.checkNotNullParameter(publicKey, "publicKey");
            Intrinsics.checkNotNullParameter(privateKey, "privateKey");
            keyPair(new KeyPair(publicKey, privateKey));
            return this;
        }

        /**
         * Sets the subject organizational unit.
         *
         * @param ou organizational unit; must not be null
         * @return this builder
         */
        public final Builder organizationalUnit(String ou) {
            Intrinsics.checkNotNullParameter(ou, "ou");
            this.organizationalUnit = ou;
            return this;
        }

        /**
         * Configures key generation for the "RSA" algorithm with key size 2048.
         *
         * @return this builder
         */
        public final Builder rsa2048() {
            this.keyAlgorithm = "RSA";
            this.keySize = 2048;
            return this;
        }

        /**
         * Sets the certificate serial number from a {@code long}.
         *
         * @param j2 serial number
         * @return this builder
         */
        public final Builder serialNumber(long j2) {
            BigInteger valueOf = BigInteger.valueOf(j2);
            Intrinsics.checkNotNullExpressionValue(valueOf, "valueOf(serialNumber)");
            serialNumber(valueOf);
            return this;
        }

        /**
         * Sets the certificate serial number. When never called, {@link #build()} uses 1.
         *
         * @param serialNumber serial number; must not be null
         * @return this builder
         */
        public final Builder serialNumber(BigInteger serialNumber) {
            Intrinsics.checkNotNullParameter(serialNumber, "serialNumber");
            this.serialNumber = serialNumber;
            return this;
        }

        /**
         * Sets the issuer whose private key signs the new certificate.
         *
         * @param heldCertificate the issuer, or null for a self-signed certificate (this is the
         *     only setter here without a null check)
         * @return this builder
         */
        public final Builder signedBy(HeldCertificate heldCertificate) {
            this.signedBy = heldCertificate;
            return this;
        }

        /**
         * Sets the validity window explicitly, in epoch milliseconds.
         *
         * @param j2 start of validity, or -1 to leave unset
         * @param j3 end of validity, or -1 to leave unset
         * @return this builder
         * @throws IllegalArgumentException if the start is after the end, or if exactly one of
         *     the two values is -1
         */
        public final Builder validityInterval(long j2, long j3) {
            boolean z2 = false;
            if (j2 <= j3) {
                // Both bounds must be set, or both must be the -1 "unset" sentinel.
                if ((j2 == -1) == (j3 == -1)) {
                    z2 = true;
                }
            }
            if (z2) {
                this.notBefore = j2;
                this.notAfter = j3;
                return this;
            }
            throw new IllegalArgumentException(("invalid interval: " + j2 + ".." + j3).toString());
        }
    }

    /** Kotlin companion object; holds the PEM decoding entry points. */
    /* compiled from: HeldCertificate.kt */
    /* loaded from: classes2.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /**
         * Builds a held certificate from an already-separated certificate PEM block and the
         * base64 body of a PKCS#8 private key.
         *
         * <p>The key algorithm ("EC" or "RSA") is inferred from the certificate's public key.
         * No check is visible here that the decoded private key actually corresponds to that
         * public key; callers that need the guarantee must verify it themselves.
         *
         * @param str the full certificate PEM block
         * @param str2 the base64 text between the private key's BEGIN and END lines
         * @return the certificate paired with the decoded private key
         * @throws IllegalArgumentException if the base64 or the key cannot be decoded, or the
         *     certificate's public key is neither EC nor RSA
         */
        private final HeldCertificate decode(String str, String str2) {
            String str3;
            X509Certificate decodeCertificatePem = Certificates.decodeCertificatePem(str);
            ByteString decodeBase64 = ByteString.Companion.decodeBase64(str2);
            if (decodeBase64 == null) {
                throw new IllegalArgumentException("failed to decode private key");
            }
            PublicKey publicKey = decodeCertificatePem.getPublicKey();
            if (publicKey instanceof ECPublicKey) {
                str3 = "EC";
            } else {
                if (!(publicKey instanceof RSAPublicKey)) {
                    throw new IllegalArgumentException(Intrinsics.stringPlus("unexpected key type: ", decodeCertificatePem.getPublicKey()));
                }
                str3 = "RSA";
            }
            return new HeldCertificate(new KeyPair(decodeCertificatePem.getPublicKey(), decodePkcs8(decodeBase64, str3)), decodeCertificatePem);
        }

        /**
         * Decodes a PKCS#8-encoded private key for the given algorithm.
         *
         * @param byteString the DER bytes of the PKCS#8 structure
         * @param str JCA key factory algorithm name
         * @return the decoded private key
         * @throws IllegalArgumentException wrapping any {@link GeneralSecurityException}
         */
        private final PrivateKey decodePkcs8(ByteString byteString, String str) {
            try {
                PrivateKey generatePrivate = KeyFactory.getInstance(str).generatePrivate(new PKCS8EncodedKeySpec(byteString.toByteArray()));
                Intrinsics.checkNotNullExpressionValue(generatePrivate, "keyFactory.generatePriva…Spec(data.toByteArray()))");
                return generatePrivate;
            } catch (GeneralSecurityException e2) {
                throw new IllegalArgumentException("failed to decode private key", e2);
            }
        }

        /**
         * Decodes a string holding exactly one {@code CERTIFICATE} PEM block and exactly one
         * {@code PRIVATE KEY} (PKCS#8) PEM block, in either order.
         *
         * <p>Only text matched by the PEM pattern is examined; anything between or around the
         * blocks is skipped. A block with any other label, including {@code RSA PRIVATE KEY},
         * is rejected rather than ignored.
         *
         * @param certificateAndPrivateKeyPem the combined PEM text; must not be null
         * @return the decoded certificate and key pair
         * @throws IllegalArgumentException if a block has an unexpected label, a label appears
         *     twice, either block is missing, or decoding fails
         */
        public final HeldCertificate decode(String certificateAndPrivateKeyPem) {
            Intrinsics.checkNotNullParameter(certificateAndPrivateKeyPem, "certificateAndPrivateKeyPem");
            // str: the whole certificate PEM block; str2: the private key's base64 body.
            String str = null;
            Iterator it = Regex.findAll$default(HeldCertificate.PEM_REGEX, certificateAndPrivateKeyPem, 0, 2, null).iterator();
            String str2 = null;
            while (true) {
                if (!it.hasNext()) {
                    // All blocks consumed: both parts must have been seen before decoding.
                    if (!(str != null)) {
                        throw new IllegalArgumentException("string does not include a certificate".toString());
                    }
                    if (str2 != null) {
                        return decode(str, str2);
                    }
                    throw new IllegalArgumentException("string does not include a private key".toString());
                }
                MatchResult matchResult = (MatchResult) it.next();
                MatchGroup matchGroup = matchResult.getGroups().get(1);
                Intrinsics.checkNotNull(matchGroup);
                String value = matchGroup.getValue();
                if (Intrinsics.areEqual(value, "CERTIFICATE")) {
                    if (!(str == null)) {
                        throw new IllegalArgumentException("string includes multiple certificates".toString());
                    }
                    // Group 0: keep the BEGIN/END lines, since the certificate decoder takes PEM.
                    MatchGroup matchGroup2 = matchResult.getGroups().get(0);
                    Intrinsics.checkNotNull(matchGroup2);
                    str = matchGroup2.getValue();
                } else {
                    if (!Intrinsics.areEqual(value, "PRIVATE KEY")) {
                        throw new IllegalArgumentException(Intrinsics.stringPlus("unexpected type: ", value));
                    }
                    if (!(str2 == null)) {
                        throw new IllegalArgumentException("string includes multiple private keys".toString());
                    }
                    // Group 2: only the base64 body, which is decoded directly.
                    MatchGroup matchGroup3 = matchResult.getGroups().get(2);
                    Intrinsics.checkNotNull(matchGroup3);
                    str2 = matchGroup3.getValue();
                }
            }
        }
    }

    /**
     * Pairs a key pair with a certificate. No check is made that the certificate's public key
     * matches the key pair.
     *
     * @param keyPair the subject's key pair; must not be null
     * @param certificate the certificate; must not be null
     */
    public HeldCertificate(KeyPair keyPair, X509Certificate certificate) {
        Intrinsics.checkNotNullParameter(keyPair, "keyPair");
        Intrinsics.checkNotNullParameter(certificate, "certificate");
        this.keyPair = keyPair;
        this.certificate = certificate;
    }

    /**
     * Static entry point that delegates to {@link Companion#decode(String)}.
     *
     * @param str combined certificate and private key PEM text
     * @return the decoded certificate and key pair
     */
    public static final HeldCertificate decode(String str) {
        return Companion.decode(str);
    }

    /**
     * Extracts the inner private-key bytes from the key's own encoding by parsing it as a
     * PrivateKeyInfo structure.
     *
     * <p>NOTE(review): assumes {@code getEncoded()} returns PKCS#8 for this key — confirm for
     * the provider in use.
     *
     * @return the {@code privateKey} field of the parsed structure
     */
    private final ByteString pkcs1Bytes() {
        BasicDerAdapter<PrivateKeyInfo> privateKeyInfo$okhttp_tls = CertificateAdapters.INSTANCE.getPrivateKeyInfo$okhttp_tls();
        ByteString.Companion companion = ByteString.Companion;
        byte[] encoded = this.keyPair.getPrivate().getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "keyPair.private.encoded");
        return privateKeyInfo$okhttp_tls.fromDer(ByteString.Companion.of$default(companion, encoded, 0, 0, 3, null)).getPrivateKey();
    }

    /** Accessor the decompiler renamed (see the comment below); returns the same value as {@link #certificate()}. */
    /* renamed from: -deprecated_certificate, reason: not valid java name */
    public final X509Certificate m413deprecated_certificate() {
        return this.certificate;
    }

    /** Accessor the decompiler renamed (see the comment below); returns the same value as {@link #keyPair()}. */
    /* renamed from: -deprecated_keyPair, reason: not valid java name */
    public final KeyPair m414deprecated_keyPair() {
        return this.keyPair;
    }

    /** Returns the held certificate. */
    public final X509Certificate certificate() {
        return this.certificate;
    }

    /** Returns the certificate in PEM form, as produced by {@code Certificates.certificatePem}. */
    public final String certificatePem() {
        return Certificates.certificatePem(this.certificate);
    }

    /** Returns the held key pair, including the private key object itself. */
    public final KeyPair keyPair() {
        return this.keyPair;
    }

    /**
     * Returns the RSA private key as an unencrypted {@code RSA PRIVATE KEY} PEM block.
     *
     * <p>The result is the plaintext private key; treat the returned string as a secret and
     * keep it out of logs and world-readable files.
     *
     * @return the PEM text, ending with a newline
     * @throws IllegalStateException if the private key is not an RSA key
     */
    public final String privateKeyPkcs1Pem() {
        if (!(this.keyPair.getPrivate() instanceof RSAPrivateKey)) {
            throw new IllegalStateException("PKCS1 only supports RSA keys".toString());
        }
        StringBuilder sb = new StringBuilder();
        sb.append("-----BEGIN RSA PRIVATE KEY-----\n");
        Certificates.encodeBase64Lines(sb, pkcs1Bytes());
        sb.append("-----END RSA PRIVATE KEY-----\n");
        String sb2 = sb.toString();
        Intrinsics.checkNotNullExpressionValue(sb2, "StringBuilder().apply(builderAction).toString()");
        return sb2;
    }

    /**
     * Returns the private key's own encoding as an unencrypted {@code PRIVATE KEY} PEM block.
     *
     * <p>The result is the plaintext private key; treat the returned string as a secret and
     * keep it out of logs and world-readable files.
     *
     * @return the PEM text, ending with a newline
     */
    public final String privateKeyPkcs8Pem() {
        StringBuilder sb = new StringBuilder();
        sb.append("-----BEGIN PRIVATE KEY-----\n");
        ByteString.Companion companion = ByteString.Companion;
        byte[] encoded = keyPair().getPrivate().getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "keyPair.private.encoded");
        Certificates.encodeBase64Lines(sb, ByteString.Companion.of$default(companion, encoded, 0, 0, 3, null));
        sb.append("-----END PRIVATE KEY-----\n");
        String sb2 = sb.toString();
        Intrinsics.checkNotNullExpressionValue(sb2, "StringBuilder().apply(builderAction).toString()");
        return sb2;
    }
}
