package be.atbash.ee.security.octopus.keys.writer.encoder;

import be.atbash.ee.security.octopus.config.JwtSupportConfiguration;
import be.atbash.ee.security.octopus.keys.AtbashKey;
import be.atbash.ee.security.octopus.keys.generator.ECGenerationParameters;
import be.atbash.ee.security.octopus.keys.generator.KeyGenerator;
import be.atbash.ee.security.octopus.keys.generator.RSAGenerationParameters;
import be.atbash.ee.security.octopus.keys.selector.AsymmetricPart;
import be.atbash.ee.security.octopus.keys.selector.filter.AsymmetricPartKeyFilter;
import be.atbash.ee.security.octopus.keys.writer.KeyEncoderParameters;
import be.atbash.ee.security.octopus.nimbus.jwk.JWKIdentifiers;
import be.atbash.ee.security.octopus.nimbus.jwk.KeyType;
import be.atbash.ee.security.octopus.nimbus.util.KeyUtils;
import be.atbash.util.exception.AtbashUnexpectedException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import javax.crypto.SecretKey;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:be/atbash/ee/security/octopus/keys/writer/encoder/KeyStoreEncoder.class */
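/**
 * {@link KeyEncoder} that places one {@link AtbashKey} into the {@link KeyStore} carried by
 * {@link KeyEncoderParameters} and returns the serialized store.
 * <p>
 * A key store cannot hold a bare asymmetric key, so every RSA/EC key is wrapped in a minimal
 * self-issued X.509 v3 certificate (subject == issuer == the configured name, valid one year from
 * now, no extensions). How the key is stored depends on its asymmetric part:
 * <ul>
 * <li>PRIVATE: a {@link KeyStore.PrivateKeyEntry} protected with the key password; the certificate
 * is signed with the private key itself, so it verifies against its own public key;</li>
 * <li>PUBLIC: a {@link KeyStore.TrustedCertificateEntry}; no private key is available, so the
 * certificate is signed with a freshly generated throw-away key that is discarded afterwards. Its
 * signature is therefore not verifiable by anyone: the certificate is a container for the public
 * key, not a trust statement, and consumers must not treat it as an issued credential;</li>
 * <li>SYMMETRIC: stored directly as a secret-key entry under the key password (the store type must
 * support secret keys, e.g. PKCS12; a JKS store will reject this with a KeyStoreException).</li>
 * </ul>
 * Every generated certificate gets a fresh random serial number so that certificates issued under the
 * same configured name never collide on issuer + serial, which RFC 5280 requires to be unique.
 */
public class KeyStoreEncoder implements KeyEncoder {

    /**
     * Size of the random certificate serial. RFC 5280 limits a serial to 20 octets and a positive
     * value; 128 bits stays well inside that while comfortably exceeding the 64 bits of CSPRNG
     * output that is the usual minimum for unpredictable serials.
     */
    private static final int SERIAL_NUMBER_BITS = 128;
    private static final SecureRandom SERIAL_NUMBER_RANDOM = new SecureRandom();

    /**
     * Shared provider instance. Constructing a BouncyCastleProvider registers every algorithm it
     * offers and is comparatively expensive, so it is done once rather than twice per certificate.
     */
    private static final BouncyCastleProvider BOUNCY_CASTLE = new BouncyCastleProvider();

    /** Key id given to the throw-away key used to sign certificates for public-only keys. */
    private static final String CERTIFICATE_SIGNING_KEY_ID = "cert-signing";
    /** Curve of the throw-away EC signing key. */
    private static final String THROWAWAY_EC_CURVE = "P-256";

    private final JwtSupportConfiguration configuration = JwtSupportConfiguration.getInstance();

    /**
     * Adds {@code atbashKey} to the key store in {@code keyEncoderParameters} and serializes the store.
     *
     * @param atbashKey            the key to persist; its key id becomes the key-store alias
     * @param keyEncoderParameters supplies the target {@link KeyStore}, the entry (key) password and
     *                             the store (file) password
     * @return the serialized key store, in whatever format the store's type produces
     * @throws IOException               when the key store cannot be serialized
     * @throws AtbashUnexpectedException wrapping a {@link KeyStoreException}, a missing algorithm or a
     *                                   certificate problem raised by the JCA layer
     * @throws IllegalStateException     when the key's asymmetric part is none of PRIVATE, PUBLIC or
     *                                   SYMMETRIC, or its key type is neither RSA nor EC
     */
    @Override // be.atbash.ee.security.octopus.keys.writer.encoder.KeyEncoder
    public byte[] encodeKey(AtbashKey atbashKey, KeyEncoderParameters keyEncoderParameters) throws IOException {
        KeyStore keyStore = keyEncoderParameters.getKeyStore();
        String alias = atbashKey.getKeyId();
        AsymmetricPart part = atbashKey.getSecretKeyType().getAsymmetricPart();
        try {
            if (part == AsymmetricPart.PRIVATE) {
                PrivateKey privateKey = (PrivateKey) atbashKey.getKey();
                KeyType keyType = atbashKey.getSecretKeyType().getKeyType();
                // Self-signed: the public half is derived from the key, so the certificate verifies with it.
                X509Certificate certificate = generateCertificate(KeyUtils.getPublicKey(atbashKey), privateKey, keyType);
                KeyStore.PrivateKeyEntry entry = new KeyStore.PrivateKeyEntry(privateKey, new X509Certificate[]{certificate});
                keyStore.setEntry(alias, entry, new KeyStore.PasswordProtection(keyEncoderParameters.getKeyPassword()));
            } else if (part == AsymmetricPart.PUBLIC) {
                KeyType keyType = atbashKey.getSecretKeyType().getKeyType();
                // No private key: generateCertificate signs with a throw-away key (see class doc for the caveat).
                X509Certificate certificate = generateCertificate((PublicKey) atbashKey.getKey(), null, keyType);
                keyStore.setEntry(alias, new KeyStore.TrustedCertificateEntry(certificate), null);
            } else if (part == AsymmetricPart.SYMMETRIC) {
                keyStore.setKeyEntry(alias, (SecretKey) atbashKey.getKey(), keyEncoderParameters.getKeyPassword(), null);
            } else {
                // Storing nothing would silently hand the caller a key store that lacks the key it asked for.
                throw new IllegalStateException("Unexpected asymmetric part: " + part);
            }

            ByteArrayOutputStream out = new ByteArrayOutputStream();
            keyStore.store(out, keyEncoderParameters.getFilePassword());
            return out.toByteArray();
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Builds a minimal self-issued X.509 v3 certificate wrapping {@code publicKey}.
     * <p>
     * Subject and issuer are both the configured certificate name, the validity window starts at the
     * current instant (no allowance for clock skew between writer and reader) and lasts one year, and no
     * extensions are added. The serial number is random, see {@link #randomSerialNumber()}.
     *
     * @param publicKey  the key to certify
     * @param privateKey the key to sign with, or {@code null} to sign with a freshly generated key of the
     *                   same type that is discarded afterwards; in that case the signature cannot be
     *                   verified by anyone and only serves to satisfy the certificate format
     * @param keyType    RSA or EC; selects the configured signature algorithm and the throw-away key type
     * @return the certificate, converted through the BouncyCastle provider
     * @throws AtbashUnexpectedException when the JCA/BouncyCastle layer fails
     * @throws IllegalStateException     when {@code keyType} is neither RSA nor EC
     */
    private X509Certificate generateCertificate(PublicKey publicKey, PrivateKey privateKey, KeyType keyType) {
        try {
            Calendar notBefore = Calendar.getInstance();
            Calendar notAfter = Calendar.getInstance();
            notAfter.add(Calendar.YEAR, 1);

            X500Name name = new X500Name(this.configuration.getNameCertificateKeyStore());
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    name, randomSerialNumber(), notBefore.getTime(), notAfter.getTime(), name,
                    SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));

            PrivateKey signingKey = privateKey != null ? privateKey : createSigningKey(keyType);
            String signatureAlgorithm = getCertificateSignatureAlgorithm(keyType);

            return new JcaX509CertificateConverter()
                    .setProvider(BOUNCY_CASTLE)
                    .getCertificate(builder.build(
                            new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BOUNCY_CASTLE).build(signingKey)));
        } catch (GeneralSecurityException | OperatorCreationException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Returns a positive, non-zero random serial of at most {@link #SERIAL_NUMBER_BITS} bits.
     * <p>
     * A constant serial (every certificate used to get serial 1) makes all certificates produced under
     * the configured name share the same issuer + serial pair. RFC 5280 requires that pair to be unique
     * per issuer, and some clients (NSS/Firefox, for one) refuse a certificate whose issuer and serial
     * they have already seen with a different body.
     */
    private static BigInteger randomSerialNumber() {
        BigInteger serial;
        do {
            serial = new BigInteger(SERIAL_NUMBER_BITS, SERIAL_NUMBER_RANDOM);
        } while (serial.signum() == 0); // zero is not a valid serial; practically never loops
        return serial;
    }

    /**
     * Maps the key type to the configured certificate signature algorithm (separate configuration
     * entries for RSA and EC). The configured value must be a JCA signature name compatible with the
     * key type, e.g. an RSA-based name for RSA keys; that is not validated here.
     *
     * @throws IllegalStateException for any key type other than RSA or EC
     */
    private String getCertificateSignatureAlgorithm(KeyType keyType) {
        String value = keyType.getValue();
        if (value.equals(JWKIdentifiers.RSA_KEY_TYPE)) {
            return this.configuration.getCertificateSignatureAlgorithmRSA();
        }
        if (value.equals(JWKIdentifiers.ELLIPTIC_CURVE_KEY_TYPE)) {
            return this.configuration.getCertificateSignatureAlgorithmEC();
        }
        throw new IllegalStateException("Unexpected value: " + value);
    }

    /**
     * Generates a throw-away private key of the given type, used solely to sign the certificate that
     * wraps a public-only key. The key is never stored or returned to the caller, so the resulting
     * certificate signature carries no trust and cannot be verified later.
     *
     * @throws IllegalStateException for any key type other than RSA or EC
     */
    private PrivateKey createSigningKey(KeyType keyType) {
        String value = keyType.getValue();
        if (value.equals(JWKIdentifiers.RSA_KEY_TYPE)) {
            return createSigningKeyRSA();
        }
        if (value.equals(JWKIdentifiers.ELLIPTIC_CURVE_KEY_TYPE)) {
            return createSigningKeyEC();
        }
        throw new IllegalStateException("Unexpected value: " + value);
    }

    /** Throw-away RSA signing key; the modulus size is whatever the generator's defaults are. */
    private PrivateKey createSigningKeyRSA() {
        return (PrivateKey) new AsymmetricPartKeyFilter(AsymmetricPart.PRIVATE)
                .filter(new KeyGenerator().generateKeys(
                        ((RSAGenerationParameters.RSAGenerationParametersBuilder) new RSAGenerationParameters.RSAGenerationParametersBuilder()
                                .withKeyId(CERTIFICATE_SIGNING_KEY_ID))
                                .build()))
                .get(0)
                .getKey();
    }

    /** Throw-away EC signing key on {@link #THROWAWAY_EC_CURVE}. */
    private PrivateKey createSigningKeyEC() {
        return (PrivateKey) new AsymmetricPartKeyFilter(AsymmetricPart.PRIVATE)
                .filter(new KeyGenerator().generateKeys(
                        ((ECGenerationParameters.ECGenerationParametersBuilder) new ECGenerationParameters.ECGenerationParametersBuilder()
                                .withKeyId(CERTIFICATE_SIGNING_KEY_ID))
                                .withCurveName(THROWAWAY_EC_CURVE)
                                .build()))
                .get(0)
                .getKey();
    }
}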
