package org.dcache.gsi;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
import eu.emi.security.authn.x509.proxy.ProxyCSRGenerator;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.stream.Stream;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;

/* loaded from: input_file:org/dcache/gsi/X509DelegationHelper.class */
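/**
 * Static helpers for the server side of X.509 proxy delegation: allocating a key pair
 * for a new delegation, producing the PEM-encoded certificate signing request, and
 * combining the certificate returned by the peer with the existing chain.
 *
 * <p>None of the methods in this class validate the certificate chain or check
 * revocation; they only assemble objects. Trust decisions must be made elsewhere.
 */
public final class X509DelegationHelper {

    /**
     * Starts a delegation for the given certificate path.
     *
     * <p>The key pair is requested from {@code keyPairCache} with the same modulus bit
     * length as the RSA public key of the first certificate in the path.
     *
     * <p>NOTE(review): the key size is therefore chosen by whoever presented the
     * certificate path. Nothing here sets a lower or upper bound, so an undersized peer
     * key would yield an equally undersized delegation key and an oversized one a costly
     * key generation. Confirm that {@code KeyPairCache} or the caller enforces bounds.
     *
     * @param certPath the peer's certificate path; must contain at least one certificate
     * @param keyPairCache source of key pairs, queried by key size in bits
     * @return a delegation holding the key pair and the certificates of {@code certPath}
     * @throws IllegalArgumentException if the path is empty or the first certificate
     *         does not carry an RSA public key
     * @throws NoSuchAlgorithmException declared for the key pair lookup
     * @throws NoSuchProviderException declared for the key pair lookup
     */
    public static X509Delegation newDelegation(CertPath certPath, KeyPairCache keyPairCache) throws NoSuchAlgorithmException, NoSuchProviderException {
        X509Certificate[] certificates = certPath.getCertificates().toArray(X509Certificate[]::new);
        if (certificates.length == 0) {
            throw new IllegalArgumentException("Certificate path is empty.");
        }

        X509Certificate first = certificates[0];
        // Reject non-RSA keys explicitly instead of failing with a ClassCastException
        // on the cast below; the key size lookup only makes sense for RSA moduli.
        if (!(first.getPublicKey() instanceof RSAPublicKey)) {
            throw new IllegalArgumentException(
                    "Unsupported public key algorithm for delegation: " + first.getPublicKey().getAlgorithm());
        }
        RSAPublicKey rsaKey = (RSAPublicKey) first.getPublicKey();

        int bits = rsaKey.getModulus().bitLength();
        return new X509Delegation(keyPairCache.getKeyPair(bits), certificates);
    }

    /**
     * Builds a PEM-encoded certificate signing request for a limited proxy certificate.
     *
     * @param x509CertificateArr the chain the requested proxy certificate will extend
     * @param keyPair the key pair of the delegation; the public key goes into the
     *        request and the private key is passed to the CSR generator
     * @return the CSR in PEM encoding
     * @throws GeneralSecurityException if the CSR cannot be generated
     * @throws IOException if PEM encoding fails
     */
    public static String createRequest(X509Certificate[] x509CertificateArr, KeyPair keyPair) throws GeneralSecurityException, IOException {
        ProxyCertificateOptions options = new ProxyCertificateOptions(x509CertificateArr);
        options.setPublicKey(keyPair.getPublic());
        // Always request a limited proxy.
        options.setLimited(true);
        Object csr = ProxyCSRGenerator.generate(options, keyPair.getPrivate()).getCSR();
        return pemEncode(csr);
    }

    /**
     * Completes a delegation by pairing the delegation's private key with the chain
     * formed from the supplied certificate and the delegation's existing certificates.
     *
     * <p>NOTE(review): nothing in this method checks that the supplied certificate
     * carries the delegation's public key or that it was issued by the head of the
     * existing chain. Confirm that {@code KeyAndCertCredential} or the caller validates
     * this before the credential is used.
     *
     * @param str the PEM-encoded certificate returned by the peer
     * @param x509Delegation the delegation started by {@link #newDelegation}
     * @return a credential made of the delegation's private key and the new chain
     * @throws GeneralSecurityException if the certificate cannot be parsed or the
     *         credential cannot be created
     */
    public static X509Credential acceptCertificate(String str, X509Delegation x509Delegation) throws GeneralSecurityException {
        X509Certificate[] chain = finalizeChain(str, x509Delegation.getCertificates());
        return new KeyAndCertCredential(x509Delegation.getKeyPair().getPrivate(), chain);
    }

    /**
     * Parses a PEM-encoded certificate and places it in front of an existing chain.
     *
     * <p>The certificate is only parsed; it is not verified against the chain.
     *
     * @param str the PEM-encoded certificate to prepend
     * @param x509CertificateArr the existing chain, kept in its original order
     * @return a new array with the parsed certificate first, followed by the chain
     * @throws GeneralSecurityException if the certificate cannot be read; the underlying
     *         {@link IOException} is attached as the cause
     */
    public static X509Certificate[] finalizeChain(String str, X509Certificate[] x509CertificateArr) throws GeneralSecurityException {
        X509Certificate certificate;
        try {
            certificate = CertificateUtils.loadCertificate(
                    new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)),
                    CertificateUtils.Encoding.PEM);
        } catch (IOException e) {
            // Keep the original exception as the cause so the parse failure stays diagnosable.
            throw new GeneralSecurityException("Supplied certificate is unacceptable: " + e.getMessage(), e);
        }
        return Stream.concat(Stream.of(certificate), Stream.of(x509CertificateArr))
                .toArray(X509Certificate[]::new);
    }

    /**
     * Serializes an object to PEM text using {@code JcaPEMWriter}.
     *
     * @param obj the object to encode
     * @return the PEM representation
     * @throws IOException if the writer fails
     */
    private static String pemEncode(Object obj) throws IOException {
        StringWriter out = new StringWriter();
        // The writer must be closed before the buffer is read.
        try (JcaPEMWriter writer = new JcaPEMWriter(out)) {
            writer.writeObject(obj);
        }
        return out.toString();
    }

    /** Not instantiable: this class only holds static helpers. */
    private X509DelegationHelper() {
    }
}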
