package io.jenkins.cli.shaded.org.apache.sshd.certificate;

import io.jenkins.cli.shaded.org.apache.sshd.common.BaseBuilder;
import io.jenkins.cli.shaded.org.apache.sshd.common.NamedFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.OpenSshCertificate;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
import io.jenkins.cli.shaded.org.apache.sshd.common.keyprovider.KeyPairProvider;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.BuiltinSignatures;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.Signature;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.MapEntryUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:WEB-INF/lib/cli-2.420-rc34110.7dfa_26b_225cc.jar:io/jenkins/cli/shaded/org/apache/sshd/certificate/OpenSshCertificateBuilder.class */
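/**
 * Fluent builder that assembles an OpenSSH user or host certificate and signs it with a CA key pair.
 *
 * <p>Security-relevant defaults, as visible in this class:
 * <ul>
 *   <li>{@code validAfter} defaults to {@code 0} and {@code validBefore} to {@code -1}. OpenSSH reads both
 *       as unsigned 64-bit seconds, so an untouched builder issues a certificate with no expiry. Callers
 *       issuing real credentials should always set a bounded validity window.</li>
 *   <li>Principals are optional. When none are set the certificate carries no principal list, which the
 *       OpenSSH certificate format defines as "valid for any principal of this type" (relying parties may
 *       or may not accept that; verify against the target server's configuration).</li>
 *   <li>{@code serial} defaults to {@code 0}; revocation by serial is only meaningful if the CA assigns
 *       distinct serials.</li>
 * </ul>
 *
 * <p>The builder is mutable and performs no synchronization.
 */
public class OpenSshCertificateBuilder {
    /**
     * Maps a plain public-key type name to the certificate key type that wraps it.
     * A key type missing from this map cannot be certified by {@link #sign(KeyPair, String)}.
     */
    // NOTE(review): the map is exposed to subclasses; whether build() returns a mutable map is not
    // visible here. Treat it as read-only.
    protected static final Map<String, String> SIGNATURE_ALGORITHM_MAP = MapEntryUtils.MapBuilder.<String, String>builder()
            .put("ssh-rsa", "ssh-rsa-cert-v01@openssh.com")
            .put("ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com")
            .put(KeyPairProvider.ECDSA_SHA2_NISTP256, "ecdsa-sha2-nistp256-cert-v01@openssh.com")
            .put(KeyPairProvider.ECDSA_SHA2_NISTP384, "ecdsa-sha2-nistp384-cert-v01@openssh.com")
            .put(KeyPairProvider.ECDSA_SHA2_NISTP521, "ecdsa-sha2-nistp521-cert-v01@openssh.com")
            .build();

    protected final OpenSshCertificate.Type type;
    protected PublicKey publicKey;
    protected long serial;
    protected String id;
    protected Collection<String> principals;
    protected List<OpenSshCertificate.CertificateOption> criticalOptions;
    protected List<OpenSshCertificate.CertificateOption> extensions;
    // Start of validity in seconds since the epoch; 0 means "valid from the epoch".
    protected long validAfter = 0;
    // End of validity in seconds since the epoch; -1 is all bits set, i.e. no expiry when read unsigned.
    protected long validBefore = -1;
    // Optional caller-supplied nonce; when null a fresh random one is generated per signature.
    protected byte[] nonce;

    /**
     * Creates a builder for the given certificate type.
     *
     * @param type whether a user or a host certificate is built; checked for {@code null} in {@link #validate()}
     */
    protected OpenSshCertificateBuilder(OpenSshCertificate.Type type) {
        this.type = type;
    }

    /**
     * @return a new builder for a user certificate
     */
    public static OpenSshCertificateBuilder userCertificate() {
        return new OpenSshCertificateBuilder(OpenSshCertificate.Type.USER);
    }

    /**
     * @return a new builder for a host certificate
     */
    public static OpenSshCertificateBuilder hostCertificate() {
        return new OpenSshCertificateBuilder(OpenSshCertificate.Type.HOST);
    }

    /**
     * Sets the public key being certified (required).
     *
     * @param publicKey the subject's public key; its key type must be present in {@link #SIGNATURE_ALGORITHM_MAP}
     * @return this builder
     */
    public OpenSshCertificateBuilder publicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
        return this;
    }

    /**
     * Sets the certificate serial number.
     *
     * @param j the serial number assigned by the CA
     * @return this builder
     */
    public OpenSshCertificateBuilder serial(long j) {
        this.serial = j;
        return this;
    }

    /**
     * Sets the certificate key id (required).
     *
     * @param str free-form identifier of the certificate
     * @return this builder
     */
    public OpenSshCertificateBuilder id(String str) {
        this.id = str;
        return this;
    }

    /**
     * Sets the principals the certificate is valid for.
     *
     * <p>A {@code null} or empty collection leaves the certificate without a principal list; see the class
     * comment for why that is rarely what an issuer wants. The collection is copied when signing, not here.
     *
     * @param collection user names (user certificate) or host names (host certificate)
     * @return this builder
     */
    public OpenSshCertificateBuilder principals(Collection<String> collection) {
        this.principals = collection;
        return this;
    }

    /**
     * Sets the critical options, stored sorted by option name.
     *
     * @param list the options; may be {@code null} or empty
     * @return this builder
     * @throws IllegalArgumentException if two options share a name
     */
    public OpenSshCertificateBuilder criticalOptions(List<OpenSshCertificate.CertificateOption> list) {
        validateOptions(list);
        this.criticalOptions = lexicallyOrderOptions(list);
        return this;
    }

    /**
     * Sets the extensions, stored sorted by option name.
     *
     * @param list the extensions; may be {@code null} or empty
     * @return this builder
     * @throws IllegalArgumentException if two extensions share a name
     */
    public OpenSshCertificateBuilder extensions(List<OpenSshCertificate.CertificateOption> list) {
        validateOptions(list);
        this.extensions = lexicallyOrderOptions(list);
        return this;
    }

    /**
     * Sets the start of the validity window as raw seconds since the epoch.
     * The value is stored as given; no range check is applied.
     *
     * @param j seconds since the epoch
     * @return this builder
     */
    public OpenSshCertificateBuilder validAfter(long j) {
        this.validAfter = j;
        return this;
    }

    /**
     * Sets an explicit nonce for the certificate.
     *
     * <p>The nonce exists to make the signed data unpredictable to whoever requests the certificate, so the
     * usual choice is to leave it unset and let {@link #sign(KeyPair, String)} draw 32 random bytes per
     * certificate. A fixed nonce is reused for every certificate signed from this builder.
     *
     * @param bArr the nonce, 16 or 32 bytes (checked at signing time), or {@code null} for a random one
     * @return this builder
     */
    public OpenSshCertificateBuilder nonce(byte[] bArr) {
        // Defensive copy: later changes to the caller's array must not alter what gets signed.
        this.nonce = bArr == null ? null : bArr.clone();
        return this;
    }

    /**
     * Sets the start of the validity window.
     *
     * @param instant the first instant at which the certificate is valid; {@code null} resets to {@code 0}
     * @return this builder
     * @throws IllegalArgumentException if {@code instant} is before the epoch
     */
    public OpenSshCertificateBuilder validAfter(Instant instant) {
        if (instant == null) {
            return validAfter(0L);
        }
        if (instant.isBefore(Instant.EPOCH)) {
            throw new IllegalArgumentException("Valid-after cannot be < epoch");
        }
        return validAfter(instant.getEpochSecond());
    }

    /**
     * Sets the end of the validity window as raw seconds since the epoch.
     * The value is stored as given; {@code -1} means no expiry.
     *
     * @param j seconds since the epoch
     * @return this builder
     */
    public OpenSshCertificateBuilder validBefore(long j) {
        this.validBefore = j;
        return this;
    }

    /**
     * Sets the end of the validity window.
     *
     * @param instant the expiry instant; {@code null} resets to {@code -1} (no expiry)
     * @return this builder
     * @throws IllegalArgumentException if {@code instant} is before the epoch
     */
    public OpenSshCertificateBuilder validBefore(Instant instant) {
        if (instant == null) {
            return validBefore(-1L);
        }
        if (instant.isBefore(Instant.EPOCH)) {
            throw new IllegalArgumentException("Valid-before cannot be < epoch");
        }
        return validBefore(instant.getEpochSecond());
    }

    /**
     * Checks the fields that must be present before signing.
     *
     * <p>Only the nonce length and the presence of type, id and public key are checked. The validity
     * window is not: a builder whose {@code validAfter} lies after {@code validBefore} still signs, and the
     * result is a certificate that is never valid. Principals are not required either.
     *
     * @throws IllegalStateException if a required field is missing or the nonce has an unsupported length
     */
    protected void validate() {
        if (this.nonce != null && this.nonce.length != 16 && this.nonce.length != 32) {
            throw new IllegalStateException("'nonce' must be 16 or 32 bytes");
        }
        if (this.type == null) {
            throw new IllegalStateException("'type' is required");
        }
        if (this.id == null) {
            throw new IllegalStateException("'id' is required");
        }
        if (this.publicKey == null) {
            throw new IllegalStateException("'publicKey' is required");
        }
    }

    /**
     * Signs the certificate with the default signature algorithm for the CA key.
     *
     * @param keyPair the CA key pair
     * @return the signed certificate
     * @throws Exception if validation or signing fails
     * @see #sign(KeyPair, String)
     */
    public OpenSshCertificate sign(KeyPair keyPair) throws Exception {
        return sign(keyPair, null);
    }

    /**
     * Builds the certificate from the current builder state and signs it with the CA key.
     *
     * @param keyPair the CA key pair; the public half is embedded in the certificate, the private half signs
     * @param str     the signature algorithm to use, or {@code null} to resolve one from the CA key type;
     *                when given it must be one of the key types equivalent to the CA key's type
     * @return the signed certificate
     * @throws IllegalStateException         if {@link #validate()} rejects the builder state
     * @throws UnsupportedOperationException if the subject key type has no certificate key type
     * @throws Exception                     if the signature cannot be created
     */
    public OpenSshCertificate sign(KeyPair keyPair, String str) throws Exception {
        validate();
        String subjectKeyType = KeyUtils.getKeyType(this.publicKey);
        String certKeyType = SIGNATURE_ALGORITHM_MAP.get(subjectKeyType);
        if (certKeyType == null) {
            throw new UnsupportedOperationException("unsupported public key type '" + subjectKeyType + "' for OpenSSH Certificate");
        }

        OpenSshCertificateImpl cert = new OpenSshCertificateImpl();
        cert.setKeyType(certKeyType);
        cert.setType(this.type);
        cert.setCertPubKey(this.publicKey);
        cert.setSerial(this.serial);
        cert.setId(this.id);
        // Each collection is copied so the certificate does not alias builder or caller state.
        if (this.principals != null && !this.principals.isEmpty()) {
            cert.setPrincipals(new ArrayList<>(this.principals));
        }
        if (this.criticalOptions != null && !this.criticalOptions.isEmpty()) {
            cert.setCriticalOptions(new ArrayList<>(this.criticalOptions));
        }
        if (this.extensions != null && !this.extensions.isEmpty()) {
            cert.setExtensions(new ArrayList<>(this.extensions));
        }
        cert.setValidAfter(this.validAfter);
        cert.setValidBefore(this.validBefore);
        cert.setCaPubKey(keyPair.getPublic());

        if (this.nonce != null) {
            // Copy so that certificates signed from the same builder do not share one array.
            cert.setNonce(this.nonce.clone());
        } else {
            byte[] randomNonce = new byte[32];
            new SecureRandom().nextBytes(randomNonce);
            cert.setNonce(randomNonce);
        }

        String signatureAlgorithm = KeyUtils.getKeyType(keyPair.getPublic());
        NamedFactory<? extends Signature> signatureFactory;
        if (str != null) {
            // An explicit algorithm is accepted only if it belongs to the CA key's family of key types.
            ValidateUtils.checkTrue(KeyUtils.getAllEquivalentKeyTypes(signatureAlgorithm).contains(str), "Invalid CA signature algorithm %s for CA key type %s", str, signatureAlgorithm);
            signatureAlgorithm = str;
            signatureFactory = BuiltinSignatures.fromFactoryName(signatureAlgorithm);
        } else {
            // NOTE(review): which algorithm the default preference yields for an RSA CA key is not visible
            // here; confirm it is an rsa-sha2-* variant, or pass the algorithm explicitly.
            signatureFactory = SignatureFactory.resolveSignatureFactory(signatureAlgorithm, BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE);
        }
        Signature signer = signatureFactory == null ? null : signatureFactory.create();
        ValidateUtils.checkNotNull(signer, "No signer could be located for signature algorithm=%s", signatureAlgorithm);

        // The signature covers the encoded certificate as written before the signature field is set.
        ByteArrayBuffer certBuffer = new ByteArrayBuffer();
        certBuffer.putRawPublicKey(cert);
        byte[] signedData = certBuffer.getCompactData();
        signer.initSigner(null, keyPair.getPrivate());
        signer.update(null, signedData);

        ByteArrayBuffer signatureBuffer = new ByteArrayBuffer();
        signatureBuffer.putString(signatureFactory.getName());
        signatureBuffer.putBytes(signer.sign(null));
        cert.setMessage(signedData);
        cert.setSignature(signatureBuffer.getCompactData());
        return cert;
    }

    /**
     * Rejects an option list that names the same option more than once.
     *
     * @param list the options to check; {@code null} and empty lists pass
     * @throws IllegalArgumentException listing every duplicated option name
     */
    private void validateOptions(List<OpenSshCertificate.CertificateOption> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        Set<String> seen = new HashSet<>();
        // Set.add returns false for a name that was already seen, which marks it as a duplicate.
        Set<String> duplicates = list.stream()
                .filter(option -> !seen.add(option.getName()))
                .map(OpenSshCertificate.CertificateOption::getName)
                .collect(Collectors.toSet());
        if (!duplicates.isEmpty()) {
            throw new IllegalArgumentException("Duplicate option: " + duplicates);
        }
    }

    /**
     * Returns a new list with the options sorted by name.
     *
     * @param list the options; may be {@code null} or empty
     * @return the sorted copy, or an empty list for {@code null} or empty input
     */
    private List<OpenSshCertificate.CertificateOption> lexicallyOrderOptions(List<OpenSshCertificate.CertificateOption> list) {
        if (list == null || list.isEmpty()) {
            return Collections.emptyList();
        }
        return list.stream()
                .sorted(Comparator.comparing(OpenSshCertificate.CertificateOption::getName))
                .collect(Collectors.toList());
    }
}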
