package org.apache.sshd.certificate;

import j$.time.Instant;
import j$.util.Collection;
import j$.util.Comparator$CC;
import j$.util.function.Predicate$CC;
import j$.util.stream.Collectors;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.signature.SignatureFactory;
import org.apache.sshd.common.util.MapEntryUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.ByteArrayBuffer;

/* loaded from: classes.dex */
/**
 * Fluent builder that assembles an {@link OpenSshCertificate} and signs it with a CA key pair.
 *
 * <p>The certificate type (HOST or USER) is fixed at construction through
 * {@link #hostCertificate()} or {@link #userCertificate()}. All other fields are set through the
 * fluent setters and are only checked when {@link #sign(KeyPair, String)} runs.
 *
 * <p>Points a certificate issuer should be aware of, all visible in this class:
 * <ul>
 *   <li>The validity window defaults to {@code validAfter = 0} and {@code validBefore = -1} and is
 *       copied into the certificate unchanged. NOTE(review): if the certificate format treats these
 *       as unsigned 64-bit values, the default window never expires; confirm, and set an explicit
 *       {@code validBefore} for issued certificates.</li>
 *   <li>Nothing here checks that {@code validAfter} is earlier than {@code validBefore}.</li>
 *   <li>A null or empty principals collection is accepted; {@code sign} then simply does not set
 *       principals on the certificate. NOTE(review): the OpenSSH certificate format commonly treats
 *       an empty principals list as "valid for any principal"; confirm how verifiers of these
 *       certificates handle it before issuing one without principals.</li>
 *   <li>Option lists are only checked for duplicate names; option names and values are not
 *       otherwise validated in this class.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: {@code OpenSshCertificateBuilder$$ExternalSyntheticLambda0}
 * is referenced but not shown here, and the {@code j$} types come from library desugaring.
 */
public class OpenSshCertificateBuilder {
    // Maps the key type of the subject public key to the certificate key type written into the
    // certificate. sign() rejects any public key whose type has no entry here.
    protected static final Map<String, String> SIGNATURE_ALGORITHM_MAP = MapEntryUtils.MapBuilder.builder().put((MapEntryUtils.MapBuilder) KeyPairProvider.SSH_RSA, KeyPairProvider.SSH_RSA_CERT).put((MapEntryUtils.MapBuilder) KeyPairProvider.SSH_ED25519, KeyPairProvider.SSH_ED25519_CERT).put((MapEntryUtils.MapBuilder) KeyPairProvider.ECDSA_SHA2_NISTP256, KeyPairProvider.SSH_ECDSA_SHA2_NISTP256_CERT).put((MapEntryUtils.MapBuilder) KeyPairProvider.ECDSA_SHA2_NISTP384, KeyPairProvider.SSH_ECDSA_SHA2_NISTP384_CERT).put((MapEntryUtils.MapBuilder) KeyPairProvider.ECDSA_SHA2_NISTP521, KeyPairProvider.SSH_ECDSA_SHA2_NISTP521_CERT).build();
    // Critical options, stored already sorted by criticalOptions(List).
    protected List<OpenSshCertificate.CertificateOption> criticalOptions;
    // Extensions, stored already sorted by extensions(List).
    protected List<OpenSshCertificate.CertificateOption> extensions;
    // Certificate id; required by validate().
    protected String id;
    // Optional caller-supplied nonce; when null, sign() generates 32 bytes itself.
    protected byte[] nonce;
    // Principals; the caller's collection is held by reference until sign() copies it.
    protected Collection<String> principals;
    // Subject public key being certified; required by validate().
    protected PublicKey publicKey;
    // Certificate serial number; defaults to 0 when serial(long) is never called.
    protected long serial;
    // HOST or USER, fixed by the factory method used to create the builder.
    protected final OpenSshCertificate.Type type;
    // Start of the validity window in epoch seconds (see validAfter(Instant)).
    protected long validAfter = 0;
    // End of the validity window in epoch seconds; -1 is the default "not set" value.
    // NOTE(review): presumably read as the maximum unsigned value, i.e. no expiry; confirm.
    protected long validBefore = -1;

    /**
     * Synthetic lambda body used by {@link #validateOptions(List)}: records the option's name in
     * {@code set} and reports whether that name was already present.
     *
     * @return {@code true} when the name is a duplicate ({@code set.add} returned {@code false})
     */
    public static /* synthetic */ boolean $r8$lambda$pO5pA1rig_Pi_VKzB7EUCMMBahk(Set set, OpenSshCertificate.CertificateOption certificateOption) {
        return !set.add(certificateOption.getName());
    }

    /**
     * Creates a builder for the given certificate type. Use {@link #hostCertificate()} or
     * {@link #userCertificate()} from outside the class hierarchy.
     */
    protected OpenSshCertificateBuilder(OpenSshCertificate.Type type) {
        this.type = type;
    }

    /** Returns a new builder for a certificate of type {@code HOST}. */
    public static OpenSshCertificateBuilder hostCertificate() {
        return new OpenSshCertificateBuilder(OpenSshCertificate.Type.HOST);
    }

    /**
     * Returns the options sorted by the key that {@code ExternalSyntheticLambda0} extracts
     * (that class is not shown; presumably the option name, confirm).
     *
     * @return {@code Collections.EMPTY_LIST} (immutable) for a null or empty input, otherwise a
     *         newly collected sorted list; the input list is not modified
     */
    private List<OpenSshCertificate.CertificateOption> lexicallyOrderOptions(List<OpenSshCertificate.CertificateOption> list) {
        return (list == null || list.isEmpty()) ? Collections.EMPTY_LIST : (List) Collection.EL.stream(list).sorted(Comparator$CC.comparing(new OpenSshCertificateBuilder$$ExternalSyntheticLambda0())).collect(Collectors.toList());
    }

    /** Returns a new builder for a certificate of type {@code USER}. */
    public static OpenSshCertificateBuilder userCertificate() {
        return new OpenSshCertificateBuilder(OpenSshCertificate.Type.USER);
    }

    /**
     * Rejects an option list that contains the same option name more than once.
     *
     * <p>Only duplicates within this one list are detected; a name that appears in both the
     * critical options and the extensions is not caught here, and names and values are not
     * checked in any other way.
     *
     * @throws IllegalArgumentException if at least one name occurs more than once
     */
    private void validateOptions(List<OpenSshCertificate.CertificateOption> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        // Names seen so far; the filter below adds to it as a side effect.
        final HashSet hashSet = new HashSet();
        // Keeps only the options whose name was already in hashSet, then maps them through
        // ExternalSyntheticLambda0 (not shown; presumably to the option name) for the message.
        Set set = (Set) Collection.EL.stream(list).filter(new Predicate() { // from class: org.apache.sshd.certificate.OpenSshCertificateBuilder$$ExternalSyntheticLambda1
            // and/negate/or only forward to the desugared default implementations.
            public /* synthetic */ Predicate and(Predicate predicate) {
                return Predicate$CC.$default$and(this, predicate);
            }

            public /* synthetic */ Predicate negate() {
                return Predicate$CC.$default$negate(this);
            }

            public /* synthetic */ Predicate or(Predicate predicate) {
                return Predicate$CC.$default$or(this, predicate);
            }

            @Override // java.util.function.Predicate
            public final boolean test(Object obj) {
                return OpenSshCertificateBuilder.$r8$lambda$pO5pA1rig_Pi_VKzB7EUCMMBahk(hashSet, (OpenSshCertificate.CertificateOption) obj);
            }
        }).map(new OpenSshCertificateBuilder$$ExternalSyntheticLambda0()).collect(Collectors.toSet());
        if (set.isEmpty()) {
            return;
        }
        throw new IllegalArgumentException("Duplicate option: " + set);
    }

    /**
     * Sets the critical options after checking them for duplicate names; a sorted copy is stored.
     *
     * @throws IllegalArgumentException if the list contains a duplicate option name
     */
    public OpenSshCertificateBuilder criticalOptions(List<OpenSshCertificate.CertificateOption> list) {
        validateOptions(list);
        this.criticalOptions = lexicallyOrderOptions(list);
        return this;
    }

    /**
     * Sets the extensions after checking them for duplicate names; a sorted copy is stored.
     *
     * @throws IllegalArgumentException if the list contains a duplicate option name
     */
    public OpenSshCertificateBuilder extensions(List<OpenSshCertificate.CertificateOption> list) {
        validateOptions(list);
        this.extensions = lexicallyOrderOptions(list);
        return this;
    }

    /** Sets the certificate id. A non-null id is required when signing. */
    public OpenSshCertificateBuilder id(String str) {
        this.id = str;
        return this;
    }

    /**
     * Sets an explicit nonce instead of letting {@code sign} generate one.
     *
     * <p>The array is stored by reference, not copied, so later changes by the caller are visible
     * to {@code sign}. The length (16 or 32 bytes) is only checked at signing time. Supplying a
     * fixed value replaces the random nonce that {@code sign} would otherwise create.
     */
    public OpenSshCertificateBuilder nonce(byte[] bArr) {
        this.nonce = bArr;
        return this;
    }

    /**
     * Sets the principals. The collection is stored by reference and copied only when signing.
     * Null or empty is accepted; see the class comment for what that implies.
     */
    public OpenSshCertificateBuilder principals(java.util.Collection<String> collection) {
        this.principals = collection;
        return this;
    }

    /** Sets the subject public key to certify. Required, and its key type must be supported. */
    public OpenSshCertificateBuilder publicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
        return this;
    }

    /** Sets the certificate serial number. No uniqueness or range check is done here. */
    public OpenSshCertificateBuilder serial(long j) {
        this.serial = j;
        return this;
    }

    /**
     * Signs with the given CA key pair, letting the signature algorithm be resolved from the CA
     * key type. Equivalent to {@code sign(keyPair, null)}.
     */
    public OpenSshCertificate sign(KeyPair keyPair) {
        return sign(keyPair, null);
    }

    /**
     * Builds the certificate from the current builder state and signs it.
     *
     * @param keyPair the CA key pair: the public key is recorded as the CA key, the private key
     *                produces the signature. It is dereferenced without a null check.
     * @param str     the signature algorithm name, or {@code null} to resolve one from
     *                {@code BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE} for the CA key type. A
     *                non-null value must be one of the key types equivalent to the CA key type.
     * @return the signed certificate
     * @throws IllegalStateException         if {@link #validate()} rejects the builder state
     * @throws UnsupportedOperationException if the subject key type has no entry in
     *                                       {@code SIGNATURE_ALGORITHM_MAP}
     */
    public OpenSshCertificate sign(KeyPair keyPair, String str) {
        NamedFactory resolveSignatureFactory;
        validate();
        // The subject key type selects the certificate key type.
        String keyType = KeyUtils.getKeyType(this.publicKey);
        String str2 = SIGNATURE_ALGORITHM_MAP.get(keyType);
        if (str2 == null) {
            throw new UnsupportedOperationException("unsupported public key type '" + keyType + "' for OpenSSH Certificate");
        }
        OpenSshCertificateImpl openSshCertificateImpl = new OpenSshCertificateImpl();
        openSshCertificateImpl.setKeyType(str2);
        openSshCertificateImpl.setType(this.type);
        openSshCertificateImpl.setCertPubKey(this.publicKey);
        openSshCertificateImpl.setSerial(this.serial);
        openSshCertificateImpl.setId(this.id);
        // Principals, critical options and extensions are copied so the certificate does not
        // share lists with the builder; each is left unset when null or empty.
        java.util.Collection<String> collection = this.principals;
        if (collection != null && !collection.isEmpty()) {
            openSshCertificateImpl.setPrincipals(new ArrayList(this.principals));
        }
        List<OpenSshCertificate.CertificateOption> list = this.criticalOptions;
        if (list != null && !list.isEmpty()) {
            openSshCertificateImpl.setCriticalOptions(new ArrayList(this.criticalOptions));
        }
        List<OpenSshCertificate.CertificateOption> list2 = this.extensions;
        if (list2 != null && !list2.isEmpty()) {
            openSshCertificateImpl.setExtensions(new ArrayList(this.extensions));
        }
        // The validity window is passed through as-is; no ordering or range check is applied.
        openSshCertificateImpl.setValidAfter(this.validAfter);
        openSshCertificateImpl.setValidBefore(this.validBefore);
        openSshCertificateImpl.setCaPubKey(keyPair.getPublic());
        byte[] bArr = this.nonce;
        if (bArr != null) {
            // Caller-supplied nonce, used by reference (length already checked by validate()).
            openSshCertificateImpl.setNonce(bArr);
        } else {
            // No nonce supplied: generate 32 bytes.
            // NOTE(review): confirm JceRandom is backed by a cryptographically secure generator.
            byte[] bArr2 = new byte[32];
            JceRandom.getGlobalInstance().nextBytes(bArr2);
            openSshCertificateImpl.setNonce(bArr2);
        }
        String keyType2 = KeyUtils.getKeyType(keyPair.getPublic());
        if (str != null) {
            // An explicit algorithm must belong to the CA key's equivalent key types.
            ValidateUtils.checkTrue(KeyUtils.getAllEquivalentKeyTypes(keyType2).contains(str), "Invalid CA signature algorithm %s for CA key type %s", str, keyType2);
            resolveSignatureFactory = BuiltinSignatures.fromFactoryName(str);
        } else {
            resolveSignatureFactory = SignatureFactory.CC.resolveSignatureFactory(keyType2, BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE);
            // Only used for the error message below.
            str = keyType2;
        }
        // A null factory yields a null signer, which checkNotNull then reports; this guards the
        // later resolveSignatureFactory.getName() call as well.
        Signature signature = resolveSignatureFactory == null ? null : (Signature) resolveSignatureFactory.create();
        ValidateUtils.checkNotNull(signature, "No signer could be located for signature algorithm=%s", str);
        // Encode the certificate as built so far; these bytes are what gets signed and are also
        // stored on the certificate as its message.
        ByteArrayBuffer byteArrayBuffer = new ByteArrayBuffer();
        byteArrayBuffer.putRawPublicKey(openSshCertificateImpl);
        byte[] compactData = byteArrayBuffer.getCompactData();
        signature.initSigner(null, keyPair.getPrivate());
        signature.update(null, compactData);
        // Signature blob: the factory's algorithm name followed by the raw signature bytes.
        ByteArrayBuffer byteArrayBuffer2 = new ByteArrayBuffer();
        byteArrayBuffer2.putString(resolveSignatureFactory.getName());
        byteArrayBuffer2.putBytes(signature.sign(null));
        openSshCertificateImpl.setMessage(compactData);
        openSshCertificateImpl.setSignature(byteArrayBuffer2.getCompactData());
        return openSshCertificateImpl;
    }

    /**
     * Sets the start of the validity window as a raw value (epoch seconds, matching the
     * {@code Instant} overload). The value is stored without any range check.
     */
    public OpenSshCertificateBuilder validAfter(long j) {
        this.validAfter = j;
        return this;
    }

    /**
     * Sets the start of the validity window from an {@code Instant}, truncated to whole seconds.
     *
     * @param instant the start time, or {@code null} to reset to the default {@code 0}
     * @throws IllegalArgumentException if the instant is before the epoch
     */
    public OpenSshCertificateBuilder validAfter(Instant instant) {
        if (instant == null) {
            return validAfter(0L);
        }
        if (Instant.EPOCH.compareTo(instant) <= 0) {
            return validAfter(instant.getEpochSecond());
        }
        throw new IllegalArgumentException("Valid-after cannot be < epoch");
    }

    /**
     * Sets the end of the validity window as a raw value (epoch seconds, matching the
     * {@code Instant} overload). The value is stored without any range check, and it is not
     * compared with {@code validAfter}.
     */
    public OpenSshCertificateBuilder validBefore(long j) {
        this.validBefore = j;
        return this;
    }

    /**
     * Sets the end of the validity window from an {@code Instant}, truncated to whole seconds.
     *
     * @param instant the end time, or {@code null} to reset to the default {@code -1}
     *                (NOTE(review): presumably "no expiry"; confirm)
     * @throws IllegalArgumentException if the instant is before the epoch
     */
    public OpenSshCertificateBuilder validBefore(Instant instant) {
        if (instant == null) {
            return validBefore(-1L);
        }
        if (Instant.EPOCH.compareTo(instant) <= 0) {
            return validBefore(instant.getEpochSecond());
        }
        throw new IllegalArgumentException("Valid-before cannot be < epoch");
    }

    /**
     * Checks the builder state before signing: a supplied nonce must be 16 or 32 bytes, and
     * type, id and public key must be set.
     *
     * <p>Principals, serial, options and the validity window are not checked here.
     *
     * @throws IllegalStateException if any of the checks fails
     */
    protected void validate() {
        byte[] bArr = this.nonce;
        if (bArr != null && bArr.length != 16 && bArr.length != 32) {
            throw new IllegalStateException("'nonce' must be 16 or 32 bytes");
        }
        if (this.type == null) {
            throw new IllegalStateException("'type' is required");
        }
        if (this.id == null) {
            throw new IllegalStateException("'id' is required");
        }
        if (this.publicKey == null) {
            throw new IllegalStateException("'publicKey' is required");
        }
    }
}
