package com.spotify.helios.client.tls;

import com.eaio.uuid.UUID;
import com.google.common.base.Throwables;
import com.google.common.io.BaseEncoding;
import com.spotify.sshagentproxy.AgentProxy;
import com.spotify.sshagentproxy.Identity;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Calendar;
import java.util.Date;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509ExtensionUtils;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/helios/client/tls/X509CertificateFactory.class */
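/**
 * Builds short-lived X.509 v3 client certificates for freshly generated RSA key pairs.
 *
 * <p>The RSA key pair is generated in-process with {@link SecureRandom}; the certificate is
 * signed through an SSH agent identity via {@link SshAgentContentSigner}, so the generated
 * private key is only ever handed back to the caller and never passed to the signer.
 *
 * <p>Thread-safety: the class holds only immutable static state, so {@link #get} may be called
 * concurrently.
 */
public class X509CertificateFactory {

    static {
        // Registering the provider once at class-load time; the converter below refers to it by name.
        Security.addProvider(new BouncyCastleProvider());
    }

    private static final Logger log = LoggerFactory.getLogger(X509CertificateFactory.class);

    private static final JcaX509CertificateConverter CERTIFICATE_CONVERTER =
            new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);

    // Colon-separated upper-case hex pairs (e.g. "AB:CD:..."), used only for the key ID log line.
    private static final BaseEncoding KEY_ID_ENCODING =
            BaseEncoding.base16().upperCase().withSeparator(":", 2);

    // PEM-style body: base64 broken into 64-character lines, used only for the debug log line.
    private static final BaseEncoding CERT_ENCODING =
            BaseEncoding.base64().withSeparator("\n", 64);

    // RSA modulus size of the key pair generated for each certificate.
    private static final int KEY_SIZE = 2048;

    // Validity window relative to "now": notBefore lies HOURS_BEFORE in the past (presumably to
    // tolerate clock skew between client and server; the code does not say), notAfter lies
    // HOURS_AFTER in the future.
    private static final int HOURS_BEFORE = 1;
    private static final int HOURS_AFTER = 48;

    // Issuer name written into every generated certificate.
    private static final X500Name ISSUER = new X500Name("C=US,O=Spotify,CN=helios-client");

    /**
     * A generated certificate together with the key pair whose public key it certifies.
     */
    public static class CertificateAndKeyPair {
        private final Certificate certificate;
        private final KeyPair keyPair;

        /**
         * @param certificate the certificate (public material)
         * @param keyPair     the key pair; its private half is sensitive and is not copied
         */
        public CertificateAndKeyPair(Certificate certificate, KeyPair keyPair) {
            this.certificate = certificate;
            this.keyPair = keyPair;
        }

        /** @return the certificate passed at construction */
        public Certificate getCertificate() {
            return this.certificate;
        }

        /** @return the key pair passed at construction, including the private key */
        public KeyPair getKeyPair() {
            return this.keyPair;
        }
    }

    /**
     * Generates a fresh {@value #KEY_SIZE}-bit RSA key pair and an X.509 v3 certificate for it,
     * signed through the given SSH agent identity.
     *
     * <p>The certificate is valid from {@value #HOURS_BEFORE} hour(s) before to
     * {@value #HOURS_AFTER} hours after the current wall-clock time. The subject consists of a
     * single {@code UID} RDN holding {@code uid}; the issuer is {@code C=US,O=Spotify,CN=helios-client}.
     *
     * @param agentProxy connection to the SSH agent that performs the signature
     * @param identity   the agent-held identity to sign with
     * @param uid        value placed in the subject's {@code UID} RDN
     * @return the converted certificate together with the generated key pair
     * @throws RuntimeException wrapping any checked exception raised while generating the key
     *                          pair, building the certificate or contacting the agent
     */
    public static CertificateAndKeyPair get(final AgentProxy agentProxy, final Identity identity,
                                            final String uid) {
        final UUID uuid = new UUID();

        final Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.HOUR, -HOURS_BEFORE);
        final Date notBefore = calendar.getTime();
        // Calendar is now HOURS_BEFORE behind "now", so step forward past it.
        calendar.add(Calendar.HOUR, HOURS_BEFORE + HOURS_AFTER);
        final Date notAfter = calendar.getTime();

        final X500Name subject = new X500NameBuilder().addRDN(BCStyle.UID, uid).build();

        // Serial number comes from the time field of a time-based UUID. NOTE(review): two
        // certificates generated within the same clock tick would share a serial — confirm
        // whether anything downstream relies on serial uniqueness.
        final BigInteger serial = BigInteger.valueOf(uuid.getTime()).abs();

        try {
            final KeyPairGenerator generator =
                    KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
            generator.initialize(KEY_SIZE, new SecureRandom());
            final KeyPair keyPair = generator.generateKeyPair();

            final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(
                    ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));

            final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                    ISSUER, serial, notBefore, notAfter, subject, publicKeyInfo);

            // SHA-1 is used only to derive the key identifier extensions (RFC 5280 §4.2.1.2
            // method 1); the certificate signature algorithm is chosen by the content signer.
            final X509ExtensionUtils extensionUtils = new X509ExtensionUtils(
                    new BcDigestCalculatorProvider().get(
                            new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)));
            final SubjectKeyIdentifier keyId =
                    extensionUtils.createSubjectKeyIdentifier(publicKeyInfo);

            log.info("generating an X509 certificate with key ID {}",
                     KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()));

            builder.addExtension(Extension.subjectKeyIdentifier, false, keyId);
            // NOTE(review): the authority key identifier is derived from the freshly generated
            // public key, not from the agent identity that actually signs — confirm this is
            // what the server-side verifier expects.
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                                 extensionUtils.createAuthorityKeyIdentifier(publicKeyInfo));
            // digitalSignature | keyCertSign (== 132). NOTE(review): keyCertSign is asserted on an
            // end-entity certificate (cA=false below); RFC 5280 §4.2.1.3 says it should only be
            // set when cA is TRUE — confirm the verifier tolerates it before changing either bit.
            builder.addExtension(Extension.keyUsage, false,
                                 new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));
            // End-entity certificate; basicConstraints is marked critical.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

            // Signing is delegated to the SSH agent; only agentProxy and identity are handed over,
            // the RSA key pair generated above is not.
            final X509CertificateHolder holder =
                    builder.build(new SshAgentContentSigner(agentProxy, identity));

            // Only the public certificate is logged; the private key never reaches the log.
            log.debug("generated certificate:\n{}\n{}\n{}", "-----BEGIN CERTIFICATE-----",
                      CERT_ENCODING.encode(holder.getEncoded()), "-----END CERTIFICATE-----");

            return new CertificateAndKeyPair(CERTIFICATE_CONVERTER.getCertificate(holder), keyPair);
        } catch (Exception e) {
            // Nothing here is recoverable by the caller; rethrow unchecked, keeping the cause.
            // (Throwables.propagate is deprecated in newer Guava; kept because the Guava version
            // in use is not visible from this file.)
            throw Throwables.propagate(e);
        }
    }
}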
