package com.spotify.helios.client.tls;

import com.eaio.uuid.UUID;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.BaseEncoding;
import com.spotify.helios.common.Hash;
import com.spotify.sshagentproxy.AgentProxy;
import com.spotify.sshagentproxy.Identity;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509ExtensionUtils;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/helios/client/tls/X509CertificateFactory.class */
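/**
 * Produces short-lived X.509 client certificates whose private key is generated locally and
 * whose signature is produced by an SSH identity held in the user's ssh-agent (see
 * {@code SshAgentContentSigner}). Generated pairs are cached on disk, PEM-encoded, under
 * {@code cacheDirectory}; the private key is stored unencrypted and protected only by file
 * permissions, so the cache directory and files are created owner-only.
 */
public class X509CertificateFactory {
    private static final Logger log = LoggerFactory.getLogger(X509CertificateFactory.class);

    /** Default cache location: {@code $HOME/.helios}. */
    private static final Path HELIOS_HOME = Paths.get(System.getProperty("user.home"), ".helios");
    private static final BaseEncoding HEX_ENCODING = BaseEncoding.base16().lowerCase();
    /** Renders a key identifier as colon-separated upper-case hex, OpenSSL style. */
    private static final BaseEncoding KEY_ID_ENCODING =
        BaseEncoding.base16().upperCase().withSeparator(":", 2);
    private static final JcaX509CertificateConverter CERTIFICATE_CONVERTER =
        new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
    private static final int KEY_SIZE = 2048;
    /** Number of hex digits of the digest used to name cache files (32 bits). */
    private static final int CACHE_KEY_HEX_CHARS = 8;
    /** Fixed issuer DN. The actual signer is the caller's SSH identity, not a key with this name. */
    private static final X500Name ISSUER = new X500Name("C=US,O=Spotify,CN=helios-client");
    // digitalSignature | keyCertSign == 132, the bit pattern this factory has always emitted.
    // NOTE(review): keyCertSign on an end-entity certificate contradicts the critical
    // basicConstraints(cA=false) added below (RFC 5280 s4.2.1.3); keyEncipherment was
    // possibly intended. Left unchanged until the master's acceptance rules are confirmed.
    private static final int KEY_USAGE_BITS = KeyUsage.digitalSignature | KeyUsage.keyCertSign;
    /** 0600 for the cached certificate and private key files. */
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_RW =
        PosixFilePermissions.asFileAttribute(
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
    /** 0700 for the cache directory so other local users cannot list or open cached keys. */
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_RWX =
        PosixFilePermissions.asFileAttribute(
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE));

    private final Path cacheDirectory;
    /** How far notBefore is back-dated from "now", in milliseconds (tolerates clock skew). */
    private final int validBeforeMilliseconds;
    /** How long after "now" the certificate expires, in milliseconds. */
    private final int validAfterMilliseconds;

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Caches under {@code ~/.helios}; certificates are valid from 1h ago until 48h from now. */
    public X509CertificateFactory() {
        this(HELIOS_HOME, (int) TimeUnit.HOURS.toMillis(1L), (int) TimeUnit.HOURS.toMillis(48L));
    }

    /**
     * @param cacheDirectory       directory in which generated pairs are cached
     * @param validBeforeMillis    notBefore = now - validBeforeMillis
     * @param validAfterMillis     notAfter  = now + validAfterMillis
     */
    public X509CertificateFactory(final Path cacheDirectory,
                                  final int validBeforeMillis,
                                  final int validAfterMillis) {
        this.cacheDirectory = cacheDirectory;
        this.validBeforeMilliseconds = validBeforeMillis;
        this.validAfterMilliseconds = validAfterMillis;
    }

    /**
     * Returns a certificate and matching private key for {@code username}, signed by
     * {@code identity} via the SSH agent. A cached pair is reused when both files exist, the
     * certificate is inside its validity period and its subject is the one this factory would
     * have issued for {@code username}; otherwise a fresh pair is generated and cached
     * (caching is best-effort and never fails the call).
     *
     * @param agentProxy connection to the ssh-agent that performs the signature
     * @param identity   SSH identity whose key signs the certificate
     * @param username   value placed in the subject's UID attribute
     * @throws RuntimeException if key generation or signing fails
     */
    public CertificateAndPrivateKey get(final AgentProxy agentProxy,
                                        final Identity identity,
                                        final String username) {
        final String cacheKey = cacheKey(identity, username);
        final Path certPath = cacheDirectory.resolve(cacheKey + ".crt");
        final Path keyPath = cacheDirectory.resolve(cacheKey + ".pem");

        final CertificateAndPrivateKey cached = loadFromCache(certPath, keyPath, identity);
        if (cached != null && isUsable(cached, username)) {
            log.info("using existing certificate for {} from {}", username, certPath);
            return cached;
        }

        final CertificateAndPrivateKey fresh = generate(agentProxy, identity, username);
        saveToCache(cacheDirectory, certPath, keyPath, fresh);
        return fresh;
    }

    /**
     * Derives the cache file stem from the identity's key blob and the user name. SHA-1 is used
     * purely as a file-name hash, not as a security boundary; the 32-bit truncation means a
     * collision is possible, which is why {@link #isUsable} cross-checks the cached subject.
     */
    private static String cacheKey(final Identity identity, final String username) {
        final MessageDigest digest = Hash.sha1();
        digest.update(identity.getKeyBlob());
        digest.update(username.getBytes(StandardCharsets.UTF_8));
        return HEX_ENCODING.encode(digest.digest()).substring(0, CACHE_KEY_HEX_CHARS);
    }

    /** Loads a cached pair if both files exist and parse; returns {@code null} otherwise. */
    private CertificateAndPrivateKey loadFromCache(final Path certPath,
                                                   final Path keyPath,
                                                   final Identity identity) {
        if (!Files.exists(certPath) || !Files.exists(keyPath)) {
            return null;
        }
        try {
            return CertificateAndPrivateKey.from(certPath, keyPath);
        } catch (IOException | GeneralSecurityException e) {
            // An unreadable or corrupt cache entry simply forces regeneration.
            log.debug("error reading cached certificate and key from {} for identity={}",
                      cacheDirectory, identity.getComment(), e);
            return null;
        }
    }

    /**
     * A cached pair is usable when its certificate is X.509, "now" lies strictly inside
     * [notBefore, notAfter] and the subject equals the one {@link #subjectFor} builds for
     * {@code username} (guards against a cache-key collision handing back another user's pair).
     */
    private static boolean isUsable(final CertificateAndPrivateKey pair, final String username) {
        if (!(pair.getCertificate() instanceof X509Certificate)) {
            return false;
        }
        final X509Certificate cert = (X509Certificate) pair.getCertificate();
        final Date now = new Date();
        if (!now.after(cert.getNotBefore()) || !now.before(cert.getNotAfter())) {
            log.debug("cached certificate for {} is outside its validity period", username);
            return false;
        }
        final X500Name subject = X500Name.getInstance(cert.getSubjectX500Principal().getEncoded());
        if (!subjectFor(username).equals(subject)) {
            log.debug("cached certificate subject {} does not match user {}", subject, username);
            return false;
        }
        return true;
    }

    /** Subject DN for a user: a single UID RDN. */
    private static X500Name subjectFor(final String username) {
        return new X500NameBuilder().addRDN(BCStyle.UID, username).build();
    }

    /**
     * Generates a new RSA key pair and a certificate over its public key, signed through the
     * SSH agent with {@code identity}. Checked failures are wrapped in an
     * {@link IllegalStateException}; runtime exceptions propagate unchanged.
     */
    private CertificateAndPrivateKey generate(final AgentProxy agentProxy,
                                              final Identity identity,
                                              final String username) {
        final long now = System.currentTimeMillis();
        final Date notBefore = new Date(now - validBeforeMilliseconds);
        final Date notAfter = new Date(now + validAfterMilliseconds);
        // Serial from a time-based UUID; abs() because RFC 5280 requires a positive serial.
        // The serial is therefore predictable, which is acceptable for a self-issued client cert
        // but would not be for a CA.
        final BigInteger serial = BigInteger.valueOf(new UUID().getTime()).abs();

        try {
            final KeyPairGenerator generator =
                KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
            generator.initialize(KEY_SIZE, new SecureRandom());
            final KeyPair keyPair = generator.generateKeyPair();
            final SubjectPublicKeyInfo publicKeyInfo =
                SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());

            final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                ISSUER, serial, notBefore, notAfter, subjectFor(username), publicKeyInfo);

            // SHA-1 here is the RFC 5280 s4.2.1.2 key-identifier derivation, not a signature.
            final X509ExtensionUtils extensionUtils = new X509ExtensionUtils(
                new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)));
            final SubjectKeyIdentifier subjectKeyId =
                extensionUtils.createSubjectKeyIdentifier(publicKeyInfo);
            log.info("generating an X509 certificate for {} with key ID={} and identity={}",
                     username, KEY_ID_ENCODING.encode(subjectKeyId.getKeyIdentifier()),
                     identity.getComment());

            builder.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyId);
            // NOTE(review): the AKI is computed from the subject's own key, although the
            // signature comes from the SSH identity; confirm the master does not use it for
            // signer lookup.
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                                 extensionUtils.createAuthorityKeyIdentifier(publicKeyInfo));
            builder.addExtension(Extension.keyUsage, false, new KeyUsage(KEY_USAGE_BITS));
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

            final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(
                builder.build(new SshAgentContentSigner(agentProxy, identity)));
            // Only the (public) certificate is logged; the private key never is.
            log.debug("generated certificate:\n{}", asPEMString(certificate));
            return new CertificateAndPrivateKey(certificate, keyPair.getPrivate());
        } catch (final RuntimeException e) {
            throw e;
        } catch (final Exception e) {
            throw new IllegalStateException("failed to generate X509 certificate for " + username, e);
        }
    }

    /**
     * Persists the pair as two PEM files. Each file is written to an owner-only temp file in the
     * same directory and atomically renamed into place, so the target never exists with weaker
     * permissions or partial content, and a pre-existing (possibly attacker-placed) file or
     * symlink at the target path is replaced rather than written through. Failures are logged
     * and swallowed: the cache is an optimisation only.
     */
    private static void saveToCache(final Path directory,
                                    final Path certPath,
                                    final Path keyPath,
                                    final CertificateAndPrivateKey pair) {
        Path certTmp = null;
        Path keyTmp = null;
        try {
            Files.createDirectories(directory, OWNER_RWX);
            final String certPem = asPEMString(pair.getCertificate());
            final String keyPem = asPEMString(pair.getPrivateKey());
            // Stage both files before moving either, so a write failure cannot leave a new
            // certificate beside an old key (or vice versa).
            certTmp = writeOwnerOnlyTemp(directory, certPath, certPem);
            keyTmp = writeOwnerOnlyTemp(directory, keyPath, keyPem);
            Files.move(certTmp, certPath,
                       StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            Files.move(keyTmp, keyPath,
                       StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
            log.debug("cached generated certificate to {}", certPath);
        } catch (IOException | UnsupportedOperationException e) {
            // UnsupportedOperationException: POSIX permissions unavailable on this file system.
            // Rather than store a private key with unknown permissions, skip caching.
            log.warn("error caching generated certificate", e);
        } finally {
            discardQuietly(certTmp);
            discardQuietly(keyTmp);
        }
    }

    /** Creates a 0600 temp file next to {@code target} holding {@code content}; returns its path. */
    private static Path writeOwnerOnlyTemp(final Path directory,
                                           final Path target,
                                           final String content) throws IOException {
        final Path tmp = Files.createTempFile(
            directory, target.getFileName().toString(), ".tmp", OWNER_RW);
        // PEM is ASCII, so UTF-8 yields the same bytes the platform charset would for valid input.
        Files.write(tmp, content.getBytes(StandardCharsets.UTF_8));
        return tmp;
    }

    /** Deletes a staged temp file if it still exists; a no-op after a successful move. */
    private static void discardQuietly(final Path tmp) {
        if (tmp == null) {
            return;
        }
        try {
            Files.deleteIfExists(tmp);
        } catch (final IOException e) {
            log.debug("could not remove temporary cache file {}", tmp, e);
        }
    }

    /** PEM-encodes a certificate or key with BouncyCastle's writer. */
    private static String asPEMString(final Object obj) throws IOException {
        final StringWriter out = new StringWriter();
        // The writer buffers; closing it before reading the StringWriter flushes the footer.
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(obj);
        }
        return out.toString();
    }
}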
