package com.spotify.sshagenttls;

import com.eaio.uuid.UUID;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.io.BaseEncoding;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509ExtensionUtils;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/sshagenttls/X509CertKeyCreator.class */
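/**
 * Creates short-lived X.509 v3 client certificates for an SSH user.
 *
 * <p>Every {@link #createCertKey()} call generates a fresh {@value #KEY_SIZE}-bit RSA key pair
 * through the BouncyCastle provider, wraps its public key in a certificate whose issuer is
 * {@code C=US,O=Spotify,CN=sshagenttls} and whose subject is {@code UID=<username>}, and signs it
 * with the {@link ContentSigner} supplied at construction. The validity window is
 * {@code [now - validBeforeMillis, now + validAfterMillis]}.
 *
 * <p>Instances hold only immutable state. The injected {@code ContentSigner} is shared across
 * calls, so its own thread-safety is the caller's concern.
 */
public class X509CertKeyCreator implements CertKeyCreator {
    private static final Logger LOG = LoggerFactory.getLogger(X509CertKeyCreator.class);

    /** JCA provider name used for key generation and certificate conversion. */
    private static final String BC_PROVIDER = "BC";

    private static final JcaX509CertificateConverter CERT_CONVERTER =
        new JcaX509CertificateConverter().setProvider(BC_PROVIDER);

    /** Renders a key identifier as colon-separated upper-case hex pairs for logging. */
    private static final BaseEncoding KEY_ID_ENCODING = BaseEncoding.base16().upperCase().withSeparator(":", 2);

    private static final int KEY_SIZE = 2048;

    /** Issuer DN written into every certificate. */
    private static final String ISSUER_DN = "C=US,O=Spotify,CN=sshagenttls";

    /** Default back-dating of notBefore (1 hour) and default lifetime after now (48 hours). */
    private static final int DEFAULT_VALID_BEFORE_MILLIS = (int) TimeUnit.HOURS.toMillis(1L);
    private static final int DEFAULT_VALID_AFTER_MILLIS = (int) TimeUnit.HOURS.toMillis(48L);

    /**
     * keyUsage bits in BouncyCastle's {@link KeyUsage} layout: 0x80 = digitalSignature,
     * 0x04 = keyCertSign. NOTE(review): asserting keyCertSign on a certificate that also carries
     * basicConstraints cA=false is inconsistent with RFC 5280 section 4.2.1.3; the value is kept
     * so the emitted certificate is unchanged for existing verifiers.
     */
    private static final int KEY_USAGE_BITS = 0x84;

    /** Signs the certificate; the key behind it is not visible to this class. */
    private final ContentSigner contentSigner;
    /** Placed in the subject as the UID attribute and used in log messages. */
    private final String username;
    /** How far before "now" notBefore is set; an int because {@link Calendar#add} takes an int. */
    private final int validBeforeMillis;
    /** How far after "now" notAfter is set. */
    private final int validAfterMillis;

    private X509CertKeyCreator(final String username, final ContentSigner contentSigner,
                               final int validBeforeMillis, final int validAfterMillis) {
        this.username = username;
        this.validBeforeMillis = validBeforeMillis;
        this.validAfterMillis = validAfterMillis;
        this.contentSigner = contentSigner;
    }

    /**
     * Creates a creator with the default validity window: notBefore one hour in the past,
     * notAfter 48 hours in the future.
     *
     * @param username      subject UID of the certificates to issue
     * @param contentSigner signer used for every issued certificate
     * @return a new creator
     */
    public static X509CertKeyCreator create(final String username, final ContentSigner contentSigner) {
        return create(username, contentSigner, DEFAULT_VALID_BEFORE_MILLIS, DEFAULT_VALID_AFTER_MILLIS);
    }

    /**
     * Creates a creator with an explicit validity window.
     *
     * @param username          subject UID of the certificates to issue
     * @param contentSigner     signer used for every issued certificate
     * @param validBeforeMillis milliseconds before "now" at which notBefore is set
     * @param validAfterMillis  milliseconds after "now" at which notAfter is set
     * @return a new creator
     */
    @VisibleForTesting
    static X509CertKeyCreator create(final String username, final ContentSigner contentSigner,
                                     final int validBeforeMillis, final int validAfterMillis) {
        return new X509CertKeyCreator(username, contentSigner, validBeforeMillis, validAfterMillis);
    }

    /**
     * Generates a new RSA key pair and a certificate for it, signed by the configured signer.
     *
     * @return the certificate together with the freshly generated private key
     * @throws RuntimeException wrapping any checked exception raised by key generation,
     *                          extension encoding or certificate conversion
     */
    @Override // com.spotify.sshagenttls.CertKeyCreator
    public CertKey createCertKey() {
        final UUID uuid = new UUID();
        final Calendar calendar = Calendar.getInstance();
        final X500Name issuer = new X500Name(ISSUER_DN);
        final X500Name subject = new X500NameBuilder().addRDN(BCStyle.UID, this.username).build();

        // Validity window: notBefore is moved into the past (presumably to tolerate clock skew
        // on the verifying side), then the cursor advances to notAfter.
        calendar.add(Calendar.MILLISECOND, -this.validBeforeMillis);
        final Date notBefore = calendar.getTime();
        calendar.add(Calendar.MILLISECOND, this.validBeforeMillis + this.validAfterMillis);
        final Date notAfter = calendar.getTime();

        // RFC 5280 requires a positive serial number, hence abs(). The value comes from a
        // time-based UUID, so uniqueness under this issuer rests on the UUID's time field rather
        // than on CSPRNG entropy.
        final BigInteger serial = BigInteger.valueOf(uuid.getTime()).abs();

        try {
            final KeyPair keyPair = generateRandomKeyPair();
            final SubjectPublicKeyInfo subjectPublicKeyInfo =
                SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));
            final X509v3CertificateBuilder builder =
                new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);

            // SHA-1 is used here only to derive key identifiers (RFC 5280 section 4.2.1.2,
            // method 1); the certificate signature algorithm is whatever contentSigner uses.
            final X509ExtensionUtils extensionUtils = new X509ExtensionUtils(
                new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)));
            final SubjectKeyIdentifier subjectKeyId = extensionUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
            LOG.info("generating an X509 certificate for {} with key ID={}",
                this.username, KEY_ID_ENCODING.encode(subjectKeyId.getKeyIdentifier()));

            builder.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyId);
            // NOTE(review): the authority key identifier is derived from the freshly generated
            // subject key, not from the key behind contentSigner that actually signs this
            // certificate. RFC 5280 section 4.2.1.1 expects the AKI to identify the signer's key,
            // so a verifier that locates the issuer via AKI will not match. Kept as-is because the
            // signer's public key is not available to this class.
            builder.addExtension(Extension.authorityKeyIdentifier, false,
                extensionUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo));
            builder.addExtension(Extension.keyUsage, false, new KeyUsage(KEY_USAGE_BITS));
            // End-entity certificate: cA=false, and the extension is marked critical.
            builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

            final X509Certificate certificate = CERT_CONVERTER.getCertificate(builder.build(this.contentSigner));
            LOG.debug("generated certificate:\n{}", Utils.asPemString(certificate));
            return CertKey.create(certificate, keyPair.getPrivate());
        } catch (Exception e) {
            // Boundary catch: the BouncyCastle and JCA calls above throw several unrelated checked
            // exception types. Callers of the interface continue to see a RuntimeException.
            throw new RuntimeException("failed to create an X509 certificate for user " + this.username, e);
        }
    }

    /**
     * Generates a {@value #KEY_SIZE}-bit RSA key pair with the BouncyCastle provider.
     *
     * @return the new key pair
     * @throws NoSuchAlgorithmException if the provider does not offer RSA
     * @throws NoSuchProviderException  if the BouncyCastle provider cannot be resolved
     */
    private static KeyPair generateRandomKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException {
        // Security.addProvider() is a no-op (returns -1) when a provider of the same name is
        // already installed, so the guard only avoids building a throw-away provider per call.
        if (Security.getProvider(BC_PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BC_PROVIDER);
        generator.initialize(KEY_SIZE, new SecureRandom());
        return generator.generateKeyPair();
    }
}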
