package com.yahoo.vespa.hosted.ca;

import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/yahoo/vespa/hosted/ca/Certificates.class */
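public class Certificates {

    /** Lifetime of every certificate issued by {@link #create}, measured from issuance time. */
    private static final Duration CERTIFICATE_TTL = Duration.ofDays(30);

    /** Marker inside a DNS subject alternative name; the instance ID is the text before it. */
    private static final String INSTANCE_ID_DELIMITER = ".instanceid.athenz.";

    /**
     * Amount by which notBefore is backdated relative to the CA clock.
     * NOTE(review): presumably tolerates clock skew between the CA and the verifying party — confirm.
     */
    private static final Duration NOT_BEFORE_BACKDATE = Duration.ofHours(1);

    /** Source of "now" for the validity window; injected so issuance is testable. */
    private final Clock clock;

    /**
     * @param clock clock used to compute the certificate validity window
     * @throws NullPointerException if {@code clock} is null
     */
    public Certificates(Clock clock) {
        this.clock = Objects.requireNonNull(clock, "clock must be non-null");
    }

    /**
     * Signs the CSR with the given CA key and returns the issued certificate.
     *
     * <p>The subject of {@code x509Certificate} is passed to the builder as the issuer name. The
     * certificate is valid from {@link #NOT_BEFORE_BACKDATE} before the CA clock's current time until
     * {@link #CERTIFICATE_TTL} after it, is signed with SHA-256/ECDSA, and carries a randomly generated
     * serial number.
     *
     * <p>Every subject alternative name found in the CSR is decoded and copied into the issued
     * certificate. Nothing in this method checks those names against the requester's identity, so
     * the caller is responsible for validating the CSR (including its SANs) before issuing.
     *
     * @param pkcs10Csr the certificate request to sign
     * @param x509Certificate the CA certificate whose subject becomes the issuer
     * @param privateKey the CA private key used to sign
     * @return the issued certificate
     */
    public X509Certificate create(Pkcs10Csr pkcs10Csr, X509Certificate x509Certificate, PrivateKey privateKey) {
        X500Principal issuer = x509Certificate.getSubjectX500Principal();
        Instant now = this.clock.instant();
        Instant notBefore = now.minus(NOT_BEFORE_BACKDATE);
        Instant notAfter = now.plus(CERTIFICATE_TTL);
        X509CertificateBuilder builder = X509CertificateBuilder.fromCsr(
                pkcs10Csr,
                issuer,
                notBefore,
                notAfter,
                privateKey,
                SignatureAlgorithm.SHA256_WITH_ECDSA,
                X509CertificateBuilder.generateRandomSerialNumber());
        // SANs are copied verbatim from the request; no allow-listing happens here.
        for (SubjectAlternativeName san : pkcs10Csr.getSubjectAlternativeNames()) {
            builder = builder.addSubjectAlternativeName(san.decode());
        }
        return builder.build();
    }

    /**
     * Extracts the instance ID encoded in the CSR's DNS subject alternative names.
     *
     * @param pkcs10Csr the request to inspect
     * @return the instance ID as a dotted string
     * @throws IllegalArgumentException if no DNS SAN carries a parseable instance ID
     */
    public static String instanceIdFrom(Pkcs10Csr pkcs10Csr) {
        return getInstanceIdFromSAN(pkcs10Csr.getSubjectAlternativeNames())
                .orElseThrow(() -> new IllegalArgumentException("No instance ID found in CSR"));
    }

    /**
     * Extracts the instance ID encoded in the certificate's DNS subject alternative names.
     *
     * @param x509Certificate the certificate to inspect
     * @return the instance ID as a dotted string, or empty if no DNS SAN carries a parseable one
     */
    public static Optional<String> instanceIdFrom(X509Certificate x509Certificate) {
        return getInstanceIdFromSAN(X509CertificateUtils.getSubjectAlternativeNames(x509Certificate));
    }

    /**
     * Returns the first instance ID that can be parsed from a DNS-type SAN in {@code sans}.
     *
     * <p>Only the first parseable DNS SAN is considered: if the list holds several DNS names encoding
     * different instance IDs, the later ones are ignored rather than rejected. Callers that need
     * consistency across all SANs must check that themselves.
     *
     * NOTE(review): unlike {@link #getSubjectAlternativeNames}, the CSR path feeds entries in
     * without calling {@code decode()} first; whether {@code getType()}/{@code getValue()} behave the
     * same on undecoded entries is not visible here — confirm.
     *
     * @param sans subject alternative names to scan
     * @return the instance ID as a dotted string, or empty if none parses
     */
    private static Optional<String> getInstanceIdFromSAN(List<SubjectAlternativeName> sans) {
        return sans.stream()
                .filter(san -> san.getType() == SubjectAlternativeName.Type.DNS_NAME)
                .map(SubjectAlternativeName::getValue)
                .map(Certificates::parseInstanceId)
                .flatMap(Optional::stream)
                .map(VespaUniqueInstanceId::asDottedString)
                .findFirst();
    }

    /**
     * Parses the instance ID that precedes {@link #INSTANCE_ID_DELIMITER} in a DNS name.
     *
     * <p>A name without the delimiter, or whose prefix is not a valid dotted instance ID, yields
     * empty rather than an error; malformed input is therefore indistinguishable from absent input
     * at this level.
     *
     * @param dnsName a DNS SAN value
     * @return the parsed instance ID, or empty if the name carries none
     */
    private static Optional<VespaUniqueInstanceId> parseInstanceId(String dnsName) {
        int delimiterIndex = dnsName.indexOf(INSTANCE_ID_DELIMITER);
        if (delimiterIndex == -1) {
            return Optional.empty();
        }
        try {
            return Optional.of(VespaUniqueInstanceId.fromDottedString(dnsName.substring(0, delimiterIndex)));
        } catch (IllegalArgumentException ignored) {
            // A prefix that is not a well-formed instance ID is treated as "no instance ID".
            return Optional.empty();
        }
    }

    /**
     * Joins the values of all decoded SANs of the given type in the CSR with commas.
     *
     * @param pkcs10Csr the request to inspect
     * @param type the SAN type to select
     * @return the comma-separated values, or the empty string if no SAN of that type exists
     */
    public static String getSubjectAlternativeNames(Pkcs10Csr pkcs10Csr, SubjectAlternativeName.Type type) {
        return pkcs10Csr.getSubjectAlternativeNames().stream()
                .map(SubjectAlternativeName::decode)
                .filter(san -> san.getType() == type)
                .map(SubjectAlternativeName::getValue)
                .collect(Collectors.joining(","));
    }
}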
