package com.yeepay.yop.sdk.auth.signer;

import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.yeepay.yop.sdk.YopConstants;
import com.yeepay.yop.sdk.auth.SignOptions;
import com.yeepay.yop.sdk.auth.Signer;
import com.yeepay.yop.sdk.auth.credentials.YopCredentials;
import com.yeepay.yop.sdk.auth.credentials.YopCredentialsWithoutSign;
import com.yeepay.yop.sdk.auth.credentials.YopRSACredentials;
import com.yeepay.yop.sdk.exception.VerifySignFailedException;
import com.yeepay.yop.sdk.exception.YopClientException;
import com.yeepay.yop.sdk.http.Headers;
import com.yeepay.yop.sdk.http.YopHttpResponse;
import com.yeepay.yop.sdk.internal.Request;
import com.yeepay.yop.sdk.internal.RestartableInputStream;
import com.yeepay.yop.sdk.model.BaseRequest;
import com.yeepay.yop.sdk.security.DigestAlgEnum;
import com.yeepay.yop.sdk.security.rsa.RSA;
import com.yeepay.yop.sdk.utils.CharacterConstants;
import com.yeepay.yop.sdk.utils.DateUtils;
import com.yeepay.yop.sdk.utils.Encodes;
import com.yeepay.yop.sdk.utils.HttpUtils;
import java.io.InputStream;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yeepay/yop/sdk/auth/signer/RsaSigner.class */
public class RsaSigner implements Signer {
    private static final ThreadLocal<MessageDigest> SHA256_MESSAGE_DIGEST;
    private static final String YOP_AUTH_VERSION = "yop-auth-v3";
    private static final String SEPARATOR = "$";
    private static final Logger LOGGER = LoggerFactory.getLogger(RsaSigner.class);
    private static final Set<String> defaultHeadersToSign = Sets.newHashSet();
    private static final Joiner headerJoiner = Joiner.on('\n');
    private static final Joiner signedHeaderStringJoiner = Joiner.on(';');

    @Override // com.yeepay.yop.sdk.auth.Signer
    public void sign(Request<? extends BaseRequest> request, YopCredentials yopCredentials, SignOptions signOptions) {
        Preconditions.checkNotNull(request, "request should not be null.");
        if (yopCredentials == null || (yopCredentials instanceof YopCredentialsWithoutSign)) {
            return;
        }
        if (!(yopCredentials instanceof YopRSACredentials)) {
            throw new YopClientException("UnSupported credentials type:" + yopCredentials.getClass().getSimpleName());
        }
        String appKey = yopCredentials.getAppKey();
        request.addHeader(Headers.HOST, HttpUtils.generateHostHeader(request.getEndpoint()));
        Date date = new Date();
        request.addHeader(Headers.YOP_CONTENT_SHA256, calculateContentHash(request));
        String canonicalQueryString = getCanonicalQueryString(request);
        SortedMap<String, String> headersToSign = getHeadersToSign(request.getHeaders(), defaultHeadersToSign);
        String canonicalHeaders = getCanonicalHeaders(headersToSign);
        String lowerCase = signedHeaderStringJoiner.join(headersToSign.keySet()).trim().toLowerCase();
        String str = "yop-auth-v3/" + appKey + CharacterConstants.SLASH + DateUtils.formatAlternateIso8601Date(date) + CharacterConstants.SLASH + signOptions.getExpirationInSeconds();
        String str2 = str + CharacterConstants.LF + request.getHttpMethod() + CharacterConstants.LF + getCanonicalURIPath(request.getResourcePath()) + CharacterConstants.LF + canonicalQueryString + CharacterConstants.LF + canonicalHeaders;
        String str3 = signOptions.getProtocolPrefix() + CharacterConstants.SPACE + str + CharacterConstants.SLASH + lowerCase + CharacterConstants.SLASH + computeSignature(str2, ((YopRSACredentials) yopCredentials).getPrivateKey(), signOptions.getDigestAlg());
        LOGGER.debug("CanonicalRequest:{}\tAuthorization:{}", str2.replace(CharacterConstants.LF, "[\\n]"), str3);
        request.addHeader(Headers.AUTHORIZATION, str3);
    }

    @Override // com.yeepay.yop.sdk.auth.Signer
    public void checkSignature(YopHttpResponse yopHttpResponse, String str, PublicKey publicKey, SignOptions signOptions) {
        if (!RSA.verifySign(yopHttpResponse.readContent().replaceAll("[ \t\n]", CharacterConstants.EMPTY), str, publicKey, signOptions.getDigestAlg())) {
            throw new VerifySignFailedException("response sign verify failure");
        }
    }

    private String getCanonicalQueryString(Request<? extends BaseRequest> request) {
        return HttpUtils.usePayloadForQueryParameters(request) ? CharacterConstants.EMPTY : HttpUtils.getCanonicalQueryString(request.getParameters(), true);
    }

    private String calculateContentHash(Request<? extends BaseRequest> request) {
        RestartableInputStream binaryRequestPayloadStream = getBinaryRequestPayloadStream(request);
        String encodeHex = Encodes.encodeHex(hash(binaryRequestPayloadStream));
        binaryRequestPayloadStream.restart();
        return encodeHex;
    }

    private byte[] hash(InputStream inputStream) {
        try {
            DigestInputStream digestInputStream = new DigestInputStream(inputStream, getMessageDigestInstance());
            do {
            } while (digestInputStream.read(new byte[1024]) > -1);
            return digestInputStream.getMessageDigest().digest();
        } catch (Exception e) {
            throw new YopClientException("Unable to compute hash while signing request: " + e.getMessage(), e);
        }
    }

    private RestartableInputStream getBinaryRequestPayloadStream(Request<? extends BaseRequest> request) {
        if (!HttpUtils.usePayloadForQueryParameters(request)) {
            return getBinaryRequestPayloadStreamWithoutQueryParams(request);
        }
        String canonicalQueryString = HttpUtils.getCanonicalQueryString(request.getParameters(), true);
        return StringUtils.isEmpty(canonicalQueryString) ? RestartableInputStream.wrap(new byte[0]) : RestartableInputStream.wrap(canonicalQueryString.getBytes(YopConstants.DEFAULT_CHARSET));
    }

    private RestartableInputStream getBinaryRequestPayloadStreamWithoutQueryParams(Request<? extends BaseRequest> request) {
        return request.getContent() instanceof RestartableInputStream ? (RestartableInputStream) request.getContent() : RestartableInputStream.wrap(new byte[0]);
    }

    private String getCanonicalURIPath(String str) {
        return str == null ? CharacterConstants.SLASH : str.startsWith(CharacterConstants.SLASH) ? HttpUtils.normalizePath(str) : CharacterConstants.SLASH + HttpUtils.normalizePath(str);
    }

    private SortedMap<String, String> getHeadersToSign(Map<String, String> map, Set<String> set) {
        TreeMap newTreeMap = Maps.newTreeMap();
        if (set != null) {
            HashSet newHashSet = Sets.newHashSet();
            Iterator<String> it = set.iterator();
            while (it.hasNext()) {
                newHashSet.add(it.next().trim().toLowerCase());
            }
            set = newHashSet;
        }
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String key = entry.getKey();
            if (entry.getValue() != null && !entry.getValue().isEmpty() && set != null && set.contains(key.toLowerCase()) && !Headers.AUTHORIZATION.equalsIgnoreCase(key)) {
                newTreeMap.put(key, entry.getValue());
            }
        }
        return newTreeMap;
    }

    private String getCanonicalHeaders(SortedMap<String, String> sortedMap) {
        if (sortedMap.isEmpty()) {
            return CharacterConstants.EMPTY;
        }
        ArrayList newArrayList = Lists.newArrayList();
        for (Map.Entry<String, String> entry : sortedMap.entrySet()) {
            String key = entry.getKey();
            if (key != null) {
                String value = entry.getValue();
                if (value == null) {
                    value = CharacterConstants.EMPTY;
                }
                newArrayList.add(HttpUtils.normalize(key.trim().toLowerCase()) + ':' + HttpUtils.normalize(value.trim()));
            }
        }
        Collections.sort(newArrayList);
        return headerJoiner.join(newArrayList);
    }

    private String computeSignature(String str, PrivateKey privateKey, DigestAlgEnum digestAlgEnum) {
        return RSA.sign(str, privateKey, digestAlgEnum) + "$" + digestAlgEnum.getValue();
    }

    private static MessageDigest getMessageDigestInstance() {
        MessageDigest messageDigest = SHA256_MESSAGE_DIGEST.get();
        messageDigest.reset();
        return messageDigest;
    }

    static {
        defaultHeadersToSign.add(Headers.CONTENT_LENGTH.toLowerCase());
        defaultHeadersToSign.add(Headers.CONTENT_TYPE.toLowerCase());
        defaultHeadersToSign.add(Headers.CONTENT_MD5.toLowerCase());
        defaultHeadersToSign.add(Headers.YOP_REQUEST_ID);
        defaultHeadersToSign.add(Headers.YOP_DATE);
        defaultHeadersToSign.add("x-yop-appkey");
        defaultHeadersToSign.add(Headers.YOP_CONTENT_SHA256);
        defaultHeadersToSign.add(Headers.YOP_HASH_CRC64ECMA);
        SHA256_MESSAGE_DIGEST = new ThreadLocal<MessageDigest>() { // from class: com.yeepay.yop.sdk.auth.signer.RsaSigner.1
            /* JADX INFO: Access modifiers changed from: protected */
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.lang.ThreadLocal
            public MessageDigest initialValue() {
                try {
                    return MessageDigest.getInstance("SHA-256");
                } catch (NoSuchAlgorithmException e) {
                    throw new YopClientException("Unable to get SHA256 Function" + e.getMessage(), e);
                }
            }
        };
    }
}
