package net.jsign.jca;

import com.cedarsoftware.util.io.JsonWriter;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;
import java.util.TreeMap;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import net.jsign.DigestAlgorithm;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:net/jsign/jca/AmazonSigningService.class */
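/**
 * Signing service backed by AWS KMS.
 *
 * <p>Requests are sent to the regional KMS endpoint ({@code https://kms.<region>.amazonaws.com}) as
 * {@code application/x-amz-json-1.1} calls to the {@code TrentService} API and are authenticated
 * with an AWS Signature Version 4 ({@code AWS4-HMAC-SHA256}) {@code Authorization} header computed
 * by {@link #sign(HttpURLConnection, AmazonCredentials, byte[], Date)}.
 *
 * <p>KMS stores no certificates: the certificate chain for a key is obtained from the
 * {@code certificateStore} function given at construction. Signing is done over the message
 * digest ({@code MessageType=DIGEST}); the digest is computed locally and only the digest leaves
 * the process.
 *
 * <p>Not synchronized: the private-key cache is a plain {@link HashMap}.
 */
public class AmazonSigningService implements SigningService {

    /** JCA signature algorithm name -> KMS {@code SigningAlgorithm} value. */
    private static final Map<String, String> ALGORITHM_MAPPING;

    static {
        Map<String, String> mapping = new HashMap<>();
        mapping.put("SHA256withRSA", "RSASSA_PKCS1_V1_5_SHA_256");
        mapping.put("SHA384withRSA", "RSASSA_PKCS1_V1_5_SHA_384");
        mapping.put("SHA512withRSA", "RSASSA_PKCS1_V1_5_SHA_512");
        mapping.put("SHA256withECDSA", "ECDSA_SHA_256");
        mapping.put("SHA384withECDSA", "ECDSA_SHA_384");
        mapping.put("SHA512withECDSA", "ECDSA_SHA_512");
        mapping.put("SHA256withRSA/PSS", "RSASSA_PSS_SHA_256");
        mapping.put("SHA384withRSA/PSS", "RSASSA_PSS_SHA_384");
        mapping.put("SHA512withRSA/PSS", "RSASSA_PSS_SHA_512");
        ALGORITHM_MAPPING = Collections.unmodifiableMap(mapping);
    }

    /** A bare KMS key id is a lower-case UUID; anything else without an ARN or alias prefix is treated as an alias name. */
    private static final Pattern KEY_ID_PATTERN =
            Pattern.compile("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$");

    /** Splits a {@code <service>.<region>.amazonaws.com} host name into its service (group 1) and region (group 2). */
    private static final Pattern ENDPOINT_PATTERN = Pattern.compile("^([^.]+)\\.([^.]+)\\.amazonaws\\.com$");

    /** SigV4 date stamp used in the credential scope, always UTC. */
    private static final DateTimeFormatter DATE_STAMP_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd").withZone(ZoneOffset.UTC);

    /** SigV4 full timestamp sent in {@code X-Amz-Date}, always UTC. */
    private static final DateTimeFormatter AMZ_DATE_FORMAT =
            DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneOffset.UTC);

    /** Source of the certificate chain for a key alias (KMS itself holds no certificates). */
    private final Function<String, Certificate[]> certificateStore;

    /** Private-key handles already resolved and validated, keyed by the alias given by the caller. */
    private final Map<String, SigningServicePrivateKey> keys;

    /** HTTP client bound to the regional KMS endpoint; every request is SigV4-signed before it is sent. */
    private final RESTClient client;

    /**
     * Creates a signing service for the given region.
     *
     * @param region           AWS region of the KMS endpoint (for example {@code us-east-1})
     * @param credentials      supplier of the credentials; it is invoked for every request, so
     *                         short-lived (session) credentials can be refreshed by the supplier
     * @param certificateStore function returning the certificate chain for a key alias
     */
    public AmazonSigningService(String region, Supplier<AmazonCredentials> credentials, Function<String, Certificate[]> certificateStore) {
        this.keys = new HashMap<>();
        this.certificateStore = certificateStore;
        this.client = new RESTClient("https://kms." + region + ".amazonaws.com",
                (BiConsumer<HttpURLConnection, byte[]>) (connection, body) -> sign(connection, credentials.get(), body, null));
    }

    /**
     * Creates a signing service using fixed credentials.
     *
     * @param region           AWS region of the KMS endpoint
     * @param credentials      the credentials used for every request
     * @param certificateStore function returning the certificate chain for a key alias
     */
    public AmazonSigningService(String region, AmazonCredentials credentials, Function<String, Certificate[]> certificateStore) {
        this(region, (Supplier<AmazonCredentials>) () -> credentials, certificateStore);
    }

    /**
     * Creates a signing service from a credentials string.
     *
     * @param region           AWS region of the KMS endpoint
     * @param credentials      credentials in the textual form understood by {@link AmazonCredentials#parse(String)}
     * @param certificateStore function returning the certificate chain for a key alias
     * @deprecated parse the credentials first and use
     *             {@link #AmazonSigningService(String, AmazonCredentials, Function)}
     */
    @Deprecated
    public AmazonSigningService(String region, String credentials, Function<String, Certificate[]> certificateStore) {
        this(region, AmazonCredentials.parse(credentials), certificateStore);
    }

    @Override // net.jsign.jca.SigningService
    public String getName() {
        return "AWS";
    }

    /**
     * Lists the ids of the keys visible to the credentials.
     *
     * <p>NOTE(review): only the first page of {@code ListKeys} is read; a truncated listing
     * ({@code Truncated}/{@code NextMarker} in the response) is not followed.
     *
     * @return a mutable list of key ids, empty when the response carries no {@code Keys} array
     * @throws KeyStoreException if the request fails
     */
    @Override // net.jsign.jca.SigningService
    public List<String> aliases() throws KeyStoreException {
        try {
            Object[] entries = (Object[]) query("TrentService.ListKeys", "{}").get("Keys");
            if (entries == null) {
                return new ArrayList<>();
            }
            List<String> aliases = new ArrayList<>(entries.length);
            for (Object entry : entries) {
                aliases.add((String) ((Map<?, ?>) entry).get("KeyId"));
            }
            return aliases;
        } catch (IOException e) {
            throw new KeyStoreException(e);
        }
    }

    /**
     * Returns the certificate chain for the alias from the store supplied at construction.
     *
     * @param alias the key alias
     * @return whatever the certificate store returns for the alias
     */
    @Override // net.jsign.jca.SigningService
    public Certificate[] getCertificateChain(String alias) throws KeyStoreException {
        return certificateStore.apply(alias);
    }

    /**
     * Resolves a key alias to a private-key handle after checking with {@code DescribeKey} that the
     * key is an enabled signing key. Results are cached per alias.
     *
     * @param alias    key id, key ARN, {@code alias/...} name, or a bare alias name
     * @param password ignored; the key material never leaves KMS
     * @return a handle whose algorithm is the key spec family ({@code RSA} or {@code EC})
     * @throws UnrecoverableKeyException if the key cannot be described, is not a signing key,
     *                                   is not enabled, or has an unrecognized key spec
     */
    @Override // net.jsign.jca.SigningService
    public SigningServicePrivateKey getPrivateKey(String alias, char[] password) throws UnrecoverableKeyException {
        SigningServicePrivateKey cached = keys.get(alias);
        if (cached != null) {
            return cached;
        }
        try {
            // the key identifier is caller-supplied, so it is emitted as a proper JSON string rather than spliced in raw
            String body = "{\"KeyId\":" + jsonString(normalizeKeyId(alias)) + "}";
            Map<?, ?> metadata = (Map<?, ?>) query("TrentService.DescribeKey", body).get("KeyMetadata");
            if (metadata == null) {
                throw new UnrecoverableKeyException("Unable to fetch AWS key '" + alias + "': no KeyMetadata in the response");
            }
            if (!"SIGN_VERIFY".equals(metadata.get("KeyUsage"))) {
                throw new UnrecoverableKeyException("The key '" + alias + "' is not a signing key");
            }
            String state = (String) metadata.get("KeyState");
            if (!"Enabled".equals(state)) {
                throw new UnrecoverableKeyException("The key '" + alias + "' is not enabled (" + state + ")");
            }
            // KeySpec looks like RSA_2048 or ECC_NIST_P256: the part before the first underscore is the key family
            String keySpec = (String) metadata.get("KeySpec");
            int separator = keySpec == null ? -1 : keySpec.indexOf('_');
            if (separator < 0) {
                throw new UnrecoverableKeyException("The key '" + alias + "' has an unsupported key spec (" + keySpec + ")");
            }
            String algorithm = keySpec.substring(0, separator);
            if ("ECC".equals(algorithm)) {
                algorithm = "EC"; // JCA name for elliptic-curve keys
            }
            SigningServicePrivateKey key = new SigningServicePrivateKey(alias, algorithm, this);
            keys.put(alias, key);
            return key;
        } catch (IOException e) {
            throw (UnrecoverableKeyException) new UnrecoverableKeyException("Unable to fetch AWS key '" + alias + "'").initCause(e);
        }
    }

    /**
     * Signs the data with the KMS key. The digest is computed locally and KMS signs the digest
     * ({@code MessageType=DIGEST}).
     *
     * @param privateKey handle returned by {@link #getPrivateKey(String, char[])}
     * @param algorithm  JCA signature algorithm name, one of the keys of the algorithm mapping
     * @param data       the data to sign
     * @return the raw signature bytes returned by KMS
     * @throws InvalidAlgorithmParameterException if the algorithm has no KMS equivalent
     * @throws GeneralSecurityException           if the request fails
     */
    @Override // net.jsign.jca.SigningService
    public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException {
        String awsAlgorithm = ALGORITHM_MAPPING.get(algorithm);
        if (awsAlgorithm == null) {
            throw new InvalidAlgorithmParameterException("Unsupported signing algorithm: " + algorithm);
        }
        // the digest algorithm is the prefix before "with" (e.g. SHA256 in SHA256withRSA); all mapped names contain it
        String digestName = algorithm.substring(0, algorithm.toLowerCase(Locale.ROOT).indexOf("with"));
        byte[] digest = DigestAlgorithm.of(digestName).getMessageDigest().digest(data);

        Map<String, Object> request = new HashMap<>();
        request.put("KeyId", normalizeKeyId(privateKey.getId()));
        request.put("MessageType", "DIGEST");
        request.put("Message", Base64.getEncoder().encodeToString(digest));
        request.put("SigningAlgorithm", awsAlgorithm);
        // NOTE(review): "TYPE" looks like the json-io writer option key ending up in the payload instead of
        // the writer arguments; kept so the request body sent to KMS stays unchanged — confirm before removing
        request.put("TYPE", "false");
        try {
            String signature = (String) query("TrentService.Sign", JsonWriter.objectToJson(request)).get("Signature");
            return Base64.getDecoder().decode(signature);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Posts a JSON request to the KMS API.
     *
     * @param target the {@code X-Amz-Target} operation, e.g. {@code TrentService.Sign}
     * @param body   the JSON request body
     * @return the parsed JSON response
     * @throws IOException if the request fails
     */
    private Map<String, ?> query(String target, String body) throws IOException {
        Map<String, String> headers = new HashMap<>();
        headers.put("X-Amz-Target", target);
        headers.put("Content-Type", "application/x-amz-json-1.1");
        return client.post("/", body, headers);
    }

    /**
     * Turns a caller-supplied key identifier into a form accepted by the {@code KeyId} parameter:
     * ARNs, {@code alias/} names and bare UUID key ids are passed through, anything else is
     * treated as an alias name and prefixed with {@code alias/}.
     */
    private String normalizeKeyId(String keyId) {
        if (keyId.startsWith("arn:") || keyId.startsWith("alias/")) {
            return keyId;
        }
        return KEY_ID_PATTERN.matcher(keyId).matches() ? keyId : "alias/" + keyId;
    }

    /**
     * Encodes a value as a JSON string literal, escaping backslashes, double quotes and control
     * characters so the value cannot break out of the surrounding JSON object.
     */
    private static String jsonString(String value) {
        StringBuilder out = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"') {
                out.append("\\\"");
            } else if (c == '\\') {
                out.append("\\\\");
            } else if (c < 0x20) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.append('"').toString();
    }

    /**
     * Adds the AWS Signature Version 4 headers ({@code X-Amz-Date}, {@code Authorization} and,
     * for temporary credentials, {@code X-Amz-Security-Token}) to the request.
     *
     * <p>The credential scope is derived from the host name: for
     * {@code <service>.<region>.amazonaws.com} the service and region are taken from the name,
     * otherwise the region defaults to {@code us-east-1} and the service is the first host label.
     * The canonical query string is always empty, so a request URL carrying a query string would
     * not verify. Must be called before the connection is established, since it reads and sets
     * request properties.
     *
     * @param connection  the request to sign; its method, URL and current request headers are signed
     * @param credentials the access key, secret key and optional session token
     * @param body        the request body (its SHA-256 is part of the canonical request)
     * @param date        the signing time, or {@code null} for the current time (fixed dates are for testing)
     */
    void sign(HttpURLConnection connection, AmazonCredentials credentials, byte[] body, Date date) {
        Instant signingTime = date != null ? date.toInstant() : Instant.now();
        String dateStamp = DATE_STAMP_FORMAT.format(signingTime);
        String amzDate = AMZ_DATE_FORMAT.format(signingTime);

        URL url = connection.getURL();
        String host = url.getHost();
        Matcher endpoint = ENDPOINT_PATTERN.matcher(host);
        String service;
        String region;
        if (endpoint.matches()) {
            service = endpoint.group(1);
            region = endpoint.group(2);
        } else {
            int dot = host.indexOf('.');
            service = dot < 0 ? host : host.substring(0, dot);
            region = "us-east-1";
        }
        String scope = dateStamp + "/" + region + "/" + service + "/aws4_request";

        connection.addRequestProperty("X-Amz-Date", amzDate);

        // headers covered by the signature, ordered case-insensitively; Host is not yet among the request properties
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.putAll(connection.getRequestProperties());
        headers.put("Host", Collections.singletonList(host));

        String path = url.getPath();
        String canonicalRequest = connection.getRequestMethod() + "\n"
                + path + (path.endsWith("/") ? "" : "/") + "\n"
                + "\n" // canonical query string: none
                + canonicalHeaders(headers) + "\n"
                + signedHeaders(headers) + "\n"
                + sha256(body);
        String stringToSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n"
                + sha256(canonicalRequest.getBytes(StandardCharsets.UTF_8));

        // SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
        byte[] secret = ("AWS4" + credentials.getSecretKey()).getBytes(StandardCharsets.UTF_8);
        byte[] signingKey = hmac("aws4_request", hmac(service, hmac(region, hmac(dateStamp, secret))));
        String signature = Hex.encodeHexString(hmac(stringToSign, signingKey));

        connection.setRequestProperty("Authorization", "AWS4-HMAC-SHA256 Credential=" + credentials.getAccessKey() + "/" + scope
                + ", SignedHeaders=" + signedHeaders(headers) + ", Signature=" + signature);
        if (credentials.getSessionToken() != null) {
            connection.setRequestProperty("X-Amz-Security-Token", credentials.getSessionToken());
        }
    }

    /**
     * Builds the SigV4 canonical headers block: one {@code name:value} line per header, names
     * lower-cased, multi-valued headers joined with commas, runs of whitespace collapsed, each line
     * terminated by a newline.
     */
    private String canonicalHeaders(Map<String, List<String>> headers) {
        return headers.entrySet().stream()
                .map(header -> header.getKey().toLowerCase(Locale.ROOT) + ":"
                        + String.join(",", header.getValue()).replaceAll("\\s+", " "))
                .collect(Collectors.joining("\n")) + "\n";
    }

    /** Builds the SigV4 signed-headers list: lower-cased header names joined with semicolons, in map order. */
    private String signedHeaders(Map<String, List<String>> headers) {
        return headers.keySet().stream()
                .map(name -> name.toLowerCase(Locale.ROOT))
                .collect(Collectors.joining(";"));
    }

    /** HMAC-SHA256 of the UTF-8 encoding of {@code message} under {@code key}. */
    private byte[] hmac(String message, byte[] key) {
        return hmac(message.getBytes(StandardCharsets.UTF_8), key);
    }

    /**
     * HMAC-SHA256 of {@code message} under {@code key}.
     *
     * @throws IllegalStateException if HmacSHA256 is unavailable or the key is rejected; both
     *                               indicate a broken runtime rather than a recoverable condition
     */
    private byte[] hmac(byte[] message, byte[] key) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, mac.getAlgorithm()));
            return mac.doFinal(message);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 is not available", e);
        }
    }

    /** Lower-case hex SHA-256 of the data, as required for the SigV4 hashes. */
    private String sha256(byte[] data) {
        MessageDigest digest = DigestAlgorithm.SHA256.getMessageDigest();
        digest.update(data);
        return Hex.encodeHexString(digest.digest()); // already lower-case
    }
}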
