package net.jsign.jca;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import net.jsign.DigestAlgorithm;

/* loaded from: input_file:net/jsign/jca/OracleCloudSigningService.class */
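/**
 * Signing service that delegates signature operations to keys held in Oracle Cloud vaults.
 *
 * <p>Requests are sent to the {@code /20180608} REST endpoints and authenticated with an
 * {@code Authorization: Signature ...} header computed with the private key of the
 * configured credentials. Certificates are not fetched from the service; they are
 * supplied by the {@code certificateStore} function given to the constructor.</p>
 */
public class OracleCloudSigningService implements SigningService {

    /**
     * Pattern of the supported key identifiers. The first group is used as the region and
     * the second as the vault prefix when building the cryptographic endpoint. Both groups
     * are restricted to hostname-label characters (letters, digits, hyphen) so that a
     * malformed key id cannot change the authority of the URL the signed request is sent to.
     */
    private static final Pattern KEY_ID_PATTERN =
            Pattern.compile("ocid1\\.key\\.oc1\\.([A-Za-z0-9-]+)\\.([A-Za-z0-9-]+)\\..*");

    /** Source of the certificate chain for a given key id. */
    private final Function<String, Certificate[]> certificateStore;

    /** Credentials used to authenticate the API requests. */
    private final OracleCloudCredentials credentials;

    /** Mapping between the Java signature algorithm names and the names sent as {@code signingAlgorithm}. */
    private final Map<String, String> algorithmMapping = new HashMap<>();

    /**
     * Creates a new signing service.
     *
     * @param credentials      the credentials used to sign the API requests
     * @param certificateStore the function returning the certificate chain for a key id
     */
    public OracleCloudSigningService(OracleCloudCredentials credentials, Function<String, Certificate[]> certificateStore) {
        this.algorithmMapping.put("SHA256withRSA", "SHA_256_RSA_PKCS1_V1_5");
        this.algorithmMapping.put("SHA384withRSA", "SHA_384_RSA_PKCS1_V1_5");
        this.algorithmMapping.put("SHA512withRSA", "SHA_512_RSA_PKCS1_V1_5");
        this.algorithmMapping.put("SHA256withECDSA", "ECDSA_SHA_256");
        this.algorithmMapping.put("SHA384withECDSA", "ECDSA_SHA_384");
        this.algorithmMapping.put("SHA512withECDSA", "ECDSA_SHA_512");
        this.algorithmMapping.put("SHA256withRSA/PSS", "SHA_256_RSA_PKCS_PSS");
        // Was "SHA_394_RSA_PKCS_PSS": a typo that made every SHA-384 RSA-PSS request carry
        // an algorithm name that does not match the SHA_<size>_RSA_PKCS_PSS naming of its siblings.
        this.algorithmMapping.put("SHA384withRSA/PSS", "SHA_384_RSA_PKCS_PSS");
        this.algorithmMapping.put("SHA512withRSA/PSS", "SHA_512_RSA_PKCS_PSS");
        this.credentials = credentials;
        this.certificateStore = certificateStore;
    }

    @Override
    public String getName() {
        return "OracleCloud";
    }

    /**
     * Returns the base URL of the endpoint used to list the vaults,
     * built from the region of the credentials.
     */
    String getVaultEndpoint() {
        return "https://kms." + this.credentials.getRegion() + ".oraclecloud.com";
    }

    /**
     * Lists the identifiers of the usable keys: keys in the {@code ENABLED} state whose
     * protection mode is not {@code EXTERNAL}, found in the vaults in the {@code ACTIVE}
     * state of the tenancy compartment.
     *
     * @return the key identifiers
     * @throws KeyStoreException if a request to the service fails
     */
    @Override
    public List<String> aliases() throws KeyStoreException {
        List<String> aliases = new ArrayList<>();
        String compartment = this.credentials.getTenancy();
        try {
            RESTClient vaultClient = new RESTClient(getVaultEndpoint()).authentication(this::sign).errorHandler(this::error);
            Object[] vaults = (Object[]) vaultClient.get("/20180608/vaults?compartmentId=" + compartment).get("result");
            for (Object vaultEntry : vaults) {
                Map<?, ?> vault = (Map<?, ?>) vaultEntry;
                if (!"ACTIVE".equals(vault.get("lifecycleState"))) {
                    continue;
                }

                // NOTE(review): the management endpoint is taken as-is from the vault listing
                // and receives a signed request; consider checking that it is an https URL
                // under the expected Oracle Cloud domain before using it.
                RESTClient keyClient = new RESTClient((String) vault.get("managementEndpoint")).authentication(this::sign).errorHandler(this::error);
                Object[] keys = (Object[]) keyClient.get("/20180608/keys?compartmentId=" + compartment).get("result");
                for (Object keyEntry : keys) {
                    Map<?, ?> key = (Map<?, ?>) keyEntry;
                    if ("ENABLED".equals(key.get("lifecycleState")) && !"EXTERNAL".equals(key.get("protectionMode"))) {
                        aliases.add((String) key.get("id"));
                    }
                }
            }
            return aliases;
        } catch (IOException e) {
            throw new KeyStoreException(e);
        }
    }

    /**
     * Returns the certificate chain provided by the certificate store for the specified key id.
     */
    @Override
    public Certificate[] getCertificateChain(String alias) {
        return this.certificateStore.apply(alias);
    }

    /**
     * Returns a handle on the remote key. The key algorithm is read from the public key of
     * the first certificate of the chain; the password is not used.
     *
     * @param alias    the identifier of the key
     * @param password ignored
     * @throws UnrecoverableKeyException if no certificate is available for the key
     */
    @Override
    public SigningServicePrivateKey getPrivateKey(String alias, char[] password) throws UnrecoverableKeyException {
        Certificate[] chain = getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            // Report the missing certificate through the declared exception instead of
            // failing with a NullPointerException/ArrayIndexOutOfBoundsException.
            throw new UnrecoverableKeyException("Unable to determine the algorithm of the key " + alias + ", no certificate found");
        }
        return new SigningServicePrivateKey(alias, chain[0].getPublicKey().getAlgorithm(), this);
    }

    /**
     * Signs the data with the remote key by posting a {@code RAW} message to the
     * {@code /20180608/sign} operation of the key's cryptographic endpoint.
     *
     * @param privateKey the handle on the remote key
     * @param algorithm  the Java name of the signature algorithm
     * @param data       the data to sign
     * @return the signature decoded from the response
     * @throws InvalidAlgorithmParameterException if the algorithm has no mapping
     * @throws GeneralSecurityException if the request to the service fails
     */
    @Override
    public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException {
        String signingAlgorithm = this.algorithmMapping.get(algorithm);
        if (signingAlgorithm == null) {
            throw new InvalidAlgorithmParameterException("Unsupported signing algorithm: " + algorithm);
        }

        Map<String, Object> request = new HashMap<>();
        request.put("keyId", privateKey.getId());
        request.put("messageType", "RAW");
        request.put("message", Base64.getEncoder().encodeToString(data));
        request.put("signingAlgorithm", signingAlgorithm);

        try {
            RESTClient client = new RESTClient(getKeyEndpoint(privateKey.getId())).authentication(this::sign).errorHandler(this::error);
            Map<String, ?> response = client.post("/20180608/sign", JsonWriter.format(request));
            return Base64.getDecoder().decode((String) response.get("signature"));
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Returns the base URL of the cryptographic endpoint of the specified key. The host
     * {@code <vault>-crypto.kms.<region>.oci.oraclecloud.com} is tried first, and replaced
     * with {@code <vault>-crypto.kms.<region>.oraclecloud.com} if it cannot be resolved.
     *
     * @param keyId the identifier of the key
     * @throws IllegalArgumentException if the key id does not match the expected syntax
     */
    String getKeyEndpoint(String keyId) {
        Matcher matcher = KEY_ID_PATTERN.matcher(keyId);
        if (!matcher.matches()) {
            throw new IllegalArgumentException("Invalid key id: " + keyId);
        }
        String region = matcher.group(1);
        String vault = matcher.group(2);

        String host = vault + "-crypto.kms." + region + ".oci.oraclecloud.com";
        if (isUnknownHost(host)) {
            host = vault + "-crypto.kms." + region + ".oraclecloud.com";
        }
        return "https://" + host;
    }

    /**
     * Tells whether the specified host name fails to resolve.
     */
    boolean isUnknownHost(String host) {
        try {
            InetAddress.getByName(host);
            return false;
        } catch (UnknownHostException e) {
            return true;
        }
    }

    /**
     * Authenticates a request: sets the {@code Date} header (plus the {@code Content-Length},
     * {@code Content-Type} and {@code x-content-sha256} headers when there is a body) and
     * adds an {@code Authorization} header holding the RSA-SHA256 signature of these values.
     *
     * @param connection the request to sign
     * @param body       the content of the request, or {@code null} if there is none
     */
    private void sign(HttpURLConnection connection, byte[] body) {
        StringBuilder headerNames = new StringBuilder();
        StringBuilder signingString = new StringBuilder();

        // A new formatter is created for each request, SimpleDateFormat isn't thread safe
        SimpleDateFormat dateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
        dateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
        String date = dateFormat.format(new Date());
        connection.setRequestProperty("Date", date);
        addSignedHeader(headerNames, signingString, "date", date);

        String query = connection.getURL().getQuery();
        String target = connection.getURL().getPath() + (query != null ? "?" + query : "");
        // Locale.ROOT keeps the lowercased method independent of the default locale
        addSignedHeader(headerNames, signingString, "(request-target)", connection.getRequestMethod().toLowerCase(Locale.ROOT) + " " + target);
        addSignedHeader(headerNames, signingString, "host", connection.getURL().getHost());

        if (body != null) {
            String contentLength = String.valueOf(body.length);
            connection.setRequestProperty("Content-Length", contentLength);
            addSignedHeader(headerNames, signingString, "content-length", contentLength);

            connection.setRequestProperty("Content-Type", "application/json");
            addSignedHeader(headerNames, signingString, "content-type", "application/json");

            // The digest of the body is part of the signed values, binding the content to the signature
            String contentDigest = Base64.getEncoder().encodeToString(DigestAlgorithm.SHA256.getMessageDigest().digest(body));
            connection.setRequestProperty("x-content-sha256", contentDigest);
            addSignedHeader(headerNames, signingString, "x-content-sha256", contentDigest);
        }

        byte[] signature = rsa256sign(this.credentials.getPrivateKey(), signingString.toString().trim());
        String authorization = String.format("Signature headers=\"%s\",keyId=\"%s\",algorithm=\"rsa-sha256\",signature=\"%s\",version=\"1\"",
                headerNames.toString().trim(), this.credentials.getKeyId(), Base64.getEncoder().encodeToString(signature));
        connection.setRequestProperty("Authorization", authorization);
    }

    /**
     * Appends the header name to the list of signed headers, and the
     * {@code name: value} line to the string to be signed.
     */
    private void addSignedHeader(StringBuilder headerNames, StringBuilder signingString, String name, String value) {
        headerNames.append(name).append(" ");
        signingString.append(name).append(": ").append(value).append("\n");
    }

    /**
     * Signs the UTF-8 encoded message with SHA256withRSA.
     *
     * @throws RuntimeException wrapping the {@link GeneralSecurityException} if the signature fails
     */
    private byte[] rsa256sign(PrivateKey privateKey, String message) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(privateKey);
            signature.update(message.getBytes(StandardCharsets.UTF_8));
            return signature.sign();
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Formats an error response as {@code code: message}.
     */
    private String error(Map<String, ?> response) {
        return response.get("code") + ": " + response.get("message");
    }
}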
