package io.quarkiverse.githubapp.runtime.signing;

import io.quarkiverse.githubapp.runtime.config.GitHubAppRuntimeConfig;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.inject.Singleton;

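/**
 * Checks the HMAC-SHA256 signature that accompanies a webhook payload against the
 * configured webhook secret.
 *
 * <p>The signature header is expected in the form {@code sha256=<lowercase hex digest>}.
 * The digest is computed over the raw payload bytes, so callers must pass the body exactly
 * as received, before any parsing or re-serialization.
 *
 * <p>When no webhook secret is configured the checker is disabled and {@link #matches}
 * throws. Whether unsigned deliveries are then accepted is decided by the caller and is not
 * visible in this class.
 */
@Singleton
public class PayloadSignatureChecker {
    private static final String HMAC_SHA256_ALGORITHM = "HmacSHA256";
    private static final String HEADER_SIGNATURE_PREFIX = "sha256=";
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    // Key material derived from the webhook secret; null when signature checking is disabled.
    private final SecretKeySpec secretKeySpec;
    // Pre-initialised Mac used as a clone template; never used directly for doFinal().
    private final Mac sharedMac;
    // Whether the provider's Mac implementation can be cloned (probed once at construction).
    private final boolean supportsClone;

    /**
     * Builds the checker from the runtime configuration.
     *
     * <p>If a webhook secret is present, its UTF-8 bytes become the HMAC key and a template
     * {@link Mac} is initialised eagerly, so a key the provider rejects fails here rather
     * than on the first delivery. If it is absent, the checker is left in the disabled state.
     *
     * @param gitHubAppRuntimeConfig runtime configuration holding the optional webhook secret
     */
    PayloadSignatureChecker(GitHubAppRuntimeConfig gitHubAppRuntimeConfig) {
        if (gitHubAppRuntimeConfig.webhookSecret.isPresent()) {
            byte[] keyBytes = gitHubAppRuntimeConfig.webhookSecret.get().getBytes(StandardCharsets.UTF_8);
            this.secretKeySpec = new SecretKeySpec(keyBytes, HMAC_SHA256_ALGORITHM);
            this.sharedMac = createNewMacInstance(this.secretKeySpec);
            this.supportsClone = supportsClone(this.sharedMac);
        } else {
            this.secretKeySpec = null;
            this.sharedMac = null;
            this.supportsClone = false;
        }
    }

    /**
     * Tells whether the signature header matches the HMAC-SHA256 of the payload.
     *
     * <p>A missing header, or one that does not start with {@code sha256=}, is treated as a
     * mismatch instead of raising an exception from {@code substring}; the header comes from
     * the network and must not be able to turn a rejected delivery into a server error.
     * The digest comparison itself uses {@link MessageDigest#isEqual}, so its timing does not
     * depend on where the two values first differ. The header digest is compared as text
     * against lowercase hex, so an uppercase digest does not match.
     *
     * @param bArr raw payload bytes exactly as received
     * @param str value of the signature header, including the {@code sha256=} prefix
     * @return {@code true} only if the header carries the expected digest
     * @throws IllegalStateException if no webhook secret is configured
     */
    public boolean matches(byte[] bArr, String str) {
        if (this.secretKeySpec == null || this.sharedMac == null) {
            throw new IllegalStateException("Payload signature checking is disabled, this method should not be called");
        }
        // The prefix is public, so rejecting early on it leaks nothing about the secret.
        if (str == null || !str.startsWith(HEADER_SIGNATURE_PREFIX)) {
            return false;
        }
        // Explicit charset: the platform default is not guaranteed to be ASCII-compatible.
        byte[] expected = hex(getMacInstance().doFinal(bArr)).getBytes(StandardCharsets.UTF_8);
        byte[] received = str.substring(HEADER_SIGNATURE_PREFIX.length()).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received);
    }

    /**
     * Probes whether the given {@link Mac} can be cloned.
     *
     * @param mac an initialised Mac instance
     * @return {@code true} if {@code clone()} succeeds, {@code false} if the provider does
     *         not support it
     */
    public static boolean supportsClone(Mac mac) {
        try {
            mac.clone();
            return true;
        } catch (CloneNotSupportedException e) {
            return false;
        }
    }

    /**
     * Returns a {@link Mac} that is private to the caller and keyed with the webhook secret.
     *
     * <p>A Mac carries internal state across {@code update}/{@code doFinal}, so the shared
     * template is cloned (or a new instance is created) instead of being handed out, which
     * keeps concurrent deliveries from corrupting each other's digest.
     *
     * <p>When no secret is configured this delegates to {@link #createNewMacInstance} with a
     * {@code null} key, which is expected to fail initialisation.
     *
     * @return an initialised Mac ready for a single signature computation
     */
    public Mac getMacInstance() {
        if (this.supportsClone) {
            try {
                return (Mac) this.sharedMac.clone();
            } catch (CloneNotSupportedException ignored) {
                // Cloning was probed successfully at construction; if it fails anyway,
                // fall through and build a new instance from the key.
            }
        }
        return createNewMacInstance(this.secretKeySpec);
    }

    /**
     * Creates and initialises an HMAC-SHA256 {@link Mac} with the given key.
     *
     * @param secretKeySpec the HMAC key
     * @return the initialised Mac
     * @throws IllegalStateException if the algorithm is unavailable or the key is rejected
     */
    public static Mac createNewMacInstance(SecretKeySpec secretKeySpec) {
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
            mac.init(secretKeySpec);
            return mac;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unable to initialize the payload signature checker", e);
        }
    }

    /**
     * Encodes bytes as lowercase hexadecimal, two characters per byte.
     *
     * @param bArr bytes to encode
     * @return the lowercase hex string, empty for an empty array
     */
    public static String hex(byte[] bArr) {
        // Table lookup instead of String.format per byte: same output, no formatter overhead
        // on every webhook delivery.
        char[] out = new char[bArr.length * 2];
        int pos = 0;
        for (byte b : bArr) {
            out[pos++] = HEX_DIGITS[(b >> 4) & 0x0f];
            out[pos++] = HEX_DIGITS[b & 0x0f];
        }
        return new String(out);
    }
}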
