package top.gabin.tools.auth;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.wechat.pay.contrib.apache.httpclient.Credentials;
import com.wechat.pay.contrib.apache.httpclient.WechatPayHttpClientBuilder;
import com.wechat.pay.contrib.apache.httpclient.auth.CertificatesVerifier;
import com.wechat.pay.contrib.apache.httpclient.auth.Verifier;
import com.wechat.pay.contrib.apache.httpclient.auth.WechatPay2Validator;
import com.wechat.pay.contrib.apache.httpclient.util.AesUtil;
import com.wechat.pay.contrib.apache.httpclient.util.PemUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:top/gabin/tools/auth/AutoUpdateInCloudCertificatesVerifier.class */
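/**
 * {@link Verifier} that downloads the WeChat Pay platform certificates and refreshes them
 * periodically.
 *
 * <p>Certificates are fetched from {@code /v3/certificates}, decrypted with the merchant's
 * APIv3 key, and kept either in memory (default) or in a shared {@link CacheService}
 * ("cloud" mode, enabled by {@link #setCacheService(CacheService)}). Signature checks are
 * delegated to a {@link CertificatesVerifier} or {@link CloudCertificatesVerifier} built
 * from the downloaded set.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The response signature of the certificate download is skipped only while no
 *       certificate set is known (first download). Every later refresh is validated against
 *       the certificates already trusted.</li>
 *   <li>{@link #verify(String, byte[], String)} fails closed (returns {@code false}) when no
 *       delegate verifier could be built.</li>
 * </ul>
 *
 * <p>Thread-safety: concurrent refreshes are serialized with a {@link ReentrantLock} taken
 * via {@code tryLock()}; the mutable fields other than {@code instant} are not volatile.
 */
public class AutoUpdateInCloudCertificatesVerifier implements Verifier {
    private static final Logger log = LoggerFactory.getLogger(AutoUpdateInCloudCertificatesVerifier.class);

    // Cache keys used in cloud mode. They were instance-level finals that the constructor
    // assigned a second time, which does not compile; they are plain constants.
    private static final String UPDATE_TIME_CACHE_KEY = "UPDATE_TIME_CACHE_KEY";
    private static final String NEW_CREDENTIALS_CACHE_KEY = "NEW_CREDENTIALS_CACHE_KEY";
    private static final String CERT_DOWNLOAD_PATH = "https://api.mch.weixin.qq.com/v3/certificates";

    // True once a CacheService has been installed; state then lives in the cache.
    private boolean cloud;
    private CacheService cacheService;
    // Time of the last refresh attempt that returned normally (in-memory mode only).
    private volatile Instant instant;
    private final int minutesInterval;
    // Delegate that performs the signature check; null until a certificate set is loaded
    // in in-memory mode.
    private Verifier verifier;
    private final Credentials credentials;
    // Merchant APIv3 key used to decrypt the downloaded certificates. Stored by reference,
    // not copied.
    private final byte[] apiV3Key;
    private final ReentrantLock lock = new ReentrantLock();
    private List<X509Certificate> certificateList;

    /** Predefined refresh intervals, expressed in minutes. */
    public enum TimeInterval {
        OneHour(60),
        SixHours(360),
        TwelveHours(720);

        private final int minutes;

        TimeInterval(int i) {
            this.minutes = i;
        }

        /** @return the interval length in minutes */
        public int getMinutes() {
            return this.minutes;
        }
    }

    /**
     * Not implemented by this verifier.
     *
     * @return always {@code null}
     */
    public String getSerialNo() {
        return null;
    }

    /**
     * Returns the current certificate set, downloading it first when none is available.
     *
     * @return the known certificates; an empty list when the download produced none
     * @throws RuntimeException wrapping the I/O or security failure of the download
     */
    public List<X509Certificate> getLastCertificateList() {
        List<X509Certificate> current = getCertificateList();
        // A cache miss in cloud mode, or a failed first download, leaves the list null.
        if (current == null || current.isEmpty()) {
            try {
                autoUpdateCert();
                setInstant(Instant.now());
            } catch (IOException | GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
            current = getCertificateList();
        }
        return current != null ? current : new ArrayList<>();
    }

    /** Reads the certificate set from the cache (cloud mode) or from memory; may be null. */
    @SuppressWarnings("unchecked") // the cache stores the list under a raw List.class token
    private List<X509Certificate> getCertificateList() {
        return this.cloud
                ? (List<X509Certificate>) this.cacheService.get(NEW_CREDENTIALS_CACHE_KEY, List.class)
                : this.certificateList;
    }

    /**
     * Creates an in-memory verifier refreshed every hour.
     *
     * @param credentials merchant credentials used to sign the download request
     * @param bArr merchant APIv3 key used to decrypt the certificates
     */
    public AutoUpdateInCloudCertificatesVerifier(Credentials credentials, byte[] bArr) {
        this(credentials, bArr, TimeInterval.OneHour.getMinutes(), null);
    }

    /**
     * Creates a verifier refreshed every hour that keeps its state in {@code cacheService}.
     *
     * @param credentials merchant credentials used to sign the download request
     * @param bArr merchant APIv3 key used to decrypt the certificates
     * @param cacheService shared cache; {@code null} selects in-memory mode
     */
    public AutoUpdateInCloudCertificatesVerifier(Credentials credentials, byte[] bArr, CacheService cacheService) {
        this(credentials, bArr, TimeInterval.OneHour.getMinutes(), cacheService);
    }

    /**
     * Creates the verifier and performs the first certificate download immediately.
     *
     * @param credentials merchant credentials used to sign the download request
     * @param bArr merchant APIv3 key used to decrypt the certificates
     * @param i refresh interval in minutes
     * @param cacheService shared cache; {@code null} selects in-memory mode
     * @throws RuntimeException wrapping the I/O or security failure of the first download
     */
    public AutoUpdateInCloudCertificatesVerifier(Credentials credentials, byte[] bArr, int i, CacheService cacheService) {
        this.credentials = credentials;
        this.apiV3Key = bArr;
        this.minutesInterval = i;
        if (cacheService != null) {
            setCacheService(cacheService);
        }
        try {
            autoUpdateCert();
            setInstant(Instant.now());
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /** @return the time of the last refresh, from the cache in cloud mode; may be null */
    public Instant getInstant() {
        return !this.cloud ? this.instant : (Instant) this.cacheService.get(UPDATE_TIME_CACHE_KEY, Instant.class);
    }

    /**
     * Records the time of the last refresh, in the cache when in cloud mode.
     *
     * @param instant refresh time to store
     */
    public void setInstant(Instant instant) {
        if (this.cloud) {
            this.cacheService.cache(UPDATE_TIME_CACHE_KEY, instant);
        } else {
            this.instant = instant;
        }
    }

    /** @return the installed cache, or {@code null} in in-memory mode */
    public CacheService getCacheService() {
        return this.cacheService;
    }

    /**
     * Switches to cloud mode: state is read from and written to {@code cacheService}, and
     * signature checks are delegated to a {@link CloudCertificatesVerifier} over it.
     *
     * @param cacheService shared cache to use
     */
    public void setCacheService(CacheService cacheService) {
        this.cacheService = cacheService;
        this.cloud = true;
        this.verifier = new CloudCertificatesVerifier(cacheService);
    }

    /**
     * Refreshes the certificates when the interval has elapsed, then delegates the check.
     *
     * <p>The three arguments are passed through unchanged to the delegate verifier
     * (presumably certificate serial number, signed message and signature; confirm against
     * the {@link Verifier} contract). A failed refresh is logged and the check proceeds
     * with the certificates already loaded.
     *
     * @return the delegate's result, or {@code false} when no delegate is available
     */
    @Override
    public boolean verify(String str, byte[] bArr, String str2) {
        // tryLock: only one thread refreshes; the others verify with the current set.
        if (invalidInstant() && this.lock.tryLock()) {
            try {
                autoUpdateCert();
                setInstant(Instant.now());
            } catch (IOException | GeneralSecurityException e) {
                log.warn("Auto update cert failed, exception = " + e);
            } finally {
                this.lock.unlock();
            }
        }
        // Fail closed: without a loaded certificate set nothing can be verified.
        Verifier delegate = this.verifier;
        return delegate != null && delegate.verify(str, bArr, str2);
    }

    /** @return true when no refresh time is recorded or the refresh interval has elapsed */
    private boolean invalidInstant() {
        Instant instant = getInstant();
        return instant == null || Duration.between(instant, Instant.now()).toMinutes() >= ((long) this.minutesInterval);
    }

    /**
     * Downloads the platform certificates and installs them as the active set.
     *
     * <p>A non-200 response or an empty certificate list is logged and the method returns
     * normally, so callers still advance the refresh timestamp in that case.
     *
     * @throws IOException on transport failure or a malformed response
     * @throws GeneralSecurityException when a certificate cannot be decrypted
     */
    private void autoUpdateCert() throws IOException, GeneralSecurityException {
        // Skip response-signature validation only for the first download, when there is no
        // trusted certificate to validate with. The previous condition (invalidInstant())
        // was true on every scheduled refresh, so refreshed certificates were accepted
        // without a signature check and rested on the APIv3-key decryption alone.
        // NOTE(review): in cloud mode this assumes CloudCertificatesVerifier can resolve the
        // certificates cached under CloudCertificatesVerifier.CACHE_KEY; confirm.
        List<X509Certificate> known = getCertificateList();
        boolean bootstrap = this.verifier == null || known == null || known.isEmpty();

        int statusCode;
        String body;
        // Close both the client and the response; they were previously leaked on each refresh.
        try (CloseableHttpClient httpClient = WechatPayHttpClientBuilder.create()
                .withCredentials(this.credentials)
                .withValidator(bootstrap ? closeableHttpResponse -> {
                    return true;
                } : new WechatPay2Validator(this.verifier))
                .build()) {
            HttpGet httpGet = new HttpGet(CERT_DOWNLOAD_PATH);
            httpGet.addHeader("Accept", "application/json");
            try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
                statusCode = response.getStatusLine().getStatusCode();
                body = EntityUtils.toString(response.getEntity());
            }
        }
        if (statusCode != 200) {
            log.warn("Auto update cert failed, statusCode = " + statusCode + ",body = " + body);
            return;
        }
        List<X509Certificate> downloaded = deserializeToCerts(this.apiV3Key, body);
        if (downloaded.isEmpty()) {
            log.warn("Cert list is empty");
            return;
        }
        if (!this.cloud) {
            this.certificateList = downloaded;
            this.verifier = new CertificatesVerifier(downloaded);
            return;
        }
        this.cacheService.cache(NEW_CREDENTIALS_CACHE_KEY, downloaded);
        // Serial-number index stored under the key CloudCertificatesVerifier exposes.
        HashMap<java.math.BigInteger, X509Certificate> bySerial = new HashMap<>();
        for (X509Certificate certificate : downloaded) {
            bySerial.put(certificate.getSerialNumber(), certificate);
        }
        this.cacheService.cache(CloudCertificatesVerifier.CACHE_KEY, bySerial);
    }

    /**
     * Decrypts and parses the certificates in a {@code /v3/certificates} response body.
     *
     * @param bArr merchant APIv3 key
     * @param str JSON response body
     * @return the certificates that are currently within their validity period
     * @throws GeneralSecurityException when decryption fails
     * @throws IOException when the body is not valid JSON or an entry lacks a required field
     */
    private List<X509Certificate> deserializeToCerts(byte[] bArr, String str) throws GeneralSecurityException, IOException {
        AesUtil aesUtil = new AesUtil(bArr);
        JsonNode data = new ObjectMapper().readTree(str).get("data");
        List<X509Certificate> certificates = new ArrayList<>();
        if (data == null) {
            return certificates;
        }
        int size = data.size();
        for (int i = 0; i < size; i++) {
            JsonNode entry = data.get(i);
            JsonNode encrypted = entry == null ? null : entry.get("encrypt_certificate");
            // A malformed entry is reported as IOException, which the callers handle,
            // rather than escaping as a NullPointerException.
            if (encrypted == null) {
                throw new IOException("Certificate download response is missing field 'encrypt_certificate'");
            }
            String pem = aesUtil.decryptToString(
                    requiredField(encrypted, "associated_data").getBytes("utf-8"),
                    requiredField(encrypted, "nonce").getBytes("utf-8"),
                    requiredField(encrypted, "ciphertext"));
            X509Certificate certificate = PemUtil.loadCertificate(new ByteArrayInputStream(pem.getBytes("utf-8")));
            try {
                certificate.checkValidity();
                certificates.add(certificate);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                // Deliberately skipped, but no longer silently: an operator needs to see
                // why a downloaded certificate is not part of the active set.
                log.warn("Skipping platform certificate outside its validity period, serial = {}, reason = {}",
                        certificate.getSerialNumber().toString(16), e.toString());
            }
        }
        return certificates;
    }

    /** Returns the named field with its JSON quotes removed, or fails when it is absent. */
    private static String requiredField(JsonNode node, String name) throws IOException {
        JsonNode value = node.get(name);
        if (value == null) {
            throw new IOException("Certificate download response is missing field '" + name + "'");
        }
        return value.toString().replaceAll("\"", "");
    }
}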
