package cn.felord.payment.wechat.v3;

import cn.felord.payment.PayException;
import cn.felord.payment.wechat.enumeration.WeChatServer;
import cn.felord.payment.wechat.enumeration.WechatPayV3Type;
import cn.felord.payment.wechat.v3.model.ResponseSignVerifyParams;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.util.AlternativeJdkIdGenerator;
import org.springframework.util.Base64Utils;
import org.springframework.util.IdGenerator;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:cn/felord/payment/wechat/v3/SignatureProvider.class */
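/**
 * Signs outgoing WeChat Pay v3 requests and verifies the signatures on responses and callbacks.
 *
 * <p>Requests are signed with the tenant's RSA private key ({@code SHA256withRSA}). Responses are
 * verified against certificates downloaded from the {@link WechatPayV3Type#CERT} endpoint and
 * decrypted with the tenant's API v3 secret (AES-GCM). The certificate cache is static, so it is
 * shared by every instance of this class in the JVM.
 */
public class SignatureProvider {
    /** Authorization scheme; the trailing space separates it from the token built from {@link #TOKEN_PATTERN}. */
    private static final String SCHEMA = "WECHATPAY2-SHA256-RSA2048 ";
    public static final String TOKEN_PATTERN = "mchid=\"%s\",nonce_str=\"%s\",timestamp=\"%d\",serial_no=\"%s\",signature=\"%s\"";
    // NOTE(review): a default RestTemplate configures no connect/read timeout. The certificate
    // refresh runs under the instance lock, so a stalled connection stalls every caller waiting
    // on a refresh. Consider injecting a client with explicit timeouts.
    private final RestOperations restOperations = new RestTemplate();
    private final WechatMetaContainer wechatMetaContainer;
    // Request nonces only need to be unique per request: authenticity comes from the RSA
    // signature, not from the nonce being unpredictable.
    private static final IdGenerator ID_GENERATOR = new AlternativeJdkIdGenerator();
    /** Certificates used to verify responses, keyed by certificate serial number. */
    private static final Map<String, Certificate> CERTIFICATE_MAP = new ConcurrentHashMap<>();

    /**
     * Creates the provider and downloads the verification certificates of every tenant.
     *
     * @param wechatMetaContainer source of per-tenant keys, merchant ids and API v3 secrets
     * @throws PayException if the certificates cannot be fetched, decrypted or parsed
     */
    public SignatureProvider(WechatMetaContainer wechatMetaContainer) {
        this.wechatMetaContainer = Objects.requireNonNull(wechatMetaContainer, "wechatMetaContainer");
        refreshCertificates();
    }

    /**
     * Builds the {@code Authorization} header value for one request.
     *
     * @param str tenant id used to look up the signing key and merchant data
     * @param str2 HTTP method name
     * @param str3 request path including the query string, if any
     * @param str4 request body, or the empty string when there is none
     * @return the scheme followed by the signed token
     * @throws PayException if the signature cannot be produced
     */
    public String requestSign(String str, String str2, String str3, String str4) {
        WechatMetaBean wechatMeta = this.wechatMetaContainer.getWechatMeta(str);
        long timestamp = System.currentTimeMillis() / 1000;
        String nonce = ID_GENERATOR.generateId().toString().replace("-", "");
        String message = createSign(str2, str3, String.valueOf(timestamp), nonce, str4);
        try {
            Signature signer = Signature.getInstance("SHA256withRSA");
            signer.initSign(wechatMeta.getKeyPair().getPrivate());
            signer.update(message.getBytes(StandardCharsets.UTF_8));
            String encodedSignature = Base64Utils.encodeToString(signer.sign());
            return SCHEMA.concat(String.format(TOKEN_PATTERN, wechatMeta.getV3().getMchId(), nonce, timestamp, wechatMeta.getSerialNumber(), encodedSignature));
        } catch (GeneralSecurityException e) {
            // Wrapped so the method keeps a signature without checked exceptions.
            throw new PayException(e);
        }
    }

    /**
     * Verifies the signature carried by a response or callback.
     *
     * <p>The method fails closed: a missing serial or signature, an unknown serial, malformed
     * Base64 or a malformed signature all yield {@code false} instead of an exception.
     *
     * <p>NOTE(review): only the signature is checked here. The age of the timestamp is not
     * bounded and nonces are not tracked, so replay protection has to be enforced by the caller.
     *
     * @param responseSignVerifyParams serial, timestamp, nonce, body and signature to verify
     * @return {@code true} only if the signature matches a cached certificate
     * @throws PayException if the verifier cannot be initialised or a certificate refresh fails
     */
    public boolean responseSignVerify(ResponseSignVerifyParams responseSignVerifyParams) {
        String wechatpaySerial = responseSignVerifyParams.getWechatpaySerial();
        String encodedSignature = responseSignVerifyParams.getWechatpaySignature();
        if (wechatpaySerial == null || encodedSignature == null) {
            return false;
        }
        // NOTE(review): the serial is read before anything is verified, so every message with an
        // unknown serial causes a certificate download for all tenants. Rate-limit this refresh
        // if the endpoint feeding this method is reachable by untrusted senders.
        if (!CERTIFICATE_MAP.containsKey(wechatpaySerial)) {
            refreshCertificates();
        }
        Certificate certificate = CERTIFICATE_MAP.get(wechatpaySerial);
        if (certificate == null) {
            // Still unknown after a refresh: reject rather than pass null to initVerify.
            return false;
        }
        byte[] signatureBytes;
        try {
            signatureBytes = Base64Utils.decodeFromString(encodedSignature);
        } catch (IllegalArgumentException e) {
            return false;
        }
        String message = createSign(responseSignVerifyParams.getWechatpayTimestamp(), responseSignVerifyParams.getWechatpayNonce(), responseSignVerifyParams.getBody());
        Signature verifier;
        try {
            verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(certificate);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new PayException(e);
        }
        try {
            verifier.update(message.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(signatureBytes);
        } catch (GeneralSecurityException e) {
            // A signature the provider cannot even parse is an invalid signature.
            return false;
        }
    }

    /**
     * Re-downloads the certificates of all tenants and swaps them into the shared cache.
     *
     * <p>The new set is collected first and installed only when every tenant was fetched
     * successfully. This keeps one tenant's refresh from evicting another tenant's certificates,
     * and readers never observe an empty cache. Serials that are no longer returned are dropped.
     */
    private synchronized void refreshCertificates() {
        Map<String, Certificate> fresh = new ConcurrentHashMap<>();
        this.wechatMetaContainer.getTenantIds().forEach(tenantId -> fresh.putAll(fetchCertificates(tenantId)));
        if (fresh.isEmpty()) {
            // Nothing usable came back; keep the certificates already cached.
            return;
        }
        CERTIFICATE_MAP.putAll(fresh);
        CERTIFICATE_MAP.keySet().retainAll(fresh.keySet());
    }

    /**
     * Downloads and decrypts the verification certificates for one tenant.
     *
     * @param tenantId tenant whose key signs the request and whose secret decrypts the answer
     * @return certificates keyed by serial number; empty if the response lists none
     * @throws PayException if the response has no body or an entry cannot be decrypted or parsed
     */
    private Map<String, Certificate> fetchCertificates(String tenantId) {
        UriComponents endpoint = UriComponentsBuilder.fromHttpUrl(WechatPayV3Type.CERT.uri(WeChatServer.CHINA)).build();
        String canonicalUrl = endpoint.getPath();
        String query = endpoint.getQuery();
        if (query != null) {
            canonicalUrl = canonicalUrl + "?" + query;
        }
        HttpMethod method = WechatPayV3Type.CERT.method();
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
        httpHeaders.add("Authorization", requestSign(tenantId, method.name(), canonicalUrl, ""));
        httpHeaders.add("User-Agent", "X-Pay-Service");
        ObjectNode responseBody = this.restOperations.exchange(new RequestEntity<Void>(httpHeaders, method, endpoint.toUri()), ObjectNode.class).getBody();
        if (Objects.isNull(responseBody)) {
            throw new PayException("cant obtain the response body");
        }
        Map<String, Certificate> parsed = new ConcurrentHashMap<>();
        ArrayNode entries = responseBody.withArray("data");
        if (entries.size() == 0) {
            return parsed;
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
            for (JsonNode entry : entries) {
                // NOTE(review): serial_no is read from the array element and the three encrypted
                // fields from its encrypt_certificate child; confirm against the API response.
                JsonNode encrypted = entry.path("encrypt_certificate");
                String serialNo = entry.path("serial_no").asText();
                if (serialNo.isEmpty()) {
                    throw new PayException("certificate entry without serial_no");
                }
                String pem = decryptResponseBody(tenantId, encrypted.path("associated_data").asText(), encrypted.path("nonce").asText(), encrypted.path("ciphertext").asText());
                parsed.put(serialNo, certificateFactory.generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8))));
            }
        } catch (CertificateException e) {
            // An unparsable certificate aborts the refresh instead of being cached as null.
            throw new PayException(e);
        }
        return parsed;
    }

    /**
     * Decrypts an AES-GCM protected payload with the tenant's API v3 secret.
     *
     * <p>GCM authenticates both the ciphertext and the associated data, so a payload that was
     * modified in transit fails here with a {@link PayException}.
     *
     * @param str tenant id whose API v3 secret is the AES key
     * @param str2 associated data (AAD)
     * @param str3 nonce used as the GCM IV
     * @param str4 Base64-encoded ciphertext including the 128-bit tag
     * @return the decrypted payload as UTF-8 text
     * @throws PayException if the key or parameters are rejected or authentication fails
     */
    public String decryptResponseBody(String str, String str2, String str3, String str4) {
        try {
            byte[] keyBytes = this.wechatMetaContainer.getWechatMeta(str).getV3().getAppV3Secret().getBytes(StandardCharsets.UTF_8);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new GCMParameterSpec(128, str3.getBytes(StandardCharsets.UTF_8)));
            cipher.updateAAD(str2.getBytes(StandardCharsets.UTF_8));
            return new String(cipher.doFinal(Base64Utils.decodeFromString(str4)), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new PayException(e);
        }
    }

    /**
     * Returns the container holding the per-tenant WeChat Pay configuration.
     *
     * @return the container passed to the constructor
     */
    public WechatMetaContainer wechatMetaContainer() {
        return this.wechatMetaContainer;
    }

    /**
     * Builds the string to be signed: each component followed by a line feed.
     *
     * @param components values in the order they are signed
     * @return the components joined by {@code "\n"} with a trailing {@code "\n"}
     */
    private String createSign(String... components) {
        return String.join("\n", components) + "\n";
    }
}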
