package me.youm.frame.pay.wechat.v3;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import me.youm.frame.common.exception.PayException;
import me.youm.frame.pay.wechat.enumeration.WeChatServer;
import me.youm.frame.pay.wechat.enumeration.WechatPayV3Type;
import me.youm.frame.pay.wechat.v3.model.ResponseSignVerifyParams;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.util.AlternativeJdkIdGenerator;
import org.springframework.util.Base64Utils;
import org.springframework.util.IdGenerator;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:me/youm/frame/pay/wechat/v3/SignatureProvider.class */
public class SignatureProvider {
    private static final String SCHEMA = "WECHATPAY2-SHA256-RSA2048 ";
    public static final String TOKEN_PATTERN = "mchid=\"%s\",nonce_str=\"%s\",timestamp=\"%d\",serial_no=\"%s\",signature=\"%s\"";
    private static final String BC_PROVIDER = "BC";
    private final WechatMetaContainer wechatMetaContainer;
    private static final Logger log = LoggerFactory.getLogger(SignatureProvider.class);
    private static final Map<String, Certificate> CERTIFICATE_MAP = new ConcurrentHashMap();
    private final IdGenerator nonceStrGenerator = new AlternativeJdkIdGenerator();
    private final RestOperations restOperations = new RestTemplate();

    public SignatureProvider(WechatMetaContainer wechatMetaContainer) {
        Security.addProvider(new BouncyCastleProvider());
        this.wechatMetaContainer = wechatMetaContainer;
        wechatMetaContainer.getTenantIds().forEach(this::refreshCertificate);
    }

    public String requestSign(boolean z, String str, String str2, String str3, String str4) {
        long epochSecond = LocalDateTime.now().toEpochSecond(ZoneOffset.of("+8"));
        String replaceAll = this.nonceStrGenerator.generateId().toString().replaceAll("-", "");
        WechatMetaBean wechatMeta = this.wechatMetaContainer.getWechatMeta(str);
        return SCHEMA.concat(String.format(TOKEN_PATTERN, wechatMeta.getV3().getMchId(), replaceAll, Long.valueOf(epochSecond), wechatMeta.getSerialNumber(), doRequestSign(z, wechatMeta.getKeyPair().getPrivate(), str2, str3, String.valueOf(epochSecond), replaceAll, str4)));
    }

    public String doRequestSign(boolean z, PrivateKey privateKey, String... strArr) {
        Signature signature = Signature.getInstance("SHA256withRSA", BC_PROVIDER);
        signature.initSign(privateKey);
        signature.update(createSign(z, strArr).getBytes(StandardCharsets.UTF_8));
        return Base64Utils.encodeToString(signature.sign());
    }

    public boolean responseSignVerify(ResponseSignVerifyParams responseSignVerifyParams) {
        String wechatpaySerial = responseSignVerifyParams.getWechatpaySerial();
        if (CERTIFICATE_MAP.isEmpty() || !CERTIFICATE_MAP.containsKey(wechatpaySerial)) {
            this.wechatMetaContainer.getTenantIds().forEach(this::refreshCertificate);
        }
        Certificate certificate = CERTIFICATE_MAP.get(wechatpaySerial);
        String createSign = createSign(true, responseSignVerifyParams.getWechatpayTimestamp(), responseSignVerifyParams.getWechatpayNonce(), responseSignVerifyParams.getBody());
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initVerify(certificate);
        signature.update(createSign.getBytes(StandardCharsets.UTF_8));
        return signature.verify(Base64Utils.decodeFromString(responseSignVerifyParams.getWechatpaySignature()));
    }

    private synchronized void refreshCertificate(String str) {
        UriComponents build = UriComponentsBuilder.fromHttpUrl(WechatPayV3Type.CERT.uri(WeChatServer.CHINA)).build();
        String path = build.getPath();
        String query = build.getQuery();
        if (query != null) {
            path = path + "?" + query;
        }
        HttpMethod method = WechatPayV3Type.CERT.method();
        String requestSign = requestSign(true, str, method.name(), path, "");
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
        httpHeaders.add("Authorization", requestSign);
        httpHeaders.add("User-Agent", "X-Pay-Service");
        ObjectNode objectNode = (ObjectNode) this.restOperations.exchange(new RequestEntity(httpHeaders, method, build.toUri()), ObjectNode.class).getBody();
        if (Objects.isNull(objectNode)) {
            throw new PayException("cant obtain the response body");
        }
        ArrayNode withArray = objectNode.withArray("data");
        if (withArray.isArray() && withArray.size() > 0) {
            CERTIFICATE_MAP.clear();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X509", BC_PROVIDER);
            withArray.forEach(jsonNode -> {
                JsonNode jsonNode = jsonNode.get("encrypt_certificate");
                try {
                    Certificate generateCertificate = certificateFactory.generateCertificate(new ByteArrayInputStream(decryptResponseBody(str, jsonNode.get("associated_data").asText(), jsonNode.get("nonce").asText(), jsonNode.get("ciphertext").asText()).getBytes(StandardCharsets.UTF_8)));
                    CERTIFICATE_MAP.put(jsonNode.get("serial_no").asText(), generateCertificate);
                } catch (CertificateException e) {
                    throw new PayException("An error occurred while generating the wechat v3 certificate, reason : " + e.getMessage());
                }
            });
        }
    }

    public String decryptResponseBody(String str, String str2, String str3, String str4) {
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", BC_PROVIDER);
            cipher.init(2, new SecretKeySpec(this.wechatMetaContainer.getWechatMeta(str).getV3().getAppV3Secret().getBytes(StandardCharsets.UTF_8), "AES"), new GCMParameterSpec(128, str3.getBytes(StandardCharsets.UTF_8)));
            cipher.updateAAD(str2.getBytes(StandardCharsets.UTF_8));
            try {
                return new String(cipher.doFinal(Base64Utils.decodeFromString(str4)), StandardCharsets.UTF_8);
            } catch (GeneralSecurityException e) {
                throw new PayException("wechat pay general security exception");
            }
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e2) {
            throw new PayException("wechat pay decrypt responseBody failed");
        }
    }

    public String encryptRequestMessage(String str, Certificate certificate) {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding", BC_PROVIDER);
            cipher.init(1, certificate.getPublicKey());
            return Base64Utils.encodeToString(cipher.doFinal(str.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            throw new PayException("wechat pay encrypt request message exception");
        }
    }

    public X509WechatCertificateInfo getCertificate() {
        for (String str : CERTIFICATE_MAP.keySet()) {
            X509Certificate x509Certificate = (X509Certificate) CERTIFICATE_MAP.get(str);
            try {
                x509Certificate.checkValidity();
                X509WechatCertificateInfo x509WechatCertificateInfo = new X509WechatCertificateInfo();
                x509WechatCertificateInfo.setWechatPaySerial(str);
                x509WechatCertificateInfo.setX509Certificate(x509Certificate);
                return x509WechatCertificateInfo;
            } catch (Exception e) {
                log.warn("the wechat certificate is invalid , {}", e.getMessage());
                this.wechatMetaContainer.getTenantIds().forEach(this::refreshCertificate);
            }
        }
        throw new PayException("failed to obtain wechat pay x509Certificate ");
    }

    public WechatMetaContainer wechatMetaContainer() {
        return this.wechatMetaContainer;
    }

    public IdGenerator nonceStrGenerator() {
        return this.nonceStrGenerator;
    }

    private static String createSign(boolean z, String... strArr) {
        return (String) Arrays.stream(strArr).collect(Collectors.joining("\n", "", z ? "\n" : ""));
    }
}
