package com.wechat.pay.contrib.apache.httpclient.cert;

import com.tunshugongshe.client.webchat.core.cipher.Constant;
import com.wechat.pay.contrib.apache.httpclient.Credentials;
import com.wechat.pay.contrib.apache.httpclient.Validator;
import com.wechat.pay.contrib.apache.httpclient.WechatPayHttpClientBuilder;
import com.wechat.pay.contrib.apache.httpclient.auth.Verifier;
import com.wechat.pay.contrib.apache.httpclient.auth.WechatPay2Validator;
import com.wechat.pay.contrib.apache.httpclient.exception.HttpCodeException;
import com.wechat.pay.contrib.apache.httpclient.exception.NotFoundException;
import com.wechat.pay.contrib.apache.httpclient.util.CertSerializeUtil;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes2.dex */
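/**
 * Process-wide cache of WeChat Pay platform certificates, keyed by merchant id and then by
 * certificate serial number, with a background job that re-downloads them every
 * {@link #UPDATE_INTERVAL_MINUTE} minutes.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The first download for a merchant (see {@code initCertificates}) runs with a validator
 *       that accepts every response, because no platform certificate exists yet to check the
 *       response signature. Whether that payload is authenticated therefore depends on what
 *       {@code CertSerializeUtil.deserializeToCerts} does with the API v3 key, which is not
 *       visible in this file. NOTE(review): confirm it performs authenticated decryption.</li>
 *   <li>Merchant {@code Credentials} and API v3 keys are held in memory for the lifetime of
 *       the singleton.</li>
 *   <li>NOTE(review): this copy was recovered from an application dex. If the merchant
 *       credentials or the API v3 key are provisioned on the device, they are recoverable from
 *       the package. Confirm they are only ever handled server-side.</li>
 * </ul>
 *
 * <p>Thread-safety: the maps are concurrent; {@code putMerchant}, {@code setProxy} and the
 * download routine are additionally serialized on the instance monitor.
 */
public class CertificatesManager {
    private static final String CERT_DOWNLOAD_PATH = "https://api.mch.weixin.qq.com/v3/certificates";
    private static final String SCHEDULE_UPDATE_CERT_THREAD_NAME = "scheduled_update_cert_thread";
    /** Period of the background certificate refresh, in minutes. */
    protected static final int UPDATE_INTERVAL_MINUTE = 1440;
    private static final Logger log = LoggerFactory.getLogger(CertificatesManager.class);
    private static volatile CertificatesManager instance = null;

    // merchantId -> API v3 key bytes handed to CertSerializeUtil when a download is decoded.
    private final ConcurrentHashMap<String, byte[]> apiV3Keys = new ConcurrentHashMap<>();
    // merchantId -> (certificate serial number -> platform certificate).
    private final ConcurrentHashMap<String, ConcurrentHashMap<BigInteger, X509Certificate>> certificates = new ConcurrentHashMap<>();
    // merchantId -> credentials used to sign the certificate download request.
    private final ConcurrentHashMap<String, Credentials> credentialsMap = new ConcurrentHashMap<>();
    private ScheduledExecutorService executor;
    private HttpHost proxy;

    /**
     * Verifier bound to one merchant; it checks signatures against the certificates currently
     * cached for that merchant in the enclosing manager.
     */
    public class DefaultVerifier implements Verifier {
        private final String merchantId;

        private DefaultVerifier(String str) {
            this.merchantId = str;
        }

        /**
         * Returns the newest cached certificate for this merchant.
         *
         * @throws NoSuchElementException if no currently valid certificate is cached
         */
        @Override
        public X509Certificate getValidCertificate() {
            try {
                return CertificatesManager.this.getLatestCertificate(this.merchantId);
            } catch (NotFoundException unused) {
                throw new NoSuchElementException("没有有效的微信支付平台证书");
            }
        }

        /**
         * Verifies a Base64-encoded signature over a message with the cached certificate
         * that has the given serial number.
         *
         * @param str  certificate serial number, hexadecimal
         * @param bArr message bytes that were signed
         * @param str2 Base64-encoded signature
         * @return {@code true} only if the signature verifies; {@code false} if no certificate
         *         with that serial is cached for the merchant
         * @throws IllegalArgumentException if an argument is null or empty, the serial is not
         *         hexadecimal, or the signature is not valid Base64
         * @throws RuntimeException if the certificate key is unusable, the algorithm is
         *         unavailable, or the signature engine fails
         */
        @Override
        public boolean verify(String str, byte[] bArr, String str2) {
            if (str == null || bArr == null || str2 == null
                    || str.isEmpty() || bArr.length == 0 || str2.isEmpty()) {
                throw new IllegalArgumentException("serialNumber或message或signature为空");
            }
            // The serial normally arrives from a response header; a non-hex value raises
            // NumberFormatException (an IllegalArgumentException), so verification fails closed.
            BigInteger serial = new BigInteger(str, 16);
            ConcurrentHashMap<BigInteger, X509Certificate> merchantCerts =
                    CertificatesManager.this.certificates.get(this.merchantId);
            // An unknown merchant is handled like an unknown serial instead of dereferencing null.
            X509Certificate x509Certificate = merchantCerts == null ? null : merchantCerts.get(serial);
            if (x509Certificate == null) {
                CertificatesManager.log.error("商户证书为空，serialNumber:{}", str);
                return false;
            }
            // NOTE(review): the certificate's validity period is not re-checked here, so a
            // certificate that expires between two refreshes is still used until the next one.
            try {
                // Presumably "SHA256withRSA", judging by the error message below; confirm in Constant.
                Signature signature = Signature.getInstance(Constant.SHA256WITHRSA);
                signature.initVerify(x509Certificate);
                signature.update(bArr);
                return signature.verify(Base64.getDecoder().decode(str2));
            } catch (InvalidKeyException e) {
                throw new RuntimeException("无效的证书", e);
            } catch (NoSuchAlgorithmException e2) {
                throw new RuntimeException("当前Java环境不支持SHA256withRSA", e2);
            } catch (SignatureException e3) {
                throw new RuntimeException("签名验证过程发生了错误", e3);
            }
        }
    }

    private CertificatesManager() {
    }

    /** Starts the periodic refresh; the first run is scheduled immediately. */
    private void beginScheduleUpdate() {
        this.executor = new SafeSingleScheduleExecutor();
        this.executor.scheduleAtFixedRate(this::m58xdc86f34b, 0L, UPDATE_INTERVAL_MINUTE, TimeUnit.MINUTES);
    }

    /**
     * Downloads the platform certificates for one merchant and swaps them into the cache.
     *
     * @param str         merchant id
     * @param verifier    verifier for the response signature, or {@code null} on the very first
     *                    download, in which case the response is accepted unverified
     * @param credentials credentials used to sign the request
     * @param bArr        API v3 key passed to {@code CertSerializeUtil.deserializeToCerts}
     * @throws HttpCodeException if the endpoint answers with a status other than 200
     * @throws IOException on transport failure
     * @throws GeneralSecurityException if the downloaded payload cannot be decoded
     */
    private synchronized void downloadAndUpdateCert(String str, Verifier verifier, Credentials credentials, byte[] bArr) throws HttpCodeException, IOException, GeneralSecurityException {
        // Bootstrap case: with no cached certificate the response signature cannot be checked.
        Validator responseValidator = verifier == null
                ? CertificatesManager::lambda$downloadAndUpdateCert$1
                : new WechatPay2Validator(verifier);
        HttpGet httpGet = new HttpGet(CERT_DOWNLOAD_PATH);
        httpGet.addHeader("Accept", ContentType.APPLICATION_JSON.toString());
        // try-with-resources closes the response and the client on every path, including
        // the error-status and decode-failure paths.
        try (CloseableHttpClient client = WechatPayHttpClientBuilder.create()
                        .withCredentials(credentials)
                        .withValidator(responseValidator)
                        .withProxy(this.proxy)
                        .build();
                CloseableHttpResponse response = client.execute(httpGet)) {
            int statusCode = response.getStatusLine().getStatusCode();
            String body = EntityUtils.toString(response.getEntity());
            if (statusCode != 200) {
                log.error("Auto update cert failed, statusCode = {}, body = {}", statusCode, body);
                throw new HttpCodeException("下载平台证书返回状态码异常，状态码为:" + statusCode);
            }
            Map<BigInteger, X509Certificate> fresh = CertSerializeUtil.deserializeToCerts(bArr, body);
            if (fresh.isEmpty()) {
                // Keep the certificates already cached rather than wiping them.
                log.warn("Cert list is empty");
                return;
            }
            ConcurrentHashMap<BigInteger, X509Certificate> cached =
                    this.certificates.computeIfAbsent(str, k -> new ConcurrentHashMap<>());
            // Add the new set first and only then drop stale serials, so a concurrent verify()
            // never observes an empty map in the middle of a refresh.
            cached.putAll(fresh);
            cached.keySet().retainAll(fresh.keySet());
        }
    }

    /** Returns the lazily created singleton (double-checked locking on a volatile field). */
    public static CertificatesManager getInstance() {
        if (instance == null) {
            synchronized (CertificatesManager.class) {
                if (instance == null) {
                    instance = new CertificatesManager();
                }
            }
        }
        return instance;
    }

    /**
     * Returns the cached certificate with the latest {@code notBefore} date for a merchant,
     * provided it is valid right now.
     *
     * @param str merchant id
     * @throws IllegalArgumentException if the merchant id is null or empty
     * @throws NotFoundException if nothing is cached, or the newest certificate is expired or
     *         not yet valid
     */
    public X509Certificate getLatestCertificate(String str) throws NotFoundException {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("merchantId为空");
        }
        ConcurrentHashMap<BigInteger, X509Certificate> merchantCerts = this.certificates.get(str);
        if (merchantCerts == null || merchantCerts.isEmpty()) {
            throw new NotFoundException("没有最新的平台证书，merchantId:" + str);
        }
        X509Certificate latest = null;
        for (X509Certificate candidate : merchantCerts.values()) {
            if (latest == null || candidate.getNotBefore().after(latest.getNotBefore())) {
                latest = candidate;
            }
        }
        if (latest == null) {
            // The map was emptied by another thread between the check and the iteration.
            throw new NotFoundException("没有最新的平台证书，merchantId:" + str);
        }
        try {
            latest.checkValidity();
            return latest;
        } catch (CertificateExpiredException | CertificateNotYetValidException unused) {
            log.error("平台证书未生效或已过期，merchantId:{}", str);
            throw new NotFoundException("没有最新的平台证书，merchantId:" + str);
        }
    }

    /** First download for a merchant; passes no verifier, so the response is not signature-checked. */
    private void initCertificates(String str, Credentials credentials, byte[] bArr) throws HttpCodeException, IOException, GeneralSecurityException {
        downloadAndUpdateCert(str, null, credentials, bArr);
    }

    /**
     * Accept-everything response validator used for the bootstrap download. This is the body of
     * a lambda that the decompiler surfaced as a method; the name is kept so that existing
     * references still resolve.
     */
    public static /* synthetic */ boolean lambda$downloadAndUpdateCert$1(CloseableHttpResponse closeableHttpResponse) throws IOException {
        return true;
    }

    /** Refreshes every registered merchant; a failure for one merchant is logged and skipped. */
    private void updateCertificates() {
        for (Map.Entry<String, Credentials> entry : this.credentialsMap.entrySet()) {
            String key = entry.getKey();
            try {
                downloadAndUpdateCert(key, new DefaultVerifier(key), entry.getValue(), this.apiV3Keys.get(key));
            } catch (Exception e) {
                log.error("downloadAndUpdateCert Failed.merchantId:{}, e:{}", key, e);
            }
        }
    }

    /**
     * Returns a verifier for a merchant that was registered through {@link #putMerchant}.
     *
     * @param str merchant id
     * @throws IllegalArgumentException if the merchant id is null or empty
     * @throws NotFoundException if certificates, API v3 key or credentials are missing
     */
    public Verifier getVerifier(String str) throws NotFoundException {
        // Validate before any lookup: ConcurrentHashMap.get(null) throws NullPointerException,
        // which would otherwise make this check unreachable for a null id.
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("merchantId为空");
        }
        ConcurrentHashMap<BigInteger, X509Certificate> merchantCerts = this.certificates.get(str);
        if (merchantCerts == null || merchantCerts.isEmpty()) {
            throw new NotFoundException("平台证书为空，merchantId:" + str);
        }
        byte[] apiV3Key = this.apiV3Keys.get(str);
        if (apiV3Key == null || apiV3Key.length == 0) {
            throw new NotFoundException("apiV3Key为空，merchantId:" + str);
        }
        if (this.credentialsMap.get(str) == null) {
            throw new NotFoundException("credentials为空，merchantId:" + str);
        }
        return new DefaultVerifier(str);
    }

    /**
     * One run of the scheduled refresh. This is the body of a lambda that the decompiler
     * surfaced as a method. Every Throwable is caught because an exception escaping a
     * scheduleAtFixedRate task suppresses all later runs.
     */
    public /* synthetic */ void m58xdc86f34b() {
        try {
            Thread.currentThread().setName(SCHEDULE_UPDATE_CERT_THREAD_NAME);
            log.info("Begin update Certificates.Date:{}", Instant.now());
            updateCertificates();
            log.info("Finish update Certificates.Date:{}", Instant.now());
        } catch (Throwable th) {
            log.error("Update Certificates failed", th);
        }
    }

    /**
     * Registers a merchant, downloads its platform certificates once, and starts the periodic
     * refresh if it is not running yet.
     *
     * @param str         merchant id
     * @param credentials credentials used to sign certificate download requests
     * @param bArr        API v3 key; the array is stored by reference, not copied
     * @throws IllegalArgumentException if an argument is null or empty
     * @throws HttpCodeException if the certificate endpoint answers with a status other than 200
     * @throws IOException on transport failure
     * @throws GeneralSecurityException if the downloaded payload cannot be decoded
     */
    public synchronized void putMerchant(String str, Credentials credentials, byte[] bArr) throws IOException, GeneralSecurityException, HttpCodeException {
        // Guard clauses: the nested-if form this replaces fell through to the merchantId
        // exception even after a successful registration.
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("merchantId为空");
        }
        if (credentials == null) {
            throw new IllegalArgumentException("credentials为空");
        }
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("apiV3Key为空");
        }
        this.certificates.putIfAbsent(str, new ConcurrentHashMap<>());
        initCertificates(str, credentials, bArr);
        // Stored only after a successful download, so the scheduled refresh never iterates
        // over a merchant whose bootstrap failed.
        this.credentialsMap.put(str, credentials);
        this.apiV3Keys.put(str, bArr);
        if (this.executor == null) {
            beginScheduleUpdate();
        }
    }

    /** Sets the HTTP proxy used for subsequent certificate downloads; {@code null} clears it. */
    public synchronized void setProxy(HttpHost httpHost) {
        this.proxy = httpHost;
    }

    /** Stops the background refresh, if it was started. Cached certificates are kept. */
    public void stop() {
        ScheduledExecutorService running = this.executor;
        if (running == null) {
            return;
        }
        try {
            running.shutdownNow();
        } catch (Exception e) {
            log.error("Executor shutdown now failed", e);
        }
    }
}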
