package com.yeepay.yop.sdk.auth.credentials.provider.loader;

import com.google.common.collect.Maps;
import com.yeepay.yop.sdk.auth.credentials.YopPlatformCredentials;
import com.yeepay.yop.sdk.auth.credentials.YopPlatformCredentialsHolder;
import com.yeepay.yop.sdk.auth.credentials.provider.EncryptCertificate;
import com.yeepay.yop.sdk.auth.credentials.provider.YopCredentialsProviderRegistry;
import com.yeepay.yop.sdk.config.provider.YopSdkConfigProviderRegistry;
import com.yeepay.yop.sdk.config.provider.file.YopCertConfig;
import com.yeepay.yop.sdk.config.provider.file.YopCertStore;
import com.yeepay.yop.sdk.security.CertTypeEnum;
import com.yeepay.yop.sdk.service.common.YopClientBuilder;
import com.yeepay.yop.sdk.service.common.YopClientImpl;
import com.yeepay.yop.sdk.service.common.request.YopRequest;
import com.yeepay.yop.sdk.service.common.response.YopResponse;
import com.yeepay.yop.sdk.utils.Encodes;
import com.yeepay.yop.sdk.utils.Sm2CertUtils;
import com.yeepay.yop.sdk.utils.Sm4Utils;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.MapUtils;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.util.io.pem.PemObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yeepay/yop/sdk/auth/credentials/provider/loader/YopSm2PlatformCredentialsLoader.class */
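/**
 * Loads YOP platform SM2 certificates from the remote cert-download API and turns them into
 * {@link YopPlatformCredentials} keyed by certificate serial number.
 *
 * <p>Flow: {@code /rest/v1.0/yop/platform/certs} is called through a {@link YopClientImpl}; each
 * returned {@link EncryptCertificate} is decrypted with the ISV SM4 encrypt key(s) from
 * {@link YopCredentialsProviderRegistry}; the resulting X.509 certificate's public key becomes an
 * SM2 {@link YopPlatformCredentialsHolder}; and, when the configured {@link YopCertStore} is
 * enabled, the certificate is also written out as a PEM file under the store path.
 *
 * <p>Thread-safety: {@link #reload} is {@code synchronized} and the cache is a
 * {@link ConcurrentHashMap}, so concurrent {@link #load} calls may at worst trigger a redundant
 * remote fetch, never a corrupted cache. The maps returned by both methods are unmodifiable
 * <em>live views</em> of the cache.
 */
public class YopSm2PlatformCredentialsLoader implements YopPlatformCredentialsLoader {
    private static final Logger LOGGER = LoggerFactory.getLogger(YopSm2PlatformCredentialsLoader.class);
    private static final String CERT_DOWNLOAD_API_URI = "/rest/v1.0/yop/platform/certs";
    private static final String CERT_DOWNLOAD_API_METHOD = "GET";
    private static final String CERT_DOWNLOAD_API_SECURITY = "YOP-SM2-SM3";
    /** App key value that means "use the provider's default app", so it is not set on the request. */
    private static final String DEFAULT_APP_KEY = "default";
    private static final String CERT_FILE_PREFIX = "yop_cert_";
    private static final String CERT_FILE_SUFFIX = ".pem";

    /** Cache of platform credentials keyed by certificate serial number (decimal string). */
    private final Map<String, YopPlatformCredentials> credentialsMap = new ConcurrentHashMap<>();

    /**
     * Returns the cached credentials, fetching from remote first when {@code serialNo} is not yet cached.
     *
     * @param appKey   app key to fetch for; blank or {@value #DEFAULT_APP_KEY} means the provider default
     * @param serialNo serial number wanted; blank means "all platform certs" and always triggers a reload
     * @return unmodifiable live view of the credential cache (may be empty if the fetch failed)
     */
    @Override // com.yeepay.yop.sdk.auth.credentials.provider.loader.YopPlatformCredentialsLoader
    public Map<String, YopPlatformCredentials> load(String appKey, String serialNo) {
        // ConcurrentHashMap.containsKey(null) throws NPE; a blank serial can never be a cache key
        // anyway (keys are decimal serial numbers), so treat it as a cache miss.
        if (StringUtils.isBlank(serialNo) || !credentialsMap.containsKey(serialNo)) {
            reload(appKey, serialNo);
        }
        return Collections.unmodifiableMap(credentialsMap);
    }

    /**
     * Unconditionally fetches certificates from remote, merges them into the cache and persists them
     * if the cert store is enabled. Failures are logged and leave the existing cache untouched.
     *
     * @param appKey   app key to fetch for (see {@link #load})
     * @param serialNo serial number filter, or blank for all
     * @return unmodifiable live view of the credential cache
     */
    @Override // com.yeepay.yop.sdk.auth.credentials.provider.loader.YopPlatformCredentialsLoader
    public synchronized Map<String, YopPlatformCredentials> reload(String appKey, String serialNo) {
        YopCertConfig[] isvEncryptKeys = YopCredentialsProviderRegistry.getProvider().getIsvEncryptKey(appKey);
        Map<String, X509Certificate> remoteCerts = loadAndVerifyFromRemote(appKey, serialNo, isvEncryptKeys);
        if (MapUtils.isNotEmpty(remoteCerts)) {
            YopCertStore certStore = YopSdkConfigProviderRegistry.getProvider().getConfig().getYopCertStore();
            credentialsMap.putAll(storeCerts(certStore, remoteCerts));
        }
        return Collections.unmodifiableMap(credentialsMap);
    }

    /**
     * Wraps each certificate's SM2 public key in a credentials holder and, when the store is enabled,
     * writes the certificate as a PEM file. A failure for one certificate is logged and does not
     * prevent the others from being registered.
     *
     * @param certStore cert store config; persistence happens only if non-null and enabled
     * @param certs     certificates keyed by serial number
     * @return holders keyed by serial number, in the iteration order of {@code certs}
     */
    private Map<String, YopPlatformCredentials> storeCerts(YopCertStore certStore, Map<String, X509Certificate> certs) {
        Map<String, YopPlatformCredentials> holders = new LinkedHashMap<>();
        boolean persist = certStore != null && Boolean.TRUE.equals(certStore.getEnable());
        for (Map.Entry<String, X509Certificate> entry : certs.entrySet()) {
            String serialNo = entry.getKey();
            X509Certificate cert = entry.getValue();
            try {
                holders.put(serialNo, new YopPlatformCredentialsHolder()
                        .withSerialNo(serialNo)
                        .withPublicKey(CertTypeEnum.SM2, cert.getPublicKey()));
                if (persist) {
                    writePem(new File(certStore.getPath()), serialNo, cert);
                }
            } catch (Exception e) {
                LOGGER.error("error when store yop cert, ex:", e);
            }
        }
        return holders;
    }

    /**
     * Writes {@code cert} as {@code <certDir>/yop_cert_<serialNo>.pem}, creating the directory if needed.
     *
     * <p>{@code serialNo} is the decimal string of the certificate serial (see {@link #decryptCerts}),
     * so it cannot carry path separators and the file always lands inside {@code certDir}.
     *
     * @throws IOException                  if the directory cannot be created or the file cannot be written
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded
     */
    private static void writePem(File certDir, String serialNo, X509Certificate cert)
            throws IOException, CertificateEncodingException {
        // Re-check after mkdirs() so a concurrent creator does not make this look like a failure.
        if (!certDir.isDirectory() && !certDir.mkdirs() && !certDir.isDirectory()) {
            throw new IOException("unable to create yop cert store dir: " + certDir);
        }
        File pemFile = new File(certDir, CERT_FILE_PREFIX + serialNo + CERT_FILE_SUFFIX);
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile))) {
            pemWriter.writeObject(new PemObject("CERTIFICATE", cert.getEncoded()));
        }
    }

    /**
     * Calls the cert-download API and decrypts the returned certificates.
     *
     * <p>Response signature verification is skipped on this request (presumably because the platform
     * certificate needed to verify it is exactly what is being fetched — confirm against the API
     * contract). Integrity of the certificates therefore rests on the authenticated SM4-GCM
     * decryption in {@link #decryptCert}: a payload not produced with the ISV encrypt key fails to
     * decrypt and is dropped.
     *
     * @return certificates keyed by serial number; empty if the call or the parsing failed
     */
    private Map<String, X509Certificate> loadAndVerifyFromRemote(String appKey, String serialNo, YopCertConfig[] isvEncryptKeys) {
        try {
            YopClientImpl client = YopClientBuilder.builder().build();
            YopRequest request = new YopRequest(CERT_DOWNLOAD_API_URI, CERT_DOWNLOAD_API_METHOD);
            if (StringUtils.isNotBlank(appKey) && !StringUtils.equals(DEFAULT_APP_KEY, appKey)) {
                request.getRequestConfig().setAppKey(appKey);
            }
            request.getRequestConfig().setSkipVerifySign(true);
            request.getRequestConfig().setSecurityReq(CERT_DOWNLOAD_API_SECURITY);
            if (StringUtils.isNotBlank(serialNo)) {
                request.addParameter("serialNo", serialNo);
            }
            YopResponse response = client.request(request);
            return decryptCerts(parseYopResponse(response), isvEncryptKeys);
        } catch (Exception e) {
            LOGGER.error("error when load sm2 cert from remote, ex:", e);
            return Collections.emptyMap();
        }
    }

    /**
     * Decrypts every entry of {@code encryptedCerts}; entries that cannot be decrypted or parsed are skipped.
     *
     * @return certificates keyed by their decimal serial number; empty for a null/empty input
     */
    private Map<String, X509Certificate> decryptCerts(List<EncryptCertificate> encryptedCerts, YopCertConfig[] isvEncryptKeys) {
        if (CollectionUtils.isEmpty(encryptedCerts)) {
            return Collections.emptyMap();
        }
        Map<String, X509Certificate> certs = Maps.newHashMapWithExpectedSize(encryptedCerts.size());
        for (EncryptCertificate encryptedCert : encryptedCerts) {
            X509Certificate cert = decryptCert(encryptedCert, isvEncryptKeys);
            if (cert != null) {
                certs.put(cert.getSerialNumber().toString(), cert);
            }
        }
        return certs;
    }

    /**
     * Tries each SM4 ISV encrypt key in turn until one decrypts (SM4-GCM) and parses the certificate.
     *
     * <p>The key material is a secret: log lines identify a key only by its position in
     * {@code isvEncryptKeys}, never by its value.
     *
     * @return the decrypted certificate, or {@code null} if no SM4 key is configured or none works
     */
    private X509Certificate decryptCert(EncryptCertificate encryptedCert, YopCertConfig[] isvEncryptKeys) {
        boolean sm4KeyFound = false;
        int keyCount = isvEncryptKeys == null ? 0 : isvEncryptKeys.length;
        for (int i = 0; i < keyCount; i++) {
            YopCertConfig keyConfig = isvEncryptKeys[i];
            if (keyConfig == null || keyConfig.getCertType() != CertTypeEnum.SM4) {
                continue;
            }
            sm4KeyFound = true;
            byte[] plainCert;
            try {
                plainCert = Sm4Utils.decrypt_GCM_NoPadding(
                        Encodes.decodeBase64(keyConfig.getValue()),
                        encryptedCert.getAssociatedData(),
                        encryptedCert.getNonce(),
                        encryptedCert.getCiphertext());
            } catch (Exception e) {
                // GCM authentication failure or a wrong key both surface here; try the next key.
                LOGGER.warn("fail to try decrypt cert, isv_encrypt_key index:" + i + ", cert:" + encryptedCert + ", ex:", e);
                continue;
            }
            if (plainCert == null) {
                continue;
            }
            try {
                return Sm2CertUtils.getX509Certificate(plainCert);
            } catch (Exception e) {
                LOGGER.error("error to parse cert bytes, isv_encrypt_key index:" + i + ", cert:" + encryptedCert + ", ex:", e);
            }
        }
        if (!sm4KeyFound) {
            // Warn once per certificate rather than once per non-SM4 key entry.
            LOGGER.warn("no available sm4 isv_encrypt_key found!");
        }
        return null;
    }

    /**
     * Extracts the {@code data[*].encryptCertificate} objects from the API response.
     *
     * <p>Expected shape (from the keys read here): {@code result} is a map with a {@code data} list,
     * each element a map that may hold an {@code encryptCertificate} map with string fields
     * {@code algorithm}, {@code nonce}, {@code associatedData} and {@code cipherText}. Elements of an
     * unexpected type are skipped; a non-string field still fails with a {@link ClassCastException}
     * that the caller logs.
     *
     * @return the parsed entries in response order; empty if the response carries none
     */
    private List<EncryptCertificate> parseYopResponse(YopResponse response) {
        List<EncryptCertificate> encryptedCerts = new ArrayList<>();
        Object result = response.getResult();
        if (!(result instanceof Map) || MapUtils.isEmpty((Map<?, ?>) result)) {
            return encryptedCerts;
        }
        Object data = ((Map<?, ?>) result).get("data");
        if (!(data instanceof List)) {
            return encryptedCerts;
        }
        for (Object item : (List<?>) data) {
            if (!(item instanceof Map)) {
                continue;
            }
            Object encrypted = ((Map<?, ?>) item).get("encryptCertificate");
            if (encrypted instanceof Map) {
                Map<?, ?> fields = (Map<?, ?>) encrypted;
                encryptedCerts.add(new EncryptCertificate(
                        (String) fields.get("algorithm"),
                        (String) fields.get("nonce"),
                        (String) fields.get("associatedData"),
                        (String) fields.get("cipherText")));
            }
        }
        return encryptedCerts;
    }
}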
