package io.helidon.security.providers.httpsign;

import io.helidon.common.pki.KeyConfig;
import io.helidon.security.SecurityEnvironment;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/helidon/security/providers/httpsign/HttpSignature.class */
public class HttpSignature {
    private static final DateTimeFormatter DATE_FORMATTER = DateTimeFormatter.RFC_1123_DATE_TIME;
    private static final Logger LOGGER = Logger.getLogger(HttpSignature.class.getName());
    private static final List<String> DEFAULT_HEADERS = List.of("date");
    private static final byte[] EMPTY_BYTES = new byte[0];
    private final String keyId;
    private final String algorithm;
    private final List<String> headers;
    private String base64Signature;
    private byte[] signatureBytes;

    HttpSignature(String str, String str2, List<String> list) {
        this.keyId = str;
        this.algorithm = str2;
        this.headers = list;
    }

    private HttpSignature(String str, String str2, String str3, List<String> list, String str4) {
        this.keyId = str2;
        this.algorithm = str3;
        this.headers = list;
        this.base64Signature = str4;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Failed to find 'out' block for switch in B:12:0x00a6. Please report as an issue. */
    public static HttpSignature fromHeader(String str) {
        int indexOf;
        String str2 = null;
        String str3 = null;
        List<String> list = DEFAULT_HEADERS;
        String str4 = null;
        int i = 0;
        do {
            int indexOf2 = str.indexOf(44, i);
            int indexOf3 = str.indexOf(61, i);
            if (indexOf3 == -1) {
                return new HttpSignature(str, str2, str3, list, str4);
            }
            if (indexOf3 > indexOf2) {
                i = indexOf2 + 1;
            }
            int indexOf4 = str.indexOf(34, indexOf3);
            if (indexOf4 != -1 && (indexOf = str.indexOf(34, indexOf4 + 1)) != -1) {
                String trim = str.substring(i, indexOf3).trim();
                String substring = str.substring(indexOf4 + 1, indexOf);
                boolean z = -1;
                switch (trim.hashCode()) {
                    case 101944282:
                        if (trim.equals("keyId")) {
                            z = false;
                            break;
                        }
                        break;
                    case 225490031:
                        if (trim.equals("algorithm")) {
                            z = true;
                            break;
                        }
                        break;
                    case 795307910:
                        if (trim.equals("headers")) {
                            z = 3;
                            break;
                        }
                        break;
                    case 1073584312:
                        if (trim.equals("signature")) {
                            z = 2;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        str2 = substring;
                        break;
                    case true:
                        str3 = substring;
                        break;
                    case true:
                        str4 = substring;
                        break;
                    case true:
                        list = Arrays.asList(substring.split(" "));
                        break;
                    default:
                        LOGGER.finest(() -> {
                            return "Invalid signature header field: " + trim + ": \"" + substring + "\"";
                        });
                        break;
                }
                i = indexOf + 1;
            }
            return new HttpSignature(str, str2, str3, list, str4);
        } while (i < str.length());
        return new HttpSignature(str, str2, str3, list, str4);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static HttpSignature sign(SecurityEnvironment securityEnvironment, OutboundTargetDefinition outboundTargetDefinition, Map<String, List<String>> map) {
        HttpSignature httpSignature = new HttpSignature(outboundTargetDefinition.keyId(), outboundTargetDefinition.algorithm(), outboundTargetDefinition.signedHeadersConfig().headers(securityEnvironment.method(), securityEnvironment.headers()));
        String algorithm = httpSignature.getAlgorithm();
        boolean z = -1;
        switch (algorithm.hashCode()) {
            case -698327468:
                if (algorithm.equals("rsa-sha256")) {
                    z = false;
                    break;
                }
                break;
            case -255044915:
                if (algorithm.equals("hmac-sha256")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                httpSignature.signatureBytes = httpSignature.signRsaSha256(securityEnvironment, outboundTargetDefinition.keyConfig().orElseThrow(() -> {
                    return new HttpSignatureException("Private key configuration must be present to use rsa-sha256 algorithm");
                }), map);
                break;
            case true:
                httpSignature.signatureBytes = httpSignature.signHmacSha256(securityEnvironment, outboundTargetDefinition.hmacSharedSecret().orElseThrow(() -> {
                    return new HttpSignatureException("HMAC shared secret must be configured to use hmac-sha256 algorithm");
                }), map);
                break;
            default:
                throw new HttpSignatureException("Unsupported signature algorithm: " + httpSignature.getAlgorithm());
        }
        httpSignature.base64Signature = Base64.getEncoder().encodeToString(httpSignature.signatureBytes);
        return httpSignature;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String toSignatureHeader() {
        return "keyId=\"" + this.keyId + "\",algorithm=\"" + this.algorithm + "\",headers=\"" + String.join(" ", this.headers) + "\",signature=\"" + this.base64Signature + "\"";
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getKeyId() {
        return this.keyId;
    }

    String getAlgorithm() {
        return this.algorithm;
    }

    List<String> getHeaders() {
        return Collections.unmodifiableList(this.headers);
    }

    String getBase64Signature() {
        return this.base64Signature;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Optional<String> validate() {
        ArrayList arrayList = new ArrayList();
        if (null == this.keyId) {
            arrayList.add("keyId is a mandatory signature header component");
        }
        if (null != this.algorithm) {
            String str = this.algorithm;
            boolean z = -1;
            switch (str.hashCode()) {
                case -698327468:
                    if (str.equals("rsa-sha256")) {
                        z = false;
                        break;
                    }
                    break;
                case -255044915:
                    if (str.equals("hmac-sha256")) {
                        z = true;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                case true:
                    break;
                default:
                    arrayList.add("Unsupported signature algorithm: " + this.algorithm);
                    break;
            }
        } else {
            arrayList.add("algorithm is a mandatory signature header component");
        }
        if (null == this.base64Signature) {
            arrayList.add("signature is a mandatory signature header component");
        }
        try {
            this.signatureBytes = Base64.getDecoder().decode(this.base64Signature);
        } catch (Exception e) {
            LOGGER.log(Level.FINEST, "Cannot get bytes from base64: " + this.base64Signature, (Throwable) e);
            arrayList.add("cannot get bytes from base64 encoded signature: " + e.getMessage());
        }
        return arrayList.isEmpty() ? Optional.empty() : Optional.of("HttpSignature is not valid. Problems: " + String.join(", ", arrayList));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Optional<String> validate(SecurityEnvironment securityEnvironment, InboundClientDefinition inboundClientDefinition, List<String> list) {
        if (!this.algorithm.equalsIgnoreCase(inboundClientDefinition.algorithm())) {
            return Optional.of("Algorithm of signature is " + this.algorithm + ", configured: " + inboundClientDefinition.algorithm());
        }
        for (String str : list) {
            if (!this.headers.contains(str)) {
                return Optional.of("Header " + str + " is required, yet not signed");
            }
        }
        String str2 = this.algorithm;
        boolean z = -1;
        switch (str2.hashCode()) {
            case -698327468:
                if (str2.equals("rsa-sha256")) {
                    z = false;
                    break;
                }
                break;
            case -255044915:
                if (str2.equals("hmac-sha256")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return validateRsaSha256(securityEnvironment, inboundClientDefinition);
            case true:
                return validateHmacSha256(securityEnvironment, inboundClientDefinition);
            default:
                return Optional.of("Unsupported algorithm: " + this.algorithm);
        }
    }

    private byte[] signRsaSha256(SecurityEnvironment securityEnvironment, KeyConfig keyConfig, Map<String, List<String>> map) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign((PrivateKey) keyConfig.privateKey().orElseThrow(() -> {
                return new HttpSignatureException("Private key is required, yet not configured");
            }));
            signature.update(getBytesToSign(securityEnvironment, map));
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new HttpSignatureException(e);
        }
    }

    private Optional<String> validateRsaSha256(SecurityEnvironment securityEnvironment, InboundClientDefinition inboundClientDefinition) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify((PublicKey) inboundClientDefinition.keyConfig().orElseThrow(() -> {
                return new HttpSignatureException("RSA public key configuration is required");
            }).publicKey().orElseThrow(() -> {
                return new HttpSignatureException("Public key is required, yet not configured");
            }));
            signature.update(getBytesToSign(securityEnvironment, null));
            return !signature.verify(this.signatureBytes) ? Optional.of("Signature is not valid") : Optional.empty();
        } catch (InvalidKeyException e) {
            LOGGER.log(Level.FINEST, "Invalid RSA key", (Throwable) e);
            return Optional.of("Invalid RSA key: " + e.getMessage());
        } catch (NoSuchAlgorithmException e2) {
            LOGGER.log(Level.FINEST, "SHA256withRSA algorithm not found", (Throwable) e2);
            return Optional.of("SHA256withRSA algorithm not found: " + e2.getMessage());
        } catch (SignatureException e3) {
            LOGGER.log(Level.FINEST, "Signature exception", (Throwable) e3);
            return Optional.of("SignatureException: " + e3.getMessage());
        }
    }

    private byte[] signHmacSha256(SecurityEnvironment securityEnvironment, byte[] bArr, Map<String, List<String>> map) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(bArr, "HmacSHA256"));
            return mac.doFinal(getBytesToSign(securityEnvironment, map));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new HttpSignatureException(e);
        }
    }

    private Optional<String> validateHmacSha256(SecurityEnvironment securityEnvironment, InboundClientDefinition inboundClientDefinition) {
        try {
            return !Arrays.equals(signHmacSha256(securityEnvironment, inboundClientDefinition.hmacSharedSecret().orElse(EMPTY_BYTES), null), this.signatureBytes) ? Optional.of("Signature is not valid") : Optional.empty();
        } catch (SecurityException e) {
            LOGGER.log(Level.FINEST, "Failed to validate hmac-sha256", (Throwable) e);
            return Optional.of("Failed to validate hmac-sha256: " + e.getMessage());
        }
    }

    private byte[] getBytesToSign(SecurityEnvironment securityEnvironment, Map<String, List<String>> map) {
        return getSignedString(map, securityEnvironment).getBytes(StandardCharsets.UTF_8);
    }

    String getSignedString(Map<String, List<String>> map, SecurityEnvironment securityEnvironment) {
        StringBuilder sb = new StringBuilder();
        Map headers = securityEnvironment.headers();
        for (String str : this.headers) {
            if (SignedHeadersConfig.REQUEST_TARGET.equals(str)) {
                sb.append(str).append(": ").append(securityEnvironment.method().toLowerCase()).append(" ").append((String) securityEnvironment.path().orElse("/")).append('\n');
            } else {
                List<String> list = (List) headers.get(str);
                if (null == list && null == map) {
                    throw new HttpSignatureException("Header " + str + " is required for signature, yet not defined in request");
                }
                if (null == list) {
                    if ("date".equalsIgnoreCase(str)) {
                        String format = ZonedDateTime.now(ZoneId.of("GMT")).format(DATE_FORMATTER);
                        list = List.of(format);
                        map.put("date", list);
                        LOGGER.finest(() -> {
                            return "Added date header to request: " + format;
                        });
                    } else {
                        if (!"host".equalsIgnoreCase(str)) {
                            throw new HttpSignatureException("Header " + str + " is required for signature, yet not defined in request");
                        }
                        URI targetUri = securityEnvironment.targetUri();
                        String str2 = targetUri.getHost() + ":" + targetUri.getPort();
                        list = List.of(str2);
                        map.put("host", list);
                        LOGGER.finest(() -> {
                            return "Added host header to request: " + str2;
                        });
                    }
                }
                sb.append(str).append(": ").append(String.join(" ", list)).append('\n');
            }
        }
        LOGGER.finest(() -> {
            return "Data to sign: " + sb;
        });
        return sb.toString();
    }
}
