package io.github.aapplet.wechat.cert;

import io.github.aapplet.wechat.cert.WeChatCertificateResponse;
import io.github.aapplet.wechat.common.WeChatPaymentResponse;
import io.github.aapplet.wechat.config.WeChatConfig;
import io.github.aapplet.wechat.exception.WeChatException;
import io.github.aapplet.wechat.exception.WeChatResponseException;
import io.github.aapplet.wechat.exception.WeChatValidationException;
import io.github.aapplet.wechat.http.WeChatHttpRequest;
import io.github.aapplet.wechat.util.WeChatPemUtil;
import io.github.aapplet.wechat.util.WeChatValidator;
import java.net.http.HttpResponse;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:io/github/aapplet/wechat/cert/WeChatCertificateService.class */
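/**
 * Fetches, verifies and caches WeChat Pay platform certificates.
 *
 * <p>Both caches are {@code static}, so they are shared by every instance in the JVM.
 * {@link #CERTIFICATE_MAP} is keyed by certificate serial number only, while
 * {@link #LATEST_MAP} is keyed by merchant id.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The download response is verified with a certificate carried in that same response,
 *       so trust rests on {@code WeChatConfig.decrypt} rejecting tampered ciphertext.
 *       NOTE(review): presumably authenticated encryption with the merchant's API key;
 *       confirm in {@code WeChatConfig}.</li>
 *   <li>A certificate is handed out from the serial-number cache only while it is inside its
 *       validity window; an expired entry triggers a refresh instead of being reused.</li>
 *   <li>{@link #getCertificate(String)} performs a network fetch under a class-wide lock for
 *       every serial number it does not know. NOTE(review): if the serial comes from an
 *       unauthenticated request header, callers may want to rate-limit or negatively cache
 *       unknown serials.</li>
 * </ul>
 */
public class WeChatCertificateService implements WeChatCertificateManager {
    /** Verified platform certificates, keyed by serial number (shared across all merchants). */
    private static final Map<String, X509Certificate> CERTIFICATE_MAP = new ConcurrentHashMap<>(4);
    /** Most recently issued platform certificate per merchant id. */
    private static final Map<String, X509Certificate> LATEST_MAP = new ConcurrentHashMap<>(4);
    private final WeChatConfig weChatConfig;

    /**
     * @param weChatConfig merchant configuration used to sign the download request, decrypt the
     *                     certificates and verify the response
     */
    public WeChatCertificateService(WeChatConfig weChatConfig) {
        this.weChatConfig = weChatConfig;
    }

    /**
     * Returns the latest platform certificate for the configured merchant, downloading a fresh
     * set when none is cached or the cached one is outside its validity window.
     *
     * @return the latest cached platform certificate
     * @throws WeChatException if no certificate is available after a refresh
     */
    @Override // io.github.aapplet.wechat.cert.WeChatCertificateManager
    public X509Certificate getCertificate() {
        String mchId = this.weChatConfig.getMchId();
        X509Certificate cached = LATEST_MAP.get(mchId);
        // Explicit null/validity test instead of catching NullPointerException for control flow.
        if (isCurrentlyValid(cached)) {
            return cached;
        }
        synchronized (WeChatCertificateService.class) {
            // Re-read under the lock: another thread may already have refreshed the entry.
            X509Certificate current = LATEST_MAP.get(mchId);
            if (current == null || Objects.equals(current, cached)) {
                loadCertificate();
                checkCertificate(LATEST_MAP);
            }
            X509Certificate refreshed = LATEST_MAP.get(mchId);
            if (refreshed == null) {
                // Message: "failed to load platform certificate"
                throw new WeChatException("平台证书加载失败");
            }
            return refreshed;
        }
    }

    /**
     * Returns the platform certificate with the given serial number, downloading a fresh set
     * when the serial is unknown or the cached certificate is no longer valid.
     *
     * @param serialNo serial number of the platform certificate that signed a message
     * @return the matching certificate, inside its validity window at lookup time
     * @throws WeChatException if the serial number is still unknown (or only matches an
     *                         expired certificate) after a refresh
     */
    @Override // io.github.aapplet.wechat.cert.WeChatCertificateManager
    public X509Certificate getCertificate(String serialNo) {
        X509Certificate cached = CERTIFICATE_MAP.get(serialNo);
        // Never serve an expired or not-yet-valid certificate for signature verification.
        if (isCurrentlyValid(cached)) {
            return cached;
        }
        synchronized (WeChatCertificateService.class) {
            // Re-check under the lock so concurrent callers do not each trigger a download.
            if (!isCurrentlyValid(CERTIFICATE_MAP.get(serialNo))) {
                loadCertificate();
                checkCertificate(CERTIFICATE_MAP);
            }
        }
        X509Certificate refreshed = CERTIFICATE_MAP.get(serialNo);
        if (refreshed == null) {
            // Message: "unknown platform certificate serial number"
            throw new WeChatException("未知的平台证书序列号");
        }
        return refreshed;
    }

    /**
     * Downloads the platform certificates, decrypts them, verifies the response signature and
     * only then publishes the currently valid certificates to the shared caches.
     *
     * @throws WeChatException           on HTTP 401 (request signature rejected)
     * @throws WeChatResponseException   on any other non-200 status
     * @throws WeChatValidationException if the response signature cannot be verified
     */
    private void loadCertificate() {
        HttpResponse<byte[]> response = WeChatHttpRequest.v3(this.weChatConfig, new WeChatCertificateRequest());
        if (response.statusCode() == 401) {
            // Message: "signature error, please check the configuration"
            throw new WeChatException("签名信息错误,请检查配置信息");
        }
        if (response.statusCode() != 200) {
            throw new WeChatResponseException(WeChatPaymentResponse.fromJson(response.body()));
        }
        Map<String, X509Certificate> fetched = new HashMap<>(4);
        for (WeChatCertificateResponse.WeChatCertificate item
                : WeChatCertificateResponse.fromJson(response.body()).getCertificates()) {
            WeChatCertificateResponse.EncryptCertificate encrypted = item.getEncryptCertificate();
            String associatedData = encrypted.getAssociatedData();
            String ciphertext = encrypted.getCiphertext();
            String pem = this.weChatConfig.decrypt(encrypted.getNonce(), associatedData, ciphertext);
            fetched.put(item.getSerialNo(), WeChatPemUtil.getCertificate(pem));
        }
        // The signing certificate is looked up in the freshly decrypted set, so nothing is
        // published to the shared caches until this verification has succeeded.
        WeChatValidator validator = new WeChatValidator(this.weChatConfig, response);
        X509Certificate signer = fetched.get(validator.getWeChatHeaders().getSerial());
        if (signer == null || !validator.verify(signer)) {
            // Message: "platform certificate error, signature verification failed"
            throw new WeChatValidationException("平台证书错误,验签失败");
        }
        // Publish only certificates inside their validity window, so that a not-yet-valid
        // certificate can never be selected as "latest" and then evicted, which would leave
        // the merchant without a usable certificate.
        fetched.values().removeIf(certificate -> !isCurrentlyValid(certificate));
        CERTIFICATE_MAP.putAll(fetched);
        fetched.values().stream()
                .max(Comparator.comparing(X509Certificate::getNotBefore))
                .ifPresent(latest -> LATEST_MAP.put(this.weChatConfig.getMchId(), latest));
    }

    /**
     * Evicts every certificate that is expired or not yet valid from the given cache.
     *
     * @param map cache to purge in place
     */
    private void checkCertificate(Map<String, X509Certificate> map) {
        // removeIf on the values view avoids mutating the map from inside forEach.
        map.values().removeIf(certificate -> !isCurrentlyValid(certificate));
    }

    /**
     * Tells whether a certificate is present and inside its validity window right now.
     *
     * @param certificate certificate to test, may be {@code null}
     * @return {@code true} only for a non-null certificate whose {@code checkValidity()} passes
     */
    private static boolean isCurrentlyValid(X509Certificate certificate) {
        if (certificate == null) {
            return false;
        }
        try {
            certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return false;
        }
    }
}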
