package software.amazon.smithy.java.aws.client.auth.scheme.sigv4;

import java.net.URI;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.HexFormat;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.CompletableFuture;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import software.amazon.smithy.java.auth.api.AuthProperties;
import software.amazon.smithy.java.auth.api.Signer;
import software.amazon.smithy.java.aws.client.auth.scheme.sigv4.SigningCache;
import software.amazon.smithy.java.aws.client.core.identity.AwsCredentialsIdentity;
import software.amazon.smithy.java.http.api.HttpHeaders;
import software.amazon.smithy.java.http.api.HttpRequest;
import software.amazon.smithy.java.io.datastream.DataStream;
import software.amazon.smithy.java.io.uri.URLEncoding;
import software.amazon.smithy.java.logging.InternalLogger;

/* loaded from: input_file:software/amazon/smithy/java/aws/client/auth/scheme/sigv4/SigV4Signer.class */
final class SigV4Signer implements Signer<HttpRequest, AwsCredentialsIdentity> {
    private static final int BUFFER_SIZE = 512;
    private static final String HMAC_SHA_256 = "HmacSHA256";
    private static final String ALGORITHM = "AWS4-HMAC-SHA256";
    private static final String TERMINATOR = "aws4_request";
    private final SigningResources signingResources = RESOURCES_POOL.get();
    private static final InternalLogger LOGGER = InternalLogger.getLogger(SigV4Signer.class);
    private static final List<String> HEADERS_TO_IGNORE_IN_LOWER_CASE = List.of("connection", "x-amzn-trace-id", "user-agent", "expect");
    private static final SigningCache SIGNER_CACHE = new SigningCache(300);
    private static final int POOL_SIZE = 32;
    private static final Pool<SigningResources> RESOURCES_POOL = new Pool<>(POOL_SIZE, SigningResources::new);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:software/amazon/smithy/java/aws/client/auth/scheme/sigv4/SigV4Signer$SigningResources.class */
    public static final class SigningResources {
        final StringBuilder sb = new StringBuilder(SigV4Signer.BUFFER_SIZE);
        final MessageDigest sha256Digest;
        final Mac sha256Mac;

        SigningResources() {
            try {
                this.sha256Digest = MessageDigest.getInstance("SHA-256");
                try {
                    this.sha256Mac = Mac.getInstance(SigV4Signer.HMAC_SHA_256);
                } catch (NoSuchAlgorithmException e) {
                    throw new RuntimeException("Unable to fetch Mac instance for HmacSHA256", e);
                }
            } catch (NoSuchAlgorithmException e2) {
                throw new RuntimeException("Unable to fetch message digest instance for SHA-256", e2);
            }
        }

        void reset() {
            this.sb.setLength(0);
            this.sha256Digest.reset();
            this.sha256Mac.reset();
        }
    }

    public static SigV4Signer create() {
        return new SigV4Signer();
    }

    private SigV4Signer() {
        this.signingResources.reset();
    }

    public void close() {
        RESOURCES_POOL.release(this.signingResources);
    }

    public CompletableFuture<HttpRequest> sign(HttpRequest httpRequest, AwsCredentialsIdentity awsCredentialsIdentity, AuthProperties authProperties) {
        String str = (String) authProperties.expect(SigV4Settings.REGION);
        String str2 = (String) authProperties.expect(SigV4Settings.SIGNING_NAME);
        Clock clock = (Clock) authProperties.getOrDefault(SigV4Settings.CLOCK, Clock.systemUTC());
        return getPayloadHash(httpRequest.body()).thenApply(str3 -> {
            Map<String, List<String>> createSignedHeaders = createSignedHeaders(httpRequest.method(), httpRequest.uri(), httpRequest.headers(), str3, str, str2, clock.instant(), awsCredentialsIdentity.accessKeyId(), awsCredentialsIdentity.secretAccessKey(), awsCredentialsIdentity.sessionToken(), !httpRequest.body().hasKnownLength());
            StringBuilder sb = this.signingResources.sb;
            if (sb.length() > BUFFER_SIZE) {
                sb.setLength(BUFFER_SIZE);
                sb.trimToSize();
            }
            sb.setLength(0);
            return httpRequest.toBuilder().headers(HttpHeaders.of(createSignedHeaders)).build();
        });
    }

    private CompletableFuture<String> getPayloadHash(DataStream dataStream) {
        return dataStream.asByteBuffer().thenApply(this::hexHash);
    }

    private String hexHash(ByteBuffer byteBuffer) {
        return HexFormat.of().formatHex(hash(byteBuffer));
    }

    private Map<String, List<String>> createSignedHeaders(String str, URI uri, HttpHeaders httpHeaders, String str2, String str3, String str4, Instant instant, String str5, String str6, String str7, boolean z) {
        Map<String, List<String>> copyHeaders = copyHeaders(httpHeaders);
        copyHeaders.put("host", List.of(uriUsingNonStandardPort(uri) ? uri.getHost() + ":" + uri.getPort() : uri.getHost()));
        StringBuilder sb = this.signingResources.sb;
        LocalDateTime localDateTime = instant.atOffset(ZoneOffset.UTC).toLocalDateTime();
        String formatDate = formatDate(localDateTime, sb);
        String formatRfc3339 = formatRfc3339(localDateTime, formatDate, sb);
        copyHeaders.put("x-amz-date", List.of(formatRfc3339));
        if (z) {
            copyHeaders.put("x-amz-content-sha256", List.of(str2));
        }
        if (str7 != null) {
            copyHeaders.put("x-amz-security-token", List.of(str7));
        }
        String signedHeaders = getSignedHeaders(copyHeaders.keySet(), sb);
        byte[] canonicalRequest = getCanonicalRequest(str, uri, copyHeaders, copyHeaders.keySet(), signedHeaders, str2, sb);
        byte[] deriveSigningKey = deriveSigningKey(str6, formatDate, str3, str4, instant);
        String createScope = createScope(formatDate, str3, str4, sb);
        copyHeaders.put("authorization", List.of(getAuthHeader(str5, createScope, signedHeaders, computeSignature(canonicalRequest, createScope, formatRfc3339, deriveSigningKey, sb), sb)));
        return copyHeaders;
    }

    private static String createScope(String str, String str2, String str3, StringBuilder sb) {
        sb.setLength(0);
        sb.append(str).append('/');
        sb.append(str2).append('/');
        sb.append(str3).append('/');
        sb.append(TERMINATOR);
        return sb.toString();
    }

    private static Map<String, List<String>> copyHeaders(HttpHeaders httpHeaders) {
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry entry : httpHeaders.map().entrySet()) {
            treeMap.put(((String) entry.getKey()).toLowerCase(Locale.ENGLISH), (List) entry.getValue());
        }
        return treeMap;
    }

    private static String formatDate(LocalDateTime localDateTime, StringBuilder sb) {
        sb.setLength(0);
        sb.append(localDateTime.getYear());
        appendTwoDigits(localDateTime.getMonthValue(), sb);
        appendTwoDigits(localDateTime.getDayOfMonth(), sb);
        return sb.toString();
    }

    private static String formatRfc3339(LocalDateTime localDateTime, String str, StringBuilder sb) {
        sb.setLength(0);
        sb.append(str);
        sb.append('T');
        appendTwoDigits(localDateTime.getHour(), sb);
        appendTwoDigits(localDateTime.getMinute(), sb);
        appendTwoDigits(localDateTime.getSecond(), sb);
        sb.append('Z');
        return sb.toString();
    }

    private static void appendTwoDigits(int i, StringBuilder sb) {
        if (i < 10) {
            sb.append('0');
        }
        sb.append(i);
    }

    private static boolean uriUsingNonStandardPort(URI uri) {
        switch (uri.getPort()) {
            case -1:
                return false;
            case 80:
                return uri.getScheme().equals("http");
            case 443:
                return uri.getScheme().equals("https");
            default:
                throw new IllegalStateException("Unexpected value for URI scheme: " + uri.getScheme());
        }
    }

    private static String getSignedHeaders(Set<String> set, StringBuilder sb) {
        sb.setLength(0);
        for (String str : set) {
            if (!HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(str)) {
                sb.append(str).append(';');
            }
        }
        sb.setLength(sb.length() - 1);
        return sb.toString();
    }

    private static String getAuthHeader(String str, String str2, String str3, String str4, StringBuilder sb) {
        sb.setLength(0);
        sb.append(ALGORITHM).append(" Credential=").append(str).append('/').append(str2).append(", SignedHeaders=").append(str3).append(", Signature=").append(str4);
        return sb.toString();
    }

    private byte[] getCanonicalRequest(String str, URI uri, Map<String, List<String>> map, Set<String> set, String str2, String str3, StringBuilder sb) {
        sb.setLength(0);
        sb.append(str).append('\n');
        addCanonicalizedResourcePath(uri, sb);
        sb.append('\n');
        addCanonicalizedQueryString(uri, sb);
        sb.append('\n');
        addCanonicalizedHeaderString(map, set, sb);
        sb.append('\n');
        sb.append(str2).append('\n').append(str3);
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    private static void addCanonicalizedResourcePath(URI uri, StringBuilder sb) {
        String rawPath = uri.normalize().getRawPath();
        if (rawPath.isEmpty()) {
            sb.append('/');
            return;
        }
        if (!rawPath.startsWith("/")) {
            rawPath = "/" + rawPath;
        }
        URLEncoding.encodeUnreserved(rawPath, sb, true);
    }

    private static void addCanonicalizedQueryString(URI uri, StringBuilder sb) {
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null) {
            return;
        }
        TreeMap treeMap = new TreeMap();
        for (String str : rawQuery.split("&")) {
            String[] split = str.split("=");
            String str2 = split[0];
            String encodeUnreserved = URLEncoding.encodeUnreserved(str2, false);
            if (split.length == 2) {
                treeMap.put(encodeUnreserved, URLEncoding.encodeUnreserved(split[1], false));
            } else {
                treeMap.put(str2, "");
            }
        }
        for (Map.Entry entry : treeMap.entrySet()) {
            sb.append((String) entry.getKey());
            sb.append('=');
            sb.append((String) entry.getValue());
            sb.append('&');
        }
        sb.setLength(sb.length() - 1);
    }

    private static void addCanonicalizedHeaderString(Map<String, List<String>> map, Set<String> set, StringBuilder sb) {
        for (String str : set) {
            if (!HEADERS_TO_IGNORE_IN_LOWER_CASE.contains(str)) {
                sb.append(str);
                sb.append(':');
                Iterator<String> it = map.get(str).iterator();
                while (it.hasNext()) {
                    addAndTrim(sb, it.next());
                    sb.append(',');
                }
                sb.setLength(sb.length() - 1);
                sb.append('\n');
            }
        }
    }

    private static void addAndTrim(StringBuilder sb, String str) {
        for (int i = 0; i < str.length(); i++) {
            if (isWhiteSpace(str.charAt(i))) {
                addAndTrimSlow(sb, str);
                return;
            }
        }
        sb.append(str);
    }

    private static void addAndTrimSlow(StringBuilder sb, String str) {
        sb.ensureCapacity(sb.length() + str.length());
        int i = 0;
        while (i < str.length() && isWhiteSpace(str.charAt(i))) {
            i++;
        }
        boolean z = false;
        while (i < str.length()) {
            char charAt = str.charAt(i);
            if (!isWhiteSpace(charAt)) {
                sb.append(charAt);
                z = false;
            } else if (!z) {
                sb.append(' ');
                z = true;
            }
            i++;
        }
        if (sb.isEmpty() || sb.charAt(sb.length() - 1) != POOL_SIZE) {
            return;
        }
        sb.setLength(sb.length() - 1);
    }

    private static boolean isWhiteSpace(char c) {
        return c == POOL_SIZE || (c >= '\t' && c <= '\f');
    }

    private byte[] deriveSigningKey(String str, String str2, String str3, String str4, Instant instant) {
        SigningCache.CacheKey cacheKey = new SigningCache.CacheKey(str, str3, str4);
        SigningKey signingKey = SIGNER_CACHE.get(cacheKey);
        if (signingKey != null && signingKey.isValidFor(instant)) {
            return signingKey.signingKey();
        }
        LOGGER.trace("Generating new key as signing key could not be found in cache.", new Object[0]);
        byte[] newSigningKey = newSigningKey(str, str2, str3, str4);
        SIGNER_CACHE.put(cacheKey, new SigningKey(newSigningKey, instant));
        return newSigningKey;
    }

    private byte[] newSigningKey(String str, String str2, String str3, String str4) {
        return sign(TERMINATOR, sign(str4, sign(str3, sign(str2, ("AWS4" + str).getBytes(StandardCharsets.UTF_8)))));
    }

    private String computeSignature(byte[] bArr, String str, String str2, byte[] bArr2, StringBuilder sb) {
        sb.setLength(0);
        sb.append(ALGORITHM).append('\n').append(str2).append('\n').append(str).append('\n').append(HexFormat.of().formatHex(hash(bArr)));
        return HexFormat.of().formatHex(sign(sb.toString(), bArr2));
    }

    private byte[] sign(String str, byte[] bArr) {
        try {
            Mac mac = this.signingResources.sha256Mac;
            mac.reset();
            mac.init(new SecretKeySpec(bArr, HMAC_SHA_256));
            return mac.doFinal(str.getBytes(StandardCharsets.UTF_8));
        } catch (InvalidKeyException e) {
            throw new RuntimeException(e);
        }
    }

    private byte[] hash(ByteBuffer byteBuffer) {
        MessageDigest messageDigest = this.signingResources.sha256Digest;
        messageDigest.reset();
        messageDigest.update(byteBuffer);
        return messageDigest.digest();
    }

    private byte[] hash(byte[] bArr) {
        MessageDigest messageDigest = this.signingResources.sha256Digest;
        messageDigest.reset();
        messageDigest.update(bArr);
        return messageDigest.digest();
    }
}
