package com.github.rwocj.wx.base;

import com.github.rwocj.wx.util.WxPayUtil;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantLock;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/github/rwocj/wx/base/DefaultCertificatesVerifier.class */
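/**
 * {@link Verifier} that checks SHA256withRSA signatures against X.509 certificates downloaded
 * from {@code CertDownloadPath} and cached in memory, keyed by certificate serial number.
 *
 * <p>The cache is refreshed lazily from {@link #verify(String, byte[], String)}: the first call,
 * and any call made once the configured interval has elapsed since the last successful refresh,
 * tries to download the certificate list again. Only one thread refreshes at a time; other
 * threads skip the refresh and verify against whatever is currently cached.
 *
 * <p>NOTE(review): the authenticity of the downloaded certificates rests entirely on
 * {@code WxPayUtil.deserializeToCerts} and the API v3 key passed to it (presumably an
 * authenticated decryption — confirm). This class neither checks certificate validity dates nor
 * evicts certificates that disappear from the download, so an expired or withdrawn certificate
 * stays trusted until the process restarts unless the helper filters it out.
 */
public class DefaultCertificatesVerifier implements Verifier {
    private static final Logger log = LoggerFactory.getLogger(DefaultCertificatesVerifier.class);
    private static final String CertDownloadPath = "https://api.mch.weixin.qq.com/v3/certificates";

    /** Time of the last successful refresh; {@code null} until one has succeeded. */
    private volatile Instant instant;
    // Key material handed to WxPayUtil.deserializeToCerts; the caller's array is stored as-is.
    private final byte[] apiV3Key;
    private final OkHttpClient okHttpClient;
    // Read by every verifying thread while a single refresher thread writes, so the map must be
    // safe for concurrent access; a plain HashMap is not.
    private final Map<BigInteger, X509Certificate> certificates = new ConcurrentHashMap<>();
    // volatile so that a value set through setMinutesInterval is visible to verifying threads.
    private volatile int minutesInterval = TimeInterval.TwelveHours.minutes;
    private final ReentrantLock lock = new ReentrantLock();

    /** Predefined refresh intervals, expressed in minutes. */
    public enum TimeInterval {
        OneHour(60),
        SixHours(360),
        TwelveHours(720);

        private final int minutes;

        TimeInterval(int i) {
            this.minutes = i;
        }

        /**
         * @return the length of this interval in minutes
         */
        public int getMinutes() {
            return this.minutes;
        }
    }

    /**
     * Creates a verifier with an empty certificate cache; nothing is downloaded until the first
     * call to {@link #verify(String, byte[], String)}.
     *
     * @param bArr API v3 key used when decoding the certificate download
     * @param okHttpClient client used to call the certificate endpoint. NOTE(review): the request
     *     built here carries no credentials of its own, so any request signing presumably comes
     *     from an interceptor on this client — confirm.
     */
    public DefaultCertificatesVerifier(byte[] bArr, OkHttpClient okHttpClient) {
        this.okHttpClient = okHttpClient;
        this.apiV3Key = bArr;
    }

    /**
     * Verifies a signature over a message with the cached certificate that has the given serial
     * number, refreshing the cache first when a refresh is due.
     *
     * <p>All three arguments normally come from an untrusted peer, so missing or malformed input
     * is reported as a failed verification instead of an unchecked exception.
     *
     * @param str certificate serial number in hexadecimal
     * @param bArr the signed message bytes
     * @param str2 the Base64-encoded signature
     * @return {@code true} only if a cached certificate with that serial number exists and the
     *     signature verifies under its public key
     * @throws RuntimeException if the signature engine is unavailable, rejects the certificate's
     *     key, or fails while verifying; callers must treat any exception as "not verified"
     */
    @Override // com.github.rwocj.wx.base.Verifier
    public boolean verify(String str, byte[] bArr, String str2) {
        refreshCertificatesIfDue();
        if (str == null || bArr == null || str2 == null) {
            return false;
        }
        BigInteger serialNumber;
        try {
            serialNumber = new BigInteger(str, 16);
        } catch (NumberFormatException e) {
            // A serial number that is not valid hex cannot match any cached certificate.
            return false;
        }
        // Single lookup instead of containsKey + get, so the answer cannot change in between.
        X509Certificate certificate = this.certificates.get(serialNumber);
        return certificate != null && verify(certificate, bArr, str2);
    }

    /**
     * Sets how many minutes must pass after a successful refresh before the next one is tried.
     * The value is not validated: zero or a negative number makes every call to
     * {@link #verify(String, byte[], String)} attempt a download.
     *
     * @param i refresh interval in minutes
     */
    public void setMinutesInterval(int i) {
        this.minutesInterval = i;
    }

    /**
     * Refreshes the certificate cache when no refresh has succeeded yet or the interval has
     * elapsed. The refresh timestamp advances only on success, so a failed download is retried
     * by the next caller instead of leaving the cache stale or empty for a whole interval.
     */
    private void refreshCertificatesIfDue() {
        Instant lastRefresh = this.instant;
        if (lastRefresh != null
                && Duration.between(lastRefresh, Instant.now()).toMinutes() < this.minutesInterval) {
            return;
        }
        // tryLock: threads that lose the race do not wait for the download.
        if (!this.lock.tryLock()) {
            return;
        }
        try {
            autoUpdateCert();
            this.instant = Instant.now();
        } catch (IOException | GeneralSecurityException e) {
            log.warn("Auto update cert failed, exception = " + e);
        } finally {
            // Released exactly once, and only on the path that acquired the lock.
            this.lock.unlock();
        }
    }

    /**
     * Checks a Base64-encoded SHA256withRSA signature over {@code bArr} with the public key of
     * the given certificate.
     *
     * @return {@code false} if the signature is not valid Base64 or does not verify
     */
    private boolean verify(X509Certificate x509Certificate, byte[] bArr, String str) {
        byte[] signatureBytes;
        try {
            signatureBytes = Base64.getDecoder().decode(str);
        } catch (IllegalArgumentException e) {
            // Malformed Base64 from the peer is a failed verification, not an internal error.
            return false;
        }
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(x509Certificate);
            signature.update(bArr);
            return signature.verify(signatureBytes);
        } catch (InvalidKeyException e) {
            throw new RuntimeException("无效的证书", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new RuntimeException("当前Java环境不支持SHA256withRSA", e2);
        } catch (SignatureException e3) {
            throw new RuntimeException("签名验证过程发生了错误", e3);
        }
    }

    /**
     * Downloads the certificate list and adds every decoded certificate to the cache under its
     * serial number. Existing entries are overwritten, never removed.
     *
     * @throws IOException if the call fails, the response is not successful, or it has no body
     * @throws GeneralSecurityException if the downloaded certificates cannot be decoded
     */
    private void autoUpdateCert() throws IOException, GeneralSecurityException {
        Request request = new Request.Builder().url(CertDownloadPath).get().build();
        // try-with-resources closes the response even when reading or decoding the body throws.
        try (Response response = this.okHttpClient.newCall(request).execute()) {
            ResponseBody body = response.body();
            if (!response.isSuccessful()) {
                log.error("下载证书失败：{}", body);
                // Fail the refresh so the caller does not record it as successful.
                throw new IOException("certificate download failed, HTTP status " + response.code());
            }
            if (body == null) {
                throw new IOException("certificate download returned no body");
            }
            for (X509Certificate x509Certificate : WxPayUtil.deserializeToCerts(this.apiV3Key, body.string())) {
                this.certificates.put(x509Certificate.getSerialNumber(), x509Certificate);
            }
        }
    }
}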
