package com.ebay.api.security.openid.jwt;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.apache.commons.codec.binary.StringUtils;
import org.joda.time.DateTime;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/ebay/api/security/openid/jwt/IdTokenCertificateHolder.class */
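/**
 * Process-wide cache of the X.509 certificates published at {@link #CERTIFICATE_URL}.
 *
 * <p>The endpoint is expected to return a JSON object whose keys identify certificates and whose
 * values are certificate encodings accepted by the "X.509" {@link CertificateFactory}. The cache
 * is refreshed lazily from {@link #getCertificate(String)} once it is empty or past its expiry.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Trust in the cached certificates rests entirely on the HTTPS connection to
 *       {@link #CERTIFICATE_URL}; nothing in this class pins or otherwise authenticates them.</li>
 *   <li>This class never calls {@link X509Certificate#checkValidity()}.
 *       NOTE(review): confirm that callers check the validity period if they rely on it.</li>
 *   <li>{@link #getCertificate(String)} returns {@code null} for an unknown key. Callers should
 *       treat that as a failed verification, never as a reason to skip the signature check.</li>
 * </ul>
 *
 * <p>Thread-safety: the certificate map is rebuilt off to the side and published through a
 * volatile reference, so readers see either the previous complete set or the new complete set.
 */
public class IdTokenCertificateHolder {
    private static final String CERTIFICATE_URL = "https://auth.ebay.com/oauth2/certs/v1/pem";
    /** Seconds subtracted from the advertised lifetime so the refresh happens before it lapses. */
    private static final int BUFFER_TIME_FOR_REFRESH_IN_SECS = 300;
    private static final Logger logger = LoggerFactory.getLogger(IdTokenCertificateHolder.class);
    /** Lifetime applied when the response carries no usable {@code max-age} directive. */
    private static final Integer DEFAULT_CERT_EXPIRATION_IN_SECS = 86400;
    /**
     * Matches a {@code max-age} directive anywhere in a Cache-Control value, including when it is
     * the only or the last directive. The leading boundary keeps look-alike directive names that
     * merely end in "max-age" from matching.
     */
    private static final Pattern MAX_AGE_REGEX =
            Pattern.compile("(?:^|[\\s,])max-age=(\\d+)", Pattern.CASE_INSENSITIVE);
    /** Try-lock: {@code true} while one thread is refreshing; other threads skip the refresh. */
    private static final AtomicBoolean locked = new AtomicBoolean(false);
    /** Current certificate set. Never mutated after publication; replaced as a whole. */
    private static volatile Map<String, X509Certificate> certHolderMap = new HashMap<>();
    /** Instant after which the cached set is considered stale; {@code null} before the first load. */
    private static volatile DateTime expiresAt;

    /**
     * Fetches the certificate document and replaces the cached set.
     *
     * <p>If another thread is already refreshing, this call returns immediately without waiting.
     * On a non-successful HTTP response the previous set is kept and an error is logged. If the
     * body cannot be parsed, the exception propagates and the previous set is kept.
     *
     * @throws IOException if the HTTP call or reading the body fails
     * @throws CertificateException if the X.509 factory is unavailable or an entry does not parse
     */
    private static void refreshCertificates() throws IOException, CertificateException {
        if (!locked.compareAndSet(false, true)) {
            return;
        }
        try {
            Request request = new Request.Builder().url(CERTIFICATE_URL).get().build();
            // try-with-resources: the response body holds a connection until it is closed.
            try (Response response = new OkHttpClient().newCall(request).execute()) {
                if (!response.isSuccessful()) {
                    logger.error("Error in response for Certificate URL: " + response);
                    return;
                }
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                JSONObject payload = new JSONObject(response.body().string());
                // Build the new set privately so a parse failure half-way through cannot leave
                // readers with an empty or partial map.
                Map<String, X509Certificate> refreshed = new HashMap<>();
                for (String keyId : payload.keySet()) {
                    byte[] encoded = StringUtils.getBytesUtf8(payload.get(keyId).toString());
                    refreshed.put(keyId, (X509Certificate) certificateFactory
                            .generateCertificate(new ByteArrayInputStream(encoded)));
                }
                certHolderMap = refreshed;
                calculateExpiresAt(response.header("Cache-Control"));
            }
        } finally {
            // Always release: a lock left set after an exception would block every later refresh
            // and keep the stale certificate set in use for the life of the process.
            locked.set(false);
        }
    }

    /**
     * Sets {@link #expiresAt} from a Cache-Control header value.
     *
     * <p>Uses the {@code max-age} directive when present and parseable, otherwise
     * {@link #DEFAULT_CERT_EXPIRATION_IN_SECS}. The refresh buffer is subtracted in both cases, so
     * a {@code max-age} below the buffer yields an expiry in the past and the next lookup refreshes.
     *
     * @param str the Cache-Control header value, or {@code null} if the header was absent
     */
    private static void calculateExpiresAt(String str) {
        int lifetimeSecs = DEFAULT_CERT_EXPIRATION_IN_SECS;
        if (str != null) {
            Matcher matcher = MAX_AGE_REGEX.matcher(str);
            if (matcher.find()) {
                try {
                    lifetimeSecs = Integer.parseInt(matcher.group(1));
                } catch (NumberFormatException e) {
                    // Digits only, so this can only be a value too large for an int.
                    logger.warn("Ignoring out-of-range max-age in Cache-Control: {}", str);
                }
            }
        }
        expiresAt = DateTime.now().plusSeconds(lifetimeSecs - BUFFER_TIME_FOR_REFRESH_IN_SECS);
    }

    /**
     * Returns the cached certificate stored under the given key, refreshing the cache first when
     * it is empty or expired.
     *
     * <p>While another thread is performing the very first refresh, this method does not wait and
     * can return {@code null} for a key that will be present a moment later.
     *
     * @param str key of the certificate in the published document (presumably the JWT
     *     {@code kid}; confirm against the caller)
     * @return the certificate, or {@code null} if none is cached under that key
     * @throws IOException if a refresh was attempted and the HTTP call failed
     * @throws CertificateException if a refresh was attempted and a certificate did not parse
     */
    public static Certificate getCertificate(String str) throws IOException, CertificateException {
        DateTime expiry = expiresAt;
        if (certHolderMap.isEmpty() || expiry == null || DateTime.now().isAfter(expiry)) {
            refreshCertificates();
        }
        return certHolderMap.get(str);
    }
}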
