package com.ksyun.ks3.signer;

import com.ksyun.ks3.dto.Authorization;
import com.ksyun.ks3.http.Request;
import com.ksyun.ks3.service.Ks3ClientConfig;
import com.ksyun.ks3.signer.internal.FIFOCache;
import com.ksyun.ks3.signer.internal.KSSSignerRequestParams;
import com.ksyun.ks3.signer.internal.SdkDigestInputStream;
import com.ksyun.ks3.signer.internal.SignerKey;
import com.ksyun.ks3.utils.AuthUtils;
import com.ksyun.ks3.utils.BinaryUtils;
import com.ksyun.ks3.utils.DateUtils;
import com.ksyun.ks3.utils.HttpUtils;
import com.ksyun.ks3.utils.SdkUtils;
import com.ksyun.ks3.utils.StringUtils;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/ksyun/ks3/signer/Ks3V4Signer.class */
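/**
 * Request signer for the {@code KSS4-HMAC-SHA256} scheme.
 *
 * <p>Two entry points are offered: {@link #sign(Authorization, Request, Ks3ClientConfig)} signs a
 * request through its headers and returns the {@code Authorization} header value, while
 * {@link #calcSignature(Authorization, Request, Ks3ClientConfig)} places the signing inputs in
 * the query parameters and returns the hex signature.
 *
 * <p>Every header present on the request is signed except the names in
 * {@link #listOfHeadersToIgnoreInLowerCase}. When the payload is reported as
 * {@code UNSIGNED-PAYLOAD} the request body is not covered by the signature, so body integrity
 * then depends on the transport alone.
 *
 * <p>Derived signing keys are kept in a static, process-wide cache shared by all instances.
 */
public class Ks3V4Signer {
    private static final String LINE_SEPARATOR = "\n";
    private static final String KSS4_TERMINATOR = "kss4_request";
    private static final String KSS4_SIGNING_ALGORITHM = "KSS4-HMAC-SHA256";
    private static final String X_Kss_CREDENTIAL = "X-Kss-Credential";
    private static final String X_Kss_DATE = "X-Kss-Date";
    private static final String X_Kss_EXPIRES = "X-Kss-Expires";
    private static final String X_Kss_SIGNED_HEADER = "X-Kss-SignedHeaders";
    private static final String X_Kss_CONTENT_SHA256 = "X-Kss-content-sha256";
    private static final String X_Kss_SIGNATURE = "X-Kss-Signature";
    private static final String X_Kss_ALGORITHM = "X-Kss-Algorithm";
    private static final String AUTHORIZATION = "Authorization";
    private static final String HMAC_SHA256_ALGORITHM = "HmacSHA256";
    private static final String HOST = "Host";
    private static final String UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
    private static final int SIGNER_CACHE_MAX_SIZE = 300;
    private static final FIFOCache<SignerKey> signerCache = new FIFOCache<>(SIGNER_CACHE_MAX_SIZE);
    // Logger is bound to this class so that the canonical request / string-to-sign debug output
    // is controlled by this signer's own category rather than by AuthUtils'.
    private static final Log log = LogFactory.getLog(Ks3V4Signer.class);
    private static final List<String> listOfHeadersToIgnoreInLowerCase = Arrays.asList("connection", "x-kss-trace-id");

    /**
     * Signs {@code request} in place using header-based authentication.
     *
     * <p>Adds the {@code X-Kss-Date}, {@code Host}, {@code X-Kss-content-sha256} and
     * {@code Authorization} headers to the request.
     *
     * @param authorization credentials (access key id and secret) used to sign
     * @param request the request to sign; it is mutated
     * @param ks3ClientConfig client configuration (addressing style, signer version)
     * @return the value written to the {@code Authorization} header
     * @throws SignatureException if hashing or HMAC computation fails
     */
    public String sign(Authorization authorization, Request request, Ks3ClientConfig ks3ClientConfig) throws SignatureException {
        KSSSignerRequestParams signerParams = new KSSSignerRequestParams(request, new Date(), request.getRegion(), "ks3", KSS4_SIGNING_ALGORITHM);
        request.addHeader(X_Kss_DATE, signerParams.getFormattedSigningDateTime());
        addHost(request, ks3ClientConfig);

        // The content hash must be on the request before the canonical request is built,
        // because every header present at that point is signed.
        String contentSha256 = calculateContentHash(request, ks3ClientConfig);
        request.addHeader(X_Kss_CONTENT_SHA256, contentSha256);

        String canonicalRequest = createCanonicalRequest(request, contentSha256, ks3ClientConfig.isPathStyleAccess());
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(authorization, signerParams);
        byte[] signature = computeSignature(stringToSign, signingKey, signerParams);

        String authorizationHeader = buildAuthorizationHeader(request, signature, authorization, signerParams);
        request.addHeader(AUTHORIZATION, authorizationHeader);
        return authorizationHeader;
    }

    /**
     * Computes a signature whose inputs travel in the query string.
     *
     * <p>Adds the {@code Host} header, removes the {@code User-Agent} header, and writes the
     * {@code X-Kss-Algorithm}, {@code X-Kss-Credential}, {@code X-Kss-Date},
     * {@code X-Kss-Expires} and {@code X-Kss-SignedHeaders} query parameters before signing.
     * The payload is always declared as {@code UNSIGNED-PAYLOAD}, so the body is not covered.
     * The signature itself is returned and is not added to the request by this method.
     *
     * @param authorization credentials used to sign
     * @param request the request to sign; its headers and query parameters are mutated
     * @param ks3ClientConfig client configuration
     * @return the lower-level signature encoded with {@code BinaryUtils.toHex}
     * @throws SignatureException if hashing or HMAC computation fails
     */
    public String calcSignature(Authorization authorization, Request request, Ks3ClientConfig ks3ClientConfig) throws SignatureException {
        KSSSignerRequestParams signerParams = new KSSSignerRequestParams(request, new Date(), request.getRegion(), "ks3", KSS4_SIGNING_ALGORITHM);
        addHost(request, ks3ClientConfig);
        request.getHeaders().remove("User-Agent");

        String credential = authorization.getAccessKeyId() + "/" + signerParams.getScope();
        request.getQueryParams().put(X_Kss_ALGORITHM, KSS4_SIGNING_ALGORITHM);
        request.getQueryParams().put(X_Kss_CREDENTIAL, credential);
        request.getQueryParams().put(X_Kss_DATE, signerParams.getFormattedSigningDateTime());
        // NOTE(review): the lifetime is measured against a fresh clock reading, not the signing
        // time above. Nothing here rejects an expiry that is already in the past (the value is
        // then sent as zero or negative) or caps how long the signature stays valid, and a null
        // getExpires() throws NullPointerException — confirm callers validate the expiry.
        long expiresInSeconds = (request.getExpires().getTime() - new Date().getTime()) / 1000;
        request.getQueryParams().put(X_Kss_EXPIRES, String.valueOf(expiresInSeconds));
        request.addQueryParam(X_Kss_SIGNED_HEADER, getSignedHeadersString(request));

        String canonicalRequest = createCanonicalRequest(request, UNSIGNED_PAYLOAD, ks3ClientConfig.isPathStyleAccess());
        String stringToSign = createStringToSign(canonicalRequest, signerParams);
        byte[] signingKey = deriveSigningKey(authorization, signerParams);
        return BinaryUtils.toHex(computeSignature(stringToSign, signingKey, signerParams));
    }

    /**
     * Sets the {@code Host} header. The bucket is prefixed to the endpoint only when the client
     * uses neither path-style access nor domain mode and the bucket name is not blank.
     */
    private void addHost(Request request, Ks3ClientConfig ks3ClientConfig) {
        String bucketPrefix = "";
        if (!ks3ClientConfig.isPathStyleAccess() && !ks3ClientConfig.isDomainMode() && !StringUtils.isBlank(request.getBucket())) {
            bucketPrefix = request.getBucket() + ".";
        }
        request.addHeader(HOST, bucketPrefix + request.getEndpoint());
    }

    /**
     * Returns the hex SHA-256 of the request body, or {@code UNSIGNED-PAYLOAD}.
     *
     * <p>{@code UNSIGNED-PAYLOAD} is returned when the configured signer version is
     * {@code V4_UNSIGNED_PAYLOAD_SIGNER}, and also when the content stream does not support
     * mark/reset. In the second case the downgrade is silent: the body is simply left out of
     * the signature.
     *
     * @param request the request whose content is hashed
     * @param ks3ClientConfig client configuration supplying the signer version
     * @return hex digest of the body, or {@code UNSIGNED-PAYLOAD}
     * @throws SignatureException if the body cannot be hashed or the stream cannot be reset
     */
    protected String calculateContentHash(Request request, Ks3ClientConfig ks3ClientConfig) throws SignatureException {
        if (Ks3ClientConfig.SignerVersion.V4_UNSIGNED_PAYLOAD_SIGNER == ks3ClientConfig.getVersion()) {
            return UNSIGNED_PAYLOAD;
        }
        InputStream content = request.getContent();
        if (content != null && !content.markSupported()) {
            return UNSIGNED_PAYLOAD;
        }
        InputStream payloadStream = getBinaryRequestPayloadStream(request);
        // NOTE(review): a read limit of 0 is passed to mark(); a stream that honours the limit
        // may refuse to reset() once the whole body has been read — confirm the content streams
        // used with this signer ignore the limit.
        payloadStream.mark(0);
        String contentSha256 = BinaryUtils.toHex(hash(payloadStream));
        try {
            payloadStream.reset();
            return contentSha256;
        } catch (Exception e) {
            // Keep the original failure attached as the cause so the stack trace is not lost.
            throw new SignatureException("Unable to reset stream after calculating kss signature" + e, e);
        }
    }

    /**
     * Reads {@code inputStream} to the end and returns the SHA-256 digest of what was read.
     * The stream is not closed or reset here.
     *
     * @param inputStream the stream to drain
     * @return the raw digest bytes
     * @throws SignatureException if reading or digesting fails
     */
    protected byte[] hash(InputStream inputStream) throws SignatureException {
        try {
            SdkDigestInputStream digestStream = new SdkDigestInputStream(inputStream, getMessageDigestInstance());
            // One scratch buffer is reused for the whole drain; the bytes themselves are
            // discarded because the wrapping stream feeds them to the digest.
            byte[] scratch = new byte[1024];
            while (digestStream.read(scratch) > -1) {
                // keep draining
            }
            return digestStream.getMessageDigest().digest();
        } catch (Exception e) {
            throw new SignatureException("Unable to compute hash while signing request: " + e.getMessage(), e);
        }
    }

    /**
     * Returns a fresh, reset SHA-256 {@link MessageDigest}.
     *
     * @throws IllegalStateException if the platform provides no SHA-256 implementation
     */
    private static MessageDigest getMessageDigestInstance() {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.reset();
            return messageDigest;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the canonical query string built from the request's query parameters. */
    protected String getCanonicalizedQueryString(Request request) {
        return getCanonicalizedQueryString2(request.getQueryParams());
    }

    /**
     * Builds the canonical query string: parameters sorted by name in natural {@code String}
     * order, each name and value passed through {@code HttpUtils.urlEncode(value, false)},
     * joined as {@code name=value} pairs with {@code &}.
     *
     * @param map query parameters
     * @return the canonical query string, empty when there are no parameters
     */
    protected String getCanonicalizedQueryString2(Map<String, String> map) {
        // A TreeMap with natural ordering yields the sorted iteration directly.
        TreeMap<String, String> sortedParams = new TreeMap<String, String>(map);
        StringBuilder canonical = new StringBuilder();
        for (Map.Entry<String, String> param : sortedParams.entrySet()) {
            if (canonical.length() > 0) {
                canonical.append("&");
            }
            canonical.append(HttpUtils.urlEncode(param.getKey(), false)).append("=").append(HttpUtils.urlEncode(param.getValue(), false));
        }
        return canonical.toString();
    }

    /** Returns the stream whose bytes are hashed as the request payload. */
    protected InputStream getBinaryRequestPayloadStream(Request request) throws SignatureException {
        return getBinaryRequestPayloadStreamWithoutQueryParams(request);
    }

    /**
     * Returns the request content for hashing: an empty stream when there is no content, the
     * content itself when it supports mark/reset.
     *
     * @throws SignatureException if the content does not support mark/reset or cannot be obtained
     */
    protected InputStream getBinaryRequestPayloadStreamWithoutQueryParams(Request request) throws SignatureException {
        try {
            InputStream content = request.getContent();
            if (content == null) {
                return new ByteArrayInputStream(new byte[0]);
            }
            if (content.markSupported()) {
                return content;
            }
            throw new Exception("Unable to read request payload to sign request.");
        } catch (SignatureException e) {
            throw e;
        } catch (Exception e2) {
            throw new SignatureException("Unable to read request payload to sign request: " + e2.getMessage(), e2);
        }
    }

    /**
     * Assembles the canonical request: method, canonical resource path, canonical query string,
     * canonical headers, signed header names and payload hash, separated by newlines.
     *
     * @param request the request being signed
     * @param str the payload hash (or {@code UNSIGNED-PAYLOAD}) to place on the last line
     * @param z {@code true} for path-style access, in which case a non-blank bucket name becomes
     *     the first path segment
     * @return the canonical request text
     */
    protected String createCanonicalRequest(Request request, String str, boolean z) {
        String bucketPath = "";
        if (z && !StringUtils.isBlank(request.getBucket())) {
            bucketPath = "/" + request.getBucket();
        }
        String keyPath = StringUtils.isBlank(request.getKey()) ? "" : "/" + request.getKey();
        String resourcePath = SdkUtils.appendUri(bucketPath, keyPath);

        StringBuilder canonical = new StringBuilder(request.getMethod().toString());
        canonical.append(LINE_SEPARATOR).append(getCanonicalizedResourcePath(resourcePath));
        canonical.append(LINE_SEPARATOR).append(getCanonicalizedQueryString(request));
        canonical.append(LINE_SEPARATOR).append(getCanonicalizedHeaderString(request));
        canonical.append(LINE_SEPARATOR).append(getSignedHeadersString(request));
        canonical.append(LINE_SEPARATOR).append(str);
        String canonicalRequest = canonical.toString();
        // Debug output contains every signed header value and query parameter of the request;
        // treat logs produced at this level as sensitive.
        if (log.isDebugEnabled()) {
            log.debug("kss4 Canonical Request: '\"" + canonicalRequest + "\"");
        }
        return canonicalRequest;
    }

    /**
     * Builds the string to sign: signing algorithm, formatted signing date-time, scope and the
     * hex SHA-256 of the canonical request, separated by newlines.
     *
     * @param str the canonical request
     * @param kSSSignerRequestParams signing parameters supplying algorithm, date-time and scope
     * @return the string to sign
     * @throws SignatureException if the canonical request cannot be hashed
     */
    protected String createStringToSign(String str, KSSSignerRequestParams kSSSignerRequestParams) throws SignatureException {
        StringBuilder builder = new StringBuilder(kSSSignerRequestParams.getSigningAlgorithm());
        builder.append(LINE_SEPARATOR).append(kSSSignerRequestParams.getFormattedSigningDateTime());
        builder.append(LINE_SEPARATOR).append(kSSSignerRequestParams.getScope());
        builder.append(LINE_SEPARATOR).append(BinaryUtils.toHex(hash(str)));
        String stringToSign = builder.toString();
        if (log.isDebugEnabled()) {
            log.debug("kss4 String to Sign: '\"" + stringToSign + "\"");
        }
        return stringToSign;
    }

    /**
     * Returns the SHA-256 digest of {@code str}.
     *
     * @throws SignatureException if the digest cannot be computed
     */
    public byte[] hash(String str) throws SignatureException {
        return doHash(str);
    }

    /** Digests {@code text} with SHA-256 after encoding it with {@code StringUtils.UTF8}. */
    private static byte[] doHash(String text) throws SignatureException {
        try {
            MessageDigest digest = getMessageDigestInstance();
            digest.update(text.getBytes(StringUtils.UTF8));
            return digest.digest();
        } catch (Exception e) {
            throw new SignatureException("Unable to compute hash while signing request: " + e.getMessage(), e);
        }
    }

    /** Returns the canonical resource path for {@code str}, URL-encoding it. */
    protected String getCanonicalizedResourcePath(String str) {
        return getCanonicalizedResourcePath(str, true);
    }

    /**
     * Returns the canonical resource path.
     *
     * @param str the resource path; {@code null} or empty yields {@code "/"}
     * @param z whether to pass the path through {@code HttpUtils.urlEncode(path, true)}
     * @return the path, guaranteed to start with {@code "/"}
     */
    protected String getCanonicalizedResourcePath(String str, boolean z) {
        if (str == null || str.isEmpty()) {
            return "/";
        }
        String path = z ? HttpUtils.urlEncode(str, true) : str;
        return path.startsWith("/") ? path : "/".concat(path);
    }

    /**
     * Builds the canonical header block: one trimmed {@code name:value} line per signed header,
     * names lower-cased and sorted case-insensitively, each line terminated by a newline.
     */
    private String getCanonicalizedHeaderString(Request request) {
        Map<String, String> headers = request.getHeaders();
        List<String> headerNames = new ArrayList<String>(headers.keySet());
        Collections.sort(headerNames, String.CASE_INSENSITIVE_ORDER);
        StringBuilder canonical = new StringBuilder();
        for (String name : headerNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            // Locale.ROOT keeps the lower-casing independent of the JVM default locale; a
            // locale-sensitive mapping (for example Turkish dotless i) would alter the signed
            // name and invalidate the signature.
            canonical.append((name.toLowerCase(Locale.ROOT) + ":" + headers.get(name)).trim());
            canonical.append(LINE_SEPARATOR);
        }
        return canonical.toString();
    }

    /**
     * Tells whether a header is left out of the signature.
     *
     * @param str the header name, in any case
     * @return {@code true} for {@code connection} and {@code x-kss-trace-id}
     */
    protected boolean shouldExcludeHeaderFromSigning(String str) {
        // Locale-independent lower-casing, so the exclusion list matches on every JVM locale.
        return listOfHeadersToIgnoreInLowerCase.contains(str.toLowerCase(Locale.ROOT));
    }

    /**
     * Returns the signed header names: lower-cased with {@code StringUtils.lowerCase}, sorted
     * case-insensitively and joined with {@code ;}.
     */
    protected String getSignedHeadersString(Request request) {
        List<String> headerNames = new ArrayList<String>(request.getHeaders().keySet());
        Collections.sort(headerNames, String.CASE_INSENSITIVE_ORDER);
        StringBuilder signedHeaders = new StringBuilder();
        for (String name : headerNames) {
            if (shouldExcludeHeaderFromSigning(name)) {
                continue;
            }
            if (signedHeaders.length() > 0) {
                signedHeaders.append(";");
            }
            signedHeaders.append(StringUtils.lowerCase(name));
        }
        return signedHeaders.toString();
    }

    /**
     * Returns the signing key for the credentials, region and service, reusing the cached key
     * when it was derived for the same day (days since epoch) and deriving and caching a new one
     * otherwise.
     *
     * <p>The array returned on a cache hit is whatever the cached {@code SignerKey} hands out;
     * callers in this class only read it.
     */
    private final byte[] deriveSigningKey(Authorization authorization, KSSSignerRequestParams signerParams) throws SignatureException {
        String cacheKey = computeSigningCacheKeyName(authorization, signerParams);
        long signingDay = DateUtils.numberOfDaysSinceEpoch(signerParams.getSigningDateTimeMilli());
        SignerKey cached = signerCache.get(cacheKey);
        if (cached != null && signingDay == cached.getNumberOfDaysSinceEpoch()) {
            return cached.getSigningKey();
        }
        if (log.isDebugEnabled()) {
            log.debug("Generating a new signing key as the signing key not available in the cache for the date " + TimeUnit.DAYS.toMillis(signingDay));
        }
        byte[] signingKey = newSigningKey(authorization, signerParams.getFormattedSigningDate(), signerParams.getRegionName(), signerParams.getServiceName());
        signerCache.add(cacheKey, new SignerKey(signingDay, signingKey));
        return signingKey;
    }

    /**
     * Builds the cache key as {@code secret-region-service}.
     *
     * <p>NOTE(review): the key embeds the plaintext secret access key, so the secret stays
     * referenced from the static cache for as long as the entry lives, independently of the
     * {@code Authorization} object. Keying on a digest of the secret would avoid that; also
     * confirm that {@code FIFOCache} never logs or otherwise exposes its keys.
     */
    private final String computeSigningCacheKeyName(Authorization authorization, KSSSignerRequestParams signerParams) {
        return authorization.getAccessKeySecret() + "-" + signerParams.getRegionName() + "-" + signerParams.getServiceName();
    }

    /**
     * Computes the HMAC-SHA256 of the string to sign under the derived signing key.
     *
     * @param str the string to sign, encoded as UTF-8 before signing
     * @param bArr the signing key
     * @param kSSSignerRequestParams signing parameters; not read by this method
     * @return the raw signature bytes
     * @throws SignatureException if the HMAC cannot be computed
     */
    protected final byte[] computeSignature(String str, byte[] bArr, KSSSignerRequestParams kSSSignerRequestParams) throws SignatureException {
        return sign(str.getBytes(StandardCharsets.UTF_8), bArr, HMAC_SHA256_ALGORITHM);
    }

    /**
     * Formats the {@code Authorization} header value as
     * {@code KSS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...}.
     */
    private String buildAuthorizationHeader(Request request, byte[] signature, Authorization authorization, KSSSignerRequestParams signerParams) {
        String credential = "Credential=" + (authorization.getAccessKeyId() + "/" + signerParams.getScope());
        String signedHeaders = "SignedHeaders=" + getSignedHeadersString(request);
        String signatureField = "Signature=" + BinaryUtils.toHex(signature);
        StringBuilder header = new StringBuilder();
        header.append(KSS4_SIGNING_ALGORITHM).append(" ").append(credential).append(", ").append(signedHeaders).append(", ").append(signatureField);
        return header.toString();
    }

    /**
     * Derives a signing key by chaining HMAC-SHA256 over the date, region, service and the
     * {@code kss4_request} terminator, starting from {@code "KSS4" + secret}.
     *
     * @param authorization credentials supplying the secret access key
     * @param str the formatted signing date
     * @param str2 the region name
     * @param str3 the service name
     * @return the derived signing key
     * @throws SignatureException if any HMAC step fails
     */
    protected byte[] newSigningKey(Authorization authorization, String str, String str2, String str3) throws SignatureException {
        byte[] secretKey = ("KSS4" + authorization.getAccessKeySecret()).getBytes(StandardCharsets.UTF_8);
        byte[] dateKey = sign(str, secretKey, HMAC_SHA256_ALGORITHM);
        byte[] regionKey = sign(str2, dateKey, HMAC_SHA256_ALGORITHM);
        byte[] serviceKey = sign(str3, regionKey, HMAC_SHA256_ALGORITHM);
        return sign(KSS4_TERMINATOR, serviceKey, HMAC_SHA256_ALGORITHM);
    }

    /**
     * Computes the MAC of {@code str}, encoded with {@code StringUtils.UTF8}, under {@code bArr}.
     *
     * @param str the text to authenticate
     * @param bArr the key bytes
     * @param str2 the algorithm name given to the key specification
     * @return the raw MAC bytes
     * @throws SignatureException if the MAC cannot be computed
     */
    public byte[] sign(String str, byte[] bArr, String str2) throws SignatureException {
        try {
            return sign(str.getBytes(StringUtils.UTF8), bArr, str2);
        } catch (Exception e) {
            throw new SignatureException("Unable to calculate a request signature: " + e.getMessage(), e);
        }
    }

    /**
     * Computes the MAC of {@code bArr} under the key {@code bArr2}.
     *
     * <p>NOTE(review): the {@code Mac} is always created for {@code HmacSHA256}; {@code str}
     * only labels the {@code SecretKeySpec}. Every caller in this class passes
     * {@code HmacSHA256}, so the two agree here, but a different name would not select a
     * different MAC algorithm.
     *
     * @param bArr the data to authenticate
     * @param bArr2 the key bytes
     * @param str the algorithm name given to the key specification
     * @return the raw MAC bytes
     * @throws SignatureException if the MAC cannot be initialised or computed
     */
    protected byte[] sign(byte[] bArr, byte[] bArr2, String str) throws SignatureException {
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
            mac.init(new SecretKeySpec(bArr2, str));
            return mac.doFinal(bArr);
        } catch (Exception e) {
            throw new SignatureException("Unable to calculate a request signature: " + e.getMessage(), e);
        }
    }
}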
