package com.amazonaws.services.sns.message;

import com.amazonaws.SdkBaseException;
import com.amazonaws.SdkClientException;
import com.amazonaws.annotation.GuardedBy;
import com.amazonaws.annotation.SdkInternalApi;
import com.amazonaws.annotation.ThreadSafe;
import com.amazonaws.http.apache.utils.ApacheUtils;
import com.amazonaws.internal.FIFOCache;
import com.amazonaws.services.sns.util.SignatureChecker;
import com.amazonaws.util.IOUtils;
import com.fasterxml.jackson.databind.JsonNode;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.SSLException;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;

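@ThreadSafe
@SdkInternalApi
/* loaded from: input_file:WEB-INF/lib/aws-java-sdk-sns-1.12.306.jar:com/amazonaws/services/sns/message/SignatureVerifier.class */
/**
 * Verifies the signature carried by an SNS message against the public key of the
 * certificate referenced by the message's {@code SigningCertURL} field.
 *
 * <p>Before a certificate's key is trusted the class (1) passes the URL through
 * {@link SigningCertUrlVerifier}, (2) requires the download to be a single PEM block,
 * (3) checks the certificate's name against {@code expectedCertCommonName} and
 * (4) checks its validity window. No chain building against a trust anchor is done
 * in this class; whatever assurance exists that the certificate is genuine has to
 * come from the URL check and from the TLS session of the supplied {@link HttpClient},
 * neither of which is visible here.
 *
 * <p>Thread-safe: the only mutable state is the key cache, and every access to it is
 * made inside the {@code synchronized} {@link #fetchPublicKey(JsonNode)}.
 */
class SignatureVerifier {
    /** Name of the message field that holds the URL of the signing certificate. */
    private static final String SIGNING_CERT_URL = "SigningCertURL";

    /**
     * Shape a downloaded body must have before it is handed to the X.509 parser: exactly one
     * PEM block. Note the literal {@code \n} after the BEGIN line and before the END line,
     * so a body with CRLF line endings does not match.
     */
    private static final Pattern X509_PATTERN = Pattern.compile("^[\\s]*-----BEGIN [A-Z]+-----\\n[A-Za-z\\d+\\/\\n]+[=]{0,2}\\n-----END [A-Z]+-----[\\s]*$");

    /** Client used to fetch the certificate; its TLS configuration is outside this class. */
    private final HttpClient client;

    /** Applied to the certificate URL before any request is made to it. What it enforces is not visible in this file. */
    private final SigningCertUrlVerifier signingCertUrlVerifier;

    /** Name the downloaded certificate must be issued for (checked with {@link #hostnameVerifier}). */
    private final String expectedCertCommonName;

    private final DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
    private final SignatureChecker signatureChecker = new SignatureChecker();

    /**
     * Public keys of certificates that already passed every check above, keyed by the exact
     * SigningCertURL string. An entry is only added after the URL, PEM, name and validity checks
     * succeeded, so a cache hit for the same URL string may skip them. Bounded to two entries.
     */
    @GuardedBy("this")
    private final FIFOCache<PublicKey> certificateCache = new FIFOCache<>(2);

    /**
     * Creates a verifier.
     *
     * <p>Package-private in the original source; the decompiler reports the modifier as widened.
     *
     * @param httpClient client used to download signing certificates
     * @param certUrlVerifierArg passed straight to {@link SigningCertUrlVerifier}'s constructor
     *        (its meaning is defined there, not here)
     * @param expectedCertCommonName name the signing certificate must be issued for
     */
    public SignatureVerifier(HttpClient httpClient, String certUrlVerifierArg, String expectedCertCommonName) {
        this.client = httpClient;
        this.signingCertUrlVerifier = new SigningCertUrlVerifier(certUrlVerifierArg);
        this.expectedCertCommonName = expectedCertCommonName;
    }

    /**
     * Verifies that the message's signature is valid for its own fields.
     *
     * <p>Package-private in the original source; the decompiler reports the modifier as widened.
     *
     * @param jsonNode the parsed SNS message; every top-level field is handed to the checker as text
     * @throws SdkClientException if the signature does not verify, or the signing certificate cannot
     *         be located, downloaded, parsed or validated
     */
    public void verifySignature(JsonNode jsonNode) {
        // Same evaluation order as the original call: fields first, then the (possibly network-bound) key fetch.
        Map<String, String> messageFields = toMap(jsonNode);
        PublicKey signingKey = fetchPublicKey(jsonNode);
        if (!this.signatureChecker.verifySignature(messageFields, signingKey)) {
            throw new SdkClientException("Signature in SNS message was invalid");
        }
    }

    /**
     * Returns the public key for the message's signing certificate, downloading and validating the
     * certificate on a cache miss.
     *
     * <p>Synchronized so that the cache is never read and written concurrently; note that this also
     * serializes the download across threads.
     *
     * @throws SdkClientException if the URL field is absent or not a URI, or the certificate fails any check
     */
    private synchronized PublicKey fetchPublicKey(JsonNode jsonNode) {
        JsonNode urlNode = jsonNode.get(SIGNING_CERT_URL);
        if (urlNode == null || urlNode.isNull()) {
            // The original would have thrown NullPointerException here; report it as a message defect instead.
            throw new SdkClientException("SNS message is missing the " + SIGNING_CERT_URL + " field");
        }
        URI certUri;
        try {
            certUri = URI.create(urlNode.asText());
        } catch (IllegalArgumentException e) {
            throw new SdkClientException("SNS message field " + SIGNING_CERT_URL + " is not a valid URI", e);
        }
        String cacheKey = certUri.toString();
        PublicKey publicKey = (PublicKey) this.certificateCache.get(cacheKey);
        if (publicKey == null) {
            String pem = downloadCertWithRetries(certUri);
            validateCertificateData(pem);
            publicKey = createPublicKey(pem);
            // Only reached once every check passed, which is what makes a later cache hit safe.
            this.certificateCache.add(cacheKey, publicKey);
        }
        return publicKey;
    }

    /**
     * Downloads the certificate body, retrying exactly once when the first failure looks transient.
     *
     * @throws SdkBaseException the first failure when it is not retryable, or the second failure otherwise
     */
    private String downloadCertWithRetries(URI uri) {
        try {
            return downloadCert(uri);
        } catch (SdkBaseException firstFailure) {
            if (isRetryable(firstFailure)) {
                return downloadCert(uri);
            }
            throw firstFailure;
        }
    }

    /** A failure is retried when it wraps an I/O error or is an HTTP 5xx response. */
    private boolean isRetryable(SdkBaseException sdkBaseException) {
        if (sdkBaseException.getCause() instanceof IOException) {
            return true;
        }
        return (sdkBaseException instanceof HttpException) && ((HttpException) sdkBaseException).getStatusCode() / 100 == 5;
    }

    /**
     * Fetches the certificate body as text.
     *
     * @throws SdkClientException if the URL check fails (as thrown by the verifier), the response has
     *         no body, or an I/O error occurs
     * @throws HttpException if the response status is not successful
     */
    private String downloadCert(URI uri) {
        try {
            // Runs before any connection is opened: nothing the URL check rejects is ever requested.
            this.signingCertUrlVerifier.verifyCertUrl(uri);
            HttpResponse response = this.client.execute(new HttpGet(uri));
            if (!ApacheUtils.isRequestSuccessful(response)) {
                throw new HttpException("Could not download the certificate from SNS", response);
            }
            if (response.getEntity() == null) {
                throw new SdkClientException("Certificate response from " + uri + " had no body");
            }
            // try-with-resources: the original called getContent() three separate times (read, close,
            // close-on-error), which for a non-repeatable entity need not refer to the same stream.
            try (InputStream body = response.getEntity().getContent()) {
                return IOUtils.toString(body);
            }
        } catch (IOException e) {
            throw new SdkClientException("Unable to download SNS certificate from " + uri.toString(), e);
        }
    }

    /**
     * Flattens the message's top-level fields to their text form, as expected by {@link SignatureChecker}.
     * Nested values are rendered with {@code asText()} exactly as the original did.
     */
    private Map<String, String> toMap(JsonNode jsonNode) {
        Map<String, String> fields = new HashMap<>(jsonNode.size());
        Iterator<Map.Entry<String, JsonNode>> iterator = jsonNode.fields();
        while (iterator.hasNext()) {
            Map.Entry<String, JsonNode> field = iterator.next();
            fields.put(field.getKey(), field.getValue().asText());
        }
        return fields;
    }

    /**
     * Parses the PEM text as an X.509 certificate, validates it and returns its public key.
     *
     * @throws SdkClientException if parsing or validation fails; failures that are already
     *         {@link SdkBaseException}s (e.g. the hostname check) are rethrown unwrapped
     */
    private PublicKey createPublicKey(String pem) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
            validateCertificate(certificate);
            return certificate.getPublicKey();
        } catch (SdkBaseException e) {
            // Must precede catch (Exception): the decompiled order was the reverse, which javac rejects
            // because SdkBaseException is a subtype of Exception and would already have been caught.
            throw e;
        } catch (Exception e) {
            throw new SdkClientException("Could not create public key from certificate", e);
        }
    }

    /**
     * Checks the certificate's name binding and validity window. No issuer or chain check is
     * performed here.
     *
     * @throws CertificateExpiredException if the certificate's notAfter has passed
     * @throws CertificateNotYetValidException if the certificate's notBefore is in the future
     * @throws SdkClientException if the name does not match {@code expectedCertCommonName}
     */
    private void validateCertificate(X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        verifyHostname(x509Certificate);
        x509Certificate.checkValidity();
    }

    /** Requires the certificate to be issued for {@code expectedCertCommonName} per Apache's hostname rules. */
    private void verifyHostname(X509Certificate x509Certificate) {
        try {
            this.hostnameVerifier.verify(this.expectedCertCommonName, x509Certificate);
        } catch (SSLException e) {
            throw new SdkClientException("Certificate does not match expected common name: " + this.expectedCertCommonName, e);
        }
    }

    /** Rejects anything that is not a single PEM block before it reaches the certificate parser. */
    private void validateCertificateData(String pem) {
        if (!X509_PATTERN.matcher(pem).matches()) {
            throw new SdkClientException("Certificate does not match expected X509 PEM format.");
        }
    }
}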
