package com.unwire.ssg.signer.provider;

import com.squareup.moshi.JsonAdapter;
import com.squareup.moshi.Moshi;
import com.unwire.ssg.signer.common.util.Validation;
import com.unwire.ssg.signer.core.AuthenticationMethod;
import com.unwire.ssg.signer.core.Credential;
import com.unwire.ssg.signer.core.CredentialProvider;
import com.unwire.ssg.signer.core.TransformerFactory;
import com.unwire.ssg.signer.provider.api.RotatorService;
import com.unwire.ssg.signer.provider.api.model.AppInstanceRequest;
import com.unwire.ssg.signer.provider.api.model.AppInstanceResponse;
import com.unwire.ssg.signer.provider.api.model.SecureRandom;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.util.concurrent.TimeUnit;
import okhttp3.OkHttpClient;
import okhttp3.logging.HttpLoggingInterceptor;
import retrofit2.Call;
import retrofit2.Response;
import retrofit2.Retrofit;
import retrofit2.converter.moshi.MoshiConverterFactory;
import s70.b;
import s70.c;
import s70.d;
import u70.e;

/* loaded from: classes4.dex */
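/**
 * {@link CredentialProvider} that hands out the app-instance credential held in a
 * {@link CredentialStore} and rotates it through {@link RotatorService} once it is missing an
 * expiry or is within {@link #ROTATE_MARGIN_MILLIS} of expiring.
 *
 * <p>Rotation and invalidation are serialized on the store's monitor. The fast path in
 * {@link #fetchCredentials()} reads the store without that lock, so the store implementation must
 * tolerate concurrent {@code load()} calls.
 *
 * <p>Identifiers from the {@code s70} and {@code u70} packages are obfuscated in this listing;
 * comments about what they do are hedged accordingly.
 */
public class RotatingCredentialProvider implements CredentialProvider {
    /** A credential is rotated once it is within this many milliseconds (24 hours) of expiry. */
    private static final long ROTATE_MARGIN_MILLIS = TimeUnit.HOURS.toMillis(24);

    private final CredentialStore credentialStore;
    // Not read anywhere in this class; left package-private and non-final as in the original
    // because other classes in the package may use it.
    JsonAdapter<AppInstanceRequest> jsonAdapter;
    private final Registration registration;
    private final RotatorService rotatorService;

    /** Builds a {@link RotatingCredentialProvider} together with its HTTP client. */
    public static final class Builder {
        private final String baseUrl;
        private CredentialStore credentialStore;
        private boolean debug;
        private final Registration registration;

        /**
         * @param registration registration data sent with every rotate request; must not be null
         * @param str base URL of the rotator service; must be non-empty and end with {@code /}
         * @throws IllegalArgumentException if the base URL does not end with {@code /}
         */
        public Builder(Registration registration, String str) {
            Validation.checkNotNull("Registration data cannot be null", registration);
            checkBaseUrl(str);
            this.registration = registration;
            this.baseUrl = str;
        }

        /**
         * Rejects an empty base URL or one without a trailing slash.
         *
         * <p>NOTE(review): the scheme is not checked here, so a plain {@code http://} URL passes
         * this validation although credentials and key material travel over this client. Confirm
         * that callers only ever supply {@code https://} URLs.
         */
        private void checkBaseUrl(String str) {
            Validation.checkNotNullOrEmpty("Base URL must be set", str);
            if (!str.endsWith("/")) {
                throw new IllegalArgumentException("Base URL must end with a /");
            }
        }

        /**
         * Creates the provider. A configured store is wrapped in a {@link CredentialMemoryCache};
         * without one an in-memory {@link MemoryStore} is used.
         *
         * <p>The effective store is kept in a local rather than written back to the builder, so
         * calling {@code build()} again neither wraps the cache a second time nor redirects the
         * signing interceptor of an earlier provider to a different store.
         */
        public RotatingCredentialProvider build() {
            final CredentialStore effectiveStore;
            if (this.credentialStore == null) {
                effectiveStore = new MemoryStore();
            } else {
                effectiveStore = new CredentialMemoryCache(this.credentialStore);
            }

            // Requests to the rotator are themselves transformed with whatever credential the
            // store currently holds, falling back to the initial credential.
            TransformerInterceptor transformerInterceptor = new TransformerInterceptor(
                    TransformerFactory.createSsgTransformer(new CredentialProvider() {
                        @Override
                        public Credential fetchCredentials() throws IOException {
                            Credential stored = effectiveStore.load();
                            return stored == null ? effectiveStore.loadInitial() : stored;
                        }

                        @Override
                        public AuthenticationMethod getAuthenticationMethod() {
                            return AuthenticationMethod.APP_INSTANCE;
                        }

                        @Override
                        public void invalidateCredentials() {
                            // Intentionally a no-op: this inner provider only reads the store.
                        }
                    }));

            OkHttpClient.Builder httpClient = new OkHttpClient.Builder();
            httpClient.addInterceptor(transformerInterceptor);
            if (this.debug) {
                // SECURITY: Level.BODY logs complete request and response bodies. On this client
                // that covers the secure-random response used to seed the key pair and the
                // encrypted secret returned by the rotate call, and, because this interceptor is
                // added after the transformer, the request as the transformer left it. Keep
                // debug off in release builds and treat any captured logs as sensitive.
                httpClient.addInterceptor(
                        new HttpLoggingInterceptor().setLevel(HttpLoggingInterceptor.Level.BODY));
            }

            RotatorService service = new Retrofit.Builder()
                    .baseUrl(this.baseUrl)
                    .addConverterFactory(MoshiConverterFactory.create(new Moshi.Builder().build()))
                    .client(httpClient.build())
                    .build()
                    .create(RotatorService.class);
            return new RotatingCredentialProvider(this.registration, service, effectiveStore);
        }

        /** Enables or disables HTTP body logging on the rotator client; see {@link #build()}. */
        public Builder debug(boolean z11) {
            this.debug = z11;
            return this;
        }

        /** Sets the persistent store that backs the in-memory cache. */
        public Builder store(CredentialStore credentialStore) {
            this.credentialStore = credentialStore;
            return this;
        }
    }

    private RotatingCredentialProvider(Registration registration, RotatorService rotatorService, CredentialStore credentialStore) {
        this.registration = registration;
        this.rotatorService = rotatorService;
        this.credentialStore = credentialStore;
        this.jsonAdapter = new Moshi.Builder().build().adapter(AppInstanceRequest.class);
    }

    /**
     * Builds the rotate request for a freshly generated key pair.
     *
     * <p>The request carries the Base64 public key plus a value computed over that string with
     * the hex-decoded key of the current credential. Presumably this is a signature or MAC that
     * proves possession of the current credential; the helper names are obfuscated, so confirm.
     */
    private Call<AppInstanceResponse> createRotateCall(Credential credential, KeyPair keyPair) throws GeneralSecurityException {
        String publicKeyBase64 = b.BASE64.encode(keyPair.getPublic().getEncoded());
        String publicKeySignature = d.a().b(b.HEX.decode(credential.getKey())).a(publicKeyBase64);
        AppInstanceRequest request = new AppInstanceRequest.Builder()
                .setTenantId(this.registration.getTenantIdentifier())
                .setOsType(this.registration.getOsType())
                .setPublicKeyBase64(publicKeyBase64)
                .setHardwareId(this.registration.getHardwareDescription())
                .setPublicKeySignature(publicKeySignature)
                .build();
        return this.rotatorService.rotateAppInstanceSecret(request);
    }

    /**
     * Performs one rotation round-trip: fetches a random value from the service, derives a key
     * pair, submits the public key and unwraps the returned secret.
     *
     * @param credential the credential currently in use; its key authenticates the rotate request
     * @return the new credential, or {@code null} if either call was unsuccessful or the rotate
     *     response carried no body or no app instance
     * @throws IOException if a call fails, the secure-random body is missing, or a crypto helper
     *     throws {@link GeneralSecurityException}
     */
    private Credential fromNetworkSync(Credential credential) throws IOException {
        try {
            long startNanos = System.nanoTime();
            // SecureRandom here is the API model class from provider.api.model, not
            // java.security.SecureRandom.
            Response<SecureRandom> randomResponse = this.rotatorService.getSecureRandom().execute();
            BigInteger elapsedNanos = BigInteger.valueOf(System.nanoTime() - startNanos);
            if (!randomResponse.isSuccessful()) {
                return null;
            }
            SecureRandom serverRandom = randomResponse.body();
            if (serverRandom == null) {
                throw new IOException("secure random missing");
            }

            // NOTE(review): the bytes handed to e.a are the server-supplied value XOR the
            // measured round-trip time; no on-device CSPRNG output is visible at this call site.
            // If e.a derives the key pair deterministically from these bytes, the private key is
            // only as unpredictable as the server value and the channel it arrived over. Confirm
            // what e.a does and whether it mixes in java.security.SecureRandom output.
            byte[] seed = new BigInteger(b.BASE64.decode(serverRandom.getSecureRandom()))
                    .xor(elapsedNanos)
                    .toByteArray();
            KeyPair keyPair = e.a(seed);

            Response<AppInstanceResponse> rotateResponse = createRotateCall(credential, keyPair).execute();
            if (!rotateResponse.isSuccessful() || rotateResponse.body() == null) {
                return null;
            }
            AppInstanceResponse.AppInstance appInstance = rotateResponse.body().getAppInstance();
            if (appInstance == null) {
                // Treat a body without an app instance like any other unusable response instead
                // of failing with a NullPointerException that the catch below would not wrap.
                return null;
            }
            // Presumably unwraps the returned secret with the new key pair (obfuscated helper).
            return new Credential(
                    appInstance.getAppInstanceId(),
                    c.a().b(keyPair).a(appInstance.getEncryptedSecret()),
                    appInstance.getSecretExpiresAt());
        } catch (IOException | GeneralSecurityException cause) {
            throw new IOException("Could not retrieve credentials", cause);
        }
    }

    /**
     * Returns whether {@code credential} needs rotating: it has no expiry, or it expires within
     * the rotation margin. A {@code null} credential never triggers rotation.
     */
    private boolean shouldRotate(Credential credential) {
        if (credential == null) {
            return false;
        }
        if (credential.getExpiresAt() == null) {
            return true;
        }
        return credential.getExpiresAt().longValue() - ROTATE_MARGIN_MILLIS < System.currentTimeMillis();
    }

    /**
     * Returns the stored credential, rotating it first when it is due.
     *
     * <p>NOTE(review): when rotation is due and the service answers without a usable credential,
     * this returns {@code null} even if the stored credential has not expired yet. Callers must
     * handle {@code null}.
     *
     * @throws IOException if the store or the rotation round-trip fails
     */
    @Override
    public Credential fetchCredentials() throws IOException {
        // Fast path without the lock: a stored credential that is not yet due for rotation.
        Credential cached = this.credentialStore.load();
        if (cached != null && !shouldRotate(cached)) {
            return cached;
        }
        synchronized (this.credentialStore) {
            // Re-read under the lock; another thread may have rotated in the meantime.
            Credential current = this.credentialStore.load();
            if (current == null) {
                current = this.credentialStore.loadInitial();
            }
            if (!shouldRotate(current)) {
                return current;
            }
            Credential rotated = fromNetworkSync(current);
            if (rotated != null) {
                this.credentialStore.save(rotated);
            }
            return rotated;
        }
    }

    @Override
    public AuthenticationMethod getAuthenticationMethod() {
        return AuthenticationMethod.APP_INSTANCE;
    }

    /** Clears the store under the same lock that guards rotation. */
    @Override
    public void invalidateCredentials() {
        synchronized (this.credentialStore) {
            this.credentialStore.clear();
        }
    }
}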
