package org.springframework.vault.authentication;

import java.nio.charset.StandardCharsets;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.time.Clock;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.springframework.util.Assert;
import org.springframework.util.Base64Utils;
import org.springframework.vault.VaultException;
import org.springframework.vault.support.PemObject;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/PcfAuthentication.class */
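/**
 * {@link ClientAuthentication} for Vault's PCF (Cloud Foundry) auth method.
 * <p>
 * A login request carries the role, the instance certificate, a signing time and an
 * RSA-PSS signature over {@code signing_time || cf_instance_cert || role}, produced with
 * the instance private key. The certificate and key are PEM strings obtained from the
 * suppliers configured on {@link PcfAuthenticationOptions}.
 * <p>
 * Thread-safety: instances hold only immutable references; the formatter is thread-safe.
 */
public class PcfAuthentication implements ClientAuthentication, AuthenticationStepsFactory {

    private static final Log logger = LogFactory.getLog(PcfAuthentication.class);

    /**
     * Format of the {@code signing_time} field. The literal {@code 'Z'} suffix labels the
     * value as UTC but nothing here converts the clock's zone, so the {@link Clock} handed
     * to {@link #getPcfLogin} is expected to be a UTC clock; with any other zone the
     * timestamp is mislabelled. NOTE(review): confirm the default supplied by
     * {@link PcfAuthenticationOptions#getClock()}.
     */
    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss'Z'");

    /**
     * RSA-PSS salt length in bytes. Presumably the maximum salt for a 2048-bit modulus with
     * SHA-256 (256 - 32 - 2 = 222); a smaller instance key would make signing fail — verify
     * against the key size PCF issues.
     */
    private static final int SALT_LENGTH = 222;

    private final PcfAuthenticationOptions options;

    private final RestOperations restOperations;

    /**
     * Create a new {@link PcfAuthentication}.
     * @param pcfAuthenticationOptions must not be {@literal null}.
     * @param restOperations must not be {@literal null}.
     * @throws IllegalArgumentException if either argument is {@literal null}.
     */
    public PcfAuthentication(PcfAuthenticationOptions pcfAuthenticationOptions, RestOperations restOperations) {
        Assert.notNull(pcfAuthenticationOptions, "PcfAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        this.options = pcfAuthenticationOptions;
        this.restOperations = restOperations;
    }

    /**
     * Creates the {@link AuthenticationSteps} for PCF authentication: both suppliers are
     * evaluated, the login body is built from their values, and the result is posted to the
     * login path.
     * @param pcfAuthenticationOptions must not be {@literal null}.
     * @return the authentication steps.
     * @throws IllegalArgumentException if {@code pcfAuthenticationOptions} is {@literal null}.
     */
    public static AuthenticationSteps createAuthenticationSteps(PcfAuthenticationOptions pcfAuthenticationOptions) {
        Assert.notNull(pcfAuthenticationOptions, "PcfAuthenticationOptions must not be null");
        return AuthenticationSteps.fromSupplier(pcfAuthenticationOptions.getInstanceCertSupplier())
                .zipWith(AuthenticationSteps.fromSupplier(pcfAuthenticationOptions.getInstanceKeySupplier()))
                .map(credentials -> getPcfLogin(pcfAuthenticationOptions.getRole(),
                        pcfAuthenticationOptions.getClock(), credentials.getLeft(), credentials.getRight()))
                .login(AuthenticationUtil.getLoginPath(pcfAuthenticationOptions.getPath()));
    }

    /**
     * Performs the login by posting a freshly signed login body to Vault.
     * @return the {@link VaultToken} from the {@code auth} section of the response.
     * @throws VaultException if the response has no {@code auth} section or signing fails;
     * transport failures are wrapped as {@link VaultLoginException}.
     */
    @Override
    public VaultToken login() throws VaultException {
        try {
            // The suppliers are evaluated inside the try so that a supplier raising a
            // RestClientException is reported as a login failure like any other.
            Map<String, String> loginBody = getPcfLogin(this.options.getRole(), this.options.getClock(),
                    this.options.getInstanceCertSupplier().get(), this.options.getInstanceKeySupplier().get());
            VaultResponse response = this.restOperations.postForObject(
                    AuthenticationUtil.getLoginPath(this.options.getPath()), loginBody, VaultResponse.class);
            Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
            logger.debug("Login successful using PCF authentication");
            return LoginTokenUtil.from(response.getAuth());
        } catch (RestClientException e) {
            throw VaultLoginException.create("PCF", e);
        }
    }

    @Override
    public AuthenticationSteps getAuthenticationSteps() {
        return createAuthenticationSteps(this.options);
    }

    /**
     * Builds the PCF login request body. The decompiler reports this method was originally
     * {@code private}; it is kept {@code public} only to preserve the interface seen here and
     * is not intended as API.
     * @param role the Vault role, must not be empty.
     * @param clock clock used for {@code signing_time} (see {@link #TIME_FORMAT} on zone).
     * @param instanceCertificate the PEM instance certificate, sent verbatim as
     * {@code cf_instance_cert} and included in the signed message.
     * @param instanceKey the PEM private key used to sign; it is never sent to Vault.
     * @return a mutable map holding {@code role}, {@code cf_instance_cert},
     * {@code signing_time} and {@code signature}.
     * @throws IllegalArgumentException if {@code role} is empty.
     * @throws VaultException if signing fails.
     */
    public static Map<String, String> getPcfLogin(String role, Clock clock, String instanceCertificate,
            String instanceKey) {
        Assert.hasText(role, "Role must not be empty");
        String signingTime = TIME_FORMAT.format(LocalDateTime.now(clock));
        String signature = sign(getMessage(role, signingTime, instanceCertificate), instanceKey);
        // Kept as a HashMap (not Map.of) so null certificate values behave as before.
        Map<String, String> loginBody = new HashMap<>();
        loginBody.put("role", role);
        loginBody.put("cf_instance_cert", instanceCertificate);
        loginBody.put("signing_time", signingTime);
        loginBody.put("signature", signature);
        return loginBody;
    }

    /**
     * Signs {@code message} with the PEM private key and returns the encoded signature.
     * The message is encoded as US-ASCII; any non-ASCII character in the role or
     * certificate would be replaced by {@code '?'} before signing rather than rejected.
     * @throws VaultException wrapping the {@link CryptoException} if signing fails.
     */
    private static String sign(String message, String privateKeyPem) {
        try {
            return doSign(message.getBytes(StandardCharsets.US_ASCII), privateKeyPem);
        } catch (CryptoException e) {
            throw new VaultException("Cannot sign PCF login", e);
        }
    }

    /**
     * Concatenates the signed message in the order Vault expects:
     * {@code signingTime || certificate || role}.
     */
    private static String getMessage(String role, String signingTime, String certificate) {
        return signingTime + certificate + role;
    }

    /**
     * Produces an RSA-PSS (SHA-256, {@link #SALT_LENGTH}) signature over {@code payload} and
     * encodes it as URL-safe Base64.
     * <p>
     * Only the modulus and private exponent are taken from the parsed key spec; the CRT
     * parameters are not used. The key arrives as a {@link String}, so the key material
     * cannot be zeroed after use.
     * @param payload bytes to sign.
     * @param privateKeyPem PEM-encoded RSA private key.
     * @throws CryptoException if the signer cannot produce a signature.
     */
    private static String doSign(byte[] payload, String privateKeyPem) throws CryptoException {
        RSAPrivateCrtKeySpec keySpec = PemObject.fromKey(privateKeyPem).getRSAKeySpec();
        PSSSigner signer = new PSSSigner(new RSAEngine(), new SHA256Digest(), SALT_LENGTH);
        signer.init(true, new RSAKeyParameters(true, keySpec.getModulus(), keySpec.getPrivateExponent()));
        signer.update(payload, 0, payload.length);
        return Base64Utils.encodeToUrlSafeString(signer.generateSignature());
    }

}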
