package dev.responsive.kafka.internal.license;

import com.fasterxml.jackson.databind.ObjectMapper;
import dev.responsive.kafka.internal.license.exception.LicenseAuthenticationException;
import dev.responsive.kafka.internal.license.model.LicenseDocument;
import dev.responsive.kafka.internal.license.model.LicenseDocumentV1;
import dev.responsive.kafka.internal.license.model.LicenseInfo;
import dev.responsive.kafka.internal.license.model.SigningKeys;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Objects;

/* loaded from: input_file:dev/responsive/kafka/internal/license/LicenseAuthenticator.class */
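/**
 * Authenticates a license document by verifying its signature against a
 * configured set of signing keys and, only on success, parsing the signed
 * payload into a {@link LicenseInfo}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The signature scheme is pinned. The document's {@code algo} field is
 *       only compared against the single accepted value; it is never used to
 *       select a JCA algorithm or its parameters.</li>
 *   <li>The verification key is resolved through {@link SigningKeys}. The
 *       document supplies only the value passed to {@code lookupKey}; the key
 *       bytes are read from the path recorded on the resolved signing key.</li>
 *   <li>The bytes handed to the JSON parser are the very array that was fed to
 *       the signature check, so nothing is parsed that was not verified.</li>
 * </ul>
 */
public class LicenseAuthenticator {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** The only {@code algo} value accepted in a V1 license document. */
    private static final String LICENSE_V1_ALGO = "RSASSA_PSS_SHA_256";

    /** Salt length, in bytes, of the PSS encoding (matches the SHA-256 digest size). */
    private static final int PSS_SALT_LENGTH = 32;

    /** PSS trailer field value passed to {@link PSSParameterSpec}. */
    private static final int PSS_TRAILER_FIELD = 1;

    private final SigningKeys signingKeys;

    /**
     * @param signingKeys the keys that license signatures are checked against
     * @throws NullPointerException if {@code signingKeys} is {@code null}
     */
    public LicenseAuthenticator(SigningKeys signingKeys) {
        this.signingKeys = Objects.requireNonNull(signingKeys);
    }

    /**
     * Verifies the signature of the given license document and returns the
     * license information it carries.
     *
     * @param licenseDocument the document to authenticate
     * @return the license information parsed from the verified payload
     * @throws NullPointerException if {@code licenseDocument} is {@code null}
     * @throws IllegalArgumentException if the document type or its {@code algo}
     *     value is not recognized
     * @throws LicenseAuthenticationException if the signature does not match
     *     the payload
     */
    public LicenseInfo authenticate(LicenseDocument licenseDocument) {
        // Fail with a named NPE instead of the anonymous one getClass() would raise below.
        Objects.requireNonNull(licenseDocument, "licenseDocument");
        if (licenseDocument instanceof LicenseDocumentV1) {
            return authenticateLicenseV1((LicenseDocumentV1) licenseDocument);
        }
        throw new IllegalArgumentException("unrecognized license doc type: " + licenseDocument.getClass().getName());
    }

    /**
     * Verifies a V1 document and deserializes its payload.
     *
     * <p>Parsing happens strictly after verification and operates on the bytes
     * returned by {@link #verifyLicenseV1Signature}, never on a second decode of
     * the document.
     */
    private LicenseInfo authenticateLicenseV1(LicenseDocumentV1 licenseDocumentV1) {
        final byte[] verifiedInfo = verifyLicenseV1Signature(licenseDocumentV1);
        try {
            return MAPPER.readValue(verifiedInfo, LicenseInfo.class);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks the RSASSA-PSS signature (SHA-256 digest, MGF1 with SHA-256) of a
     * V1 document.
     *
     * @return the decoded payload bytes that the signature was verified over
     * @throws IllegalArgumentException if {@code algo} is missing or is not the
     *     accepted value
     * @throws LicenseAuthenticationException if the signature does not match
     */
    private byte[] verifyLicenseV1Signature(LicenseDocumentV1 licenseDocumentV1) {
        // Constant-first comparison: a document with no algo is rejected with the same
        // IllegalArgumentException as an unknown one instead of a NullPointerException.
        // The echoed value is taken from the not-yet-verified document.
        if (!LICENSE_V1_ALGO.equals(licenseDocumentV1.algo())) {
            throw new IllegalArgumentException("unrecognized license algo: " + licenseDocumentV1.algo());
        }
        // NOTE(review): what lookupKey does for an unknown key id is not visible here —
        // confirm that it fails rather than returning null or a fallback key.
        final PublicKey publicKey = loadPublicKey(this.signingKeys.lookupKey(licenseDocumentV1.key()));
        try {
            final Signature verifier = Signature.getInstance("RSASSA-PSS");
            verifier.setParameter(
                new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSS_SALT_LENGTH, PSS_TRAILER_FIELD));
            verifier.initVerify(publicKey);
            final byte[] info = licenseDocumentV1.decodeInfo();
            verifier.update(info);
            if (!verifier.verify(licenseDocumentV1.decodeSignature())) {
                throw new LicenseAuthenticationException("license info did not match signature");
            }
            // Hand back the exact array that was verified so the caller parses nothing else.
            return info;
        } catch (GeneralSecurityException e) {
            // NOTE(review): verify() can raise SignatureException for an improperly encoded
            // signature; that path ends here as a plain RuntimeException rather than a
            // LicenseAuthenticationException. It still fails closed, but callers that
            // handle only LicenseAuthenticationException will not treat it as a rejection.
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds an RSA public key from the X.509-encoded bytes that
     * {@code PublicKeyPemFileParser} returns for the signing key's path.
     */
    private PublicKey loadPublicKey(SigningKeys.SigningKey signingKey) {
        try {
            final byte[] encodedKey = PublicKeyPemFileParser.parsePemFileInResource(signingKey.path());
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(encodedKey));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }
}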
