package ai.vespa.hosted.api;

import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.SignatureUtils;
import java.io.InputStream;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Clock;
import java.util.Base64;
import java.util.Objects;
import java.util.function.Supplier;

/* loaded from: input_file:ai/vespa/hosted/api/RequestSigner.class */
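/**
 * Signs outgoing HTTP requests with an ECDSA private key (SHA-256 with ECDSA).
 *
 * <p>What the signature covers: the HTTP method name, the request URI, a timestamp taken from
 * the configured {@link Clock}, and the Base64 encoded SHA-256 digest of the request body.
 * Request headers other than the ones set by {@link #signed} are <em>not</em> part of the
 * signed message, so a verifier must not treat them as authenticated by this signature.
 *
 * <p>Only public material leaves this class: the key id, the Base64 encoded PEM of the public
 * key derived from the private key, and the signature itself. The private key is held solely
 * inside the {@link Signature} instance.
 *
 * <p><b>Thread-safety:</b> not thread-safe. A single stateful {@link Signature} instance is
 * shared by all calls to {@link #signed}; concurrent calls on the same {@code RequestSigner}
 * can interleave {@code update}/{@code sign} and yield invalid signatures. Use one instance
 * per thread, or synchronize externally.
 */
public class RequestSigner {
    // Stateful JCA signer initialised with the private key; reused across signed() calls.
    private final Signature signer;
    // Identifier sent in X-Key-Id so the receiver can tell which key signed the request.
    private final String keyId;
    // Base64(UTF-8 bytes of the PEM encoded public key), sent in X-Key.
    private final String base64PemPublicKey;
    // Source of the timestamp that is both signed and sent in X-Timestamp.
    private final Clock clock;

    /**
     * Creates a signer from a PEM encoded private key, using the system UTC clock.
     *
     * @param str  PEM encoded private key
     * @param str2 key id to send with each signed request
     */
    public RequestSigner(String str, String str2) {
        this(str, str2, Clock.systemUTC());
    }

    /**
     * Creates a signer from a PEM encoded private key with a caller-supplied clock.
     *
     * @param str   PEM encoded private key
     * @param str2  key id to send with each signed request
     * @param clock clock used for the signed timestamp
     */
    public RequestSigner(String str, String str2, Clock clock) {
        this(KeyUtils.fromPemEncodedPrivateKey(str), str2, clock);
    }

    /**
     * Creates a signer from an already parsed private key.
     *
     * @param privateKey private key used to sign; the matching public key is derived from it
     * @param str        key id to send with each signed request
     * @param clock      clock used for the signed timestamp
     * @throws NullPointerException if any argument is {@code null}
     */
    public RequestSigner(PrivateKey privateKey, String str, Clock clock) {
        // Fail at construction rather than at the first signed() call, where a null key id or
        // clock would otherwise surface only after the request builder was partly modified.
        Objects.requireNonNull(privateKey, "privateKey");
        this.keyId = Objects.requireNonNull(str, "keyId");
        this.clock = Objects.requireNonNull(clock, "clock");
        this.signer = SignatureUtils.createSigner(privateKey, SignatureAlgorithm.SHA256_WITH_ECDSA);
        String publicKeyPem = KeyUtils.toPem(KeyUtils.extractPublicKey(privateKey));
        this.base64PemPublicKey =
                Base64.getEncoder().encodeToString(publicKeyPem.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Completes, signs and builds the given request.
     *
     * <p>The given builder is modified in place: its method and body are set from the
     * arguments and the headers {@code X-Timestamp}, {@code X-Content-Hash}, {@code X-Key-Id},
     * {@code X-Key} and {@code X-Authorization} are set (replacing any existing values).
     *
     * <p>The supplier is used twice: once to hash the body for the signature and once as the
     * body publisher's source. It must therefore return a fresh stream with identical content
     * on every call; otherwise the body actually sent will not match the signed content hash.
     *
     * @param builder  request builder with the target URI already set
     * @param method   HTTP method to sign and send
     * @param supplier supplier of the request body stream
     * @return the built request carrying the signature headers
     * @throws NullPointerException     if any argument is {@code null}
     * @throws IllegalStateException    if the builder has no URI set (thrown by {@code build()})
     * @throws IllegalArgumentException if the underlying signer fails, wrapping the
     *                                  {@link SignatureException}
     */
    public HttpRequest signed(HttpRequest.Builder builder, Method method, Supplier<InputStream> supplier) {
        // Validate up front so no header is written and no signer state is touched on bad input.
        Objects.requireNonNull(builder, "builder");
        Objects.requireNonNull(method, "method");
        Objects.requireNonNull(supplier, "supplier");
        try {
            String timestamp = this.clock.instant().toString();
            String contentHash = Base64.getEncoder().encodeToString(Signatures.sha256Digest(supplier::get));

            // Build a copy only to read the URI; the caller's builder is finalised further down.
            this.signer.update(Signatures.canonicalMessageOf(
                    method.name(), builder.copy().build().uri(), timestamp, contentHash));
            String signature = Base64.getEncoder().encodeToString(this.signer.sign());

            // The timestamp and content hash sent here are exactly the values that were signed.
            builder.setHeader("X-Timestamp", timestamp);
            builder.setHeader("X-Content-Hash", contentHash);
            builder.setHeader("X-Key-Id", this.keyId);
            builder.setHeader("X-Key", this.base64PemPublicKey);
            builder.setHeader("X-Authorization", signature);
            builder.method(method.name(), HttpRequest.BodyPublishers.ofInputStream(supplier));
            return builder.build();
        } catch (SignatureException e) {
            throw new IllegalArgumentException(e);
        }
    }
}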
