package net.jsign.jca;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.jsign.DigestAlgorithm;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DigestInfo;

/* loaded from: input_file:net/jsign/jca/AzureKeyVaultSigningService.class */
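/**
 * {@link SigningService} implementation that delegates signing to the Azure Key Vault
 * REST API (every request in this class uses {@code api-version=7.2}).
 *
 * <p>Only the digest of the data is sent to the service; the private key is referenced
 * by its key identifier and is never handled by this class.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The bearer token passed to the constructor is attached to every request. If the
 *       vault argument is an explicit {@code http://} URL the token travels in cleartext;
 *       production callers should pass a vault name or an {@code https://} URL.</li>
 *   <li>Certificate aliases are concatenated into the request path without encoding
 *       (see {@link #getCertificateInfo(String)}).</li>
 *   <li>{@code SHA1withRSA} is still mapped (to {@code RSNULL}); SHA-1 is a legacy digest
 *       and should only be used where compatibility demands it.</li>
 * </ul>
 *
 * <p>The certificate cache is a plain {@link HashMap}; nothing in this class synchronizes
 * access to it.
 */
public class AzureKeyVaultSigningService implements SigningService {
    /** REST client bound to the vault endpoint and carrying the bearer token. */
    private final RESTClient client;

    /** Certificate descriptions returned by the service, cached per alias. */
    private final Map<String, Map<String, ?>> certificates = new HashMap<>();

    /** Maps JCA signature algorithm names to the algorithm identifiers sent to the service. */
    private final Map<String, String> algorithmMapping = new HashMap<>();

    /**
     * Creates a signing service for one vault.
     *
     * @param str  the vault name, or the full URL of the vault endpoint. A bare name is
     *             expanded to {@code https://<name>.vault.azure.net}.
     * @param str2 the OAuth bearer token sent in the {@code Authorization} header
     */
    public AzureKeyVaultSigningService(String str, String str2) {
        algorithmMapping.put("SHA1withRSA", "RSNULL");
        algorithmMapping.put("SHA256withRSA", "RS256");
        algorithmMapping.put("SHA384withRSA", "RS384");
        algorithmMapping.put("SHA512withRSA", "RS512");
        algorithmMapping.put("SHA256withECDSA", "ES256");
        algorithmMapping.put("SHA384withECDSA", "ES384");
        algorithmMapping.put("SHA512withECDSA", "ES512");
        algorithmMapping.put("SHA256withRSA/PSS", "PS256");
        algorithmMapping.put("SHA384withRSA/PSS", "PS384");
        algorithmMapping.put("SHA512withRSA/PSS", "PS512");

        // Only a real URL scheme marks the argument as an endpoint. A bare "http" prefix
        // test would also match a vault whose name merely begins with "http" and build a
        // malformed endpoint from it.
        boolean explicitUrl = str.startsWith("http://") || str.startsWith("https://");
        String endpoint = explicitUrl ? str : "https://" + str + ".vault.azure.net";

        // The token is captured by the lambda for the lifetime of the client; it must not
        // be logged or included in exception messages.
        this.client = new RESTClient(endpoint)
                .authentication(connection -> connection.setRequestProperty("Authorization", "Bearer " + str2))
                .errorHandler(response -> {
                    Object error = response.get("error");
                    if (!(error instanceof Map)) {
                        // No structured "error" object: fall back to the raw response
                        // instead of failing with a NullPointerException/ClassCastException
                        // that would hide the actual service error.
                        return String.valueOf(response);
                    }
                    Map<?, ?> details = (Map<?, ?>) error;
                    return details.get("code") + ": " + details.get("message");
                });
    }

    @Override
    public String getName() {
        return "AzureKeyVault";
    }

    /**
     * Returns the certificate description for an alias, fetching it from the service on
     * first use and serving it from the cache afterwards.
     *
     * @param str the certificate alias
     * @return the parsed response of {@code GET /certificates/<alias>}
     * @throws IOException if the request fails
     */
    private Map<String, ?> getCertificateInfo(String str) throws IOException {
        if (!certificates.containsKey(str)) {
            // NOTE(review): the alias is placed in the path as-is. An alias containing
            // '/', '?' or '#' would change the resource being requested; callers taking
            // aliases from untrusted input should validate them first.
            certificates.put(str, client.get("/certificates/" + str + "?api-version=7.2"));
        }
        return certificates.get(str);
    }

    /**
     * Lists the certificate names available in the vault.
     *
     * @return the last path segment of each certificate id returned by the service; an
     *         empty list if the request failed while running under jarsigner
     * @throws KeyStoreException if the request fails and the caller is not jarsigner
     */
    @Override
    public List<String> aliases() throws KeyStoreException {
        List<String> names = new ArrayList<>();
        try {
            Object[] entries = (Object[]) client.get("/certificates?api-version=7.2").get("value");
            for (Object entry : entries) {
                String id = (String) ((Map<?, ?>) entry).get("id");
                names.add(id.substring(id.lastIndexOf('/') + 1));
            }
        } catch (IOException e) {
            // Deliberate best effort: under jarsigner a failed listing is reported as
            // "no aliases" rather than as an error (presumably because the token may not
            // be allowed to list certificates even though it can sign - confirm).
            if (!isCalledByJarSigner(e.getStackTrace())) {
                throw new KeyStoreException("Unable to retrieve Azure Key Vault certificate aliases", e);
            }
        }
        return names;
    }

    /**
     * Tells whether any frame of the given stack trace belongs to a class whose name
     * contains {@code "jarsigner"}.
     */
    private boolean isCalledByJarSigner(StackTraceElement[] stackTraceElementArr) {
        for (StackTraceElement frame : stackTraceElementArr) {
            if (frame.getClassName().contains("jarsigner")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the certificate stored under the alias as a single-element chain.
     *
     * @param str the certificate alias
     * @return an array holding the X.509 certificate decoded from the {@code cer}
     *         attribute, or {@code null} if the service reports the certificate as not found
     * @throws KeyStoreException if the certificate cannot be fetched or parsed
     */
    @Override
    public Certificate[] getCertificateChain(String str) throws KeyStoreException {
        try {
            String encoded = (String) getCertificateInfo(str).get("cer");
            byte[] der = Base64.getDecoder().decode(encoded);
            Certificate certificate =
                    CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
            return new Certificate[] {certificate};
        } catch (IOException | CertificateException e) {
            // A missing certificate is recognised by the wording of the service error; any
            // other failure is surfaced to the caller.
            String message = e.getMessage();
            if (message == null || !message.contains("was not found in this key vault")) {
                throw new KeyStoreException("Unable to retrieve Azure Key Vault certificate '" + str + "'", e);
            }
            return null;
        }
    }

    /**
     * Builds a handle on the private key associated with a certificate.
     *
     * @param str  the certificate alias
     * @param cArr the key password; not used by this implementation
     * @return a key whose id is the {@code kid} of the certificate and whose algorithm is
     *         the key type from the certificate policy with any {@code -HSM} suffix removed
     * @throws UnrecoverableKeyException if the certificate description cannot be fetched
     */
    @Override
    public SigningServicePrivateKey getPrivateKey(String str, char[] cArr) throws UnrecoverableKeyException {
        try {
            Map<String, ?> info = getCertificateInfo(str);
            String keyId = (String) info.get("kid");
            Map<?, ?> policy = (Map<?, ?>) info.get("policy");
            Map<?, ?> keyProperties = (Map<?, ?>) policy.get("key_props");
            String keyType = ((String) keyProperties.get("kty")).replace("-HSM", "");
            return new SigningServicePrivateKey(keyId, keyType, this);
        } catch (IOException e) {
            // UnrecoverableKeyException has no (message, cause) constructor.
            throw (UnrecoverableKeyException) new UnrecoverableKeyException(
                    "Unable to fetch Azure Key Vault private key for the certificate '" + str + "'").initCause(e);
        }
    }

    /**
     * Signs data with a key held by the service. The data is hashed locally and only the
     * digest is transmitted.
     *
     * @param signingServicePrivateKey the key returned by {@link #getPrivateKey}
     * @param str                      the JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param bArr                     the data to sign
     * @return the signature bytes decoded from the service response
     * @throws InvalidAlgorithmParameterException if the algorithm has no mapping
     * @throws GeneralSecurityException if encoding the digest or calling the service fails
     */
    @Override
    public byte[] sign(SigningServicePrivateKey signingServicePrivateKey, String str, byte[] bArr) throws GeneralSecurityException {
        String serviceAlgorithm = algorithmMapping.get(str);
        if (serviceAlgorithm == null) {
            throw new InvalidAlgorithmParameterException("Unsupported signing algorithm: " + str);
        }

        // Every mapped name contains a lowercase "with", so no case folding (and therefore
        // no dependence on the default locale) is needed to locate the digest name.
        DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(str.substring(0, str.indexOf("with")));
        byte[] payload = digestAlgorithm.getMessageDigest().digest(bArr);

        if ("RSNULL".equals(serviceAlgorithm)) {
            // RSNULL carries no hash identifier of its own, so the digest is wrapped in a
            // DER-encoded DigestInfo before being sent. This branch is only reached for
            // SHA1withRSA, which is a legacy algorithm.
            try {
                AlgorithmIdentifier identifier = new AlgorithmIdentifier(digestAlgorithm.oid, DERNull.INSTANCE);
                payload = new DigestInfo(identifier, payload).getEncoded("DER");
            } catch (IOException e) {
                throw new GeneralSecurityException(e);
            }
        }

        // NOTE(review): the request value uses the standard Base64 alphabet while the
        // response is decoded as base64url - confirm the service accepts both.
        Map<String, Object> request = new HashMap<>();
        request.put("alg", serviceAlgorithm);
        request.put("value", Base64.getEncoder().encodeToString(payload));

        try {
            Map<String, ?> response =
                    client.post(signingServicePrivateKey.getId() + "/sign?api-version=7.2", JsonWriter.format(request));
            return Base64.getUrlDecoder().decode((String) response.get("value"));
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }
}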
