package net.jsign.jca;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import net.jsign.DigestAlgorithm;

/* loaded from: input_file:net/jsign/jca/SignServerSigningService.class */
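/**
 * Signing service that delegates signature creation to the REST interface of a SignServer
 * instance ({@code /rest/v1/workers/<worker>/process}).
 *
 * <p>The key alias is the worker name. When the alias ends with {@code |serverside} the full
 * data is sent to the worker and hashed there; otherwise the digest is computed locally and
 * only the hash is sent ({@code USING_CLIENTSUPPLIED_HASH=true}).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Basic credentials are only Base64-encoded. The {@code Authorization} header is set
 *       whether or not the connection is HTTPS, so the endpoint should be an {@code https://}
 *       URL.</li>
 *   <li>The client certificate is only installed on {@link HttpsURLConnection}s; with a plain
 *       HTTP endpoint a configured keystore is silently unused.</li>
 *   <li>The worker name is concatenated into the request path without escaping.</li>
 *   <li>The signer certificate returned by the server is parsed and cached as-is; no chain or
 *       trust validation happens in this class.</li>
 * </ul>
 */
public class SignServerSigningService implements SigningService {

    /** Alias suffix requesting that the worker hashes the data itself. */
    private static final String SERVERSIDE_SUFFIX = "|serverside";

    /**
     * Base64 form of the SHA-256 digest of the empty input. It is sent as a placeholder hash
     * when a worker is probed for its signer certificate.
     */
    private static final String EMPTY_SHA256_BASE64 = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";

    /** Signer certificates already fetched, keyed by the alias exactly as supplied by the caller. */
    private final Map<String, Certificate[]> certificates = new HashMap<>();

    private final RESTClient client;

    /**
     * Creates the service for the given SignServer endpoint.
     *
     * @param str                   base URL of the SignServer REST API
     * @param signServerCredentials optional username/password and optional client keystore
     */
    public SignServerSigningService(String str, SignServerCredentials signServerCredentials) {
        this.client = new RESTClient(str).authentication(conn -> {
            if ((conn instanceof HttpsURLConnection) && signServerCredentials.keystore != null) {
                try {
                    // Fail with a descriptive error instead of a bare ClassCastException/NPE when
                    // the keystore is not protected by a plain password.
                    Object protection = signServerCredentials.keystore.getProtectionParameter("");
                    if (!(protection instanceof KeyStore.PasswordProtection)) {
                        throw new KeyStoreException("The SignServer client keystore must be password protected");
                    }
                    char[] password = ((KeyStore.PasswordProtection) protection).getPassword();

                    KeyManagerFactory keyManagers = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    keyManagers.init(signServerCredentials.keystore.getKeyStore(), password);

                    // Trust managers are left null so the JSSE defaults stay in charge of
                    // validating the server certificate; only the client identity is customized.
                    SSLContext context = SSLContext.getInstance("TLS");
                    context.init(keyManagers.getKeyManagers(), null, new SecureRandom());
                    ((HttpsURLConnection) conn).setSSLSocketFactory(context.getSocketFactory());
                } catch (GeneralSecurityException e) {
                    throw new RuntimeException("Unable to load the SignServer client certificate", e);
                }
            }
            if (signServerCredentials.username != null) {
                // Basic auth is reversible encoding, not encryption: confidentiality of these
                // credentials depends entirely on the transport being TLS.
                String password = signServerCredentials.password == null ? "" : signServerCredentials.password;
                byte[] userInfo = (signServerCredentials.username + ":" + password).getBytes(StandardCharsets.UTF_8);
                conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(userInfo));
            }
        }).errorHandler(response -> (String) response.get("error"));
    }

    /** Returns the display name of this signing service. */
    @Override
    public String getName() {
        return "SignServer";
    }

    /**
     * Returns the known aliases. This implementation does not enumerate workers and always
     * returns an empty list; the worker name has to be supplied by the caller.
     */
    @Override
    public List<String> aliases() throws KeyStoreException {
        return Collections.emptyList();
    }

    /**
     * Returns the signer certificate of the worker designated by the alias, as a one-element
     * array. The certificate is obtained by posting a placeholder signing request to the worker
     * and reading the {@code signerCertificate} field of the response, so the first lookup of an
     * alias goes through the worker's {@code process} endpoint. Results are cached per alias.
     *
     * @param str worker name, optionally suffixed with {@code |serverside}
     * @return the cached or freshly fetched certificate (leaf only, not validated here)
     * @throws KeyStoreException if the request fails or the response holds no usable certificate
     */
    @Override
    public Certificate[] getCertificateChain(String str) throws KeyStoreException {
        if (!certificates.containsKey(str)) {
            try {
                Map<String, Object> request = new HashMap<>();
                Map<String, String> metadata = new HashMap<>();
                if (isServerSide(str)) {
                    request.put("data", "");
                    metadata.put("USING_CLIENTSUPPLIED_HASH", "false");
                } else {
                    request.put("data", EMPTY_SHA256_BASE64);
                    request.put("encoding", "BASE64");
                    metadata.put("USING_CLIENTSUPPLIED_HASH", "true");
                    metadata.put("CLIENTSIDE_HASHDIGESTALGORITHM", "SHA-256");
                }
                request.put("metaData", metadata);

                Object encoded = client.post(processPath(workerName(str)), JsonWriter.format(request)).get("signerCertificate");
                if (encoded == null) {
                    throw new IOException("No signer certificate in the SignServer response");
                }
                byte[] der = Base64.getDecoder().decode(encoded.toString());
                Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
                certificates.put(str, new Certificate[]{certificate});
            } catch (Exception e) {
                throw new KeyStoreException("Unable to retrieve the certificate chain '" + str + "'", e);
            }
        }
        return certificates.get(str);
    }

    /**
     * Returns a handle on the remote key of the worker. No key material is fetched; the key
     * algorithm is taken from the public key of the signer certificate.
     *
     * @param str  worker name, optionally suffixed with {@code |serverside}
     * @param cArr unused, authentication is configured on the service itself
     * @throws UnrecoverableKeyException if the signer certificate cannot be retrieved
     */
    @Override
    public SigningServicePrivateKey getPrivateKey(String str, char[] cArr) throws UnrecoverableKeyException {
        try {
            String keyAlgorithm = getCertificateChain(str)[0].getPublicKey().getAlgorithm();
            return new SigningServicePrivateKey(str, keyAlgorithm, this);
        } catch (KeyStoreException e) {
            UnrecoverableKeyException failure = new UnrecoverableKeyException("Unable to access the SignServer key '" + str + "'");
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Signs the data with the worker behind the specified key.
     *
     * @param signingServicePrivateKey key handle whose id is the alias (worker name, optionally
     *                                 suffixed with {@code |serverside})
     * @param str                      JCA signature algorithm name of the form
     *                                 {@code <digest>with<key>}; only read for client-side hashing
     * @param bArr                     the data to sign
     * @return the signature decoded from the {@code data} field of the response
     * @throws GeneralSecurityException if the algorithm cannot be mapped to a digest, the
     *                                  request fails, or the response carries no signature
     */
    @Override
    public byte[] sign(SigningServicePrivateKey signingServicePrivateKey, String str, byte[] bArr) throws GeneralSecurityException {
        String alias = signingServicePrivateKey.getId();

        Map<String, Object> request = new HashMap<>();
        Map<String, String> metadata = new HashMap<>();
        if (isServerSide(alias)) {
            request.put("data", Base64.getEncoder().encodeToString(bArr));
            metadata.put("USING_CLIENTSUPPLIED_HASH", "false");
        } else {
            // Locale.ROOT keeps the lookup independent of the default locale (under a Turkish
            // locale "WITH" lower-cases to a dotless i and the search would fail).
            int separator = str.toLowerCase(Locale.ROOT).indexOf("with");
            if (separator < 0) {
                throw new GeneralSecurityException("Unsupported signature algorithm: " + str);
            }
            DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(str.substring(0, separator));
            if (digestAlgorithm == null) {
                // Guard in case the lookup yields no match for the digest name.
                throw new GeneralSecurityException("Unsupported digest algorithm in: " + str);
            }
            request.put("data", Base64.getEncoder().encodeToString(digestAlgorithm.getMessageDigest().digest(bArr)));
            metadata.put("USING_CLIENTSUPPLIED_HASH", "true");
            metadata.put("CLIENTSIDE_HASHDIGESTALGORITHM", digestAlgorithm.id);
        }
        request.put("metaData", metadata);
        request.put("encoding", "BASE64");

        try {
            String signature = (String) client.post(processPath(workerName(alias)), JsonWriter.format(request)).get("data");
            if (signature == null) {
                throw new GeneralSecurityException("No signature in the SignServer response");
            }
            return Base64.getDecoder().decode(signature);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /** Tells whether the alias requests hashing on the server. */
    private static boolean isServerSide(String alias) {
        return alias.endsWith(SERVERSIDE_SUFFIX);
    }

    /** Strips the optional server-side marker from the alias, leaving the worker name. */
    private static String workerName(String alias) {
        return isServerSide(alias) ? alias.substring(0, alias.length() - SERVERSIDE_SUFFIX.length()) : alias;
    }

    /**
     * Builds the resource path of the worker's process endpoint.
     * NOTE(review): the worker name is inserted verbatim, so a name containing '/', '?' or '#'
     * changes the resource the authenticated request is sent to. Aliases should come from
     * trusted configuration only; consider validating or escaping them.
     */
    private static String processPath(String worker) {
        return "/rest/v1/workers/" + worker + "/process";
    }
}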
