package net.jsign.jca;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;
import net.jsign.DigestAlgorithm;

/* loaded from: input_file:net/jsign/jca/GoogleCloudSigningService.class */
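/**
 * {@link SigningService} implementation that delegates signing to a remote key
 * management REST API (by default {@code https://cloudkms.googleapis.com/v1/}).
 *
 * <p>The private key never reaches this process: {@link #sign} hashes the data
 * locally and posts only the digest to the {@code :asymmetricSign} operation of
 * the key version.
 *
 * <p>Instances hold a bearer access token for their whole lifetime and cache
 * resolved keys in an unsynchronized {@link HashMap}; nothing in this class
 * makes concurrent use safe.
 */
public class GoogleCloudSigningService implements SigningService {

    /** Resource path of the keyring; prepended to aliases that are not full resource names. */
    private final String keyring;

    /** Maps a key name to its certificate chain; certificates are not fetched from the service. */
    private final Function<String, Certificate[]> certificateStore;

    /** Resolved keys, indexed by every name they can be looked up with. */
    private final Map<String, SigningServicePrivateKey> keys = new HashMap<>();

    /** REST client carrying the bearer token on each request. */
    private final RESTClient client;

    /**
     * Creates a signing service bound to the default HTTPS endpoint.
     *
     * @param keyring          resource path of the keyring
     * @param token            access token sent as {@code Authorization: Bearer}
     * @param certificateStore supplies the certificate chain for a key name
     */
    public GoogleCloudSigningService(String keyring, String token, Function<String, Certificate[]> certificateStore) {
        this("https://cloudkms.googleapis.com/v1/", keyring, token, certificateStore);
    }

    /**
     * Creates a signing service bound to an arbitrary endpoint.
     *
     * @param endpoint         base URL of the REST API
     * @param keyring          resource path of the keyring
     * @param token            access token sent as {@code Authorization: Bearer}
     * @param certificateStore supplies the certificate chain for a key name
     */
    GoogleCloudSigningService(String endpoint, String keyring, String token, Function<String, Certificate[]> certificateStore) {
        this.keyring = keyring;
        this.certificateStore = certificateStore;
        // The token is a credential: it is captured here and attached to every request made to
        // `endpoint`. The endpoint scheme is not checked, so a non-HTTPS endpoint would carry the
        // token in clear text; keep the token out of logs and exception messages.
        this.client = new RESTClient(endpoint)
                .authentication(connection -> connection.setRequestProperty("Authorization", "Bearer " + token))
                .errorHandler(response -> {
                    // Builds "<code> - <status>: <message>" from the "error" object of the response.
                    // These fields are server-supplied text and end up in exception messages.
                    StringBuilder description = new StringBuilder();
                    Object error = response.get("error");
                    if (error instanceof Map) {
                        Map<?, ?> details = (Map<?, ?>) error;
                        Object code = details.get("code");
                        Object status = details.get("status");
                        Object message = details.get("message");
                        if (code != null) {
                            description.append(code);
                        }
                        if (status != null) {
                            if (description.length() > 0) {
                                description.append(" - ");
                            }
                            description.append(status);
                        }
                        if (message != null) {
                            if (description.length() > 0) {
                                description.append(": ");
                            }
                            description.append(message);
                        }
                    }
                    return description.toString();
                });
    }

    /** Returns the fixed name of this service, {@code "GoogleCloud"}. */
    @Override
    public String getName() {
        return "GoogleCloud";
    }

    /**
     * Lists the short names (last path segment) of the keys in the keyring.
     *
     * @return the key names, empty when the response has no {@code cryptoKeys} entry
     * @throws KeyStoreException if the request fails
     */
    @Override
    public List<String> aliases() throws KeyStoreException {
        List<String> aliases = new ArrayList<>();
        try {
            // NOTE(review): only this single response is read; if the listing is paginated,
            // keys on later pages are not returned. Confirm against the API.
            Object[] cryptoKeys = (Object[]) client.get(keyring + "/cryptoKeys").get("cryptoKeys");
            if (cryptoKeys == null) {
                // No "cryptoKeys" entry: report no aliases instead of failing with a NullPointerException.
                return aliases;
            }
            for (Object cryptoKey : cryptoKeys) {
                String name = (String) ((Map<?, ?>) cryptoKey).get("name");
                aliases.add(name.substring(name.lastIndexOf('/') + 1));
            }
            return aliases;
        } catch (IOException e) {
            throw new KeyStoreException(e);
        }
    }

    /** Returns the chain the certificate store supplies for {@code alias}; may be {@code null}. */
    @Override
    public Certificate[] getCertificateChain(String alias) {
        return certificateStore.apply(alias);
    }

    /**
     * Resolves an alias to a key version and returns a handle for it.
     *
     * <p>Accepted forms: a short key name (resolved under the keyring), a full resource name
     * starting with {@code projects/}, a name that includes {@code cryptoKeyVersions}, and the
     * latter followed by {@code :ALGORITHM}. Without an explicit version, the last entry of the
     * enabled-versions listing is used.
     *
     * @param alias    the key alias, in one of the forms above
     * @param password not used by this implementation
     * @return the cached or newly resolved key handle
     * @throws UnrecoverableKeyException if the key cannot be fetched, has no enabled version,
     *                                   or its version name or algorithm cannot be determined
     */
    @Override
    public SigningServicePrivateKey getPrivateKey(String alias, char[] password) throws UnrecoverableKeyException {
        // The alias becomes part of the request path as-is (no encoding or validation);
        // presumably it comes from trusted configuration — verify against callers.
        String keyName = alias.startsWith("projects/") ? alias : keyring + "/cryptoKeys/" + alias;

        SigningServicePrivateKey cached = keys.get(keyName);
        if (cached != null) {
            return cached;
        }

        try {
            String algorithm;
            if (!keyName.contains("cryptoKeyVersions")) {
                Object[] versions = (Object[]) client.get(keyName + "/cryptoKeyVersions?filter=state%3DENABLED").get("cryptoKeyVersions");
                if (versions == null || versions.length == 0) {
                    throw new UnrecoverableKeyException("Unable to fetch Google Cloud private key '" + keyName + "', no version found");
                }
                // Takes the last listed enabled version. NOTE(review): which version that is
                // depends on the order the service returns; name the version explicitly in the
                // alias when the exact signing key matters.
                Map<?, ?> version = (Map<?, ?>) versions[versions.length - 1];
                keyName = (String) version.get("name");
                algorithm = (String) version.get("algorithm");
            } else if (keyName.contains(":")) {
                // "<version name>:<TYPE>" — the algorithm type is given by the caller.
                int separator = keyName.indexOf(':');
                algorithm = keyName.substring(separator + 1) + "_SIGN";
                keyName = keyName.substring(0, separator);
            } else {
                Certificate[] chain = getCertificateChain(keyName);
                if (chain != null && chain.length > 0) {
                    // Derive the type from the certificate to avoid a round trip to the service.
                    algorithm = chain[0].getPublicKey().getAlgorithm() + "_SIGN";
                } else {
                    algorithm = (String) client.get(keyName).get("algorithm");
                }
            }

            // A response without "name"/"algorithm", or a name without a version segment, used to
            // surface as NullPointerException / StringIndexOutOfBoundsException.
            int versionSegment = keyName == null ? -1 : keyName.indexOf("/cryptoKeyVersions");
            int typeEnd = algorithm == null ? -1 : algorithm.indexOf('_');
            if (versionSegment < 0 || typeEnd < 0) {
                throw new UnrecoverableKeyException("Unable to fetch Google Cloud private key '" + keyName + "', unexpected version name or algorithm");
            }

            String keyType = algorithm.substring(0, typeEnd);
            SigningServicePrivateKey privateKey = new SigningServicePrivateKey(keyName, keyType, this);
            // Cache under the version name, the bare key name, and "<version name>:<TYPE>".
            keys.put(keyName, privateKey);
            keys.put(keyName.substring(0, versionSegment), privateKey);
            keys.put(keyName + ":" + keyType, privateKey);
            return privateKey;
        } catch (IOException e) {
            throw (UnrecoverableKeyException) new UnrecoverableKeyException("Unable to fetch Google Cloud private key '" + keyName + "'").initCause(e);
        }
    }

    /**
     * Signs {@code data} with the remote key: the data is hashed locally and only the digest is
     * sent to the service.
     *
     * @param privateKey the key handle returned by {@link #getPrivateKey}
     * @param algorithm  JCA-style signature algorithm name containing "with", e.g. {@code SHA256withRSA}
     * @param data       the data to sign
     * @return the decoded signature bytes
     * @throws GeneralSecurityException if the algorithm is not recognised, the request fails,
     *                                  or the response carries no signature
     */
    @Override
    public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException {
        // Locale.ROOT: with the default locale, "WITH" lower-cases to "wıth" under a Turkish
        // locale and the digest name would not be found.
        int with = algorithm.toLowerCase(Locale.ROOT).indexOf("with");
        if (with < 0) {
            throw new GeneralSecurityException("Unsupported signature algorithm " + algorithm);
        }
        DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(algorithm.substring(0, with));
        if (digestAlgorithm == null) {
            // Presumably of() yields null for an unknown name — fail with a clear error either way.
            throw new GeneralSecurityException("Unsupported digest algorithm in " + algorithm);
        }

        byte[] hash = digestAlgorithm.getMessageDigest().digest(data);

        Map<String, String> digest = new HashMap<>();
        digest.put(digestAlgorithm.name().toLowerCase(Locale.ROOT), Base64.getEncoder().encodeToString(hash));
        Map<String, Object> request = new HashMap<>();
        request.put("digest", digest);

        try {
            String signature = (String) client.post(privateKey.getId() + ":asymmetricSign", JsonWriter.format(request)).get("signature");
            if (signature == null) {
                throw new GeneralSecurityException("No signature returned for key '" + privateKey.getId() + "'");
            }
            return Base64.getDecoder().decode(signature);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }
}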
