package se.digg.dgc.signatures.impl;

import com.upokecenter.cbor.CBORException;
import com.upokecenter.cbor.CBORObject;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x509.Certificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.digg.dgc.signatures.DGCSigner;
import se.digg.dgc.signatures.cose.CoseSign1_Object;
import se.digg.dgc.signatures.cose.HeaderParameterKey;
import se.digg.dgc.signatures.cose.SignatureAlgorithm;
import se.digg.dgc.signatures.cwt.Cwt;
import se.swedenconnect.security.credential.PkiCredential;

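/**
 * Default {@link DGCSigner} implementation.
 *
 * <p>
 * A call to {@link #sign(byte[], Instant)} wraps the supplied DGC payload in a CWT (claims {@code iss}, {@code iat},
 * {@code exp} and the DGC v1 claim) and signs that CWT as a COSE_Sign1 object whose protected header carries the
 * signature algorithm ({@code alg}) and the key identifier ({@code kid}).
 * </p>
 *
 * <p>
 * The signer is configured from an X.509 certificate and its private key (supplied directly or via a
 * {@link PkiCredential}):
 * </p>
 * <ul>
 * <li>the {@code iss} claim is the {@code countryName} (C) attribute of the certificate subject,</li>
 * <li>the {@code kid} header is the first {@value #KID_LENGTH} bytes of the SHA-256 digest of the DER-encoded
 * certificate,</li>
 * <li>the signature algorithm defaults to {@code ES256} for EC keys and {@code PS256} for RSA keys, and</li>
 * <li>the signer expiration is the certificate's {@code notAfter} time.</li>
 * </ul>
 *
 * <p>
 * <b>Thread-safety:</b> the signer holds no mutable state apart from the values set through
 * {@link #setAlgorithmIdentifier(SignatureAlgorithm)} and {@link #setSecurityProvider(Provider)}; configure the
 * instance fully before sharing it between threads.
 * </p>
 */
public class DefaultDGCSigner implements DGCSigner {

    /** Logger. */
    private static final Logger log = LoggerFactory.getLogger(DefaultDGCSigner.class);

    /** OID of the X.520 countryName attribute (id-at-countryName, 2.5.4.6) read from the certificate subject. */
    private static final ASN1ObjectIdentifier COUNTRY_NAME_OID = new ASN1ObjectIdentifier("2.5.4.6");

    /** Number of leading SHA-256 digest bytes that make up the COSE key identifier (kid). */
    private static final int KID_LENGTH = 8;

    /** The signing credential (private key and certificate). */
    private final CredentialWrapper signerCredential;

    /** Optional JCA provider handed to the COSE signing routine; {@code null} means the default provider lookup. */
    private Provider securityProvider;

    /** Country code taken from the signer certificate subject; used as the CWT {@code iss} claim. */
    private final String country;

    /** Key identifier placed in the COSE protected header. */
    private final byte[] keyIdentifier;

    /** The {@code notAfter} time of the signer certificate. */
    private final Instant signerExpiration;

    /** Signature algorithm announced in the COSE protected header and used when signing. */
    private SignatureAlgorithm algorithmIdentifier;

    /**
     * Holds the signing key and certificate, either as a bare key/certificate pair or behind a {@link PkiCredential}
     * (for example a HSM-backed credential).
     */
    private static class CredentialWrapper {

        /** The private key (only when constructed from a key/certificate pair). */
        private final PrivateKey signerKey;

        /** The certificate (only when constructed from a key/certificate pair). */
        private final X509Certificate signerCertificate;

        /** The credential (only when constructed from a {@link PkiCredential}). */
        private final PkiCredential signerCredential;

        /**
         * Creates a wrapper around a private key and its certificate.
         *
         * @param privateKey the signing key
         * @param x509Certificate the certificate holding the matching public key
         * @throws IllegalArgumentException if either argument is {@code null}
         */
        public CredentialWrapper(final PrivateKey privateKey, final X509Certificate x509Certificate) {
            this.signerKey = Optional.ofNullable(privateKey)
                .orElseThrow(() -> new IllegalArgumentException("signerKey must not be null"));
            this.signerCertificate = Optional.ofNullable(x509Certificate)
                .orElseThrow(() -> new IllegalArgumentException("signerCertificate must not be null"));
            this.signerCredential = null;
        }

        /**
         * Creates a wrapper around a {@link PkiCredential}.
         *
         * @param pkiCredential the credential
         * @throws IllegalArgumentException if the credential is {@code null}
         */
        public CredentialWrapper(final PkiCredential pkiCredential) {
            this.signerCredential = Optional.ofNullable(pkiCredential)
                .orElseThrow(() -> new IllegalArgumentException("signerCredential must not be null"));
            this.signerKey = null;
            this.signerCertificate = null;
        }

        /**
         * Returns the public key of the certificate.
         *
         * @return the public key
         */
        public PublicKey getPublicKey() {
            return this.getCertificate().getPublicKey();
        }

        /**
         * Returns the signer certificate.
         *
         * @return the certificate (may be {@code null} if the underlying {@link PkiCredential} holds none)
         */
        public X509Certificate getCertificate() {
            return this.signerCredential != null ? this.signerCredential.getCertificate() : this.signerCertificate;
        }

        /**
         * Returns the signing key.
         *
         * @return the private key (may be {@code null} if the underlying {@link PkiCredential} holds none)
         */
        public PrivateKey getPrivateKey() {
            return this.signerCredential != null ? this.signerCredential.getPrivateKey() : this.signerKey;
        }
    }

    /**
     * Constructor.
     *
     * @param privateKey the signing key
     * @param x509Certificate the signer certificate
     * @throws CertificateException if the certificate can not be parsed or lacks a country attribute in its subject
     * @throws IllegalArgumentException if either argument is {@code null}
     * @throws SecurityException if the certificate's key is neither EC nor RSA
     */
    public DefaultDGCSigner(final PrivateKey privateKey, final X509Certificate x509Certificate)
        throws CertificateException {
        this(new CredentialWrapper(privateKey, x509Certificate));
    }

    /**
     * Constructor.
     *
     * @param pkiCredential the credential holding the signing key and certificate
     * @throws CertificateException if the certificate can not be parsed or lacks a country attribute in its subject
     * @throws IllegalArgumentException if the credential is {@code null} or holds no certificate
     * @throws SecurityException if the certificate's key is neither EC nor RSA
     */
    public DefaultDGCSigner(final PkiCredential pkiCredential) throws CertificateException {
        this(new CredentialWrapper(pkiCredential));
    }

    /**
     * Derives country, key identifier, expiration and default algorithm from the wrapped certificate.
     *
     * @param credentialWrapper the credential
     * @throws CertificateException if the certificate can not be parsed or lacks a country attribute
     */
    private DefaultDGCSigner(final CredentialWrapper credentialWrapper) throws CertificateException {
        this.signerCredential = credentialWrapper;

        // A PkiCredential may hold no certificate; fail with a clear message instead of an NPE below.
        final X509Certificate certificate = credentialWrapper.getCertificate();
        if (certificate == null) {
            throw new IllegalArgumentException("signer credential holds no certificate");
        }

        this.country = getCountry(certificate);
        this.keyIdentifier = calculateKid(certificate);
        this.signerExpiration = certificate.getNotAfter().toInstant();

        // Default algorithm follows the key type. Callers may override via setAlgorithmIdentifier, but only with an
        // algorithm that fits the key.
        final PublicKey publicKey = certificate.getPublicKey();
        if (publicKey instanceof ECPublicKey) {
            this.algorithmIdentifier = SignatureAlgorithm.ES256;
        }
        else if (publicKey instanceof RSAPublicKey) {
            this.algorithmIdentifier = SignatureAlgorithm.PS256;
        }
        else {
            throw new SecurityException("Unsupported key");
        }
    }

    /**
     * Signs the supplied DGC payload.
     *
     * <p>
     * The payload is placed in a CWT with {@code iss} set to the signer country, {@code iat} set to the current time
     * and {@code exp} set to {@code expiration}. The CWT is signed as a COSE_Sign1 object with {@code alg} and
     * {@code kid} in the protected header.
     * </p>
     *
     * @param dgcPayload the encoded DGC to sign
     * @param expiration the expiration time to assign to the signed DGC
     * @return the encoded COSE_Sign1 object
     * @throws SignatureException for signing or CBOR encoding errors, or if no private key is available
     * @throws NullPointerException if either argument is {@code null}
     */
    @Override
    public byte[] sign(final byte[] dgcPayload, final Instant expiration) throws SignatureException {
        Objects.requireNonNull(dgcPayload, "dgcPayload must not be null");
        Objects.requireNonNull(expiration, "expiration must not be null");

        final Instant now = Instant.now();
        if (now.isAfter(this.signerExpiration)) {
            // Verifiers checking the signer certificate validity will reject such a DGC.
            log.warn("Signer certificate expired at {} - signed DGC is unlikely to be accepted", this.signerExpiration);
        }
        if (expiration.isAfter(this.signerExpiration)) {
            log.warn("Expiration of DGC goes beyond the signer certificate validity");
        }

        final PrivateKey privateKey = this.signerCredential.getPrivateKey();
        if (privateKey == null) {
            throw new SignatureException("No private key available for signing");
        }

        try {
            final byte[] cwt = Cwt.builder()
                .issuer(this.country)
                .issuedAt(now)
                .expiration(expiration)
                .dgcV1(dgcPayload)
                .build()
                .encode();

            final CoseSign1_Object coseObject = CoseSign1_Object.builder()
                .protectedAttribute(HeaderParameterKey.ALG.getCborObject(), this.algorithmIdentifier.getCborObject())
                .protectedAttribute(HeaderParameterKey.KID.getCborObject(), CBORObject.FromObject(this.keyIdentifier))
                .content(cwt)
                .build();

            coseObject.sign(privateKey, this.securityProvider);
            return coseObject.encode();
        }
        catch (final CBORException e) {
            throw new SignatureException("CBOR error - " + e.getMessage(), e);
        }
    }

    /**
     * Returns the {@code notAfter} time of the signer certificate.
     *
     * @return the signer expiration
     */
    @Override
    public Instant getSignerExpiration() {
        return this.signerExpiration;
    }

    /**
     * Returns the country code taken from the signer certificate subject.
     *
     * @return the country code
     */
    @Override
    public String getSignerCountry() {
        return this.country;
    }

    /**
     * Overrides the signature algorithm announced and used by the signer.
     *
     * <p>
     * A {@code null} value is ignored. An algorithm that can not be used with the signer's key type (PS256 with an EC
     * key, ES256 with an RSA key) is rejected up front rather than failing at signing time.
     * </p>
     *
     * @param signatureAlgorithm the algorithm to use
     * @throws IllegalArgumentException if the algorithm does not match the signer's key type
     */
    public void setAlgorithmIdentifier(final SignatureAlgorithm signatureAlgorithm) {
        if (signatureAlgorithm == null) {
            return;
        }
        final PublicKey publicKey = this.signerCredential.getPublicKey();
        if (signatureAlgorithm == SignatureAlgorithm.PS256 && publicKey instanceof ECPublicKey) {
            throw new IllegalArgumentException("PS256 can not be used with an EC signing key");
        }
        if (signatureAlgorithm == SignatureAlgorithm.ES256 && publicKey instanceof RSAPublicKey) {
            throw new IllegalArgumentException("ES256 can not be used with an RSA signing key");
        }
        this.algorithmIdentifier = signatureAlgorithm;
    }

    /**
     * Reads the {@code countryName} (C) attribute from the certificate subject.
     *
     * <p>
     * The first C attribute value is used. It becomes the CWT {@code iss} claim, which verifiers use to locate the
     * issuing country's trust material, so it must be present and non-blank. RFC 5280 defines countryName as a
     * two-letter code; that length is not enforced here.
     * </p>
     *
     * @param x509Certificate the certificate
     * @return the country attribute value
     * @throws CertificateException if the certificate can not be parsed or the attribute is missing, not a string or
     *           blank
     */
    private static String getCountry(final X509Certificate x509Certificate) throws CertificateException {
        final Certificate certificate;
        try {
            // Parse the DER encoding with BC so we can read the raw subject RDNs by OID.
            certificate = Certificate.getInstance(x509Certificate.getEncoded());
        }
        catch (final IllegalArgumentException e) {
            throw new CertificateException("Failed to read certificate", e);
        }

        if (certificate.getSubject() == null || certificate.getSubject().getRDNs() == null) {
            throw new CertificateException("Missing country in certificate subject");
        }
        final RDN[] countryRdns = certificate.getSubject().getRDNs(COUNTRY_NAME_OID);
        if (countryRdns == null || countryRdns.length == 0 || countryRdns[0].getFirst() == null) {
            throw new CertificateException("Missing country in certificate subject");
        }
        final ASN1Primitive countryValue = countryRdns[0].getFirst().getValue().toASN1Primitive();
        if (!(countryValue instanceof ASN1String)) {
            throw new CertificateException("Missing country in certificate subject");
        }
        final String country = ((ASN1String) countryValue).getString();
        if (country == null || country.trim().isEmpty()) {
            throw new CertificateException("Empty country in certificate subject");
        }
        return country;
    }

    /**
     * Calculates the key identifier: the first {@value #KID_LENGTH} bytes of the SHA-256 digest of the DER-encoded
     * certificate.
     *
     * @param x509Certificate the certificate
     * @return the key identifier
     * @throws SecurityException if the certificate can not be encoded or SHA-256 is unavailable
     */
    private static byte[] calculateKid(final X509Certificate x509Certificate) {
        try {
            final byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509Certificate.getEncoded());
            return Arrays.copyOf(digest, KID_LENGTH);
        }
        catch (final NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Assigns the JCA provider to use when signing. If not set, the default provider lookup is used.
     *
     * @param provider the provider
     */
    public void setSecurityProvider(final Provider provider) {
        this.securityProvider = provider;
    }
}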
