package de.trustable.cmp.client.cmpClient;

import de.trustable.cmp.client.ProtectedMessageHandler;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Objects;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/trustable/cmp/client/cmpClient/KeystoreSigner.class */
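/**
 * {@link ProtectedMessageHandler} that protects outgoing CMP messages with a signature
 * made by the private key stored under a keystore alias, and checks incoming messages
 * against the certificate stored under that same alias.
 *
 * <p>Signatures are RSASSA-PSS with SHA-256 (see {@link #PSS_SPEC}), produced through
 * the BouncyCastle provider.
 *
 * <p>The keystore is read through the {@link KeyStore} API only; the alias secret is kept
 * in memory for the lifetime of this object because {@link KeyStore#getKey} needs it on
 * every signing call.
 */
public class KeystoreSigner implements ProtectedMessageHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) KeystoreSigner.class);

    /** JCA name of the signature algorithm used for message protection. */
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA/PSS";

    /**
     * RSASSA-PSS parameters: SHA-256 digest, MGF1 with SHA-256, 32-byte salt,
     * trailer field 1 (the 0xBC trailer, the only value defined by PKCS#1).
     */
    private static final PSSParameterSpec PSS_SPEC =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    private final KeyStore ks;
    private final String ksAlias;
    // May be null; a null password is passed through to KeyStore.getKey unchanged.
    private final String ksSecret;
    // Certificate stored under ksAlias at construction time; validated to be X.509.
    private final X509Certificate signerCertificate;

    /**
     * Creates a signer backed by the given keystore entry.
     *
     * @param keyStore loaded keystore holding the signer entry
     * @param keyStoreAlias alias of the entry whose key and certificate are used
     * @param keyStoreSecret password protecting the key entry; may be null for keystores that allow it
     * @throws KeyStoreException if the keystore is not initialized, no certificate is stored under
     *     the alias, or the stored certificate is not an X.509 certificate
     */
    public KeystoreSigner(KeyStore keyStore, String keyStoreAlias, String keyStoreSecret) throws KeyStoreException {
        this.ks = Objects.requireNonNull(keyStore, "keyStore");
        this.ksAlias = Objects.requireNonNull(keyStoreAlias, "keyStoreAlias");
        this.ksSecret = keyStoreSecret;

        // Fail at construction rather than with a NullPointerException on the first signMessage call.
        Certificate certificate = keyStore.getCertificate(keyStoreAlias);
        if (certificate == null) {
            throw new KeyStoreException("no certificate found for alias '" + keyStoreAlias + "'");
        }
        if (!(certificate instanceof X509Certificate)) {
            throw new KeyStoreException("certificate for alias '" + keyStoreAlias + "' is not an X.509 certificate");
        }
        this.signerCertificate = (X509Certificate) certificate;
    }

    /**
     * Builds the message and protects it with an RSASSA-PSS signature made by the alias' private key.
     *
     * @param protectedPKIMessageBuilder builder holding the message to protect
     * @return the signed message
     * @throws GeneralSecurityException if the key entry cannot be recovered, holds no private key,
     *     or the BouncyCastle signer or the message cannot be built
     */
    @Override // de.trustable.cmp.client.ProtectedMessageHandler
    public ProtectedPKIMessage signMessage(ProtectedPKIMessageBuilder protectedPKIMessageBuilder) throws GeneralSecurityException {
        LOGGER.debug("in KeystoreSigner.signMessage using signer '{}'",
                signerCertificate.getSubjectX500Principal().getName());

        // getKey throws GeneralSecurityException subclasses itself; it returns null when the alias
        // holds a trusted-certificate entry only, which the original cast would turn into an NPE.
        Key key = ks.getKey(ksAlias, secretChars());
        if (!(key instanceof PrivateKey)) {
            throw new GeneralSecurityException("no private key found for alias '" + ksAlias + "'");
        }
        try {
            return protectedPKIMessageBuilder.build(
                    new JcaContentSignerBuilder(SIGNATURE_ALGORITHM, PSS_SPEC)
                            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                            .build((PrivateKey) key));
        } catch (CMPException | OperatorCreationException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Verifies the signature protection of an incoming message against the certificate
     * currently stored under the alias.
     *
     * <p>NOTE(review): the check uses the certificate under this client's own alias, not a
     * separate trust anchor for the CA/RA. That is only sound if the peer protects its
     * responses with exactly that key and certificate; confirm against the server setup.
     *
     * @param protectedPKIMessage message whose protection is checked
     * @return true if the signature verifies against the alias certificate
     * @throws GeneralSecurityException if the message is MAC-protected instead of signed, the
     *     keystore cannot be read, no X.509 certificate is stored under the alias, or the verifier
     *     cannot be built
     */
    @Override // de.trustable.cmp.client.ProtectedMessageHandler
    public boolean verifyMessage(ProtectedPKIMessage protectedPKIMessage) throws GeneralSecurityException {
        LOGGER.debug("in KeystoreSigner.verifyMessage ...");
        if (protectedPKIMessage.hasPasswordBasedMacProtection()) {
            throw new GeneralSecurityException("Server used MacProtection, but certificate & key present!");
        }

        // Read from the keystore on every call (as before) rather than from the cached field,
        // so a keystore updated after construction is honoured. KeyStoreException already is a
        // GeneralSecurityException and needs no wrapping.
        Certificate verifierCertificate = ks.getCertificate(ksAlias);
        if (!(verifierCertificate instanceof X509Certificate)) {
            throw new GeneralSecurityException("no X.509 certificate found for alias '" + ksAlias + "'");
        }
        try {
            return protectedPKIMessage.verify(
                    new JcaContentVerifierProviderBuilder()
                            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                            .build((X509Certificate) verifierCertificate));
        } catch (CMPException | OperatorCreationException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Returns the subject of the signer certificate as the sender name.
     *
     * @param x500Name fallback returned when the certificate cannot be re-encoded
     * @return the signer certificate's subject, or {@code x500Name} on encoding problems
     */
    @Override // de.trustable.cmp.client.ProtectedMessageHandler
    public X500Name getSender(X500Name x500Name) {
        try {
            return new X509CertificateHolder(signerCertificate.getEncoded()).getSubject();
        } catch (IOException | CertificateEncodingException e) {
            // Best effort: fall back to the caller-supplied name rather than failing the request.
            LOGGER.info("problem encoding signer certificate", e);
            return x500Name;
        }
    }

    /**
     * Adds the signer certificate to the message's extraCerts so the receiver can verify the protection.
     *
     * <p>Encoding problems are logged and otherwise ignored; the message is then sent without the certificate.
     *
     * @param protectedPKIMessageBuilder builder receiving the certificate
     */
    @Override // de.trustable.cmp.client.ProtectedMessageHandler
    public void addCertificate(ProtectedPKIMessageBuilder protectedPKIMessageBuilder) {
        try {
            X509CertificateHolder holder = new X509CertificateHolder(signerCertificate.getEncoded());
            protectedPKIMessageBuilder.addCMPCertificate(holder);
            LOGGER.debug("adding protection certificate {}", holder.getSubject());
        } catch (IOException | CertificateEncodingException e) {
            LOGGER.info("problem adding signer certificate", e);
        }
    }

    /** Password for {@link KeyStore#getKey}; null when no secret was configured. */
    private char[] secretChars() {
        return ksSecret == null ? null : ksSecret.toCharArray();
    }
}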
