package org.xipki.scep.message;

import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.xipki.scep.util.ScepUtil;
import org.xipki.security.HashAlgo;
import org.xipki.security.X509Cert;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.exception.EncodeException;

/* loaded from: input_file:org/xipki/scep/message/NextCaMessage.class */
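/**
 * Carries a CA certificate plus optional RA certificates and encodes them as a
 * signed CMS structure.
 *
 * <p>Judging by the package and class name, this is the payload of a SCEP
 * "next CA certificate" response (confirm against the callers). The encoding
 * built by {@link #encode} is two-layered: an inner SignedData with no signers
 * that only carries the certificates, wrapped in an outer SignedData that is
 * signed with the caller-supplied key.
 *
 * <p>Instances are mutable and have no synchronization.
 */
public class NextCaMessage {
    // Certificate placed first in the inner certificate set; must be set before encode().
    private X509Cert caCert;
    // Immutable snapshot of the RA certificates, or null when none were supplied.
    private List<X509Cert> raCerts;

    /**
     * Returns the CA certificate.
     *
     * @return the CA certificate, or {@code null} if none has been set
     */
    public X509Cert getCaCert() {
        return this.caCert;
    }

    /**
     * Sets the CA certificate that {@link #encode} puts into the inner certificate set.
     *
     * @param x509Cert the CA certificate
     */
    public void setCaCert(X509Cert x509Cert) {
        this.caCert = x509Cert;
    }

    /**
     * Returns the RA certificates.
     *
     * @return an unmodifiable list, or {@code null} when no RA certificates are set
     */
    public List<X509Cert> getRaCerts() {
        return this.raCerts;
    }

    /**
     * Stores a defensive, unmodifiable copy of the RA certificates.
     *
     * @param list the RA certificates; when {@code CollectionUtil.isEmpty(list)} holds,
     *     {@code null} is stored instead
     */
    public void setRaCerts(List<X509Cert> list) {
        this.raCerts = CollectionUtil.isEmpty(list) ? null : List.copyOf(list);
    }

    /**
     * Encodes the message as a signed CMS {@link ContentInfo}.
     *
     * <p>The CA certificate and any RA certificates are packed into a SignedData
     * without signers and without content. The encoded bytes of that structure become
     * the encapsulated content (content type {@code id-signedData}) of a second
     * SignedData, which is signed with {@code privateKey}.
     *
     * <p>Security note: the outer signature is hard-wired to SHA-1 with RSA. SHA-1 is
     * no longer collision resistant, so relying parties that enforce current
     * algorithm policies may reject this signature. The digest is kept as-is here
     * because changing it alters the wire format peers expect.
     *
     * @param privateKey key used for the outer signature; only RSA keys are supported
     * @param x509Cert certificate identifying the signer in the SignerInfo
     * @param x509CertArr certificates handed to {@code ScepUtil.addCmsCertSet} for the
     *     outer SignedData (presumably the signer's chain; verify against ScepUtil)
     * @return the outer SignedData as an ASN.1 {@code ContentInfo}
     * @throws EncodeException if CMS generation, certificate encoding or signer
     *     construction fails
     * @throws UnsupportedOperationException if {@code privateKey} is not an RSA key
     */
    public ContentInfo encode(PrivateKey privateKey, X509Cert x509Cert, X509Cert[] x509CertArr) throws EncodeException {
        Args.notNull(privateKey, "signingKey");
        Args.notNull(x509Cert, "signerCert");
        // Fail fast with a named precondition instead of a bare null dereference
        // when encode() is called before setCaCert().
        Args.notNull(this.caCert, "caCert");
        try {
            // Inner layer: certificates only, no signers, no content.
            CMSSignedDataGenerator certsOnlyGenerator = new CMSSignedDataGenerator();
            certsOnlyGenerator.addCertificate(this.caCert.toBcCert());
            if (CollectionUtil.isNotEmpty(this.raCerts)) {
                for (X509Cert raCert : this.raCerts) {
                    certsOnlyGenerator.addCertificate(raCert.toBcCert());
                }
            }
            byte[] certsOnlyBytes = certsOnlyGenerator.generate(new CMSAbsentContent()).getEncoded();

            // Outer layer: the signature that lets the recipient authenticate the
            // certificate set above.
            // NOTE(review): SHA-1 is fixed here; consider selecting the digest from what
            // the peer supports (e.g. SHA-256) where the protocol exchange allows it.
            CMSSignedDataGenerator signedGenerator = new CMSSignedDataGenerator();
            ContentSigner signer =
                    new JcaContentSignerBuilder(getSignatureAlgorithm(privateKey, HashAlgo.SHA1)).build(privateKey);
            JcaSignerInfoGeneratorBuilder signerInfoBuilder =
                    new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
            signerInfoBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator());
            signedGenerator.addSignerInfoGenerator(signerInfoBuilder.build(signer, x509Cert.toBcCert()));

            CMSProcessableByteArray wrappedContent =
                    new CMSProcessableByteArray(CMSObjectIdentifiers.signedData, certsOnlyBytes);
            ScepUtil.addCmsCertSet(signedGenerator, x509CertArr);
            // 'true' encapsulates the inner SignedData inside the outer one.
            return signedGenerator.generate(wrappedContent, true).toASN1Structure();
        } catch (CMSException | IOException | CertificateEncodingException | OperatorCreationException e) {
            throw new EncodeException(e);
        }
    }

    /**
     * Builds the JCE signature algorithm name for the given key and digest.
     *
     * @param privateKey the signing key; its algorithm must be RSA (case-insensitive)
     * @param hashAlgo the digest whose JCE name prefixes {@code "withRSA"}
     * @return the JCE signature algorithm name
     * @throws UnsupportedOperationException for any non-RSA key
     */
    private static String getSignatureAlgorithm(PrivateKey privateKey, HashAlgo hashAlgo) {
        if ("RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
            return hashAlgo.getJceName() + "withRSA";
        }
        throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
    }
}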
