package org.xipki.security.pkcs11;

import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilderException;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECPoint;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.jcajce.interfaces.EdDSAKey;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.DfltConcurrentContentSigner;
import org.xipki.security.SecurityFactory;
import org.xipki.security.X509Cert;
import org.xipki.security.XiContentSigner;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs11.P11ContentSigner;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.GMUtil;
import org.xipki.security.util.X509Util;
import org.xipki.util.Args;

/* loaded from: input_file:WEB-INF/lib/security-5.3.9.jar:org/xipki/security/pkcs11/P11ContentSignerBuilder.class */
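/**
 * Builds {@link ConcurrentContentSigner} instances whose signing key is a
 * PKCS#11 identity reached through a {@link P11CryptService}.
 *
 * <p>The builder resolves the public key and certificate chain once, at
 * construction time, and then creates one or more per-algorithm
 * {@link XiContentSigner} workers in {@link #createSigner}.
 */
public class P11ContentSignerBuilder {
    /** Public key announced by the signers this builder creates. */
    private final PublicKey publicKey;

    /** Certificate path starting at the signer certificate, or {@code null} if no certificate is known. */
    private final X509Cert[] certificateChain;

    private final P11CryptService cryptService;
    private final SecurityFactory securityFactory;
    private final P11IdentityId identityId;

    /**
     * Resolves the public key and certificate chain for the given PKCS#11 identity.
     *
     * <p>If {@code x509CertArr} is non-empty, its first element is taken as the signer
     * certificate and the remaining elements as candidate issuers. Otherwise the
     * certificate (or, failing that, the bare public key) stored with the identity is used.
     * Issuer certificates stored with the identity are always added as candidates.
     *
     * @param p11CryptService service giving access to the PKCS#11 identity; must not be null
     * @param securityFactory factory used later to obtain the randomness source for RSA-PSS; must not be null
     * @param p11IdentityId   identifier of the identity to sign with; must not be null
     * @param x509CertArr     optional certificate chain (signer certificate first); may be null or empty
     * @throws XiSecurityException if no public key can be found, the first supplied certificate is
     *                             null, or no certificate path can be built
     * @throws P11TokenException   declared by the token access performed while looking up the identity
     */
    public P11ContentSignerBuilder(P11CryptService p11CryptService, SecurityFactory securityFactory, P11IdentityId p11IdentityId, X509Cert[] x509CertArr) throws XiSecurityException, P11TokenException {
        this.cryptService = (P11CryptService) Args.notNull(p11CryptService, "cryptService");
        this.securityFactory = (SecurityFactory) Args.notNull(securityFactory, "securityFactory");
        this.identityId = (P11IdentityId) Args.notNull(p11IdentityId, "identityId");

        P11Identity identity = p11CryptService.getIdentity(p11IdentityId);
        X509Cert tokenCert = identity.getCertificate();
        // Prefer the key embedded in the identity's certificate; fall back to the bare public key.
        PublicKey tokenPublicKey = tokenCert != null ? tokenCert.getPublicKey() : identity.getPublicKey();
        if (tokenPublicKey == null) {
            throw new XiSecurityException("public key with " + p11IdentityId + " does not exist");
        }

        Set<X509Cert> issuerCandidates = new HashSet<>();
        final X509Cert signerCert;
        if (x509CertArr == null || x509CertArr.length == 0) {
            this.publicKey = tokenPublicKey;
            signerCert = tokenCert;
        } else {
            signerCert = x509CertArr[0];
            if (signerCert == null) {
                // Fail with a descriptive error instead of a NullPointerException below.
                throw new XiSecurityException("first certificate of the given chain must not be null");
            }
            for (int idx = 1; idx < x509CertArr.length; idx++) {
                issuerCandidates.add(x509CertArr[idx]);
            }
            // NOTE(review): the caller-supplied certificate's key is adopted without being
            // compared to tokenPublicKey. A certificate that does not belong to the token's
            // private key would yield a signer whose announced certificate cannot verify its
            // own signatures. Confirm that callers guarantee the match, or add a check here.
            this.publicKey = signerCert.getPublicKey();
        }

        if (signerCert == null) {
            // Only a bare public key is available; there is nothing to build a path from.
            this.certificateChain = null;
            return;
        }

        // Index 0 of the stored chain is skipped; only the entries after it are used as issuers.
        X509Cert[] tokenChain = identity.certificateChain();
        if (tokenChain != null) {
            for (int idx = 1; idx < tokenChain.length; idx++) {
                issuerCandidates.add(tokenChain[idx]);
            }
        }

        try {
            this.certificateChain = X509Util.buildCertPath(signerCert, issuerCandidates);
        } catch (CertPathBuilderException e) {
            throw new XiSecurityException(e);
        }
    }

    /**
     * Creates a concurrent signer for the given signature algorithm.
     *
     * <p>The algorithm is checked against the key type once, before any worker is created.
     *
     * @param algorithmIdentifier signature algorithm to use
     * @param i                   parallelism, i.e. the number of underlying signer instances; must be positive
     * @return a signer carrying the certificate chain if one is known, otherwise the public key
     * @throws XiSecurityException if the key type is unsupported, the algorithm does not fit the key
     *                             type, or the signer cannot be initialised
     * @throws P11TokenException   declared by the underlying PKCS#11 signer constructors
     */
    public ConcurrentContentSigner createSigner(AlgorithmIdentifier algorithmIdentifier, int i) throws XiSecurityException, P11TokenException {
        Args.positive(i, "parallelism");

        final boolean sm2Key = checkAlgorithmMatchesKey(algorithmIdentifier);

        List<XiContentSigner> signers = new ArrayList<>(i);
        for (int n = 0; n < i; n++) {
            signers.add(newSigner(algorithmIdentifier, sm2Key));
        }

        try {
            // NOTE(review): the first argument is presumably the "is MAC" flag; confirm
            // against DfltConcurrentContentSigner.
            DfltConcurrentContentSigner concurrentSigner = new DfltConcurrentContentSigner(false, signers, new P11PrivateKey(this.cryptService, this.identityId));
            if (this.certificateChain != null) {
                concurrentSigner.setCertificateChain(this.certificateChain);
            } else {
                concurrentSigner.setPublicKey(this.publicKey);
            }
            return concurrentSigner;
        } catch (NoSuchAlgorithmException e) {
            throw new XiSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Verifies that the signature algorithm is usable with the builder's public key.
     *
     * @return {@code true} if the key is an EC key on the SM2 curve, {@code false} otherwise
     * @throws XiSecurityException if the key type is unsupported or the algorithm does not match it
     */
    private boolean checkAlgorithmMatchesKey(AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        if (this.publicKey instanceof RSAPublicKey) {
            if (!AlgorithmUtil.isRSASigAlgId(algorithmIdentifier)) {
                throw invalidAlgorithm("RSA", algorithmIdentifier);
            }
            return false;
        }
        if (this.publicKey instanceof ECPublicKey) {
            boolean sm2Key = GMUtil.isSm2primev2Curve(((ECPublicKey) this.publicKey).getParams().getCurve());
            if (sm2Key) {
                if (!AlgorithmUtil.isSM2SigAlg(algorithmIdentifier)) {
                    throw invalidAlgorithm("SM2", algorithmIdentifier);
                }
            } else if (!AlgorithmUtil.isECSigAlg(algorithmIdentifier)) {
                throw invalidAlgorithm("EC", algorithmIdentifier);
            }
            return sm2Key;
        }
        if (this.publicKey instanceof DSAPublicKey) {
            if (!AlgorithmUtil.isDSASigAlg(algorithmIdentifier)) {
                throw invalidAlgorithm("DSA", algorithmIdentifier);
            }
            return false;
        }
        if (this.publicKey instanceof EdDSAKey) {
            // NOTE(review): unlike the other key types, the algorithm is not checked against
            // the key type here; presumably P11ContentSigner.EdDSA rejects a mismatch. Confirm.
            return false;
        }
        throw new XiSecurityException("unsupported key " + this.publicKey.getClass().getName());
    }

    /** Builds the exception reported when the algorithm does not fit the key family. */
    private static XiSecurityException invalidAlgorithm(String family, AlgorithmIdentifier algorithmIdentifier) {
        return new XiSecurityException("the given algorithm is not a valid " + family + " signature algorithm '" + algorithmIdentifier.getAlgorithm().getId() + "'");
    }

    /** Creates one signer worker for the (already validated) key type and algorithm. */
    private XiContentSigner newSigner(AlgorithmIdentifier algorithmIdentifier, boolean sm2Key) throws XiSecurityException, P11TokenException {
        if (this.publicKey instanceof RSAPublicKey) {
            return createRSAContentSigner(algorithmIdentifier);
        }
        if (this.publicKey instanceof ECPublicKey) {
            if (!sm2Key) {
                return createECContentSigner(algorithmIdentifier);
            }
            // The SM2 signer additionally receives the curve OID and the public point.
            ECPoint w = ((ECPublicKey) this.publicKey).getW();
            return createSM2ContentSigner(algorithmIdentifier, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
        }
        if (this.publicKey instanceof DSAPublicKey) {
            return createDSAContentSigner(algorithmIdentifier);
        }
        return createEdDSAContentSigner(algorithmIdentifier);
    }

    /** Creates an RSA signer; RSASSA-PSS additionally gets the factory's signing randomness source. */
    private XiContentSigner createRSAContentSigner(AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algorithmIdentifier.getAlgorithm())) {
            return new P11ContentSigner.RSAPSS(this.cryptService, this.identityId, algorithmIdentifier, this.securityFactory.getRandom4Sign());
        }
        return new P11ContentSigner.RSA(this.cryptService, this.identityId, algorithmIdentifier);
    }

    /** Creates an ECDSA signer, passing on whether the algorithm is a "plain" DSA variant. */
    private XiContentSigner createECContentSigner(AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        return new P11ContentSigner.ECDSA(this.cryptService, this.identityId, algorithmIdentifier, AlgorithmUtil.isDSAPlainSigAlg(algorithmIdentifier));
    }

    /** Creates an SM2 signer for the given curve OID and affine public-point coordinates. */
    private XiContentSigner createSM2ContentSigner(AlgorithmIdentifier algorithmIdentifier, ASN1ObjectIdentifier aSN1ObjectIdentifier, BigInteger bigInteger, BigInteger bigInteger2) throws XiSecurityException, P11TokenException {
        return new P11ContentSigner.SM2(this.cryptService, this.identityId, algorithmIdentifier, aSN1ObjectIdentifier, bigInteger, bigInteger2);
    }

    /** Creates a DSA signer, passing on whether the algorithm is a "plain" DSA variant. */
    private XiContentSigner createDSAContentSigner(AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        return new P11ContentSigner.DSA(this.cryptService, this.identityId, algorithmIdentifier, AlgorithmUtil.isDSAPlainSigAlg(algorithmIdentifier));
    }

    /** Creates an EdDSA signer. */
    private XiContentSigner createEdDSAContentSigner(AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        return new P11ContentSigner.EdDSA(this.cryptService, this.identityId, algorithmIdentifier);
    }
}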
