package org.xipki.security.pkcs12;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.RuntimeOperatorException;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.DfltConcurrentContentSigner;
import org.xipki.security.EdECConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.XiSecurityException;
import org.xipki.util.Args;

/* loaded from: input_file:WEB-INF/lib/security-5.3.5.jar:org/xipki/security/pkcs12/P12XdhMacContentSignerBuilder.class */
public class P12XdhMacContentSignerBuilder {
    private SecretKey key;
    private AlgorithmIdentifier algId;
    private HashAlgo hash;
    private IssuerAndSerialNumber peerIssuerAndSerial;
    private final PublicKey publicKey;
    private final X509Certificate[] certificateChain;

    /* loaded from: input_file:WEB-INF/lib/security-5.3.5.jar:org/xipki/security/pkcs12/P12XdhMacContentSignerBuilder$XdhMacContentSigner.class */
    private static class XdhMacContentSigner extends HmacContentSigner {
        private final byte[] prefix;
        private final int hashLen;

        private XdhMacContentSigner(HashAlgo hashAlgo, AlgorithmIdentifier algorithmIdentifier, SecretKey secretKey, IssuerAndSerialNumber issuerAndSerialNumber) throws XiSecurityException {
            super(hashAlgo, algorithmIdentifier, secretKey);
            this.hashLen = hashAlgo.getLength();
            ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
            if (issuerAndSerialNumber != null) {
                aSN1EncodableVector.add(issuerAndSerialNumber);
            }
            aSN1EncodableVector.add(new DEROctetString(new byte[this.hashLen]));
            try {
                byte[] encoded = new DERSequence(aSN1EncodableVector).getEncoded();
                this.prefix = Arrays.copyOfRange(encoded, 0, encoded.length - this.hashLen);
            } catch (IOException e) {
                throw new XiSecurityException("exception initializing ContentSigner: " + e.getMessage(), e);
            }
        }

        @Override // org.xipki.security.pkcs12.HmacContentSigner
        public byte[] getSignature() {
            byte[] signature = super.getSignature();
            if (signature.length != this.hashLen) {
                throw new RuntimeOperatorException("exception obtaining signature: invalid signature length");
            }
            byte[] bArr = new byte[this.prefix.length + this.hashLen];
            System.arraycopy(this.prefix, 0, bArr, 0, this.prefix.length);
            System.arraycopy(signature, 0, bArr, this.prefix.length, this.hashLen);
            return bArr;
        }
    }

    public P12XdhMacContentSignerBuilder(X509Certificate x509Certificate, PrivateKey privateKey, PublicKey publicKey) throws XiSecurityException {
        Args.notNull(privateKey, "privateKey");
        Args.notNull(x509Certificate, "peerCert");
        this.publicKey = (PublicKey) Args.notNull(publicKey, "publicKey");
        this.certificateChain = null;
        init(privateKey, x509Certificate);
    }

    public P12XdhMacContentSignerBuilder(KeypairWithCert keypairWithCert, X509Certificate x509Certificate) throws XiSecurityException {
        Args.notNull(keypairWithCert, "keypairWithCert");
        Args.notNull(x509Certificate, "peerCert");
        this.publicKey = keypairWithCert.getPublicKey();
        this.certificateChain = keypairWithCert.getCertificateChain();
        init(keypairWithCert.getKey(), x509Certificate);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v12, types: [byte[], byte[][]] */
    private void init(PrivateKey privateKey, X509Certificate x509Certificate) throws XiSecurityException {
        String algorithm = privateKey.getAlgorithm();
        if (EdECConstants.X25519.equalsIgnoreCase(algorithm)) {
            this.algId = new AlgorithmIdentifier(ObjectIdentifiers.Xipki.id_alg_dhPop_x25519_sha256);
            this.hash = HashAlgo.SHA256;
        } else {
            if (!EdECConstants.X448.equalsIgnoreCase(algorithm)) {
                throw new IllegalArgumentException("unsupported key.getAlgorithm(): " + algorithm);
            }
            this.algId = new AlgorithmIdentifier(ObjectIdentifiers.Xipki.id_alg_dhPop_x448_sha512);
            this.hash = HashAlgo.SHA512;
        }
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (!algorithm.equalsIgnoreCase(publicKey.getAlgorithm())) {
            throw new IllegalArgumentException("peerCert and key does not match");
        }
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance(algorithm, "BC");
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(publicKey, true);
            byte[] generateSecret = keyAgreement.generateSecret();
            byte[] encoded = x509Certificate.getSubjectX500Principal().getEncoded();
            byte[] encoded2 = x509Certificate.getIssuerX500Principal().getEncoded();
            this.key = new SecretKeySpec(this.hash.hash(new byte[]{encoded, generateSecret, encoded2}), "HMAC-" + this.hash.getName());
            this.peerIssuerAndSerial = new IssuerAndSerialNumber(X500Name.getInstance(encoded2), x509Certificate.getSerialNumber());
        } catch (IllegalStateException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new XiSecurityException("KeyChange error", e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r2v5, types: [byte[], byte[][]] */
    public ConcurrentContentSigner createSigner(int i) throws XiSecurityException {
        Args.positive(i, "parallelism");
        ArrayList arrayList = new ArrayList(i);
        for (int i2 = 0; i2 < i; i2++) {
            arrayList.add(new XdhMacContentSigner(this.hash, this.algId, this.key, this.peerIssuerAndSerial));
        }
        try {
            DfltConcurrentContentSigner dfltConcurrentContentSigner = new DfltConcurrentContentSigner(true, arrayList, this.key);
            dfltConcurrentContentSigner.setSha1DigestOfMacKey(HashAlgo.SHA1.hash(new byte[]{this.key.getEncoded()}));
            if (this.certificateChain != null) {
                dfltConcurrentContentSigner.setCertificateChain(this.certificateChain);
            } else {
                dfltConcurrentContentSigner.setPublicKey(this.publicKey);
            }
            return dfltConcurrentContentSigner;
        } catch (NoSuchAlgorithmException e) {
            throw new XiSecurityException(e.getMessage(), e);
        }
    }
}
