package org.xipki.security.pkcs11;

import iaik.pkcs.pkcs11.constants.PKCS11Constants;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.bsi.BSIObjectIdentifiers;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.DataLengthException;
import org.bouncycastle.crypto.RuntimeCryptoException;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.security.HashAlgo;
import org.xipki.security.XiContentSigner;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs11.P11Params;
import org.xipki.security.util.GMUtil;
import org.xipki.security.util.SignerUtil;
import org.xipki.util.Args;
import org.xipki.util.LogUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner.class */
/**
 * Base class for content signers whose signing or MAC operation is delegated to a PKCS#11 token
 * through a {@link P11CryptService}.
 *
 * <p>Each nested subclass selects a PKCS#11 mechanism offered by the slot at construction time and
 * then either digests the written content in software or buffers it for the token.
 * No synchronization is visible in this class or its nested signers, and every signer keeps a
 * single mutable stream, so sharing one instance between threads needs external coordination.
 */
public abstract class P11ContentSigner implements XiContentSigner {
    private static final Logger LOG = LoggerFactory.getLogger(P11ContentSigner.class);
    // Service used by the nested signers to look up the slot and the signing identity.
    protected final P11CryptService cryptService;
    // Identifies the key on the token; the nested signers read its slot id via getSlotId().
    protected final P11IdentityId identityId;
    // Signature or MAC algorithm this signer was created for.
    protected final AlgorithmIdentifier algorithmIdentifier;
    // Encoding of algorithmIdentifier, computed once in the constructor. The array itself is
    // mutable and visible to subclasses; getEncodedAlgorithmIdentifier() hands out copies only.
    protected final byte[] encodedAlgorithmIdentifier;

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$DSA.class */
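    /**
     * Content signer that produces DSA signatures with a key held on a PKCS#11 token.
     *
     * <p>The constructor prefers the token's raw DSA mechanism and hashes the content in software;
     * only when the slot does not offer it does it fall back to a combined hash-and-sign
     * mechanism, in which case the complete content is buffered and handed to the token.
     */
    static class DSA extends P11ContentSigner {
        // Signature algorithm OID (dotted string) -> hash algorithm of that signature scheme.
        private static final Map<String, HashAlgo> sigAlgHashMap = new HashMap<>();
        // Hash algorithm -> PKCS#11 mechanism in which the token hashes and signs in one call.
        private static final Map<HashAlgo, Long> hashMechMap = new HashMap<>();
        // DigestOutputStream when hashing in software, ByteArrayOutputStream when the token hashes.
        private final OutputStream outputStream;
        private final long mechanism;
        // true: return the token's signature unchanged; false: convert it to the X9.62 form.
        private final boolean plain;

        /**
         * Creates the signer and selects the PKCS#11 mechanism to use.
         *
         * @param p11CryptService service giving access to the slot and the identity
         * @param p11IdentityId identity (key) to sign with
         * @param algorithmIdentifier signature algorithm; its OID must be one registered in
         *     {@code sigAlgHashMap}
         * @param z when {@code true}, {@link #getSignature()} returns the signature as delivered
         *     by the token instead of converting it with {@code SignerUtil.dsaSigPlainToX962}
         * @throws XiSecurityException if the algorithm is unknown or the slot supports neither
         *     the raw nor the matching hash-and-sign mechanism
         * @throws P11TokenException declared by the token access calls
         */
        public DSA(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier, boolean z) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            this.plain = z;
            String id = algorithmIdentifier.getAlgorithm().getId();
            HashAlgo hashAlgo = sigAlgHashMap.get(id);
            if (hashAlgo == null) {
                throw new XiSecurityException("unsupported signature algorithm " + id);
            }
            P11Slot slot = p11CryptService.getSlot(p11IdentityId.getSlotId());
            // 17 == 0x11, CKM_DSA in the PKCS#11 headers: the token signs a ready-made digest.
            if (slot.supportsMechanism(17L)) {
                this.mechanism = 17L;
                this.outputStream = new DigestOutputStream(hashAlgo.createDigest());
            } else {
                // Every HashAlgo registered in sigAlgHashMap also has an entry in hashMechMap
                // (see the static initializer), so this lookup does not yield null.
                this.mechanism = hashMechMap.get(hashAlgo).longValue();
                if (!slot.supportsMechanism(this.mechanism)) {
                    throw new XiSecurityException("unsupported signature algorithm " + id);
                }
                this.outputStream = new ByteArrayOutputStream();
            }
        }

        /**
         * Discards anything written so far and returns the stream for the content to be signed.
         *
         * @return the signer's single, reused output stream
         */
        public OutputStream getOutputStream() {
            if (this.outputStream instanceof ByteArrayOutputStream) {
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                ((DigestOutputStream) this.outputStream).reset();
            }
            return this.outputStream;
        }

        /**
         * Signs the content written since the last reset.
         *
         * @return the signature, plain or X9.62-converted depending on the {@code plain} flag
         * @throws RuntimeCryptoException on any failure; the original throwable is logged and
         *     attached as the cause
         */
        public byte[] getSignature() {
            try {
                byte[] plainSignature = getPlainSignature();
                return this.plain ? plainSignature : SignerUtil.dsaSigPlainToX962(plainSignature);
            } catch (XiSecurityException e) {
                LogUtil.warn(P11ContentSigner.LOG, e);
                throw signingFailure("XiSecurityException: " + e.getMessage(), e);
            } catch (Throwable th) {
                // Throwable is kept as in the original, so Errors are wrapped as well.
                LogUtil.warn(P11ContentSigner.LOG, th);
                throw signingFailure(th.getClass().getName() + ": " + th.getMessage(), th);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }

        // Collects the digest (software hashing) or the buffered content (token hashing), clears
        // the stream, and asks the token identity to sign it with the selected mechanism.
        private byte[] getPlainSignature() throws XiSecurityException, P11TokenException {
            byte[] digest;
            if (this.outputStream instanceof ByteArrayOutputStream) {
                digest = ((ByteArrayOutputStream) this.outputStream).toByteArray();
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                digest = ((DigestOutputStream) this.outputStream).digest();
                ((DigestOutputStream) this.outputStream).reset();
            }
            return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, null, digest);
        }

        static {
            // NOTE(review): the SHA-1 entry is still accepted; whether to allow it is a policy
            // decision that this class does not make.
            sigAlgHashMap.put(X9ObjectIdentifiers.id_dsa_with_sha1.getId(), HashAlgo.SHA1);
            sigAlgHashMap.put(NISTObjectIdentifiers.dsa_with_sha224.getId(), HashAlgo.SHA224);
            sigAlgHashMap.put(NISTObjectIdentifiers.dsa_with_sha256.getId(), HashAlgo.SHA256);
            sigAlgHashMap.put(NISTObjectIdentifiers.dsa_with_sha384.getId(), HashAlgo.SHA384);
            sigAlgHashMap.put(NISTObjectIdentifiers.dsa_with_sha512.getId(), HashAlgo.SHA512);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_dsa_with_sha3_224.getId(), HashAlgo.SHA3_224);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_dsa_with_sha3_256.getId(), HashAlgo.SHA3_256);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_dsa_with_sha3_384.getId(), HashAlgo.SHA3_384);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_dsa_with_sha3_512.getId(), HashAlgo.SHA3_512);
            // PKCS#11 mechanism numbers 0x12..0x16 (CKM_DSA_SHA1 .. CKM_DSA_SHA512) and
            // 0x18..0x1B (CKM_DSA_SHA3_224 .. CKM_DSA_SHA3_512).
            hashMechMap.put(HashAlgo.SHA1, 18L);
            hashMechMap.put(HashAlgo.SHA224, 19L);
            hashMechMap.put(HashAlgo.SHA256, 20L);
            hashMechMap.put(HashAlgo.SHA384, 21L);
            hashMechMap.put(HashAlgo.SHA512, 22L);
            hashMechMap.put(HashAlgo.SHA3_224, 24L);
            hashMechMap.put(HashAlgo.SHA3_256, 25L);
            hashMechMap.put(HashAlgo.SHA3_384, 26L);
            hashMechMap.put(HashAlgo.SHA3_512, 27L);
        }
    }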

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$ECDSA.class */
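    /**
     * Content signer that produces ECDSA signatures with a key held on a PKCS#11 token.
     *
     * <p>The raw ECDSA mechanism with software hashing is preferred; the combined hash-and-sign
     * mechanisms are used only when the slot lacks the raw one, and then the complete content is
     * buffered for the token.
     */
    static class ECDSA extends P11ContentSigner {
        // Signature algorithm OID (dotted string) -> hash algorithm of that signature scheme.
        private static final Map<String, HashAlgo> sigAlgHashMap = new HashMap<>();
        // Hash algorithm -> PKCS#11 mechanism in which the token hashes and signs in one call.
        private static final Map<HashAlgo, Long> hashMechMap = new HashMap<>();
        // DigestOutputStream when hashing in software, ByteArrayOutputStream when the token hashes.
        private final OutputStream outputStream;
        private final long mechanism;
        // true: return the token's signature unchanged; false: convert it to the X9.62 form.
        private final boolean plain;

        /**
         * Creates the signer and selects the PKCS#11 mechanism to use.
         *
         * @param p11CryptService service giving access to the slot and the identity
         * @param p11IdentityId identity (key) to sign with
         * @param algorithmIdentifier signature algorithm; its OID must be one registered in
         *     {@code sigAlgHashMap}
         * @param z when {@code true}, {@link #getSignature()} returns the signature as delivered
         *     by the token instead of converting it with {@code SignerUtil.dsaSigPlainToX962}
         * @throws XiSecurityException if the algorithm is unknown or the slot supports neither
         *     the raw nor the matching hash-and-sign mechanism
         * @throws P11TokenException declared by the token access calls
         */
        public ECDSA(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier, boolean z) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            this.plain = z;
            String id = algorithmIdentifier.getAlgorithm().getId();
            HashAlgo hashAlgo = sigAlgHashMap.get(id);
            if (hashAlgo == null) {
                throw new XiSecurityException("unsupported signature algorithm " + id);
            }
            P11Slot slot = p11CryptService.getSlot(p11IdentityId.getSlotId());
            // 4161 == 0x1041, CKM_ECDSA in the PKCS#11 headers: the token signs a ready-made digest.
            if (slot.supportsMechanism(4161L)) {
                this.mechanism = 4161L;
                this.outputStream = new DigestOutputStream(hashAlgo.createDigest());
            } else {
                // Every HashAlgo registered in sigAlgHashMap also has an entry in hashMechMap
                // (see the static initializer), so this lookup does not yield null.
                this.mechanism = hashMechMap.get(hashAlgo).longValue();
                if (!slot.supportsMechanism(this.mechanism)) {
                    throw new XiSecurityException("unsupported signature algorithm " + id);
                }
                this.outputStream = new ByteArrayOutputStream();
            }
        }

        /**
         * Discards anything written so far and returns the stream for the content to be signed.
         *
         * @return the signer's single, reused output stream
         */
        public OutputStream getOutputStream() {
            if (this.outputStream instanceof ByteArrayOutputStream) {
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                ((DigestOutputStream) this.outputStream).reset();
            }
            return this.outputStream;
        }

        /**
         * Signs the content written since the last reset.
         *
         * @return the signature, plain or X9.62-converted depending on the {@code plain} flag
         * @throws RuntimeCryptoException on any failure; the original throwable is logged and
         *     attached as the cause
         */
        public byte[] getSignature() {
            try {
                byte[] plainSignature = getPlainSignature();
                return this.plain ? plainSignature : SignerUtil.dsaSigPlainToX962(plainSignature);
            } catch (XiSecurityException e) {
                LogUtil.warn(P11ContentSigner.LOG, e);
                throw signingFailure("XiSecurityException: " + e.getMessage(), e);
            } catch (Throwable th) {
                // Throwable is kept as in the original, so Errors are wrapped as well.
                LogUtil.warn(P11ContentSigner.LOG, th);
                throw signingFailure(th.getClass().getName() + ": " + th.getMessage(), th);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }

        // Collects the digest (software hashing) or the buffered content (token hashing), clears
        // the stream, and asks the token identity to sign it with the selected mechanism.
        private byte[] getPlainSignature() throws XiSecurityException, P11TokenException {
            byte[] digest;
            if (this.outputStream instanceof ByteArrayOutputStream) {
                digest = ((ByteArrayOutputStream) this.outputStream).toByteArray();
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                digest = ((DigestOutputStream) this.outputStream).digest();
                ((DigestOutputStream) this.outputStream).reset();
            }
            return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, null, digest);
        }

        static {
            // NOTE(review): the SHA-1 entries (X9.62 and BSI plain) are still accepted; whether
            // to allow them is a policy decision that this class does not make.
            sigAlgHashMap.put(X9ObjectIdentifiers.ecdsa_with_SHA1.getId(), HashAlgo.SHA1);
            sigAlgHashMap.put(X9ObjectIdentifiers.ecdsa_with_SHA224.getId(), HashAlgo.SHA224);
            sigAlgHashMap.put(X9ObjectIdentifiers.ecdsa_with_SHA256.getId(), HashAlgo.SHA256);
            sigAlgHashMap.put(X9ObjectIdentifiers.ecdsa_with_SHA384.getId(), HashAlgo.SHA384);
            sigAlgHashMap.put(X9ObjectIdentifiers.ecdsa_with_SHA512.getId(), HashAlgo.SHA512);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_ecdsa_with_sha3_224.getId(), HashAlgo.SHA3_224);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_ecdsa_with_sha3_256.getId(), HashAlgo.SHA3_256);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_ecdsa_with_sha3_384.getId(), HashAlgo.SHA3_384);
            sigAlgHashMap.put(NISTObjectIdentifiers.id_ecdsa_with_sha3_512.getId(), HashAlgo.SHA3_512);
            sigAlgHashMap.put(BSIObjectIdentifiers.ecdsa_plain_SHA1.getId(), HashAlgo.SHA1);
            sigAlgHashMap.put(BSIObjectIdentifiers.ecdsa_plain_SHA224.getId(), HashAlgo.SHA224);
            sigAlgHashMap.put(BSIObjectIdentifiers.ecdsa_plain_SHA256.getId(), HashAlgo.SHA256);
            sigAlgHashMap.put(BSIObjectIdentifiers.ecdsa_plain_SHA384.getId(), HashAlgo.SHA384);
            sigAlgHashMap.put(BSIObjectIdentifiers.ecdsa_plain_SHA512.getId(), HashAlgo.SHA512);
            // PKCS#11 mechanism numbers 0x1042..0x1046 (CKM_ECDSA_SHA1 .. CKM_ECDSA_SHA512) and
            // 0x1047..0x104A (CKM_ECDSA_SHA3_224 .. CKM_ECDSA_SHA3_512).
            hashMechMap.put(HashAlgo.SHA1, 4162L);
            hashMechMap.put(HashAlgo.SHA224, 4163L);
            hashMechMap.put(HashAlgo.SHA256, 4164L);
            hashMechMap.put(HashAlgo.SHA384, 4165L);
            hashMechMap.put(HashAlgo.SHA512, 4166L);
            hashMechMap.put(HashAlgo.SHA3_224, 4167L);
            hashMechMap.put(HashAlgo.SHA3_256, 4168L);
            hashMechMap.put(HashAlgo.SHA3_384, 4169L);
            hashMechMap.put(HashAlgo.SHA3_512, 4170L);
        }
    }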

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$Mac.class */
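    /**
     * Content signer that computes an HMAC on a PKCS#11 token.
     *
     * <p>The complete content is buffered in memory and passed to the token in one call.
     * NOTE(review): unlike the sibling signers, the constructor does not ask the slot whether the
     * chosen mechanism is supported; an unsupported mechanism presumably only surfaces when
     * {@link #getSignature()} calls the token.
     */
    static class Mac extends P11ContentSigner {
        private final long mechanism;
        // Buffers the content between getOutputStream() and getSignature().
        private final ByteArrayOutputStream outputStream;

        /**
         * Creates the signer and maps the HMAC algorithm OID to a PKCS#11 mechanism number.
         *
         * @param p11CryptService service giving access to the identity
         * @param p11IdentityId identity (key) to compute the MAC with
         * @param algorithmIdentifier one of the HMAC-with-SHA-1/SHA-2/SHA-3 algorithm identifiers
         * @throws IllegalArgumentException if the algorithm is not one of the supported HMACs
         *     (the sibling signers report this case with XiSecurityException instead)
         * @throws XiSecurityException declared by the superclass constructor
         * @throws P11TokenException declared by the superclass constructor
         */
        public Mac(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
            // The literals are the PKCS#11 CKM_*_HMAC mechanism numbers, named per branch.
            if (PKCSObjectIdentifiers.id_hmacWithSHA1.equals(algorithm)) {
                this.mechanism = 545L; // 0x221 CKM_SHA_1_HMAC
            } else if (PKCSObjectIdentifiers.id_hmacWithSHA224.equals(algorithm)) {
                this.mechanism = 598L; // 0x256 CKM_SHA224_HMAC
            } else if (PKCSObjectIdentifiers.id_hmacWithSHA256.equals(algorithm)) {
                this.mechanism = 593L; // 0x251 CKM_SHA256_HMAC
            } else if (PKCSObjectIdentifiers.id_hmacWithSHA384.equals(algorithm)) {
                this.mechanism = 609L; // 0x261 CKM_SHA384_HMAC
            } else if (PKCSObjectIdentifiers.id_hmacWithSHA512.equals(algorithm)) {
                this.mechanism = 625L; // 0x271 CKM_SHA512_HMAC
            } else if (NISTObjectIdentifiers.id_hmacWithSHA3_224.equals(algorithm)) {
                this.mechanism = 694L; // 0x2B6 CKM_SHA3_224_HMAC
            } else if (NISTObjectIdentifiers.id_hmacWithSHA3_256.equals(algorithm)) {
                this.mechanism = 689L; // 0x2B1 CKM_SHA3_256_HMAC
            } else if (NISTObjectIdentifiers.id_hmacWithSHA3_384.equals(algorithm)) {
                this.mechanism = 705L; // 0x2C1 CKM_SHA3_384_HMAC
            } else if (NISTObjectIdentifiers.id_hmacWithSHA3_512.equals(algorithm)) {
                this.mechanism = 721L; // 0x2D1 CKM_SHA3_512_HMAC
            } else {
                throw new IllegalArgumentException("unknown algorithm identifier " + algorithm.getId());
            }
            this.outputStream = new ByteArrayOutputStream();
        }

        /**
         * Discards anything buffered so far and returns the stream for the content to be MACed.
         *
         * @return the signer's single, reused buffer
         */
        public OutputStream getOutputStream() {
            this.outputStream.reset();
            return this.outputStream;
        }

        /**
         * Computes the MAC over the buffered content and clears the buffer.
         *
         * @return the MAC value returned by the token
         * @throws RuntimeCryptoException on any failure; the original throwable is logged and
         *     attached as the cause
         */
        public byte[] getSignature() {
            try {
                byte[] byteArray = this.outputStream.toByteArray();
                this.outputStream.reset();
                return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, null, byteArray);
            } catch (P11TokenException e) {
                LogUtil.warn(P11ContentSigner.LOG, e);
                throw signingFailure("P11TokenException: " + e.getMessage(), e);
            } catch (Throwable th) {
                // Throwable is kept as in the original, so Errors are wrapped as well.
                LogUtil.warn(P11ContentSigner.LOG, th);
                throw signingFailure(th.getClass().getName() + ": " + th.getMessage(), th);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }
    }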

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$RSA.class */
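    /**
     * Content signer that produces RSA PKCS#1 v1.5 signatures with a key held on a PKCS#11 token.
     *
     * <p>Mechanism preference, as coded in the constructor: the token's PKCS#1 v1.5 mechanism
     * with software hashing, then the raw RSA mechanism with hashing and padding both done in
     * software, and last a combined hash-and-sign mechanism with the content buffered for the
     * token.
     */
    static class RSA extends P11ContentSigner {
        // Signature algorithm OID -> hash algorithm of that signature scheme.
        private static final Map<ASN1ObjectIdentifier, HashAlgo> sigAlgHashAlgMap = new HashMap<>();
        // Hash algorithm -> PKCS#11 mechanism in which the token hashes and signs in one call.
        private static final Map<HashAlgo, Long> hashAlgMecMap = new HashMap<>();
        private final long mechanism;
        // DigestOutputStream when hashing in software, ByteArrayOutputStream when the token hashes.
        private final OutputStream outputStream;
        // Bytes placed in front of the digest before signing; null when the token hashes.
        // Obtained from SignerUtil.getDigestPkcsPrefix (presumably the DER DigestInfo header).
        private final byte[] digestPkcsPrefix;
        // Modulus size of the identity's public key, needed for the software padding.
        private final int modulusBitLen;

        /**
         * Creates the signer and selects the PKCS#11 mechanism to use.
         *
         * @param p11CryptService service giving access to the slot and the identity
         * @param p11IdentityId identity (key) to sign with; its public key is cast to
         *     {@link RSAPublicKey}, so a non-RSA identity fails with ClassCastException
         * @param algorithmIdentifier signature algorithm; its OID must be one registered in
         *     {@code sigAlgHashAlgMap}
         * @throws XiSecurityException if the algorithm is unknown or the slot supports none of
         *     the candidate mechanisms
         * @throws P11TokenException declared by the token access calls
         */
        public RSA(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
            HashAlgo hashAlgo = sigAlgHashAlgMap.get(algorithm);
            if (hashAlgo == null) {
                throw new XiSecurityException("unsupported signature algorithm " + algorithm.getId());
            }
            P11Slot slot = p11CryptService.getSlot(p11IdentityId.getSlotId());
            // 1 == CKM_RSA_PKCS (token applies the v1.5 padding), 3 == CKM_RSA_X_509 (raw RSA).
            if (slot.supportsMechanism(1L)) {
                this.mechanism = 1L;
            } else if (slot.supportsMechanism(3L)) {
                this.mechanism = 3L;
            } else {
                Long l = hashAlgMecMap.get(hashAlgo);
                if (l == null) {
                    throw new IllegalStateException("should not reach here, unknown HashAlgo " + hashAlgo);
                }
                this.mechanism = l.longValue();
                if (!slot.supportsMechanism(this.mechanism)) {
                    throw new XiSecurityException("unsupported signature algorithm " + algorithm.getId());
                }
            }
            if (this.mechanism == 1 || this.mechanism == 3) {
                this.digestPkcsPrefix = SignerUtil.getDigestPkcsPrefix(hashAlgo);
                this.outputStream = new DigestOutputStream(hashAlgo.createDigest());
            } else {
                this.digestPkcsPrefix = null;
                this.outputStream = new ByteArrayOutputStream();
            }
            this.modulusBitLen = ((RSAPublicKey) p11CryptService.getIdentity(p11IdentityId).getPublicKey()).getModulus().bitLength();
        }

        /**
         * Discards anything written so far and returns the stream for the content to be signed.
         *
         * @return the signer's single, reused output stream
         */
        public OutputStream getOutputStream() {
            if (this.outputStream instanceof ByteArrayOutputStream) {
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                ((DigestOutputStream) this.outputStream).reset();
            }
            return this.outputStream;
        }

        /**
         * Signs the content written since the last reset.
         *
         * @return the signature returned by the token
         * @throws RuntimeCryptoException if padding or the token operation fails; the original
         *     exception is logged and attached as the cause
         */
        public byte[] getSignature() {
            byte[] bArr;
            if (this.outputStream instanceof ByteArrayOutputStream) {
                bArr = ((ByteArrayOutputStream) this.outputStream).toByteArray();
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else {
                // Software hashing: the value to sign is prefix || digest.
                byte[] digest = ((DigestOutputStream) this.outputStream).digest();
                ((DigestOutputStream) this.outputStream).reset();
                bArr = new byte[this.digestPkcsPrefix.length + digest.length];
                System.arraycopy(this.digestPkcsPrefix, 0, bArr, 0, this.digestPkcsPrefix.length);
                System.arraycopy(digest, 0, bArr, this.digestPkcsPrefix.length, digest.length);
            }
            try {
                if (this.mechanism == 3) {
                    // Raw RSA on the token: the v1.5 encoding has to be applied here first.
                    bArr = SignerUtil.EMSA_PKCS1_v1_5_encoding(bArr, this.modulusBitLen);
                }
                return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, null, bArr);
            } catch (XiSecurityException | P11TokenException e) {
                LogUtil.error(P11ContentSigner.LOG, e, "could not sign");
                throw signingFailure("SignerException: " + e.getMessage(), e);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }

        static {
            // NOTE(review): sha1WithRSAEncryption is still accepted; whether to allow it is a
            // policy decision that this class does not make.
            sigAlgHashAlgMap.put(PKCSObjectIdentifiers.sha1WithRSAEncryption, HashAlgo.SHA1);
            sigAlgHashAlgMap.put(PKCSObjectIdentifiers.sha224WithRSAEncryption, HashAlgo.SHA224);
            sigAlgHashAlgMap.put(PKCSObjectIdentifiers.sha256WithRSAEncryption, HashAlgo.SHA256);
            sigAlgHashAlgMap.put(PKCSObjectIdentifiers.sha384WithRSAEncryption, HashAlgo.SHA384);
            sigAlgHashAlgMap.put(PKCSObjectIdentifiers.sha512WithRSAEncryption, HashAlgo.SHA512);
            sigAlgHashAlgMap.put(NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_224, HashAlgo.SHA3_224);
            sigAlgHashAlgMap.put(NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_256, HashAlgo.SHA3_256);
            sigAlgHashAlgMap.put(NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_384, HashAlgo.SHA3_384);
            sigAlgHashAlgMap.put(NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_512, HashAlgo.SHA3_512);
            // PKCS#11 CKM_<hash>_RSA_PKCS mechanism numbers.
            hashAlgMecMap.put(HashAlgo.SHA1, 6L); // 0x06 CKM_SHA1_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA224, 70L); // 0x46 CKM_SHA224_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA256, 64L); // 0x40 CKM_SHA256_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA384, 65L); // 0x41 CKM_SHA384_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA512, 66L); // 0x42 CKM_SHA512_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA3_224, 102L); // 0x66 CKM_SHA3_224_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA3_256, 96L); // 0x60 CKM_SHA3_256_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA3_384, 97L); // 0x61 CKM_SHA3_384_RSA_PKCS
            hashAlgMecMap.put(HashAlgo.SHA3_512, 98L); // 0x62 CKM_SHA3_512_RSA_PKCS
        }
    }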

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$RSAPSS.class */
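    /**
     * Content signer that produces RSASSA-PSS signatures with a key held on a PKCS#11 token.
     *
     * <p>Three modes are possible, chosen in the constructor: the token's PSS mechanism over a
     * software-computed digest; the raw RSA mechanism with the PSS encoding done in software by
     * a BouncyCastle {@link PSSSigner}; or a combined hash-and-PSS mechanism with the content
     * buffered for the token.
     */
    static class RSAPSS extends P11ContentSigner {
        // Hash algorithm -> PKCS#11 mechanism in which the token hashes and PSS-signs in one call.
        private static final Map<HashAlgo, Long> hashAlgMecMap = new HashMap<>();
        private final long mechanism;
        // PSS parameters handed to the token; null in the software-PSS (raw RSA) mode.
        private final P11Params.P11RSAPkcsPssParams parameters;
        // DigestOutputStream, ByteArrayOutputStream or PSSSignerOutputStream depending on mode.
        private final OutputStream outputStream;

        /** Stream adapter that feeds everything written to it into a {@link PSSSigner}. */
        private static class PSSSignerOutputStream extends OutputStream {
            private final PSSSigner pssSigner;

            PSSSignerOutputStream(PSSSigner pSSSigner) {
                this.pssSigner = pSSSigner;
            }

            @Override
            public void write(int i) throws IOException {
                this.pssSigner.update((byte) i);
            }

            @Override
            public void write(byte[] bArr) throws IOException {
                this.pssSigner.update(bArr, 0, bArr.length);
            }

            @Override
            public void write(byte[] bArr, int i, int i2) throws IOException {
                this.pssSigner.update(bArr, i, i2);
            }

            // Drops the content fed to the signer so far.
            public void reset() {
                this.pssSigner.reset();
            }

            @Override
            public void flush() throws IOException {
                // Nothing is buffered in this adapter.
            }

            @Override
            public void close() throws IOException {
                // The stream is reused across signatures, so closing is a no-op.
            }

            // Produces the signature over the content fed so far and resets the signer.
            byte[] generateSignature() throws DataLengthException, CryptoException {
                byte[] generateSignature = this.pssSigner.generateSignature();
                this.pssSigner.reset();
                return generateSignature;
            }
        }

        /**
         * Creates the signer and selects the PKCS#11 mechanism to use.
         *
         * @param p11CryptService service giving access to the slot and the identity
         * @param p11IdentityId identity (key) to sign with
         * @param algorithmIdentifier must be id-RSASSA-PSS with RSASSA-PSS parameters
         * @param secureRandom random source passed to the software PSS signer; it is required
         *     to be non-null in every mode but only used in the raw-RSA mode
         * @throws XiSecurityException if the algorithm or its hash is unsupported, the slot
         *     supports none of the candidate mechanisms, or the software signer rejects the key
         * @throws P11TokenException declared by the token access calls
         */
        public RSAPSS(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier, SecureRandom secureRandom) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            Args.notNull(secureRandom, "random");
            if (!PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algorithmIdentifier.getAlgorithm())) {
                throw new XiSecurityException("unsupported signature algorithm " + algorithmIdentifier.getAlgorithm());
            }
            RSASSAPSSparams rSASSAPSSparams = RSASSAPSSparams.getInstance(algorithmIdentifier.getParameters());
            ASN1ObjectIdentifier algorithm = rSASSAPSSparams.getHashAlgorithm().getAlgorithm();
            HashAlgo hashAlgo = HashAlgo.getInstance(algorithm);
            if (hashAlgo == null) {
                throw new XiSecurityException("unsupported hash algorithm " + algorithm.getId());
            }
            P11Slot slot = p11CryptService.getSlot(p11IdentityId.getSlotId());
            // 13 == 0x0D, CKM_RSA_PKCS_PSS: the token applies PSS to a ready-made digest.
            if (slot.supportsMechanism(13L)) {
                this.mechanism = 13L;
                this.parameters = new P11Params.P11RSAPkcsPssParams(rSASSAPSSparams);
                this.outputStream = new DigestOutputStream(hashAlgo.createDigest());
                return;
            }
            // 3 == CKM_RSA_X_509 (raw RSA); without it only a hash-and-PSS mechanism remains.
            if (!slot.supportsMechanism(3L)) {
                Long l = hashAlgMecMap.get(hashAlgo);
                if (l == null) {
                    throw new IllegalStateException("should not reach here, unknown HashAlgo " + hashAlgo);
                }
                this.mechanism = l.longValue();
                if (!slot.supportsMechanism(this.mechanism)) {
                    throw new XiSecurityException("unsupported signature algorithm " + PKCSObjectIdentifiers.id_RSASSA_PSS.getId() + " with " + hashAlgo);
                }
                this.parameters = new P11Params.P11RSAPkcsPssParams(rSASSAPSSparams);
                this.outputStream = new ByteArrayOutputStream();
                return;
            }
            // Raw RSA mode: hashing, salt generation and PSS encoding happen in software and
            // P11PlainRSASigner performs the RSA operation (on the token, judging by its key
            // parameter type). The salt comes from the caller-supplied SecureRandom.
            this.mechanism = 3L;
            this.parameters = null;
            P11PlainRSASigner p11PlainRSASigner = new P11PlainRSASigner();
            try {
                P11RSAKeyParameter p11RSAKeyParameter = P11RSAKeyParameter.getInstance(p11CryptService, p11IdentityId);
                PSSSigner createPSSRSASigner = SignerUtil.createPSSRSASigner(algorithmIdentifier, p11PlainRSASigner);
                createPSSRSASigner.init(true, new ParametersWithRandom(p11RSAKeyParameter, secureRandom));
                this.outputStream = new PSSSignerOutputStream(createPSSRSASigner);
            } catch (InvalidKeyException e) {
                throw new XiSecurityException(e.getMessage(), e);
            }
        }

        /**
         * Discards anything written so far and returns the stream for the content to be signed.
         *
         * @return the signer's single, reused output stream
         */
        public OutputStream getOutputStream() {
            if (this.outputStream instanceof ByteArrayOutputStream) {
                ((ByteArrayOutputStream) this.outputStream).reset();
            } else if (this.outputStream instanceof DigestOutputStream) {
                ((DigestOutputStream) this.outputStream).reset();
            } else {
                ((PSSSignerOutputStream) this.outputStream).reset();
            }
            return this.outputStream;
        }

        /**
         * Signs the content written since the last reset.
         *
         * <p>NOTE(review): in the two token-PSS modes the stream is not reset here, unlike the
         * sibling signers; buffered content therefore stays in memory until the next
         * {@link #getOutputStream()} call.
         *
         * @return the PSS signature
         * @throws RuntimeCryptoException if the software signer or the token operation fails;
         *     the original exception is logged and attached as the cause
         */
        public byte[] getSignature() {
            if (this.outputStream instanceof PSSSignerOutputStream) {
                try {
                    return ((PSSSignerOutputStream) this.outputStream).generateSignature();
                } catch (CryptoException e) {
                    LogUtil.warn(P11ContentSigner.LOG, e);
                    throw signingFailure("CryptoException: " + e.getMessage(), e);
                }
            }
            try {
                return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, this.parameters, this.outputStream instanceof ByteArrayOutputStream ? ((ByteArrayOutputStream) this.outputStream).toByteArray() : ((DigestOutputStream) this.outputStream).digest());
            } catch (P11TokenException e2) {
                LogUtil.warn(P11ContentSigner.LOG, e2, "could not sign");
                throw signingFailure("SignerException: " + e2.getMessage(), e2);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }

        static {
            // PKCS#11 CKM_<hash>_RSA_PKCS_PSS mechanism numbers.
            hashAlgMecMap.put(HashAlgo.SHA1, 14L); // 0x0E CKM_SHA1_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA224, 71L); // 0x47 CKM_SHA224_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA256, 67L); // 0x43 CKM_SHA256_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA384, 68L); // 0x44 CKM_SHA384_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA512, 69L); // 0x45 CKM_SHA512_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA3_224, 103L); // 0x67 CKM_SHA3_224_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA3_256, 99L); // 0x63 CKM_SHA3_256_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA3_384, 100L); // 0x64 CKM_SHA3_384_RSA_PKCS_PSS
            hashAlgMecMap.put(HashAlgo.SHA3_512, 101L); // 0x65 CKM_SHA3_512_RSA_PKCS_PSS
        }
    }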

    /* loaded from: input_file:org/xipki/security/pkcs11/P11ContentSigner$SM2.class */
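    /**
     * Content signer that produces SM2 signatures with a key held on a PKCS#11 token.
     *
     * <p>With the vendor SM2 mechanism the content is hashed in software, with the precomputed
     * value {@code z} fed into the digest ahead of the content on every reset. Otherwise the
     * content is buffered and the token's combined SM2-with-SM3 mechanism is used together with
     * the default IDA from {@code GMUtil.getDefaultIDA()}.
     */
    static class SM2 extends P11ContentSigner {
        // Signature algorithm OID (dotted string) -> hash algorithm of that signature scheme.
        private static final Map<String, HashAlgo> sigAlgHashMap = new HashMap<>();
        // Hash algorithm -> vendor mechanism in which the token hashes and signs in one call.
        private static final Map<HashAlgo, Long> hashMechMap = new HashMap<>();
        private final long mechanism;
        // DigestOutputStream when hashing in software, ByteArrayOutputStream when the token hashes.
        private final OutputStream outputStream;
        // Result of GMUtil.getSM2Z; null when the token does the hashing.
        private final byte[] z;

        /**
         * Creates the signer and selects the PKCS#11 mechanism to use.
         *
         * @param p11CryptService service giving access to the slot and the identity
         * @param p11IdentityId identity (key) to sign with
         * @param algorithmIdentifier signature algorithm; its OID must be one registered in
         *     {@code sigAlgHashMap}
         * @param aSN1ObjectIdentifier first argument of {@code GMUtil.getSM2Z} (presumably the
         *     curve OID; confirm against GMUtil)
         * @param bigInteger second argument of {@code GMUtil.getSM2Z} (presumably the public
         *     point's x coordinate; confirm against GMUtil)
         * @param bigInteger2 third argument of {@code GMUtil.getSM2Z} (presumably the public
         *     point's y coordinate; confirm against GMUtil)
         * @throws XiSecurityException if the algorithm or hash is unsupported or the slot
         *     supports neither candidate mechanism
         * @throws P11TokenException declared by the token access calls
         */
        public SM2(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier, ASN1ObjectIdentifier aSN1ObjectIdentifier, BigInteger bigInteger, BigInteger bigInteger2) throws XiSecurityException, P11TokenException {
            super(p11CryptService, p11IdentityId, algorithmIdentifier);
            String id = algorithmIdentifier.getAlgorithm().getId();
            HashAlgo hashAlgo = sigAlgHashMap.get(id);
            if (hashAlgo == null) {
                throw new XiSecurityException("unsupported signature algorithm " + id);
            }
            P11Slot slot = p11CryptService.getSlot(p11IdentityId.getSlotId());
            if (slot.supportsMechanism(PKCS11Constants.CKM_VENDOR_SM2)) {
                this.z = GMUtil.getSM2Z(aSN1ObjectIdentifier, bigInteger, bigInteger2);
                this.mechanism = PKCS11Constants.CKM_VENDOR_SM2;
                // z is not written here; reset() writes it each time the stream is handed out.
                this.outputStream = new DigestOutputStream(hashAlgo.createDigest());
                return;
            }
            this.z = null;
            Long l = hashMechMap.get(hashAlgo);
            if (l == null) {
                throw new XiSecurityException("hash algorithm " + hashAlgo + " is not suitable for SM2");
            }
            this.mechanism = l.longValue();
            if (!slot.supportsMechanism(this.mechanism)) {
                throw new XiSecurityException("unsupported signature algorithm " + id);
            }
            this.outputStream = new ByteArrayOutputStream();
        }

        /**
         * Resets the signer and returns the stream for the content to be signed.
         *
         * @return the signer's single, reused output stream
         */
        public OutputStream getOutputStream() {
            reset();
            return this.outputStream;
        }

        // Clears the stream; in software-hashing mode the digest is then primed with z.
        private void reset() {
            if (this.outputStream instanceof ByteArrayOutputStream) {
                ((ByteArrayOutputStream) this.outputStream).reset();
                return;
            }
            ((DigestOutputStream) this.outputStream).reset();
            try {
                this.outputStream.write(this.z, 0, this.z.length);
            } catch (IOException e) {
                // Keep the IOException as the cause instead of only copying its message.
                throw new IllegalStateException(e.getMessage(), e);
            }
        }

        /**
         * Signs the content written since the last reset.
         *
         * @return the signature converted with {@code SignerUtil.dsaSigPlainToX962}
         * @throws RuntimeCryptoException on any failure; the original throwable is logged and
         *     attached as the cause
         */
        public byte[] getSignature() {
            try {
                return SignerUtil.dsaSigPlainToX962(getPlainSignature());
            } catch (XiSecurityException e) {
                LogUtil.warn(P11ContentSigner.LOG, e);
                throw signingFailure("XiSecurityException: " + e.getMessage(), e);
            } catch (Throwable th) {
                // Throwable is kept as in the original, so Errors are wrapped as well.
                LogUtil.warn(P11ContentSigner.LOG, th);
                throw signingFailure(th.getClass().getName() + ": " + th.getMessage(), th);
            }
        }

        // Builds the unchecked exception and keeps the cause, which RuntimeCryptoException's
        // constructors do not accept directly.
        private static RuntimeCryptoException signingFailure(String message, Throwable cause) {
            RuntimeCryptoException failure = new RuntimeCryptoException(message);
            failure.initCause(cause);
            return failure;
        }

        // Collects the digest (software hashing) or the buffered content plus the default IDA
        // parameter (token hashing), resets the stream, and asks the token identity to sign.
        private byte[] getPlainSignature() throws XiSecurityException, P11TokenException {
            P11Params.P11ByteArrayParams p11ByteArrayParams;
            byte[] digest;
            if (this.outputStream instanceof ByteArrayOutputStream) {
                p11ByteArrayParams = new P11Params.P11ByteArrayParams(GMUtil.getDefaultIDA());
                digest = ((ByteArrayOutputStream) this.outputStream).toByteArray();
            } else {
                p11ByteArrayParams = null;
                digest = ((DigestOutputStream) this.outputStream).digest();
            }
            reset();
            return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, p11ByteArrayParams, digest);
        }

        static {
            sigAlgHashMap.put(GMObjectIdentifiers.sm2sign_with_sm3.getId(), HashAlgo.SM3);
            hashMechMap.put(HashAlgo.SM3, Long.valueOf(PKCS11Constants.CKM_VENDOR_SM2_SM3));
        }
    }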

    /**
     * Stores the collaborators and caches the encoded algorithm identifier.
     *
     * @param p11CryptService service used to reach the token; must not be null
     * @param p11IdentityId identity (key) to sign with; must not be null
     * @param algorithmIdentifier signature or MAC algorithm; must not be null
     * @throws XiSecurityException if the algorithm identifier cannot be encoded
     * @throws P11TokenException declared for subclasses; not thrown by the statements here
     */
    P11ContentSigner(P11CryptService p11CryptService, P11IdentityId p11IdentityId, AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        // Null checks run in the same order as before: identity, service, algorithm.
        this.identityId = (P11IdentityId) Args.notNull(p11IdentityId, "identityId");
        this.cryptService = (P11CryptService) Args.notNull(p11CryptService, "cryptService");
        this.algorithmIdentifier = (AlgorithmIdentifier) Args.notNull(algorithmIdentifier, "signatureAlgId");
        byte[] encoded;
        try {
            encoded = this.algorithmIdentifier.getEncoded();
        } catch (IOException encodingFailure) {
            throw new XiSecurityException("could not encode AlgorithmIdentifier", encodingFailure);
        }
        this.encodedAlgorithmIdentifier = encoded;
    }

    /**
     * Returns the algorithm identifier this signer was created with.
     *
     * @return the stored {@link AlgorithmIdentifier} instance (not a copy)
     */
    public final AlgorithmIdentifier getAlgorithmIdentifier() {
        return algorithmIdentifier;
    }

    /**
     * Returns the encoded algorithm identifier.
     *
     * @return a fresh copy of the cached encoding, so callers cannot alter the signer's state
     */
    @Override
    public final byte[] getEncodedAlgorithmIdentifier() {
        // clone() on a byte[] yields a same-length copy, as Arrays.copyOf did.
        return this.encodedAlgorithmIdentifier.clone();
    }
}
