package com.aliyun.encryptionsdk.provider;

import com.aliyun.encryptionsdk.exception.AliyunException;
import com.aliyun.encryptionsdk.exception.InvalidAlgorithmException;
import com.aliyun.encryptionsdk.exception.InvalidArgumentException;
import com.aliyun.encryptionsdk.kms.AliyunKms;
import com.aliyun.encryptionsdk.logger.CommonLogger;
import com.aliyun.encryptionsdk.model.CmkId;
import com.aliyun.encryptionsdk.model.Constants;
import com.aliyun.encryptionsdk.model.SignatureAlgorithm;
import com.aliyun.encryptionsdk.model.SignatureMaterial;
import com.aliyun.encryptionsdk.model.VerifyMaterial;
import com.aliyuncs.utils.StringUtils;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.bouncycastle.asn1.gm.GMNamedCurves;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SM3Digest;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECPublicKeyParameters;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.math.ec.ECFieldElement;

/* loaded from: input_file:com/aliyun/encryptionsdk/provider/KmsAsymmetricKeyProvider.class */
public class KmsAsymmetricKeyProvider implements SignatureProvider {
    private AliyunKms kms;
    private CmkId keyId;
    private String keyVersionId;
    private PublicKey publicKey;
    private SignatureAlgorithm signatureAlgorithm;

    public KmsAsymmetricKeyProvider(String str, String str2, SignatureAlgorithm signatureAlgorithm) {
        if (StringUtils.isEmpty(str) || StringUtils.isEmpty(str2)) {
            throw new InvalidArgumentException("keyId and keyVersionId cannot be empty");
        }
        this.keyId = new CmkId(str);
        this.keyVersionId = str2;
        this.signatureAlgorithm = signatureAlgorithm;
    }

    public KmsAsymmetricKeyProvider(String str, SignatureAlgorithm signatureAlgorithm) {
        this.signatureAlgorithm = signatureAlgorithm;
        this.publicKey = parsePublicKey(str, signatureAlgorithm);
    }

    public KmsAsymmetricKeyProvider(PublicKey publicKey, SignatureAlgorithm signatureAlgorithm) {
        this.signatureAlgorithm = signatureAlgorithm;
        this.publicKey = publicKey;
    }

    public KmsAsymmetricKeyProvider(String str) {
        this.signatureAlgorithm = parseCertSigAlgName(str);
        this.publicKey = parseCertPublicKey(str);
    }

    @Override // com.aliyun.encryptionsdk.provider.SignatureProvider
    public SignatureMaterial sign(SignatureMaterial signatureMaterial) {
        signatureMaterial.setSignatureAlgorithm(this.signatureAlgorithm);
        return asymmetricSign(signatureMaterial);
    }

    private SignatureMaterial asymmetricSign(SignatureMaterial signatureMaterial) {
        byte[] digest = signatureMaterial.getDigest();
        if (digest == null || digest.length == 0) {
            digest = getDigest(signatureMaterial.getMessage());
        }
        AliyunKms.AsymmetricSignResult asymmetricSign = this.kms.asymmetricSign(this.keyId, this.keyVersionId, this.signatureAlgorithm, digest);
        signatureMaterial.setKeyId(asymmetricSign.getKeyId());
        signatureMaterial.setKeyVersionId(asymmetricSign.getKeyVersionId());
        signatureMaterial.setValue(asymmetricSign.getValue());
        return signatureMaterial;
    }

    @Override // com.aliyun.encryptionsdk.provider.SignatureProvider
    public VerifyMaterial verify(VerifyMaterial verifyMaterial) {
        verifyMaterial.setSignatureAlgorithm(this.signatureAlgorithm);
        return (this.keyId == null || this.keyVersionId == null) ? localVerify(verifyMaterial) : asymmetricVerify(verifyMaterial);
    }

    @Override // com.aliyun.encryptionsdk.provider.SignatureProvider
    public void setAliyunKms(AliyunKms aliyunKms) {
        if (this.kms == null) {
            this.kms = aliyunKms;
        }
    }

    @Override // com.aliyun.encryptionsdk.provider.SignatureProvider
    public SignatureAlgorithm getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    private VerifyMaterial asymmetricVerify(VerifyMaterial verifyMaterial) {
        byte[] digest = verifyMaterial.getDigest();
        if (digest == null || digest.length == 0) {
            digest = getDigest(verifyMaterial.getMessage());
        }
        AliyunKms.AsymmetricVerifyResult asymmetricVerify = this.kms.asymmetricVerify(this.keyId, this.keyVersionId, this.signatureAlgorithm, digest, verifyMaterial.getSignature());
        verifyMaterial.setKeyId(asymmetricVerify.getKeyId());
        verifyMaterial.setKeyVersionId(asymmetricVerify.getKeyVersionId());
        verifyMaterial.setValue(asymmetricVerify.getValue());
        return verifyMaterial;
    }

    private VerifyMaterial localVerify(VerifyMaterial verifyMaterial) {
        Signature signature;
        String algorithm = verifyMaterial.getSignatureAlgorithm().getAlgorithm();
        byte[] signature2 = verifyMaterial.getSignature();
        try {
            boolean z = -1;
            switch (algorithm.hashCode()) {
                case -1846079110:
                    if (algorithm.equals("SM2DSA")) {
                        z = 2;
                        break;
                    }
                    break;
                case 592100072:
                    if (algorithm.equals("RSA_PKCS1_SHA_256")) {
                        z = true;
                        break;
                    }
                    break;
                case 1823122930:
                    if (algorithm.equals("RSA_PSS_SHA_256")) {
                        z = false;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    signature = Signature.getInstance("RSASSA-PSS");
                    signature.setParameter(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1));
                    signature.initVerify(this.publicKey);
                    signature.update(verifyMaterial.getMessage());
                    break;
                case Constants.SDK_VERSION /* 1 */:
                    signature = Signature.getInstance("SHA256withRSA");
                    signature.initVerify(this.publicKey);
                    signature.update(verifyMaterial.getMessage());
                    break;
                case true:
                    Security.addProvider(new BouncyCastleProvider());
                    signature = Signature.getInstance("SM3withSM2", (Provider) new BouncyCastleProvider());
                    signature.initVerify(this.publicKey);
                    signature.update(verifyMaterial.getMessage());
                    break;
                default:
                    throw new InvalidAlgorithmException(String.format("algorithm '%s' not support.", algorithm));
            }
            verifyMaterial.setValue(Boolean.valueOf(signature.verify(signature2)));
            return verifyMaterial;
        } catch (Exception e) {
            CommonLogger.getCommonLogger(Constants.MODE_NAME).errorf("localVerify verify failed", e);
            throw new AliyunException("localVerify verify failed", e);
        }
    }

    public byte[] getDigest(byte[] bArr) {
        if (bArr == null) {
            throw new NullPointerException("content must not be null");
        }
        try {
            if (!"SM2DSA".equals(this.signatureAlgorithm.getAlgorithm())) {
                return MessageDigest.getInstance(this.signatureAlgorithm.getDigestAlgorithm()).digest(bArr);
            }
            if (this.publicKey == null) {
                this.publicKey = parsePublicKey(this.kms.getPublicKey(this.keyId, this.keyVersionId), this.signatureAlgorithm);
            }
            return calcSM3Digest(this.publicKey, bArr);
        } catch (Exception e) {
            throw new AliyunException(e.getMessage(), e.getCause());
        }
    }

    private PublicKey parsePublicKey(String str, SignatureAlgorithm signatureAlgorithm) {
        byte[] decode = Base64.getDecoder().decode(str.replaceFirst("-----BEGIN PUBLIC KEY-----", "").replaceFirst("-----END PUBLIC KEY-----", "").replaceAll("\\s", ""));
        try {
            return "SM2DSA".equals(signatureAlgorithm.getAlgorithm()) ? KeyFactory.getInstance("EC", (Provider) new BouncyCastleProvider()).generatePublic(new X509EncodedKeySpec(decode)) : KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decode));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            CommonLogger.getCommonLogger(Constants.MODE_NAME).errorf(String.format("publicKey parsing failed: %s", str), e);
            throw new AliyunException("publicKey parsing failed: %s", e);
        }
    }

    private Certificate parseCertificate(String str) {
        try {
            return CertificateFactory.getInstance("X.509", (Provider) new BouncyCastleProvider()).generateCertificate(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
        } catch (CertificateException e) {
            CommonLogger.getCommonLogger(Constants.MODE_NAME).errorf(String.format("Certificate parsing failed: %s", str), e);
            throw new AliyunException(String.format("Certificate parsing failed: %s", str), e);
        }
    }

    private PublicKey parseCertPublicKey(String str) {
        return ((X509Certificate) parseCertificate(str)).getPublicKey();
    }

    private SignatureAlgorithm parseCertSigAlgName(String str) {
        String sigAlgName = ((X509Certificate) parseCertificate(str)).getSigAlgName();
        boolean z = -1;
        switch (sigAlgName.hashCode()) {
            case -821652647:
                if (sigAlgName.equals("SM3withSM2")) {
                    z = 3;
                    break;
                }
                break;
            case -280290445:
                if (sigAlgName.equals("SHA256withRSA")) {
                    z = true;
                    break;
                }
                break;
            case -103638183:
                if (sigAlgName.equals("SM3WITHSM2")) {
                    z = 2;
                    break;
                }
                break;
            case 437724019:
                if (sigAlgName.equals("SHA256WITHRSA")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case Constants.SDK_VERSION /* 1 */:
                return SignatureAlgorithm.RSA_PKCS1_SHA_256;
            case true:
            case true:
                return SignatureAlgorithm.SM2DSA;
            default:
                CommonLogger.getCommonLogger(Constants.MODE_NAME).errorf(String.format("signature algorithm '%s' not support.", sigAlgName), new Object[0]);
                throw new InvalidAlgorithmException(String.format("signature algorithm '%s' not support.", sigAlgName));
        }
    }

    private byte[] calcSM3Digest(PublicKey publicKey, byte[] bArr) {
        X9ECParameters byName = GMNamedCurves.getByName("sm2p256v1");
        ECDomainParameters eCDomainParameters = new ECDomainParameters(byName.getCurve(), byName.getG(), byName.getN());
        byte[] z = getZ(new ECPublicKeyParameters(((BCECPublicKey) publicKey).getQ(), eCDomainParameters), eCDomainParameters);
        SM3Digest sM3Digest = new SM3Digest();
        sM3Digest.update(z, 0, z.length);
        sM3Digest.update(bArr, 0, bArr.length);
        byte[] bArr2 = new byte[sM3Digest.getDigestSize()];
        sM3Digest.doFinal(bArr2, 0);
        return bArr2;
    }

    private byte[] getZ(ECPublicKeyParameters eCPublicKeyParameters, ECDomainParameters eCDomainParameters) {
        SM3Digest sM3Digest = new SM3Digest();
        sM3Digest.reset();
        addUserID(sM3Digest, "1234567812345678".getBytes());
        addFieldElement(sM3Digest, eCDomainParameters.getCurve().getA());
        addFieldElement(sM3Digest, eCDomainParameters.getCurve().getB());
        addFieldElement(sM3Digest, eCDomainParameters.getG().getAffineXCoord());
        addFieldElement(sM3Digest, eCDomainParameters.getG().getAffineYCoord());
        addFieldElement(sM3Digest, eCPublicKeyParameters.getQ().getAffineXCoord());
        addFieldElement(sM3Digest, eCPublicKeyParameters.getQ().getAffineYCoord());
        byte[] bArr = new byte[sM3Digest.getDigestSize()];
        sM3Digest.doFinal(bArr, 0);
        return bArr;
    }

    private void addUserID(Digest digest, byte[] bArr) {
        int length = bArr.length * 8;
        digest.update((byte) ((length >> 8) & 255));
        digest.update((byte) (length & 255));
        digest.update(bArr, 0, bArr.length);
    }

    private void addFieldElement(Digest digest, ECFieldElement eCFieldElement) {
        byte[] encoded = eCFieldElement.getEncoded();
        digest.update(encoded, 0, encoded.length);
    }
}
