package org.xipki.security.pkcs11;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.DataLengthException;
import org.bouncycastle.crypto.RuntimeCryptoException;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.crypto.signers.PSSSigner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.HashAlgoType;
import org.xipki.security.bc.XiContentSigner;
import org.xipki.security.exception.P11TokenException;
import org.xipki.security.exception.XiSecurityException;
import org.xipki.security.pkcs11.proxy.P11ProxyConstants;
import org.xipki.security.util.SignerUtil;

/* loaded from: input_file:org/xipki/security/pkcs11/P11RSAPSSContentSigner.class */
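/**
 * RSASSA-PSS content signer whose private-key operation is delegated to a PKCS#11 identity.
 *
 * <p>The constructor inspects the mechanisms offered by the slot and picks one of three modes,
 * in this order of preference:
 * <ol>
 *   <li>{@code CKM_RSA_PKCS_PSS}: the message is hashed in this JVM and only the digest, together
 *       with the PSS parameters, is handed to the identity's {@code sign} call. The
 *       {@link SecureRandom} passed to the constructor is not used in this mode.</li>
 *   <li>{@code CKM_RSA_X_509}: the PSS encoding (including the salt, drawn from the supplied
 *       {@link SecureRandom}) is produced in software by BouncyCastle's {@link PSSSigner}.
 *       NOTE(review): {@code P11PlainRSASigner} presumably forwards only the raw RSA operation to
 *       the token; confirm against that class.</li>
 *   <li>A hash-specific {@code CKM_*_RSA_PKCS_PSS} mechanism: the complete message is buffered in
 *       memory and passed to {@code sign} as-is.</li>
 * </ol>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only the message-hash OID of the PSS parameters is checked here. The remaining fields are
 *       passed through to {@code P11RSAPkcsPssParams} / {@code SignerUtil}.
 *       NOTE(review): confirm those classes validate the MGF, salt length and trailer field.</li>
 *   <li>SHA-1 is accepted as a PSS hash; any policy that forbids it has to be enforced by the
 *       caller.</li>
 *   <li>An instance owns a single output stream that {@link #getOutputStream()} resets and
 *       {@link #getSignature()} consumes. No synchronization is performed in this class, so one
 *       instance must not be used for two signatures concurrently.</li>
 * </ul>
 */
class P11RSAPSSContentSigner implements XiContentSigner {
    private static final Logger LOG = LoggerFactory.getLogger(P11RSAPSSContentSigner.class);

    // PKCS#11 mechanism codes (decimal values kept exactly as used by this class).
    private static final long CKM_RSA_X_509 = 3L;               // 0x03, raw RSA
    private static final long CKM_RSA_PKCS_PSS = 13L;           // 0x0D, PSS over a pre-computed digest
    private static final long CKM_SHA1_RSA_PKCS_PSS = 14L;      // 0x0E
    private static final long CKM_SHA256_RSA_PKCS_PSS = 67L;    // 0x43
    private static final long CKM_SHA384_RSA_PKCS_PSS = 68L;    // 0x44
    private static final long CKM_SHA512_RSA_PKCS_PSS = 69L;    // 0x45
    private static final long CKM_SHA224_RSA_PKCS_PSS = 71L;    // 0x47
    private static final long CKM_SHA3_256_RSA_PKCS_PSS = 99L;  // 0x63
    private static final long CKM_SHA3_384_RSA_PKCS_PSS = 100L; // 0x64
    private static final long CKM_SHA3_512_RSA_PKCS_PSS = 101L; // 0x65
    private static final long CKM_SHA3_224_RSA_PKCS_PSS = 103L; // 0x67

    private final AlgorithmIdentifier algorithmIdentifier;
    private final byte[] encodedAlgorithmIdentifier;
    private final P11CryptService cryptService;
    private final P11EntityIdentifier identityId;
    private final long mechanism;
    // null in CKM_RSA_X_509 mode, where the PSS encoding is done in software.
    private final P11RSAPkcsPssParams parameters;
    // Concrete type encodes the signing mode: DigestOutputStream, PSSSignerOutputStream or
    // ByteArrayOutputStream (see the class comment).
    private final OutputStream outputStream;

    /**
     * Adapts a BouncyCastle {@link PSSSigner} to the {@link OutputStream} API so that the data to
     * be signed can be streamed into it.
     */
    private static class PSSSignerOutputStream extends OutputStream {
        private final PSSSigner pssSigner;

        PSSSignerOutputStream(PSSSigner pSSSigner) {
            this.pssSigner = pSSSigner;
        }

        @Override // java.io.OutputStream
        public void write(int i) throws IOException {
            this.pssSigner.update((byte) i);
        }

        @Override // java.io.OutputStream
        public void write(byte[] bArr) throws IOException {
            this.pssSigner.update(bArr, 0, bArr.length);
        }

        @Override // java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) throws IOException {
            this.pssSigner.update(bArr, i, i2);
        }

        /** Discards any data fed to the signer so far. */
        public void reset() {
            this.pssSigner.reset();
        }

        /** No-op: the signer consumes data as it is written. */
        @Override // java.io.OutputStream, java.io.Flushable
        public void flush() throws IOException {
        }

        /** No-op: the stream is reused for subsequent signatures. */
        @Override // java.io.OutputStream, java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
        }

        /**
         * Produces the signature over the data written so far and resets the signer.
         *
         * @return the signature bytes
         * @throws DataLengthException propagated from {@link PSSSigner#generateSignature()}
         * @throws CryptoException propagated from {@link PSSSigner#generateSignature()}
         */
        byte[] generateSignature() throws DataLengthException, CryptoException {
            byte[] signature = this.pssSigner.generateSignature();
            // If generateSignature() throws, this reset is skipped; getOutputStream() resets again
            // before the next use.
            this.pssSigner.reset();
            return signature;
        }
    }

    /**
     * Creates the signer and selects the signing mode from the mechanisms the slot supports.
     *
     * @param p11CryptService service used to look up the slot and, later, the signing identity
     * @param p11EntityIdentifier identifies the slot and key to sign with
     * @param algorithmIdentifier signature algorithm; must be id-RSASSA-PSS with parameters
     * @param secureRandom randomness source; required to be non-null, but only used in
     *        {@code CKM_RSA_X_509} mode
     * @throws XiSecurityException if the algorithm or its hash is unsupported, the identifier
     *         cannot be encoded, or the key is rejected
     * @throws P11TokenException declared for the slot/key lookups performed here
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public P11RSAPSSContentSigner(P11CryptService p11CryptService, P11EntityIdentifier p11EntityIdentifier, AlgorithmIdentifier algorithmIdentifier, SecureRandom secureRandom) throws XiSecurityException, P11TokenException {
        this.cryptService = (P11CryptService) ParamUtil.requireNonNull("cryptService", p11CryptService);
        this.identityId = (P11EntityIdentifier) ParamUtil.requireNonNull("identityId", p11EntityIdentifier);
        this.algorithmIdentifier = (AlgorithmIdentifier) ParamUtil.requireNonNull("signatureAlgId", algorithmIdentifier);
        try {
            this.encodedAlgorithmIdentifier = this.algorithmIdentifier.getEncoded();
            ParamUtil.requireNonNull("random", secureRandom);
            if (!PKCSObjectIdentifiers.id_RSASSA_PSS.equals(algorithmIdentifier.getAlgorithm())) {
                throw new XiSecurityException("unsupported signature algorithm " + algorithmIdentifier.getAlgorithm());
            }
            RSASSAPSSparams pssParams = RSASSAPSSparams.getInstance(algorithmIdentifier.getParameters());
            ASN1ObjectIdentifier hashOid = pssParams.getHashAlgorithm().getAlgorithm();
            HashAlgoType hashAlgoType = HashAlgoType.getHashAlgoType(hashOid);
            if (hashAlgoType == null) {
                throw new XiSecurityException("unsupported hash algorithm " + hashOid.getId());
            }
            P11Slot slot = p11CryptService.getSlot(p11EntityIdentifier.slotId());
            if (slot.supportsMechanism(CKM_RSA_PKCS_PSS)) {
                // Preferred mode: hash locally, hand digest and PSS parameters to sign().
                this.mechanism = CKM_RSA_PKCS_PSS;
                this.parameters = new P11RSAPkcsPssParams(pssParams);
                this.outputStream = new DigestOutputStream(SignerUtil.getDigest(hashAlgoType));
            } else if (slot.supportsMechanism(CKM_RSA_X_509)) {
                // Fallback: PSS encoding and salt generation happen in software; this is the only
                // mode that consumes secureRandom.
                this.mechanism = CKM_RSA_X_509;
                this.parameters = null;
                P11PlainRSASigner plainRsaSigner = new P11PlainRSASigner();
                try {
                    P11RSAKeyParameter keyParameter = P11RSAKeyParameter.getInstance(p11CryptService, p11EntityIdentifier);
                    PSSSigner softwarePssSigner = SignerUtil.createPSSRSASigner(algorithmIdentifier, plainRsaSigner);
                    softwarePssSigner.init(true, new ParametersWithRandom(keyParameter, secureRandom));
                    this.outputStream = new PSSSignerOutputStream(softwarePssSigner);
                } catch (InvalidKeyException e) {
                    throw new XiSecurityException(e.getMessage(), e);
                }
            } else {
                // Last resort: hash-specific mechanism; the whole message is buffered in memory.
                long hashSpecificMechanism = hashSpecificPssMechanism(hashAlgoType);
                this.mechanism = hashSpecificMechanism;
                if (!slot.supportsMechanism(hashSpecificMechanism)) {
                    throw new XiSecurityException("unsupported signature algorithm " + PKCSObjectIdentifiers.id_RSASSA_PSS.getId() + " with " + hashAlgoType);
                }
                this.parameters = new P11RSAPkcsPssParams(pssParams);
                this.outputStream = new ByteArrayOutputStream();
            }
        } catch (IOException e2) {
            throw new XiSecurityException("could not encode AlgorithmIdentifier", e2);
        }
    }

    /**
     * Maps a message hash to the PKCS#11 mechanism that hashes and PSS-signs in one call.
     *
     * @param hashAlgo the (non-null) hash named in the PSS parameters
     * @return the matching {@code CKM_*_RSA_PKCS_PSS} mechanism code
     * @throws RuntimeException if the hash has no mapping in this class
     */
    private static long hashSpecificPssMechanism(HashAlgoType hashAlgo) {
        if (hashAlgo == HashAlgoType.SHA1) {
            return CKM_SHA1_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA224) {
            return CKM_SHA224_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA256) {
            return CKM_SHA256_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA384) {
            return CKM_SHA384_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA512) {
            return CKM_SHA512_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA3_224) {
            return CKM_SHA3_224_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA3_256) {
            return CKM_SHA3_256_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA3_384) {
            return CKM_SHA3_384_RSA_PKCS_PSS;
        } else if (hashAlgo == HashAlgoType.SHA3_512) {
            return CKM_SHA3_512_RSA_PKCS_PSS;
        }
        throw new RuntimeException("should not reach here, unknown HashAlgoType " + hashAlgo);
    }

    /** Attaches {@code cause} to {@code wrapper} so the original stack trace is not lost. */
    private static RuntimeCryptoException withCause(RuntimeCryptoException wrapper, Throwable cause) {
        wrapper.initCause(cause);
        return wrapper;
    }

    /** Returns the signature algorithm identifier this signer was created with. */
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return this.algorithmIdentifier;
    }

    /** Returns a fresh copy of the DER-encoded algorithm identifier; callers may modify it. */
    @Override // org.xipki.security.bc.XiContentSigner
    public byte[] getEncodedAlgorithmIdentifier() {
        return Arrays.copyOf(this.encodedAlgorithmIdentifier, this.encodedAlgorithmIdentifier.length);
    }

    /**
     * Resets and returns the stream into which the data to be signed must be written.
     *
     * <p>The same stream object is returned on every call, so calling this method discards any
     * data written for a signature that has not been produced yet.
     */
    public OutputStream getOutputStream() {
        if (this.outputStream instanceof ByteArrayOutputStream) {
            ((ByteArrayOutputStream) this.outputStream).reset();
        } else if (this.outputStream instanceof DigestOutputStream) {
            ((DigestOutputStream) this.outputStream).reset();
        } else {
            ((PSSSignerOutputStream) this.outputStream).reset();
        }
        return this.outputStream;
    }

    /**
     * Signs the data written to {@link #getOutputStream()} since it was last reset.
     *
     * @return the signature bytes
     * @throws RuntimeCryptoException if signing fails; the underlying exception is logged and
     *         attached as the cause
     */
    public byte[] getSignature() {
        if (this.outputStream instanceof PSSSignerOutputStream) {
            try {
                return ((PSSSignerOutputStream) this.outputStream).generateSignature();
            } catch (CryptoException e) {
                LogUtil.warn(LOG, e);
                throw withCause(new RuntimeCryptoException("CryptoException: " + e.getMessage()), e);
            }
        }
        try {
            // Buffered mode sends the whole message; digest mode sends only the hash.
            byte[] dataToSign = this.outputStream instanceof ByteArrayOutputStream
                    ? ((ByteArrayOutputStream) this.outputStream).toByteArray()
                    : ((DigestOutputStream) this.outputStream).digest();
            return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, this.parameters, dataToSign);
        } catch (P11TokenException | XiSecurityException e2) {
            LogUtil.warn(LOG, e2, "could not sign");
            throw withCause(new RuntimeCryptoException("SignerException: " + e2.getMessage()), e2);
        }
    }
}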
