package org.xipki.security.pkcs11;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.crypto.RuntimeCryptoException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.common.util.LogUtil;
import org.xipki.common.util.ParamUtil;
import org.xipki.security.HashAlgoType;
import org.xipki.security.bc.XiContentSigner;
import org.xipki.security.exception.P11TokenException;
import org.xipki.security.exception.XiSecurityException;
import org.xipki.security.pkcs11.proxy.P11ProxyConstants;
import org.xipki.security.util.SignerUtil;

/* loaded from: input_file:org/xipki/security/pkcs11/P11RSAContentSigner.class */
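/**
 * Content signer that produces RSA PKCS#1 v1.5 signatures with a key held on a PKCS#11 token.
 *
 * <p>Depending on what the slot supports, the message digest is either computed on the host
 * (only the encoded digest is handed to the token) or the complete message is buffered in
 * memory and handed to the token, which then hashes and signs it.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Not safe for concurrent use: one stream instance is shared by every call and is reset
 *       by {@link #getOutputStream()} and {@link #getSignature()}. Use one signer per thread
 *       or serialize access externally.</li>
 *   <li>{@code sha1WithRSAEncryption} is still accepted. SHA-1 is no longer collision
 *       resistant, so callers that issue certificates or CRLs should restrict the permitted
 *       signature algorithms by policy before constructing this signer.</li>
 *   <li>In the buffered mode the in-memory buffer grows with the message; nothing in this
 *       class bounds its size.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. The synthetic enum switch map and a case label that the
 * decompiler mis-resolved to {@code P11ProxyConstants.RC_BAD_REQUEST} (the plain value 4) have
 * been replaced by named PKCS#11 mechanism constants chosen together with the hash algorithm.
 */
class P11RSAContentSigner implements XiContentSigner {
    private static final Logger LOG = LoggerFactory.getLogger(P11RSAContentSigner.class);

    // PKCS#11 mechanism codes (CK_MECHANISM_TYPE) used by this signer. The numeric values are
    // the ones the decompiled code carried as bare literals (1, 3, 6, 64, 65, 66, 70, 96, 97,
    // 98, 102); the names are those of the PKCS#11 specification.
    private static final long CKM_RSA_PKCS = 0x1L;
    private static final long CKM_RSA_X_509 = 0x3L;
    private static final long CKM_SHA1_RSA_PKCS = 0x6L;
    private static final long CKM_SHA256_RSA_PKCS = 0x40L;
    private static final long CKM_SHA384_RSA_PKCS = 0x41L;
    private static final long CKM_SHA512_RSA_PKCS = 0x42L;
    private static final long CKM_SHA224_RSA_PKCS = 0x46L;
    private static final long CKM_SHA3_256_RSA_PKCS = 0x60L;
    private static final long CKM_SHA3_384_RSA_PKCS = 0x61L;
    private static final long CKM_SHA3_512_RSA_PKCS = 0x62L;
    private static final long CKM_SHA3_224_RSA_PKCS = 0x66L;

    private final AlgorithmIdentifier algorithmIdentifier;
    private final byte[] encodedAlgorithmIdentifier;
    // Mechanism passed to the token on every sign() call; fixed at construction time.
    private final long mechanism;
    // Either a DigestOutputStream (host-side hashing) or a ByteArrayOutputStream (token hashes).
    private final OutputStream outputStream;
    private final P11CryptService cryptService;
    private final P11EntityIdentifier identityId;
    // Prefix prepended to the digest before signing; null when the token does the hashing.
    // NOTE(review): presumably the DER DigestInfo header for the hash algorithm - confirm in
    // SignerUtil.getDigestPkcsPrefix.
    private final byte[] digestPkcsPrefix;
    private final int modulusBitLen;

    /**
     * Creates a signer bound to one token identity and one signature algorithm.
     *
     * <p>Mechanism preference is {@code CKM_RSA_PKCS}, then {@code CKM_RSA_X_509}, then the
     * combined hash-and-sign mechanism matching the algorithm. With {@code CKM_RSA_X_509} the
     * token performs a raw RSA operation and the PKCS#1 v1.5 padding is applied on the host in
     * {@link #getSignature()}.
     *
     * <p>The decompiler widened this constructor from package-private to public.
     *
     * @param p11CryptService service used to reach the slot and the identity; must not be null
     * @param p11EntityIdentifier identifies the key on the token; must not be null
     * @param algorithmIdentifier signature algorithm; must be one of the RSA PKCS#1 v1.5
     *     algorithms with SHA-1, SHA-2 or SHA-3 handled below
     * @throws XiSecurityException if the algorithm identifier cannot be encoded, the algorithm
     *     is not supported by this class or by the slot, or the identity is not an RSA key
     * @throws P11TokenException declared by the token calls made here
     */
    public P11RSAContentSigner(P11CryptService p11CryptService, P11EntityIdentifier p11EntityIdentifier, AlgorithmIdentifier algorithmIdentifier) throws XiSecurityException, P11TokenException {
        this.cryptService = (P11CryptService) ParamUtil.requireNonNull("cryptService", p11CryptService);
        this.identityId = (P11EntityIdentifier) ParamUtil.requireNonNull("identityId", p11EntityIdentifier);
        this.algorithmIdentifier = (AlgorithmIdentifier) ParamUtil.requireNonNull("signatureAlgId", algorithmIdentifier);
        try {
            this.encodedAlgorithmIdentifier = this.algorithmIdentifier.getEncoded();
            ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();

            // Resolve the hash algorithm and the matching hash-and-sign mechanism in one pass,
            // so the two can never disagree. Anything outside this allow-list is rejected.
            HashAlgoType hashAlgoType;
            long hashMechanism;
            if (PKCSObjectIdentifiers.sha1WithRSAEncryption.equals(algorithm)) {
                // SHA-1 is kept for compatibility only; see the class-level note.
                hashAlgoType = HashAlgoType.SHA1;
                hashMechanism = CKM_SHA1_RSA_PKCS;
            } else if (PKCSObjectIdentifiers.sha224WithRSAEncryption.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA224;
                hashMechanism = CKM_SHA224_RSA_PKCS;
            } else if (PKCSObjectIdentifiers.sha256WithRSAEncryption.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA256;
                hashMechanism = CKM_SHA256_RSA_PKCS;
            } else if (PKCSObjectIdentifiers.sha384WithRSAEncryption.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA384;
                hashMechanism = CKM_SHA384_RSA_PKCS;
            } else if (PKCSObjectIdentifiers.sha512WithRSAEncryption.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA512;
                hashMechanism = CKM_SHA512_RSA_PKCS;
            } else if (NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_224.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA3_224;
                hashMechanism = CKM_SHA3_224_RSA_PKCS;
            } else if (NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_256.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA3_256;
                hashMechanism = CKM_SHA3_256_RSA_PKCS;
            } else if (NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_384.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA3_384;
                hashMechanism = CKM_SHA3_384_RSA_PKCS;
            } else if (NISTObjectIdentifiers.id_rsassa_pkcs1_v1_5_with_sha3_512.equals(algorithm)) {
                hashAlgoType = HashAlgoType.SHA3_512;
                hashMechanism = CKM_SHA3_512_RSA_PKCS;
            } else {
                throw new XiSecurityException("unsupported signature algorithm " + algorithm.getId());
            }

            P11Slot slot = p11CryptService.getSlot(p11EntityIdentifier.slotId());
            if (slot.supportsMechanism(CKM_RSA_PKCS)) {
                this.mechanism = CKM_RSA_PKCS;
            } else if (slot.supportsMechanism(CKM_RSA_X_509)) {
                this.mechanism = CKM_RSA_X_509;
            } else if (slot.supportsMechanism(hashMechanism)) {
                this.mechanism = hashMechanism;
            } else {
                throw new XiSecurityException("unsupported signature algorithm " + algorithm.getId());
            }

            if (this.mechanism == CKM_RSA_PKCS || this.mechanism == CKM_RSA_X_509) {
                // Host-side hashing: only the prefixed digest leaves the process.
                this.digestPkcsPrefix = SignerUtil.getDigestPkcsPrefix(hashAlgoType);
                this.outputStream = new DigestOutputStream(SignerUtil.getDigest(hashAlgoType));
            } else {
                // Token-side hashing: the whole message is buffered and sent to the token.
                this.digestPkcsPrefix = null;
                this.outputStream = new ByteArrayOutputStream();
            }

            // Fail with the declared checked exception instead of a ClassCastException when the
            // identity turns out not to be an RSA key.
            Object publicKey = p11CryptService.getIdentity(p11EntityIdentifier).publicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new XiSecurityException("the identified key is not an RSA public key");
            }
            this.modulusBitLen = ((RSAPublicKey) publicKey).getModulus().bitLength();
        } catch (IOException e) {
            throw new XiSecurityException("could not encode AlgorithmIdentifier", e);
        }
    }

    /**
     * Returns the signature algorithm this signer was created for.
     *
     * @return the algorithm identifier passed to the constructor
     */
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return this.algorithmIdentifier;
    }

    /**
     * Returns the encoded form of the signature algorithm identifier.
     *
     * @return a fresh copy, so callers cannot modify the cached encoding
     */
    @Override // org.xipki.security.bc.XiContentSigner
    public byte[] getEncodedAlgorithmIdentifier() {
        return Arrays.copyOf(this.encodedAlgorithmIdentifier, this.encodedAlgorithmIdentifier.length);
    }

    /**
     * Returns the stream the caller writes the to-be-signed data into.
     *
     * <p>The shared stream is reset first, so data written before this call and not yet signed
     * is discarded.
     *
     * @return the signer's single stream instance
     */
    public OutputStream getOutputStream() {
        if (this.outputStream instanceof ByteArrayOutputStream) {
            ((ByteArrayOutputStream) this.outputStream).reset();
        } else {
            ((DigestOutputStream) this.outputStream).reset();
        }
        return this.outputStream;
    }

    /**
     * Signs the data written to the stream since the last reset and resets the stream.
     *
     * @return the signature bytes returned by the token identity
     * @throws RuntimeCryptoException if padding or the token operation fails; the original
     *     exception is logged and attached as the cause
     */
    public byte[] getSignature() {
        byte[] dataToSign;
        if (this.outputStream instanceof ByteArrayOutputStream) {
            ByteArrayOutputStream buffer = (ByteArrayOutputStream) this.outputStream;
            dataToSign = buffer.toByteArray();
            buffer.reset();
        } else {
            DigestOutputStream digester = (DigestOutputStream) this.outputStream;
            byte[] digest = digester.digest();
            digester.reset();
            // prefix || digest
            int prefixLen = this.digestPkcsPrefix.length;
            dataToSign = Arrays.copyOf(this.digestPkcsPrefix, prefixLen + digest.length);
            System.arraycopy(digest, 0, dataToSign, prefixLen, digest.length);
        }
        try {
            if (this.mechanism == CKM_RSA_X_509) {
                // Raw RSA on the token: the PKCS#1 v1.5 padding has to be applied here.
                dataToSign = SignerUtil.EMSA_PKCS1_v1_5_encoding(dataToSign, this.modulusBitLen);
            }
            return this.cryptService.getIdentity(this.identityId).sign(this.mechanism, null, dataToSign);
        } catch (P11TokenException | XiSecurityException e) {
            LogUtil.error(LOG, e, "could not sign");
            // RuntimeCryptoException offers no cause-taking constructor, so chain it explicitly.
            RuntimeCryptoException failure = new RuntimeCryptoException("SignerException: " + e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }
}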
