package de.governikus.mcard.jce.sig.delegate;

import de.bos_bremen.gov2.jca_provider.OCFPrivateKey;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmParameters;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.SignatureSpi;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DigestInfo;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.pqc.math.linearalgebra.ByteUtils;

/* loaded from: input_file:de/governikus/mcard/jce/sig/delegate/JCEDelegateRawRSASignature.class */
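/**
 * {@link SignatureSpi} that signs or verifies a value the caller has already hashed.
 *
 * <p>The bytes passed to {@code update} are buffered, not digested. For signing they may be a
 * raw SHA-2 digest (the algorithm is chosen from its length) or an encoded {@code DigestInfo};
 * they are wrapped in a {@code DigestInfo} and handed to a delegate:
 * <ul>
 *   <li>software RSA keys: BouncyCastle {@code NONEwithRSA};</li>
 *   <li>{@link OCFPrivateKey}: the {@code OCF} provider's {@code <digest>hashedWithRSA}.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The engine never hashes. Callers are responsible for supplying a digest computed with
 *       the algorithm they intend; only the length (raw digest) or the embedded OID
 *       (DigestInfo) is checked here.</li>
 *   <li>The verification fallback parses the PKCS#1 v1.5 block itself, so it enforces the block
 *       type, the 0xFF padding and a canonical DigestInfo with no trailing bytes.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe: they hold mutable buffer and key state.
 */
public class JCEDelegateRawRSASignature extends SignatureSpi {
    private static final String KEY_ALGORITHM_RSA = "RSA";
    private static final Logger LOG = LogManager.getLogger(JCEDelegateRawRSASignature.class);

    /** Shortest PKCS#1 v1.5 type-1 block: 0x00, 0x01, eight 0xFF bytes, 0x00 separator. */
    private static final int MIN_PKCS1_PREFIX_LENGTH = 11;
    /** Minimum number of 0xFF padding bytes required by PKCS#1 v1.5. */
    private static final int MIN_PKCS1_PADDING_LENGTH = 8;

    /** Digest algorithm OID (dotted string) to the name prefix used for the OCF algorithm. */
    private static final Map<String, String> MAP_OID_TO_JCE_NAME;
    /** Raw digest length in bytes to digest name, used when the input is not a DigestInfo. */
    private static final Map<Integer, String> MAP_DIGEST_LENGTH_TO_JCE_NAME;

    static {
        Map<String, String> oidToName = new LinkedHashMap<>();
        oidToName.put(NISTObjectIdentifiers.id_sha256.getId(), "SHA256");
        oidToName.put(NISTObjectIdentifiers.id_sha512.getId(), "SHA512");
        oidToName.put(NISTObjectIdentifiers.id_sha384.getId(), "SHA384");
        oidToName.put(NISTObjectIdentifiers.id_sha224.getId(), "SHA224");
        MAP_OID_TO_JCE_NAME = Collections.unmodifiableMap(oidToName);

        Map<Integer, String> lengthToName = new LinkedHashMap<>();
        lengthToName.put(32, "SHA256");
        lengthToName.put(64, "SHA512");
        lengthToName.put(48, "SHA384");
        // SHA-224 produces 28 bytes. The previous key (24) never matched a real SHA-224 digest
        // and would have labelled an arbitrary 24-byte value as SHA-224.
        lengthToName.put(28, "SHA224");
        MAP_DIGEST_LENGTH_TO_JCE_NAME = Collections.unmodifiableMap(lengthToName);
    }

    /** Buffers everything passed to {@code update}; {@code null} until an init call. */
    private ByteArrayOutputStream baos;
    /** Names of string parameters set since the last init; kept for debug logging only. */
    private final List<String> params = new ArrayList<>();
    /** Classes of parameter specs set since the last init; kept for debug logging only. */
    private final List<Class<?>> paramSpecClasses = new ArrayList<>();
    private PrivateKey privateKey;
    private PublicKey publicKey;
    /** BouncyCastle {@code NONEwithRSA} delegate; {@code null} until an init call. */
    private Signature signature;

    /**
     * Turns the buffered input into a {@code DigestInfo} whose algorithm parameters are an
     * explicit ASN.1 NULL.
     *
     * @param input buffered bytes: an encoded DigestInfo or, if permitted, a raw digest
     * @param allowRawDigest whether input that does not parse as DigestInfo may be treated as
     *     a raw digest whose algorithm is derived from its length
     * @return the DigestInfo, with absent parameters replaced by NULL
     * @throws IllegalArgumentException if the input is not a DigestInfo and raw digests are not
     *     allowed, or if the raw digest length matches no supported SHA-2 algorithm
     */
    private static DigestInfo createDigestInfo(byte[] input, boolean allowRawDigest) {
        try {
            DigestInfo parsed = DigestInfo.getInstance(input);
            if (parsed.getAlgorithmId().getParameters() == null) {
                parsed = new DigestInfo(
                        new AlgorithmIdentifier(parsed.getAlgorithmId().getAlgorithm(), DERNull.INSTANCE),
                        parsed.getDigest());
            }
            return parsed;
        } catch (Exception e) {
            // Any parse failure means "not a DigestInfo"; the broad catch is deliberate.
            if (!allowRawDigest) {
                throw new IllegalArgumentException("verification input as DigestInfo supported only", e);
            }
            String digestName = getJCEDigestAlgorithmName(input.length);
            return new DigestInfo(
                    new AlgorithmIdentifier(
                            new DefaultDigestAlgorithmIdentifierFinder().find(digestName).getAlgorithm(),
                            DERNull.INSTANCE),
                    input);
        }
    }

    /**
     * Maps a raw digest length to its digest name.
     *
     * @param digestLength digest length in bytes
     * @return the mapped name, e.g. {@code SHA256}
     * @throws IllegalArgumentException if no supported SHA-2 digest has that length
     */
    private static String getJCEDigestAlgorithmName(int digestLength) {
        String name = MAP_DIGEST_LENGTH_TO_JCE_NAME.get(digestLength);
        if (name == null) {
            throw new IllegalArgumentException(
                    "invalid digest length, no matching SHA-2 jce digest algorithm found: " + digestLength);
        }
        return name;
    }

    /**
     * Locates the DigestInfo inside a PKCS#1 v1.5 type-1 encoded block.
     *
     * <p>The whole prefix is checked: {@code 0x00 0x01}, at least eight {@code 0xFF} bytes and a
     * single {@code 0x00} separator. Scanning only for the first zero byte would accept blocks
     * whose padding is attacker-chosen, which weakens verification for low public exponents.
     *
     * @param block the RSA public-key operation result, leading zero byte included
     * @return index of the first DigestInfo byte, or {@code -1} if the padding is malformed
     */
    private static int findDigestInfoOffset(byte[] block) {
        if (block == null || block.length < MIN_PKCS1_PREFIX_LENGTH + 1
                || block[0] != 0x00 || block[1] != 0x01) {
            return -1;
        }
        int index = 2;
        while (index < block.length && block[index] == (byte) 0xFF) {
            index++;
        }
        boolean enoughPadding = index - 2 >= MIN_PKCS1_PADDING_LENGTH;
        // The separator must exist and must be followed by at least one content byte.
        if (!enoughPadding || index >= block.length - 1 || block[index] != 0x00) {
            return -1;
        }
        return index + 1;
    }

    /** Returns the delegate's parameter, or {@code null} if the engine is not initialised. */
    @Override // java.security.SignatureSpi
    protected Object engineGetParameter(String str) throws InvalidParameterException {
        if (this.signature == null) {
            return null;
        }
        return this.signature.getParameter(str);
    }

    /** Returns the delegate's parameters, or {@code null} if the engine is not initialised. */
    @Override // java.security.SignatureSpi
    protected AlgorithmParameters engineGetParameters() {
        if (this.signature == null) {
            return null;
        }
        return this.signature.getParameters();
    }

    /** Initialises for signing without a caller-supplied random source. */
    @Override // java.security.SignatureSpi
    protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
        engineInitSign(privateKey, null);
    }

    /**
     * Initialises for signing.
     *
     * <p>For an {@link OCFPrivateKey} the BouncyCastle delegate is initialised with a throwaway
     * RSA key of the same modulus size; that key never signs anything, the real signature is
     * produced by the OCF provider in {@link #engineSign()}. Note that this generates an RSA
     * key pair on every init, which is slow for large moduli.
     *
     * @param privateKey RSA private key, software or OCF-backed
     * @param secureRandom random source passed to the delegate for software keys; may be null
     * @throws InvalidKeyException if the key is null, not RSA, or the delegate cannot be set up
     */
    @Override // java.security.SignatureSpi
    protected void engineInitSign(PrivateKey privateKey, SecureRandom secureRandom) throws InvalidKeyException {
        if (privateKey == null) {
            throw new InvalidKeyException("private key can not be null");
        }
        if (!KEY_ALGORITHM_RSA.equals(privateKey.getAlgorithm())) {
            throw new InvalidKeyException("private key must be a RSA key: " + privateKey.getAlgorithm());
        }
        initDelegate();
        if (privateKey instanceof OCFPrivateKey) {
            OCFPrivateKey ocfKey = (OCFPrivateKey) privateKey;
            Object certificateKey =
                    ocfKey.getOCFCertificatInfo().getCertificateBag().getCertificate().getPublicKey();
            if (!(certificateKey instanceof RSAPublicKey)) {
                throw new InvalidKeyException("OCF private key must represent a RSA private key (checked by related certificate with public key is a RSA public key)");
            }
            int bitLength = ((RSAPublicKey) certificateKey).getModulus().bitLength();
            try {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM_RSA);
                keyPairGenerator.initialize(bitLength);
                this.signature.initSign(keyPairGenerator.generateKeyPair().getPrivate(), new SecureRandom());
            } catch (NoSuchAlgorithmException e) {
                throw new InvalidKeyException("substitute RSA private key can not be generated", e);
            }
        } else {
            if (!(privateKey instanceof RSAPrivateKey)) {
                // Do not put the key object itself into the message: its toString() is
                // provider-defined and may expose key material.
                throw new InvalidKeyException("RSA private key is expected: " + privateKey.getClass().getName());
            }
            this.signature.initSign(privateKey, secureRandom);
        }
        // Stored only after the delegate accepted it, so a failed init leaves no key behind.
        this.privateKey = privateKey;
    }

    /**
     * Initialises for verification.
     *
     * @param publicKey RSA public key
     * @throws InvalidKeyException if the key is null, not RSA, or the delegate cannot be set up
     */
    @Override // java.security.SignatureSpi
    protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey == null) {
            throw new InvalidKeyException("public key can not be null");
        }
        if (!KEY_ALGORITHM_RSA.equals(publicKey.getAlgorithm())) {
            throw new InvalidKeyException("public key must be a RSA key: " + publicKey.getAlgorithm());
        }
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new InvalidKeyException("public key must be a RSAPublicKey");
        }
        initDelegate();
        this.signature.initVerify(publicKey);
        this.publicKey = publicKey;
    }

    /** Forwards the spec to the delegate; a no-op before initialisation. */
    @Override // java.security.SignatureSpi
    protected void engineSetParameter(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (this.signature == null) {
            return;
        }
        LOG.debug("set parameter: {}", algorithmParameterSpec);
        this.paramSpecClasses.add(algorithmParameterSpec.getClass());
        this.signature.setParameter(algorithmParameterSpec);
    }

    /**
     * Forwards the named parameter to the delegate; a no-op before initialisation.
     *
     * <p>The value is written to the debug log, so debug logging should stay off wherever
     * parameter values are sensitive.
     */
    @Override // java.security.SignatureSpi
    protected void engineSetParameter(String str, Object obj) throws InvalidParameterException {
        if (this.signature == null) {
            return;
        }
        LOG.debug("set parameter: {} = {}", str, obj);
        this.params.add(str);
        this.signature.setParameter(str, obj);
    }

    /**
     * Signs the buffered digest (or DigestInfo) and clears the buffer.
     *
     * @return the signature bytes
     * @throws SignatureException if the engine was not initialised or the delegate fails
     * @throws IllegalArgumentException if the buffered input is neither a DigestInfo nor a raw
     *     digest of a supported length, or its digest OID is not supported for OCF keys
     */
    @Override // java.security.SignatureSpi
    protected byte[] engineSign() throws SignatureException {
        if (this.signature == null || this.baos == null) {
            throw new SignatureException("signature engine is not initialized for signing");
        }
        LOG.debug("parameters used: {}", this.params);
        LOG.debug("algorithm parameter specs used: {}", this.paramSpecClasses);
        LOG.debug("parameters: {}", this.signature.getParameters());
        LOG.debug("message length to sign (digest length): {}", Integer.valueOf(this.baos.size()));
        try {
            DigestInfo digestInfo = createDigestInfo(this.baos.toByteArray(), true);
            if (!(this.privateKey instanceof OCFPrivateKey)) {
                try {
                    this.signature.update(digestInfo.getEncoded());
                    return this.signature.sign();
                } catch (IOException e) {
                    throw new SignatureException(e);
                }
            }
            try {
                Signature ocfSignature = Signature.getInstance(
                        getJCEDigestAlgorithmName(digestInfo.getAlgorithmId()) + "hashedWithRSA", "OCF");
                ocfSignature.initSign(this.privateKey);
                ocfSignature.update(digestInfo.getDigest());
                return ocfSignature.sign();
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException e) {
                throw new SignatureException(e);
            }
        } finally {
            // SignatureSpi contract: signing returns the engine to its post-init state.
            // Without this, a reused instance would sign the concatenation of old and new input.
            this.baos.reset();
        }
    }

    /**
     * Signs the buffered input and writes the signature into {@code bArr}.
     *
     * @param bArr output buffer
     * @param i offset into {@code bArr}
     * @param i2 number of bytes available from {@code i}
     * @return the signature length in bytes
     * @throws SignatureException if the range is invalid or the signature does not fit
     */
    @Override // java.security.SignatureSpi
    protected int engineSign(byte[] bArr, int i, int i2) throws SignatureException {
        if (bArr == null) {
            throw new SignatureException("invalid output buffer");
        }
        if (i < 0 || i > bArr.length) {
            throw new SignatureException("invalid offset");
        }
        if (i2 <= 0) {
            throw new SignatureException("invalid signature length");
        }
        // Written as a subtraction so a huge length cannot overflow int and slip past the check.
        if (i2 > bArr.length - i) {
            throw new SignatureException("invalid signature, offset and length does not match signature value");
        }
        byte[] signatureValue = engineSign();
        if (signatureValue == null || signatureValue.length == 0) {
            throw new SignatureException("invalid signature value created");
        }
        if (signatureValue.length > i2) {
            throw new SignatureException("invalid signature value, signature value has more bytes than expected");
        }
        System.arraycopy(signatureValue, 0, bArr, i, signatureValue.length);
        return signatureValue.length;
    }

    /** Buffers one byte; ignored before initialisation. */
    @Override // java.security.SignatureSpi
    protected void engineUpdate(byte b) throws SignatureException {
        if (this.baos != null) {
            this.baos.write(b);
        }
    }

    /** Buffers a byte range; ignored before initialisation. */
    @Override // java.security.SignatureSpi
    protected void engineUpdate(byte[] bArr, int i, int i2) throws SignatureException {
        if (this.baos != null) {
            this.baos.write(bArr, i, i2);
        }
    }

    /**
     * Buffers the remaining bytes of the buffer and advances its position to its limit.
     *
     * <p>Only {@code position..limit} is consumed. Reading from the backing array's offset up
     * to {@code limit} would include bytes before the position and would fail for direct or
     * read-only buffers.
     */
    @Override // java.security.SignatureSpi
    protected void engineUpdate(ByteBuffer byteBuffer) {
        if (this.baos == null || !byteBuffer.hasRemaining()) {
            return;
        }
        int remaining = byteBuffer.remaining();
        if (byteBuffer.hasArray()) {
            this.baos.write(byteBuffer.array(), byteBuffer.arrayOffset() + byteBuffer.position(), remaining);
            byteBuffer.position(byteBuffer.limit());
        } else {
            byte[] chunk = new byte[remaining];
            byteBuffer.get(chunk);
            this.baos.write(chunk, 0, remaining);
        }
    }

    /**
     * Verifies a signature against the buffered input.
     *
     * @return {@code false} if the engine is not initialised or the signature does not verify
     * @throws SignatureException if {@code bArr} is null or empty
     */
    @Override // java.security.SignatureSpi
    protected boolean engineVerify(byte[] bArr) throws SignatureException {
        if (this.signature == null) {
            return false;
        }
        if (bArr == null) {
            throw new SignatureException("invalid signature value");
        }
        return engineVerify(bArr, 0, bArr.length);
    }

    /**
     * Verifies a signature range against the buffered input and clears the buffer.
     *
     * <p>The BouncyCastle delegate is tried first; if it rejects the signature, the stricter
     * hand-rolled fallback is consulted.
     *
     * @param bArr buffer holding the signature
     * @param i offset of the signature in {@code bArr}
     * @param i2 signature length in bytes
     * @return whether the signature verifies; {@code false} if the engine is not initialised
     * @throws SignatureException if the range is invalid or the delegate fails
     */
    @Override // java.security.SignatureSpi
    protected boolean engineVerify(byte[] bArr, int i, int i2) throws SignatureException {
        if (this.signature == null) {
            return false;
        }
        if (bArr == null) {
            throw new SignatureException("invalid signature value");
        }
        if (i < 0 || i > bArr.length) {
            throw new SignatureException("invalid offset");
        }
        if (i2 <= 0) {
            throw new SignatureException("invalid signature length");
        }
        // Written as a subtraction so a huge length cannot overflow int and slip past the check.
        if (i2 > bArr.length - i) {
            throw new SignatureException("invalid signature, offset and length does not match signature value");
        }
        try {
            this.signature.update(this.baos.toByteArray());
            if (this.signature.verify(bArr, i, i2)) {
                return true;
            }
            return fallbackValidationForBCDigestAlgorithmDERNullFault(bArr, i, i2);
        } finally {
            // SignatureSpi contract: verification returns the engine to its post-init state.
            this.baos.reset();
        }
    }

    /**
     * Second-chance verification that compares digest OID and digest value only.
     *
     * <p>NOTE(review): judging by the method name this exists for signatures whose DigestInfo
     * differs from the expected one only in how the algorithm parameters (NULL vs. absent) are
     * encoded - confirm with the original author.
     *
     * <p>Because this path bypasses the provider's own checks, it validates the full PKCS#1
     * v1.5 padding and requires the recovered DigestInfo to be canonical DER that fills the
     * rest of the block exactly. Any failure is treated as "does not verify".
     *
     * @param sigBytes buffer holding the signature
     * @param offset offset of the signature
     * @param length signature length in bytes
     * @return whether OID and digest of the signature match the buffered DigestInfo
     */
    private boolean fallbackValidationForBCDigestAlgorithmDERNullFault(byte[] sigBytes, int offset, int length) {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding", "BC");
            cipher.init(Cipher.ENCRYPT_MODE, this.publicKey);
            byte[] block = cipher.doFinal(sigBytes, offset, length);
            int digestInfoStart = findDigestInfoOffset(block);
            if (digestInfoStart < 0) {
                return false;
            }
            byte[] encodedDigestInfo = Arrays.copyOfRange(block, digestInfoStart, block.length);
            DigestInfo recovered = DigestInfo.getInstance(encodedDigestInfo);
            // Reject trailing bytes and non-canonical encodings after the structure.
            if (!Arrays.equals(encodedDigestInfo, recovered.getEncoded("DER"))) {
                return false;
            }
            DigestInfo expected = createDigestInfo(this.baos.toByteArray(), false);
            String recoveredOid = recovered.getAlgorithmId().getAlgorithm().getId();
            String expectedOid = expected.getAlgorithmId().getAlgorithm().getId();
            return recoveredOid.equals(expectedOid)
                    && Arrays.equals(recovered.getDigest(), expected.getDigest());
        } catch (Exception e) {
            // Deliberately broad: malformed input of any kind must fail closed.
            LOG.debug("fallback verification rejected the signature", e);
            return false;
        }
    }

    /**
     * Maps a raw digest length to the matching SHA-2 object identifier.
     *
     * @param digestLength digest length in bytes
     * @return the NIST OID for that digest
     * @throws IllegalArgumentException if no supported SHA-2 digest has that length
     */
    private ASN1ObjectIdentifier getDigestObjectIdentifier(int digestLength) {
        switch (digestLength) {
            case 28:
                return NISTObjectIdentifiers.id_sha224;
            case 32:
                return NISTObjectIdentifiers.id_sha256;
            case 48:
                return NISTObjectIdentifiers.id_sha384;
            case 64:
                return NISTObjectIdentifiers.id_sha512;
            default:
                throw new IllegalArgumentException(
                        "invalid digest length, no matching SHA-2 digest object identifier found: " + digestLength);
        }
    }

    /**
     * Maps a digest algorithm identifier to the name prefix of the OCF signature algorithm.
     *
     * @param algorithmIdentifier identifier taken from a DigestInfo
     * @return the mapped name, e.g. {@code SHA256}
     * @throws IllegalArgumentException if any part is null or the OID is not a supported digest
     */
    private String getJCEDigestAlgorithmName(AlgorithmIdentifier algorithmIdentifier) {
        if (algorithmIdentifier == null) {
            throw new IllegalArgumentException("invalid algorithm id null");
        }
        ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
        if (algorithm == null) {
            throw new IllegalArgumentException("invalid algorithm null");
        }
        String oid = algorithm.getId();
        if (oid == null) {
            throw new IllegalArgumentException("invalid algorithm OID null");
        }
        String name = MAP_OID_TO_JCE_NAME.get(oid);
        if (name == null) {
            throw new IllegalArgumentException("algorithm OID failed to be mapped to a JCE name: " + oid);
        }
        return name;
    }

    /**
     * Resets all per-operation state and creates a fresh BouncyCastle {@code NONEwithRSA}
     * delegate.
     *
     * @throws InvalidKeyException if the BC provider or the algorithm is unavailable
     */
    private void initDelegate() throws InvalidKeyException {
        this.baos = new ByteArrayOutputStream();
        this.params.clear();
        this.paramSpecClasses.clear();
        this.privateKey = null;
        this.publicKey = null;
        try {
            this.signature = Signature.getInstance("NONEwithRSA", "BC");
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new InvalidKeyException(e);
        }
    }
}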
