package net.jsign.jca;

import com.cedarsoftware.util.io.JsonWriter;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
import net.jsign.DigestAlgorithm;
import net.jsign.KeyStoreUtils;
import net.jsign.SignerHelper;

/* loaded from: input_file:net/jsign/jca/DigiCertOneSigningService.class */
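/**
 * Signing service backed by the DigiCert ONE Secure Software Manager REST API.
 *
 * <p>Every request carries the API key in the {@code x-api-key} header and presents a client
 * certificate during the TLS handshake; the keystore password passed to
 * {@link #getPrivateKey(String, char[])} is therefore not used. The server certificate is
 * validated with the JVM's default trust managers.
 *
 * <p>Certificate descriptions returned by the API are cached, keyed both by certificate id and
 * by alias. The cache is a plain {@link HashMap} with no synchronization, so an instance must
 * not be shared between threads.
 */
public class DigiCertOneSigningService implements SigningService {

    /** Base URL of the DigiCert ONE signing manager API (metadata and key pair lookups). */
    private static final String ENDPOINT = "https://one.digicert.com/signingmanager/api/v1/";

    /** Base URL of the client-certificate authenticated host used for the signing operation. */
    private static final String SIGNING_ENDPOINT = "https://clientauth.one.digicert.com/signingmanager/api/v1/";

    /**
     * Shape of a certificate id. Note that an alias made only of lowercase hex digits and
     * dashes is indistinguishable from an id and is looked up as one.
     */
    private static final Pattern ID_PATTERN = Pattern.compile("[0-9a-f\\-]+");

    /** Certificate descriptions fetched from the API, keyed by id and by alias. */
    private final Map<String, Map<String, ?>> certificates = new HashMap<>();

    private final RESTClient client;

    /**
     * Creates a service authenticated with an API key and a client certificate loaded from a
     * keystore file.
     *
     * @param apiKey    the DigiCert ONE API key, sent with every request
     * @param keystore  the keystore file holding the client certificate and its private key
     * @param storepass the password of the keystore, also used to unlock the key entry
     * @throws RuntimeException if the keystore cannot be loaded
     */
    public DigiCertOneSigningService(String apiKey, File keystore, String storepass) {
        this(apiKey, getKeyManager(keystore, storepass));
    }

    /**
     * Creates a service authenticated with an API key and an already loaded client certificate.
     *
     * @param apiKey     the DigiCert ONE API key, sent with every request
     * @param keyManager the key manager serving the client certificate for the TLS handshake
     */
    public DigiCertOneSigningService(String apiKey, X509KeyManager keyManager) {
        this.client = new RESTClient(ENDPOINT, conn -> {
            conn.setRequestProperty("x-api-key", apiKey);
            try {
                SSLContext context = SSLContext.getInstance("TLS");
                // null trust managers: the server is verified against the default JVM trust store
                context.init(new KeyManager[]{keyManager}, null, new SecureRandom());
                ((HttpsURLConnection) conn).setSSLSocketFactory(context.getSocketFactory());
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("Unable to load the DigiCert ONE client certificate", e);
            }
        });
    }

    @Override
    public String getName() {
        return "DigiCertONE";
    }

    /**
     * Returns the description of a certificate, querying the service on a cache miss.
     *
     * @param alias the alias or the id of the certificate
     * @return the certificate description, or {@code null} if the service returned no match
     * @throws IOException if the request fails
     */
    private Map<String, ?> getCertificateInfo(String alias) throws IOException {
        if (!certificates.containsKey(alias)) {
            String parameter = isIdentifier(alias) ? "id" : SignerHelper.PARAM_ALIAS;
            // the alias comes from the caller: percent-encode it so it stays a single query value
            String value = URLEncoder.encode(alias, StandardCharsets.UTF_8.name());
            cacheCertificates(client.get("certificates?" + parameter + "=" + value));
        }
        return certificates.get(alias);
    }

    /**
     * Stores the certificate descriptions of a {@code certificates} response in the cache,
     * under both their id and their alias.
     *
     * @param response the parsed JSON response holding an {@code items} array
     * @return the aliases of the cached certificates, in the order returned by the service
     */
    @SuppressWarnings("unchecked") // JSON objects are parsed into maps with string keys
    private List<String> cacheCertificates(Map<String, ?> response) {
        List<String> aliases = new ArrayList<>();
        Object[] items = (Object[]) response.get("items");
        if (items == null) {
            return aliases;
        }
        for (Object item : items) {
            Map<String, ?> certificate = (Map<String, ?>) item;
            String alias = (String) certificate.get(SignerHelper.PARAM_ALIAS);
            certificates.put((String) certificate.get("id"), certificate);
            certificates.put(alias, certificate);
            aliases.add(alias);
        }
        return aliases;
    }

    /**
     * Tells whether the name looks like a certificate id rather than an alias.
     *
     * @param name the alias or id to classify
     */
    private boolean isIdentifier(String name) {
        return ID_PATTERN.matcher(name).matches();
    }

    /**
     * Lists the aliases of the active certificates. Only the first 100 active certificates are
     * requested; no paging is performed.
     *
     * @throws KeyStoreException if the request fails
     */
    @Override
    public List<String> aliases() throws KeyStoreException {
        try {
            return cacheCertificates(client.get("certificates?limit=100&certificate_status=ACTIVE"));
        } catch (IOException e) {
            throw new KeyStoreException("Unable to retrieve DigiCert ONE certificate aliases", e);
        }
    }

    /**
     * Returns the certificate chain of the named certificate: the end-entity certificate
     * followed by the issuers in the order returned by the service.
     *
     * @param alias the alias or the id of the certificate
     * @throws KeyStoreException if the certificate is unknown or cannot be fetched or parsed
     */
    @Override
    public Certificate[] getCertificateChain(String alias) throws KeyStoreException {
        try {
            Map<String, ?> certificate = getCertificateInfo(alias);
            if (certificate == null) {
                throw new KeyStoreException("Unable to retrieve DigiCert ONE certificate '" + alias + "'");
            }

            // Base64 encoded certificates, end-entity first
            List<String> encoded = new ArrayList<>();
            encoded.add((String) certificate.get("cert"));
            Object[] chain = (Object[]) certificate.get("chain");
            if (chain != null) {
                for (Object link : chain) {
                    encoded.add((String) ((Map<?, ?>) link).get("blob"));
                }
            }

            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            List<Certificate> parsed = new ArrayList<>(encoded.size());
            for (String blob : encoded) {
                byte[] der = Base64.getDecoder().decode(blob);
                parsed.add(factory.generateCertificate(new ByteArrayInputStream(der)));
            }
            return parsed.toArray(new Certificate[0]);
        } catch (IOException | CertificateException e) {
            throw new KeyStoreException("Unable to retrieve DigiCert ONE certificate '" + alias + "'", e);
        }
    }

    /**
     * Returns a handle on the private key of the named certificate. The key never leaves the
     * service: the handle carries the key pair id, its algorithm and the owning account, which
     * the signing endpoint requires.
     *
     * @param alias    the alias or the id of the certificate
     * @param password unused, authentication relies on the API key and the client certificate
     * @throws UnrecoverableKeyException if the certificate or its key pair cannot be fetched
     */
    @Override
    public SigningServicePrivateKey getPrivateKey(String alias, char[] password) throws UnrecoverableKeyException {
        String message = "Unable to fetch DigiCert ONE private key for the certificate '" + alias + "'";
        try {
            Map<String, ?> certificate = getCertificateInfo(alias);
            // an unknown alias used to surface as a NullPointerException here
            if (certificate == null || !(certificate.get("keypair") instanceof Map)) {
                throw new UnrecoverableKeyException(message);
            }
            String keyId = (String) ((Map<?, ?>) certificate.get("keypair")).get("id");
            Map<String, ?> keypair = client.get("/keypairs/" + keyId);

            SigningServicePrivateKey key = new SigningServicePrivateKey(keyId, (String) keypair.get("key_alg"));
            key.getProperties().put("account", keypair.get("account"));
            return key;
        } catch (IOException e) {
            // UnrecoverableKeyException has no (message, cause) constructor
            throw (UnrecoverableKeyException) new UnrecoverableKeyException(message).initCause(e);
        }
    }

    /**
     * Signs data with a remote key. The data is digested locally with the digest named in the
     * signature algorithm (e.g. {@code SHA256} for {@code SHA256withRSA}) and only the digest
     * is sent to the service.
     *
     * @param privateKey the key handle returned by {@link #getPrivateKey(String, char[])}
     * @param algorithm  the signature algorithm, in the {@code <digest>with<cipher>} form
     * @param data       the data to sign
     * @return the raw signature
     * @throws GeneralSecurityException if the algorithm is not supported or the request fails
     */
    @Override
    public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException {
        // Locale.ROOT: avoid locale-dependent case mapping of the "i" in "with"
        int withIndex = algorithm.toLowerCase(Locale.ROOT).indexOf("with");
        if (withIndex < 0) {
            throw new GeneralSecurityException("Unsupported signature algorithm: " + algorithm);
        }
        DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(algorithm.substring(0, withIndex));
        if (digestAlgorithm == null) {
            throw new GeneralSecurityException("Unsupported digest algorithm in: " + algorithm);
        }
        byte[] digest = digestAlgorithm.getMessageDigest().digest(data);

        Map<String, Object> request = new HashMap<>();
        request.put("account", privateKey.getProperties().get("account"));
        request.put("sig_alg", algorithm);
        request.put("hash", Base64.getEncoder().encodeToString(digest));

        // json-io writer option: don't emit @type metadata in the request body
        Map<String, Object> jsonOptions = new HashMap<>();
        jsonOptions.put("TYPE", "false");

        try {
            String url = SIGNING_ENDPOINT + "keypairs/" + privateKey.getId() + "/sign";
            Map<String, ?> response = client.post(url, JsonWriter.objectToJson(request, jsonOptions));
            return Base64.getDecoder().decode((String) response.get("signature"));
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Loads the client certificate used for the TLS handshake from a keystore file.
     *
     * @param keystore  the keystore file
     * @param storepass the password of the keystore, also used to unlock the key entry
     * @return the X.509 key manager serving the client certificate
     * @throws RuntimeException if the keystore cannot be loaded or yields no X.509 key manager
     */
    private static X509KeyManager getKeyManager(File keystore, String storepass) {
        KeyManager[] managers;
        try {
            KeyStore store = KeyStoreUtils.load(keystore, (String) null, storepass, (Provider) null);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(store, storepass.toCharArray());
            managers = factory.getKeyManagers();
        } catch (Exception e) { // KeyStoreUtils.load's checked exceptions are not visible here
            throw new RuntimeException("Failed to load the client certificate for DigiCert ONE", e);
        }
        // the default algorithm yields an X509KeyManager first; check instead of a blind cast
        for (KeyManager manager : managers) {
            if (manager instanceof X509KeyManager) {
                return (X509KeyManager) manager;
            }
        }
        throw new RuntimeException("No X.509 key manager found in the keystore " + keystore);
    }
}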
