package net.jsign.jca;

import com.cedarsoftware.util.io.JsonWriter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import net.jsign.DigestAlgorithm;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

/* loaded from: input_file:net/jsign/jca/ESignerSigningService.class */
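/**
 * {@link SigningService} implementation that delegates signing to a remote REST API
 * (the {@code /csc/v0/...} and {@code /scan/...} resources; error messages refer to SSL.com).
 *
 * <p>Only digests leave the process: {@link #sign} hashes the data locally and submits the
 * Base64 encoded hash. Every request carries a bearer token in the {@code Authorization}
 * header, so the API endpoint given to the constructors must be a trusted HTTPS URL; this
 * class performs no validation of that endpoint.
 *
 * <p>Instances cache certificate information in a plain {@link HashMap}; nothing in this
 * class synchronizes access to it.
 */
public class ESignerSigningService implements SigningService {
    /** Substring of the API endpoint that selects the sandbox OAuth server and client id. */
    private static final String SANDBOX_MARKER = "-try.ssl.com";

    private static final String SANDBOX_OAUTH_ENDPOINT = "https://oauth-sandbox.ssl.com";
    private static final String PRODUCTION_OAUTH_ENDPOINT = "https://login.ssl.com";

    // NOTE(review): these values are sent as the OAuth "client_id"; presumably they are public
    // client identifiers rather than secrets - confirm before treating them as non-sensitive.
    private static final String SANDBOX_CLIENT_ID = "qOUeZCCzSqgA93acB3LYq6lBNjgZdiOxQc-KayC3UMw";
    private static final String PRODUCTION_CLIENT_ID = "kaXTRACNijSWsFdRKg_KAfD3fqrBlzMbWs6TwWHwAn8";

    /** Certificate information per credential id, filled lazily by {@link #getCertificateInfo}. */
    private final Map<String, Map<String, ?>> certificates;
    private final RESTClient client;

    /**
     * Creates a service that first obtains an access token with the OAuth password grant.
     *
     * <p>The user name and password are posted to the OAuth server picked by
     * {@link #oauthEndpoint}; the resulting token is then sent to {@code str} on every call.
     *
     * @param str  the API endpoint; an endpoint containing {@code -try.ssl.com} selects the sandbox
     * @param str2 the account user name
     * @param str3 the account password
     * @throws IOException if the token request fails or the response carries no access token
     */
    public ESignerSigningService(String str, String str2, String str3) throws IOException {
        this(str, getAccessToken(oauthEndpoint(str), oauthClientId(str), str2, str3));
    }

    /**
     * Creates a service that authenticates with an already issued access token.
     *
     * @param str  the API endpoint
     * @param str2 the OAuth access token, sent as {@code Authorization: Bearer <token>}
     */
    public ESignerSigningService(String str, String str2) {
        this.certificates = new HashMap<>();
        // The token is captured by the callback and attached to every outgoing request.
        this.client = new RESTClient(str, (Consumer<HttpURLConnection>) connection ->
                connection.setRequestProperty("Authorization", "Bearer " + str2));
    }

    /** Returns the OAuth server matching the API endpoint (substring match, not a host comparison). */
    private static String oauthEndpoint(String apiEndpoint) {
        return apiEndpoint.contains(SANDBOX_MARKER) ? SANDBOX_OAUTH_ENDPOINT : PRODUCTION_OAUTH_ENDPOINT;
    }

    /** Returns the OAuth client id matching the API endpoint. */
    private static String oauthClientId(String apiEndpoint) {
        return apiEndpoint.contains(SANDBOX_MARKER) ? SANDBOX_CLIENT_ID : PRODUCTION_CLIENT_ID;
    }

    /**
     * Requests an access token with the OAuth {@code password} grant.
     *
     * <p>The raw user name and password travel in the JSON request body, so they must never be
     * logged together with the request.
     *
     * @throws IOException if the request fails or the response has no usable {@code access_token}
     */
    private static String getAccessToken(String endpoint, String clientId, String username, String password) throws IOException {
        Map<String, Object> request = new LinkedHashMap<>();
        request.put("client_id", clientId);
        request.put("grant_type", "password");
        request.put("username", username);
        request.put("password", password);

        Object token = new RESTClient(endpoint).post("/oauth2/token", JsonWriter.objectToJson(request)).get("access_token");
        // Fail here instead of sending "Bearer null" with every later request.
        if (!(token instanceof String) || ((String) token).isEmpty()) {
            throw new IOException("SSL.com OAuth response did not contain an access token");
        }
        return (String) token;
    }

    /**
     * Builds the writer options passed along with most requests.
     * NOTE(review): "TYPE" -> "false" presumably turns off json-io type metadata - confirm.
     */
    private static Map<String, Object> jsonOptions() {
        Map<String, Object> options = new HashMap<>();
        options.put("TYPE", "false");
        return options;
    }

    /**
     * Reads an array valued field from a response.
     *
     * @throws IOException if the field is absent or is not an array
     */
    private static Object[] arrayField(Map<String, ?> response, String key) throws IOException {
        Object value = response.get(key);
        if (!(value instanceof Object[])) {
            throw new IOException("SSL.com response did not contain the expected '" + key + "' array");
        }
        return (Object[]) value;
    }

    @Override // net.jsign.jca.SigningService
    public String getName() {
        return "ESIGNER";
    }

    /**
     * Lists the credential ids available to the authenticated account.
     *
     * @throws KeyStoreException if the request fails or the response has no {@code credentialIDs} array
     */
    @Override // net.jsign.jca.SigningService
    public List<String> aliases() throws KeyStoreException {
        try {
            Map<String, Object> request = new HashMap<>();
            request.put("clientData", "EVCS");
            Map<String, ?> response = this.client.post("/csc/v0/credentials/list", JsonWriter.objectToJson(request));
            return Stream.of(arrayField(response, "credentialIDs")).map(Object::toString).collect(Collectors.toList());
        } catch (IOException e) {
            throw new KeyStoreException("Unable to retrieve SSL.com certificate aliases", e);
        }
    }

    /**
     * Returns the {@code cert} object of the credential, fetching it on first use.
     *
     * @throws IOException if the request fails or the response has no {@code cert} object
     */
    @SuppressWarnings("unchecked") // the response is untyped JSON; keys of a JSON object are strings
    private Map<String, ?> getCertificateInfo(String alias) throws IOException {
        Map<String, ?> info = this.certificates.get(alias);
        if (info == null) {
            Map<String, Object> request = new HashMap<>();
            request.put("credentialID", alias);
            request.put("certificates", "chain");
            Object cert = this.client.post("/csc/v0/credentials/info", JsonWriter.objectToJson(request)).get("cert");
            // An incomplete response is rejected rather than cached, so a later call can retry.
            if (!(cert instanceof Map)) {
                throw new IOException("SSL.com credential info for '" + alias + "' did not contain certificate data");
            }
            info = (Map<String, ?>) cert;
            this.certificates.put(alias, info);
        }
        return info;
    }

    /**
     * Returns the certificates of the credential, decoded from the Base64 values in the response.
     *
     * <p>The chain is parsed but not validated here; trust decisions belong to the caller.
     *
     * @param str the credential id
     * @throws KeyStoreException if the information cannot be fetched or a certificate cannot be parsed
     */
    @Override // net.jsign.jca.SigningService
    public Certificate[] getCertificateChain(String str) throws KeyStoreException {
        try {
            Object[] encodedCertificates = arrayField(getCertificateInfo(str), "certificates");
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            List<Certificate> chain = new ArrayList<>(encodedCertificates.length);
            for (Object encoded : encodedCertificates) {
                byte[] der = Base64.getDecoder().decode(encoded.toString());
                chain.add(factory.generateCertificate(new ByteArrayInputStream(der)));
            }
            return chain.toArray(new Certificate[0]);
        } catch (IOException | CertificateException e) {
            throw new KeyStoreException("Unable to retrieve SSL.com certificate '" + str + "'", e);
        }
    }

    /**
     * Returns a handle on the remote key; the key algorithm is taken from the first certificate.
     *
     * <p>When {@code cArr} is given it is copied into an immutable {@link String} and kept in
     * the key properties under {@code totpsecret}. The secret therefore stays in memory for as
     * long as the key object does and cannot be wiped; callers clearing {@code cArr} do not
     * clear that copy.
     *
     * @param str  the credential id
     * @param cArr the Base64 encoded TOTP secret, or {@code null} when no OTP has to be sent
     * @throws UnrecoverableKeyException if the certificate chain cannot be retrieved or is empty
     */
    @Override // net.jsign.jca.SigningService
    public SigningServicePrivateKey getPrivateKey(String str, char[] cArr) throws UnrecoverableKeyException {
        try {
            Certificate[] chain = getCertificateChain(str);
            if (chain.length == 0) {
                throw new KeyStoreException("No certificate found for SSL.com credential '" + str + "'");
            }
            SigningServicePrivateKey privateKey = new SigningServicePrivateKey(str, chain[0].getPublicKey().getAlgorithm(), this);
            if (cArr != null) {
                privateKey.getProperties().put("totpsecret", new String(cArr));
            }
            return privateKey;
        } catch (KeyStoreException e) {
            throw ((UnrecoverableKeyException) new UnrecoverableKeyException().initCause(e));
        }
    }

    /**
     * Submits the hash for the pre-signing malware scan when the credential has it enabled.
     *
     * <p>NOTE(review): the response of {@code /scan/hash} is discarded, so no verdict is
     * evaluated on the client; confirm that the service enforces the result on its side.
     * NOTE(review): failures surface as {@link RuntimeException} although {@link #sign}
     * declares {@link GeneralSecurityException}.
     *
     * @param privateKey the key whose credential id is checked
     * @param hashToSign the Base64 encoded digest about to be signed
     * @param hashToScan the Base64 encoded value submitted as {@code hash_to_scan}
     */
    private void scan(SigningServicePrivateKey privateKey, String hashToSign, String hashToScan) {
        Map<String, Object> options = jsonOptions();
        Map<String, Object> settingsRequest = new LinkedHashMap<>();
        settingsRequest.put("credential_id", privateKey.getId());
        try {
            Map<String, ?> settings = this.client.post("/scan/settings", JsonWriter.objectToJson(settingsRequest, options));
            if (!Boolean.TRUE.equals(settings.get("malware_scan_enabled"))) {
                return;
            }
            Map<String, Object> scanRequest = new LinkedHashMap<>();
            scanRequest.put("credential_id", privateKey.getId());
            scanRequest.put("hash_to_scan", hashToScan);
            scanRequest.put("hash_to_sign", hashToSign);
            this.client.post("/scan/hash", JsonWriter.objectToJson(scanRequest, options));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Hashes the data locally and has the service sign the hash.
     *
     * @param signingServicePrivateKey the key returned by {@link #getPrivateKey}
     * @param str  the signature algorithm in {@code <digest>with<key>} form
     * @param bArr the data to sign
     * @return the first signature of the response, Base64 decoded
     * @throws GeneralSecurityException if the algorithm name has no {@code with} part, the
     *         authorization fails, or the signing request fails or returns no signature
     */
    @Override // net.jsign.jca.SigningService
    public byte[] sign(SigningServicePrivateKey signingServicePrivateKey, String str, byte[] bArr) throws GeneralSecurityException {
        // Locale.ROOT: with a Turkish default locale "WITH" lowercases to "w\u0131th" and is not found.
        int withIndex = str.toLowerCase(Locale.ROOT).indexOf("with");
        if (withIndex < 0) {
            throw new GeneralSecurityException("Unsupported signature algorithm: " + str);
        }
        byte[] digest = DigestAlgorithm.of(str.substring(0, withIndex)).getMessageDigest().digest(bArr);
        String hash = Base64.getEncoder().encodeToString(digest);

        // The value sent for scanning is the SHA-256 of the digest, not a hash of the signed content.
        byte[] digestOfDigest = DigestAlgorithm.SHA256.getMessageDigest().digest(digest);
        scan(signingServicePrivateKey, hash, Base64.getEncoder().encodeToString(digestOfDigest));

        Map<String, Object> request = new LinkedHashMap<>();
        request.put("credentialID", signingServicePrivateKey.getId());
        request.put("SAD", getSignatureActivationData(signingServicePrivateKey, hash));
        request.put("hash", new String[]{hash});
        request.put("signAlgo", new DefaultSignatureAlgorithmIdentifierFinder().find(str).getAlgorithm().getId());
        try {
            Map<String, ?> response = this.client.post("/csc/v0/signatures/signHash", JsonWriter.objectToJson(request, jsonOptions()));
            Object[] signatures = arrayField(response, "signatures");
            if (signatures.length == 0) {
                throw new IOException("SSL.com response did not contain a signature");
            }
            return Base64.getDecoder().decode(signatures[0].toString());
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Requests the signature activation data (SAD) authorizing one signature over the hash.
     *
     * <p>An OTP is added only when the key carries a {@code totpsecret} property.
     *
     * @throws GeneralSecurityException if the request fails, no SAD is returned, or the OTP cannot be computed
     */
    private String getSignatureActivationData(SigningServicePrivateKey privateKey, String hash) throws GeneralSecurityException {
        Map<String, Object> request = new LinkedHashMap<>();
        request.put("credentialID", privateKey.getId());
        request.put("numSignatures", 1);
        request.put("hash", new String[]{hash});
        String totpSecret = (String) privateKey.getProperties().get("totpsecret");
        if (totpSecret != null) {
            request.put("OTP", generateOTP(totpSecret));
        }
        try {
            Object sad = this.client.post("/csc/v0/credentials/authorize", JsonWriter.objectToJson(request, jsonOptions())).get("SAD");
            // Without this check a null SAD would be forwarded in the signing request.
            if (!(sad instanceof String)) {
                throw new IOException("SSL.com response did not contain signature activation data");
            }
            return (String) sad;
        } catch (IOException e) {
            throw new GeneralSecurityException("Couldn't get signing authorization for SSL.com certificate " + privateKey.getId(), e);
        }
    }

    /**
     * Computes a six digit time based one-time password from the Base64 encoded secret.
     *
     * <p>HMAC-SHA1 over the number of 30 second steps since the epoch, truncated as in HOTP.
     * The counter comes from the local clock, so a skewed clock presumably yields codes the
     * service rejects.
     *
     * @throws GeneralSecurityException if the MAC cannot be initialized with the secret
     */
    private String generateOTP(String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] counter = new byte[8];
        ByteBuffer.wrap(counter).putLong(System.currentTimeMillis() / 30000);
        mac.init(new SecretKeySpec(Base64.getDecoder().decode(secret), "RAW"));
        mac.update(counter);
        ByteBuffer hmac = ByteBuffer.wrap(mac.doFinal());
        // Dynamic truncation: the low nibble of the last byte is the offset of the 31-bit code.
        int offset = hmac.get(hmac.capacity() - 1) & 15;
        long code = (hmac.getInt(offset) & Integer.MAX_VALUE) % 1000000;
        // Locale.ROOT keeps ASCII digits; the default locale may format %d with other digit sets.
        return String.format(Locale.ROOT, "%06d", Long.valueOf(code));
    }
}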
