package net.netca.pki.impl.jce;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;
import net.netca.pki.Freeable;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.asn1.ASN1Object;
import net.netca.pki.encoding.asn1.AnyType;
import net.netca.pki.encoding.asn1.pki.AlgorithmIdentifier;
import net.netca.pki.encoding.asn1.pki.Attribute;
import net.netca.pki.encoding.asn1.pki.Attributes;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.asn1.pki.cms.ContentInfo;
import net.netca.pki.encoding.asn1.pki.cms.SignedData;
import net.netca.pki.encoding.asn1.pki.cms.SignedDataBuilder;
import net.netca.pki.encoding.asn1.pki.cms.Signer;
import net.netca.pki.encoding.asn1.pki.cms.SignerInfo;
import net.netca.pki.global.IGetTimeStamp;
import net.netca.pki.global.IHash;
import net.netca.pki.global.ISignedDataDetachedSign;

/* loaded from: classes3.dex */
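/**
 * Streaming producer of a detached CMS SignedData signature backed by a JCE private key.
 *
 * <p>Usage, as visible from the methods below: feed the content through
 * {@link #detachedSignUpdate(byte[], int, int)}, call {@link #detachedSignFinal()} to obtain the
 * encoded SignedData, and optionally call {@link #attachSignatureTimeStamp()} afterwards to add a
 * signature time-stamp as an unsigned attribute.
 *
 * <p>Two modes exist. When neither the signing-certificate attribute nor the signing-time
 * attribute is requested, the content is fed straight into a {@link Signature}. Otherwise the
 * content is hashed and the signature is computed over the encoded signed attributes.
 *
 * <p>Instances hold streaming state and use no synchronization, so one instance should serve one
 * signing operation on one thread.
 */
public class JCESignedDataDetachedSign implements ISignedDataDetachedSign {
    /**
     * Content-type OID used in "Q7" mode. NOTE(review): this looks like the GM/T 0010 (SM2
     * cryptographic message syntax) "data" content type; confirm against the profile in use.
     */
    private static final String SM2_Q7_DATA_OID = "1.2.156.10197.6.1.4.2.1";

    private final JCEX509Certificate cert;
    private final boolean hasSignedAttr;
    // Only set in signed-attribute mode; hashes the detached content.
    private IHash hasher;
    private final SignedDataSignInfo info;
    private final JCEPki pki;
    private final PrivateKey privateKey;
    private final AlgorithmIdentifier signAlgo;
    // Only set when no signed attributes are used; signs the detached content directly.
    private Signature signature;
    // Result of the last detachedSignFinal(); required before a time-stamp can be attached.
    private SignedData signedData;
    // Time reported by the time-stamp client after attachSignatureTimeStamp(); null until then.
    private Date tsaTime = null;

    /**
     * Prepares a detached signing operation.
     *
     * @param jCEPki provider of hash objects, certificate paths and the time-stamp client
     * @param jCEX509Certificate signing certificate; must expose a JCE private key
     * @param algorithmIdentifier signature algorithm
     * @param signedDataSignInfo signing options (attributes, certificate inclusion, encoding)
     * @throws PkiException if the certificate has no private key, the signature algorithm cannot
     *     be mapped to a hash algorithm, or the hash or signature object cannot be created
     */
    public JCESignedDataDetachedSign(JCEPki jCEPki, JCEX509Certificate jCEX509Certificate, AlgorithmIdentifier algorithmIdentifier, SignedDataSignInfo signedDataSignInfo) throws PkiException {
        this.pki = jCEPki;
        this.privateKey = jCEX509Certificate.getJCEPrivateKey();
        if (this.privateKey == null) {
            throw new PkiException("no private key");
        }
        this.cert = jCEX509Certificate;
        this.signAlgo = algorithmIdentifier;
        this.info = signedDataSignInfo;
        this.hasSignedAttr = signedDataSignInfo.hasSigningCertAttribute || signedDataSignInfo.useSigningTime;
        if (this.hasSignedAttr) {
            // Fail with a clear error instead of handing a null OID to the hash factory.
            String hashOid = getHashAlgoFromSignatureAlgo(algorithmIdentifier);
            if (hashOid == null) {
                throw new PkiException("unsupported sign algo: " + algorithmIdentifier.getOid());
            }
            this.hasher = jCEPki.getHashObject(hashOid);
            if (this.hasher == null) {
                throw new PkiException("create hash object fail");
            }
        } else {
            this.signature = createSignatureObject();
        }
    }

    /**
     * Requests a time-stamp over the first signer's signature value and stores the returned token
     * as that signer's signature time-stamp unsigned attribute.
     *
     * <p>The token is decoded and attached as returned; this class performs no validation of the
     * time-stamp token itself, so verifiers must validate it before trusting the time.
     *
     * @param jCEPki source of the time-stamp client
     * @param signedData SignedData whose first SignerInfo is time-stamped
     * @return the time reported by the time-stamp client
     * @throws PkiException if the time-stamp cannot be obtained or attached
     */
    public static Date attachSignatureTimeStamp(JCEPki jCEPki, SignedData signedData) throws PkiException {
        SignerInfo signerInfo = signedData.getSignerInfos().get(0);
        TimeStampRespInfo timeStamp = getTimeStamp(jCEPki, signerInfo.getSignature());
        updateSignatureTimeStampAttribute(signerInfo, timeStamp.token);
        return timeStamp.time;
    }

    /**
     * Creates a {@link Signature} for the configured algorithm OID, initialized for signing.
     *
     * @throws PkiException if the key is rejected or no provider supplies the algorithm
     */
    private Signature createSignatureObject() throws PkiException {
        try {
            Signature signer = Signature.getInstance(this.signAlgo.getOid());
            signer.initSign(this.privateKey);
            return signer;
        } catch (InvalidKeyException e) {
            throw new PkiException("bad private key", e);
        } catch (NoSuchAlgorithmException e) {
            throw new PkiException("bad sign algo", e);
        }
    }

    /**
     * Builds the signer description with the attributes requested in the signing options.
     *
     * @param x509Certificate signing certificate
     * @param date value for the signing-time attribute; this is the local clock and therefore a
     *     claim by the signer, not a trusted time
     * @param x509CertificateArr certificate path passed to the signing-certificate attribute; only
     *     used when that attribute is requested
     */
    private Signer createSigner(X509Certificate x509Certificate, Date date, X509Certificate[] x509CertificateArr) throws PkiException {
        Signer signer = new Signer(x509Certificate, null);
        signer.setSignatureAlgorithm(this.signAlgo);
        // 2 when the subject key identifier is requested, else 1 (presumably
        // issuerAndSerialNumber; confirm against Signer).
        signer.setSignerIdType(this.info.useSubjectKeyId ? 2 : 1);
        if (this.info.useSigningTime) {
            JCESignedDataSign.addSigningTimeAttribute(signer, date);
        }
        if (this.info.hasSigningCertAttribute) {
            JCESignedDataSign.addSigningCertHashAttribute(signer, this.info.signingCertHashAlgo, x509CertificateArr);
        }
        return signer;
    }

    /**
     * Maps a signature algorithm OID to the OID of its hash algorithm.
     *
     * <p>The SHA-1 mappings are kept for compatibility; SHA-1 is no longer collision resistant,
     * so callers that control the algorithm choice should select SHA-256 or stronger, or SM3.
     *
     * @return the hash OID, or {@code null} when the signature algorithm is not in this table
     */
    private static String getHashAlgoFromSignatureAlgo(AlgorithmIdentifier algorithmIdentifier) {
        String oid = algorithmIdentifier.getOid();
        if (oid.equals(AlgorithmIdentifier.SHA1WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA1_OID)) {
            return AlgorithmIdentifier.SHA1_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA224WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA224_OID)) {
            return AlgorithmIdentifier.SHA224_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA256WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA256_OID)) {
            return AlgorithmIdentifier.SHA256_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA384WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA384_OID)) {
            return AlgorithmIdentifier.SHA384_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA512_OID)) {
            return AlgorithmIdentifier.SHA512_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_224WithRSA_OID)) {
            return AlgorithmIdentifier.SHA512_224_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_256WithRSA_OID)) {
            return AlgorithmIdentifier.SHA512_256_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_384WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA3_384_OID)) {
            return AlgorithmIdentifier.SHA3_384_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_512WithRSA_OID) || oid.equals(AlgorithmIdentifier.ECDSAWithSHA3_512_OID)) {
            return AlgorithmIdentifier.SHA3_512_OID;
        }
        if (oid.equals(AlgorithmIdentifier.SM3WithSM2_OID)) {
            return AlgorithmIdentifier.SM3_OID;
        }
        return null;
    }

    /**
     * Obtains a time-stamp token and its time for the given bytes, releasing the client afterwards.
     *
     * @param bArr bytes handed to the time-stamp client (the signature value at the call site)
     * @throws PkiException if no time-stamp client is available or the request fails
     */
    private static TimeStampRespInfo getTimeStamp(JCEPki jCEPki, byte[] bArr) throws PkiException {
        IGetTimeStamp tsClient = jCEPki.getGetTimeStampObject();
        if (tsClient == null) {
            throw new PkiException("get timestamp object fail");
        }
        try {
            TimeStampRespInfo resp = new TimeStampRespInfo();
            resp.token = tsClient.getToken(bArr, 0, bArr.length);
            resp.time = tsClient.getTime();
            return resp;
        } finally {
            // Release the client on success and on failure alike.
            if (tsClient instanceof Freeable) {
                ((Freeable) tsClient).free();
            }
        }
    }

    /** Wraps an encoded time-stamp token in a signature time-stamp attribute. */
    private static Attribute newSignatureTimeStampAttribute(byte[] bArr) throws PkiException {
        return new Attribute(Attribute.SIGNATURE_TIMESTAMP, ASN1Object.decode(bArr, AnyType.getInstance()));
    }

    /**
     * Returns a copy of the unsigned attributes in which any existing signature time-stamp
     * attribute is dropped and {@code attribute} is appended.
     *
     * @param attributes current unsigned attributes, may be {@code null}
     * @param attribute the new signature time-stamp attribute
     */
    private static Attributes newUnsignedAttributes(Attributes attributes, Attribute attribute) throws PkiException {
        Attributes result = new Attributes();
        if (attributes != null) {
            int size = attributes.size();
            for (int i = 0; i < size; i++) {
                Attribute existing = attributes.get(i);
                if (!existing.getType().equals(Attribute.SIGNATURE_TIMESTAMP)) {
                    result.add(existing);
                }
            }
        }
        result.add(attribute);
        return result;
    }

    /** Returns {@code certPath}, building it for {@code signCert} first when it is still null. */
    private X509Certificate[] ensureCertPath(X509Certificate[] certPath, X509Certificate signCert) throws PkiException {
        X509Certificate[] path = certPath != null ? certPath : JCESignedDataSign.builderCertPath(this.pki, signCert);
        if (path == null) {
            throw new PkiException("build cert path fail");
        }
        return path;
    }

    /**
     * Computes the signature and assembles the detached SignedData.
     *
     * @param bArr content digest in signed-attribute mode, {@code null} otherwise
     * @throws PkiException if the certificate path cannot be built or signing fails
     */
    private SignedData sign(byte[] bArr) throws PkiException {
        SignedDataBuilder builder = new SignedDataBuilder();
        X509Certificate signCert = new X509Certificate(this.cert.derEncode());
        Date signingTime = new Date();
        X509Certificate[] certPath = this.info.hasSigningCertAttribute ? JCESignedDataSign.builderCertPath(this.pki, signCert) : null;
        Signer attrSigner = createSigner(signCert, signingTime, certPath);
        builder.setDetached(true);

        // includeCertOption: 1 embeds no certificate, 4 the whole path, 3 the path without its
        // last element (presumably the root; confirm), anything else only the signing certificate.
        int includeOption = this.info.includeCertOption;
        if (includeOption == 1) {
            builder.setIncludeSignCert(false);
        } else if (includeOption == 4) {
            // The path is only pre-built when the signing-certificate attribute is requested;
            // build it here when it is missing rather than dereferencing null.
            certPath = ensureCertPath(certPath, signCert);
            builder.setIncludeSignCert(false);
            for (X509Certificate pathCert : certPath) {
                builder.addX509PublicKeyCertificate(pathCert);
            }
        } else if (includeOption == 3) {
            certPath = ensureCertPath(certPath, signCert);
            if (certPath.length == 1) {
                builder.setIncludeSignCert(true);
            } else {
                builder.setIncludeSignCert(false);
                for (int i = 0; i < certPath.length - 1; i++) {
                    builder.addX509PublicKeyCertificate(certPath[i]);
                }
            }
        } else {
            builder.setIncludeSignCert(false);
            builder.addX509PublicKeyCertificate(signCert);
        }

        String contentTypeOid;
        if (this.info.isQ7) {
            builder.setSM2Q7(true);
            contentTypeOid = SM2_Q7_DATA_OID;
        } else {
            contentTypeOid = ContentInfo.DATA_OID;
        }

        byte[] signatureValue;
        if (this.hasSignedAttr) {
            // The signature covers the encoded signed attributes, which bind the content type
            // and the content digest.
            byte[] signedAttrs = attrSigner.getSignedAttributesEncode(contentTypeOid, bArr);
            Signature attrSignature = createSignatureObject();
            try {
                attrSignature.update(signedAttrs);
                signatureValue = attrSignature.sign();
            } catch (Exception e) {
                // Broad on purpose: provider runtime failures also surface as PkiException.
                throw new PkiException("sign fail", e);
            }
        } else {
            try {
                signatureValue = this.signature.sign();
            } catch (SignatureException e) {
                throw new PkiException("sign fail", e);
            }
        }

        // A second signer with the same certificate, time and path is the one added to the builder.
        builder.addSigner(createSigner(signCert, signingTime, certPath));
        return this.hasSignedAttr ? builder.setSignatureValue(bArr, signatureValue) : builder.setSignatureValue(signatureValue);
    }

    /** Replaces the signer's signature time-stamp unsigned attribute with the given token. */
    private static void updateSignatureTimeStampAttribute(SignerInfo signerInfo, byte[] bArr) throws PkiException {
        signerInfo.updateUnsignedAttrs(newUnsignedAttributes(signerInfo.getUnsignedAttrs(), newSignatureTimeStampAttribute(bArr)));
    }

    /**
     * Adds a signature time-stamp to the SignedData produced by {@link #detachedSignFinal()}.
     *
     * @return the re-encoded SignedData including the time-stamp attribute
     * @throws PkiException if nothing has been signed yet or the time-stamp cannot be obtained
     */
    @Override
    public byte[] attachSignatureTimeStamp() throws PkiException {
        SignedData signed = this.signedData;
        if (signed == null) {
            throw new PkiException("must sign first");
        }
        this.tsaTime = attachSignatureTimeStamp(this.pki, signed);
        return signed.encode(this.info.isContentInfo);
    }

    /**
     * Finishes the streaming operation and returns the encoded detached SignedData.
     *
     * @throws PkiException if hashing, path building or signing fails
     */
    @Override
    public byte[] detachedSignFinal() throws PkiException {
        byte[] digest = this.hasSignedAttr ? this.hasher.doFinal() : null;
        this.signedData = sign(digest);
        return this.signedData.encode(this.info.isContentInfo);
    }

    /**
     * Feeds a slice of the detached content into the hash (signed-attribute mode) or directly
     * into the signature object.
     *
     * @param bArr buffer holding content bytes
     * @param i2 offset of the first byte to use
     * @param i3 number of bytes to use
     * @throws PkiException if the signature object rejects the update
     */
    @Override
    public void detachedSignUpdate(byte[] bArr, int i2, int i3) throws PkiException {
        if (this.hasSignedAttr) {
            this.hasher.update(bArr, i2, i3);
            return;
        }
        try {
            this.signature.update(bArr, i2, i3);
        } catch (SignatureException e) {
            throw new PkiException("sign update fail", e);
        }
    }

    /**
     * Returns the time reported by the time-stamp client, or {@code null} when no time-stamp has
     * been attached yet.
     */
    @Override
    public Date getSignatureTimeStampTime() throws PkiException {
        return this.tsaTime;
    }
}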
