package net.netca.pki.encoding.json.jose;

import java.util.ArrayList;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.Base64Url;
import net.netca.pki.encoding.asn1.pki.Extension;
import net.netca.pki.encoding.asn1.pki.Extensions;
import net.netca.pki.encoding.asn1.pki.NamedBitStringExtension;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.json.JSON;
import net.netca.pki.encoding.json.JSONArray;
import net.netca.pki.encoding.json.JSONBoolean;
import net.netca.pki.encoding.json.JSONString;

/* loaded from: classes3.dex */
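/**
 * Builder-style helper that produces one JWS signature (or MAC) entry.
 *
 * <p>A signer is configured either for certificate-based signing via
 * {@link #setSignCert} or for keyed MAC via {@link #setMacKey}; whichever of the
 * two was called last decides the mode used by {@link #sign}. The {@code alg}
 * header is always written by this class and cannot be supplied by the caller.
 *
 * <p>Security notes for reviewers: the only certificate checks made here are the
 * key-usage test in {@code isSignCert} and the validity-period test in
 * {@link #setSignCert}; no chain building or revocation check is visible in this
 * class. Instances hold mutable state and are not synchronized.
 */
public class JWSSigner {
    // Optional chain handed to Utils.addCertInfo together with the signing certificate.
    private ArrayList<X509Certificate> certsChain;
    private Header protectedHeader = new Header();
    private Header unprotectedHeader = new Header();
    private IJWSSign signImpl = null;
    private IMac macImpl = null;
    // Selects how the certificate is referenced in the header (consumed by Utils.addCertInfo).
    // NOTE(review): meaning of the default value 2 is not visible here; confirm against Utils.
    private int certId = 2;
    private X509Certificate signCert = null;
    private String signAlgoName = null;
    private byte[] macKey = null;
    private boolean bUseMac = false;

    /** Returns {@code true} when {@code algorithm} is one of the supported HMAC algorithm names. */
    private boolean IsMatchMacAlgo(String algorithm) {
        if (algorithm == null) {
            return false;
        }
        return algorithm.equals(JWS.HMAC_SHA256)
                || algorithm.equals(JWS.HMAC_SHA384)
                || algorithm.equals(JWS.HMAC_SHA512)
                || algorithm.equals(JWS.HMAC_SM3);
    }

    /**
     * Rejects header names the caller must not set directly.
     *
     * <p>{@code alg} is derived from the configured signing mode, so letting a caller
     * override it would allow the header to disagree with the primitive actually used.
     *
     * @throws PkiException if {@code name} is {@code null} or is the {@code alg} parameter
     */
    private void checkPublicHeaderParam(String name) throws PkiException {
        if (name == null) {
            throw new PkiException("header name is null");
        }
        if (name.equals(HeaderParameterNames.ALGORITHM)) {
            throw new PkiException("Cannt set PublicHeaderParam alg");
        }
    }

    /**
     * Rejects header names that must not appear in the unprotected header.
     *
     * <p>{@code crit} (RFC 7515, section 4.1.11) and {@code b64} (RFC 7797, section 3) are
     * required to be integrity protected; placed in the unprotected header they could be
     * altered or stripped without invalidating the signature.
     *
     * @throws PkiException if {@code name} is {@code null}, {@code alg}, {@code crit} or {@code b64}
     */
    private void checkUnprotectedHeaderParam(String name) throws PkiException {
        checkPublicHeaderParam(name);
        if (name.equals(HeaderParameterNames.CRITICAL)
                || name.equals(HeaderParameterNames.BASE64URL_ENCODE_PAYLOAD)) {
            throw new PkiException("header param " + name + " must be in protected header");
        }
    }

    /** Creates a new, unconfigured signer. */
    public static JWSSigner getInstance() {
        return new JWSSigner();
    }

    /** Returns {@code true} if {@code array} already holds a JSON string equal to {@code value}. */
    private boolean hasSameStringInJSONArray(JSONArray array, String value) {
        for (int index = 0; index < array.size(); index++) {
            JSON element = array.get(index);
            if ((element instanceof JSONString) && ((JSONString) element).getString().equals(value)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Enforces a minimum MAC key length equal to the hash output size of the algorithm
     * (32, 48 and 64 bytes for the SHA-2 variants, 32 bytes for SM3).
     */
    private boolean isAcceptableMacKeyLength(String algorithm, int keyLength) {
        if (algorithm.equals(JWS.HMAC_SHA256)) {
            return keyLength >= 32;
        }
        if (algorithm.equals(JWS.HMAC_SHA384)) {
            return keyLength >= 48;
        }
        if (algorithm.equals(JWS.HMAC_SHA512)) {
            return keyLength >= 64;
        }
        return algorithm.equals(JWS.HMAC_SM3) && keyLength >= 32;
    }

    /** Returns {@code true} when {@code algorithm} is one of the supported signature algorithm names. */
    private boolean isMatchCertAlgo(String algorithm) {
        if (algorithm == null) {
            return false;
        }
        return algorithm.equals(JWS.RSA_SHA256)
                || algorithm.equals(JWS.RSA_SHA384)
                || algorithm.equals(JWS.RSA_SHA512)
                || algorithm.equals(JWS.ECDSA_SHA256)
                || algorithm.equals(JWS.ECDSA_SHA384)
                || algorithm.equals(JWS.ECDSA_SHA512)
                || algorithm.equals(JWS.RSASSA_PSS_256)
                || algorithm.equals(JWS.RSASSA_PSS_384)
                || algorithm.equals(JWS.RSASSA_PSS_512)
                || algorithm.equals(JWS.SM2_SM3);
    }

    /**
     * Checks whether the certificate's key usage permits signing.
     *
     * <p>A certificate without a KeyUsage extension is accepted. Otherwise bit 0 or bit 1
     * must be set (digitalSignature / nonRepudiation, assuming {@code isSet} follows the
     * RFC 5280 bit numbering). Any parsing failure is treated as "not a signing
     * certificate", so the check fails closed.
     */
    private boolean isSignCert(X509Certificate certificate) {
        try {
            Extensions extensions = certificate.getExtensions();
            if (extensions == null) {
                return true;
            }
            Extension keyUsage = extensions.get(Extension.KEYUSAGE_OID);
            if (keyUsage == null) {
                return true;
            }
            NamedBitStringExtension usageBits = (NamedBitStringExtension) keyUsage.getExtensionObject();
            return usageBits.isSet(0) || usageBits.isSet(1);
        } catch (PkiException unused) {
            // Deliberately fail closed: an unreadable extension must not be treated as permission.
            return false;
        }
    }

    /**
     * When flag bit 2 of the JWS is set, records {@code b64=false} in the protected header
     * and lists {@code b64} in {@code crit} so that verifiers cannot ignore it.
     */
    private void updateCritHeader(int flags) throws PkiException {
        if ((flags & 2) != 0) {
            addProtectedHeader(HeaderParameterNames.BASE64URL_ENCODE_PAYLOAD, JSONBoolean.False);
            addProtectCritHeaderValue(HeaderParameterNames.BASE64URL_ENCODE_PAYLOAD);
        }
    }

    /**
     * Writes the certificate reference (when a certificate is given) and the {@code alg}
     * value into the protected header.
     */
    private void updateProtectedHeader(String algorithm, X509Certificate certificate, IHash hash) throws PkiException {
        if (certificate != null) {
            Utils.addCertInfo(this.protectedHeader, this.certId, certificate, hash, this.certsChain);
        }
        this.protectedHeader.addHeaderValue(HeaderParameterNames.ALGORITHM, algorithm);
    }

    /**
     * Sets the certificate chain passed along with the signing certificate.
     * The list is stored by reference, not copied.
     *
     * @param arrayList chain certificates; may be {@code null}
     * @return this signer
     */
    public JWSSigner addCertChain(ArrayList<X509Certificate> arrayList) {
        this.certsChain = arrayList;
        return this;
    }

    /**
     * Adds a header name to the {@code crit} array of the protected header, creating the
     * array on first use and skipping names that are already listed.
     *
     * @param str header parameter name to mark as critical
     * @return this signer
     * @throws PkiException if an existing {@code crit} value is not a JSON array
     */
    public JWSSigner addProtectCritHeaderValue(String str) throws PkiException {
        JSON existing = this.protectedHeader.getHeaderJsonValue(HeaderParameterNames.CRITICAL);
        if (existing != null && !(existing instanceof JSONArray)) {
            throw new PkiException("crit no  JSONArray Object!");
        }
        boolean created = existing == null;
        JSONArray critical = created ? new JSONArray() : (JSONArray) existing;
        if (!hasSameStringInJSONArray(critical, str)) {
            critical.add(new JSONString(str));
        }
        if (created) {
            // Only a freshly created array needs to be attached; an existing one is updated in place.
            this.protectedHeader.addHeaderValue(HeaderParameterNames.CRITICAL, critical);
        }
        return this;
    }

    /**
     * Adds a string-valued parameter to the protected header.
     *
     * @param str header parameter name; must not be {@code null} or {@code alg}
     * @param str2 header parameter value
     * @return this signer
     * @throws PkiException if the name is not allowed
     */
    public JWSSigner addProtectedHeader(String str, String str2) throws PkiException {
        checkPublicHeaderParam(str);
        this.protectedHeader.addHeaderValue(str, str2);
        return this;
    }

    /**
     * Adds a JSON-valued parameter to the protected header.
     *
     * @param str header parameter name; must not be {@code null} or {@code alg}
     * @param json header parameter value
     * @return this signer
     * @throws PkiException if the name is not allowed
     */
    public JWSSigner addProtectedHeader(String str, JSON json) throws PkiException {
        checkPublicHeaderParam(str);
        this.protectedHeader.addHeaderValue(str, json);
        return this;
    }

    /**
     * Adds a string-valued parameter to the unprotected header. Values placed here are
     * not covered by the signature, so nothing security-relevant belongs in it.
     *
     * @param str header parameter name; must not be {@code null}, {@code alg}, {@code crit} or {@code b64}
     * @param str2 header parameter value
     * @return this signer
     * @throws PkiException if the name is not allowed in the unprotected header
     */
    public JWSSigner addUnProtectedHeader(String str, String str2) throws PkiException {
        checkUnprotectedHeaderParam(str);
        this.unprotectedHeader.addHeaderValue(str, str2);
        return this;
    }

    /**
     * Adds a JSON-valued parameter to the unprotected header. Values placed here are
     * not covered by the signature, so nothing security-relevant belongs in it.
     *
     * @param str header parameter name; must not be {@code null}, {@code alg}, {@code crit} or {@code b64}
     * @param json header parameter value
     * @return this signer
     * @throws PkiException if the name is not allowed in the unprotected header
     */
    public JWSSigner addUnProtectedHeader(String str, JSON json) throws PkiException {
        checkUnprotectedHeaderParam(str);
        this.unprotectedHeader.addHeaderValue(str, json);
        return this;
    }

    /**
     * Returns the base64url encoding of the normalized protected header, i.e. the first
     * segment of the signing input.
     *
     * @throws PkiException if the header cannot be serialized
     */
    public String getProtectHeaderEncode() throws PkiException {
        byte[] serialized = this.protectedHeader.getJSONObject().normalize();
        return Base64Url.encode(false, false, 0, null, serialized, 0, serialized.length);
    }

    /**
     * Sets the MAC implementation used when the signer is in MAC mode.
     *
     * @param iMac MAC implementation
     * @return this signer
     */
    public JWSSigner setMacImplement(IMac iMac) {
        this.macImpl = iMac;
        return this;
    }

    /**
     * Switches the signer to MAC mode with the given key and algorithm.
     *
     * <p>The key array is stored by reference, not copied: the caller must leave it
     * unchanged until {@link #sign} has run and remains able to wipe it afterwards.
     *
     * @param bArr MAC key; must be at least as long as the algorithm's hash output
     * @param str HMAC algorithm name
     * @return this signer
     * @throws PkiException if the algorithm is unsupported, the key is {@code null} or too short
     */
    public JWSSigner setMacKey(byte[] bArr, String str) throws PkiException {
        if (!IsMatchMacAlgo(str)) {
            throw new PkiException("no suppot mac algo " + str);
        }
        if (bArr == null) {
            throw new PkiException("key is null");
        }
        if (!isAcceptableMacKeyLength(str, bArr.length)) {
            throw new PkiException("algo " + str + " no match keylength " + bArr.length);
        }
        this.signAlgoName = str;
        this.macKey = bArr;
        this.bUseMac = true;
        return this;
    }

    /**
     * Switches the signer to certificate mode.
     *
     * <p>The certificate must allow signing and be inside its validity period at the time
     * of this call; validity is not re-checked by {@link #sign}. Any MAC key configured
     * earlier is dropped, so the {@code alg} written to the header always matches the
     * primitive that is actually invoked.
     *
     * @param i2 certificate reference mode stored for the header
     * @param str signature algorithm name
     * @param x509Certificate signing certificate
     * @param iJWSSign signature implementation
     * @return this signer
     * @throws PkiException if the certificate is {@code null}, not usable for signing,
     *     outside its validity period, or the algorithm is unsupported
     */
    public JWSSigner setSignCert(int i2, String str, X509Certificate x509Certificate, IJWSSign iJWSSign) throws PkiException {
        if (x509Certificate == null) {
            throw new PkiException("cert is null");
        }
        if (!isSignCert(x509Certificate)) {
            throw new PkiException("not sign cert");
        }
        if (!x509Certificate.isInValidity()) {
            throw new PkiException("cert is not in validity");
        }
        if (!isMatchCertAlgo(str)) {
            throw new PkiException("unsupport cert algo " + str);
        }
        this.certId = i2;
        this.signCert = x509Certificate;
        this.signImpl = iJWSSign;
        this.signAlgoName = str;
        // Leave MAC mode: otherwise a previous setMacKey() would make sign() compute a MAC
        // with the old key while the header advertises a signature algorithm.
        this.bUseMac = false;
        this.macKey = null;
        return this;
    }

    /**
     * Finalizes the protected header and computes the signature or MAC over the signing input.
     *
     * <p>In MAC mode no certificate information is written to the header, even if a
     * certificate was configured earlier.
     * NOTE(review): this method adds {@code alg} to the protected header on every call;
     * whether a second call on the same instance is safe depends on
     * {@code Header.addHeaderValue}, which is not visible here.
     *
     * @param jws object supplying the flags and the signing input
     * @param iHash hash implementation used when certificate information is added
     * @return the signer info holding both headers and the signature value
     * @throws PkiException if no algorithm or no matching implementation has been configured,
     *     or if header construction or signing fails
     */
    public JWSSignerInfo sign(JWS jws, IHash iHash) throws PkiException {
        final String algorithm = this.signAlgoName;
        if (algorithm == null) {
            throw new PkiException("no set algo param !");
        }
        final boolean useMac = this.bUseMac;
        final X509Certificate certificate;
        final int certificateId;
        if (useMac) {
            if (this.macImpl == null) {
                throw new PkiException("no set mac Implement !");
            }
            certificate = null;
            certificateId = 0;
        } else {
            if (this.signImpl == null) {
                throw new PkiException("no set Sign Implement !");
            }
            certificate = this.signCert;
            certificateId = this.certId;
        }
        // Use the mode-specific certificate so a MAC-protected object never carries a
        // certificate reference left over from an earlier setSignCert() call.
        updateProtectedHeader(algorithm, certificate, iHash);
        updateCritHeader(jws.getFlag());
        byte[] signingInput = jws.getSigningInput(getProtectHeaderEncode());
        return new JWSSignerInfo(
                this.protectedHeader,
                this.unprotectedHeader,
                certificateId,
                useMac
                        ? this.macImpl.mac(algorithm, signingInput, this.macKey)
                        : this.signImpl.sign(algorithm, signingInput, 0, signingInput.length),
                certificate);
    }
}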
