package net.n2oapp.security.admin.auth.server.esia;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.Resource;
import org.springframework.stereotype.Component;

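/**
 * Produces the URL-safe Base64 PKCS#7 (CMS SignedData) signature that the ESIA
 * authorization flow expects in its request parameters.
 *
 * <p>Key material comes from one of two sources, chosen at first use:
 * <ul>
 *   <li>a PKCS#12 keystore ({@code access.esia.path-to-keystore}) together with
 *       {@code access.esia.key-alias} and {@code access.esia.key-store-password}, or</li>
 *   <li>a PEM certificate ({@code access.esia.certificate}) plus a PKCS#8 PEM private key
 *       ({@code access.esia.signing-key}), which are loaded into an in-memory PKCS#12 store.</li>
 * </ul>
 * The signer is built once and cached; signing is serialised because the cached
 * BouncyCastle {@link ContentSigner} wraps a single {@code Signature} instance and is
 * not safe for concurrent use. This bean is a Spring singleton and may be called from
 * many request threads.
 */
@Component
public final class Pkcs7Util {

    @Value("${access.esia.path-to-keystore:#{null}}")
    private Resource pathToKeystore;

    @Value("${access.esia.key-alias:#{null}}")
    private String keyAlias;

    @Value("${access.esia.key-store-password:#{null}}")
    private String keyStorePassword;

    @Value("${access.esia.signing-key:#{null}}")
    private String signingKey;

    @Value("${access.esia.certificate:#{null}}")
    private String certificate;
    private static final String SIGNATURE_ALG = "SHA256withRSA";
    private static final String DEFAULT_KEY_ALIAS = "default_key_alias";
    private static final String PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_CERT_END = "-----END CERTIFICATE-----";
    private static final String PEM_KEY_BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String PEM_KEY_END = "-----END PRIVATE KEY-----";
    /** Lazily initialised signer; guarded by {@link #signPkcs7(byte[])}. */
    private CMSSignedDataGenerator generator;

    /**
     * Signs {@code str} (encoded as UTF-8) and returns the attached CMS SignedData
     * structure as URL-safe Base64 (RFC 4648 §5, padding retained).
     *
     * @param str the data to sign
     * @return URL-safe Base64 of the DER-encoded PKCS#7 signature
     * @throws IllegalStateException if key material is misconfigured or signing fails;
     *         the underlying cause is preserved
     */
    public String getUrlSafeSign(String str) {
        try {
            byte[] pkcs7 = signPkcs7(str.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().encodeToString(pkcs7);
        } catch (Exception e) {
            throw new IllegalStateException("Unable to produce PKCS#7 signature for ESIA request", e);
        }
    }

    /**
     * Loads the PKCS#12 keystore holding the signing key: from the configured file
     * when {@code access.esia.path-to-keystore} is set, otherwise an in-memory store
     * built from the PEM certificate and private key.
     *
     * @throws IllegalStateException if the properties needed for the chosen source are missing
     */
    private KeyStore loadKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, InvalidKeySpecException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        if (Objects.nonNull(this.pathToKeystore)) {
            // Fail with a clear message instead of an NPE deep inside KeyStore.
            if (this.keyStorePassword == null) {
                throw new IllegalStateException("access.esia.key-store-password is required when access.esia.path-to-keystore is set");
            }
            if (this.keyAlias == null) {
                throw new IllegalStateException("access.esia.key-alias is required when access.esia.path-to-keystore is set");
            }
            // The resource stream was previously never closed.
            try (InputStream in = this.pathToKeystore.getInputStream()) {
                keyStore.load(in, this.keyStorePassword.toCharArray());
            }
        } else {
            if (this.certificate == null || this.signingKey == null) {
                throw new IllegalStateException("Either access.esia.path-to-keystore or both access.esia.certificate and access.esia.signing-key must be configured");
            }
            formatCertificate();
            Certificate signerCert = CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(this.certificate.getBytes(StandardCharsets.UTF_8)));
            keyStore.load(null, null);
            this.keyAlias = DEFAULT_KEY_ALIAS;
            // This store only ever lives in memory and is never written out, so the
            // entry password merely satisfies the KeyStore API; it is not a secret.
            this.keyStorePassword = this.keyAlias;
            // A key entry carries its own certificate chain; a separate trusted-cert
            // entry under the same alias would just be overwritten by setKeyEntry.
            keyStore.setKeyEntry(this.keyAlias, privateKeyFromPem(), this.keyStorePassword.toCharArray(), new Certificate[]{signerCert});
        }
        return keyStore;
    }

    /**
     * Registers BouncyCastle (once) and builds a SHA256withRSA CMS signer for the
     * configured alias, embedding the entry's certificate chain in the output.
     *
     * @throws IllegalStateException if the alias has no private key or certificate,
     *         or the private key does not belong to the certificate
     */
    private CMSSignedDataGenerator setUpProvider(KeyStore keyStore) throws Exception {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        Key key = keyStore.getKey(this.keyAlias, this.keyStorePassword.toCharArray());
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("No private key found under alias '" + this.keyAlias + "'");
        }
        Certificate[] chain = keyStore.getCertificateChain(this.keyAlias);
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new IllegalStateException("No X.509 certificate chain found under alias '" + this.keyAlias + "'");
        }
        X509Certificate signerCert = (X509Certificate) chain[0];
        // A key/certificate mismatch would otherwise surface only as ESIA rejecting every request.
        verifyKeyMatchesCertificate((PrivateKey) key, signerCert);

        ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALG)
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .build((PrivateKey) key);
        CMSSignedDataGenerator cmsGenerator = new CMSSignedDataGenerator();
        cmsGenerator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build())
                .build(signer, signerCert));
        List<Certificate> chainList = List.of(chain);
        cmsGenerator.addCertificates(new JcaCertStore(chainList));
        return cmsGenerator;
    }

    /**
     * Ensures the private key corresponds to the certificate's public key. Only RSA
     * keys are compared (by modulus); {@link #SIGNATURE_ALG} is RSA-only anyway, so
     * other key types would fail later when the signer is built.
     */
    private static void verifyKeyMatchesCertificate(PrivateKey privateKey, X509Certificate cert) {
        PublicKey publicKey = cert.getPublicKey();
        if (privateKey instanceof RSAPrivateKey && publicKey instanceof RSAPublicKey) {
            boolean sameModulus = ((RSAPrivateKey) privateKey).getModulus()
                    .equals(((RSAPublicKey) publicKey).getModulus());
            if (!sameModulus) {
                throw new IllegalStateException("Configured private key does not match the public key in the signing certificate");
            }
        }
    }

    /**
     * Signs {@code data}, initialising the signer on first use. Returns the
     * DER-encoded SignedData with the content encapsulated (attached signature).
     *
     * <p>Synchronised: the cached generator holds a single {@code Signature} object, so
     * concurrent {@code generate} calls would interleave updates and corrupt signatures;
     * the lock also makes the lazy initialisation happen exactly once.
     */
    private synchronized byte[] signPkcs7(byte[] data) throws Exception {
        if (this.generator == null) {
            this.generator = setUpProvider(loadKeyStore());
        }
        return this.generator.generate(new CMSProcessableByteArray(data), true).getEncoded();
    }

    /**
     * Parses {@code access.esia.signing-key} as a PKCS#8 ("BEGIN PRIVATE KEY") RSA key.
     * All whitespace (including CR/LF and spaces from property files) is tolerated.
     *
     * @throws InvalidKeySpecException if the value is not a PKCS#8 PEM block, e.g. a
     *         PKCS#1 "BEGIN RSA PRIVATE KEY" key, or the Base64 body is invalid
     */
    private PrivateKey privateKeyFromPem() throws NoSuchAlgorithmException, InvalidKeySpecException {
        String body = stripPemArmor(this.signingKey, PEM_KEY_BEGIN, PEM_KEY_END);
        // '-' is not in the Base64 alphabet: a leftover dash means an unexpected PEM header.
        if (body.indexOf('-') >= 0) {
            throw new InvalidKeySpecException("access.esia.signing-key must be a PKCS#8 PEM block delimited by '" + PEM_KEY_BEGIN + "'");
        }
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new InvalidKeySpecException("access.esia.signing-key is not valid Base64", e);
        }
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der, "RSA"));
    }

    /**
     * Normalises {@code access.esia.certificate} into a canonical PEM block so that
     * a flattened single-line value (header glued to the body) still parses.
     */
    private void formatCertificate() {
        String body = stripPemArmor(this.certificate, PEM_CERT_BEGIN, PEM_CERT_END);
        this.certificate = PEM_CERT_BEGIN + "\n" + body + "\n" + PEM_CERT_END;
    }

    /** Removes the given PEM delimiters and every whitespace character, leaving the Base64 body. */
    private static String stripPemArmor(String pem, String begin, String end) {
        return pem.replace(begin, "").replace(end, "").replaceAll("\\s+", "");
    }
}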
