package ca.uhn.hl7v2.hoh.sign;

import ca.uhn.hl7v2.hoh.util.StringUtils;
import ca.uhn.hl7v2.hoh.util.repackage.Base64;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Objects;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignerDigestMismatchException;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ca/uhn/hl7v2/hoh/sign/BouncyCastleCmsMessageSigner.class */
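/**
 * {@link ISigner} implementation that produces and checks detached CMS (PKCS#7)
 * signatures with BouncyCastle.
 *
 * <p>The string produced by {@link #sign(byte[])} has the form
 * {@code "<algorithm> <base64 DER-encoded CMS SignedData>"}, e.g.
 * {@code "SHA512withRSA MIIB..."}. The signed content is not embedded in the
 * structure, so {@link #verify(byte[], String)} must be given the original bytes
 * again.
 *
 * <p>Verification checks the signer infos against the public key of the certificate
 * stored under the configured alias. Certificates carried inside the CMS structure
 * are not used to establish trust. A message is accepted when at least one signer
 * info validates with that key; a digest mismatch is reported as a
 * {@link SignatureVerificationException}, any other decoding or crypto failure as a
 * {@link SignatureFailureException}.
 *
 * <p>Instances cache the keys they look up and are not synchronized: configure an
 * instance completely before sharing it between threads.
 */
public class BouncyCastleCmsMessageSigner implements ISigner {
    static final String MSG_KEY_IS_NOT_A_PRIVATE_KEY = "Key is not a private key: ";
    static final String MSG_KEY_IS_NOT_A_PUBLIC_KEY = "Key is not a public key: ";
    static final String MSG_KEYSTORE_DOES_NOT_CONTAIN_KEY_WITH_ALIAS = "Keystore does not contain key with alias: ";
    private static final Logger ourLog = LoggerFactory.getLogger(BouncyCastleCmsMessageSigner.class);
    // JCA signature algorithm used for signing; also emitted as the prefix of the signature string.
    private String myAlgorithm = "SHA512withRSA";
    private String myAliasPassword;
    private String myKeyAlias;
    private KeyStore myKeyStore;
    // Lazily resolved from the keystore; reset whenever the keystore or the alias changes.
    private PrivateKey myPrivateKey;
    private PublicKey myPublicKey;

    /**
     * Registers the BouncyCastle JCA provider if it is not installed yet. The provider is
     * requested by name when the digest calculator and content signer are built, so it has
     * to be present before {@link #sign(byte[])} does any work.
     */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Resolves (and caches) the private key stored under the configured alias.
     *
     * @return the private key, never {@code null}
     * @throws SignatureFailureException if the keystore, alias or password is not configured,
     *         the alias is missing, or the entry under the alias is not a private key
     * @throws GeneralSecurityException if the keystore cannot be queried
     */
    private PrivateKey getPrivateKey() throws GeneralSecurityException, SignatureFailureException {
        if (this.myKeyStore == null) {
            throw new SignatureFailureException("Keystore is not set");
        }
        if (StringUtils.isBlank(this.myKeyAlias)) {
            throw new SignatureFailureException("Key alias is not set");
        }
        if (StringUtils.isBlank(this.myAliasPassword)) {
            throw new SignatureFailureException("Key alias password is not set");
        }
        if (this.myPrivateKey == null) {
            Key key = this.myKeyStore.getKey(this.myKeyAlias, this.myAliasPassword.toCharArray());
            if (key == null) {
                if (!this.myKeyStore.containsAlias(this.myKeyAlias)) {
                    throw new SignatureFailureException(MSG_KEYSTORE_DOES_NOT_CONTAIN_KEY_WITH_ALIAS + this.myKeyAlias);
                }
                // The alias exists but holds no key, e.g. a trusted-certificate entry.
                throw new SignatureFailureException(MSG_KEY_IS_NOT_A_PRIVATE_KEY + this.myKeyAlias);
            }
            if (!(key instanceof PrivateKey)) {
                // e.g. a secret-key entry; report it instead of failing on a blind cast
                throw new SignatureFailureException(MSG_KEY_IS_NOT_A_PRIVATE_KEY + this.myKeyAlias);
            }
            this.myPrivateKey = (PrivateKey) key;
        }
        return this.myPrivateKey;
    }

    /**
     * Resolves (and caches) the public key of the certificate stored under the configured alias.
     *
     * @return the public key, never {@code null}
     * @throws SignatureFailureException if the keystore or alias is not configured, the alias
     *         is missing, the entry carries no certificate, or the keystore cannot be queried
     */
    private PublicKey getPublicKey() throws SignatureFailureException {
        if (this.myKeyStore == null) {
            throw new SignatureFailureException("Keystore is not set");
        }
        if (StringUtils.isBlank(this.myKeyAlias)) {
            throw new SignatureFailureException("Key alias is not set");
        }
        if (this.myPublicKey == null) {
            try {
                Certificate certificate = this.myKeyStore.getCertificate(this.myKeyAlias);
                if (certificate == null) {
                    if (!this.myKeyStore.containsAlias(this.myKeyAlias)) {
                        throw new SignatureFailureException(MSG_KEYSTORE_DOES_NOT_CONTAIN_KEY_WITH_ALIAS + this.myKeyAlias);
                    }
                    // The alias exists but has no certificate (e.g. a secret-key entry).
                    throw new SignatureFailureException(MSG_KEY_IS_NOT_A_PUBLIC_KEY + this.myKeyAlias);
                }
                this.myPublicKey = certificate.getPublicKey();
            } catch (KeyStoreException e) {
                throw new SignatureFailureException("Failed to retrieve key with alias " + this.myKeyAlias + " from keystore", e);
            }
        }
        return this.myPublicKey;
    }

    /**
     * Loads the X.509 certificate stored under the configured alias. It identifies the
     * signer in the CMS structure and is embedded in it. Callers must have validated the
     * keystore/alias configuration first (see {@link #getPrivateKey()}).
     *
     * @throws SignatureFailureException if the alias has no X.509 certificate
     * @throws KeyStoreException if the keystore cannot be queried
     */
    private X509Certificate getSignerCertificate() throws KeyStoreException, SignatureFailureException {
        Certificate certificate = this.myKeyStore.getCertificate(this.myKeyAlias);
        if (!(certificate instanceof X509Certificate)) {
            throw new SignatureFailureException("Keystore does not contain an X.509 certificate for alias: " + this.myKeyAlias);
        }
        return (X509Certificate) certificate;
    }

    /**
     * Sets the password protecting the private key entry.
     *
     * @param str the key password; required for {@link #sign(byte[])}, not for verification
     */
    public void setAliasPassword(String str) {
        this.myAliasPassword = str;
    }

    /**
     * Sets the keystore alias of the signing key / verification certificate.
     *
     * @param str the alias; any previously resolved keys are discarded
     */
    public void setKeyAlias(String str) {
        this.myKeyAlias = str;
        // Cached keys belong to the previous alias.
        this.myPrivateKey = null;
        this.myPublicKey = null;
    }

    /**
     * Sets the keystore holding the signing key and/or the verification certificate.
     *
     * @param keyStore the keystore; any previously resolved keys are discarded
     * @throws NullPointerException if {@code keyStore} is {@code null}
     */
    public void setKeyStore(KeyStore keyStore) {
        this.myKeyStore = Objects.requireNonNull(keyStore, "Keystore can not be null");
        // Cached keys belong to the previous keystore.
        this.myPrivateKey = null;
        this.myPublicKey = null;
    }

    /**
     * Signs {@code bArr} with the configured private key.
     *
     * @param bArr the message bytes to sign
     * @return {@code "<algorithm> <base64 CMS SignedData>"}; the SignedData is detached
     *         (it does not embed the content) and carries the signer certificate
     * @throws SignatureFailureException if the signer is not configured, the alias cannot
     *         be resolved to a private key and X.509 certificate, or signing fails
     */
    @Override // ca.uhn.hl7v2.hoh.sign.ISigner
    public String sign(byte[] bArr) throws SignatureFailureException {
        try {
            ensureBouncyCastleProvider();
            // Resolve the key first so configuration errors surface with a clear message.
            PrivateKey privateKey = getPrivateKey();
            X509Certificate signerCertificate = getSignerCertificate();

            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                    new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build())
                    .build(new JcaContentSignerBuilder(this.myAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(privateKey),
                            signerCertificate));
            generator.addCertificates(new JcaCertStore(Collections.singletonList(signerCertificate)));

            // encapsulate=false: detached signature, the content itself is not embedded
            CMSSignedData signedData = generator.generate(new CMSProcessableByteArray(bArr), false);
            return this.myAlgorithm + ' ' + Base64.encodeBase64String(signedData.getEncoded());
        } catch (SignatureFailureException e) {
            throw e;
        } catch (Exception e) {
            throw new SignatureFailureException(e);
        }
    }

    /**
     * Verifies that {@code str} is a valid detached CMS signature over {@code bArr} made
     * with the key whose certificate is stored under the configured alias.
     *
     * @param bArr the original message bytes
     * @param str  the signature string produced by {@link #sign(byte[])}
     * @throws SignatureVerificationException if the string has no algorithm prefix, the
     *         content digest does not match, or no signer info validates with the key
     * @throws SignatureFailureException if the verifier is not configured or the signature
     *         cannot be decoded / processed
     */
    @Override // ca.uhn.hl7v2.hoh.sign.ISigner
    public void verify(byte[] bArr, String str) throws SignatureVerificationException, SignatureFailureException {
        PublicKey publicKey = getPublicKey();
        try {
            int separator = str.indexOf(' ');
            if (separator == -1) {
                throw new SignatureVerificationException("No algorithm found in signature block: " + str);
            }
            // NOTE(review): the algorithm prefix only serves as a delimiter here. The digest and
            // signature algorithms actually checked are those declared inside the CMS structure;
            // nothing compares them with myAlgorithm, so callers that need to pin a minimum
            // algorithm strength must check the prefix themselves.
            byte[] signedDataBytes = Base64.decodeBase64(str.substring(separator + 1));
            CMSSignedData signedData = new CMSSignedData(new CMSProcessableByteArray(bArr), signedDataBytes);

            ourLog.debug("Verifying message against public key with alias[{}]", this.myKeyAlias);
            // Verify against the configured key only; certificates inside the CMS blob are not trusted.
            SignerInformationVerifier verifier = new JcaSimpleSignerInfoVerifierBuilder().build(publicKey);

            boolean anySignerValid = false;
            for (SignerInformation signer : signedData.getSignerInfos().getSigners()) {
                try {
                    ourLog.debug("Signer: {}", signer.getSID());
                    if (signer.verify(verifier)) {
                        anySignerValid = true;
                    }
                } catch (CMSSignerDigestMismatchException e) {
                    // The content digest differs from the signed one: the payload was altered.
                    throw new SignatureVerificationException((Exception) e);
                }
            }
            if (!anySignerValid) {
                throw new SignatureVerificationException();
            }
        } catch (SignatureVerificationException e) {
            throw e;
        } catch (Exception e) {
            throw new SignatureFailureException(e);
        }
    }
}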
