package com.vmware.vapi.internal.cis.authn.json;

import com.vmware.vapi.Message;
import com.vmware.vapi.MessageFactory;
import com.vmware.vapi.dsig.json.SignatureException;
import com.vmware.vapi.dsig.json.StsTrustChain;
import com.vmware.vapi.internal.cis.authn.Signer;
import com.vmware.vapi.internal.dsig.json.Canonicalizer;
import com.vmware.vapi.internal.dsig.json.Verifier;
import com.vmware.vapi.internal.protocol.common.json.JsonSecurityContextSerializer;
import com.vmware.vapi.internal.util.Validate;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;

/* loaded from: input_file:com/vmware/vapi/internal/cis/authn/json/JsonSignerImpl.class */
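/**
 * Signs JSON request strings and verifies signatures on them.
 *
 * <p>Both directions run the input through the injected {@link Canonicalizer} and operate on the
 * UTF-8 bytes of the canonical form; the signature value travels Base64-encoded.
 *
 * <p>An instance built without an {@link StsTrustChain} can only sign;
 * {@link #verifySignature} rejects the call with {@link IllegalStateException}.
 */
public final class JsonSignerImpl implements Signer, Verifier {
    private static final String UTF_8 = "UTF-8";
    private static final Message SIGN_ERROR = MessageFactory.getMessage("vapi.signature.sign", new String[0]);
    private static final Message VERIFY_ERROR = MessageFactory.getMessage("vapi.signature.verify", new String[0]);
    private final Canonicalizer jsonCanonicalizer;
    private final StsTrustChain stsTrustChain;
    // Used only to remove the signature element from a message before it is verified.
    private final JsonSecurityContextSerializer deserializer = new JsonSecurityContextSerializer();

    /**
     * Creates a sign-only instance (no STS trust chain).
     *
     * @param canonicalizer JSON canonicalizer; must not be null
     */
    public JsonSignerImpl(Canonicalizer canonicalizer) {
        this(canonicalizer, null);
    }

    /**
     * Creates an instance that can sign and, when a trust chain is supplied, verify.
     *
     * @param canonicalizer JSON canonicalizer; must not be null
     * @param stsTrustChain source of the STS trust chain; may be null, in which case
     *     {@link #verifySignature} is unavailable
     */
    public JsonSignerImpl(Canonicalizer canonicalizer, StsTrustChain stsTrustChain) {
        Validate.notNull(canonicalizer);
        this.jsonCanonicalizer = canonicalizer;
        this.stsTrustChain = stsTrustChain;
    }

    /**
     * Signs the canonical form of {@code str} and returns the Base64-encoded signature value.
     *
     * @param str JSON text to sign; must not be null
     * @param privateKey signing key; must not be null
     * @param jsonSignatureAlgorithm algorithm to sign with; must not be null
     * @return Base64 encoding of the raw signature bytes
     * @throws SignatureException if the key is rejected, the algorithm is not available from the
     *     installed providers, or signing fails
     */
    @Override
    public String sign(String str, PrivateKey privateKey, JsonSignatureAlgorithm jsonSignatureAlgorithm) {
        Validate.notNull(str);
        Validate.notNull(privateKey);
        // Checked up front like the other arguments instead of surfacing later as a bare
        // NullPointerException from inside signInternal.
        Validate.notNull(jsonSignatureAlgorithm);
        try {
            return signInternal(this.jsonCanonicalizer.asCanonicalString(str), privateKey, jsonSignatureAlgorithm);
        } catch (InvalidKeyException e) {
            throw new SignatureException(SIGN_ERROR, e);
        } catch (NoSuchAlgorithmException e) {
            throw new SignatureException(SIGN_ERROR, e);
        } catch (java.security.SignatureException e) {
            throw new SignatureException(SIGN_ERROR, e);
        }
    }

    /**
     * Verifies the signature described by {@code map} over {@code str}.
     *
     * <p>The signature element is removed from {@code str}, the remainder is canonicalized, and
     * the result is checked against the signature value using the confirmation certificate of
     * the SAML token found in the parsed signature structure.
     *
     * <p>Security notes for callers and maintainers:
     * <ul>
     *   <li>A signature that does not match is reported as {@code false}, not as an exception;
     *       the return value must be checked.</li>
     *   <li>The verification key and the algorithm name both come from the signature structure,
     *       i.e. from the message being verified. Trust in that certificate therefore rests on
     *       {@code JsonSignatureStruct.parseJsonSignatureStruct}, which receives the STS trust
     *       chain; that validation is not visible in this class - confirm it there.</li>
     * </ul>
     *
     * @param str the signed JSON text; must not be null
     * @param map the signature structure as parsed JSON; must not be null
     * @param j non-negative value handed to {@code parseJsonSignatureStruct}; presumably a
     *     clock tolerance for token validity - confirm against that method
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws IllegalStateException if this instance was created without an STS trust chain
     * @throws SignatureException if the algorithm is unknown or unavailable, the key is
     *     rejected, or the signature value cannot be processed
     */
    @Override
    public boolean verifySignature(String str, Map<String, Object> map, long j) {
        Validate.notNull(str);
        Validate.notNull(map);
        Validate.isTrue(j > -1);
        if (this.stsTrustChain == null) {
            throw new IllegalStateException("STS trust chain retriever not set");
        }
        String unsignedJson = stripSignature(str);
        try {
            JsonSignatureStruct signatureStruct =
                    JsonSignatureStruct.parseJsonSignatureStruct(map, this.stsTrustChain.getStsTrustChain(), j);
            return verify(
                    signatureStruct.getSamlToken().getConfirmationCertificate(),
                    this.jsonCanonicalizer.asCanonicalString(unsignedJson),
                    signatureStruct.getSigValue(),
                    signatureStruct.getAlg());
        } catch (InvalidKeyException e) {
            throw new SignatureException(VERIFY_ERROR, e);
        } catch (NoSuchAlgorithmException e) {
            throw new SignatureException(VERIFY_ERROR, e);
        } catch (java.security.SignatureException e) {
            throw new SignatureException(VERIFY_ERROR, e);
        }
    }

    /** Signs the UTF-8 bytes of an already canonicalized string and Base64-encodes the result. */
    private String signInternal(String canonicalJson, PrivateKey privateKey, JsonSignatureAlgorithm algorithm)
            throws NoSuchAlgorithmException, InvalidKeyException, java.security.SignatureException {
        assert canonicalJson != null;
        assert privateKey != null;
        Signature signature = Signature.getInstance(algorithm.getJavaName());
        signature.initSign(privateKey);
        try {
            signature.update(canonicalJson.getBytes(UTF_8));
            return Base64.encodeBase64String(signature.sign());
        } catch (UnsupportedEncodingException e) {
            throw new SignatureException(SIGN_ERROR, e);
        }
    }

    /**
     * Checks {@code signatureValue} (Base64) against the UTF-8 bytes of {@code canonicalJson}
     * with the public key of {@code certificate}.
     *
     * @return the result of {@link Signature#verify(byte[])}
     */
    private boolean verify(
            X509Certificate certificate, String canonicalJson, String signatureValue, String algorithmName)
            throws NoSuchAlgorithmException, InvalidKeyException, java.security.SignatureException {
        assert certificate != null;
        assert canonicalJson != null;
        assert signatureValue != null;
        // Resolved separately so that only a bad algorithm name is reported as "unknown algorithm".
        JsonSignatureAlgorithm algorithm = resolveAlgorithm(algorithmName);
        try {
            Signature signature = Signature.getInstance(algorithm.getJavaName());
            signature.initVerify(certificate);
            signature.update(canonicalJson.getBytes(UTF_8));
            // NOTE(review): commons-codec decodeBase64 is lenient by default and skips characters
            // outside the Base64 alphabet, so several encodings can map to the same signature
            // bytes. Do not treat the encoded string as a unique identifier of the signature.
            return signature.verify(Base64.decodeBase64(signatureValue));
        } catch (UnsupportedEncodingException e) {
            throw new SignatureException(VERIFY_ERROR, e);
        } catch (IllegalArgumentException e) {
            // Still surfaces as SignatureException, but as a generic verification failure with
            // the cause attached rather than being mislabelled as an unknown algorithm.
            throw new SignatureException(VERIFY_ERROR, e);
        }
    }

    /**
     * Maps the algorithm name taken from the signature structure to a known
     * {@code JsonSignatureAlgorithm}. The name is message-controlled, so anything that is not a
     * declared constant, including a missing name, is rejected with a {@link SignatureException}.
     */
    private static JsonSignatureAlgorithm resolveAlgorithm(String algorithmName) {
        if (algorithmName == null) {
            throw new SignatureException(MessageFactory.getMessage("vapi.signature.unknowndsigalg", "null"));
        }
        try {
            return JsonSignatureAlgorithm.valueOf(algorithmName);
        } catch (IllegalArgumentException e) {
            throw new SignatureException(MessageFactory.getMessage("vapi.signature.unknowndsigalg", algorithmName), e);
        }
    }

    /** Returns {@code json} with its signature element removed, as done by the serializer. */
    private String stripSignature(String json) {
        assert json != null;
        return this.deserializer.removeSignature(json);
    }
}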
