package org.forgerock.openam.authentication.modules.oauth2.service.esia;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.iplanet.am.util.SystemProperties;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/oauth2/service/esia/Signer.class */
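/**
 * Produces detached CMS (PKCS#7) signatures over strings using a GOST R 34.10-2012 key, as used
 * when signing requests to the ESIA identity provider.
 *
 * <p>Key and certificate files are parsed once and held in bounded, time-limited caches keyed by
 * file path, so a rotated file on disk is picked up after the expiry window without a restart.
 * The parsed private key therefore lives in heap memory for up to that window; the cache is
 * private and its contents are never logged.
 *
 * <p>Instances are immutable once constructed. The Bouncy Castle provider is registered once in
 * the static initializer; signing relies on that provider offering the GOST algorithms.
 */
public class Signer {
    static final Logger logger = LoggerFactory.getLogger(Signer.class);

    /** Parsed certificates keyed by file path (see class comment for the cache policy). */
    private static final Cache<String, X509CertificateHolder> certificateHolderCache;
    /** Parsed private keys keyed by file path (see class comment for the cache policy). */
    private static final Cache<String, PrivateKey> privateKeyCache;

    /** CMS signature algorithm; requires a provider with GOST R 34.10-2012 (256-bit) support. */
    static final String SIGNATURE_ALGORITHM = "GOST3411WITHGOST3410-2012-256";

    /** JCA provider name the digest and content signers are pinned to. */
    private static final String PROVIDER_NAME = "BC";

    /** Fallback paths used when the system properties below are not set. */
    private static final String DEFAULT_KEY_PATH = "/etc/nginx/ssl/example.key";
    private static final String DEFAULT_CERT_PATH = "/etc/nginx/ssl/example.crt";

    /** System property names carrying the key and certificate file paths. */
    private static final String KEY_PATH_PROPERTY = Signer.class.getName().concat(".keyPath");
    private static final String CERT_PATH_PROPERTY = Signer.class.getName().concat(".certPath");

    /** Signing certificate; may be null if the constructor failed to load it (see {@link #signString}). */
    X509CertificateHolder certHolder;
    /** Signing key; may be null if the constructor failed to load it (see {@link #signString}). */
    PrivateKey privateKey;

    /**
     * Creates a signer from an already-loaded key and certificate.
     *
     * @param privateKey key used to produce the signature
     * @param x509CertificateHolder certificate embedded in the signed data and identifying the signer
     */
    public Signer(PrivateKey privateKey, X509CertificateHolder x509CertificateHolder) {
        this.certHolder = x509CertificateHolder;
        this.privateKey = privateKey;
    }

    /**
     * Creates a signer whose key and certificate paths are read from the system properties
     * {@code <this class name>.keyPath} and {@code <this class name>.certPath}, falling back to
     * the built-in defaults.
     */
    public Signer() {
        this(SystemProperties.get(KEY_PATH_PROPERTY, DEFAULT_KEY_PATH),
                SystemProperties.get(CERT_PATH_PROPERTY, DEFAULT_CERT_PATH));
    }

    /**
     * Creates a signer from PEM files on disk, going through the shared caches.
     *
     * <p>A load failure is logged and leaves the corresponding field {@code null}; the instance is
     * still created so that callers see the failure at signing time rather than as an exception
     * here. {@link #signString} reports the missing material explicitly and returns {@code null}.
     *
     * @param keyPath path to a PEM file holding either a PKCS#8 private key or a key pair
     * @param certPath path to a PEM file holding an X.509 certificate
     */
    public Signer(String keyPath, String certPath) {
        PrivateKey key = null;
        X509CertificateHolder cert = null;
        try {
            key = privateKeyCache.get(keyPath, () -> readPrivateKey(keyPath));
            cert = certificateHolderCache.get(certPath, () -> readCertificate(certPath));
        } catch (ExecutionException e) {
            // Paths are configuration, not secrets; the full cause chain is kept for diagnosis.
            logger.error("error getting certificate or key (key={}, cert={})", keyPath, certPath, e);
        }
        this.privateKey = key;
        this.certHolder = cert;
    }

    /**
     * Signs {@code str} and returns the detached CMS signature, URL-safe Base64 encoded without
     * padding.
     *
     * @param str text to sign; its UTF-8 encoding is the signed content
     * @return the encoded signature, or {@code null} if the key or certificate is missing or the
     *     signing operation failed (the error is logged)
     * @throws NullPointerException if {@code str} is null
     */
    public String signString(String str) {
        // Encode explicitly: the platform default charset would make signatures host-dependent.
        byte[] payload = str.getBytes(StandardCharsets.UTF_8);
        if (this.privateKey == null || this.certHolder == null) {
            logger.error("cannot sign string: private key or certificate was not loaded");
            return null;
        }
        try {
            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addSignerInfoGenerator(
                    new JcaSignerInfoGeneratorBuilder(
                            new JcaDigestCalculatorProviderBuilder().setProvider(PROVIDER_NAME).build())
                            .build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM)
                                            .setProvider(PROVIDER_NAME)
                                            .build(this.privateKey),
                                    this.certHolder));
            generator.addCertificates(new JcaCertStore(Collections.singletonList(this.certHolder)));
            // false = detached signature: the payload itself is not embedded in the CMS structure.
            CMSSignedData signed = generator.generate(new CMSProcessableByteArray(payload), false);
            return Base64.encodeBase64URLSafeString(signed.getEncoded());
        } catch (Exception e) {
            // Single placeholder so SLF4J treats the trailing exception as a throwable (stack trace kept).
            logger.error("error signing string {}", str, e);
            return null;
        }
    }

    /**
     * Reads the first PEM object from {@code path}.
     *
     * @throws IOException if the file cannot be read or contains no PEM object
     */
    private static Object readPemObject(String path) throws IOException {
        try (Reader in = Files.newBufferedReader(Paths.get(path), StandardCharsets.UTF_8);
                PEMParser parser = new PEMParser(in)) {
            Object pem = parser.readObject();
            if (pem == null) {
                throw new IOException("no PEM object found in " + path);
            }
            return pem;
        }
    }

    /**
     * Loads a private key from a PEM file holding either a key pair or a PKCS#8 PrivateKeyInfo.
     *
     * @throws IOException if the file is unreadable or holds an unsupported object (for example an
     *     encrypted PKCS#8 key, which this class does not handle)
     */
    private static PrivateKey readPrivateKey(String path) throws IOException {
        Object pem = readPemObject(path);
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
        if (pem instanceof PEMKeyPair) {
            return converter.getKeyPair((PEMKeyPair) pem).getPrivate();
        }
        if (pem instanceof PrivateKeyInfo) {
            return converter.getPrivateKey((PrivateKeyInfo) pem);
        }
        throw new IOException("unsupported PEM object " + pem.getClass().getName() + " in key file " + path);
    }

    /**
     * Loads an X.509 certificate from a PEM file.
     *
     * @throws IOException if the file is unreadable or does not hold a certificate
     */
    private static X509CertificateHolder readCertificate(String path) throws IOException {
        Object pem = readPemObject(path);
        if (pem instanceof X509CertificateHolder) {
            return (X509CertificateHolder) pem;
        }
        throw new IOException("unsupported PEM object " + pem.getClass().getName() + " in certificate file " + path);
    }

    static {
        // Register BC once per JVM; addProvider is a no-op when the provider is already installed.
        Security.addProvider(new BouncyCastleProvider());
        certificateHolderCache = CacheBuilder.newBuilder()
                .maximumSize(10L)
                .expireAfterWrite(10L, TimeUnit.MINUTES)
                .build();
        privateKeyCache = CacheBuilder.newBuilder()
                .maximumSize(10L)
                .expireAfterWrite(10L, TimeUnit.MINUTES)
                .build();
    }
}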
