package net.jsign;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.net.URL;
import java.nio.charset.Charset;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import net.jsign.jca.AzureKeyVaultSigningService;
import net.jsign.jca.DigiCertOneSigningService;
import net.jsign.jca.GoogleCloudSigningService;
import net.jsign.jca.SigningServiceJcaProvider;
import net.jsign.mscab.CFFolder;
import net.jsign.mscab.CFHeader;
import net.jsign.timestamp.TimestampingMode;
import org.apache.commons.io.FileUtils;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSSignedData;

/* loaded from: input_file:net/jsign/SignerHelper.class */
class SignerHelper {
    // Parameter names accepted by param(String, String). Each name is dispatched to the
    // setter of the same name; any other name is rejected with an IllegalArgumentException.
    // storepass, keypass and proxyPass carry secrets: log the names, never the values.
    public static final String PARAM_KEYSTORE = "keystore";
    public static final String PARAM_STOREPASS = "storepass";
    public static final String PARAM_STORETYPE = "storetype";
    public static final String PARAM_ALIAS = "alias";
    public static final String PARAM_KEYPASS = "keypass";
    public static final String PARAM_KEYFILE = "keyfile";
    public static final String PARAM_CERTFILE = "certfile";
    public static final String PARAM_ALG = "alg";
    public static final String PARAM_TSAURL = "tsaurl";
    public static final String PARAM_TSMODE = "tsmode";
    public static final String PARAM_TSRETRIES = "tsretries";
    public static final String PARAM_TSRETRY_WAIT = "tsretrywait";
    public static final String PARAM_NAME = "name";
    public static final String PARAM_URL = "url";
    public static final String PARAM_PROXY_URL = "proxyUrl";
    public static final String PARAM_PROXY_USER = "proxyUser";
    public static final String PARAM_PROXY_PASS = "proxyPass";
    public static final String PARAM_REPLACE = "replace";
    public static final String PARAM_ENCODING = "encoding";
    public static final String PARAM_DETACHED = "detached";
    // Sink for progress/debug messages; every use is guarded by a null check, so null means "silent".
    private final Console console;
    // Word spliced into error messages to name a setting (e.g. "keystore <word> must be set").
    private final String parameterName;
    // Keystore location. build() also reads it as: the SunPKCS11 configuration file or provider
    // name (PKCS11), the vault name (AZUREKEYVAULT), or the keyring (GOOGLECLOUD).
    private File keystore;
    // SECRET. Keystore password; per the messages in build() it is the API access token for
    // AZUREKEYVAULT and GOOGLECLOUD, and "<apikey>|<keystore>|<password>" for DIGICERTONE.
    // Held as an immutable String, so it cannot be wiped after use.
    private String storepass;
    private String storetype;
    // Selected key entry; build() fills it in when it is null and the choice is unambiguous.
    private String alias;
    // SECRET. Private key password; build() falls back to storepass when this is null.
    private String keypass;
    private File keyfile;
    private File certfile;
    // Timestamping authority URL(s); build() splits the value on ','.
    private String tsaurl;
    private String tsmode;
    // Passed to the signer unchanged; NOTE(review): -1 presumably means "use the signer's default" - confirm.
    private int tsretries = -1;
    private int tsretrywait = -1;
    private String alg;
    private String name;
    private String url;
    private String proxyUrl;
    private String proxyUser;
    // SECRET. Proxy password, handed to a JVM-wide Authenticator by initializeProxy().
    private String proxyPass;
    private boolean replace;
    private Charset encoding;
    private boolean detached;
    // Built lazily by the first sign() call and reused for later files.
    private AuthenticodeSigner signer;

    /**
     * Creates a helper that collects signing parameters until the first file is signed.
     *
     * @param console receiver of progress and debug messages; {@code null} disables them
     * @param str     word used to name a setting in error messages
     */
    public SignerHelper(Console console, String str) {
        parameterName = str;
        this.console = console;
    }

    /**
     * Sets the keystore from a path or name given as text.
     *
     * @param str keystore path or name, or {@code null} to clear it
     * @return this helper
     */
    public SignerHelper keystore(String str) {
        return keystore(createFile(str));
    }

    /**
     * Sets the keystore. Depending on the store type, build() reads this as a keystore file,
     * a SunPKCS11 configuration file or provider name, a vault name, or a keyring.
     *
     * @param file the keystore reference, or {@code null}
     * @return this helper
     */
    public SignerHelper keystore(File file) {
        keystore = file;
        return this;
    }

    /**
     * Sets the keystore password (or, for the cloud store types, the API credential).
     * The value is a secret: do not log it or copy it into error messages.
     *
     * @param str the password or credential
     * @return this helper
     */
    public SignerHelper storepass(String str) {
        storepass = str;
        return this;
    }

    /**
     * Sets the keystore type. build() gives special treatment to PKCS11, YUBIKEY,
     * AZUREKEYVAULT, DIGICERTONE and GOOGLECLOUD; the comparison is case-sensitive.
     *
     * @param str the store type
     * @return this helper
     */
    public SignerHelper storetype(String str) {
        storetype = str;
        return this;
    }

    /**
     * Sets the alias of the keystore entry to sign with.
     *
     * @param str the alias, or {@code null} to let build() pick the only entry available
     * @return this helper
     */
    public SignerHelper alias(String str) {
        alias = str;
        return this;
    }

    /**
     * Sets the private key password. The value is a secret: do not log it.
     *
     * @param str the key password, or {@code null} to fall back to the store password
     * @return this helper
     */
    public SignerHelper keypass(String str) {
        keypass = str;
        return this;
    }

    /**
     * Sets the private key file from a path given as text.
     *
     * @param str path of the key file, or {@code null} to clear it
     * @return this helper
     */
    public SignerHelper keyfile(String str) {
        return keyfile(createFile(str));
    }

    /**
     * Sets the private key file; it cannot be combined with a keystore.
     *
     * @param file the key file, or {@code null}
     * @return this helper
     */
    public SignerHelper keyfile(File file) {
        keyfile = file;
        return this;
    }

    /**
     * Sets the certificate file from a path given as text.
     *
     * @param str path of the certificate file, or {@code null} to clear it
     * @return this helper
     */
    public SignerHelper certfile(String str) {
        return certfile(createFile(str));
    }

    /**
     * Sets the file holding the certificate chain.
     *
     * @param file the certificate file, or {@code null}
     * @return this helper
     */
    public SignerHelper certfile(File file) {
        certfile = file;
        return this;
    }

    /**
     * Sets the digest algorithm name; build() rejects names DigestAlgorithm.of() does not resolve.
     *
     * @param str the algorithm name, or {@code null}
     * @return this helper
     */
    public SignerHelper alg(String str) {
        alg = str;
        return this;
    }

    /**
     * Sets the timestamping authority URL(s); build() splits the value on ','.
     *
     * @param str one URL or a comma-separated list, or {@code null}
     * @return this helper
     */
    public SignerHelper tsaurl(String str) {
        tsaurl = str;
        return this;
    }

    /**
     * Sets the timestamping mode; build() resolves it with TimestampingMode.of() and uses
     * AUTHENTICODE when it is {@code null}.
     *
     * @param str the mode name, or {@code null}
     * @return this helper
     */
    public SignerHelper tsmode(String str) {
        tsmode = str;
        return this;
    }

    /**
     * Sets the number of timestamping retries handed to the signer.
     *
     * @param i the retry count
     * @return this helper
     */
    public SignerHelper tsretries(int i) {
        tsretries = i;
        return this;
    }

    /**
     * Sets the wait between timestamping retries handed to the signer.
     *
     * @param i the wait value
     * @return this helper
     */
    public SignerHelper tsretrywait(int i) {
        tsretrywait = i;
        return this;
    }

    /**
     * Sets the program name recorded in the signature.
     *
     * @param str the program name, or {@code null}
     * @return this helper
     */
    public SignerHelper name(String str) {
        name = str;
        return this;
    }

    /**
     * Sets the program URL recorded in the signature.
     *
     * @param str the program URL, or {@code null}
     * @return this helper
     */
    public SignerHelper url(String str) {
        url = str;
        return this;
    }

    /**
     * Sets the proxy used for outgoing connections. The proxy is installed as the JVM-wide
     * default when the signer is built, so it affects the whole process.
     *
     * @param str the proxy URL or host[:port], or {@code null} for no proxy
     * @return this helper
     */
    public SignerHelper proxyUrl(String str) {
        proxyUrl = str;
        return this;
    }

    /**
     * Sets the user name for proxy authentication.
     *
     * @param str the proxy user, or {@code null} for an unauthenticated proxy
     * @return this helper
     */
    public SignerHelper proxyUser(String str) {
        proxyUser = str;
        return this;
    }

    /**
     * Sets the password for proxy authentication. The value is a secret: do not log it.
     *
     * @param str the proxy password
     * @return this helper
     */
    public SignerHelper proxyPass(String str) {
        proxyPass = str;
        return this;
    }

    /**
     * Chooses whether existing signatures are replaced; the flag is passed to the signer's
     * withSignaturesReplaced().
     *
     * @param z {@code true} to replace existing signatures
     * @return this helper
     */
    public SignerHelper replace(boolean z) {
        replace = z;
        return this;
    }

    /**
     * Sets the character encoding handed to Signable.of() when a file is opened.
     *
     * @param str a charset name understood by {@link Charset#forName(String)}
     * @return this helper
     * @throws IllegalArgumentException if the name is null, malformed or not supported
     */
    public SignerHelper encoding(String str) {
        encoding = Charset.forName(str);
        return this;
    }

    /**
     * Enables detached signatures: sign() then reads or writes a ".sig" file next to the
     * signed file.
     *
     * @param z {@code true} to use detached signatures
     * @return this helper
     */
    public SignerHelper detached(boolean z) {
        detached = z;
        return this;
    }

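    /**
     * Sets a parameter by name, converting the text value to the type its setter expects.
     *
     * <p>The decompiled two-stage switch (hash code, then a {@code boolean} selector with
     * repeated {@code case true} labels) is not valid Java; this is the string switch it was
     * compiled from, with the same name-to-setter mapping.
     *
     * <p>Values for storepass, keypass and proxyPass pass through here. The only message built
     * in this method contains the parameter name and never the value.
     *
     * @param str  the parameter name, one of the {@code PARAM_*} constants
     * @param str2 the value; {@code null} leaves the current setting untouched
     * @return this helper
     * @throws IllegalArgumentException if the name is unknown, a numeric value cannot be parsed,
     *         or the encoding name is not a usable charset
     */
    public SignerHelper param(String str, String str2) {
        if (str2 == null) {
            return this;
        }
        switch (str) {
            case PARAM_KEYSTORE:
                return keystore(str2);
            case PARAM_STOREPASS:
                return storepass(str2);
            case PARAM_STORETYPE:
                return storetype(str2);
            case PARAM_ALIAS:
                return alias(str2);
            case PARAM_KEYPASS:
                return keypass(str2);
            case PARAM_KEYFILE:
                return keyfile(str2);
            case PARAM_CERTFILE:
                return certfile(str2);
            case PARAM_ALG:
                return alg(str2);
            case PARAM_TSAURL:
                return tsaurl(str2);
            case PARAM_TSMODE:
                return tsmode(str2);
            case PARAM_TSRETRIES:
                return tsretries(Integer.parseInt(str2));
            case PARAM_TSRETRY_WAIT:
                return tsretrywait(Integer.parseInt(str2));
            case PARAM_NAME:
                return name(str2);
            case PARAM_URL:
                return url(str2);
            case PARAM_PROXY_URL:
                return proxyUrl(str2);
            case PARAM_PROXY_USER:
                return proxyUser(str2);
            case PARAM_PROXY_PASS:
                return proxyPass(str2);
            case PARAM_REPLACE:
                // Anything other than "true" (any case) switches the flag off.
                return replace("true".equalsIgnoreCase(str2));
            case PARAM_ENCODING:
                return encoding(str2);
            case PARAM_DETACHED:
                return detached("true".equalsIgnoreCase(str2));
            default:
                throw new IllegalArgumentException("Unknown " + parameterName + ": " + str);
        }
    }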

    /**
     * Turns a path into a {@link File}, passing {@code null} through unchanged.
     * The path is used as given; it is neither normalized nor checked for existence.
     *
     * @param str the path, or {@code null}
     * @return the file, or {@code null} when no path was given
     */
    private File createFile(String str) {
        return str != null ? new File(str) : null;
    }

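    /**
     * Builds the {@link AuthenticodeSigner} from the parameters collected so far.
     *
     * <p>Steps: validate the parameter combination, create the JCA provider the store type
     * needs, load the certificate chain and the private key (from a keystore, or from the
     * keyfile/certfile pair), check the digest algorithm, install the proxy, configure the signer.
     *
     * <p>Changes against the decompiled form: the provider variable is typed as
     * {@code java.security.Provider} (the decompiler's inferred type did not compile), a missing
     * password no longer causes a NullPointerException, a private key failure is no longer
     * reported as a certificate failure, only proxy failures are reported as proxy failures,
     * and "Goole Cloud" is spelled correctly in the messages.
     *
     * <p>The messages built here name files, aliases and algorithms but never contain
     * storepass, keypass or proxyPass; keep it that way when editing them.
     *
     * @return the configured signer
     * @throws SignerException if a parameter is missing or inconsistent, or if the keystore,
     *         certificate, private key or proxy cannot be set up
     */
    private AuthenticodeSigner build() throws SignerException {
        if (keystore == null && keyfile == null && certfile == null && !"YUBIKEY".equals(storetype) && !"DIGICERTONE".equals(storetype)) {
            throw new SignerException("keystore " + parameterName + ", or keyfile and certfile " + parameterName + "s must be set");
        }
        if (keystore != null && keyfile != null) {
            throw new SignerException("keystore " + parameterName + " can't be mixed with keyfile");
        }
        validateServiceParameters();

        java.security.Provider provider = createProvider();

        Certificate[] chain;
        PrivateKey privateKey;
        if (keystore != null || "YUBIKEY".equals(storetype) || "DIGICERTONE".equals(storetype)) {
            KeyStore ks;
            try {
                ks = KeyStoreUtils.load(keystore, "YUBIKEY".equals(storetype) ? "PKCS11" : storetype, storepass, provider);
            } catch (KeyStoreException e) {
                throw new SignerException("Failed to load the keystore " + keystore, e);
            }
            String storeLabel = provider != null ? provider.getName() : String.valueOf(keystore);

            // Pick the alias when none was given and the choice is unambiguous.
            LinkedHashSet<String> aliases = null;
            if (alias == null) {
                if ("YUBIKEY".equals(storetype)) {
                    alias = "X.509 Certificate for Digital Signature";
                } else {
                    try {
                        aliases = new LinkedHashSet<>(Collections.list(ks.aliases()));
                    } catch (KeyStoreException e) {
                        throw new SignerException(e.getMessage(), e);
                    }
                    if (aliases.isEmpty()) {
                        throw new SignerException("No certificate found in the keystore " + storeLabel);
                    }
                    if (aliases.size() != 1) {
                        throw new SignerException("alias " + parameterName + " must be set to select a certificate (available aliases: " + String.join(", ", aliases) + ")");
                    }
                    alias = aliases.iterator().next();
                }
            }

            try {
                chain = ks.getCertificateChain(alias);
            } catch (KeyStoreException e) {
                throw new SignerException(e.getMessage(), e);
            }
            if (chain == null) {
                String message = "No certificate found under the alias '" + alias + "' in the keystore " + storeLabel;
                if (aliases == null) {
                    // The alias was supplied by the caller: list what is available to help them.
                    try {
                        LinkedHashSet<String> available = new LinkedHashSet<>(Collections.list(ks.aliases()));
                        if (available.isEmpty()) {
                            message = "No certificate found in the keystore " + storeLabel;
                        } else {
                            message = message + " (available aliases: " + String.join(", ", available) + ")";
                        }
                    } catch (KeyStoreException e) {
                        message = message + " (couldn't load the list of available aliases: " + e.getMessage() + ")";
                    }
                }
                throw new SignerException(message);
            }

            if (certfile != null && !"GOOGLECLOUD".equals(storetype)) {
                if (chain.length != 1) {
                    throw new SignerException("certfile " + parameterName + " can only be specified if the certificate from the keystore contains only one entry");
                }
                try {
                    // Only the first certificate is compared with the keystore entry; the rest of
                    // the chain is taken from the file as-is, so the certfile must be trusted.
                    // An empty certfile fails on the index below and is reported as a load failure.
                    Certificate[] fromFile = loadCertificateChain(certfile);
                    if (!fromFile[0].equals(chain[0])) {
                        throw new SignerException("The certificate chain in " + certfile + " does not match the chain from the keystore");
                    }
                    chain = fromFile;
                } catch (SignerException e) {
                    throw e;
                } catch (Exception e) {
                    throw new SignerException("Failed to load the certificate from " + certfile, e);
                }
            }

            // keypass wins over storepass. With neither set, null is passed on and the keystore
            // implementation decides whether the entry can be read without a password.
            String password = keypass != null ? keypass : storepass;
            try {
                privateKey = (PrivateKey) ks.getKey(alias, password != null ? password.toCharArray() : null);
            } catch (Exception e) {
                throw new SignerException("Failed to retrieve the private key from the keystore", e);
            }
        } else {
            if (keyfile == null) {
                throw new SignerException("keyfile " + parameterName + " must be set");
            }
            if (!keyfile.exists()) {
                throw new SignerException("The keyfile " + keyfile + " couldn't be found");
            }
            if (certfile == null) {
                throw new SignerException("certfile " + parameterName + " must be set");
            }
            if (!certfile.exists()) {
                throw new SignerException("The certfile " + certfile + " couldn't be found");
            }
            try {
                chain = loadCertificateChain(certfile);
            } catch (Exception e) {
                throw new SignerException("Failed to load the certificate from " + certfile, e);
            }
            // Kept outside the certificate try block so that a key failure keeps its own message.
            try {
                privateKey = PrivateKeyUtils.load(keyfile, keypass != null ? keypass : storepass);
            } catch (Exception e) {
                throw new SignerException("Failed to load the private key from " + keyfile, e);
            }
        }

        if (alg != null && DigestAlgorithm.of(alg) == null) {
            throw new SignerException("The digest algorithm " + alg + " is not supported");
        }

        // Only the proxy setup is wrapped: a bad timestamping mode or similar must not be
        // reported as a proxy problem.
        try {
            initializeProxy(proxyUrl, proxyUser, proxyPass);
        } catch (Exception e) {
            throw new SignerException("Couldn't initialize proxy", e);
        }

        return new AuthenticodeSigner(chain, privateKey)
                .withProgramName(name)
                .withProgramURL(url)
                .withDigestAlgorithm(DigestAlgorithm.of(alg))
                .withSignatureProvider(provider)
                .withSignaturesReplaced(replace)
                .withTimestamping(tsaurl != null || tsmode != null)
                .withTimestampingMode(tsmode != null ? TimestampingMode.of(tsmode) : TimestampingMode.AUTHENTICODE)
                .withTimestampingRetries(tsretries)
                .withTimestampingRetryWait(tsretrywait)
                .withTimestampingAuthority(tsaurl != null ? tsaurl.split(",") : null);
    }

    /** Checks the parameters that the cloud signing services (Azure, DigiCert ONE, Google Cloud) require. */
    private void validateServiceParameters() throws SignerException {
        if ("AZUREKEYVAULT".equals(storetype)) {
            if (keystore == null) {
                throw new SignerException("keystore " + parameterName + " must specify the Azure vault name");
            }
            if (storepass == null) {
                throw new SignerException("storepass " + parameterName + " must specify the Azure API access token");
            }
        } else if ("DIGICERTONE".equals(storetype)) {
            // The three parts are separated by '|', so a client certificate password that
            // itself contains '|' fails this check.
            if (storepass == null || storepass.split("\\|").length != 3) {
                throw new SignerException("storepass " + parameterName + " must specify the DigiCert ONE API key and the client certificate: <apikey>|<keystore>|<password>");
            }
        } else if ("GOOGLECLOUD".equals(storetype)) {
            if (keystore == null) {
                throw new SignerException("keystore " + parameterName + " must specify the Google Cloud keyring");
            }
            if (storepass == null) {
                throw new SignerException("storepass " + parameterName + " must specify the Google Cloud API access token");
            }
            if (certfile == null) {
                throw new SignerException("certfile " + parameterName + " must be set");
            }
        }
    }

    /** Creates the JCA provider the store type needs, or returns null when the default providers are used. */
    private java.security.Provider createProvider() throws SignerException {
        if ("PKCS11".equals(storetype)) {
            if (keystore != null && keystore.exists()) {
                // A SunPKCS11 configuration names the native library to load, so this path
                // must come from a trusted source.
                return ProviderUtils.createSunPKCS11Provider(keystore.getPath());
            }
            if (keystore == null || !keystore.getName().startsWith("SunPKCS11-")) {
                throw new SignerException("keystore " + parameterName + " should either refer to the SunPKCS11 configuration file or to the name of the provider configured in jre/lib/security/java.security");
            }
            java.security.Provider installed = Security.getProvider(keystore.getName());
            if (installed == null) {
                throw new SignerException("Security provider " + keystore.getName() + " not found");
            }
            return installed;
        }
        if ("YUBIKEY".equals(storetype)) {
            return YubiKey.getProvider();
        }
        if ("AZUREKEYVAULT".equals(storetype)) {
            return new SigningServiceJcaProvider(new AzureKeyVaultSigningService(keystore.getName(), storepass));
        }
        if ("DIGICERTONE".equals(storetype)) {
            String[] parts = storepass.split("\\|");
            return new SigningServiceJcaProvider(new DigiCertOneSigningService(parts[0], new File(parts[1]), parts[2]));
        }
        if ("GOOGLECLOUD".equals(storetype)) {
            return new SigningServiceJcaProvider(new GoogleCloudSigningService(keystore.getPath(), storepass, str -> {
                try {
                    return loadCertificateChain(certfile);
                } catch (IOException | CertificateException e) {
                    throw new RuntimeException("Failed to load the certificate from " + certfile, e);
                }
            }));
        }
        return null;
    }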

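    /**
     * Signs a file, or re-attaches a previously detached signature to it.
     *
     * <p>When detached mode is on and a ".sig" file already sits next to the file, that
     * signature is attached and no signing takes place (no key is needed on this path).
     * Otherwise the file is signed, and in detached mode the new signature is also written
     * to the ".sig" file.
     *
     * <p>NOTE(review): nothing visible here checks that an existing ".sig" was produced for
     * this file's current content; whoever can write to the directory decides what gets
     * attached. Confirm that verification happens elsewhere in the pipeline.
     *
     * @param file the file to sign
     * @throws SignerException if the file is missing or unsupported, or if signing or attaching fails
     */
    public void sign(File file) throws SignerException {
        if (file == null) {
            throw new SignerException("file must be set");
        }
        if (!file.exists()) {
            throw new SignerException("The file " + file + " couldn't be found");
        }

        Signable signable;
        try {
            signable = Signable.of(file, encoding);
        } catch (IOException e) {
            throw new SignerException("Couldn't open the file " + file, e);
        } catch (UnsupportedOperationException e) {
            // Keep the cause so the stack trace still shows where the format was rejected.
            throw new SignerException(e.getMessage(), e);
        }

        if (detached && getDetachedSignature(file).exists()) {
            try {
                if (console != null) {
                    console.info("Attaching Authenticode signature to " + file);
                }
                attach(file);
            } catch (Exception e) {
                throw new SignerException("Couldn't attach the signature to " + file, e);
            }
            return;
        }

        try {
            if (signer == null) {
                signer = build();
            }
            if (console != null) {
                console.info("Adding Authenticode signature to " + file);
            }
            signer.sign(signable);
            if (detached) {
                detach(file);
            }
        } catch (SignerException e) {
            throw e;
        } catch (Exception e) {
            throw new SignerException("Couldn't sign " + file, e);
        }
    }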

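    /**
     * Reads the detached signature stored next to the file and writes it into the file.
     *
     * <p>The ".sig" content is parsed as a CMS structure and attached as-is. It is not
     * verified against the file here, so the ".sig" file has to come from a trusted location.
     *
     * @param file the file receiving the signature
     * @throws IOException  if the signature file cannot be read, is empty, or the file cannot be saved
     * @throws CMSException if the content is not a usable CMS signed-data structure
     */
    private void attach(File file) throws IOException, CMSException {
        File signatureFile = getDetachedSignature(file);
        byte[] encoded = FileUtils.readFileToByteArray(signatureFile);

        ContentInfo contentInfo;
        try (ASN1InputStream in = new ASN1InputStream(encoded)) {
            contentInfo = ContentInfo.getInstance(in.readObject());
        }
        if (contentInfo == null) {
            // readObject() returns null at end of input, i.e. the .sig file holds no object.
            throw new IOException("No signature found in " + signatureFile);
        }

        CMSSignedData signature = new CMSSignedData((CMSProcessable) null, contentInfo);
        Signable signable = Signable.of(file, encoding);
        signable.setSignature(signature);
        signable.save();
    }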

    /**
     * Writes the first signature of the file, DER-encoded, to the ".sig" file next to it.
     * An existing ".sig" file is overwritten.
     *
     * @param file the signed file
     * @throws IOException if the file cannot be read or the signature cannot be written
     */
    private void detach(File file) throws IOException {
        File target = getDetachedSignature(file);
        byte[] encoded = Signable.of(file, encoding).getSignatures().get(0).toASN1Structure().getEncoded("DER");
        FileUtils.writeByteArrayToFile(target, encoded);
    }

    /**
     * Returns the location of the detached signature: the file's name with ".sig" appended,
     * in the same directory.
     *
     * @param file the signed file
     * @return the signature file; it may not exist
     */
    private File getDetachedSignature(File file) {
        File directory = file.getParentFile();
        return new File(directory, file.getName() + ".sig");
    }

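    /**
     * Reads every X.509 certificate contained in a file.
     *
     * <p>The certificates are only parsed. No signature, validity or trust check is done
     * here, and the order is the one found in the file.
     *
     * <p>This replaces the decompiler's expansion of a try-with-resources statement, which
     * could lose the original failure when closing the stream failed as well.
     *
     * @param file the certificate file
     * @return the certificates, possibly an empty array
     * @throws IOException          if the file cannot be opened or closed
     * @throws CertificateException if the content cannot be parsed
     */
    private Certificate[] loadCertificateChain(File file) throws IOException, CertificateException {
        try (FileInputStream in = new FileInputStream(file)) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
    }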

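    /**
     * Installs the proxy, and optionally the proxy credentials, as JVM-wide defaults.
     *
     * <p>{@link ProxySelector#setDefault} and {@link Authenticator#setDefault} affect every
     * connection opened by the process afterwards, not only those made while signing, and
     * they replace whatever selector or authenticator was installed before.
     *
     * <p>The authenticator answers proxy challenges only. Without that check the proxy user
     * and password would also be handed to any origin server that requests authentication.
     *
     * <p>The scheme test looks for "http://" or "https://" rather than the bare prefix "http",
     * so that a host whose name starts with "http" still gets the default scheme.
     *
     * @param str  the proxy URL or host[:port]; null or blank leaves the JVM defaults untouched
     * @param str2 the proxy user; null or empty means no authenticator is installed
     * @param str3 the proxy password; null means no authenticator is installed
     * @throws MalformedURLException if the proxy address cannot be parsed
     */
    private void initializeProxy(String str, final String str2, final String str3) throws MalformedURLException {
        if (str == null || str.trim().length() <= 0) {
            return;
        }
        String spec = str.trim();
        if (!spec.startsWith("http://") && !spec.startsWith("https://")) {
            spec = "http://" + spec;
        }
        final URL url = new URL(spec);
        // Port 80 is the fallback for every scheme, https included.
        final int port = url.getPort() < 0 ? 80 : url.getPort();

        ProxySelector.setDefault(new ProxySelector() {
            @Override
            public List<Proxy> select(URI uri) {
                Proxy.Type type = "socket".equals(uri.getScheme()) ? Proxy.Type.SOCKS : Proxy.Type.HTTP;
                Proxy proxy = new Proxy(type, new InetSocketAddress(url.getHost(), port));
                if (console != null) {
                    console.debug("Proxy selected for " + uri + " : " + proxy);
                }
                return Collections.singletonList(proxy);
            }

            @Override
            public void connectFailed(URI uri, SocketAddress socketAddress, IOException iOException) {
                // Nothing to fall back to: there is a single proxy.
            }
        });

        if (str2 == null || str2.length() <= 0 || str3 == null) {
            return;
        }
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                if (getRequestorType() != Authenticator.RequestorType.PROXY) {
                    // Not a proxy challenge: do not disclose the proxy credentials.
                    return null;
                }
                return new PasswordAuthentication(str2, str3.toCharArray());
            }
        });
    }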
}
