package uk.gov.di.ipv.cri.common.library.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.util.Base64URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.Set;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.MessageType;
import software.amazon.awssdk.services.kms.model.SignRequest;
import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec;
import uk.gov.di.ipv.cri.common.library.annotations.ExcludeFromGeneratedCoverageReport;

/* loaded from: input_file:uk/gov/di/ipv/cri/common/library/util/KMSSigner.class */
public class KMSSigner implements JWSSigner {
    private final KmsClient kmsClient;
    private final JCAContext jcaContext;
    private final String keyId;

    @ExcludeFromGeneratedCoverageReport
    public KMSSigner(String str) {
        this.jcaContext = new JCAContext();
        this.keyId = str;
        this.kmsClient = (KmsClient) KmsClient.builder().build();
    }

    public KMSSigner(String str, KmsClient kmsClient) {
        this.jcaContext = new JCAContext();
        this.keyId = str;
        this.kmsClient = kmsClient;
    }

    public Base64URL sign(JWSHeader jWSHeader, byte[] bArr) throws JOSEException {
        Objects.requireNonNull(bArr, "Signing input must not be null");
        try {
            return Base64URL.encode(this.kmsClient.sign((SignRequest) SignRequest.builder().signingAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString()).keyId(this.keyId).message(SdkBytes.fromByteArray(MessageDigest.getInstance("SHA-256").digest(bArr))).messageType(MessageType.DIGEST).build()).signature().asByteArray());
        } catch (NoSuchAlgorithmException e) {
            throw new JOSEException(e.getMessage());
        }
    }

    public Set<JWSAlgorithm> supportedJWSAlgorithms() {
        return Set.of(JWSAlgorithm.ES256);
    }

    public JCAContext getJCAContext() {
        return this.jcaContext;
    }
}
