package dev.paseto.jpaseto.impl.crypto;

import dev.paseto.jpaseto.PasetoSignatureException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

/* loaded from: input_file:dev/paseto/jpaseto/impl/crypto/JcaV1PublicCryptoProvider.class */
public class JcaV1PublicCryptoProvider implements V1PublicCryptoProvider {
    private static final boolean IS_IN_BC_FIPS_MODE = Boolean.getBoolean("org.bouncycastle.fips.approved_only");
    private static final byte[] HEADER_BYTES = "v1.public.".getBytes(StandardCharsets.UTF_8);

    /* JADX WARN: Type inference failed for: r0v1, types: [byte[], byte[][]] */
    @Override // dev.paseto.jpaseto.impl.crypto.V1PublicCryptoProvider
    public byte[] sign(byte[] bArr, byte[] bArr2, PrivateKey privateKey) {
        byte[] encode = PreAuthEncoder.encode(new byte[]{HEADER_BYTES, bArr, bArr2});
        try {
            Signature pssSignature = pssSignature();
            pssSignature.initSign(privateKey);
            pssSignature.update(encode);
            return pssSignature.sign();
        } catch (InvalidKeyException | SignatureException e) {
            throw new PasetoSignatureException("Failed to sign token", e);
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [byte[], byte[][]] */
    @Override // dev.paseto.jpaseto.impl.crypto.V1PublicCryptoProvider
    public boolean verify(byte[] bArr, byte[] bArr2, byte[] bArr3, PublicKey publicKey) {
        byte[] encode = PreAuthEncoder.encode(new byte[]{HEADER_BYTES, bArr, bArr2});
        try {
            Signature pssSignature = pssSignature();
            pssSignature.initVerify(publicKey);
            pssSignature.update(encode);
            return pssSignature.verify(bArr3);
        } catch (InvalidKeyException | SignatureException e) {
            throw new PasetoSignatureException("Could not verify token signature", e);
        }
    }

    private Signature pssSignature() {
        if (IS_IN_BC_FIPS_MODE) {
            try {
                Signature signature = Signature.getInstance("SHA384withRSAandMGF1", "BCFIPS");
                signature.setParameter(new PSSParameterSpec("SHA-384", "MGF1", new MGF1ParameterSpec("SHA-384"), 48, 1));
                return signature;
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
                throw new PasetoSignatureException("Could not load signature algorithm 'SHA384withRSAandMGF1' ensure you are using bc-fips.jar", e);
            }
        }
        try {
            Signature signature2 = Signature.getInstance("RSASSA-PSS");
            signature2.setParameter(new PSSParameterSpec("SHA-384", "MGF1", new MGF1ParameterSpec("SHA-384"), 48, 1));
            return signature2;
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e2) {
            throw new PasetoSignatureException("Could not load signature algorithm 'RSASSA-PSS' ensure you are using jpaseto-bouncy-castle.jar or Java 11+", e2);
        }
    }
}
