package de.tk.opensource.secon;

import global.namespace.fun.io.api.Socket;
import global.namespace.fun.io.api.function.XFunction;
import java.io.BufferedInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.AlgorithmParameters;
import java.security.PrivateKey;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.PSSParameterSpec;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Callable;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cms.CMSAlgorithm;
import org.bouncycastle.cms.CMSEnvelopedDataParser;
import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.CMSSignedDataStreamGenerator;
import org.bouncycastle.cms.CMSTypedStream;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:de/tk/opensource/secon/Subscriber.class */
public final class Subscriber {
    private volatile PrivateKey privateKey;
    private volatile X509Certificate certificate;
    private final Identity identity;
    private final Directory[] directories;
    private final XFunction<OutputStream, OutputStream> sign = Streams.fixOutputstreamClose(this::sign);
    private final XFunction<InputStream, InputStream> decrypt = Streams.fixInputstreamClose(this::decrypt);

    /* JADX INFO: Access modifiers changed from: package-private */
    public Subscriber(Identity identity, Directory[] directoryArr) {
        this.identity = identity;
        this.directories = directoryArr;
    }

    private PrivateKey privateKey() throws Exception {
        PrivateKey privateKey = this.privateKey;
        if (null != privateKey) {
            return privateKey;
        }
        PrivateKey privateKey2 = this.identity.privateKey();
        this.privateKey = privateKey2;
        return privateKey2;
    }

    private X509Certificate certificate() throws Exception {
        X509Certificate x509Certificate = this.certificate;
        if (null != x509Certificate) {
            return x509Certificate;
        }
        X509Certificate certificate = this.identity.certificate();
        this.certificate = certificate;
        return certificate;
    }

    private static X500Principal principal(X500Name x500Name) {
        try {
            return new X500Principal(x500Name.getEncoded());
        } catch (IOException e) {
            throw new AssertionError(e);
        }
    }

    private static X509CertSelector selector(SignerId signerId) {
        X509CertSelector x509CertSelector = new X509CertSelector();
        Optional.ofNullable(signerId.getIssuer()).ifPresent(x500Name -> {
            x509CertSelector.setIssuer(principal(x500Name));
        });
        x509CertSelector.setSerialNumber(signerId.getSerialNumber());
        x509CertSelector.setSubjectKeyIdentifier(signerId.getSubjectKeyIdentifier());
        return x509CertSelector;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public X509Certificate certificate(SignerId signerId) throws Exception {
        return certificate(selector(signerId));
    }

    private X509Certificate certificate(X509CertSelector x509CertSelector) throws Exception {
        for (Directory directory : this.directories) {
            Optional<X509Certificate> certificate = directory.certificate(x509CertSelector);
            if (certificate.isPresent()) {
                return certificate.get();
            }
        }
        throw new CertificateNotFoundException(x509CertSelector.toString());
    }

    private X509Certificate certificate(String str) throws Exception {
        for (Directory directory : this.directories) {
            Optional<X509Certificate> certificate = directory.certificate(str);
            if (certificate.isPresent()) {
                return certificate.get();
            }
        }
        throw new CertificateNotFoundException(str);
    }

    private OutputStream sign(OutputStream outputStream) throws Exception {
        ContentSigner build;
        X509Certificate certificate = certificate();
        PrivateKey privateKey = privateKey();
        if (PKCSObjectIdentifiers.id_RSASSA_PSS.equals((ASN1Primitive) new ASN1ObjectIdentifier(certificate.getSigAlgOID()))) {
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance(certificate.getSigAlgName());
            algorithmParameters.init(certificate.getSigAlgParams());
            build = new JcaContentSignerBuilder(certificate.getSigAlgName(), algorithmParameters.getParameterSpec(PSSParameterSpec.class)).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(privateKey);
        } else {
            build = new JcaContentSignerBuilder(certificate.getSigAlgName()).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(privateKey);
        }
        CMSSignedDataStreamGenerator cMSSignedDataStreamGenerator = new CMSSignedDataStreamGenerator();
        cMSSignedDataStreamGenerator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build()).build(build, certificate));
        return cMSSignedDataStreamGenerator.open(outputStream, true);
    }

    private InputStream verify(InputStream inputStream, final Verifier verifier) throws Exception {
        final CMSSignedDataParser cMSSignedDataParser = new CMSSignedDataParser(new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build(), new BufferedInputStream(inputStream));
        final CMSTypedStream signedContent = cMSSignedDataParser.getSignedContent();
        return new FilterInputStream(signedContent.getContentStream()) { // from class: de.tk.opensource.secon.Subscriber.1
            @Override // java.io.FilterInputStream, java.io.InputStream, java.io.Closeable, java.lang.AutoCloseable
            public void close() throws IOException {
                CMSTypedStream cMSTypedStream = signedContent;
                Objects.requireNonNull(cMSTypedStream);
                SideEffect.runAll(cMSTypedStream::drain, this::verifyIo);
            }

            private void verifyIo() throws IOException {
                try {
                    verify();
                } catch (IOException | RuntimeException e) {
                    throw e;
                } catch (Exception e2) {
                    throw new IOException(e2);
                }
            }

            private void verify() throws Exception {
                Iterator<SignerInformation> it = cMSSignedDataParser.getSignerInfos().iterator();
                while (it.hasNext()) {
                    SignerInformation next = it.next();
                    X509Certificate certificate = Subscriber.this.certificate(next.getSID());
                    if (!next.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certificate))) {
                        throw new InvalidSignatureException();
                    }
                    verifier.verify(certificate);
                }
            }
        };
    }

    private XFunction<InputStream, InputStream> verify(Verifier verifier) {
        return Streams.fixInputstreamClose(inputStream -> {
            return verify(inputStream, verifier);
        });
    }

    private OutputStream encrypt(OutputStream outputStream, Callable<X509Certificate>[] callableArr) throws Exception {
        CMSEnvelopedDataStreamGenerator cMSEnvelopedDataStreamGenerator = new CMSEnvelopedDataStreamGenerator();
        for (Callable<X509Certificate> callable : callableArr) {
            cMSEnvelopedDataStreamGenerator.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(callable.call()).setProvider(BouncyCastleProvider.PROVIDER_NAME));
        }
        return cMSEnvelopedDataStreamGenerator.open(outputStream, new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES256_CBC).setProvider(BouncyCastleProvider.PROVIDER_NAME).build());
    }

    private XFunction<OutputStream, OutputStream> encrypt(Callable<X509Certificate>[] callableArr) {
        return Streams.fixOutputstreamClose(outputStream -> {
            return encrypt(outputStream, callableArr);
        });
    }

    private InputStream decrypt(InputStream inputStream) throws Exception {
        return ((RecipientInformation) Optional.ofNullable(new CMSEnvelopedDataParser(new BufferedInputStream(inputStream)).getRecipientInfos().get(new JceKeyTransRecipientId(certificate()))).orElseThrow(CertificateMismatchException::new)).getContentStream(new JceKeyTransEnvelopedRecipient(privateKey()).setProvider(BouncyCastleProvider.PROVIDER_NAME)).getContentStream();
    }

    private Socket<OutputStream> signAndEncryptTo(Socket<OutputStream> socket, Callable<X509Certificate>[] callableArr) {
        return socket.map(this.sign.compose(encrypt(callableArr)));
    }

    public SeconCallable<OutputStream> signAndEncryptTo(Callable<OutputStream> callable, X509Certificate x509Certificate, X509Certificate... x509CertificateArr) {
        Callable<X509Certificate>[] callableArr = new Callable[x509CertificateArr.length + 1];
        Objects.requireNonNull(x509Certificate);
        callableArr[0] = () -> {
            return x509Certificate;
        };
        int i = 0;
        while (i < x509CertificateArr.length) {
            X509Certificate x509Certificate2 = (X509Certificate) Objects.requireNonNull(x509CertificateArr[i]);
            i++;
            callableArr[i] = () -> {
                return x509Certificate2;
            };
        }
        return SECON.callable(signAndEncryptTo(SECON.socket(callable), callableArr));
    }

    public SeconCallable<OutputStream> signAndEncryptTo(Callable<OutputStream> callable, String str, String... strArr) {
        Callable<X509Certificate>[] callableArr = new Callable[strArr.length + 1];
        Objects.requireNonNull(str);
        callableArr[0] = () -> {
            return certificate(str);
        };
        int i = 0;
        while (i < strArr.length) {
            String str2 = (String) Objects.requireNonNull(strArr[i]);
            i++;
            callableArr[i] = () -> {
                return certificate(str2);
            };
        }
        return SECON.callable(signAndEncryptTo(SECON.socket(callable), callableArr));
    }

    private Socket<InputStream> decryptAndVerifyFrom(Socket<InputStream> socket, Verifier verifier) {
        return socket.map(verify(verifier).compose(this.decrypt));
    }

    public SeconCallable<InputStream> decryptAndVerifyFrom(Callable<InputStream> callable) {
        return SECON.callable(decryptAndVerifyFrom(SECON.socket(callable), Verifier.NULL));
    }

    public SeconCallable<InputStream> decryptAndVerifyFrom(Callable<InputStream> callable, Verifier verifier) {
        return SECON.callable(decryptAndVerifyFrom(SECON.socket(callable), verifier));
    }
}
