package es.gob.afirma.signers.batch;

import es.gob.afirma.core.misc.Base64;
import es.gob.afirma.core.signers.TriphaseData;
import es.gob.afirma.triphase.server.ConfigManager;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:WEB-INF/classes/es/gob/afirma/signers/batch/TriPhaseHelper.class */
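/**
 * Server-side helpers for the three-phase signature flow: stamps each pre-signature with an
 * HMAC so that data returned by the client in a later phase can be checked for tampering, and
 * sanity-checks the PKCS#1 value the client sends back against the signing certificate.
 *
 * <p>Both the stamping and the check are skipped when no HMAC key is configured, so the
 * integrity binding between phases only exists when {@code ConfigManager.getHMacKey()} is set.
 */
public class TriPhaseHelper {
    /** MAC algorithm used for the per-signature verification code. */
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    /** TriSign property holding the pre-signature produced in the first phase. */
    private static final String TRIPHASE_PROP_PRESIGN = "PRE";
    /** TriSign property holding the PKCS#1 value returned by the client. */
    private static final String TRIPHASE_PROP_PKCS1 = "PK1";
    /** TriSign property holding the Base64 verification code added by {@link #addVerificationCodes}. */
    private static final String TRIPHASE_PROP_HMAC = "HMAC";
    private static final Logger LOGGER = Logger.getLogger(TriPhaseHelper.class.getName());
    /** Charset used to turn the configured key and the pre-signature into MAC input. */
    private static final Charset DEFAULT_CHARSET = StandardCharsets.UTF_8;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Adds to every TriSign a verification code computed as
     * {@code HMAC-SHA256(key, presign || key || certDer)} under the configured key.
     *
     * <p>Does nothing when no HMAC key is configured.
     *
     * @param triphaseData three-phase data whose TriSigns receive the {@code HMAC} property
     * @param x509Certificate signing certificate, bound into the code through its DER encoding
     * @throws NoSuchAlgorithmException if {@code HmacSHA256} is not available
     * @throws InvalidKeyException if the configured key cannot initialise the MAC
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded
     * @throws IllegalStateException if a TriSign carries no pre-signature
     */
    public static void addVerificationCodes(TriphaseData triphaseData, X509Certificate x509Certificate) throws NoSuchAlgorithmException, InvalidKeyException, CertificateEncodingException, IllegalStateException {
        final String hMacKey = ConfigManager.getHMacKey();
        if (hMacKey == null) {
            return;
        }
        final byte[] keyBytes = hMacKey.getBytes(DEFAULT_CHARSET);
        final byte[] certEncoded = x509Certificate.getEncoded();
        // One Mac instance serves every signature: doFinal() returns it to its initialised state.
        final Mac mac = newMac(keyBytes);
        for (final TriphaseData.TriSign triSign : triphaseData.getTriSigns()) {
            final String presign = triSign.getProperty(TRIPHASE_PROP_PRESIGN);
            if (presign == null) {
                // Previously this surfaced as a NullPointerException from getBytes().
                throw new IllegalStateException("Alguna de las firmas no contiene la prefirma");
            }
            final byte[] code = computeVerificationCode(mac, presign, keyBytes, certEncoded);
            triSign.addProperty(TRIPHASE_PROP_HMAC, Base64.encode(code));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks that every TriSign still carries the verification code produced by
     * {@link #addVerificationCodes} for its pre-signature and certificate, and that its PKCS#1
     * value decrypts under the certificate's public key (see {@link #verifyPkcs1}).
     *
     * <p>Does nothing when no HMAC key is configured. Any failure is reported as a
     * {@link SecurityException}; failures of the underlying crypto or Base64 decoding are
     * wrapped with their cause preserved.
     *
     * @param triphaseData three-phase data as returned by the client
     * @param x509Certificate signing certificate used when the codes were added
     * @throws SecurityException if a code or PKCS#1 value is missing, does not match, or cannot be verified
     * @throws IOException declared for API compatibility; decoding errors are reported as {@link SecurityException}
     */
    public static void checkSignaturesIntegrity(TriphaseData triphaseData, X509Certificate x509Certificate) throws SecurityException, IOException {
        final String hMacKey = ConfigManager.getHMacKey();
        if (hMacKey == null) {
            return;
        }
        final byte[] keyBytes = hMacKey.getBytes(DEFAULT_CHARSET);
        for (final TriphaseData.TriSign triSign : triphaseData.getTriSigns()) {
            final String storedCode = triSign.getProperty(TRIPHASE_PROP_HMAC);
            if (storedCode == null) {
                throw new SecurityException("Alguna de las firmas no contenida el codigo de verificacion");
            }
            final String presign = triSign.getProperty(TRIPHASE_PROP_PRESIGN);
            if (presign == null) {
                throw new SecurityException("Alguna de las firmas no contiene la prefirma");
            }
            try {
                final Mac mac = newMac(keyBytes);
                final byte[] expected = computeVerificationCode(mac, presign, keyBytes, x509Certificate.getEncoded());
                // Constant-time comparison: the check's duration must not depend on where the values differ.
                if (!MessageDigest.isEqual(expected, Base64.decode(storedCode))) {
                    throw new SecurityException("Se ha detectado un error de integridad en los datos de firma");
                }
                final String pkcs1 = triSign.getProperty(TRIPHASE_PROP_PKCS1);
                if (pkcs1 == null) {
                    throw new SecurityException("No se ha proporcionado el PKCS#1 de la firma");
                }
                verifyPkcs1(Base64.decode(pkcs1), x509Certificate.getPublicKey());
            } catch (final SecurityException e) {
                // Already describes the exact failure; do not bury it under a generic wrapper.
                throw e;
            } catch (final Exception e) {
                throw new SecurityException("No se pudo completar la verificacion de integridad de la firma", e);
            }
        }
    }

    /**
     * Checks that {@code bArr} is an RSA PKCS#1 value that decrypts under {@code publicKey}.
     *
     * <p>Only RSA keys are supported; for any other key algorithm a warning is logged and the
     * method returns without verifying anything. The recovered plaintext is discarded, so this
     * proves that the value was produced with the matching private key and has valid PKCS#1
     * padding, but it does not compare the recovered digest with the pre-signature.
     *
     * @param bArr raw PKCS#1 value returned by the client
     * @param publicKey public key of the signing certificate
     * @throws SecurityException if the value cannot be decrypted under the key
     * @throws NullPointerException if either argument is {@code null}
     */
    public static void verifyPkcs1(byte[] bArr, PublicKey publicKey) throws SecurityException {
        Objects.requireNonNull(bArr, "bArr");
        Objects.requireNonNull(publicKey, "publicKey");
        if (!"RSA".equalsIgnoreCase(publicKey.getAlgorithm())) {
            LOGGER.warning("No se soporta la validacion del PKCS#1 con el algoritmo de cifrado asociado a la clave de firma utilizada");
            return;
        }
        try {
            final Cipher cipher = Cipher.getInstance(publicKey.getAlgorithm());
            // Relies on the provider accepting a public key in decrypt mode to undo the signature padding.
            cipher.init(Cipher.DECRYPT_MODE, publicKey);
            cipher.doFinal(bArr);
        } catch (final GeneralSecurityException | RuntimeException e) {
            // Providers report malformed input either as checked crypto exceptions or unchecked ones;
            // both mean the value does not verify under this key.
            throw new SecurityException("El PKCS#1 de la firma no se ha generado con el certificado indicado", e);
        }
    }

    /**
     * Builds an {@code HmacSHA256} instance initialised with the configured key bytes.
     *
     * @param keyBytes UTF-8 bytes of the configured HMAC key
     * @return an initialised MAC, ready for {@link #computeVerificationCode}
     * @throws NoSuchAlgorithmException if {@code HmacSHA256} is not available
     * @throws InvalidKeyException if the key cannot initialise the MAC
     */
    private static Mac newMac(final byte[] keyBytes) throws NoSuchAlgorithmException, InvalidKeyException {
        final Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        mac.init(new SecretKeySpec(keyBytes, HMAC_ALGORITHM));
        return mac;
    }

    /**
     * Computes the verification code of one signature over {@code presign || key || certDer}.
     *
     * <p>Feeding the key bytes into the MAC in addition to keying it adds nothing
     * cryptographically, but the input layout is kept as-is so that codes already issued keep
     * verifying.
     *
     * @param mac initialised MAC; reset by this call
     * @param presign pre-signature of the TriSign
     * @param keyBytes UTF-8 bytes of the configured HMAC key
     * @param certEncoded DER encoding of the signing certificate
     * @return the raw MAC value
     */
    private static byte[] computeVerificationCode(final Mac mac, final String presign, final byte[] keyBytes, final byte[] certEncoded) {
        mac.update(presign.getBytes(DEFAULT_CHARSET));
        mac.update(keyBytes);
        mac.update(certEncoded);
        return mac.doFinal();
    }
}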
