package se.linkon.x2ab.mtb.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64URL;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import se.linkon.x2ab.mtb.domain.exception.MTBSignatureException;
import se.linkon.x2ab.mtb.domain.security.IssuerSignatureAlgorithm;

/* loaded from: classes21.dex */
public class IssuerSignatureUtil {
    private IssuerSignatureUtil() {
    }

    public static byte[] createJWSSignature(byte[] bArr, PrivateKey privateKey, IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws MTBSignatureException, InvalidKeyException {
        try {
            return getJWSSigner(issuerSignatureAlgorithm, privateKey).sign(new JWSHeader(getJWSAlgorithm(issuerSignatureAlgorithm)), bArr).decode();
        } catch (JOSEException e) {
            throw new MTBSignatureException("Failed to create JWS issuer signature", e);
        }
    }

    public static PublicKey createPublicKey(byte[] bArr, IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance(issuerSignatureAlgorithm.getKeyAlgorithm()).generatePublic(new X509EncodedKeySpec(bArr));
    }

    public static byte[] createSignature(byte[] bArr, PrivateKey privateKey, IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        Signature signature = Signature.getInstance(issuerSignatureAlgorithm.getSignatureAlgorithm());
        signature.initSign(privateKey);
        signature.update(bArr);
        return signature.sign();
    }

    private static JWSAlgorithm getJWSAlgorithm(IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws MTBSignatureException {
        if (issuerSignatureAlgorithm == IssuerSignatureAlgorithm.ELLIPTIC_CURVE) {
            return JWSAlgorithm.ES256;
        }
        if (issuerSignatureAlgorithm == IssuerSignatureAlgorithm.RSA) {
            return JWSAlgorithm.RS256;
        }
        throw new MTBSignatureException(String.format("Unsupported algorithm '%s'.", issuerSignatureAlgorithm.getJwaAlgorithm()));
    }

    private static JWSSigner getJWSSigner(IssuerSignatureAlgorithm issuerSignatureAlgorithm, PrivateKey privateKey) throws JOSEException, InvalidKeyException, MTBSignatureException {
        if (issuerSignatureAlgorithm == IssuerSignatureAlgorithm.ELLIPTIC_CURVE) {
            verifyInstanceOf(privateKey, ECPrivateKey.class);
            return new ECDSASigner((ECPrivateKey) privateKey);
        }
        if (issuerSignatureAlgorithm != IssuerSignatureAlgorithm.RSA) {
            throw new MTBSignatureException(String.format("Unsupported algorithm '%s'.", issuerSignatureAlgorithm.getJwaAlgorithm()));
        }
        verifyInstanceOf(privateKey, RSAPrivateKey.class);
        return new RSASSASigner((RSAPrivateKey) privateKey);
    }

    private static JWSVerifier getJWSVerifier(IssuerSignatureAlgorithm issuerSignatureAlgorithm, PublicKey publicKey) throws JOSEException, InvalidKeyException, MTBSignatureException {
        if (issuerSignatureAlgorithm == IssuerSignatureAlgorithm.ELLIPTIC_CURVE) {
            verifyInstanceOf(publicKey, ECPublicKey.class);
            return new ECDSAVerifier((ECPublicKey) publicKey);
        }
        if (issuerSignatureAlgorithm != IssuerSignatureAlgorithm.RSA) {
            throw new MTBSignatureException(String.format("Unsupported algorithm '%s'.", issuerSignatureAlgorithm.getJwaAlgorithm()));
        }
        verifyInstanceOf(publicKey, RSAPublicKey.class);
        return new RSASSAVerifier((RSAPublicKey) publicKey);
    }

    private static void verifyInstanceOf(Key key, Class<?> cls) throws InvalidKeyException {
        if (!cls.isInstance(key)) {
            throw new InvalidKeyException(String.format("Invalid key. Expected %s but was %s.", cls.getSimpleName(), key.getClass().getSimpleName()));
        }
    }

    public static boolean verifyJWSSignature(byte[] bArr, byte[] bArr2, PublicKey publicKey, IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws MTBSignatureException, InvalidKeyException {
        try {
            return getJWSVerifier(issuerSignatureAlgorithm, publicKey).verify(new JWSHeader(getJWSAlgorithm(issuerSignatureAlgorithm)), bArr2, Base64URL.encode(bArr));
        } catch (JOSEException e) {
            throw new MTBSignatureException("Failed to verify JWS issuer signature", e);
        }
    }

    public static boolean verifySignature(byte[] bArr, byte[] bArr2, PublicKey publicKey, IssuerSignatureAlgorithm issuerSignatureAlgorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        Signature signature = Signature.getInstance(issuerSignatureAlgorithm.getSignatureAlgorithm());
        signature.initVerify(publicKey);
        signature.update(bArr2);
        return signature.verify(bArr);
    }
}
