package org.mule.modules.salesforce.analytics.internal.connection.service;

import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Objects;
import org.mule.modules.salesforce.analytics.internal.exception.AnalyticsErrorType;
import org.mule.modules.salesforce.analytics.internal.exception.AnalyticsException;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.SecurityConfiguration;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/mule/modules/salesforce/analytics/internal/connection/service/SignerService.class */
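/**
 * Signs raw payloads and SAML objects with a private key taken from a caller-supplied key store.
 *
 * <p>Both public entry points share the same key-store handling: the store is loaded from the
 * given stream with the given password, the first <em>private-key</em> entry is selected, and its
 * certificate must be an X.509 certificate. The same {@code password} is used for the store and
 * for the key entry itself.
 *
 * <p>Notes for callers:
 * <ul>
 *   <li>The key-store {@link InputStream} is read but never closed here; the caller owns it.</li>
 *   <li>The password array is not cleared here; callers holding it should zero it when done.</li>
 *   <li>The SAML path uses the OpenSAML 2 API ({@code org.opensaml.xml.*}), which is end-of-life
 *       upstream; its default algorithm selection is discussed on {@link #signSAMLObject}.</li>
 * </ul>
 *
 * <p>All failures are reported as {@link AnalyticsException} with
 * {@link AnalyticsErrorType#CONNECTIVITY}, keeping the underlying exception as the cause.
 */
public class SignerService {
    private static final Logger logger = LoggerFactory.getLogger(SignerService.class);

    /**
     * The private key and the matching X.509 certificate of one key-store entry.
     */
    private static final class SigningEntry {
        private final String alias;
        private final PrivateKey privateKey;
        private final X509Certificate certificate;

        private SigningEntry(String alias, PrivateKey privateKey, X509Certificate certificate) {
            this.alias = alias;
            this.privateKey = privateKey;
            this.certificate = certificate;
        }
    }

    /**
     * Signs {@code payload} with the private key found in the key store.
     *
     * <p>The signature algorithm is not chosen by the caller directly: the certificate's own
     * signature algorithm name ({@link X509Certificate#getSigAlgName()}) must match
     * {@code expectedAlgorithm} (case-insensitively), and that name is then used for
     * {@link Signature#getInstance(String)}. Note that {@code getSigAlgName()} describes how the
     * certificate was signed by its issuer; for a self-signed certificate this is the key's own
     * algorithm family, but for a CA-issued certificate it may differ from the private key's
     * algorithm, in which case {@code initSign} rejects the key and an exception is raised.
     *
     * @param expectedAlgorithm the only signature algorithm name accepted, e.g. {@code SHA256withRSA}
     * @param payload the bytes to sign
     * @param keyStoreStream stream holding the key store; not closed by this method
     * @param keyStoreType key-store type passed to {@link KeyStore#getInstance(String)}, e.g. {@code JKS}
     * @param password password for the key store and for the key entry
     * @return the raw signature bytes
     * @throws AnalyticsException if the key store cannot be loaded, holds no usable private-key entry,
     *         its certificate is not X.509, its algorithm is not the expected one, or signing fails
     * @throws NullPointerException if {@code expectedAlgorithm} or {@code payload} is null
     */
    public byte[] signPayload(String expectedAlgorithm, byte[] payload, InputStream keyStoreStream, String keyStoreType, char[] password) {
        Objects.requireNonNull(expectedAlgorithm, "expectedAlgorithm");
        Objects.requireNonNull(payload, "payload");
        SigningEntry entry = loadSigningEntry(keyStoreStream, keyStoreType, password);
        // Policy check first: refuse to sign at all if the certificate is not for the allowed algorithm.
        String algorithm = validateCertificateAlgorithm(expectedAlgorithm, entry.certificate);
        try {
            Signature signature = Signature.getInstance(algorithm);
            signature.initSign(entry.privateKey);
            signature.update(payload);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            // Distinct from the key-store loading message so the failing stage is identifiable in logs.
            throw new AnalyticsException("Unable to sign payload with key store entry \"" + entry.alias + "\". Message: " + e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        }
    }

    /**
     * Loads the key store and resolves the private key and X.509 certificate of the selected entry.
     *
     * @throws AnalyticsException if the selected entry has no private key, has no certificate, the
     *         certificate is not X.509, or the key cannot be recovered (e.g. wrong password)
     */
    private SigningEntry loadSigningEntry(InputStream keyStoreStream, String keyStoreType, char[] password) {
        KeyStore keyStore = loadKeyStore(keyStoreStream, keyStoreType, password);
        String alias = extractAlias(keyStore);
        try {
            // isKeyEntry() is also true for secret-key entries, so the type still has to be checked.
            Key key = keyStore.getKey(alias, password);
            if (!(key instanceof PrivateKey)) {
                throw new AnalyticsException("Keystore entry \"" + alias + "\" does not contain a private key", AnalyticsErrorType.CONNECTIVITY);
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                throw new AnalyticsException("Keystore entry \"" + alias + "\" has no certificate", AnalyticsErrorType.CONNECTIVITY);
            }
            validateCertificateTypeAgainstX509(certificate);
            return new SigningEntry(alias, (PrivateKey) key, (X509Certificate) certificate);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new AnalyticsException("Unable to read private key from key store. Message: " + e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        }
    }

    /**
     * Checks that the certificate's signature algorithm name equals {@code expectedAlgorithm}
     * (case-insensitive) and returns the certificate's spelling of it.
     *
     * @throws AnalyticsException if the names differ
     */
    private String validateCertificateAlgorithm(String expectedAlgorithm, X509Certificate x509Certificate) {
        String sigAlgName = x509Certificate.getSigAlgName();
        if (!expectedAlgorithm.equalsIgnoreCase(sigAlgName)) {
            throw new AnalyticsException(String.format("Algorithm used by keystore: \"%s\", not allowed. Expected algorithm: \"%s\"", sigAlgName, expectedAlgorithm), AnalyticsErrorType.CONNECTIVITY);
        }
        return sigAlgName;
    }

    /**
     * Rejects any certificate that is not an {@link X509Certificate}.
     *
     * @throws AnalyticsException naming the actual certificate class
     */
    private void validateCertificateTypeAgainstX509(Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            throw new AnalyticsException("Unknown certificate type: " + certificate.getClass().getName(), AnalyticsErrorType.CONNECTIVITY);
        }
    }

    /**
     * Instantiates a key store of the given type and loads it from the stream.
     *
     * <p>The stream is intentionally left open: it was opened by the caller, who is responsible
     * for closing it.
     *
     * @throws AnalyticsException if the type is unknown, the stream cannot be read, the password is
     *         wrong, or a certificate in the store cannot be parsed
     */
    private KeyStore loadKeyStore(InputStream keyStoreStream, String keyStoreType, char[] password) {
        try {
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(keyStoreStream, password);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new AnalyticsException("Unable to load key store file. Message: " + e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        }
    }

    /**
     * Picks the alias to sign with: the first alias, in enumeration order, that is a key entry.
     *
     * <p>Trusted-certificate entries are skipped, since they carry no private key. Enumeration
     * order is provider-defined, so a store with several key entries gets a warning naming the
     * one chosen; only the alias is logged, never key material.
     *
     * @throws AnalyticsException if the store is empty or holds no key entry at all
     */
    private String extractAlias(KeyStore keyStore) {
        try {
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                throw new AnalyticsException("Keystore contains no certificate", AnalyticsErrorType.CONNECTIVITY);
            }
            String chosen = null;
            int aliasCount = 0;
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                aliasCount++;
                if (chosen == null && keyStore.isKeyEntry(alias)) {
                    chosen = alias;
                }
            }
            if (chosen == null) {
                throw new AnalyticsException("Keystore contains no private key entry", AnalyticsErrorType.CONNECTIVITY);
            }
            if (aliasCount > 1) {
                logger.warn("There are more than one alias, picked first key entry with name: {}", chosen);
            }
            return chosen;
        } catch (KeyStoreException e) {
            throw new AnalyticsException(e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        }
    }

    /**
     * Attaches an enveloped XML signature to {@code signableSAMLObject} and signs it with the
     * key-store entry's private key, embedding that entry's certificate as the credential.
     *
     * <p>Unlike {@link #signPayload}, no algorithm policy is enforced here: the signature and
     * digest algorithms come from {@link SecurityHelper#prepareSignatureParams} with a
     * {@code null} {@link SecurityConfiguration}, i.e. from OpenSAML's global default
     * configuration. NOTE(review): depending on the OpenSAML 2 version and deployment, that
     * default may still select SHA-1 based algorithms — confirm the effective global
     * configuration, or pass an explicit one, before relying on this for production assertions.
     *
     * <p>The object is marshalled before {@link Signer#signObject} is called, which is the order
     * OpenSAML requires for the DOM to exist when the signature is computed.
     *
     * @param signableSAMLObject the SAML object to sign; its {@code Signature} element is replaced
     * @param keyStoreStream stream holding the key store; not closed by this method
     * @param keyStoreType key-store type passed to {@link KeyStore#getInstance(String)}
     * @param password password for the key store and for the key entry
     * @throws AnalyticsException if the key store or key entry is unusable, signature parameters
     *         cannot be prepared, or marshalling/signing fails
     * @throws NullPointerException if {@code signableSAMLObject} is null
     */
    public void signSAMLObject(SignableSAMLObject signableSAMLObject, InputStream keyStoreStream, String keyStoreType, char[] password) {
        Objects.requireNonNull(signableSAMLObject, "signableSAMLObject");
        SigningEntry entry = loadSigningEntry(keyStoreStream, keyStoreType, password);
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(entry.certificate);
        credential.setPrivateKey(entry.privateKey);
        try {
            org.opensaml.xml.signature.Signature xmlSignature = Configuration.getBuilderFactory().getBuilder(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME).buildObject(org.opensaml.xml.signature.Signature.DEFAULT_ELEMENT_NAME);
            xmlSignature.setSigningCredential(credential);
            SecurityHelper.prepareSignatureParams(xmlSignature, credential, (SecurityConfiguration) null, (String) null);
            signableSAMLObject.setSignature(xmlSignature);
            // Presumably a marshaller is registered for every SignableSAMLObject handed in here;
            // getMarshaller() returning null would surface as a NullPointerException.
            Configuration.getMarshallerFactory().getMarshaller(signableSAMLObject).marshall(signableSAMLObject);
            Signer.signObject(xmlSignature);
        } catch (SecurityException e) {
            throw new AnalyticsException("Unable to prepare SAML signature parameters. Message: " + e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        } catch (MarshallingException | org.opensaml.xml.signature.SignatureException e) {
            // Cause preserved so the XML-level failure is not lost behind the connector's message.
            throw new AnalyticsException(e.getMessage(), AnalyticsErrorType.CONNECTIVITY, e);
        }
    }
}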
