package com.amazonaws.cloudhsm.jce.provider;

import com.amazonaws.cloudhsm.jce.jni.CloudHsmSignature;
import com.amazonaws.cloudhsm.jce.jni.CloudHsmVerify;
import com.amazonaws.cloudhsm.jce.jni.DigestMechanism;
import com.amazonaws.cloudhsm.jce.jni.JniUtility;
import com.amazonaws.cloudhsm.jce.provider.CloudHsmSignatureBase;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.text.MessageFormat;
import java.util.Optional;

/* loaded from: input_file:com/amazonaws/cloudhsm/jce/provider/RsaPssSignature.class */
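/**
 * RSASSA-PSS signature SPI that delegates signing and verification to a CloudHSM session.
 *
 * <p>The PSS parameters accepted by this class are deliberately narrow:
 * <ul>
 *   <li>the mask generation function must be MGF1;</li>
 *   <li>the MGF1 digest must be the same as the PSS message digest;</li>
 *   <li>the trailer field must be {@code 1};</li>
 *   <li>the salt length must be non-negative.</li>
 * </ul>
 * When the instance was constructed with a fixed digest, {@link #engineSetParameter} rejects any
 * {@link PSSParameterSpec} that names a different digest, so a caller cannot downgrade the hash
 * of a digest-specific algorithm through the parameter spec.
 *
 * <p>Instances hold mutable state (key, salt length, digest, session) and perform no
 * synchronisation in this class.
 */
public class RsaPssSignature extends CloudHsmSignatureBase {
    // Salt length in bytes; empty until a digest is bound or a PSSParameterSpec is accepted.
    private Optional<Integer> saltLen;
    // Message digest used for hashing and for MGF1; empty until bound or set via parameters.
    private Optional<DigestMechanism> digestMechanism;
    // Only trailer field value accepted by validateTrailerField.
    private static final int DEFAULT_TRAILER_FIELD = 1;
    private static final String MGF1 = "MGF1";

    /**
     * Creates an instance with no digest or salt length bound. Both must be supplied through
     * {@link #engineSetParameter} before a sign or verify instance can be created.
     *
     * @param cloudHsmProvider provider that owns the keys and sessions used by this instance
     */
    public RsaPssSignature(CloudHsmProvider cloudHsmProvider) {
        super(cloudHsmProvider);
        this.saltLen = Optional.empty();
        this.digestMechanism = Optional.empty();
    }

    /**
     * Creates an instance bound to a fixed digest. The salt length is initialised to the value
     * returned by {@code JniUtility.digestLength(digestMechanism)}.
     *
     * @param digestMechanism digest to use for the message hash and for MGF1
     * @param cloudHsmProvider provider that owns the keys and sessions used by this instance
     */
    public RsaPssSignature(DigestMechanism digestMechanism, CloudHsmProvider cloudHsmProvider) {
        super(cloudHsmProvider);
        this.saltLen = Optional.of(Integer.valueOf(JniUtility.digestLength(digestMechanism)));
        this.digestMechanism = Optional.of(digestMechanism);
    }

    /**
     * Binds the key for the next operation.
     *
     * <p>Only {@link CloudHsmKey} instances that pass {@code KeyUtil.validateKeyProvider} for
     * this provider are accepted, so software keys never reach the native signing path.
     *
     * @param key key to sign or verify with
     * @throws InvalidKeyException if {@code key} is null or is not a {@link CloudHsmKey}
     */
    @Override
    protected void setKey(Key key) throws InvalidKeyException {
        if (key == null) {
            throw new InvalidKeyException(ErrorMessages.SIGNATURE_KEY_REQUIRED_FOR_THIS_OPERATION.getMessage());
        }
        if (!(key instanceof CloudHsmKey)) {
            throw new InvalidKeyException(ErrorMessages.SIGNATURE_NON_CLOUDHSM_KEY_NOT_SUPPORTED.getMessage());
        }
        CloudHsmKey hsmKey = (CloudHsmKey) key;
        KeyUtil.validateKeyProvider(hsmKey, getProvider());
        this.key = Optional.of(hsmKey);
        tryValidateParameters();
    }

    /**
     * Once key, salt length and digest are all present, creates a sign or verify instance for the
     * current mode and discards it. The session is only held for the duration of this call.
     *
     * <p>NOTE(review): presumably this exists so that an unsupported key/parameter combination
     * fails at configuration time rather than on first use - confirm.
     */
    private void tryValidateParameters() {
        if (!this.saltLen.isPresent() || !this.digestMechanism.isPresent() || !this.key.isPresent()) {
            return;
        }
        this.session = Optional.of(getProvider().getSession());
        try {
            // NOTE(review): the decompiled listing dispatched through a synthetic switch map here;
            // index 1 is read as SIGN_MODE and index 2 as VERIFY_MODE because index 1 leads to
            // getSignInstance() and initVerifyInstance() only accepts VERIFY_MODE - confirm
            // against the original bytecode.
            switch (this.opMode) {
                case SIGN_MODE:
                    initSignatureInstance();
                    break;
                case VERIFY_MODE:
                    initVerifyInstance();
                    break;
                default:
                    throw new UnsupportedOperationException(MessageFormat.format(ErrorMessages.SIGNATURE_OPERATION_MODE_NOT_SUPPORTED.getMessage(), this.opMode));
            }
        } finally {
            // Always release the reference so a failed trial does not look like an operation in progress.
            this.session = Optional.empty();
        }
    }

    /**
     * Creates the native signing instance for the current key and parameters.
     *
     * @return the signing instance
     * @throws UnsupportedOperationException if the current mode is not the signing mode
     */
    @Override
    Optional<CloudHsmSignature> initSignatureInstance() {
        // NOTE(review): SIGN_MODE replaces index 1 of the decompiler's synthetic switch map - confirm.
        switch (this.opMode) {
            case SIGN_MODE:
                return getSignInstance();
            default:
                throw new UnsupportedOperationException(MessageFormat.format(ErrorMessages.SIGNATURE_OPERATION_MODE_NOT_SUPPORTED.getMessage(), this.opMode));
        }
    }

    /** Fails when the salt length or the digest has not been set yet. */
    private void requireParametersSet() {
        if (!this.saltLen.isPresent() || !this.digestMechanism.isPresent()) {
            throw ErrorHandling.asCloudhsmException(new IllegalStateException(ErrorMessages.SIGNATURE_RSA_PSS_PARAMETERS_NOT_SET.getMessage()));
        }
    }

    /** Builds the PSS signing instance from the bound key, salt length and digest. */
    private Optional<CloudHsmSignature> getSignInstance() {
        // Resolve the key before checking the parameters, as the original code did.
        CloudHsmKey cloudHsmKey = getCloudHsmKey();
        requireParametersSet();
        try {
            return Optional.of(getSession().rsaPkcsPssSign(cloudHsmKey.getCoreKey(), this.saltLen.get().intValue(), this.digestMechanism.get()));
        } catch (Exception e) {
            throw ErrorHandling.asCloudhsmException(e);
        }
    }

    /**
     * Switches to signing mode, overrides the salt length and creates a signing instance through
     * {@code rsaPkcsPssSignNoDigest}.
     *
     * <p>Not called from within this class. Unlike {@link #tryValidateParameters}, the session
     * assigned here is not cleared afterwards, so a later {@link #engineSetParameter} call is
     * rejected as "operation in progress".
     *
     * @param saltLength salt length in bytes; not range-checked here
     * @param key key to sign with, validated by {@link #setKey}
     * @return the signing instance, also stored in {@code cloudHsmSignature}
     */
    private CloudHsmSignature getSignInstanceNoDigest(int saltLength, Key key) {
        this.opMode = CloudHsmSignatureBase.Mode.SIGN_MODE;
        this.saltLen = Optional.of(Integer.valueOf(saltLength));
        try {
            setKey(key);
            this.session = Optional.of(getProvider().getSession());
            CloudHsmKey cloudHsmKey = getCloudHsmKey();
            requireParametersSet();
            try {
                this.cloudHsmSignature = Optional.of(getSession().rsaPkcsPssSignNoDigest(cloudHsmKey.getCoreKey(), this.saltLen.get().intValue(), this.digestMechanism.get()));
                return this.cloudHsmSignature.get();
            } catch (Exception e) {
                throw ErrorHandling.asCloudhsmException(e);
            }
        } catch (InvalidKeyException e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    /**
     * Creates the native verification instance for the current key and parameters.
     *
     * @return the verification instance
     * @throws UnsupportedOperationException if the current mode is not {@code VERIFY_MODE}
     */
    @Override
    Optional<CloudHsmVerify> initVerifyInstance() {
        switch (this.opMode) {
            case VERIFY_MODE:
                return getVerifyInstance();
            default:
                throw new UnsupportedOperationException(MessageFormat.format(ErrorMessages.SIGNATURE_OPERATION_MODE_NOT_SUPPORTED.getMessage(), this.opMode));
        }
    }

    /** Builds the PSS verification instance from the bound key, salt length and digest. */
    private Optional<CloudHsmVerify> getVerifyInstance() {
        // Resolve the key before checking the parameters, as the original code did.
        CloudHsmKey cloudHsmKey = getCloudHsmKey();
        requireParametersSet();
        try {
            return Optional.of(getSession().rsaPkcsPssVerify(cloudHsmKey.getCoreKey(), this.saltLen.get().intValue(), this.digestMechanism.get()));
        } catch (Exception e) {
            throw ErrorHandling.asCloudhsmException(e);
        }
    }

    /**
     * Switches to verify mode, overrides the salt length and creates a verification instance
     * through {@code rsaPkcsPssVerifyNoDigest}.
     *
     * <p>Not called from within this class. The session assigned here is not cleared afterwards,
     * so a later {@link #engineSetParameter} call is rejected as "operation in progress".
     *
     * @param saltLength salt length in bytes; not range-checked here
     * @param key key to verify with, validated by {@link #setKey}
     * @return the verification instance, also stored in {@code cloudHsmVerify}
     */
    private CloudHsmVerify getVerifyInstanceNoDigest(int saltLength, Key key) {
        this.opMode = CloudHsmSignatureBase.Mode.VERIFY_MODE;
        this.saltLen = Optional.of(Integer.valueOf(saltLength));
        try {
            setKey(key);
            this.session = Optional.of(getProvider().getSession());
            CloudHsmKey cloudHsmKey = getCloudHsmKey();
            requireParametersSet();
            try {
                this.cloudHsmVerify = Optional.of(getSession().rsaPkcsPssVerifyNoDigest(cloudHsmKey.getCoreKey(), this.saltLen.get().intValue(), this.digestMechanism.get()));
                return this.cloudHsmVerify.get();
            } catch (Exception e) {
                throw ErrorHandling.asCloudhsmException(e);
            }
        } catch (InvalidKeyException e2) {
            throw ErrorHandling.asCloudhsmException(e2);
        }
    }

    /**
     * Validates and stores a {@link PSSParameterSpec}.
     *
     * <p>The call is refused while a session is attached. A digest that is already bound cannot
     * be replaced by a different one. The new salt length and digest are stored before
     * {@link #tryValidateParameters} runs, so they remain set if that trial initialisation throws.
     *
     * @param algorithmParameterSpec the PSS parameters to apply
     * @throws InvalidAlgorithmParameterException if the spec is null, is not a
     *     {@link PSSParameterSpec}, or fails any of the digest, salt, trailer or MGF1 checks
     */
    @Override
    protected void engineSetParameter(AlgorithmParameterSpec algorithmParameterSpec) throws InvalidAlgorithmParameterException {
        if (this.session.isPresent()) {
            throw ErrorHandling.asCloudhsmException(new IllegalStateException(ErrorMessages.SIGNATURE_RSA_PSS_OPERATION_IN_PROGESS.getMessage()));
        }
        if (null == algorithmParameterSpec) {
            throw new InvalidAlgorithmParameterException(ErrorMessages.PARAMETER_SPEC_CANNOT_BE_NULL.getMessage());
        }
        if (!(algorithmParameterSpec instanceof PSSParameterSpec)) {
            throw new InvalidAlgorithmParameterException(ErrorMessages.SIGNATURE_RSA_PSS_PARAMETER_SPEC_NOT_PSS.getMessage());
        }
        PSSParameterSpec pssSpec = (PSSParameterSpec) algorithmParameterSpec;
        String digestAlgorithm = pssSpec.getDigestAlgorithm();
        DigestMechanism requestedDigest = Validations.validateDigestString(digestAlgorithm);
        // A digest fixed at construction (or by an earlier call) must not be swapped via the spec.
        if (this.digestMechanism.isPresent() && !this.digestMechanism.get().equals(requestedDigest)) {
            throw new InvalidAlgorithmParameterException(MessageFormat.format(ErrorMessages.SIGNATURE_RSA_PSS_INVALID_DIGEST.getMessage(), digestAlgorithm));
        }
        int requestedSaltLength = getAndValidateSaltLength(pssSpec);
        validateTrailerField(pssSpec);
        validateMGF1ParameterSpec(pssSpec, requestedDigest);
        this.saltLen = Optional.of(Integer.valueOf(requestedSaltLength));
        this.digestMechanism = Optional.of(requestedDigest);
        tryValidateParameters();
    }

    /**
     * Returns the salt length from the spec after rejecting negative values.
     *
     * <p>Zero is accepted, which yields deterministic PSS signatures. No upper bound is applied
     * here; RFC 8017 requires the encoded message to hold the hash, the salt and two further
     * bytes. NOTE(review): an oversized salt is presumably rejected by the native layer or the
     * HSM - confirm, since this method cannot see the key size.
     *
     * @throws InvalidAlgorithmParameterException if the salt length is negative
     */
    private int getAndValidateSaltLength(PSSParameterSpec pSSParameterSpec) throws InvalidAlgorithmParameterException {
        int saltLength = pSSParameterSpec.getSaltLength();
        if (saltLength < 0) {
            throw new InvalidAlgorithmParameterException(ErrorMessages.SIGNATURE_RSA_PSS_INVALID_SALT_LENGTH.getMessage());
        }
        return saltLength;
    }

    /**
     * Rejects any trailer field other than {@code 1}.
     *
     * @throws InvalidAlgorithmParameterException if the trailer field differs
     */
    private void validateTrailerField(PSSParameterSpec pSSParameterSpec) throws InvalidAlgorithmParameterException {
        if (pSSParameterSpec.getTrailerField() != DEFAULT_TRAILER_FIELD) {
            throw new InvalidAlgorithmParameterException(MessageFormat.format(ErrorMessages.SIGNATURE_RSA_PSS_INVALID_TRAILER_FIELD.getMessage(), Integer.valueOf(DEFAULT_TRAILER_FIELD)));
        }
    }

    /**
     * Requires MGF1 as the mask generation function, with an {@link MGF1ParameterSpec} whose
     * digest is the same as the PSS digest.
     *
     * @param pSSParameterSpec spec being validated
     * @param digestMechanism digest already validated for the PSS hash
     * @throws InvalidAlgorithmParameterException if the MGF is not MGF1, its parameters are not
     *     an {@link MGF1ParameterSpec}, or its digest differs from {@code digestMechanism}
     */
    private void validateMGF1ParameterSpec(PSSParameterSpec pSSParameterSpec, DigestMechanism digestMechanism) throws InvalidAlgorithmParameterException {
        // equalsIgnoreCase(null) is false, so a missing MGF name is rejected by the same test.
        if (!MGF1.equalsIgnoreCase(pSSParameterSpec.getMGFAlgorithm())) {
            throw new InvalidAlgorithmParameterException(ErrorMessages.SIGNATURE_RSA_PSS_MGF1_ALGORITHM_ONLY.getMessage());
        }
        AlgorithmParameterSpec mgfParameters = pSSParameterSpec.getMGFParameters();
        if (!(mgfParameters instanceof MGF1ParameterSpec)) {
            throw new InvalidAlgorithmParameterException(ErrorMessages.SIGNATURE_RSA_PSS_MGF_SPEC_NOT_MGF1.getMessage());
        }
        DigestMechanism mgfDigest = Validations.validateDigestString(((MGF1ParameterSpec) mgfParameters).getDigestAlgorithm());
        // NOTE(review): identity comparison, while engineSetParameter uses equals(); the two agree
        // only if DigestMechanism is an enum - confirm. A mismatch here fails closed (rejects).
        if (mgfDigest != digestMechanism) {
            throw new InvalidAlgorithmParameterException(MessageFormat.format(ErrorMessages.SIGNATURE_RSA_PSS_MGF1_DIGEST_DOES_NOT_MATCH_PSS.getMessage(), mgfDigest.toString(), digestMechanism.toString()));
        }
    }
}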
