package com.google.crypto.tink.signature;

import com.google.crypto.tink.KeysetReader;
import com.google.crypto.tink.PemKeyType;
import com.google.crypto.tink.proto.EcdsaParams;
import com.google.crypto.tink.proto.EcdsaSignatureEncoding;
import com.google.crypto.tink.proto.EllipticCurveType;
import com.google.crypto.tink.proto.EncryptedKeyset;
import com.google.crypto.tink.proto.HashType;
import com.google.crypto.tink.proto.KeyData;
import com.google.crypto.tink.proto.KeyStatusType;
import com.google.crypto.tink.proto.Keyset;
import com.google.crypto.tink.proto.OutputPrefixType;
import com.google.crypto.tink.proto.RsaSsaPkcs1Params;
import com.google.crypto.tink.proto.RsaSsaPssParams;
import com.google.crypto.tink.signature.internal.SigUtil;
import com.google.crypto.tink.subtle.Random;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.security.Key;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nullable;

/* loaded from: input_file:com/google/crypto/tink/signature/SignaturePemKeysetReader.class */
public final class SignaturePemKeysetReader implements KeysetReader {
    private List<PemKey> pemKeys;

    /* loaded from: input_file:com/google/crypto/tink/signature/SignaturePemKeysetReader$Builder.class */
    public static final class Builder {
        private List<PemKey> pemKeys = new ArrayList();

        Builder() {
        }

        public KeysetReader build() {
            return new SignaturePemKeysetReader(this.pemKeys);
        }

        @CanIgnoreReturnValue
        public Builder addPem(String str, PemKeyType pemKeyType) {
            PemKey pemKey = new PemKey();
            pemKey.reader = new BufferedReader(new StringReader(str));
            pemKey.type = pemKeyType;
            this.pemKeys.add(pemKey);
            return this;
        }
    }

    /* loaded from: input_file:com/google/crypto/tink/signature/SignaturePemKeysetReader$PemKey.class */
    private static final class PemKey {
        BufferedReader reader;
        PemKeyType type;

        private PemKey() {
        }
    }

    SignaturePemKeysetReader(List<PemKey> list) {
        this.pemKeys = list;
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    @Override // com.google.crypto.tink.KeysetReader
    public Keyset read() throws IOException {
        Keyset.Builder newBuilder = Keyset.newBuilder();
        for (PemKey pemKey : this.pemKeys) {
            Keyset.Key readKey = readKey(pemKey.reader, pemKey.type);
            while (true) {
                Keyset.Key key = readKey;
                if (key != null) {
                    newBuilder.addKey(key);
                    readKey = readKey(pemKey.reader, pemKey.type);
                }
            }
        }
        if (newBuilder.getKeyCount() == 0) {
            throw new IOException("cannot find any key");
        }
        newBuilder.setPrimaryKeyId(newBuilder.getKey(0).getKeyId());
        return newBuilder.m4975build();
    }

    @Override // com.google.crypto.tink.KeysetReader
    public EncryptedKeyset readEncrypted() throws IOException {
        throw new UnsupportedOperationException();
    }

    @Nullable
    private static Keyset.Key readKey(BufferedReader bufferedReader, PemKeyType pemKeyType) throws IOException {
        KeyData convertEcPublicKey;
        Key readKey = pemKeyType.readKey(bufferedReader);
        if (readKey == null) {
            return null;
        }
        if (readKey instanceof RSAPublicKey) {
            convertEcPublicKey = convertRsaPublicKey(pemKeyType, (RSAPublicKey) readKey);
        } else {
            if (!(readKey instanceof ECPublicKey)) {
                return null;
            }
            convertEcPublicKey = convertEcPublicKey(pemKeyType, (ECPublicKey) readKey);
        }
        return Keyset.Key.newBuilder().setKeyData(convertEcPublicKey).setStatus(KeyStatusType.ENABLED).setOutputPrefixType(OutputPrefixType.RAW).setKeyId(Random.randInt()).m5040build();
    }

    private static KeyData convertRsaPublicKey(PemKeyType pemKeyType, RSAPublicKey rSAPublicKey) throws IOException {
        if (pemKeyType.algorithm.equals("RSASSA-PKCS1-v1_5")) {
            return KeyData.newBuilder().setTypeUrl(RsaSsaPkcs1VerifyKeyManager.getKeyType()).setValue(com.google.crypto.tink.proto.RsaSsaPkcs1PublicKey.newBuilder().setVersion(0).setParams(RsaSsaPkcs1Params.newBuilder().setHashType(getHashType(pemKeyType)).m5826build()).setE(SigUtil.toUnsignedIntByteString(rSAPublicKey.getPublicExponent())).setN(SigUtil.toUnsignedIntByteString(rSAPublicKey.getModulus())).m5956build().toByteString()).setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC).m4776build();
        }
        if (!pemKeyType.algorithm.equals("RSASSA-PSS")) {
            throw new IOException("unsupported RSA signature algorithm: " + pemKeyType.algorithm);
        }
        return KeyData.newBuilder().setTypeUrl(RsaSsaPssVerifyKeyManager.getKeyType()).setValue(com.google.crypto.tink.proto.RsaSsaPssPublicKey.newBuilder().setVersion(0).setParams(RsaSsaPssParams.newBuilder().setSigHash(getHashType(pemKeyType)).setMgf1Hash(getHashType(pemKeyType)).setSaltLength(getDigestSizeInBytes(pemKeyType)).m6087build()).setE(SigUtil.toUnsignedIntByteString(rSAPublicKey.getPublicExponent())).setN(SigUtil.toUnsignedIntByteString(rSAPublicKey.getModulus())).m6217build().toByteString()).setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC).m4776build();
    }

    private static KeyData convertEcPublicKey(PemKeyType pemKeyType, ECPublicKey eCPublicKey) throws IOException {
        if (!pemKeyType.algorithm.equals("ECDSA")) {
            throw new IOException("unsupported EC signature algorithm: " + pemKeyType.algorithm);
        }
        return KeyData.newBuilder().setTypeUrl(EcdsaVerifyKeyManager.getKeyType()).setValue(com.google.crypto.tink.proto.EcdsaPublicKey.newBuilder().setVersion(0).setParams(EcdsaParams.newBuilder().setHashType(getHashType(pemKeyType)).setCurve(getCurveType(pemKeyType)).setEncoding(EcdsaSignatureEncoding.DER).m2081build()).setX(SigUtil.toUnsignedIntByteString(eCPublicKey.getW().getAffineX())).setY(SigUtil.toUnsignedIntByteString(eCPublicKey.getW().getAffineY())).m2211build().toByteString()).setKeyMaterialType(KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC).m4776build();
    }

    private static HashType getHashType(PemKeyType pemKeyType) {
        switch (pemKeyType.hash) {
            case SHA256:
                return HashType.SHA256;
            case SHA384:
                return HashType.SHA384;
            case SHA512:
                return HashType.SHA512;
            default:
                throw new IllegalArgumentException("unsupported hash type: " + pemKeyType.hash.name());
        }
    }

    private static int getDigestSizeInBytes(PemKeyType pemKeyType) {
        switch (pemKeyType.hash) {
            case SHA256:
                return 32;
            case SHA384:
                return 48;
            case SHA512:
                return 64;
            default:
                throw new IllegalArgumentException("unsupported hash type: " + pemKeyType.hash.name());
        }
    }

    private static EllipticCurveType getCurveType(PemKeyType pemKeyType) {
        switch (pemKeyType.keySizeInBits) {
            case 256:
                return EllipticCurveType.NIST_P256;
            case 384:
                return EllipticCurveType.NIST_P384;
            case 521:
                return EllipticCurveType.NIST_P521;
            default:
                throw new IllegalArgumentException("unsupported curve for key size: " + pemKeyType.keySizeInBits);
        }
    }
}
