package org.xipki.scep.message;

import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.xipki.scep.util.ScepHashAlgo;
import org.xipki.scep.util.ScepUtil;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;

/* loaded from: input_file:org/xipki/scep/message/NextCaMessage.class */
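/**
 * Holder for a CA certificate plus optional RA certificates that can be
 * encoded as a signed CMS structure.
 *
 * <p>{@link #encode} first packs the certificates into a certs-only
 * SignedData (absent content, no signers) and then encapsulates those bytes
 * in a second SignedData that is signed with the supplied key.
 *
 * <p>The class is mutable and performs no synchronization of its own.
 */
public class NextCaMessage {
    private X509Certificate caCert;
    // Either null (no RA certificates) or an unmodifiable defensive copy.
    private List<X509Certificate> raCerts;

    /**
     * Returns the CA certificate.
     *
     * @return the CA certificate, or {@code null} if none has been set
     */
    public X509Certificate getCaCert() {
        return this.caCert;
    }

    /**
     * Sets the CA certificate that {@link #encode} places first in the
     * inner certificate set.
     *
     * @param x509Certificate the CA certificate
     */
    public void setCaCert(X509Certificate x509Certificate) {
        this.caCert = x509Certificate;
    }

    /**
     * Returns the RA certificates.
     *
     * @return an unmodifiable list, or {@code null} if none have been set
     */
    public List<X509Certificate> getRaCerts() {
        return this.raCerts;
    }

    /**
     * Sets the RA certificates. The given list is copied, so later changes
     * made by the caller do not affect this message.
     *
     * @param list the RA certificates; a list that {@code CollectionUtil.isEmpty}
     *             reports as empty clears the field to {@code null}
     */
    public void setRaCerts(List<X509Certificate> list) {
        // Typed copy instead of the raw ArrayList, which hid an unchecked conversion.
        this.raCerts = CollectionUtil.isEmpty(list)
                ? null
                : Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Encodes this message as a signed CMS ContentInfo.
     *
     * <p>Security note: the signature algorithm is fixed to SHA-1 with RSA.
     * SHA-1 is no longer considered collision resistant, so relying parties
     * should not treat this signature as strong evidence on its own.
     * NOTE(review): the digest is presumably pinned for compatibility with
     * clients whose capabilities are unknown; confirm before changing it,
     * because a different digest alters what peers must be able to verify.
     *
     * @param privateKey         key used to sign the outer SignedData; must be an RSA key
     * @param x509Certificate    certificate identifying the signer
     * @param x509CertificateArr certificates handed to
     *                           {@code ScepUtil.addCmsCertSet} for the outer SignedData
     * @return the ASN.1 structure of the outer SignedData
     * @throws MessageEncodingException      if a certificate cannot be encoded or the
     *                                       CMS structure cannot be built
     * @throws UnsupportedOperationException if {@code privateKey} is not an RSA key
     */
    public ContentInfo encode(PrivateKey privateKey, X509Certificate x509Certificate, X509Certificate[] x509CertificateArr) throws MessageEncodingException {
        Args.notNull(privateKey, "signingKey");
        Args.notNull(x509Certificate, "signerCert");
        // Report an unset CA certificate up front, in the same way as the other
        // preconditions, instead of dereferencing null inside the encoder.
        Args.notNull(this.caCert, "caCert");
        // One flat try: the nested form declared a second handler for
        // CertificateEncodingException that could never be reached.
        try {
            // Inner layer: certs-only SignedData carrying the CA and RA certificates.
            CMSSignedDataGenerator certsOnlyGenerator = new CMSSignedDataGenerator();
            certsOnlyGenerator.addCertificate(new X509CertificateHolder(this.caCert.getEncoded()));
            if (CollectionUtil.isNotEmpty(this.raCerts)) {
                for (X509Certificate raCert : this.raCerts) {
                    certsOnlyGenerator.addCertificate(new X509CertificateHolder(raCert.getEncoded()));
                }
            }
            byte[] certsOnlyBytes = certsOnlyGenerator.generate(new CMSAbsentContent()).getEncoded();

            // Outer layer: SignedData over the inner bytes, signed by the caller's key.
            CMSSignedDataGenerator signedGenerator = new CMSSignedDataGenerator();
            ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(privateKey, ScepHashAlgo.SHA1)).build(privateKey);
            JcaSignerInfoGeneratorBuilder signerInfoBuilder = new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
            signerInfoBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator());
            signedGenerator.addSignerInfoGenerator(signerInfoBuilder.build(signer, x509Certificate));
            CMSProcessableByteArray content = new CMSProcessableByteArray(CMSObjectIdentifiers.signedData, certsOnlyBytes);
            ScepUtil.addCmsCertSet(signedGenerator, x509CertificateArr);
            // 'true' encapsulates the inner bytes in the outer SignedData.
            return signedGenerator.generate(content, true).toASN1Structure();
        } catch (CertificateEncodingException e) {
            throw new MessageEncodingException(e.getMessage(), e);
        } catch (CMSException | IOException | OperatorCreationException e) {
            throw new MessageEncodingException(e);
        }
    }

    /**
     * Builds the JCA signature algorithm name for the given key and digest.
     *
     * @param privateKey   key whose algorithm selects the signature scheme
     * @param scepHashAlgo digest whose name prefixes the algorithm name
     * @return the digest name followed by {@code "withRSA"}
     * @throws UnsupportedOperationException if the key algorithm is not RSA
     */
    private static String getSignatureAlgorithm(PrivateKey privateKey, ScepHashAlgo scepHashAlgo) {
        if (!"RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
            throw new UnsupportedOperationException("getSignatureAlgorithm() for non-RSA is not supported yet.");
        }
        return scepHashAlgo.getName() + "withRSA";
    }
}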
