// 
// Decompiled by Procyon v0.6.0
// 

package com.google.crypto.tink.jwt;

import com.google.crypto.tink.proto.KeyData;
import com.google.protobuf.MessageLite;
import com.google.protobuf.Parser;
import com.google.crypto.tink.internal.LegacyKeyManagerImpl;
import com.google.crypto.tink.internal.MutableParametersRegistry;
import com.google.crypto.tink.internal.MutablePrimitiveRegistry;
import com.google.crypto.tink.jwt.internal.JwtEcdsaProtoSerialization;
import com.google.crypto.tink.internal.MutableKeyCreationRegistry;
import com.google.crypto.tink.internal.KeyManagerRegistry;
import java.util.Collections;
import java.util.HashMap;
import com.google.crypto.tink.Parameters;
import java.util.Map;
import java.security.KeyPair;
import com.google.crypto.tink.util.SecretBigInteger;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import com.google.crypto.tink.subtle.EllipticCurves;
import javax.annotation.Nullable;
import java.nio.charset.StandardCharsets;
import com.google.crypto.tink.PublicKeySign;
import com.google.crypto.tink.subtle.EcdsaSignJce;
import com.google.crypto.tink.AccessesPartialKey;
import java.security.GeneralSecurityException;
import com.google.crypto.tink.signature.EcdsaPrivateKey;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.internal.KeyCreator;
import com.google.crypto.tink.internal.PrimitiveConstructor;
import com.google.crypto.tink.KeyManager;
import com.google.crypto.tink.PrivateKeyManager;

public final class JwtEcdsaSignKeyManager
{
    private static final PrivateKeyManager<Void> legacyPrivateKeyManager;
    private static final KeyManager<Void> legacyPublicKeyManager;
    private static final PrimitiveConstructor<JwtEcdsaPrivateKey, JwtPublicKeySign> PRIMITIVE_CONSTRUCTOR;
    private static final KeyCreator<JwtEcdsaParameters> KEY_CREATOR;
    private static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS;
    
    @AccessesPartialKey
    private static EcdsaPrivateKey toEcdsaPrivateKey(final JwtEcdsaPrivateKey privateKey) throws GeneralSecurityException {
        return privateKey.getEcdsaPrivateKey();
    }
    
    static JwtPublicKeySign createFullPrimitive(final JwtEcdsaPrivateKey privateKey) throws GeneralSecurityException {
        final EcdsaPrivateKey ecdsaPrivateKey = toEcdsaPrivateKey(privateKey);
        final PublicKeySign signer = EcdsaSignJce.create(ecdsaPrivateKey);
        final String algorithm = privateKey.getParameters().getAlgorithm().getStandardName();
        return new JwtPublicKeySign() {
            @Override
            public String signAndEncode(final RawJwt rawJwt) throws GeneralSecurityException {
                final String unsignedCompact = JwtFormat.createUnsignedCompact(algorithm, privateKey.getPublicKey().getKid(), rawJwt);
                return JwtFormat.createSignedCompact(unsignedCompact, signer.sign(unsignedCompact.getBytes(StandardCharsets.US_ASCII)));
            }
        };
    }
    
    @AccessesPartialKey
    private static JwtEcdsaPrivateKey createKey(final JwtEcdsaParameters parameters, @Nullable final Integer idRequirement) throws GeneralSecurityException {
        final KeyPair keyPair = EllipticCurves.generateKeyPair(parameters.getAlgorithm().getEcParameterSpec());
        final ECPublicKey pubKey = (ECPublicKey)keyPair.getPublic();
        final ECPrivateKey privKey = (ECPrivateKey)keyPair.getPrivate();
        final JwtEcdsaPublicKey.Builder publicKeyBuilder = JwtEcdsaPublicKey.builder().setParameters(parameters).setPublicPoint(pubKey.getW());
        if (idRequirement != null) {
            publicKeyBuilder.setIdRequirement(idRequirement);
        }
        return JwtEcdsaPrivateKey.create(publicKeyBuilder.build(), SecretBigInteger.fromBigInteger(privKey.getS(), InsecureSecretKeyAccess.get()));
    }
    
    private JwtEcdsaSignKeyManager() {
    }
    
    static String getKeyType() {
        return "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey";
    }
    
    private static Map<String, Parameters> namedParameters() throws GeneralSecurityException {
        final Map<String, Parameters> result = new HashMap<String, Parameters>();
        result.put("JWT_ES256_RAW", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES256).setKidStrategy(JwtEcdsaParameters.KidStrategy.IGNORED).build());
        result.put("JWT_ES256", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES256).setKidStrategy(JwtEcdsaParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        result.put("JWT_ES384_RAW", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES384).setKidStrategy(JwtEcdsaParameters.KidStrategy.IGNORED).build());
        result.put("JWT_ES384", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES384).setKidStrategy(JwtEcdsaParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        result.put("JWT_ES512_RAW", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES512).setKidStrategy(JwtEcdsaParameters.KidStrategy.IGNORED).build());
        result.put("JWT_ES512", JwtEcdsaParameters.builder().setAlgorithm(JwtEcdsaParameters.Algorithm.ES512).setKidStrategy(JwtEcdsaParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        return Collections.unmodifiableMap((Map<? extends String, ? extends Parameters>)result);
    }
    
    public static void registerPair(final boolean newKeyAllowed) throws GeneralSecurityException {
        if (!JwtEcdsaSignKeyManager.FIPS.isCompatible()) {
            throw new GeneralSecurityException("Can not use ECDSA in FIPS-mode, as BoringCrypto module is not available.");
        }
        KeyManagerRegistry.globalInstance().registerKeyManagerWithFipsCompatibility(JwtEcdsaSignKeyManager.legacyPrivateKeyManager, JwtEcdsaSignKeyManager.FIPS, newKeyAllowed);
        KeyManagerRegistry.globalInstance().registerKeyManagerWithFipsCompatibility(JwtEcdsaSignKeyManager.legacyPublicKeyManager, JwtEcdsaSignKeyManager.FIPS, false);
        MutableKeyCreationRegistry.globalInstance().add(JwtEcdsaSignKeyManager.KEY_CREATOR, JwtEcdsaParameters.class);
        JwtEcdsaProtoSerialization.register();
        MutablePrimitiveRegistry.globalInstance().registerPrimitiveConstructor(JwtEcdsaVerifyKeyManager.PRIMITIVE_CONSTRUCTOR);
        MutablePrimitiveRegistry.globalInstance().registerPrimitiveConstructor(JwtEcdsaSignKeyManager.PRIMITIVE_CONSTRUCTOR);
        MutableParametersRegistry.globalInstance().putAll(namedParameters());
    }
    
    static {
        legacyPrivateKeyManager = LegacyKeyManagerImpl.createPrivateKeyManager(getKeyType(), Void.class, com.google.crypto.tink.proto.JwtEcdsaPrivateKey.parser());
        legacyPublicKeyManager = LegacyKeyManagerImpl.create(JwtEcdsaVerifyKeyManager.getKeyType(), Void.class, KeyData.KeyMaterialType.ASYMMETRIC_PUBLIC, com.google.crypto.tink.proto.JwtEcdsaPublicKey.parser());
        PRIMITIVE_CONSTRUCTOR = PrimitiveConstructor.create(JwtEcdsaSignKeyManager::createFullPrimitive, JwtEcdsaPrivateKey.class, JwtPublicKeySign.class);
        KEY_CREATOR = JwtEcdsaSignKeyManager::createKey;
        FIPS = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO;
    }
}