package pl.unizeto.android.cryptoapi.etsi;

import iaik.asn1.ASN1;
import iaik.asn1.CodingException;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.cms.CMSException;
import iaik.cms.CMSParsingException;
import iaik.cms.SignedDataStream;
import iaik.cms.SignerInfo;
import iaik.cms.attributes.CMSContentType;
import iaik.cms.attributes.SigningTime;
import iaik.smime.ess.SigningCertificate;
import iaik.utils.ASN1InputStream;
import iaik.utils.Util;
import iaik.x509.X509Certificate;
import iaik.x509.attr.AttributeCertificate;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.output.ByteArrayOutputStream;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.unizeto.android.cryptoapi.SignProperties;
import pl.unizeto.android.cryptoapi.exception.PKIErrorCode;
import pl.unizeto.android.cryptoapi.exception.PKIException;
import pl.unizeto.android.cryptoapi.pdf.PDFSignProperties;
import pl.unizeto.android.cryptoapi.util.SignatureType;
import pl.unizeto.android.cryptoapi.util.cert.CertificateInfoUtil;
import pl.unizeto.android.cryptoapi.util.cert.CertificateUsage;
import pl.unizeto.android.cryptoapi.util.key.KeyUtils;
import pl.unizeto.android.cryptoapi.util.policy.PolicyInfoUtil;
import pl.unizeto.pki.electronicsignaturepolicies.SignaturePolicy;

/* loaded from: classes.dex */
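/**
 * Facade for creating and inspecting CMS/CAdES signatures with the IAIK toolkit.
 *
 * <p>An instance holds mutable, unsynchronized state (sign properties and an optional
 * signature policy), so configure it before use and do not share it between threads
 * without external locking.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The fallback digest in {@link #getHashAlg()} is SHA-1, which is no longer considered
 *       collision resistant. Callers should configure a stronger algorithm explicitly.</li>
 *   <li>{@link #getContent(InputStream, OutputStream)} extracts the embedded content without
 *       verifying any signature. Its output must not be treated as authenticated.</li>
 *   <li>{@link #verify(X509Certificate, byte[], byte[])} performs the cryptographic signature
 *       checks only. No certificate path, validity-period or revocation checking is visible
 *       in this class; that has to happen elsewhere before a signer is trusted.</li>
 * </ul>
 */
public class UniETSI {
    // SHA-1 is kept as the fallback for compatibility with existing callers.
    // NOTE(review): it is deprecated for digital signatures; prefer setting
    // PDFSignProperties.SIGNATURE_HASH_ALGORITHM_NAME to a SHA-2 family algorithm.
    private static final String DEFAULT_HASH_ALGORITHM_NAME = "SHA-1";

    // Values returned by SignedDataStream.getMode(): 1 = content embedded in the
    // signature (implicit), 2 = detached signature (explicit).
    private static final int CMS_MODE_IMPLICIT = 1;
    private static final int CMS_MODE_EXPLICIT = 2;

    private static final Logger log = LoggerFactory.getLogger(UniETSI.class.getSimpleName());
    private SignProperties signProperties = new SignProperties();
    private SignaturePolicy signaturePolicy;

    private UniETSI() {
    }

    /**
     * Checks that the verified signer certificate is the one referenced by the given signer info
     * and logs the authorization and policy certificates named by the SigningCertificate attribute.
     *
     * @param signingCertificate the ESS SigningCertificate attribute, or {@code null} to skip the
     *     attribute-based logging
     * @param x509Certificate the certificate that verified the signature
     * @param signedDataStream the parsed SignedData
     * @param i zero-based index of the signer info being checked
     * @throws CMSException if the certificate is not the one identified by the signer info
     */
    private void checkSigningCertificate(SigningCertificate signingCertificate, X509Certificate x509Certificate, SignedDataStream signedDataStream, int i) throws CMSException {
        if (!signedDataStream.getSignerInfos()[i].isSignerCertificate(x509Certificate)) {
            throw new CMSException("Cert ERROR!!! The certificate used for signing is not the one identified by the SignerCertificate attribute!");
        }
        log.debug("SigningCertificate attribute: Signer cert ok!");
        if (signingCertificate == null) {
            return;
        }
        Certificate[] authorizedCertificates = signingCertificate.getAuthorizedCertificates(signedDataStream.getCertificates());
        if (authorizedCertificates != null) {
            log.debug("SignedData contains the following authorization certs for SignerInfo No " + (i + 1) + ":");
            logCertificates(authorizedCertificates);
        }
        if (signingCertificate.countPolicies() <= 0) {
            return;
        }
        Certificate[] policyInformationCerts = signingCertificate.getPolicyInformationCerts(signedDataStream.getCertificates());
        if (policyInformationCerts == null) {
            return;
        }
        log.debug("SignedData contains the following certs corresponding to policy informations of SignerInfo No " + (i + 1) + ":");
        logCertificates(policyInformationCerts);
    }

    /** Logs each certificate as either a public key certificate or an attribute certificate. */
    private void logCertificates(Certificate[] certificates) {
        for (Certificate certificate : certificates) {
            if (certificate.getType().equalsIgnoreCase("X.509")) {
                log.debug("X.509 public key cert: " + ((X509Certificate) certificate).getSubjectDN());
            } else {
                log.debug("X.509 attribute cert: " + ((AttributeCertificate) certificate).getHolder());
            }
        }
    }

    /**
     * Loads one of the two signature policies bundled on the classpath.
     *
     * @param z {@code true} selects {@code policy/cades_qualified.spol}, {@code false} selects
     *     {@code policy/cades.spol}
     * @return the parsed policy
     * @throws IOException if reading or closing the resource fails
     * @throws UniETSIException if the resource is not valid ASN.1
     * @throws RuntimeException if the resource is missing from the classpath
     */
    private SignaturePolicy getDefaultSignaturePolicy(boolean z) throws IOException, UniETSIException {
        String resourcePath = z ? "policy/cades_qualified.spol" : "policy/cades.spol";
        // try-with-resources closes the classpath stream; the original left it open.
        try (InputStream policyStream = getClass().getClassLoader().getResourceAsStream(resourcePath)) {
            if (policyStream == null) {
                throw new RuntimeException("Nie znaleziono pliku polityki podpisu: " + resourcePath);
            }
            return new SignaturePolicy(new ASN1(policyStream).toASN1Object());
        } catch (CodingException e) {
            log.error("Błąd podczas ustawiania polityki podpisu", e);
            throw new UniETSIException(PKIErrorCode.UNI_ETSI_LOADING_SIGNATURE_POLICY_FAILED, new String[0]);
        }
    }

    /** Returns the explicitly configured policy, or the bundled non-qualified default. */
    private SignaturePolicy resolveSignaturePolicy() throws IOException, UniETSIException {
        return this.signaturePolicy != null ? this.signaturePolicy : getDefaultSignaturePolicy(false);
    }

    /** Rejects certificates that {@link CertificateUsage} does not accept for digital signatures. */
    private static void requireDigitalSignatureUsage(X509Certificate x509Certificate) throws UniETSIException {
        if (!CertificateUsage.isForDigitalSignature(x509Certificate)) {
            throw new UniETSIException(PKIErrorCode.CERTIFICATE_IS_NOT_FOR_DIGITAL_SIGNATURE, CertificateInfoUtil.getSubjectAndSerialNumberString(x509Certificate));
        }
    }

    /**
     * Creates a new, independently configured instance.
     *
     * @return a fresh {@code UniETSI}; despite the name this is not a singleton
     */
    public static UniETSI getInstance() {
        return new UniETSI();
    }

    /**
     * Adds a signature by delegating to {@code SignatureBuilder.addSign}.
     *
     * @param inputStream first input stream handed to the builder; must not be {@code null}
     * @param inputStream2 second input stream handed to the builder; not checked here
     *     (NOTE(review): presumably the detached content, confirm against SignatureBuilder)
     * @param x509Certificate signer certificate; must match {@code privateKey} and be usable for
     *     digital signatures
     * @param privateKey signing key; must not be {@code null}
     * @param outputStream destination for the result; must not be {@code null}
     * @throws IllegalArgumentException if a required argument is {@code null} or the key does not
     *     match the certificate
     * @throws UniETSIException with its original error code when the policy cannot be loaded or
     *     the certificate usage is rejected, or with {@code EXTERNAL_EXCEPTION} for other failures
     */
    public void addSign(InputStream inputStream, InputStream inputStream2, X509Certificate x509Certificate, PrivateKey privateKey, OutputStream outputStream) throws UniETSIException {
        if (inputStream == null) {
            throw new IllegalArgumentException("is is null");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        if (outputStream == null) {
            throw new IllegalArgumentException("os is null");
        }
        // Same guard as sign(): fail with a clear message instead of passing null to KeyUtils.
        if (privateKey == null) {
            throw new IllegalArgumentException("privateKey is null");
        }
        if (!KeyUtils.isKeyPair(privateKey, x509Certificate.getPublicKey())) {
            throw new IllegalArgumentException("Signing key and certificate public key are not pair");
        }
        try {
            SignaturePolicy effectivePolicy = resolveSignaturePolicy();
            requireDigitalSignatureUsage(x509Certificate);
            new SignatureBuilder().addSign(inputStream, inputStream2, x509Certificate, privateKey, effectivePolicy, false, this.signProperties, outputStream);
        } catch (UniETSIException e) {
            // Keep the specific error code instead of masking it as EXTERNAL_EXCEPTION.
            log.error("Błąd podczas podpisywania", e);
            throw e;
        } catch (Exception e) {
            log.error("Błąd podczas podpisywania", e);
            throw new UniETSIException(e, PKIErrorCode.EXTERNAL_EXCEPTION, e.getClass().getName());
        }
    }

    /**
     * Copies the content embedded in an implicit (enveloping) signature to {@code outputStream}.
     *
     * <p>No signature is verified here: the bytes written are whatever the container carries.
     * Verify the signature separately before acting on the extracted content.
     *
     * @param inputStream encoded SignedData; must not be {@code null}
     * @param outputStream destination for the content; must not be {@code null}
     * @throws IllegalArgumentException if an argument is {@code null} or the signature is detached
     * @throws UniETSIException if the input cannot be parsed as SignedData
     * @throws IOException if copying fails
     */
    public void getContent(InputStream inputStream, OutputStream outputStream) throws UniETSIException, IOException {
        if (inputStream == null) {
            throw new IllegalArgumentException("signature is null");
        }
        if (outputStream == null) {
            throw new IllegalArgumentException("os is null");
        }
        try {
            SignedDataStream signedDataStream = new SignedDataStream(new ASN1InputStream(inputStream));
            if (signedDataStream.getMode() != CMS_MODE_IMPLICIT) {
                throw new IllegalArgumentException("wymagany podpis wewnętrzny");
            }
            IOUtils.copy(signedDataStream.getInputStream(), outputStream);
        } catch (CMSParsingException e) {
            log.error("Błąd podczas wczytywania podpisu", e);
            throw new UniETSIException(PKIErrorCode.UNI_ETSI_SIGNATURE_NOT_SIGNED, new String[0]);
        }
    }

    /**
     * Resolves the digest algorithm named in the sign properties.
     *
     * <p>When the property is missing or blank the method falls back to SHA-1 and logs a warning,
     * because SHA-1 is not a safe choice for new signatures.
     *
     * @return the algorithm identifier for the configured or default name
     * @throws IllegalArgumentException if the name is not known to {@link AlgorithmID}
     */
    public AlgorithmID getHashAlg() throws IllegalArgumentException {
        String algorithmName = StringUtils.trimToNull((String) getSignProperties().get(PDFSignProperties.SIGNATURE_HASH_ALGORITHM_NAME));
        if (algorithmName == null) {
            // Raised from debug to warn so that a silent fallback to a weak digest is visible.
            log.warn("Using default hash algorithm: SHA-1");
            algorithmName = DEFAULT_HASH_ALGORITHM_NAME;
        }
        AlgorithmID algorithmID = AlgorithmID.getAlgorithmID(algorithmName);
        if (algorithmID == null) {
            throw new IllegalArgumentException("Invalid PDF signature algorithm name: " + algorithmName);
        }
        return algorithmID;
    }

    /**
     * Returns the sign properties, creating a {@link PDFSignProperties} if none are set.
     *
     * @return the current properties, never {@code null}
     */
    public SignProperties getSignProperties() {
        if (this.signProperties == null) {
            this.signProperties = new PDFSignProperties();
        }
        return this.signProperties;
    }

    /**
     * Reports whether the given SignedData embeds its content or is detached.
     *
     * @param inputStream encoded SignedData; must not be {@code null}
     * @return {@code IMPLICIT} when the content is embedded, otherwise {@code EXPLICIT}
     * @throws IllegalArgumentException if {@code inputStream} is {@code null}
     * @throws UniETSIException if the input cannot be parsed as SignedData
     * @throws IOException if reading fails
     */
    public SignatureType getSignatureType(InputStream inputStream) throws UniETSIException, IOException {
        if (inputStream == null) {
            throw new IllegalArgumentException("signature is null");
        }
        try {
            int mode = new SignedDataStream(new ASN1InputStream(inputStream)).getMode();
            return mode == CMS_MODE_IMPLICIT ? SignatureType.IMPLICIT : SignatureType.EXPLICIT;
        } catch (CMSParsingException e) {
            log.error("Błąd podczas wczytywania podpisu", e);
            throw new UniETSIException(PKIErrorCode.UNI_ETSI_SIGNATURE_NOT_SIGNED, new String[0]);
        }
    }

    /**
     * Lists the signatures found in the input by delegating to {@code VerificationFacade}.
     *
     * @param inputStream encoded signature; must not be {@code null}
     * @return the signature descriptions produced by the facade
     * @throws IllegalArgumentException if {@code inputStream} is {@code null}
     * @throws IOException if reading fails or the ASN.1 structure cannot be decoded
     * @throws PKIException if CMS processing fails
     */
    public List<ETSISignatureInfo> getSignatures(InputStream inputStream) throws IOException, PKIException {
        if (inputStream == null) {
            throw new IllegalArgumentException("signature is null");
        }
        try {
            return new VerificationFacade().getSignatures(inputStream);
        } catch (CodingException e) {
            log.error("Błąd podczas tworzenia drzewa sygnatur", e);
            // Keep the decoding failure as the cause so callers can see why parsing failed.
            throw new IOException(e.getMessage(), e);
        } catch (CMSException e2) {
            log.error("Błąd podczas tworzenia drzewa sygnatur", e2);
            throw new PKIException(e2);
        }
    }

    /**
     * Replaces the sign properties passed to the signature builder.
     *
     * @param signProperties the new properties; stored as given, including {@code null}
     */
    public void setSignProperties(SignProperties signProperties) {
        this.signProperties = signProperties;
    }

    /**
     * Reads a signature policy from a stream and installs it.
     *
     * <p>The whole stream is buffered in memory before parsing. The stream is not closed here.
     *
     * @param inputStream encoded policy, or {@code null} to clear the configured policy
     * @throws UniETSIException if the policy cannot be decoded
     * @throws IOException if reading fails
     */
    public void setSignaturePolicy(InputStream inputStream) throws UniETSIException, IOException {
        if (inputStream == null) {
            this.signaturePolicy = null;
            return;
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        IOUtils.copy(inputStream, buffer);
        setSignaturePolicy(buffer.toByteArray());
    }

    /**
     * Parses and installs a signature policy.
     *
     * <p>NOTE(review): the bytes are only decoded; no check of the policy's origin or integrity
     * is visible here, so the caller is responsible for where the policy comes from.
     *
     * @param bArr encoded policy, or {@code null} to clear the configured policy
     * @throws UniETSIException if the policy cannot be decoded
     */
    public void setSignaturePolicy(byte[] bArr) throws UniETSIException {
        if (bArr == null) {
            this.signaturePolicy = null;
            return;
        }
        try {
            this.signaturePolicy = new SignaturePolicy(new ASN1(bArr).toASN1Object());
            if (log.isDebugEnabled()) {
                log.debug("Ustawiono politykę podpisu: " + PolicyInfoUtil.getPolicyURL(this.signaturePolicy) + " (" + this.signaturePolicy.getSignPolicyInfo().getSignPolicyIdentifier().getID() + ")");
            }
        } catch (CodingException e) {
            log.error("Błąd podczas ustawiania polityki podpisu", e);
            throw new UniETSIException(PKIErrorCode.UNI_ETSI_LOADING_SIGNATURE_POLICY_FAILED, new String[0]);
        }
    }

    /**
     * Signs the input by delegating to {@code SignatureBuilder.sign}.
     *
     * @param inputStream data to sign; must not be {@code null}
     * @param x509Certificate signer certificate; must match {@code privateKey} and be usable for
     *     digital signatures
     * @param privateKey signing key; must not be {@code null}
     * @param signatureType {@code EXPLICIT} requests a detached signature; any other value
     *     (including {@code null}) requests an implicit one
     * @param outputStream destination for the signature; must not be {@code null}
     * @throws IllegalArgumentException if a required argument is {@code null} or the key does not
     *     match the certificate
     * @throws UniETSIException with its original error code when the policy cannot be loaded or
     *     the certificate usage is rejected, or with {@code EXTERNAL_EXCEPTION} for other failures
     */
    public void sign(InputStream inputStream, X509Certificate x509Certificate, PrivateKey privateKey, SignatureType signatureType, OutputStream outputStream) throws UniETSIException {
        if (inputStream == null) {
            throw new IllegalArgumentException("is is null");
        }
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        if (outputStream == null) {
            throw new IllegalArgumentException("os is null");
        }
        if (privateKey == null) {
            throw new IllegalArgumentException("privateKey is null");
        }
        if (!KeyUtils.isKeyPair(privateKey, x509Certificate.getPublicKey())) {
            throw new IllegalArgumentException("Signing key and certificate public key are not pair");
        }
        try {
            SignaturePolicy effectivePolicy = resolveSignaturePolicy();
            requireDigitalSignatureUsage(x509Certificate);
            int mode = signatureType == SignatureType.EXPLICIT ? CMS_MODE_EXPLICIT : CMS_MODE_IMPLICIT;
            new SignatureBuilder().sign(inputStream, x509Certificate, privateKey, mode, effectivePolicy, false, this.signProperties, outputStream);
        } catch (UniETSIException e) {
            // Keep the specific error code instead of masking it as EXTERNAL_EXCEPTION.
            log.error("Błąd podczas podpisywania", e);
            throw e;
        } catch (Exception e) {
            log.error("Błąd podczas podpisywania", e);
            throw new UniETSIException(e, PKIErrorCode.EXTERNAL_EXCEPTION, e.getClass().getName());
        }
    }

    /**
     * Verifies every signer of a SignedData and then verifies it against the supplied certificate.
     *
     * <p>What is and is not checked here:
     * <ul>
     *   <li>Each signer info is verified with the certificates carried in the SignedData, and the
     *       SigningCertificate attribute is checked when present. A signer without that attribute
     *       is accepted without the check.</li>
     *   <li>The final step verifies against {@code x509Certificate}, so the content is returned
     *       only if that verification succeeds.</li>
     *   <li>No certificate chain, validity period or revocation status is evaluated in this
     *       method. The caller has to establish trust in {@code x509Certificate} separately.</li>
     *   <li>The complete content is buffered in memory, so input size should be bounded by the
     *       caller.</li>
     * </ul>
     *
     * @param x509Certificate certificate the signature is expected to verify against
     * @param bArr encoded SignedData
     * @param bArr2 the signed content, used only when the signature is detached
     * @return the signed content
     * @throws IllegalArgumentException if a required argument is {@code null}
     * @throws CMSException if parsing fails or any signature does not verify
     * @throws IOException if reading the content fails
     */
    public byte[] verify(X509Certificate x509Certificate, byte[] bArr, byte[] bArr2) throws CMSException, IOException {
        if (x509Certificate == null) {
            throw new IllegalArgumentException("cert is null");
        }
        if (bArr == null) {
            throw new IllegalArgumentException("signature is null");
        }
        SignedDataStream signedDataStream = new SignedDataStream(new ByteArrayInputStream(bArr));
        if (signedDataStream.getMode() == CMS_MODE_EXPLICIT) {
            if (bArr2 == null) {
                throw new IllegalArgumentException("content is null");
            }
            signedDataStream.setInputStream(new ByteArrayInputStream(bArr2));
        }
        // The content is read to the end before the signer infos are requested.
        InputStream contentStream = signedDataStream.getInputStream();
        ByteArrayOutputStream content = new ByteArrayOutputStream();
        Util.copyStream(contentStream, content, null);
        log.debug("SignedData contains the following signer information:");
        SignerInfo[] signerInfos = signedDataStream.getSignerInfos();
        for (int i = 0; i < signerInfos.length; i++) {
            try {
                X509Certificate signerCert = signedDataStream.verify(i);
                log.debug("Signature OK from signer: " + signerCert.getSubjectDN());
                SigningTime signingTime = (SigningTime) signerInfos[i].getSignedAttributeValue(ObjectID.signingTime);
                if (signingTime != null) {
                    log.debug("This message has been signed at " + signingTime.get());
                }
                CMSContentType contentType = (CMSContentType) signerInfos[i].getSignedAttributeValue(ObjectID.contentType);
                if (contentType != null) {
                    log.debug("The content has CMS content type " + contentType.get().getName());
                }
                try {
                    SigningCertificate signingCertificateAttribute = signerInfos[i].getSigningCertificateAttribute();
                    if (signingCertificateAttribute != null) {
                        checkSigningCertificate(signingCertificateAttribute, signerCert, signedDataStream, i);
                    }
                } catch (CMSException e) {
                    throw new CMSException("Error parsing SigningCertificate attribute: " + e.getMessage());
                }
            } catch (SignatureException e2) {
                log.debug("Signature ERROR from signer: " + signedDataStream.getCertificate(signerInfos[i].getSignerIdentifier()).getSubjectDN());
                throw new CMSException(e2.toString());
            }
        }
        log.debug("Now check the signature assuming that no certs have been included:");
        try {
            signedDataStream.verify(x509Certificate);
            log.debug("Signature OK from signer: " + x509Certificate.getSubjectDN());
            log.debug("Included attribute certificates:");
            AttributeCertificate[] attributeCertificates = signedDataStream.getAttributeCertificates();
            if (attributeCertificates == null || attributeCertificates.length == 0) {
                log.debug("No attribute certificates");
            } else {
                for (AttributeCertificate attributeCertificate : attributeCertificates) {
                    log.debug(attributeCertificate.getHolder().toString());
                }
            }
            return content.toByteArray();
        } catch (SignatureException e3) {
            log.debug("Signature ERROR from signer: " + x509Certificate.getSubjectDN());
            throw new CMSException(e3.toString());
        }
    }
}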
