package eu.europa.esig.dss.spi.x509;

import eu.europa.esig.dss.enumerations.CertificateOrigin;
import eu.europa.esig.dss.enumerations.CertificateRefOrigin;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.OID;
import eu.europa.esig.dss.spi.SignatureCertificateSource;
import eu.europa.esig.dss.utils.Utils;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.ESSCertIDv2;
import org.bouncycastle.asn1.ess.OtherCertID;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.ess.SigningCertificateV2;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.util.Selector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/spi/x509/CMSCertificateSource.class */
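/**
 * Collects the certificates, certificate identifiers and certificate references carried by one
 * signer of a CMS SignedData structure.
 *
 * <p>Everything read here comes from the signature under examination and is untrusted input.
 * This class only extracts and classifies material; nothing in it verifies a signature value or
 * a certificate chain. Unsigned attributes are not covered by the CMS signature value, so
 * certificates and references found there can be added or altered after signing and must be
 * judged by the validation process that consumes this source.
 *
 * <p>All extraction runs from the constructor. A malformed optional element is logged and
 * skipped so that a single bad attribute does not make the whole source unusable.
 */
public abstract class CMSCertificateSource extends SignatureCertificateSource {
    private static final Logger LOG = LoggerFactory.getLogger(CMSCertificateSource.class);
    private final transient CMSSignedData cmsSignedData;
    private final transient SignerInformation currentSignerInformation;

    /**
     * Builds the source and immediately extracts identifiers, embedded certificates, signed
     * signing-certificate references, certificate values and the two kinds of unsigned
     * certificate references, in that order.
     *
     * @param cMSSignedData the CMS SignedData container, must not be {@code null}
     * @param signerInformation the signer whose attributes are inspected, must not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public CMSCertificateSource(CMSSignedData cMSSignedData, SignerInformation signerInformation) {
        Objects.requireNonNull(cMSSignedData, "CMS SignedData is null, it must be provided!");
        Objects.requireNonNull(signerInformation, "currentSignerInformation is null, it must be provided!");
        this.cmsSignedData = cMSSignedData;
        this.currentSignerInformation = signerInformation;
        extractCertificateIdentifiers();
        extractSignedCertificates();
        extractSigningCertificateReferences();
        extractCertificateValues();
        extractCertificateRefsFromUnsignedAttribute(PKCSObjectIdentifiers.id_aa_ets_certificateRefs, CertificateRefOrigin.COMPLETE_CERTIFICATE_REFS);
        extractCertificateRefsFromUnsignedAttribute(OID.attributeCertificateRefsOid, CertificateRefOrigin.ATTRIBUTE_CERTIFICATE_REFS);
    }

    /**
     * Registers the signer identifier (SID) of every SignerInfo in the container and marks the
     * one equivalent to the current signer. If none is equivalent, the current signer's own SID
     * is registered and marked as current after a warning.
     */
    private void extractCertificateIdentifiers() {
        SignerIdentifier currentSid = DSSASN1Utils.toSignerIdentifier(this.currentSignerInformation.getSID());
        boolean currentSidListed = false;
        for (SignerInformation signer : this.cmsSignedData.getSignerInfos().getSigners()) {
            SignerIdentifier sid = DSSASN1Utils.toSignerIdentifier(signer.getSID());
            if (sid.isEquivalent(currentSid)) {
                sid.setCurrent(true);
                currentSidListed = true;
            }
            addCertificateIdentifier(sid, CertificateOrigin.SIGNED_DATA);
        }
        if (!currentSidListed) {
            LOG.warn("SID not found in SignerInfos");
            currentSid.setCurrent(true);
            addCertificateIdentifier(currentSid, CertificateOrigin.SIGNED_DATA);
        }
    }

    /**
     * Adds every certificate embedded in the SignedData certificates field.
     *
     * <p>The whole loop sits in one try block, so the first certificate that fails to convert
     * ends the extraction of the remaining ones; the failure is logged, not rethrown.
     */
    private void extractSignedCertificates() {
        try {
            for (X509CertificateHolder holder : this.cmsSignedData.getCertificates().getMatches(null)) {
                addCertificate(DSSASN1Utils.getCertificate(holder), CertificateOrigin.SIGNED_DATA);
            }
        } catch (Exception e) {
            LOG.warn("Cannot extract certificates from CMS Signed Data : {}", e.getMessage());
        }
    }

    /**
     * Reads the signing-certificate (V1) and signing-certificate-v2 signed attributes of the
     * current signer. Does nothing when the signer has no signed attributes.
     */
    private void extractSigningCertificateReferences() {
        AttributeTable signedAttributes = this.currentSignerInformation.getSignedAttributes();
        if (signedAttributes == null || signedAttributes.size() <= 0) {
            return;
        }
        ASN1EncodableVector v1Attributes = signedAttributes.getAll(PKCSObjectIdentifiers.id_aa_signingCertificate);
        if (v1Attributes != null) {
            for (int i = 0; i < v1Attributes.size(); i++) {
                Attribute attribute = Attribute.getInstance(v1Attributes.get(i));
                if (attribute != null) {
                    extractSigningCertificateV1(attribute);
                }
            }
        }
        ASN1EncodableVector v2Attributes = signedAttributes.getAll(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
        if (v2Attributes != null) {
            for (int i = 0; i < v2Attributes.size(); i++) {
                Attribute attribute = Attribute.getInstance(v2Attributes.get(i));
                if (attribute != null) {
                    extractSigningCertificateV2(attribute);
                }
            }
        }
    }

    /**
     * Parses each value of a signing-certificate (V1) attribute and records its ESSCertIDs.
     * A value that cannot be parsed is logged (Base64 of its DER encoding) and skipped.
     *
     * @param attribute the signing-certificate attribute
     */
    private void extractSigningCertificateV1(Attribute attribute) {
        ASN1Set attrValues = attribute.getAttrValues();
        for (int i = 0; i < attrValues.size(); i++) {
            ASN1Encodable value = attrValues.getObjectAt(i);
            try {
                SigningCertificate signingCertificate = SigningCertificate.getInstance(value);
                if (signingCertificate == null) {
                    LOG.warn("SigningCertificate attribute is null");
                } else {
                    extractESSCertIDs(signingCertificate.getCerts(), CertificateRefOrigin.SIGNING_CERTIFICATE);
                }
            } catch (Exception e) {
                // Parsing failure of attacker-controllable input: skip this value, keep the others.
                LOG.warn("SigningCertificate attribute '{}' is not well defined!", Utils.toBase64(DSSASN1Utils.getDEREncoded(value)));
            }
        }
    }

    /**
     * Converts V1 ESSCertID entries into certificate references.
     *
     * <p>ESSCertID (RFC 2634) carries no algorithm identifier, so the hash is recorded as SHA-1.
     * An entry with an empty hash still produces a reference, but without a digest; consumers
     * must therefore expect {@code getCertDigest()} to be {@code null}.
     *
     * @param eSSCertIDArr the ESSCertID entries to convert
     * @param certificateRefOrigin the origin recorded for each reference
     */
    private void extractESSCertIDs(ESSCertID[] eSSCertIDArr, CertificateRefOrigin certificateRefOrigin) {
        for (ESSCertID essCertId : eSSCertIDArr) {
            CertificateRef certificateRef = new CertificateRef();
            byte[] certHash = essCertId.getCertHash();
            if (Utils.isArrayNotEmpty(certHash)) {
                certificateRef.setCertDigest(new Digest(DigestAlgorithm.SHA1, certHash));
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Found Certificate Hash in signingCertificateAttributeV1 {} with algorithm {}", Utils.toHex(certHash), DigestAlgorithm.SHA1);
                }
            }
            certificateRef.setCertificateIdentifier(DSSASN1Utils.toSignerIdentifier(essCertId.getIssuerSerial()));
            addCertificateRef(certificateRef, certificateRefOrigin);
        }
    }

    /**
     * Parses each value of a signing-certificate-v2 attribute and records its ESSCertIDv2s.
     * A value that cannot be parsed, or whose entries make the conversion throw, is logged
     * (Base64 of its DER encoding) and skipped.
     *
     * @param attribute the signing-certificate-v2 attribute
     */
    private void extractSigningCertificateV2(Attribute attribute) {
        ASN1Set attrValues = attribute.getAttrValues();
        for (int i = 0; i < attrValues.size(); i++) {
            ASN1Encodable value = attrValues.getObjectAt(i);
            try {
                SigningCertificateV2 signingCertificateV2 = SigningCertificateV2.getInstance(value);
                if (signingCertificateV2 == null) {
                    LOG.warn("SigningCertificateV2 attribute is null");
                } else {
                    extractESSCertIDv2s(signingCertificateV2.getCerts(), CertificateRefOrigin.SIGNING_CERTIFICATE);
                }
            } catch (Exception e) {
                // Parsing failure of attacker-controllable input: skip this value, keep the others.
                LOG.warn("SigningCertificateV2 attribute '{}' is not well defined!", Utils.toBase64(DSSASN1Utils.getDEREncoded(value)));
            }
        }
    }

    /**
     * Converts ESSCertIDv2 entries into certificate references, using the digest algorithm
     * named by each entry.
     *
     * @param eSSCertIDv2Arr the ESSCertIDv2 entries to convert
     * @param certificateRefOrigin the origin recorded for each reference
     */
    private void extractESSCertIDv2s(ESSCertIDv2[] eSSCertIDv2Arr, CertificateRefOrigin certificateRefOrigin) {
        for (ESSCertIDv2 essCertIdV2 : eSSCertIDv2Arr) {
            CertificateRef certificateRef = new CertificateRef();
            // The algorithm OID is chosen by whoever produced the signature; any exception from
            // the lookup propagates to the catch block in extractSigningCertificateV2.
            DigestAlgorithm digestAlgorithm = DigestAlgorithm.forOID(essCertIdV2.getHashAlgorithm().getAlgorithm().getId());
            byte[] certHash = essCertIdV2.getCertHash();
            certificateRef.setCertDigest(new Digest(digestAlgorithm, certHash));
            if (LOG.isDebugEnabled()) {
                LOG.debug("Found Certificate Hash in SigningCertificateV2 {} with algorithm {}", Utils.toHex(certHash), digestAlgorithm);
            }
            certificateRef.setCertificateIdentifier(DSSASN1Utils.toSignerIdentifier(essCertIdV2.getIssuerSerial()));
            addCertificateRef(certificateRef, certificateRefOrigin);
        }
    }

    /**
     * Adds the certificates found in the certificate-values unsigned attribute(s) of the
     * current signer, if any.
     */
    private void extractCertificateValues() {
        AttributeTable unsignedAttributes = this.currentSignerInformation.getUnsignedAttributes();
        if (unsignedAttributes == null) {
            return;
        }
        Attribute[] certValuesAttributes = DSSASN1Utils.getAsn1Attributes(unsignedAttributes, PKCSObjectIdentifiers.id_aa_ets_certValues);
        if (Utils.isArrayNotEmpty(certValuesAttributes)) {
            for (Attribute attribute : certValuesAttributes) {
                extractCertificateValues(attribute);
            }
        }
    }

    /**
     * Adds every certificate of one certificate-values attribute. Elements that cannot be parsed
     * are logged and skipped, as is an attribute whose first value is missing or not a sequence.
     *
     * @param attribute the certificate-values attribute
     */
    private void extractCertificateValues(Attribute attribute) {
        ASN1Sequence certificates = firstValueAsSequence(attribute);
        if (certificates == null) {
            return;
        }
        for (int i = 0; i < certificates.size(); i++) {
            try {
                addCertificate(DSSUtils.loadCertificate(Certificate.getInstance(certificates.getObjectAt(i)).getEncoded()), CertificateOrigin.CERTIFICATE_VALUES);
            } catch (Exception e) {
                LOG.warn("Unable to parse encapsulated certificate : {}", e.getMessage());
            }
        }
    }

    /**
     * Adds the certificate references found in the unsigned attribute(s) identified by the
     * given OID. Elements that cannot be parsed are logged and skipped, as is an attribute whose
     * first value is missing or not a sequence.
     *
     * @param aSN1ObjectIdentifier the OID of the unsigned attribute to read
     * @param certificateRefOrigin the origin recorded for each reference
     */
    private void extractCertificateRefsFromUnsignedAttribute(ASN1ObjectIdentifier aSN1ObjectIdentifier, CertificateRefOrigin certificateRefOrigin) {
        AttributeTable unsignedAttributes = this.currentSignerInformation.getUnsignedAttributes();
        if (unsignedAttributes == null) {
            return;
        }
        Attribute[] refAttributes = DSSASN1Utils.getAsn1Attributes(unsignedAttributes, aSN1ObjectIdentifier);
        if (!Utils.isArrayNotEmpty(refAttributes)) {
            return;
        }
        for (Attribute attribute : refAttributes) {
            ASN1Sequence otherCertIds = firstValueAsSequence(attribute);
            if (otherCertIds == null) {
                continue;
            }
            for (int i = 0; i < otherCertIds.size(); i++) {
                try {
                    addCertificateRef(DSSASN1Utils.getCertificateRef(OtherCertID.getInstance(otherCertIds.getObjectAt(i))), certificateRefOrigin);
                } catch (Exception e) {
                    LOG.warn("Unable to parse encapsulated OtherCertID : {}", e.getMessage());
                }
            }
        }
    }

    /**
     * Returns the first value of an attribute as an ASN.1 sequence.
     *
     * <p>Unsigned attributes are attacker-controllable: the value set may be empty or hold
     * something other than a sequence. Such input is logged and reported as {@code null} instead
     * of letting an unchecked exception escape from the constructor.
     *
     * @param attribute the attribute to read
     * @return the first value as a sequence, or {@code null} if it is absent or malformed
     */
    private static ASN1Sequence firstValueAsSequence(Attribute attribute) {
        try {
            ASN1Set values = attribute.getAttrValues();
            if (values == null || values.size() == 0) {
                LOG.warn("Attribute has no value, it is skipped");
                return null;
            }
            return ASN1Sequence.getInstance(values.getObjectAt(0));
        } catch (Exception e) {
            LOG.warn("Unable to read the attribute value as an ASN.1 sequence : {}", e.getMessage());
            return null;
        }
    }

    /**
     * Builds the signing-certificate candidates for the current signer.
     *
     * <p>When the current signer identifier is present and non-empty, a single candidate is
     * produced: the certificate resolved from this source, else the first match from
     * {@code certificateSource}, else a candidate built from the identifier alone. Only the
     * first signing-certificate reference is compared against it; the outcome is recorded as
     * flags (digest present/equal, issuer-serial present, serial number and distinguished name
     * equal, signer id match) and no decision is taken here.
     *
     * <p>Without a usable identifier, every certificate of {@code certificateSource} becomes a
     * candidate.
     *
     * @param certificateSource an additional source used for resolution, may be {@code null}
     * @return the candidates, possibly empty
     */
    @Override // eu.europa.esig.dss.spi.SignatureCertificateSource
    protected CandidatesForSigningCertificate extractCandidatesForSigningCertificate(CertificateSource certificateSource) {
        CandidatesForSigningCertificate candidates = new CandidatesForSigningCertificate();
        SignerIdentifier currentSid = getCurrentCertificateIdentifier();
        if (currentSid != null && !currentSid.isEmpty()) {
            CertificateToken certificateToken = getCertificateToken(currentSid);
            if (certificateToken == null && certificateSource != null) {
                Set<CertificateToken> matches = certificateSource.getBySignerIdentifier(currentSid);
                if (Utils.isCollectionNotEmpty(matches)) {
                    LOG.debug("Resolved signing certificate by certificate identifier");
                    // Only the first match is used; further matches are not considered.
                    certificateToken = matches.iterator().next();
                }
            }
            CertificateValidity certificateValidity = certificateToken != null ? new CertificateValidity(certificateToken) : new CertificateValidity(currentSid);
            List<CertificateRef> signingCertificateRefs = getSigningCertificateRefs();
            if (Utils.isCollectionNotEmpty(signingCertificateRefs)) {
                CertificateRef firstRef = signingCertificateRefs.iterator().next();
                Digest certDigest = firstRef.getCertDigest();
                certificateValidity.setDigestPresent(certDigest != null);
                // A V1 reference with an empty hash has no digest; comparing it would throw a
                // NullPointerException, so the digest-equal flag is then left untouched.
                if (certificateToken != null && certDigest != null) {
                    certificateValidity.setDigestEqual(Arrays.equals(certificateToken.getDigest(certDigest.getAlgorithm()), certDigest.getValue()));
                }
                SignerIdentifier referencedSid = firstRef.getCertificateIdentifier();
                certificateValidity.setIssuerSerialPresent(referencedSid != null);
                if (referencedSid != null) {
                    // NOTE(review): SignerIdentifier is not visible here; if an identifier can
                    // lack a serial number, the equals() calls below need a null guard - confirm.
                    if (certificateToken != null) {
                        certificateValidity.setSerialNumberEqual(certificateToken.getSerialNumber().equals(referencedSid.getSerialNumber()));
                        certificateValidity.setDistinguishedNameEqual(DSSASN1Utils.x500PrincipalAreEquals(certificateToken.getIssuerX500Principal(), referencedSid.getIssuerName()));
                    } else {
                        certificateValidity.setSerialNumberEqual(currentSid.getSerialNumber().equals(referencedSid.getSerialNumber()));
                        certificateValidity.setDistinguishedNameEqual(DSSASN1Utils.x500PrincipalAreEquals(currentSid.getIssuerName(), referencedSid.getIssuerName()));
                    }
                    certificateValidity.setSignerIdMatch(currentSid.isEquivalent(referencedSid));
                }
            }
            candidates.add(certificateValidity);
            candidates.setTheCertificateValidity(certificateValidity);
        } else if (certificateSource != null) {
            List<CertificateToken> certificates = certificateSource.getCertificates();
            LOG.debug("No signing certificate reference found. Resolve all {} certificates from the provided certificate source as signing candidates.", certificates.size());
            for (CertificateToken certificate : certificates) {
                candidates.add(new CertificateValidity(certificate));
            }
        }
        return candidates;
    }
}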
