package br.gov.frameworkdemoiselle.certificate.signer.util;

import br.gov.frameworkdemoiselle.certificate.ca.manager.CAManager;
import br.gov.frameworkdemoiselle.certificate.signer.SignerException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:br/gov/frameworkdemoiselle/certificate/signer/util/ValidadorUtil.class */
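/**
 * Certificate checks used by the signer: PKIX validation of an encoded certificate path
 * against the root CAs of a signature policy, and a check that a certificate's first
 * certificate-policy OID falls under one of the four ICP-Brasil arcs accepted here.
 */
public class ValidadorUtil {

    /** Encodings accepted for the serialized certificate path passed to {@code validate}. */
    public enum CertPathEncoding {
        PKCS7,
        PkiPath
    }

    /** OID arcs accepted by {@link #validate(X509Certificate)}; the error text ties them to A1-A4. */
    private static final String[] ACCEPTED_POLICY_PREFIXES = {
        "2.16.76.1.2.1.", "2.16.76.1.2.2.", "2.16.76.1.2.3.", "2.16.76.1.2.4."
    };

    /**
     * Validates an encoded certificate path against the root CAs of a signature policy.
     *
     * <p>The roots returned by {@code CAManager.getSignaturePolicyRootCAs(str)} are the only
     * trust anchors. Validation is delegated to the platform "PKIX" validator with the "BC"
     * signature provider.
     *
     * @param bArr the encoded certificate path
     * @param str the value handed to {@code CAManager.getSignaturePolicyRootCAs}
     * @param certPathEncoding how {@code bArr} is encoded
     * @throws SignerException if the path cannot be decoded, is empty, or does not validate
     *     against the policy's root CAs
     */
    public static void validate(byte[] bArr, String str, CertPathEncoding certPathEncoding) throws SignerException {
        // "BC" is requested by name below, so it must be registered before the first lookup;
        // registering it afterwards fails on a JVM where nothing else has installed it yet.
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        Collection<?> rootCas = CAManager.getInstance().getSignaturePolicyRootCAs(str);
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
            ByteArrayInputStream encodedPath = new ByteArrayInputStream(bArr);
            CertPath certPath = null;
            switch (certPathEncoding) {
                case PKCS7:
                    certPath = factory.generateCertPath(encodedPath, "PKCS7");
                    break;
                case PkiPath:
                    certPath = factory.generateCertPath(encodedPath, "PkiPath");
                    break;
            }
            // A path without certificates gives the validator nothing to check, so it is
            // rejected explicitly instead of being handed on.
            if (certPath == null || certPath.getCertificates().isEmpty()) {
                throw new SignerException("A cadeia de certificados está vazia ou usa uma codificação não suportada.");
            }

            HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
            for (Object rootCa : rootCas) {
                anchors.add(new TrustAnchor((X509Certificate) rootCa, null));
            }

            PKIXParameters params = new PKIXParameters(anchors);
            params.setSigProvider("BC");
            // NOTE(review): revocation checking is switched off, so a revoked certificate in
            // the path still validates here. Confirm that CRL/OCSP status is checked elsewhere
            // before the signature is trusted.
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            // Decoding, parameter and path-validation failures are all reported as the
            // SignerException this method declares, with the original failure as the cause.
            throw new SignerException("Não foi possível validar a cadeia de certificados.", e);
        }
    }

    /**
     * Checks that the certificate's first certificate-policy OID is under one of the accepted
     * ICP-Brasil arcs and that its last component is between 1 and 100.
     *
     * <p>Only the first entry of the certificatePolicies extension (OID 2.5.29.32) is
     * inspected; later entries are ignored.
     *
     * @param x509Certificate the certificate to inspect
     * @throws SignerException if the extension is missing or malformed, or the OID is not
     *     accepted; every failure is reported with the same message and the specific failure
     *     attached as the cause
     */
    public static void validate(X509Certificate x509Certificate) {
        try {
            byte[] extension = x509Certificate.getExtensionValue("2.5.29.32");
            if (extension == null) {
                // No certificatePolicies extension at all: fail with a named reason rather
                // than a NullPointerException from the stream constructor.
                throw new SignerException("O OID não corresponde a uma Política de Certificado.");
            }
            // The extension value is an OCTET STRING wrapping the actual policy sequence.
            DEROctetString wrapper = (DEROctetString) readAsn1Object(extension);
            DERSequence policies = (DERSequence) readAsn1Object(wrapper.getOctets());
            // Cast target inferred from the getObjectAt call that follows - confirm against
            // the BouncyCastle version in use.
            DERSequence firstPolicy = (DERSequence) policies.getObjectAt(0).getDERObject();
            String policyOid = firstPolicy.getObjectAt(0).toString();

            boolean accepted = false;
            for (String prefix : ACCEPTED_POLICY_PREFIXES) {
                if (policyOid.startsWith(prefix)) {
                    accepted = true;
                    break;
                }
            }
            if (!accepted) {
                throw new SignerException("O OID não corresponde a uma Política de Certificado.");
            }
            int lastArc = Integer.parseInt(policyOid.substring(policyOid.lastIndexOf(".") + 1));
            if (lastArc < 1 || lastArc > 100) {
                throw new SignerException("O certificado deve ser do tipo A1, A2, A3 ou A4.");
            }
        } catch (Exception e) {
            // Exception rather than Throwable: JVM errors such as OutOfMemoryError must not be
            // reported as an unsupported certificate type. The SignerExceptions raised above
            // are still re-wrapped so callers keep seeing this single message.
            throw new SignerException("A assinaturas digital deve ser criada com chave privada associada ao certificado ICP-Brasil tipo A1, A2, A3 ou A4", th(e));
        }
    }

    /** Returns the throwable unchanged; keeps the wrapping call above on one line. */
    private static Throwable th(Throwable cause) {
        return cause;
    }

    /** Reads a single ASN.1 object from {@code encoded}, closing the stream in every case. */
    private static Object readAsn1Object(byte[] encoded) throws IOException {
        ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(encoded));
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }
}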
