package net.ripe.rpki.commons.provisioning.cms;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import net.ripe.rpki.commons.crypto.util.BouncyCastleUtil;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapperException;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil;
import net.ripe.rpki.commons.provisioning.payload.AbstractProvisioningPayload;
import net.ripe.rpki.commons.provisioning.payload.PayloadParser;
import net.ripe.rpki.commons.provisioning.x509.ProvisioningCmsCertificateParser;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.util.StoreException;
import org.bouncycastle.x509.extension.X509ExtensionUtil;

/* loaded from: input_file:net/ripe/rpki/commons/provisioning/cms/ProvisioningCmsObjectParser.class */
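/**
 * Parses and validates a DER-encoded RPKI provisioning CMS object (the CMS wrapper used by
 * the RFC 6492 "up-down" provisioning protocol).
 *
 * <p>Every profile check is recorded in the {@link ValidationResult} supplied at construction,
 * under the location passed to {@link #parseCms(String, byte[])}. Checks do not short-circuit
 * on the first failure (except where a later check would be meaningless), so the result lists
 * every problem found. Afterwards {@link #getProvisioningCmsObject()} returns the parsed object
 * or throws when any check failed.
 *
 * <p>The checks performed are: SignedData version 3, SHA-256 digest algorithm, the provisioning
 * content-type OID, a parseable XML payload, exactly one end-entity certificate (which must carry
 * an SKI), exactly one CRL, and exactly one SignerInfo that is version 3, identified by SKI only,
 * uses SHA-256 and RSA, carries the content-type / message-digest / signing-time signed
 * attributes, has no unsigned attributes, and whose signature verifies with the end-entity
 * certificate.
 *
 * <p>Not thread-safe: an instance holds the state of a single parse.
 */
public class ProvisioningCmsObjectParser {
    private static final BcDigestCalculatorProvider DIGEST_CALCULATOR_PROVIDER = new BcDigestCalculatorProvider();
    /** id-ct-xml: the CMS content type that carries a provisioning payload. */
    private static final ASN1ObjectIdentifier PROVISIONING_OBJECT_OID_STRING = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.1.28");
    /** Required SignerInfo version (a SignerInfo identified by SKI is version 3). */
    private static final int CMS_OBJECT_SIGNER_VERSION = 3;
    /** Required SignedData version. */
    private static final int CMS_OBJECT_VERSION = 3;

    // The encoding exactly as handed to parseCms (not copied); it is passed on to the resulting
    // ProvisioningCmsObject, so callers must not mutate the array afterwards.
    private byte[] encoded;
    // The single end-entity certificate; null until parseCertificates finds one.
    private X509Certificate cmsCertificate;
    private final Collection<X509Certificate> caCertificates;
    private X509CRL crl;
    private CMSSignedDataParser sp;
    private final ValidationResult validationResult;
    private String location;
    private AbstractProvisioningPayload payload;

    /** Creates a parser that records its checks in a fresh result at location {@code "n/a"}. */
    public ProvisioningCmsObjectParser() {
        this(ValidationResult.withLocation("n/a"));
    }

    /**
     * Creates a parser that records its checks in the given result.
     *
     * @param validationResult receives every check outcome; its location is overwritten by
     *                         {@link #parseCms(String, byte[])}
     */
    public ProvisioningCmsObjectParser(ValidationResult validationResult) {
        this.caCertificates = new HashSet<X509Certificate>();
        this.validationResult = validationResult;
    }

    /** @return the result all checks of this parser are recorded in */
    public ValidationResult getValidationResult() {
        return this.validationResult;
    }

    /**
     * Parses {@code bArr} and runs every profile check, recording the outcomes under
     * {@code str} in the validation result.
     *
     * <p>Only a {@link CMSException} raised by BouncyCastle is folded into the
     * {@code CMS_DATA_PARSING} verdict; unchecked exceptions such as
     * {@link ProvisioningCmsObjectParserException} (thrown on an unreadable ContentInfo) propagate
     * to the caller.
     *
     * @param str  validation location the checks are recorded under
     * @param bArr DER-encoded CMS SignedData; retained by reference, not copied
     */
    public void parseCms(String str, byte[] bArr) {
        this.location = str;
        this.encoded = bArr;
        this.validationResult.setLocation(new ValidationLocation(str));
        try {
            this.sp = new CMSSignedDataParser(DIGEST_CALCULATOR_PROVIDER, bArr);
            this.validationResult.rejectIfFalse(true, ValidationString.CMS_DATA_PARSING);
            verifyVersionNumber();
            verifyDigestAlgorithm(bArr);
            verifyContentType();
            // NOTE: keep parseContent() before verifySignerInfos(): the streaming parser needs the
            // encapsulated content to be consumed before signer infos (and digests) are available.
            parseContent();
            parseCertificates();
            parseCmsCrl();
            verifySignerInfos();
        } catch (CMSException e) {
            // A CMS-level failure anywhere in the chain is reported as a single parse failure.
            this.validationResult.rejectIfFalse(false, ValidationString.CMS_DATA_PARSING);
        }
    }

    /**
     * Returns the parsed object once {@link #parseCms(String, byte[])} has completed without
     * failures.
     *
     * @return the parsed provisioning CMS object
     * @throws ProvisioningCmsObjectParserException if any check of the current location failed
     */
    public ProvisioningCmsObject getProvisioningCmsObject() {
        if (this.validationResult.hasFailures()) {
            throw new ProvisioningCmsObjectParserException("provisioning cms object validation failed: " + this.validationResult.getFailuresForCurrentLocation());
        }
        return new ProvisioningCmsObject(this.encoded, this.cmsCertificate, this.caCertificates, this.crl, this.payload);
    }

    /** SignedData.version must be {@link #CMS_OBJECT_VERSION}. */
    private void verifyVersionNumber() {
        this.validationResult.rejectIfFalse(this.sp.getVersion() == CMS_OBJECT_VERSION, ValidationString.CMS_SIGNED_DATA_VERSION);
    }

    /**
     * The digest algorithm listed in SignedData.digestAlgorithms must be SHA-256. An empty
     * digestAlgorithms set is reported as a failure instead of blowing up on the missing entry.
     */
    private void verifyDigestAlgorithm(byte[] encodedCms) {
        AlgorithmIdentifier digestAlgorithm = getDigestAlgorithmOidFromEncodedCmsObject(encodedCms);
        boolean isSha256 = digestAlgorithm != null
                && CMSSignedGenerator.DIGEST_SHA256.equals(digestAlgorithm.getAlgorithm().getId());
        this.validationResult.rejectIfFalse(isSha256, ValidationString.CMS_SIGNED_DATA_DIGEST_ALGORITHM);
    }

    /**
     * Re-reads the raw encoding to get SignedData.digestAlgorithms, which the streaming parser
     * does not expose directly.
     *
     * <p>NOTE(review): only the first entry is returned, as before; additional entries are not
     * examined here (the SignerInfo's own digest algorithm is checked separately).
     *
     * @return the first listed digest algorithm, or null when the set is empty
     * @throws ProvisioningCmsObjectParserException if the ContentInfo cannot be read
     */
    private AlgorithmIdentifier getDigestAlgorithmOidFromEncodedCmsObject(byte[] encodedCms) {
        try {
            ASN1InputStream asn1In = new ASN1InputStream(new ByteArrayInputStream(encodedCms));
            ContentInfo contentInfo;
            try {
                contentInfo = ContentInfo.getInstance(asn1In.readObject());
            } finally {
                asn1In.close();
            }
            SignedData signedData = SignedData.getInstance(contentInfo.getContent());
            if (signedData.getDigestAlgorithms().size() == 0) {
                return null;
            }
            return AlgorithmIdentifier.getInstance(signedData.getDigestAlgorithms().getObjectAt(0).toASN1Primitive());
        } catch (IOException e) {
            throw new ProvisioningCmsObjectParserException("error while reading cms object content info", e);
        }
    }

    /**
     * EncapsulatedContentInfo.eContentType must be the provisioning OID. A missing encapsulated
     * content (no eContent at all) fails this check rather than dereferencing null.
     */
    private void verifyContentType() {
        boolean matches = this.sp.getSignedContent() != null
                && PROVISIONING_OBJECT_OID_STRING.equals(this.sp.getSignedContent().getContentType());
        this.validationResult.rejectIfFalse(matches, ValidationString.CMS_CONTENT_TYPE);
    }

    /**
     * Reads the encapsulated content as UTF-8 XML and hands it to {@link PayloadParser}, which
     * records its own checks in the shared validation result.
     */
    private void parseContent() {
        if (this.sp.getSignedContent() == null) {
            // Nothing encapsulated, so there is no payload to parse.
            this.validationResult.rejectIfFalse(false, ValidationString.CMS_CONTENT_PARSING);
            return;
        }
        try {
            String xml = IOUtils.toString(this.sp.getSignedContent().getContentStream(), "UTF-8");
            this.payload = PayloadParser.parse(xml, this.validationResult);
            this.validationResult.rejectIfFalse(true, ValidationString.CMS_CONTENT_PARSING);
        } catch (IOException e) {
            this.validationResult.rejectIfFalse(false, ValidationString.CMS_CONTENT_PARSING);
        }
    }

    /**
     * Sorts the embedded certificates into the single end-entity certificate and the CA
     * certificates, and records whether an end-entity certificate was present at all.
     */
    private void parseCertificates() {
        Collection<? extends Certificate> certificates = extractCertificates(this.sp);
        if (this.validationResult.rejectIfNull(certificates, ValidationString.GET_CERTS_AND_CRLS)) {
            for (Certificate certificate : certificates) {
                if (this.validationResult.rejectIfFalse(certificate instanceof X509Certificate, ValidationString.CERT_IS_X509CERT)) {
                    processX509Certificate((X509Certificate) certificate);
                }
            }
        }
        // Exactly one end-entity certificate is required. Recording its absence here means an
        // object without one is rejected instead of failing later with a null cmsCertificate.
        this.validationResult.rejectIfNull(this.cmsCertificate, ValidationString.CERT_IS_EE_CERT);
    }

    /** Files one embedded certificate as CA certificate or as the (single) end-entity certificate. */
    private void processX509Certificate(X509Certificate certificate) {
        if (!isEndEntityCertificate(certificate)) {
            this.caCertificates.add(certificate);
            return;
        }
        if (this.cmsCertificate != null) {
            this.validationResult.rejectIfFalse(false, ValidationString.ONLY_ONE_EE_CERT_ALLOWED);
            return;
        }
        this.cmsCertificate = parseCmsCertificate(certificate);
        // The SKI is what the SignerInfo must reference, so the EE certificate has to carry one.
        // (Previously a boxed Boolean was passed to rejectIfNull, which could never fail.)
        this.validationResult.rejectIfNull(X509CertificateUtil.getSubjectKeyIdentifier(this.cmsCertificate), ValidationString.CERT_HAS_SKI);
    }

    /**
     * Runs the certificate through {@link ProvisioningCmsCertificateParser} and returns the
     * parsed certificate.
     *
     * <p>NOTE(review): the certificate parser gets a fresh ValidationResult that is discarded, so
     * its own check outcomes do not surface in this parser's result; what happens on a failed
     * certificate parse is left to {@code getCertificate()} — confirm against that class.
     *
     * @throws AbstractX509CertificateWrapperException if the certificate cannot be re-encoded
     */
    private X509Certificate parseCmsCertificate(X509Certificate certificate) {
        ProvisioningCmsCertificateParser certificateParser = new ProvisioningCmsCertificateParser();
        try {
            certificateParser.parse(ValidationResult.withLocation(this.location), certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new AbstractX509CertificateWrapperException(e);
        }
        return certificateParser.getCertificate().getCertificate();
    }

    /**
     * A certificate is treated as end-entity when it has no BasicConstraints extension or when
     * that extension's cA flag is false.
     *
     * @throws ProvisioningCmsObjectParserException if the extension value cannot be decoded
     */
    private boolean isEndEntityCertificate(X509Certificate certificate) {
        try {
            byte[] basicConstraintsValue = certificate.getExtensionValue(X509Extension.basicConstraints.getId());
            if (basicConstraintsValue == null) {
                return true;
            }
            BasicConstraints basicConstraints = BasicConstraints.getInstance(X509ExtensionUtil.fromExtensionValue(basicConstraintsValue));
            return !basicConstraints.isCA();
        } catch (IOException e) {
            throw new ProvisioningCmsObjectParserException("error while reading cms object certificate", e);
        }
    }

    /**
     * Extracts the embedded certificates.
     *
     * @return the certificates, or null when they cannot be extracted (reported by the caller as
     *         {@code GET_CERTS_AND_CRLS})
     */
    private Collection<? extends Certificate> extractCertificates(CMSSignedDataParser parser) {
        try {
            return BouncyCastleUtil.extractCertificates(parser);
        } catch (CMSException e) {
            return null;
        } catch (CertificateException e) {
            return null;
        } catch (StoreException e) {
            return null;
        }
    }

    /** Exactly one CRL must be embedded; it becomes the object's CRL. */
    private void parseCmsCrl() {
        List<? extends X509CRL> crls = extractCrl(this.sp);
        if (!this.validationResult.rejectIfNull(crls, ValidationString.GET_CERTS_AND_CRLS)) {
            return;
        }
        if (!this.validationResult.rejectIfFalse(crls.size() == 1, ValidationString.ONLY_ONE_CRL_ALLOWED)) {
            return;
        }
        X509CRL candidate = crls.get(0);
        // Given the element type, instanceof here mainly guards against a null entry.
        if (this.validationResult.rejectIfFalse(candidate instanceof X509CRL, ValidationString.CRL_IS_X509CRL)) {
            this.crl = candidate;
        }
    }

    /**
     * Extracts the embedded CRLs.
     *
     * @return the CRLs, or null when they cannot be extracted (reported by the caller as
     *         {@code GET_CERTS_AND_CRLS})
     */
    private List<? extends X509CRL> extractCrl(CMSSignedDataParser parser) {
        try {
            return BouncyCastleUtil.extractCrls(parser);
        } catch (CRLException e) {
            return null;
        } catch (StoreException e) {
            return null;
        } catch (CMSException e) {
            return null;
        }
    }

    /**
     * Exactly one SignerInfo must be present; it is checked for version, signer identification,
     * algorithms, attributes and signature.
     */
    private void verifySignerInfos() {
        SignerInformationStore signerStore = getSignerStore();
        if (!this.validationResult.rejectIfNull(signerStore, ValidationString.GET_SIGNER_INFO)) {
            return;
        }
        Collection<?> signers = signerStore.getSigners();
        this.validationResult.rejectIfFalse(signers.size() == 1, ValidationString.ONLY_ONE_SIGNER);
        if (signers.isEmpty()) {
            // Nothing to verify; the rejection just recorded already fails the object.
            return;
        }
        // As before, only the first SignerInfo is examined when more than one is present.
        SignerInformation signer = (SignerInformation) signers.iterator().next();
        // The SKI and signature checks need the end-entity certificate. Its absence was already
        // recorded as CERT_IS_EE_CERT, so those two checks are skipped rather than run on null.
        boolean haveEeCertificate = this.cmsCertificate != null;
        verifySignerVersion(signer);
        if (haveEeCertificate) {
            verifySubjectKeyIdentifier(signer);
        }
        verifyDigestAlgorithm(signer);
        verifySignedAttributes(signer);
        verifyEncryptionAlgorithm(signer);
        if (haveEeCertificate) {
            verifySignature(signer);
        }
        verifyUnsignedAttributes(signer);
    }

    /** @return the signer infos, or null when BouncyCastle cannot produce them */
    private SignerInformationStore getSignerStore() {
        try {
            return this.sp.getSignerInfos();
        } catch (CMSException e) {
            return null;
        }
    }

    /** SignerInfo.version must be {@link #CMS_OBJECT_SIGNER_VERSION}. */
    private void verifySignerVersion(SignerInformation signer) {
        this.validationResult.rejectIfFalse(signer.getVersion() == CMS_OBJECT_SIGNER_VERSION, ValidationString.CMS_SIGNER_INFO_VERSION);
    }

    /**
     * The SignerInfo must identify the signer by the SKI of the end-entity certificate and by
     * nothing else (no issuer/serial). Requires {@code cmsCertificate} to be non-null.
     */
    private void verifySubjectKeyIdentifier(SignerInformation signer) {
        SignerId sid = signer.getSID();
        byte[] certificateSki = X509CertificateUtil.getSubjectKeyIdentifier(this.cmsCertificate);
        // Arrays.equals(null, null) is true; the CERT_HAS_SKI check guarantees the certificate
        // side is non-null, so a SignerInfo without an SKI cannot slip through here.
        this.validationResult.rejectIfFalse(Arrays.equals(certificateSki, sid.getSubjectKeyIdentifier()), ValidationString.CMS_SIGNER_INFO_SKI);
        boolean skiOnly = sid.getIssuer() == null && sid.getSerialNumber() == null;
        this.validationResult.rejectIfFalse(skiOnly, ValidationString.CMS_SIGNER_INFO_SKI_ONLY);
    }

    /** SignerInfo.digestAlgorithm must be SHA-256. */
    private void verifyDigestAlgorithm(SignerInformation signer) {
        this.validationResult.rejectIfFalse(CMSSignedGenerator.DIGEST_SHA256.equals(signer.getDigestAlgOID()), ValidationString.CMS_SIGNER_INFO_DIGEST_ALGORITHM);
    }

    /** Signed attributes must be present and contain content-type, message-digest and signing-time. */
    private void verifySignedAttributes(SignerInformation signer) {
        AttributeTable signedAttributes = signer.getSignedAttributes();
        if (!this.validationResult.rejectIfNull(signedAttributes, ValidationString.SIGNED_ATTRS_PRESENT)) {
            return;
        }
        verifyContentType(signedAttributes);
        verifyMessageDigest(signedAttributes);
        verifySigningTime(signedAttributes);
    }

    /** The content-type signed attribute must have exactly one value: the provisioning OID. */
    private void verifyContentType(AttributeTable signedAttributes) {
        Attribute contentType = signedAttributes.get(CMSAttributes.contentType);
        if (!this.validationResult.rejectIfNull(contentType, ValidationString.CONTENT_TYPE_ATTR_PRESENT)) {
            return;
        }
        if (!this.validationResult.rejectIfFalse(contentType.getAttrValues().size() == 1, ValidationString.CONTENT_TYPE_VALUE_COUNT)) {
            return;
        }
        this.validationResult.rejectIfFalse(PROVISIONING_OBJECT_OID_STRING.equals(contentType.getAttrValues().getObjectAt(0)), ValidationString.CONTENT_TYPE_VALUE);
    }

    /**
     * The message-digest signed attribute must be present with exactly one value. The digest
     * value itself is not compared here; that is left to the signature verification step.
     */
    private void verifyMessageDigest(AttributeTable signedAttributes) {
        Attribute messageDigest = signedAttributes.get(CMSAttributes.messageDigest);
        if (this.validationResult.rejectIfNull(messageDigest, ValidationString.MSG_DIGEST_ATTR_PRESENT)) {
            this.validationResult.rejectIfFalse(messageDigest.getAttrValues().size() == 1, ValidationString.MSG_DIGEST_VALUE_COUNT);
        }
    }

    /** The signing-time signed attribute must be present with exactly one value. */
    private void verifySigningTime(AttributeTable signedAttributes) {
        Attribute signingTime = signedAttributes.get(CMSAttributes.signingTime);
        if (this.validationResult.rejectIfNull(signingTime, ValidationString.SIGNING_TIME_ATTR_PRESENT)) {
            this.validationResult.rejectIfFalse(signingTime.getAttrValues().size() == 1, ValidationString.ONLY_ONE_SIGNING_TIME_ATTR);
        }
    }

    /** SignerInfo.signatureAlgorithm must be RSA. */
    private void verifyEncryptionAlgorithm(SignerInformation signer) {
        this.validationResult.rejectIfFalse(CMSSignedGenerator.ENCRYPTION_RSA.equals(signer.getEncryptionAlgOID()), ValidationString.ENCRYPTION_ALGORITHM);
    }

    /**
     * Verifies the signature against the end-entity certificate. A failure to even attempt
     * verification is recorded as a SIGNATURE_VERIFICATION failure carrying the exception
     * message. Requires {@code cmsCertificate} to be non-null.
     */
    private void verifySignature(SignerInformation signer) {
        String failureReason = null;
        try {
            boolean valid = signer.verify(new JcaSignerInfoVerifierBuilder(BouncyCastleUtil.DIGEST_CALCULATOR_PROVIDER).build(this.cmsCertificate));
            this.validationResult.rejectIfFalse(valid, ValidationString.SIGNATURE_VERIFICATION);
        } catch (OperatorCreationException e) {
            failureReason = String.valueOf(e.getMessage());
        } catch (CMSException e) {
            failureReason = String.valueOf(e.getMessage());
        }
        if (failureReason != null) {
            this.validationResult.rejectIfFalse(false, ValidationString.SIGNATURE_VERIFICATION, failureReason);
        }
    }

    /** Unsigned attributes must be absent. */
    private void verifyUnsignedAttributes(SignerInformation signer) {
        this.validationResult.rejectIfFalse(signer.getUnsignedAttributes() == null, ValidationString.UNSIGNED_ATTRS_OMITTED);
    }
}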
