package net.ripe.rpki.commons.crypto.cms;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import net.ripe.rpki.commons.crypto.util.BouncyCastleUtil;
import net.ripe.rpki.commons.crypto.x509cert.AbstractX509CertificateWrapperException;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateParser;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationString;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.Time;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.CMSTypedStream;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.StoreException;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/RpkiSignedObjectParser.class */
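/**
 * Base parser for RPKI signed objects: a CMS {@code SignedData} that carries exactly one
 * embedded end-entity (EE) certificate and exactly one {@code SignerInfo} (the RFC 6488 profile).
 *
 * <p>{@link #parse(ValidationResult, byte[])} runs a fixed pipeline; every outcome is recorded on
 * the supplied {@link ValidationResult} instead of being thrown:
 * <ol>
 *   <li>the bytes decode as CMS ({@link #parseCms()});</li>
 *   <li>the encapsulated content decodes through the subclass's
 *       {@link #decodeContent(ASN1Encodable)} and is the only object in the content stream
 *       ({@link #parseContent(CMSSignedDataParser)});</li>
 *   <li>the CMS carries exactly one certificate, which parses as an X.509 resource certificate,
 *       is an EE certificate and has a Subject Key Identifier
 *       ({@link #parseCmsCertificate(CMSSignedDataParser)});</li>
 *   <li>the single signer uses the digest/signature algorithm OIDs declared on
 *       {@link RpkiSignedObject}, carries the mandatory signed attributes, identifies the embedded
 *       EE certificate, carries one signing-time, and its signature verifies against that
 *       certificate's public key ({@link #verifyCmsSigning(CMSSignedDataParser, X509Certificate)}).</li>
 * </ol>
 * A failure recorded by one stage stops the stages after it.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The signature is checked ONLY against the public key of the EE certificate embedded in the
 *       object itself. This class does not validate that certificate to a trust anchor, check its
 *       validity period or revocation status, or compare resources with the issuer; it only parses
 *       it via {@link X509ResourceCertificateParser}. Those checks must happen elsewhere before the
 *       decoded content is trusted.</li>
 *   <li>RPKI objects are typically fetched from remote repositories, so the input is untrusted.
 *       Only {@link CMSException} (and, inside {@link #getSignerStore(CMSSignedDataParser)},
 *       {@link RuntimeException}) is turned into a recorded failure; other unchecked exceptions
 *       from the BouncyCastle ASN.1 layer or from a subclass's {@code decodeContent} on malformed
 *       input propagate out of {@code parse}, as do the {@link AbstractX509CertificateWrapperException}s
 *       thrown deliberately when an already-decoded certificate cannot be re-encoded.</li>
 *   <li>Signed attributes outside the allowed set only produce a warning, not a rejection
 *       (see {@link #verifyOptionalSignedAttributes(SignerInformation)}).</li>
 *   <li>The getters return whatever was decoded so far, even when a later stage (including the
 *       signature check) failed; always consult {@link #getValidationResult()} first.</li>
 * </ul>
 *
 * <p>Instances are stateful: {@code parse} overwrites all fields. They are not safe for concurrent use.
 */
public abstract class RpkiSignedObjectParser {
    /** id-aa-binarySigningTime (RFC 6019); tolerated as a signed attribute but not read by this class. */
    private static final ASN1ObjectIdentifier BINARY_SIGNING_TIME_OID = new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.2.46");

    /** The raw CMS bytes handed to {@code parse}; stored by reference, not copied. */
    private byte[] encoded;
    /** The single EE certificate embedded in the CMS, or null until parsed successfully. */
    private X509ResourceCertificate certificate;
    /** The eContentType of the encapsulated content. */
    protected ASN1ObjectIdentifier contentType;
    /** Value of the signing-time signed attribute, in UTC. */
    private DateTime signingTime;
    /** Sink for every check performed by this parser. */
    private ValidationResult validationResult;

    /**
     * Parses {@code bArr}, recording all checks on a fresh {@link ValidationResult} whose current
     * location is {@code str}.
     *
     * @param str  the location label the checks are recorded under
     * @param bArr the DER-encoded CMS SignedData
     */
    public final void parse(String str, byte[] bArr) {
        parse(ValidationResult.withLocation(str), bArr);
    }

    /**
     * Parses and verifies {@code bArr}; all outcomes are recorded on {@code validationResult},
     * which is also what {@link #getValidationResult()} returns afterwards.
     *
     * <p>{@code bArr} is kept by reference (and returned by {@link #getEncoded()}), so a caller that
     * later mutates the array changes what this parser reports as the encoded object.
     *
     * @param validationResult sink for the checks; callers must inspect it (for example
     *                         {@code hasFailures()}) before using any getter
     * @param bArr             the DER-encoded CMS SignedData
     */
    public void parse(ValidationResult validationResult, byte[] bArr) {
        this.validationResult = validationResult;
        this.encoded = bArr;
        parseCms();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the bytes passed to {@code parse} (the same array, not a copy) */
    public byte[] getEncoded() {
        return this.encoded;
    }

    /** @return the validation result passed to (or created by) {@code parse} */
    public ValidationResult getValidationResult() {
        return this.validationResult;
    }

    /** @return the embedded EE certificate, or null if it was not (successfully) parsed */
    protected X509ResourceCertificate getCertificate() {
        return this.certificate;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Alias of {@link #getCertificate()}. */
    public X509ResourceCertificate getResourceCertificate() {
        return this.certificate;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the eContentType of the signed content, or null if content parsing did not run */
    public ASN1ObjectIdentifier getContentType() {
        return this.contentType;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the signing-time signed attribute in UTC, or null if not reached or rejected */
    public DateTime getSigningTime() {
        return this.signingTime;
    }

    /**
     * Decodes the encapsulated content (the first ASN.1 object of the signed content stream).
     *
     * <p>Implementations receive untrusted input and should record problems on
     * {@link #getValidationResult()} rather than throw: only {@link IOException} raised while reading
     * the stream is handled by {@link #parseContent(CMSSignedDataParser)}; unchecked exceptions thrown
     * here propagate out of {@code parse}.
     *
     * @param aSN1Encodable the decoded content object
     */
    public abstract void decodeContent(ASN1Encodable aSN1Encodable);

    /**
     * Top-level pipeline. Each stage runs only if no failure has been recorded so far, so a later
     * stage never operates on data an earlier one rejected (in particular {@code this.certificate}
     * is dereferenced for the signature check only after {@code parseCmsCertificate} succeeded).
     *
     * <p>Only {@link CMSException} — in practice from the {@link CMSSignedDataParser} constructor on
     * undecodable CMS — becomes a {@code CMS_DATA_PARSING} failure. Unchecked exceptions from the
     * BouncyCastle ASN.1 layer or from {@link #decodeContent(ASN1Encodable)} are not caught here.
     */
    private void parseCms() {
        try {
            CMSSignedDataParser cMSSignedDataParser = new CMSSignedDataParser(BouncyCastleUtil.DIGEST_CALCULATOR_PROVIDER, this.encoded);
            this.validationResult.rejectIfFalse(true, ValidationString.CMS_DATA_PARSING, new String[0]);
            if (!this.validationResult.hasFailures()) {
                parseContent(cMSSignedDataParser);
            }
            if (!this.validationResult.hasFailures()) {
                parseCmsCertificate(cMSSignedDataParser);
            }
            if (this.validationResult.hasFailures()) {
                return;
            }
            verifyCmsSigning(cMSSignedDataParser, this.certificate.getCertificate());
        } catch (CMSException e) {
            this.validationResult.rejectIfFalse(false, ValidationString.CMS_DATA_PARSING, new String[0]);
        }
    }

    /**
     * Decodes the encapsulated content and requires it to be the only ASN.1 object in the content
     * stream (one signed object per CMS).
     *
     * <p>The content stream is consumed here, before the signer infos are requested in
     * {@link #getSignerStore(CMSSignedDataParser)}; with the streaming parser the content must be
     * read before signer verification can proceed (BouncyCastle requirement — confirm for the
     * version in use).
     *
     * <p>Recorded checks: {@code DECODE_CONTENT} (first object read and handed to
     * {@link #decodeContent(ASN1Encodable)}), {@code ONLY_ONE_SIGNED_OBJECT} (no second object),
     * {@code CMS_CONTENT_PARSING} (reading past the first object did not fail, and the content is present).
     *
     * @param cMSSignedDataParser the parser built over the object bytes
     */
    protected void parseContent(CMSSignedDataParser cMSSignedDataParser) {
        CMSTypedStream signedContent = cMSSignedDataParser.getSignedContent();
        if (signedContent == null) {
            // Fail closed: a SignedData without encapsulated content (detached signature) has
            // nothing to decode; without this guard the getContentType() call below throws
            // NullPointerException instead of recording a failure.
            this.validationResult.rejectIfFalse(false, ValidationString.CMS_CONTENT_PARSING, new String[0]);
            return;
        }
        this.contentType = signedContent.getContentType();
        ASN1InputStream aSN1InputStream = new ASN1InputStream(signedContent.getContentStream());
        try {
            decodeContent(aSN1InputStream.readObject());
            this.validationResult.rejectIfFalse(true, ValidationString.DECODE_CONTENT, new String[0]);
            try {
                // A second object means the content is not a single signed object; trailing bytes
                // that do not parse at all land in the catch below instead.
                this.validationResult.rejectIfFalse(aSN1InputStream.readObject() == null, ValidationString.ONLY_ONE_SIGNED_OBJECT, new String[0]);
            } catch (IOException e) {
                this.validationResult.rejectIfFalse(false, ValidationString.CMS_CONTENT_PARSING, new String[0]);
            }
            this.validationResult.rejectIfFalse(true, ValidationString.CMS_CONTENT_PARSING, new String[0]);
        } catch (IOException e2) {
            this.validationResult.rejectIfFalse(false, ValidationString.DECODE_CONTENT, new String[0]);
        } finally {
            // Close on every path, not only the all-good one. The stream is backed by the in-memory
            // object bytes (see parseCms), so a close() failure carries nothing worth recording.
            try {
                aSN1InputStream.close();
            } catch (IOException ignored) {
                // nothing to recover
            }
        }
    }

    /**
     * Extracts the single embedded certificate and parses it as an RPKI resource certificate.
     *
     * <p>Recorded checks, in order: {@code GET_CERTS_AND_CRLS} (extraction did not fail),
     * {@code ONLY_ONE_EE_CERT_ALLOWED} (exactly one certificate), {@code CERT_IS_X509CERT},
     * then — only if {@link X509ResourceCertificateParser} recorded no failure at the current
     * location — {@code CERT_IS_EE_CERT} and {@code CERT_HAS_SKI}.
     *
     * <p>CRLs embedded in the CMS are not examined by this class; whether
     * {@code BouncyCastleUtil.extractCertificates} or a caller rejects them cannot be seen here — verify.
     *
     * @param cMSSignedDataParser the parser built over the object bytes
     */
    private void parseCmsCertificate(CMSSignedDataParser cMSSignedDataParser) {
        Collection<? extends Certificate> extractCertificate = extractCertificate(cMSSignedDataParser);
        if (this.validationResult.rejectIfNull(extractCertificate, ValidationString.GET_CERTS_AND_CRLS, new String[0])) {
            if (this.validationResult.rejectIfFalse(extractCertificate.size() == 1, ValidationString.ONLY_ONE_EE_CERT_ALLOWED, new String[0]) && this.validationResult.rejectIfFalse(extractCertificate.iterator().next() instanceof X509Certificate, ValidationString.CERT_IS_X509CERT, new String[0])) {
                this.certificate = parseCertificate(extractCertificate.iterator().next());
                // parseCertificate returns null on failure; the parser is expected to have recorded
                // that failure at the current location, which is what stops the dereference below.
                if (this.validationResult.hasFailureForCurrentLocation()) {
                    return;
                }
                this.validationResult.rejectIfFalse(this.certificate.isEe(), ValidationString.CERT_IS_EE_CERT, new String[0]);
                this.validationResult.rejectIfNull(this.certificate.getSubjectKeyIdentifier(), ValidationString.CERT_HAS_SKI, new String[0]);
            }
        }
    }

    /**
     * Re-encodes an already-decoded certificate and parses it with {@link X509ResourceCertificateParser},
     * sharing this parser's validation result so the certificate checks are recorded alongside the CMS checks.
     *
     * @param certificate a certificate already confirmed to be an {@link X509Certificate}
     * @return the parsed resource certificate, or null if the certificate parser reported failure
     * @throws AbstractX509CertificateWrapperException if the decoded certificate cannot be re-encoded,
     *                                                 which should not happen for a certificate that
     *                                                 was just decoded
     */
    private X509ResourceCertificate parseCertificate(Certificate certificate) {
        try {
            X509ResourceCertificateParser x509ResourceCertificateParser = new X509ResourceCertificateParser();
            x509ResourceCertificateParser.parse(this.validationResult, ((X509Certificate) certificate).getEncoded());
            if (x509ResourceCertificateParser.isSuccess()) {
                return x509ResourceCertificateParser.getCertificate();
            }
            return null;
        } catch (CertificateEncodingException e) {
            throw new AbstractX509CertificateWrapperException("cannot parse already decoded X509 certificate: " + e, e);
        }
    }

    /**
     * Pulls the certificates out of the CMS.
     *
     * @return the certificates, or null if extraction failed for any of the listed reasons (the
     *         cause is dropped; the caller records a {@code GET_CERTS_AND_CRLS} failure without it)
     */
    private Collection<? extends Certificate> extractCertificate(CMSSignedDataParser cMSSignedDataParser) {
        try {
            return BouncyCastleUtil.extractCertificates(cMSSignedDataParser);
        } catch (CMSException e) {
            return null;
        } catch (CertificateException e2) {
            return null;
        } catch (StoreException e3) {
            return null;
        }
    }

    /**
     * Signer checks, then the signature itself.
     *
     * <p>The signature is verified only if a single signer was found, its signed attributes are
     * present ({@link #verifySigner} returns false only in that case; its other rejections are
     * recorded but do not short-circuit) and exactly one signing-time value was found.
     *
     * @param cMSSignedDataParser the parser built over the object bytes
     * @param x509Certificate     the embedded EE certificate whose key the signature must verify under
     */
    private void verifyCmsSigning(CMSSignedDataParser cMSSignedDataParser, X509Certificate x509Certificate) {
        SignerInformation extractSingleCmsSigner = extractSingleCmsSigner(cMSSignedDataParser);
        if (extractSingleCmsSigner != null && verifySigner(extractSingleCmsSigner, x509Certificate) && verifyAndStoreSigningTime(extractSingleCmsSigner)) {
            verifySignature(x509Certificate, extractSingleCmsSigner);
        }
    }

    /**
     * Requires exactly one SignerInfo.
     *
     * @return the single signer, or null after recording {@code GET_SIGNER_INFO} or {@code ONLY_ONE_SIGNER}
     */
    private SignerInformation extractSingleCmsSigner(CMSSignedDataParser cMSSignedDataParser) {
        SignerInformationStore signerStore = getSignerStore(cMSSignedDataParser);
        if (!this.validationResult.rejectIfNull(signerStore, ValidationString.GET_SIGNER_INFO, new String[0])) {
            return null;
        }
        Collection signers = signerStore.getSigners();
        if (this.validationResult.rejectIfFalse(signers.size() == 1, ValidationString.ONLY_ONE_SIGNER, new String[0])) {
            return (SignerInformation) signers.iterator().next();
        }
        return null;
    }

    /**
     * Reads the signer infos.
     *
     * <p>Unlike {@link #parseCms()}, this also swallows {@link RuntimeException} (for example from
     * malformed signer structures), mapping it to a null result and thus a {@code GET_SIGNER_INFO}
     * failure; the cause is dropped.
     *
     * @return the signer store, or null on any failure
     */
    private SignerInformationStore getSignerStore(CMSSignedDataParser cMSSignedDataParser) {
        try {
            return cMSSignedDataParser.getSignerInfos();
        } catch (RuntimeException e) {
            return null;
        } catch (CMSException e2) {
            return null;
        }
    }

    /**
     * @return true for the signed attributes this parser tolerates: binary-signing-time,
     *         signing-time, content-type and message-digest
     */
    private boolean isAllowedSignedAttribute(Attribute attribute) {
        ASN1ObjectIdentifier attrType = attribute.getAttrType();
        return BINARY_SIGNING_TIME_OID.equals(attrType) || CMSAttributes.signingTime.equals(attrType) || CMSAttributes.contentType.equals(attrType) || CMSAttributes.messageDigest.equals(attrType);
    }

    /**
     * Checks that every signed attribute is one of the allowed types.
     *
     * <p>Deliberately lenient: an unexpected attribute records a WARNING under
     * {@code SIGNED_ATTRS_CORRECT}, not a rejection, and the caller ignores the return value. Any
     * extra attribute is still covered by the signature, so this leniency does not weaken the
     * signature check itself.
     *
     * @param signerInformation the signer; the caller has already checked the signed attributes are present
     * @return true if all signed attributes are allowed
     */
    private boolean verifyOptionalSignedAttributes(SignerInformation signerInformation) {
        ASN1EncodableVector aSN1EncodableVector = signerInformation.getSignedAttributes().toASN1EncodableVector();
        boolean z = true;
        int i = 0;
        while (true) {
            if (i >= aSN1EncodableVector.size()) {
                break;
            }
            if (!isAllowedSignedAttribute((Attribute) aSN1EncodableVector.get(i))) {
                z = false;
                break;
            }
            i++;
        }
        if (z) {
            this.validationResult.pass(ValidationString.SIGNED_ATTRS_CORRECT, new String[0]);
        } else {
            this.validationResult.warn(ValidationString.SIGNED_ATTRS_CORRECT, new String[0]);
        }
        return z;
    }

    /**
     * Algorithm, signed-attribute and signer-identifier checks for the single signer.
     *
     * <p>Recorded: {@code CMS_SIGNER_INFO_DIGEST_ALGORITHM} and {@code ENCRYPTION_ALGORITHM}
     * (against the OIDs on {@link RpkiSignedObject}), {@code SIGNED_ATTRS_PRESENT},
     * {@code CONTENT_TYPE_ATTR_PRESENT}, {@code MSG_DIGEST_ATTR_PRESENT}, the optional-attribute
     * warning, and {@code SIGNER_ID_MATCH} (the SignerIdentifier must match the embedded EE certificate).
     *
     * <p>Only presence of content-type and message-digest is checked here; that their values match
     * the eContentType and the content digest is relied upon from
     * {@code SignerInformation.verify()} in {@link #verifySignature} — confirm for the BouncyCastle
     * version in use.
     *
     * @return false only when the signed attributes are absent (nothing further can be checked);
     *         true otherwise, even if some checks above were recorded as failures
     * @throws AbstractX509CertificateWrapperException if the EE certificate cannot be re-encoded
     */
    private boolean verifySigner(SignerInformation signerInformation, X509Certificate x509Certificate) {
        this.validationResult.rejectIfFalse(RpkiSignedObject.DIGEST_ALGORITHM_OID.equals(signerInformation.getDigestAlgOID()), ValidationString.CMS_SIGNER_INFO_DIGEST_ALGORITHM, new String[0]);
        this.validationResult.rejectIfFalse(RpkiSignedObject.RSA_ENCRYPTION_OID.equals(signerInformation.getEncryptionAlgOID()) || RpkiSignedObject.SHA256WITHRSA_ENCRYPTION_OID.equals(signerInformation.getEncryptionAlgOID()), ValidationString.ENCRYPTION_ALGORITHM, new String[0]);
        if (!this.validationResult.rejectIfNull(signerInformation.getSignedAttributes(), ValidationString.SIGNED_ATTRS_PRESENT, new String[0])) {
            return false;
        }
        this.validationResult.rejectIfNull(signerInformation.getSignedAttributes().get(CMSAttributes.contentType), ValidationString.CONTENT_TYPE_ATTR_PRESENT, new String[0]);
        this.validationResult.rejectIfNull(signerInformation.getSignedAttributes().get(CMSAttributes.messageDigest), ValidationString.MSG_DIGEST_ATTR_PRESENT, new String[0]);
        verifyOptionalSignedAttributes(signerInformation);
        try {
            this.validationResult.rejectIfFalse(signerInformation.getSID().match(new JcaX509CertificateHolder(x509Certificate)), ValidationString.SIGNER_ID_MATCH, new String[0]);
            return true;
        } catch (CertificateEncodingException e) {
            throw new AbstractX509CertificateWrapperException(e);
        }
    }

    /**
     * Requires a signing-time signed attribute with exactly one value and stores it (UTC).
     *
     * <p>This is stricter than RFC 6488 as I read it (signing-time there is optional); the
     * binary-signing-time attribute tolerated by {@link #isAllowedSignedAttribute} is not read.
     * A syntactically invalid Time value surfaces from BouncyCastle as an unchecked exception that
     * is not caught here — confirm and fail closed if that matters for the caller.
     *
     * @return true if the time was stored; false after recording {@code SIGNING_TIME_ATTR_PRESENT}
     *         or {@code ONLY_ONE_SIGNING_TIME_ATTR}
     */
    private boolean verifyAndStoreSigningTime(SignerInformation signerInformation) {
        Attribute attribute = signerInformation.getSignedAttributes().get(CMSAttributes.signingTime);
        if (!this.validationResult.rejectIfNull(attribute, ValidationString.SIGNING_TIME_ATTR_PRESENT, new String[0])) {
            return false;
        }
        if (!this.validationResult.rejectIfFalse(attribute.getAttrValues().size() == 1, ValidationString.ONLY_ONE_SIGNING_TIME_ATTR, new String[0])) {
            return false;
        }
        this.signingTime = new DateTime(Time.getInstance(attribute.getAttrValues().getObjectAt(0)).getDate().getTime(), DateTimeZone.UTC);
        return true;
    }

    /**
     * Verifies the CMS signature under the public key of the embedded EE certificate and records
     * {@code SIGNATURE_VERIFICATION}.
     *
     * <p>If verification itself cannot be set up or run ({@link OperatorCreationException},
     * {@link CMSException}) the check is recorded as failed with the exception message as its
     * parameter; the exception object is not propagated. Note this proves only that the object was
     * signed by the key in the object's own certificate; trust in that certificate is established elsewhere.
     */
    private void verifySignature(X509Certificate x509Certificate, SignerInformation signerInformation) {
        String str = null;
        try {
            this.validationResult.rejectIfFalse(signerInformation.verify(new JcaSignerInfoVerifierBuilder(BouncyCastleUtil.DIGEST_CALCULATOR_PROVIDER).build(x509Certificate.getPublicKey())), ValidationString.SIGNATURE_VERIFICATION, new String[0]);
        } catch (OperatorCreationException e) {
            str = String.valueOf(e.getMessage());
        } catch (CMSException e2) {
            str = String.valueOf(e2.getMessage());
        }
        if (str != null) {
            this.validationResult.rejectIfFalse(false, ValidationString.SIGNATURE_VERIFICATION, str);
        }
    }
}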
