package br.gov.frameworkdemoiselle.certificate.signer.pkcs7.impl;

import br.gov.frameworkdemoiselle.certificate.ca.manager.CAManager;
import br.gov.frameworkdemoiselle.certificate.signer.SignerAlgorithmEnum;
import br.gov.frameworkdemoiselle.certificate.signer.SignerException;
import br.gov.frameworkdemoiselle.certificate.signer.factory.PKCS1Factory;
import br.gov.frameworkdemoiselle.certificate.signer.pkcs1.PKCS1Signer;
import br.gov.frameworkdemoiselle.certificate.signer.pkcs7.PKCS7Signer;
import br.gov.frameworkdemoiselle.certificate.signer.pkcs7.attribute.SignedOrUnsignedAttribute;
import br.gov.frameworkdemoiselle.certificate.signer.pkcs7.attribute.factory.AttributeFactory;
import br.gov.frameworkdemoiselle.policy.engine.asn1.etsi.AlgAndLength;
import br.gov.frameworkdemoiselle.policy.engine.asn1.etsi.CertificateTrustPoint;
import br.gov.frameworkdemoiselle.policy.engine.asn1.etsi.ObjectIdentifier;
import br.gov.frameworkdemoiselle.policy.engine.asn1.etsi.SignaturePolicy;
import br.gov.frameworkdemoiselle.policy.engine.factory.PolicyFactory;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSAbsentContent;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SimpleAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Store;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

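/**
 * CAdES (CMS Advanced Electronic Signature) signer and verifier built on BouncyCastle.
 *
 * <p>Signing is driven entirely by a {@link SignaturePolicy}: the mandated signed and
 * unsigned attributes, the signature algorithm and its minimum key length, the trusted
 * root CAs and the policy validity period are all read from the loaded policy. The
 * constructor installs {@code AD_RB_CADES_2_1} as the default policy.
 *
 * <p>{@link #check(byte[], byte[])} verifies the cryptographic signature of every
 * {@code SignerInfo} against the certificate embedded in the package and checks the
 * mandatory signed attributes; it does <em>not</em> validate the signer's certificate
 * chain or revocation status.
 *
 * <p>Instances hold mutable state (certificate, chain, policy) and are not thread-safe.
 */
public class CAdESSigner implements PKCS7Signer {
    private static final Logger logger = LoggerFactory.getLogger(CAdESSigner.class);

    // Signing certificate; derived from certificateChain[0] in doSign when not set explicitly.
    private X509Certificate certificate;
    // Full chain added to the CMS package; completed through CAManager when only the leaf is known.
    private Certificate[] certificateChain;
    private final PKCS1Signer pkcs1 = PKCS1Factory.getInstance().factoryDefault();
    // true => the signed content is embedded in the CMS package (attached signature).
    private boolean attached = false;
    private SignaturePolicy signaturePolicy = null;
    // Exposed through the getter/setter only; not consulted by this class itself.
    private boolean defaultCertificateValidators = true;

    /** Signature algorithm OIDs a policy may mandate, mapped to their JCA algorithm names. */
    private enum AlgorithmNames {
        sha1WithRSAEncryption("1.2.840.113549.1.1.5", "SHA1withRSA"),
        sha256WithRSAEncryption("1.2.840.113549.1.1.11", "SHA256withRSA");

        private final String identifier;
        private final String algorithmName;

        AlgorithmNames(String identifier, String algorithmName) {
            this.identifier = identifier;
            this.algorithmName = algorithmName;
        }

        /**
         * Resolves a signature algorithm OID to its JCA name.
         *
         * @param oid dotted OID of the signature algorithm taken from the policy
         * @return the JCA algorithm name (e.g. {@code SHA256withRSA})
         * @throws SignerException if the OID is not one of the supported algorithms; an
         *     unknown OID is rejected instead of being silently mapped to SHA-1, so the
         *     produced signature can never disagree with the policy that mandated it
         */
        static String getAlgorithmNameByOID(String oid) {
            for (AlgorithmNames candidate : values()) {
                if (candidate.identifier.equals(oid)) {
                    return candidate.algorithmName;
                }
            }
            throw new SignerException("Algoritmo de assinatura não suportado: " + oid);
        }
    }

    /** Creates a signer using the PKCS#1 default algorithm and the {@code AD_RB_CADES_2_1} policy. */
    public CAdESSigner() {
        this.pkcs1.setAlgorithm((String) null);
        setSignaturePolicy(PolicyFactory.Policies.AD_RB_CADES_2_1);
    }

    /** Registers the BouncyCastle JCA provider if it is not installed yet. */
    private static void ensureBouncyCastleProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Verifies every signature contained in a CMS/PKCS#7 package.
     *
     * <p>For each {@code SignerInfo} the signature is verified with the certificate the
     * package embeds under the signer's {@code SignerId}, then the mandatory signed
     * attributes are checked: {@code contentType} must be present and equal to
     * {@code data}, and {@code messageDigest} must be present. A signature that fails
     * verification, a package with no signers, or a signer whose certificate is missing
     * from the package all cause a {@link SignerException}. Certificate chain and
     * revocation validation are out of scope for this method.
     *
     * @param content    the signed content for a detached signature, or {@code null} when
     *                   the content is embedded in {@code signedData}
     * @param signedData DER-encoded CMS {@code SignedData}
     * @return {@code true} when every signer verified; any failure is reported by exception
     * @throws SignerException if the bytes are not a CMS package, a signature does not
     *     verify, or a mandatory signed attribute is missing or has an unexpected value
     */
    @Override
    public boolean check(byte[] content, byte[] signedData) {
        ensureBouncyCastleProvider();
        CMSSignedData cms;
        try {
            cms = content == null
                    ? new CMSSignedData(signedData)
                    : new CMSSignedData(new CMSProcessableByteArray(content), signedData);
        } catch (CMSException e) {
            throw new SignerException("Bytes inválidos localizados no pacote PKCS7.", e);
        }
        Store certificates = cms.getCertificates();
        Collection<SignerInformation> signers = cms.getSignerInfos().getSigners();
        // A package without any SignerInfo carries no signature at all and must not pass.
        if (signers.isEmpty()) {
            throw new SignerException("O pacote PKCS7 não contém assinaturas.");
        }
        int verified = 0;
        for (SignerInformation signer : signers) {
            verified++;
            verifySignature(signer, certificates, verified);
            logger.info("Validada a assinatura digital de sequencia [{}]", verified);
            checkMandatoryAttributes(signer);
        }
        logger.info("Verificada(s) {} assinatura(s).", verified);
        return true;
    }

    /**
     * Verifies one signer's signature with the certificate the package embeds for it.
     *
     * @param signer       the SignerInfo under verification
     * @param certificates certificates carried by the CMS package
     * @param sequence     1-based position of the signer, used in the error message
     * @throws SignerException if no certificate matches the signer or the signature does not verify
     */
    private static void verifySignature(SignerInformation signer, Store certificates, int sequence) {
        Collection<?> matches = certificates.getMatches(signer.getSID());
        if (matches.isEmpty()) {
            throw new SignerException("O certificado do signatário não foi localizado no pacote PKCS7.");
        }
        X509CertificateHolder holder = (X509CertificateHolder) matches.iterator().next();
        boolean valid;
        try {
            valid = signer.verify(new JcaSimpleSignerInfoVerifierBuilder()
                    .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                    .build(holder));
        } catch (CMSException e) {
            throw new SignerException("A assinatura fornecida é inválida.", e);
        } catch (OperatorCreationException | CertificateException e) {
            throw new SignerException((Throwable) e);
        }
        // verify() reports a bad signature by returning false, not by throwing; fail closed.
        if (!valid) {
            throw new SignerException("A assinatura digital de sequencia [" + sequence + "] é inválida.");
        }
    }

    /**
     * Checks the signed attributes a CAdES signature must carry.
     *
     * @param signer the SignerInfo whose attributes are inspected
     * @throws SignerException if there are no signed attributes, {@code contentType} is
     *     missing or not {@code data}, or {@code messageDigest} is missing
     */
    private static void checkMandatoryAttributes(SignerInformation signer) {
        logger.info("Efetuando a verificação dos atributos assinados");
        AttributeTable signedAttributes = signer.getSignedAttributes();
        // BouncyCastle returns null, not an empty table, when the SignerInfo has no attributes.
        if (signedAttributes == null || signedAttributes.size() == 0) {
            throw new SignerException("O pacote PKCS7 não contém atributos assinados.");
        }
        AttributeTable unsignedAttributes = signer.getUnsignedAttributes();
        if (unsignedAttributes == null || unsignedAttributes.size() == 0) {
            logger.info("O pacote PKCS7 não contem atributos nao assinados.");
        }
        // signingTime is optional; log it only when present.
        Attribute signingTime = signedAttributes.get(CMSAttributes.signingTime);
        if (signingTime != null) {
            logger.info("UTCTime yyMMddHHmmssz : {}", signingTime.getAttrValues().getObjectAt(0));
        }
        logger.info("Iniciando a validacao dos atributos");
        Attribute contentType = signedAttributes.get(CMSAttributes.contentType);
        if (contentType == null) {
            throw new SignerException("O pacote PKCS7 não contém o atributo \"ContentType\"");
        }
        if (!contentType.getAttrValues().getObjectAt(0).equals(ContentInfo.data)) {
            throw new SignerException("\"ContentType\" não é do tipo \"DATA\"");
        }
        if (signedAttributes.get(CMSAttributes.messageDigest) == null) {
            throw new SignerException("O pacote PKCS7 não contém o atributo \"MessageDigest\"");
        }
    }

    /**
     * Wraps the configured certificate chain in a BouncyCastle certificate store.
     *
     * @return store containing every certificate of {@link #certificateChain}
     * @throws SignerException if no chain is configured or a certificate cannot be encoded
     */
    private Store generatedCertStore() {
        if (this.certificateChain == null) {
            throw new SignerException("A cadeia de certificados não foi informada.");
        }
        try {
            List<Certificate> certificates = new ArrayList<Certificate>(Arrays.asList(this.certificateChain));
            return new JcaCertStore(certificates);
        } catch (CertificateEncodingException e) {
            throw new SignerException(e);
        }
    }

    /**
     * Returns the hash algorithm OID declared by the loaded policy's {@code signPolicyHashAlg}.
     *
     * @return dotted OID string of the policy hash algorithm
     */
    @Override
    public String getAlgorithm() {
        return this.signaturePolicy.getSignPolicyHashAlg().getAlgorithm().getValue();
    }

    /**
     * Extracts the embedded content of an attached signature after verifying it.
     *
     * @param signedData DER-encoded CMS package with embedded content
     * @return the embedded content, or {@code null} when the package carries none
     */
    public byte[] getAttached(byte[] signedData) {
        return getAttached(signedData, true);
    }

    /**
     * Extracts the embedded content of an attached signature.
     *
     * @param signedData DER-encoded CMS package with embedded content
     * @param validate   when {@code true}, runs {@link #check(byte[], byte[])} on the package first
     * @return the embedded content, or {@code null} when the package carries none
     * @throws SignerException if the bytes are not a CMS package, the content is not a
     *     byte array, or validation was requested and failed
     */
    @Override
    public byte[] getAttached(byte[] signedData, boolean validate) {
        if (validate) {
            check(null, signedData);
        }
        try {
            CMSTypedData signedContent = new CMSSignedData(signedData).getSignedContent();
            if (signedContent == null) {
                return null;
            }
            return (byte[]) signedContent.getContent();
        } catch (CMSException e) {
            throw new SignerException("Invalid bytes for a package PKCS7", e);
        } catch (ClassCastException e) {
            throw new SignerException("Error on get content from PKCS7", e);
        }
    }

    /** @return the private key held by the underlying PKCS#1 signer */
    @Override
    public PrivateKey getPrivateKey() {
        return this.pkcs1.getPrivateKey();
    }

    /** @return the JCA provider configured on the underlying PKCS#1 signer */
    @Override
    public Provider getProvider() {
        return this.pkcs1.getProvider();
    }

    /** @return the public key held by the underlying PKCS#1 signer */
    @Override
    public PublicKey getPublicKey() {
        return this.pkcs1.getPublicKey();
    }

    /** @return the {@code defaultCertificateValidators} flag (not consulted by this class) */
    public boolean isDefaultCertificateValidators() {
        return this.defaultCertificateValidators;
    }

    /** Delegates the algorithm choice to the underlying PKCS#1 signer. */
    @Override
    public void setAlgorithm(SignerAlgorithmEnum signerAlgorithmEnum) {
        this.pkcs1.setAlgorithm(signerAlgorithmEnum);
    }

    /** Delegates the algorithm choice (JCA name) to the underlying PKCS#1 signer. */
    @Override
    public void setAlgorithm(String algorithm) {
        this.pkcs1.setAlgorithm(algorithm);
    }

    /** @param attached {@code true} to embed the content in the CMS package produced by {@link #doSign(byte[])} */
    @Override
    public void setAttached(boolean attached) {
        this.attached = attached;
    }

    /**
     * Sets the certificate chain used for signing; element 0 is taken as the signing
     * certificate when none was set, and a chain of length 1 is completed via CAManager.
     *
     * @param certificates the chain, leaf first
     */
    @Override
    public void setCertificates(Certificate[] certificates) {
        this.certificateChain = certificates;
    }

    /** @param defaultCertificateValidators stored for callers; not consulted by this class */
    public void setDefaultCertificateValidators(boolean defaultCertificateValidators) {
        this.defaultCertificateValidators = defaultCertificateValidators;
    }

    /** Sets the signing private key on the underlying PKCS#1 signer. */
    @Override
    public void setPrivateKey(PrivateKey privateKey) {
        this.pkcs1.setPrivateKey(privateKey);
    }

    /** Sets the JCA provider on the underlying PKCS#1 signer. */
    @Override
    public void setProvider(Provider provider) {
        this.pkcs1.setProvider(provider);
    }

    /** Sets the public key on the underlying PKCS#1 signer. */
    @Override
    public void setPublicKey(PublicKey publicKey) {
        this.pkcs1.setPublicKey(publicKey);
    }

    /**
     * Produces a CAdES signature for {@code content} according to the loaded policy.
     *
     * <p>Steps, in order: resolve the signing certificate and complete its chain; build the
     * mandated signed and unsigned attributes; resolve the signature algorithm from the
     * policy's signer algorithm constraints; check the RSA key length against the policy
     * minimum; validate the certificate against the policy's trust points; check that the
     * policy is within its signing period; then generate the CMS {@code SignedData}.
     *
     * @param content the data to sign, or {@code null} for a signature over absent content
     * @return DER-encoded CMS {@code SignedData}; attached or detached per {@link #setAttached(boolean)}
     * @throws SignerException if no certificate is configured, the key is not RSA or too short,
     *     the policy is outside its validity period, the algorithm is unsupported, or
     *     BouncyCastle fails to build the package
     */
    @Override
    public byte[] doSign(byte[] content) {
        try {
            ensureBouncyCastleProvider();
            if (this.certificate == null && this.certificateChain != null && this.certificateChain.length > 0) {
                this.certificate = (X509Certificate) this.certificateChain[0];
            }
            if (this.certificate == null) {
                throw new SignerException("Nenhum certificado de assinatura foi informado.");
            }
            if (this.certificateChain == null || this.certificateChain.length <= 1) {
                this.certificateChain = CAManager.getInstance().getCertificateChainArray(this.certificate);
            }

            logger.info("Identificando os atributos assinados");
            ASN1EncodableVector signedAttributes = mandatedAttributes(
                    this.signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules()
                            .getSignerAndVeriferRules().getSignerRules().getMandatedSignedAttr().getObjectIdentifiers(),
                    content);
            logger.info("Identificando os atributos não assinados");
            ASN1EncodableVector unsignedAttributes = mandatedAttributes(
                    this.signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules()
                            .getSignerAndVeriferRules().getSignerRules().getMandatedUnsignedAttr().getObjectIdentifiers(),
                    content);

            AlgAndLength algAndLength = signerAlgorithmConstraint();
            String algorithmName = AlgorithmNames.getAlgorithmNameByOID(algAndLength.getAlgID().getValue());
            logger.info("AlgID........... {}", algAndLength.getAlgID().getValue());
            logger.info("Alg Name........ {}", algorithmName);
            logger.info("MinKeyLength.... {}", algAndLength.getMinKeyLength());
            validateKeyLength(algAndLength);

            Set<X509Certificate> trustPoints = new HashSet<X509Certificate>();
            for (CertificateTrustPoint trustPoint : this.signaturePolicy.getSignPolicyInfo()
                    .getSignatureValidationPolicy().getCommonRules().getSigningCertTrustCondition()
                    .getSignerTrustTrees().getCertificateTrustPoints()) {
                logger.info("Trust Point... {}", trustPoint.getTrustpoint().getSubjectX500Principal());
                trustPoints.add(trustPoint.getTrustpoint());
            }
            CAManager.getInstance().validateRootCAs(trustPoints, this.certificate);

            validateSigningPeriod();

            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addCertificates(generatedCertStore());
            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder()
                    .setSignedAttributeGenerator(
                            new DefaultSignedAttributeTableGenerator(new AttributeTable(signedAttributes)))
                    .setUnsignedAttributeGenerator(
                            new SimpleAttributeTableGenerator(new AttributeTable(unsignedAttributes)))
                    .build(algorithmName, this.pkcs1.getPrivateKey(), this.certificate));
            CMSTypedData typedContent;
            if (content == null) {
                typedContent = new CMSAbsentContent();
            } else {
                typedContent = new CMSProcessableByteArray(content);
            }
            return generator.generate(typedContent, this.attached).getEncoded();
        } catch (CMSException | IOException | OperatorCreationException | CertificateEncodingException e) {
            throw new SignerException((Throwable) e);
        }
    }

    /**
     * Builds the attributes mandated by the policy for one attribute set (signed or unsigned).
     *
     * @param oids    policy {@link ObjectIdentifier}s of the mandated attributes; {@code null}
     *                yields an empty vector
     * @param content the content being signed, handed to each attribute for initialization
     * @return vector of the generated CMS attributes, in policy order
     */
    private ASN1EncodableVector mandatedAttributes(Iterable<?> oids, byte[] content) {
        ASN1EncodableVector vector = new ASN1EncodableVector();
        if (oids == null) {
            return vector;
        }
        AttributeFactory attributeFactory = AttributeFactory.getInstance();
        for (Object oid : oids) {
            SignedOrUnsignedAttribute attribute = attributeFactory.factory(((ObjectIdentifier) oid).getValue());
            attribute.initialize(this.pkcs1.getPrivateKey(), this.certificateChain, content, this.signaturePolicy);
            vector.add(attribute.getValue());
        }
        return vector;
    }

    /**
     * Returns the first signer algorithm constraint (algorithm OID plus minimum key length)
     * declared by the policy.
     *
     * @throws SignerException if the policy declares no signer algorithm constraint
     */
    private AlgAndLength signerAlgorithmConstraint() {
        Iterator<?> constraints = this.signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy()
                .getCommonRules().getAlgorithmConstraintSet().getSignerAlgorithmConstraints()
                .getAlgAndLengths().iterator();
        if (!constraints.hasNext()) {
            throw new SignerException("A política não define restrições de algoritmo para o signatário.");
        }
        return (AlgAndLength) constraints.next();
    }

    /**
     * Checks that the signing certificate's RSA modulus meets the policy's minimum key length.
     *
     * @param algAndLength the policy constraint supplying {@code minKeyLength}
     * @throws SignerException if the key is not RSA (the only family this signer maps, see
     *     {@link AlgorithmNames}) or its modulus is shorter than the minimum
     */
    private void validateKeyLength(AlgAndLength algAndLength) {
        logger.info("Validando o tamanho da chave");
        PublicKey publicKey = this.certificate.getPublicKey();
        if (!(publicKey instanceof RSAKey)) {
            throw new SignerException("A chave pública do certificado de assinatura não é RSA.");
        }
        int minimumBits = algAndLength.getMinKeyLength().intValue();
        if (((RSAKey) publicKey).getModulus().bitLength() < minimumBits) {
            throw new SignerException("O tamanho mínimo da chave  deve ser de "
                    .concat(algAndLength.getMinKeyLength().toString()).concat(" bits"));
        }
    }

    /**
     * Checks that the current time falls inside the policy's signing period.
     *
     * @throws SignerException if now is before {@code notBefore} or after {@code notAfter};
     *     the message reports both bounds
     */
    private void validateSigningPeriod() {
        logger.info("Verificando o período de validade da politica");
        Date notBefore = this.signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy()
                .getSigningPeriod().getNotBefore().getDate();
        Date notAfter = this.signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy()
                .getSigningPeriod().getNotAfter().getDate();
        Date now = new Date();
        if (now.before(notBefore) || now.after(notAfter)) {
            // HH (0-23) rather than hh: a 12-hour field without an AM/PM marker is ambiguous.
            SimpleDateFormat format = new SimpleDateFormat("dd/MM/yyyy - HH:mm:ss");
            throw new SignerException("Esta política é válida somente entre "
                    .concat(format.format(notBefore)).concat(" e ").concat(format.format(notAfter)));
        }
    }

    /**
     * Loads and installs the signature policy that drives {@link #doSign(byte[])}.
     *
     * @param policies the policy to load through {@link PolicyFactory}
     */
    @Override
    public void setSignaturePolicy(PolicyFactory.Policies policies) {
        this.signaturePolicy = PolicyFactory.getInstance().loadPolicy(policies);
    }
}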
