package kz.gov.pki.provider.utils;

import java.io.IOException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import kz.gov.pki.kalkan.Storage;
import kz.gov.pki.kalkan.asn1.ASN1InputStream;
import kz.gov.pki.kalkan.asn1.DERSet;
import kz.gov.pki.kalkan.asn1.cms.Attribute;
import kz.gov.pki.kalkan.asn1.cms.AttributeTable;
import kz.gov.pki.kalkan.asn1.cryptopro.CryptoProObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.ess.ESSCertIDv2;
import kz.gov.pki.kalkan.asn1.ess.SigningCertificateV2;
import kz.gov.pki.kalkan.asn1.knca.KNCAObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.pkcs.PKCSObjectIdentifiers;
import kz.gov.pki.kalkan.jce.provider.cms.CMSException;
import kz.gov.pki.kalkan.jce.provider.cms.CMSProcessable;
import kz.gov.pki.kalkan.jce.provider.cms.CMSProcessableByteArray;
import kz.gov.pki.kalkan.jce.provider.cms.CMSSignedData;
import kz.gov.pki.kalkan.jce.provider.cms.CMSSignedDataGenerator;
import kz.gov.pki.kalkan.jce.provider.cms.CMSSignedGenerator;
import kz.gov.pki.kalkan.jce.provider.cms.SignerId;
import kz.gov.pki.kalkan.jce.provider.cms.SignerInformation;
import kz.gov.pki.kalkan.jce.provider.cms.SignerInformationStore;
import kz.gov.pki.kalkan.ocsp.OCSPException;
import kz.gov.pki.kalkan.tsp.TSPException;
import kz.gov.pki.kalkan.tsp.TimeStampResponse;
import kz.gov.pki.kalkan.tsp.TimeStampToken;
import kz.gov.pki.provider.exception.ProviderUtilException;
import kz.gov.pki.provider.exception.ProviderUtilExceptionCode;
import kz.gov.pki.provider.utils.model.SigningEntity;
import kz.gov.pki.provider.utils.model.TSAProfile;
import kz.gov.pki.provider.utils.verifier.Verifier;
import kz.gov.pki.provider.utils.verifier.VerifierFlags;
import kz.gov.pki.provider.utils.verifier.VerifyCMSSignatureResult;
import kz.gov.pki.reference.KNCAServiceRequestMethod;
import kz.gov.pki.reference.KalkanHashAlgorithm;
import kz.gov.pki.reference.TSAPolicy;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;

/* loaded from: input_file:kz/gov/pki/provider/utils/CMSUtil.class */
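/**
 * CMS / CAdES helpers on top of the Kalkan provider: creation of CAdES-BES signatures (optionally
 * upgraded to CAdES-T with a signature time-stamp) and verification of CMS SignedData.
 *
 * <p>Security posture of the verify methods, as implemented here:
 * <ul>
 *   <li>The signer certificate is always taken from the certificates embedded in the CMS itself, i.e.
 *       from the same untrusted input as the signature. A successful cryptographic check therefore only
 *       proves internal consistency of the message; it says nothing about trust.</li>
 *   <li>{@link #verifyCMS(byte[], byte[], Provider)} performs no trust-path or revocation validation at
 *       all. Callers that need a trust decision must use the {@link VerifierFlags} overload or validate
 *       the signer certificate separately.</li>
 *   <li>The {@link Set}-returning overloads <em>record</em> the signature outcome in
 *       {@link VerifyCMSSignatureResult} instead of throwing; callers must inspect the result.</li>
 * </ul>
 *
 * <p>All methods are static and stateless; the class is safe to use from several threads as long as the
 * supplied {@link Provider} is.
 */
public class CMSUtil {

    /** {@link CertStore} type under which the certificates carried inside a CMS are exposed. */
    private static final String COLLECTION_CERT_STORE = "Collection";

    /**
     * Parses encoded CMS SignedData.
     *
     * @param encoded raw CMS bytes
     * @return the parsed structure
     * @throws CMSException if {@code encoded} is not a parseable SignedData
     */
    public static CMSSignedData parseAsCMS(byte[] encoded) throws CMSException {
        return new CMSSignedData(encoded);
    }

    /**
     * Same as {@link #createCAdES(KeyStore, String, char[], byte[], boolean, KalkanHashAlgorithm,
     * TSAPolicy, KNCAServiceRequestMethod, Provider)}; the {@code storage} argument is accepted for API
     * compatibility only and is not used.
     */
    public static CMSSignedData createCAdES(Storage storage, KeyStore keyStore, String alias, char[] password, byte[] data, boolean encapsulate, KalkanHashAlgorithm hashAlgorithm, TSAPolicy tsaPolicy, KNCAServiceRequestMethod requestMethod, Provider provider) throws KeyStoreException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException, CertificateEncodingException, InvalidAlgorithmParameterException, CertStoreException, CertificateNotYetValidException, ProviderUtilException, TSPException, CertificateExpiredException, NoSuchProviderException, CMSException {
        return createCAdES(keyStore, alias, password, data, encapsulate, hashAlgorithm, tsaPolicy, requestMethod, provider);
    }

    /**
     * Signs {@code data} with the key stored under {@code alias} and, when a complete TSA profile is
     * given, adds a signature time-stamp (CAdES-T).
     *
     * @param keyStore      key store holding the signing key and certificate chain
     * @param alias         key store alias of the signer
     * @param password      key password
     * @param data          content to sign, or an existing CMS to co-sign (see
     *                      {@link #createCAdES(SigningEntity, byte[], boolean, boolean, Provider)})
     * @param encapsulate   {@code true} to embed the content in the CMS, {@code false} for a detached signature
     * @param hashAlgorithm TSA request hash algorithm; {@code null} disables time-stamping
     * @param tsaPolicy     TSA policy; {@code null} disables time-stamping
     * @param requestMethod transport method for the TSA request; {@code null} disables time-stamping
     * @param provider      JCA provider used for all cryptographic operations
     * @return the signed CMS (CAdES-BES, or CAdES-T when all three TSA parameters are non-null)
     */
    public static CMSSignedData createCAdES(KeyStore keyStore, String alias, char[] password, byte[] data, boolean encapsulate, KalkanHashAlgorithm hashAlgorithm, TSAPolicy tsaPolicy, KNCAServiceRequestMethod requestMethod, Provider provider) throws KeyStoreException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException, CertificateEncodingException, InvalidAlgorithmParameterException, CertStoreException, CertificateNotYetValidException, ProviderUtilException, TSPException, CertificateExpiredException, NoSuchProviderException, CMSException {
        SigningEntity signer = KeyStoreUtil.getSigningEntity(keyStore, alias, password);
        CMSSignedData cms = createCAdES(signer, data, encapsulate, false, provider);
        // A partially specified TSA profile silently yields plain CAdES-BES; all three values are required.
        if (hashAlgorithm != null && requestMethod != null && tsaPolicy != null) {
            TSAProfile profile = new TSAProfile();
            profile.setHashAlgorithm(hashAlgorithm);
            profile.setRequestMethod(requestMethod);
            profile.setTsaPolicy(tsaPolicy);
            cms = applyCAdEST(cms, signer, profile, provider);
        }
        return cms;
    }

    /**
     * Creates a CAdES-BES signature over {@code data} with the signer's first chain certificate.
     *
     * <p>The input is sniffed: if {@code data} itself parses as CMS SignedData, its encapsulated content
     * is signed instead and the existing signers and certificates are carried over (co-signature). A CMS
     * without encapsulated content cannot be co-signed this way. Callers signing opaque payloads should be
     * aware that bytes which happen to parse as SignedData take this path.
     *
     * <p>The signed attributes always include an ESS {@code signingCertificateV2} (RFC 5035) holding the
     * SHA-256 hash of the signer certificate, which binds the signature to that exact certificate.
     *
     * @param signingEntity private key plus certificate chain (first element is the signer certificate)
     * @param data          content to sign, or an existing CMS to co-sign
     * @param encapsulate   {@code true} to embed the content, {@code false} for a detached signature
     * @param useNullDigest {@code true} to sign with {@link CMSSignedGenerator#DIGEST_NULL} instead of the
     *                      digest derived from the certificate (presumably signs the data as-is — confirm
     *                      against {@code CMSSignedGenerator})
     * @param provider      JCA provider used for all cryptographic operations
     * @return the generated SignedData
     * @throws ProviderUtilException {@code UNKNOWN_ALGORITHM} for an unsupported certificate signature
     *                               algorithm, {@code CMS_NO_ENCAPSULATED_DATA} when co-signing a detached
     *                               CMS, {@code PROVIDER_INVOCATION_FAILURE} / {@code CMS_PROCESSING_FAILURE}
     *                               for provider or CMS errors (cause preserved)
     */
    public static CMSSignedData createCAdES(SigningEntity signingEntity, byte[] data, boolean encapsulate, boolean useNullDigest, Provider provider) throws ProviderUtilException {
        try {
            PrivateKey key = signingEntity.getKey();
            X509Certificate signerCert = signingEntity.getCertificateChain().get(0);
            String digestOid = useNullDigest ? CMSSignedGenerator.DIGEST_NULL : selectDigestOid(signerCert);

            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addSigner(key, signerCert, digestOid, signingCertificateV2Attributes(signerCert, provider), (AttributeTable) null);
            CertStore ownCertStore = CertStore.getInstance(COLLECTION_CERT_STORE,
                    new CollectionCertStoreParameters(Collections.singletonList(signerCert)), provider);
            generator.addCertificatesAndCRLs(ownCertStore);

            CMSProcessable content;
            CMSSignedData existing = parseIfCMS(data);
            if (existing == null) {
                content = new CMSProcessableByteArray(data);
            } else {
                CMSProcessable signedContent = existing.getSignedContent();
                if (signedContent == null) {
                    throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_NO_ENCAPSULATED_DATA);
                }
                // getContent() is untyped; a byte[] payload is assumed here as in the original code.
                content = new CMSProcessableByteArray((byte[]) signedContent.getContent());
                // Only the parse step decides "not a CMS"; failures past this point are real CMS errors
                // and surface as CMS_PROCESSING_FAILURE through the catch below.
                generator.addSigners(existing.getSignerInfos());
                generator.addCertificatesAndCRLs(existing.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName()));
            }
            return generator.generate(content, encapsulate, provider.getName());
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException | CertStoreException | CertificateEncodingException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.PROVIDER_INVOCATION_FAILURE, e);
        } catch (CMSException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_PROCESSING_FAILURE, e);
        }
    }

    /**
     * Returns the parsed SignedData when {@code data} is a CMS structure, {@code null} when it is not.
     */
    private static CMSSignedData parseIfCMS(byte[] data) {
        try {
            return parseAsCMS(data);
        } catch (CMSException ignored) {
            // Deliberate: "does not parse as CMS" simply means the bytes are raw content to sign.
            return null;
        }
    }

    /**
     * Chooses the CMS digest algorithm from the signature algorithm of the signer certificate, i.e. the
     * algorithm the issuing CA used to sign that certificate.
     *
     * <p>The SHA-1 mapping is kept because it is part of the existing contract for certificates issued
     * with sha1WithRSA; SHA-1 is a legacy strength and new keys should come with SHA-256 or GOST
     * certificates.
     *
     * @throws ProviderUtilException {@code UNKNOWN_ALGORITHM} for any other signature algorithm
     */
    private static String selectDigestOid(X509Certificate cert) throws ProviderUtilException {
        String sigAlgOid = cert.getSigAlgOID();
        if (sigAlgOid.equals(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId())) {
            return CMSSignedDataGenerator.DIGEST_SHA1;
        }
        if (sigAlgOid.equals(PKCSObjectIdentifiers.sha256WithRSAEncryption.getId())) {
            return CMSSignedDataGenerator.DIGEST_SHA256;
        }
        if (sigAlgOid.equals(KNCAObjectIdentifiers.gost34311_95_with_gost34310_2004.getId())) {
            return CMSSignedDataGenerator.DIGEST_GOST34311_95;
        }
        if (sigAlgOid.equals(CryptoProObjectIdentifiers.gostR3411_94_with_gostR34310_2004.getId())) {
            return CMSSignedDataGenerator.DIGEST_GOST3411_GT;
        }
        throw new ProviderUtilException(ProviderUtilExceptionCode.UNKNOWN_ALGORITHM);
    }

    /**
     * Builds the signed-attribute table containing a single ESS {@code signingCertificateV2} entry for
     * {@code cert}. The ESSCertIDv2 carries no algorithm identifier, which per RFC 5035 means SHA-256 —
     * the digest computed here.
     */
    private static AttributeTable signingCertificateV2Attributes(X509Certificate cert, Provider provider) throws NoSuchAlgorithmException, CertificateEncodingException {
        byte[] certHash = MessageDigest.getInstance(MessageDigestAlgorithms.SHA_256, provider).digest(cert.getEncoded());
        Attribute attribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2,
                new DERSet(new SigningCertificateV2(new ESSCertIDv2[]{new ESSCertIDv2(null, certHash)})));
        Hashtable<Object, Attribute> attributes = new Hashtable<>();
        attributes.put(attribute.getAttrType(), attribute);
        return new AttributeTable(attributes);
    }

    /**
     * Convenience overload: CAdES-BES with the certificate-derived digest.
     *
     * @see #createCAdES(SigningEntity, byte[], boolean, boolean, Provider)
     */
    public static CMSSignedData createCAdES(SigningEntity signingEntity, byte[] data, boolean encapsulate, Provider provider) throws ProviderUtilException {
        return createCAdES(signingEntity, data, encapsulate, false, provider);
    }

    /**
     * Convenience overload: detached signature using {@link CMSSignedGenerator#DIGEST_NULL}.
     *
     * @see #createCAdES(SigningEntity, byte[], boolean, boolean, Provider)
     */
    public static CMSSignedData createCAdES(SigningEntity signingEntity, byte[] data, Provider provider) throws ProviderUtilException {
        return createCAdES(signingEntity, data, false, true, provider);
    }

    /**
     * Upgrades the given entity's signature inside {@code cms} to CAdES-T by adding a signature
     * time-stamp token as an unsigned attribute. Other signers are left untouched.
     *
     * @param cms           SignedData containing a signature made by {@code signingEntity}
     * @param signingEntity entity whose signature (matched by issuer and serial number of its first chain
     *                      certificate) receives the time-stamp
     * @param tsaProfile    TSA request parameters
     * @param provider      JCA provider
     * @return a new SignedData with the time-stamped signer replaced
     * @throws ProviderUtilException {@code CMS_PROCESSING_FAILURE} when {@code cms} carries no signature by
     *                               the entity, {@code TIMESTAMP_CREATION_FAILURE} when the TSA exchange fails
     */
    public static CMSSignedData applyCAdEST(CMSSignedData cms, SigningEntity signingEntity, TSAProfile tsaProfile, Provider provider) throws ProviderUtilException {
        X509Certificate signerCert = signingEntity.getCertificateChain().get(0);
        SignerId signerId = new SignerId();
        signerId.setSerialNumber(signerCert.getSerialNumber());
        signerId.setIssuer(signerCert.getIssuerX500Principal());
        SignerInformation signer = cms.getSignerInfos().get(signerId);
        if (signer == null) {
            // The entity did not sign this CMS, so there is nothing to time-stamp; fail explicitly rather
            // than with the NullPointerException addTimestampToken would otherwise raise.
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_PROCESSING_FAILURE);
        }
        List<SignerInformation> signers = new ArrayList<>(getSignerInformations(cms));
        signers.remove(signer);
        signers.add(addTimestampToken(signer, tsaProfile, provider));
        return CMSSignedData.replaceSigners(cms, new SignerInformationStore(signers));
    }

    /**
     * Requests a time-stamp over the signature value and stores the token as the
     * {@code id-aa-signatureTimeStampToken} unsigned attribute (RFC 3161 / CAdES-T).
     *
     * @throws ProviderUtilException {@code TIMESTAMP_CREATION_FAILURE} (cause preserved where there is one);
     *                               also raised when the TSA answers with a status-only response that
     *                               carries no token
     */
    private static SignerInformation addTimestampToken(SignerInformation signer, TSAProfile tsaProfile, Provider provider) throws ProviderUtilException {
        try {
            TimeStampResponse response = TSPUtil.getTimeStampResponse(signer.getSignature(), tsaProfile, provider);
            TimeStampToken token = response.getTimeStampToken();
            if (token == null) {
                // Per RFC 3161 a rejected request yields a response without a token; do not NPE on it.
                throw new ProviderUtilException(ProviderUtilExceptionCode.TIMESTAMP_CREATION_FAILURE);
            }
            Hashtable<Object, Attribute> unsignedAttributes = new Hashtable<>();
            ASN1InputStream tokenStream = new ASN1InputStream(token.getEncoded());
            try {
                Attribute attribute = new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(tokenStream.readObject()));
                unsignedAttributes.put(attribute.getAttrType(), attribute);
            } finally {
                // Previously the stream leaked when readObject() failed.
                tokenStream.close();
            }
            return SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(unsignedAttributes));
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException | CertStoreException | CertificateExpiredException | CertificateNotYetValidException | CMSException | TSPException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.TIMESTAMP_CREATION_FAILURE, e);
        }
    }

    /**
     * Returns all signers of {@code cms} as an unmodifiable snapshot.
     *
     * @param cms parsed SignedData
     * @return the signers, possibly empty, never {@code null}
     */
    public static List<SignerInformation> getSignerInformations(CMSSignedData cms) {
        List<SignerInformation> signers = new ArrayList<SignerInformation>(cms.getSignerInfos().getSigners());
        return Collections.unmodifiableList(signers);
    }

    /**
     * Returns every X.509 certificate embedded in {@code cms} (signer and any additional chain
     * certificates), in store order, as an unmodifiable list.
     *
     * <p>The previous implementation called itself recursively and overflowed the stack; this version
     * reads the certificate store.
     *
     * @param cms      parsed SignedData
     * @param provider JCA provider used to build the certificate store
     * @return the embedded X.509 certificates; non-X.509 entries are skipped
     */
    public static List<X509Certificate> getX509Certificates(CMSSignedData cms, Provider provider) throws CMSException, NoSuchAlgorithmException, NoSuchProviderException, CertStoreException {
        CertStore store = cms.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName());
        List<X509Certificate> certificates = new ArrayList<>();
        // A null selector matches every certificate in the store.
        for (Certificate certificate : store.getCertificates(null)) {
            if (certificate instanceof X509Certificate) {
                certificates.add((X509Certificate) certificate);
            }
        }
        return Collections.unmodifiableList(certificates);
    }

    /**
     * Returns, for each signer of {@code cms}, the embedded certificate matching that signer's SID.
     * The certificates come from the message itself and are therefore untrusted until validated.
     *
     * @param cms      parsed SignedData
     * @param provider JCA provider used to build the certificate store
     * @return one certificate per signer, in signer order, unmodifiable
     * @throws ProviderUtilException {@code SIGNER_CERTIFICATE_NOT_FOUND} when a signer's certificate is not
     *                               embedded (previously a {@code NoSuchElementException}),
     *                               {@code PROVIDER_INVOCATION_FAILURE} / {@code CMS_PROCESSING_FAILURE}
     *                               for provider or CMS errors
     */
    public static List<X509Certificate> getSignerCertificates(CMSSignedData cms, Provider provider) throws ProviderUtilException {
        try {
            CertStore store = cms.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName());
            List<X509Certificate> certificates = new ArrayList<>();
            for (SignerInformation signer : getSignerInformations(cms)) {
                certificates.add(findSignerCertificate(store, signer));
            }
            return Collections.unmodifiableList(certificates);
        } catch (NoSuchAlgorithmException | NoSuchProviderException | CertStoreException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.PROVIDER_INVOCATION_FAILURE, e);
        } catch (CMSException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_PROCESSING_FAILURE, e);
        }
    }

    /**
     * Looks up the embedded certificate whose issuer and serial number match the signer's SID.
     * Only the first match is used.
     *
     * @throws ProviderUtilException {@code SIGNER_CERTIFICATE_NOT_FOUND} when nothing matches
     */
    private static X509Certificate findSignerCertificate(CertStore store, SignerInformation signer) throws CertStoreException, ProviderUtilException {
        Iterator<? extends Certificate> matches = store.getCertificates(signer.getSID()).iterator();
        if (!matches.hasNext()) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.SIGNER_CERTIFICATE_NOT_FOUND);
        }
        return (X509Certificate) matches.next();
    }

    /**
     * Parses {@code cms} and, when the signature is detached, attaches {@code detachedContent} so that the
     * signatures can be verified. When the CMS already encapsulates its content, {@code detachedContent}
     * is ignored.
     *
     * @throws ProviderUtilException {@code CMS_NO_ENCAPSULATED_DATA} for a detached signature without content
     */
    private static CMSSignedData resolveSignedData(byte[] cms, byte[] detachedContent) throws CMSException, ProviderUtilException {
        CMSSignedData signedData = parseAsCMS(cms);
        if (signedData.getSignedContent() != null) {
            return signedData;
        }
        if (detachedContent == null) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_NO_ENCAPSULATED_DATA);
        }
        return new CMSSignedData(new CMSProcessableByteArray(detachedContent), cms);
    }

    /**
     * Enforces the ESS {@code signingCertificateV2} binding (RFC 5035) when the signer included it: the
     * hash of the certificate actually used for verification must equal the hash the signer committed to.
     * This ties the signature to one exact certificate instead of only an issuer/serial pair.
     *
     * <p>The hash algorithm OID is read from the attribute. The attribute is a <em>signed</em> attribute,
     * so it is authenticated only once the signature itself has been verified — callers of the
     * {@link Set}-returning overloads must check the recorded signature result before relying on this.
     * The absence of the attribute is not an error (it is optional in CMS).
     *
     * @throws ProviderUtilException {@code CMS_ESSCERTIDV2_DIFF_CERTHASH} on mismatch,
     *                               {@code CMS_PROCESSING_FAILURE} when the attribute lists no certificate
     */
    private static void checkSigningCertificateV2(SignerInformation signer, X509Certificate cert, Provider provider) throws NoSuchAlgorithmException, CertificateEncodingException, ProviderUtilException {
        AttributeTable signedAttributes = signer.getSignedAttributes();
        Attribute attribute = signedAttributes == null ? null : signedAttributes.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
        if (attribute == null) {
            return;
        }
        ESSCertIDv2[] certIds = SigningCertificateV2.getInstance(attribute.getAttrValues().getObjectAt(0)).getCerts();
        if (certIds.length == 0) {
            // Malformed attribute: RFC 5035 requires at least the signer's own certificate entry.
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_PROCESSING_FAILURE);
        }
        // The first entry identifies the signer certificate.
        ESSCertIDv2 signerCertId = certIds[0];
        String hashAlgorithmOid = signerCertId.getHashAlgorithm().getObjectId().getId();
        byte[] actualHash = MessageDigest.getInstance(hashAlgorithmOid, provider).digest(cert.getEncoded());
        if (!Arrays.equals(actualHash, signerCertId.getCertHash())) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_ESSCERTIDV2_DIFF_CERTHASH);
        }
    }

    /**
     * Verifies every signature in {@code cms} against the certificate embedded for that signer and
     * enforces the {@code signingCertificateV2} binding where present. Throws on the first failure.
     *
     * <p>This is a cryptographic check only: no trust path is built and no revocation status is consulted.
     * The certificate validity period is checked as part of signature verification (the provider raises
     * the validity-period exceptions mapped below).
     *
     * @param cms             encoded SignedData
     * @param detachedContent content for a detached signature; ignored for encapsulated content, and
     *                        may be {@code null} only when the content is encapsulated
     * @param provider        JCA provider
     * @throws ProviderUtilException {@code CMS_SIGNATURE_NOT_VALID}, {@code SIGNER_CERTIFICATE_NOT_FOUND},
     *                               {@code CMS_ESSCERTIDV2_DIFF_CERTHASH}, {@code CERTIFICATE_DATE_NOT_VALID},
     *                               {@code CMS_NO_ENCAPSULATED_DATA}, or the generic provider / CMS codes
     */
    public static void verifyCMS(byte[] cms, byte[] detachedContent, Provider provider) throws ProviderUtilException {
        try {
            CMSSignedData signedData = resolveSignedData(cms, detachedContent);
            CertStore store = signedData.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName());
            for (SignerInformation signer : getSignerInformations(signedData)) {
                X509Certificate signerCert = findSignerCertificate(store, signer);
                try {
                    if (!signer.verify(signerCert, provider.getName())) {
                        throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_SIGNATURE_NOT_VALID);
                    }
                    // Runs only after the signature verified, so the signed attribute is authenticated.
                    checkSigningCertificateV2(signer, signerCert, provider);
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    throw new ProviderUtilException(ProviderUtilExceptionCode.CERTIFICATE_DATE_NOT_VALID, e);
                }
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException | CertStoreException | CertificateEncodingException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.PROVIDER_INVOCATION_FAILURE, e);
        } catch (CMSException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.CMS_PROCESSING_FAILURE, e);
        }
    }

    /**
     * Verifies a CMS with encapsulated content.
     *
     * @see #verifyCMS(byte[], byte[], Provider)
     */
    public static void verifyCMS(byte[] cms, Provider provider) throws ProviderUtilException {
        verifyCMS(cms, null, provider);
    }

    /**
     * Verifies every signature in {@code cms}, optionally validates each signer certificate, and validates
     * any signature time-stamp token present.
     *
     * <p>Unlike {@link #verifyCMS(byte[], byte[], Provider)}, an invalid signature does <em>not</em> throw:
     * the outcome is stored in the returned {@link VerifyCMSSignatureResult} and callers must check it.
     * The {@code signingCertificateV2} check and the time-stamp validation do throw on failure.
     *
     * @param cms             encoded SignedData
     * @param detachedContent content for a detached signature; ignored for encapsulated content
     * @param verifierFlags   certificate validation options; {@code null} skips certificate validation
     *                        entirely and leaves that part of the result {@code null}
     * @param certificates    certificates handed to {@link Verifier#verifyX509Certificate} (presumably
     *                        trust anchors and intermediates — see {@code Verifier})
     * @param crls            CRLs handed to {@link Verifier#verifyX509Certificate}
     * @param provider        JCA provider
     * @return one result per signer
     */
    public static Set<VerifyCMSSignatureResult> verifyCMS(byte[] cms, byte[] detachedContent, VerifierFlags verifierFlags, Collection<X509Certificate> certificates, Collection<X509CRL> crls, Provider provider) throws CMSException, NoSuchProviderException, NoSuchAlgorithmException, CertStoreException, CertificateNotYetValidException, CertificateExpiredException, ProviderUtilException, CertificateEncodingException, IOException, TSPException, CertificateException, CertificateParsingException, InvalidAlgorithmParameterException, CertPathBuilderException {
        CMSSignedData signedData = resolveSignedData(cms, detachedContent);
        CertStore store = signedData.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName());
        Set<VerifyCMSSignatureResult> results = new HashSet<>();
        for (SignerInformation signer : getSignerInformations(signedData)) {
            X509Certificate signerCert = findSignerCertificate(store, signer);
            VerifyCMSSignatureResult result = new VerifyCMSSignatureResult(
                    verifierFlags != null ? Verifier.verifyX509Certificate(signerCert, certificates, crls, verifierFlags) : null,
                    signer.verify(signerCert, provider.getName()));
            // Performed regardless of the recorded signature outcome; see the method's Javadoc.
            checkSigningCertificateV2(signer, signerCert, provider);
            TimeStampToken token = getTimestampToken(signer, provider);
            if (token != null) {
                TSPUtil.validateTimeStampToken(token, signer.getSignature(), provider);
                result.setTsToken(token);
            }
            results.add(result);
        }
        return results;
    }

    /**
     * Extracts the signature time-stamp token ({@code id-aa-signatureTimeStampToken}) from the signer's
     * unsigned attributes. The token is only decoded here; its own signature is not checked (that is done
     * by {@code TSPUtil.validateTimeStampToken} in the verify methods).
     *
     * @param signer   signer whose unsigned attributes are inspected
     * @param provider accepted for API compatibility; not used by this method
     * @return the token, or {@code null} when the signer carries none
     * @throws ProviderUtilException {@code TIMESTAMP_PARSING_FAILURE} with the cause attached (the original
     *                               implementation dropped it)
     */
    public static TimeStampToken getTimestampToken(SignerInformation signer, Provider provider) throws ProviderUtilException {
        AttributeTable unsignedAttributes = signer.getUnsignedAttributes();
        if (unsignedAttributes == null) {
            return null;
        }
        Attribute attribute = unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (attribute == null) {
            return null;
        }
        try {
            byte[] encodedToken = attribute.getAttrValues().getObjectAt(0).getDERObject().getEncoded();
            return new TimeStampToken(new CMSSignedData(encodedToken));
        } catch (IOException | CMSException | TSPException e) {
            throw new ProviderUtilException(ProviderUtilExceptionCode.TIMESTAMP_PARSING_FAILURE, e);
        }
    }

    /**
     * Legacy variant of {@link #verifyCMS(byte[], byte[], VerifierFlags, Collection, Collection, Provider)}
     * that validates certificates through a {@code Map} of certificates and an OCSP/CRL {@code URL}.
     *
     * <p>Differences from the non-deprecated overload, kept as-is because this method is deprecated: the
     * time-stamp token is not attached to the result, and it is handed to
     * {@code TSPUtil.validateTimeStampToken} even when the signer carries none — whether that helper
     * tolerates a {@code null} token is not visible here, confirm before relying on unsigned-attribute-less
     * input.
     *
     * @deprecated use {@link #verifyCMS(byte[], byte[], VerifierFlags, Collection, Collection, Provider)}
     */
    @Deprecated
    public static Set<VerifyCMSSignatureResult> verifyCMS(byte[] cms, byte[] detachedContent, VerifierFlags verifierFlags, Map<String, X509Certificate> certificates, URL url, Provider provider) throws CMSException, NoSuchProviderException, NoSuchAlgorithmException, CertStoreException, CertificateNotYetValidException, CertificateExpiredException, ProviderUtilException, CertificateEncodingException, IOException, TSPException, CertificateException, CertificateParsingException, OCSPException {
        CMSSignedData signedData = resolveSignedData(cms, detachedContent);
        CertStore store = signedData.getCertificatesAndCRLs(COLLECTION_CERT_STORE, provider.getName());
        Set<VerifyCMSSignatureResult> results = new HashSet<>();
        for (SignerInformation signer : getSignerInformations(signedData)) {
            X509Certificate signerCert = findSignerCertificate(store, signer);
            results.add(new VerifyCMSSignatureResult(
                    verifierFlags != null ? Verifier.verifyX509Certificate(signerCert, certificates, provider, url, verifierFlags) : null,
                    signer.verify(signerCert, provider.getName())));
            checkSigningCertificateV2(signer, signerCert, provider);
            TSPUtil.validateTimeStampToken(getTimestampToken(signer, provider), signer.getSignature(), provider);
        }
        return results;
    }
}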
