package org.apache.camel.component.crypto.cms.crypt;

import java.io.IOException;
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import org.apache.camel.Exchange;
import org.apache.camel.component.crypto.cms.common.CryptoCmsUnmarshaller;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsFormatException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsNoCertificateForRecipientsException;
import org.apache.camel.converter.stream.OutputStreamBuilder;
import org.apache.camel.util.IOHelper;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.cert.X509CRLEntryHolder;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSEnvelopedDataParser;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.KeyTransRecipientId;
import org.bouncycastle.cms.KeyTransRecipientInformation;
import org.bouncycastle.cms.OriginatorInformation;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.RecipientInformationStore;
import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
import org.bouncycastle.cms.jcajce.JceKeyTransRecipientId;
import org.bouncycastle.util.Selector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/camel/component/crypto/cms/crypt/EnvelopedDataDecryptor.class */
public class EnvelopedDataDecryptor extends CryptoCmsUnmarshaller {
    private static final Logger LOG = LoggerFactory.getLogger(EnvelopedDataDecryptor.class);
    private final EnvelopedDataDecryptorConfiguration conf;

    public EnvelopedDataDecryptor(EnvelopedDataDecryptorConfiguration envelopedDataDecryptorConfiguration) {
        super(envelopedDataDecryptorConfiguration);
        this.conf = envelopedDataDecryptorConfiguration;
    }

    @Override // org.apache.camel.component.crypto.cms.common.CryptoCmsUnmarshaller
    protected Object unmarshalInternal(InputStream inputStream, Exchange exchange) throws Exception {
        try {
            return unmarshal(new CMSEnvelopedDataParser(inputStream), exchange);
        } catch (NullPointerException e) {
            throw new CryptoCmsFormatException(getFormatErrorMessage(), e);
        } catch (CMSException e2) {
            throw new CryptoCmsFormatException(getFormatErrorMessage(), e2);
        }
    }

    String getFormatErrorMessage() {
        return "Message has invalid format. It was not possible to parse the message into a PKCS7/CMS enveloped data object.";
    }

    private Object unmarshal(CMSEnvelopedDataParser cMSEnvelopedDataParser, Exchange exchange) throws Exception {
        AttributeTable unprotectedAttributes;
        LOG.debug("Decrypting CMS Enveloped Data started");
        debugLog(cMSEnvelopedDataParser);
        RecipientInformationStore recipientInfos = cMSEnvelopedDataParser.getRecipientInfos();
        if (recipientInfos.size() == 0) {
            throw new CryptoCmsException("PKCS7/CMS enveloped data message is incorrect. No recipient information found in enveloped data.");
        }
        RecipientInformation recipientInformation = null;
        Collection<PrivateKeyWithCertificate> privateKeyCertificateCollection = this.conf.getPrivateKeyCertificateCollection(exchange);
        if (privateKeyCertificateCollection.isEmpty()) {
            throw new CryptoCmsNoCertificateForRecipientsException("Cannot decrypt PKCS7/CMS enveloped data object. No private key for the decryption configured.");
        }
        PrivateKey privateKey = null;
        Iterator<PrivateKeyWithCertificate> it = privateKeyCertificateCollection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            PrivateKeyWithCertificate next = it.next();
            X509Certificate certificate = next.getCertificate();
            recipientInformation = recipientInfos.get(new JceKeyTransRecipientId(certificate));
            if (recipientInformation != null) {
                LOG.debug("Recipient found for certificate with subjectDN={}, issuerDN={}, and serial number={}", new Object[]{certificate.getSubjectDN(), certificate.getIssuerDN(), certificate.getSerialNumber()});
                privateKey = next.getPrivateKey();
                break;
            }
        }
        if (recipientInformation == null) {
            ArrayList arrayList = new ArrayList(privateKeyCertificateCollection.size());
            Iterator<PrivateKeyWithCertificate> it2 = privateKeyCertificateCollection.iterator();
            while (it2.hasNext()) {
                arrayList.add(it2.next().getCertificate());
            }
            throw new CryptoCmsNoCertificateForRecipientsException("Cannot decrypt PKCS7/CMS enveloped data object. No certificate found among the configured certificates which fit to one of the recipients in the enveloped data object. The recipients in the enveloped data object are: " + recipientsToString(recipientInfos.getRecipients()) + "The configured certificates are: " + certsToString(arrayList) + ". Specify a certificate with private key which fits to one of the recipients in the configruation or check whether the encrypted message is encrypted with the correct key.");
        }
        try {
            InputStream contentStream = recipientInformation.getContentStream(new JceKeyTransEnvelopedRecipient(privateKey)).getContentStream();
            try {
                Object transformToStreamCacheOrByteArray = transformToStreamCacheOrByteArray(exchange, contentStream);
                IOHelper.close(contentStream);
                if (LOG.isDebugEnabled() && (unprotectedAttributes = cMSEnvelopedDataParser.getUnprotectedAttributes()) != null) {
                    LOG.debug("Unprotected attributes size {}", Integer.valueOf(unprotectedAttributes.size()));
                    Hashtable<String, Attribute> hashtable = unprotectedAttributes.toHashtable();
                    if (hashtable != null) {
                        LOG.debug("Unprotected attributes: {}", attributesToString(hashtable));
                    }
                }
                return transformToStreamCacheOrByteArray;
            } catch (Throwable th) {
                IOHelper.close(contentStream);
                throw th;
            }
        } catch (CMSException | IOException e) {
            throw new CryptoCmsException("Error during decrypting an enveloped data object", e);
        }
    }

    protected void debugLog(CMSEnvelopedDataParser cMSEnvelopedDataParser) {
        if (LOG.isDebugEnabled()) {
            OriginatorInformation originatorInfo = cMSEnvelopedDataParser.getOriginatorInfo();
            if (originatorInfo != null) {
                LOG.debug("Enveloped Data has originator information");
                Collection<X509CertificateHolder> matches = originatorInfo.getCertificates().getMatches((Selector) null);
                if (matches != null && matches.size() > 0) {
                    LOG.debug("Certificates in the originator information:");
                    for (X509CertificateHolder x509CertificateHolder : matches) {
                        LOG.debug("    subject=" + x509CertificateHolder.getSubject() + ", issuer=" + x509CertificateHolder.getIssuer() + ", serial number=" + x509CertificateHolder.getSerialNumber());
                    }
                }
                Collection<X509CRLHolder> matches2 = originatorInfo.getCRLs().getMatches((Selector) null);
                if (matches2 != null && matches2.size() > 0) {
                    LOG.debug("CRLs in the originator information:");
                    for (X509CRLHolder x509CRLHolder : matches2) {
                        LOG.debug("    CRL issuer={}", x509CRLHolder.getIssuer());
                        for (X509CRLEntryHolder x509CRLEntryHolder : x509CRLHolder.getRevokedCertificates()) {
                            LOG.debug("        Revoked Certificate: issuer=" + x509CRLEntryHolder.getCertificateIssuer() + ", serial number=" + x509CRLEntryHolder.getSerialNumber() + ", date=" + x509CRLEntryHolder.getRevocationDate());
                        }
                    }
                }
            }
            LOG.debug("Content encryption algorithm OID: {}", cMSEnvelopedDataParser.getEncryptionAlgOID());
            LOG.debug("Recipient Infos:");
            int i = 0;
            Iterator it = cMSEnvelopedDataParser.getRecipientInfos().getRecipients().iterator();
            while (it.hasNext()) {
                i++;
                LOG.debug("   Recipient Info {}: {}", Integer.valueOf(i), recipientToString((RecipientInformation) it.next()));
            }
        }
    }

    protected String recipientsToString(Collection<RecipientInformation> collection) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        int size = collection.size();
        for (RecipientInformation recipientInformation : collection) {
            i++;
            sb.append('[');
            sb.append(recipientToString(recipientInformation));
            sb.append(']');
            if (i < size) {
                sb.append(';');
            }
        }
        return sb.toString();
    }

    protected String recipientToString(RecipientInformation recipientInformation) {
        if (!(recipientInformation instanceof KeyTransRecipientInformation)) {
            return "not a KeyTransRecipientInformation: " + recipientInformation.getRID().getType();
        }
        KeyTransRecipientId rid = recipientInformation.getRID();
        return "Issuer=" + rid.getIssuer() + ", serial number=" + rid.getSerialNumber() + ", key encryption algorithm OID=" + recipientInformation.getKeyEncryptionAlgOID();
    }

    protected String attributesToString(Hashtable<String, Attribute> hashtable) {
        if (hashtable == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        int size = hashtable.size();
        int i = 0;
        Iterator<Attribute> it = hashtable.values().iterator();
        while (it.hasNext()) {
            i++;
            sb.append(it.next().getAttrType());
            if (i < size) {
                sb.append(",");
            }
        }
        return sb.toString();
    }

    private Object transformToStreamCacheOrByteArray(Exchange exchange, InputStream inputStream) throws CryptoCmsException {
        OutputStreamBuilder withExchange = OutputStreamBuilder.withExchange(exchange);
        try {
            try {
                if (inputStream != null) {
                    try {
                        IOHelper.copy(inputStream, withExchange);
                        IOHelper.close(inputStream);
                    } catch (Throwable th) {
                        IOHelper.close(inputStream);
                        throw th;
                    }
                }
                LOG.debug("CMS Enveloped Data decryption successful");
                Object build = withExchange.build();
                IOHelper.close(withExchange);
                return build;
            } catch (IOException e) {
                throw new CryptoCmsException("Error during reading the unencrypted content of the enveloped data object", e);
            }
        } catch (Throwable th2) {
            IOHelper.close(withExchange);
            throw th2;
        }
    }
}
