package org.apache.camel.component.crypto.cms.sig;

import java.io.IOException;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import org.apache.camel.Exchange;
import org.apache.camel.component.crypto.cms.common.CryptoCmsUnmarshaller;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsFormatException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsNoCertificateForSignerInfoException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsNoCertificateForSignerInfosException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsSignatureException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsSignatureInvalidContentHashException;
import org.apache.camel.component.crypto.cms.exception.CryptoCmsVerifierCertificateNotValidException;
import org.apache.camel.converter.stream.OutputStreamBuilder;
import org.apache.camel.util.IOHelper;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.CMSSignerDigestMismatchException;
import org.bouncycastle.cms.CMSVerifierCertificateNotValidException;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/camel/component/crypto/cms/sig/SignedDataVerifier.class */
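/**
 * Unmarshaller for PKCS7/CMS Signed Data: parses the structure, copies the signed content
 * into an output stream bound to the {@link Exchange}, and verifies the signer infos against
 * the certificates supplied by the {@link SignedDataVerifierConfiguration}.
 * <p>
 * Verification succeeds when at least one signer info has a matching configured certificate
 * and its signature verifies; when the configuration requests verification of all signers,
 * every signer info must be matched and verified.
 */
public class SignedDataVerifier extends CryptoCmsUnmarshaller {

    private static final Logger LOG = LoggerFactory.getLogger(SignedDataVerifier.class);

    /** JCA/JCE provider used for the digest calculators and the signer-info verifier. */
    private static final String PROVIDER = "BC";

    /** Common prefix of the exception messages raised when one signer info fails verification. */
    private static final String VERIFICATION_FAILED_PREFIX
            = "PKCS7/CMS signature verification failed for signer information with ";

    private final SignedDataVerifierConfiguration conf;

    /**
     * Creates a verifier backed by the given configuration.
     *
     * @param signedDataVerifierConfiguration source of the verifier certificates and of the
     *        "verify signatures of all signers" switch; also handed to the superclass
     */
    public SignedDataVerifier(SignedDataVerifierConfiguration signedDataVerifierConfiguration) {
        super(signedDataVerifierConfiguration);
        this.conf = signedDataVerifierConfiguration;
    }

    /**
     * Parses Signed Data from {@code inputStream}, copies the signed content into an output
     * stream bound to {@code exchange} and verifies the signatures.
     * <p>
     * The call order is deliberate: the content is consumed by {@link #getOutputStream} before
     * the signer infos are inspected (presumably because the streaming parser computes the
     * content digests while the content is read — confirm against the BouncyCastle API).
     *
     * @param inputStream the serialized PKCS7/CMS content info
     * @param exchange    the current exchange
     * @return the built output stream containing the signed content
     * @throws CryptoCmsFormatException if the input cannot be parsed as Signed Data
     * @throws Exception any failure raised by {@link #verify} or {@link #getOutputStream}
     */
    @Override // org.apache.camel.component.crypto.cms.common.CryptoCmsUnmarshaller
    protected Object unmarshalInternal(InputStream inputStream, Exchange exchange) throws Exception {
        try {
            CMSSignedDataParser parser = new CMSSignedDataParser(
                    new JcaDigestCalculatorProviderBuilder().setProvider(PROVIDER).build(), inputStream);
            OutputStreamBuilder output = getOutputStream(parser, exchange);
            debugLog(parser);
            verify(parser, exchange);
            return output.build();
        } catch (CMSException e) {
            throw new CryptoCmsFormatException(getFormatErrorMessage(), e);
        }
    }

    /**
     * Returns the message used when the input is not a parsable Signed Data structure.
     *
     * @return the format error message
     */
    public String getFormatErrorMessage() {
        return "Message has invalid format. It was not possible to parse the message into a PKCS7/CMS content info object containing PKCS7/CMS Signed Data.";
    }

    /**
     * Copies the signed content of the parser into an {@link OutputStreamBuilder} for the exchange.
     * <p>
     * A {@code NullPointerException} is caught because {@code getSignedContent()} can be null
     * when the structure carries no content; it is reported via {@link #getContentMissingException}.
     *
     * @param cMSSignedDataParser parser positioned on the Signed Data
     * @param exchange            the current exchange
     * @return the builder holding the copied content (empty if the content stream was null)
     * @throws CryptoCmsException if the content is missing or cannot be read
     * @throws Exception propagated from the parser
     */
    protected OutputStreamBuilder getOutputStream(CMSSignedDataParser cMSSignedDataParser, Exchange exchange) throws Exception {
        try {
            InputStream contentStream = cMSSignedDataParser.getSignedContent().getContentStream();
            OutputStreamBuilder output = OutputStreamBuilder.withExchange(exchange);
            if (contentStream != null) {
                try {
                    IOHelper.copy(contentStream, output);
                } catch (IOException e) {
                    throw new CryptoCmsException("Error during reading the signed content of the signed data object", e);
                } finally {
                    // IOHelper.close swallows close failures; the copy result is what matters here
                    IOHelper.close(contentStream);
                }
            }
            return output;
        } catch (NullPointerException e) {
            throw getContentMissingException(e);
        }
    }

    /**
     * Builds the exception reported when the Signed Data contains no content to hash.
     *
     * @param nullPointerException the failure that revealed the missing content; kept as cause
     * @return the exception to throw
     */
    public CryptoCmsException getContentMissingException(NullPointerException nullPointerException) {
        return new CryptoCmsException("PKCS7/CMS signature validation not possible: The content for which the hash-value must be calculated is missing in the PKCS7/CMS signed data instance. Please check the configuration of the sender of the PKCS7/CMS signature.", nullPointerException);
    }

    /**
     * Logs the digest algorithms and the signer infos (with their signed and unsigned
     * attributes) at DEBUG level. Does nothing unless DEBUG is enabled.
     *
     * @param cMSSignedDataParser parser whose content has already been consumed
     * @throws CMSException if the signer infos cannot be obtained
     */
    public void debugLog(CMSSignedDataParser cMSSignedDataParser) throws CMSException {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        // iterated as Object and cast: the BouncyCastle API returned a raw Set in older releases
        for (Object algorithmId : cMSSignedDataParser.getDigestAlgorithmIDs()) {
            LOG.debug("Message digest algorithm: {}", ((AlgorithmIdentifier) algorithmId).getAlgorithm().getId());
        }
        LOG.debug("Included Signer Infos:");
        int index = 0;
        for (SignerInformation signer : cMSSignedDataParser.getSignerInfos().getSigners()) {
            index++;
            LOG.debug("    Signer {}: {} ", index, signerInformationToString(signer));
            if (signer.getSignedAttributes() != null) {
                Hashtable<String, Attribute> signedAttributes = signer.getSignedAttributes().toHashtable();
                if (signedAttributes != null) {
                    LOG.debug("    Signed attributes of signer {}: {}", index, attributesToString(signedAttributes));
                }
            }
            if (signer.getUnsignedAttributes() != null) {
                Hashtable<String, Attribute> unsignedAttributes = signer.getUnsignedAttributes().toHashtable();
                if (unsignedAttributes != null) {
                    LOG.debug("    Unsigned attributes of signer {}: {}", index, attributesToString(unsignedAttributes));
                }
            }
        }
    }

    /**
     * Verifies the signer infos of the parsed Signed Data against the configured certificates.
     * <p>
     * Each signer info is matched to a configured certificate by its signer id (issuer and
     * serial number). If "verify signatures of all signers" is off, the method returns after the
     * first successfully verified signer and signers without a matching certificate are skipped;
     * if it is on, every signer must have a matching certificate and verify.
     *
     * @param cMSSignedDataParser parser whose content has already been consumed
     * @param exchange            the current exchange, used to resolve the configuration
     * @throws CryptoCmsNoCertificateForSignerInfosException if no certificate is configured or
     *         no signer could be verified
     * @throws CryptoCmsNoCertificateForSignerInfoException if all signers must be verified and
     *         one has no matching certificate
     * @throws CryptoCmsSignatureException if a signature does not verify
     * @throws CryptoCmsVerifierCertificateNotValidException if the matching certificate was not
     *         valid at signing time
     * @throws CryptoCmsSignatureInvalidContentHashException if the content digest does not match
     * @throws CryptoCmsException if the Signed Data contains no signer info
     * @throws Exception propagated from the parser or the verifier builder
     */
    public void verify(CMSSignedDataParser cMSSignedDataParser, Exchange exchange) throws Exception {
        SignerInformationStore signerInfos = getNonEmptySenderInfos(cMSSignedDataParser);
        Collection<X509Certificate> certificates = this.conf.getCertificates(exchange);
        // a null certificate collection is treated like an empty one
        if (certificates == null || certificates.isEmpty()) {
            throw new CryptoCmsNoCertificateForSignerInfosException("Cannot verify the signatures of the PKCS7/CMS Signed Data object: No verifier certificate is configured.");
        }
        JcaCertStore certStore = new JcaCertStore(certificates);
        // resolved once; the configuration is queried with the same exchange for every signer
        boolean verifyAllSigners = this.conf.isVerifySignaturesOfAllSigners(exchange).booleanValue();
        boolean anySignerVerified = false;
        for (SignerInformation signer : signerInfos.getSigners()) {
            Collection<X509CertificateHolder> matches = certStore.getMatches(signer.getSID());
            if (matches.isEmpty()) {
                if (verifyAllSigners) {
                    throw new CryptoCmsNoCertificateForSignerInfoException("PKCS7/CMS signature verification failed. The public key for the signer information with " + signerInformationToString(signer) + " cannot be found in the configured certificates: " + certsToString(certificates));
                }
                continue;
            }
            // the first certificate matching the signer id is used
            X509CertificateHolder holder = matches.iterator().next();
            verifySigner(signer, holder);
            anySignerVerified = true;
            if (!verifyAllSigners) {
                return;
            }
        }
        if (!anySignerVerified) {
            throw new CryptoCmsNoCertificateForSignerInfosException("Cannot verify the signature of the PKCS7/CMS signed data object with the certificates " + certsToString(certificates) + " specified in the configuration. The signers in the signed data object are: " + signersToString(signerInfos));
        }
    }

    /**
     * Verifies one signer info against the certificate matched by its signer id, translating
     * the BouncyCastle failure types into the component's exception types.
     *
     * @param signer the signer info to verify
     * @param holder the certificate whose public key verifies the signature
     * @throws CryptoCmsSignatureException if the signature does not verify
     * @throws CryptoCmsVerifierCertificateNotValidException if the certificate was not valid at signing time
     * @throws CryptoCmsSignatureInvalidContentHashException if the content digest does not match
     * @throws Exception propagated from the verifier builder
     */
    private void verifySigner(SignerInformation signer, X509CertificateHolder holder) throws Exception {
        try {
            boolean valid = signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(PROVIDER).build(holder));
            if (!valid) {
                throw new CryptoCmsSignatureException(VERIFICATION_FAILED_PREFIX + issuerSerialNumberSubject(holder));
            }
            LOG.debug("Verification successful");
        } catch (CMSVerifierCertificateNotValidException e) {
            throw new CryptoCmsVerifierCertificateNotValidException(VERIFICATION_FAILED_PREFIX + issuerSerialNumberSubject(holder) + ". Certificate was not valid at the signing time.", e);
        } catch (CMSSignerDigestMismatchException e) {
            throw new CryptoCmsSignatureInvalidContentHashException(VERIFICATION_FAILED_PREFIX + issuerSerialNumberSubject(holder) + ". Calculated hash differs from the signed hash value. Either the message content does not correspond to the signature or the message might be tampered.", e);
        }
    }

    /**
     * Returns the signer infos of the parser, rejecting Signed Data without any signer.
     *
     * @param cMSSignedDataParser parser whose content has already been consumed
     * @return the non-empty signer info store
     * @throws CryptoCmsException if no signer info is present
     * @throws CMSException if the signer infos cannot be obtained
     */
    SignerInformationStore getNonEmptySenderInfos(CMSSignedDataParser cMSSignedDataParser) throws CryptoCmsException, CMSException {
        SignerInformationStore signerInfos = cMSSignedDataParser.getSignerInfos();
        if (signerInfos.size() == 0) {
            throw new CryptoCmsException("Sent CMS/PKCS7 signed data message is incorrect. No signer info found in signed data. Correct the sent message.");
        }
        return signerInfos;
    }

    /**
     * Renders the identifying fields of a signer info for log and error messages.
     *
     * @param signerInformation the signer info, may be null
     * @return the rendered description, or null if {@code signerInformation} is null
     */
    protected String signerInformationToString(SignerInformation signerInformation) {
        if (signerInformation == null) {
            return null;
        }
        return "ContentTypeOID=" + signerInformation.getContentType()
                + ", Issuer=" + signerInformation.getSID().getIssuer()
                + ", SerialNumber=" + signerInformation.getSID().getSerialNumber()
                + ", SignerInfoVersion=" + signerInformation.getVersion()
                + ", SignatureAlgorithmOID=" + signerInformation.getDigestAlgOID()
                + ", EncryptionAlgorithmOID=" + signerInformation.getEncryptionAlgOID()
                + ", isCounterSignature=" + signerInformation.isCounterSignature();
    }

    /**
     * Renders issuer and serial number of every signer as {@code [Issuer=..., SerialNumber=...]}
     * entries separated by {@code "; "}.
     *
     * @param signerInformationStore the signers, may be null
     * @return the rendered list, or null if {@code signerInformationStore} is null
     */
    protected String signersToString(SignerInformationStore signerInformationStore) {
        if (signerInformationStore == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        String separator = "";
        for (SignerInformation signer : signerInformationStore.getSigners()) {
            sb.append(separator)
                    .append('[')
                    .append("Issuer=")
                    .append(signer.getSID().getIssuer())
                    .append(", SerialNumber=")
                    .append(signer.getSID().getSerialNumber())
                    .append(']');
            separator = "; ";
        }
        return sb.toString();
    }

    /**
     * Renders the attribute types of a signer-info attribute table, followed by the values of
     * the well-known attributes listed in {@link #isValueLogged}. Only the table's values are
     * consulted, not its keys.
     *
     * @param hashtable the attributes as returned by {@code AttributeTable.toHashtable()}, may be null
     * @return a comma-terminated rendering, or null if {@code hashtable} is null
     */
    protected String attributesToString(Hashtable<String, Attribute> hashtable) {
        if (hashtable == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        for (Attribute attribute : hashtable.values()) {
            sb.append(attribute.getAttrType());
            if (isValueLogged(attribute)) {
                sb.append("=");
                sb.append(attribute.getAttrValues());
            }
            sb.append(",");
        }
        return sb.toString();
    }

    /**
     * Tells whether the value of an attribute is included in debug output. Only the signing time,
     * message digest, CMS algorithm protection and content type attributes qualify; values of
     * other attributes are presumably left out to keep arbitrary attribute payloads out of logs.
     * <p>
     * The content type is compared against {@code CMSAttributes.contentType}; the earlier
     * comparison against the String {@code "contentType"} could never match an OID.
     *
     * @param attribute the attribute to inspect
     * @return true if the attribute value should be rendered
     */
    private static boolean isValueLogged(Attribute attribute) {
        return CMSAttributes.signingTime.equals(attribute.getAttrType())
                || CMSAttributes.messageDigest.equals(attribute.getAttrType())
                || CMSAttributes.cmsAlgorithmProtect.equals(attribute.getAttrType())
                || CMSAttributes.contentType.equals(attribute.getAttrType());
    }
}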
