package org.apache.pdfbox.examples.signature.validation;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.pdfbox.examples.signature.cert.CertificateVerifier;
import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;
import org.bouncycastle.util.Store;

/* loaded from: input_file:org/apache/pdfbox/examples/signature/validation/CertInformationCollector.class */
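/**
 * Collects the certificates reachable from a PDF signature (signer, embedded certificates,
 * timestamp signer and issuers published via Authority Information Access) and records, per
 * certificate, the OCSP/CRL/issuer URLs found in its extensions.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>Everything processed here comes from the signed document and must be treated as
 * untrusted input. That includes the issuer URL that this class downloads from.</li>
 * <li>Within this class, linking a certificate to its issuer only checks that the issuer
 * name matches and that the certificate's signature verifies with the candidate's public
 * key. No validity-period, revocation or trust-anchor check is made here, so a completed
 * chain is not a statement of trust.</li>
 * <li>Instances keep mutable state ({@code certificateSet}, {@code rootCertInfo}) and show
 * no synchronization. NOTE(review): presumably meant for single-threaded use; confirm.</li>
 * </ul>
 */
public class CertInformationCollector {
    private static final Log LOG = LogFactory.getLog(CertInformationCollector.class);

    /** Upper bound on the number of issuer links followed from a starting certificate. */
    private static final int MAX_CERTIFICATE_CHAIN_DEPTH = 5;

    /** Every certificate seen so far; also the candidate pool when searching for issuers. */
    private final Set<X509Certificate> certificateSet = new HashSet<X509Certificate>();

    /** Issuer URLs already fetched during the current traversal, so each is fetched only once. */
    private final Set<String> visitedIssuerUrls = new HashSet<String>();

    private final JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter();
    private CertSignatureInformation rootCertInfo;

    /**
     * Information gathered for one certificate, linked to the information of its issuer
     * ({@code certChain}), of a downloaded issuer ({@code alternativeCertChain}) and, for the
     * root entry of a signature, of the timestamp signer ({@code tsaCerts}).
     */
    public class CertSignatureInformation {
        private X509Certificate certificate;
        // Set only on the root entry, from CertInformationHelper.getSha1Hash(signature bytes).
        private String signatureHash;
        private boolean isSelfSigned = false;
        private String ocspUrl;
        private String crlUrl;
        // Taken from the certificate's Authority Information Access extension (untrusted).
        private String issuerUrl;
        private X509Certificate issuerCertificate;
        private CertSignatureInformation certChain;
        private CertSignatureInformation tsaCerts;
        private CertSignatureInformation alternativeCertChain;

        public CertSignatureInformation() {
        }

        /** @return the OCSP responder URL recorded for this certificate, or {@code null} */
        public String getOcspUrl() {
            return this.ocspUrl;
        }

        public void setOcspUrl(String str) {
            this.ocspUrl = str;
        }

        public void setIssuerUrl(String str) {
            this.issuerUrl = str;
        }

        /** @return the CRL distribution point URL recorded for this certificate, or {@code null} */
        public String getCrlUrl() {
            return this.crlUrl;
        }

        public X509Certificate getCertificate() {
            return this.certificate;
        }

        public boolean isSelfSigned() {
            return this.isSelfSigned;
        }

        /** @return the issuer found in the collected certificates, or {@code null} if none was linked */
        public X509Certificate getIssuerCertificate() {
            return this.issuerCertificate;
        }

        public String getSignatureHash() {
            return this.signatureHash;
        }

        public CertSignatureInformation getCertChain() {
            return this.certChain;
        }

        public CertSignatureInformation getTsaCerts() {
            return this.tsaCerts;
        }

        public CertSignatureInformation getAlternativeCertChain() {
            return this.alternativeCertChain;
        }
    }

    /**
     * Reads the signature contents from the given file and collects its certificate
     * information.
     *
     * @param pDSignature the signature whose contents are extracted from the file
     * @param str path of the signed PDF file
     * @return the information for the signer certificate, with its chain attached
     * @throws CertificateProccessingException if the signature or a certificate cannot be processed
     * @throws IOException if the file cannot be read or the signature data is incomplete
     */
    public CertSignatureInformation getLastCertInfo(PDSignature pDSignature, String str) throws CertificateProccessingException, IOException {
        FileInputStream documentInput = null;
        try {
            documentInput = new FileInputStream(str);
            return getCertInfo(pDSignature.getContents(documentInput));
        } finally {
            // Runs on success and on failure, so the file handle is never leaked.
            IOUtils.closeQuietly(documentInput);
        }
    }

    /**
     * Parses the CMS signature bytes and collects the signer chain and, if present, the
     * certificates of the signature timestamp.
     */
    private CertSignatureInformation getCertInfo(byte[] signatureContent) throws CertificateProccessingException, IOException {
        this.visitedIssuerUrls.clear();
        this.rootCertInfo = new CertSignatureInformation();
        this.rootCertInfo.signatureHash = CertInformationHelper.getSha1Hash(signatureContent);
        try {
            CMSSignedData signedData = new CMSSignedData(signatureContent);
            SignerInformation signer = processSignerStore(signedData.getCertificates(), signedData, this.rootCertInfo);
            addTimestampCerts(signer);
            return this.rootCertInfo;
        } catch (CMSException e) {
            LOG.error("Error occurred getting Certificate Information from Signature", e);
            throw new CertificateProccessingException(e);
        }
    }

    /**
     * Collects the certificates of the signature timestamp token stored in the signer's
     * unsigned attributes. Does nothing when the signer carries no such token.
     */
    private void addTimestampCerts(SignerInformation signerInformation) throws IOException, CertificateProccessingException {
        if (signerInformation.getUnsignedAttributes() == null) {
            return;
        }
        Attribute tsAttribute = signerInformation.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (tsAttribute == null) {
            // Unsigned attributes exist but none of them is a timestamp token.
            return;
        }
        if (!(tsAttribute.getAttrValues() instanceof DERSet)) {
            return;
        }
        DERSet tsSet = (DERSet) tsAttribute.getAttrValues();
        if (tsSet.size() == 0) {
            // An empty value set holds no token to parse.
            return;
        }
        try {
            TimeStampToken tsToken = new TimeStampToken(new CMSSignedData(tsSet.getObjectAt(0).getEncoded("DER")));
            this.rootCertInfo.tsaCerts = new CertSignatureInformation();
            processSignerStore(tsToken.getCertificates(), tsToken.toCMSSignedData(), this.rootCertInfo.tsaCerts);
        } catch (CMSException e) {
            throw new IOException("Error parsing timestamp token", e);
        } catch (TSPException e2) {
            throw new IOException("Error parsing timestamp token", e2);
        }
    }

    /**
     * Locates the first signer of the CMS structure and its certificate, registers every
     * certificate of the store and walks the signer's chain.
     *
     * @return the first signer of {@code signedData}
     * @throws IOException if the structure has no signer or the signer's certificate is not in the store
     */
    private SignerInformation processSignerStore(Store<X509CertificateHolder> store, CMSSignedData signedData, CertSignatureInformation certInfo) throws IOException, CertificateProccessingException {
        // The CMS data is attacker-controlled: report missing parts as an I/O error
        // instead of failing with NoSuchElementException.
        Iterator<?> signers = signedData.getSignerInfos().getSigners().iterator();
        if (!signers.hasNext()) {
            throw new IOException("No signer found in the CMS signed data");
        }
        SignerInformation signerInformation = (SignerInformation) signers.next();

        Iterator<?> signerCerts = store.getMatches(signerInformation.getSID()).iterator();
        if (!signerCerts.hasNext()) {
            throw new IOException("Signer certificate not found in the CMS certificate store");
        }
        X509Certificate signerCertificate = getCertFromHolder((X509CertificateHolder) signerCerts.next());

        this.certificateSet.add(signerCertificate);
        // A null selector matches every certificate in the store.
        addAllCerts(store.getMatches((Selector) null));
        traverseChain(signerCertificate, certInfo, MAX_CERTIFICATE_CHAIN_DEPTH);
        return signerInformation;
    }

    /**
     * Fills {@code certInfo} for {@code certificate} and recurses into its issuer, looked up
     * among the collected certificates, until a self-signed certificate is reached or
     * {@code maxDepth} is used up.
     *
     * @throws IOException if no issuer is found for a certificate that is not self-signed
     * @throws CertificateProccessingException if a cryptographic operation fails, including
     *         a name-matching candidate whose key does not verify the certificate
     */
    private void traverseChain(X509Certificate certificate, CertSignatureInformation certInfo, int maxDepth) throws IOException, CertificateProccessingException {
        certInfo.certificate = certificate;

        byte[] authorityInfoAccess = certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (authorityInfoAccess != null) {
            CertInformationHelper.getAuthorityInfoExtensionValue(authorityInfoAccess, certInfo);
        }
        if (certInfo.issuerUrl != null) {
            getAlternativeIssuerCertificate(certInfo, maxDepth);
        }

        byte[] crlDistributionPoints = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (crlDistributionPoints != null) {
            certInfo.crlUrl = CertInformationHelper.getCrlUrlFromExtensionValue(crlDistributionPoints);
        }

        try {
            certInfo.isSelfSigned = CertificateVerifier.isSelfSigned(certificate);
            if (maxDepth <= 0 || certInfo.isSelfSigned) {
                return;
            }
            for (X509Certificate candidate : this.certificateSet) {
                if (!certificate.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) {
                    continue;
                }
                // The first candidate with a matching name decides: a failed verification
                // aborts the traversal through the catch below.
                certificate.verify(candidate.getPublicKey(), SecurityProvider.getProvider().getName());
                LOG.info("Found the right Issuer Cert! for Cert: " + certificate.getSubjectX500Principal() + "\n" + candidate.getSubjectX500Principal());
                certInfo.issuerCertificate = candidate;
                certInfo.certChain = new CertSignatureInformation();
                traverseChain(candidate, certInfo.certChain, maxDepth - 1);
                // The recursion may have added to certificateSet; leave the loop without
                // touching the iterator again.
                break;
            }
            if (certInfo.issuerCertificate == null) {
                throw new IOException("No Issuer Certificate found for Cert: " + certificate.getSubjectX500Principal());
            }
        } catch (GeneralSecurityException e) {
            throw new CertificateProccessingException(e);
        }
    }

    /**
     * Downloads the issuer certificate named in the certificate's Authority Information
     * Access extension and walks its chain as an alternative chain. Download and parsing
     * failures are logged and otherwise ignored.
     *
     * <p>The URL comes from an untrusted certificate, so the fetch is restricted: it is
     * skipped once the depth budget is used up, each URL is fetched at most once per
     * traversal, and only network schemes are accepted.
     */
    private void getAlternativeIssuerCertificate(CertSignatureInformation certInfo, int maxDepth) throws CertificateProccessingException {
        if (maxDepth <= 0) {
            // Without this bound a certificate whose issuer URL leads back to itself
            // would be downloaded and traversed without end.
            return;
        }
        if (!this.visitedIssuerUrls.add(certInfo.issuerUrl)) {
            return;
        }
        LOG.info("Get alternative issuer certificate from: " + certInfo.issuerUrl);
        try {
            URL certUrl = new URL(certInfo.issuerUrl);
            if (!isAllowedIssuerScheme(certUrl.getProtocol())) {
                // Keeps a crafted certificate from pointing the download at local
                // resources such as file: or jar: URLs.
                LOG.warn("Ignoring alternative issuer URL with unsupported scheme: " + certInfo.issuerUrl);
                return;
            }
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            // NOTE(review): openStream() uses the default connection settings (no explicit
            // timeout) and can reach internal hosts; consider a timeout and a host policy.
            X509Certificate altIssuerCert;
            InputStream in = certUrl.openStream();
            try {
                altIssuerCert = (X509Certificate) certFactory.generateCertificate(in);
            } finally {
                // Close before recursing so the connection is released even on failure.
                IOUtils.closeQuietly(in);
            }
            this.certificateSet.add(altIssuerCert);
            certInfo.alternativeCertChain = new CertSignatureInformation();
            traverseChain(altIssuerCert, certInfo.alternativeCertChain, maxDepth - 1);
        } catch (IOException e) {
            LOG.error("Error getting alternative issuer certificate from " + certInfo.issuerUrl, e);
        } catch (CertificateException e2) {
            LOG.error("Error getting alternative issuer certificate from " + certInfo.issuerUrl, e2);
        }
    }

    /** Tells whether an issuer certificate may be downloaded over the given URL scheme. */
    private static boolean isAllowedIssuerScheme(String scheme) {
        return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme) || "ftp".equalsIgnoreCase(scheme);
    }

    /** Converts a BouncyCastle certificate holder into a JCA {@link X509Certificate}. */
    private X509Certificate getCertFromHolder(X509CertificateHolder certificateHolder) throws CertificateProccessingException {
        try {
            return this.certConverter.getCertificate(certificateHolder);
        } catch (CertificateException e) {
            LOG.error("Certificate Exception getting Certificate from certHolder.", e);
            throw new CertificateProccessingException(e);
        }
    }

    /** Adds every convertible certificate to the collected set; failures are logged and skipped. */
    private void addAllCerts(Collection<X509CertificateHolder> certHolders) {
        for (X509CertificateHolder certificateHolder : certHolders) {
            try {
                this.certificateSet.add(getCertFromHolder(certificateHolder));
            } catch (CertificateProccessingException e) {
                LOG.warn("Certificate Exception getting Certificate from certHolder.", e);
            }
        }
    }

    /**
     * Adds the given certificates to the collected set, so that they can be found as issuers.
     *
     * @param x509CertificateHolderArr certificates to add; entries that cannot be converted are skipped
     */
    public void addAllCertsFromHolders(X509CertificateHolder[] x509CertificateHolderArr) throws CertificateProccessingException {
        addAllCerts(Arrays.asList(x509CertificateHolderArr));
    }

    /**
     * Collects the chain information for a single certificate, using the certificates
     * collected so far as issuer candidates.
     * (Decompiler note: this method was package-private in the original class.)
     *
     * @param x509Certificate the certificate to start from
     * @return the information for {@code x509Certificate}, with its chain attached
     * @throws CertificateProccessingException if the chain cannot be processed
     */
    public CertSignatureInformation getCertInfo(X509Certificate x509Certificate) throws CertificateProccessingException {
        this.visitedIssuerUrls.clear();
        try {
            CertSignatureInformation certInfo = new CertSignatureInformation();
            traverseChain(x509Certificate, certInfo, MAX_CERTIFICATE_CHAIN_DEPTH);
            return certInfo;
        } catch (IOException e) {
            throw new CertificateProccessingException(e);
        }
    }

    /**
     * @return the live set of collected certificates (not a copy); changes made by the
     *         caller affect later issuer lookups
     */
    public Set<X509Certificate> getCertificateSet() {
        return this.certificateSet;
    }
}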
