package org.apache.pdfbox.examples.signature.cert;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509Extension;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.pdfbox.examples.signature.SigUtils;
import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;

/* loaded from: input_file:org/apache/pdfbox/examples/signature/cert/CertificateVerifier.class */
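/**
 * Certification-path building and revocation checking for the signature examples package.
 * <p>
 * Trust is derived solely from the certificates handed in (and from certificates downloaded via
 * their AIA caIssuers URLs); no platform trust store is consulted. See
 * {@link #verifyCertificate(X509Certificate, Set, boolean, Date)} for the consequences.
 */
public final class CertificateVerifier {
    private static final Log LOG = LogFactory.getLog(CertificateVerifier.class);

    /**
     * CHOICE tag of GeneralName.uniformResourceIdentifier ([6] IMPLICIT IA5String, RFC 5280
     * section 4.2.1.6). Only accessLocation values of this form can be fetched as URLs.
     */
    private static final int GENERAL_NAME_URI_TAG = 6;

    /**
     * IA5String is 7-bit ASCII, so accessLocation bytes are decoded with a fixed charset rather
     * than the platform default charset that {@code new String(byte[])} would pick.
     */
    private static final Charset IA5_CHARSET = Charset.forName("US-ASCII");

    private CertificateVerifier() {
    }

    /**
     * Builds and verifies a certification path for {@code cert} at {@code signDate}, then runs
     * revocation checks (OCSP, falling back to CRL) for every certificate on the way to the root.
     * <p>
     * <b>Trust anchors are not taken from a trust store.</b> Every self-signed certificate in
     * {@code additionalCerts}, plus every self-signed certificate downloaded through the AIA
     * caIssuers URLs found in those certificates, is used as a trust anchor. A signer can thus
     * bring its own root; callers must compare
     * {@link PKIXCertPathBuilderResult#getTrustAnchor()} of the returned result against the
     * roots they actually trust.
     *
     * @param cert the certificate to verify (normally the signing certificate)
     * @param additionalCerts certificates available for building the chain (e.g. the signature's
     *   certificate set); may be empty
     * @param verifySelfSignedCert if {@code false}, a self-signed {@code cert} is rejected right
     *   away; if {@code true}, it is verified like any other certificate
     * @param signDate the time at which the path must be valid. If this comes from the signature
     *   itself it is signer-controlled unless backed by a trusted timestamp.
     * @return the built and verified path, including the trust anchor it ends at
     * @throws CertificateVerificationException if the path cannot be built or verified, if no
     *   self-signed certificate is available as a root, or if a revocation check fails. All
     *   other failures (I/O, security provider, OCSP, revoked certificate) are wrapped in it
     *   with the original exception as cause.
     */
    public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
            Set<X509Certificate> additionalCerts, boolean verifySelfSignedCert, Date signDate)
            throws CertificateVerificationException {
        try {
            if (!verifySelfSignedCert && isSelfSigned(cert)) {
                throw new CertificateVerificationException("The certificate is self-signed.");
            }

            Set<X509Certificate> certSet = collectCertificates(cert, additionalCerts);

            // Split into trust anchors (self-signed) and intermediates (everything else).
            Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
            Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
            for (X509Certificate candidate : certSet) {
                if (isSelfSigned(candidate)) {
                    trustAnchors.add(new TrustAnchor(candidate, null));
                } else {
                    intermediateCerts.add(candidate);
                }
            }
            if (trustAnchors.isEmpty()) {
                throw new CertificateVerificationException("No root certificate in the chain");
            }

            PKIXCertPathBuilderResult verifiedCertChain =
                    verifyCertificate(cert, trustAnchors, intermediateCerts, signDate);
            LOG.info("Certification chain verified successfully up to this root: "
                    + verifiedCertChain.getTrustAnchor().getTrustedCert().getSubjectX500Principal());

            checkRevocations(cert, certSet, signDate);

            return verifiedCertChain;
        } catch (CertPathBuilderException ex) {
            throw new CertificateVerificationException(
                    "Error building certification path: " + cert.getSubjectX500Principal(), ex);
        } catch (CertificateVerificationException ex) {
            throw ex;
        } catch (Exception ex) {
            // Boundary: IOException, GeneralSecurityException, OCSPException and
            // RevokedCertificateException from the checks above all surface as one type.
            throw new CertificateVerificationException(
                    "Error verifying the certificate: " + cert.getSubjectX500Principal(), ex);
        }
    }

    /**
     * Returns {@code additionalCerts} plus every certificate reachable through AIA caIssuers
     * URLs: the URLs of {@code cert} and of the additional certificates are fetched first, then
     * the URLs of whatever was newly downloaded, until a round yields nothing new.
     *
     * @param cert the certificate under verification
     * @param additionalCerts the caller-supplied certificates
     * @return a new, mutable set
     */
    private static Set<X509Certificate> collectCertificates(X509Certificate cert,
            Set<X509Certificate> additionalCerts) {
        Set<X509Certificate> certSet = new HashSet<X509Certificate>(additionalCerts);
        Set<X509Certificate> certsToTry = new HashSet<X509Certificate>(additionalCerts);
        certsToTry.add(cert);
        int downloadSize = 0;
        while (!certsToTry.isEmpty()) {
            Set<X509Certificate> nextCertsToTry = new HashSet<X509Certificate>();
            for (X509Certificate tryCert : certsToTry) {
                for (X509Certificate downloaded : downloadExtraCertificates(tryCert)) {
                    // add() is false for certificates already known; that is what ends the loop
                    if (certSet.add(downloaded)) {
                        nextCertsToTry.add(downloaded);
                        downloadSize++;
                    }
                }
            }
            certsToTry = nextCertsToTry;
        }
        if (downloadSize > 0) {
            LOG.info("CA issuers: " + downloadSize + " downloaded certificate(s) are new");
        }
        return certSet;
    }

    /**
     * Runs revocation checks for {@code cert} and, recursively, for each of its issuers found in
     * {@code certSet}, stopping at self-signed certificates.
     *
     * @param cert the certificate to check
     * @param certSet all certificates that may act as issuers (and as CRL/OCSP chain material)
     * @param signDate the time the revocation status is evaluated at
     * @throws RevokedCertificateException if a certificate on the path is revoked
     * @throws CertificateVerificationException if a revocation check cannot be completed
     */
    private static void checkRevocations(X509Certificate cert, Set<X509Certificate> certSet,
            Date signDate) throws IOException, CertificateVerificationException, OCSPException,
            RevokedCertificateException, GeneralSecurityException {
        checkRevocations(cert, certSet, signDate, new HashSet<X509Certificate>());
    }

    /**
     * Worker for {@link #checkRevocations(X509Certificate, Set, Date)} carrying the set of
     * certificates already processed on this call, so that cross-signed issuers (A signed by B,
     * B signed by A, neither self-signed) cannot recurse without end.
     */
    private static void checkRevocations(X509Certificate cert, Set<X509Certificate> certSet,
            Date signDate, Set<X509Certificate> alreadyChecked) throws IOException,
            CertificateVerificationException, OCSPException, RevokedCertificateException,
            GeneralSecurityException {
        if (isSelfSigned(cert)) {
            // reached a root: nothing above it to ask about its status
            return;
        }
        if (!alreadyChecked.add(cert)) {
            LOG.debug("Revocation of " + cert.getSubjectX500Principal()
                    + " already checked on another path");
            return;
        }
        for (X509Certificate issuerCert : certSet) {
            try {
                cert.verify(issuerCert.getPublicKey(), SecurityProvider.getProvider().getName());
            } catch (SignatureException ex) {
                // not signed by this key: not an issuer of cert
                continue;
            } catch (InvalidKeyException ex) {
                // wrong key type/format for this signature: not an issuer of cert
                continue;
            }
            // Deliberately outside the try above: a GeneralSecurityException raised by the
            // revocation check itself must propagate (fail closed) instead of being mistaken for
            // "not the issuer" and silently dropped. There can be several issuers, so keep going.
            checkRevocationsWithIssuer(cert, issuerCert, certSet, signDate, alreadyChecked);
        }
    }

    /**
     * Checks the revocation status of {@code cert} against {@code issuerCert}: OCSP if the
     * certificate names an OCSP responder, otherwise CRL. OCSP transport/protocol failures
     * ({@link IOException}, {@link OCSPException}) fall back to CRL; any other OCSP outcome
     * (unsuccessful status, revoked, responder certificate rejected) is final. Afterwards the
     * issuer itself is checked the same way.
     */
    private static void checkRevocationsWithIssuer(X509Certificate cert,
            X509Certificate issuerCert, Set<X509Certificate> certSet, Date signDate,
            Set<X509Certificate> alreadyChecked) throws CertificateVerificationException,
            IOException, RevokedCertificateException, GeneralSecurityException, OCSPException {
        String ocspURL = extractOCSPURL(cert);
        if (ocspURL == null) {
            LOG.info("OCSP not available, will try CRL");
            CRLVerifier.verifyCertificateCRLs(cert, signDate, certSet);
        } else {
            try {
                OcspHelper ocspHelper = new OcspHelper(cert, signDate, issuerCert, certSet, ocspURL);
                verifyOCSP(ocspHelper, certSet);
            } catch (OCSPException ex) {
                fallBackToCRL(cert, certSet, signDate, "OCSPException", ex);
            } catch (IOException ex) {
                fallBackToCRL(cert, certSet, signDate, "IOException", ex);
            }
        }
        checkRevocations(issuerCert, certSet, signDate, alreadyChecked);
    }

    /**
     * Logs why OCSP was abandoned and runs the CRL check instead.
     *
     * @param failureKind exception kind named in the log line ("OCSPException" or "IOException")
     */
    private static void fallBackToCRL(X509Certificate cert, Set<X509Certificate> certSet,
            Date signDate, String failureKind, Exception cause)
            throws CertificateVerificationException, IOException, RevokedCertificateException,
            GeneralSecurityException, OCSPException {
        LOG.warn(failureKind + " trying OCSP, will try CRL", cause);
        LOG.warn("Certificate# to check: " + cert.getSerialNumber().toString(16));
        CRLVerifier.verifyCertificateCRLs(cert, signDate, certSet);
    }

    /**
     * Tells whether the certificate's signature verifies with its own public key. Note that this
     * is purely a signature check; subject and issuer names are not compared.
     *
     * @param cert the certificate to test
     * @return {@code true} if the signature verifies with the certificate's own key;
     *   {@code false} on a signature or key mismatch, or when the security provider cannot be
     *   obtained
     * @throws GeneralSecurityException for failures other than a plain mismatch (unknown
     *   algorithm, missing provider, encoding problems)
     */
    public static boolean isSelfSigned(X509Certificate cert) throws GeneralSecurityException {
        try {
            cert.verify(cert.getPublicKey(), SecurityProvider.getProvider().getName());
            return true;
        } catch (IOException ex) {
            // presumably raised by SecurityProvider.getProvider(); X509Certificate.verify does not throw it
            LOG.debug("Couldn't get signature information - returning false", ex);
            return false;
        } catch (InvalidKeyException ex) {
            LOG.debug("Couldn't get signature information - returning false", ex);
            return false;
        } catch (SignatureException ex) {
            LOG.debug("Couldn't get signature information - returning false", ex);
            return false;
        }
    }

    /**
     * Downloads the certificates referenced by the caIssuers entries of the certificate's
     * authorityInfoAccess extension. Best effort: every problem (unparsable extension,
     * non-URI location, unreachable URL, undecodable content) is logged and skipped.
     * <p>
     * The URLs come from the certificate being verified, i.e. from untrusted input; this method
     * assumes {@code SigUtils.openURL} restricts what is fetched (scheme, redirects, size) and
     * does not check that itself. Downloaded certificates carry no trust on their own, except
     * that a self-signed one becomes a trust anchor in
     * {@link #verifyCertificate(X509Certificate, Set, boolean, Date)}.
     *
     * @param ext the certificate (or other extension holder) to read the AIA extension from
     * @return the downloaded certificates; empty if there is no usable caIssuers URL
     */
    public static Set<X509Certificate> downloadExtraCertificates(X509Extension ext) {
        Set<X509Certificate> resultSet = new HashSet<X509Certificate>();
        byte[] extensionValue = ext.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return resultSet;
        }
        ASN1Sequence accessDescriptions;
        try {
            ASN1Encodable parsed = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
            if (!(parsed instanceof ASN1Sequence)) {
                LOG.warn("ASN1Sequence expected, got " + parsed.getClass().getSimpleName());
                return resultSet;
            }
            accessDescriptions = (ASN1Sequence) parsed;
        } catch (IOException ex) {
            LOG.warn(ex.getMessage(), ex);
            return resultSet;
        }
        for (int i = 0; i < accessDescriptions.size(); i++) {
            String urlString = accessLocationUri(accessDescriptions.getObjectAt(i),
                    X509ObjectIdentifiers.id_ad_caIssuers);
            if (urlString == null) {
                continue;
            }
            LOG.info("CA issuers URL: " + urlString);
            InputStream in = null;
            try {
                in = SigUtils.openURL(urlString);
                Collection<? extends Certificate> downloaded =
                        CertificateFactory.getInstance("X.509").generateCertificates(in);
                for (Certificate downloadedCert : downloaded) {
                    resultSet.add((X509Certificate) downloadedCert);
                }
                LOG.info("CA issuers URL: " + downloaded.size() + " certificate(s) downloaded");
            } catch (CertificateException ex) {
                LOG.warn(ex.getMessage(), ex);
            } catch (IOException ex) {
                LOG.warn(urlString + " failure: " + ex.getMessage(), ex);
            } finally {
                IOUtils.closeQuietly(in);
            }
        }
        LOG.info("CA issuers: Downloaded " + resultSet.size() + " certificate(s) total");
        return resultSet;
    }

    /**
     * Extracts the URI from one AccessDescription of an authorityInfoAccess extension.
     *
     * @param entry one element of the AuthorityInfoAccessSyntax sequence
     * @param accessMethod the wanted accessMethod OID (id-ad-caIssuers or id-ad-ocsp)
     * @return the accessLocation as a string if the entry has the wanted method and its location
     *   is a uniformResourceIdentifier; {@code null} otherwise, including for malformed entries
     *   (which are logged and ignored rather than aborting the caller)
     */
    private static String accessLocationUri(ASN1Encodable entry, ASN1Encodable accessMethod) {
        if (!(entry instanceof ASN1Sequence) || ((ASN1Sequence) entry).size() != 2) {
            LOG.warn("Malformed AccessDescription in authorityInfoAccess extension, ignored");
            return null;
        }
        ASN1Sequence accessDescription = (ASN1Sequence) entry;
        if (!accessMethod.equals(accessDescription.getObjectAt(0))) {
            return null;
        }
        ASN1Encodable location = accessDescription.getObjectAt(1);
        if (!(location instanceof ASN1TaggedObject)
                || ((ASN1TaggedObject) location).getTagNo() != GENERAL_NAME_URI_TAG) {
            // e.g. a directoryName: cannot be fetched, and decoding it as text would give garbage
            LOG.info("accessLocation is not a uniformResourceIdentifier, ignored");
            return null;
        }
        try {
            // The implicitly tagged IA5String content is exposed as an octet string here.
            ASN1OctetString uri =
                    ASN1OctetString.getInstance(((ASN1TaggedObject) location).getBaseObject());
            return new String(uri.getOctets(), IA5_CHARSET);
        } catch (IllegalArgumentException ex) {
            LOG.warn("accessLocation URI is not encoded as expected, ignored", ex);
            return null;
        }
    }

    /**
     * Builds a PKIX certification path from {@code cert} to one of {@code trustAnchors} using
     * {@code intermediateCerts} as chain material and validates it at {@code signDate}.
     *
     * @throws GeneralSecurityException on a failed build ({@link CertPathBuilderException}) or
     *   on a provider/parameter problem
     */
    private static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
            Set<TrustAnchor> trustAnchors, Set<X509Certificate> intermediateCerts, Date signDate)
            throws GeneralSecurityException {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(cert);
        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
        // Revocation is handled afterwards by checkRevocations (OCSP, then CRL), not by the
        // built-in PKIX revocation checker.
        pkixParams.setRevocationEnabled(false);
        pkixParams.setPolicyQualifiersRejected(false);
        // validity is evaluated at the signing time, not at the time of verification
        pkixParams.setDate(signDate);
        pkixParams.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediateCerts)));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pkixParams);
    }

    /**
     * Returns the first OCSP responder URL from the certificate's authorityInfoAccess extension.
     *
     * @param cert the certificate to read
     * @return the URL, or {@code null} if there is no usable id-ad-ocsp entry with a URI
     * @throws IOException if the extension value cannot be parsed
     */
    private static String extractOCSPURL(X509Certificate cert) throws IOException {
        byte[] extensionValue = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (extensionValue == null) {
            return null;
        }
        ASN1Encodable parsed = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        if (!(parsed instanceof ASN1Sequence)) {
            LOG.warn("ASN1Sequence expected, got " + parsed.getClass().getSimpleName());
            return null;
        }
        ASN1Sequence accessDescriptions = (ASN1Sequence) parsed;
        for (int i = 0; i < accessDescriptions.size(); i++) {
            String ocspURL = accessLocationUri(accessDescriptions.getObjectAt(i),
                    X509ObjectIdentifiers.id_ad_ocsp);
            if (ocspURL != null) {
                LOG.info("OCSP URL: " + ocspURL);
                return ocspURL;
            }
        }
        return null;
    }

    /**
     * Obtains the OCSP response through {@code ocspHelper} and, unless the responder certificate
     * carries id-pkix-ocsp-nocheck or is the certificate under check itself, verifies the
     * responder certificate's own chain and revocation status at the current time.
     * <p>
     * Whether the response signature and the responder's authorization (RFC 6960 section 4.2.2.2)
     * are validated is up to {@code OcspHelper}; this method does not repeat that.
     *
     * @param ocspHelper helper configured for the certificate, its issuer and the responder URL
     * @param additionalCerts chain material for verifying the responder certificate
     * @throws RevokedCertificateException if the certificate (or the responder certificate) is revoked
     * @throws CertificateVerificationException if the response status is not successful, the
     *   response is not a basic response, or the responder certificate cannot be verified
     */
    private static void verifyOCSP(OcspHelper ocspHelper, Set<X509Certificate> additionalCerts)
            throws RevokedCertificateException, IOException, OCSPException,
            CertificateVerificationException {
        // The responder certificate is checked at the current time: the response was obtained
        // now, not at the signing time used for the rest of the chain.
        Date now = new Date();
        OCSPResp ocspResponse = ocspHelper.getResponseOcsp();
        if (ocspResponse.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new CertificateVerificationException(
                    "OCSP check not successful, status: " + ocspResponse.getStatus());
        }
        LOG.info("OCSP check successful");

        X509Certificate ocspResponderCertificate = ocspHelper.getOcspResponderCertificate();
        if (ocspResponderCertificate.getExtensionValue(
                OCSPObjectIdentifiers.id_pkix_ocsp_nocheck.getId()) != null) {
            // RFC 6960 section 4.2.2.2.1: the CA declares the responder trustworthy for the
            // lifetime of its certificate, so no revocation check on it. This also stops the
            // recursion responder -> its OCSP responder -> ...
            LOG.info("Revocation check of OCSP responder certificate skipped (id-pkix-ocsp-nocheck is set)");
            return;
        }
        if (ocspHelper.getCertificateToCheck().equals(ocspResponderCertificate)) {
            LOG.info("OCSP responder certificate is identical to certificate to check");
            return;
        }

        LOG.info("Check of OCSP responder certificate");
        Object responseObject = ocspResponse.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            throw new CertificateVerificationException(
                    "OCSP response is not a basic OCSP response");
        }
        BasicOCSPResp basicResponse = (BasicOCSPResp) responseObject;

        // Chain material: what the caller had, plus the certificates the responder sent along
        // (minus the responder certificate itself, which is the one being verified).
        Set<X509Certificate> chainCerts = new HashSet<X509Certificate>(additionalCerts);
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        for (X509CertificateHolder holder : basicResponse.getCerts()) {
            try {
                X509Certificate embeddedCert = converter.getCertificate(holder);
                if (!ocspResponderCertificate.equals(embeddedCert)) {
                    chainCerts.add(embeddedCert);
                }
            } catch (CertificateException ex) {
                LOG.error(ex, ex);
            }
        }
        // verifySelfSignedCert = true: a self-signed responder certificate is not rejected outright
        verifyCertificate(ocspResponderCertificate, chainCerts, true, now);
        LOG.info("Check of OCSP responder certificate done");
    }
}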
