package org.apache.pdfbox.examples.signature;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Comparator;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSObjectKey;
import org.apache.pdfbox.examples.signature.cert.CertificateVerificationException;
import org.apache.pdfbox.examples.signature.cert.CertificateVerifier;
import org.apache.pdfbox.examples.util.ConnectedInputStream;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.encryption.SecurityProvider;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;
import org.bouncycastle.util.Store;

/* loaded from: input_file:org/apache/pdfbox/examples/signature/SigUtils.class */
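/**
 * Static helpers used by the signature examples: reading and writing the DocMDP
 * permission, advisory certificate-usage checks, timestamp-token handling,
 * certificate-chain verification and URL download with a restricted redirect rule.
 *
 * <p>The {@code check*CertificateUsage} methods only write to the log; they never
 * reject a certificate. Callers that need enforcement must add it themselves.
 */
public class SigUtils {
    private static final Log LOG = LogFactory.getLog(SigUtils.class);

    /** Extended key usage OID named 'Adobe Authentic Documents Trust' in the log message below. */
    private static final String OID_ADOBE_AUTHENTIC_DOCUMENTS_TRUST = "1.2.840.113583.1.1.5";

    /** Microsoft document-signing extended key usage OID; accepted but not named in the log message. */
    private static final String OID_MS_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12";

    private SigUtils() {
    }

    /**
     * Reads the DocMDP access permission from the document catalog's /Perms entry.
     *
     * @param pDDocument the document to inspect
     * @return 0 when no DocMDP transform parameters are found; otherwise the /P value,
     *         replaced by 2 when /P is absent or outside 1..3
     */
    public static int getMDPPermission(PDDocument pDDocument) {
        COSDictionary perms = pDDocument.getDocumentCatalog().getCOSObject().getCOSDictionary(COSName.PERMS);
        if (perms == null) {
            return 0;
        }
        COSDictionary signatureDict = perms.getCOSDictionary(COSName.DOCMDP);
        if (signatureDict == null) {
            return 0;
        }
        COSArray references = signatureDict.getCOSArray(COSName.REFERENCE);
        if (references == null) {
            return 0;
        }
        for (int i = 0; i < references.size(); i++) {
            // The array content comes from the file, so every element is type-checked before use.
            COSBase entry = references.getObject(i);
            if (!(entry instanceof COSDictionary)) {
                continue;
            }
            COSDictionary sigRef = (COSDictionary) entry;
            if (!COSName.DOCMDP.equals(sigRef.getDictionaryObject(COSName.TRANSFORM_METHOD))) {
                continue;
            }
            COSBase params = sigRef.getDictionaryObject(COSName.TRANSFORM_PARAMS);
            if (params instanceof COSDictionary) {
                int permission = ((COSDictionary) params).getInt(COSName.P, 2);
                // Out-of-range values fall back to 2 instead of being passed on to the caller.
                return (permission < 1 || permission > 3) ? 2 : permission;
            }
        }
        return 0;
    }

    /**
     * Marks {@code pDSignature} as the DocMDP (certification) signature of the document
     * and records the access permission in its transform parameters.
     *
     * @param pDDocument the document being signed
     * @param pDSignature the signature dictionary that becomes the /Perms /DocMDP entry
     * @param i the value written to /P; it is not range-checked here, and
     *          {@link #getMDPPermission(PDDocument)} reads anything outside 1..3 back as 2
     * @throws IOException if a signature dictionary other than a document timestamp
     *         already has /Contents
     */
    public static void setMDPPermission(PDDocument pDDocument, PDSignature pDSignature, int i) throws IOException {
        for (PDSignature existing : pDDocument.getSignatureDictionaries()) {
            COSDictionary existingDict = existing.getCOSObject();
            boolean isDocTimeStamp = COSName.DOC_TIME_STAMP.equals(existingDict.getItem(COSName.TYPE));
            if (!isDocTimeStamp && existingDict.containsKey(COSName.CONTENTS)) {
                throw new IOException("DocMDP transform method not allowed if an approval signature exists");
            }
        }
        COSDictionary signatureDict = pDSignature.getCOSObject();

        COSDictionary transformParams = new COSDictionary();
        transformParams.setItem(COSName.TYPE, COSName.TRANSFORM_PARAMS);
        transformParams.setInt(COSName.P, i);
        transformParams.setName(COSName.V, "1.2");
        transformParams.setNeedToBeUpdated(true);
        transformParams.setDirect(true);

        COSDictionary sigRef = new COSDictionary();
        sigRef.setItem(COSName.TYPE, COSName.SIG_REF);
        sigRef.setItem(COSName.TRANSFORM_METHOD, COSName.DOCMDP);
        // NOTE(review): only the name "SHA1" is recorded here; this method computes no digest.
        // Confirm whether consumers of the reference dictionary still expect this value.
        sigRef.setItem(COSName.DIGEST_METHOD, COSName.getPDFName("SHA1"));
        sigRef.setItem(COSName.TRANSFORM_PARAMS, transformParams);
        sigRef.setNeedToBeUpdated(true);
        sigRef.setDirect(true);

        COSArray references = new COSArray();
        references.add(sigRef);
        signatureDict.setItem(COSName.REFERENCE, references);
        references.setNeedToBeUpdated(true);
        references.setDirect(true);

        // A fresh /Perms dictionary replaces whatever the catalog held before.
        COSDictionary catalog = pDDocument.getDocumentCatalog().getCOSObject();
        COSDictionary perms = new COSDictionary();
        catalog.setItem(COSName.PERMS, perms);
        perms.setItem(COSName.DOCMDP, pDSignature);
        catalog.setNeedToBeUpdated(true);
        perms.setNeedToBeUpdated(true);
    }

    /**
     * Logs an error when a signing certificate lacks the expected key usage or extended
     * key usage. The check is advisory: nothing is thrown or returned for a mismatch.
     *
     * @param x509Certificate the signing certificate
     * @throws CertificateParsingException if the extended key usage extension cannot be decoded
     */
    public static void checkCertificateUsage(X509Certificate x509Certificate) throws CertificateParsingException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // Index 0 is digitalSignature and index 1 is nonRepudiation.
        if (keyUsage != null && !keyUsage[0] && !keyUsage[1]) {
            LOG.error("Certificate key usage does not include digitalSignature nor nonRepudiation");
        }
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        // A certificate without the extension is not restricted, so nothing is reported.
        if (extendedKeyUsage == null) {
            return;
        }
        boolean accepted = containsAny(extendedKeyUsage,
                KeyPurposeId.id_kp_emailProtection.toString(),
                KeyPurposeId.id_kp_codeSigning.toString(),
                KeyPurposeId.anyExtendedKeyUsage.toString(),
                OID_ADOBE_AUTHENTIC_DOCUMENTS_TRUST,
                OID_MS_DOCUMENT_SIGNING);
        if (!accepted) {
            LOG.error("Certificate extended key usage does not include emailProtection, nor codeSigning, nor anyExtendedKeyUsage, nor 'Adobe Authentic Documents Trust'");
        }
    }

    /**
     * Logs an error when a timestamping certificate has an extended key usage extension
     * that lacks timeStamping. Advisory only; nothing is thrown for a mismatch.
     *
     * @param x509Certificate the certificate of the timestamp signer
     * @throws CertificateParsingException if the extended key usage extension cannot be decoded
     */
    public static void checkTimeStampCertificateUsage(X509Certificate x509Certificate) throws CertificateParsingException {
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        if (extendedKeyUsage != null && !extendedKeyUsage.contains(KeyPurposeId.id_kp_timeStamping.toString())) {
            LOG.error("Certificate extended key usage does not include timeStamping");
        }
    }

    /**
     * Logs an error when an OCSP responder certificate has an extended key usage extension
     * that lacks OCSPSigning. Advisory only; nothing is thrown for a mismatch.
     *
     * @param x509Certificate the certificate of the OCSP responder
     * @throws CertificateParsingException if the extended key usage extension cannot be decoded
     */
    public static void checkResponderCertificateUsage(X509Certificate x509Certificate) throws CertificateParsingException {
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        if (extendedKeyUsage != null && !extendedKeyUsage.contains(KeyPurposeId.id_kp_OCSPSigning.toString())) {
            LOG.error("Certificate extended key usage does not include OCSP responding");
        }
    }

    /**
     * Returns the signature dictionary with the largest second ByteRange entry, provided
     * its /Type is absent, /Sig or /DocTimeStamp.
     *
     * @param pDDocument the document to inspect
     * @return the selected signature, or {@code null} when the document has no signature
     *         dictionary or the selected one has another /Type
     */
    public static PDSignature getLastRelevantSignature(PDDocument pDDocument) {
        // NOTE(review): getByteRange()[1] is read without a length check; a signature dictionary
        // whose ByteRange has fewer than two entries would presumably fail here - confirm
        // against PDSignature.getByteRange().
        Comparator<PDSignature> bySecondByteRangeEntry = Comparator.comparing(sig -> sig.getByteRange()[1]);
        Optional<PDSignature> last = pDDocument.getSignatureDictionaries().stream()
                .sorted(bySecondByteRangeEntry.reversed())
                .findFirst();
        if (!last.isPresent()) {
            return null;
        }
        PDSignature candidate = last.get();
        COSBase type = candidate.getCOSObject().getItem(COSName.TYPE);
        if (type == null || COSName.SIG.equals(type) || COSName.DOC_TIME_STAMP.equals(type)) {
            return candidate;
        }
        return null;
    }

    /**
     * Extracts the signature timestamp token from the unsigned attributes of a signer.
     *
     * @param signerInformation the signer to read from
     * @return the timestamp token, or {@code null} when there are no unsigned attributes
     *         or no signature-timestamp attribute
     * @throws CMSException if the attribute value is not valid CMS signed data
     * @throws IOException if the attribute value cannot be encoded
     * @throws TSPException if the signed data is not a valid timestamp token
     */
    public static TimeStampToken extractTimeStampTokenFromSignerInformation(SignerInformation signerInformation) throws CMSException, IOException, TSPException {
        if (signerInformation.getUnsignedAttributes() == null) {
            return null;
        }
        Attribute attribute = signerInformation.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (attribute == null) {
            return null;
        }
        // Only the first attribute value is used. toASN1Primitive() yields an object that can
        // be encoded; the element type returned by getObjectAt() has no getEncoded() itself.
        byte[] encodedToken = attribute.getAttrValues().getObjectAt(0).toASN1Primitive().getEncoded();
        return new TimeStampToken(new CMSSignedData(encodedToken));
    }

    /**
     * Validates a timestamp token against the signer certificate embedded in the token.
     *
     * <p>The certificate is taken from the token itself, so a successful call does not
     * establish that the certificate is trusted; the chain has to be verified separately,
     * for example with {@link #verifyCertificateChain(Store, X509Certificate, Date)}.
     *
     * @param timeStampToken the token to validate
     * @throws TSPException if validation fails
     * @throws CertificateException if the token does not embed its signer certificate, or
     *         the certificate cannot be used to build the verifier
     * @throws OperatorCreationException if the verifier cannot be created
     * @throws IOException declared for callers; not thrown by the visible code
     */
    public static void validateTimestampToken(TimeStampToken timeStampToken) throws TSPException, CertificateException, OperatorCreationException, IOException {
        X509CertificateHolder signerHolder = findSignerCertificateHolder(timeStampToken);
        timeStampToken.validate(new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(SecurityProvider.getProvider())
                .build(signerHolder));
    }

    /**
     * Verifies {@code x509Certificate} with {@link CertificateVerifier}, passing every other
     * certificate from {@code store} as additional certificates.
     *
     * <p>NOTE(review): the store is typically filled from the signature being checked, so
     * these additional certificates are untrusted input; how trust anchors are chosen is
     * decided inside CertificateVerifier, which is not shown here.
     *
     * @param store certificates that accompany the signature
     * @param x509Certificate the certificate to verify
     * @param date the date passed to the verifier
     * @throws CertificateVerificationException if the verifier rejects the certificate
     * @throws CertificateException if a certificate in the store cannot be converted
     */
    public static void verifyCertificateChain(Store<X509CertificateHolder> store, X509Certificate x509Certificate, Date date) throws CertificateVerificationException, CertificateException {
        // A null selector matches every certificate in the store.
        Collection<X509CertificateHolder> holders = store.getMatches(null);
        Set<X509Certificate> additionalCerts = new HashSet<>();
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        for (X509CertificateHolder holder : holders) {
            X509Certificate candidate = converter.getCertificate(holder);
            if (!candidate.equals(x509Certificate)) {
                additionalCerts.add(candidate);
            }
        }
        CertificateVerifier.verifyCertificate(x509Certificate, additionalCerts, true, date);
    }

    /**
     * Requests a timestamp over empty input from the given timestamp authority and returns
     * the signer certificate embedded in the response.
     *
     * <p>The returned certificate is not validated by this method.
     *
     * @param str URL of the timestamp authority
     * @return the certificate of the timestamp signer
     * @throws GeneralSecurityException if SHA-256 is unavailable or the certificate cannot be converted
     * @throws IOException if the request fails
     * @throws URISyntaxException if {@code str} is not a valid URI
     */
    public static X509Certificate getTsaCertificate(String str) throws GeneralSecurityException, IOException, URISyntaxException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        TSAClient tsaClient = new TSAClient(new URI(str).toURL(), null, null, digest);
        InputStream emptyContent = new ByteArrayInputStream(new byte[0]);
        TimeStampToken token = tsaClient.getTimeStampToken(emptyContent);
        return getCertificateFromTimeStampToken(token);
    }

    /**
     * Returns the signer certificate embedded in a timestamp token.
     *
     * @param timeStampToken the token to read from
     * @return the certificate matching the token's signer id
     * @throws CertificateException if the token does not embed its signer certificate or
     *         the certificate cannot be converted
     */
    public static X509Certificate getCertificateFromTimeStampToken(TimeStampToken timeStampToken) throws CertificateException {
        return new JcaX509CertificateConverter().getCertificate(findSignerCertificateHolder(timeStampToken));
    }

    /**
     * Logs a warning for every object number missing from the cross reference table, that is,
     * every gap between 1 and the highest object number present.
     *
     * @param pDDocument the document to inspect
     */
    public static void checkCrossReferenceTable(PDDocument pDDocument) {
        TreeSet<COSObjectKey> keys = new TreeSet<>(pDDocument.getDocument().getXrefTable().keySet());
        // An empty table has no last element and no gaps to report.
        if (keys.isEmpty()) {
            return;
        }
        // Equal size and highest number is treated as "no gaps"; skip the scan in that case.
        if (keys.size() == keys.last().getNumber()) {
            return;
        }
        long expected = 0;
        for (COSObjectKey key : keys) {
            expected++;
            // Report each number skipped before this key; the loop ends once the key is reached.
            while (expected < key.getNumber()) {
                LOG.warn("Object " + expected + " missing, signature verification may fail in Adobe Reader, see https://stackoverflow.com/questions/71267471/");
                expected++;
            }
        }
    }

    /**
     * Opens a stream for the given URL. For HTTP(S), a 301/302/303 response is followed only
     * when it upgrades {@code http://} to {@code https://} with the rest of the URL unchanged;
     * any other redirect target is ignored and the original response is returned.
     *
     * <p>NOTE(review): URLs whose text does not start with "http" are opened with
     * {@link URL#openStream()} for whatever scheme the JVM supports. If callers pass URLs
     * taken from certificate extensions or other untrusted data, they should restrict the
     * scheme before calling - confirm against callers. No connect or read timeout is set here.
     *
     * @param str the URL to open
     * @return a stream over the response; for HTTP(S) it is wrapped together with its connection
     * @throws IOException if the connection or the response cannot be read
     * @throws URISyntaxException if {@code str} or the redirect target is not a valid URI
     */
    public static InputStream openURL(String str) throws IOException, URISyntaxException {
        URL url = new URI(str).toURL();
        if (!str.startsWith("http")) {
            return url.openStream();
        }
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try {
            int responseCode = connection.getResponseCode();
            LOG.info(responseCode + " " + connection.getResponseMessage());
            if (responseCode == 302 || responseCode == 301 || responseCode == 303) {
                String location = connection.getHeaderField("Location");
                // A redirect without a Location header is treated like any other ignored redirect.
                boolean sameUrlOverHttps = location != null
                        && str.startsWith("http://")
                        && location.startsWith("https://")
                        && str.substring(7).equals(location.substring(8));
                if (sameUrlOverHttps) {
                    LOG.info("redirection to " + location + " followed");
                    connection.disconnect();
                    connection = (HttpURLConnection) new URI(location).toURL().openConnection();
                } else {
                    LOG.info("redirection to " + location + " ignored");
                }
            }
            return new ConnectedInputStream(connection, connection.getInputStream());
        } catch (IOException | URISyntaxException | RuntimeException e) {
            // Nothing was handed to the caller, so release the connection before propagating.
            connection.disconnect();
            throw e;
        }
    }

    /** Returns true when {@code values} contains at least one of {@code candidates}. */
    private static boolean containsAny(List<String> values, String... candidates) {
        for (String candidate : candidates) {
            if (values.contains(candidate)) {
                return true;
            }
        }
        return false;
    }

    /** Finds the certificate holder in the token that matches the token's signer id. */
    private static X509CertificateHolder findSignerCertificateHolder(TimeStampToken token) throws CertificateException {
        @SuppressWarnings("unchecked") // the signer id may be an untyped selector
        Collection<X509CertificateHolder> matches = token.getCertificates().getMatches(token.getSID());
        Iterator<X509CertificateHolder> it = matches.iterator();
        if (!it.hasNext()) {
            throw new CertificateException("Timestamp token does not contain the certificate of its signer");
        }
        return it.next();
    }
}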
