package de.rub.nds.x509attacker.repairchain;

import de.rub.nds.asn1.Asn1Encodable;
import de.rub.nds.asn1.model.Asn1Boolean;
import de.rub.nds.asn1.model.Asn1Integer;
import de.rub.nds.asn1.model.Asn1PrimitiveBitString;
import de.rub.nds.modifiablevariable.util.RandomHelper;
import de.rub.nds.signatureengine.EngineTuple;
import de.rub.nds.signatureengine.SignatureEngine;
import de.rub.nds.signatureengine.keyparsers.KeyType;
import de.rub.nds.x509attacker.exceptions.RepairChainException;
import de.rub.nds.x509attacker.exceptions.X509ModificationException;
import de.rub.nds.x509attacker.helper.KeyFactory;
import de.rub.nds.x509attacker.repairchain.RepairChainConfig;
import de.rub.nds.x509attacker.x509.X509Certificate;
import de.rub.nds.x509attacker.x509.X509CertificateChain;
import de.rub.nds.x509attacker.xmlsignatureengine.XmlSignatureEngineException;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:de/rub/nds/x509attacker/repairchain/RepairChain.class */
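/**
 * Restores the internal consistency of an {@link X509CertificateChain} whose certificates were
 * modified, so the chain can serve as a well-formed test input for certificate validators.
 *
 * <p>Chain layout assumed by every step: the certificate at index 0 is treated as self-issued
 * (its issuer is copied from its own subject) and the certificate at index {@code i > 0} is
 * treated as issued by the certificate at index {@code i - 1}.
 *
 * <p>The repair steps only rewrite fields. Signature values are left as they are unless
 * {@code isComputeChainSignatureAfterRepair()} is set, in which case
 * {@code signAllCertificates()} runs as the last step.
 *
 * <p>Review notes on this revision (the listing was decompiler output): checks that were shown
 * after a {@code try} block and read locals the {@code catch} path leaves unassigned were moved
 * back inside the {@code try}; unreachable {@code break} statements after {@code throw} were
 * dropped; the per-certificate work that was duplicated for index 0 and for the loop is shared.
 */
public class RepairChain {
    private static final Logger LOGGER = LogManager.getLogger(RepairChain.class);

    /** ID path of the issuer name inside a certificate's identifier map. */
    private static final String ISSUER_PATH = "/certificate/tbsCertificate/issuer";

    /** ID path of the subject name inside a certificate's identifier map. */
    private static final String SUBJECT_PATH = "/certificate/tbsCertificate/subject";

    /**
     * keyCertSign is KeyUsage bit 5 (RFC 5280), which is mask 0x04 in the first content byte.
     * Assumes {@code getValue()} returns the bit-string content without the unused-bits octet.
     */
    private static final int KEY_CERT_SIGN_MASK = 0x04;

    /**
     * Runs every repair step enabled in the configuration and collects one status line per step.
     *
     * <p>A failing step does not stop the remaining steps; it marks the overall result as failed
     * and its message is included in the returned status text.
     *
     * @param repairChainConfig selects which steps run
     * @param x509CertificateChain chain that is modified in place
     * @return status whose flag is {@code true} only if no executed step failed
     */
    public static RepairChainStatus repair(RepairChainConfig repairChainConfig, X509CertificateChain x509CertificateChain) {
        LOGGER.trace("repair chain started ({})", repairChainConfig);
        boolean failed = false;
        StringBuilder report = new StringBuilder();
        if (repairChainConfig.isRepairIssuer()) {
            try {
                repairIssuer(x509CertificateChain);
                appendSuccess(report, "repair Issuer");
            } catch (RepairChainException e) {
                failed = true;
                appendFailure(report, "repair Issuer", e);
            }
        }
        if (repairChainConfig.isRepairAuthorityKeyIdentifier()) {
            try {
                repairAuthorityKeyIdentifier(x509CertificateChain);
                appendSuccess(report, "repair AuthorityKeyIdentifier");
            } catch (RepairChainException e) {
                failed = true;
                appendFailure(report, "repair AuthorityKeyIdentifier", e);
            }
        }
        if (repairChainConfig.isRepairCABit()) {
            try {
                repairCABit(x509CertificateChain);
                appendSuccess(report, "repair CABit");
            } catch (RepairChainException e) {
                failed = true;
                appendFailure(report, "repair CABit", e);
            }
        }
        if (repairChainConfig.isRepairPathLen()) {
            try {
                repairPathLen(x509CertificateChain);
                appendSuccess(report, "repair PathLen");
            } catch (RepairChainException e) {
                failed = true;
                appendFailure(report, "repair PathLen", e);
            }
        }
        if (repairChainConfig.isRepairKeyUsage()) {
            try {
                repairKeyUsage(x509CertificateChain);
                appendSuccess(report, "repair KeyUsage");
            } catch (RepairChainException e) {
                failed = true;
                // The failure line used to read "repair RepairKeyUsage"; it now matches the success label.
                appendFailure(report, "repair KeyUsage", e);
            }
        }
        if (repairChainConfig.getRepairSignAlgoKeyRelation() != RepairChainConfig.SignAlgoKeyRelationRepairMode.NONE) {
            try {
                repairSignAlgoKeyRelation(x509CertificateChain, repairChainConfig);
                appendSuccess(report, "repair SignAlgoKeyRelation");
            } catch (RepairChainException e) {
                failed = true;
                appendFailure(report, "repair SignAlgoKeyRelation", e);
            }
        }
        if (repairChainConfig.isComputeChainSignatureAfterRepair()) {
            // Runs last so the signatures cover the fields rewritten by the steps above.
            try {
                x509CertificateChain.signAllCertificates();
                appendSuccess(report, "compute ChainSignature after repair");
            } catch (XmlSignatureEngineException e) {
                failed = true;
                appendFailure(report, "compute ChainSignature after repair", e);
            }
        }
        if (report.length() == 0) {
            report.append("repair do nothing: success").append("\n");
        }
        RepairChainStatus status = new RepairChainStatus(!failed, report.toString());
        LOGGER.trace("repair chain finished ({})", status);
        return status;
    }

    /** Appends the status line of a step that completed. */
    private static void appendSuccess(StringBuilder report, String step) {
        report.append(step).append(": success").append("\n");
    }

    /** Appends the status line of a step that failed, followed by the cause. */
    private static void appendFailure(StringBuilder report, String step, Exception cause) {
        report.append(step).append(": failed => \n").append(cause).append("\n");
    }

    /** Returns the index of the certificate treated as issuer of {@code index}; index 0 issues itself. */
    private static int issuerIndexOf(int index) {
        return index == 0 ? 0 : index - 1;
    }

    /** Throws a {@link RepairChainException} carrying the collected messages, if there are any. */
    private static void throwIfFailed(StringBuilder errors) throws RepairChainException {
        if (errors.length() > 0) {
            throw new RepairChainException(errors.toString());
        }
    }

    /**
     * Sets every certificate's issuer to a copy of its issuer's subject.
     *
     * @throws RepairChainException if the issuer of at least one certificate could not be set
     */
    private static void repairIssuer(X509CertificateChain x509CertificateChain) throws RepairChainException {
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        StringBuilder errors = new StringBuilder();
        for (int i = 0; i < certs.size(); i++) {
            try {
                certs.get(i).getIdentifierMap().setElementByIDPath(ISSUER_PATH, certs.get(issuerIndexOf(i)).getIdentifierMap().getCopyByIDPath(SUBJECT_PATH));
            } catch (X509ModificationException e) {
                // Spacing of the existing status text is kept: "0: " for the first certificate, "i:" afterwards.
                errors.append("failed to repair Issuer for certificate ").append(i).append(i == 0 ? ": " : ":").append(e).append('\n');
            }
        }
        throwIfFailed(errors);
    }

    /**
     * Copies the issuer's SubjectKeyIdentifier value into each certificate's
     * AuthorityKeyIdentifier {@code keyIdentifier}. A certificate is left unchanged when either
     * extension is absent (empty path list).
     *
     * <p>A {@code null} path list or a failed element lookup is reported for that certificate and
     * the remaining certificates are still processed.
     *
     * @throws RepairChainException if at least one certificate could not be repaired
     */
    private static void repairAuthorityKeyIdentifier(X509CertificateChain x509CertificateChain) throws RepairChainException {
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        StringBuilder errors = new StringBuilder();
        for (int i = 0; i < certs.size(); i++) {
            try {
                X509Certificate cert = certs.get(i);
                X509Certificate issuer = certs.get(issuerIndexOf(i));
                List<String> akiPaths = cert.getIdentifierMap().getIDPathsByType("AuthorityKeyIdentifier");
                List<String> skiPaths = issuer.getIdentifierMap().getIDPathsByType("SubjectKeyIdentifier");
                if (akiPaths == null) {
                    throw new NullPointerException("AuthorityKeyIdentifier is null");
                }
                if (skiPaths == null) {
                    throw new NullPointerException("SubjectKeyIdentifier is null");
                }
                if (!akiPaths.isEmpty() && !skiPaths.isEmpty()) {
                    cert.getIdentifierMap().getElementByIDPath(akiPaths.get(0) + "/keyIdentifier").setValue(issuer.getIdentifierMap().getElementByIDPath(skiPaths.get(0)).getValue());
                }
            } catch (NullPointerException e) {
                // Spacing of the existing status text is kept: "0: " for the first certificate, "i:" afterwards.
                errors.append("failed to repair AKI for certificate ").append(i).append(i == 0 ? ": " : ":").append(e).append('\n');
            }
        }
        throwIfFailed(errors);
    }

    /**
     * Sets the BasicConstraints {@code ca} flag to {@code true} on every certificate that carries
     * a BasicConstraints extension, creating the flag element when it is missing.
     *
     * <p>NOTE(review): the last certificate is marked as CA as well. The original loop carried a
     * guard {@code i != certificateChain.size()} that was always true; confirm whether the
     * end-entity certificate was meant to be skipped.
     *
     * @throws RepairChainException if at least one certificate could not be repaired
     */
    private static void repairCABit(X509CertificateChain x509CertificateChain) throws RepairChainException {
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        StringBuilder errors = new StringBuilder();
        for (int i = 0; i < certs.size(); i++) {
            try {
                // The two wordings of the "missing" message are the ones the original used per position.
                markAsCa(certs.get(i), i == 0 ? "BasicConstraints is null" : "cert does not contain a BasicConstraints (is null)");
            } catch (X509ModificationException | NullPointerException e) {
                errors.append("failed to repair CABit for certificate " + i + ":").append(e).append('\n');
            }
        }
        throwIfFailed(errors);
    }

    /** Sets or creates the {@code ca} flag of one certificate; does nothing without BasicConstraints. */
    private static void markAsCa(X509Certificate cert, String missingMessage) throws X509ModificationException {
        List<String> constraintPaths = cert.getIdentifierMap().getIDPathsByType("BasicConstraints");
        if (constraintPaths == null) {
            throw new NullPointerException(missingMessage);
        }
        if (constraintPaths.isEmpty()) {
            return;
        }
        String caPath = constraintPaths.get(0) + "/ca";
        Asn1Boolean caFlag = cert.getIdentifierMap().getElementByIDPath(caPath);
        if (caFlag != null) {
            caFlag.setValue(true);
            return;
        }
        Asn1Boolean created = new Asn1Boolean();
        created.setValue(true);
        created.setIdentifier("ca");
        cert.getIdentifierMap().setElementByIDPath(caPath, created);
    }

    /**
     * Rewrites an existing {@code pathLenConstraint} so that the certificate at index {@code i}
     * allows {@code (size - 1) - i} certificates below it. Certificates without BasicConstraints
     * or without a {@code pathLenConstraint} element are left unchanged.
     *
     * @throws RepairChainException if at least one certificate could not be repaired
     */
    private static void repairPathLen(X509CertificateChain x509CertificateChain) throws RepairChainException {
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        StringBuilder errors = new StringBuilder();
        for (int i = 0; i < certs.size(); i++) {
            try {
                X509Certificate cert = certs.get(i);
                List<String> constraintPaths = cert.getIdentifierMap().getIDPathsByType("BasicConstraints");
                if (constraintPaths == null) {
                    throw new NullPointerException("cert does not contain a BasicConstraints (is null)");
                }
                if (!constraintPaths.isEmpty()) {
                    Asn1Integer pathLen = cert.getIdentifierMap().getElementByIDPath(constraintPaths.get(0) + "/pathLenConstraint");
                    if (pathLen != null) {
                        pathLen.setValue(BigInteger.valueOf((certs.size() - 1) - i));
                    }
                }
            } catch (NullPointerException e) {
                errors.append("failed to repair PathLen for certificate " + i + ":").append(e).append('\n');
            }
        }
        throwIfFailed(errors);
    }

    /**
     * Sets the keyCertSign bit in the first KeyUsage element of every certificate.
     *
     * <p>NOTE(review): the unused-bits count is always set to 2. If the lowest two bits of the
     * first byte are set, or the bit string is longer than one byte, that count does not describe
     * the value; confirm whether the count should be derived from the content instead.
     *
     * @throws RepairChainException if a certificate has no usable KeyUsage bit string
     */
    private static void repairKeyUsage(X509CertificateChain x509CertificateChain) throws RepairChainException {
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        StringBuilder errors = new StringBuilder();
        for (int i = 0; i < certs.size(); i++) {
            List<Asn1Encodable> keyUsages = certs.get(i).getIdentifierMap().getElementsByType("KeyUsage");
            if (keyUsages == null || keyUsages.isEmpty() || !(keyUsages.get(0) instanceof Asn1PrimitiveBitString)) {
                errors.append("failed to repair KeyUsage for certificate " + i + ": keyUsage is null or not Asn1PrimitiveBitString").append('\n');
                continue;
            }
            Asn1PrimitiveBitString keyUsage = (Asn1PrimitiveBitString) keyUsages.get(0);
            byte[] bits = keyUsage.getValue();
            if (bits == null || bits.length == 0) {
                // Without a first byte there is nothing to OR the flag into; report it instead of failing on bits[0].
                errors.append("failed to repair KeyUsage for certificate " + i + ": keyUsage has no content bytes").append('\n');
                continue;
            }
            bits[0] = (byte) (bits[0] | KEY_CERT_SIGN_MASK);
            keyUsage.setValue(bits);
            keyUsage.setUnusedBits(2);
        }
        throwIfFailed(errors);
    }

    /**
     * Makes each certificate's signature algorithm agree with the key type of its issuer.
     *
     * <p>{@code KEY_BASED} keeps the keys and replaces a mismatching signature algorithm OID with
     * one drawn via {@code RandomHelper.getRandom()} from the engines registered for the issuer's
     * key type. {@code SIGN_ALGO_BASED} keeps the signature algorithms and replaces a mismatching
     * issuer key with a key file picked from the configured keys resource folder; only the
     * certificate at index 1 may additionally get a new signature algorithm so that it agrees
     * with the key type implied by certificate 0.
     *
     * @throws RepairChainException if the chain is empty, the keys folder does not exist, or at
     *     least one certificate could not be repaired
     */
    private static void repairSignAlgoKeyRelation(X509CertificateChain x509CertificateChain, RepairChainConfig repairChainConfig) throws RepairChainException {
        RepairChainConfig.SignAlgoKeyRelationRepairMode mode = repairChainConfig.getRepairSignAlgoKeyRelation();
        List<X509Certificate> certs = x509CertificateChain.getCertificateChain();
        if (certs.isEmpty()) {
            throw new RepairChainException("chain is empty\n");
        }
        StringBuilder errors = new StringBuilder();
        if (mode == RepairChainConfig.SignAlgoKeyRelationRepairMode.KEY_BASED) {
            for (int i = 0; i < certs.size(); i++) {
                try {
                    KeyType issuerKeyType = certs.get(issuerIndexOf(i)).getKeyInfo().getKeyType();
                    if (!issuerKeyType.equals(signatureKeyTypeOf(certs.get(i)))) {
                        certs.get(i).getSignatureInfo().setSignatureAlgorithmOidValue(randomEngineFor(issuerKeyType).getObjectIdentifierString());
                    }
                } catch (NullPointerException | IllegalStateException e) {
                    // Reports the certificate whose signature algorithm is rewritten; the original
                    // loop reported the issuer's index, which duplicated "certificate 0".
                    errors.append("failed to repair SignAlgoKeyRelation for certificate " + i + ":").append(e).append('\n');
                }
            }
        } else if (mode == RepairChainConfig.SignAlgoKeyRelationRepairMode.SIGN_ALGO_BASED) {
            String keysFolderName = repairChainConfig.getKeysResourceFolder();
            // A missing setting is reported like a missing folder instead of failing inside new File(null).
            if (keysFolderName == null || !new File(keysFolderName).exists()) {
                throw new RepairChainException("keysResourceFolder: " + keysFolderName + " does not exists" + '\n');
            }
            File keysFolder = new File(keysFolderName);
            try {
                KeyType rootKeyType = signatureKeyTypeOf(certs.get(0));
                if (certs.size() > 1 && !rootKeyType.equals(signatureKeyTypeOf(certs.get(1)))) {
                    certs.get(1).getSignatureInfo().setSignatureAlgorithmOidValue(randomEngineFor(rootKeyType).getObjectIdentifierString());
                }
                if (!rootKeyType.equals(certs.get(0).getKeyInfo().getKeyType())) {
                    certs.get(0).setKeyFile(KeyFactory.getRandomKeyFile(keysFolder, rootKeyType));
                }
            } catch (IOException | NullPointerException | IllegalStateException e) {
                errors.append("failed to repair SignAlgoKeyRelation for certificate 0:").append(e).append('\n');
            }
            // The last certificate issues nothing, so its key is not replaced.
            for (int i = 1; i < certs.size() - 1; i++) {
                try {
                    KeyType requiredKeyType = signatureKeyTypeOf(certs.get(i + 1));
                    if (!requiredKeyType.equals(certs.get(i).getKeyInfo().getKeyType())) {
                        certs.get(i).setKeyFile(KeyFactory.getRandomKeyFile(keysFolder, requiredKeyType));
                    }
                } catch (IOException | NullPointerException | IllegalStateException e) {
                    errors.append("failed to repair SignAlgoKeyRelation for certificate " + i + ":").append(e).append('\n');
                }
            }
        }
        throwIfFailed(errors);
    }

    /** Returns the key type belonging to the signature algorithm the certificate is signed with. */
    private static KeyType signatureKeyTypeOf(X509Certificate cert) {
        return SignatureEngine.getEngineTupelForOID(cert.getEffectiveSignatureOID()).getKeyType();
    }

    /**
     * Picks one of the engines registered for the key type, using {@code RandomHelper.getRandom()}.
     *
     * @throws IllegalStateException if no engine is registered for the key type; the unguarded
     *     {@code nextInt(0)} would otherwise fail with an exception no caller in this class handles
     */
    private static EngineTuple randomEngineFor(KeyType keyType) {
        List<EngineTuple> candidates = SignatureEngine.getEngineTupelForKeyType(keyType);
        if (candidates.isEmpty()) {
            throw new IllegalStateException("no signature algorithm available for key type " + keyType);
        }
        return candidates.get(RandomHelper.getRandom().nextInt(candidates.size()));
    }
}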
