package de.tk.opensource.secon;

import java.io.IOException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Store;

/* loaded from: input_file:de/tk/opensource/secon/SignatureValidator.class */
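/**
 * Validates the signature of a single CMS signer against a certificate and then
 * hands that certificate to the configured {@link Verifier}.
 *
 * <p>Certificate resolution has two stages. The signer's certificate is first looked
 * up in the configured directories by the signer identifier (issuer, serial number,
 * subject key identifier). Only if no directory knows it are the certificates embedded
 * in the CMS message consulted, and each of those must first be shown to be signed by
 * an issuer certificate obtained from a directory.
 *
 * <p>This class only checks the direct issuer relationship of an embedded certificate.
 * It performs no validity-period, key-usage, basic-constraints or revocation checks;
 * whether {@code Verifier.verify} covers those has to be confirmed against that type.
 */
final class SignatureValidator {
    private final Verifier verifier;
    private final Directory[] directories;

    /**
     * @param verifier     checks every certificate that was used to verify a signature
     * @param directoryArr certificate directories, searched in array order; the array is
     *                     copied so that later changes to the caller's array cannot alter
     *                     the set of directories this validator trusts
     * @throws NullPointerException if either argument is {@code null}
     */
    public SignatureValidator(Verifier verifier, Directory[] directoryArr) {
        this.verifier = Objects.requireNonNull(verifier, "verifier");
        this.directories = Objects.requireNonNull(directoryArr, "directoryArr").clone();
    }

    /**
     * Verifies the signature of {@code signerInformation}.
     *
     * @param signerInformation the CMS signer whose signature is checked
     * @param store             certificates embedded in the CMS message; used only when
     *                          no directory knows the signer's certificate
     * @throws Exception on any lookup, conversion or verification failure
     */
    public void verify(SignerInformation signerInformation, Store<X509CertificateHolder> store) throws Exception {
        SignerId signerId = signerInformation.getSID();
        Optional<X509Certificate> fromDirectory = certificate(signerId);
        if (fromDirectory.isPresent()) {
            // A certificate supplied by a directory is used as-is; no issuer check here.
            verify(signerInformation, fromDirectory.get());
        } else {
            // Certificates carried in the message are not trusted until each has been
            // tied to a directory-provided issuer (see the Collection overload).
            verify(signerInformation, store.getMatches(signerId));
        }
    }

    /**
     * Verifies the signature with each embedded certificate that matches the signer.
     * Every such certificate must be signed by an issuer certificate found in a
     * directory before it is used to check the CMS signature.
     *
     * @param signerInformation the CMS signer whose signature is checked
     * @param holders           embedded certificates matching the signer identifier
     * @throws IllegalArgumentException         if {@code holders} is empty
     * @throws CertificateNotFoundException     if no directory knows a certificate's issuer
     * @throws CertificateVerificationException if the issuer did not sign the certificate
     * @throws InvalidSignatureException        if the CMS signature does not verify
     * @throws Exception                        on conversion failures and whatever
     *                                          {@code Verifier.verify} throws
     */
    private void verify(SignerInformation signerInformation, Collection<X509CertificateHolder> holders) throws Exception {
        if (holders.isEmpty()) {
            throw new IllegalArgumentException("No certificates found for verification of signer: " + signerInformation.getSID().getSerialNumber());
        }
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        for (X509CertificateHolder holder : holders) {
            X509Certificate certificate = converter.getCertificate(holder);
            Optional<X509Certificate> issuer = issuer(certificate);
            if (!issuer.isPresent()) {
                throw new CertificateNotFoundException(String.format("Issuer: %s not found for certificate: %s", certificate.getIssuerX500Principal().getName(), certificate.getSubjectX500Principal().getName()));
            }
            // Bind the embedded certificate to the directory's issuer before trusting its key.
            verifyIssuer(certificate, issuer.get());
            verifySignature(this.verifier, signerInformation, certificate);
        }
    }

    /**
     * Checks that {@code issuer}'s public key verifies the signature on {@code certificate}.
     *
     * @param certificate the certificate whose signature is checked
     * @param issuer      the certificate believed to have issued {@code certificate}
     * @throws CertificateVerificationException if the signature does not verify, or the
     *                                          check itself fails for any other reason
     */
    private void verifyIssuer(X509Certificate certificate, X509Certificate issuer) throws CertificateVerificationException {
        try {
            certificate.verify(issuer.getPublicKey());
        } catch (Exception e) {
            // Any failure (bad signature, unsupported algorithm, provider problem) is
            // deliberately reported as a verification failure: fail closed, keep the cause.
            throw new CertificateVerificationException(String.format("Invalid issuer certificate for certificate: %s", certificate.getSubjectX500Principal().getName()), e);
        }
    }

    /**
     * Verifies the CMS signature with a certificate obtained from a directory.
     *
     * @param signerInformation the CMS signer whose signature is checked
     * @param certificate       the signer's certificate as returned by a directory
     * @throws Exception see {@link #verifySignature}
     */
    private void verify(SignerInformation signerInformation, X509Certificate certificate) throws Exception {
        verifySignature(this.verifier, signerInformation, certificate);
    }

    /**
     * Verifies the CMS signature with {@code certificate} and then passes the certificate
     * to {@code verifier}.
     *
     * @param verifier          receives the certificate after the signature has verified
     * @param signerInformation the CMS signer whose signature is checked
     * @param certificate       the certificate used to verify the signature
     * @throws InvalidSignatureException        if the signature does not verify
     * @throws CMSException                     if BouncyCastle cannot process the signer info
     * @throws OperatorCreationException        if no signature verifier can be built for
     *                                          the certificate with the "BC" provider
     * @throws CertificateVerificationException if {@code verifier} rejects the certificate
     * @throws Exception                        for anything else {@code verifier} throws
     */
    private void verifySignature(Verifier verifier, SignerInformation signerInformation, X509Certificate certificate) throws Exception {
        // The BouncyCastle provider must be registered under the name "BC" for this to work.
        if (!signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certificate))) {
            throw new InvalidSignatureException();
        }
        verifier.verify(certificate);
    }

    /**
     * Looks the signer's certificate up in the directories, in array order.
     *
     * @param signerId identifies the certificate by issuer, serial number and/or
     *                 subject key identifier
     * @return the first match, or empty if no directory knows the certificate
     * @throws Exception whatever a directory lookup throws
     */
    private Optional<X509Certificate> certificate(SignerId signerId) throws Exception {
        X509CertSelector selector = selector(signerId);
        for (Directory directory : this.directories) {
            Optional<X509Certificate> match = directory.certificate(selector);
            if (match.isPresent()) {
                return match;
            }
        }
        return Optional.empty();
    }

    /**
     * Looks the issuer of {@code certificate} up in the directories, in array order.
     *
     * @param certificate the certificate whose issuer is wanted
     * @return the first issuer a directory returns, or empty if none does
     * @throws Exception whatever a directory lookup throws
     */
    private Optional<X509Certificate> issuer(X509Certificate certificate) throws Exception {
        for (Directory directory : this.directories) {
            Optional<X509Certificate> match = directory.issuer(certificate);
            if (match.isPresent()) {
                return match;
            }
        }
        return Optional.empty();
    }

    /**
     * Builds a selector from a signer identifier. Each of issuer, serial number and subject
     * key identifier is only set when the identifier carries it; a {@code null} value means
     * "no criterion" to {@link X509CertSelector}.
     */
    private static X509CertSelector selector(SignerId signerId) {
        X509CertSelector selector = new X509CertSelector();
        X500Name issuerName = signerId.getIssuer();
        if (issuerName != null) {
            selector.setIssuer(principal(issuerName));
        }
        selector.setSerialNumber(signerId.getSerialNumber());
        selector.setSubjectKeyIdentifier(signerId.getSubjectKeyIdentifier());
        return selector;
    }

    /**
     * Converts a BouncyCastle {@link X500Name} to a JCA {@link X500Principal} via DER.
     * Re-encoding an already parsed name is not expected to fail, so an
     * {@link IOException} is treated as a programming error.
     */
    private static X500Principal principal(X500Name x500Name) {
        try {
            return new X500Principal(x500Name.getEncoded());
        } catch (IOException e) {
            throw new AssertionError(e);
        }
    }
}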
