package org.digidoc4j.ddoc.factory;

import java.io.FileInputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
import org.bouncycastle.asn1.ocsp.ResponderID;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.operator.ContentVerifier;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.digidoc4j.ddoc.Base64Util;
import org.digidoc4j.ddoc.CertID;
import org.digidoc4j.ddoc.CertValue;
import org.digidoc4j.ddoc.DigiDocException;
import org.digidoc4j.ddoc.Notary;
import org.digidoc4j.ddoc.Signature;
import org.digidoc4j.ddoc.SignedDoc;
import org.digidoc4j.ddoc.utils.BouncyCastleNotaryUtil;
import org.digidoc4j.ddoc.utils.ConfigManager;
import org.digidoc4j.ddoc.utils.ConvertUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/digidoc4j/ddoc/factory/BouncyCastleNotaryFactory.class */
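/**
 * OCSP ("notary") handling backed by BouncyCastle.
 *
 * <p>Given the OCSP response bytes stored in a {@link Notary}, this factory parses the
 * response, verifies its signature against responder certificates taken from the local
 * trusted (TSL) store, checks that the responder is on the configured allow-list, checks the
 * nonce binding between the response and the signature value (for document formats that use
 * it) and finally checks the revocation status reported for the signer certificate.
 *
 * <p>The response bytes are untrusted input: nothing in them is believed until the signature
 * has verified under a certificate that was looked up locally, not taken from the response.
 */
public class BouncyCastleNotaryFactory implements NotaryFactory {
    private static final Logger m_logger = LoggerFactory.getLogger(BouncyCastleNotaryFactory.class);

    /** Prefix that {@link #responderIDtoString} puts in front of a key-hash responder id. */
    private static final String BY_KEY_PREFIX = "byKey: ";

    /** JCA provider name used for every BouncyCastle operator builder in this class. */
    private static final String BC_PROVIDER = "BC";

    /**
     * Looks up the responder certificate(s) for an OCSP responder in the trusted (TSL) store.
     *
     * @param str  common name of the responder, as derived from the response's responder id
     * @param str2 optional serial number that narrows the search; may be {@code null}
     * @return the matching certificates, or {@code null} when the lookup fails (the failure is logged)
     */
    public X509Certificate[] getNotaryCerts(String str, String str2) {
        try {
            return ConfigManager.instance().getTslFactory().findOcspsByCNAndNr(str, true, str2);
        } catch (Exception e) {
            // Best-effort lookup: callers treat null as "no trusted responder certificate", so the
            // null contract is kept; the stack trace goes to the logger instead of being dropped.
            m_logger.error("Error searching responder cert for: " + str + " - " + e, e);
            return null;
        }
    }

    /**
     * Verifies the signature of a basic OCSP response with the given verifier provider.
     *
     * <p>The provider decides which public key is used; callers build it from a certificate
     * they already trust, so a {@code true} result means "signed by that certificate's key".
     *
     * @param basicOCSPResp           the response whose TBS data and signature are checked
     * @param contentVerifierProvider provider bound to the candidate responder certificate
     * @return {@code true} when the signature verifies under the provider's key
     * @throws Exception any verifier or encoding failure, after it has been logged
     */
    public boolean isSignatureValid(BasicOCSPResp basicOCSPResp, ContentVerifierProvider contentVerifierProvider) throws Exception {
        try {
            ContentVerifier contentVerifier = contentVerifierProvider.get(basicOCSPResp.getSignatureAlgorithmID());
            // The verifier consumes the to-be-signed bytes through its stream; closing it is what
            // finishes the digest, so the stream is closed even when write() fails.
            try (OutputStream outputStream = contentVerifier.getOutputStream()) {
                outputStream.write(basicOCSPResp.getTBSResponseData());
            }
            BasicOCSPResponse basicOCSPResponse = BasicOCSPResponse.getInstance(ASN1Primitive.fromByteArray(basicOCSPResp.getEncoded()));
            byte[] signatureBytes = basicOCSPResponse.getSignature().getBytes();
            boolean verify = contentVerifier.verify(signatureBytes);
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Verify ocsp sig: " + ConvertUtils.bin2hex(signatureBytes) + " RC: " + verify);
            }
            return verify;
        } catch (Exception e) {
            m_logger.error("ocsp exception: " + e);
            m_logger.error("Trace; " + ConvertUtils.getTrace(e));
            throw e;
        }
    }

    /**
     * Checks the status that the OCSP response reports for the signer certificate of a signature.
     *
     * @param signature     signature whose signer certificate is checked
     * @param basicOCSPResp the already verified OCSP response
     * @throws DigiDocException when the certificate is revoked, unknown, or not covered by the response
     */
    private void checkCertStatus(Signature signature, BasicOCSPResp basicOCSPResp) throws DigiDocException {
        checkCertStatus(signature.getKeyInfo().getSignersCertificate(), basicOCSPResp, null);
    }

    /**
     * Checks the status that an OCSP response reports for a certificate.
     *
     * <p>Every single response whose certificate id matches the certificate is examined; a
     * revoked or unknown status in any of them fails the check, and the check also fails when
     * no single response matches at all.
     *
     * @param x509Certificate  certificate whose status is checked; must not be {@code null}
     * @param basicOCSPResp    the already verified OCSP response
     * @param x509Certificate2 issuing CA certificate, or {@code null} to look it up in the TSL store
     * @throws DigiDocException code 92 when the certificate or its CA is missing or the status is
     *                          unknown, 91 when revoked, 88 when no matching response exists or
     *                          the check itself fails
     */
    private void checkCertStatus(X509Certificate x509Certificate, BasicOCSPResp basicOCSPResp, X509Certificate x509Certificate2) throws DigiDocException {
        try {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Checking response status, CERT: " + (x509Certificate != null ? x509Certificate.getSubjectDN().getName() : "NULL") + " SEARCH: " + (x509Certificate != null ? SignedDoc.getCommonName(ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal())) : "NULL"));
            }
            if (x509Certificate == null) {
                throw new DigiDocException(92, "No certificate to check! Error reading certificate from file?", null);
            }
            X509Certificate caCert = x509Certificate2;
            if (caCert == null) {
                caCert = ConfigManager.instance().getTslFactory().findCaForCert(x509Certificate, true, null);
            }
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("CA cert: " + (caCert != null ? caCert.getSubjectDN().getName() : "NULL"));
                m_logger.debug("RESP: " + basicOCSPResp);
                m_logger.debug("CERT: " + x509Certificate.getSubjectDN().getName() + " ISSUER: " + ConvertUtils.convX509Name(x509Certificate.getIssuerX500Principal()) + " nr: " + (caCert != null ? ConvertUtils.bin2hex(caCert.getSerialNumber().toByteArray()) : "NULL"));
            }
            if (caCert == null) {
                throw new DigiDocException(92, "Unknown CA cert: " + x509Certificate.getIssuerDN().getName(), null);
            }
            CertificateID expectedId = creatCertReq(x509Certificate, caCert);
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Search alg: " + expectedId.getHashAlgOID() + " cert ser: " + x509Certificate.getSerialNumber().toString() + " serial: " + expectedId.getSerialNumber() + " issuer: " + Base64Util.encode(expectedId.getIssuerKeyHash()) + " subject: " + Base64Util.encode(expectedId.getIssuerNameHash()));
            }
            boolean found = false;
            for (SingleResp singleResp : basicOCSPResp.getResponses()) {
                CertificateID certID = singleResp.getCertID();
                if (certID == null) {
                    continue;
                }
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Got alg: " + certID.getHashAlgOID() + " serial: " + certID.getSerialNumber() + " issuer: " + Base64Util.encode(certID.getIssuerKeyHash()) + " subject: " + Base64Util.encode(certID.getIssuerNameHash()));
                }
                if (!sameCertId(expectedId, certID)) {
                    continue;
                }
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Found it!");
                }
                found = true;
                // No early exit: a later matching entry that says "revoked" must still be seen.
                CertificateStatus certStatus = singleResp.getCertStatus();
                // BouncyCastle models a good status as null (CertificateStatus.GOOD), so only a
                // non-null status can be a negative answer.
                if (certStatus != null) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("CertStatus: " + certStatus.getClass().getName());
                    }
                    if (certStatus instanceof RevokedStatus) {
                        m_logger.error("Certificate has been revoked!");
                        throw new DigiDocException(91, "Certificate has been revoked!", null);
                    }
                    if (certStatus instanceof UnknownStatus) {
                        m_logger.error("Certificate status is unknown!");
                        throw new DigiDocException(92, "Certificate status is unknown!", null);
                    }
                }
            }
            if (!found) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Error checkCertStatus - not found ");
                }
                throw new DigiDocException(88, "Bad OCSP response status!", null);
            }
        } catch (DigiDocException e) {
            throw e;
        } catch (Exception e2) {
            // Keep the original error code; the cause is attached instead of printed to stderr.
            m_logger.error("Error checkCertStatus: " + e2, e2);
            throw new DigiDocException(88, "Error checking OCSP response status!", e2);
        }
    }

    /**
     * Tells whether two certificate ids denote the same certificate: same hash algorithm,
     * serial number, issuer key hash and issuer name hash.
     */
    private static boolean sameCertId(CertificateID expected, CertificateID actual) {
        return expected.getHashAlgOID().equals(actual.getHashAlgOID())
                && expected.getSerialNumber().equals(actual.getSerialNumber())
                && SignedDoc.compareDigests(expected.getIssuerKeyHash(), actual.getIssuerKeyHash())
                && SignedDoc.compareDigests(expected.getIssuerNameHash(), actual.getIssuerNameHash());
    }

    /**
     * Parses and fully verifies the OCSP response stored in {@code notary}.
     *
     * <p>Order of checks: the response is parsed; responder certificates are looked up in the
     * local trusted store by the common name derived from the response's responder id (never
     * from certificates embedded in the response); the response signature must verify under one
     * of them and, when the signature carries a responder certificate of its own, under that one
     * too; the responder's common name must be on the configured allow-list; for formats that
     * use an OCSP nonce, the nonce must equal the digest of the signature value; finally the
     * signer certificate's status is checked.
     *
     * @param signature the signature the OCSP response belongs to
     * @param notary    holder of the raw OCSP response; its produced-at time and responder id
     *                  are filled in on success
     * @return the same {@code notary}, updated
     * @throws DigiDocException when any of the checks above fails (codes 70, 71, 72, 88, 91, 92,
     *                          {@code ERR_OCSP_RECPONDER_NOT_TRUSTED}, {@code ERR_OCSP_RESPONDER_TM})
     */
    @Override // org.digidoc4j.ddoc.factory.NotaryFactory
    public Notary parseAndVerifyResponse(Signature signature, Notary notary) throws DigiDocException {
        BasicOCSPResp basicOCSPResp = null;
        X509Certificate[] responderCerts = null;
        String responderId = null;
        try {
            OCSPResp oCSPResp = new OCSPResp(notary.getOcspResponseData());
            basicOCSPResp = (BasicOCSPResp) oCSPResp.getResponseObject();
            try {
                responderId = responderIDtoString(basicOCSPResp);
                if (m_logger.isDebugEnabled()) {
                    logResponseDetails(signature, oCSPResp, responderId);
                }
                if (signature != null) {
                    String searchName = responderSearchName(responderId);
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Search not cert by: " + searchName);
                    }
                    responderCerts = getNotaryCerts(searchName, null);
                }
            } catch (Exception e) {
                m_logger.error("Signature verification error: " + e, e);
                DigiDocException.handleException(e, 70);
            }
        } catch (DigiDocException e2) {
            throw e2;
        } catch (Exception e3) {
            DigiDocException.handleException(e3, 72);
        }
        if (responderCerts == null || responderCerts.length == 0) {
            throw new DigiDocException(DigiDocException.ERR_OCSP_RECPONDER_NOT_TRUSTED, "No certificate for responder: '" + responderId + "' found in local certificate store!", null);
        }
        // Try each trusted responder certificate until one verifies the signature.
        boolean verified = false;
        for (int i = 0; i < responderCerts.length && !verified; i++) {
            X509Certificate responderCert = responderCerts[i];
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Verify using responders cert: " + (responderCert != null ? ConvertUtils.getCommonName(responderCert.getSubjectDN().getName()) + " nr: " + responderCert.getSerialNumber().toString() : "NULL"));
            }
            verified = responderCert != null && verifySignatureWith(basicOCSPResp, responderCert);
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("OCSP resp: " + (basicOCSPResp != null ? responderIDtoString(basicOCSPResp) : "NULL") + " verify using: " + (responderCert != null ? ConvertUtils.getCommonName(responderCert.getSubjectDN().getName()) : "NULL") + " verify: " + verified);
            }
        }
        // When the signature itself carries a responder certificate (cert value type 2), the
        // response must also verify under that one.
        if (verified) {
            CertValue certValue = signature.getCertValueOfType(2);
            X509Certificate cert = certValue != null ? certValue.getCert() : null;
            if (cert != null) {
                verified = verifySignatureWith(basicOCSPResp, cert);
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("OCSP resp: " + (basicOCSPResp != null ? responderIDtoString(basicOCSPResp) : "NULL") + " verify using cert in xml: " + ConvertUtils.getCommonName(cert.getSubjectDN().getName()) + " verify: " + verified);
                }
            }
        }
        if (!verified) {
            throw new DigiDocException(70, "OCSP verification error!", null);
        }
        // A verified signature is not enough: the responder must also be on the allow-list.
        if (!ConfigManager.instance().getAllowedOcspProviders().contains(ConvertUtils.getCommonName(responderIDtoString(basicOCSPResp)))) {
            throw new DigiDocException(DigiDocException.ERR_OCSP_RESPONDER_TM, "OCSP Responder does not meet TM requirements", null);
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verif sig: " + signature.getId() + " format: " + signature.getSignedDoc().getFormat() + " nonce policy: " + signature.hasBdoc2NoncePolicy());
        }
        if (BouncyCastleNotaryUtil.isApplicableFormatForOcspNonce(signature.getSignedDoc())) {
            checkNonce(signature, notary, basicOCSPResp);
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verify not: " + notary.getId());
        }
        checkCertStatus(signature, basicOCSPResp);
        notary.setProducedAt(basicOCSPResp.getProducedAt());
        notary.setResponderId(responderIDtoString(basicOCSPResp));
        return notary;
    }

    /**
     * Debug dump of the parties involved in a response check. Null-safe so that enabling debug
     * logging cannot change the outcome of the verification.
     */
    private static void logResponseDetails(Signature signature, OCSPResp oCSPResp, String responderId) throws Exception {
        m_logger.debug("SIG: " + (signature == null ? "NULL" : signature.getId()));
        if (signature != null) {
            boolean hasUnsignedProps = signature.getUnsignedProperties() != null;
            m_logger.debug("UP: " + (!hasUnsignedProps ? "NULL" : "OK: " + signature.getUnsignedProperties().getNotary().getId()));
            m_logger.debug("RESP-CERT: " + (hasUnsignedProps && signature.getUnsignedProperties().getRespondersCertificate() != null ? "OK" : "NULL"));
        }
        m_logger.debug("RESP-ID: " + responderId);
        if (signature != null) {
            CertID certID = signature.getCertID(2);
            if (certID != null) {
                m_logger.debug("CID: " + certID.getType() + " id: " + certID.getId() + ", " + certID.getSerial() + " issuer: " + certID.getIssuer());
            }
        }
        m_logger.debug("RESP: " + Base64Util.encode(oCSPResp.getEncoded()));
    }

    /**
     * Derives the common name used to search the trusted store from a responder id string:
     * the CN of a by-name id, or the hex key hash of a by-key id, cut at the first comma.
     */
    private static String responderSearchName(String responderId) {
        String name = responderId;
        if (name.indexOf("CN") != -1) {
            name = ConvertUtils.getCommonName(responderId);
        }
        if (name.startsWith(BY_KEY_PREFIX)) {
            name = name.substring(BY_KEY_PREFIX.length());
        }
        int comma = name.indexOf(',');
        if (comma > 0) {
            name = name.substring(0, comma);
        }
        return name;
    }

    /**
     * Verifies the response signature under the public key of {@code cert}.
     *
     * <p>{@link #isSignatureValid} declares a plain {@code Exception}; the decompiled original
     * left that unhandled, so it is mapped here to code 70, the same code the caller uses for a
     * failed verification.
     */
    private boolean verifySignatureWith(BasicOCSPResp basicOCSPResp, X509Certificate cert) throws DigiDocException {
        try {
            ContentVerifierProvider provider = new JcaContentVerifierProviderBuilder().setProvider(BC_PROVIDER).build(new X509CertificateHolder(cert.getEncoded()));
            return isSignatureValid(basicOCSPResp, provider);
        } catch (Exception e) {
            m_logger.error("OCSP signature verification error: " + e, e);
            throw new DigiDocException(70, "OCSP verification error!", e);
        }
    }

    /**
     * Checks that the response nonce equals the digest of the signature value, which is what
     * binds this OCSP response to this particular signature. The digest algorithm follows the
     * document format being verified, so it is not something to change here.
     *
     * @throws DigiDocException code 71 when the nonce is missing or differs
     */
    private static void checkNonce(Signature signature, Notary notary, BasicOCSPResp basicOCSPResp) throws DigiDocException {
        byte[] sigValDigest = SignedDoc.digestOfType(signature.getSignatureValue().getValue(), SignedDoc.SHA1_DIGEST_TYPE);
        byte[] nonce = BouncyCastleNotaryUtil.getNonce(basicOCSPResp, signature.getSignedDoc());
        // Explicit null checks: MessageDigest.isEqual(null, null) would be true, which must not pass.
        boolean nonceMatches = sigValDigest != null && nonce != null && MessageDigest.isEqual(sigValDigest, nonce);
        if (nonceMatches || signature.getSignedDoc() == null) {
            return;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("SigVal\n---\n" + Base64Util.encode(signature.getSignatureValue().getValue()) + "\n---\nOCSP\n---\n" + Base64Util.encode(notary.getOcspResponseData()) + "\n---\n");
            m_logger.debug("DDOC ver: " + signature.getSignedDoc().getVersion() + " SIG: " + signature.getId() + " NOT: " + notary.getId() + " Real nonce: " + (nonce != null ? Base64Util.encode(nonce, 0) : "NULL") + " noncelen: " + (nonce != null ? nonce.length : 0) + " SigVal hash: " + (sigValDigest != null ? Base64Util.encode(sigValDigest, 0) : "NULL") + " SigVal hash hex: " + (sigValDigest != null ? ConvertUtils.bin2hex(sigValDigest) : "NULL") + " svlen: " + (sigValDigest != null ? sigValDigest.length : 0));
        }
        throw new DigiDocException(71, "OCSP response's nonce doesn't match the requests nonce!", null);
    }

    /**
     * Renders the responder id of a response as {@code "byKey: <hex>"} or {@code "byName: <name>"}.
     *
     * @param basicOCSPResp the response; may be {@code null}
     * @return the rendered id, or {@code null} when the response is {@code null}
     */
    static String responderIDtoString(BasicOCSPResp basicOCSPResp) {
        if (basicOCSPResp == null) {
            return null;
        }
        ResponderID responderID = basicOCSPResp.getResponderId().toASN1Primitive();
        if (responderID.getKeyHash() != null) {
            return BY_KEY_PREFIX + SignedDoc.bin2hex(responderID.getKeyHash());
        }
        return "byName: " + responderID.getName().toString();
    }

    /**
     * Builds the certificate id used to find {@code x509Certificate} among the single responses.
     *
     * <p>SHA-1 here is the CertID hash algorithm; it has to match the algorithm the responder
     * used (the ids are compared on their hash algorithm OID), so it cannot be changed on this
     * side alone.
     *
     * @param x509Certificate  the certificate being looked up
     * @param x509Certificate2 its issuing CA certificate
     */
    private CertificateID creatCertReq(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws Exception {
        DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().setProvider(BC_PROVIDER).build();
        return new CertificateID(digestProvider.get(CertificateID.HASH_SHA1), new X509CertificateHolder(x509Certificate2.getEncoded()), x509Certificate.getSerialNumber());
    }

    /**
     * Applies proxy settings from configuration and registers the configured JCA provider.
     *
     * <p>Both are process-wide side effects. The provider class name is read from configuration
     * and instantiated reflectively, so the configuration source has to be trusted: whatever
     * class it names is loaded and registered as a security provider for the whole JVM.
     *
     * @throws DigiDocException code 67 when the provider cannot be loaded or registered
     */
    @Override // org.digidoc4j.ddoc.factory.NotaryFactory
    public void init() throws DigiDocException {
        try {
            String proxyHost = ConfigManager.instance().getProperty("DIGIDOC_PROXY_HOST");
            String proxyPort = ConfigManager.instance().getProperty("DIGIDOC_PROXY_PORT");
            if (proxyHost != null && proxyPort != null) {
                System.setProperty("http.proxyHost", proxyHost);
                System.setProperty("http.proxyPort", proxyPort);
            }
            String providerClassName = ConfigManager.instance().getProperty("DIGIDOC_SECURITY_PROVIDER");
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance().
            Provider provider = (Provider) Class.forName(providerClassName).getDeclaredConstructor().newInstance();
            Security.addProvider(provider);
        } catch (Exception e) {
            DigiDocException.handleException(e, 67);
        }
    }
}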
