package eu.europa.esig.dss.jades.validation;

import eu.europa.esig.dss.enumerations.CertificateOrigin;
import eu.europa.esig.dss.enumerations.CertificateRefOrigin;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.PKIEncoding;
import eu.europa.esig.dss.jades.DSSJsonUtils;
import eu.europa.esig.dss.jades.JAdESHeaderParameterNames;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CandidatesForSigningCertificate;
import eu.europa.esig.dss.spi.x509.CertificateRef;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.SignatureCertificateSource;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.jose4j.jwk.PublicJsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/jades/validation/JAdESCertificateSource.class */
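/**
 * Collects the certificates and certificate references found in a JAdES signature: the JWS header
 * parameters {@code x5t}, {@code x5t#S256}, {@link JAdESHeaderParameterNames#X5T_O},
 * {@link JAdESHeaderParameterNames#SIG_X5T_S} and {@code x5c}, plus the certificate-related
 * attributes of the {@code etsiU} header.
 *
 * <p>Security note: every value parsed here is taken from the signature under validation, so it is
 * chosen by whoever produced that signature. This class only gathers signing-certificate
 * candidates and references and makes no trust decision about them. Header values are
 * type-checked before use, and entries of an unexpected type are logged and skipped instead of
 * failing with a {@link ClassCastException} or {@link NullPointerException}.
 */
public class JAdESCertificateSource extends SignatureCertificateSource {
    private static final long serialVersionUID = -8170607661341382049L;
    private static final Logger LOG = LoggerFactory.getLogger(JAdESCertificateSource.class);
    private final transient JWS jws;
    private final transient JAdESEtsiUHeader etsiUHeader;

    /**
     * Builds the source and immediately extracts all certificates and references from the given
     * signature and its unsigned header.
     *
     * @param jws the JSON Web Signature to read the header parameters from, not null
     * @param jAdESEtsiUHeader the {@code etsiU} header of the signature, not null
     * @throws NullPointerException if either argument is null
     */
    public JAdESCertificateSource(JWS jws, JAdESEtsiUHeader jAdESEtsiUHeader) {
        Objects.requireNonNull(jws, "JSON Web signature cannot be null");
        Objects.requireNonNull(jAdESEtsiUHeader, "etsiUHeader cannot be null");
        this.jws = jws;
        this.etsiUHeader = jAdESEtsiUHeader;
        extractX5T();
        extractX5TS256();
        extractX5TO();
        extractSigX5Ts();
        extractX5C();
        extractEtsiU();
    }

    /** Returns the runtime class of {@code value} for log output, or null when the value is null. */
    private static Object typeOf(Object value) {
        return value == null ? null : value.getClass();
    }

    /**
     * Returns {@code value} as a list when it is one. Any other non-null value is logged as an
     * unsupported type for {@code headerName}; in that case, and for null, the result is null.
     */
    private static List<?> asList(Object headerName, Object value) {
        if (value instanceof List) {
            return (List<?>) value;
        }
        if (value != null) {
            LOG.warn("Unsupported type for {} : {}", headerName, value.getClass());
        }
        return null;
    }

    /** Logs the SHA-1 {@code x5t} thumbprint when present; it is never used as a reference. */
    private void extractX5T() {
        String thumbprint = this.jws.getHeaders().getStringHeaderValue("x5t");
        if (Utils.isStringNotEmpty(thumbprint)) {
            LOG.warn("Found {} with value {} but not supported by the JAdES standard", "x5t", new Digest(DigestAlgorithm.SHA1, DSSJsonUtils.fromBase64Url(thumbprint)));
        }
    }

    /** Registers the {@code x5t#S256} thumbprint as a SHA-256 signing-certificate reference. */
    private void extractX5TS256() {
        String thumbprint = this.jws.getHeaders().getStringHeaderValue("x5t#S256");
        if (Utils.isStringNotEmpty(thumbprint)) {
            CertificateRef signingCertRef = new CertificateRef();
            signingCertRef.setOrigin(CertificateRefOrigin.SIGNING_CERTIFICATE);
            signingCertRef.setCertDigest(new Digest(DigestAlgorithm.SHA256, DSSJsonUtils.fromBase64Url(thumbprint)));
            addCertificateRef(signingCertRef, CertificateRefOrigin.SIGNING_CERTIFICATE);
        }
    }

    /** Reads the {@link JAdESHeaderParameterNames#X5T_O} header, which must be a JSON object. */
    private void extractX5TO() {
        Object headerValue = this.jws.getHeaders().getObjectHeaderValue(JAdESHeaderParameterNames.X5T_O);
        if (headerValue instanceof Map) {
            extractX5TO((Map<?, ?>) headerValue);
        } else if (headerValue != null) {
            // The header is attacker-controllable: reject a wrong type instead of casting blindly.
            LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.X5T_O, headerValue.getClass());
        }
    }

    /**
     * Registers the digest described by {@code map} as a signing-certificate reference. Nothing is
     * added when the map is null or {@link DSSJsonUtils#getDigest} yields no digest for it.
     */
    private void extractX5TO(Map<?, ?> map) {
        if (map == null) {
            return;
        }
        Digest certDigest = DSSJsonUtils.getDigest(map);
        if (certDigest == null) {
            return;
        }
        CertificateRef signingCertRef = new CertificateRef();
        signingCertRef.setOrigin(CertificateRefOrigin.SIGNING_CERTIFICATE);
        signingCertRef.setCertDigest(certDigest);
        addCertificateRef(signingCertRef, CertificateRefOrigin.SIGNING_CERTIFICATE);
    }

    /** Reads every entry of the {@link JAdESHeaderParameterNames#SIG_X5T_S} array header. */
    private void extractSigX5Ts() {
        Object headerValue = this.jws.getHeaders().getObjectHeaderValue(JAdESHeaderParameterNames.SIG_X5T_S);
        List<?> entries = asList(JAdESHeaderParameterNames.SIG_X5T_S, headerValue);
        if (entries == null) {
            return;
        }
        for (Object entry : entries) {
            if (entry instanceof Map) {
                extractX5TO((Map<?, ?>) entry);
            } else {
                // typeOf() keeps a JSON null inside the array from raising a NullPointerException.
                LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.SIG_X5T_S, typeOf(entry));
            }
        }
    }

    /**
     * Loads each Base64 string of the {@code x5c} header as a certificate of origin
     * {@link CertificateOrigin#KEY_INFO}. These certificates are shipped with the signature and are
     * only candidates; nothing here checks that they are trusted.
     */
    private void extractX5C() {
        List<?> entries = asList("x5c", this.jws.getHeaders().getObjectHeaderValue("x5c"));
        if (entries == null) {
            return;
        }
        for (Object entry : entries) {
            if (entry instanceof String) {
                // NOTE(review): behaviour of the loader on a malformed certificate is not visible
                // here; confirm whether it throws and aborts construction.
                addCertificate(DSSUtils.loadCertificateFromBase64EncodedString((String) entry), CertificateOrigin.KEY_INFO);
            } else {
                LOG.warn("Unsupported type for {} : {}", "x5c", typeOf(entry));
            }
        }
    }

    /** Runs every certificate-related extractor over each attribute of the etsiU header. */
    private void extractEtsiU() {
        if (!this.etsiUHeader.isExist()) {
            return;
        }
        for (EtsiUComponent component : this.etsiUHeader.getAttributes()) {
            extractCertificateValues(component);
            extractAttrAuthoritiesCertValues(component);
            extractTimestampValidationData(component);
            extractCompleteCertificateRefs(component);
            extractAttributeCertificateRefs(component);
        }
    }

    /** Handles an {@link JAdESHeaderParameterNames#X_VALS} attribute. */
    private void extractCertificateValues(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.X_VALS.equals(jAdESAttribute.getHeaderName())) {
            List<?> values = asList(JAdESHeaderParameterNames.X_VALS, jAdESAttribute.getValue());
            if (values != null) {
                extractCertificateValues(values, CertificateOrigin.CERTIFICATE_VALUES);
            }
        }
    }

    /** Handles an {@link JAdESHeaderParameterNames#AX_VALS} attribute. */
    private void extractAttrAuthoritiesCertValues(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.AX_VALS.equals(jAdESAttribute.getHeaderName())) {
            List<?> values = asList(JAdESHeaderParameterNames.AX_VALS, jAdESAttribute.getValue());
            if (values != null) {
                extractCertificateValues(values, CertificateOrigin.ATTR_AUTHORITIES_CERT_VALUES);
            }
        }
    }

    /**
     * Handles a {@link JAdESHeaderParameterNames#TST_VD} attribute: a JSON object whose
     * {@link JAdESHeaderParameterNames#X_VALS} member lists certificate values.
     */
    private void extractTimestampValidationData(JAdESAttribute jAdESAttribute) {
        if (!JAdESHeaderParameterNames.TST_VD.equals(jAdESAttribute.getHeaderName())) {
            return;
        }
        Object attributeValue = jAdESAttribute.getValue();
        if (!(attributeValue instanceof Map)) {
            LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.TST_VD, typeOf(attributeValue));
            return;
        }
        List<?> values = asList(JAdESHeaderParameterNames.X_VALS, ((Map<?, ?>) attributeValue).get(JAdESHeaderParameterNames.X_VALS));
        if (values != null) {
            extractCertificateValues(values, CertificateOrigin.TIMESTAMP_VALIDATION_DATA);
        }
    }

    /** Handles an {@link JAdESHeaderParameterNames#X_REFS} attribute. */
    private void extractCompleteCertificateRefs(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.X_REFS.equals(jAdESAttribute.getHeaderName())) {
            List<?> refs = asList(JAdESHeaderParameterNames.X_REFS, jAdESAttribute.getValue());
            if (refs != null) {
                extractCertificateRefs(refs, CertificateRefOrigin.COMPLETE_CERTIFICATE_REFS);
            }
        }
    }

    /** Handles an {@link JAdESHeaderParameterNames#AX_REFS} attribute. */
    private void extractAttributeCertificateRefs(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.AX_REFS.equals(jAdESAttribute.getHeaderName())) {
            List<?> refs = asList(JAdESHeaderParameterNames.AX_REFS, jAdESAttribute.getValue());
            if (refs != null) {
                extractCertificateRefs(refs, CertificateRefOrigin.ATTRIBUTE_CERTIFICATE_REFS);
            }
        }
    }

    /**
     * Adds the X.509 certificate of every JSON-object entry in {@code list} under the given
     * origin. Entries that are not objects are ignored; {@code otherCert} entries are only logged.
     */
    private void extractCertificateValues(List<?> list, CertificateOrigin certificateOrigin) {
        for (Object entry : list) {
            if (!(entry instanceof Map)) {
                continue;
            }
            Map<?, ?> certEntry = (Map<?, ?>) entry;
            Object x509Cert = certEntry.get(JAdESHeaderParameterNames.X509_CERT);
            if (x509Cert instanceof Map) {
                extractX509Cert((Map<?, ?>) x509Cert, certificateOrigin);
            } else if (x509Cert != null) {
                LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.X509_CERT, x509Cert.getClass());
            } else if (certEntry.get(JAdESHeaderParameterNames.OTHER_CERT) != null) {
                LOG.warn("Unsupported otherCert found");
            }
        }
    }

    /**
     * Adds one certificate reference per JSON-object entry of {@code list} for which
     * {@link JAdESCertificateRefExtractionUtils#createCertificateRef} returns a reference.
     */
    private void extractCertificateRefs(List<?> list, CertificateRefOrigin certificateRefOrigin) {
        for (Object entry : list) {
            if (!(entry instanceof Map)) {
                continue;
            }
            CertificateRef certificateRef = JAdESCertificateRefExtractionUtils.createCertificateRef((Map) entry);
            if (certificateRef != null) {
                addCertificateRef(certificateRef, certificateRefOrigin);
            }
        }
    }

    /**
     * Loads the certificate held in an {@code x509Cert} object. Only a missing/empty encoding or
     * the DER encoding URI is accepted; the encoding and the value must both be strings.
     */
    private void extractX509Cert(Map<?, ?> map, CertificateOrigin certificateOrigin) {
        Object rawEncoding = map.get(JAdESHeaderParameterNames.ENCODING);
        if (rawEncoding != null && !(rawEncoding instanceof String)) {
            LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.ENCODING, rawEncoding.getClass());
            return;
        }
        String encoding = (String) rawEncoding;
        if (!Utils.isStringEmpty(encoding) && !Utils.areStringsEqual(PKIEncoding.DER.getUri(), encoding)) {
            LOG.warn("Unsupported encoding '{}'", encoding);
            return;
        }
        Object encodedCertificate = map.get(JAdESHeaderParameterNames.VAL);
        if (encodedCertificate instanceof String) {
            addCertificate(DSSUtils.loadCertificateFromBase64EncodedString((String) encodedCertificate), certificateOrigin);
        } else {
            LOG.warn("Unsupported type for {} : {}", JAdESHeaderParameterNames.VAL, typeOf(encodedCertificate));
        }
    }

    /**
     * Builds the list of signing-certificate candidates and marks the one matching the
     * signing-certificate reference, if any.
     *
     * <p>Candidates come from the key-info certificates, from {@code certificateSource} when one is
     * supplied, and from the public key of the {@code jwk} header when it can be read. Key-info
     * certificates and the {@code jwk} key are taken from the signature itself; being listed as a
     * candidate says nothing about trust.
     *
     * @param certificateSource optional external source used to resolve the signing certificate,
     *     may be null
     * @return the candidates, never null
     */
    protected CandidatesForSigningCertificate extractCandidatesForSigningCertificate(CertificateSource certificateSource) {
        CandidatesForSigningCertificate candidates = new CandidatesForSigningCertificate();
        for (Object keyInfoCertificate : getKeyInfoCertificates()) {
            candidates.add(new CertificateValidity((CertificateToken) keyInfoCertificate));
        }
        if (certificateSource != null) {
            resolveFromSource(certificateSource, candidates);
        }
        PublicKey jwkPublicKey = extractPublicKey();
        if (jwkPublicKey != null) {
            candidates.add(new CertificateValidity(jwkPublicKey));
        }
        checkSigningCertificateRef(candidates);
        return candidates;
    }

    /**
     * Adds candidates from the external source, trying in order: the {@code kid} header (only with
     * a {@link KidCertificateSource}), the signing-certificate digest, and finally every
     * certificate of the source.
     */
    private void resolveFromSource(CertificateSource certificateSource, CandidatesForSigningCertificate candidatesForSigningCertificate) {
        String kid = this.jws.getKeyIdHeaderValue();
        if (Utils.isStringNotEmpty(kid)) {
            if (certificateSource instanceof KidCertificateSource) {
                CertificateToken byKid = ((KidCertificateSource) certificateSource).getCertificateByKid(kid);
                if (byKid != null) {
                    LOG.debug("Resolved certificate by kid");
                    candidatesForSigningCertificate.add(new CertificateValidity(byKid));
                    return;
                }
            } else {
                LOG.warn("JWS/JAdES contains a kid (provide a KidCertificateSource to resolve it)");
            }
        }

        Digest signingCertificateDigest = getSigningCertificateDigest();
        if (signingCertificateDigest != null) {
            // A digest reference exists: take only the certificates matching it and never fall
            // through to the "all certificates" branch below, even when nothing matches.
            Set<?> matches = certificateSource.getByCertificateDigest(signingCertificateDigest);
            if (Utils.isCollectionNotEmpty(matches)) {
                LOG.debug("Resolved certificate by digest");
                for (Object match : matches) {
                    candidatesForSigningCertificate.add(new CertificateValidity((CertificateToken) match));
                }
            }
            return;
        }

        if (candidatesForSigningCertificate.isEmpty()) {
            // No reference and no candidate so far: every certificate of the source is a candidate.
            List<?> certificates = certificateSource.getCertificates();
            LOG.debug("No signing certificate reference found. Resolve all {} certificates from the provided certificate source as signing candidates.", certificates.size());
            for (Object certificate : certificates) {
                candidatesForSigningCertificate.add(new CertificateValidity((CertificateToken) certificate));
            }
        }
    }

    /**
     * Returns the public key of the {@code jwk} header, or null when the header is absent or the
     * key cannot be read. Best effort on purpose: a failure is logged and treated as "no key".
     */
    private PublicKey extractPublicKey() {
        try {
            PublicJsonWebKey jwkHeader = this.jws.getJwkHeader();
            return jwkHeader == null ? null : jwkHeader.getPublicKey();
        } catch (Exception e) {
            LOG.warn("Unable to extract the public key", e);
            return null;
        }
    }

    /**
     * Compares every candidate with the signing-certificate digest and with the issuer/serial
     * derived from the {@code kid} header, records the outcome on the candidate, and selects a
     * candidate reported as valid. When several candidates are valid, the last one in list order
     * is selected.
     */
    private void checkSigningCertificateRef(CandidatesForSigningCertificate candidatesForSigningCertificate) {
        IssuerSerial referencedIssuerSerial = getCurrentIssuerSerial();
        Digest signingCertificateDigest = getSigningCertificateDigest();
        CertificateValidity selected = null;
        for (CertificateValidity candidate : candidatesForSigningCertificate.getCertificateValidityList()) {
            // A candidate may carry no certificate (presumably the ones built from a bare public
            // key; confirm against CertificateValidity). Such a candidate cannot match a
            // certificate reference, so the comparisons are skipped rather than dereferencing null.
            CertificateToken certificateToken = candidate.getCertificateToken();
            if (signingCertificateDigest != null) {
                candidate.setDigestPresent(true);
                if (certificateToken != null && Arrays.equals(signingCertificateDigest.getValue(), certificateToken.getDigest(signingCertificateDigest.getAlgorithm()))) {
                    candidate.setDigestEqual(true);
                }
            }
            if (referencedIssuerSerial != null) {
                candidate.setIssuerSerialPresent(true);
                if (certificateToken != null) {
                    IssuerSerial candidateIssuerSerial = DSSASN1Utils.getIssuerSerial(certificateToken);
                    if (Objects.equals(referencedIssuerSerial.getIssuer(), candidateIssuerSerial.getIssuer())) {
                        candidate.setDistinguishedNameEqual(true);
                    }
                    if (Objects.equals(referencedIssuerSerial.getSerial(), candidateIssuerSerial.getSerial())) {
                        candidate.setSerialNumberEqual(true);
                    }
                }
            }
            if (candidate.isValid()) {
                selected = candidate;
            }
        }
        if (selected != null) {
            candidatesForSigningCertificate.setTheCertificateValidity(selected);
        }
    }

    /**
     * Returns the digest of the first signing-certificate reference, or null when there is no
     * reference. Any further references are not consulted.
     */
    private Digest getSigningCertificateDigest() {
        List<?> signingCertificateRefs = getSigningCertificateRefs();
        if (!Utils.isCollectionNotEmpty(signingCertificateRefs)) {
            return null;
        }
        return ((CertificateRef) signingCertificateRefs.get(0)).getCertDigest();
    }

    /** Returns the issuer/serial that {@link DSSJsonUtils#getIssuerSerial} derives from the kid header. */
    private IssuerSerial getCurrentIssuerSerial() {
        return DSSJsonUtils.getIssuerSerial(this.jws.getKeyIdHeaderValue());
    }
}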
