package eu.europa.esig.dss.jades.validation;

import eu.europa.esig.dss.enumerations.CertificateOrigin;
import eu.europa.esig.dss.enumerations.CertificateRefOrigin;
import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.PKIEncoding;
import eu.europa.esig.dss.jades.DSSJsonUtils;
import eu.europa.esig.dss.jades.JAdESHeaderParameterNames;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.SignatureCertificateSource;
import eu.europa.esig.dss.spi.x509.CandidatesForSigningCertificate;
import eu.europa.esig.dss.spi.x509.CertificateRef;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.utils.Utils;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.jose4j.jwk.PublicJsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/jades/validation/JAdESCertificateSource.class */
/**
 * Certificate source for a JWS/JAdES signature.
 *
 * <p>On construction it reads the certificate-related parameters of the JWS protected header
 * ({@code x5t}, {@code x5t#S256}, the {@code X5T_O} and {@code SIG_X5T_S} parameters, {@code kid},
 * {@code x5u}, {@code x5c}) and the attributes of the etsiU header, and registers the certificates
 * and certificate references found there.
 *
 * <p>NOTE(review): every value handled here is taken from the signature document and is chosen by
 * whoever produced it. Nothing in this class establishes trust in a certificate or key; it only
 * collects candidates and references. Confirm that the trust decision is made by the callers.
 */
public class JAdESCertificateSource extends SignatureCertificateSource {
    private static final long serialVersionUID = -8170607661341382049L;
    private static final Logger LOG = LoggerFactory.getLogger(JAdESCertificateSource.class);
    // transient: excluded from the serialized form.
    // NOTE(review): presumably the methods that read these fields cannot be used on a
    // deserialized instance - confirm.
    private final transient JWS jws;
    private final transient JAdESEtsiUHeader etsiUHeader;
    // Maps an 'x5u' URL to the certificates that were resolved for it (filled by resolveByUri).
    // NOTE(review): raw HashMap instantiation; `new HashMap<>()` would avoid the unchecked warning.
    private final Map<String, Collection<CertificateToken>> x509UrlMap = new HashMap();

    /**
     * Builds the source and immediately extracts all certificates and references.
     *
     * @param jws the JSON Web Signature to read the protected header from
     * @param jAdESEtsiUHeader the etsiU header of the signature
     * @throws NullPointerException if either argument is {@code null}
     */
    public JAdESCertificateSource(JWS jws, JAdESEtsiUHeader jAdESEtsiUHeader) {
        Objects.requireNonNull(jws, "JSON Web signature cannot be null");
        Objects.requireNonNull(jAdESEtsiUHeader, "etsiUHeader cannot be null");
        this.jws = jws;
        this.etsiUHeader = jAdESEtsiUHeader;
        // Extraction runs in a fixed order; references and certificates are registered in this order.
        extractX5T();
        extractX5TS256();
        extractX5TO();
        extractSigX5Ts();
        extractKid();
        extractX509Url();
        extractX5C();
        extractEtsiU();
    }

    /**
     * Returns the certificate references registered with origin {@code KEY_IDENTIFIER}.
     *
     * @return the key identifier certificate references
     */
    public List<CertificateRef> getKeyIdentifierCertificateRefs() {
        return getCertificateRefsByOrigin(CertificateRefOrigin.KEY_IDENTIFIER);
    }

    /**
     * Returns the certificate tokens found for the key identifier references.
     *
     * @return the tokens resolved from {@link #getKeyIdentifierCertificateRefs()}
     */
    public Set<CertificateToken> getKeyIdentifierCertificates() {
        return findTokensFromRefs(getKeyIdentifierCertificateRefs());
    }

    /**
     * Reads the {@code x5t} protected header. The value is only logged (as a SHA-1 digest);
     * no certificate reference is registered for it.
     */
    private void extractX5T() {
        String protectedHeaderValueAsString = this.jws.getProtectedHeaderValueAsString("x5t");
        if (Utils.isStringNotEmpty(protectedHeaderValueAsString)) {
            // NOTE(review): the header value is decoded before logging; how fromBase64Url reacts to
            // malformed input is not visible here, and this runs inside the constructor - confirm.
            LOG.warn("Found {} with value {} but not supported by the JAdES standard", "x5t", new Digest(DigestAlgorithm.SHA1, DSSJsonUtils.fromBase64Url(protectedHeaderValueAsString)));
        }
    }

    /**
     * Reads the {@code x5t#S256} protected header and registers it as a signing certificate
     * reference carrying a SHA-256 digest.
     */
    private void extractX5TS256() {
        String protectedHeaderValueAsString = this.jws.getProtectedHeaderValueAsString("x5t#S256");
        if (Utils.isStringNotEmpty(protectedHeaderValueAsString)) {
            CertificateRef certificateRef = new CertificateRef();
            // The length of the decoded value is not checked here.
            certificateRef.setCertDigest(new Digest(DigestAlgorithm.SHA256, DSSJsonUtils.fromBase64Url(protectedHeaderValueAsString)));
            addCertificateRef(certificateRef, CertificateRefOrigin.SIGNING_CERTIFICATE);
        }
    }

    /**
     * Reads the {@code X5T_O} protected header (a map) and registers the digest it carries.
     */
    private void extractX5TO() {
        extractX5TO(this.jws.getProtectedHeaderValueAsMap(JAdESHeaderParameterNames.X5T_O));
    }

    /**
     * Registers a signing certificate reference from one digest map.
     * Does nothing when the map is empty or no digest can be obtained from it.
     *
     * @param map the digest map taken from the header
     */
    private void extractX5TO(Map<?, ?> map) {
        Digest digest;
        if (!Utils.isMapNotEmpty(map) || (digest = DSSJsonUtils.getDigest(map)) == null) {
            return;
        }
        // NOTE(review): the digest algorithm is whatever the map declares; whether weak algorithms
        // are rejected (in getDigest or during validation) is not visible here - confirm.
        CertificateRef certificateRef = new CertificateRef();
        certificateRef.setCertDigest(digest);
        addCertificateRef(certificateRef, CertificateRefOrigin.SIGNING_CERTIFICATE);
    }

    /**
     * Reads the {@code SIG_X5T_S} protected header (a list) and registers each entry as a
     * signing certificate reference, in list order.
     */
    private void extractSigX5Ts() {
        List<?> protectedHeaderValueAsList = this.jws.getProtectedHeaderValueAsList(JAdESHeaderParameterNames.SIG_X5T_S);
        if (Utils.isCollectionNotEmpty(protectedHeaderValueAsList)) {
            Iterator<?> it = protectedHeaderValueAsList.iterator();
            while (it.hasNext()) {
                extractX5TO(DSSJsonUtils.toMap(it.next(), JAdESHeaderParameterNames.X5T_O));
            }
        }
    }

    /**
     * Registers a {@code KEY_IDENTIFIER} reference when an issuer/serial pair can be obtained
     * from the {@code kid} header value.
     */
    private void extractKid() {
        IssuerSerial kidIssuerSerial = getKidIssuerSerial();
        if (kidIssuerSerial != null) {
            CertificateRef certificateRef = new CertificateRef();
            certificateRef.setCertificateIdentifier(DSSASN1Utils.toSignerIdentifier(kidIssuerSerial));
            addCertificateRef(certificateRef, CertificateRefOrigin.KEY_IDENTIFIER);
        }
    }

    /**
     * Registers the {@code x5u} protected header as a reference with origin {@code X509_URL}.
     * The URL is only recorded here; nothing is resolved in this method.
     */
    private void extractX509Url() {
        String protectedHeaderValueAsString = this.jws.getProtectedHeaderValueAsString("x5u");
        if (Utils.isStringNotEmpty(protectedHeaderValueAsString)) {
            CertificateRef certificateRef = new CertificateRef();
            // Stored as given: no scheme or host check is applied to the URL here.
            certificateRef.setX509Url(protectedHeaderValueAsString);
            addCertificateRef(certificateRef, CertificateRefOrigin.X509_URL);
        }
    }

    /**
     * Decodes each entry of the {@code x5c} protected header as a base64 certificate and adds it
     * with origin {@code KEY_INFO}. Entries that fail to decode are logged and skipped.
     */
    private void extractX5C() {
        List<?> protectedHeaderValueAsList = this.jws.getProtectedHeaderValueAsList("x5c");
        if (Utils.isCollectionNotEmpty(protectedHeaderValueAsList)) {
            Iterator<?> it = protectedHeaderValueAsList.iterator();
            while (it.hasNext()) {
                String dSSJsonUtils = DSSJsonUtils.toString(it.next());
                if (Utils.isStringNotEmpty(dSSJsonUtils)) {
                    try {
                        addCertificate(DSSUtils.loadCertificateFromBase64EncodedString(dSSJsonUtils), CertificateOrigin.KEY_INFO);
                    } catch (Exception e) {
                        // Best effort: one bad entry does not abort the extraction.
                        // NOTE(review): the raw header value is written to the log unmodified; it is
                        // taken from the signature and has no size bound here. Consider truncating or
                        // encoding it before logging.
                        LOG.warn("Unable to decode a certificate from '{}'! Reason : {}", new Object[]{dSSJsonUtils, e.getMessage(), e});
                    }
                }
            }
        }
    }

    /**
     * Walks the attributes of the etsiU header, when it exists, and passes each one to every
     * attribute extractor; each extractor only acts on the header name it handles.
     */
    private void extractEtsiU() {
        if (this.etsiUHeader.isExist()) {
            for (EtsiUComponent etsiUComponent : this.etsiUHeader.getAttributes()) {
                extractCertificateValues(etsiUComponent);
                extractAttrAuthoritiesCertValues(etsiUComponent);
                extractTimestampValidationData(etsiUComponent);
                extractCompleteCertificateRefs(etsiUComponent);
                extractAttributeCertificateRefs(etsiUComponent);
            }
        }
    }

    /**
     * Handles an {@code X_VALS} attribute: its certificates get origin {@code CERTIFICATE_VALUES}.
     *
     * @param jAdESAttribute the attribute to inspect
     */
    private void extractCertificateValues(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.X_VALS.equals(jAdESAttribute.getHeaderName())) {
            // NOTE(review): the toList result is passed on without a null/empty check - confirm
            // that toList never returns null for a malformed attribute value.
            extractCertificateValues(DSSJsonUtils.toList(jAdESAttribute.getValue(), JAdESHeaderParameterNames.X_VALS), CertificateOrigin.CERTIFICATE_VALUES);
        }
    }

    /**
     * Handles an {@code AX_VALS} attribute: its certificates get origin
     * {@code ATTR_AUTHORITIES_CERT_VALUES}.
     *
     * @param jAdESAttribute the attribute to inspect
     */
    private void extractAttrAuthoritiesCertValues(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.AX_VALS.equals(jAdESAttribute.getHeaderName())) {
            // NOTE(review): same unchecked toList result as for X_VALS - confirm.
            extractCertificateValues(DSSJsonUtils.toList(jAdESAttribute.getValue(), JAdESHeaderParameterNames.AX_VALS), CertificateOrigin.ATTR_AUTHORITIES_CERT_VALUES);
        }
    }

    /**
     * Handles a {@code TST_VD} attribute: the {@code X_VALS} list inside it, when not empty, is
     * extracted with origin {@code TIMESTAMP_VALIDATION_DATA}.
     *
     * @param jAdESAttribute the attribute to inspect
     */
    private void extractTimestampValidationData(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.TST_VD.equals(jAdESAttribute.getHeaderName())) {
            List<?> asList = DSSJsonUtils.getAsList(DSSJsonUtils.toMap(jAdESAttribute.getValue(), JAdESHeaderParameterNames.TST_VD), JAdESHeaderParameterNames.X_VALS);
            if (Utils.isCollectionNotEmpty(asList)) {
                extractCertificateValues(asList, CertificateOrigin.TIMESTAMP_VALIDATION_DATA);
            }
        }
    }

    /**
     * Handles an {@code X_REFS} attribute: its references get origin
     * {@code COMPLETE_CERTIFICATE_REFS}.
     *
     * @param jAdESAttribute the attribute to inspect
     */
    private void extractCompleteCertificateRefs(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.X_REFS.equals(jAdESAttribute.getHeaderName())) {
            // NOTE(review): the toList result is passed on without a null/empty check - confirm.
            extractCertificateRefs(DSSJsonUtils.toList(jAdESAttribute.getValue(), JAdESHeaderParameterNames.X_REFS), CertificateRefOrigin.COMPLETE_CERTIFICATE_REFS);
        }
    }

    /**
     * Handles an {@code AX_REFS} attribute: its references get origin
     * {@code ATTRIBUTE_CERTIFICATE_REFS}.
     *
     * @param jAdESAttribute the attribute to inspect
     */
    private void extractAttributeCertificateRefs(JAdESAttribute jAdESAttribute) {
        if (JAdESHeaderParameterNames.AX_REFS.equals(jAdESAttribute.getHeaderName())) {
            // NOTE(review): the toList result is passed on without a null/empty check - confirm.
            extractCertificateRefs(DSSJsonUtils.toList(jAdESAttribute.getValue(), JAdESHeaderParameterNames.AX_REFS), CertificateRefOrigin.ATTRIBUTE_CERTIFICATE_REFS);
        }
    }

    /**
     * Extracts the certificates of a certificate-values list. Each item is read as a map; an
     * {@code X509_CERT} entry is decoded, an {@code OTHER_CERT} entry is logged and skipped.
     *
     * @param list the list of certificate value items; dereferenced without a null check
     * @param certificateOrigin the origin to record for every certificate added
     */
    private void extractCertificateValues(List<?> list, CertificateOrigin certificateOrigin) {
        Iterator<?> it = list.iterator();
        while (it.hasNext()) {
            Map<?, ?> map = DSSJsonUtils.toMap(it.next());
            Map<?, ?> asMap = DSSJsonUtils.getAsMap(map, JAdESHeaderParameterNames.X509_CERT);
            Map<?, ?> asMap2 = DSSJsonUtils.getAsMap(map, JAdESHeaderParameterNames.OTHER_CERT);
            // X509_CERT takes precedence when an item carries both entries.
            if (Utils.isMapNotEmpty(asMap)) {
                extractX509Cert(asMap, certificateOrigin);
            } else if (Utils.isMapNotEmpty(asMap2)) {
                LOG.warn("The header '{}' is not supported! The entry is skipped.", JAdESHeaderParameterNames.OTHER_CERT);
            }
        }
    }

    /**
     * Registers the certificate references of a references list. Items for which no reference
     * can be created are skipped.
     *
     * @param list the list of reference items; dereferenced without a null check
     * @param certificateRefOrigin the origin to record for every reference added
     */
    private void extractCertificateRefs(List<?> list, CertificateRefOrigin certificateRefOrigin) {
        Iterator<?> it = list.iterator();
        while (it.hasNext()) {
            CertificateRef createCertificateRef = JAdESCertificateRefExtractionUtils.createCertificateRef(DSSJsonUtils.toMap(it.next()));
            if (createCertificateRef != null) {
                addCertificateRef(createCertificateRef, certificateRefOrigin);
            }
        }
    }

    /**
     * Decodes one {@code X509_CERT} map and adds the certificate. The entry is rejected when it
     * declares an encoding other than DER; an absent or empty encoding is accepted.
     *
     * @param map the {@code X509_CERT} map
     * @param certificateOrigin the origin to record for the certificate
     */
    private void extractX509Cert(Map<?, ?> map, CertificateOrigin certificateOrigin) {
        String asString = DSSJsonUtils.getAsString(map, JAdESHeaderParameterNames.ENCODING);
        if (!Utils.isStringEmpty(asString) && !Utils.areStringsEqual(PKIEncoding.DER.getUri(), asString)) {
            LOG.warn("Unsupported encoding header value : '{}'", asString);
            return;
        }
        String asString2 = DSSJsonUtils.getAsString(map, JAdESHeaderParameterNames.VAL);
        if (Utils.isStringNotEmpty(asString2)) {
            try {
                addCertificate(DSSUtils.loadCertificateFromBase64EncodedString(asString2), certificateOrigin);
            } catch (Exception e) {
                // Best effort: a value that cannot be decoded is logged and skipped.
                // NOTE(review): the raw value from the signature is written to the log unmodified
                // and unbounded; consider truncating or encoding it before logging.
                LOG.warn("Unable to decode a certificate from '{}'! Reason : {}", new Object[]{asString2, e.getMessage(), e});
            }
        }
    }

    /**
     * Collects the candidates for the signing certificate, in this order: the certificates
     * returned by {@code getKeyInfoCertificates()}, the certificates resolved from the provided
     * source (if any), then the public key of the {@code jwk} header (if any). Finally the
     * candidates are checked against the signing certificate reference.
     *
     * <p>NOTE(review): the {@code jwk} key and the {@code x5c} certificates are embedded in the
     * signature itself. Being a candidate here says nothing about trust; confirm that the
     * validation process never accepts a bare-key candidate as trusted on its own.
     *
     * @param certificateSource an optional external source used to resolve the certificate; may be
     *     {@code null}
     * @return the candidates, never {@code null}
     */
    protected CandidatesForSigningCertificate extractCandidatesForSigningCertificate(CertificateSource certificateSource) {
        CandidatesForSigningCertificate candidatesForSigningCertificate = new CandidatesForSigningCertificate();
        Iterator it = getKeyInfoCertificates().iterator();
        while (it.hasNext()) {
            candidatesForSigningCertificate.add(new CertificateValidity((CertificateToken) it.next()));
        }
        if (certificateSource != null) {
            resolveFromSource(certificateSource, candidatesForSigningCertificate);
        }
        PublicKey extractPublicKey = extractPublicKey();
        if (extractPublicKey != null) {
            // Candidate built from a key only: it has no certificate token.
            candidatesForSigningCertificate.add(new CertificateValidity(extractPublicKey));
        }
        checkSigningCertificateRef(candidatesForSigningCertificate);
        return candidatesForSigningCertificate;
    }

    /**
     * Resolves signing certificate candidates from the provided source. The strategies are tried
     * in a fixed order and the method returns after the first one that applies:
     * by {@code kid}, by {@code x5u}, by signing certificate digest, and last by taking every
     * certificate of the source.
     *
     * @param certificateSource the external source to resolve from
     * @param candidatesForSigningCertificate the candidate collection to extend
     */
    private void resolveFromSource(CertificateSource certificateSource, CandidatesForSigningCertificate candidatesForSigningCertificate) {
        CertificateToken resolveByKid = resolveByKid(certificateSource);
        if (resolveByKid != null) {
            LOG.debug("Resolved certificate by kid");
            // Certificates resolved by kid or x5u are also added to this source.
            super.addCertificate(resolveByKid);
            candidatesForSigningCertificate.add(new CertificateValidity(resolveByKid));
            return;
        }
        Collection<CertificateToken> resolveByUri = resolveByUri(certificateSource);
        if (Utils.isCollectionNotEmpty(resolveByUri)) {
            LOG.debug("Resolved certificates by x5u");
            for (CertificateToken certificateToken : resolveByUri) {
                super.addCertificate(certificateToken);
                candidatesForSigningCertificate.add(new CertificateValidity(certificateToken));
            }
            return;
        }
        Digest signingCertificateDigest = getSigningCertificateDigest();
        if (signingCertificateDigest != null) {
            Set byCertificateDigest = certificateSource.getByCertificateDigest(signingCertificateDigest);
            if (Utils.isCollectionNotEmpty(byCertificateDigest)) {
                LOG.debug("Resolved certificate by digest");
                Iterator it = byCertificateDigest.iterator();
                while (it.hasNext()) {
                    // Unlike the kid and x5u branches, these tokens are not added to this source.
                    candidatesForSigningCertificate.add(new CertificateValidity((CertificateToken) it.next()));
                }
                return;
            }
            // A digest reference exists but matched nothing: stop here, the fallback below is
            // not applied.
            return;
        }
        // Fallback: only when there is no digest reference and no candidate was found so far.
        // NOTE(review): every certificate of the provided source then becomes a candidate, so the
        // content of that source decides who can be proposed as signer - confirm this is intended
        // for sources that hold more than the expected signers.
        if (candidatesForSigningCertificate.isEmpty()) {
            List certificates = certificateSource.getCertificates();
            LOG.debug("No signing certificate reference found. Resolve all {} certificates from the provided certificate source as signing candidates.", Integer.valueOf(certificates.size()));
            Iterator it2 = certificates.iterator();
            while (it2.hasNext()) {
                candidatesForSigningCertificate.add(new CertificateValidity((CertificateToken) it2.next()));
            }
        }
    }

    /**
     * Looks up the certificate for the {@code kid} header value. Only a
     * {@code KidCertificateSource} can answer; any other source type produces a warning.
     *
     * @param certificateSource the external source
     * @return the certificate returned by the source, or {@code null} when there is no {@code kid}
     *     or the source is not a {@code KidCertificateSource}
     */
    private CertificateToken resolveByKid(CertificateSource certificateSource) {
        String keyIdHeaderValue = this.jws.getKeyIdHeaderValue();
        if (!Utils.isStringNotEmpty(keyIdHeaderValue)) {
            return null;
        }
        if (certificateSource instanceof KidCertificateSource) {
            return ((KidCertificateSource) certificateSource).getCertificateByKid(keyIdHeaderValue);
        }
        LOG.warn("JWS/JAdES contains a 'kid' header (provide a KidCertificateSource to resolve it)");
        return null;
    }

    /**
     * Looks up the certificates for the {@code x5u} header value. Only an
     * {@code X509URLCertificateSource} can answer; any other source type produces a warning.
     * A non-empty result is remembered in {@code x509UrlMap} under the URL.
     *
     * <p>NOTE(review): the URL is taken from the signature. Whether
     * {@code getCertificatesByUrl} fetches it or only looks up pre-registered URLs is not visible
     * here; if it fetches, the implementation should restrict scheme and destination - confirm.
     *
     * @param certificateSource the external source
     * @return whatever the source returns for the URL (returned as is, so possibly {@code null} or
     *     empty), or an empty list when there is no {@code x5u} or the source type does not match
     */
    private Collection<CertificateToken> resolveByUri(CertificateSource certificateSource) {
        String protectedHeaderValueAsString = this.jws.getProtectedHeaderValueAsString("x5u");
        if (Utils.isStringNotEmpty(protectedHeaderValueAsString)) {
            if (certificateSource instanceof X509URLCertificateSource) {
                Collection<CertificateToken> certificatesByUrl = ((X509URLCertificateSource) certificateSource).getCertificatesByUrl(protectedHeaderValueAsString);
                if (Utils.isCollectionNotEmpty(certificatesByUrl)) {
                    this.x509UrlMap.put(protectedHeaderValueAsString, certificatesByUrl);
                }
                return certificatesByUrl;
            }
            LOG.warn("JWS/JAdES contains a 'x5u' header (provide a X509URLCertificateSource to resolve it)");
        }
        return Collections.emptyList();
    }

    /**
     * Returns the public key of the {@code jwk} header.
     *
     * @return the public key, or {@code null} when there is no {@code jwk} header or reading it
     *     failed (the failure is logged)
     */
    private PublicKey extractPublicKey() {
        try {
            PublicJsonWebKey jwkHeader = this.jws.getJwkHeader();
            if (jwkHeader != null) {
                return jwkHeader.getPublicKey();
            }
            return null;
        } catch (Exception e) {
            // Any failure is treated as "no key": logged and swallowed.
            LOG.warn("Unable to extract the public key", e);
            return null;
        }
    }

    /**
     * Checks every candidate against the signing certificate reference and marks the matching
     * one as the certificate validity of the candidates.
     *
     * <p>Only the first signing certificate reference and the first key identifier reference are
     * used. Nothing is done when there is no signing certificate reference, even if a key
     * identifier reference exists.
     *
     * @param candidatesForSigningCertificate the candidates to check and update
     */
    private void checkSigningCertificateRef(CandidatesForSigningCertificate candidatesForSigningCertificate) {
        List signingCertificateRefs = getSigningCertificateRefs();
        CertificateRef certificateRef = Utils.isCollectionNotEmpty(signingCertificateRefs) ? (CertificateRef) signingCertificateRefs.get(0) : null;
        List<CertificateRef> keyIdentifierCertificateRefs = getKeyIdentifierCertificateRefs();
        CertificateRef certificateRef2 = Utils.isCollectionNotEmpty(keyIdentifierCertificateRefs) ? keyIdentifierCertificateRefs.get(0) : null;
        if (certificateRef != null) {
            CertificateValidity certificateValidity = null;
            // No break: isValid() is run on every candidate (it updates each one's flags), and
            // when several candidates are valid the last one in list order is kept.
            for (CertificateValidity certificateValidity2 : candidatesForSigningCertificate.getCertificateValidityList()) {
                if (isValid(certificateValidity2, certificateRef, certificateRef2)) {
                    certificateValidity = certificateValidity2;
                }
            }
            if (certificateValidity != null) {
                candidatesForSigningCertificate.setTheCertificateValidity(certificateValidity);
            }
        }
    }

    /**
     * Fills the match flags of one candidate and returns its overall validity.
     *
     * <p>The "present" flags are always set. The "equal" flags are set only when the candidate
     * holds a certificate token, so a key-only candidate keeps whatever values it had.
     *
     * @param certificateValidity the candidate to update
     * @param certificateRef the signing certificate reference (digest), may be {@code null}
     * @param certificateRef2 the key identifier reference (issuer/serial), may be {@code null}
     * @return the result of {@code certificateValidity.isValid()} after the flags were set
     */
    private boolean isValid(CertificateValidity certificateValidity, CertificateRef certificateRef, CertificateRef certificateRef2) {
        certificateValidity.setDigestPresent((certificateRef == null || certificateRef.getCertDigest() == null) ? false : true);
        certificateValidity.setIssuerSerialPresent((certificateRef2 == null || certificateRef2.getCertificateIdentifier() == null) ? false : true);
        CertificateToken certificateToken = certificateValidity.getCertificateToken();
        if (certificateToken != null) {
            // certificateMatcher is not declared in this class (presumably inherited).
            if (certificateRef != null) {
                certificateValidity.setDigestEqual(this.certificateMatcher.matchByDigest(certificateToken, certificateRef));
            }
            if (certificateRef2 != null) {
                certificateValidity.setSerialNumberEqual(this.certificateMatcher.matchBySerialNumber(certificateToken, certificateRef2));
                certificateValidity.setDistinguishedNameEqual(this.certificateMatcher.matchByIssuerName(certificateToken, certificateRef2));
            }
        }
        return certificateValidity.isValid();
    }

    /**
     * Returns the digest of the first signing certificate reference.
     *
     * @return the digest, or {@code null} when there is no signing certificate reference (or the
     *     first reference carries no digest)
     */
    private Digest getSigningCertificateDigest() {
        List signingCertificateRefs = getSigningCertificateRefs();
        if (Utils.isCollectionNotEmpty(signingCertificateRefs)) {
            return ((CertificateRef) signingCertificateRefs.get(0)).getCertDigest();
        }
        return null;
    }

    /**
     * Converts the {@code kid} header value to an issuer/serial pair.
     *
     * @return the result of {@code DSSJsonUtils.getIssuerSerial} for the {@code kid} value
     */
    private IssuerSerial getKidIssuerSerial() {
        return DSSJsonUtils.getIssuerSerial(this.jws.getKeyIdHeaderValue());
    }

    /**
     * Returns the orphan references of the parent class, extended with every {@code X509_URL}
     * reference that is not already in that list.
     *
     * <p>NOTE(review): the {@code x5u} reference is added whether or not it was resolved, and the
     * list returned by the parent is modified in place (assumes it is mutable) - confirm.
     *
     * @return the orphan certificate references
     */
    public List<CertificateRef> getOrphanCertificateRefs() {
        List<CertificateRef> orphanCertificateRefs = super.getOrphanCertificateRefs();
        List<CertificateRef> certificateRefsByOrigin = getCertificateRefsByOrigin(CertificateRefOrigin.X509_URL);
        if (Utils.isCollectionNotEmpty(certificateRefsByOrigin)) {
            for (CertificateRef certificateRef : certificateRefsByOrigin) {
                if (!orphanCertificateRefs.contains(certificateRef)) {
                    orphanCertificateRefs.add(certificateRef);
                }
            }
        }
        return orphanCertificateRefs;
    }

    /**
     * Returns the references of the parent class for the token, extended with the
     * {@code X509_URL} references whose URL was resolved to that token.
     *
     * @param certificateToken the certificate to find references for
     * @return the references pointing to the certificate
     */
    public List<CertificateRef> getReferencesForCertificateToken(CertificateToken certificateToken) {
        List<CertificateRef> referencesForCertificateToken = super.getReferencesForCertificateToken(certificateToken);
        for (Map.Entry<String, Collection<CertificateToken>> entry : this.x509UrlMap.entrySet()) {
            if (entry.getValue().contains(certificateToken)) {
                for (CertificateRef certificateRef : getCertificateRefsByOrigin(CertificateRefOrigin.X509_URL)) {
                    if (entry.getKey().equals(certificateRef.getX509Url())) {
                        referencesForCertificateToken.add(certificateRef);
                    }
                }
            }
        }
        return referencesForCertificateToken;
    }

    /**
     * Returns the tokens of the parent class for the reference, extended with the certificates
     * remembered for the reference's {@code x5u} URL, if it has one.
     *
     * @param certificateRef the reference to resolve
     * @return the certificate tokens matching the reference
     */
    public Set<CertificateToken> findTokensFromCertRef(CertificateRef certificateRef) {
        Set<CertificateToken> findTokensFromCertRef = super.findTokensFromCertRef(certificateRef);
        if (Utils.isStringNotEmpty(certificateRef.getX509Url())) {
            Collection<CertificateToken> collection = this.x509UrlMap.get(certificateRef.getX509Url());
            if (Utils.isCollectionNotEmpty(collection)) {
                findTokensFromCertRef.addAll(collection);
            }
        }
        return findTokensFromCertRef;
    }
}
