package eu.europa.esig.dss.validation;

import eu.europa.esig.dss.DSSASN1Utils;
import eu.europa.esig.dss.DSSUtils;
import eu.europa.esig.dss.DigestAlgorithm;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.x509.CertificatePool;
import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.SignatureCertificateSource;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.OtherCertID;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.util.Selector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/validation/CAdESCertificateSource.class */
public class CAdESCertificateSource extends SignatureCertificateSource {
    private static final Logger LOG = LoggerFactory.getLogger(CAdESCertificateSource.class);
    private List<CertificateToken> keyInfoCerts;
    private List<CertificateToken> encapsulatedCerts;

    public CAdESCertificateSource(CMSSignedData cMSSignedData, CertificatePool certificatePool) {
        super(certificatePool);
        Objects.requireNonNull(cMSSignedData, "CMS SignedData is null, it must be provided!");
        this.keyInfoCerts = extractIdSignedDataCertificates(cMSSignedData);
        this.encapsulatedCerts = extractEncapsulatedCertificates(cMSSignedData);
    }

    public List<CertificateToken> getEncapsulatedCertificates() {
        return this.encapsulatedCerts;
    }

    private List<CertificateToken> extractEncapsulatedCertificates(CMSSignedData cMSSignedData) {
        ArrayList arrayList = new ArrayList();
        SignerInformation firstSignerInformation = DSSASN1Utils.getFirstSignerInformation(cMSSignedData);
        if (firstSignerInformation != null && firstSignerInformation.getUnsignedAttributes() != null) {
            AttributeTable unsignedAttributes = firstSignerInformation.getUnsignedAttributes();
            extractCertificateFromUnsignedAttribute(arrayList, unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_ets_certValues));
            extractCertificateRefsFromUnsignedAttribute(arrayList, unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_ets_certificateRefs));
        }
        return arrayList;
    }

    private void extractCertificateFromUnsignedAttribute(List<CertificateToken> list, Attribute attribute) {
        if (attribute != null) {
            ASN1Sequence objectAt = attribute.getAttrValues().getObjectAt(0);
            for (int i = 0; i < objectAt.size(); i++) {
                try {
                    CertificateToken addCertificate = addCertificate(DSSUtils.loadCertificate(Certificate.getInstance(objectAt.getObjectAt(i)).getEncoded()));
                    if (!list.contains(addCertificate)) {
                        list.add(addCertificate);
                    }
                } catch (Exception e) {
                    LOG.warn("Unable to parse encapsulated certificate : {}", e.getMessage());
                }
            }
        }
    }

    private void extractCertificateRefsFromUnsignedAttribute(List<CertificateToken> list, Attribute attribute) {
        if (attribute != null) {
            ASN1Sequence objectAt = attribute.getAttrValues().getObjectAt(0);
            for (int i = 0; i < objectAt.size(); i++) {
                try {
                    OtherCertID otherCertID = OtherCertID.getInstance(objectAt.getObjectAt(i));
                    byte[] certHash = otherCertID.getCertHash();
                    DigestAlgorithm forOID = DigestAlgorithm.forOID(otherCertID.getAlgorithmHash().getAlgorithm().getId());
                    BigInteger value = otherCertID.getIssuerSerial() != null ? otherCertID.getIssuerSerial().getSerial().getValue() : null;
                    boolean z = false;
                    for (CertificateToken certificateToken : getCertificates()) {
                        if (Arrays.equals(certHash, certificateToken.getDigest(forOID)) && (value == null || value.equals(certificateToken.getSerialNumber()))) {
                            z = true;
                            break;
                        }
                    }
                    if (!z) {
                        LOG.warn("Certificate Ref (SN:{} / {}:{}) is not known", new Object[]{value, forOID, Utils.toBase64(certHash)});
                    }
                } catch (Exception e) {
                    LOG.warn("Unable to parse encapsulated OtherCertID : {}", e.getMessage());
                }
            }
        }
    }

    public List<CertificateToken> getKeyInfoCertificates() {
        return this.keyInfoCerts;
    }

    private List<CertificateToken> extractIdSignedDataCertificates(CMSSignedData cMSSignedData) {
        ArrayList arrayList = new ArrayList();
        try {
            Iterator it = cMSSignedData.getCertificates().getMatches((Selector) null).iterator();
            while (it.hasNext()) {
                CertificateToken addCertificate = addCertificate(DSSASN1Utils.getCertificate((X509CertificateHolder) it.next()));
                if (!arrayList.contains(addCertificate)) {
                    arrayList.add(addCertificate);
                }
            }
        } catch (Exception e) {
            LOG.warn("Cannot extract certificates from CMS Signed Data : {}", e.getMessage());
        }
        return arrayList;
    }
}
