package com.adobe.internal.pdftoolkit.services.digsig.cryptoprovider.impl;

import com.adobe.internal.pdftoolkit.core.exceptions.PDFInvalidParameterException;
import com.adobe.internal.pdftoolkit.core.exceptions.PDFSignatureException;
import com.adobe.internal.pdftoolkit.services.digsig.SignatureUtils;
import com.adobe.internal.pdftoolkit.services.digsig.cryptoprovider.Verifier;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.ESSCertIDv2;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.ess.SigningCertificateV2;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
import org.bouncycastle.cert.selector.X509CertificateHolderSelector;
import org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampToken;

/* loaded from: input_file:com/adobe/internal/pdftoolkit/services/digsig/cryptoprovider/impl/CADESDetachedVerifier.class */
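/**
 * Verifies a detached CMS signature (CAdES profile) over externally supplied content.
 *
 * <p>What a {@code true} result from {@link #verify(InputStream, byte[])} means, as far as this
 * class shows:
 * <ul>
 *   <li>at least one SignerInfo verified cryptographically against a certificate that is
 *       embedded in the same CMS container;</li>
 *   <li>the signed attributes contain a content-type of id-data, a message-digest attribute and
 *       an ESS signing-certificate attribute (v1 and/or v2) that binds that certificate;</li>
 *   <li>a signature time-stamp token, if present, validates and covers the signature value.</li>
 * </ul>
 *
 * <p>What it does <em>not</em> do: no certification-path building, trust-anchor check or
 * revocation check happens in this class. The certificates used for verification come from the
 * signature itself, so a {@code true} result is an integrity statement only.
 * NOTE(review): trust and revocation are presumably evaluated by the caller — confirm.
 */
public class CADESDetachedVerifier extends Verifier {
    /**
     * DER encoding of the id-data content-type OID, compared against the signed content-type
     * attribute. {@code null} only if encoding failed at class load, in which case the
     * content-type check rejects every signature.
     */
    private static final byte[] CONTENT_TYPE_DATA_VALUE = encodeDataContentType();

    /** Hash used for ESSCertIDv2 when the attribute omits the algorithm (RFC 5035 default). */
    private static final String DEFAULT_CERTIFICATE_HASH_ALGORITHM_NAME = "SHA256";

    /**
     * Hash used for the legacy ESSCertID (RFC 2634), which is always SHA-1; "SHA" is the JCA
     * name handed to the provider for it.
     */
    private static final String CERTIFICATE_HASH_ALGORITHM_NAME_FOR_OLD_SIGNING_CERTIFICATE_ATTRIBUTE = "SHA";

    /**
     * Verifies the detached signature {@code bArr} over the bytes of {@code inputStream}.
     *
     * <p>The stream is read to its end but not closed; it remains owned by the caller. The
     * whole content is buffered in memory.
     *
     * <p>The result is {@code true} as soon as one signer/certificate pair passes every check,
     * so a container with several SignerInfos is accepted when any single one is valid.
     * Only RSA signatures are handled (the verifier is built with
     * {@link BcRSASignerInfoVerifierBuilder}).
     *
     * @param inputStream the signed content (the bytes the signature covers)
     * @param bArr the encoded CMS SignedData structure
     * @return {@code true} if a signer verified and its attributes are consistent;
     *     {@code false} otherwise, including when BouncyCastle reports a {@link CMSException}
     * @throws PDFSignatureException on any other failure (I/O, malformed attributes, ...)
     */
    @Override // com.adobe.internal.pdftoolkit.services.digsig.cryptoprovider.Verifier
    public boolean verify(InputStream inputStream, byte[] bArr) throws PDFSignatureException {
        try {
            // available() is only an estimate and a single read() may return fewer bytes than
            // requested, so the content is drained in a loop; verifying a short or zero-padded
            // buffer would reject valid signatures.
            byte[] signedContent = readFully(inputStream);
            CMSSignedData signedData = new CMSSignedData(new CMSProcessableByteArray(signedContent), bArr);

            // Candidate signer certificates are taken from the signature container itself.
            // The CRLs are added to the store as well but are not consulted in this method.
            JcaCertStoreBuilder storeBuilder = new JcaCertStoreBuilder();
            storeBuilder.addCertificates(signedData.getCertificates());
            storeBuilder.addCRLs(signedData.getCRLs());
            CertStore embeddedStore = storeBuilder.build();

            for (SignerInformation signerInformation : signedData.getSignerInfos().getSigners()) {
                SignerId sid = signerInformation.getSID();
                Collection<? extends Certificate> candidates = embeddedStore.getCertificates(
                        new JcaX509CertSelectorConverter().getCertSelector(
                                new X509CertificateHolderSelector(sid.getIssuer(), sid.getSerialNumber())));
                BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(
                        new DefaultCMSSignatureAlgorithmNameGenerator(),
                        new DefaultSignatureAlgorithmIdentifierFinder(),
                        new DefaultDigestAlgorithmIdentifierFinder(),
                        new BcDigestCalculatorProvider());
                Iterator<? extends Certificate> it = candidates.iterator();
                while (it.hasNext()) {
                    X509Certificate candidate = (X509Certificate) it.next();
                    boolean signatureValid = signerInformation.verify(
                            verifierBuilder.build(new X509CertificateHolder(candidate.getEncoded())));
                    if (signatureValid
                            && verifySignedAttributes(signerInformation, candidate)
                            && verifyUnsignedAttributes(signerInformation)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (CMSException e) {
            // Fail closed: a CMS-level error (malformed structure, digest mismatch reported as
            // an exception, unsupported algorithm) is treated as "not verified". Note that it
            // ends the whole loop, so later signers are not tried.
            return false;
        } catch (Exception e2) {
            throw new PDFSignatureException("Error Verifying CADES Detached Signature", e2);
        }
    }

    /**
     * Reads {@code in} until end of stream and returns everything that was read.
     *
     * @param in the stream to drain; not closed by this method
     * @return the bytes read, possibly empty
     * @throws IOException if reading fails
     */
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int count;
        while ((count = in.read(chunk)) != -1) {
            sink.write(chunk, 0, count);
        }
        return sink.toByteArray();
    }

    /**
     * Checks the three signed attributes this verifier requires: content-type, message-digest
     * and the ESS signing-certificate binding.
     *
     * @return {@code false} when the signer carries no signed attributes or any check fails
     */
    private boolean verifySignedAttributes(SignerInformation signerInformation, X509Certificate x509Certificate) throws PDFSignatureException {
        AttributeTable signedAttributes = signerInformation.getSignedAttributes();
        if (signedAttributes == null) {
            return false;
        }
        return verifyContentTypeAttribute(signedAttributes)
                && verifyMessageDigestAttribute(signedAttributes)
                && verifySigningCertificateAttribute(signedAttributes, x509Certificate);
    }

    /**
     * Validates the signature time-stamp token, when one is attached as an unsigned attribute.
     *
     * <p>A signature without a time-stamp attribute passes this check. When the attribute is
     * present, the token must pass {@code BCUtilities.verifyTimestampToken} and its message
     * imprint must equal the digest of this signer's signature value. Only the attribute
     * returned by {@code AttributeTable.get} is examined.
     *
     * @return {@code true} if there is no time stamp or the time stamp is consistent
     * @throws PDFSignatureException if the attribute has no value or the token cannot be processed
     */
    private boolean verifyUnsignedAttributes(SignerInformation signerInformation) throws PDFSignatureException {
        AttributeTable unsignedAttributes = signerInformation.getUnsignedAttributes();
        if (unsignedAttributes == null) {
            return true;
        }
        Attribute timeStampAttribute = unsignedAttributes.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (timeStampAttribute == null) {
            return true;
        }
        byte[] encodedToken = BCUtilities.getASN1EncodedAttributeValue(timeStampAttribute);
        if (encodedToken == null) {
            throw new PDFSignatureException("Time stamp attribute is present in the signature but the value corresponding to it is not.");
        }
        try {
            TimeStampToken timeStampToken = new TimeStampToken(new CMSSignedData(encodedToken));
            if (!BCUtilities.verifyTimestampToken(timeStampToken)) {
                return false;
            }
            // The imprint algorithm is whatever the token declares; the digest is recomputed
            // over the signature value so a token issued for another signature is rejected.
            byte[] expectedImprint = timeStampToken.getTimeStampInfo().getMessageImprintDigest();
            String imprintAlgorithm = SignatureUtils.getAlgorithmName(timeStampToken.getTimeStampInfo().getMessageImprintAlgOID());
            MessageDigest messageDigest = MessageDigest.getInstance(imprintAlgorithm, BCUtilities.provider);
            messageDigest.update(signerInformation.getSignature());
            return Arrays.equals(messageDigest.digest(), expectedImprint);
        } catch (Exception e) {
            throw new PDFSignatureException("Error validating time stamp token attribute", e);
        }
    }

    /**
     * Requires a signed content-type attribute whose value is the id-data OID.
     *
     * @return {@code false} if the attribute is missing, has no encodable value, does not match,
     *     or the expected encoding could not be prepared at class load
     */
    private boolean verifyContentTypeAttribute(AttributeTable attributeTable) {
        Attribute attribute = attributeTable.get(CMSAttributes.contentType);
        if (attribute == null) {
            return false;
        }
        byte[] actual = BCUtilities.getASN1EncodedAttributeValue(attribute);
        // Arrays.equals(null, null) is true, so both sides are checked explicitly to keep the
        // comparison from passing when neither value is available.
        if (actual == null || CONTENT_TYPE_DATA_VALUE == null) {
            return false;
        }
        return Arrays.equals(actual, CONTENT_TYPE_DATA_VALUE);
    }

    /**
     * Requires the signed message-digest attribute to be present with a value.
     *
     * <p>Only presence is checked here; the value is not compared with the content digest in
     * this method. NOTE(review): that comparison is presumably done inside
     * {@code SignerInformation.verify} — confirm for the bundled BouncyCastle version.
     */
    private boolean verifyMessageDigestAttribute(AttributeTable attributeTable) {
        Attribute attribute = attributeTable.get(CMSAttributes.messageDigest);
        return attribute != null && BCUtilities.getASN1EncodedAttributeValue(attribute) != null;
    }

    /**
     * Checks that the signed attributes bind the signature to {@code x509Certificate} through
     * an ESS signing-certificate attribute.
     *
     * <p>At least one of the v2 and the legacy attribute must be present; every one that is
     * present must match. Without this binding a signature could be re-attributed to another
     * certificate that carries the same public key.
     *
     * @return {@code true} only if an attribute was found and none of those found mismatched
     */
    private boolean verifySigningCertificateAttribute(AttributeTable attributeTable, X509Certificate x509Certificate) throws PDFSignatureException {
        boolean bindingFound = false;

        Attribute v2Attribute = attributeTable.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
        if (v2Attribute != null) {
            SigningCertificateV2 signingCertificateV2 = SigningCertificateV2.getInstance(BCUtilities.getASN1EncodableAttributeValue(v2Attribute));
            if (signingCertificateV2 != null) {
                bindingFound = true;
                if (!verifySigningCertificateV2Attribute(signingCertificateV2, x509Certificate)) {
                    return false;
                }
            }
        }

        Attribute legacyAttribute = attributeTable.get(PKCSObjectIdentifiers.id_aa_signingCertificate);
        if (legacyAttribute != null) {
            SigningCertificate signingCertificate = SigningCertificate.getInstance(BCUtilities.getASN1EncodableAttributeValue(legacyAttribute));
            if (signingCertificate != null) {
                bindingFound = true;
                if (!verifySigningCertificateOLDAttribute(signingCertificate, x509Certificate)) {
                    return false;
                }
            }
        }
        return bindingFound;
    }

    /**
     * Matches {@code x509Certificate} against the first ESSCertIDv2 of a SigningCertificateV2
     * attribute: certificate hash, optional issuer/serial and optional policies.
     *
     * <p>The hash algorithm is the one named in the attribute (SHA-256 when omitted), i.e. it is
     * chosen by the signer. NOTE(review): no minimum strength is enforced here — confirm
     * whether weak digests are rejected elsewhere.
     */
    private boolean verifySigningCertificateV2Attribute(SigningCertificateV2 signingCertificateV2, X509Certificate x509Certificate) throws PDFSignatureException {
        ESSCertIDv2[] certs = signingCertificateV2.getCerts();
        if (certs == null || certs.length == 0) {
            return false;
        }
        // The first entry identifies the signing certificate; later entries are not examined.
        ESSCertIDv2 signerCertId = certs[0];
        try {
            String hashAlgorithmName = signerCertId.getHashAlgorithm() == null
                    ? null
                    : SignatureUtils.getAlgorithmName(signerCertId.getHashAlgorithm().getAlgorithm());
            return verifyCertificateHashValue(x509Certificate, signerCertId.getCertHash(), hashAlgorithmName)
                    && verifyIssuerSerial(x509Certificate, signerCertId.getIssuerSerial())
                    && verifyPolicyInformation(x509Certificate, signingCertificateV2.getPolicies());
        } catch (IOException e) {
            throw new PDFSignatureException("Error verifying Certifcate Hash Value in SigningCertificateV2 attribute", e);
        } catch (CertificateEncodingException e2) {
            throw new PDFSignatureException("Error verifying Certifcate Hash Value in SigningCertificateV2 attribute", e2);
        }
    }

    /**
     * Matches {@code x509Certificate} against the first ESSCertID of a legacy
     * SigningCertificate attribute: SHA-1 certificate hash, optional issuer/serial and
     * optional policies.
     */
    private boolean verifySigningCertificateOLDAttribute(SigningCertificate signingCertificate, X509Certificate x509Certificate) throws PDFSignatureException {
        ESSCertID[] certs = signingCertificate.getCerts();
        if (certs == null || certs.length == 0) {
            return false;
        }
        // The first entry identifies the signing certificate; later entries are not examined.
        ESSCertID signerCertId = certs[0];
        try {
            return verifyCertificateHashValue(x509Certificate, signerCertId.getCertHash(), CERTIFICATE_HASH_ALGORITHM_NAME_FOR_OLD_SIGNING_CERTIFICATE_ATTRIBUTE)
                    && verifyIssuerSerial(x509Certificate, signerCertId.getIssuerSerial())
                    && verifyPolicyInformation(x509Certificate, signingCertificate.getPolicies());
        } catch (IOException e) {
            // Message names the legacy attribute; it previously pointed at SigningCertificateV2,
            // which sent whoever read the error to the wrong attribute.
            throw new PDFSignatureException("Error verifying Certifcate Hash Value in SigningCertificate attribute", e);
        } catch (CertificateEncodingException e2) {
            throw new PDFSignatureException("Error verifying Certifcate Hash Value in SigningCertificate attribute", e2);
        }
    }

    /**
     * Hashes the encoded certificate and compares the result with the hash from the attribute.
     *
     * @param x509Certificate certificate that verified the signature
     * @param bArr expected hash taken from the ESS certificate identifier
     * @param str JCA digest name, or {@code null} to use SHA-256
     * @return {@code true} if the digests are equal
     * @throws PDFSignatureException if the certificate cannot be encoded or the digest is unavailable
     */
    private boolean verifyCertificateHashValue(X509Certificate x509Certificate, byte[] bArr, String str) throws PDFSignatureException {
        try {
            byte[] encoded = x509Certificate.getEncoded();
            String algorithmName = str == null ? DEFAULT_CERTIFICATE_HASH_ALGORITHM_NAME : str;
            MessageDigest messageDigest = MessageDigest.getInstance(algorithmName, BCUtilities.provider);
            messageDigest.update(encoded);
            return Arrays.equals(messageDigest.digest(), bArr);
        } catch (Exception e) {
            throw new PDFSignatureException("Error verifying cert hash value in ESSCertV2", e);
        }
    }

    /**
     * Compares the optional IssuerSerial of an ESS certificate identifier with the certificate.
     *
     * <p>An absent IssuerSerial passes. Otherwise the serial number must be equal and the
     * issuer must consist of exactly one GeneralName whose string form equals the string form
     * of the certificate's issuer name.
     */
    private boolean verifyIssuerSerial(X509Certificate x509Certificate, IssuerSerial issuerSerial) throws PDFSignatureException, CertificateEncodingException, IOException {
        if (issuerSerial == null) {
            return true;
        }
        if (issuerSerial.getSerial() == null || !issuerSerial.getSerial().getValue().equals(x509Certificate.getSerialNumber())) {
            return false;
        }
        String certificateIssuer = new X500Name(new X509CertificateHolder(x509Certificate.getEncoded()).getIssuer().getRDNs()).toString();
        GeneralNames issuer = issuerSerial.getIssuer();
        if (issuer == null) {
            return false;
        }
        GeneralName[] names = issuer.getNames();
        if (names == null || names.length != 1) {
            return false;
        }
        return names[0].getName().toString().equals(certificateIssuer);
    }

    /**
     * Checks the optional policy list of a signing-certificate attribute against the
     * certificate's CertificatePolicies extension.
     *
     * <p>An absent list passes. Otherwise at least one policy identifier from the attribute
     * must also appear in the certificate; a certificate without the extension fails.
     */
    private boolean verifyPolicyInformation(X509Certificate x509Certificate, PolicyInformation[] policyInformationArr) throws PDFSignatureException {
        if (policyInformationArr == null) {
            return true;
        }
        try {
            ASN1Sequence certificatePolicies = getPolicyListFromCertificate(x509Certificate);
            if (certificatePolicies == null) {
                return false;
            }
            for (int i = 0; i < certificatePolicies.size(); i++) {
                String certificatePolicyId = PolicyInformation.getInstance(certificatePolicies.getObjectAt(i)).getPolicyIdentifier().getId();
                for (PolicyInformation claimed : policyInformationArr) {
                    if (claimed.getPolicyIdentifier().getId().equals(certificatePolicyId)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (Exception e) {
            throw new PDFSignatureException("Error validating policy information in signingcertificateV2 attribute", e);
        }
    }

    /**
     * Decodes the CertificatePolicies extension of {@code x509Certificate}.
     *
     * @return the sequence of PolicyInformation entries, or {@code null} if the certificate has
     *     no such extension
     * @throws IOException if the extension bytes cannot be parsed
     */
    private static ASN1Sequence getPolicyListFromCertificate(X509Certificate x509Certificate) throws IOException, PDFInvalidParameterException {
        byte[] extensionValue = x509Certificate.getExtensionValue(X509Extensions.CertificatePolicies.getId());
        if (extensionValue == null) {
            return null;
        }
        // getExtensionValue returns the extension wrapped in a DER OCTET STRING, hence the two
        // decoding steps: unwrap the octets, then parse them as the policy sequence.
        byte[] policyOctets = ASN1OctetString.getInstance(new ASN1InputStream(extensionValue).readObject()).getOctets();
        return ASN1Sequence.getInstance(new ASN1InputStream(policyOctets).readObject());
    }

    /**
     * Encodes the id-data OID once for the content-type comparison.
     *
     * @return the DER bytes, or {@code null} if encoding failed
     */
    private static byte[] encodeDataContentType() {
        try {
            return PKCSObjectIdentifiers.data.getEncoded("DER");
        } catch (IOException ignored) {
            // Class loading is not aborted; verifyContentTypeAttribute rejects every signature
            // while the expected value is missing, so the failure cannot turn into an accept.
            return null;
        }
    }
}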
