package de.bos_bremen.vii.doctype.cades;

import de.bos_bremen.ci.asn1.OBJECTIDENTIFIER;
import de.bos_bremen.ci.asn1.ParseException;
import de.bos_bremen.ci.asn1.cms.CMSSignedData;
import de.bos_bremen.ci.asn1.cms.CertificateSet;
import de.bos_bremen.ci.asn1.cms.ContentType;
import de.bos_bremen.ci.asn1.cms.SignedAttribute;
import de.bos_bremen.ci.asn1.cms.SignedAttributes;
import de.bos_bremen.ci.asn1.cms.SignedData;
import de.bos_bremen.ci.asn1.cms.SignerIdentifier;
import de.bos_bremen.ci.asn1.cms.SignerInfo;
import de.bos_bremen.ci.asn1.cms.UnsignedAttributes;
import de.bos_bremen.ci.asn1.crl.OtherRevocationInfoFormat;
import de.bos_bremen.ci.asn1.crl.RevocationInfoChoices;
import de.bos_bremen.ci.asn1.ocsp.BasicOCSPResponse;
import de.bos_bremen.ci.asn1.ocsp.OCSPResponse;
import de.bos_bremen.ci.asn1.ocsp.RevocationValues;
import de.bos_bremen.ci.asn1.tsp.SignatureTimeStampToken;
import de.bos_bremen.ci.asn1.tsp.SigningCertificate;
import de.bos_bremen.ci.asn1.tsp.TimeStampResp;
import de.bos_bremen.ci.asn1.tsp.TimeStampToken;
import de.bos_bremen.ci.asn1.x509.Certificate;
import de.bos_bremen.ci.asn1.x509.FlatCertificate;
import de.bos_bremen.ci.asn1.x509.KeyPurposeId;
import de.bos_bremen.ci.asn1.x509.ext.ExtendedKeyUsageExtension;
import de.bos_bremen.vii.util.ades.AdESComplianceLevel;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/* loaded from: input_file:de/bos_bremen/vii/doctype/cades/CAdESComplianceLevelChecker.class */
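/**
 * Structural checks that decide which AdES compliance level (B, T, LT) a CMS/CAdES
 * {@link CMSSignedData} container reaches.
 *
 * <p>The clause numbers quoted in the exception messages ("6.3.1", "6.4", "6.5, table 5") are the
 * ones the original authors used; they presumably refer to the CAdES baseline profile this checker
 * was written against.
 *
 * <p><b>Security note:</b> everything in this class inspects the <em>presence and shape</em> of
 * attributes, certificates and OCSP responses. No signature, message digest, certificate path or
 * OCSP response is cryptographically verified here, and a "root" is any certificate whose subject
 * equals its issuer. A returned level therefore says nothing about whether the signature is valid
 * or trusted; callers must run signature and path validation separately.
 */
public class CAdESComplianceLevelChecker {
    private static final Logger LOGGER = Logger.getLogger(CAdESComplianceLevelChecker.class.getName());

    // Attribute OIDs from the id-smime-aa arc (1.2.840.113549.1.9.16.2.x) that a level-LT
    // signature must not carry; the data they hold is expected inside SignedData itself.
    public static final String OID_attribute_certificate_references = "1.2.840.113549.1.9.16.2.44";
    public static final String OID_attribute_revocation_references = "1.2.840.113549.1.9.16.2.45";
    public static final String OID_complete_certificate_references = "1.2.840.113549.1.9.16.2.21";
    public static final String OID_certificate_values = "1.2.840.113549.1.9.16.2.23";
    public static final String OID_complete_revocation_references = "1.2.840.113549.1.9.16.2.22";
    public static final String OID_revocation_values = "1.2.840.113549.1.9.16.2.24";
    public static final String OID_time_stamped_certs_crls_references = "1.2.840.113549.1.9.16.2.26";
    public static final String OID_CAdES_C_timestamp = "1.2.840.113549.1.9.16.2.25";

    /**
     * Attributes whose presence fails the LT check. Despite the "SignedAttribute" in the name, the
     * list is matched against the <em>unsigned</em> attributes of each SignerInfo.
     */
    public static final List<OBJECTIDENTIFIER> LT_notToBeIncorparatedSignedAttributeIdentifiers =
            Collections.unmodifiableList(Arrays.asList(
                    OBJECTIDENTIFIER.valueOf(OID_attribute_certificate_references),
                    OBJECTIDENTIFIER.valueOf(OID_attribute_revocation_references),
                    OBJECTIDENTIFIER.valueOf(OID_complete_certificate_references),
                    OBJECTIDENTIFIER.valueOf(OID_certificate_values),
                    OBJECTIDENTIFIER.valueOf(OID_complete_revocation_references),
                    OBJECTIDENTIFIER.valueOf(OID_revocation_values),
                    OBJECTIDENTIFIER.valueOf(OID_time_stamped_certs_crls_references),
                    OBJECTIDENTIFIER.valueOf(OID_CAdES_C_timestamp)));

    private CAdESComplianceLevelChecker() {
    }

    /**
     * Checks the level-B requirements: certificates present, and for every SignerInfo the signed
     * attributes content-type (id-data), message-digest, exactly one signing-certificate variant and
     * signing-time, plus a matching certificate in the certificate set.
     *
     * <p>The signing-certificate attribute is only checked for presence; its value is not compared
     * against the certificate found in the set, and the message digest is not recomputed.
     *
     * @param cMSSignedData the container to inspect
     * @return {@link AdESComplianceLevel#B} when all checks pass
     * @throws ComplianceLevelException naming the first requirement that is not met
     */
    public static AdESComplianceLevel isComplianceLevel_B(CMSSignedData cMSSignedData) throws ComplianceLevelException {
        if (cMSSignedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because CMSSignedData is not present.");
        }
        SignedData signedData = cMSSignedData.getSignedData();
        if (signedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because SignedData is not present.");
        }
        CertificateSet certificates = signedData.getCertificates();
        if (certificates == null) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no signing certificate present.");
        }
        List<SignerInfo> signerInfos = signedData.getSignerInfoList();
        // Without this guard a SignedData that carries no signer at all would pass vacuously.
        if (signerInfos == null || signerInfos.isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no SignerInfo is present.");
        }
        for (SignerInfo signerInfo : signerInfos) {
            SignedAttributes signedAttributes = signerInfo.getSignedAttributes();
            if (signedAttributes == null) {
                throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no signed attributes are present.");
            }
            if (!ContentType.id_pkcs7_data.equals(signedAttributes.getValue(SignedAttribute.contentType))) {
                throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because contentType shall be id-data (" + ContentType.id_pkcs7_data.getOID() + ").");
            }
            if (signedAttributes.getValue(SignedAttribute.messageDigest) == null) {
                throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no messageDigest signed attribute is present.");
            }
            // Called for its validation side effect only; the returned attribute is not used.
            getSigningCertificate(signedAttributes);
            if (certificates.getMatchingCertificates(signerInfo.getSid()).isEmpty()) {
                throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no signing certificate is present.");
            }
            if (signedAttributes.getValue(SignedAttribute.signingTime) == null) {
                throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no signing time is present.");
            }
        }
        LOGGER.fine("Meet ComplianceLevel.B");
        return AdESComplianceLevel.B;
    }

    /**
     * Checks the level-T requirement: every SignerInfo carries at least one signature time-stamp
     * among its unsigned attributes. The time-stamp token itself is not validated here.
     *
     * @param cMSSignedData the container to inspect
     * @return {@link AdESComplianceLevel#T} when all checks pass
     * @throws ComplianceLevelException naming the first requirement that is not met
     */
    public static AdESComplianceLevel isComplianceLevel_T(CMSSignedData cMSSignedData) throws ComplianceLevelException {
        if (cMSSignedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_T 6.3.1 is not met, because CMSSignedData is not present.");
        }
        SignedData signedData = cMSSignedData.getSignedData();
        if (signedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_T 6.3.1 is not met, because SignedData is not present.");
        }
        List<SignerInfo> signerInfos = signedData.getSignerInfoList();
        // Same vacuous-pass guard as in the level-B check.
        if (signerInfos == null || signerInfos.isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_T 6.4 is not met, because no SignerInfo is present.");
        }
        for (SignerInfo signerInfo : signerInfos) {
            UnsignedAttributes unsignedAttributes = signerInfo.getUnsignedAttributes();
            if (unsignedAttributes == null) {
                throw new ComplianceLevelException("ComplianceLevel_T 6.4 is not met, because no unsigned attributes are present.");
            }
            if (unsignedAttributes.getValues(ContentType.id_aa_timeStampToken).isEmpty()) {
                throw new ComplianceLevelException("ComplianceLevel_T 6.4 is not met, because no signing timestamp is present.");
            }
        }
        LOGGER.fine("Meet ComplianceLevel.T");
        return AdESComplianceLevel.T;
    }

    /**
     * Checks the level-LT requirements: complete certificate chains up to a self-issued certificate,
     * OCSP values inside SignedData for every non-root certificate of the signature chain, no
     * forbidden unsigned attributes and no duplicate certificates.
     *
     * <p>Only OCSP responses are collected; CRL entries in SignedData are not looked at by this
     * check.
     *
     * @param cMSSignedData the container to inspect
     * @return {@link AdESComplianceLevel#LT} when all checks pass
     * @throws ComplianceLevelException naming the first requirement that is not met
     */
    public static AdESComplianceLevel isComplianceLevel_LT(CMSSignedData cMSSignedData) throws ComplianceLevelException {
        if (cMSSignedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, failure: no CMSSignedData.");
        }
        try {
            RevocationValues collectedRevocationValues = new RevocationValues();
            // Certificates that must each be covered by an OCSP value.
            List<FlatCertificate> signatureCertificates = new ArrayList<FlatCertificate>();
            // Time-stamp authority chains and OCSP responder certificates; collected but not
            // required to have OCSP values (ltCheckComplete never reads this list).
            List<FlatCertificate> exemptCertificates = new ArrayList<FlatCertificate>();
            SignedData signedData = cMSSignedData.getSignedData();
            isComplianceLevel_LT("CAdES", signedData, signatureCertificates, exemptCertificates, collectedRevocationValues, true, true);
            // NOTE(review): this exempts ANY chain certificate that carries the OCSPSigning
            // extended key usage, including a signer certificate that happens to carry it.
            // Confirm this is acceptable for the deployment.
            ltRemoveCertififcatesForSpecialPurpose(signatureCertificates, exemptCertificates, KeyPurposeId.id_kp_OCSPSigning);
            ltCheckComplete(signatureCertificates, exemptCertificates, collectedRevocationValues, signedData.getCertificates());
            LOGGER.fine("Meet ComplianceLevel.LT");
            return AdESComplianceLevel.LT;
        } catch (ParseException e) {
            // The exception thrown below carries no cause, so keep the parse error in the log.
            LOGGER.log(java.util.logging.Level.FINE, "ComplianceLevel_LT check aborted by ASN.1 parse error", e);
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause f) is not met, internal error on creation of RevocationValues to check for every certificate a OCSP value is set.");
        }
    }

    /**
     * Moves every certificate whose extended-key-usage extension (OID 2.5.29.37) lists
     * {@code keyPurposeId} from {@code list} to {@code list2}.
     *
     * @param list certificates to filter; modified in place, {@code null} is a no-op
     * @param list2 receives the removed certificates; may be {@code null}
     * @param keyPurposeId key purpose that marks a certificate for removal
     */
    private static void ltRemoveCertififcatesForSpecialPurpose(List<FlatCertificate> list, List<FlatCertificate> list2, KeyPurposeId keyPurposeId) {
        if (list == null) {
            return;
        }
        List<FlatCertificate> matching = new ArrayList<FlatCertificate>();
        for (FlatCertificate candidate : list) {
            if (!(candidate instanceof Certificate)) {
                continue;
            }
            // NOTE(review): assumes getExtensions() never returns null - confirm.
            Object extension = ((Certificate) candidate).getExtensions().get("2.5.29.37");
            if (extension instanceof ExtendedKeyUsageExtension
                    && ((ExtendedKeyUsageExtension) extension).getKeyPurposeIDs().contains(keyPurposeId)) {
                matching.add(candidate);
            }
        }
        if (list2 != null) {
            list2.addAll(matching);
        }
        list.removeAll(matching);
    }

    /**
     * LT checks for one SignedData: the outer signature, or (recursively) the SignedData of a
     * signature time-stamp token.
     *
     * @param context label used in error messages ("CAdES", "CAdES-tsa", ...)
     * @param signedData structure to inspect
     * @param chainCertificates receives signer and OCSP responder chain certificates of this SignedData
     * @param timeStampCertificates receives the chains found in time-stamp tokens; may be {@code null}
     *     when {@code checkUnsignedAttributes} is {@code false}
     * @param revocationValues collector for every OCSP response found
     * @param checkUnsignedAttributes whether to reject forbidden attributes and descend into the
     *     signature time-stamp
     * @param revocationInfoMandatory whether a missing revocation info field is an error
     * @throws ComplianceLevelException naming the first requirement that is not met
     */
    private static void isComplianceLevel_LT(String context, SignedData signedData, List<FlatCertificate> chainCertificates, List<FlatCertificate> timeStampCertificates, RevocationValues revocationValues, boolean checkUnsignedAttributes, boolean revocationInfoMandatory) throws ComplianceLevelException {
        if (signedData == null) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, failure: no SignedData (" + context + ").");
        }
        List<SignerInfo> signerInfoList = signedData.getSignerInfoList();
        if (signerInfoList == null || signerInfoList.isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, failure: no SignedInfo (" + context + ").");
        }
        CertificateSet certificates = signedData.getCertificates();
        if (certificates == null) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, missing mandatory certificates.");
        }
        if (certificates.getMatchingCertificates(SignerIdentifier.ALL).isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause a) is not met, missing mandatory certificates (empty list).");
        }
        ltCheckRevocationInfoChoices(context, signedData, certificates, chainCertificates, revocationValues, revocationInfoMandatory);
        for (SignerInfo signerInfo : signerInfoList) {
            ltCheckChain(context + "signer", certificates, chainCertificates, signerInfo);
            if (!checkUnsignedAttributes) {
                continue;
            }
            // This method is reachable without a prior level-T check, so the unsigned attributes
            // and the time-stamp entry may be absent; report that as a compliance failure.
            UnsignedAttributes unsignedAttributes = signerInfo.getUnsignedAttributes();
            if (unsignedAttributes == null) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, because no unsigned attributes are present (" + context + ").");
            }
            Map attributes = unsignedAttributes.getAttributes();
            for (OBJECTIDENTIFIER forbidden : LT_notToBeIncorparatedSignedAttributeIdentifiers) {
                if (attributes.get(forbidden) != null) {
                    throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5 is not met, because at least one forbidden attribute exists, that shall be not incorporated: " + forbidden.getOID() + ".");
                }
            }
            Object timeStampEntries = attributes.get(ContentType.id_aa_timeStampToken);
            if (!(timeStampEntries instanceof List) || ((List) timeStampEntries).isEmpty()) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5 is not met, because no signing timestamp is present (" + context + ").");
            }
            // NOTE(review): only the first signature time-stamp attribute is inspected; further
            // time-stamp attributes on the same signer are not checked.
            SignedAttribute firstTimeStamp = (SignedAttribute) ((List) timeStampEntries).get(0);
            for (Object value : firstTimeStamp.getValues()) {
                TimeStampToken timeStampToken = null;
                if (value instanceof TimeStampResp) {
                    timeStampToken = ((TimeStampResp) value).getTimeStampToken();
                }
                if (value instanceof TimeStampToken) {
                    timeStampToken = (TimeStampToken) value;
                }
                if (timeStampToken instanceof SignatureTimeStampToken) {
                    // The token's own SignedData is checked without unsigned-attribute rules and
                    // with optional revocation info; its chain goes to the time-stamp list.
                    isComplianceLevel_LT(context + "-tsa", ((SignatureTimeStampToken) timeStampToken).getSignedData(), timeStampCertificates, null, revocationValues, false, false);
                }
            }
        }
    }

    /**
     * Collects every OCSP response stored as "other revocation info" in {@code signedData} and
     * checks the responder chain of each.
     *
     * @param context label used in error messages
     * @param signedData structure whose revocation info is read
     * @param certificateSet certificates available for chain building
     * @param chainCertificates receives the responder certificates and their issuers
     * @param revocationValues collector for the OCSP responses
     * @param mandatory whether a missing revocation info field is an error
     * @throws ComplianceLevelException if the field is mandatory but absent, or a responder chain is
     *     incomplete
     */
    private static void ltCheckRevocationInfoChoices(String context, SignedData signedData, CertificateSet certificateSet, List<FlatCertificate> chainCertificates, RevocationValues revocationValues, boolean mandatory) throws ComplianceLevelException {
        RevocationInfoChoices cRLs = signedData.getCRLs();
        if (cRLs == null) {
            if (mandatory) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5 is not met, missing mandatory RevocationInformationChoices (" + context + ")");
            }
            return;
        }
        // Full OCSP responses: unwrap to the basic response first.
        for (Object entry : cRLs.getOtherRevocationInfoFormats(OCSPResponse.OID_OCSP_RESPONSE)) {
            ltCheckOCSPSignerChain(context, certificateSet, chainCertificates, revocationValues, ((OtherRevocationInfoFormat) entry).getOtherRevInfo().getBasicOCSPResponse());
        }
        // Entries that already hold a basic OCSP response.
        for (Object entry : cRLs.getOtherRevocationInfoFormats(BasicOCSPResponse.OID_BASIC_OCSP_RESPONSE)) {
            ltCheckOCSPSignerChain(context, certificateSet, chainCertificates, revocationValues, ((OtherRevocationInfoFormat) entry).getOtherRevInfo());
        }
    }

    /**
     * Verifies that at least one OCSP value was collected, that every non-root certificate in
     * {@code list} has an OCSP value, and that the certificate set holds no duplicates.
     *
     * <p>"Has an OCSP value" is whatever {@code RevocationValues.getOcspVals(certificate)} returns;
     * the response status, freshness and signature are not evaluated in this method.
     *
     * @param list certificates that each need an OCSP value
     * @param list2 not read by this method
     * @param revocationValues collected OCSP responses
     * @param certificateSet certificate set checked for duplicates
     * @throws ComplianceLevelException naming the first requirement that is not met
     */
    private static void ltCheckComplete(List<FlatCertificate> list, List<FlatCertificate> list2, RevocationValues revocationValues, CertificateSet certificateSet) throws ComplianceLevelException {
        if (revocationValues == null || revocationValues.getOcspVals() == null || revocationValues.getOcspVals().isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause f) is not met, SignedData.crls.other does not contain any OCSP values.");
        }
        for (FlatCertificate certificate : list) {
            if (isRootCertificate(certificate)) {
                continue;
            }
            List ocspVals = revocationValues.getOcspVals(certificate);
            if (ocspVals == null || ocspVals.isEmpty()) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause f) is not met, at least for one certificate no OCSP value is available - subject: " + certificate.getSubject().getDisplayName() + " , issuer: " + certificate.getIssuer().getDisplayName() + ", SN:" + certificate.getSerialNumber().getValue() + ".");
            }
        }
        // A certificate is identified by subject, issuer and serial number.
        List<String> seenKeys = new ArrayList<String>();
        for (FlatCertificate certificate : certificateSet.getCertificateChoices()) {
            String key = certificate.getSubject().getAsString() + certificate.getIssuer().getAsString() + certificate.getSerialNumber().getValue();
            if (seenKeys.contains(key)) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause b) is not met, double certificates are to be avoided: - subject: " + certificate.getSubject().getDisplayName() + " , issuer: " + certificate.getIssuer().getDisplayName() + ", SN:" + certificate.getSerialNumber().getValue() + ".");
            }
            seenKeys.add(key);
        }
    }

    /**
     * Records one OCSP response and checks that its responder certificate chains up to a
     * self-issued certificate.
     *
     * <p>The response is recorded before the responder chain is checked, and no signature
     * verification of the response is visible in this method.
     *
     * @param context label used in error messages
     * @param certificateSet certificates available for chain building
     * @param chainCertificates receives the responder certificate and its issuers
     * @param revocationValues collector the response is added to
     * @param basicOCSPResponse response to record
     * @throws ComplianceLevelException if the response or responder certificate is missing, or the
     *     chain is incomplete
     */
    private static void ltCheckOCSPSignerChain(String context, CertificateSet certificateSet, List<FlatCertificate> chainCertificates, RevocationValues revocationValues, BasicOCSPResponse basicOCSPResponse) throws ComplianceLevelException {
        if (basicOCSPResponse == null) {
            // An OCSP response entry may carry no basic response; do not record a null value.
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause f) is not met, OCSP response without basic response (" + context + ").");
        }
        ltAdd(revocationValues.getOcspVals(), basicOCSPResponse);
        try {
            Certificate signerCertificate = basicOCSPResponse.getSignerCertificate((String) null);
            if (signerCertificate == null) {
                throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause a) is not met, failure to get OCSP signer certificate from basic response (" + context + ").");
            }
            ltAdd(chainCertificates, signerCertificate);
            ltCheckChain(context + "-ocsp", certificateSet, chainCertificates, (FlatCertificate) signerCertificate);
            List certificateChain = basicOCSPResponse.getCertificateChain(signerCertificate);
            // An empty chain is reported as an incomplete chain instead of an index error.
            FlatCertificate chainEnd = (certificateChain == null || certificateChain.isEmpty())
                    ? null
                    : (FlatCertificate) certificateChain.get(certificateChain.size() - 1);
            ltCheckRoot(context + "-ocsp", chainEnd);
        } catch (GeneralSecurityException e) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause a) is not met, failure to get OCSP signer certificate from basic response (" + context + ").");
        }
    }

    /**
     * Resolves the single certificate matching the signer identifier and checks its chain.
     *
     * @param context label used in error messages
     * @param certificateSet certificates available for chain building
     * @param chainCertificates receives the chain certificates
     * @param signerInfo signer whose certificate is looked up
     * @throws ComplianceLevelException if no or more than one certificate matches, or the chain is
     *     incomplete
     */
    private static void ltCheckChain(String context, CertificateSet certificateSet, List<FlatCertificate> chainCertificates, SignerInfo signerInfo) throws ComplianceLevelException {
        List matchingCertificates = certificateSet.getMatchingCertificates(signerInfo.getSignerIdentifier());
        if (matchingCertificates == null || matchingCertificates.isEmpty()) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause a) is not met, missing mandatory signer certificate (" + context + ").");
        }
        if (matchingCertificates.size() != 1) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause b) is not met, double certificates are to be avoided.");
        }
        ltCheckChain(context, certificateSet, chainCertificates, (FlatCertificate) matchingCertificates.get(0));
    }

    /**
     * Walks from {@code flatCertificate} along the issuers found in {@code certificateSet}, records
     * every certificate on the way and requires the last one to be self-issued.
     *
     * <p>Issuer lookup is whatever {@code CertificateSet.getIssuer} implements; no signature on the
     * chain is verified here.
     *
     * @param context label used in error messages
     * @param certificateSet certificates available for chain building
     * @param chainCertificates receives the chain certificates; may be {@code null}
     * @param flatCertificate certificate the walk starts from
     * @throws ComplianceLevelException if the chain does not end in a self-issued certificate
     */
    private static void ltCheckChain(String context, CertificateSet certificateSet, List<FlatCertificate> chainCertificates, FlatCertificate flatCertificate) throws ComplianceLevelException {
        FlatCertificate chainEnd = flatCertificate;
        ltAdd(chainCertificates, chainEnd);
        // The certificate set comes from the document under inspection. Remember what this walk
        // has visited so that a self-referencing or cyclic issuer relation ends the loop.
        List<FlatCertificate> visited = new ArrayList<FlatCertificate>();
        visited.add(chainEnd);
        FlatCertificate issuer = certificateSet.getIssuer(chainEnd);
        while (issuer != null && !visited.contains(issuer)) {
            ltAdd(chainCertificates, issuer);
            visited.add(issuer);
            chainEnd = issuer;
            issuer = certificateSet.getIssuer(chainEnd);
        }
        ltCheckRoot(context, chainEnd);
    }

    /**
     * Appends {@code e} to {@code list} unless the list is {@code null} or already contains it.
     */
    private static <E> void ltAdd(List<E> list, E e) {
        if (list == null || list.contains(e)) {
            return;
        }
        list.add(e);
    }

    /**
     * Requires {@code flatCertificate} to be self-issued.
     *
     * @throws ComplianceLevelException if it is {@code null} or not self-issued
     */
    private static void ltCheckRoot(String context, FlatCertificate flatCertificate) throws ComplianceLevelException {
        if (!isRootCertificate(flatCertificate)) {
            throw new ComplianceLevelException("ComplianceLevel_LT 6.5, table 5, clause a) is not met, missing mandatory root certificate (" + context + "), certificate chain incomplete.");
        }
    }

    /**
     * Returns whether the certificate's subject equals its issuer. This is a name comparison only:
     * it does not verify the self-signature and does not consult any trust store.
     */
    private static boolean isRootCertificate(FlatCertificate flatCertificate) {
        return flatCertificate != null && flatCertificate.getSubject().equals(flatCertificate.getIssuer());
    }

    /**
     * Level LTV is not implemented.
     *
     * @throws ComplianceLevelException always
     */
    public static AdESComplianceLevel isComplianceLevel_LTV(CMSSignedData cMSSignedData) throws ComplianceLevelException {
        throw new ComplianceLevelException("ComplianceLevel_LTV check not implemented");
    }

    /**
     * Returns the highest level whose checks pass, trying B, T, LT and LTV in that order and
     * stopping at the first failure; the reason for stopping is logged as a warning.
     *
     * <p>The result of each passed check is retained. Discarding those results would leave the
     * answer at {@link AdESComplianceLevel#NONE} for every input, because the LTV check always
     * throws.
     *
     * <p>The level describes the structure of the container only; it is not a validation result.
     *
     * @param cMSSignedData the container to inspect; {@code null} yields {@code NONE}
     * @return the highest level reached, or {@link AdESComplianceLevel#NONE}
     */
    public static AdESComplianceLevel getComplianceLevel(CMSSignedData cMSSignedData) {
        AdESComplianceLevel reached = AdESComplianceLevel.NONE;
        try {
            reached = isComplianceLevel_B(cMSSignedData);
            reached = isComplianceLevel_T(cMSSignedData);
            reached = isComplianceLevel_LT(cMSSignedData);
            reached = isComplianceLevel_LTV(cMSSignedData);
        } catch (ComplianceLevelException e) {
            LOGGER.warning(e.getMessage());
        } catch (RuntimeException e) {
            // Malformed input can surface as unchecked exceptions from the ASN.1 accessors; keep
            // the level reached so far and log the exception itself, since getMessage() is often
            // null for these.
            LOGGER.log(java.util.logging.Level.WARNING, "Compliance level check aborted", e);
        }
        return reached;
    }

    /**
     * Returns the signing-certificate signed attribute, accepting either the original or the V2
     * variant but not both at once.
     *
     * @param signedAttributes signed attributes of one SignerInfo
     * @return whichever of the two variants is present
     * @throws ComplianceLevelException if both or neither variant is present
     */
    private static SigningCertificate getSigningCertificate(SignedAttributes signedAttributes) throws ComplianceLevelException {
        SigningCertificate original = signedAttributes.getValue(SignedAttribute.signingCertificate);
        SigningCertificate version2 = signedAttributes.getValue(SignedAttribute.SIGNING_CERTIFICATE_V2);
        if (original != null && version2 != null) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because both signing certificate versions are used at the same time.");
        }
        if (original == null && version2 == null) {
            throw new ComplianceLevelException("ComplianceLevel_B 6.3.1 is not met, because no signing certificate hash is present.");
        }
        return original == null ? version2 : original;
    }
}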
