package ch.swisscom.mid.client.impl;

import ch.swisscom.mid.client.SignatureValidator;
import ch.swisscom.mid.client.config.ConfigurationException;
import ch.swisscom.mid.client.config.SignatureValidationConfiguration;
import ch.swisscom.mid.client.model.SignatureValidationFailureReason;
import ch.swisscom.mid.client.model.SignatureValidationResult;
import ch.swisscom.mid.client.model.Traceable;
import ch.swisscom.mid.client.utils.Utils;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Selector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ch/swisscom/mid/client/impl/SignatureValidatorImpl.class */
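/**
 * Validates a Mobile ID CMS (PKCS#7 SignedData) signature.
 *
 * <p>For one signature the validator (1) parses the CMS and locates the signer's certificate among
 * the certificates embedded in it, (2) checks that certificate's validity window, (3) builds and
 * validates a PKIX path from that certificate to a trust anchor of the configured truststore,
 * (4) verifies the CMS signature with the signer's public key and (5) compares the encapsulated
 * content with the DTBS the caller requested. Every check records its outcome in the returned
 * {@link SignatureValidationResult}; nothing is reported as valid unless its check actually ran and passed.
 *
 * <p>Revocation status (OCSP / CRL) is NOT checked by this class; see {@link #validateCertificatePath}.
 * Callers that need revocation checking must perform it separately.
 */
public class SignatureValidatorImpl implements SignatureValidator {
    private static final Logger log = LoggerFactory.getLogger(Loggers.SIGNATURE_VALIDATOR);
    /** Captures the 16 characters that follow {@code SERIALNUMBER=} in the upper-cased subject DN string. */
    private static final Pattern SERIAL_NUMBER_PATTERN = Pattern.compile(".*SERIALNUMBER=(.{16}).*");

    /** Truststore whose trusted-certificate entries are the only acceptable path trust anchors. */
    private final KeyStore validationTrustStore;

    /**
     * Creates a validator whose trust anchors are loaded from the given configuration (truststore
     * file, classpath resource or raw bytes, in that order of precedence).
     *
     * @param signatureValidationConfiguration truststore type, location and optional password
     * @throws ConfigurationException if the truststore cannot be located or loaded, or holds no
     *                                trusted certificate entry (such a store could never validate any path)
     */
    public SignatureValidatorImpl(SignatureValidationConfiguration signatureValidationConfiguration) {
        // Registers BC process-wide; the JDK ignores the call when the provider is already installed.
        Security.addProvider(new BouncyCastleProvider());
        this.validationTrustStore = loadValidationTruststore(signatureValidationConfiguration);
    }

    /**
     * Creates a validator that uses the trusted-certificate entries of the given keystore as trust anchors.
     *
     * @param keyStore an already loaded keystore; key entries in it are ignored for path validation
     */
    public SignatureValidatorImpl(KeyStore keyStore) {
        Security.addProvider(new BouncyCastleProvider());
        this.validationTrustStore = keyStore;
    }

    /**
     * Validates a Base64-encoded CMS signature against the DTBS the caller asked the user to sign.
     *
     * <p>The checks run in order and stop at the first hard failure: signer certificate extraction,
     * signer certificate validity window, certificate path to a trust anchor, cryptographic signature
     * verification, DTBS comparison. The last two both record their outcome even if the other fails;
     * the failure reason then reflects the last check that failed.
     *
     * @param base64SignatureContent the Base64-encoded CMS SignedData with encapsulated content
     * @param requestedDtbs          the data-to-be-signed text that was sent to the user
     * @param traceable              trace information appended to log messages and assertion errors
     * @return a result whose flags are all {@code false} unless the corresponding check passed; never {@code null}
     */
    @Override // ch.swisscom.mid.client.SignatureValidator
    public SignatureValidationResult validateSignature(String base64SignatureContent, String requestedDtbs, Traceable traceable) {
        Utils.assertNotEmpty(base64SignatureContent, "The base64SignatureContent parameter cannot be NULL" + Utils.printTrace(traceable));
        Utils.assertNotEmpty(requestedDtbs, "The requestedDtbs parameter cannot be NULL" + Utils.printTrace(traceable));
        SignatureValidationResult result = newFailedResult();

        // Step 1: parse the CMS, pick the signer and locate its certificate among the embedded ones.
        CMSSignedData signedData;
        SignerInformation signerInfo;
        X509Certificate signerCertificate;
        List<X509Certificate> cmsCertificates = new ArrayList<>();
        try {
            signedData = new CMSSignedData(Base64.getDecoder().decode(base64SignatureContent));
            signerInfo = selectSigner(signedData, traceable);
            if (signerInfo == null) {
                result.setValidationFailureReason(SignatureValidationFailureReason.FAILED_TO_EXTRACT_SIGNING_CERTIFICATE);
                return result;
            }
            signerCertificate = findSignerCertificate(signedData, signerInfo, cmsCertificates);
            if (signerCertificate == null) {
                log.warn("Failed to extract the signing certificate from the Base64 CMS content{}", Utils.printTrace(traceable));
                result.setValidationFailureReason(SignatureValidationFailureReason.FAILED_TO_EXTRACT_SIGNING_CERTIFICATE);
                return result;
            }
            result.setMobileIdSerialNumber(getMIDSerialNumber(signerCertificate));
            result.setSignedDtbs(getSignedDtbs(signedData));
        } catch (Exception e) {
            log.warn("Failed to extract the signing certificate from the Base64 CMS content{}", Utils.printTrace(traceable), e);
            result.setValidationException(e);
            result.setValidationFailureReason(SignatureValidationFailureReason.FAILED_TO_EXTRACT_SIGNING_CERTIFICATE);
            return result;
        }

        // Step 2: validity window of the signer certificate, evaluated against the current time
        // (not against the signing time; the path validation below uses the current time as well).
        try {
            signerCertificate.checkValidity();
            result.setSignerCertificateValid(true);
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            log.warn("Failed to validate the certificate during the signature CMS content validation{}", Utils.printTrace(traceable), e);
            result.setValidationException(e);
            result.setValidationFailureReason(SignatureValidationFailureReason.SIGNING_CERTIFICATE_NOT_VALID);
            return result;
        }

        // Step 3: certificate path from the signer certificate to one of the configured trust anchors.
        try {
            validateCertificatePath(signerCertificate, cmsCertificates);
            result.setSignerCertificatePathValid(true);
        } catch (Exception e) {
            log.warn("Failed to validate the certificate path during the signature CMS content validation{}", Utils.printTrace(traceable), e);
            result.setValidationException(e);
            result.setValidationFailureReason(SignatureValidationFailureReason.SIGNING_CERTIFICATE_PATH_NOT_VALID);
            return result;
        }

        // Step 4: cryptographic verification of the SignerInfo with the signer certificate's public key.
        try {
            boolean signatureValid = signerInfo.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCertificate));
            result.setSignatureValid(signatureValid);
            if (!signatureValid) {
                result.setValidationFailureReason(SignatureValidationFailureReason.SIGNATURE_VALIDATION_FAILED);
            }
        } catch (OperatorCreationException | CMSException e) {
            log.warn("Failed to validate the signature against the signer info during the signature CMS content validation{}", Utils.printTrace(traceable), e);
            result.setValidationException(e);
            result.setValidationFailureReason(SignatureValidationFailureReason.SIGNATURE_VALIDATION_FAILED);
            return result;
        }

        // Step 5: the signed content must be exactly the DTBS text the caller requested.
        if (requestedDtbs.equals(result.getSignedDtbs())) {
            result.setDtbsMatching(true);
        } else {
            // NOTE(review): both DTBS texts are logged in clear at INFO; a DTBS may carry transaction
            // details shown to the user — check this against the deployment's log-handling policy.
            log.info("Failed to match the DTBS texts, requested=[{}] vs signed=[{}]{}", new Object[]{requestedDtbs, result.getSignedDtbs(), Utils.printTrace(traceable)});
            result.setValidationFailureReason(SignatureValidationFailureReason.DATA_TO_BE_SIGNED_NOT_MATCHING);
        }
        return result;
    }

    /** Returns a result with every validity flag explicitly set to {@code false} (fail-closed default). */
    private static SignatureValidationResult newFailedResult() {
        SignatureValidationResult result = new SignatureValidationResult();
        result.setSignatureValid(false);
        result.setSignerCertificateValid(false);
        result.setSignerCertificatePathValid(false);
        result.setDtbsMatching(false);
        return result;
    }

    /**
     * Picks the SignerInfo to validate.
     *
     * <p>A Mobile ID signature is expected to carry exactly one signer. Only the first SignerInfo is
     * validated; additional ones are reported in the log but otherwise ignored, exactly as before.
     *
     * @return the first SignerInfo, or {@code null} if the CMS carries none
     */
    private static SignerInformation selectSigner(CMSSignedData signedData, Traceable traceable) {
        Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            log.warn("The CMS content carries no SignerInfo{}", Utils.printTrace(traceable));
            return null;
        }
        if (signers.size() > 1) {
            log.warn("The CMS content carries {} SignerInfos, only the first one is validated{}", signers.size(), Utils.printTrace(traceable));
        }
        return signers.iterator().next();
    }

    /**
     * Converts every certificate embedded in the CMS into the JCA form, collecting them into
     * {@code cmsCertificates}, and returns the first one that matches the signer identifier
     * (issuer/serial or subject key identifier) of {@code signerInfo}.
     *
     * @return the signer certificate, or {@code null} if no embedded certificate matches the SignerInfo
     */
    private static X509Certificate findSignerCertificate(CMSSignedData signedData, SignerInformation signerInfo,
                                                         List<X509Certificate> cmsCertificates) throws CertificateException {
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        X509Certificate signerCertificate = null;
        for (X509CertificateHolder holder : signedData.getCertificates().getMatches((Selector<X509CertificateHolder>) null)) {
            X509Certificate certificate = converter.getCertificate(holder);
            cmsCertificates.add(certificate);
            if (signerCertificate == null && signerInfo.getSID().match(holder)) {
                signerCertificate = certificate;
            }
        }
        return signerCertificate;
    }

    /**
     * Builds and validates a PKIX certificate path that starts at {@code signerCertificate} and ends at a
     * trusted-certificate entry of the validation truststore.
     *
     * <p>The certificates embedded in the CMS are offered to the builder through a collection CertStore
     * instead of being validated verbatim as a path: a CMS is free to embed its certificates in any
     * order, and validating the raw list would only tie the validated path to the signer certificate
     * by accident of ordering. Building from the signer certificate guarantees the path that is
     * validated is the one the signature is verified against.
     *
     * <p>Revocation checking is disabled on the builder parameters, so neither OCSP nor CRLs are
     * consulted. Disabling it here is sufficient; earlier versions additionally wrote the JVM-global
     * {@code ocsp.enable} security property and the {@code com.sun.security.enableCRLDP} system
     * property to {@code false} on every call, which had no effect on this validator but silently
     * switched revocation checking off for every other PKIX user in the process. Those writes were removed.
     *
     * @throws GeneralSecurityException if no path to a trust anchor can be built, or the parameters are invalid
     */
    private void validateCertificatePath(X509Certificate signerCertificate, List<X509Certificate> cmsCertificates)
            throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signerCertificate);
        PKIXBuilderParameters parameters = new PKIXBuilderParameters(this.validationTrustStore, target);
        parameters.setRevocationEnabled(false);
        parameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(cmsCertificates)));
        // build() throws CertPathBuilderException when no valid path to a trust anchor exists.
        CertPathBuilder.getInstance(CertPathBuilder.getDefaultType()).build(parameters);
    }

    /**
     * Extracts the Mobile ID serial number from the {@code SERIALNUMBER} attribute of the signer's subject DN.
     *
     * <p>The DN string is upper-cased with {@link Locale#ROOT} so that the returned value does not depend on
     * the JVM's default locale (a Turkish default locale would turn {@code i} into a dotted capital I).
     * The pattern captures exactly 16 characters after {@code SERIALNUMBER=}; for a shorter attribute value
     * the capture would spill into the following RDN — TODO confirm the fixed length against the Mobile ID
     * certificate profile.
     *
     * @return the 16-character serial number, or {@code null} if the DN carries no SERIALNUMBER attribute
     */
    private String getMIDSerialNumber(X509Certificate x509Certificate) {
        String subject = x509Certificate.getSubjectX500Principal().toString().toUpperCase(Locale.ROOT);
        Matcher matcher = SERIAL_NUMBER_PATTERN.matcher(subject);
        return matcher.find() ? matcher.group(1) : null;
    }

    /**
     * Returns the encapsulated signed content decoded as UTF-8, or {@code null} when the CMS carries no
     * content (detached signature). A {@code null} here can never match the requested DTBS, so a detached
     * signature fails the DTBS check instead of being reported as a certificate-extraction failure.
     */
    private String getSignedDtbs(CMSSignedData signedData) {
        if (signedData.getSignedContent() == null) {
            return null;
        }
        Object content = signedData.getSignedContent().getContent();
        return new String((byte[]) content, StandardCharsets.UTF_8);
    }

    /**
     * Loads the validation truststore from the configured source and fails fast when it is unusable.
     *
     * <p>A missing classpath resource used to be passed to {@code KeyStore.load(null, ...)}, which silently
     * yields an EMPTY keystore; every later validation then failed with SIGNING_CERTIFICATE_PATH_NOT_VALID
     * instead of the configuration error being reported at start-up. The source is now opened explicitly
     * and the loaded store must contain at least one trusted certificate entry.
     *
     * @throws ConfigurationException wrapping the underlying failure
     */
    private KeyStore loadValidationTruststore(SignatureValidationConfiguration signatureValidationConfiguration) {
        try {
            KeyStore keyStore = KeyStore.getInstance(signatureValidationConfiguration.getTrustStoreType());
            String configuredPassword = signatureValidationConfiguration.getTrustStorePassword();
            char[] password = configuredPassword == null ? null : configuredPassword.toCharArray();
            try (InputStream source = openTruststoreSource(signatureValidationConfiguration)) {
                keyStore.load(source, password);
            }
            if (countTrustedCertificateEntries(keyStore) == 0) {
                // PKIX parameters need at least one trust anchor; report it here rather than on every validation.
                throw new KeyStoreException("The truststore contains no trusted certificate entry (no usable trust anchor)");
            }
            return keyStore;
        } catch (Exception e) {
            throw new ConfigurationException("Failed to initialize the digital signature validation truststore (Mobile ID CMS signature validator)", e);
        }
    }

    /**
     * Opens the configured truststore source: file first, then classpath resource, then raw bytes.
     *
     * @throws FileNotFoundException if the configured file or classpath resource does not exist
     * @throws IllegalStateException if none of the three sources is configured
     */
    private InputStream openTruststoreSource(SignatureValidationConfiguration configuration) throws IOException {
        if (configuration.getTrustStoreFile() != null) {
            return new FileInputStream(configuration.getTrustStoreFile());
        }
        if (configuration.getTrustStoreClasspathFile() != null) {
            InputStream resource = getClass().getResourceAsStream(configuration.getTrustStoreClasspathFile());
            if (resource == null) {
                throw new FileNotFoundException("Truststore classpath resource not found: " + configuration.getTrustStoreClasspathFile());
            }
            return resource;
        }
        byte[] trustStoreBytes = configuration.getTrustStoreBytes();
        if (trustStoreBytes == null) {
            throw new IllegalStateException("No truststore file, classpath resource or bytes configured");
        }
        return new ByteArrayInputStream(trustStoreBytes);
    }

    /** Counts the entries PKIX would use as trust anchors (trusted-certificate entries only, key entries are ignored). */
    private static int countTrustedCertificateEntries(KeyStore keyStore) throws KeyStoreException {
        int count = 0;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isCertificateEntry(alias)) {
                count++;
            }
        }
        return count;
    }
}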
