package ee.sk.digidoc.factory;

import ee.sk.digidoc.Base64Util;
import ee.sk.digidoc.CertID;
import ee.sk.digidoc.CertValue;
import ee.sk.digidoc.DataFile;
import ee.sk.digidoc.DataObjectFormat;
import ee.sk.digidoc.DigiDocException;
import ee.sk.digidoc.Identifier;
import ee.sk.digidoc.ManifestFileEntry;
import ee.sk.digidoc.Notary;
import ee.sk.digidoc.OcspRef;
import ee.sk.digidoc.Rdn;
import ee.sk.digidoc.Reference;
import ee.sk.digidoc.SigPolicyQualifier;
import ee.sk.digidoc.Signature;
import ee.sk.digidoc.SignedDoc;
import ee.sk.digidoc.SignedProperties;
import ee.sk.digidoc.SpUri;
import ee.sk.utils.ConfigManager;
import ee.sk.utils.ConvertUtils;
import ee.sk.xmlenc.EncryptedData;
import java.io.File;
import java.math.BigInteger;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.crypto.Cipher;
import org.apache.log4j.Logger;

/* loaded from: input_file:ee/sk/digidoc/factory/DigiDocVerifyFactory.class */
public class DigiDocVerifyFactory {
    // Class-wide log4j logger used by every verification step below.
    private static Logger m_logger = Logger.getLogger(DigiDocVerifyFactory.class);
    // Set by initProvider() once the configured security provider has been registered.
    // Plain static flag: it is neither volatile nor written under a lock.
    private static boolean m_prvInited = false;
    // Message of the WARN_WEAK_DIGEST entry added when a BDOC signature or its
    // SignedProperties reference uses SHA-1 and the BDOC_SHA1_CHECK setting is on.
    private static final String DIG_TYPE_WARNING = "The current BDoc container uses weaker encryption method than officialy accepted in Estonia. We do not recommend you to add signature to this document. There is an option to re-sign this document in a new container.";
    // Cipher transformation for recovering the signed digest with the signer's RSA key;
    // verify() spells out the same value as a string literal.
    private static final String DIGIDOC_VERIFY_ALGORITHM = "RSA/NONE/PKCS1Padding";

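    /**
     * Registers the JCA provider named by the {@code DIGIDOC_SECURITY_PROVIDER}
     * configuration property, unless an earlier call already succeeded.
     *
     * <p>The provider class is loaded reflectively from configuration, so whoever
     * can edit that configuration chooses code that is added to the JCA provider
     * list; the configuration source has to be as trusted as the
     * library itself. Failures are logged and not rethrown, which leaves the
     * flag unset so that a later call tries again.
     */
    public static void initProvider() {
        if (m_prvInited) {
            return;
        }
        try {
            String providerClass = ConfigManager.instance().getProperty("DIGIDOC_SECURITY_PROVIDER");
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance().
            Security.addProvider((Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance());
            m_prvInited = true;
        } catch (Exception e) {
            // Hand the throwable to the logger too, so the stack trace is kept: a
            // provider that failed to load changes which crypto implementation is used.
            m_logger.error("Error initting provider: " + e, e);
        }
    }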

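    /**
     * Compares two digest values for equality.
     *
     * @param bArr first digest, may be {@code null}
     * @param bArr2 second digest, may be {@code null}
     * @return {@code true} only when both arrays are non-null, have the same
     *         length and hold the same bytes
     */
    public static boolean compareDigests(byte[] bArr, byte[] bArr2) {
        // A missing digest never matches, not even another missing digest.
        if (bArr == null || bArr2 == null) {
            return false;
        }
        // Use the JDK's digest comparison instead of a hand-written loop that
        // stops at the first differing byte.
        return java.security.MessageDigest.isEqual(bArr, bArr2);
    }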

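    /**
     * Cross-checks the data files of a BDOC container against its manifest and
     * against the mime types recorded in each signature.
     *
     * <p>Pass 1 requires every data file to have exactly one manifest entry with
     * the same mime type, and every signature that references the file to declare
     * that same mime type. Pass 2 requires every manifest entry other than
     * {@code "/"} to match exactly one data file. Containers that are null or
     * not in BDOC format are not checked.
     *
     * <p>Every finding is appended to {@code list} and also makes the method
     * return {@code false}, so callers that look only at the boolean do not
     * accept a container whose manifest and content disagree.
     *
     * @param signedDoc container to check
     * @param list receives one {@link DigiDocException} per finding
     * @return {@code true} when nothing was found or nothing had to be checked
     * @throws DigiDocException declared by the signature; nothing in the visible body throws it directly
     */
    public static boolean verifyManifestEntries(SignedDoc signedDoc, List list) throws DigiDocException {
        boolean z = true;
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying manifest entries");
        }
        if (signedDoc == null || signedDoc.getFormat() == null || !signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) {
            return z;
        }
        // Pass 1: data file -> manifest entry and signature mime types.
        // The error-level log lines in this method are only written when debug
        // logging is on; the list is the authoritative record of findings.
        for (int i = 0; i < signedDoc.countDataFiles(); i++) {
            DataFile dataFile = signedDoc.getDataFile(i);
            boolean z2 = false;
            // Manifest paths are compared against the bare file name.
            String name = new File(dataFile.getFileName()).getName();
            if (signedDoc.getManifest() != null) {
                for (int i2 = 0; i2 < signedDoc.getManifest().getNumFileEntries(); i2++) {
                    ManifestFileEntry fileEntry = signedDoc.getManifest().getFileEntry(i2);
                    if (fileEntry == null) {
                        continue;
                    }
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Manifest entry: " + fileEntry.getFullPath() + " mime: " + fileEntry.getMediaType() + " df: " + dataFile.getId() + " df-mime: " + dataFile.getMimeType());
                    }
                    if (fileEntry.getFullPath() == null || !fileEntry.getFullPath().equals(name)) {
                        continue;
                    }
                    if (z2) {
                        list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_ENTRY, "Duplicate ManifestFileEntry for: " + dataFile.getFileName(), null));
                        if (m_logger.isDebugEnabled()) {
                            m_logger.error("Duplicate ManifestFileEntry for: " + dataFile.getFileName());
                        }
                        z = false;
                    } else {
                        z2 = true;
                    }
                    if (fileEntry.getMediaType() == null || dataFile.getMimeType() == null || !fileEntry.getMediaType().equals(dataFile.getMimeType())) {
                        list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_MIME_TYPE, "DataFile " + dataFile.getFileName() + " mime-type: " + dataFile.getMimeType() + " does not match manifest mime type: " + fileEntry.getMediaType(), null));
                        if (m_logger.isDebugEnabled()) {
                            m_logger.error("DataFile " + dataFile.getFileName() + " mime-type: " + dataFile.getMimeType() + " does not match manifest mime type: " + fileEntry.getMediaType());
                        }
                        z = false;
                    }
                }
                for (int i3 = 0; i3 < signedDoc.countSignatures(); i3++) {
                    Signature signature = signedDoc.getSignature(i3);
                    Reference referenceForDataFile = signature.getSignedInfo().getReferenceForDataFile(dataFile);
                    if (referenceForDataFile == null) {
                        continue;
                    }
                    DataObjectFormat dataObjectFormatForReference = signature.getSignedInfo().getDataObjectFormatForReference(referenceForDataFile);
                    if (dataObjectFormatForReference != null && dataFile.getMimeType() != null && dataObjectFormatForReference.getMimeType() != null && !dataObjectFormatForReference.getMimeType().equals(dataFile.getMimeType())) {
                        list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_MIME_TYPE, "DataFile " + dataFile.getFileName() + " mime-type: " + dataFile.getMimeType() + " does not match signature: " + signature.getId() + " mime type: " + dataObjectFormatForReference.getMimeType(), null));
                        if (m_logger.isDebugEnabled()) {
                            m_logger.error("DataFile " + dataFile.getFileName() + " mime-type: " + dataFile.getMimeType() + " does not match signature: " + signature.getId() + " mime type: " + dataObjectFormatForReference.getMimeType());
                        }
                        z = false;
                    }
                }
            }
            if (!z2) {
                list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_ENTRY, "Missing ManifestFileEntry for: " + dataFile.getFileName(), null));
                if (m_logger.isDebugEnabled()) {
                    m_logger.error("Missing ManifestFileEntry1 for: " + name);
                }
                // The finding was recorded but the result stayed true before; a data
                // file the manifest does not list now fails the check.
                z = false;
            }
        }
        // Pass 1 tolerates a missing manifest, pass 2 used to dereference it
        // unconditionally. Record the absence as a finding instead of failing
        // with a NullPointerException or reporting success.
        if (signedDoc.getManifest() == null) {
            list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_ENTRY, "Missing manifest", null));
            m_logger.error("Missing manifest");
            return false;
        }
        // Pass 2: manifest entry -> data file.
        for (int i4 = 0; i4 < signedDoc.getManifest().getNumFileEntries(); i4++) {
            ManifestFileEntry fileEntry2 = signedDoc.getManifest().getFileEntry(i4);
            if (fileEntry2 == null) {
                m_logger.error("Invalid manifest entry");
                continue;
            }
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Check manifest entry: " + fileEntry2.getFullPath() + " mime: " + fileEntry2.getMediaType());
            }
            // The "/" entry stands for the container itself and has no data file.
            if (fileEntry2.getFullPath() != null && fileEntry2.getFullPath().equals("/")) {
                continue;
            }
            boolean z3 = false;
            for (int i5 = 0; i5 < signedDoc.countDataFiles(); i5++) {
                DataFile dataFile2 = signedDoc.getDataFile(i5);
                String name2 = new File(dataFile2.getFileName()).getName();
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Manifest entry: " + fileEntry2.getFullPath() + " mime: " + fileEntry2.getMediaType() + " found df: " + dataFile2.getId() + " df-mime: " + dataFile2.getMimeType());
                }
                if (fileEntry2.getFullPath() != null && fileEntry2.getFullPath().equals(name2)) {
                    if (z3) {
                        list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_ENTRY, "Duplicate DataFile: " + dataFile2.getId() + " with name: " + dataFile2.getFileName(), null));
                        if (m_logger.isDebugEnabled()) {
                            m_logger.error("Duplicate DataFile: " + dataFile2.getId() + " with name: " + dataFile2.getFileName());
                        }
                        z = false;
                    } else {
                        z3 = true;
                    }
                }
            }
            if (!z3) {
                list.add(new DigiDocException(DigiDocException.ERR_MANIFEST_ENTRY, "Missing DataFile for ManifestFileEntry: " + fileEntry2.getFullPath(), null));
                if (m_logger.isDebugEnabled()) {
                    m_logger.error("Missing DataFile for ManifestFileEntry: " + fileEntry2.getFullPath());
                }
                // Same as in pass 1: keep the return value in step with the list.
                z = false;
            }
        }
        return z;
    }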

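    /**
     * Checks that the digest of one data file equals the digest stored in the
     * signature's {@link Reference} for it.
     *
     * <p>The digest type is derived from the reference's digest algorithm. When
     * the primary digest does not match but the data file's alternate digest
     * does, the "bad digest" finding is replaced by
     * {@code ERR_DF_INV_HASH_GOOD_ALT_HASH} (not added for the SK-XML format),
     * the signature is flagged via {@code setAltDigestMatch(true)} and the
     * result is still {@code false}. For BDOC containers the data file must
     * also have a manifest entry.
     *
     * @param signedDoc container the data file belongs to
     * @param dataFile data file to check; {@code null} yields {@code false}
     * @param reference signed reference for the data file, may be {@code null}
     * @param list receives one {@link DigiDocException} per finding
     * @return {@code true} only when the primary digest matches and, for BDOC,
     *         a manifest entry exists
     */
    private static boolean verifyDataFileHash(SignedDoc signedDoc, DataFile dataFile, Reference reference, List list) {
        if (dataFile == null) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Invalid data-file");
            }
            return false;
        }
        boolean z = true;
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Check digest for DF: " + dataFile.getId() + " ref: " + (reference != null ? reference.getUri() : "NULL"));
        }
        String str = null;
        if (reference != null) {
            str = ConfigManager.digAlg2Type(reference.getDigestAlgorithm());
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Check digest for DF: " + dataFile.getId() + " type: " + str);
        }
        byte[] bArr = null;
        if (str != null) {
            try {
                bArr = dataFile.getDigestValueOfType(str);
            } catch (DigiDocException e) {
                list.add(e);
                z = false;
                // Route the traces through the logger instead of printStackTrace(),
                // so they land in the same log as the rest of the verification.
                m_logger.error("Error calculating hash for df: " + dataFile.getId() + " - " + e, e);
                if (e.getNestedException() != null) {
                    m_logger.error("Nested exception for df: " + dataFile.getId(), e.getNestedException());
                }
            }
        }
        if (reference != null) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Compare digest: " + (bArr != null ? Base64Util.encode(bArr, 0) : "NONE") + " hex: " + (bArr != null ? ConvertUtils.bin2hex(bArr) : "NONE") + " alt digest: " + (dataFile.getAltDigest() != null ? Base64Util.encode(dataFile.getAltDigest(), 0) : "NONE") + " to: " + (reference.getDigestValue() != null ? Base64Util.encode(reference.getDigestValue()) : "NONE") + " hex: " + (reference.getDigestValue() != null ? ConvertUtils.bin2hex(reference.getDigestValue()) : "NONE"));
            }
            DigiDocException digiDocException = null;
            if (!SignedDoc.compareDigests(reference.getDigestValue(), bArr)) {
                digiDocException = new DigiDocException(79, "Bad digest for DataFile: " + dataFile.getId(), null);
                list.add(digiDocException);
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("BAD DIGEST for DF: " + dataFile.getId());
                }
                z = false;
            }
            if (z || dataFile.getAltDigest() == null) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("GOOD DIGEST");
                }
            } else if (SignedDoc.compareDigests(reference.getDigestValue(), dataFile.getAltDigest())) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("DF: " + dataFile.getId() + " alternate digest matches!");
                    m_logger.debug("GOOD ALT DIGEST for DF: " + dataFile.getId());
                }
                // Swap the generic finding for the more specific alt-digest one.
                if (digiDocException != null) {
                    list.remove(digiDocException);
                }
                reference.getSignedInfo().getSignature().setAltDigestMatch(true);
                if (!reference.getSignedInfo().getSignature().getSignedDoc().getFormat().equals(SignedDoc.FORMAT_SK_XML)) {
                    list.add(new DigiDocException(DigiDocException.ERR_DF_INV_HASH_GOOD_ALT_HASH, "Bad digest for DataFile: " + dataFile.getId() + " alternate digest matches!", null));
                }
                z = false;
            }
        } else {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("No Reference");
            }
            list.add(new DigiDocException(78, "No Reference element for DataFile: " + dataFile.getId(), null));
            z = false;
        }
        if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) {
            String fileName = dataFile.getFileName();
            // Names carrying a path are reduced to their last element before the lookup.
            // File.getName() splits on the platform separator only, so how a
            // backslash is treated depends on the operating system.
            if (fileName != null && (fileName.indexOf('/') != -1 || fileName.indexOf('\\') != -1)) {
                fileName = new File(fileName).getName();
            }
            // A container without a manifest is treated like a missing entry.
            ManifestFileEntry findFileEntryByPath = signedDoc.getManifest() != null ? signedDoc.getManifest().findFileEntryByPath(fileName) : null;
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("DF: " + dataFile.getId() + " file: " + fileName + " manifest-entry: " + (findFileEntryByPath != null ? "OK" : "NULL"));
            }
            // This check used to sit inside the debug-logging guard, so the
            // verification result depended on the log level. It now always runs.
            if (findFileEntryByPath == null) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("No manifest.xml entry for: " + dataFile.getFileName());
                }
                list.add(new DigiDocException(28, "No manifest.xml entry for: " + dataFile.getFileName(), null));
                z = false;
            }
        }
        return z;
    }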

    /**
     * Checks that the digest of the signature's SignedProperties element equals
     * the digest stored in the SignedInfo reference that points at it.
     *
     * <p>A BDOC reference that uses SHA-1 additionally yields a
     * {@code WARN_WEAK_DIGEST} entry while the {@code BDOC_SHA1_CHECK} setting
     * (default {@code true}) is on; the warning by itself does not change the
     * return value.
     *
     * @param signature signature whose SignedProperties are checked
     * @param list receives one {@link DigiDocException} per finding
     * @return {@code false} when the properties or their reference are missing,
     *         the digest cannot be calculated or the digests differ
     */
    private static boolean verifySignedPropretiesHash(Signature signature, List list) {
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying signed-props of: " + signature.getId());
        }
        SignedProperties props = signature.getSignedProperties();
        // Result unused in the original as well; the call is kept as it stands.
        ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true);

        if (props == null) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("No Reference element for SignedProperties of sig: " + signature.getId());
            }
            list.add(new DigiDocException(80, "No Reference element for SignedProperties sig: " + signature.getId(), null));
            return false;
        }

        Reference propsRef = signature.getSignedInfo().getReferenceForSignedProperties(props);
        if (propsRef == null) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("No Reference element for SignedProperties: " + props.getId());
            }
            list.add(new DigiDocException(80, "No Reference element for SignedProperties: " + props.getId(), null));
            return false;
        }

        // Weak-digest warning: BDOC + SHA-1 + check enabled.
        if (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC)
                && propsRef.getDigestAlgorithm().equals(SignedDoc.SHA1_DIGEST_ALGORITHM)
                && ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true)) {
            list.add(new DigiDocException(DigiDocException.WARN_WEAK_DIGEST, DIG_TYPE_WARNING, null));
            if (m_logger.isInfoEnabled()) {
                m_logger.info("SignedProperties for signature: " + signature.getId() + " has weak digest type: " + propsRef.getDigestAlgorithm());
            }
        }

        boolean ok = true;
        byte[] actual = null;
        try {
            actual = props.calculateDigest();
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("SignedProp real digest: " + Base64Util.encode(actual, 0));
            }
        } catch (DigiDocException calcError) {
            // The comparison below still runs with a null digest and records
            // the mismatch as well.
            list.add(calcError);
            ok = false;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Compare it to: " + Base64Util.encode(propsRef.getDigestValue(), 0));
        }
        if (SignedDoc.compareDigests(propsRef.getDigestValue(), actual)) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("GOOD DIGEST");
            }
        } else {
            list.add(new DigiDocException(79, "Bad digest for SignedProperties: " + props.getId(), null));
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("BAD DIGEST for sig-prop");
            }
            ok = false;
        }
        return ok;
    }

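    /**
     * Verifies a signature value with the signer's certificate.
     *
     * <p>With {@code z == true} the JCA {@code Signature} API is used:
     * {@code bArr} is the signed data and the algorithm name comes from
     * {@code ConfigManager.sigMeth2SigType}. With {@code z == false}
     * {@code bArr} is the already-calculated digest: the signature value is
     * RSA-decrypted with the certificate, its ASN.1 digest prefix is checked
     * against the signature method, the prefix is removed and the remainder is
     * compared with {@code bArr}.
     *
     * <p>The whole check runs inside one {@code try}: the empty {@code try} of
     * the earlier form left the checked JCA exceptions unhandled, so they are
     * now passed to {@code DigiDocException.handleException} with code 81.
     *
     * <p>NOTE(review): the {@code z == false} path re-implements PKCS#1 v1.5
     * verification by hand. How strictly the recovered block is parsed depends
     * on {@code ConvertUtils.findDigType} and {@code ConvertUtils.removePrefix},
     * which are not visible here; confirm that they reject trailing or
     * malformed data. When {@code ConfigManager.sigMeth2Type} returns
     * {@code null}, any recognised digest prefix is accepted.
     *
     * @param bArr signed data ({@code z == true}) or its digest ({@code z == false})
     * @param bArr2 signature value
     * @param x509Certificate signer's certificate
     * @param z selects the JCA {@code Signature} path
     * @param str signature method identifier
     * @return {@code true} when the signature is valid; an invalid signature is
     *         reported by exception
     * @throws DigiDocException with code 81 when the certificate is missing, the
     *         method is unknown or the value does not verify; with
     *         {@code ERR_SIGVAL_00} or {@code ERR_SIGVAL_ASN1} for a bad digest prefix
     */
    public static boolean verify(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate, boolean z, String str) throws DigiDocException {
        boolean z2 = false;
        try {
            if (x509Certificate == null) {
                throw new DigiDocException(81, "Invalid or missing signers cert!", null);
            }
            if (z) {
                // Return value unused, as before; presumably the call makes sure the
                // configuration is loaded - TODO confirm.
                ConfigManager.instance();
                String sigMeth2SigType = ConfigManager.sigMeth2SigType(str, true);
                if (m_logger.isDebugEnabled()) {
                    // Debug level writes the complete signed XML and signature value to the log.
                    m_logger.debug("Verify xml:\n---\n" + new String(bArr) + "\n---\n len: " + bArr.length + " method: " + str + " sig-type: " + sigMeth2SigType + "\n---\n" + ConvertUtils.bin2hex(bArr2) + " sig-len: " + bArr2.length);
                }
                if (sigMeth2SigType == null) {
                    throw new DigiDocException(81, "Signature method: " + str + " not provided!", null);
                }
                java.security.Signature signature = java.security.Signature.getInstance(sigMeth2SigType, ConfigManager.addProvider());
                signature.initVerify(x509Certificate.getPublicKey());
                signature.update(bArr);
                z2 = signature.verify(bArr2);
            } else {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Verify sig: " + bArr2.length + " bytes, alg: RSA/NONE/PKCS1Padding sig-alg: " + str);
                }
                Cipher cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", EncryptedData.DIGIDOC_SECURITY_PROVIDER_NAME);
                // "Decrypting" with the certificate's public key recovers the signed block.
                cipher.init(Cipher.DECRYPT_MODE, x509Certificate);
                try {
                    byte[] doFinal = cipher.doFinal(bArr2);
                    String sigMeth2Type = ConfigManager.sigMeth2Type(str);
                    String findDigType = ConvertUtils.findDigType(doFinal);
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Decrypted digest: '" + SignedDoc.bin2hex(doFinal) + "' len: " + doFinal.length + " has-pref: " + findDigType + " must-have: " + sigMeth2Type + " alg: " + str);
                    }
                    if (findDigType != null && findDigType.equals(SignedDoc.SHA1_DIGEST_TYPE_BAD)) {
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Invalid signature asn.1 prefix with 0x00 byte");
                        }
                        throw new DigiDocException(DigiDocException.ERR_SIGVAL_00, "Invalid signature asn.1 prefix with 0x00 byte", null);
                    }
                    // Reject an unrecognised prefix, and a prefix that differs from the
                    // digest type the signature method calls for (when that is known).
                    if (findDigType == null || (sigMeth2Type != null && !sigMeth2Type.equals(findDigType))) {
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Signature asn.1 prefix: " + findDigType + " does not match: " + sigMeth2Type);
                        }
                        throw new DigiDocException(DigiDocException.ERR_SIGVAL_ASN1, "Signature asn.1 prefix: " + findDigType + " does not match: " + sigMeth2Type, null);
                    }
                    byte[] removePrefix = ConvertUtils.removePrefix(doFinal);
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Signed digest: '" + (removePrefix != null ? SignedDoc.bin2hex(removePrefix) : "NULL") + "' calc-digest: '" + SignedDoc.bin2hex(bArr) + "'");
                    }
                    // Same length before and after removal means no prefix was stripped.
                    if (doFinal != null && removePrefix != null && doFinal.length == removePrefix.length) {
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Signature value decrypted len: " + doFinal.length + " missing ASN.1 structure prefix");
                        }
                        throw new DigiDocException(81, "Invalid signature value! Signature value decrypted len: " + doFinal.length + " missing ASN.1 structure prefix", null);
                    }
                    z2 = compareDigests(bArr, removePrefix);
                } catch (ArrayIndexOutOfBoundsException e3) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Invalid signature value. Signers cert and signature value don't match! - " + e3);
                    }
                    throw new DigiDocException(81, "Invalid signature value! Signers cert and signature value don't match!", e3);
                }
            }
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Result: " + z2);
            }
            if (!z2) {
                throw new DigiDocException(81, "Invalid signature value!", null);
            }
        } catch (DigiDocException e) {
            // Already carries the right error code; pass it on untouched.
            throw e;
        } catch (Exception e2) {
            // Provider, key and padding failures all surface as code 81.
            DigiDocException.handleException(e2, 81);
        }
        return z2;
    }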

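    /**
     * Verifies the signature value of one signature over its SignedInfo element.
     *
     * <p>BDOC signatures made with an elliptic-curve key are verified over the
     * original SignedInfo XML; every other case is verified against the
     * calculated SignedInfo digest. A BDOC signature using an RSA-SHA1 or
     * ECDSA-SHA1 method additionally yields a {@code WARN_WEAK_DIGEST} entry
     * while the {@code BDOC_SHA1_CHECK} setting (default {@code true}) is on.
     *
     * @param signedDoc container the signature belongs to; {@code null} yields {@code false}
     * @param signature signature to verify; {@code null} yields {@code false}
     * @param list receives one {@link DigiDocException} per finding
     * @return {@code true} when the signature value verifies
     */
    public static boolean verifySignatureValue(SignedDoc signedDoc, Signature signature, List list) {
        boolean z;
        if (signedDoc == null) {
            m_logger.error("SignedDoc is null");
            return false;
        }
        if (signature == null) {
            m_logger.error("Signature is null");
            return false;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying signature value of: " + signature.getId());
        }
        try {
            byte[] calculateDigest = signature.getSignedInfo().calculateDigest();
            // Read the value null-safely once. The debug line below used to
            // dereference it before the missing-value check, so a signature without
            // a value failed with a NullPointerException whenever debug logging was on.
            byte[] sigValue = signature.getSignatureValue() != null ? signature.getSignatureValue().getValue() : null;
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("SignedInfo real digest: " + (calculateDigest != null ? Base64Util.encode(calculateDigest, 0) : "NULL") + " hex: " + (calculateDigest != null ? SignedDoc.bin2hex(calculateDigest) : "NULL") + " sig: " + (sigValue != null ? ConvertUtils.bin2hex(sigValue) : "NULL") + " len: " + (sigValue != null ? sigValue.length : 0));
            }
            if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && ((signature.getSignedInfo().getSignatureMethod().equals(SignedDoc.RSA_SHA1_SIGNATURE_METHOD) || signature.getSignedInfo().getSignatureMethod().equals(SignedDoc.ECDSA_SHA1_SIGNATURE_METHOD)) && ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true))) {
                list.add(new DigiDocException(DigiDocException.WARN_WEAK_DIGEST, DIG_TYPE_WARNING, null));
                if (m_logger.isInfoEnabled()) {
                    m_logger.info("Signature: " + signature.getId() + " has weak signature method: " + signature.getSignedInfo().getSignatureMethod());
                }
            }
            if (sigValue == null || calculateDigest == null) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Missing signature value!");
                }
                list.add(new DigiDocException(38, "Missing signature value!", null));
                z = false;
            } else {
                if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && signature.isEllipticCurveSiganture()) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Verify sdoc: " + signedDoc.getFormat() + "/" + signedDoc.getVersion() + " prefs: " + signedDoc.getXmlDsigNs() + "/" + signedDoc.getAsicNs() + "/" + signedDoc.getXadesNs());
                    }
                    byte[] origXml = signature.getSignedInfo().getOrigXml();
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Verify xml:\n---\n" + new String(origXml) + "\n---\n");
                    }
                    z = verify(origXml, sigValue, signature.getKeyInfo().getSignersCertificate(), true, signature.getSignedInfo().getSignatureMethod());
                } else {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Verify sig: " + ConvertUtils.bin2hex(sigValue) + " len: " + sigValue.length + " hlen: " + ConvertUtils.bin2hex(sigValue).length());
                    }
                    z = verify(calculateDigest, sigValue, signature.getKeyInfo().getSignersCertificate(), false, signature.getSignedInfo().getSignatureMethod());
                }
                // verify() is declared to throw DigiDocException and its failure
                // paths visible in this file do so, which lands in the catch below.
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("GOOD DIGEST");
                }
            }
        } catch (DigiDocException e) {
            list.add(e);
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("BAD DIGEST for sig-inf: " + signature.getId() + " - " + e.toString());
                m_logger.debug("TRACE: " + ConvertUtils.getTrace(e));
                m_logger.debug("sig-val-len: " + ((signature.getSignatureValue() == null || signature.getSignatureValue().getValue() == null) ? 0 : signature.getSignatureValue().getValue().length));
                m_logger.debug("signer: " + ((signature.getKeyInfo() == null || signature.getKeyInfo().getSignersCertificate() == null) ? "NULL" : signature.getKeyInfo().getSignersCertificate().getSubjectDN().getName()));
            }
            z = false;
        }
        return z;
    }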

    /**
     * Checks that one certificate was signed with the key of another.
     *
     * <p>Only the signature over the certificate is checked here. Nothing in
     * this method looks at the validity period, key usage or revocation
     * status, so those have to be checked elsewhere.
     *
     * @param x509Certificate certificate to check
     * @param x509Certificate2 presumed issuer; {@code null} yields {@code false}
     * @return {@code true} when the signature on {@code x509Certificate} verifies
     *         with the public key of {@code x509Certificate2}
     * @throws DigiDocException declared for {@code DigiDocException.handleException},
     *         which receives every failure with code 94
     */
    public static boolean verifyCertificate(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws DigiDocException {
        if (x509Certificate2 == null) {
            return false;
        }
        try {
            x509Certificate.verify(x509Certificate2.getPublicKey());
            return true;
        } catch (Exception failure) {
            DigiDocException.handleException(failure, 94);
        }
        // Reached only if handleException returns instead of throwing.
        return false;
    }

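    /**
     * Checks the signer's certificate of one signature.
     *
     * <p>Four things are checked: a CA for the certificate is found through the
     * configured trust-service factory and its key verifies the certificate;
     * {@code ConfigManager.isSignatureKey} accepts the certificate; the issuer
     * name in the signed CertID is consistent with the certificate's issuer;
     * and the signed serial number equals the certificate's serial number.
     *
     * <p>The whole check runs inside one {@code try}. The earlier form closed
     * the {@code try} after the factory lookup, so the factory variable could be
     * unassigned on the code path after the {@code catch} and the
     * {@link DigiDocException} declared by {@link #verifyCertificate} was not
     * handled.
     *
     * @param signature signature whose signer certificate is checked
     * @param list receives one {@link DigiDocException} per finding
     * @return {@code true} only when no finding was recorded
     */
    public static boolean verifySignersCerificate(Signature signature, List list) {
        boolean z;
        try {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Verifying CA of signature: " + signature.getId() + " signed-at: " + ConvertUtils.date2string(signature.getSignedProperties().getSigningTime(), signature.getSignedDoc()) + " produced: " + ConvertUtils.date2string(signature.getSignatureProducedAtTime(), signature.getSignedDoc()));
            }
            TrustServiceFactory tslFactory = ConfigManager.instance().getTslFactory();
            X509Certificate signersCertificate = signature.getKeyInfo().getSignersCertificate();
            if (signersCertificate == null) {
                list.add(new DigiDocException(39, "Signers cert missing!", null));
                return false;
            }
            X509Certificate findCaForCert = tslFactory.findCaForCert(signersCertificate, true, signature.getSignatureProducedAtTime());
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Check signer: " + signersCertificate.getSubjectDN().getName() + " issued by: " + signersCertificate.getIssuerDN().getName() + " SUB from: " + ConvertUtils.date2string(signersCertificate.getNotBefore(), signature.getSignedDoc()) + " to: " + ConvertUtils.date2string(signersCertificate.getNotAfter(), signature.getSignedDoc()) + " by CA: " + (findCaForCert != null ? findCaForCert.getSubjectDN().getName() : "NOT FOUND") + " CA from: " + (findCaForCert != null ? ConvertUtils.date2string(findCaForCert.getNotBefore(), signature.getSignedDoc()) : "?") + " to: " + (findCaForCert != null ? ConvertUtils.date2string(findCaForCert.getNotAfter(), signature.getSignedDoc()) : "?") + " ca-ahel: " + (DigiDocGenFactory.isTestCard(signersCertificate) ? "TEST" : "LIVE"));
            }
            if (findCaForCert != null) {
                z = verifyCertificate(signersCertificate, findCaForCert);
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Signer: " + ConvertUtils.getCommonName(signersCertificate.getSubjectDN().getName()) + " is issued by trusted CA: " + ConvertUtils.getCommonName(findCaForCert.getSubjectDN().getName()));
                }
            } else {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("CA not found for: " + ConvertUtils.getCommonName(signersCertificate.getSubjectDN().getName()));
                }
                list.add(new DigiDocException(39, "Signers cert not trusted, missing CA cert!", null));
                z = false;
            }
            if (!ConfigManager.isSignatureKey(signersCertificate)) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Signers cert does not have non-repudiation bit set!");
                }
                list.add(new DigiDocException(DigiDocException.ERR_SIGNERS_CERT_NONREPUD, "Signers cert does not have non-repudiation bit set!", null));
                z = false;
            }
            // The CertID is the certificate reference covered by the signature;
            // comparing it with the certificate actually used detects a swapped one.
            CertID certIdOfType = signature.getCertIdOfType(1);
            if (certIdOfType != null) {
                boolean z2 = true;
                List parseDN = parseDN(ConvertUtils.convX509Name(signersCertificate.getIssuerX500Principal()));
                List parseDN2 = parseDN(certIdOfType.getIssuer());
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Signed: " + certIdOfType.getIssuer() + " cert: " + ConvertUtils.convX509Name(signersCertificate.getIssuerX500Principal()) + " cert rdn-s: " + parseDN.size() + " signed rdn-s: " + parseDN2.size());
                }
                // One-directional: every signed RDN of a listed type must occur in the
                // certificate's issuer name (case-insensitive); extra RDNs in the
                // certificate are not an error.
                for (int i = 0; i < parseDN2.size(); i++) {
                    Rdn rdn = (Rdn) parseDN2.get(i);
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Signed RDN: " + rdn.getId() + "/" + rdn.getValue());
                    }
                    boolean z3 = false;
                    for (int i2 = 0; i2 < parseDN.size(); i2++) {
                        Rdn rdn2 = (Rdn) parseDN.get(i2);
                        if (rdn.getId() != null && rdn2.getId() != null && rdn.getId().equalsIgnoreCase(rdn2.getId()) && rdn.getValue() != null && rdn2.getValue() != null && rdn.getValue().equalsIgnoreCase(rdn2.getValue())) {
                            z3 = true;
                        }
                    }
                    if (!z3 && m_logger.isDebugEnabled()) {
                        m_logger.debug("Different for signed: " + rdn.getId() + "/" + rdn.getValue());
                    }
                    // NOTE(review): "LT" may be meant as "L" (locality) - confirm against parseDN.
                    if (!z3 && rdn.getId() != null && (rdn.getId().equals("CN") || rdn.getId().equals("LT") || rdn.getId().equals("ST") || rdn.getId().equals("O") || rdn.getId().equals("OU") || rdn.getId().equals("C") || rdn.getId().equals("STREET") || rdn.getId().equals("DC") || rdn.getId().equals("UID"))) {
                        m_logger.error("No match for signed: " + rdn.getId() + "/" + rdn.getValue());
                        z2 = false;
                    }
                }
                if (!z2) {
                    m_logger.error("Signers cert issuer DN: " + ConvertUtils.convX509Name(signersCertificate.getIssuerX500Principal()) + " and signed Issuername: " + certIdOfType.getIssuer() + " don't match");
                    list.add(new DigiDocException(81, "Signing certificate issuer information does not match", null));
                    // Recorded as an error but previously still reported as success.
                    z = false;
                }
                if (certIdOfType.getSerial() != null) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Signed IssuerSerial: " + certIdOfType.getSerial().toString() + " cert serial: " + signersCertificate.getSerialNumber().toString());
                    }
                    if (!certIdOfType.getSerial().equals(signersCertificate.getSerialNumber())) {
                        m_logger.error("Signers cert issuer serial: " + signersCertificate.getSerialNumber().toString() + " and signed IssuerSerial: " + certIdOfType.getSerial().toString() + " don't match");
                        list.add(new DigiDocException(81, "Signing certificate issuer information does not match", null));
                        // Same as above: keep the return value in step with the list.
                        z = false;
                    }
                }
            }
        } catch (DigiDocException e) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Signers certificate not trusted for: " + signature.getId());
            }
            list.add(e);
            z = false;
        }
        return z;
    }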

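    /**
     * Checks that the signer's certificate was inside its validity period at the
     * {@code producedAt} time of the signature's OCSP confirmation.
     *
     * <p>The reference time comes from the notary held in the unsigned properties, not
     * from the local clock. When the signature has no notary, or the notary has no
     * {@code producedAt}, no validity check is performed and the method returns
     * {@code true}; callers that require a time-bound check must also require an OCSP
     * confirmation.
     *
     * <p>Every failure raised while checking is reported as error 82
     * ("Signers certificate has expired!"). This includes a certificate that is not yet
     * valid and a missing key info or certificate. The underlying exception is written
     * to the error log so the causes can be told apart.
     *
     * @param signature signature to check; {@code null} is treated as "nothing to check"
     * @param list receives a {@code DigiDocException} when the check fails
     * @return {@code false} if the validity check failed, {@code true} otherwise
     */
    public static boolean verifySigningTime(Signature signature, List list) {
        boolean z = true;
        if (signature == null) {
            // Guard first: the logging below dereferences the signature.
            return z;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying signing time signature: " + signature.getId());
        }
        Date date = null;
        try {
            if (signature.getUnsignedProperties() != null && signature.getUnsignedProperties().getNotary() != null) {
                date = signature.getUnsignedProperties().getNotary().getProducedAt();
            }
            if (date != null) {
                // checkValidity throws when the certificate is expired or not yet valid at that
                // instant. It must sit inside the try so the failure lands in the error list
                // instead of escaping the method.
                signature.getKeyInfo().getSignersCertificate().checkValidity(date);
            }
        } catch (Exception e) {
            m_logger.error("Signers certificate has expired for: " + signature.getId(), e);
            list.add(new DigiDocException(82, "Signers certificate has expired!", null));
            z = false;
        }
        // Logging stays outside the try so that a logging failure cannot change the result.
        if (m_logger.isDebugEnabled()) {
            if (!z) {
                m_logger.debug("Signing time check failed for signature: " + signature.getId());
            } else if (date != null) {
                m_logger.debug("Signers cert: " + ConvertUtils.getCommonName(signature.getKeyInfo().getSignersCertificate().getSubjectDN().getName()) + " was valid on: " + ConvertUtils.date2string(date, signature.getSignedDoc()));
            } else {
                m_logger.debug("No OCSP producedAt time for signature: " + signature.getId() + ", certificate validity period not checked");
            }
        }
        return z;
    }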

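    /**
     * Flags a signature whose signer certificate is not a test certificate while the
     * certificate stored as cert value type 2 is one. The error text calls that
     * certificate the OCSP certificate.
     *
     * <p>Only this one direction is reported; a test signer combined with a live OCSP
     * certificate is not flagged here. The method returns {@code true} without adding
     * an error when the key info, the type-2 cert value or either certificate is
     * missing, so it does not prove that a responder certificate is present.
     *
     * @param signature signature to inspect; {@code null} is treated as "nothing to check"
     * @param list receives {@code ERR_TEST_SIGNATURE} when the mix is detected
     * @return {@code false} if a live signer with a test OCSP certificate was found
     */
    public static boolean verifySignatureFromLiveAndOcspFromTest(Signature signature, List list) {
        if (signature == null) {
            // Guard before logging: the debug line dereferences the signature.
            return true;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying live/test for signature: " + signature.getId());
        }
        CertValue responderValue = signature.getCertValueOfType(2);
        if (signature.getKeyInfo() == null || responderValue == null) {
            return true;
        }
        X509Certificate signerCert = signature.getKeyInfo().getSignersCertificate();
        X509Certificate responderCert = responderValue.getCert();
        if (signerCert == null || responderCert == null) {
            return true;
        }
        if (!DigiDocGenFactory.isTestCard(responderCert) || DigiDocGenFactory.isTestCard(signerCert)) {
            return true;
        }
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Signer from LIVE CA-chain but OCSP from TEST CA-chain!");
        }
        list.add(new DigiDocException(DigiDocException.ERR_TEST_SIGNATURE, "Signer from LIVE CA-chain but OCSP from TEST CA-chain!", null));
        return false;
    }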

    /**
     * Verifies the OCSP confirmation attached to a signature and appends every problem
     * found to {@code list}.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>at least one notary must be present (error 90 otherwise);</li>
     *   <li>non-BDOC only: the responder certificate's serial and digest are compared with
     *       the complete certificate references (error 53);</li>
     *   <li>more than one notary is rejected (error 70);</li>
     *   <li>non-BDOC only: each OCSP response's digest and producedAt are compared with its
     *       entry in the complete revocation references (errors 83 / 70);</li>
     *   <li>all formats: each notary is passed to
     *       {@code NotaryFactory.parseAndVerifyResponse}.</li>
     * </ol>
     *
     * <p>Notes for callers: for BDOC the reference cross-checks (2) and (4) are skipped, so
     * the outcome rests on {@code parseAndVerifyResponse} alone. Some findings are added to
     * {@code list} without clearing the return value (the weak-digest warning and the
     * producedAt mismatch), so the list must be inspected as well as the boolean.
     *
     * @param signature signature to verify; dereferenced for logging outside the try, so it
     *     must not be {@code null}
     * @param list receives {@code DigiDocException} entries describing failures
     * @return {@code false} if any check that clears the result failed or an unexpected
     *     exception occurred
     */
    public static boolean verifySignatureOCSP(Signature signature, List list) {
        boolean z = true;
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying OCSP for signature: " + signature.getId());
        }
        try {
            if (signature.getUnsignedProperties() == null || signature.getUnsignedProperties().countNotaries() <= 0) {
                z = false;
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Signature has no OCSP confirmation!");
                }
                list.add(new DigiDocException(90, "Signature has no OCSP confirmation!", null));
            } else {
                // Type 2 is logged below as the responder's certificate / certificate reference.
                CertValue certValueOfType = signature.getCertValueOfType(2);
                CertID certIdOfType = signature.getCertIdOfType(2);
                String str = null;
                BigInteger bigInteger = null;
                X509Certificate cert = certValueOfType != null ? certValueOfType.getCert() : null;
                if (certIdOfType != null) {
                    str = certIdOfType.getIssuer();
                    bigInteger = certIdOfType.getSerial();
                    // Return value is discarded; nothing in this method uses it.
                    certIdOfType.getDigestValue();
                }
                // Return value is discarded; throws if getKeyInfo() is null (caught by the outer catch).
                signature.getKeyInfo().getSignersCertificate();
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("Responders cert: " + (cert != null ? cert.getSerialNumber().toString() : "NULL") + " - " + (cert != null ? cert.getSubjectDN().getName() : "NULL") + " complete cert refs nr: " + bigInteger + " - " + str + " ca-ahel: " + (cert != null ? DigiDocGenFactory.isTestCard(cert) ? "TEST" : "LIVE" : "?"));
                }
                // Serial comparison runs only for non-BDOC formats and only when a responder
                // certificate is present. A missing reference (bigInteger == null) counts as a mismatch.
                if (cert != null && !cert.getSerialNumber().equals(bigInteger) && !signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC)) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Wrong notarys certificate: " + cert.getSerialNumber() + " ref: " + bigInteger);
                    }
                    list.add(new DigiDocException(53, "Wrong notarys certificate: " + cert.getSerialNumber() + " ref: " + bigInteger, null));
                    z = false;
                }
                try {
                    if (!signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC)) {
                        // Inside the non-BDOC branch the ternary below always selects SHA1_DIGEST_TYPE
                        // (assuming getFormat() is stable). A null cert throws here and is reported
                        // as error 53 by the generic catch further down.
                        byte[] digestOfType = SignedDoc.digestOfType(cert.getEncoded(), signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE);
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Not cert calc hash: " + Base64Util.encode(digestOfType, 0) + " cert-ref hash: " + Base64Util.encode(signature.getUnsignedProperties().getCompleteCertificateRefs().getCertDigestValue(), 0));
                        }
                        if (!compareDigests(digestOfType, signature.getUnsignedProperties().getCompleteCertificateRefs().getCertDigestValue())) {
                            list.add(new DigiDocException(53, "Notary certificates digest doesn't match!", null));
                            if (m_logger.isDebugEnabled()) {
                                m_logger.debug("Notary certificates digest doesn't match!");
                            }
                            z = false;
                        }
                        // NOTE(review): this requires FORMAT_BDOC but sits inside the non-BDOC branch,
                        // so the weak-digest warning for CompleteCertificateRefs looks unreachable — confirm.
                        if (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) && signature.getUnsignedProperties().getCompleteCertificateRefs().getCertDigestAlgorithm().equals(SignedDoc.SHA1_DIGEST_ALGORITHM) && ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true)) {
                            list.add(new DigiDocException(DigiDocException.WARN_WEAK_DIGEST, DIG_TYPE_WARNING, null));
                            if (m_logger.isInfoEnabled()) {
                                m_logger.info("CompleteCertificateRefs for signature: " + signature.getId() + " has weak digest type: " + signature.getUnsignedProperties().getCompleteCertificateRefs().getCertDigestAlgorithm());
                            }
                        }
                    }
                } catch (DigiDocException e) {
                    list.add(e);
                    z = false;
                } catch (Exception e2) {
                    // The cause is dropped here; only the generic error 53 reaches the caller.
                    z = false;
                    list.add(new DigiDocException(53, "Error calculating notary certificate digest!", null));
                }
                // Exactly one OCSP confirmation is accepted.
                if (signature.getUnsignedProperties().countNotaries() > 1) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Currently supports only one OCSP");
                    }
                    list.add(new DigiDocException(70, "Currently supports only one OCSP", null));
                    z = false;
                }
                // Cross-check of each OCSP response against CompleteRevocationRefs; skipped for BDOC.
                if (!signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC)) {
                    for (int i = 0; i < signature.getUnsignedProperties().countNotaries(); i++) {
                        try {
                            if (m_logger.isDebugEnabled()) {
                                m_logger.debug("Signature: " + signature.getId() + " not: " + i + " notaries: " + signature.getUnsignedProperties().countNotaries());
                            }
                            Notary notaryById = signature.getUnsignedProperties().getNotaryById(i);
                            byte[] ocspResponseData = notaryById.getOcspResponseData();
                            if (m_logger.isDebugEnabled()) {
                                m_logger.debug("OCSP value: " + notaryById.getId() + " data: " + (ocspResponseData != null ? ocspResponseData.length : 0) + " bytes");
                            }
                            if (ocspResponseData == null || ocspResponseData.length == 0) {
                                list.add(new DigiDocException(83, "OCSP value is empty!", null));
                                z = false;
                            } else {
                                // The reference is looked up by fragment URI "#<notary id>".
                                OcspRef ocspRefByUri = signature.getUnsignedProperties().getCompleteRevocationRefs().getOcspRefByUri("#" + notaryById.getId());
                                if (m_logger.isDebugEnabled()) {
                                    m_logger.debug("OCSP ref: " + (ocspRefByUri != null ? ocspRefByUri.getUri() : "NULL"));
                                }
                                if (ocspRefByUri == null) {
                                    list.add(new DigiDocException(83, "No OCSP ref for uri: #" + notaryById.getId(), null));
                                    z = false;
                                } else {
                                    if (m_logger.isDebugEnabled()) {
                                        m_logger.debug("OCSP data len: " + ocspResponseData.length);
                                    }
                                    // The SHA-256 arm requires FORMAT_BDOC, which the enclosing branch excludes,
                                    // so the response digest is computed with SHA1_DIGEST_TYPE here.
                                    byte[] digestOfType2 = SignedDoc.digestOfType(ocspResponseData, (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) && (ocspRefByUri.getDigestAlgorithm().equals("http://www.w3.org/2001/04/xmlenc#sha256") || ocspRefByUri.getDigestAlgorithm().equals(SignedDoc.SHA256_DIGEST_ALGORITHM_2))) ? SignedDoc.SHA256_DIGEST_TYPE : SignedDoc.SHA1_DIGEST_TYPE);
                                    byte[] digestValue = ocspRefByUri.getDigestValue();
                                    if (m_logger.isDebugEnabled()) {
                                        m_logger.debug("Check ocsp: " + notaryById.getId() + " calc hash: " + Base64Util.encode(digestOfType2, 0) + " refs-hash: " + Base64Util.encode(digestValue, 0));
                                    }
                                    // For FORMAT_SK_XML the response digest is not compared with the reference.
                                    if (!signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_SK_XML) && !compareDigests(digestOfType2, digestValue)) {
                                        list.add(new DigiDocException(83, "Notarys digest doesn't match!", null));
                                        if (m_logger.isDebugEnabled()) {
                                            m_logger.debug("Notarys digest doesn't match!");
                                        }
                                        z = false;
                                    }
                                    // NOTE(review): requires FORMAT_BDOC inside the non-BDOC branch, so this
                                    // weak-digest warning also looks unreachable — confirm.
                                    if (signature.getSignedDoc().getFormat().equals(SignedDoc.FORMAT_BDOC) && ocspRefByUri.getDigestAlgorithm().equals(SignedDoc.SHA1_DIGEST_ALGORITHM) && ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true)) {
                                        list.add(new DigiDocException(DigiDocException.WARN_WEAK_DIGEST, DIG_TYPE_WARNING, null));
                                        if (m_logger.isInfoEnabled()) {
                                            m_logger.info("CompleteRevocationRefs for signature: " + signature.getId() + " has weak digest type: " + ocspRefByUri.getDigestAlgorithm());
                                        }
                                    }
                                    if (m_logger.isDebugEnabled()) {
                                        m_logger.debug("Check ocsp: " + notaryById.getId() + " prodAt: " + (notaryById.getProducedAt() != null ? ConvertUtils.date2string(notaryById.getProducedAt(), signature.getSignedDoc()) : "NULL") + " orf prodAt: " + (ocspRefByUri.getProducedAt() != null ? ConvertUtils.date2string(ocspRefByUri.getProducedAt(), signature.getSignedDoc()) : "NULL"));
                                    }
                                    // producedAt values are compared as formatted strings, and only when both are present.
                                    // NOTE(review): a mismatch adds error 70 but does not clear z, so the method
                                    // can still return true; callers need to inspect the list.
                                    if (notaryById.getProducedAt() != null && ocspRefByUri.getProducedAt() != null && !ConvertUtils.date2string(notaryById.getProducedAt(), signature.getSignedDoc()).equals(ConvertUtils.date2string(ocspRefByUri.getProducedAt(), signature.getSignedDoc()))) {
                                        if (m_logger.isDebugEnabled()) {
                                            m_logger.debug("Notary: " + notaryById.getId() + " producedAt: " + (notaryById.getProducedAt() != null ? ConvertUtils.date2string(notaryById.getProducedAt(), signature.getSignedDoc()) : "NULL") + " does not match OcpsRef-s producedAt: " + (ocspRefByUri.getProducedAt() != null ? ConvertUtils.date2string(ocspRefByUri.getProducedAt(), signature.getSignedDoc()) : "NULL"));
                                        }
                                        list.add(new DigiDocException(70, "Notary: " + notaryById.getId() + " producedAt: " + (notaryById.getProducedAt() != null ? ConvertUtils.date2string(notaryById.getProducedAt(), signature.getSignedDoc()) : "NULL") + " does not match OcpsRef-s producedAt: " + (ocspRefByUri.getProducedAt() != null ? ConvertUtils.date2string(ocspRefByUri.getProducedAt(), signature.getSignedDoc()) : "NULL"), null));
                                    }
                                }
                            }
                        } catch (DigiDocException e3) {
                            list.add(e3);
                            z = false;
                        }
                    }
                }
                // Runs for every format. The first DigiDocException ends the loop, so later
                // notaries are not parsed.
                try {
                    NotaryFactory notaryFactory = ConfigManager.instance().getNotaryFactory();
                    for (int i2 = 0; i2 < signature.getUnsignedProperties().countNotaries(); i2++) {
                        Notary notaryById2 = signature.getUnsignedProperties().getNotaryById(i2);
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Verify notary: " + notaryById2.getId() + " ocsp: " + (notaryById2.getOcspResponseData() != null ? notaryById2.getOcspResponseData().length : 0) + " responder: " + notaryById2.getResponderId());
                        }
                        notaryFactory.parseAndVerifyResponse(signature, notaryById2);
                    }
                } catch (DigiDocException e4) {
                    list.add(e4);
                    z = false;
                }
            }
        } catch (Exception e5) {
            // Any unexpected failure fails verification; the exception itself is neither logged nor attached.
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Failed to verify OCSP for: " + signature.getId());
            }
            list.add(new DigiDocException(82, "Failed to verify OCSP for: " + signature.getId(), null));
            z = false;
        }
        return z;
    }

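    /**
     * Runs the full verification of one signature: data-file hashes, reference/data-file
     * coverage, signed-properties hash, signature value, signing time, signer's certificate,
     * BDOC signature policy and, where applicable, the OCSP confirmation. Every problem is
     * appended to {@code list}.
     *
     * <p>Notes for callers:
     * <ul>
     *   <li>Several findings are added to {@code list} without clearing the return value:
     *       the "T, TS and TSA profiles are currently not supported" error, the weak-digest
     *       warning, a Reference with no matching DataFile and a missing DataObjectFormat.
     *       A {@code true} result with a non-empty list is possible, so both must be
     *       checked.</li>
     *   <li>OCSP verification runs for SK-XML and DIGIDOC-XML and for the TM, TMA, TS and
     *       TSA profiles; a signature with any other profile in another format is accepted
     *       without an OCSP check here.</li>
     * </ul>
     *
     * @param signedDoc container holding the data files
     * @param signature signature to verify; must not be {@code null}
     * @param list receives {@code DigiDocException} entries describing failures
     * @return {@code false} if any sub-check that clears the result failed
     */
    public static boolean verifySignature(SignedDoc signedDoc, Signature signature, List list) {
        boolean z = true;
        boolean z2 = false;
        initProvider();
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Verifying signature: " + signature.getId() + " profile: " + signature.getProfile());
        }
        if (signature.getProfile() != null && (signature.getProfile().equals(SignedDoc.BDOC_PROFILE_T) || signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TS) || signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TSA))) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("T, TS and TSA profiles are currently not supported!");
            }
            // Recorded as an error only; z is left untouched.
            list.add(new DigiDocException(81, "T, TS and TSA profiles are currently not supported!", null));
        }
        // 1. Every data file must be covered by a Reference whose digest matches.
        for (int i = 0; i < signedDoc.countDataFiles(); i++) {
            DataFile dataFile = signedDoc.getDataFile(i);
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Verifying DF: " + dataFile.getId() + " file: " + dataFile.getFileName());
            }
            Reference referenceForDataFile = signature.getSignedInfo().getReferenceForDataFile(dataFile);
            if (referenceForDataFile != null && referenceForDataFile.getDigestAlgorithm() != null && signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && referenceForDataFile.getDigestAlgorithm().equals(SignedDoc.SHA1_DIGEST_ALGORITHM) && ConfigManager.instance().getBooleanProperty("BDOC_SHA1_CHECK", true)) {
                list.add(new DigiDocException(DigiDocException.WARN_WEAK_DIGEST, DIG_TYPE_WARNING, null));
                if (m_logger.isInfoEnabled()) {
                    m_logger.info("DataFile: " + dataFile.getId() + " has weak digest type: " + referenceForDataFile.getDigestAlgorithm());
                }
            }
            if (referenceForDataFile != null) {
                z2 = verifyDataFileHash(signedDoc, dataFile, referenceForDataFile, list);
            } else {
                z2 = false;
                list.add(new DigiDocException(81, "Missing Reference for file: " + dataFile.getFileName(), null));
            }
            if (!z2) {
                z = false;
            }
        }
        // 2. Every untyped Reference that is not a manifest / MIME / SignedProperties reference
        //    must point at an existing data file.
        // NOTE(review): the outer loop fetches each signature of the document but discards it, and
        // the inner loop always inspects the signature passed in, so the same findings are added
        // once per signature in the container. Left as is because the intended behaviour is not
        // visible here.
        for (int i2 = 0; i2 < signedDoc.countSignatures(); i2++) {
            signedDoc.getSignature(i2);
            for (int i3 = 0; i3 < signature.getSignedInfo().countReferences(); i3++) {
                Reference reference = signature.getSignedInfo().getReference(i3);
                if (reference.getType() == null && ((!signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) || reference.getUri().indexOf("META-INF/manifest.xml") == -1) && ((!signedDoc.getFormat().equals(SignedDoc.FORMAT_DIGIDOC_XML) && !signedDoc.getFormat().equals(SignedDoc.FORMAT_SK_XML)) || (reference.getUri().indexOf("-MIME") == -1 && reference.getUri().indexOf("-SignedProperties") == -1)))) {
                    boolean z3 = false;
                    for (int i4 = 0; i4 < signedDoc.countDataFiles(); i4++) {
                        DataFile dataFile2 = signedDoc.getDataFile(i4);
                        String fileName = dataFile2.getFileName();
                        // Reduce a path to its base name. The null check has to cover both separator
                        // tests; previously the backslash test ran on a null name and threw.
                        if (fileName != null && (fileName.indexOf('/') != -1 || fileName.indexOf('\\') != -1)) {
                            fileName = new File(fileName).getName();
                        }
                        if (reference.getUri() != null) {
                            if ((signedDoc.getFormat().equals(SignedDoc.FORMAT_DIGIDOC_XML) || signedDoc.getFormat().equals(SignedDoc.FORMAT_SK_XML)) && reference.getUri().startsWith("#") && dataFile2.getId().equals(reference.getUri().substring(1))) {
                                z3 = true;
                            }
                            // NOTE(review): for BDOC this is a substring test, so a Reference URI that
                            // merely contains a data file's base name counts as covered. An exact
                            // comparison would be stricter; the URI encoding rules are not visible
                            // here, so the test is unchanged apart from the null guard.
                            if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && fileName != null && reference.getUri().indexOf(fileName) != -1) {
                                z3 = true;
                            }
                        }
                    }
                    if (!z3) {
                        if (m_logger.isInfoEnabled()) {
                            m_logger.info("Missing DataFile for signature: " + signature.getId() + " reference " + reference.getUri());
                        }
                        list.add(new DigiDocException(81, "Missing DataFile for signature: " + signature.getId() + " reference " + reference.getUri(), null));
                    }
                }
            }
        }
        // 3. BDOC: every non-fragment Reference needs a DataObjectFormat element.
        if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) {
            for (int i5 = 0; i5 < signature.getSignedInfo().countReferences(); i5++) {
                Reference reference2 = signature.getSignedInfo().getReference(i5);
                if (!reference2.getUri().startsWith("#") && signature.getSignedInfo().getDataObjectFormatForReference(reference2) == null) {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("No DataObjectFormat element for Reference: " + reference2.getId());
                    }
                    list.add(new DigiDocException(30, "No DataObjectFormat element for Reference: " + reference2.getId(), null));
                }
            }
        }
        // 4. Signed-properties hash. For SK-XML it is not checked and z2 keeps the result of the
        //    last data file (false when the container has no data files).
        if (!signedDoc.getFormat().equals(SignedDoc.FORMAT_SK_XML)) {
            z2 = verifySignedPropretiesHash(signature, list);
        }
        if (!z2) {
            z = false;
        }
        // 5. Remaining checks all run, so the list collects every failure rather than the first.
        if (!verifySignatureValue(signedDoc, signature, list)) {
            z = false;
        }
        if (!verifySigningTime(signature, list)) {
            z = false;
        }
        if (!verifySignersCerificate(signature, list)) {
            z = false;
        }
        if (signedDoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && !verifySignaturePolicies(signedDoc, signature, list)) {
            z = false;
        }
        if ((signedDoc.getFormat().equals(SignedDoc.FORMAT_SK_XML) || signedDoc.getFormat().equals(SignedDoc.FORMAT_DIGIDOC_XML) || (signature.getProfile() != null && (signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TM) || signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TMA) || signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TS) || signature.getProfile().equals(SignedDoc.BDOC_PROFILE_TSA)))) && !verifySignatureOCSP(signature, list)) {
            z = false;
        }
        return z;
    }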

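    /**
     * Checks the signature policy identifier of a signature: the policy must be identified
     * by an {@code OIDAsURN} qualifier whose URI equals {@code DigiDocGenFactory.BDOC_210_OID},
     * should carry a policy digest and must carry at least one non-blank {@code SpUri}
     * qualifier.
     *
     * <p>The policy digest is read once before logging, so the result does not depend on the
     * configured log level. The debug lines are guarded by {@code isDebugEnabled()} to match
     * the level they are emitted at.
     *
     * <p>NOTE(review): a missing or empty policy digest adds {@code ERR_NONCE_POLICY_HASH} to
     * {@code list} but does not clear the result, so the method can return {@code true} with
     * that error recorded. The digest is only checked for presence here and is not compared
     * with a known policy document hash. Callers must inspect the list; confirm whether this
     * is intended.
     *
     * @param signedDoc container the signature belongs to (used for logging only)
     * @param signature signature whose signed properties are inspected; must not be {@code null}
     * @param list receives {@code DigiDocException} entries describing failures
     * @return {@code true} only if the expected policy OID and a policy URI are present
     */
    public static boolean verifySignaturePolicies(SignedDoc signedDoc, Signature signature, List list) {
        boolean z = false;
        if (m_logger.isDebugEnabled()) {
            m_logger.debug("Check signature: " + signature.getId() + " profile: " + signature.getProfile() + " format: " + signedDoc.getFormat() + " policies");
        }
        try {
            if (signature.getSignedProperties() == null || signature.getSignedProperties().getSignaturePolicyIdentifier() == null || signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId() == null || signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().getSigPolicyId() == null || signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().getSigPolicyId().getIdentifier() == null) {
                if (m_logger.isDebugEnabled()) {
                    m_logger.debug("No signature policy for sig: " + signature.getId());
                }
                list.add(new DigiDocException(DigiDocException.ERR_POLICY_NONE, "Signature: " + signature.getId() + " has no policy!", null));
            } else {
                Identifier identifier = signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().getSigPolicyId().getIdentifier();
                byte[] policyDigest = signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().getDigestValue();
                boolean hasPolicyDigest = policyDigest != null && policyDigest.length > 0;
                if (m_logger.isDebugEnabled()) {
                    // Encode only a present digest, so the log line cannot fail before the check below.
                    m_logger.debug("Signature: " + signature.getId() + " has policy: " + identifier.getQualifier() + " uri: " + identifier.getUri() + " hash: " + (hasPolicyDigest ? Base64Util.encode(policyDigest) : "NULL"));
                }
                // A null qualifier or URI throws here and is reported by the catch below.
                if (identifier.getQualifier().equals(Identifier.OIDAsURN) && identifier.getUri().equals(DigiDocGenFactory.BDOC_210_OID)) {
                    z = true;
                    if (!hasPolicyDigest) {
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Signature: " + signature.getId() + " has no signature policy hash");
                        }
                        list.add(new DigiDocException(DigiDocException.ERR_NONCE_POLICY_HASH, "Signature: " + signature.getId() + " has invalid signature policy hash", null));
                    }
                    boolean z2 = false;
                    for (int i = 0; i < signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().countSigPolicyQualifiers(); i++) {
                        SigPolicyQualifier sigPolicyQualifier = signature.getSignedProperties().getSignaturePolicyIdentifier().getSignaturePolicyId().getSigPolicyQualifier(i);
                        if (sigPolicyQualifier instanceof SpUri) {
                            SpUri spUri = (SpUri) sigPolicyQualifier;
                            if (spUri.getUri() != null && spUri.getUri().trim().length() > 0) {
                                z2 = true;
                            }
                        }
                    }
                    if (!z2) {
                        z = false;
                        if (m_logger.isDebugEnabled()) {
                            m_logger.debug("Signature: " + signature.getId() + " has no signature policy uri!");
                        }
                        list.add(new DigiDocException(DigiDocException.ERR_NONCE_POLICY_URL, "Signature: " + signature.getId() + " has no nonce policy uri!", null));
                    }
                } else {
                    if (m_logger.isDebugEnabled()) {
                        m_logger.debug("Signature: " + signature.getId() + " has unknown policy: " + identifier.getQualifier() + " uri: " + identifier.getUri());
                    }
                    list.add(new DigiDocException(DigiDocException.ERR_NONCE_POLICY_OID, "Signature: " + signature.getId() + " has unknown policy: " + identifier.getQualifier() + " uri: " + identifier.getUri(), null));
                }
            }
        } catch (Exception e) {
            if (m_logger.isDebugEnabled()) {
                m_logger.debug("Failed to verify sig policies: " + signature.getId() + " - " + e);
            }
            list.add(new DigiDocException(DigiDocException.ERR_POLICY_NONE, "Failed to verify sig policies: " + signature.getId() + " - " + e, null));
            z = false;
        }
        return z;
    }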

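    /**
     * Splits a distinguished-name string into {@code Rdn} entries using {@code c} as the
     * separator between RDNs and {@code '='} between attribute id and value.
     *
     * <p>Limits of this parser, relevant because the result is used to compare issuer names:
     * <ul>
     *   <li>A separator or {@code '='} is treated as escaped only when the character directly
     *       before it is a backslash; an escaped backslash followed by a separator is not
     *       recognised.</li>
     *   <li>Escape characters are kept in the parsed id and value as written.</li>
     *   <li>Quoted values and multi-valued RDNs joined with {@code '+'} get no special
     *       handling.</li>
     *   <li>Entries with an empty id or an empty value are dropped.</li>
     * </ul>
     *
     * <p>A trailing unescaped separator is no longer appended to the last value, so
     * {@code "CN=a,"} yields the value {@code "a"} rather than {@code "a,"}.
     *
     * @param str DN string to parse; {@code null} yields an empty list
     * @param c separator character between RDNs
     * @return list of {@code Rdn} objects with trimmed id and value, in input order
     */
    private static List findRdns(String str, char c) {
        ArrayList arrayList = new ArrayList();
        if (str == null) {
            return arrayList;
        }
        StringBuffer id = new StringBuffer();
        StringBuffer value = new StringBuffer();
        boolean inId = true;
        int last = str.length() - 1;
        for (int i = 0; i <= last; i++) {
            char charAt = str.charAt(i);
            boolean escaped = i > 0 && str.charAt(i - 1) == '\\';
            boolean separator = charAt == c && !escaped;
            if (separator || i == last) {
                // The final character belongs to the value unless it is itself a separator.
                if (i == last && !inId && !separator) {
                    value.append(charAt);
                }
                if (id.length() > 0 && value.length() > 0) {
                    arrayList.add(new Rdn(id.toString().trim(), null, value.toString().trim()));
                }
                id = new StringBuffer();
                value = new StringBuffer();
                inId = true;
            } else if (charAt == '=' && !escaped) {
                inId = false;
            } else if (inId) {
                id.append(charAt);
            } else {
                value.append(charAt);
            }
        }
        return arrayList;
    }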

    /**
     * Parses a distinguished-name string into a list of {@code Rdn} entries.
     *
     * <p>The string is first split on {@code ','}. When that yields fewer than three RDNs it
     * is parsed again with {@code '/'} as the separator and that second result is returned,
     * whatever its size. A comma-separated DN with only one or two RDNs is therefore re-read
     * as slash-separated.
     *
     * @param str DN string to parse
     * @return the parsed RDN list
     */
    public static List parseDN(String str) {
        List commaSeparated = findRdns(str, ',');
        return commaSeparated.size() >= 3 ? commaSeparated : findRdns(str, '/');
    }
}
