package se.digg.dgc.signatures.impl;

import com.upokecenter.cbor.CBORException;
import java.security.SignatureException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import se.digg.dgc.signatures.CertificateProvider;
import se.digg.dgc.signatures.DGCSignatureVerifier;
import se.digg.dgc.signatures.cose.CoseSign1_Object;
import se.digg.dgc.signatures.cwt.Cwt;

/* loaded from: input_file:se/digg/dgc/signatures/impl/DefaultDGCSignatureVerifier.class */
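public class DefaultDGCSignatureVerifier implements DGCSignatureVerifier {
    private static final Logger log = LoggerFactory.getLogger(DefaultDGCSignatureVerifier.class);

    /**
     * Fixed point in time used instead of the wall clock when checking the CWT expiration.
     * {@code null} (the default) means {@link Instant#now()} is used. Intended for tests only.
     */
    private Instant testValidationTime;

    /**
     * Verifies the COSE_Sign1 signature over a CWT and returns the DCC payload it carries.
     *
     * <p>The signer certificate is looked up via the supplied {@link CertificateProvider} using the
     * key identifier (kid) and/or issuer (country) found in the signed object. Each candidate
     * certificate is tried in turn; the first one whose public key verifies the signature wins.
     * Only after a successful signature verification are the CWT claims inspected (expiration,
     * presence of the DCC payload), so a claims failure is reported as such and is never retried
     * with another certificate.
     *
     * <p>NOTE(review): the certificate's own validity period ({@code checkValidity()}) is not
     * checked here - presumably the {@link CertificateProvider} only returns currently valid
     * certificates; confirm against the provider implementation in use.
     *
     * @param bArr the CBOR-encoded COSE_Sign1 object
     * @param certificateProvider source of candidate signer certificates (must not be {@code null})
     * @return the verification result holding the DCC payload and the certificate that verified it
     * @throws SignatureException if the object cannot be decoded, no certificate can be located,
     *           the signature verifies with none of the candidate certificates, or the CWT holds no
     *           DCC payload
     * @throws CertificateExpiredException if the CWT carries an expiration time that has passed
     * @throws IllegalArgumentException if {@code certificateProvider} is {@code null}
     */
    @Override // se.digg.dgc.signatures.DGCSignatureVerifier
    public DGCSignatureVerifier.Result verify(byte[] bArr, CertificateProvider certificateProvider) throws SignatureException, CertificateExpiredException {
        if (certificateProvider == null) {
            throw new IllegalArgumentException("certificateProvider must be supplied");
        }
        try {
            CoseSign1_Object signedObject = CoseSign1_Object.decode(bArr);
            byte[] keyIdentifier = signedObject.getKeyIdentifier();
            String issuer = signedObject.getCwt().getIssuer();
            if (keyIdentifier == null && issuer == null) {
                throw new SignatureException("Signed object does not contain key identifier or country - cannot find certificate");
            }
            List<X509Certificate> certificates = certificateProvider.getCertificates(issuer, keyIdentifier);
            // A null list from the provider is treated like an empty one rather than surfacing as an NPE.
            if (certificates == null || certificates.isEmpty()) {
                throw new SignatureException("No signer certificates could be found");
            }
            for (X509Certificate certificate : certificates) {
                String subject = certificate.getSubjectX500Principal().getName();
                log.trace("Attempting DCC signature verification using certificate '{}'", subject);
                try {
                    signedObject.verifySignature(certificate.getPublicKey());
                } catch (CBORException | SignatureException e) {
                    // Only the signature check itself is retried with the next candidate certificate.
                    log.info("DGC signature verification failed using certificate '{}' - {}", subject, e.getMessage(), e);
                    continue;
                }
                log.debug("DCC signature verification succeeded using certificate '{}'", subject);
                // Claims are checked outside the retry loop: a verified-but-expired or payload-less CWT
                // is a final failure, not a reason to try another certificate.
                return checkClaimsAndBuildResult(signedObject.getCwt(), certificate, keyIdentifier, issuer);
            }
            throw new SignatureException("Signature verification failed for all attempted certificates");
        } catch (CBORException e2) {
            throw new SignatureException("Invalid signature - " + e2.getMessage(), e2);
        }
    }

    /**
     * Validates the CWT claims of an already signature-verified object and assembles the result.
     *
     * @param cwt the CWT whose signature has been verified
     * @param certificate the certificate that verified the signature
     * @param keyIdentifier the kid from the signed object (may be {@code null})
     * @param issuer the issuer (country) claim from the CWT (may be {@code null})
     * @return the verification result
     * @throws CertificateExpiredException if the exp claim is present and lies in the past
     * @throws SignatureException if the CWT carries no DCC v1 payload
     */
    private DGCSignatureVerifier.Result checkClaimsAndBuildResult(Cwt cwt, X509Certificate certificate, byte[] keyIdentifier, String issuer)
            throws SignatureException, CertificateExpiredException {
        Instant expiration = cwt.getExpiration();
        if (expiration == null) {
            // A missing exp claim is accepted; this is deliberate, so it is logged at warn level only.
            log.warn("Signed HCERT did not contain an expiration time - assuming it is valid");
        } else if (getNow().isAfter(expiration)) {
            throw new CertificateExpiredException("Signed DCC has expired");
        }
        byte[] dgcV1 = cwt.getDgcV1();
        if (dgcV1 == null) {
            throw new SignatureException("No DCC payload available in CWT");
        }
        return new DGCSignatureVerifier.Result(dgcV1, certificate, keyIdentifier, issuer, cwt.getIssuedAt(), expiration);
    }

    /**
     * Returns the instant used as "now" for the expiration check.
     *
     * @return {@link Instant#now()}, or the configured test time when one has been set
     */
    private Instant getNow() {
        if (this.testValidationTime == null) {
            return Instant.now();
        }
        // Loud on purpose: simulated time must never go unnoticed outside a test run.
        log.warn("{} is in test mode - using simulated time for now: {}", getClass().getSimpleName(), this.testValidationTime);
        return this.testValidationTime;
    }

    /**
     * Sets a simulated "now" for the expiration check. For tests only; passing {@code null}
     * restores wall-clock time. Every verification performed while a test time is set logs a
     * warning.
     *
     * @param instant the simulated current time, or {@code null} to use the system clock
     */
    public void setTestValidationTime(Instant instant) {
        this.testValidationTime = instant;
    }
}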
