package net.netca.pki.impl.jce;

import java.util.ArrayList;
import java.util.Date;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.asn1.ASN1Object;
import net.netca.pki.encoding.asn1.ASN1TypeManager;
import net.netca.pki.encoding.asn1.Sequence;
import net.netca.pki.encoding.asn1.SetOf;
import net.netca.pki.encoding.asn1.Unknown;
import net.netca.pki.encoding.asn1.pki.AlgorithmIdentifier;
import net.netca.pki.encoding.asn1.pki.Attribute;
import net.netca.pki.encoding.asn1.pki.Attributes;
import net.netca.pki.encoding.asn1.pki.JCEHasher;
import net.netca.pki.encoding.asn1.pki.JCEVerifier;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.asn1.pki.cms.SignedData;
import net.netca.pki.encoding.asn1.pki.cms.SignerInfo;
import net.netca.pki.encoding.asn1.pki.cms.SigningCertificateV2;
import net.netca.pki.global.ISignedDataVerify;

/* loaded from: classes3.dex */
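public class JCESignedDataVerify implements ISignedDataVerify {
    /** Identifier {@link #getCryptoHashAlgo} returns for the SHA-1 OID. */
    private static final int HASH_ALGO_SHA1 = 8192;
    /** Sentinel returned by the lookup helpers when an algorithm is not recognised. */
    private static final int ALGO_UNKNOWN = -1;

    private final SignedDataVerifyInfo info;
    private final JCEPki pki;
    // Last message handed to verify(). It is assigned BEFORE the checks run, so it is
    // non-null even when verify() threw; see the notes on verify() and getSignCert().
    private SignedData signedData;
    // Extra certificates supplied by the caller; handed to SignedData.verify() for every signer.
    private final ArrayList<X509Certificate> certs = new ArrayList<>();
    // Time returned by the time-stamp check of signer #0, or null when none was returned.
    private Date tsaTime = null;

    /**
     * Creates a verifier bound to a provider and a verification policy.
     *
     * @param jCEPki provider passed on to the time-stamp helpers and to returned certificates
     * @param signedDataVerifyInfo policy (content-info constraint, acceptable algorithms,
     *        signing-certificate attribute requirements) read by {@link #verify}
     */
    public JCESignedDataVerify(JCEPki jCEPki, SignedDataVerifyInfo signedDataVerifyInfo) {
        this.info = signedDataVerifyInfo;
        this.pki = jCEPki;
    }

    /**
     * Checks that every signer certificate is inside its validity period.
     *
     * <p>Signer #0 is checked at {@code date} (the time-stamp time) when one is given and at
     * the current time otherwise. All other signers are always checked at the current time,
     * because only signer #0's time stamp is evaluated by {@link #verify}.
     *
     * @param date time to evaluate signer #0 at, or {@code null} for "now"
     * @throws PkiException if any signer certificate is outside its validity period
     */
    private void checkValidity(Date date) throws PkiException {
        Date now = new Date();
        Date firstSignerTime = (date != null) ? date : now;
        int signerCount = this.signedData.getSignerInfoCount();
        if (!isInValidity(this.signedData.getSignCert(0), firstSignerTime)) {
            throw new PkiException("sign cert not in validity");
        }
        for (int i = 1; i < signerCount; i++) {
            if (!isInValidity(this.signedData.getSignCert(i), now)) {
                throw new PkiException("sign cert not in validity");
            }
        }
    }

    /**
     * Maps a digest algorithm OID to the integer hash identifier that the policy lists
     * (for example {@code acceptableSigningCertHashAlgo}) are compared against.
     *
     * @param algorithmIdentifier digest algorithm to look up
     * @return the hash identifier, or {@code -1} when the OID is not recognised
     * @throws PkiException declared for callers; not thrown by the visible code
     */
    public static int getCryptoHashAlgo(AlgorithmIdentifier algorithmIdentifier) throws PkiException {
        String oid = algorithmIdentifier.getOid();
        // NOTE(review): SHA-224 is reported with the same identifier as SHA-1. Every other
        // digest here has its own value, so this looks unintended; a policy list therefore
        // cannot accept SHA-224 without also accepting SHA-1. Confirm against the provider's
        // hash constants before relying on it.
        if (oid.equals(AlgorithmIdentifier.SHA1_OID) || oid.equals(AlgorithmIdentifier.SHA224_OID)) {
            return HASH_ALGO_SHA1;
        }
        if (oid.equals(AlgorithmIdentifier.SHA256_OID)) {
            return 16384;
        }
        if (oid.equals(AlgorithmIdentifier.SHA384_OID)) {
            return 20480;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_OID)) {
            return 24576;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_224_OID)) {
            return 32768;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_256_OID)) {
            return 36864;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_224_OID)) {
            return 40960;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_256_OID)) {
            return 45056;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_384_OID)) {
            return 49152;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_512_OID)) {
            return 53248;
        }
        if (oid.equals(AlgorithmIdentifier.SM3_OID)) {
            return 28672;
        }
        return ALGO_UNKNOWN;
    }

    /**
     * Returns the hash identifier used by the first certificate entry of the signer's
     * SigningCertificateV2 signed attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return the hash identifier, or {@code -1} when there are no signed attributes, the
     *         attribute is absent, it does not hold exactly one value, the value is not a
     *         sequence, or the digest OID is not recognised
     * @throws PkiException if decoding the attribute fails
     */
    public static int getSigningCertV2HashAlgo(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return ALGO_UNKNOWN;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            Attribute attribute = signedAttrs.get(i);
            if (!attribute.getType().equals(Attribute.SIGNING_CERTIFICATE_V2)) {
                continue;
            }
            SetOf values = attribute.getValue();
            if (values.size() != 1) {
                return ALGO_UNKNOWN;
            }
            ASN1Object value = values.get(0);
            if (value instanceof Unknown) {
                value = ((Unknown) value).to(ASN1TypeManager.getInstance().get("SigningCertificateV2"));
            }
            // Re-check after the conversion as well: the attribute comes from the message, so
            // a value that did not decode to a sequence is reported as "unknown" instead of
            // surfacing as a ClassCastException.
            if (!(value instanceof Sequence)) {
                return ALGO_UNKNOWN;
            }
            // NOTE(review): assumes the certs list has at least one entry; confirm that
            // SigningCertificateV2 rejects an empty list while decoding.
            return getCryptoHashAlgo(new SigningCertificateV2((Sequence) value).getCerts().get(0).getHashAlgorithm());
        }
        return ALGO_UNKNOWN;
    }

    /**
     * Tells whether the signer carries a SigningCertificate (v1) signed attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return {@code true} if the attribute is present; {@code false} otherwise, including
     *         when the signer has no signed attributes
     * @throws PkiException if reading the attributes fails
     */
    public static boolean hasSigningCertAttribute(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return false;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            if (signedAttrs.get(i).getType().equals(Attribute.SIGNING_CERTIFICATE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the signer carries a SigningCertificateV2 signed attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return {@code true} if the attribute is present; {@code false} otherwise, including
     *         when the signer has no signed attributes
     * @throws PkiException if reading the attributes fails
     */
    public static boolean hasSigningCertAttributeV2(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return false;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            if (signedAttrs.get(i).getType().equals(Attribute.SIGNING_CERTIFICATE_V2)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether {@code date} lies within the certificate's notBefore/notAfter window,
     * both bounds inclusive.
     */
    private boolean isInValidity(X509Certificate x509Certificate, Date date) throws PkiException {
        return !date.before(x509Certificate.getNotBefore()) && !date.after(x509Certificate.getNotAfter());
    }

    /**
     * Tells whether a signature algorithm is one of the accepted algorithm identifiers.
     *
     * @param algorithmIdentifier signature algorithm found in the message
     * @param iArr accepted algorithm identifiers; must not be {@code null}
     * @return {@code true} if the algorithm is recognised and listed, {@code false} otherwise
     * @throws PkiException if the algorithm lookup fails
     */
    public static boolean matchSignatureAlgo(AlgorithmIdentifier algorithmIdentifier, int[] iArr) throws PkiException {
        int signatureAlgo = JCEPki.getCryptoSignatureAlgo(algorithmIdentifier);
        if (signatureAlgo == ALGO_UNKNOWN) {
            // An unrecognised algorithm is never acceptable, even if -1 appears in the list.
            return false;
        }
        for (int accepted : iArr) {
            if (accepted == signatureAlgo) {
                return true;
            }
        }
        return false;
    }

    /**
     * Applies the policy in {@code signedDataVerifyInfo} to one signer.
     *
     * <p>A {@code null} or empty {@code acceptableAlgos} / {@code acceptableSigningCertHashAlgo}
     * list means "no restriction" for that check. {@code hasSigningCertAttribute} is
     * three-valued: {@code TRUE} requires a SigningCertificate or SigningCertificateV2
     * attribute, {@code FALSE} forbids both, {@code null} accepts either case.
     *
     * @param signerInfo signer to check
     * @param signedDataVerifyInfo policy to enforce
     * @throws PkiException if the signer violates the policy
     */
    public static void matchSignerInfo(SignerInfo signerInfo, SignedDataVerifyInfo signedDataVerifyInfo) throws PkiException {
        int[] acceptableSignAlgos = signedDataVerifyInfo.acceptableAlgos;
        if (acceptableSignAlgos != null && acceptableSignAlgos.length > 0) {
            AlgorithmIdentifier signAlgo = signerInfo.getTrueSignatureAlgorithm();
            if (!matchSignatureAlgo(signAlgo, acceptableSignAlgos)) {
                throw new PkiException("unsupport sign algo " + signAlgo.getOid());
            }
        }

        Boolean attrRequired = signedDataVerifyInfo.hasSigningCertAttribute;
        if (attrRequired == null || attrRequired.booleanValue()) {
            int[] acceptableHashes = signedDataVerifyInfo.acceptableSigningCertHashAlgo;
            if (acceptableHashes != null && acceptableHashes.length > 0) {
                // The v1 attribute binds the certificate with SHA-1 only, so it is acceptable
                // only when the policy lists the SHA-1 identifier.
                if (hasSigningCertAttribute(signerInfo) && !matchSigningCertHashAlgo(HASH_ALGO_SHA1, acceptableHashes)) {
                    throw new PkiException("signingcert attribute unacceptable");
                }
                // Enforce the same policy on the v2 attribute. Previously the presence check
                // was called and its result discarded, so a v2 attribute using a digest
                // outside the accepted list passed. Unknown digests (-1) are rejected too.
                if (hasSigningCertAttributeV2(signerInfo)
                        && !matchSigningCertHashAlgo(getSigningCertV2HashAlgo(signerInfo), acceptableHashes)) {
                    throw new PkiException("signingcertv2 attribute unacceptable");
                }
            }
        } else {
            if (hasSigningCertAttribute(signerInfo)) {
                throw new PkiException("has signingcert attribute");
            }
            if (hasSigningCertAttributeV2(signerInfo)) {
                throw new PkiException("has signingcertv2 attribute");
            }
        }

        if (attrRequired != null && attrRequired.booleanValue()
                && !hasSigningCertAttribute(signerInfo) && !hasSigningCertAttributeV2(signerInfo)) {
            throw new PkiException("no signingcert attribute and signingcertv2 attribute");
        }
    }

    /**
     * Tells whether a hash identifier is one of the accepted identifiers.
     *
     * @param i2 hash identifier, or {@code -1} for "unknown"
     * @param iArr accepted hash identifiers; must not be {@code null}
     * @return {@code true} if {@code i2} is known and listed, {@code false} otherwise
     * @throws PkiException declared for callers; not thrown by the visible code
     */
    public static boolean matchSigningCertHashAlgo(int i2, int[] iArr) throws PkiException {
        if (i2 == ALGO_UNKNOWN) {
            return false;
        }
        for (int accepted : iArr) {
            if (accepted == i2) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds a certificate to the set handed to the signature check. The certificate is
     * re-decoded from its DER encoding, so later changes to the argument have no effect.
     *
     * <p>NOTE(review): presumably these are candidates for locating signer certificates,
     * not trust anchors; nothing in this class treats them as trusted.
     */
    @Override
    public void addCert(net.netca.pki.global.X509Certificate x509Certificate) throws PkiException {
        this.certs.add(new X509Certificate(x509Certificate.derEncode()));
    }

    /**
     * Attaches a signature time stamp to the current message and returns the re-encoded
     * message, keeping the ContentInfo wrapping the message reports for itself.
     *
     * <p>The guard only checks that {@link #verify} was called, not that it succeeded:
     * {@code signedData} is assigned before the checks run. Callers should only invoke this
     * after {@code verify} returned normally.
     *
     * @return the encoded SignedData with the time stamp attached
     * @throws PkiException if {@code verify} was never called or the time stamp cannot be attached
     */
    @Override
    public byte[] attachSignatureTimeStamp() throws PkiException {
        SignedData current = this.signedData;
        if (current == null) {
            throw new PkiException("must verify first");
        }
        this.tsaTime = JCESignedDataDetachedSign.attachSignatureTimeStamp(this.pki, current);
        return current.encode(current.isContentInfo());
    }

    /**
     * Returns the certificate of signer #0 only, or {@code null} when no message has been
     * parsed or the message yields no certificate for that signer.
     *
     * <p>The value is available even after {@link #verify} threw, in which case it comes
     * from a message that failed verification. No chain or revocation check is visible in
     * this class, so the returned certificate must not be treated as trusted on its own.
     */
    @Override
    public net.netca.pki.global.X509Certificate getSignCert() throws PkiException {
        SignedData current = this.signedData;
        if (current == null) {
            return null;
        }
        X509Certificate signCert = current.getSignCert(0);
        if (signCert == null) {
            return null;
        }
        return new JCEX509Certificate(this.pki, signCert.derEncode());
    }

    /**
     * Returns the time obtained from the last time-stamp verification or attachment, or
     * {@code null} when there is none. A failed {@link #verify} does not reset this value.
     */
    @Override
    public Date getSignatureTimeStampTime() throws PkiException {
        return this.tsaTime;
    }

    /**
     * Returns the number of signers in the current message, or {@code -1} when
     * {@link #verify} has not been called yet.
     */
    public int getSignerCount() throws PkiException {
        SignedData current = this.signedData;
        if (current == null) {
            return -1;
        }
        return current.getSignerInfoCount();
    }

    /**
     * Parses an attached (non-detached) CMS SignedData message, verifies every signer and
     * returns the encapsulated content.
     *
     * <p>Checks performed, in order: the message is not detached and has at least one signer;
     * the ContentInfo constraint of the policy, when set; the signature of every signer; the
     * per-signer policy via {@link #matchSignerInfo}; the signature time stamp of signer #0;
     * the validity period of every signer certificate.
     *
     * <p>Not performed here: certification-path building, trust-anchor and revocation checks.
     * NOTE(review): unless the called helpers do this internally, callers must validate the
     * signer certificate themselves before trusting the returned content.
     *
     * @param bArr buffer holding the encoded message
     * @param i2 passed to the SignedData decoder (presumably the offset into {@code bArr})
     * @param i3 passed to the SignedData decoder (presumably the length of the encoding)
     * @return the signed content carried inside the message
     * @throws PkiException if decoding fails or any check above fails
     */
    @Override
    public byte[] verify(byte[] bArr, int i2, int i3) throws PkiException {
        // Assigned before any check, so a failed verify() leaves this unverified message
        // reachable through getSignCert(), getSignerCount() and attachSignatureTimeStamp().
        this.signedData = new SignedData(bArr, i2, i3);
        if (this.signedData.isDetached()) {
            throw new PkiException("signeddata is detached");
        }
        int signerCount = this.signedData.getSignerInfoCount();
        if (signerCount == 0) {
            throw new PkiException("no signerinfo");
        }
        Boolean expectContentInfo = this.info.isContentInfo;
        if (expectContentInfo != null && this.signedData.isContentInfo() != expectContentInfo.booleanValue()) {
            throw new PkiException("signeddata break contentinfo constraint");
        }

        JCEHasher hasher = new JCEHasher();
        JCEVerifier verifier = new JCEVerifier();
        for (int i = 0; i < signerCount; i++) {
            // A fresh iterator per signer so that every signer sees all supplied certificates.
            if (!this.signedData.verify(i, verifier, hasher, this.certs.iterator())) {
                throw new PkiException("verify signerinfo #" + i + " fail");
            }
        }

        ArrayList<SignerInfo> signerInfos = this.signedData.getSignerInfos();
        for (int i = 0; i < signerInfos.size(); i++) {
            matchSignerInfo(signerInfos.get(i), this.info);
        }

        // Only signer #0's time stamp is evaluated; checkValidity() uses the current time
        // for every other signer.
        Date timeStampTime = JCESignedDataDetachedVerify.verifySignatureTimeStamp(this.pki, this.signedData.getSignerInfos().get(0));
        this.tsaTime = timeStampTime;
        checkValidity(timeStampTime);
        return this.signedData.getEncapContentInfo().getTbs();
    }
}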
