package net.netca.pki.impl.jce;

import java.util.ArrayList;
import java.util.Date;
import net.netca.pki.Hash;
import net.netca.pki.PkiException;
import net.netca.pki.encoding.asn1.ASN1Object;
import net.netca.pki.encoding.asn1.ASN1TypeManager;
import net.netca.pki.encoding.asn1.Sequence;
import net.netca.pki.encoding.asn1.SetOf;
import net.netca.pki.encoding.asn1.Unknown;
import net.netca.pki.encoding.asn1.pki.AlgorithmIdentifier;
import net.netca.pki.encoding.asn1.pki.Attribute;
import net.netca.pki.encoding.asn1.pki.Attributes;
import net.netca.pki.encoding.asn1.pki.JCEHasher;
import net.netca.pki.encoding.asn1.pki.JCEVerifier;
import net.netca.pki.encoding.asn1.pki.X509Certificate;
import net.netca.pki.encoding.asn1.pki.cms.SignedData;
import net.netca.pki.encoding.asn1.pki.cms.SignerInfo;
import net.netca.pki.encoding.asn1.pki.cms.SigningCertificateV2;
import net.netca.pki.global.ISignedDataVerify;

/* loaded from: classes3.dex */
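/**
 * JCE-backed verifier for attached (non-detached) CMS SignedData.
 *
 * <p>What this class checks, as far as the code here shows: the signature of every
 * SignerInfo, the caller's policy in {@link SignedDataVerifyInfo} (acceptable signature
 * algorithms, presence and hash algorithm of the ESS signing-certificate attributes,
 * ContentInfo wrapping), the signature time stamp of the first SignerInfo, and the
 * notBefore/notAfter window of each signing certificate.
 *
 * <p>NOTE(review): no certification-path building, trust-anchor check or revocation check
 * is visible in this class. Callers presumably have to validate the certificate returned
 * by {@link #getSignCert()} themselves - confirm against the callers.
 *
 * <p>NOTE(review): {@link #verify(byte[], int, int)} stores the parsed structure in
 * {@code signedData} before any check has run and does not clear it when a check fails.
 * After a failed {@code verify}, {@link #getSignCert()}, {@link #getSignerCount()} and
 * {@link #attachSignatureTimeStamp()} therefore operate on data that did not verify.
 * Treat their results as untrusted unless the last {@code verify} call returned normally.
 *
 * <p>Not thread-safe: {@code signedData}, {@code tsaTime} and {@code certs} are mutated
 * without synchronization.
 */
public class JCESignedDataVerify implements ISignedDataVerify {
    private final SignedDataVerifyInfo info;
    private final JCEPki pki;
    private SignedData signedData;
    private final ArrayList<X509Certificate> certs = new ArrayList<>();
    private Date tsaTime = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a verifier bound to a provider and a verification policy.
     *
     * @param jCEPki provider handed to the time-stamp helpers and to returned certificates
     * @param signedDataVerifyInfo policy applied to every SignerInfo during {@code verify}
     */
    public JCESignedDataVerify(JCEPki jCEPki, SignedDataVerifyInfo signedDataVerifyInfo) {
        this.info = signedDataVerifyInfo;
        this.pki = jCEPki;
    }

    /**
     * Checks that every signing certificate is inside its validity period.
     *
     * <p>Only the first signer is evaluated at {@code date} (the verified time-stamp time,
     * when there is one); all other signers are evaluated at the current system time,
     * because only the first SignerInfo's time stamp is verified by {@code verify}.
     *
     * @param date time at which to evaluate the first signing certificate, or {@code null}
     *     to use the current system time
     * @throws PkiException if any signing certificate is outside its validity period
     */
    private void checkValidity(Date date) throws PkiException {
        Date now = new Date();
        Date firstSignerTime = (date != null) ? date : now;
        int signerInfoCount = this.signedData.getSignerInfoCount();
        if (!isInValidity(this.signedData.getSignCert(0), firstSignerTime)) {
            throw new PkiException("sign cert not in validity");
        }
        for (int i = 1; i < signerInfoCount; i++) {
            if (!isInValidity(this.signedData.getSignCert(i), now)) {
                throw new PkiException("sign cert not in validity");
            }
        }
    }

    /**
     * Maps a digest algorithm OID to this library's integer hash algorithm id.
     *
     * @param algorithmIdentifier digest algorithm to map
     * @return the hash algorithm id, or {@code -1} when the OID is not recognised
     */
    static int getCryptoHashAlgo(AlgorithmIdentifier algorithmIdentifier) throws PkiException {
        String oid = algorithmIdentifier.getOid();
        // NOTE(review): SHA-1 and SHA-224 map to the same id. 8192 is also the id that
        // matchSignerInfo uses for the SHA-1 based v1 signing-certificate attribute, so a
        // policy that admits or rejects one of the two algorithms does the same for the
        // other. This may be a decompilation artefact - confirm against the Hash constants.
        if (oid.equals(AlgorithmIdentifier.SHA1_OID) || oid.equals(AlgorithmIdentifier.SHA224_OID)) {
            return 8192;
        }
        if (oid.equals(AlgorithmIdentifier.SHA256_OID)) {
            return Hash.SHA256;
        }
        if (oid.equals(AlgorithmIdentifier.SHA384_OID)) {
            return Hash.SHA384;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_OID)) {
            return Hash.SHA512;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_224_OID)) {
            return 32768;
        }
        if (oid.equals(AlgorithmIdentifier.SHA512_256_OID)) {
            return Hash.SHA512_256;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_224_OID)) {
            return Hash.SHA3_224;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_256_OID)) {
            return Hash.SHA3_256;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_384_OID)) {
            return Hash.SHA3_384;
        }
        if (oid.equals(AlgorithmIdentifier.SHA3_512_OID)) {
            return Hash.SHA3_512;
        }
        if (oid.equals(AlgorithmIdentifier.SM3_OID)) {
            return Hash.SM3;
        }
        return -1;
    }

    /**
     * Returns the hash algorithm id used by the first certificate identifier of the
     * signing-certificate-v2 signed attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return the hash algorithm id, or {@code -1} when there are no signed attributes, the
     *     attribute is absent, it does not hold exactly one value, the value has an
     *     unexpected ASN.1 type, or the algorithm is not recognised
     */
    static int getSigningCertV2HashAlgo(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return -1;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            Attribute attribute = signedAttrs.get(i);
            if (!attribute.getType().equals(Attribute.SIGNING_CERTIFICATE_V2)) {
                continue;
            }
            SetOf value = attribute.getValue();
            if (value.size() != 1) {
                return -1;
            }
            ASN1Object aSN1Object = value.get(0);
            Sequence sequence;
            if (aSN1Object instanceof Unknown) {
                // Not yet decoded: decode it with the registered SigningCertificateV2 type.
                sequence = (Sequence) ((Unknown) aSN1Object).to(ASN1TypeManager.getInstance().get("SigningCertificateV2"));
            } else if (aSN1Object instanceof Sequence) {
                sequence = (Sequence) aSN1Object;
            } else {
                return -1;
            }
            // NOTE(review): get(0) assumes the attribute lists at least one certificate
            // identifier; what the ASN.1 wrapper does for an empty list is not visible here.
            AlgorithmIdentifier hashAlgorithm = new SigningCertificateV2(sequence).getCerts().get(0).getHashAlgorithm();
            if (hashAlgorithm == null) {
                // RFC 5035 declares hashAlgorithm with DEFAULT id-sha256, so DER encoders
                // omit it for SHA-256. This guard covers a wrapper that reports the omitted
                // field as null rather than substituting the default - confirm.
                return Hash.SHA256;
            }
            return getCryptoHashAlgo(hashAlgorithm);
        }
        return -1;
    }

    /**
     * Tells whether the signed attributes contain the (v1) signing-certificate attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return {@code true} if the attribute is present, {@code false} otherwise or when
     *     there are no signed attributes
     */
    static boolean hasSigningCertAttribute(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return false;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            if (signedAttrs.get(i).getType().equals(Attribute.SIGNING_CERTIFICATE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the signed attributes contain the signing-certificate-v2 attribute.
     *
     * @param signerInfo signer whose signed attributes are inspected
     * @return {@code true} if the attribute is present, {@code false} otherwise or when
     *     there are no signed attributes
     */
    static boolean hasSigningCertAttributeV2(SignerInfo signerInfo) throws PkiException {
        Attributes signedAttrs = signerInfo.getSignedAttrs();
        if (signedAttrs == null) {
            return false;
        }
        for (int i = 0; i < signedAttrs.size(); i++) {
            if (signedAttrs.get(i).getType().equals(Attribute.SIGNING_CERTIFICATE_V2)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether {@code date} lies within the certificate's validity period; both the
     * notBefore and the notAfter instant count as valid.
     */
    private boolean isInValidity(X509Certificate x509Certificate, Date date) throws PkiException {
        return !(date.before(x509Certificate.getNotBefore()) || date.after(x509Certificate.getNotAfter()));
    }

    /** Linear membership test shared by the two policy matchers. */
    private static boolean contains(int[] values, int wanted) {
        for (int value : values) {
            if (value == wanted) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether a signature algorithm is on the caller's allow-list.
     *
     * @param algorithmIdentifier signature algorithm taken from the SignerInfo
     * @param iArr acceptable signature algorithm ids; must not be {@code null}
     * @return {@code false} when the algorithm is unknown to {@code JCEPki} or not listed
     */
    static boolean matchSignatureAlgo(AlgorithmIdentifier algorithmIdentifier, int[] iArr) throws PkiException {
        int cryptoSignatureAlgo = JCEPki.getCryptoSignatureAlgo(algorithmIdentifier);
        return cryptoSignatureAlgo != -1 && contains(iArr, cryptoSignatureAlgo);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Enforces the caller's policy on a single SignerInfo.
     *
     * <p>The policy covers the signature algorithm allow-list and the ESS
     * signing-certificate attributes: whether one must or must not be present, and which
     * hash algorithms it may use. This method checks presence and hash algorithm only; it
     * does not compare the certificate hash carried in the attribute with the signing
     * certificate. Whether {@code SignedData.verify} does that is not visible from here.
     *
     * @param signerInfo signer to check
     * @param signedDataVerifyInfo policy; {@code null} or empty arrays disable the
     *     corresponding allow-list, a {@code null} {@code hasSigningCertAttribute} makes
     *     the attribute optional
     * @throws PkiException if the SignerInfo violates the policy
     */
    public static void matchSignerInfo(SignerInfo signerInfo, SignedDataVerifyInfo signedDataVerifyInfo) throws PkiException {
        if (signedDataVerifyInfo.acceptableAlgos != null && signedDataVerifyInfo.acceptableAlgos.length > 0) {
            AlgorithmIdentifier trueSignatureAlgorithm = signerInfo.getTrueSignatureAlgorithm();
            if (!matchSignatureAlgo(trueSignatureAlgorithm, signedDataVerifyInfo.acceptableAlgos)) {
                throw new PkiException("unsupport sign algo " + trueSignatureAlgorithm.getOid());
            }
        }
        if (signedDataVerifyInfo.hasSigningCertAttribute == null || signedDataVerifyInfo.hasSigningCertAttribute.booleanValue()) {
            int[] acceptableHashAlgos = signedDataVerifyInfo.acceptableSigningCertHashAlgo;
            if (acceptableHashAlgos != null && acceptableHashAlgos.length > 0) {
                // The v1 attribute (RFC 2634) always identifies the certificate by its SHA-1
                // hash; 8192 is the id getCryptoHashAlgo returns for the SHA-1 OID.
                if (hasSigningCertAttribute(signerInfo) && !matchSigningCertHashAlgo(8192, acceptableHashAlgos)) {
                    throw new PkiException("signingcert attribute unacceptable");
                }
                // Apply the same allow-list to the v2 attribute. The original code only
                // tested for its presence and discarded the result, so a v2 attribute using
                // a hash algorithm outside the allow-list was accepted.
                if (hasSigningCertAttributeV2(signerInfo)
                        && !matchSigningCertHashAlgo(getSigningCertV2HashAlgo(signerInfo), acceptableHashAlgos)) {
                    throw new PkiException("signingcertv2 attribute unacceptable");
                }
            }
        } else {
            // The policy forbids the attribute in either version.
            if (hasSigningCertAttribute(signerInfo)) {
                throw new PkiException("has signingcert attribute");
            }
            if (hasSigningCertAttributeV2(signerInfo)) {
                throw new PkiException("has signingcertv2 attribute");
            }
        }
        if (signedDataVerifyInfo.hasSigningCertAttribute != null && signedDataVerifyInfo.hasSigningCertAttribute.booleanValue() && !hasSigningCertAttribute(signerInfo) && !hasSigningCertAttributeV2(signerInfo)) {
            throw new PkiException("no signingcert attribute and signingcertv2 attribute");
        }
    }

    /**
     * Tells whether a signing-certificate hash algorithm is on the caller's allow-list.
     *
     * @param i hash algorithm id, or {@code -1} for "unknown", which never matches
     * @param iArr acceptable hash algorithm ids; must not be {@code null}
     */
    static boolean matchSigningCertHashAlgo(int i, int[] iArr) throws PkiException {
        return i != -1 && contains(iArr, i);
    }

    /**
     * Adds a certificate to the list handed to {@code SignedData.verify} during
     * {@link #verify(byte[], int, int)}. The certificate is re-parsed from its DER
     * encoding, so the stored object is independent of the argument.
     */
    @Override // net.netca.pki.global.ISignedDataVerify
    public void addCert(net.netca.pki.global.X509Certificate x509Certificate) throws PkiException {
        this.certs.add(new X509Certificate(x509Certificate.derEncode()));
    }

    /**
     * Attaches a signature time stamp to the structure parsed by the last {@code verify}
     * call and returns the re-encoded SignedData.
     *
     * <p>The guard only checks that {@code verify} has parsed something, not that it
     * succeeded; see the class comment.
     *
     * @return the encoded SignedData, wrapped in ContentInfo if the input was
     * @throws PkiException if {@code verify} has not been called, or time-stamping fails
     */
    @Override // net.netca.pki.global.ISignedDataVerify
    public byte[] attachSignatureTimeStamp() throws PkiException {
        if (this.signedData == null) {
            throw new PkiException("must verify first");
        }
        this.tsaTime = JCESignedDataDetachedSign.attachSignatureTimeStamp(this.pki, this.signedData);
        return this.signedData.encode(this.signedData.isContentInfo());
    }

    /**
     * Returns the first signer's certificate.
     *
     * @return the certificate, or {@code null} when nothing has been parsed yet or the
     *     first signer's certificate is not available
     */
    @Override // net.netca.pki.global.ISignedDataVerify
    public net.netca.pki.global.X509Certificate getSignCert() throws PkiException {
        if (this.signedData == null) {
            return null;
        }
        X509Certificate signCert = this.signedData.getSignCert(0);
        if (signCert == null) {
            return null;
        }
        return new JCEX509Certificate(this.pki, signCert.derEncode());
    }

    /**
     * Returns the time of the first signer's signature time stamp as set by the last
     * {@code verify} or {@code attachSignatureTimeStamp} call; {@code null} before either.
     */
    @Override // net.netca.pki.global.ISignedDataVerify
    public Date getSignatureTimeStampTime() throws PkiException {
        return this.tsaTime;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the number of SignerInfos, or {@code -1} when nothing has been parsed yet. */
    public int getSignerCount() throws PkiException {
        return (this.signedData == null) ? -1 : this.signedData.getSignerInfoCount();
    }

    /**
     * Parses and verifies an attached SignedData and returns its encapsulated content.
     *
     * <p>Order of checks: reject detached or signer-less input, enforce the ContentInfo
     * constraint, verify every SignerInfo's signature, apply the per-signer policy, verify
     * the first signer's signature time stamp, then check certificate validity periods.
     * The content is returned only when all of them pass.
     *
     * @param bArr buffer holding the encoded SignedData
     * @param i passed to the {@code SignedData} parser - presumably the start offset; confirm
     * @param i2 passed to the {@code SignedData} parser - presumably the length; confirm
     * @return the encapsulated content that was signed
     * @throws PkiException if parsing fails or any check fails
     */
    @Override // net.netca.pki.global.ISignedDataVerify
    public byte[] verify(byte[] bArr, int i, int i2) throws PkiException {
        // The field is set before verification; it is not reset when a check below throws.
        this.signedData = new SignedData(bArr, i, i2);
        if (this.signedData.isDetached()) {
            throw new PkiException("signeddata is detached");
        }
        int signerInfoCount = this.signedData.getSignerInfoCount();
        if (signerInfoCount == 0) {
            throw new PkiException("no signerinfo");
        }
        // A non-null policy value means the input must (true) or must not (false) be
        // wrapped in ContentInfo.
        if (this.info.isContentInfo != null
                && this.signedData.isContentInfo() != this.info.isContentInfo.booleanValue()) {
            throw new PkiException("signeddata break contentinfo constraint");
        }
        JCEHasher jCEHasher = new JCEHasher();
        JCEVerifier jCEVerifier = new JCEVerifier();
        for (int signerIndex = 0; signerIndex < signerInfoCount; signerIndex++) {
            if (!this.signedData.verify(signerIndex, jCEVerifier, jCEHasher, this.certs.iterator())) {
                throw new PkiException("verify signerinfo #" + signerIndex + " fail");
            }
        }
        for (SignerInfo signerInfo : this.signedData.getSignerInfos()) {
            matchSignerInfo(signerInfo, this.info);
        }
        // Only the first signer's time stamp is verified; checkValidity falls back to the
        // current time for the first signer when this is null, and always for the others.
        this.tsaTime = JCESignedDataDetachedVerify.verifySignatureTimeStamp(this.pki, this.signedData.getSignerInfos().get(0));
        checkValidity(this.tsaTime);
        return this.signedData.getEncapContentInfo().getTbs();
    }
}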
