package com.ntko.app.pdf.signature;

import com.ntko.app.pdf.signature.cert.CertificateVerificationException;
import com.ntko.app.pdf.signature.cert.CertificateVerifier;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.spongycastle.asn1.ASN1Object;
import org.spongycastle.asn1.cms.Attribute;
import org.spongycastle.asn1.cms.CMSAttributes;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x509.Time;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.cms.CMSException;
import org.spongycastle.cms.CMSProcessableByteArray;
import org.spongycastle.cms.CMSSignedData;
import org.spongycastle.cms.SignerInformation;
import org.spongycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.tsp.TSPException;
import org.spongycastle.tsp.TimeStampToken;
import org.spongycastle.util.CollectionStore;
import org.spongycastle.util.Store;

/* loaded from: classes2.dex */
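/**
 * Checks a CMS/PKCS#7 signature embedded in a PDF and reports each finding on
 * {@code System.out} / {@code System.err}.
 *
 * <p>Security caveat: most negative findings (signature mismatch, certificate outside its
 * validity period, self-signed signer, unknown sub-filter) are only printed. The methods
 * then return normally, so a normal return must not be read as "the signature is trusted".
 *
 * <p>NOTE(review): the constructor and every method are private and no entry point is
 * visible in this file; the caller is presumably elsewhere or was stripped.
 */
public final class ShowSignature {
    static {
        try {
            // Register the project's JCA provider once, when the class is loaded.
            Security.addProvider(SecurityProvider.getProvider());
        } catch (IOException e) {
            // A failed registration is only reported; class loading continues.
            e.printStackTrace();
        }
    }

    private ShowSignature() {
    }

    /**
     * Returns the signature timestamp token stored in the signer's unsigned attributes.
     *
     * @param signerInformation signer whose unsigned attributes are inspected
     * @return the parsed token, or {@code null} when the signer has no unsigned attributes
     *         or no {@code id_aa_signatureTimeStampToken} attribute
     * @throws CMSException if the attribute value is not valid CMS signed data
     * @throws IOException if the attribute value cannot be encoded
     * @throws TSPException if the signed data is not a valid timestamp token
     */
    private TimeStampToken extractTimeStampTokenFromSignerInformation(SignerInformation signerInformation) throws CMSException, IOException, TSPException {
        if (signerInformation.getUnsignedAttributes() == null) {
            return null;
        }
        Attribute tokenAttribute = signerInformation.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (tokenAttribute == null) {
            return null;
        }
        // Only the first attribute value is used.
        ASN1Object tokenValue = (ASN1Object) tokenAttribute.getAttrValues().getObjectAt(0);
        return new TimeStampToken(new CMSSignedData(tokenValue.getEncoded()));
    }

    /**
     * Reads the signed bytes and the signature container of one PDF signature and verifies
     * them according to the signature's sub-filter.
     *
     * @param pDFSignature signature object taken from the document
     * @param fileInputStream stream over the PDF file the signature belongs to
     * @throws IOException if the sub-filter is missing or the signature container is unusable
     * @throws GeneralSecurityException on certificate or digest errors
     * @throws TSPException if an embedded timestamp token is invalid
     * @throws CertificateVerificationException if a certificate chain cannot be verified
     * @throws CMSException if the signature container is not valid CMS
     * @throws OperatorCreationException if a signature verifier cannot be built
     */
    private void showSignature(PDFSignature pDFSignature, FileInputStream fileInputStream) throws IOException, GeneralSecurityException, TSPException, CertificateVerificationException, CMSException, OperatorCreationException {
        byte[] signedContent = pDFSignature.getSignedContent(fileInputStream);
        byte[] contents = pDFSignature.getContents(fileInputStream);
        // A signature without a sign date must not crash here: verifyPKCS7 has an explicit
        // "no signing time" path that reports the condition instead.
        Date signDate = pDFSignature.getSignDate() == null ? null : pDFSignature.getSignDate().getTime();
        String subFilter = pDFSignature.getSubFilter();
        if (subFilter == null) {
            throw new IOException("Missing subfilter for cert dictionary");
        }
        if ("adbe.pkcs7.detached".equals(subFilter) || "ETSI.CAdES.detached".equals(subFilter)) {
            verifyPKCS7(signedContent, contents, signDate);
        } else if ("adbe.pkcs7.sha1".equals(subFilter)) {
            // Here the signature covers the SHA-1 digest of the byte range rather than the
            // bytes themselves. SHA-1 is fixed by this sub-filter; because SHA-1 is no longer
            // collision resistant, a relying party should treat such signatures as legacy.
            Collection<? extends Certificate> embeddedCerts = CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(contents));
            System.out.println("certs=" + Arrays.toString(embeddedCerts.toArray()));
            verifyPKCS7(MessageDigest.getInstance("SHA1").digest(signedContent), contents, signDate);
        } else {
            // Unknown sub-filters are reported and skipped: nothing is verified for them.
            System.err.println("Unknown certificate type: " + subFilter);
        }
    }

    /**
     * Looks up the certificate of the timestamp token's signer among the certificates
     * carried inside the token.
     *
     * @param timeStampToken token to inspect
     * @return the first certificate matching the token's signer id
     * @throws IOException if the token carries no certificate for its signer
     * @throws CertificateException if the certificate cannot be converted
     */
    private X509Certificate timestampSignerCertificate(TimeStampToken timeStampToken) throws CertificateException, IOException {
        Collection<?> candidates = timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
        if (candidates.isEmpty()) {
            // A token may legitimately omit its signer certificate; report that as a
            // signature-format problem instead of failing with NoSuchElementException.
            throw new IOException("Timestamp token signer does not match any certificates");
        }
        return new JcaX509CertificateConverter().getCertificate((X509CertificateHolder) candidates.iterator().next());
    }

    /**
     * Validates the timestamp token against the signer certificate embedded in it.
     *
     * <p>This does not compare the token's message imprint with the signature value, so it
     * does not show that the token was issued for this particular signature.
     *
     * @param timeStampToken token to validate
     * @throws TSPException if validation fails
     * @throws CertificateException if the signer certificate cannot be converted
     * @throws OperatorCreationException if the verifier cannot be built
     * @throws IOException if the provider is unavailable or the token has no signer certificate
     */
    private void validateTimestampToken(TimeStampToken timeStampToken) throws TSPException, CertificateException, OperatorCreationException, IOException {
        X509Certificate tsaCertificate = timestampSignerCertificate(timeStampToken);
        timeStampToken.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(tsaCertificate));
        System.out.println("TimeStampToken validated");
    }

    /**
     * Hands the certificate and every other certificate in the store to
     * {@link CertificateVerifier#verifyCertificate}.
     *
     * @param store certificates shipped with the signature
     * @param x509Certificate certificate to verify; excluded from the additional set
     * @param date point in time passed to the verifier
     * @throws CertificateVerificationException if the verifier rejects the certificate
     * @throws CertificateException if a stored certificate cannot be converted
     */
    private void verifyCertificateChain(Store<X509CertificateHolder> store, X509Certificate x509Certificate, Date date) throws CertificateVerificationException, CertificateException {
        Set<X509Certificate> additionalCerts = new HashSet<X509Certificate>();
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        for (X509CertificateHolder holder : store.getMatches(null)) {
            X509Certificate candidate = converter.getCertificate(holder);
            if (!candidate.equals(x509Certificate)) {
                additionalCerts.add(candidate);
            }
        }
        // The meaning of the boolean flag is defined by CertificateVerifier (not visible here).
        CertificateVerifier.verifyCertificate(x509Certificate, additionalCerts, true, date);
    }

    /**
     * Verifies a CMS signature container against the signed bytes and prints the findings.
     *
     * <p>Only the first signer of the container is examined. A failed cryptographic check,
     * a certificate outside its validity period and a self-signed signer are printed, not
     * thrown. Both {@code date} and the {@code signingTime} attribute are values carried by
     * the signed document itself; the signer's chain is checked at {@code date} even when a
     * validated timestamp token is present.
     *
     * @param bArr signed content (for {@code adbe.pkcs7.sha1}, its SHA-1 digest)
     * @param bArr2 encoded CMS signature container
     * @param date signing time from the signature object, or {@code null} if absent
     * @throws IOException if the container has no certificates, no signers, or no
     *         certificate matching the signer
     * @throws CMSException if the container is not valid CMS
     * @throws OperatorCreationException if a signature verifier cannot be built
     * @throws CertificateVerificationException if a certificate chain cannot be verified
     * @throws GeneralSecurityException on certificate errors
     * @throws TSPException if an embedded timestamp token is invalid
     */
    private void verifyPKCS7(byte[] bArr, byte[] bArr2, Date date) throws CMSException, OperatorCreationException, CertificateVerificationException, GeneralSecurityException, TSPException, IOException {
        CMSSignedData signedData = new CMSSignedData(new CMSProcessableByteArray(bArr), bArr2);
        // Raw Store/HashSet are kept below as in the original; the generic signatures of the
        // crypto library's store API are not visible from this file.
        Store certificates = signedData.getCertificates();
        if (certificates.getMatches(null).isEmpty()) {
            throw new IOException("No certificates in signature");
        }
        Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            throw new IOException("No signers in signature");
        }
        SignerInformation signer = signers.iterator().next();
        Collection<X509CertificateHolder> signerMatches = certificates.getMatches(signer.getSID());
        if (signerMatches.isEmpty()) {
            throw new IOException("Signer '" + signer.getSID().getIssuer() + ", serial# " + signer.getSID().getSerialNumber() + " does not match any certificates");
        }
        X509Certificate signerCertificate = new JcaX509CertificateConverter().getCertificate(signerMatches.iterator().next());
        System.out.println("certFromSignedData: " + signerCertificate);
        SigUtils.checkCertificateUsage(signerCertificate);

        TimeStampToken timeStampToken = extractTimeStampTokenFromSignerInformation(signer);
        if (timeStampToken != null) {
            validateTimestampToken(timeStampToken);
            X509Certificate tsaCertificate = timestampSignerCertificate(timeStampToken);
            // The TSA chain may be completed from either the signature's or the token's certificates.
            HashSet mergedHolders = new HashSet();
            mergedHolders.addAll(certificates.getMatches(null));
            mergedHolders.addAll(timeStampToken.getCertificates().getMatches(null));
            verifyCertificateChain(new CollectionStore(mergedHolders), tsaCertificate, timeStampToken.getTimeStampInfo().getGenTime());
            SigUtils.checkTimeStampCertificateUsage(tsaCertificate);
        }

        // Validity at the sign date from the signature object; outcome is reported only.
        try {
            if (date != null) {
                signerCertificate.checkValidity(date);
                System.out.println("Certificate valid at signing time");
            } else {
                System.err.println("Certificate cannot be verified without signing time");
            }
        } catch (CertificateExpiredException unused) {
            System.err.println("Certificate expired at signing time");
        } catch (CertificateNotYetValidException unused2) {
            System.err.println("Certificate not yet valid at signing time");
        }

        // Validity at the signingTime signed attribute, when present; outcome is reported only.
        if (signer.getSignedAttributes() != null) {
            Attribute signingTimeAttribute = signer.getSignedAttributes().get(CMSAttributes.signingTime);
            if (signingTimeAttribute != null) {
                Time claimedTime = Time.getInstance(signingTimeAttribute.getAttrValues().getObjectAt(0));
                try {
                    signerCertificate.checkValidity(claimedTime.getDate());
                    System.out.println("Certificate valid at signing time: " + claimedTime.getDate());
                } catch (CertificateExpiredException unused3) {
                    System.err.println("Certificate expired at signing time");
                } catch (CertificateNotYetValidException unused4) {
                    System.err.println("Certificate not yet valid at signing time");
                }
            }
        }

        // NOTE(review): a failed cryptographic check is only printed, and processing continues.
        if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(SecurityProvider.getProvider()).build(signerCertificate))) {
            System.out.println("Signature verified");
        } else {
            System.out.println("Signature verification failed");
        }

        if (CertificateVerifier.isSelfSigned(signerCertificate)) {
            // No chain verification is attempted for a self-signed signer; whether to trust
            // it is left entirely to whoever reads the output.
            System.err.println("Certificate is self-signed, LOL!");
            return;
        }
        System.out.println("Certificate is not self-signed");
        if (date != null) {
            verifyCertificateChain(certificates, signerCertificate, date);
        } else {
            System.err.println("Certificate cannot be verified without signing time");
        }
    }
}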
