package sun1.security.pkcs;

import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;
import org.apache.commons.io.IOUtils;
import sun1.misc.HexDumpEncoder;
import sun1.security.timestamp.TimestampToken;
import sun1.security.util.CryptoPrimitive;
import sun1.security.util.Debug;
import sun1.security.util.DerEncoder;
import sun1.security.util.DerInputStream;
import sun1.security.util.DerOutputStream;
import sun1.security.util.DerValue;
import sun1.security.util.DisabledAlgorithmConstraints;
import sun1.security.util.KeyUtil;
import sun1.security.util.ObjectIdentifier;
import sun1.security.x509.AlgorithmId;
import sun1.security.x509.KeyUsageExtension;
import sun1.security.x509.X500Name;

/* loaded from: classes.dex */
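/**
 * A PKCS#7 SignerInfo: identifies a signer by certificate issuer name and
 * serial number, and carries the digest algorithm, the signature algorithm,
 * the signature bytes and the optional authenticated / unauthenticated
 * attribute sets.
 *
 * <p>Security note for callers: {@link #verify(PKCS7, byte[])} checks the
 * signature against the certificate found inside the supplied PKCS7 block and
 * applies the disabled-algorithm, critical-extension and key-usage checks
 * visible below. Nothing in this class builds or validates a certification
 * path to a trust anchor, checks certificate validity dates or consults
 * revocation data; a non-null result therefore means "this signature matches
 * this embedded certificate", not "this signer is trusted".
 */
public class SignerInfo implements DerEncoder {
    // Attributes covered by the signature (encoded with tag 0xA0); may be null.
    PKCS9Attributes authenticatedAttributes;
    // Serial number of the signer's certificate; with issuerName it selects the certificate.
    BigInteger certificateSerialNumber;
    AlgorithmId digestAlgorithmId;
    AlgorithmId digestEncryptionAlgorithmId;
    // The signature value itself.
    byte[] encryptedDigest;
    // Starts true; set to false once getTimestamp() finds no timestamp token,
    // so later calls return without parsing again.
    private boolean hasTimestamp;
    X500Name issuerName;
    // Cached result of getTimestamp().
    Timestamp timestamp;
    // Attributes NOT covered by the signature (encoded with tag 0xA1); may be null.
    PKCS9Attributes unauthenticatedAttributes;
    BigInteger version;
    private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
    private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
    // Algorithm/key policy taken from the property named by PROPERTY_JAR_DISABLED_ALGS.
    private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = new DisabledAlgorithmConstraints(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
    // Null-checked before use in verifyTimestamp().
    private static final Debug debug = Debug.getInstance("jar");

    /**
     * Parses a SignerInfo from DER input, reading the attribute sets normally.
     *
     * @param derInputStream stream positioned at the SignerInfo contents
     * @throws IOException on a DER decoding error
     * @throws ParsingException if data remains after the last expected field
     */
    public SignerInfo(DerInputStream derInputStream) throws IOException, ParsingException {
        this(derInputStream, false);
    }

    /**
     * Parses a SignerInfo from DER input.
     *
     * @param derInputStream stream positioned at the SignerInfo contents
     * @param z when true, each attribute position is consumed with
     *          {@code getSet(0)} and its content is discarded; when false, the
     *          attribute sets are parsed only if their tag byte is present
     * @throws IOException on a DER decoding error
     * @throws ParsingException if data remains after the last expected field
     */
    public SignerInfo(DerInputStream derInputStream, boolean z) throws IOException, ParsingException {
        this.hasTimestamp = true;
        this.version = derInputStream.getBigInteger();

        // issuerAndSerialNumber: a two-element sequence of issuer name and serial.
        DerValue[] issuerAndSerial = derInputStream.getSequence(2);
        // 48 == 0x30, the DER SEQUENCE tag, re-wrapped around the issuer bytes.
        this.issuerName = new X500Name(new DerValue((byte) 48, issuerAndSerial[0].toByteArray()));
        this.certificateSerialNumber = issuerAndSerial[1].getBigInteger();

        this.digestAlgorithmId = AlgorithmId.parse(derInputStream.getDerValue());

        if (z) {
            derInputStream.getSet(0);
        } else if (((byte) derInputStream.peekByte()) == -96) {
            // -96 == (byte) 0xA0: context-specific constructed tag [0].
            this.authenticatedAttributes = new PKCS9Attributes(derInputStream);
        }

        this.digestEncryptionAlgorithmId = AlgorithmId.parse(derInputStream.getDerValue());
        this.encryptedDigest = derInputStream.getOctetString();

        if (z) {
            derInputStream.getSet(0);
        } else if (derInputStream.available() != 0 && ((byte) derInputStream.peekByte()) == -95) {
            // -95 == (byte) 0xA1: context-specific constructed tag [1].
            this.unauthenticatedAttributes = new PKCS9Attributes(derInputStream, true);
        }

        // Reject trailing bytes instead of silently ignoring them.
        if (derInputStream.available() != 0) {
            throw new ParsingException("extra data at the end");
        }
    }

    /**
     * Builds a version-1 SignerInfo with both attribute sets.
     *
     * @param x500Name issuer of the signer's certificate
     * @param bigInteger serial number of the signer's certificate
     * @param algorithmId digest algorithm
     * @param pKCS9Attributes authenticated (signed) attributes, may be null
     * @param algorithmId2 signature ("digest encryption") algorithm
     * @param bArr signature bytes; stored by reference, not copied
     * @param pKCS9Attributes2 unauthenticated attributes, may be null
     */
    public SignerInfo(X500Name x500Name, BigInteger bigInteger, AlgorithmId algorithmId, PKCS9Attributes pKCS9Attributes, AlgorithmId algorithmId2, byte[] bArr, PKCS9Attributes pKCS9Attributes2) {
        this.hasTimestamp = true;
        this.version = BigInteger.ONE;
        this.issuerName = x500Name;
        this.certificateSerialNumber = bigInteger;
        this.digestAlgorithmId = algorithmId;
        this.authenticatedAttributes = pKCS9Attributes;
        this.digestEncryptionAlgorithmId = algorithmId2;
        this.encryptedDigest = bArr;
        this.unauthenticatedAttributes = pKCS9Attributes2;
    }

    /**
     * Builds a version-1 SignerInfo without attribute sets.
     *
     * @param x500Name issuer of the signer's certificate
     * @param bigInteger serial number of the signer's certificate
     * @param algorithmId digest algorithm
     * @param algorithmId2 signature ("digest encryption") algorithm
     * @param bArr signature bytes; stored by reference, not copied
     */
    public SignerInfo(X500Name x500Name, BigInteger bigInteger, AlgorithmId algorithmId, AlgorithmId algorithmId2, byte[] bArr) {
        this.hasTimestamp = true;
        this.version = BigInteger.ONE;
        this.issuerName = x500Name;
        this.certificateSerialNumber = bigInteger;
        this.digestAlgorithmId = algorithmId;
        this.digestEncryptionAlgorithmId = algorithmId2;
        this.encryptedDigest = bArr;
    }

    /**
     * Checks that a timestamp token applies to this signature: its digest
     * algorithm must be permitted by {@code JAR_DISABLED_CHECK}, and its hashed
     * message must equal the digest of {@code encryptedDigest}.
     *
     * @throws NoSuchAlgorithmException if the token's digest algorithm is unavailable
     * @throws SignatureException if the algorithm is disabled or the hash does not match
     */
    private void verifyTimestamp(TimestampToken timestampToken) throws NoSuchAlgorithmException, SignatureException {
        String digestName = AlgorithmId.getStandardDigestName(timestampToken.getHashAlgorithm().getName());
        if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, digestName, null)) {
            throw new SignatureException("Timestamp token digest check failed. Disabled algorithm used: " + digestName);
        }
        // The token must have been issued over THIS signature value; otherwise a
        // timestamp taken from another signature could be attached here.
        byte[] expectedImprint = MessageDigest.getInstance(digestName).digest(this.encryptedDigest);
        if (!Arrays.equals(timestampToken.getHashedMessage(), expectedImprint)) {
            throw new SignatureException("Signature timestamp (#" + timestampToken.getSerialNumber() + ") generated on " + timestampToken.getDate() + " is inapplicable");
        }
        if (debug != null) {
            debug.println();
            debug.println("Detected signature timestamp (#" + timestampToken.getSerialNumber() + ") generated on " + timestampToken.getDate());
            debug.println();
        }
    }

    /**
     * Writes this SignerInfo as a DER SEQUENCE to {@code outputStream}.
     *
     * @throws IOException on an encoding or write error
     */
    @Override // sun1.security.util.DerEncoder
    public void derEncode(OutputStream outputStream) throws IOException {
        DerOutputStream body = new DerOutputStream();
        body.putInteger(this.version);

        // issuerAndSerialNumber ::= SEQUENCE { issuer, serialNumber }
        DerOutputStream issuerAndSerial = new DerOutputStream();
        this.issuerName.encode(issuerAndSerial);
        issuerAndSerial.putInteger(this.certificateSerialNumber);
        body.write((byte) 48, issuerAndSerial);

        this.digestAlgorithmId.encode(body);
        if (this.authenticatedAttributes != null) {
            this.authenticatedAttributes.encode((byte) -96, body); // tag 0xA0
        }
        this.digestEncryptionAlgorithmId.encode(body);
        body.putOctetString(this.encryptedDigest);
        if (this.unauthenticatedAttributes != null) {
            this.unauthenticatedAttributes.encode((byte) -95, body); // tag 0xA1
        }

        DerOutputStream wrapped = new DerOutputStream();
        wrapped.write((byte) 48, body); // outer SEQUENCE (0x30)
        outputStream.write(wrapped.toByteArray());
    }

    /** Same as {@link #derEncode(OutputStream)}, for a {@code DerOutputStream} target. */
    public void encode(DerOutputStream derOutputStream) throws IOException {
        derEncode(derOutputStream);
    }

    /** Returns the authenticated (signed) attributes, or null if there are none. */
    public PKCS9Attributes getAuthenticatedAttributes() {
        return this.authenticatedAttributes;
    }

    /**
     * Looks up the signer's certificate in {@code pkcs7} by serial number and
     * issuer name. The lookup result is returned as-is; this class's own
     * callers treat null as "not found".
     */
    public X509Certificate getCertificate(PKCS7 pkcs7) throws IOException {
        return pkcs7.getCertificate(this.certificateSerialNumber, this.issuerName);
    }

    /**
     * Collects the signer's certificate followed by issuer certificates found
     * in {@code pkcs7}, stopping at a self-issued certificate or when no
     * further issuer is present.
     *
     * <p>Links are chosen purely by comparing issuer and subject names. No
     * signature on any certificate is checked here, so the returned list is a
     * candidate chain that still has to be validated by the caller.
     *
     * <p>The array returned by {@code pkcs7.getCertificates()} is reordered in
     * place while searching. NOTE(review): whether that array is a private copy
     * is not visible from this class; confirm in PKCS7.
     *
     * @return the chain starting with the signer's certificate, or null if the
     *         signer's certificate is not in {@code pkcs7}
     * @throws IOException if the certificate lookup fails
     */
    public ArrayList<X509Certificate> getCertificateChain(PKCS7 pkcs7) throws IOException {
        X509Certificate certificate = pkcs7.getCertificate(this.certificateSerialNumber, this.issuerName);
        if (certificate == null) {
            return null;
        }
        ArrayList<X509Certificate> arrayList = new ArrayList<>();
        arrayList.add(certificate);
        X509Certificate[] certificates = pkcs7.getCertificates();
        if (certificates == null || certificate.getSubjectDN().equals(certificate.getIssuerDN())) {
            return arrayList;
        }

        Principal issuerDN = certificate.getIssuerDN();
        // certificates[0..start) have already been placed in the chain.
        int start = 0;
        boolean matched;
        do {
            matched = false;
            for (int idx = start; idx < certificates.length; idx++) {
                X509Certificate candidate = certificates[idx];
                if (!issuerDN.equals(candidate.getSubjectDN())) {
                    continue;
                }
                arrayList.add(candidate);
                if (candidate.getSubjectDN().equals(candidate.getIssuerDN())) {
                    // Self-issued: the chain is complete, make the next scan empty.
                    start = certificates.length;
                } else {
                    issuerDN = candidate.getIssuerDN();
                    // Move the used certificate out of the searchable range so it
                    // cannot be selected twice.
                    certificates[idx] = certificates[start];
                    certificates[start] = candidate;
                    start++;
                }
                matched = true;
                // Restart the scan for the new issuer. Without leaving the scan
                // here, a self-issued match would be re-added forever and
                // certificates before idx would never be reconsidered.
                break;
            }
        } while (matched);
        return arrayList;
    }

    /** Returns the serial number of the signer's certificate. */
    public BigInteger getCertificateSerialNumber() {
        return this.certificateSerialNumber;
    }

    /** Returns the digest algorithm identifier. */
    public AlgorithmId getDigestAlgorithmId() {
        return this.digestAlgorithmId;
    }

    /** Returns the signature ("digest encryption") algorithm identifier. */
    public AlgorithmId getDigestEncryptionAlgorithmId() {
        return this.digestEncryptionAlgorithmId;
    }

    /** Returns the signature bytes. The internal array is returned, not a copy. */
    public byte[] getEncryptedDigest() {
        return this.encryptedDigest;
    }

    /** Returns the issuer name of the signer's certificate. */
    public X500Name getIssuerName() {
        return this.issuerName;
    }

    /**
     * Returns the signature timestamp carried in the unauthenticated
     * attributes, verifying it on first use and caching the result.
     *
     * <p>The token's own signature is verified with {@code tsToken.verify},
     * and the token is checked against this signature by
     * {@code verifyTimestamp}. The returned {@code Timestamp} wraps the
     * timestamp signer's certificate path as found in the token; that path is
     * not validated against any trust anchor here.
     *
     * @return the timestamp, or null if no timestamp token is present
     * @throws SignatureException if the token cannot be verified or does not
     *         apply to this signature
     */
    public Timestamp getTimestamp() throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException {
        if (this.timestamp != null || !this.hasTimestamp) {
            return this.timestamp;
        }
        PKCS7 tsToken = getTsToken();
        if (tsToken == null) {
            // Remember the absence so the attributes are not searched again.
            this.hasTimestamp = false;
            return null;
        }
        byte[] data = tsToken.getContentInfo().getData();

        // Fail with a SignatureException rather than a NullPointerException when
        // the token yields no verified signer or no certificate chain.
        // NOTE(review): SignerInfo.verify returns null on failure, so a null or
        // empty result from PKCS7.verify is presumed possible; confirm in PKCS7.
        SignerInfo[] tsaSigners = tsToken.verify(data);
        if (tsaSigners == null || tsaSigners.length == 0) {
            throw new SignatureException("Unable to verify timestamp token signature");
        }
        ArrayList<X509Certificate> tsaChain = tsaSigners[0].getCertificateChain(tsToken);
        if (tsaChain == null) {
            throw new SignatureException("Timestamp signer certificate not found in token");
        }
        CertPath tsaCertPath = CertificateFactory.getInstance("X.509").generateCertPath(tsaChain);

        TimestampToken timestampToken = new TimestampToken(data);
        verifyTimestamp(timestampToken);
        this.timestamp = new Timestamp(timestampToken.getDate(), tsaCertPath);
        return this.timestamp;
    }

    /**
     * Returns the signature timestamp token from the unauthenticated
     * attributes as an unverified PKCS7 object, or null if there is none.
     */
    public PKCS7 getTsToken() throws IOException {
        if (this.unauthenticatedAttributes == null) {
            return null;
        }
        PKCS9Attribute attribute = this.unauthenticatedAttributes.getAttribute(PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
        if (attribute == null) {
            return null;
        }
        return new PKCS7((byte[]) attribute.getValue());
    }

    /** Returns the unauthenticated attributes, or null if there are none. */
    public PKCS9Attributes getUnauthenticatedAttributes() {
        return this.unauthenticatedAttributes;
    }

    /** Returns the SignerInfo version. */
    public BigInteger getVersion() {
        return this.version;
    }

    /** Returns a multi-line, human-readable dump of all fields. */
    @Override
    public String toString() {
        HexDumpEncoder hexDumpEncoder = new HexDumpEncoder();
        StringBuilder out = new StringBuilder();
        out.append("Signer Info for (issuer): ").append(this.issuerName).append(IOUtils.LINE_SEPARATOR_UNIX);
        out.append("\tversion: ").append(Debug.toHexString(this.version)).append(IOUtils.LINE_SEPARATOR_UNIX);
        out.append("\tcertificateSerialNumber: ").append(Debug.toHexString(this.certificateSerialNumber)).append(IOUtils.LINE_SEPARATOR_UNIX);
        out.append("\tdigestAlgorithmId: ").append(this.digestAlgorithmId).append(IOUtils.LINE_SEPARATOR_UNIX);
        if (this.authenticatedAttributes != null) {
            out.append("\tauthenticatedAttributes: ").append(this.authenticatedAttributes).append(IOUtils.LINE_SEPARATOR_UNIX);
        }
        out.append("\tdigestEncryptionAlgorithmId: ").append(this.digestEncryptionAlgorithmId).append(IOUtils.LINE_SEPARATOR_UNIX);
        out.append("\tencryptedDigest: \n");
        out.append(hexDumpEncoder.encodeBuffer(this.encryptedDigest));
        out.append(IOUtils.LINE_SEPARATOR_UNIX);
        if (this.unauthenticatedAttributes != null) {
            out.append("\tunauthenticatedAttributes: ").append(this.unauthenticatedAttributes).append(IOUtils.LINE_SEPARATOR_UNIX);
        }
        return out.toString();
    }

    /** Verifies this signer against the content embedded in {@code pkcs7}. */
    SignerInfo verify(PKCS7 pkcs7) throws NoSuchAlgorithmException, SignatureException {
        return verify(pkcs7, null);
    }

    /**
     * Verifies this signer's signature.
     *
     * <p>When authenticated attributes are present, their content-type must
     * equal the PKCS7 content type and their message-digest must equal the
     * digest of the content; the signature is then checked over the DER
     * encoding of the attributes. Otherwise the signature is checked over the
     * content directly. The digest algorithm, signature algorithm and public
     * key must all be permitted by {@code JAR_DISABLED_CHECK}.
     *
     * <p>The certificate is taken from {@code pkcs7} itself; its trust,
     * validity period and revocation status are not evaluated here.
     *
     * @param pkcs7 the enclosing PKCS7 block
     * @param bArr the signed content, or null to use the content embedded in {@code pkcs7}
     * @return this object if the signature verifies; null if an attribute
     *         check fails, the signer's certificate is absent, or the
     *         signature does not match
     * @throws NoSuchAlgorithmException if a required algorithm is unavailable
     * @throws SignatureException if a disabled algorithm or key is used, the
     *         certificate has an unsupported critical extension or a key usage
     *         that excludes signing, or an I/O or key error occurs
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SignerInfo verify(PKCS7 pkcs7, byte[] bArr) throws NoSuchAlgorithmException, SignatureException {
        try {
            ContentInfo contentInfo = pkcs7.getContentInfo();
            byte[] dataToVerify = bArr;
            if (dataToVerify == null) {
                dataToVerify = contentInfo.getContentBytes();
            }
            String digestAlgName = getDigestAlgorithmId().getName();

            if (this.authenticatedAttributes != null) {
                ObjectIdentifier contentType = (ObjectIdentifier) this.authenticatedAttributes.getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
                if (contentType == null || !contentType.equals(contentInfo.contentType)) {
                    return null;
                }
                byte[] claimedDigest = (byte[]) this.authenticatedAttributes.getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
                if (claimedDigest == null) {
                    return null;
                }
                if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, digestAlgName, null)) {
                    throw new SignatureException("Digest check failed. Disabled algorithm used: " + digestAlgName);
                }
                byte[] computedDigest = MessageDigest.getInstance(AlgorithmId.getStandardDigestName(digestAlgName)).digest(dataToVerify);
                // Library digest comparison in place of a hand-written byte loop.
                if (!MessageDigest.isEqual(claimedDigest, computedDigest)) {
                    return null;
                }
                // With signed attributes, the signature covers their DER encoding,
                // which in turn binds the content through the digest checked above.
                dataToVerify = this.authenticatedAttributes.getDerEncoding();
            }

            String encAlgName = getDigestEncryptionAlgorithmId().getName();
            String derivedEncAlg = AlgorithmId.getEncAlgFromSigAlg(encAlgName);
            if (derivedEncAlg != null) {
                encAlgName = derivedEncAlg;
            }
            String sigAlgName = AlgorithmId.makeSigAlg(digestAlgName, encAlgName);
            if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, sigAlgName, null)) {
                throw new SignatureException("Signature check failed. Disabled algorithm used: " + sigAlgName);
            }

            X509Certificate certificate = getCertificate(pkcs7);
            // Test for a missing certificate BEFORE dereferencing it, so an
            // unknown signer yields null instead of a NullPointerException.
            if (certificate == null) {
                return null;
            }
            PublicKey publicKey = certificate.getPublicKey();
            if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, publicKey)) {
                throw new SignatureException("Public key check failed. Disabled key used: " + KeyUtil.getKeySize(publicKey) + " bit " + publicKey.getAlgorithm());
            }
            if (certificate.hasUnsupportedCriticalExtension()) {
                throw new SignatureException("Certificate has unsupported critical extension(s)");
            }

            boolean[] keyUsage = certificate.getKeyUsage();
            if (keyUsage != null) {
                try {
                    KeyUsageExtension keyUsageExtension = new KeyUsageExtension(keyUsage);
                    boolean digitalSignature = keyUsageExtension.get(KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue();
                    boolean nonRepudiation = keyUsageExtension.get(KeyUsageExtension.NON_REPUDIATION).booleanValue();
                    if (!digitalSignature && !nonRepudiation) {
                        throw new SignatureException("Key usage restricted: cannot be used for digital signatures");
                    }
                } catch (IOException e) {
                    // Keep the cause so the parse failure remains diagnosable.
                    throw new SignatureException("Failed to parse keyUsage extension", e);
                }
            }

            Signature signature = Signature.getInstance(sigAlgName);
            signature.initVerify(publicKey);
            signature.update(dataToVerify);
            return signature.verify(this.encryptedDigest) ? this : null;
        } catch (IOException e) {
            throw new SignatureException("IO error verifying signature:\n" + e.getMessage(), e);
        } catch (InvalidKeyException e) {
            throw new SignatureException("InvalidKey: " + e.getMessage(), e);
        }
    }
}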
