package org.pgpainless.signature.consumer;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.bcpg.sig.SignerUserID;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.policy.Policy;
import org.pgpainless.signature.SignatureUtils;
import org.pgpainless.signature.consumer.SignatureCreationDateComparator;
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pgpainless/signature/consumer/CertificateValidator.class */
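/**
 * Checks that the certificate (public key ring) behind a signature is in a state that allows
 * the signature to be trusted, and offers wrappers that run this check before verifying the
 * signature itself.
 *
 * <p>All certificate failures are reported by throwing {@link SignatureValidationException};
 * {@link #validateCertificate} never returns {@code false}.
 */
public final class CertificateValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(CertificateValidator.class);

    private CertificateValidator() {
    }

    /**
     * Validates the signing key's certificate as of the signature's creation time.
     *
     * <p>The steps, in order: locate the issuer key in the ring; collect verified primary-key
     * revocations and direct-key self-signatures; reject a revoked primary key; require at least
     * one user-id whose deciding self-signature is not a certification revocation; optionally
     * (STRICT policy) require the signer user-id named in the signature to be valid; for a
     * subkey, require a verified binding that is not revoked and that grants signing capability.
     *
     * @param pGPSignature the signature whose issuer certificate is being validated
     * @param pGPPublicKeyRing the certificate expected to contain the issuer key
     * @param policy the policy handed to every signature verifier and consulted for the signer
     *     user-id validation level
     * @return {@code true} when the certificate is accepted
     * @throws SignatureValidationException if the issuer key is missing, the primary key or
     *     subkey is revoked, no valid user-id exists, the subkey is not bound, or the key is not
     *     capable of signing
     */
    public static boolean validateCertificate(PGPSignature pGPSignature, PGPPublicKeyRing pGPPublicKeyRing, Policy policy) throws SignatureValidationException {
        // Signatures that failed verification, kept so they can be attached to the final exception.
        ConcurrentHashMap<PGPSignature, Exception> rejections = new ConcurrentHashMap<>();

        long issuerKeyId = SignatureUtils.determineIssuerKeyId(pGPSignature);
        PGPPublicKey signingKey = pGPPublicKeyRing.getPublicKey(issuerKeyId);
        if (signingKey == null) {
            throw new SignatureValidationException("Provided key ring does not contain a subkey with id " + Long.toHexString(issuerKeyId));
        }
        PGPPublicKey primaryKey = pGPPublicKeyRing.getPublicKey();
        // Every certificate signature is evaluated relative to the time the signature was made.
        Date referenceTime = pGPSignature.getCreationTime();

        // --- Primary key: revocations and direct-key self-signatures ---
        List<PGPSignature> directKeySignatures = new ArrayList<>();
        // Unlike the loops below, no issuer-key-id filter is applied to key revocations: the
        // decompiled source only had an empty branch for signatures whose key id differs from
        // the primary key, so every revocation is handed to the verifier.
        // NOTE(review): presumably the verifier rejects revocations not issued by the primary
        // key (designated revokers would then be ignored) - confirm against upstream.
        for (Iterator<PGPSignature> it = primaryKey.getSignaturesOfType(SignatureType.KEY_REVOCATION.getCode()); it.hasNext(); ) {
            PGPSignature revocation = it.next();
            try {
                if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, referenceTime)) {
                    directKeySignatures.add(revocation);
                }
            } catch (SignatureValidationException e) {
                rejections.put(revocation, e);
                LOGGER.debug("Rejecting key revocation signature: {}", e.getMessage(), e);
            }
        }
        for (Iterator<PGPSignature> it = primaryKey.getSignaturesOfType(SignatureType.DIRECT_KEY.getCode()); it.hasNext(); ) {
            PGPSignature directKeySignature = it.next();
            if (directKeySignature.getKeyID() != primaryKey.getKeyID()) {
                continue; // only self-signatures are considered
            }
            try {
                if (SignatureVerifier.verifyDirectKeySignature(directKeySignature, primaryKey, policy, referenceTime)) {
                    directKeySignatures.add(directKeySignature);
                }
            } catch (SignatureValidationException e) {
                rejections.put(directKeySignature, e);
                LOGGER.debug("Rejecting key signature: {}", e.getMessage(), e);
            }
        }
        // After sorting, the first element is the signature that decides the key's state.
        Collections.sort(directKeySignatures, new SignatureValidityComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
        if (!directKeySignatures.isEmpty() && directKeySignatures.get(0).getSignatureType() == SignatureType.KEY_REVOCATION.getCode()) {
            throw new SignatureValidationException("Primary key has been revoked.");
        }

        // --- User-ids: verified self-signatures per user-id ---
        ConcurrentHashMap<String, List<PGPSignature>> userIdSignatures = new ConcurrentHashMap<>();
        for (Iterator<String> ids = primaryKey.getUserIDs(); ids.hasNext(); ) {
            String userId = ids.next();
            List<PGPSignature> verified = new ArrayList<>();
            for (Iterator<PGPSignature> it = primaryKey.getSignaturesForID(userId); it.hasNext(); ) {
                PGPSignature userIdSignature = it.next();
                if (userIdSignature.getKeyID() != primaryKey.getKeyID()) {
                    continue; // third-party certifications do not count here
                }
                try {
                    if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSignature, primaryKey, policy, referenceTime)) {
                        verified.add(userIdSignature);
                    }
                } catch (SignatureValidationException e) {
                    rejections.put(userIdSignature, e);
                    LOGGER.debug("Rejecting user-id signature: {}", e.getMessage(), e);
                }
            }
            Collections.sort(verified, new SignatureValidityComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
            userIdSignatures.put(userId, verified);
        }

        boolean anyUserIdValid = false;
        for (String userId : userIdSignatures.keySet()) {
            List<PGPSignature> verified = userIdSignatures.get(userId);
            if (verified.isEmpty()) {
                continue;
            }
            if (verified.get(0).getSignatureType() == SignatureType.CERTIFICATION_REVOCATION.getCode()) {
                LOGGER.debug("User-ID '{}' is revoked.", userId);
            } else {
                anyUserIdValid = true;
            }
        }
        if (!anyUserIdValid) {
            throw new SignatureValidationException("No valid user-id found.", rejections);
        }

        // --- Signer user-id subpacket: only enforced under the STRICT validation level ---
        SignerUserID signerUserID = SignatureSubpacketsUtil.getSignerUserID(pGPSignature);
        if (signerUserID != null && policy.getSignerUserIdValidationLevel() == Policy.SignerUserIdValidationLevel.STRICT) {
            List<PGPSignature> signerUserIdSignatures = userIdSignatures.get(signerUserID.getID());
            if (signerUserIdSignatures == null || signerUserIdSignatures.isEmpty()) {
                throw new SignatureValidationException("Signature was allegedly made by user-id '" + signerUserID.getID() + "' but we have no valid signatures for that on the certificate.");
            }
            if (signerUserIdSignatures.get(0).getSignatureType() == SignatureType.CERTIFICATION_REVOCATION.getCode()) {
                throw new SignatureValidationException("Signature was made with user-id '" + signerUserID.getID() + "' which is revoked.");
            }
        }

        if (signingKey == primaryKey) {
            // The decompiled expression looked up SIGN_DATA on the newest direct-key signature
            // but returned true on both outcomes, so the lookup could only ever fail with a
            // NullPointerException when that signature carries no key-flags subpacket. It is
            // dropped here; the accepted result is unchanged.
            // NOTE(review): as written, the signing capability of a primary key is not enforced
            // on this path - confirm against upstream whether that is intended.
            return true;
        }

        // --- Subkey: binding signatures and subkey revocations ---
        List<PGPSignature> subkeySignatures = new ArrayList<>();
        for (Iterator<PGPSignature> it = signingKey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode()); it.hasNext(); ) {
            PGPSignature subkeyRevocation = it.next();
            if (subkeyRevocation.getKeyID() != primaryKey.getKeyID()) {
                continue; // only revocations issued by the primary key are considered
            }
            try {
                if (SignatureVerifier.verifySubkeyBindingRevocation(subkeyRevocation, primaryKey, signingKey, policy, referenceTime)) {
                    subkeySignatures.add(subkeyRevocation);
                }
            } catch (SignatureValidationException e) {
                rejections.put(subkeyRevocation, e);
                LOGGER.debug("Rejecting subkey revocation signature: {}", e.getMessage(), e);
            }
        }
        for (Iterator<PGPSignature> it = signingKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode()); it.hasNext(); ) {
            PGPSignature binding = it.next();
            try {
                if (SignatureVerifier.verifySubkeyBindingSignature(binding, primaryKey, signingKey, policy, referenceTime)) {
                    subkeySignatures.add(binding);
                }
            } catch (SignatureValidationException e) {
                rejections.put(binding, e);
                LOGGER.debug("Rejecting subkey binding signature: {}", e.getMessage(), e);
            }
        }
        Collections.sort(subkeySignatures, new SignatureValidityComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
        if (subkeySignatures.isEmpty()) {
            throw new SignatureValidationException("Subkey is not bound.", rejections);
        }
        PGPSignature decidingSubkeySignature = subkeySignatures.get(0);
        if (decidingSubkeySignature.getSignatureType() == SignatureType.SUBKEY_REVOCATION.getCode()) {
            throw new SignatureValidationException("Subkey is revoked.");
        }

        // --- Signing capability: binding signature first, direct-key signature as fallback ---
        KeyFlags bindingFlags = SignatureSubpacketsUtil.getKeyFlags(decidingSubkeySignature);
        if (bindingFlags != null) {
            if (KeyFlag.hasKeyFlag(bindingFlags.getFlags(), KeyFlag.SIGN_DATA)) {
                return true;
            }
            throw new SignatureValidationException("Signature was made by key which is not capable of signing (no SIGN flag on binding sig).");
        }
        if (directKeySignatures.isEmpty()) {
            throw new SignatureValidationException("Signature was made by key which is not capable of signing (no keyflags on binding sig, no direct-key sig).");
        }
        // A direct-key signature without a key-flags subpacket grants nothing: fail closed with
        // a validation error instead of dereferencing null.
        KeyFlags directKeyFlags = SignatureSubpacketsUtil.getKeyFlags(directKeySignatures.get(0));
        if (directKeyFlags != null && KeyFlag.hasKeyFlag(directKeyFlags.getFlags(), KeyFlag.SIGN_DATA)) {
            return true;
        }
        throw new SignatureValidationException("Signature was made by key which is not capable of signing (no keyflags on binding sig, no SIGN flag on direct-key sig).");
    }

    /**
     * Validates the certificate, then verifies a signature that has not been initialized yet
     * against the data read from {@code inputStream}.
     *
     * @param pGPSignature the signature to verify
     * @param inputStream the signed data
     * @param pGPPublicKeyRing the certificate containing the issuer key
     * @param policy the policy applied to certificate and signature
     * @param date passed through to the signature verifier as its reference date
     * @return the result of {@code SignatureVerifier.verifyUninitializedSignature}
     * @throws SignatureValidationException if the certificate or the signature is rejected
     */
    public static boolean validateCertificateAndVerifyUninitializedSignature(PGPSignature pGPSignature, InputStream inputStream, PGPPublicKeyRing pGPPublicKeyRing, Policy policy, Date date) throws SignatureValidationException {
        validateCertificate(pGPSignature, pGPPublicKeyRing, policy);
        PGPPublicKey signingKey = pGPPublicKeyRing.getPublicKey(SignatureUtils.determineIssuerKeyId(pGPSignature));
        return SignatureVerifier.verifyUninitializedSignature(pGPSignature, inputStream, signingKey, policy, date);
    }

    /**
     * Validates the certificate, then verifies a signature that has already been initialized.
     *
     * @param pGPSignature the initialized signature to verify
     * @param pGPPublicKeyRing the certificate containing the issuer key
     * @param policy the policy applied to certificate and signature
     * @return {@code true} if no exception was thrown
     * @throws SignatureValidationException if the certificate or the signature is rejected
     */
    public static boolean validateCertificateAndVerifyInitializedSignature(PGPSignature pGPSignature, PGPPublicKeyRing pGPPublicKeyRing, Policy policy) throws SignatureValidationException {
        validateCertificate(pGPSignature, pGPPublicKeyRing, policy);
        PGPPublicKey signingKey = pGPPublicKeyRing.getPublicKey(SignatureUtils.determineIssuerKeyId(pGPSignature));
        // NOTE(review): the verifier's result is not inspected; this relies on it signalling
        // every failure by throwing - confirm it can never report failure by return value.
        SignatureVerifier.verifyInitializedSignature(pGPSignature, signingKey, policy, pGPSignature.getCreationTime());
        return true;
    }

    /**
     * Validates the certificate, then verifies a one-pass signature check.
     *
     * @param onePassSignatureCheck holder of the signature and its verification keys
     * @param policy the policy applied to certificate and signature
     * @return {@code true} if no exception was thrown
     * @throws SignatureValidationException if the certificate or the signature is rejected
     */
    public static boolean validateCertificateAndVerifyOnePassSignature(OnePassSignatureCheck onePassSignatureCheck, Policy policy) throws SignatureValidationException {
        PGPSignature signature = onePassSignatureCheck.getSignature();
        validateCertificate(signature, onePassSignatureCheck.getVerificationKeys(), policy);
        // NOTE(review): the key is looked up by signature.getKeyID(), whereas validateCertificate
        // resolves the issuer through SignatureUtils.determineIssuerKeyId - confirm both always
        // select the same key, so that the key being verified against is the one validated.
        // The verifier's result is not inspected either; failures are expected to throw.
        PGPPublicKey signingKey = onePassSignatureCheck.getVerificationKeys().getPublicKey(signature.getKeyID());
        SignatureVerifier.verifyOnePassSignature(signature, signingKey, onePassSignatureCheck, policy);
        return true;
    }
}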
