package org.xipki.scep.message;

import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.Date;
import java.util.LinkedList;
import java.util.List;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.CollectionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.scep.util.ScepUtil;
import org.xipki.security.HashAlgo;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;

/* loaded from: input_file:org/xipki/scep/message/DecodedNextCaMessage.class */
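/**
 * Result of decoding a signed SCEP "next CA" message.
 *
 * <p>Security note: {@link #isSignatureValid()} only reports whether the CMS signature
 * verifies under the key of {@link #getSignatureCert()}. That certificate is selected by the
 * message's own signer identifier and may come from the certificates embedded in the message
 * itself, so a valid signature does not establish trust. Before accepting
 * {@link #getAuthorityCertStore()}, callers must check that the signature certificate is one
 * they already trust, and must treat a non-null {@link #getFailureMessage()} or a
 * null/false signature flag as a rejection.
 */
public class DecodedNextCaMessage {
    private static final Logger LOG = LoggerFactory.getLogger(DecodedNextCaMessage.class);

    // CA certificate (plus any non-CA certificates) carried in the signed content.
    private AuthorityCertStore authorityCertStore;

    // Certificate whose public key was used to verify the signature; NOT validated for trust here.
    private X509Cert signatureCert;

    // Digest algorithm declared in the signerInfo.
    private HashAlgo digestAlgorithm;

    // null until signature verification has actually been attempted.
    private Boolean signatureValid;

    // Value of the signingTime signed attribute, if present; read before the signature is verified.
    private Date signingTime;

    // Human-readable reason when decoding stopped early; null when no failure was recorded.
    private String failureMessage;

    /** Returns the certificates extracted from the signed content, or {@code null} if none were set. */
    public AuthorityCertStore getAuthorityCertStore() {
        return this.authorityCertStore;
    }

    public void setAuthorityCertStore(AuthorityCertStore authorityCertStore) {
        this.authorityCertStore = authorityCertStore;
    }

    /** Returns the certificate the signature was checked against; its trust is not verified by this class. */
    public X509Cert getSignatureCert() {
        return this.signatureCert;
    }

    public void setSignatureCert(X509Cert x509Cert) {
        this.signatureCert = x509Cert;
    }

    public HashAlgo getDigestAlgorithm() {
        return this.digestAlgorithm;
    }

    public void setDigestAlgorithm(HashAlgo hashAlgo) {
        this.digestAlgorithm = hashAlgo;
    }

    /**
     * Returns the signature verification result.
     *
     * @return {@code TRUE}/{@code FALSE} once verification ran, or {@code null} if decoding
     *     stopped before the signature was checked; callers must not unbox without a null check
     */
    public Boolean isSignatureValid() {
        return this.signatureValid;
    }

    public void setSignatureValid(Boolean bool) {
        this.signatureValid = bool;
    }

    public String getFailureMessage() {
        return this.failureMessage;
    }

    public void setFailureMessage(String str) {
        this.failureMessage = str;
    }

    public Date getSigningTime() {
        return this.signingTime;
    }

    public void setSigningTime(Date date) {
        this.signingTime = date;
    }

    /**
     * Decodes a signed next-CA message and verifies its CMS signature.
     *
     * <p>The signer certificate is looked up by the signer identifier, first in
     * {@code collectionStore} (when given) and otherwise in the certificates embedded in the
     * message. No chain building, validity-period, key-usage or digest-strength policy is applied
     * here, and the signing time is neither required nor checked for freshness; those decisions
     * are left to the caller.
     *
     * @param cMSSignedData the received CMS SignedData, must not be {@code null}
     * @param collectionStore optional store to resolve the signer certificate from; may be
     *     {@code null}
     * @return the decoded message; inspect {@link #getFailureMessage()} and
     *     {@link #isSignatureValid()} before using any other field
     * @throws MessageDecodingException if the message does not contain exactly one signerInfo,
     *     exactly one matching signer certificate, or any signed attributes
     */
    public static DecodedNextCaMessage decode(CMSSignedData cMSSignedData, CollectionStore<X509CertificateHolder> collectionStore) throws MessageDecodingException {
        Args.notNull(cMSSignedData, "pkiMessage");

        Collection<?> signers = cMSSignedData.getSignerInfos().getSigners();
        if (signers.size() != 1) {
            throw new MessageDecodingException("number of signerInfos is not 1, but " + signers.size());
        }
        SignerInformation signerInfo = (SignerInformation) signers.iterator().next();

        // Prefer the caller-supplied store; fall back to certificates shipped inside the message.
        // The fallback means the verification key can be chosen by the sender.
        Collection<?> matches = collectionStore != null ? collectionStore.getMatches(signerInfo.getSID()) : null;
        if (CollectionUtil.isEmpty(matches)) {
            matches = cMSSignedData.getCertificates().getMatches(signerInfo.getSID());
        }
        if (matches == null || matches.size() != 1) {
            throw new MessageDecodingException("could not find embedded certificate to verify the signature");
        }

        AttributeTable signedAttributes = signerInfo.getSignedAttributes();
        if (signedAttributes == null) {
            throw new MessageDecodingException("missing signed attributes");
        }

        ASN1Encodable signingTimeValue = ScepUtil.getFirstAttrValue(signedAttributes, CMSAttributes.signingTime);
        Date time = signingTimeValue != null ? ScepUtil.getTime(signingTimeValue) : null;
        DecodedNextCaMessage result = new DecodedNextCaMessage();
        if (time != null) {
            result.setSigningTime(time);
        }

        try {
            HashAlgo hashAlgo = HashAlgo.getInstance(signerInfo.getDigestAlgorithmID());
            result.setDigestAlgorithm(hashAlgo);
            // For non-RSA signature OIDs the hash is implied by the signature algorithm and must
            // agree with the declared digest algorithm.
            boolean plainRsa = PKCSObjectIdentifiers.rsaEncryption.getId().equals(signerInfo.getEncryptionAlgOID());
            if (!plainRsa && hashAlgo != SignAlgo.getInstance(signerInfo.toASN1Structure().getDigestEncryptionAlgorithm()).getHashAlgo()) {
                result.setFailureMessage("digestAlgorithm and encryptionAlgorithm do not use the same digestAlgorithm");
                return result;
            }
        } catch (NoSuchAlgorithmException ex) {
            return failed(result, ex.getMessage(), ex);
        }

        X509CertificateHolder signerCertHolder = (X509CertificateHolder) matches.iterator().next();
        result.setSignatureCert(new X509Cert(signerCertHolder));

        boolean verified;
        try {
            verified = signerInfo.verify(new JcaSimpleSignerInfoVerifierBuilder().build(signerCertHolder));
        } catch (OperatorCreationException | CertificateException ex) {
            return failed(result, "could not build signature verifier: " + ex.getMessage(), ex);
        } catch (CMSException ex) {
            return failed(result, "could not verify the signature: " + ex.getMessage(), ex);
        }
        result.setSignatureValid(Boolean.valueOf(verified));
        if (!verified) {
            return result;
        }

        // A detached signature carries no content; report it instead of failing with a
        // NullPointerException on attacker-influenced input.
        CMSTypedData signedContent = cMSSignedData.getSignedContent();
        if (signedContent == null) {
            result.setFailureMessage("missing signed content");
            return result;
        }
        ASN1ObjectIdentifier contentType = signedContent.getContentType();
        if (!CMSObjectIdentifiers.signedData.equals(contentType) && !CMSObjectIdentifiers.data.equals(contentType)) {
            result.setFailureMessage("either id-signedData or id-data is expected, but not '" + contentType.getId() + "'");
            return result;
        }

        SignedData innerSignedData;
        try {
            ContentInfo innerContentInfo = ContentInfo.getInstance(signedContent.getContent());
            innerSignedData = innerContentInfo == null ? null : SignedData.getInstance(innerContentInfo.getContent());
        } catch (IllegalArgumentException ex) {
            // The ASN.1 getInstance() factories reject malformed encodings with an unchecked
            // exception; surface that through the failure message like every other decode error.
            return failed(result, "could not parse the signed content as SignedData: " + ex.getMessage(), ex);
        }
        if (innerSignedData == null) {
            result.setFailureMessage("signed content is empty");
            return result;
        }

        List<X509Cert> certsFromSignedData;
        try {
            certsFromSignedData = ScepUtil.getCertsFromSignedData(innerSignedData);
        } catch (CertificateException ex) {
            return failed(result, "could not extract Certificates from the message: " + ex.getMessage(), ex);
        }

        X509Cert caCert = null;
        List<X509Cert> otherCerts = new LinkedList<>();
        for (X509Cert cert : certsFromSignedData) {
            // NOTE(review): a basic-constraints value of -1 or less is treated as "not a CA";
            // confirm against X509Cert.getBasicConstraints().
            if (cert.getBasicConstraints() <= -1) {
                otherCerts.add(cert);
                continue;
            }
            if (caCert != null) {
                LOG.error("multiple CA certificates is returned, but exactly 1 is expected");
                result.setFailureMessage("multiple CA certificates is returned, but exactly 1 is expected");
                return result;
            }
            caCert = cert;
        }
        if (caCert == null) {
            LOG.error("no CA certificate is returned");
            result.setFailureMessage("no CA certificate is returned");
            return result;
        }

        X509Cert[] others = otherCerts.isEmpty() ? null : otherCerts.toArray(new X509Cert[0]);
        result.setAuthorityCertStore(AuthorityCertStore.getInstance(caCert, others));
        return result;
    }

    /** Logs {@code reason} (with the stack trace at debug level), records it on {@code message} and returns it. */
    private static DecodedNextCaMessage failed(DecodedNextCaMessage message, String reason, Exception cause) {
        LOG.error(reason);
        LOG.debug(reason, cause);
        message.setFailureMessage(reason);
        return message;
    }
}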
