package com.huawei.signclient.hap.ext;

import com.huawei.signclient.hap.sign.SignatureAlgorithm;
import java.io.IOException;
import java.security.CryptoPrimitive;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import sun.security.pkcs.ContentInfo;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.PKCS9Attribute;
import sun.security.pkcs.ParsingException;
import sun.security.pkcs.SignerInfo;
import sun.security.util.ConstraintsParameters;
import sun.security.util.DerInputStream;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.util.KeyUtil;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.x509.KeyUsageExtension;

/* loaded from: input_file:com/huawei/signclient/hap/ext/SignerInfoExt.class */
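/**
 * PKCS#7 {@link SignerInfo} extension that verifies a signer block with an explicit
 * signature-algorithm allow-list and RSASSA-PSS parameter handling.
 *
 * <p>Verification covers: the authenticated attributes (content type and message digest),
 * the {@code jdk.jar.disabledAlgorithms} policy, the signer certificate's key usage and
 * critical extensions, and the signature value itself.
 *
 * <p>Security note: the signer certificate is taken from the PKCS#7 block through the
 * inherited {@code getCertificate}. Nothing in this class builds or validates a certificate
 * chain or checks the certificate's validity period, so a non-null result from
 * {@link #verifyPss} only means "signed by the embedded certificate". Trust in that
 * certificate has to be established by the caller.
 */
public class SignerInfoExt extends SignerInfo {
    private static final Logger LOGGER = LogManager.getLogger(SignerInfoExt.class);
    private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = new DisabledAlgorithmConstraints("jdk.jar.disabledAlgorithms");
    private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));

    // One provider instance for the whole class instead of a new one per verification.
    private static final BouncyCastleProvider BC_PROVIDER = new BouncyCastleProvider();

    // Allow-list of signature algorithm OIDs; anything else is rejected before a
    // Signature object is created. Unmodifiable so it cannot be widened at runtime.
    private static final List<ObjectIdentifier> VALID_ALGORITHM_IDS = Collections.unmodifiableList(Arrays.<ObjectIdentifier>asList(
            AlgorithmId.sha256WithECDSA_oid,
            AlgorithmId.sha384WithECDSA_oid,
            AlgorithmId.sha512WithECDSA_oid,
            AlgorithmIdExt.SHA_WITH_RSA_ENCRYPTION_PSS_OID,
            AlgorithmId.sha512WithRSAEncryption_oid));

    /**
     * Parses a signer info from its DER encoding.
     *
     * @param derInputStream DER stream positioned at a SignerInfo structure
     * @throws IOException if the stream cannot be read
     * @throws ParsingException if the structure is malformed
     */
    public SignerInfoExt(DerInputStream derInputStream) throws IOException, ParsingException {
        super(derInputStream);
    }

    /**
     * Copies every field of an existing signer info.
     *
     * @param signerInfo the signer info to copy
     */
    public SignerInfoExt(SignerInfo signerInfo) {
        super(signerInfo.getIssuerName(), signerInfo.getCertificateSerialNumber(), signerInfo.getDigestAlgorithmId(), signerInfo.getAuthenticatedAttributes(), signerInfo.getDigestEncryptionAlgorithmId(), signerInfo.getEncryptedDigest(), signerInfo.getUnauthenticatedAttributes());
    }

    /**
     * Copies an existing signer info but substitutes the digest-encryption (signature) algorithm.
     *
     * @param signerInfo the signer info to copy
     * @param algorithmId the signature algorithm identifier to use instead of the original one
     */
    public SignerInfoExt(SignerInfo signerInfo, AlgorithmId algorithmId) {
        super(signerInfo.getIssuerName(), signerInfo.getCertificateSerialNumber(), signerInfo.getDigestAlgorithmId(), signerInfo.getAuthenticatedAttributes(), algorithmId, signerInfo.getEncryptedDigest(), signerInfo.getUnauthenticatedAttributes());
    }

    /**
     * Verifies this signer info against the given PKCS#7 block.
     *
     * @param pkcs7 the enclosing PKCS#7 block, used for the content and the signer certificate
     * @param bArr the signed content, or {@code null} to use the content embedded in {@code pkcs7}
     * @param objectIdentifier the content type the authenticated attributes must declare
     * @return this instance when the signature verifies, {@code null} when any check fails
     * @throws NoSuchAlgorithmException if a digest or signature algorithm is unavailable
     * @throws SignatureException if a policy check fails or the signature cannot be processed
     */
    public SignerInfoExt verifyPss(PKCS7 pkcs7, byte[] bArr, ObjectIdentifier objectIdentifier) throws NoSuchAlgorithmException, SignatureException {
        try {
            ContentInfo contentInfo = pkcs7.getContentInfo();
            byte[] content = bArr != null ? bArr : contentInfo.getContentBytes();
            if (content == null) {
                // Neither detached nor embedded content: fail closed instead of letting
                // a NullPointerException escape from the digest or signature update.
                LOGGER.error("no content available to verify");
                return null;
            }
            ConstraintsParameters constraintsParameters = new ConstraintsParameters(getSignerInfoTimestamp());
            String digestName = getDigestAlgorithmId().getName();

            // Without authenticated attributes the signature covers the content itself;
            // with them it covers their DER encoding, which in turn binds the content digest.
            byte[] signedBytes = content;
            if (getAuthenticatedAttributes() != null) {
                if (!checkAuthenticatedAttributes(objectIdentifier, digestName, constraintsParameters, content)) {
                    LOGGER.error("checkAuthenticatedAttributes failed");
                    return null;
                }
                signedBytes = getAuthenticatedAttributes().getDerEncoding();
            }

            String permitSignAlgorithmName = getPermitSignAlgorithmName(digestName, constraintsParameters);
            X509Certificate certificate = getCertificate(pkcs7);
            if (certificate == null) {
                LOGGER.error("getCertificate failed");
                return null;
            }
            PublicKey publicKey = certificate.getPublicKey();
            checkCertAndPublickeyPermits(publicKey, certificate);
            checkKeyUsage(certificate);

            Signature verifier = getSignatureProvider(permitSignAlgorithmName);
            if (verifier == null) {
                LOGGER.error("getSignatureProvider failed");
                return null;
            }
            verifier.initVerify(publicKey);
            verifier.update(signedBytes);
            return verifier.verify(super.getEncryptedDigest()) ? this : null;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException e) {
            throw new SignatureException("InvalidKey: " + e, e);
        } catch (IOException e) {
            throw new SignatureException("IO error verifying signature:\n" + e, e);
        }
    }

    /**
     * Returns the timestamp from the inherited {@code getTimestamp}, mapping every failure
     * to a {@link SignatureException}.
     */
    private Timestamp getSignerInfoTimestamp() throws SignatureException {
        try {
            return getTimestamp();
        } catch (IOException | NoSuchAlgorithmException | SignatureException | CertificateException e) {
            throw new SignatureException("getTimestamp failed: " + e, e);
        }
    }

    /**
     * Checks the content-type and message-digest authenticated attributes.
     *
     * @param expectedContentType content type the attributes must declare
     * @param digestName digest algorithm name, checked against the disabled-algorithm policy
     * @param constraintsParameters policy parameters built from the signer timestamp
     * @param content the signed content whose digest must match the attribute
     * @return {@code true} when the content type matches and the digest attribute equals the content digest
     */
    private boolean checkAuthenticatedAttributes(ObjectIdentifier expectedContentType, String digestName, ConstraintsParameters constraintsParameters, byte[] content) throws SignatureException, NoSuchAlgorithmException {
        try {
            Object contentType = getAuthenticatedAttributes().getAttributeValue(PKCS9Attribute.CONTENT_TYPE_OID);
            if (contentType == null || !contentType.equals(expectedContentType)) {
                // This branch is also taken when the attribute is present but does not match.
                LOGGER.error("singerInfo has no CONTENT_TYPE_OID in AuthenticatedAttributes");
                return false;
            }
            Object messageDigest = getAuthenticatedAttributes().getAttributeValue(PKCS9Attribute.MESSAGE_DIGEST_OID);
            if (!(messageDigest instanceof byte[])) {
                LOGGER.error("objectDigest is not byte[]");
                return false;
            }
            // permits() signals a disabled digest by throwing; it is mapped below.
            JAR_DISABLED_CHECK.permits(digestName, constraintsParameters);
            return checkContentInfoDigest(digestName, content, (byte[]) messageDigest);
        } catch (IOException e) {
            throw new SignatureException("checkAuthenticatedAttributes failed: " + e, e);
        } catch (CertPathValidatorException e) {
            throw new SignatureException("checkAuthenticatedAttributes JAR_DISABLED_CHECK failed: " + e, e);
        }
    }

    /** Returns whether {@code expectedDigest} equals the {@code digestName} digest of {@code content}. */
    private boolean checkContentInfoDigest(String digestName, byte[] content, byte[] expectedDigest) throws NoSuchAlgorithmException {
        return Arrays.equals(expectedDigest, MessageDigest.getInstance(digestName).digest(content));
    }

    /**
     * Derives the combined signature algorithm name and checks it against the
     * disabled-algorithm policy.
     *
     * @return the derived name when the policy permits it
     * @throws SignatureException if the policy rejects the algorithm
     */
    private String getPermitSignAlgorithmName(String digestName, ConstraintsParameters constraintsParameters) throws SignatureException {
        String declaredName = getDigestEncryptionAlgorithmId().getName();
        String encryptionName = AlgorithmId.getEncAlgFromSigAlg(declaredName);
        if (encryptionName == null) {
            encryptionName = declaredName;
        }
        String signatureName = AlgorithmId.makeSigAlg(digestName, encryptionName);
        try {
            JAR_DISABLED_CHECK.permits(signatureName, constraintsParameters);
            return signatureName;
        } catch (CertPathValidatorException e) {
            throw new SignatureException("getPermitSignAlgorithmName failed: " + e, e);
        }
    }

    /**
     * Rejects public keys disabled by policy and certificates with unsupported critical extensions.
     */
    private void checkCertAndPublickeyPermits(PublicKey publicKey, X509Certificate x509Certificate) throws SignatureException {
        if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, publicKey)) {
            throw new SignatureException("Public key check failed. Disabled key used: " + KeyUtil.getKeySize(publicKey) + " bit " + publicKey.getAlgorithm());
        }
        if (x509Certificate.hasUnsupportedCriticalExtension()) {
            throw new SignatureException("Certificate has unsupported critical extension(s)");
        }
    }

    /**
     * Requires a keyUsage extension that asserts digital_signature or non_repudiation.
     * A certificate without the extension is rejected.
     */
    private void checkKeyUsage(X509Certificate x509Certificate) throws SignatureException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            throw new SignatureException("has no keyUsage in certificate");
        }
        KeyUsageExtension keyUsageExtension;
        try {
            keyUsageExtension = new KeyUsageExtension(keyUsage);
        } catch (IOException e) {
            throw new SignatureException("Failed to parse keyUsage extension. " + e, e);
        }
        boolean digitalSignature;
        boolean nonRepudiation;
        try {
            digitalSignature = keyUsageExtension.get("digital_signature").booleanValue();
            nonRepudiation = keyUsageExtension.get("non_repudiation").booleanValue();
        } catch (IOException e) {
            throw new SignatureException("Failed to get digital_signature or non_repudiation. " + e, e);
        }
        if (!digitalSignature && !nonRepudiation) {
            throw new SignatureException("Key usage restricted: cannot be used for digital signatures");
        }
    }

    /**
     * Creates the {@link Signature} used for verification.
     *
     * <p>NOTE(review): the disabled-algorithm policy is checked on the name derived in
     * {@code getPermitSignAlgorithmName}, while the Signature is created from the
     * digest-encryption algorithm's own name; {@code permitSignAlgorithmName} is only
     * logged here. Confirm the two names cannot diverge.
     *
     * @param permitSignAlgorithmName the policy-checked algorithm name, used for logging only
     * @return a configured Signature, or {@code null} when the algorithm OID is not on the
     *     allow-list or the digest is not supported for RSASSA-PSS
     */
    private Signature getSignatureProvider(String permitSignAlgorithmName) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException {
        AlgorithmId digestEncryptionAlgorithmId = getDigestEncryptionAlgorithmId();
        ObjectIdentifier oid = digestEncryptionAlgorithmId == null ? null : digestEncryptionAlgorithmId.getOID();
        if (!checkSignatureAlgorithmIsValid(oid)) {
            LOGGER.error("checkSignatureAlgorithmIsValid failed, signAlgorithmName: " + permitSignAlgorithmName);
            return null;
        }
        // oid is non-null past the allow-list check, so digestEncryptionAlgorithmId is too.
        Signature signature = Signature.getInstance(digestEncryptionAlgorithmId.getName(), BC_PROVIDER);
        if (AlgorithmIdExt.SHA_WITH_RSA_ENCRYPTION_PSS_OID.equals(oid)) {
            String digestName = getDigestAlgorithmId().getName();
            if (Objects.equals(digestName, "SHA-256")) {
                signature.setParameter(SignatureAlgorithm.RSA_PSS_WITH_SHA256.getSignatureAlgAndParams().getSecond());
            } else if (Objects.equals(digestName, "SHA-384")) {
                signature.setParameter(SignatureAlgorithm.RSA_PSS_WITH_SHA384.getSignatureAlgAndParams().getSecond());
            } else if (Objects.equals(digestName, "SHA-512")) {
                signature.setParameter(SignatureAlgorithm.RSA_PSS_WITH_SHA512.getSignatureAlgAndParams().getSecond());
            } else {
                // Fail closed: never verify a PSS signature with whatever parameters the
                // provider would default to for a digest that is not explicitly supported.
                LOGGER.error("Unsupported digest algorithm for RSASSA-PSS: {}", digestName);
                return null;
            }
        }
        return signature;
    }

    /** Returns whether the OID is non-null and on the signature-algorithm allow-list. */
    private boolean checkSignatureAlgorithmIsValid(ObjectIdentifier objectIdentifier) {
        if (objectIdentifier == null) {
            LOGGER.error("oid is not an Object.");
            return false;
        }
        if (VALID_ALGORITHM_IDS.contains(objectIdentifier)) {
            return true;
        }
        LOGGER.error("Unsupported signature algorithm.");
        return false;
    }
}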
