package eu.europa.esig.dss.cades.signature;

import eu.europa.esig.dss.cades.CMSUtils;
import eu.europa.esig.dss.cades.validation.CAdESSignature;
import eu.europa.esig.dss.cades.validation.CMSDocumentValidator;
import eu.europa.esig.dss.exception.IllegalInputException;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.SignaturePolicyStore;
import eu.europa.esig.dss.spi.DSSASN1Utils;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.OID;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.AdvancedSignature;
import eu.europa.esig.dss.validation.SignaturePolicy;
import eu.europa.esig.dss.validation.policy.DefaultSignaturePolicyValidatorLoader;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/cades/signature/CAdESSignaturePolicyStoreBuilder.class */
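/**
 * Adds a {@code signature-policy-store} attribute ({@link OID#id_aa_ets_sigPolicyStore}) to the
 * signer(s) of an existing CMS/CAdES signature.
 *
 * <p>Security notes for integrators and verifiers:
 * <ul>
 *   <li>The store is written with {@link SignerInformation#replaceUnsignedAttributes}, i.e. as an
 *       <em>unsigned</em> attribute. The signature value does not protect it, so a relying party
 *       should re-compute the digest of the embedded policy and compare it with the digest in the
 *       signed signature-policy-identifier rather than trusting the stored bytes.</li>
 *   <li>When the {@link SignaturePolicyStore} carries only a {@code sigPolDocLocalURI} (no policy
 *       content), {@link #checkDigest} returns {@code true} without comparing any digest; the URI
 *       is then embedded unverified.</li>
 *   <li>The digest comparison uses the algorithm named in the signature's own policy digest, so
 *       the strength of the check depends on what the signer chose.</li>
 * </ul>
 */
public class CAdESSignaturePolicyStoreBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(CAdESSignaturePolicyStoreBuilder.class);

    /**
     * Adds the policy store to every signature of the document whose policy digest matches.
     *
     * @param dSSDocument the CMS signature document; must not be {@code null}
     * @param signaturePolicyStore the store to embed
     * @return a new {@link CMSSignedDocument} holding the extended CMS
     * @throws NullPointerException if a mandatory argument or store field is missing
     * @throws IllegalArgumentException if the store does not hold exactly one of policy content / local URI
     * @throws IllegalInputException if no signature is present or none could be extended
     */
    public DSSDocument addSignaturePolicyStore(DSSDocument dSSDocument, SignaturePolicyStore signaturePolicyStore) {
        Objects.requireNonNull(dSSDocument, "Signature document must be provided!");
        CMSSignedData originalCms = DSSUtils.toCMSSignedData(dSSDocument);
        CMSSignedData extendedCms = extendCMSSignedData(originalCms, signaturePolicyStore);
        return new CMSSignedDocument(CMSUtils.populateDigestAlgorithmSet(extendedCms, originalCms));
    }

    /**
     * Adds the policy store to every signer of {@code cMSSignedData} whose policy digest matches.
     *
     * <p>Signers that do not match are carried over unchanged. The call fails if not a single
     * signer was extended, and also if any signer contains an archiveTimestampV2 (the assertion in
     * {@link #addSignaturePolicyStoreIfDigestMatch} runs for every signer here).
     *
     * @param cMSSignedData the CMS to extend; must not be {@code null}
     * @param signaturePolicyStore the store to embed
     * @return a new {@link CMSSignedData} with the signer set replaced
     * @throws IllegalInputException if no signature is found or none could be extended
     */
    public CMSSignedData extendCMSSignedData(CMSSignedData cMSSignedData, SignaturePolicyStore signaturePolicyStore) {
        Objects.requireNonNull(cMSSignedData, "CMSSignedData must be provided!");
        assertConfigurationValid(signaturePolicyStore);
        List<AdvancedSignature> signatures = new CMSDocumentValidator(cMSSignedData).getSignatures();
        if (Utils.isCollectionEmpty(signatures)) {
            throw new IllegalInputException("Unable to extend the document! No signatures found.");
        }
        List<SignerInformation> updatedSigners = new ArrayList<>();
        boolean anyExtended = false;
        for (AdvancedSignature signature : signatures) {
            // NOTE(review): unchecked downcast; presumably CMSDocumentValidator only yields CAdESSignature - confirm.
            CAdESSignature cades = (CAdESSignature) signature;
            SignerInformation candidate = addSignaturePolicyStoreIfDigestMatch(cades, signaturePolicyStore);
            // Reference comparison is intentional: a different instance means the attribute was added.
            if (cades.getSignerInformation() != candidate) {
                anyExtended = true;
            }
            updatedSigners.add(candidate);
        }
        if (!anyExtended) {
            throw new IllegalInputException("The process did not find a signature to add SignaturePolicyStore!");
        }
        return CMSSignedData.replaceSigners(cMSSignedData, new SignerInformationStore(updatedSigners));
    }

    /**
     * Adds the policy store to the single signature identified by {@code str}.
     *
     * @param dSSDocument the CMS signature document; must not be {@code null}
     * @param signaturePolicyStore the store to embed
     * @param str the DSS identifier of the signature to extend
     * @return a new {@link CMSSignedDocument} holding the extended CMS
     * @throws IllegalInputException if the signature is unknown or could not be extended
     */
    public DSSDocument addSignaturePolicyStore(DSSDocument dSSDocument, SignaturePolicyStore signaturePolicyStore, String str) {
        Objects.requireNonNull(dSSDocument, "Signature document must be provided!");
        CMSSignedData originalCms = DSSUtils.toCMSSignedData(dSSDocument);
        CMSSignedData extendedCms = extendCMSSignedData(originalCms, signaturePolicyStore, str);
        return new CMSSignedDocument(CMSUtils.populateDigestAlgorithmSet(extendedCms, originalCms));
    }

    /**
     * Adds the policy store to the signer identified by {@code str}; all other signers are copied
     * as they are (no digest check and no archiveTimestampV2 assertion is run for them).
     *
     * @param cMSSignedData the CMS to extend; must not be {@code null}
     * @param signaturePolicyStore the store to embed
     * @param str the DSS identifier of the signature to extend
     * @return a new {@link CMSSignedData} with the signer set replaced
     * @throws IllegalInputException if no signature has that id, or its policy digest did not match
     */
    public CMSSignedData extendCMSSignedData(CMSSignedData cMSSignedData, SignaturePolicyStore signaturePolicyStore, String str) {
        Objects.requireNonNull(cMSSignedData, "CMSSignedData must be provided!");
        assertConfigurationValid(signaturePolicyStore);
        CMSDocumentValidator validator = new CMSDocumentValidator(cMSSignedData);
        AdvancedSignature target = validator.getSignatureById(str);
        if (target == null) {
            throw new IllegalInputException(String.format("Unable to find a signature with Id : %s!", str));
        }
        List<SignerInformation> updatedSigners = new ArrayList<>();
        for (AdvancedSignature signature : validator.getSignatures()) {
            // NOTE(review): unchecked downcast; presumably CMSDocumentValidator only yields CAdESSignature - confirm.
            CAdESSignature cades = (CAdESSignature) signature;
            if (!target.equals(cades)) {
                updatedSigners.add(cades.getSignerInformation());
                continue;
            }
            SignerInformation candidate = addSignaturePolicyStoreIfDigestMatch(cades, signaturePolicyStore);
            // Same instance back means checkDigest refused the store for the requested signature.
            if (cades.getSignerInformation() == candidate) {
                throw new IllegalInputException(String.format("The process was not able to add SignaturePolicyStore to a signature with Id : %s!", str));
            }
            updatedSigners.add(candidate);
        }
        return CMSSignedData.replaceSigners(cMSSignedData, new SignerInformationStore(updatedSigners));
    }

    /**
     * Returns a signer carrying the policy store when {@link #checkDigest} accepts it, otherwise
     * the signature's original {@link SignerInformation} instance (callers detect "nothing added"
     * by reference equality).
     *
     * @param cAdESSignature the signature to extend
     * @param signaturePolicyStore the store to embed
     * @return the extended signer, or the untouched original instance
     * @throws IllegalInputException if the signer contains an archiveTimestampV2
     */
    protected SignerInformation addSignaturePolicyStoreIfDigestMatch(CAdESSignature cAdESSignature, SignaturePolicyStore signaturePolicyStore) {
        SignerInformation original = cAdESSignature.getSignerInformation();
        assertSignaturePolicyStoreExtensionPossible(original);
        return checkDigest(cAdESSignature, signaturePolicyStore)
                ? addSignaturePolicyStore(original, signaturePolicyStore)
                : original;
    }

    /**
     * Decides whether the store may be attached to the signature.
     *
     * <p>Returns {@code false} when the signature has no signature-policy-identifier or that
     * identifier has no digest. Returns {@code true} <strong>without any comparison</strong> when
     * the store has no policy content (local-URI-only store). Otherwise the provided content is
     * digested with the algorithm taken from the signature's policy digest and compared with it.
     *
     * <p>Side effect: on the comparison path the signature's {@link SignaturePolicy} object gets
     * the provided content assigned via {@code setPolicyContent} before the digest is computed.
     *
     * @param cAdESSignature the signature whose policy digest is the reference value
     * @param signaturePolicyStore the store supplying the candidate policy document
     * @return {@code true} if the store is accepted for this signature
     */
    protected boolean checkDigest(CAdESSignature cAdESSignature, SignaturePolicyStore signaturePolicyStore) {
        SignaturePolicy signaturePolicy = cAdESSignature.getSignaturePolicy();
        if (signaturePolicy == null) {
            LOG.warn("signature-policy-identifier is not defined for a signature with Id : {}", cAdESSignature.getId());
            return false;
        }
        Digest expectedDigest = signaturePolicy.getDigest();
        if (expectedDigest == null) {
            LOG.warn("signature-policy-identifier digest is not found for a signature with Id : {}", cAdESSignature.getId());
            return false;
        }
        DSSDocument policyContent = signaturePolicyStore.getSignaturePolicyContent();
        if (policyContent == null) {
            // Nothing to hash: the store is accepted on the strength of the local URI alone.
            LOG.info("No policy document has been provided. Digests are not checked!");
            return true;
        }
        signaturePolicy.setPolicyContent(policyContent);
        Digest computedDigest = new DefaultSignaturePolicyValidatorLoader()
                .loadValidator(signaturePolicy)
                .getComputedDigest(policyContent, expectedDigest.getAlgorithm());
        boolean matches = expectedDigest.equals(computedDigest);
        if (!matches) {
            LOG.warn("Signature policy's digest {} doesn't match the digest extracted from document {} for signature with Id : {}", computedDigest, expectedDigest, cAdESSignature.getId());
        }
        return matches;
    }

    /**
     * Builds a new signer whose unsigned attributes are the existing ones plus the policy store.
     * The attribute is unsigned, so it is not covered by the signature value.
     */
    private SignerInformation addSignaturePolicyStore(SignerInformation signerInformation, SignaturePolicyStore signaturePolicyStore) {
        return SignerInformation.replaceUnsignedAttributes(
                signerInformation,
                CMSUtils.getUnsignedAttributes(signerInformation)
                        .add(OID.id_aa_ets_sigPolicyStore, getSignaturePolicyStore(signaturePolicyStore)));
    }

    /**
     * Encodes the store as a DER sequence: the SPDocSpecification id, followed by the policy
     * content as an OCTET STRING if present, followed by the local URI as an IA5String if present.
     */
    private ASN1Sequence getSignaturePolicyStore(SignaturePolicyStore signaturePolicyStore) {
        ASN1EncodableVector elements = new ASN1EncodableVector();
        elements.add(DSSASN1Utils.buildSPDocSpecificationId(signaturePolicyStore.getSpDocSpecification().getId()));
        DSSDocument policyContent = signaturePolicyStore.getSignaturePolicyContent();
        if (policyContent != null) {
            elements.add(new DEROctetString(DSSUtils.toByteArray(policyContent)));
        }
        String localUri = signaturePolicyStore.getSigPolDocLocalURI();
        if (localUri != null) {
            // NOTE(review): the URI is caller-supplied and is not validated here; whether this
            // constructor rejects characters outside IA5 should be confirmed.
            elements.add(new DERIA5String(localUri));
        }
        return new DERSequence(elements);
    }

    /**
     * Validates the store before any CMS processing: it must be non-null, name an
     * SpDocSpecification with an id, and hold exactly one of policy content or local URI.
     *
     * @throws NullPointerException if the store, its SpDocSpecification or the id is {@code null}
     * @throws IllegalArgumentException if both or neither of content / local URI are set
     */
    private void assertConfigurationValid(SignaturePolicyStore signaturePolicyStore) {
        Objects.requireNonNull(signaturePolicyStore, "SignaturePolicyStore must be provided");
        Objects.requireNonNull(signaturePolicyStore.getSpDocSpecification(), "SpDocSpecification must be provided");
        Objects.requireNonNull(signaturePolicyStore.getSpDocSpecification().getId(), "ID (OID or URI) for SpDocSpecification must be provided");
        boolean hasContent = signaturePolicyStore.getSignaturePolicyContent() != null;
        boolean hasLocalUri = signaturePolicyStore.getSigPolDocLocalURI() != null;
        // Exactly one must be set; equal flags mean both or neither.
        if (hasContent == hasLocalUri) {
            throw new IllegalArgumentException("SignaturePolicyStore shall contain either SignaturePolicyContent document or sigPolDocLocalURI!");
        }
    }

    /**
     * Refuses to modify a signer that contains an archiveTimestampV2.
     * Presumably that timestamp covers the unsigned attributes, so adding one would invalidate
     * it - confirm against the CAdES specification.
     *
     * @throws IllegalInputException if the signer contains an archiveTimestampV2
     */
    private void assertSignaturePolicyStoreExtensionPossible(SignerInformation signerInformation) {
        if (CMSUtils.containsATSTv2(signerInformation)) {
            throw new IllegalInputException("Cannot add signature policy store to a CAdES containing an archiveTimestampV2");
        }
    }
}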
