package be.fgov.ehealth.technicalconnector.signature.impl;

import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.fgov.ehealth.technicalconnector.signature.AdvancedElectronicSignatureEnumeration;
import be.fgov.ehealth.technicalconnector.signature.SignatureBuilder;
import be.fgov.ehealth.technicalconnector.signature.domain.CadesOption;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationError;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import java.io.IOException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.lang3.ArrayUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSAttributeTableGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Selector;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/impl/CmsSignatureBuilder.class */
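/**
 * {@link SignatureBuilder} that produces and verifies CMS {@code SignedData} structures
 * with BouncyCastle.
 *
 * <p>Loading this class registers {@link BouncyCastleProvider} with {@link Security},
 * which is a JVM-wide side effect (see the static initializer at the end of the class).
 *
 * <p>Verification reports problems through {@link SignatureVerificationResult#addError};
 * callers must inspect the returned result rather than rely on an exception being thrown.
 */
public class CmsSignatureBuilder extends AbstractSignatureBuilder implements SignatureBuilder {
    private static final String MSG_VERIFY_FAILED = "Unable to verify signature";
    private static final Logger LOG = LoggerFactory.getLogger(CmsSignatureBuilder.class);
    // Never reassigned in this class, so they are declared final.
    private static final JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    private static final JcaSimpleSignerInfoVerifierBuilder verifierBuilder = new JcaSimpleSignerInfoVerifierBuilder();
    private final AdvancedElectronicSignatureEnumeration aes;

    /**
     * Selector that accepts every certificate held in a CMS certificate store.
     *
     * <p>The decompiler reports that this class was originally {@code private}; it is only
     * instantiated by {@code extractChain} in this file. Because it matches everything,
     * every certificate embedded in the message (i.e. supplied by whoever produced the
     * signature) ends up in the result's chain.
     */
    public static class X509CertifcateSelector implements Selector<X509CertificateHolder> {
        private X509CertifcateSelector() {
        }

        /** Accepts any certificate holder. */
        @Override
        public boolean match(X509CertificateHolder x509CertificateHolder) {
            return true;
        }

        /** Returns a fresh selector; the selector carries no state. */
        @Override
        public Object clone() {
            return new X509CertifcateSelector();
        }
    }

    /**
     * @param advancedElectronicSignatureEnumeration the signature flavour this builder
     *        reports through {@link #getSupportedAES()}
     */
    public CmsSignatureBuilder(AdvancedElectronicSignatureEnumeration advancedElectronicSignatureEnumeration) {
        this.aes = advancedElectronicSignatureEnumeration;
    }

    /** Returns the signature flavour passed to the constructor. */
    @Override
    public AdvancedElectronicSignatureEnumeration getSupportedAES() {
        return this.aes;
    }

    /**
     * Verifies a CMS signature that may be detached from its content.
     *
     * <p>If the signature carries no encapsulated content, {@code bArr} is attached to it
     * before verification. If it does carry content, a copy of the signature is verified
     * as is.
     *
     * @param bArr the content the signature is expected to cover
     * @param bArr2 the encoded CMS {@code SignedData}
     * @param map verification options, forwarded to {@link #verify(byte[], Map)}
     * @return the verification result; parsing or encoding failures are reported as
     *         {@link SignatureVerificationError#SIGNATURE_COULD_NOT_BE_VERIFIED}
     * @throws TechnicalConnectorException if the delegated verification throws it
     */
    @Override
    public SignatureVerificationResult verify(byte[] bArr, byte[] bArr2, Map<String, Object> map) throws TechnicalConnectorException {
        SignatureVerificationResult failure = new SignatureVerificationResult();
        try {
            // Parse once; the parsed form is only used to find out whether content is embedded.
            CMSSignedData parsed = new CMSSignedData(bArr2);
            byte[] toVerify;
            if (parsed.getSignedContent() == null) {
                LOG.info("Signature has no ecapsulated signature. Adding content.");
                toVerify = new CMSSignedData(new CMSProcessableByteArray(bArr), bArr2).getEncoded();
            } else {
                // NOTE(review): on this path bArr is never consulted, so a successful result
                // does not show that the signature covers the caller's content. Confirm that
                // callers compare the encapsulated content themselves, or that this is intended.
                toVerify = ArrayUtils.clone(bArr2);
            }
            return verify(toVerify, map);
        } catch (CMSException e) {
            LOG.error(MSG_VERIFY_FAILED, e);
            failure.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
            return failure;
        } catch (IOException e2) {
            LOG.error(MSG_VERIFY_FAILED, e2);
            failure.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
            return failure;
        }
    }

    /**
     * XML verification is not offered by the CMS builder.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public SignatureVerificationResult verify(Document document, Element element, Map<String, Object> map) throws TechnicalConnectorException {
        throw new UnsupportedOperationException();
    }

    /**
     * Verifies an encoded CMS {@code SignedData} that carries its own content.
     *
     * <p>The embedded certificates are copied into the result, the chain is validated by
     * the inherited {@code validateChain}, and every {@code SignerInfo} is then checked
     * against the public key of the result's signing certificate. A message that contains
     * no {@code SignerInfo} at all is reported as unverifiable: without this check the
     * loop below would not run and a structure holding only certificates would come back
     * without a signature error.
     *
     * @param bArr the encoded CMS {@code SignedData}
     * @param map verification options handed to {@code validateChain}
     * @return the verification result; any exception raised while verifying is logged and
     *         reported as {@link SignatureVerificationError#SIGNATURE_COULD_NOT_BE_VERIFIED}
     * @throws TechnicalConnectorException declared by the interface; this method catches
     *         all exceptions raised inside its body
     */
    @Override
    public SignatureVerificationResult verify(byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        SignatureVerificationResult result = new SignatureVerificationResult();
        try {
            CMSSignedData signedData = new CMSSignedData(bArr);
            extractChain(result, signedData);
            validateChain(result, map);
            boolean signerSeen = false;
            Iterator<?> signers = signedData.getSignerInfos().iterator();
            while (signers.hasNext()) {
                signerSeen = true;
                SignerInformation signer = (SignerInformation) signers.next();
                // NOTE(review): every signer is checked against the same signing certificate;
                // the signer identifier is not matched to a certificate here.
                if (!signer.verify(verifierBuilder.build(result.getSigningCert().getPublicKey()))) {
                    result.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
                }
            }
            if (!signerSeen) {
                // Fail closed: nothing was cryptographically checked.
                LOG.error(MSG_VERIFY_FAILED + ": no SignerInfo present");
                result.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
            }
        } catch (Exception e) {
            // Deliberately broad: any failure while verifying must surface as an error in the result.
            LOG.error(MSG_VERIFY_FAILED, e);
            result.addError(SignatureVerificationError.SIGNATURE_COULD_NOT_BE_VERIFIED);
        }
        return result;
    }

    /** Signs {@code bArr} with default options; see {@link #sign(Credential, byte[], Map)}. */
    @Override
    public byte[] sign(Credential credential, byte[] bArr) throws TechnicalConnectorException {
        return sign(credential, bArr, null);
    }

    /**
     * Produces an encoded CMS {@code SignedData} over {@code bArr}.
     *
     * <p>Options read from {@code map}: {@code CadesOption.SIGNATUREALGORITHM} (defaults to
     * the inherited {@code determineDefaultAlgo(credential)}),
     * {@code CadesOption.SIGNEDATTRIBUTEGENERATOR} (defaults to a
     * {@link DefaultSignedAttributeTableGenerator}) and {@code "encapsulate"} (defaults to
     * {@code false}, i.e. a detached signature). The credential's certificate chain, when
     * present, is embedded in the output.
     *
     * @param credential supplies the private key, signing certificate and chain
     * @param bArr the content to sign; a copy is taken before use
     * @param map optional settings, may be {@code null}
     * @return the encoded {@code SignedData}
     * @throws TechnicalConnectorException with {@code ERROR_SIGNATURE} if anything fails
     *         while building the signature, or whatever the inherited {@code validateInput}
     *         throws
     */
    @Override
    public byte[] sign(Credential credential, byte[] bArr, Map<String, Object> map) throws TechnicalConnectorException {
        byte[] content = ArrayUtils.clone(bArr);
        // Work on a private copy so the caller's map is never touched.
        Map<String, Object> options = new HashMap<String, Object>();
        if (map != null) {
            options.putAll(map);
        }
        validateInput(credential, content);
        try {
            CMSProcessableByteArray processable = new CMSProcessableByteArray(content);
            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            // NOTE(review): the algorithm name is taken from the caller's options without any
            // check visible in this method; confirm a policy is enforced elsewhere if one is needed.
            String algorithm = (String) SignatureUtils.getOption(CadesOption.SIGNATUREALGORITHM, options, determineDefaultAlgo(credential));
            JcaSignerInfoGeneratorBuilder signerInfoBuilder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
            ContentSigner contentSigner = new JcaContentSignerBuilder(algorithm).build(credential.getPrivateKey());
            signerInfoBuilder.setSignedAttributeGenerator((CMSAttributeTableGenerator) SignatureUtils.getOption(CadesOption.SIGNEDATTRIBUTEGENERATOR, options, new DefaultSignedAttributeTableGenerator()));
            generator.addSignerInfoGenerator(signerInfoBuilder.build(contentSigner, credential.getCertificate()));
            Certificate[] chain = credential.getCertificateChain();
            if (chain != null && chain.length > 0) {
                generator.addCertificates(new JcaCertStore(Arrays.asList(chain)));
            }
            boolean encapsulate = ((Boolean) SignatureUtils.getOption("encapsulate", options, Boolean.FALSE)).booleanValue();
            return generator.generate(processable, encapsulate).getEncoded();
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_SIGNATURE, e, new Object[]{e.getClass().getSimpleName() + " : " + e.getMessage()});
        }
    }

    /**
     * Copies every certificate embedded in {@code cMSSignedData} into the result's chain.
     *
     * <p>No filtering happens here; the certificates come from the message itself and are
     * only as trustworthy as the later chain validation makes them.
     *
     * @throws CertificateException if a certificate holder cannot be converted
     */
    private void extractChain(SignatureVerificationResult signatureVerificationResult, CMSSignedData cMSSignedData) throws CertificateException {
        Iterator<?> holders = cMSSignedData.getCertificates().getMatches(new X509CertifcateSelector()).iterator();
        while (holders.hasNext()) {
            X509CertificateHolder holder = (X509CertificateHolder) holders.next();
            signatureVerificationResult.getCertChain().add(converter.getCertificate(holder));
        }
    }

    static {
        // Registers BouncyCastle for the whole JVM as soon as this class is loaded.
        Security.addProvider(new BouncyCastleProvider());
    }
}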
