package org.apache.poi.poifs.crypt.dsig.services;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Unbox;
import org.apache.poi.logging.PoiLogManager;
import org.apache.poi.poifs.crypt.CryptoFunctions;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.poifs.crypt.dsig.services.TimeStampHttpClient;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;

/* loaded from: input_file:org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.class */
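/**
 * {@link TimeStampService} backed by an RFC 3161 time-stamp authority (TSA) reached
 * over HTTP, with BouncyCastle doing the TSP ASN.1 encoding, decoding and validation.
 *
 * <p>Besides returning the time-stamp token, {@link #timeStamp} collects the TSA signer
 * certificate chain and any CRLs it can locate (from the configured
 * {@link SignatureConfig.CRLEntry} list or, when allowed, by download) into the supplied
 * {@link RevocationData}, so the caller can embed them for long-term validation.
 *
 * <p>This is a cleaned-up form of a decompiled class: the compiler-synthetic enum switch
 * map has been folded back into a plain {@code switch} on the enum.
 */
public class TSPTimeStampService implements TimeStampService {
    private static final Logger LOG = PoiLogManager.getLogger(TSPTimeStampService.class);

    /** {@code DistributionPointName} type for a "fullName" choice (BC {@code DistributionPointName.FULL_NAME}). */
    private static final int DP_NAME_FULL_NAME = 0;

    /** {@code GeneralName} tag for uniformResourceIdentifier (BC {@code GeneralName.uniformResourceIdentifier}). */
    private static final int GENERAL_NAME_URI = 6;

    /**
     * Maps a POI hash algorithm to the digest OID used in the TSP message imprint.
     *
     * <p>SHA-1 is still accepted for compatibility with older TSAs; callers wanting a
     * collision-resistant imprint should configure SHA-256 or stronger.
     *
     * @param hashAlgorithm the configured TSP digest algorithm
     * @return the matching digest algorithm OID
     * @throws IllegalArgumentException if the algorithm has no TSP mapping
     * @throws NullPointerException if {@code hashAlgorithm} is {@code null}
     */
    public ASN1ObjectIdentifier mapDigestAlgoToOID(HashAlgorithm hashAlgorithm) {
        switch (hashAlgorithm) {
            case sha1:
                return X509ObjectIdentifiers.id_SHA1;
            case sha256:
                return NISTObjectIdentifiers.id_sha256;
            case sha384:
                return NISTObjectIdentifiers.id_sha384;
            case sha512:
                return NISTObjectIdentifiers.id_sha512;
            default:
                throw new IllegalArgumentException("unsupported digest algo: " + hashAlgorithm);
        }
    }

    /**
     * Requests a time-stamp token for {@code bArr} from the configured TSA and collects
     * the TSA certificate chain plus CRLs into {@code revocationData}.
     *
     * <p>Steps: digest the data, build a TSP request with a fresh random nonce, POST it,
     * validate the response against the request (nonce, imprint, policy), locate the TSA
     * signer certificate in the token, walk its issuer chain, verify the token signature
     * with the signer certificate and finally run the optional {@code TspValidator}.
     *
     * @param signatureInfo provides the {@link SignatureConfig} (TSA URL, digest, policy, HTTP client)
     * @param bArr the data to be time-stamped; only its digest is sent to the TSA
     * @param revocationData receives the signer chain certificates and located CRLs
     * @return the DER-encoded time-stamp token
     * @throws IOException if the HTTP request is not successful
     * @throws IllegalStateException if the response is empty, the TSA reported an error
     *         status, or the token does not carry its signer certificate
     * @throws Exception for TSP/CMS validation failures (thrown by BouncyCastle)
     */
    @Override // org.apache.poi.poifs.crypt.dsig.services.TimeStampService
    public byte[] timeStamp(SignatureInfo signatureInfo, byte[] bArr, RevocationData revocationData) throws Exception {
        SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
        HashAlgorithm tspDigestAlgo = signatureConfig.getTspDigestAlgo();
        byte[] digest = CryptoFunctions.getMessageDigest(tspDigestAlgo).digest(bArr);

        // A 128-bit random nonce: the TSA must echo it back and validate(request) below
        // checks it, which binds the response to this request and rejects replayed ones.
        BigInteger nonce = new BigInteger(128, new SecureRandom());
        TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator();
        requestGenerator.setCertReq(true); // ask the TSA to embed its signing certificate
        String tspRequestPolicy = signatureConfig.getTspRequestPolicy();
        if (tspRequestPolicy != null) {
            requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(tspRequestPolicy));
        }
        TimeStampRequest request = requestGenerator.generate(mapDigestAlgoToOID(tspDigestAlgo), digest, nonce);

        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        tspHttpClient.setContentTypeIn(signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query");
        TimeStampHttpClient.TimeStampHttpClientResponse post = tspHttpClient.post(signatureConfig.getTspUrl(), request.getEncoded());
        if (!post.isOK()) {
            throw new IOException("Requesting timestamp data failed");
        }
        byte[] responseBytes = post.getResponseBytes();
        if (responseBytes == null || responseBytes.length == 0) {
            throw new IllegalStateException("Content-Length is zero");
        }

        TimeStampResponse response = new TimeStampResponse(responseBytes);
        // Cross-checks nonce, message imprint and requested policy against what we sent.
        response.validate(request);
        if (response.getStatus() != 0) {
            logFailedResponse(response);
            throw new IllegalStateException("timestamp response status != 0: " + response.getStatus());
        }

        TimeStampToken token = response.getTimeStampToken();
        // null selector = all certificates embedded in the token. Keyed by subject so the
        // issuer chain can be walked; on duplicate subjects the first certificate wins
        // instead of Collectors.toMap throwing.
        Map<String, X509CertificateHolder> certsBySubject = token.getCertificates().getMatches(null).stream()
            .collect(Collectors.toMap(holder -> holder.getSubject().toString(), Function.identity(), (first, second) -> first));
        X509CertificateHolder signerHolder = findSignerCertificate(token, certsBySubject);

        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        converter.setProvider("BC");
        X509Certificate certificate = converter.getCertificate(signerHolder);

        // Walk up the issuer chain, taking issuers first from the token's own certificates
        // and then from the certificates cached in the SignatureConfig. CRLs are collected
        // for every issuer certificate found.
        // NOTE(review): map keys are X500Name.toString() while lookups use
        // X500Principal.getName() (RFC 2253); if the RDN formatting differs the lookup
        // silently falls through to the cached-certificate path - confirm that is intended.
        Set<String> visitedSubjects = new HashSet<>();
        do {
            if (!visitedSubjects.add(certificate.getSubjectX500Principal().getName())) {
                // A cyclic issuer reference would otherwise loop forever.
                LOG.atWarn().log("cyclic issuer chain detected at {}", certificate.getSubjectX500Principal());
                break;
            }
            revocationData.addCertificate(certificate);
            X500Principal issuerPrincipal = certificate.getIssuerX500Principal();
            if (certificate.getSubjectX500Principal().equals(issuerPrincipal)) {
                break; // reached a self-signed certificate
            }
            String issuerName = issuerPrincipal.getName();
            X509CertificateHolder issuerHolder = certsBySubject.get(issuerName);
            certificate = issuerHolder != null
                ? converter.getCertificate(issuerHolder)
                : signatureConfig.getCachedCertificateByPrinicipal(issuerName);
            if (certificate != null) {
                retrieveCRL(signatureConfig, certificate).forEach(revocationData::addCRL);
            }
        } while (certificate != null);

        // Verifies the CMS signature over the TSTInfo with the signer certificate.
        // NOTE(review): the verifier builder is RSA-specific; a TSA signing with another
        // key type would fail here - confirm that only RSA TSAs are expected.
        timeStampToken_validate(token, signerHolder);
        if (signatureConfig.getTspValidator() != null) {
            signatureConfig.getTspValidator().validate(revocationData.getX509chain(), revocationData);
        }
        LOG.atDebug().log("time-stamp token time: {}", token.getTimeStampInfo().getGenTime());
        return token.getEncoded();
    }

    /** Validates the token's CMS signature against the given signer certificate. */
    private static void timeStampToken_validate(TimeStampToken token, X509CertificateHolder signerHolder) throws Exception {
        token.validate(new BcRSASignerInfoVerifierBuilder(
            new DefaultCMSSignatureAlgorithmNameGenerator(),
            new DefaultSignatureAlgorithmIdentifierFinder(),
            new DefaultDigestAlgorithmIdentifierFinder(),
            new BcDigestCalculatorProvider()).build(signerHolder));
    }

    /** Logs the TSA's status details at debug level for a non-granted response. */
    private static void logFailedResponse(TimeStampResponse response) {
        LOG.atDebug().log("status: {}", Unbox.box(response.getStatus()));
        LOG.atDebug().log("status string: {}", response.getStatusString());
        PKIFailureInfo failInfo = response.getFailInfo();
        if (failInfo != null) {
            LOG.atDebug().log("fail info int value: {}", Unbox.box(failInfo.intValue()));
            // PKIFailureInfo is a bit string; test the bit rather than requiring it to be the only one set.
            if ((failInfo.intValue() & PKIFailureInfo.unacceptedPolicy) != 0) {
                LOG.atDebug().log("unaccepted policy");
            }
        }
    }

    /**
     * Locates the certificate the token's SignerInfo refers to (by issuer and serial number)
     * among the certificates embedded in the token.
     *
     * @throws IllegalStateException if the signer id carries no issuer/serial or no
     *         embedded certificate matches it
     */
    private static X509CertificateHolder findSignerCertificate(TimeStampToken token, Map<String, X509CertificateHolder> certsBySubject) {
        SignerId sid = token.getSID();
        BigInteger serialNumber = sid.getSerialNumber();
        X500Name issuer = sid.getIssuer();
        LOG.atDebug().log("signer cert serial number: {}", serialNumber);
        LOG.atDebug().log("signer cert issuer: {}", issuer);
        if (issuer == null || serialNumber == null) {
            // Only the issuerAndSerialNumber form of SignerIdentifier is matched here.
            throw new IllegalStateException("TSP response token signer id has no issuer/serial number");
        }
        return certsBySubject.values().stream()
            .filter(holder -> issuer.equals(holder.getIssuer()) && serialNumber.equals(holder.getSerialNumber()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("TSP response token has no signer certificate"));
    }

    /**
     * Collects the CRLs applicable to a certificate: for every URI in its CRL distribution
     * points extension, the configured entries matching that URL (or a fresh download when
     * none match and downloads are allowed) plus the configured entries matching the
     * certificate's subject. Entries are de-duplicated; entries without bytes are skipped.
     *
     * @param signatureConfig supplies the configured CRL entries and download policy
     * @param x509Certificate the certificate whose CRLs are wanted
     * @return the encoded CRLs, empty if the certificate names no distribution points
     * @throws IOException if the CRL distribution points extension cannot be parsed
     */
    protected List<byte[]> retrieveCRL(SignatureConfig signatureConfig, X509Certificate x509Certificate) throws IOException {
        List<SignatureConfig.CRLEntry> crlEntries = signatureConfig.getCrlEntries();
        Set<SignatureConfig.CRLEntry> entries = new LinkedHashSet<>();
        for (String crlUrl : crlDistributionUrls(x509Certificate)) {
            entries.addAll(crlEntriesFor(signatureConfig, crlEntries, x509Certificate, crlUrl));
        }
        List<byte[]> crls = new ArrayList<>(entries.size());
        for (SignatureConfig.CRLEntry entry : entries) {
            byte[] crlBytes = entry.getCrlBytes();
            if (crlBytes != null) {
                crls.add(crlBytes);
            }
        }
        return crls;
    }

    /**
     * Extracts the URIs named in the certificate's CRL distribution points extension.
     * Only "fullName" distribution points holding uniformResourceIdentifier names are
     * considered; relative names and other name forms are ignored.
     */
    private static List<String> crlDistributionUrls(X509Certificate certificate) throws IOException {
        byte[] extensionValue = certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            return Collections.emptyList();
        }
        CRLDistPoint distPoint = CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
        return Stream.of(distPoint.getDistributionPoints())
            .map(dp -> dp.getDistributionPoint())
            .filter(Objects::nonNull)
            .filter(dpn -> dpn.getType() == DP_NAME_FULL_NAME)
            .flatMap(dpn -> Stream.of(GeneralNames.getInstance(dpn.getName()).getNames()))
            .filter(gn -> gn.getTagNo() == GENERAL_NAME_URI)
            .map(gn -> ASN1IA5String.getInstance(gn.getName()).getString())
            .collect(Collectors.toList());
    }

    /**
     * Resolves the CRL entries for one distribution point URL: configured entries matching
     * the URL, a download if there were none, then configured entries matching the
     * certificate subject (evaluated after the download, since the download may register
     * a new entry in the configuration).
     */
    private List<SignatureConfig.CRLEntry> crlEntriesFor(SignatureConfig signatureConfig, List<SignatureConfig.CRLEntry> crlEntries,
                                                         X509Certificate certificate, String crlUrl) {
        List<SignatureConfig.CRLEntry> matches = new ArrayList<>();
        for (SignatureConfig.CRLEntry entry : crlEntries) {
            if (matchCRLbyUrl(entry, certificate, crlUrl)) {
                matches.add(entry);
            }
        }
        if (matches.isEmpty()) {
            SignatureConfig.CRLEntry downloaded = downloadCRL(signatureConfig, crlUrl);
            if (downloaded != null) {
                matches.add(downloaded);
            }
        }
        for (SignatureConfig.CRLEntry entry : crlEntries) {
            if (matchCRLbyCN(entry, certificate, crlUrl)) {
                matches.add(entry);
            }
        }
        return matches;
    }

    /**
     * Matches a configured CRL entry by its distribution point URL.
     *
     * @param cRLEntry the configured entry
     * @param x509Certificate the certificate being checked (unused in this match)
     * @param str the distribution point URL taken from the certificate
     * @return {@code true} if the entry was registered for exactly this URL
     */
    protected boolean matchCRLbyUrl(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String str) {
        return str.equals(cRLEntry.getCrlURL());
    }

    /**
     * Matches a configured CRL entry by the certificate's subject name.
     * Despite the name, the whole RFC 2253 subject name from
     * {@code getSubjectX500Principal().getName()} is compared, so {@code getCertCN()}
     * must hold the same form (as produced by {@link #downloadCRL}).
     *
     * @param cRLEntry the configured entry
     * @param x509Certificate the certificate being checked
     * @param str the distribution point URL (unused in this match)
     * @return {@code true} if the entry's subject name equals the certificate's subject name
     */
    protected boolean matchCRLbyCN(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String str) {
        return x509Certificate.getSubjectX500Principal().getName().equals(cRLEntry.getCertCN());
    }

    /**
     * Downloads a CRL from {@code str} and registers it in the configuration.
     *
     * <p>The URL originates from a certificate received from the TSA, not from the local
     * configuration, so fetching it is opt-in via {@code isAllowCRLDownload()} and the TSA
     * credentials are cleared on the shared HTTP client before the request.
     *
     * @param signatureConfig supplies the download policy and the HTTP client
     * @param str the CRL URL
     * @return the registered entry, or {@code null} if downloads are disabled, the request
     *         failed or the response did not parse as an X.509 CRL
     */
    protected SignatureConfig.CRLEntry downloadCRL(SignatureConfig signatureConfig, String str) {
        if (!signatureConfig.isAllowCRLDownload()) {
            return null;
        }
        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        // Never send the TSA's basic-auth credentials to whatever host the certificate names.
        // NOTE(review): the client is shared with timeStamp(); init(signatureConfig) is called
        // before every use, which presumably restores the credentials - confirm in TimeStampHttpClient.
        tspHttpClient.setBasicAuthentication(null, null);
        try {
            TimeStampHttpClient.TimeStampHttpClientResponse response = tspHttpClient.get(str);
            if (!response.isOK()) {
                return null;
            }
            byte[] responseBytes = response.getResponseBytes();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509CRL crl = (X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(responseBytes));
            return signatureConfig.addCRL(str, crl.getIssuerX500Principal().getName(), responseBytes);
        } catch (GeneralSecurityException | IOException e) {
            // Best effort: a missing CRL is reported, not fatal; the TspValidator decides what is required.
            LOG.atWarn().withThrowable(e).log("CRL download failed from {}", str);
            return null;
        }
    }
}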
