package org.bouncycastle.mail.smime.validator;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import javax.mail.Address;
import javax.mail.Part;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.Time;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.i18n.ErrorBundle;
import org.bouncycastle.i18n.filter.UntrustedInput;
import org.bouncycastle.jce.PrincipalUtil;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.mail.smime.SMIMESigned;
import org.bouncycastle.x509.CertPathReviewerException;
import org.bouncycastle.x509.PKIXCertPathReviewer;

/* loaded from: input_file:org/bouncycastle/mail/smime/validator/SignedMailValidator.class */
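/**
 * Validates the signature(s) of an S/MIME signed message and reviews each signer's
 * certificate against a set of PKIX parameters.
 * <p>
 * For every signer found in the message the validator
 * <ol>
 *   <li>looks the signer certificate up in the message's own certificates plus the
 *       caller's cert stores,</li>
 *   <li>verifies the CMS signature value with that certificate's public key,</li>
 *   <li>checks the certificate itself (key size, validity span, KeyUsage,
 *       ExtendedKeyUsage, and that one of its e-mail addresses equals a From address),</li>
 *   <li>builds and reviews a certification path with {@link PKIXCertPathReviewer}.</li>
 * </ol>
 * Outcomes are split into <em>errors</em> (any of which makes
 * {@link ValidationResult#isValidSignature()} false) and <em>notifications</em>
 * (informational only). All messages are {@link ErrorBundle}s from
 * {@code SignedMailValidatorMessages}.
 * <p>
 * Path validation is anchored at the signing time asserted in the signer's signed
 * attributes when present; that value is chosen by the signer, so a path that is only
 * valid at the asserted time is reported as valid. When the attribute is absent the
 * current time is used and a {@code noSigningTime} error is recorded.
 * <p>
 * Instances are not thread-safe.
 */
public class SignedMailValidator {
    private static final String RESOURCE_NAME = "org.bouncycastle.mail.smime.validator.SignedMailValidatorMessages";
    private static final String EXT_KEY_USAGE = X509Extensions.ExtendedKeyUsage.getId();
    private static final String SUBJECT_ALTERNATIVE_NAME = X509Extensions.SubjectAlternativeName.getId();
    /** RSA modulus / DSA prime sizes at or below this many bits raise a notification (not an error). */
    private static final int SHORT_KEY_LENGTH = 512;
    /** 30 years of 365.25 days in milliseconds; a longer validity span raises a notification. */
    private static final long THIRTY_YEARS_IN_MILLI_SEC = 946728000000L;

    /** Certificates and CRLs carried inside the signed message, as a "Collection" CertStore. */
    private CertStore certs;
    /** The message's signers, in the order the CMS layer reports them. */
    private SignerInformationStore signers;
    /**
     * Outcome per signer, keyed by the {@link SignerInformation} instances obtained from
     * {@link #signers}; lookups should use those same instances.
     */
    private Map<SignerInformation, ValidationResult> results;
    /** Address parts of the From header (text between '&lt;' and '&gt;' when present, else the whole string). */
    private String[] fromAddresses;

    /**
     * Result of validating one signer.
     * <p>
     * Inner (non-static) class kept as in the original API; it does not use the
     * enclosing instance.
     */
    public class ValidationResult {
        private PKIXCertPathReviewer review;
        private List errors;
        private List notifications;
        private boolean signVerified;

        /**
         * @param pKIXCertPathReviewer the path review, or {@code null} when no path could be reviewed
         * @param z whether the CMS signature value verified with the signer certificate's key
         * @param list errors found ({@link ErrorBundle}s)
         * @param list2 notifications found ({@link ErrorBundle}s)
         */
        ValidationResult(PKIXCertPathReviewer pKIXCertPathReviewer, boolean z, List list, List list2) {
            this.review = pKIXCertPathReviewer;
            this.signVerified = z;
            this.errors = list;
            this.notifications = list2;
        }

        /** @return errors found while validating this signer; each entry is an {@link ErrorBundle} */
        public List getErrors() {
            return this.errors;
        }

        /** @return notifications found while validating this signer; each entry is an {@link ErrorBundle} */
        public List getNotifications() {
            return this.notifications;
        }

        /** @return the certification path review, or {@code null} if no path could be reviewed */
        public PKIXCertPathReviewer getCertPathReview() {
            return this.review;
        }

        /** @return {@code true} if the CMS signature value verified with the signer certificate's public key */
        public boolean isVerifiedSignature() {
            return this.signVerified;
        }

        /**
         * @return {@code true} only when the signature value verified, a path review exists and
         *         found a valid path, and no errors were recorded; notifications are ignored
         */
        public boolean isValidSignature() {
            if (this.review == null || !this.signVerified) {
                return false;
            }
            return this.review.isValidCertPath() && this.errors.isEmpty();
        }
    }

    /**
     * Parses the signed message and validates every signer immediately.
     *
     * @param mimeMessage a {@code multipart/signed} or {@code application/(x-)pkcs7-mime} message
     * @param pKIXParameters trust anchors, cert stores and policy used for path review; cloned,
     *        never modified
     * @throws SignedMailValidatorException if the message is not signed
     *         ({@code noSignedMessage}) or cannot be read ({@code exceptionReadingMessage},
     *         wrapping the underlying exception)
     */
    public SignedMailValidator(MimeMessage mimeMessage, PKIXParameters pKIXParameters) throws SignedMailValidatorException {
        try {
            SMIMESigned signed;
            if (mimeMessage.isMimeType("multipart/signed")) {
                signed = new SMIMESigned((MimeMultipart) mimeMessage.getContent());
            } else if (mimeMessage.isMimeType("application/pkcs7-mime") || mimeMessage.isMimeType("application/x-pkcs7-mime")) {
                signed = new SMIMESigned((Part) mimeMessage);
            } else {
                throw new SignedMailValidatorException(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.noSignedMessage"));
            }
            this.certs = signed.getCertificatesAndCRLs("Collection", "BC");
            this.signers = signed.getSignerInfos();
            this.fromAddresses = extractFromAddresses(mimeMessage.getFrom());
            this.results = new HashMap<SignerInformation, ValidationResult>();
            validateSignatures(pKIXParameters);
        } catch (SignedMailValidatorException e) {
            throw e;
        } catch (Exception e) {
            throw new SignedMailValidatorException(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.exceptionReadingMessage", new Object[]{e.getMessage(), e}), e);
        }
    }

    /**
     * Reduces the From header to bare addresses: the text between the first '&lt;' and the
     * following '&gt;' of each address's string form, or the whole string when no such
     * brackets exist.
     *
     * @param from the From addresses; {@code null} (no From header) yields an empty array, which
     *        later makes every signer fail the e-mail match
     * @return one string per address, in header order
     */
    private static String[] extractFromAddresses(Address[] from) {
        if (from == null) {
            return new String[0];
        }
        String[] addresses = new String[from.length];
        for (int i = 0; i < from.length; i++) {
            String text = from[i].toString();
            int open = text.indexOf('<');
            if (open != -1) {
                int close = text.indexOf('>', open);
                if (close != -1) {
                    text = text.substring(open + 1, close);
                }
            }
            addresses[i] = text;
        }
        return addresses;
    }

    /**
     * Validates every signer of the message and stores a {@link ValidationResult} for each.
     * <p>
     * The caller's parameters are cloned and the message's own certificates are added as an
     * extra cert store. For each signer, the path-review date is set to the signer's asserted
     * signing time (or now, with a {@code noSigningTime} error, when it is absent).
     *
     * @param pKIXParameters parameters to review certification paths against; not modified
     */
    protected void validateSignatures(PKIXParameters pKIXParameters) {
        PKIXParameters usedParameters = (PKIXParameters) pKIXParameters.clone();
        usedParameters.addCertStore(this.certs);

        for (Iterator it = this.signers.getSigners().iterator(); it.hasNext(); ) {
            SignerInformation signer = (SignerInformation) it.next();
            List<ErrorBundle> errors = new ArrayList<ErrorBundle>();
            List<ErrorBundle> notifications = new ArrayList<ErrorBundle>();

            // The signer certificate is the first store match for the signer identifier.
            X509Certificate signerCert = null;
            try {
                List<X509Certificate> matches = findCerts(usedParameters.getCertStores(), signer.getSID());
                if (!matches.isEmpty()) {
                    signerCert = matches.get(0);
                }
            } catch (CertStoreException e) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.exceptionRetrievingSignerCert", new Object[]{e.getMessage(), e}));
            }
            if (signerCert == null) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.noSignerCert"));
                this.results.put(signer, new ValidationResult(null, false, errors, notifications));
                continue;
            }

            boolean verified = verifySignatureValue(signer, signerCert, errors);
            checkSignerCert(signerCert, errors, notifications);

            AttributeTable signedAttributes = signer.getSignedAttributes();
            if (signedAttributes != null && signedAttributes.get(PKCSObjectIdentifiers.id_aa_receiptRequest) != null) {
                notifications.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.signedReceiptRequest"));
            }

            Date signTime = getSignatureTime(signer);
            if (signTime == null) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.noSigningTime"));
                signTime = new Date();
            } else {
                // The signing time is signer-asserted; the certificate is checked at that instant.
                try {
                    signerCert.checkValidity(signTime);
                } catch (CertificateExpiredException e) {
                    errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.certExpired", new Object[]{signTime, signerCert.getNotAfter()}));
                } catch (CertificateNotYetValidException e) {
                    errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.certNotYetValid", new Object[]{signTime, signerCert.getNotBefore()}));
                }
            }
            usedParameters.setDate(signTime);

            this.results.put(signer, reviewCertPath(signerCert, usedParameters, verified, errors, notifications));
        }
    }

    /**
     * Verifies the CMS signature value against the signer certificate's public key.
     *
     * @param signer the signer whose signature is checked
     * @param signerCert the certificate believed to belong to the signer
     * @param errors receives {@code signatureNotVerified} or {@code exceptionVerifyingSignature}
     * @return {@code true} if the signature verified; {@code false} on mismatch or exception
     */
    private static boolean verifySignatureValue(SignerInformation signer, X509Certificate signerCert, List errors) {
        try {
            boolean ok = signer.verify(signerCert.getPublicKey(), "BC");
            if (!ok) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.signatureNotVerified"));
            }
            return ok;
        } catch (Exception e) {
            errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.exceptionVerifyingSignature", new Object[]{e.getMessage(), e}));
            return false;
        }
    }

    /**
     * Builds a certification path for the signer certificate and reviews it.
     * <p>
     * A PKIX {@link CertPathBuilder} is tried first, with the same trust anchors, cert stores,
     * date and revocation setting as {@code params}. If it fails for any reason a path is
     * assembled by hand via {@link #createCertPath} so that {@link PKIXCertPathReviewer} can
     * still report what is wrong with it.
     *
     * @param signerCert the end-entity certificate
     * @param params parameters whose date has already been set to the signing time
     * @param verified whether the signature value verified (copied into the result)
     * @param errors receives {@code certPathInvalid}, the reviewer's own message, or
     *        {@code exceptionCreateCertPath}
     * @param notifications passed through into the result
     * @return the result for this signer; its review is {@code null} when no path could be reviewed
     */
    private ValidationResult reviewCertPath(X509Certificate signerCert, PKIXParameters params, boolean verified, List errors, List notifications) {
        try {
            CertPath certPath;
            try {
                CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
                X509CertSelector target = new X509CertSelector();
                target.setCertificate(signerCert);
                PKIXBuilderParameters buildParams = new PKIXBuilderParameters(params.getTrustAnchors(), target);
                // Without the cert stores the builder has nowhere to find the target or intermediates.
                buildParams.setCertStores(params.getCertStores());
                buildParams.setRevocationEnabled(params.isRevocationEnabled());
                buildParams.setDate(params.getDate());
                certPath = builder.build(buildParams).getCertPath();
            } catch (Exception e) {
                // Builder failed; assemble the best path we can so the reviewer can explain the failure.
                certPath = createCertPath(signerCert, params.getTrustAnchors(), params.getCertStores());
            }
            PKIXCertPathReviewer review = new PKIXCertPathReviewer(certPath, params);
            if (!review.isValidCertPath()) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.certPathInvalid"));
            }
            return new ValidationResult(review, verified, errors, notifications);
        } catch (CertPathReviewerException e) {
            errors.add(e.getErrorMessage());
            return new ValidationResult(null, verified, errors, notifications);
        } catch (GeneralSecurityException e) {
            errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.exceptionCreateCertPath", new Object[]{e.getMessage(), e}));
            return new ValidationResult(null, verified, errors, notifications);
        }
    }

    /**
     * Collects the e-mail addresses of a certificate: the first {@code emailAddress} RDN of the
     * subject DN, followed by every {@code rfc822Name} of the SubjectAlternativeName extension.
     * <p>
     * Parse failures are not reported by this method (the returned vector may then be partial);
     * the validator itself uses the error-collecting variant.
     *
     * @param x509Certificate the certificate to inspect
     * @return the addresses found, as {@link String}s; empty if none or on failure
     */
    protected Vector getEmailAddresses(X509Certificate x509Certificate) {
        return readEmailAddresses(x509Certificate, new ArrayList<ErrorBundle>());
    }

    /**
     * Same as {@link #getEmailAddresses} but records a {@code certGetEmailError} in
     * {@code errors} when the subject or the SubjectAlternativeName extension cannot be parsed.
     *
     * @param cert the certificate to inspect
     * @param errors receives an {@link ErrorBundle} on parse failure
     * @return the addresses found so far (possibly partial after a failure)
     */
    private static Vector readEmailAddresses(X509Certificate cert, List errors) {
        Vector addresses = new Vector();
        try {
            X509Principal subject = PrincipalUtil.getSubjectX509Principal(cert);
            Vector oids = subject.getOIDs();
            Vector values = subject.getValues();
            for (int i = 0; i < oids.size(); i++) {
                if (oids.get(i).equals(X509Principal.EmailAddress)) {
                    addresses.add((String) values.get(i));
                    break; // only the first emailAddress RDN counts
                }
            }

            byte[] altNames = cert.getExtensionValue(SUBJECT_ALTERNATIVE_NAME);
            if (altNames != null) {
                DERSequence generalNames = (DERSequence) getObject(altNames);
                for (int i = 0; i < generalNames.size(); i++) {
                    ASN1TaggedObject name = (ASN1TaggedObject) generalNames.getObjectAt(i);
                    if (name.getTagNo() == 1) { // GeneralName [1] rfc822Name
                        addresses.add(DERIA5String.getInstance(name, true).getString());
                    }
                }
            }
        } catch (Exception e) {
            errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.certGetEmailError", new Object[]{e.getMessage(), e}));
        }
        return addresses;
    }

    /**
     * Decodes an X.509 extension value: the raw value is an OCTET STRING whose contents are the
     * DER encoding of the extension's own structure.
     *
     * @param bArr the bytes returned by {@link X509Certificate#getExtensionValue}
     * @return the decoded inner structure
     * @throws IOException if either layer is not valid DER
     * @throws IllegalArgumentException if the outer layer is not an OCTET STRING
     */
    private static DERObject getObject(byte[] bArr) throws IOException {
        DERObject outer = new ASN1InputStream(bArr).readObject();
        byte[] inner = ASN1OctetString.getInstance(outer).getOctets();
        return new ASN1InputStream(inner).readObject();
    }

    /**
     * Checks properties of the signer certificate that go beyond path validation.
     * <p>
     * Notifications: RSA modulus / DSA prime of at most {@value #SHORT_KEY_LENGTH} bits
     * ({@code shortSigningKey}); validity span longer than thirty years ({@code longValidity}).
     * Errors: KeyUsage present but neither digitalSignature (bit 0) nor nonRepudiation (bit 1)
     * ({@code signingNotPermitted}); ExtendedKeyUsage present but neither anyExtendedKeyUsage
     * nor emailProtection ({@code extKeyUsageNotPermitted}), or unparseable
     * ({@code extKeyUsageError}); no e-mail address in the certificate ({@code noEmailInCert})
     * or unparseable ({@code certGetEmailError}); no certificate address exactly equal to a
     * From address ({@code emailFromCertMismatch}).
     *
     * @param x509Certificate the signer certificate
     * @param list receives errors
     * @param list2 receives notifications
     */
    protected void checkSignerCert(X509Certificate x509Certificate, List list, List list2) {
        int keyBits = keyLengthBits(x509Certificate.getPublicKey());
        if (keyBits != -1 && keyBits <= SHORT_KEY_LENGTH) {
            list2.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.shortSigningKey", new Object[]{Integer.valueOf(keyBits)}));
        }

        long validitySpan = x509Certificate.getNotAfter().getTime() - x509Certificate.getNotBefore().getTime();
        if (validitySpan > THIRTY_YEARS_IN_MILLI_SEC) {
            list2.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.longValidity", new Object[]{x509Certificate.getNotBefore(), x509Certificate.getNotAfter()}));
        }

        // An absent KeyUsage extension imposes no restriction.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && !keyUsage[0] && !keyUsage[1]) {
            list.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.signingNotPermitted"));
        }

        checkExtendedKeyUsage(x509Certificate, list);

        Vector certAddresses = readEmailAddresses(x509Certificate, list);
        if (certAddresses.isEmpty()) {
            list.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.noEmailInCert"));
            return;
        }
        if (!matchesFromAddress(certAddresses)) {
            // From addresses and certificate addresses are attacker-influenced; wrap them for the message filter.
            list.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.emailFromCertMismatch", new Object[]{new UntrustedInput(Arrays.toString(this.fromAddresses)), new UntrustedInput(certAddresses)}));
        }
    }

    /**
     * @param publicKey the certificate's public key
     * @return the RSA modulus or DSA prime size in bits, or {@code -1} for other key types
     */
    private static int keyLengthBits(PublicKey publicKey) {
        if (publicKey instanceof RSAPublicKey) {
            return ((RSAPublicKey) publicKey).getModulus().bitLength();
        }
        if (publicKey instanceof DSAPublicKey) {
            return ((DSAPublicKey) publicKey).getParams().getP().bitLength();
        }
        return -1;
    }

    /**
     * Records {@code extKeyUsageNotPermitted} if an ExtendedKeyUsage extension is present and
     * lists neither anyExtendedKeyUsage nor emailProtection, and {@code extKeyUsageError} if
     * the extension cannot be decoded. An absent extension imposes no restriction.
     *
     * @param cert the signer certificate
     * @param errors receives the error bundle, if any
     */
    private static void checkExtendedKeyUsage(X509Certificate cert, List errors) {
        try {
            byte[] extensionValue = cert.getExtensionValue(EXT_KEY_USAGE);
            if (extensionValue == null) {
                return;
            }
            ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.getInstance(getObject(extensionValue));
            boolean permitted = extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.anyExtendedKeyUsage)
                    || extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_emailProtection);
            if (!permitted) {
                errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.extKeyUsageNotPermitted"));
            }
        } catch (Exception e) {
            errors.add(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.extKeyUsageError", new Object[]{e.getMessage(), e}));
        }
    }

    /**
     * @param certAddresses addresses taken from the certificate
     * @return {@code true} if any From address is exactly equal (case-sensitive
     *         {@link String#equals}) to any certificate address
     */
    private boolean matchesFromAddress(Vector certAddresses) {
        for (int i = 0; i < this.fromAddresses.length; i++) {
            if (certAddresses.contains(this.fromAddresses[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the signing time from the signer's signed attributes.
     *
     * @param signerInformation the signer
     * @return the first value of the {@code signingTime} signed attribute, or {@code null} if
     *         there are no signed attributes, no such attribute, or the attribute has no values
     */
    protected Date getSignatureTime(SignerInformation signerInformation) {
        AttributeTable signedAttributes = signerInformation.getSignedAttributes();
        if (signedAttributes == null) {
            return null;
        }
        Attribute signingTime = signedAttributes.get(CMSAttributes.signingTime);
        if (signingTime == null || signingTime.getAttrValues().size() == 0) {
            return null;
        }
        return Time.getInstance(signingTime.getAttrValues().getObjectAt(0).getDERObject()).getDate();
    }

    /**
     * Collects every certificate matching {@code x509CertSelector} from all of the given stores.
     *
     * @param list the {@link CertStore}s to query
     * @param x509CertSelector the selector to apply
     * @return the matches, in store order; never {@code null}
     * @throws CertStoreException if a store fails
     */
    private static List<X509Certificate> findCerts(List list, X509CertSelector x509CertSelector) throws CertStoreException {
        List<X509Certificate> found = new ArrayList<X509Certificate>();
        for (Iterator stores = list.iterator(); stores.hasNext(); ) {
            CertStore store = (CertStore) stores.next();
            for (Iterator matches = store.getCertificates(x509CertSelector).iterator(); matches.hasNext(); ) {
                found.add((X509Certificate) matches.next());
            }
        }
        return found;
    }

    /**
     * Assembles a certification path by hand, used when the PKIX builder fails.
     * <p>
     * Starting from the signer certificate, each step first tries the trust anchors (name match
     * plus signature check); if none matches, the first store certificate whose subject equals
     * the current issuer and which is not already on the path becomes the next link. Walking
     * stops when a trust anchor signs the current certificate or no fresh issuer exists. When an
     * anchor was reached and the stores hold a self-issued certificate for it whose key verifies
     * the last link, that certificate is appended as well.
     * <p>
     * Certificates already on the path are never revisited, so cross-signed pairs in the
     * stores cannot make the walk loop. The resulting path is only a candidate; its
     * correctness is decided by {@link PKIXCertPathReviewer}.
     *
     * @param x509Certificate the end-entity certificate
     * @param set the {@link TrustAnchor}s
     * @param list the {@link CertStore}s to search for issuers
     * @return the path, end-entity first
     * @throws GeneralSecurityException if a store or the certificate factory fails
     */
    protected CertPath createCertPath(X509Certificate x509Certificate, Set set, List list) throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        chain.add(x509Certificate);
        X509Certificate current = x509Certificate;
        boolean anchored = false;

        while (current != null && !anchored) {
            anchored = isSignedByTrustAnchor(current, set);
            if (!anchored) {
                X509Certificate issuer = findFreshIssuer(current, list, chain);
                if (issuer != null) {
                    chain.add(issuer);
                }
                current = issuer;
            }
        }

        if (anchored) {
            X509CertSelector anchorSelector = new X509CertSelector();
            anchorSelector.setSubject(current.getIssuerX500Principal());
            anchorSelector.setIssuer(current.getIssuerX500Principal());
            for (Iterator it = findCerts(list, anchorSelector).iterator(); it.hasNext(); ) {
                X509Certificate candidate = (X509Certificate) it.next();
                try {
                    current.verify(candidate.getPublicKey(), "BC");
                    chain.add(candidate);
                    break;
                } catch (GeneralSecurityException ignored) {
                    // not the key that signed the last link; try the next self-issued match
                }
            }
        }

        return CertificateFactory.getInstance("X.509", "BC").generateCertPath(chain);
    }

    /**
     * @param cert the certificate to check
     * @param anchors the {@link TrustAnchor}s
     * @return {@code true} if some anchor's name equals {@code cert}'s issuer and the anchor's
     *         key verifies {@code cert}'s signature; name matches whose signature check fails
     *         are skipped
     */
    private static boolean isSignedByTrustAnchor(X509Certificate cert, Set anchors) {
        for (Iterator it = anchors.iterator(); it.hasNext(); ) {
            TrustAnchor anchor = (TrustAnchor) it.next();
            X509Certificate anchorCert = anchor.getTrustedCert();
            PublicKey anchorKey;
            if (anchorCert != null) {
                if (!anchorCert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                    continue;
                }
                anchorKey = anchorCert.getPublicKey();
            } else {
                if (!anchor.getCAName().equals(cert.getIssuerX500Principal().getName())) {
                    continue;
                }
                anchorKey = anchor.getCAPublicKey();
            }
            try {
                cert.verify(anchorKey, "BC");
                return true;
            } catch (Exception ignored) {
                // issuer name matched but the signature did not; keep looking
            }
        }
        return false;
    }

    /**
     * @param cert the certificate whose issuer is sought
     * @param certStores the {@link CertStore}s to search
     * @param chain certificates already on the path; candidates in it are skipped
     * @return the first store certificate whose subject equals {@code cert}'s issuer and which
     *         is not already on the path, or {@code null}
     * @throws CertStoreException if a store fails
     */
    private static X509Certificate findFreshIssuer(X509Certificate cert, List certStores, List<X509Certificate> chain) throws CertStoreException {
        X509CertSelector bySubject = new X509CertSelector();
        bySubject.setSubject(cert.getIssuerX500Principal());
        for (Iterator it = findCerts(certStores, bySubject).iterator(); it.hasNext(); ) {
            X509Certificate candidate = (X509Certificate) it.next();
            if (!chain.contains(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /** @return the certificates and CRLs carried inside the message */
    public CertStore getCertsAndCRLs() {
        return this.certs;
    }

    /** @return the message's signers */
    public SignerInformationStore getSignerInformationStore() {
        return this.signers;
    }

    /**
     * @param signerInformation a signer obtained from {@link #getSignerInformationStore()}
     * @return the validation result for that signer
     * @throws SignedMailValidatorException ({@code wrongSigner}) if no signer in this message has
     *         the given signer identifier
     */
    public ValidationResult getValidationResult(SignerInformation signerInformation) throws SignedMailValidatorException {
        boolean known = !this.signers.getSigners(signerInformation.getSID()).isEmpty();
        if (!known) {
            throw new SignedMailValidatorException(new ErrorBundle(RESOURCE_NAME, "SignedMailValidator.wrongSigner"));
        }
        return this.results.get(signerInformation);
    }
}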
