package es.gob.afirma.signvalidation;

import es.gob.afirma.core.AOException;
import es.gob.afirma.core.AOInvalidFormatException;
import es.gob.afirma.core.signers.AOSigner;
import es.gob.afirma.signers.cades.AOCAdESSigner;
import es.gob.afirma.signers.cms.AOCMSSigner;
import es.gob.afirma.signvalidation.SignValidity;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cms.CMSException;
import org.spongycastle.cms.CMSProcessableByteArray;
import org.spongycastle.cms.CMSSignedData;
import org.spongycastle.cms.CMSSignerDigestMismatchException;
import org.spongycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.spongycastle.cms.SignerInformation;
import org.spongycastle.cms.SignerInformationVerifier;
import org.spongycastle.jce.provider.BouncyCastleProvider;
import org.spongycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.bc.BcDigestCalculatorProvider;
import org.spongycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.spongycastle.util.Store;

/* loaded from: input_file:es/gob/afirma/signvalidation/ValidateBinarySignature.class */
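/**
 * Validates binary (CAdES / CMS) signatures.
 *
 * <p>An {@code OK} result means that every SignerInfo in the signature verified
 * cryptographically against the matching certificate <em>embedded in the signature
 * itself</em> and, when requested, that this certificate is inside its validity
 * period at the time of the call. Nothing in this class builds a certification
 * path, checks a trust anchor or consults revocation data, so an {@code OK} result
 * does not establish who the signer is. Callers that need signer trust must
 * validate the signing certificates separately.
 */
public final class ValidateBinarySignature implements SignValider {

    /** Logger used for validation diagnostics. */
    private static final Logger LOGGER = Logger.getLogger("es.gob.afirma");

    /**
     * Validates a signature that carries its own data, checking certificate validity periods.
     *
     * @param sign Encoded signature.
     * @return Validation result.
     * @throws IOException Declared by {@link SignValider}; see {@link #validate(byte[], byte[], boolean)}.
     */
    @Override
    public SignValidity validate(final byte[] sign) throws IOException {
        return validate(sign, null, true);
    }

    /**
     * Validates a signature that carries its own data.
     *
     * @param sign Encoded signature.
     * @param checkCertificates {@code true} to reject signer certificates that are expired
     *        or not yet valid at the time of the call; {@code false} skips only that check.
     * @return Validation result.
     * @throws IOException Declared by {@link SignValider}; see {@link #validate(byte[], byte[], boolean)}.
     */
    @Override
    public SignValidity validate(final byte[] sign, final boolean checkCertificates) throws IOException {
        // Forward the caller's flag: a hard-coded value here would make this overload
        // behave exactly like validate(byte[]) and silently ignore its parameter.
        return validate(sign, null, checkCertificates);
    }

    /**
     * Validates a signature against externally supplied data, checking certificate validity periods.
     *
     * @param sign Encoded signature.
     * @param data Signed data, or {@code null} to use the data contained in the signature.
     * @return Validation result.
     * @throws IOException See {@link #validate(byte[], byte[], boolean)}.
     */
    public static SignValidity validate(final byte[] sign, final byte[] data) throws IOException {
        return validate(sign, data, true);
    }

    /**
     * Validates a CAdES or CMS signature.
     *
     * <p>Every failure raised while verifying the signers (digest mismatch, certificate outside
     * its validity period, missing signer certificate, invalid signature value, parsing errors)
     * is mapped to a {@code KO} result, so a signature is only reported as {@code OK} when
     * verification ran to completion.
     *
     * @param sign Encoded signature.
     * @param data Signed data, or {@code null} to use the data contained in the signature.
     * @param checkCertificates {@code true} to reject signer certificates that are expired
     *        or not yet valid at the time of the call.
     * @return Validation result.
     * @throws IOException Declared for callers; may come from the signer calls made before
     *         verification starts.
     * @throws IllegalArgumentException If {@code sign} is {@code null}.
     */
    public static SignValidity validate(final byte[] sign, final byte[] data, final boolean checkCertificates) throws IOException {
        if (sign == null) {
            throw new IllegalArgumentException("La firma a validar no puede ser nula");
        }

        // Try CAdES first and fall back to plain CMS.
        AOSigner signer = new AOCAdESSigner();
        if (!signer.isSign(sign)) {
            signer = new AOCMSSigner();
            if (!signer.isSign(sign)) {
                return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.NO_SIGN);
            }
        }

        // Without external data the signature must contain the signed content.
        if (data == null) {
            try {
                if (signer.getData(sign) == null) {
                    LOGGER.info("Se ha pedido validar una firma explicita sin proporcionar los datos firmados");
                    return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.UNKNOWN, SignValidity.VALIDITY_ERROR.NO_DATA);
                }
            }
            // NOTE(review): the more specific type is caught first so that its handler stays
            // reachable if AOInvalidFormatException extends AOException (not visible in this file).
            catch (final AOInvalidFormatException e) {
                LOGGER.info("Se ha pedido validar una firma como CAdES, pero no es CAdES: " + e);
                return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.NO_SIGN, e);
            }
            catch (final AOException e) {
                LOGGER.info("Se encontraron datos en la firma y no se pudieron extraer: " + e);
                return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.UNKOWN_ERROR);
            }
        }

        // The verification call itself must sit inside the try block: these handlers are what
        // turn a failed verification into a KO result instead of an escaping exception.
        try {
            verifySignatures(
                sign,
                data != null ? data : new AOCAdESSigner().getData(sign),
                checkCertificates
            );
        }
        catch (final CMSSignerDigestMismatchException e) {
            return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.NO_MATCH_DATA, e);
        }
        catch (final CertificateExpiredException e) {
            return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.CERTIFICATE_EXPIRED, e);
        }
        catch (final CertificateNotYetValidException e) {
            return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, SignValidity.VALIDITY_ERROR.CERTIFICATE_NOT_VALID_YET, e);
        }
        catch (final Exception e) {
            // Fail closed: anything unexpected during verification is an invalid signature.
            return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.KO, null, e);
        }

        return new SignValidity(SignValidity.SIGN_DETAIL_TYPE.OK, null);
    }

    /**
     * Verifies every SignerInfo of a CMS SignedData against the certificate that the
     * signature carries for that signer.
     *
     * <p>Only the signature value and, optionally, the certificate validity period are
     * checked; the certificate is taken from the signature and is not validated against
     * any trust anchor here.
     *
     * @param sign Encoded signature.
     * @param data Signed data, or {@code null} to parse {@code sign} on its own.
     * @param checkCertificates {@code true} to call {@link X509Certificate#checkValidity()}
     *        (current time) on each signer certificate.
     * @throws CMSException If the signature has no signers, a signer has no matching
     *         certificate in the signature, or a signature value does not verify.
     * @throws CertificateException If a certificate cannot be decoded or is outside its validity period.
     * @throws IOException If a certificate cannot be encoded for decoding.
     * @throws OperatorCreationException If the content verifier cannot be built.
     */
    private static void verifySignatures(final byte[] sign, final byte[] data, final boolean checkCertificates) throws CMSException, CertificateException, IOException, OperatorCreationException {
        final CMSSignedData signedData = data == null
            ? new CMSSignedData(sign)
            : new CMSSignedData(new CMSProcessableByteArray(data), sign);
        final Store certificates = signedData.getCertificates();
        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        // One provider instance is enough for all signers.
        final BouncyCastleProvider provider = new BouncyCastleProvider();

        boolean signerFound = false;
        for (final SignerInformation signerInformation : signedData.getSignerInfos().getSigners()) {
            signerFound = true;

            // A signer whose certificate is not included in the signature cannot be verified here.
            final java.util.Iterator<?> matches =
                certificates.getMatches(new CertHolderBySignerIdSelector(signerInformation.getSID())).iterator();
            if (!matches.hasNext()) {
                throw new CMSException("No se ha encontrado en la firma el certificado de un firmante");
            }
            final X509CertificateHolder holder = (X509CertificateHolder) matches.next();
            final X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(
                new ByteArrayInputStream(holder.getEncoded())
            );

            if (checkCertificates) {
                certificate.checkValidity();
            }

            final SignerInformationVerifier verifier = new SignerInformationVerifier(
                new DefaultCMSSignatureAlgorithmNameGenerator(),
                new DefaultSignatureAlgorithmIdentifierFinder(),
                new JcaContentVerifierProviderBuilder().setProvider(provider).build(certificate),
                new BcDigestCalculatorProvider()
            );
            if (!signerInformation.verify(verifier)) {
                throw new CMSException("Firma no valida");
            }
        }

        // A SignedData without SignerInfos has nothing to verify; letting it fall through
        // would report content that nobody signed as a valid signature.
        if (!signerFound) {
            throw new CMSException("La firma no contiene ningun firmante");
        }
    }
}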
