package eu.europa.esig.dss.spi.x509;

import eu.europa.esig.dss.model.DSSException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/dss-spi-6.1.jar:eu/europa/esig/dss/spi/x509/SignatureIntegrityValidator.class */
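/**
 * Selects, from a set of signing-certificate candidates, the one whose public key
 * verifies the signature. The actual cryptographic check is delegated to
 * {@link #verify(PublicKey)}, which subclasses implement.
 *
 * <p>Security note for callers: a candidate returned by
 * {@link #validate(CandidatesForSigningCertificate)} has only been shown to carry a
 * public key accepted by {@link #verify(PublicKey)}. It may still report
 * {@code isValid() == false} (logged here as not matching a signing certificate
 * reference), so the result must not be treated as a trusted signer on its own.
 *
 * <p>The error list is per-instance state that is replaced on every
 * {@code validate(...)} call, and no synchronization is done here; sharing one instance
 * across threads would mix up the collected messages.
 */
public abstract class SignatureIntegrityValidator {
    private static final Logger LOG = LoggerFactory.getLogger(SignatureIntegrityValidator.class);

    // Failure reasons collected by the most recent validate(...) call; null until it has run.
    private List<String> errorMessages = null;

    /**
     * Determines the signing certificate among the given candidates.
     *
     * <p>The "best" candidate is probed first and returned as soon as its public key
     * verifies the signature; its {@code isValid()} state is not consulted here. If that
     * fails, every other candidate is probed in list order. The search stops at the first
     * candidate that both verifies the signature and reports {@code isValid()}. If none is
     * valid, the last candidate whose key verified the signature is returned.
     *
     * @param candidatesForSigningCertificate the candidates to probe
     * @return the selected candidate, or {@code null} when no candidate's public key
     *         verifies the signature; callers should still check {@code isValid()} on a
     *         non-null result
     */
    public CertificateValidity validate(CandidatesForSigningCertificate candidatesForSigningCertificate) {
        this.errorMessages = new ArrayList<>();
        if (candidatesForSigningCertificate.isEmpty()) {
            this.errorMessages.add("There is no signing certificate within the signature or certificate pool.");
        }
        LOG.debug("Determining signing certificate from certificate candidates list...");

        CertificateValidity bestCandidate = candidatesForSigningCertificate.getTheBestCandidate();
        if (bestCandidate != null) {
            try {
                if (isSignatureIntact(bestCandidate)) {
                    return bestCandidate;
                }
                this.errorMessages.add("Signature verification failed against the best candidate.");
            } catch (DSSException e) {
                LOG.debug("Exception while probing the best candidate certificate as signing certificate: {}", e.getMessage());
                this.errorMessages.add("Best candidate validation failed : " + e.getMessage());
            }
        }

        CertificateValidity matchingCandidate = null;
        // Numbering used in the error messages; the best candidate is skipped and not counted.
        int index = 0;
        for (CertificateValidity candidate : candidatesForSigningCertificate.getCertificateValidityList()) {
            if (candidate == bestCandidate) {
                // Already probed above (identity comparison, as the same object is expected in the list).
                continue;
            }
            String prefix = "Certificate #" + (index + 1) + ": ";
            try {
                if (isSignatureIntact(candidate)) {
                    matchingCandidate = candidate;
                    if (candidate.isValid()) {
                        // NOTE(review): assumes a valid candidate always has a certificate token,
                        // unlike the null-guarded branch below; confirm against CertificateValidity.
                        LOG.info("Determining signing certificate from certificate candidates list succeeded : {}", candidate.getCertificateToken().getDSSIdAsString());
                        break;
                    }
                    // The key verifies the signature but the candidate is not valid: keep it as a
                    // fallback result and continue looking for a valid one.
                    if (candidate.getCertificateToken() != null) {
                        LOG.warn("The signing certificate candidate '{}' does not match a signing certificate reference!", candidate.getCertificateToken().getDSSIdAsString());
                    }
                } else {
                    this.errorMessages.add(prefix + "Signature verification failed");
                }
            } catch (DSSException e) {
                LOG.debug("Exception while probing candidate certificate as signing certificate: {}", e.getMessage());
                this.errorMessages.add(prefix + e.getMessage());
            }
            index++;
        }

        // Fix: the previous condition was the constant "0 == 0", so the failure warning was
        // emitted on every run that reached this point, including successful ones. Warn only
        // when no candidate verified the signature, to keep the log usable for detection.
        if (matchingCandidate == null) {
            LOG.warn("Determining signing certificate from certificate candidates list failed: {}", this.errorMessages);
        }
        return matchingCandidate;
    }

    /**
     * Probes one candidate by passing its public key to {@link #verify(PublicKey)}.
     *
     * @param certificateValidity the candidate to probe
     * @return {@code true} when {@code verify} accepts the candidate's public key
     */
    private boolean isSignatureIntact(CertificateValidity certificateValidity) {
        boolean verified = verify(certificateValidity.getPublicKey());
        if (verified) {
            LOG.debug("Public key matching the signature value found.");
        }
        return verified;
    }

    /**
     * Checks the signature against the supplied public key.
     *
     * @param publicKey the candidate public key
     * @return {@code true} if the key is accepted for the signature, {@code false} otherwise
     * @throws DSSException if the check cannot be carried out; {@code validate(...)} records
     *         the exception message and moves on to the next candidate
     */
    protected abstract boolean verify(PublicKey publicKey) throws DSSException;

    /**
     * Returns the failure reasons collected by the last {@code validate(...)} call.
     *
     * <p>The returned list is the live internal list, not a copy. Entries may embed
     * {@link DSSException} messages verbatim, so treat them as diagnostic text.
     *
     * @return the collected error messages (possibly empty)
     * @throws IllegalStateException if {@code validate(...)} has not been called yet
     */
    public List<String> getErrorMessages() {
        if (this.errorMessages == null) {
            throw new IllegalStateException("The validate(candiates) method shall be proceeded before!");
        }
        return this.errorMessages;
    }
}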
