package de.gematik.rbellogger.util.email_crypto;

import de.gematik.rbellogger.util.CryptoLoader;
import de.gematik.rbellogger.util.RbelException;
import eu.europa.esig.dss.cades.validation.CAdESSignature;
import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.InMemoryDocument;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.executor.ValidationLevel;
import eu.europa.esig.dss.validation.reports.Reports;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.util.CollectionStore;

/* loaded from: input_file:BOOT-INF/lib/tiger-rbel-3.1.3.jar:de/gematik/rbellogger/util/email_crypto/SignatureVerification.class */
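/**
 * Runs a DSS validation over a CAdES/CMS-signed message and extracts the signed payload.
 *
 * <p><b>Trust model:</b> the only trust anchor handed to the validator is a certificate taken
 * from the message being validated (see {@link #generateVerifierFromCertificate}). A passing
 * indication therefore shows that the CMS structure is consistent with a certificate it carries.
 * It does not show that the signer chains to any externally trusted authority, because anyone
 * able to produce the message can embed a certificate of their own. Treat the result as
 * diagnostic information, not as proof of the sender's identity.
 */
public class SignatureVerification {
    // Signed attribute that must be present; judging by the constant's name it carries the
    // KOM-LE recipient e-mail addresses.
    private static final String OID_KOMLE_RECIPIENT_EMAILS = "1.2.276.0.76.4.173";

    private SignatureVerification() {
    }

    /**
     * Validates the first signature of the given signed document and returns the signed content
     * together with the validation reports.
     *
     * <p>Only the signature at index 0 is inspected. The reports are marked as failed when the
     * recipient-emails signed attribute is missing, see
     * {@link #checkSignedKimMessageForRecipientEmails}.
     *
     * @param bArr the encoded signed document; it is parsed as received, so it must be treated
     *     as untrusted input
     * @return the original (signed) document bytes and the DSS reports
     * @throws IOException if the embedded certificate cannot be encoded or the original document
     *     cannot be written out
     * @throws RbelException if the document holds no signature, no embedded certificate or no
     *     original document, or if the report's signature count is not exactly one while the
     *     recipient attribute is missing
     */
    public static VerificationResult validate(byte[] bArr) throws IOException {
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(new InMemoryDocument(bArr));
        // The input is attacker-controllable: report an unsigned document explicitly instead of
        // failing with an IndexOutOfBoundsException.
        if (validator.getSignatures().isEmpty()) {
            throw new RbelException("The document does not contain a signature.");
        }
        CAdESSignature signature = (CAdESSignature) validator.getSignatures().get(0);

        CollectionStore embeddedCertificates = (CollectionStore) signature.getCmsSignedData().getCertificates();
        if (!embeddedCertificates.iterator().hasNext()) {
            throw new RbelException("The signature does not carry a certificate.");
        }
        // NOTE(review): this is whichever certificate the store returns first. Nothing here
        // matches it against the signer identifier, so it is not necessarily the signer's
        // certificate, and it is always chosen by the sender of the message.
        X509CertificateHolder firstCertificate = (X509CertificateHolder) embeddedCertificates.iterator().next();

        validator.setValidationLevel(ValidationLevel.BASIC_SIGNATURES);
        validator.setCertificateVerifier(generateVerifierFromCertificate(firstCertificate));
        // The constraints applied are defined in SignatureVerificationParameters, outside this class.
        Reports reports = validator.validateDocument(SignatureVerificationParameters.SIGNATURE_CONSTRAINTS_PARAMETERS);
        checkSignedKimMessageForRecipientEmails(signature, reports);

        java.util.List<DSSDocument> originalDocuments = validator.getOriginalDocuments(signature.getId());
        if (originalDocuments.isEmpty()) {
            throw new RbelException("The signature does not cover an extractable document.");
        }
        // The payload is returned whatever the validation outcome is; callers must consult the
        // reports before relying on the content.
        try (ByteArrayOutputStream signedContent = new ByteArrayOutputStream()) {
            originalDocuments.get(0).writeTo(signedContent);
            return new VerificationResult(signedContent.toByteArray(), reports);
        }
    }

    /**
     * Builds a certificate verifier whose sole trusted certificate is the given one.
     *
     * <p>The caller in this class passes a certificate extracted from the message under
     * validation, which makes the message its own trust anchor. Revocation and chain building
     * against an external trust store are not configured here.
     *
     * @param x509CertificateHolder the certificate to install as trusted
     * @return a verifier trusting exactly that certificate
     * @throws IOException if the certificate cannot be encoded
     */
    private static CommonCertificateVerifier generateVerifierFromCertificate(X509CertificateHolder x509CertificateHolder) throws IOException {
        CommonTrustedCertificateSource trustedSource = new CommonTrustedCertificateSource();
        // NOTE(review): getEncoded() is handed to a helper named getCertificateFromPem; the helper
        // is not visible here, presumably it accepts the binary encoding as well. Confirm.
        trustedSource.addCertificate(new CertificateToken(CryptoLoader.getCertificateFromPem(x509CertificateHolder.getEncoded())));
        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trustedSource);
        return verifier;
    }

    /**
     * Downgrades the validation result when the recipient-emails signed attribute is absent.
     *
     * <p>A signature without any signed attributes is handled like one without the recipient
     * attribute. Only the simple report is edited (first entry set to
     * {@link Indication#FAILED}, valid signature count set to 0); other views of
     * {@code reports} are not touched by this method, so consumers should read the simple report
     * to see the downgrade.
     *
     * @param cAdESSignature the signature whose signed attributes are inspected
     * @param reports the reports to mark as failed
     * @throws RbelException if the attribute is missing and the simple report does not hold
     *     exactly one signature
     */
    private static void checkSignedKimMessageForRecipientEmails(CAdESSignature cAdESSignature, Reports reports) {
        // BouncyCastle returns null when the signer info carries no signed attributes at all;
        // without this guard a crafted message would end in a NullPointerException.
        boolean recipientAttributeMissing =
                cAdESSignature.getSignerInformation().getSignedAttributes() == null
                        || cAdESSignature.getSignerInformation().getSignedAttributes().get(new ASN1ObjectIdentifier(OID_KOMLE_RECIPIENT_EMAILS)) == null;
        if (!recipientAttributeMissing) {
            return;
        }
        SimpleReport simpleReport = reports.getSimpleReport();
        if (simpleReport.getSignaturesCount() > 1) {
            throw new RbelException("There are too many signature informations.");
        }
        if (simpleReport.getSignaturesCount() < 1) {
            throw new RbelException("There are too little signature informations.");
        }
        reports.getSimpleReportJaxb().getSignatureOrTimestampOrEvidenceRecord().get(0).setIndication(Indication.FAILED);
        reports.getSimpleReportJaxb().setValidSignaturesCount(0);
    }
}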
