package de.intarsys.tools.functor;

import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/* loaded from: input_file:de/intarsys/tools/functor/ArgsValidator.class */
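/**
 * Validates a detached "argdsig" signature structure against a set of args.
 *
 * <p>Validation has two steps: the signature value is verified with the public key of the
 * first certificate carried inside the signature structure, and the hash recorded in
 * {@code content.signed} is compared with a hash recomputed over the selected args.
 *
 * <p><b>Security notes for callers.</b>
 * <ul>
 *   <li>The verification key is taken from the certificate embedded in the same structure that
 *       carries the signature. Nothing in this class builds or validates a certification path,
 *       checks validity dates, revocation or key usage. A successful {@link #validate} therefore
 *       shows integrity with respect to the embedded key only; the returned certificates must
 *       be validated against a trust anchor before the signer is treated as authenticated.</li>
 *   <li>Only the first certificate is used for verification. Any further certificates are
 *       parsed and returned but not otherwise checked here.</li>
 *   <li>The signature algorithm, digest algorithm and certificate type are read from the
 *       signature structure itself and passed straight to the JCA {@code getInstance} calls.
 *       Restricting them to an allowlist of accepted algorithms is advisable.</li>
 * </ul>
 *
 * <p>{@code updateSignature}, {@code hash}, {@code createSignedContentArgs} and
 * {@code DEFAULT_SELECT} are defined outside this class and are not shown here.
 */
public class ArgsValidator extends ArgsCryptoBase {
    /**
     * Parses every entry below {@code signer.certificates} into a {@link Certificate}.
     *
     * @param iArgs the {@code content} args of the signature structure
     * @return the parsed certificates in index order, never empty
     * @throws ArgsValidationException if an entry has no {@code value}, cannot be parsed, or no
     *     certificate is present at all
     */
    private List<Certificate> loadCertificates(IArgs iArgs) throws ArgsValidationException {
        List<Certificate> certificates = new ArrayList<>();
        IArgs certificateArgs = ArgTools.getArgs(iArgs, "signer.certificates", Args.create());
        for (int i = 0; i < certificateArgs.size(); i++) {
            IArgs entry = ArgTools.getArgs(certificateArgs, String.valueOf(i), Args.create());
            byte[] encoded = ArgTools.getByteArray(entry, "value", null);
            if (encoded == null) {
                throw new ArgsValidationException("certificates." + i + ".value is missing");
            }
            try {
                // NOTE(review): the certificate type is taken from the input; consider pinning it
                // to the expected type instead of accepting any name the provider knows.
                String certificateType =
                        ArgTools.getString(entry, "type", ArgsCryptoBase.DEFAULT_CERTIFICATE_TYPE);
                CertificateFactory factory = CertificateFactory.getInstance(certificateType);
                certificates.add(factory.generateCertificate(new ByteArrayInputStream(encoded)));
            } catch (CertificateException e) {
                throw new ArgsValidationException(e.getLocalizedMessage(), e);
            }
        }
        if (certificates.isEmpty()) {
            throw new ArgsValidationException("signature.content.signer.certificates is missing");
        }
        return certificates;
    }

    /**
     * Validates the signature structure {@code iArgs2} against the args {@code iArgs}.
     *
     * <p>The returned certificates are NOT trust-checked by this class. Callers must validate
     * them against their own trust anchors before relying on the signer identity.
     *
     * @param iArgs the args whose selected content is expected to match the signed hash
     * @param iArgs2 the signature structure (type, version, content)
     * @return the certificates embedded in the signature; the first one verified the signature
     * @throws ArgsValidationException if type or version is unsupported, a required element is
     *     missing, the signature does not verify, or the recomputed hash differs
     */
    public List<Certificate> validate(IArgs iArgs, IArgs iArgs2) throws ArgsValidationException {
        String type = ArgTools.getString(iArgs2, "type", ArgsCryptoBase.TYPE_ARGDSIG);
        String version = ArgTools.getString(iArgs2, "version", ArgsCryptoBase.VERSION_1_0);
        boolean supported = ArgsCryptoBase.TYPE_ARGDSIG.equals(type)
                && ArgsCryptoBase.VERSION_1_0.equals(version);
        if (!supported) {
            throw new ArgsValidationException("Unsupported signature type or version");
        }
        List<Certificate> signerCertificates = validateSignature(iArgs2);
        validateSignedArgsHash(iArgs, iArgs2);
        return signerCertificates;
    }

    /**
     * Verifies the signature value with the public key of the first embedded certificate.
     *
     * @param iArgs the signature structure
     * @return the embedded certificates when the signature verifies
     * @throws ArgsValidationException if the value or certificates are missing, the signature
     *     does not verify, or the JCA reports an error
     */
    private List<Certificate> validateSignature(IArgs iArgs) throws ArgsValidationException {
        IArgs content = ArgTools.getArgs(iArgs, ArgsCryptoBase.ARG_CONTENT, Args.create());
        byte[] signatureValue = ArgTools.getByteArray(content, "value", null);
        if (signatureValue == null) {
            throw new ArgsValidationException("signature.content.value is missing");
        }
        IArgs signedArgs = ArgTools.getArgs(content, ArgsCryptoBase.ARG_SIGNED, Args.create());
        // NOTE(review): the algorithm name comes from the input being validated; an allowlist
        // would keep weak or unexpected algorithms from being selected by the sender.
        String algorithm =
                ArgTools.getString(signedArgs, "algorithm", ArgsCryptoBase.DEFAULT_SIGNATURE_ALGORITHM);
        List<Certificate> certificates = loadCertificates(content);
        try {
            Signature verifier = Signature.getInstance(algorithm);
            // The key is self-supplied by the signature structure: this proves consistency with
            // the embedded certificate, not that the certificate is trusted.
            verifier.initVerify(certificates.get(0));
            // Defined outside this class; presumably feeds the signed args into the verifier.
            updateSignature(verifier, signedArgs);
            if (!verifier.verify(signatureValue)) {
                throw new ArgsValidationException("signature could not be verified");
            }
            return certificates;
        } catch (GeneralSecurityException e) {
            throw new ArgsValidationException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Recomputes the hash over the selected args and compares it with the signed hash.
     *
     * <p>The expected hash is read from {@code hash.raw}, falling back to {@code hash.value}.
     * Which args are hashed is determined by the {@code select} list stored in the signed args
     * (default {@code DEFAULT_SELECT}); presumably args outside that selection are not covered
     * by the signature, so callers should not treat them as authenticated.
     *
     * @param iArgs the args to hash
     * @param iArgs2 the signature structure holding {@code content.signed}
     * @throws ArgsValidationException if no signed hash is present, the hashes differ, or the
     *     JCA reports an error
     */
    private void validateSignedArgsHash(IArgs iArgs, IArgs iArgs2) throws ArgsValidationException {
        IArgs signedArgs = ArgTools.getArgs(iArgs2, "content.signed", Args.create());
        byte[] expectedHash = ArgTools.getByteArray(signedArgs, "hash.raw", null);
        if (expectedHash == null) {
            expectedHash = ArgTools.getByteArray(signedArgs, "hash.value", null);
        }
        if (expectedHash == null) {
            throw new ArgsValidationException("signature.content.signed.hash.raw is missing");
        }
        try {
            // NOTE(review): the digest algorithm is input-controlled as well; see the allowlist
            // remark on the signature algorithm.
            byte[] actualHash = hash(
                    ArgTools.getString(signedArgs, "hash.algorithm", ArgsCryptoBase.DEFAULT_DIGEST_ALGORITHM),
                    createSignedContentArgs(
                            iArgs, ArgTools.getList(signedArgs, ArgsCryptoBase.ARG_SELECT, DEFAULT_SELECT)));
            if (!Arrays.equals(expectedHash, actualHash)) {
                throw new ArgsValidationException("args hash doesn't match the signed hash");
            }
        } catch (GeneralSecurityException e) {
            throw new ArgsValidationException(e.getLocalizedMessage(), e);
        }
    }
}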
