package net.savignano.cryptography.util;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import net.savignano.cryptography.Constants;
import net.savignano.cryptography.enums.EKeyPurpose;
import net.savignano.cryptography.version.FullVersion;
import net.savignano.thirdparty.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import net.savignano.thirdparty.org.bouncycastle.asn1.ASN1Primitive;
import net.savignano.thirdparty.org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import net.savignano.thirdparty.org.bouncycastle.asn1.x500.RDN;
import net.savignano.thirdparty.org.bouncycastle.asn1.x500.X500Name;
import net.savignano.thirdparty.org.bouncycastle.asn1.x500.style.BCStyle;
import net.savignano.thirdparty.org.bouncycastle.cert.X509CertificateHolder;
import net.savignano.thirdparty.org.bouncycastle.cert.jcajce.JcaCertStore;
import net.savignano.thirdparty.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import net.savignano.thirdparty.org.bouncycastle.cms.CMSAbsentContent;
import net.savignano.thirdparty.org.bouncycastle.cms.CMSAlgorithm;
import net.savignano.thirdparty.org.bouncycastle.cms.CMSException;
import net.savignano.thirdparty.org.bouncycastle.cms.CMSSignedData;
import net.savignano.thirdparty.org.bouncycastle.cms.CMSSignedDataGenerator;
import net.savignano.thirdparty.org.bouncycastle.util.Store;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/savignano/cryptography/util/SmimeUtil.class */
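/**
 * Static helpers for working with X.509 certificates in an S/MIME context:
 * looking certificates and private keys up in a {@link KeyStore}, extracting
 * e-mail addresses, checking key purposes and converting between certificate
 * containers.
 *
 * <p>None of the methods here build or verify a certificate chain, check a
 * signature or consult revocation data. Where a method speaks of a "valid"
 * certificate it means only that the current time lies inside the
 * certificate's validity period.
 */
public class SmimeUtil {
    public static final String X509_FACTORY_KEY = "X.509";
    private static final Logger log = LoggerFactory.getLogger(SmimeUtil.class);

    /** GeneralName type tag for rfc822Name, as returned by {@code getSubjectAlternativeNames()}. */
    private static final int GENERAL_NAME_RFC822 = 1;
    /** Index of digitalSignature in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
    /** Index of keyEncipherment in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_KEY_ENCIPHERMENT = 2;

    /**
     * Creates a predicate that accepts certificates listing the given e-mail address.
     *
     * <p>The comparison is an exact, case-sensitive match against the values from
     * {@link #getEmails(X509Certificate)}. A certificate whose names cannot be read
     * is logged and treated as a non-match.
     *
     * <p>NOTE(review): {@link #isCertForEmail(X509Certificate, String)} compares
     * case-insensitively; confirm which behaviour callers of the key store lookup expect.
     *
     * @param str e-mail address to look for
     * @return predicate that is {@code true} for certificates containing {@code str}
     */
    public static final Predicate<X509Certificate> createPredicateForEmail(String str) {
        return certificate -> {
            try {
                return Arrays.asList(getEmails(certificate)).contains(str);
            } catch (CertificateEncodingException | CertificateParsingException e) {
                log.error(e.getMessage(), e);
                return false;
            }
        };
    }

    /**
     * Returns a comparator that orders certificates for selection.
     *
     * <p>Certificates whose validity period contains the current time sort before those
     * that are expired or not yet valid. Within the same group the later {@code notBefore}
     * sorts first, then the later {@code notAfter}. {@code null} entries sort last.
     *
     * @return the comparator
     */
    public static final Comparator<X509Certificate> getCertificateComparator() {
        return Comparator.nullsLast((left, right) -> {
            // The clock is read on every comparison, exactly as callers have always seen it.
            Date now = new Date();
            Date leftStart = left.getNotBefore();
            Date rightStart = right.getNotBefore();
            Date leftEnd = left.getNotAfter();
            Date rightEnd = right.getNotAfter();
            boolean leftCurrent = leftStart.before(now) && leftEnd.after(now);
            boolean rightCurrent = rightStart.before(now) && rightEnd.after(now);
            if (leftCurrent != rightCurrent) {
                // Exactly one of the two is currently within its validity period.
                return leftCurrent ? -1 : 1;
            }
            int byStart = rightStart.compareTo(leftStart);
            if (byStart != 0) {
                return byStart;
            }
            return rightEnd.compareTo(leftEnd);
        });
    }

    /**
     * Formats the serial number of a certificate for log and display purposes.
     *
     * @param x509Certificate certificate to read, may be {@code null}
     * @return decimal and hexadecimal rendering, or {@link FullVersion#UNKNOWN_VERSION}
     *         when the certificate or its serial number is missing
     */
    public static final String getSerialNumber(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            log.debug("Null value given for certificate.");
            return FullVersion.UNKNOWN_VERSION;
        }
        BigInteger serial = x509Certificate.getSerialNumber();
        if (serial == null) {
            log.warn("No serial number in certificate. Might be corrupt. Certificate: {}", x509Certificate);
            return FullVersion.UNKNOWN_VERSION;
        }
        return getSerialNumber(serial);
    }

    /**
     * Formats a serial number as {@code <decimal> (0x<hex>)}.
     *
     * @param bigInteger serial number, may be {@code null}
     * @return the formatted value, or {@link FullVersion#UNKNOWN_VERSION} for {@code null}
     */
    public static final String getSerialNumber(BigInteger bigInteger) {
        if (bigInteger == null) {
            log.debug("Null value given for serial number.");
            return FullVersion.UNKNOWN_VERSION;
        }
        return bigInteger.toString(10) + " (0x" + bigInteger.toString(16) + ")";
    }

    /**
     * Tells whether a content-encryption algorithm is accepted.
     *
     * <p>Only single DES in CBC mode is refused; every other non-null identifier is
     * accepted, including DES-EDE3-CBC and CAST5-CBC.
     * NOTE(review): this is a deny-list; confirm that accepting unknown or legacy
     * algorithm identifiers is intended.
     *
     * @param aSN1ObjectIdentifier algorithm identifier, may be {@code null}
     * @return {@code false} for {@code null} and DES-CBC, otherwise {@code true}
     */
    public static final boolean isSupportedSymmetricKeyAlgorithm(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        return aSN1ObjectIdentifier != null
                && !aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.DES_CBC);
    }

    /**
     * Tells whether a key-encryption algorithm is accepted. Any non-null identifier is.
     *
     * @param aSN1ObjectIdentifier algorithm identifier, may be {@code null}
     * @return {@code true} unless the identifier is {@code null}
     */
    public static final boolean isSupportedAsymmetricKeyAlgorithm(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        return aSN1ObjectIdentifier != null;
    }

    /**
     * Parses an encoded X.509 certificate.
     *
     * <p>The certificate is only decoded; its signature, chain and validity period are
     * not checked here.
     *
     * @param bArr encoded certificate
     * @return the parsed certificate
     * @throws CertificateException if the bytes cannot be parsed
     */
    public static final X509Certificate createCertificate(byte[] bArr) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance(X509_FACTORY_KEY);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * Looks up a certificate for an e-mail address without restricting the key purpose.
     *
     * @see #getValidCertForEmail(KeyStore, String, EKeyPurpose)
     */
    public static final X509Certificate getValidCertForEmail(KeyStore keyStore, String str) throws KeyStoreException, CertificateException {
        return getValidCertForEmail(keyStore, str, EKeyPurpose.UNDEFINED);
    }

    /**
     * Looks up the certificate for an e-mail address that is currently within its
     * validity period and, unless the purpose is {@link EKeyPurpose#UNDEFINED}, passes
     * {@link #isCertForPurpose(X509Certificate, EKeyPurpose)}.
     *
     * <p>When several certificates qualify, the one with the latest {@code notAfter}
     * is returned. "Valid" means the date check of
     * {@link X509Certificate#checkValidity()} only: no trust path is built and no
     * revocation status is consulted, so callers that need a trusted certificate have
     * to validate the result themselves.
     *
     * @param keyStore    key store to search, may be {@code null}
     * @param str         e-mail address, matched case-sensitively, may be {@code null}
     * @param eKeyPurpose required purpose, may be {@code null}
     * @return the selected certificate, or {@code null} if an argument is {@code null}
     *         or nothing qualifies
     * @throws KeyStoreException    declared for the key store access
     * @throws CertificateException declared for the key store access
     */
    public static final X509Certificate getValidCertForEmail(KeyStore keyStore, String str, EKeyPurpose eKeyPurpose) throws KeyStoreException, CertificateException {
        if (keyStore == null || str == null || eKeyPurpose == null) {
            return null;
        }
        log.debug("Looking for valid certificate for email <{}> and purpose {}.", str, eKeyPurpose);
        Predicate<X509Certificate> purposeMatches =
                candidate -> eKeyPurpose == EKeyPurpose.UNDEFINED || isCertForPurpose(candidate, eKeyPurpose);
        Predicate<X509Certificate> withinValidity = candidate -> {
            try {
                candidate.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                log.trace("Found invalid certificate for email <{}>: {}", str, getSerialNumber(candidate));
                return false;
            }
            log.trace("Found valid certificate for email <{}>. Serial number: {}", str, getSerialNumber(candidate));
            return true;
        };

        KeyStoreContentFetcher fetcher = new KeyStoreContentFetcher(keyStore);
        Set<X509Certificate> candidates;
        try {
            candidates = fetcher.getCertsFor(createPredicateForEmail(str).and(purposeMatches).and(withinValidity));
        } finally {
            // Release the fetcher even when the lookup throws.
            fetcher.destroy();
        }

        Optional<X509Certificate> latest = candidates.stream().reduce((first, second) ->
                first.getNotAfter().after(second.getNotAfter()) ? first : second);
        if (!latest.isPresent()) {
            log.debug("Found no valid certificate for email <{}>.", str);
            return null;
        }
        // The format string used to lack the second placeholder, so the serial number was dropped.
        log.debug("Found valid certificate for email <{}>: {}", str, getSerialNumber(latest.get()));
        log.trace("Certificate: {}", latest);
        return latest.get();
    }

    /**
     * Fetches the private key that belongs to a certificate.
     *
     * <p>The password array stays owned by the caller and is not cleared here. The
     * key itself is never written to the log, because some providers include key
     * material in {@code PrivateKey.toString()}.
     *
     * @param keyStore        key store to search, may be {@code null}
     * @param x509Certificate certificate whose key is wanted, may be {@code null}
     * @param cArr            key password handed to the key store lookup
     * @return the private key, or {@code null} if an argument is {@code null} or no
     *         matching key entry exists
     * @throws KeyStoreException         declared for the key store access
     * @throws UnrecoverableKeyException declared for the key store access
     * @throws NoSuchAlgorithmException  declared for the key store access
     */
    public static final PrivateKey getPrivateKeyForCert(KeyStore keyStore, X509Certificate x509Certificate, char[] cArr) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
        if (keyStore == null || x509Certificate == null) {
            return null;
        }
        String serialNumber = getSerialNumber(x509Certificate);
        log.debug("Getting private key for certificate with serial number: {}", serialNumber);

        KeyStoreContentFetcher fetcher = new KeyStoreContentFetcher(keyStore);
        Optional<PrivateKey> privateKey;
        try {
            fetcher.keyPassword(cArr);
            privateKey = fetcher.getPrivateKeyFor(candidate -> x509Certificate.equals(candidate));
        } finally {
            // The fetcher has been given the key password; release it on failure as well.
            fetcher.destroy();
        }

        if (!privateKey.isPresent()) {
            log.debug("No private key found for certificate with serial number {} in key store.", serialNumber);
            return null;
        }
        // Log the certificate's serial number only, never the key object.
        log.trace("Found private key for certificate with serial number: {}", serialNumber);
        return privateKey.get();
    }

    /**
     * Collects the e-mail addresses of a certificate's subject: the emailAddress
     * attribute of the subject name followed by all rfc822Name subject alternative names.
     *
     * @param x509Certificate certificate to read, may be {@code null}
     * @return the addresses without duplicates, empty for {@code null}
     * @throws CertificateEncodingException declared by the signature
     * @throws CertificateParsingException  if the alternative names cannot be decoded
     */
    public static final String[] getEmails(X509Certificate x509Certificate) throws CertificateEncodingException, CertificateParsingException {
        if (x509Certificate == null) {
            return new String[0];
        }
        String[] emails = getEmails(getSubject(x509Certificate), x509Certificate.getSubjectAlternativeNames());
        log.trace("Emails of subject from certificate with serial number {}: {}", getSerialNumber(x509Certificate), emails);
        return emails;
    }

    /**
     * Collects the e-mail addresses of a certificate's issuer: the emailAddress
     * attribute of the issuer name followed by all rfc822Name issuer alternative names.
     *
     * @param x509Certificate certificate to read, may be {@code null}
     * @return the addresses without duplicates, empty for {@code null}
     * @throws CertificateEncodingException declared by the signature
     * @throws CertificateParsingException  if the alternative names cannot be decoded
     */
    public static final String[] getIssuerEmails(X509Certificate x509Certificate) throws CertificateEncodingException, CertificateParsingException {
        if (x509Certificate == null) {
            return new String[0];
        }
        String[] emails = getEmails(getIssuer(x509Certificate), x509Certificate.getIssuerAlternativeNames());
        log.trace("Emails of issuer from certificate with serial number {}: {}", getSerialNumber(x509Certificate), emails);
        return emails;
    }

    /**
     * Merges the emailAddress RDN of a name with the rfc822Name entries of an
     * alternative-name collection, keeping first-seen order and dropping duplicates.
     *
     * @param x500Name   distinguished name, may be {@code null}
     * @param collection alternative names in the {@code [type, value]} list form that
     *                   {@link X509Certificate#getSubjectAlternativeNames()} returns,
     *                   may be {@code null}
     * @return the collected addresses
     */
    private static final String[] getEmails(X500Name x500Name, Collection<List<?>> collection) {
        Set<String> emails = new LinkedHashSet<>();
        if (x500Name != null) {
            String fromName = getRDNValue(x500Name, BCStyle.E);
            if (fromName != null) {
                emails.add(fromName);
            }
        }
        if (collection != null) {
            for (List<?> generalName : collection) {
                int type = ((Integer) generalName.get(0)).intValue();
                Object value = generalName.get(1);
                if (type == GENERAL_NAME_RFC822 && value != null) {
                    emails.add(value.toString());
                }
            }
        }
        return emails.toArray(new String[0]);
    }

    /**
     * Checks whether a certificate may be used for the given purpose.
     *
     * <p>Extended Key Usage and Key Usage are enforced only when the respective
     * extension is marked critical. A critical Extended Key Usage must contain the
     * e-mail protection purpose. A critical Key Usage must assert keyEncipherment for
     * {@code ENCRYPTION}/{@code DECRYPTION} or digitalSignature for {@code SIGNING}.
     * When Key Usage is absent or non-critical the certificate is accepted for any
     * purpose.
     *
     * <p>NOTE(review): a non-critical extension that excludes the requested purpose
     * is therefore not rejected, and certificates that assert only keyAgreement or
     * only nonRepudiation fail the critical Key Usage check. Confirm both are intended.
     *
     * @param x509Certificate certificate to check, may be {@code null}
     * @param eKeyPurpose     requested purpose, may be {@code null}
     * @return {@code true} if the certificate is accepted for the purpose
     * @throws IllegalStateException for a purpose this method does not handle
     */
    public static final boolean isCertForPurpose(X509Certificate x509Certificate, EKeyPurpose eKeyPurpose) {
        if (x509Certificate == null || eKeyPurpose == null) {
            return false;
        }
        log.debug("Checking purpose {} for certificate with serial number: {}", eKeyPurpose, getSerialNumber(x509Certificate));
        Set<String> criticalOids = x509Certificate.getCriticalExtensionOIDs();

        if (criticalOids != null && criticalOids.contains(Constants.OID_EXTENDED_KEY_USAGE)) {
            List<String> extendedKeyUsage;
            try {
                extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            } catch (CertificateParsingException e) {
                // An unreadable critical extension fails closed.
                log.error("Could not parse 'Extended Key Usage' extension of certificate " + getSerialNumber(x509Certificate) + ". Error message: " + e.getMessage(), e);
                return false;
            }
            if (extendedKeyUsage == null || !extendedKeyUsage.contains(Constants.OID_EXTENDED_KEY_USAGE_EMAIL)) {
                log.debug("Extended Key Usage for certificate is critical, but does not contain 'Email'.");
                return false;
            }
        }

        if (criticalOids == null || !criticalOids.contains(Constants.OID_KEY_USAGE)) {
            log.debug("Key usage is not critical.");
            return true;
        }

        boolean[] keyUsage = x509Certificate.getKeyUsage();
        boolean usable;
        switch (eKeyPurpose) {
            case DECRYPTION:
            case ENCRYPTION:
                usable = keyUsage[KEY_USAGE_KEY_ENCIPHERMENT];
                break;
            case SIGNING:
                usable = keyUsage[KEY_USAGE_DIGITAL_SIGNATURE];
                break;
            case UNDEFINED:
                usable = false;
                break;
            default:
                throw new IllegalStateException("Handling of key purpose " + eKeyPurpose + " not yet implemented.");
        }
        log.debug("Certificate is usable: {}", Boolean.valueOf(usable));
        return usable;
    }

    /**
     * Tells whether a certificate lists the given e-mail address, ignoring case.
     *
     * @param x509Certificate certificate to read, may be {@code null}
     * @param str             e-mail address, may be {@code null}
     * @return {@code true} if one of the subject's addresses equals {@code str} ignoring case
     * @throws CertificateEncodingException declared by the signature
     * @throws CertificateParsingException  if the alternative names cannot be decoded
     */
    public static final boolean isCertForEmail(X509Certificate x509Certificate, String str) throws CertificateEncodingException, CertificateParsingException {
        if (str == null) {
            return false;
        }
        return Arrays.stream(getEmails(x509Certificate)).anyMatch(str::equalsIgnoreCase);
    }

    /**
     * Returns the issuer of a certificate as a Bouncy Castle name, built from the
     * string form of the issuer principal.
     */
    public static final X500Name getIssuer(X509Certificate x509Certificate) {
        String issuerDn = x509Certificate.getIssuerX500Principal().getName();
        return new X500Name(issuerDn);
    }

    /**
     * Returns the subject of a certificate as a Bouncy Castle name, built from the
     * string form of the subject principal.
     */
    public static final X500Name getSubject(X509Certificate x509Certificate) {
        String subjectDn = x509Certificate.getSubjectX500Principal().getName();
        return new X500Name(subjectDn);
    }

    /**
     * Reads the value of the first RDN of the given attribute type.
     *
     * @param x500Name             name to search
     * @param aSN1ObjectIdentifier attribute type
     * @return the value as a string, or {@code null} if the name has no such RDN
     */
    public static final String getRDNValue(X500Name x500Name, ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        RDN[] matching = x500Name.getRDNs(aSN1ObjectIdentifier);
        return matching.length == 0 ? null : matching[0].getFirst().getValue().toString();
    }

    /**
     * Copies every certificate of a store into a new key store as a certificate entry.
     *
     * <p>Each alias is the issuer name immediately followed by the decimal serial number.
     * NOTE(review): the two parts are joined without a separator, so two distinct
     * issuer/serial pairs can in principle yield the same alias, and the later entry
     * would then replace the earlier one. Confirm whether callers rely on the alias format.
     *
     * @param store certificates to copy
     * @param str   key store type
     * @param cArr  password used to initialise the empty key store
     * @return the populated key store
     * @throws KeyStoreException    if the key store cannot be created, initialised or filled
     * @throws CertificateException if a certificate cannot be converted
     */
    public static final KeyStore convertToKeyStore(Store<X509CertificateHolder> store, String str, char[] cArr) throws KeyStoreException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(str, SecurityUtil.getProvider());
        try {
            keyStore.load(null, cArr);
        } catch (IOException | NoSuchAlgorithmException e) {
            log.error("Failed to create key store. Error message: " + e.getMessage(), e);
            // Carrying on would hand back an uninitialised key store, or fail later with a
            // less helpful error, so report the failure here with its cause attached.
            throw new KeyStoreException("Failed to create key store.", e);
        }
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(SecurityUtil.getProvider());
        Collection<X509CertificateHolder> holders = store.getMatches(null);
        log.debug("Converting {} certificates.", Integer.valueOf(holders.size()));
        for (X509CertificateHolder holder : holders) {
            String alias = holder.getIssuer().toString() + holder.getSerialNumber().toString();
            log.trace("Adding certificate with alias \"{}\" to key store.", alias);
            keyStore.setCertificateEntry(alias, converter.getCertificate(holder));
        }
        log.debug("Added all certificates to key store.");
        return keyStore;
    }

    /**
     * Packs all certificates of a key store into a certificates-only CMS SignedData
     * structure (P7B). The result carries no content and no signer.
     *
     * @param keyStore key store to export
     * @return the SignedData holding the certificates
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws KeyStoreException            if the key store cannot be read
     * @throws CMSException                 if the structure cannot be generated
     */
    public static final CMSSignedData convertToP7b(KeyStore keyStore) throws CertificateEncodingException, KeyStoreException, CMSException {
        // NOTE(review): unlike the other lookups in this class, this fetcher is never
        // destroyed; confirm whether that matters when no key password has been set.
        Set<X509Certificate> certificates = new KeyStoreContentFetcher(keyStore).getCertsFor(certificate -> true);
        log.debug("Converting {} certificates.", Integer.valueOf(certificates.size()));
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addCertificates(new JcaCertStore(certificates));
        CMSSignedData signedData = generator.generate(new CMSAbsentContent());
        log.debug("Added all certificates to P7B.");
        return signedData;
    }

    /**
     * Maps a CMS algorithm identifier to a short display name.
     *
     * @param aSN1ObjectIdentifier algorithm identifier, may be {@code null}
     * @return the display name, {@code "null"} for {@code null}, or
     *         {@code "Unknown (<oid>)"} for identifiers not listed here
     */
    public static final String getCmsName(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
        if (aSN1ObjectIdentifier == null) {
            return "null";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES128_CBC)) {
            return "AES128-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES192_CBC)) {
            return "AES192-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES256_CBC)) {
            return "AES256-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES128_GCM)) {
            return "AES128-GCM";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES192_GCM)) {
            return "AES192-GCM";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.AES256_GCM)) {
            return "AES256-GCM";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.DES_CBC)) {
            return "DES-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.DES_EDE3_CBC)) {
            return "DES-EDE3-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) CMSAlgorithm.CAST5_CBC)) {
            return "CAST5-CBC";
        }
        if (aSN1ObjectIdentifier.equals((ASN1Primitive) PKCSObjectIdentifiers.rsaEncryption)) {
            return "RSA";
        }
        return "Unknown (" + aSN1ObjectIdentifier.getId() + ")";
    }
}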
