package com.bfo.box;

import com.bfo.box.C2PAStatus;
import com.bfo.json.COSE;
import com.bfo.json.JWK;
import com.bfo.json.Json;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:com/bfo/box/C2PASignature.class */
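/**
 * The {@code c2cs} / {@code c2pa.signature} box of a C2PA manifest: a detached
 * COSE_Sign1 structure over the claim's CBOR.
 *
 * <p>{@link #sign()} recomputes every hashed-URI digest in the claim, stores the
 * signer's certificate chain in the COSE structure and signs it.
 * {@link #verify(KeyStore)} does the reverse: it re-derives the payload from the
 * claim, checks the embedded certificate chain (self-consistency, C2PA profile
 * rules and, when a trust store is supplied, a trust anchor) and verifies the
 * signature with the public key of the first certificate of that chain.
 *
 * <p>Security note: because the verification key is taken from the manifest
 * itself, a positive signature result is only meaningful together with the
 * {@code signingCredential_*} statuses produced by {@link #verifyCertificates},
 * which are what actually tie the key to a trusted issuer.
 */
public class C2PASignature extends CborContainerBox {

    /** CBOR tag of a COSE_Sign1 structure (RFC 9052); the only form accepted by {@link #verify}. */
    private static final int COSE_SIGN1_TAG = 18;

    /** Certificate signature algorithms accepted in the x5chain, by OID. */
    private static final List<String> ALLOWED_SIG_ALG_OIDS = Arrays.asList(
            "1.2.840.10045.4.3.2",   // ecdsa-with-SHA256
            "1.2.840.10045.4.3.3",   // ecdsa-with-SHA384
            "1.2.840.10045.4.3.4",   // ecdsa-with-SHA512
            "1.2.840.113549.1.1.11", // sha256WithRSAEncryption
            "1.2.840.113549.1.1.12", // sha384WithRSAEncryption
            "1.2.840.113549.1.1.13", // sha512WithRSAEncryption
            "1.2.840.113549.1.1.10", // RSASSA-PSS (parameters checked separately)
            "1.3.101.112");          // Ed25519

    /** Digests accepted inside RSASSA-PSS-params. */
    private static final List<String> ALLOWED_PSS_DIGESTS = Arrays.asList("SHA-256", "SHA-384", "SHA-512");

    /** EC curves accepted for subject public keys (JWK "crv" names). */
    private static final List<String> ALLOWED_EC_CURVES = Arrays.asList("P-256", "P-384", "P-521");

    /** Minimum RSA modulus size accepted for subject public keys. */
    private static final int MIN_RSA_BITS = 2048;

    private static final String OID_RSASSA_PSS = "1.2.840.113549.1.1.10";
    private static final String OID_KEY_USAGE = "2.5.29.15";
    private static final String OID_AUTHORITY_KEY_ID = "2.5.29.35";
    private static final String OID_ANY_EXT_KEY_USAGE = "2.5.29.37.0";
    private static final String OID_EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4";
    private static final String OID_EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8";
    private static final String OID_EKU_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    /** Key used by {@link #sign()}; null until {@link #setSigner} is called. */
    private PrivateKey privateKey;
    /** Chain embedded in the COSE structure by {@link #sign()}, leaf first. */
    private List<X509Certificate> privateKeyCerts;
    /** Epoch millis at which {@link #verify} evaluates certificate validity; 0 means "now". */
    private long timestamp;

    protected C2PASignature() {
    }

    /**
     * Creates a signature box wrapping an existing CBOR structure.
     *
     * @param json the box content, normally an already-serialized COSE_Sign1
     */
    public C2PASignature(Json json) {
        super("c2cs", "c2pa.signature", json);
    }

    /**
     * Same as the superclass rendering, with a {@code "padto"} field appended
     * when a minimum size is configured (currently never, see {@link #getMinSize()}).
     */
    @Override // com.bfo.box.Box
    public String toString() {
        int minSize = getMinSize();
        if (minSize <= 0) {
            return super.toString();
        }
        StringBuilder sb = new StringBuilder(super.toString());
        // Replace the closing '}' of the superclass output so one more field can be added.
        sb.setCharAt(sb.length() - 1, ',');
        sb.append("\"padto\":").append(minSize).append('}');
        return sb.toString();
    }

    /**
     * Minimum size the signed payload is padded to; 0 disables padding.
     * Fixed at 0 here, which makes the padding branches in {@link #sign()}
     * and {@link #generatePayload} dead code.
     */
    private int getMinSize() {
        return 0;
    }

    /**
     * Returns this box's content as a {@link COSE}, converting the stored CBOR
     * in place on first use.
     */
    public COSE cose() {
        if (!(cbor() instanceof COSE)) {
            getBox().setCbor(new COSE(cbor()));
        }
        return cbor();
    }

    /**
     * Sets the key and certificate chain used by {@link #sign()}.
     *
     * @param privateKey the signing key
     * @param list the certificate chain to embed, leaf certificate first
     */
    public void setSigner(PrivateKey privateKey, List<X509Certificate> list) {
        this.privateKey = privateKey;
        this.privateKeyCerts = list;
    }

    /** @return true when both a key and a non-empty certificate chain have been set */
    public boolean hasSigner() {
        return privateKey != null && privateKeyCerts != null && !privateKeyCerts.isEmpty();
    }

    /**
     * Signs the parent manifest's claim.
     *
     * <p>Steps: validate the claim, locate exactly one hard-binding assertion
     * (data hash or BMFF hash) and let it hash the asset, drop any stale hashed-URI
     * digests, rebuild the payload with fresh digests, embed the signer's chain
     * and sign. Certificate-profile problems found in the signer's own chain are
     * reported in the returned list but do not stop signing.
     *
     * @return statuses describing the outcome; the first entry is
     *         {@code claimSignature_validated} when signing completed
     * @throws IllegalStateException if no signer is set or the claim lacks a format or instanceID
     * @throws NullPointerException if the claim contains a null assertion
     * @throws IOException from the underlying hashing/signing
     */
    public List<C2PAStatus> sign() throws IOException {
        List<C2PAStatus> statuses = new ArrayList<>();
        COSE cose = cose();
        C2PAManifest manifest = (C2PAManifest) parent();
        C2PAClaim claim = manifest.getClaim();
        List<C2PA_Assertion> assertions = claim.getAssertions();
        if (!hasSigner()) {
            throw new IllegalStateException("signer not set");
        }
        if (claim.getFormat() == null) {
            throw new IllegalStateException("claim has no format");
        }
        if (claim.getInstanceID() == null) {
            throw new IllegalStateException("claim has no instanceID");
        }
        if (assertions.isEmpty()) {
            // A claim that lists nothing covers every assertion in the manifest.
            assertions.addAll(manifest.getAssertions());
        }

        C2PA_AssertionHashData hashData = null;
        C2PA_AssertionHashBMFF hashBmff = null;
        for (C2PA_Assertion assertion : assertions) {
            if (assertion == null) {
                throw new NullPointerException("assertion in claim is null");
            }
            if (assertion instanceof C2PA_AssertionUnknown) {
                statuses.add(new C2PAStatus(C2PAStatus.Code.assertion_missing, "assertion \"" + ((C2PA_AssertionUnknown) assertion).url() + "\" not found", find(manifest), null));
                return statuses;
            }
            boolean isHashData = assertion instanceof C2PA_AssertionHashData;
            boolean isHashBmff = assertion instanceof C2PA_AssertionHashBMFF;
            if (isHashData || isHashBmff) {
                // Exactly one hard binding is allowed.
                if (hashData != null || hashBmff != null) {
                    statuses.add(new C2PAStatus(C2PAStatus.Code.assertion_multipleHardBindings, "manifest has multiple hard-binding", find(manifest), null));
                    return statuses;
                }
                if (isHashData) {
                    hashData = (C2PA_AssertionHashData) assertion;
                } else {
                    hashBmff = (C2PA_AssertionHashBMFF) assertion;
                }
            }
        }

        // Remove previous digests so generatePayload() recomputes every one of them.
        Json claimAssertions = claim.cbor().get("assertions");
        for (int i = 0; i < claimAssertions.size(); i++) {
            claimAssertions.get(Integer.valueOf(i)).remove("hash");
        }

        if (hashData != null) {
            statuses.addAll(hashData.sign());
        } else if (hashBmff != null) {
            statuses.addAll(hashBmff.sign());
        } else {
            statuses.add(new C2PAStatus(C2PAStatus.Code.claim_hardBindings_missing, "manifest has no hard-binding", find(manifest), null));
            return statuses;
        }

        int minSize = getMinSize();
        if (minSize > 0) {
            // NOTE(review): unreachable while getMinSize() is 0. If it is ever enabled,
            // a freshly created attribute map is never attached to the COSE object here.
            Json unprotected = cose.getUnprotectedAttributes();
            if (unprotected == null) {
                unprotected = Json.read("{}");
            }
            unprotected.put("pad", new byte[minSize]);
        }
        if (claim.getGenerator() == null) {
            claim.setGenerator("BFO Json library", null);
        }
        claim.cbor().put("signature", manifest.find(this));
        cose.setPayload(generatePayload(minSize, true, statuses), true);
        cose.setCertificates(privateKeyCerts);
        // Profile problems in our own chain are advisory at signing time.
        statuses.addAll(verifyCertificates(privateKeyCerts, "signing", System.currentTimeMillis(), null));
        cose.sign(privateKey, (String) null);
        statuses.add(0, new C2PAStatus(C2PAStatus.Code.claimSignature_validated, "signing succeeded", find(manifest), null));
        statuses.removeIf(s -> s == null);
        return statuses;
    }

    /**
     * Builds the bytes that are signed: the claim's CBOR, after every hashed-URI
     * entry in its {@code assertions} list has been digested and checked.
     *
     * @param minSize pad the result with trailing zeros up to this many bytes (0 = no padding)
     * @param signing forwarded to {@link #digestHashedURL}; true from {@link #sign()}, false from {@link #verify}
     * @param statuses receives one status per hashed URI
     */
    private ByteBuffer generatePayload(int minSize, boolean signing, List<C2PAStatus> statuses) {
        C2PAManifest manifest = (C2PAManifest) parent();
        C2PAClaim claim = manifest.getClaim();
        Json hashedUrls = claim.cbor().get("assertions");
        for (int i = 0; i < hashedUrls.size(); i++) {
            statuses.add(digestHashedURL(hashedUrls.get(Integer.valueOf(i)), manifest, false, signing));
        }
        byte[] encoded = claim.cbor().toCbor().array();
        if (minSize > encoded.length) {
            encoded = Arrays.copyOf(encoded, minSize);
        }
        return ByteBuffer.wrap(encoded);
    }

    /**
     * Sets the point in time at which {@link #verify} evaluates certificate
     * validity periods.
     *
     * @param j epoch milliseconds, or 0 to use the current time
     */
    public void setTimestamp(long j) {
        this.timestamp = j;
    }

    /** @return the validation time set by {@link #setTimestamp}, 0 if none */
    public long getTimestamp() {
        return this.timestamp;
    }

    /**
     * Verifies this signature against the parent manifest's claim.
     *
     * <p>Checks, in order: the COSE structure is a detached COSE_Sign1; the
     * manifest has a single claim box that references this signature; every
     * assertion verifies; the embedded certificate chain passes
     * {@link #verifyCertificates} (chained to a {@code keyStore} anchor when one
     * is supplied); and the signature verifies with the public key of the first
     * embedded certificate.
     *
     * <p>The first returned status is {@code claimSignature_validated} or
     * {@code claimSignature_mismatch}. Callers must also inspect the
     * {@code signingCredential_*} statuses: the key comes from the manifest, so a
     * valid signature from an untrusted chain proves nothing.
     *
     * @param keyStore trust anchors (certificate entries), or null to skip anchoring
     * @throws IllegalStateException if the box is unsigned, not detached or not COSE_Sign1
     * @throws IllegalArgumentException if the signature embeds no certificates
     * @throws IOException from the underlying hashing/verification
     */
    public List<C2PAStatus> verify(KeyStore keyStore) throws IOException {
        List<C2PAStatus> statuses = new ArrayList<>();
        COSE cose = cose();
        C2PAManifest manifest = (C2PAManifest) parent();
        C2PAClaim claim = manifest.getClaim();
        if (!cose.isInitialized()) {
            throw new IllegalStateException("not signed");
        }
        if (!cose.isDetached()) {
            throw new IllegalStateException("not detached");
        }
        if (cose.getTag() != COSE_SIGN1_TAG) {
            throw new IllegalStateException("not Signature1");
        }

        // A manifest with more than one claim box is ambiguous: refuse it.
        for (Box box = manifest.first(); box != null; box = box.next()) {
            if (box instanceof C2PAClaim && box != claim) {
                statuses.add(new C2PAStatus(C2PAStatus.Code.claim_multiple, "too many claim boxes", manifest.find(box), null));
                return statuses;
            }
        }
        // The claim must point back at this very box.
        if (!claim.cbor().isString("signature") || manifest.find(claim.cbor().stringValue("signature")) != this) {
            statuses.add(new C2PAStatus(C2PAStatus.Code.claimSignature_missing, "signature not in claim", claim.cbor().stringValue("signature"), null));
            return statuses;
        }

        List<X509Certificate> chain = cose.getCertificates();
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("no key supplied and no certificates included in the signature");
        }
        // Leaf certificate's key. Attacker-supplied, so only as good as the chain checks below.
        PublicKey publicKey = chain.get(0).getPublicKey();

        for (C2PA_Assertion assertion : manifest.getClaim().getAssertions()) {
            if (assertion != null) {
                List<C2PAStatus> result = assertion.verify();
                if (result != null) {
                    statuses.addAll(result);
                }
            }
        }
        long validationTime = timestamp != 0 ? timestamp : System.currentTimeMillis();
        statuses.addAll(verifyCertificates(chain, "signing", validationTime, keyStore));
        cose.setPayload(generatePayload(getMinSize(), false, statuses), true);
        boolean signatureOk = cose.verify(publicKey) >= 0;
        statuses.add(0, new C2PAStatus(signatureOk ? C2PAStatus.Code.claimSignature_validated : C2PAStatus.Code.claimSignature_mismatch, null, manifest.find(this), null));
        statuses.removeIf(s -> s == null);
        return statuses;
    }

    /**
     * Digests the box a hashed-URI entry points to and compares it with the
     * entry's stored {@code hash}. On match (or when no hash is stored yet) the
     * freshly computed digest is written into the entry.
     *
     * @param hashedUrl the hashed-URI map, with {@code url} and optional {@code hash}
     * @param manifest manifest in which {@code url} is resolved
     * @param ingredient true when the entry belongs to an ingredient, which selects the
     *        {@code ingredient_hashedURI_mismatch} code on failure
     * @param signing forwarded to {@link C2PAManifest#getMessageDigest}; true when called from {@link #sign()}
     * @return a match/mismatch/missing status, or an error status if the digest algorithm is unknown
     */
    public static C2PAStatus digestHashedURL(Json hashedUrl, C2PAManifest manifest, boolean ingredient, boolean signing) {
        String url = hashedUrl.stringValue("url");
        JUMBox target = manifest.find(url);
        if (target == null) {
            return new C2PAStatus(C2PAStatus.Code.assertion_missing, "\"" + url + "\" not in manifest", manifest.find(manifest), null);
        }
        try {
            MessageDigest md = manifest.getMessageDigest(hashedUrl, signing);
            // The digest covers the encoded children of the target box, in order.
            for (Box child = target.first(); child != null; child = child.next()) {
                md.update(child.getEncoded());
            }
            byte[] digest = md.digest();
            // Constant-time compare; the stored value is attacker-controlled input.
            boolean matches = !hashedUrl.isBuffer("hash") || MessageDigest.isEqual(digest, hashedUrl.bufferValue("hash").array());
            if (matches) {
                hashedUrl.put("hash", digest);
                return new C2PAStatus(C2PAStatus.Code.assertion_hashedURI_match, "hash match for \"" + target.label() + "\"", manifest.find(target), null);
            }
            debugMismatch(target);
            return new C2PAStatus(ingredient ? C2PAStatus.Code.ingredient_hashedURI_mismatch : C2PAStatus.Code.assertion_hashedURI_mismatch, "hash mismatch for \"" + target.label() + "\"", manifest.find(target), null);
        } catch (NoSuchAlgorithmException e) {
            return new C2PAStatus(e, manifest.find(target));
        }
    }

    /**
     * Debug aid for hash mismatches: finds the first (deepest) box whose
     * re-encoded bytes differ from the bytes it was originally read from and
     * prints both renderings to stdout, escalating from toString to dump to hex
     * until the two renderings differ.
     *
     * @return true if a differing box was found and printed
     */
    private static boolean debugMismatch(Box box) {
        try {
            for (Box child = box.first(); child != null; child = child.next()) {
                if (debugMismatch(child)) {
                    return true;
                }
            }
            byte[] original = box.debugReadBytes;
            byte[] reencoded = box.getEncoded();
            if (original == null || Arrays.equals(original, reencoded)) {
                return false;
            }
            Box oldBox = new BoxFactory().load(new ByteArrayInputStream(original));
            Box newBox = new BoxFactory().load(new ByteArrayInputStream(reencoded));
            String oldText = oldBox.toString();
            String newText = newBox.toString();
            if (oldText.equals(newText)) {
                oldText = oldBox.dump(null, null).toString();
                newText = newBox.dump(null, null).toString();
                if (oldText.equals(newText)) {
                    oldText = hex(original);
                    newText = hex(reencoded);
                }
            }
            System.out.println("MISMATCH old=" + oldText);
            System.out.println("MISMATCH new=" + newText);
            return true;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks a certificate chain (leaf first) against the C2PA certificate
     * profile and, optionally, a trust store.
     *
     * <p>Per certificate: validity at {@code when}, that it is signed by the next
     * certificate in the chain, accepted signature algorithm (with RSASSA-PSS
     * parameter rules), key strength, X.509 v3, no unique IDs, basic constraints
     * appropriate to its position, Authority Key Identifier, subject, critical
     * keyUsage and extendedKeyUsage rules for the role. The first certificate is
     * checked as {@code role}; the rest as CAs.
     *
     * <p>With a trust store: the last certificate must be issued (by name and by
     * signature) by a self-signed certificate entry of the store, otherwise an
     * {@code *_untrusted} status is produced.
     *
     * @param chain certificates, leaf first; must not be empty
     * @param role "signing", "timestamp" or "ocsp" (anything else is treated as "signing")
     * @param when epoch millis to evaluate validity at; 0 or less skips validity checks
     * @param trustStore trust anchors, or null to skip anchoring
     * @return statuses; empty means no problem was found
     */
    private static List<C2PAStatus> verifyCertificates(List<X509Certificate> chain, String role, long when, KeyStore trustStore) {
        List<C2PAStatus> statuses = new ArrayList<>();
        if (!"timestamp".equals(role) && !"ocsp".equals(role)) {
            role = "signing";
        }
        final String leafRole = role;
        boolean timestampRole = "timestamp".equals(leafRole);

        for (int i = 0; i < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            String where = "Cose_Sign1.x5chain[" + i + "]";
            List<String> problems = new ArrayList<>();

            if (when > 0) {
                try {
                    if (when < cert.getNotBefore().getTime() || when > cert.getNotAfter().getTime()) {
                        statuses.add(new C2PAStatus(timestampRole ? C2PAStatus.Code.timeStamp_outsideValidity : C2PAStatus.Code.signingCredential_expired, null, where, null));
                    }
                } catch (Exception e) {
                    statuses.add(new C2PAStatus(C2PAStatus.Code.signingCredential_invalid, "parsing exception", where, e));
                }
            }

            // Each certificate must actually be signed by the next one; without this the
            // "chain" is just a list of unrelated certificates and the anchor check below
            // would only be matching issuer names.
            if (i + 1 < chain.size()) {
                try {
                    cert.verify(chain.get(i + 1).getPublicKey());
                } catch (GeneralSecurityException e) {
                    statuses.add(new C2PAStatus(C2PAStatus.Code.signingCredential_invalid, "not signed by Cose_Sign1.x5chain[" + (i + 1) + "]", where, e));
                }
            }

            String sigAlgOid = cert.getSigAlgOID();
            if (!ALLOWED_SIG_ALG_OIDS.contains(sigAlgOid)) {
                problems.add("algorithm " + sigAlgOid);
            } else if (OID_RSASSA_PSS.equals(sigAlgOid)) {
                try {
                    AlgorithmParameters params = AlgorithmParameters.getInstance(cert.getSigAlgName());
                    params.init(cert.getSigAlgParams());
                    PSSParameterSpec pss = params.getParameterSpec(PSSParameterSpec.class);
                    String pssDigest = pss.getDigestAlgorithm();
                    if (!ALLOWED_PSS_DIGESTS.contains(pssDigest)) {
                        problems.add("RSASSA-PSS-params algorithm " + pssDigest);
                    } else if (!(pss.getMGFParameters() instanceof MGF1ParameterSpec)
                            || !pssDigest.equals(((MGF1ParameterSpec) pss.getMGFParameters()).getDigestAlgorithm())) {
                        problems.add("RSASSA-PSS-params algorithm != mfg algorithm");
                    }
                } catch (GeneralSecurityException | IOException e) {
                    problems.add("RSASSA-PSS-params parsing exception");
                }
            }

            PublicKey subjectKey = cert.getPublicKey();
            if (subjectKey instanceof ECPublicKey) {
                if (!ALLOWED_EC_CURVES.contains(new JWK(subjectKey).stringValue("crv"))) {
                    problems.add("public-key EC curve");
                }
            } else if (subjectKey instanceof RSAPublicKey) {
                int bits = ((RSAKey) subjectKey).getModulus().bitLength();
                if (bits < MIN_RSA_BITS) {
                    problems.add("public-key RSA bits=" + bits);
                }
            }

            if (cert.getVersion() != 3) {
                problems.add("version " + cert.getVersion());
            }
            if (cert.getSubjectUniqueID() != null || cert.getIssuerUniqueID() != null) {
                problems.add("has issuerUniqueID or subjectUniqueID");
            }

            int basicConstraints = cert.getBasicConstraints(); // -1 when not a CA
            boolean caRole = "ca".equals(role);
            if (caRole && basicConstraints < 0) {
                problems.add("no basic constraints");
            } else if (!caRole && basicConstraints >= 0) {
                problems.add("basic constraints set");
            }

            if (cert.getExtensionValue(OID_AUTHORITY_KEY_ID) == null) {
                if (i == 0) {
                    problems.add("Authority Key Identifier (2.5.29.35) missing on " + role + " certificate, which can't be self-signed");
                } else if (cert.getSubjectX500Principal() != null && !cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                    problems.add("Authority Key Identifier (2.5.29.35) missing and not self-signed");
                }
            }
            if (cert.getSubjectX500Principal() == null) {
                problems.add("no subject");
            }

            // getCriticalExtensionOIDs() is null for a certificate with no extensions at all.
            boolean keyUsageCritical = cert.getCriticalExtensionOIDs() != null && cert.getCriticalExtensionOIDs().contains(OID_KEY_USAGE);
            if (keyUsageCritical) {
                boolean[] keyUsage = cert.getKeyUsage();
                if ("signing".equals(role) && (keyUsage == null || !keyUsage[0])) { // digitalSignature
                    problems.add("keyUsage missing digitalSignature");
                }
                if (keyUsage != null && keyUsage[5] && basicConstraints < 0) { // keyCertSign on a non-CA
                    problems.add("keyUsage contains keyCertSign");
                }
            } else {
                problems.add("keyUsage not marked as critical");
            }

            if (basicConstraints < 0) {
                // NOTE: criticality of the extKeyUsage extension is not enforced here.
                List<String> eku = null;
                boolean ekuReadable = true;
                try {
                    eku = cert.getExtendedKeyUsage();
                } catch (CertificateParsingException e) {
                    ekuReadable = false;
                    problems.add("extendedKeyUsage parsing exception");
                }
                if (ekuReadable) {
                    if (eku == null) {
                        problems.add("extendedKeyUsage not present");
                    } else {
                        if (eku.contains(OID_ANY_EXT_KEY_USAGE)) {
                            problems.add("extendedKeyUsage contains 2.5.29.37.0");
                        }
                        if ("signing".equals(role)) {
                            if (!eku.contains(OID_EKU_EMAIL_PROTECTION)) {
                                problems.add("extendedKeyUsage missing 1.3.6.1.5.5.7.3.4");
                            }
                        } else if ("timestamp".equals(role)) {
                            if (!eku.contains(OID_EKU_TIME_STAMPING)) {
                                problems.add("extendedKeyUsage missing 1.3.6.1.5.5.7.3.8");
                            } else if (eku.size() > 1) {
                                problems.add("extendedKeyUsage contains not only 1.3.6.1.5.5.7.3.8");
                            }
                        } else if ("ocsp".equals(role)) {
                            if (!eku.contains(OID_EKU_OCSP_SIGNING)) {
                                problems.add("extendedKeyUsage missing 1.3.6.1.5.5.7.3.9");
                            } else if (eku.size() > 1) {
                                // Mirrors the timestamp rule; the previous form of this branch was unreachable.
                                problems.add("extendedKeyUsage contains not only 1.3.6.1.5.5.7.3.9");
                            }
                        }
                    }
                }
            }

            for (Iterator<String> it = problems.iterator(); it.hasNext();) {
                statuses.add(new C2PAStatus(C2PAStatus.Code.signingCredential_invalid, it.next(), where, null));
            }
            // Everything above the leaf is checked as a CA.
            role = "ca";
        }

        if (trustStore != null) {
            if (chain.isEmpty()) {
                statuses.add(new C2PAStatus(timestampRole ? C2PAStatus.Code.timeStamp_untrusted : C2PAStatus.Code.signingCredential_untrusted, null, "Cose_Sign1.x5chain", null));
                return statuses;
            }
            int last = chain.size() - 1;
            X509Certificate top = chain.get(last);
            String where = "Cose_Sign1.x5chain[" + last + "]";
            boolean anchored = false;
            try {
                for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
                    String alias = aliases.nextElement();
                    if (!trustStore.isCertificateEntry(alias)) {
                        continue;
                    }
                    Certificate entry = trustStore.getCertificate(alias);
                    if (!(entry instanceof X509Certificate)) {
                        continue;
                    }
                    X509Certificate anchor = (X509Certificate) entry;
                    if (!top.getIssuerX500Principal().equals(anchor.getSubjectX500Principal())) {
                        continue;
                    }
                    try {
                        // The anchor must be self-signed, and it must really have issued the
                        // top of our chain: a name match alone is trivially forgeable.
                        anchor.verify(anchor.getPublicKey());
                        top.verify(anchor.getPublicKey());
                    } catch (GeneralSecurityException e) {
                        continue;
                    }
                    if (when <= 0 || (when >= anchor.getNotBefore().getTime() && when <= anchor.getNotAfter().getTime())) {
                        statuses.add(new C2PAStatus(timestampRole ? C2PAStatus.Code.timeStamp_trusted : C2PAStatus.Code.signingCredential_trusted, null, where, null));
                    } else if (timestampRole) {
                        statuses.add(new C2PAStatus(C2PAStatus.Code.timeStamp_outsideValidity, null, where, null));
                    } else {
                        statuses.add(new C2PAStatus(C2PAStatus.Code.signingCredential_expired, null, where, null));
                    }
                    anchored = true;
                }
                if (!anchored) {
                    statuses.add(new C2PAStatus(timestampRole ? C2PAStatus.Code.timeStamp_untrusted : C2PAStatus.Code.signingCredential_untrusted, null, where, null));
                }
            } catch (KeyStoreException e) {
                throw new RuntimeException(e);
            }
        }
        return statuses;
    }
}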
