package cn.com.syan.jcee.common.impl.pkcs7;

import cn.com.syan.jcee.common.impl.SparkSignature;
import cn.com.syan.jcee.common.impl.identifier.SparkAlgorithmIdentifier;
import cn.com.syan.jcee.common.impl.utils.CertificateConverter;
import cn.com.syan.jcee.exception.JCEEException;
import cn.com.syan.jcee.utils.MessageDigestUtil;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.InvalidParameterException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.crypto.Cipher;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.spongycastle.asn1.ASN1EncodableVector;
import org.spongycastle.asn1.ASN1ObjectIdentifier;
import org.spongycastle.asn1.ASN1Sequence;
import org.spongycastle.asn1.ASN1Set;
import org.spongycastle.asn1.ASN1UTCTime;
import org.spongycastle.asn1.BEROctetString;
import org.spongycastle.asn1.BERSet;
import org.spongycastle.asn1.DERNull;
import org.spongycastle.asn1.DEROctetString;
import org.spongycastle.asn1.DEROutputStream;
import org.spongycastle.asn1.DERSequence;
import org.spongycastle.asn1.DERSet;
import org.spongycastle.asn1.cms.AttributeTable;
import org.spongycastle.asn1.cms.CMSObjectIdentifiers;
import org.spongycastle.asn1.cms.ContentInfo;
import org.spongycastle.asn1.cms.IssuerAndSerialNumber;
import org.spongycastle.asn1.cms.SignedData;
import org.spongycastle.asn1.cms.SignerIdentifier;
import org.spongycastle.asn1.cms.SignerInfo;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.asn1.x509.AlgorithmIdentifier;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cert.jcajce.JcaCertStore;
import org.spongycastle.cert.jcajce.JcaX509CertificateHolder;
import org.spongycastle.cms.CMSException;
import org.spongycastle.cms.CMSProcessableByteArray;
import org.spongycastle.cms.CMSSignedData;
import org.spongycastle.cms.CMSSignedDataStreamGenerator;
import org.spongycastle.cms.CMSTypedData;
import org.spongycastle.cms.SignerInformation;
import org.spongycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.spongycastle.crypto.digests.SM3Digest;
import org.spongycastle.jce.interfaces.ECPublicKey;
import org.spongycastle.jce.provider.BouncyCastleProvider;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.spongycastle.util.Store;
import org.spongycastle.util.encoders.Base64;

/* loaded from: classes.dex */
public class PKCS7Signature {
    private List<X509Certificate> certChain;
    private PrivateKey privateKey;
    private X509Certificate signCert;
    private byte[] tobeSignedData;

    public PKCS7Signature() {
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        this.certChain = new ArrayList();
    }

    private ASN1EncodableVector buildAuthenticatedAttributes(byte[] bArr, AlgorithmIdentifier algorithmIdentifier) {
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        aSN1EncodableVector.add(PKCSObjectIdentifiers.pkcs_9_at_contentType);
        ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
        aSN1EncodableVector2.add(PKCSObjectIdentifiers.data);
        aSN1EncodableVector.add(new DERSet(aSN1EncodableVector2));
        DERSequence dERSequence = new DERSequence(aSN1EncodableVector);
        ASN1EncodableVector aSN1EncodableVector3 = new ASN1EncodableVector();
        aSN1EncodableVector3.add(PKCSObjectIdentifiers.pkcs_9_at_signingTime);
        ASN1EncodableVector aSN1EncodableVector4 = new ASN1EncodableVector();
        aSN1EncodableVector4.add(new ASN1UTCTime(new Date()));
        aSN1EncodableVector3.add(new DERSet(aSN1EncodableVector4));
        DERSequence dERSequence2 = new DERSequence(aSN1EncodableVector3);
        ASN1EncodableVector aSN1EncodableVector5 = new ASN1EncodableVector();
        aSN1EncodableVector5.add(PKCSObjectIdentifiers.pkcs_9_at_messageDigest);
        ASN1EncodableVector aSN1EncodableVector6 = new ASN1EncodableVector();
        aSN1EncodableVector6.add(new DEROctetString(makeDigest(bArr, algorithmIdentifier.getAlgorithm().getId())));
        aSN1EncodableVector5.add(new DERSet(aSN1EncodableVector6));
        DERSequence dERSequence3 = new DERSequence(aSN1EncodableVector5);
        ASN1EncodableVector aSN1EncodableVector7 = new ASN1EncodableVector();
        aSN1EncodableVector7.add(dERSequence);
        aSN1EncodableVector7.add(dERSequence2);
        aSN1EncodableVector7.add(dERSequence3);
        return aSN1EncodableVector7;
    }

    private SignerInfo buildSignerInfo() throws SignatureException {
        byte[] sign;
        try {
            String algorithm = getSignerCert().getPublicKey().getAlgorithm();
            SignerIdentifier signerIdentifier = new SignerIdentifier(new IssuerAndSerialNumber(new JcaX509CertificateHolder(this.signCert).toASN1Structure()));
            AlgorithmIdentifier algorithmIdentifier = algorithm.equals("RSA") ? new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"), DERNull.INSTANCE) : new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.156.10197.1.401"), DERNull.INSTANCE);
            DERSet dERSet = new DERSet(buildAuthenticatedAttributes(this.tobeSignedData, algorithmIdentifier));
            AlgorithmIdentifier algorithmIdentifier2 = algorithm.equals("RSA") ? new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, DERNull.INSTANCE) : new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.156.10197.1.301.1"), DERNull.INSTANCE);
            if (algorithm.equals("RSA")) {
                Signature signature = Signature.getInstance("SHA1WITHRSA");
                signature.initSign(this.privateKey);
                signature.update(this.tobeSignedData);
                sign = signature.sign();
            } else {
                SparkSignature sparkSignature = SparkSignature.getInstance("ECDSASM2withSM3");
                sparkSignature.initSign(this.privateKey);
                sparkSignature.update(dERSet.getEncoded());
                sign = sparkSignature.sign((ECPublicKey) this.signCert.getPublicKey());
            }
            return new SignerInfo(signerIdentifier, algorithmIdentifier, dERSet, algorithmIdentifier2, new DEROctetString(sign), (ASN1Set) null);
        } catch (Exception e) {
            throw new SignatureException("failed to build signer info", e);
        }
    }

    private String getRSASignatureAlgorithm(String str) {
        return "2.16.840.1.101.3.4.2.1".equals(str) ? "SHA256withRSA" : "1.3.14.3.2.26".equals(str) ? "SHA1withRSA" : str;
    }

    private boolean innerRSAVerify(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate) throws JCEEException {
        byte[] digestToBinary;
        byte[] bArr3;
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            cipher.init(2, x509Certificate);
            byte[] doFinal = cipher.doFinal(bArr);
            switch (doFinal.length) {
                case 16:
                    digestToBinary = MessageDigestUtil.digestToBinary(bArr2, MessageDigestAlgorithms.MD5);
                    bArr3 = doFinal;
                    break;
                case 20:
                    digestToBinary = MessageDigestUtil.digestToBinary(bArr2, "SHA1");
                    bArr3 = doFinal;
                    break;
                case 35:
                case 51:
                    ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance(doFinal);
                    ASN1Sequence aSN1Sequence2 = (ASN1Sequence) aSN1Sequence.getObjectAt(0);
                    bArr3 = ((DEROctetString) aSN1Sequence.getObjectAt(1)).getOctets();
                    digestToBinary = MessageDigestUtil.digestToBinary(bArr2, ((ASN1ObjectIdentifier) aSN1Sequence2.getObjectAt(0)).getId());
                    break;
                default:
                    throw new JCEEException("signature with length " + doFinal.length + " is not supported.");
            }
            return Arrays.equals(digestToBinary, bArr3);
        } catch (Exception e) {
            throw new JCEEException("Inner RSA verify failed. cause:" + e.getMessage());
        }
    }

    private boolean innerSignatureVerify(byte[] bArr, byte[] bArr2, X509Certificate x509Certificate, String str) throws JCEEException {
        try {
            Signature signature = Signature.getInstance(str);
            signature.initVerify(x509Certificate);
            signature.update(bArr2);
            return signature.verify(bArr);
        } catch (Exception e) {
            throw new JCEEException("Inner RSA Signature verify failed. cause:" + e.getMessage());
        }
    }

    private byte[] makeDigest(byte[] bArr, String str) {
        if (!str.equals("1.3.14.3.2.26") && !str.equals("2.16.840.1.101.3.4.2.1")) {
            if (str.equals("1.2.156.10197.1.401")) {
                return makeSM3DigestWithoutPublicKey(bArr);
            }
            throw new InvalidParameterException("invalid digest algorithm: " + str);
        }
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(str);
            messageDigest.update(bArr);
            return messageDigest.digest();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            return null;
        }
    }

    private byte[] makeSM3DigestWithoutPublicKey(byte[] bArr) {
        if (bArr == null) {
            throw new InvalidParameterException("data to be verified must be set first");
        }
        SM3Digest sM3Digest = new SM3Digest();
        sM3Digest.update(bArr, 0, bArr.length);
        byte[] bArr2 = new byte[32];
        sM3Digest.doFinal(bArr2, 0);
        return bArr2;
    }

    public void addCertificates(List<X509Certificate> list) {
        if (list != null) {
            this.certChain.addAll(list);
        }
    }

    public void addSigner(X509Certificate x509Certificate) {
        if (x509Certificate != null) {
            this.signCert = x509Certificate;
            this.certChain.add(this.signCert);
        }
    }

    public CMSSignedData buildCMSSignedData(SignerInfo signerInfo) throws SignatureException, CertificateEncodingException {
        return buildCMSSignedData(signerInfo, true);
    }

    public CMSSignedData buildCMSSignedData(SignerInfo signerInfo, boolean z) throws SignatureException, CertificateEncodingException {
        return buildCMSSignedData(z ? this.tobeSignedData : null, signerInfo, this.certChain);
    }

    public CMSSignedData buildCMSSignedData(byte[] bArr, SignerInfo signerInfo, List<X509Certificate> list) throws SignatureException, CertificateEncodingException {
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
        boolean equals = getSignerCert().getPublicKey().getAlgorithm().equals("RSA");
        ContentInfo contentInfo = new ContentInfo(equals ? CMSObjectIdentifiers.data : new ASN1ObjectIdentifier(SparkAlgorithmIdentifier.PKCS7_SM2_DATA_OID), bArr == null ? null : new BEROctetString(bArr));
        aSN1EncodableVector.add(signerInfo.getDigestAlgorithm());
        aSN1EncodableVector2.add(signerInfo);
        BERSet bERSet = null;
        if (list.size() != 0) {
            ASN1EncodableVector aSN1EncodableVector3 = new ASN1EncodableVector();
            try {
                Iterator<X509Certificate> it = list.iterator();
                while (it.hasNext()) {
                    aSN1EncodableVector3.add(ASN1Sequence.fromByteArray(it.next().getEncoded()));
                }
                bERSet = new BERSet(aSN1EncodableVector3);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        try {
            return new CMSSignedData(new CMSProcessableByteArray(bArr), new ContentInfo(equals ? CMSObjectIdentifiers.signedData : new ASN1ObjectIdentifier(SparkAlgorithmIdentifier.PKCS7_SM2_SIGNED_DATA_OID), new SignedData(new DERSet(aSN1EncodableVector), contentInfo, bERSet, null, new DERSet(aSN1EncodableVector2))));
        } catch (CMSException e2) {
            throw new SignatureException("pkcs7 sign failed", e2);
        }
    }

    public byte[] getPrimaryContent() {
        return this.tobeSignedData;
    }

    public X509Certificate getSignerCert() {
        return this.signCert;
    }

    public void initSign(PrivateKey privateKey) {
        this.privateKey = privateKey;
    }

    public CMSSignedData pkcs7Sign() throws SignatureException, CertificateEncodingException {
        return buildCMSSignedData(buildSignerInfo(), true);
    }

    public CMSSignedData pkcs7Sign(ContentSigner contentSigner, boolean z) throws SignatureException, CertificateEncodingException {
        try {
            String algorithm = getSignerCert().getPublicKey().getAlgorithm();
            SignerIdentifier signerIdentifier = new SignerIdentifier(new IssuerAndSerialNumber(new JcaX509CertificateHolder(this.signCert).toASN1Structure()));
            AlgorithmIdentifier algorithmIdentifier = algorithm.equals("RSA") ? new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"), DERNull.INSTANCE) : new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.156.10197.1.401"), DERNull.INSTANCE);
            DERSet dERSet = new DERSet(buildAuthenticatedAttributes(this.tobeSignedData, algorithmIdentifier));
            AlgorithmIdentifier algorithmIdentifier2 = algorithm.equals("RSA") ? new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, DERNull.INSTANCE) : new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.156.10197.1.301.1"), DERNull.INSTANCE);
            OutputStream outputStream = contentSigner.getOutputStream();
            new DEROutputStream(outputStream).writeObject(dERSet);
            outputStream.close();
            return buildCMSSignedData(new SignerInfo(signerIdentifier, algorithmIdentifier, dERSet, algorithmIdentifier2, new DEROctetString(contentSigner.getSignature()), (ASN1Set) null), z);
        } catch (Exception e) {
            throw new SignatureException("failed to build signer info", e);
        }
    }

    public CMSSignedData pkcs7Sign(boolean z) throws SignatureException {
        try {
            return new CMSSignedData(sign(z));
        } catch (CMSException e) {
            throw new SignatureException(e);
        }
    }

    public byte[] sign() throws SignatureException {
        return sign(true);
    }

    public byte[] sign(boolean z) throws SignatureException {
        if (this.signCert == null || this.privateKey == null) {
            throw new NullPointerException("signer cert or private key is null");
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            if (!this.signCert.getPublicKey().getAlgorithm().equals("RSA")) {
                return buildCMSSignedData(buildSignerInfo(), z).getEncoded();
            }
            CMSSignedDataStreamGenerator cMSSignedDataStreamGenerator = new CMSSignedDataStreamGenerator();
            cMSSignedDataStreamGenerator.addCertificates(new JcaCertStore(this.certChain));
            cMSSignedDataStreamGenerator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build()).build(new JcaContentSignerBuilder("SHA1withRSA").build(this.privateKey), this.signCert));
            OutputStream open = cMSSignedDataStreamGenerator.open(byteArrayOutputStream, z);
            open.write(this.tobeSignedData);
            open.flush();
            open.close();
            return byteArrayOutputStream.toByteArray();
        } catch (Exception e) {
            throw new SignatureException("sign pkcs7 failed. cause: " + e.getMessage(), e);
        }
    }

    public void update(byte[] bArr) {
        this.tobeSignedData = bArr;
    }

    public boolean verify(String str) throws SignatureException {
        return verify(str, true);
    }

    public boolean verify(String str, boolean z) throws SignatureException {
        boolean z2;
        byte[] bArr;
        byte[] bArr2;
        ByteArrayOutputStream byteArrayOutputStream = null;
        try {
            try {
                ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
                if (!z) {
                    try {
                        if (this.tobeSignedData == null) {
                            throw new SignatureException("非Attach模式下,必须先update待验证数据");
                        }
                    } catch (Exception e) {
                        e = e;
                        throw new SignatureException("验证PKCS7签名异常. cause: " + e.getMessage(), e);
                    } catch (Throwable th) {
                        th = th;
                        byteArrayOutputStream = byteArrayOutputStream2;
                        if (byteArrayOutputStream != null) {
                            try {
                                byteArrayOutputStream.close();
                            } catch (IOException e2) {
                                e2.printStackTrace();
                            }
                        }
                        throw th;
                    }
                }
                String signedContentTypeOID = new CMSSignedData(Base64.decode(str)).getSignedContentTypeOID();
                CMSSignedData cMSSignedData = signedContentTypeOID.equals(CMSObjectIdentifiers.data.getId()) ? z ? new CMSSignedData(Base64.decode(str)) : new CMSSignedData(new CMSProcessableByteArray(PKCSObjectIdentifiers.data, this.tobeSignedData), Base64.decode(str)) : z ? new CMSSignedData(Base64.decode(str)) : new CMSSignedData(new CMSProcessableByteArray(new ASN1ObjectIdentifier(SparkAlgorithmIdentifier.PKCS7_SM2_DATA_OID), this.tobeSignedData), Base64.decode(str));
                CMSTypedData signedContent = cMSSignedData.getSignedContent();
                if (z) {
                    if (signedContent == null) {
                        throw new IOException("PKCS7签名中没有包含签名数据");
                    }
                    signedContent.write(byteArrayOutputStream2);
                    this.tobeSignedData = byteArrayOutputStream2.toByteArray();
                }
                Store certificates = cMSSignedData.getCertificates();
                Collection<SignerInformation> signers = cMSSignedData.getSignerInfos().getSigners();
                Iterator<SignerInformation> it = signers.iterator();
                int i = 0;
                while (true) {
                    if (it.hasNext()) {
                        cn.com.syan.jcee.common.impl.cms.SignerInformation signerInformation = cn.com.syan.jcee.common.impl.cms.SignerInformation.getInstance(it.next(), signedContent);
                        X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) certificates.getMatches(signerInformation.getSID()).iterator().next();
                        if (signedContentTypeOID.equals(CMSObjectIdentifiers.data.getId())) {
                            this.signCert = CertificateConverter.fromBinary(x509CertificateHolder.getEncoded());
                            byte[] signature = signerInformation.getSignature();
                            AttributeTable signedAttributes = signerInformation.getSignedAttributes();
                            if (signedAttributes != null) {
                                bArr = signerInformation.getEncodedSignedAttributes();
                                byte[] octets = ((DEROctetString) signedAttributes.get(PKCSObjectIdentifiers.pkcs_9_at_messageDigest).getAttrValues().getObjectAt(0)).getOctets();
                                String id = signerInformation.getDigestAlgorithmID().getAlgorithm().getId();
                                if (!"1.3.14.3.2.26".equals(id) && !"2.16.840.1.101.3.4.2.1".equals(id)) {
                                    throw new SignatureException("unsupported digest algorithm:" + signerInformation.getDigestAlgorithmID().getAlgorithm().getId() + " in RSA P7");
                                }
                                if (!Arrays.equals(octets, makeDigest((byte[]) signedContent.getContent(), signerInformation.getDigestAlgorithmID().getAlgorithm().getId()))) {
                                    z2 = false;
                                    if (byteArrayOutputStream2 != null) {
                                        try {
                                            byteArrayOutputStream2.close();
                                        } catch (IOException e3) {
                                            e3.printStackTrace();
                                        }
                                    }
                                }
                            } else {
                                bArr = this.tobeSignedData;
                            }
                            getRSASignatureAlgorithm(signerInformation.getDigestAlgOID());
                            if (innerRSAVerify(signature, bArr, this.signCert)) {
                                i++;
                            }
                        } else {
                            this.signCert = CertificateConverter.fromBinary(x509CertificateHolder.toASN1Structure().getEncoded());
                            byte[] signature2 = signerInformation.getSignature();
                            AttributeTable signedAttributes2 = signerInformation.getSignedAttributes();
                            if (signedAttributes2 != null) {
                                bArr2 = signerInformation.getEncodedSignedAttributes();
                                byte[] octets2 = ((DEROctetString) signedAttributes2.get(PKCSObjectIdentifiers.pkcs_9_at_messageDigest).getAttrValues().getObjectAt(0)).getOctets();
                                if (!"1.2.156.10197.1.401".equals(signerInformation.getDigestAlgorithmID().getAlgorithm().getId())) {
                                    throw new SignatureException("invalid digest algorithm:" + signerInformation.getDigestAlgorithmID().getAlgorithm().getId() + " in SM2 Q7");
                                }
                                if (!Arrays.equals(octets2, makeSM3DigestWithoutPublicKey((byte[]) signedContent.getContent()))) {
                                    z2 = false;
                                    if (byteArrayOutputStream2 != null) {
                                        try {
                                            byteArrayOutputStream2.close();
                                        } catch (IOException e4) {
                                            e4.printStackTrace();
                                        }
                                    }
                                }
                            } else {
                                bArr2 = this.tobeSignedData;
                            }
                            SparkSignature sparkSignature = SparkSignature.getInstance("ECDSASM2withSM3");
                            sparkSignature.initVerify(this.signCert);
                            sparkSignature.update(bArr2);
                            if (sparkSignature.verify(signature2)) {
                                i++;
                            }
                        }
                    } else {
                        z2 = i == signers.size();
                        if (byteArrayOutputStream2 != null) {
                            try {
                                byteArrayOutputStream2.close();
                            } catch (IOException e5) {
                                e5.printStackTrace();
                            }
                        }
                    }
                }
                return z2;
            } catch (Throwable th2) {
                th = th2;
            }
        } catch (Exception e6) {
            e = e6;
        }
    }
}
