package eu.europa.esig.dss.xades.validation;

import eu.europa.esig.dss.DomUtils;
import eu.europa.esig.dss.definition.xmldsig.XMLDSigPaths;
import eu.europa.esig.dss.enumerations.CertificateOrigin;
import eu.europa.esig.dss.enumerations.CertificateRefOrigin;
import eu.europa.esig.dss.model.Digest;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CandidatesForSigningCertificate;
import eu.europa.esig.dss.spi.x509.CertificateRef;
import eu.europa.esig.dss.spi.x509.CertificateSource;
import eu.europa.esig.dss.spi.x509.CertificateTokenRefMatcher;
import eu.europa.esig.dss.spi.x509.CertificateValidity;
import eu.europa.esig.dss.spi.x509.SignerIdentifier;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.SignatureCertificateSource;
import eu.europa.esig.dss.xades.DSSXMLUtils;
import eu.europa.esig.dss.xades.definition.XAdESPaths;
import java.security.PublicKey;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:eu/europa/esig/dss/xades/validation/XAdESCertificateSource.class */
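/**
 * Certificate source backed by a single XAdES signature element.
 *
 * <p>On construction the class collects the certificates embedded in the signature (origins
 * {@code KEY_INFO}, {@code CERTIFICATE_VALUES}, {@code ATTR_AUTHORITIES_CERT_VALUES} and
 * {@code TIMESTAMP_VALIDATION_DATA}) and the certificate references (origins
 * {@code SIGNING_CERTIFICATE}, {@code COMPLETE_CERTIFICATE_REFS} and
 * {@code ATTRIBUTE_CERTIFICATE_REFS}, each looked up through a V1 and a V2 path).
 *
 * <p>Everything read here comes from the document under validation and is therefore untrusted
 * input. This class only collects certificates and matches them against references; nothing in
 * it establishes trust in a certificate.
 */
public class XAdESCertificateSource extends SignatureCertificateSource {
    private static final Logger LOG = LoggerFactory.getLogger(XAdESCertificateSource.class);

    /** Upper bound on how much unparseable element text is copied into a single log line. */
    private static final int MAX_LOGGED_CONTENT_LENGTH = 64;

    private final Element signatureElement;
    private final XAdESPaths xadesPaths;

    /**
     * Builds the source and immediately extracts all certificates and certificate references
     * from the given signature element.
     *
     * @param element the signature element to read from, must not be null
     * @param xAdESPaths the XAdES path definitions used for the lookups, must not be null
     * @throws NullPointerException if either argument is null
     */
    public XAdESCertificateSource(Element element, XAdESPaths xAdESPaths) {
        Objects.requireNonNull(element, "Element signature must not be null");
        Objects.requireNonNull(xAdESPaths, "XAdESPaths must not be null");
        this.signatureElement = element;
        this.xadesPaths = xAdESPaths;

        // Embedded certificate values, grouped by where in the signature they were found.
        extractCertificates(XMLDSigPaths.KEY_INFO_X509_CERTIFICATE_PATH, CertificateOrigin.KEY_INFO);
        extractCertificates(xAdESPaths.getEncapsulatedCertificateValuesPath(), CertificateOrigin.CERTIFICATE_VALUES);
        extractCertificates(xAdESPaths.getEncapsulatedAttrAuthoritiesCertValuesPath(), CertificateOrigin.ATTR_AUTHORITIES_CERT_VALUES);
        extractCertificates(xAdESPaths.getEncapsulatedTimeStampValidationDataCertValuesPath(), CertificateOrigin.TIMESTAMP_VALIDATION_DATA);

        // Certificate references; every origin is looked up through its V1 and its V2 path.
        extractCertificateRefs(xAdESPaths.getSigningCertificateChildren(), xAdESPaths.getSigningCertificateV2Children(), CertificateRefOrigin.SIGNING_CERTIFICATE);
        extractCertificateRefs(xAdESPaths.getCompleteCertificateRefsCertPath(), xAdESPaths.getCompleteCertificateRefsV2CertPath(), CertificateRefOrigin.COMPLETE_CERTIFICATE_REFS);
        extractCertificateRefs(xAdESPaths.getAttributeCertificateRefsCertPath(), xAdESPaths.getAttributeCertificateRefsV2CertPath(), CertificateRefOrigin.ATTRIBUTE_CERTIFICATE_REFS);

        LOG.info("+XAdESCertificateSource");
    }

    /**
     * Decodes every node selected by {@code xPath} as a Base64 certificate and registers it under
     * {@code origin}. A node that cannot be decoded or parsed is logged and skipped, so one
     * malformed entry does not prevent the remaining ones from being read.
     *
     * @param xPath the path selecting the certificate nodes; {@code null} means nothing to extract
     * @param origin the origin recorded for each extracted certificate
     */
    private void extractCertificates(String xPath, CertificateOrigin origin) {
        if (xPath == null) {
            return;
        }
        NodeList certificateNodes = DomUtils.getNodeList(this.signatureElement, xPath);
        if (certificateNodes == null) {
            // extractCertificateRefs already treats a null node list as "nothing found";
            // do the same here so both lookups behave alike.
            return;
        }
        for (int i = 0; i < certificateNodes.getLength(); i++) {
            Element certificateElement = (Element) certificateNodes.item(i);
            try {
                addCertificate(DSSUtils.loadCertificate(Utils.fromBase64(certificateElement.getTextContent())), origin);
            } catch (Exception e) {
                // The element text is taken from the document being validated. Log only a bounded
                // preview with control characters neutralised, so a malformed entry can neither
                // flood the log nor inject extra log lines.
                LOG.warn("Unable to parse certificate '{}' : {}", toLogSafePreview(certificateElement.getTextContent()), e.getMessage());
            }
        }
    }

    /**
     * Returns a version of {@code content} that is safe to embed in a log line: at most
     * {@link #MAX_LOGGED_CONTENT_LENGTH} characters, with ISO control characters (including CR
     * and LF) replaced by {@code '_'}. When the text was shortened, its full length is appended.
     */
    private static String toLogSafePreview(String content) {
        if (content == null) {
            return "null";
        }
        int shown = Math.min(content.length(), MAX_LOGGED_CONTENT_LENGTH);
        StringBuilder preview = new StringBuilder(shown + 32);
        for (int i = 0; i < shown; i++) {
            char c = content.charAt(i);
            preview.append(Character.isISOControl(c) ? '_' : c);
        }
        if (content.length() > shown) {
            preview.append("... (").append(content.length()).append(" chars)");
        }
        return preview.toString();
    }

    /**
     * Extracts the certificate references of one origin, first through the V1 path and then
     * through the V2 path. A {@code null} path or a {@code null} node list is skipped.
     *
     * @param v1Path the path of the V1 reference nodes, may be null
     * @param v2Path the path of the V2 reference nodes, may be null
     * @param origin the origin recorded for each extracted reference
     */
    private void extractCertificateRefs(String v1Path, String v2Path, CertificateRefOrigin origin) {
        if (v1Path != null) {
            NodeList v1Nodes = DomUtils.getNodeList(this.signatureElement, v1Path);
            if (v1Nodes != null) {
                extractXAdESCertsV1(v1Nodes, origin);
            }
        }
        if (v2Path != null) {
            NodeList v2Nodes = DomUtils.getNodeList(this.signatureElement, v2Path);
            if (v2Nodes != null) {
                extractXAdESCertsV2(v2Nodes, origin);
            }
        }
    }

    /**
     * Builds a certificate reference from each V1 node and registers it under {@code origin}.
     * Nodes for which the extraction utility returns {@code null} are skipped.
     */
    private void extractXAdESCertsV1(NodeList refNodes, CertificateRefOrigin origin) {
        for (int i = 0; i < refNodes.getLength(); i++) {
            CertificateRef ref = XAdESCertificateRefExtractionUtils.createCertificateRefFromV1((Element) refNodes.item(i), this.xadesPaths);
            if (ref != null) {
                ref.setOrigin(origin);
                addCertificateRef(ref, origin);
            }
        }
    }

    /**
     * Builds a certificate reference from each V2 node and registers it under {@code origin}.
     * Nodes for which the extraction utility returns {@code null} are skipped.
     */
    private void extractXAdESCertsV2(NodeList refNodes, CertificateRefOrigin origin) {
        for (int i = 0; i < refNodes.getLength(); i++) {
            CertificateRef ref = XAdESCertificateRefExtractionUtils.createCertificateRefFromV2((Element) refNodes.item(i), this.xadesPaths);
            if (ref != null) {
                ref.setOrigin(origin);
                addCertificateRef(ref, origin);
            }
        }
    }

    /**
     * Collects the candidates for the signing certificate.
     *
     * <p>The candidates are gathered in this order:
     * <ol>
     *   <li>every certificate found in KeyInfo;</li>
     *   <li>if there is none: when KeyInfo carries a public key, the certificates of this source
     *       with that key, or the bare public key when no such certificate exists; when there is
     *       no public key either, every certificate of this source;</li>
     *   <li>if {@code certificateSource} is not null, certificates resolved from it through the
     *       signing-certificate references.</li>
     * </ol>
     * Finally each candidate is compared with the first signing-certificate reference.
     *
     * <p>All candidates originate from the signature itself or from the supplied source; this
     * method performs no trust or chain validation.
     *
     * @param certificateSource an additional source to resolve references against, may be null
     * @return the collected candidates, never null
     */
    protected CandidatesForSigningCertificate extractCandidatesForSigningCertificate(CertificateSource certificateSource) {
        CandidatesForSigningCertificate candidates = new CandidatesForSigningCertificate();
        addAllAsCandidates(candidates, getKeyInfoCertificates());

        if (candidates.isEmpty()) {
            PublicKey keyInfoPublicKey = DSSXMLUtils.getKeyInfoSigningCertificatePublicKey(this.signatureElement);
            if (keyInfoPublicKey == null) {
                // Neither a certificate nor a key in KeyInfo: fall back to everything embedded.
                addAllAsCandidates(candidates, getCertificates());
            } else {
                Set<?> sameKeyCertificates = getByPublicKey(keyInfoPublicKey);
                if (Utils.isCollectionNotEmpty(sameKeyCertificates)) {
                    addAllAsCandidates(candidates, sameKeyCertificates);
                } else {
                    // No certificate carries this key; keep the key itself as a candidate.
                    candidates.add(new CertificateValidity(keyInfoPublicKey));
                }
            }
        }

        if (certificateSource != null) {
            resolveFromSource(certificateSource, candidates);
        }
        checkCandidatesAgainstSigningCertificateRef(candidates);
        return candidates;
    }

    /**
     * Wraps every element of {@code tokens} in a {@link CertificateValidity} and adds it to
     * {@code candidates}. Each element is cast to {@link CertificateToken}.
     */
    private static void addAllAsCandidates(CandidatesForSigningCertificate candidates, Iterable<?> tokens) {
        for (Object token : tokens) {
            candidates.add(new CertificateValidity((CertificateToken) token));
        }
    }

    /**
     * Adds candidates taken from an external certificate source.
     *
     * <p>Without any signing-certificate reference, all certificates of the source become
     * candidates, but only when no candidate was found before. With references, each one is
     * resolved by certificate identifier first and by digest second.
     *
     * <p>NOTE(review): a match by identifier ends the whole resolution, while a match by digest
     * lets the loop continue with the next reference. The asymmetry is kept as found; confirm
     * against the upstream source that it is intended.
     */
    private void resolveFromSource(CertificateSource certificateSource, CandidatesForSigningCertificate candidates) {
        List<CertificateRef> signingCertificateRefs = getSigningCertificateRefs();
        if (!Utils.isCollectionNotEmpty(signingCertificateRefs)) {
            if (candidates.isEmpty()) {
                List<?> allCertificates = certificateSource.getCertificates();
                LOG.debug("No signing certificate reference found. Resolve all {} certificates from the provided certificate source as signing candidates.", allCertificates.size());
                addAllAsCandidates(candidates, allCertificates);
            }
            return;
        }

        for (CertificateRef ref : signingCertificateRefs) {
            SignerIdentifier identifier = ref.getCertificateIdentifier();
            if (identifier != null) {
                Set<?> byIdentifier = certificateSource.getBySignerIdentifier(identifier);
                if (Utils.isCollectionNotEmpty(byIdentifier)) {
                    LOG.debug("Resolved certificate by certificate identifier");
                    addAllAsCandidates(candidates, byIdentifier);
                    return;
                }
            }
            Digest digest = ref.getCertDigest();
            if (digest != null) {
                Set<?> byDigest = certificateSource.getByCertificateDigest(digest);
                if (Utils.isCollectionNotEmpty(byDigest)) {
                    LOG.debug("Resolved certificate by digest");
                    addAllAsCandidates(candidates, byDigest);
                }
            }
        }
    }

    /**
     * Compares every candidate with the signing-certificate reference and records the outcome on
     * the candidate. Does nothing when the signature carries no such reference.
     *
     * <p>Only the first reference is used; further references are ignored here. A candidate
     * without a certificate token (one built from a bare public key) gets the "present" flags but
     * none of the "equal" flags. When several candidates report {@code isValid()}, the last one
     * in list order is selected.
     */
    private void checkCandidatesAgainstSigningCertificateRef(CandidatesForSigningCertificate candidates) {
        List<CertificateRef> signingCertificateRefs = getSigningCertificateRefs();
        if (!Utils.isCollectionNotEmpty(signingCertificateRefs)) {
            return;
        }
        CertificateRef firstRef = signingCertificateRefs.get(0);
        CertificateTokenRefMatcher matcher = new CertificateTokenRefMatcher();
        CertificateValidity selected = null;

        for (CertificateValidity candidate : candidates.getCertificateValidityList()) {
            candidate.setDigestPresent(firstRef.getCertDigest() != null);
            candidate.setIssuerSerialPresent(firstRef.getCertificateIdentifier() != null);

            CertificateToken token = candidate.getCertificateToken();
            if (token != null) {
                candidate.setDigestEqual(matcher.matchByDigest(token, firstRef));
                candidate.setSerialNumberEqual(matcher.matchBySerialNumber(token, firstRef));
                candidate.setDistinguishedNameEqual(matcher.matchByIssuerName(token, firstRef));
            }
            if (candidate.isValid()) {
                selected = candidate;
            }
        }

        if (selected != null) {
            candidates.setTheCertificateValidity(selected);
        }
    }
}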
