package com.guardtime.ksi.trust;

import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.Objects;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Store;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/guardtime/ksi/trust/CMSSignatureVerifier.class */
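/**
 * Verifies a CMS (PKCS#7 SignedData) signature in two steps: the single
 * SignerInfo must carry a valid signature under the signer certificate
 * embedded in the message, and that certificate must be accepted by the
 * configured {@link PKITrustStore}.
 *
 * <p>Security note: the signer certificate and any accompanying certificates
 * are read from the CMS message itself, i.e. from untrusted input. A valid
 * signature on its own therefore only proves that the message is
 * self-consistent with whatever key the sender embedded; trust is anchored
 * solely by {@code PKITrustStore.isTrusted(...)}. Both checks must pass
 * before {@link #verify(CMSSignature)} returns normally.
 */
public class CMSSignatureVerifier {
    private static final Logger LOGGER = LoggerFactory.getLogger(CMSSignatureVerifier.class);
    /** JCA provider name used for signature verification and certificate conversion. */
    private static final String PROVIDER_NAME = "BC";
    private final PKITrustStore trustStore;

    static {
        // Register BouncyCastle once so the "BC" provider lookups below resolve;
        // an already-registered provider of that name is left untouched.
        if (Security.getProvider(PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * @param pKITrustStore trust store that decides whether the signer certificate is trusted
     * @throws NullPointerException if {@code pKITrustStore} is null; failing here is preferable
     *         to failing inside {@link #verify(CMSSignature)} after the signature has been checked
     */
    public CMSSignatureVerifier(PKITrustStore pKITrustStore) {
        this.trustStore = Objects.requireNonNull(pKITrustStore, "pKITrustStore");
    }

    /**
     * Verifies the given CMS signature.
     *
     * <p>Exactly one SignerInfo is accepted. The signer certificate is located in
     * the message's certificate store via the SignerInfo's identifier, the
     * signature is checked against it, and finally the certificate is checked
     * against the trust store (with the message's certificates offered for chain
     * building).
     *
     * @param cMSSignature the signature to verify
     * @throws InvalidCmsSignatureException if the structure is unexpected (no or multiple
     *         SignerInfos, no matching certificate), the signature does not verify, or the
     *         signer certificate is not trusted
     * @throws CryptoException as declared, for failures raised by the trust store
     */
    public void verify(CMSSignature cMSSignature) throws CryptoException {
        Store<X509CertificateHolder> embeddedCertificates = cMSSignature.getSignedDataCertificates();
        Collection<SignerInformation> signers = cMSSignature.getSignerInformationStore().getSigners();
        if (signers.isEmpty()) {
            throw new InvalidCmsSignatureException("Invalid CMS signature. Signature does not contain SignerInformation element.");
        }
        if (signers.size() != 1) {
            // Multiple signers would make "which certificate must be trusted" ambiguous; reject.
            throw new InvalidCmsSignatureException("Invalid CMS signature. Signature contains multiple SingerInformation elements.");
        }
        SignerInformation signerInfo = signers.iterator().next();
        X509CertificateHolder signerCertificate = findSignerCertificate(signerInfo, embeddedCertificates);
        verifyCmsSignerInfo(signerInfo, signerCertificate);
        // The certificate came from the message; only the trust store can vouch for it.
        if (!this.trustStore.isTrusted(getCertificate(signerCertificate), embeddedCertificates)) {
            throw new InvalidCmsSignatureException("Certificate that was used for singing isn't trusted");
        }
    }

    /**
     * Looks up the certificate matching the SignerInfo's identifier among the
     * certificates embedded in the message.
     *
     * @throws InvalidCmsSignatureException if no embedded certificate matches
     */
    private static X509CertificateHolder findSignerCertificate(SignerInformation signerInfo,
            Store<X509CertificateHolder> embeddedCertificates) throws InvalidCmsSignatureException {
        Collection<X509CertificateHolder> matches = embeddedCertificates.getMatches(signerInfo.getSID());
        if (matches.isEmpty()) {
            throw new InvalidCmsSignatureException("Invalid CMS signature. Signer certificate collection is empty.");
        }
        if (matches.size() > 1) {
            // More than one embedded certificate matches the SignerId. The first one is
            // used, as before; whichever is picked must still pass signature and trust checks.
            LOGGER.warn("CMS signature embeds {} certificates matching the signer identifier; using the first one",
                    matches.size());
        }
        return matches.iterator().next();
    }

    /**
     * Checks the SignerInfo's signature against the public key of the given certificate.
     * Note that this does not establish trust in the certificate.
     *
     * @throws InvalidCmsSignatureException if the signature does not verify or the verifier
     *         cannot be built for this certificate/algorithm
     */
    private void verifyCmsSignerInfo(SignerInformation signerInformation, X509CertificateHolder x509CertificateHolder) throws InvalidCmsSignatureException {
        try {
            boolean valid = signerInformation.verify(
                    new JcaSimpleSignerInfoVerifierBuilder().setProvider(PROVIDER_NAME).build(x509CertificateHolder));
            if (valid) {
                return;
            }
            LOGGER.warn("Signer certificate verification failure. Certificate subjectDN is {}, serial number is {}",
                    x509CertificateHolder.getSubject(), x509CertificateHolder.getSerialNumber());
            throw new InvalidCmsSignatureException("Signature verification failure");
        } catch (CertificateException e) {
            throw new InvalidCmsSignatureException("CMS signature validation failed. " + e.getMessage(), e);
        } catch (OperatorCreationException e) {
            throw new InvalidCmsSignatureException("CMS signature validation failed. " + e.getMessage(), e);
        } catch (CMSException e) {
            throw new InvalidCmsSignatureException("Invalid CMS signature. " + e.getMessage(), e);
        }
    }

    /**
     * Converts a BouncyCastle certificate holder into a JCA {@link X509Certificate}.
     *
     * @throws InvalidCmsSignatureException if the encoded certificate cannot be parsed
     */
    private static X509Certificate getCertificate(X509CertificateHolder x509CertificateHolder) throws InvalidCmsSignatureException {
        try {
            return new JcaX509CertificateConverter().setProvider(PROVIDER_NAME).getCertificate(x509CertificateHolder);
        } catch (CertificateException e) {
            throw new InvalidCmsSignatureException("Invalid certificate in CMS signature. " + e.getMessage(), e);
        }
    }
}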
