package no.difi.oxalis.as2.util;

import com.google.common.io.ByteStreams;
import com.sun.mail.util.LineOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Iterator;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.ContentType;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import no.difi.oxalis.api.lang.OxalisSecurityException;
import no.difi.oxalis.as2.lang.OxalisAs2Exception;
import no.difi.oxalis.commons.bouncycastle.BCHelper;
import no.difi.oxalis.commons.security.CertificateUtils;
import no.difi.vefa.peppol.common.code.Service;
import no.difi.vefa.peppol.security.api.CertificateValidator;
import no.difi.vefa.peppol.security.lang.PeppolSecurityException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.mail.smime.SMIMESigned;
import org.bouncycastle.operator.OperatorCreationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/difi/oxalis/as2/util/SignedMessage.class */
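/**
 * A received {@code multipart/signed} MIME message together with its S/MIME signature.
 *
 * <p>The payload is only released by {@link #getContent()} after one of the {@code validate}
 * methods has succeeded. Until then {@link #getSigner()} and {@link #getDigest()} return
 * {@code null}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #getMicalg()} comes from the outer {@code Content-Type} header and is read before
 *       any signature check. This class never compares it with the digest algorithm of the
 *       verified signer, so treat it as sender-supplied.</li>
 *   <li>{@link #validate(X509Certificate)} only proves that the signature matches the given
 *       public key. Trust in the certificate itself has to be established by the caller, or by
 *       using the overloads that take a {@link CertificateValidator}.</li>
 * </ul>
 */
public class SignedMessage {
    private static final Logger log = LoggerFactory.getLogger(SignedMessage.class);
    private static final Session SESSION = Session.getDefaultInstance(System.getProperties());
    private MimeMultipart mimeMultipart;
    private SMIMESigned smimeSigned;
    private byte[] signature;
    private String micalg;
    // Set only by a successful validate(X509Certificate); null means "not validated".
    private X509Certificate signer;
    // Content digest taken from the signer that verified; null until validation succeeds.
    private byte[] digest;

    /**
     * Parses a signed message from a raw MIME stream.
     *
     * @param inputStream stream holding the complete MIME message, headers included
     * @return the parsed, not yet validated message
     * @throws IOException        if the stream or the message content cannot be read
     * @throws MessagingException if the stream cannot be parsed as a MIME message
     * @throws OxalisAs2Exception if the message is not a well-formed {@code multipart/signed}
     */
    public static SignedMessage load(InputStream inputStream) throws IOException, MessagingException, OxalisAs2Exception {
        return new SignedMessage(new MimeMessage(SESSION, inputStream));
    }

    /**
     * Wraps an already parsed MIME message.
     *
     * @param mimeMessage message expected to be {@code multipart/signed}
     * @return the parsed, not yet validated message
     * @throws IOException        if the message content cannot be read
     * @throws OxalisAs2Exception if the message is not a well-formed {@code multipart/signed}
     */
    public static SignedMessage load(MimeMessage mimeMessage) throws IOException, OxalisAs2Exception {
        return new SignedMessage(mimeMessage);
    }

    /**
     * Extracts the multipart structure, the raw signature bytes and the CMS signed data.
     * No cryptographic verification happens here.
     */
    private SignedMessage(MimeMessage mimeMessage) throws IOException, OxalisAs2Exception {
        try {
            if (!mimeMessage.isMimeType("multipart/signed")) {
                throw new OxalisAs2Exception("Received content is not 'multipart/signed'.");
            }
            this.micalg = extractMicalg(mimeMessage);

            // The message is untrusted input: reject unexpected shapes with the declared
            // exception type instead of letting ClassCastException or
            // IndexOutOfBoundsException escape to the caller.
            Object content = mimeMessage.getContent();
            if (!(content instanceof MimeMultipart)) {
                throw new OxalisAs2Exception("Received content could not be read as a MIME multipart.");
            }
            this.mimeMultipart = (MimeMultipart) content;
            if (this.mimeMultipart.getCount() < 2) {
                throw new OxalisAs2Exception(
                        "Received 'multipart/signed' content does not contain both a content part and a signature part.");
            }

            // Part 0 is the signed content, part 1 the detached signature.
            this.signature = ByteStreams.toByteArray(this.mimeMultipart.getBodyPart(1).getInputStream());
            this.smimeSigned = new SMIMESigned(this.mimeMultipart);
        } catch (CMSException | MessagingException e) {
            throw new OxalisAs2Exception("Unable to parse received content.", e);
        }
    }

    /**
     * Returns the signed payload, but only after validation has succeeded.
     *
     * @return stream over the signed content part
     * @throws IOException             if the content cannot be read
     * @throws OxalisSecurityException if no {@code validate} call has succeeded yet
     * @throws OxalisAs2Exception      if the content part cannot be fetched
     */
    public InputStream getContent() throws IOException, OxalisSecurityException, OxalisAs2Exception {
        // Fail closed: unverified content must never reach the caller.
        if (this.signer == null) {
            throw new OxalisSecurityException("Content is not validated.");
        }
        try {
            return this.smimeSigned.getContent().getInputStream();
        } catch (MessagingException e) {
            throw new OxalisAs2Exception("Unable to fetch content.", e);
        }
    }

    /**
     * Returns the signed payload as a byte array; same preconditions as {@link #getContent()}.
     *
     * @return the bytes of the signed content part
     * @throws IOException             if the content cannot be read
     * @throws OxalisSecurityException if no {@code validate} call has succeeded yet
     * @throws OxalisAs2Exception      if the content part cannot be fetched
     */
    public byte[] getContentBytes() throws IOException, OxalisSecurityException, OxalisAs2Exception {
        return ByteStreams.toByteArray(getContent());
    }

    /**
     * Returns the {@code micalg} parameter of the outer {@code Content-Type} header.
     * The value is sender-supplied and is not checked against the verified signature.
     *
     * @return the {@code micalg} parameter value, never {@code null}
     */
    public String getMicalg() {
        return this.micalg;
    }

    /**
     * @return the certificate whose public key verified the signature, or {@code null} if
     *         validation has not succeeded
     */
    public X509Certificate getSigner() {
        return this.signer;
    }

    /**
     * @return a copy of the content digest of the verified signer, or {@code null} if
     *         validation has not succeeded
     */
    public byte[] getDigest() {
        // Copy so callers cannot alter the digest recorded at verification time.
        return this.digest == null ? null : this.digest.clone();
    }

    /**
     * @return a copy of the raw bytes of the signature body part
     */
    public byte[] getSignature() {
        // Copy so callers cannot alter the stored signature bytes.
        return this.signature.clone();
    }

    /**
     * Serialises all header lines of the content part (body part 0), followed by the empty
     * line that ends a header block.
     *
     * @return the header block as written by {@link LineOutputStream}
     * @throws IOException        if writing to the in-memory buffer fails
     * @throws OxalisAs2Exception if the body part or its headers cannot be fetched
     */
    public byte[] getBodyHeader() throws IOException, OxalisAs2Exception {
        try {
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            try (LineOutputStream lines = new LineOutputStream(buffer)) {
                // An empty exclusion list means every header line is returned.
                Enumeration<?> headerLines = this.mimeMultipart.getBodyPart(0).getNonMatchingHeaderLines(new String[0]);
                while (headerLines.hasMoreElements()) {
                    lines.writeln((String) headerLines.nextElement());
                }
                lines.writeln();
            }
            return buffer.toByteArray();
        } catch (MessagingException e) {
            throw new OxalisAs2Exception("Unable to fetch body headers.", e);
        }
    }

    /**
     * Verifies the signature against the public key of the given certificate. On success the
     * certificate is recorded as signer and the content digest is stored.
     *
     * <p>Only the signature is checked. The certificate itself is not validated here, so the
     * caller must already trust it.
     *
     * @param x509Certificate certificate holding the public key to verify with
     * @throws OxalisSecurityException if the verifier cannot be created or CMS processing fails
     * @throws PeppolSecurityException if no signer in the message verifies with this key
     */
    public void validate(X509Certificate x509Certificate) throws OxalisSecurityException, PeppolSecurityException {
        try {
            SignerInformationVerifier verifier =
                    new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(x509Certificate.getPublicKey());
            for (SignerInformation signerInformation : this.smimeSigned.getSignerInfos().getSigners()) {
                if (signerInformation.verify(verifier)) {
                    this.signer = x509Certificate;
                    this.digest = signerInformation.getContentDigest();
                    return;
                }
            }
            throw new PeppolSecurityException("Unable to verify signature.");
        } catch (OperatorCreationException e) {
            throw new OxalisSecurityException("Unable to create SignerInformationVerifier.", e);
        } catch (CMSException e) {
            throw new OxalisSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Validates using any certificate embedded in the message that the validator accepts.
     * Equivalent to {@link #validate(Service, CertificateValidator, String)} with a
     * {@code null} common name.
     *
     * @param service              service the certificate is validated for
     * @param certificateValidator validator that decides whether a certificate is trusted
     * @throws IOException             if a certificate cannot be encoded
     * @throws OxalisSecurityException if no embedded certificate is accepted
     * @throws PeppolSecurityException if the signature does not verify with the accepted certificate
     */
    public void validate(Service service, CertificateValidator certificateValidator) throws IOException, OxalisSecurityException, PeppolSecurityException {
        validate(service, certificateValidator, null);
    }

    /**
     * Picks a certificate from those embedded in the message and verifies the signature with it.
     *
     * <p>The embedded certificates are supplied by the sender, so trust rests entirely on
     * {@code certificateValidator}. The first certificate that passes the common-name filter
     * and the validator is used. If the signature does not verify with that certificate the
     * resulting {@link PeppolSecurityException} propagates and later certificates are not tried.
     *
     * @param service              service the certificate is validated for
     * @param certificateValidator validator that decides whether a certificate is trusted
     * @param str                  expected common name of the signer, or {@code null}
     *                             (presumably no common-name filtering then; confirm in
     *                             {@code CertificateUtils.containsCommonName})
     * @throws IOException             if a certificate cannot be encoded
     * @throws OxalisSecurityException if no embedded certificate passes filter and validator
     * @throws PeppolSecurityException if the signature does not verify with the accepted certificate
     */
    public void validate(Service service, CertificateValidator certificateValidator, String str) throws IOException, OxalisSecurityException, PeppolSecurityException {
        Iterator<?> certificates = this.smimeSigned.getCertificates().iterator();
        while (certificates.hasNext()) {
            X509CertificateHolder holder = (X509CertificateHolder) certificates.next();
            if (!CertificateUtils.containsCommonName(holder.getSubject(), str)) {
                continue;
            }
            try {
                X509Certificate candidate = CertificateUtils.parseCertificate(holder.getEncoded());
                if (isValid(service, certificateValidator, candidate)) {
                    validate(candidate);
                    return;
                }
            } catch (CertificateException e) {
                // Skip the unparsable certificate, but keep the cause for troubleshooting.
                log.debug("Unable to initiate certificate object.", e);
            }
        }
        throw new OxalisSecurityException(str == null
                ? "Unable to find valid certificate for validation of content."
                : String.format("Unable to find valid certificate with CN '%s' for validation of content.", str));
    }

    /**
     * Asks the validator whether the certificate is acceptable for the service.
     *
     * @return {@code true} if the validator accepts the certificate, {@code false} if it
     *         throws {@link PeppolSecurityException}
     */
    private boolean isValid(Service service, CertificateValidator certificateValidator, X509Certificate x509Certificate) {
        try {
            certificateValidator.validate(service, x509Certificate);
            return true;
        } catch (PeppolSecurityException e) {
            // Rejection is an expected outcome; log the reason so failures can be diagnosed.
            log.debug("Certificate rejected by certificate validator.", e);
            return false;
        }
    }

    /**
     * Reads the {@code micalg} parameter from the message's {@code Content-Type} header.
     *
     * @param mimeMessage message whose content type is inspected
     * @return the parameter value, never {@code null}
     * @throws OxalisAs2Exception if the content type cannot be read or has no {@code micalg}
     */
    public static String extractMicalg(MimeMessage mimeMessage) throws OxalisAs2Exception {
        try {
            String parameter = new ContentType(mimeMessage.getContentType()).getParameter("micalg");
            if (parameter == null) {
                throw new OxalisAs2Exception("Parameter 'micalg' is not provided.");
            }
            return parameter;
        } catch (MessagingException e) {
            throw new OxalisAs2Exception("Unable to fetch content type.", e);
        }
    }

    static {
        // validate(X509Certificate) requests the "BC" provider by name, so it is registered here.
        BCHelper.registerProvider();
    }
}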
