package org.gephi.org.apache.poi.poifs.crypt.dsig.services;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;
import org.gephi.java.io.ByteArrayInputStream;
import org.gephi.java.io.IOException;
import org.gephi.java.lang.Class;
import org.gephi.java.lang.Exception;
import org.gephi.java.lang.IllegalArgumentException;
import org.gephi.java.lang.NoSuchFieldError;
import org.gephi.java.lang.Object;
import org.gephi.java.lang.RuntimeException;
import org.gephi.java.lang.String;
import org.gephi.java.lang.StringBuilder;
import org.gephi.java.lang.invoke.LambdaMetafactory;
import org.gephi.java.math.BigInteger;
import org.gephi.java.security.GeneralSecurityException;
import org.gephi.java.security.SecureRandom;
import org.gephi.java.security.cert.CertificateFactory;
import org.gephi.java.security.cert.X509Certificate;
import org.gephi.java.util.Collections;
import org.gephi.java.util.List;
import org.gephi.java.util.Map;
import org.gephi.java.util.Objects;
import org.gephi.java.util.function.Consumer;
import org.gephi.java.util.function.Function;
import org.gephi.java.util.function.Predicate;
import org.gephi.java.util.function.Supplier;
import org.gephi.java.util.stream.Collectors;
import org.gephi.java.util.stream.Stream;
import org.gephi.javax.security.auth.x500.X500Principal;
import org.gephi.org.apache.logging.log4j.LogManager;
import org.gephi.org.apache.logging.log4j.Logger;
import org.gephi.org.apache.logging.log4j.util.Unbox;
import org.gephi.org.apache.poi.poifs.crypt.CryptoFunctions;
import org.gephi.org.apache.poi.poifs.crypt.HashAlgorithm;
import org.gephi.org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.gephi.org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.gephi.org.apache.poi.poifs.crypt.dsig.services.TimeStampHttpClient;

/* loaded from: input_file:org/gephi/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.class */
public class TSPTimeStampService extends Object implements TimeStampService {
    private static final Logger LOG = LogManager.getLogger((Class<?>) TSPTimeStampService.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.gephi.org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService$1, reason: invalid class name */
    /* loaded from: input_file:org/gephi/org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService$1.class */
    /**
     * Compiler-generated lookup table for the {@code switch} over {@link HashAlgorithm}
     * in {@code mapDigestAlgoToOID}.
     *
     * <p>The table maps an enum ordinal to a small case label (1..4). Slots that are never
     * written keep the array default of 0, which selects the switch's {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass1 extends Object {
        // One slot per HashAlgorithm constant, indexed by ordinal().
        static final /* synthetic */ int[] $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm = new int[HashAlgorithm.values().length];

        static {
            // Each constant is populated in its own try block: if a constant is missing from the
            // HashAlgorithm class loaded at runtime, only that slot stays 0 and the others are still set.
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha1.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Intentionally ignored: the slot stays 0 and falls to the default branch.
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // Intentionally ignored, as above.
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha384.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // Intentionally ignored, as above.
            }
            try {
                $SwitchMap$org$apache$poi$poifs$crypt$HashAlgorithm[HashAlgorithm.sha512.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
                // Intentionally ignored, as above.
            }
        }
    }

    /**
     * Translates the configured TSP digest algorithm into the ASN.1 object identifier that is
     * placed in the time-stamp request.
     *
     * <p>Only SHA-1, SHA-256, SHA-384 and SHA-512 are mapped. SHA-1 is still accepted here;
     * it is collision-weak, so deployments that choose the TSP digest should prefer SHA-256
     * or stronger unless the time-stamp authority requires SHA-1.
     *
     * @param hashAlgorithm digest algorithm selected for the time-stamp request
     * @return the matching digest OID
     * @throws IllegalArgumentException if the algorithm is not one of the four mapped digests
     */
    public ASN1ObjectIdentifier mapDigestAlgoToOID(HashAlgorithm hashAlgorithm) {
        final ASN1ObjectIdentifier digestOid;
        switch (hashAlgorithm) {
            case sha1:
                digestOid = X509ObjectIdentifiers.id_SHA1;
                break;
            case sha256:
                digestOid = NISTObjectIdentifiers.id_sha256;
                break;
            case sha384:
                digestOid = NISTObjectIdentifiers.id_sha384;
                break;
            case sha512:
                digestOid = NISTObjectIdentifiers.id_sha512;
                break;
            default:
                // Any other digest is rejected rather than silently substituted.
                throw new IllegalArgumentException(new StringBuilder().append("unsupported digest algo: ").append(hashAlgorithm).toString());
        }
        return digestOid;
    }

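    /**
     * Requests an RFC 3161 time-stamp token for {@code bArr} from the configured TSP endpoint,
     * collects the signer's certificate chain and CRLs into {@code revocationData}, and returns
     * the encoded token.
     *
     * <p>What is checked here, in order:
     * <ol>
     *   <li>the HTTP exchange succeeded and returned a non-empty body;</li>
     *   <li>the response matches the request ({@code TimeStampResponse.validate}), which binds it
     *       to the 128-bit random nonce and the message digest sent;</li>
     *   <li>the response status is 0;</li>
     *   <li>the token's signature verifies under the signer certificate <em>embedded in the
     *       token</em>;</li>
     *   <li>if a TSP validator is configured, the collected chain is handed to it.</li>
     * </ol>
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>Step 4 only proves the token is self-consistent. Nothing in this method ties the signer
     *       certificate to a trust anchor; that depends entirely on
     *       {@code signatureConfig.getTspValidator()} being non-null and doing path validation.</li>
     *   <li>The chain walk and the CRL lookups it triggers run on certificates taken from the
     *       response <em>before</em> any of them has been validated.</li>
     *   <li>The verifier is built with {@code BcRSASignerInfoVerifierBuilder}, so only RSA-signed
     *       tokens can pass step 4.</li>
     * </ul>
     *
     * @param signatureInfo  provides the {@link SignatureConfig} (TSP URL, digest, policy, HTTP client)
     * @param bArr           data to be time-stamped; it is digested locally and only the digest is sent
     * @param revocationData receives every certificate walked and every CRL found
     * @return the DER-encoded time-stamp token
     * @throws Exception on transport failure, a malformed or rejected response, a missing signer
     *                   certificate, an over-long or cyclic certificate chain, or failed validation
     */
    @Override // org.gephi.org.apache.poi.poifs.crypt.dsig.services.TimeStampService
    public byte[] timeStamp(SignatureInfo signatureInfo, byte[] bArr, RevocationData revocationData) throws Exception {
        SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
        byte[] digest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo()).digest(bArr);
        // Fresh 128-bit nonce per request; the response is later checked against the request that carries it.
        BigInteger bigInteger = new BigInteger(128, new SecureRandom());
        TimeStampRequestGenerator timeStampRequestGenerator = new TimeStampRequestGenerator();
        // Ask the TSA to embed its certificate(s); the signer lookup below depends on that.
        timeStampRequestGenerator.setCertReq(true);
        String tspRequestPolicy = signatureConfig.getTspRequestPolicy();
        if (tspRequestPolicy != null) {
            timeStampRequestGenerator.setReqPolicy(new ASN1ObjectIdentifier(tspRequestPolicy));
        }
        TimeStampRequest generate = timeStampRequestGenerator.generate(mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo()), digest, bigInteger);
        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        tspHttpClient.setContentTypeIn(signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query");
        TimeStampHttpClient.TimeStampHttpClientResponse post = tspHttpClient.post(signatureConfig.getTspUrl(), generate.getEncoded());
        if (!post.isOK()) {
            throw new IOException("Requesting timestamp data failed");
        }
        byte[] responseBytes = post.getResponseBytes();
        if (responseBytes.length == 0) {
            throw new RuntimeException("Content-Length is zero");
        }
        TimeStampResponse timeStampResponse = new TimeStampResponse(responseBytes);
        // Binds the response to our request; a replayed or substituted response fails here.
        timeStampResponse.validate(generate);
        if (0 != timeStampResponse.getStatus()) {
            LOG.atDebug().log("status: {}", (Object) Unbox.box(timeStampResponse.getStatus()));
            LOG.atDebug().log("status string: {}", (Object) timeStampResponse.getStatusString());
            PKIFailureInfo failInfo = timeStampResponse.getFailInfo();
            if (null != failInfo) {
                LOG.atDebug().log("fail info int value: {}", (Object) Unbox.box(failInfo.intValue()));
                // 256 is the failure-info value this code reports as "unaccepted policy".
                if (256 == failInfo.intValue()) {
                    LOG.atDebug().log("unaccepted policy");
                }
            }
            throw new RuntimeException(new StringBuilder().append("timestamp response status != 0: ").append(timeStampResponse.getStatus()).toString());
        }
        TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken();
        SignerId sid = timeStampToken.getSID();
        Object serialNumber = sid.getSerialNumber();
        Object issuer = sid.getIssuer();
        LOG.atDebug().log("signer cert serial number: {}", serialNumber);
        LOG.atDebug().log("signer cert issuer: {}", issuer);
        // The LambdaMetafactory expressions below are the decompiler's rendering of lambdas; each one
        // names the synthetic lambda$timeStamp$N method it stands for.
        // Certificates embedded in the token, keyed by subject string (lambda$timeStamp$0). Collectors.toMap
        // without a merge function throws IllegalStateException if two certificates share a subject.
        Map collect = timeStampToken.getCertificates().getMatches((Selector) null).stream().collect(Collectors.toMap((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$timeStamp$0", MethodType.methodType(String.class, X509CertificateHolder.class)), MethodType.methodType(String.class, X509CertificateHolder.class)).dynamicInvoker().invoke() /* invoke-custom */, Function.identity()));
        // Signer certificate = the embedded certificate whose issuer and serial match the token's SID
        // (lambda$timeStamp$1); its absence is an error (lambda$timeStamp$2).
        X509CertificateHolder orElseThrow = collect.values().stream().filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class, X500Name.class, BigInteger.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$timeStamp$1", MethodType.methodType(Boolean.TYPE, X500Name.class, BigInteger.class, X509CertificateHolder.class)), MethodType.methodType(Boolean.TYPE, X509CertificateHolder.class)).dynamicInvoker().invoke(issuer, serialNumber) /* invoke-custom */).findFirst().orElseThrow((Supplier) LambdaMetafactory.metafactory(MethodHandles.lookup(), "get", MethodType.methodType(Supplier.class), MethodType.methodType(Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$timeStamp$2", MethodType.methodType(RuntimeException.class)), MethodType.methodType(RuntimeException.class)).dynamicInvoker().invoke() /* invoke-custom */);
        JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter();
        jcaX509CertificateConverter.setProvider("BC");
        X509Certificate certificate = jcaX509CertificateConverter.getCertificate(orElseThrow);
        // The walk below ends only at a self-issued certificate or when no issuer can be found. The
        // certificates come from the still-unvalidated response, so a set that names each other as
        // issuers would otherwise never terminate. The ceiling is a constructed, generous value:
        // real TSA chains are a handful of certificates long.
        final int maxChainLength = 32;
        int chainLength = 0;
        do {
            if (++chainLength > maxChainLength) {
                throw new RuntimeException("TSP certificate chain is too long or cyclic");
            }
            revocationData.addCertificate(certificate);
            X500Principal issuerX500Principal = certificate.getIssuerX500Principal();
            if (certificate.getSubjectX500Principal().equals(issuerX500Principal)) {
                // Self-issued certificate: top of the chain.
                break;
            }
            // NOTE(review): the map key comes from X509CertificateHolder.getSubject().toString() while the
            // lookup uses X500Principal.getName(); confirm both render multi-RDN names identically,
            // otherwise this falls through to the configuration's certificate cache.
            X509CertificateHolder x509CertificateHolder = collect.get(issuerX500Principal.getName());
            certificate = x509CertificateHolder != null ? jcaX509CertificateConverter.getCertificate(x509CertificateHolder) : signatureConfig.getCachedCertificateByPrinicipal(issuerX500Principal.getName());
            if (certificate != null) {
                // CRLs are looked up for the issuer certificate just resolved, not for the signer itself.
                // This may trigger outbound CRL downloads (see downloadCRL) for an unvalidated certificate.
                List<byte[]> retrieveCRL = retrieveCRL(signatureConfig, certificate);
                // Decompiled null check on the method-reference receiver (revocationData::addCRL).
                revocationData.getClass();
                retrieveCRL.forEach((Consumer) LambdaMetafactory.metafactory(MethodHandles.lookup(), "accept", MethodType.methodType(Consumer.class, RevocationData.class), MethodType.methodType(Void.TYPE, Object.class), MethodHandles.lookup().findVirtual(RevocationData.class, "addCRL", MethodType.methodType(Void.TYPE, byte[].class)), MethodType.methodType(Void.TYPE, byte[].class)).dynamicInvoker().invoke(revocationData) /* invoke-custom */);
            }
        } while (certificate != null);
        // Signature check against the certificate embedded in the token: proves internal consistency only.
        timeStampToken.validate(new BcRSASignerInfoVerifierBuilder(new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), new DefaultDigestAlgorithmIdentifierFinder(), new BcDigestCalculatorProvider()).build(orElseThrow));
        // Trust in the TSA is established here and nowhere else; with no validator configured the
        // chain collected above is never checked against a trust anchor by this method.
        if (signatureConfig.getTspValidator() != null) {
            signatureConfig.getTspValidator().validate(revocationData.getX509chain(), revocationData);
        }
        LOG.atDebug().log("time-stamp token time: {}", (Object) timeStampToken.getTimeStampInfo().getGenTime());
        return timeStampToken.getEncoded();
    }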

    /**
     * Collects the encoded CRLs that apply to {@code x509Certificate}, using the URLs listed in
     * its CRL Distribution Points extension.
     *
     * <p>The stream pipeline, as rendered by the decompiler, does the following:
     * distribution points &rarr; their non-null names &rarr; names of type 0
     * ({@code lambda$retrieveCRL$3}) &rarr; the contained general names
     * ({@code lambda$retrieveCRL$4}) &rarr; entries with tag 6 ({@code lambda$retrieveCRL$5})
     * &rarr; their string value ({@code lambda$retrieveCRL$6}) &rarr; CRL bytes per URL
     * ({@code lambda$retrieveCRL$9}, which consults the configured entries and may download)
     * &rarr; non-null results.
     *
     * <p>Security note: every URL processed here is read from the certificate itself. The caller
     * in this class invokes this method before the chain has been validated, so the URL set is
     * whatever the certificate's author chose; fetching is gated only by
     * {@code isAllowCRLDownload()} in {@code downloadCRL}.
     *
     * @param signatureConfig supplies the known CRL entries and the download settings
     * @param x509Certificate certificate whose distribution points are read
     * @return the CRL byte arrays found; empty when the certificate has no such extension
     * @throws IOException declared by the signature; NOTE(review): presumably raised while
     *                     parsing the extension value &mdash; confirm against JcaX509ExtensionUtils
     */
    protected List<byte[]> retrieveCRL(SignatureConfig signatureConfig, X509Certificate x509Certificate) throws IOException {
        List<SignatureConfig.CRLEntry> crlEntries = signatureConfig.getCrlEntries();
        // Raw extension bytes; null means the certificate carries no CRL Distribution Points.
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        return extensionValue == null ? Collections.emptyList() : Stream.of(CRLDistPoint.getInstance(JcaX509ExtensionUtils.parseExtensionValue(extensionValue)).getDistributionPoints()).map((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findVirtual(DistributionPoint.class, "getDistributionPoint", MethodType.methodType(DistributionPointName.class)), MethodType.methodType(DistributionPointName.class, DistributionPoint.class)).dynamicInvoker().invoke() /* invoke-custom */).filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findStatic(Objects.class, "nonNull", MethodType.methodType(Boolean.TYPE, Object.class)), MethodType.methodType(Boolean.TYPE, DistributionPointName.class)).dynamicInvoker().invoke() /* invoke-custom */).filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$retrieveCRL$3", MethodType.methodType(Boolean.TYPE, DistributionPointName.class)), MethodType.methodType(Boolean.TYPE, DistributionPointName.class)).dynamicInvoker().invoke() /* invoke-custom */).flatMap((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$retrieveCRL$4", MethodType.methodType(Stream.class, DistributionPointName.class)), MethodType.methodType(Stream.class, DistributionPointName.class)).dynamicInvoker().invoke() /* invoke-custom */).filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", 
MethodType.methodType(Predicate.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$retrieveCRL$5", MethodType.methodType(Boolean.TYPE, GeneralName.class)), MethodType.methodType(Boolean.TYPE, GeneralName.class)).dynamicInvoker().invoke() /* invoke-custom */).map((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findStatic(TSPTimeStampService.class, "lambda$retrieveCRL$6", MethodType.methodType(String.class, GeneralName.class)), MethodType.methodType(String.class, GeneralName.class)).dynamicInvoker().invoke() /* invoke-custom */).flatMap((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class, TSPTimeStampService.class, List.class, X509Certificate.class, SignatureConfig.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findVirtual(TSPTimeStampService.class, "lambda$retrieveCRL$9", MethodType.methodType(Stream.class, List.class, X509Certificate.class, SignatureConfig.class, String.class)), MethodType.methodType(Stream.class, String.class)).dynamicInvoker().invoke(this, crlEntries, x509Certificate, signatureConfig) /* invoke-custom */).filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findStatic(Objects.class, "nonNull", MethodType.methodType(Boolean.TYPE, Object.class)), MethodType.methodType(Boolean.TYPE, byte[].class)).dynamicInvoker().invoke() /* invoke-custom */).collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: matchCRLbyUrl, reason: merged with bridge method [inline-methods] */
    /**
     * Tells whether a known CRL entry was registered under the given URL
     * (named {@code matchCRLbyUrl} before decompilation).
     *
     * @param cRLEntry        candidate CRL entry
     * @param x509Certificate not consulted by this matcher
     * @param string          CRL URL taken from the certificate's distribution point
     * @return {@code true} when the entry's URL equals {@code string}
     */
    public boolean lambda$null$7(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String string) {
        // Exact, case-sensitive string comparison; no URL normalisation is applied.
        final boolean registeredUnderUrl = string.equals(cRLEntry.getCrlURL());
        return registeredUnderUrl;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: matchCRLbyCN, reason: merged with bridge method [inline-methods] */
    /**
     * Tells whether a known CRL entry is filed under the subject name of the given certificate
     * (named {@code matchCRLbyCN} before decompilation).
     *
     * @param cRLEntry        candidate CRL entry
     * @param x509Certificate certificate whose subject name is compared
     * @param string          not consulted by this matcher
     * @return {@code true} when the certificate's subject name equals the entry's {@code certCN}
     */
    public boolean lambda$null$8(SignatureConfig.CRLEntry cRLEntry, X509Certificate x509Certificate, String string) {
        // Compares the subject's string form as returned by getName() with the stored value.
        final boolean filedUnderSubject = x509Certificate.getSubjectX500Principal().getName().equals(cRLEntry.getCertCN());
        return filedUnderSubject;
    }

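    /**
     * Downloads the CRL published at {@code string} and registers it with the configuration.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>The URL originates from a certificate's CRL Distribution Points extension, so this is
     *       an outbound request to a host chosen by the certificate's author. The only gate is
     *       {@code signatureConfig.isAllowCRLDownload()}.</li>
     *   <li>The downloaded bytes are parsed only to read the CRL issuer name. Neither the CRL's
     *       signature nor its validity period is checked here; whatever consumes the revocation
     *       data has to do that.</li>
     *   <li>Every failure returns {@code null}, i.e. revocation data is simply absent (fail-open).
     *       Each failure path logs a warning so that a missing CRL is visible to operators.</li>
     * </ul>
     *
     * @param signatureConfig supplies the download switch, the HTTP client and the CRL registry
     * @param string          URL to fetch the CRL from
     * @return the entry returned by {@code signatureConfig.addCRL}, or {@code null} when downloads
     *         are disabled, the request fails, or the body cannot be parsed as a CRL
     */
    protected SignatureConfig.CRLEntry downloadCRL(SignatureConfig signatureConfig, String string) {
        if (!signatureConfig.isAllowCRLDownload()) {
            return null;
        }
        TimeStampHttpClient tspHttpClient = signatureConfig.getTspHttpClient();
        tspHttpClient.init(signatureConfig);
        // Basic-auth credentials are cleared before contacting the CRL host.
        // NOTE(review): presumably so that TSA credentials applied by init() are not sent to a
        // certificate-supplied URL; confirm against TimeStampHttpClient.
        tspHttpClient.setBasicAuthentication(null, null);
        try {
            TimeStampHttpClient.TimeStampHttpClientResponse timeStampHttpClientResponse = tspHttpClient.get(string);
            if (!timeStampHttpClientResponse.isOK()) {
                // Previously silent; a rejected request now leaves a trace like the parse failure below.
                LOG.atWarn().log("CRL download failed from {}", (Object) string);
                return null;
            }
            try {
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                byte[] responseBytes = timeStampHttpClientResponse.getResponseBytes();
                // Parse to obtain the issuer name under which the raw bytes are registered.
                return signatureConfig.addCRL(string, certificateFactory.generateCRL(new ByteArrayInputStream(responseBytes)).getIssuerX500Principal().getName(), responseBytes);
            } catch (GeneralSecurityException e) {
                LOG.atWarn().withThrowable(e).log("CRL download failed from {}", (Object) string);
                return null;
            }
        } catch (IOException e2) {
            // Previously swallowed without a trace; still best-effort, but now reported.
            LOG.atWarn().withThrowable(e2).log("CRL download failed from {}", (Object) string);
            return null;
        }
    }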

    /**
     * Resolves one CRL URL to the encoded CRLs that apply to {@code x509Certificate}.
     *
     * <p>Known entries are matched by URL ({@code lambda$null$7}) and by certificate subject
     * ({@code lambda$null$8}). A download is attempted only when no entry matches by URL.
     * Entries obtained either way are returned as their raw bytes; nothing in this method
     * verifies a CRL's signature.
     *
     * <p>NOTE(review): the method handles below look up {@code lambda$null$7} and
     * {@code lambda$null$8} with the parameter order (certificate, URL, entry), while the
     * declarations in this file take (entry, certificate, URL). This looks like an artifact of
     * the decompiler merging the lambdas with their bridge methods; confirm before relying on it.
     *
     * @param list            CRL entries already known to the configuration
     * @param x509Certificate certificate the CRLs are wanted for
     * @param signatureConfig passed on to {@code downloadCRL}
     * @param string          CRL URL taken from the certificate's distribution point
     * @return stream of CRL byte arrays: URL matches (or the fresh download) followed by subject matches
     */
    private /* synthetic */ Stream lambda$retrieveCRL$9(List list, X509Certificate x509Certificate, SignatureConfig signatureConfig, String string) {
        SignatureConfig.CRLEntry downloadCRL;
        // Entries registered under exactly this URL, materialised so a download can be appended.
        List collect = list.stream().filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class, TSPTimeStampService.class, X509Certificate.class, String.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findVirtual(TSPTimeStampService.class, "lambda$null$7", MethodType.methodType(Boolean.TYPE, X509Certificate.class, String.class, SignatureConfig.CRLEntry.class)), MethodType.methodType(Boolean.TYPE, SignatureConfig.CRLEntry.class)).dynamicInvoker().invoke(this, x509Certificate, string) /* invoke-custom */).collect(Collectors.toList());
        // Entries filed under the certificate's subject name; left as a stream and consumed by the concat below.
        Stream filter = list.stream().filter((Predicate) LambdaMetafactory.metafactory(MethodHandles.lookup(), "test", MethodType.methodType(Predicate.class, TSPTimeStampService.class, X509Certificate.class, String.class), MethodType.methodType(Boolean.TYPE, Object.class), MethodHandles.lookup().findVirtual(TSPTimeStampService.class, "lambda$null$8", MethodType.methodType(Boolean.TYPE, X509Certificate.class, String.class, SignatureConfig.CRLEntry.class)), MethodType.methodType(Boolean.TYPE, SignatureConfig.CRLEntry.class)).dynamicInvoker().invoke(this, x509Certificate, string) /* invoke-custom */);
        // Network fetch happens only when nothing is registered for the URL; a null result (downloads
        // disabled or failed) is skipped, so the URL simply contributes no CRL.
        if (collect.isEmpty() && (downloadCRL = downloadCRL(signatureConfig, string)) != null) {
            collect.add(downloadCRL);
        }
        // Map each entry to its raw CRL bytes (CRLEntry.getCrlBytes).
        return Stream.concat(collect.stream(), filter).map((Function) LambdaMetafactory.metafactory(MethodHandles.lookup(), "apply", MethodType.methodType(Function.class), MethodType.methodType(Object.class, Object.class), MethodHandles.lookup().findVirtual(SignatureConfig.CRLEntry.class, "getCrlBytes", MethodType.methodType(byte[].class)), MethodType.methodType(byte[].class, SignatureConfig.CRLEntry.class)).dynamicInvoker().invoke() /* invoke-custom */);
    }

    /**
     * Extracts the string value of a general name that is encoded as an IA5String.
     * In {@code retrieveCRL} it is applied only after the tag-6 filter.
     */
    private static /* synthetic */ String lambda$retrieveCRL$6(GeneralName generalName) {
        final ASN1IA5String encoded = ASN1IA5String.getInstance(generalName.getName());
        return encoded.getString();
    }

    /**
     * Keeps only general names whose tag marks a uniform resource identifier (tag 6).
     */
    private static /* synthetic */ boolean lambda$retrieveCRL$5(GeneralName generalName) {
        // GeneralName.uniformResourceIdentifier is BouncyCastle's named constant for tag 6.
        final int tag = generalName.getTagNo();
        return tag == GeneralName.uniformResourceIdentifier;
    }

    /**
     * Expands a distribution point name into a stream of the general names it contains.
     */
    private static /* synthetic */ Stream lambda$retrieveCRL$4(DistributionPointName distributionPointName) {
        final GeneralNames container = GeneralNames.getInstance(distributionPointName.getName());
        final GeneralName[] entries = container.getNames();
        return Stream.of(entries);
    }

    /**
     * Keeps only distribution point names of type 0 (a full name rather than a name relative
     * to the CRL issuer).
     */
    private static /* synthetic */ boolean lambda$retrieveCRL$3(DistributionPointName distributionPointName) {
        // DistributionPointName.FULL_NAME is BouncyCastle's named constant for type 0.
        final int kind = distributionPointName.getType();
        return kind == DistributionPointName.FULL_NAME;
    }

    /**
     * Supplies the exception raised when none of the certificates embedded in the token matches
     * the token's signer identifier.
     */
    private static /* synthetic */ RuntimeException lambda$timeStamp$2() {
        final RuntimeException missingSigner = new RuntimeException("TSP response token has no signer certificate");
        return missingSigner;
    }

    /**
     * Tells whether a certificate is the one named by the token's signer identifier, i.e. both
     * its issuer and its serial number match.
     *
     * @param x500Name              issuer taken from the signer identifier
     * @param bigInteger            serial number taken from the signer identifier
     * @param x509CertificateHolder candidate certificate embedded in the token
     * @return {@code true} only when issuer and serial number both match
     */
    private static /* synthetic */ boolean lambda$timeStamp$1(X500Name x500Name, BigInteger bigInteger, X509CertificateHolder x509CertificateHolder) {
        // Issuer first; the serial number is compared only when the issuer already matches.
        if (!x500Name.equals(x509CertificateHolder.getIssuer())) {
            return false;
        }
        return bigInteger.equals(x509CertificateHolder.getSerialNumber());
    }

    /**
     * Produces the key under which an embedded certificate is indexed: the string form of its
     * subject name.
     */
    private static /* synthetic */ String lambda$timeStamp$0(X509CertificateHolder x509CertificateHolder) {
        final X500Name subject = x509CertificateHolder.getSubject();
        return subject.toString();
    }
}
