package org.apache.poi.poifs.crypt.dsig.services;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.log4j.message.SimpleMessage;
import org.apache.logging.log4j.util.Unbox;
import org.apache.poi.openxml4j.opc.PackagingURIHelper;
import org.apache.poi.poifs.crypt.CryptoFunctions;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.util.HexDump;
import org.apache.poi.util.IOUtils;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;

/* loaded from: input_file:org/apache/poi/poifs/crypt/dsig/services/TSPTimeStampService.class */
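/**
 * RFC 3161 time-stamp client: digests the signature bytes, posts a time-stamp
 * request to the configured TSA over HTTP and returns the DER-encoded token.
 *
 * The token's CMS signature is verified against the signer certificate carried
 * in the response itself; whether that certificate chains to a trusted anchor
 * is checked only when a {@code tspValidator} is configured.
 */
public class TSPTimeStampService implements TimeStampService {
    private static final Logger LOG = LogManager.getLogger((Class<?>) TSPTimeStampService.class);

    /** Connect and read timeout for the TSA request, in milliseconds. */
    private static final int TIMEOUT_MS = 20000;

    /** Bit length of the random nonce placed in each request. */
    private static final int NONCE_BITS = 128;

    /**
     * Maps a POI digest algorithm to the OID used for the request's message imprint.
     *
     * @param hashAlgorithm the digest algorithm configured for the TSP request
     * @return the corresponding ASN.1 object identifier
     * @throws IllegalArgumentException for algorithms without a known OID
     */
    public ASN1ObjectIdentifier mapDigestAlgoToOID(HashAlgorithm hashAlgorithm) {
        switch (hashAlgorithm) {
            case sha1:
                return X509ObjectIdentifiers.id_SHA1;
            case sha256:
                return NISTObjectIdentifiers.id_sha256;
            case sha384:
                return NISTObjectIdentifiers.id_sha384;
            case sha512:
                return NISTObjectIdentifiers.id_sha512;
            default:
                throw new IllegalArgumentException("unsupported digest algo: " + hashAlgorithm);
        }
    }

    /**
     * Requests a time-stamp token for {@code bArr} from the configured TSA.
     *
     * @param signatureInfo provides the {@link SignatureConfig} (TSA URL, proxy, credentials, digest, validator)
     * @param bArr the data to be time-stamped; only its digest is sent to the TSA
     * @param revocationData handed to the configured validator, which may add revocation material to it
     * @return the DER-encoded time-stamp token
     * @throws Exception on transport errors, a non-granted TSA status, a token that fails
     *         signature verification, or a failed chain validation
     */
    @Override // org.apache.poi.poifs.crypt.dsig.services.TimeStampService
    public byte[] timeStamp(SignatureInfo signatureInfo, byte[] bArr, RevocationData revocationData) throws Exception {
        SignatureConfig config = signatureInfo.getSignatureConfig();

        byte[] digest = CryptoFunctions.getMessageDigest(config.getTspDigestAlgo()).digest(bArr);
        // A fresh nonce binds the response to this request; response.validate(request) checks it below.
        BigInteger nonce = new BigInteger(NONCE_BITS, new SecureRandom());

        TimeStampRequestGenerator generator = new TimeStampRequestGenerator();
        generator.setCertReq(true); // ask the TSA to include its signing certificate(s) in the token
        String requestPolicy = config.getTspRequestPolicy();
        if (requestPolicy != null) {
            generator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy));
        }
        TimeStampRequest request = generator.generate(mapDigestAlgoToOID(config.getTspDigestAlgo()), digest, nonce);

        byte[] responseBytes = postToTsp(config, request.getEncoded());

        TimeStampResponse response = new TimeStampResponse(responseBytes);
        // Checks that the response answers this request (nonce and message imprint).
        response.validate(request);
        // Only status 0 (granted) is accepted; any other status, including granted-with-mods, is rejected.
        if (0 != response.getStatus()) {
            LOG.atDebug().log("status: {}", Unbox.box(response.getStatus()));
            LOG.atDebug().log("status string: {}", response.getStatusString());
            PKIFailureInfo failInfo = response.getFailInfo();
            if (failInfo != null) {
                LOG.atDebug().log("fail info int value: {}", Unbox.box(failInfo.intValue()));
                if (PKIFailureInfo.unacceptedPolicy == failInfo.intValue()) {
                    LOG.atDebug().log("unaccepted policy");
                }
            }
            throw new RuntimeException("timestamp response status != 0: " + response.getStatus());
        }

        TimeStampToken token = response.getTimeStampToken();
        List<X509CertificateHolder> chain = buildCertificateChain(token);

        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        converter.setProvider("BC");
        List<X509Certificate> certificateChain = new ArrayList<>(chain.size());
        for (X509CertificateHolder holder : chain) {
            certificateChain.add(converter.getCertificate(holder));
        }

        // Verifies the token's signature with the signer certificate (first element of the chain).
        token.validate(new BcRSASignerInfoVerifierBuilder(
                new DefaultCMSSignatureAlgorithmNameGenerator(),
                new DefaultSignatureAlgorithmIdentifierFinder(),
                new DefaultDigestAlgorithmIdentifierFinder(),
                new BcDigestCalculatorProvider()).build(chain.get(0)));

        // Trust in the chain is only established here; without a validator the signer cert is taken as-is.
        if (config.getTspValidator() != null) {
            config.getTspValidator().validate(certificateChain, revocationData);
        }

        LOG.atDebug().log("time-stamp token time: {}", token.getTimeStampInfo().getGenTime());
        return token.getEncoded();
    }

    /**
     * Posts the DER-encoded request to the TSA and returns the raw response body.
     *
     * @throws IOException on a non-200 status or a transport failure
     * @throws RuntimeException on a missing/unexpected Content-Type or an empty body
     */
    private static byte[] postToTsp(SignatureConfig config, byte[] encodedRequest) throws IOException {
        boolean oldProtocol = config.isTspOldProtocol();
        HttpURLConnection connection = (HttpURLConnection) new URL(config.getTspUrl()).openConnection(createProxy(config));
        try {
            String user = config.getTspUser();
            if (user != null) {
                // RFC 7617 basic credentials; they are only protected in transit if the TSP URL uses https.
                String credentials = user + ":" + config.getTspPass();
                connection.setRequestProperty("Authorization",
                        "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1)));
            }
            connection.setRequestMethod("POST");
            connection.setConnectTimeout(TIMEOUT_MS);
            connection.setReadTimeout(TIMEOUT_MS);
            connection.setDoOutput(true);
            connection.setRequestProperty("User-Agent", config.getUserAgent());
            connection.setRequestProperty("Content-Type",
                    oldProtocol ? "application/timestamp-request" : "application/timestamp-query");
            try (OutputStream out = connection.getOutputStream()) {
                out.write(encodedRequest);
            }
            connection.connect();

            int responseCode = connection.getResponseCode();
            if (responseCode != HttpURLConnection.HTTP_OK) {
                String msg = "Error contacting TSP server " + config.getTspUrl() + ", had status code "
                        + responseCode + "/" + connection.getResponseMessage();
                LOG.atError().log(msg);
                throw new IOException(msg);
            }

            String contentType = connection.getHeaderField("Content-Type");
            if (contentType == null) {
                throw new RuntimeException("missing Content-Type header");
            }

            byte[] body;
            try (InputStream in = connection.getInputStream()) {
                body = IOUtils.toByteArray(in);
            }
            LOG.atDebug().log(() -> new SimpleMessage("response content: " + HexDump.dump(body, 0L, 0)));

            String expectedType = oldProtocol ? "application/timestamp-response" : "application/timestamp-reply";
            if (!contentType.startsWith(expectedType)) {
                throw new RuntimeException("invalid Content-Type: " + contentType + ": " + HexDump.dump(body, 0L, 0, 200));
            }
            if (body.length == 0) {
                throw new RuntimeException("Content-Length is zero");
            }
            return body;
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Builds the HTTP proxy from the configured proxy URL; {@link Proxy#NO_PROXY} when none is set.
     * A proxy URL without an explicit port defaults to port 80.
     */
    private static Proxy createProxy(SignatureConfig config) throws IOException {
        String proxyUrl = config.getProxyUrl();
        if (proxyUrl == null) {
            return Proxy.NO_PROXY;
        }
        URL url = new URL(proxyUrl);
        int port = url.getPort() == -1 ? 80 : url.getPort();
        return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(InetAddress.getByName(url.getHost()), port));
    }

    /**
     * Orders the certificates embedded in the token from the signer certificate (identified by the
     * token's SignerId) up through each issuer that is also embedded, stopping at a self-signed
     * certificate or when no issuer is found. A certificate is never added twice, so a response whose
     * issuer links form a cycle terminates instead of looping forever.
     *
     * @throws RuntimeException when the token carries no certificate matching its SignerId
     */
    private static List<X509CertificateHolder> buildCertificateChain(TimeStampToken token) {
        SignerId sid = token.getSID();
        BigInteger serialNumber = sid.getSerialNumber();
        X500Name issuer = sid.getIssuer();
        LOG.atDebug().log("signer cert serial number: {}", serialNumber);
        LOG.atDebug().log("signer cert issuer: {}", issuer);

        Collection<X509CertificateHolder> embedded = token.getCertificates().getMatches(null);
        X509CertificateHolder signer = null;
        Map<X500Name, X509CertificateHolder> bySubject = new HashMap<>();
        for (X509CertificateHolder holder : embedded) {
            if (issuer.equals(holder.getIssuer()) && serialNumber.equals(holder.getSerialNumber())) {
                signer = holder;
            }
            bySubject.put(holder.getSubject(), holder);
        }
        if (signer == null) {
            throw new RuntimeException("TSP response token has no signer certificate");
        }

        List<X509CertificateHolder> chain = new ArrayList<>();
        X509CertificateHolder current = signer;
        while (current != null && !chain.contains(current)) {
            LOG.atDebug().log("adding to certificate chain: {}", current.getSubject());
            chain.add(current);
            if (current.getSubject().equals(current.getIssuer())) {
                break; // self-signed: top of the embedded chain
            }
            current = bySubject.get(current.getIssuer());
        }
        return chain;
    }
}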
