package eu.europa.esig.dss.pades.validation;

import eu.europa.esig.dss.cades.CMSUtils;
import eu.europa.esig.dss.cades.validation.CAdESBaselineRequirementsChecker;
import eu.europa.esig.dss.enumerations.ArchiveTimestampType;
import eu.europa.esig.dss.enumerations.SignatureForm;
import eu.europa.esig.dss.model.x509.Token;
import eu.europa.esig.dss.pades.validation.timestamp.PdfTimestampToken;
import eu.europa.esig.dss.pdf.PAdESConstants;
import eu.europa.esig.dss.pdf.PdfDocTimestampRevision;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.revocation.RevocationToken;
import eu.europa.esig.dss.spi.x509.revocation.crl.CRLToken;
import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPToken;
import eu.europa.esig.dss.utils.Utils;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.ValidationData;
import eu.europa.esig.dss.validation.timestamp.TimestampToken;
import eu.europa.esig.dss.validation.timestamp.TimestampedReference;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import org.bouncycastle.cms.CMSTypedData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:eu/europa/esig/dss/pades/validation/PAdESBaselineRequirementsChecker.class */
public class PAdESBaselineRequirementsChecker extends CAdESBaselineRequirementsChecker {
    private static final Logger LOG = LoggerFactory.getLogger(PAdESBaselineRequirementsChecker.class);
    private static final String CONTENT_TYPE_ID_DATA = "1.2.840.113549.1.7.1";

    public PAdESBaselineRequirementsChecker(PAdESSignature pAdESSignature, CertificateVerifier certificateVerifier) {
        super(pAdESSignature, certificateVerifier);
    }

    protected SignatureForm getBaselineSignatureForm() {
        return SignatureForm.PAdES;
    }

    public boolean hasBaselineBProfile() {
        if (!cmsBaselineBRequirements()) {
            return false;
        }
        PAdESSignature pAdESSignature = this.signature;
        PdfSignatureDictionary pdfSignatureDictionary = pAdESSignature.getPdfSignatureDictionary();
        if (pdfSignatureDictionary.getSigningDate() == null) {
            LOG.warn("Entry with the key M in the Signature Dictionary shall be present for PAdES-BASELINE-B signature (cardinality == 1)!");
            return false;
        }
        if (Utils.isArrayEmpty(pdfSignatureDictionary.getContents())) {
            LOG.warn("Entry with the key Contents in the Signature Dictionary shall be present for PAdES-BASELINE-B signature (cardinality == 1)!");
            return false;
        }
        if (Utils.isStringEmpty(pdfSignatureDictionary.getFilter())) {
            LOG.warn("Entry with the key Filter in the Signature Dictionary shall be present for PAdES-BASELINE-B signature (cardinality == 1)!");
            return false;
        }
        if (pdfSignatureDictionary.getByteRange() == null) {
            LOG.warn("Entry with the key ByteRange in the Signature Dictionary shall be present for PAdES-BASELINE-B signature (cardinality == 1)!");
            return false;
        }
        if (Utils.isStringEmpty(pdfSignatureDictionary.getSubFilter())) {
            LOG.warn("Entry with the key SubFilter in the Signature Dictionary shall be present for PAdES-BASELINE-B signature (cardinality == 1)!");
            return false;
        }
        if (!CONTENT_TYPE_ID_DATA.equals(pAdESSignature.getContentType())) {
            LOG.warn("content-type attribute shall have value id-data for PAdES-BASELINE-B signature! (requirement (c))");
            return false;
        }
        if (Utils.isStringNotEmpty(pdfSignatureDictionary.getReason()) && Utils.isCollectionNotEmpty(pAdESSignature.getCommitmentTypeIndications())) {
            LOG.warn("commitment-type-indication attribute shall not be incorporated in the CMS signature when entry with a key Reason is used for PAdES-BASELINE-B signature! (requirement (d))");
            return false;
        }
        if (!PAdESConstants.SIGNATURE_DEFAULT_SUBFILTER.equals(pdfSignatureDictionary.getSubFilter())) {
            LOG.warn("Entry with a key SubFilter shall contain a value ETSI.CAdES.detached for PAdES-BASELINE-B signature! (requirement (l))");
            return false;
        }
        if ((Utils.isCollectionNotEmpty(pAdESSignature.getCommitmentTypeIndications()) || pAdESSignature.getSignaturePolicy() != null) && Utils.isStringNotEmpty(pdfSignatureDictionary.getReason())) {
            LOG.warn("Entry with a key Reason shall not be used when commitment-type-attribute or signature-policy-identifier is present in the CMS signature for PAdES-BASELINE-B signature! (requirement (m))");
            return false;
        }
        if (pAdESSignature.getCmsSignedData().isDetachedSignature()) {
            return true;
        }
        LOG.warn("No data shall be encapsulated in the PKCS#7 SignedData field for PAdES-BASELINE-B signature!");
        return false;
    }

    public boolean hasBaselineTProfile() {
        if (!Utils.isCollectionEmpty(this.signature.getSignatureTimestamps()) || !Utils.isCollectionEmpty(this.signature.getDocumentTimestamps())) {
            return true;
        }
        LOG.trace("SignatureTimeStamp shall be present for BASELINE-T signature (cardinality >= 1)!");
        return false;
    }

    public boolean hasBaselineLTProfile() {
        if (!minimalLTRequirement()) {
            return false;
        }
        PAdESSignature pAdESSignature = this.signature;
        if (pAdESSignature.getCertificateSource().isAllSelfSigned() || pAdESSignature.getDssDictionary() != null) {
            return true;
        }
        LOG.warn("DSS dictionary shall be present for PAdES-BASELINE-LT signature! (cardinality >= 1)");
        return false;
    }

    public boolean hasBaselineLTAProfile() {
        boolean z = false;
        Iterator it = this.signature.getDocumentTimestamps().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (isBaselineLTATimestamp((TimestampToken) it.next())) {
                z = true;
                break;
            }
        }
        if (z) {
            return true;
        }
        LOG.debug("document-time-stamp covering LT-level and containing a key SubFilter with value ETSI.RFC3161 shall be present for PAdES-BASELINE-LTA signature! (cardinality >= 1, requirement (y))");
        return false;
    }

    private boolean isBaselineLTATimestamp(TimestampToken timestampToken) {
        return coversLTLevelData(timestampToken) && containsRFC3161SubFilter(timestampToken);
    }

    private boolean coversLTLevelData(TimestampToken timestampToken) {
        if (!ArchiveTimestampType.PAdES.equals(timestampToken.getArchiveTimestampType())) {
            return false;
        }
        ValidationData validationData = getValidationContext().getValidationData(this.signature);
        return coversRevocationTokens(timestampToken, validationData.getCrlTokens(), validationData.getOcspTokens());
    }

    private boolean coversRevocationTokens(TimestampToken timestampToken, Collection<CRLToken> collection, Collection<OCSPToken> collection2) {
        Iterator<Collection<RevocationToken<?>>> it = getRevocationsByCertificate(collection, collection2).values().iterator();
        while (it.hasNext()) {
            boolean z = false;
            Iterator<RevocationToken<?>> it2 = it.next().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                if (coversToken(timestampToken, it2.next())) {
                    z = true;
                    break;
                }
            }
            if (!z) {
                return false;
            }
        }
        return true;
    }

    private Map<String, Collection<RevocationToken<?>>> getRevocationsByCertificate(Collection<CRLToken> collection, Collection<OCSPToken> collection2) {
        HashMap hashMap = new HashMap();
        enrichRevocationDataMap(hashMap, collection);
        enrichRevocationDataMap(hashMap, collection2);
        return hashMap;
    }

    private <R extends RevocationToken<?>> void enrichRevocationDataMap(Map<String, Collection<RevocationToken<?>>> map, Collection<R> collection) {
        for (R r : collection) {
            String relatedCertificateId = r.getRelatedCertificateId();
            Collection<RevocationToken<?>> collection2 = map.get(relatedCertificateId);
            if (Utils.isCollectionEmpty(collection2)) {
                collection2 = new HashSet();
                map.put(relatedCertificateId, collection2);
            }
            collection2.add(r);
        }
    }

    private boolean coversToken(TimestampToken timestampToken, Token token) {
        Iterator it = timestampToken.getTimestampedReferences().iterator();
        while (it.hasNext()) {
            if (token.getDSSIdAsString().equals(((TimestampedReference) it.next()).getObjectId())) {
                return true;
            }
        }
        return false;
    }

    private boolean containsRFC3161SubFilter(TimestampToken timestampToken) {
        PdfDocTimestampRevision pdfRevision;
        PdfSignatureDictionary pdfSigDictInfo;
        return (timestampToken instanceof PdfTimestampToken) && (pdfRevision = ((PdfTimestampToken) timestampToken).getPdfRevision()) != null && (pdfSigDictInfo = pdfRevision.getPdfSigDictInfo()) != null && PAdESConstants.TIMESTAMP_DEFAULT_SUBFILTER.equals(pdfSigDictInfo.getSubFilter());
    }

    public boolean hasPKCS7Profile() {
        PAdESSignature pAdESSignature = this.signature;
        PdfSignatureDictionary pdfSignatureDictionary = pAdESSignature.getPdfSignatureDictionary();
        if (!PAdESConstants.SIGNATURE_PKCS7_SUBFILTER.equals(pdfSignatureDictionary.getSubFilter()) && !PAdESConstants.SIGNATURE_PKCS7_SHA1_SUBFILTER.equals(pdfSignatureDictionary.getSubFilter())) {
            LOG.debug("Entry with a key SubFilter shall have a value adbe.pkcs7.detached or adbe.pkcs7.sha1 for PKCS#7 signature!");
            return false;
        }
        if (!containsSigningCertificate(pAdESSignature.getCertificateSource().getCertificates())) {
            LOG.warn("PKCS#7 signature shall include signing certificate!");
            return false;
        }
        if (PAdESConstants.SIGNATURE_PKCS7_SUBFILTER.equals(pdfSignatureDictionary.getSubFilter())) {
            if (Utils.isArrayEmpty(pAdESSignature.getMessageDigestValue())) {
                LOG.warn("PKCS#7 signature shall include message digest!");
                return false;
            }
            if (!pAdESSignature.getCmsSignedData().isDetachedSignature()) {
                LOG.warn("No data shall be encapsulated in the CMS SignedData field for PKCS#7 signature!");
                return false;
            }
        }
        if (!PAdESConstants.SIGNATURE_PKCS7_SHA1_SUBFILTER.equals(pdfSignatureDictionary.getSubFilter())) {
            return true;
        }
        CMSTypedData signedContent = pAdESSignature.getCmsSignedData().getSignedContent();
        if (signedContent == null) {
            LOG.warn("ContentInfo of type Data shall be encapsulated in the CMS SignedData field for PKCS#7 signature with SHA-1 SubFilter!");
            return false;
        }
        if (DSSUtils.isSHA1Digest(Utils.toHex(CMSUtils.getSignedContent(signedContent)))) {
            return true;
        }
        LOG.warn("The SHA-1 digest of the document’s byte range shall be encapsulated in the CMS SignedData field with ContentInfo of type Data for PKCS#7 signature with SHA-1 SubFilter!");
        return false;
    }

    public boolean hasPKCS7TProfile() {
        return hasBaselineTProfile();
    }

    public boolean hasPKCS7LTProfile() {
        return minimalLTRequirement();
    }

    public boolean hasPKCS7LTAProfile() {
        boolean z = false;
        Iterator it = this.signature.getDocumentTimestamps().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (coversLTLevelData((TimestampToken) it.next())) {
                z = true;
                break;
            }
        }
        if (z) {
            return true;
        }
        LOG.debug("document-time-stamp covering LT-level shall be present for PKCS#7-LTA signature!");
        return false;
    }
}
