package net.jsign;

import java.io.Closeable;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import net.jsign.asn1.authenticode.AuthenticodeDigestCalculatorProvider;
import net.jsign.asn1.authenticode.AuthenticodeObjectIdentifiers;
import net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator;
import net.jsign.asn1.authenticode.FilteredAttributeTableGenerator;
import net.jsign.asn1.authenticode.SpcSpOpusInfo;
import net.jsign.asn1.authenticode.SpcStatementType;
import net.jsign.msi.MSIFile;
import net.jsign.pe.DataDirectory;
import net.jsign.pe.DataDirectoryType;
import net.jsign.pe.PEFile;
import net.jsign.timestamp.Timestamper;
import net.jsign.timestamp.TimestampingMode;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.DefaultCMSSignatureEncryptionAlgorithmFinder;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.SignerInfoGenerator;
import org.bouncycastle.cms.SignerInfoGeneratorBuilder;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: input_file:net/jsign/AuthenticodeSigner.class */
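/**
 * Signs a {@link Signable} (PE executable, MSI, ...) with an Authenticode signature.
 *
 * <p>The signature is a CMS {@code SignedData} whose content type is
 * {@code SPC_INDIRECT_DATA_OBJID} and whose content is produced by
 * {@link Signable#createIndirectData(DigestAlgorithm)}. The single signer info carries
 * the {@code SpcStatementType} and {@code SpcSpOpusInfo} signed attributes (program
 * name and URL) and deliberately omits the {@code signingTime} and
 * {@code cmsAlgorithmProtect} attributes. The generated signature is verified against
 * the public key of the leaf certificate before it is used, then optionally
 * timestamped.</p>
 *
 * <p>When signature replacement is disabled and the file already carries a signature,
 * the new signature is nested inside the existing one (as an
 * {@code SPC_NESTED_SIGNATURE} unsigned attribute) instead of overwriting it.</p>
 *
 * <p>Instances are configured through the fluent {@code with*} methods. No
 * synchronization is done, so an instance should not be configured and used from
 * several threads at once.</p>
 */
public class AuthenticodeSigner {
    /** Certificate chain, leaf first; the self-signed root (if any) is not embedded in the signature. */
    protected Certificate[] chain;
    /** Private key matching {@code chain[0]}. */
    protected PrivateKey privateKey;
    /** Explicit JCA signature algorithm name, or null to derive it from the digest and key algorithm. */
    protected String signatureAlgorithm;
    /** Provider used to build the content signer, or null for the default lookup. */
    protected Provider signatureProvider;
    /** Program name placed in the SpcSpOpusInfo attribute (may be null). */
    protected String programName;
    /** Program URL placed in the SpcSpOpusInfo attribute (may be null). */
    protected String programURL;
    /** When true, existing signatures are replaced instead of nested. */
    protected boolean replace;
    /** Timestamping authority URLs overriding the timestamper defaults, or null. */
    protected String[] tsaurlOverride;
    /** Caller-supplied timestamper; when null one is created from {@link #tsmode}. */
    protected Timestamper timestamper;
    /** Digest used for the indirect data and the timestamp request. */
    protected DigestAlgorithm digestAlgorithm = DigestAlgorithm.getDefault();
    /** Whether the signature is timestamped after generation. */
    protected boolean timestamping = true;
    /** Protocol used when a timestamper has to be created. */
    protected TimestampingMode tsmode = TimestampingMode.AUTHENTICODE;
    /** Retry count for the timestamper; -1 means "leave the timestamper default". */
    protected int timestampingRetries = -1;
    /** Retry wait for the timestamper; -1 means "leave the timestamper default". */
    protected int timestampingRetryWait = -1;

    /**
     * Creates a signer from an explicit certificate chain and private key.
     *
     * @param certificateArr the certificate chain, leaf certificate first
     * @param privateKey     the private key matching the leaf certificate
     * @throws IllegalArgumentException if the chain is null or empty, or the key is null
     */
    public AuthenticodeSigner(Certificate[] certificateArr, PrivateKey privateKey) {
        if (certificateArr == null || certificateArr.length == 0) {
            throw new IllegalArgumentException("The certificate chain is empty");
        }
        if (privateKey == null) {
            throw new IllegalArgumentException("The private key is null");
        }
        this.chain = certificateArr;
        this.privateKey = privateKey;
    }

    /**
     * Creates a signer from a keystore entry.
     *
     * <p>The alias must resolve to a key entry: {@link KeyStore#getCertificateChain}
     * returns null for trusted-certificate entries, and {@link KeyStore#getKey} may
     * return null or a secret key, both of which are rejected here rather than
     * surfacing later as a {@code NullPointerException} or {@code ClassCastException}
     * during signing.</p>
     *
     * @param keyStore the keystore holding the key entry
     * @param str      the alias of the key entry
     * @param str2     the key password, or null if none
     * @throws IllegalArgumentException if the alias has no certificate chain or no private key
     */
    public AuthenticodeSigner(KeyStore keyStore, String str, String str2) throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
        Certificate[] certificateChain = keyStore.getCertificateChain(str);
        if (certificateChain == null || certificateChain.length == 0) {
            throw new IllegalArgumentException("No certificate found in the keystore with the alias '" + str + "'");
        }
        // The password travels as a String (API constraint); it cannot be wiped after use.
        Key key = keyStore.getKey(str, str2 != null ? str2.toCharArray() : null);
        if (key == null) {
            throw new IllegalArgumentException("No private key found in the keystore with the alias '" + str + "'");
        }
        if (!(key instanceof PrivateKey)) {
            throw new IllegalArgumentException("The key with the alias '" + str + "' is not a private key");
        }
        this.chain = certificateChain;
        this.privateKey = (PrivateKey) key;
    }

    /** Sets the program name recorded in the SpcSpOpusInfo attribute. */
    public AuthenticodeSigner withProgramName(String str) {
        this.programName = str;
        return this;
    }

    /** Sets the program URL recorded in the SpcSpOpusInfo attribute. */
    public AuthenticodeSigner withProgramURL(String str) {
        this.programURL = str;
        return this;
    }

    /** Chooses whether existing signatures are replaced ({@code true}) or nested ({@code false}). */
    public AuthenticodeSigner withSignaturesReplaced(boolean z) {
        this.replace = z;
        return this;
    }

    /** Enables or disables timestamping of the generated signature. */
    public AuthenticodeSigner withTimestamping(boolean z) {
        this.timestamping = z;
        return this;
    }

    /** Sets the protocol used when a timestamper has to be created. */
    public AuthenticodeSigner withTimestampingMode(TimestampingMode timestampingMode) {
        this.tsmode = timestampingMode;
        return this;
    }

    /**
     * Sets a single timestamping authority URL.
     *
     * <p>Delegates to the varargs overload with a one-element array. Passing the
     * {@code String} straight through would resolve to this very method and recurse
     * until a {@code StackOverflowError}.</p>
     */
    public AuthenticodeSigner withTimestampingAuthority(String str) {
        return withTimestampingAuthority(new String[] { str });
    }

    /**
     * Sets the timestamping authority URLs, tried in order by the timestamper.
     * The array is copied so later modification by the caller has no effect.
     */
    public AuthenticodeSigner withTimestampingAuthority(String... strArr) {
        this.tsaurlOverride = strArr == null ? null : strArr.clone();
        return this;
    }

    /**
     * Supplies the timestamper to use. Note that the URL/retry overrides configured on
     * this signer are applied to that instance on every {@link #sign} call.
     */
    public AuthenticodeSigner withTimestamper(Timestamper timestamper) {
        this.timestamper = timestamper;
        return this;
    }

    /** Sets the number of timestamping retries; -1 keeps the timestamper default. */
    public AuthenticodeSigner withTimestampingRetries(int i) {
        this.timestampingRetries = i;
        return this;
    }

    /** Sets the wait between timestamping retries; -1 keeps the timestamper default. */
    public AuthenticodeSigner withTimestampingRetryWait(int i) {
        this.timestampingRetryWait = i;
        return this;
    }

    /** Sets the digest algorithm; a null argument is ignored and the current value kept. */
    public AuthenticodeSigner withDigestAlgorithm(DigestAlgorithm digestAlgorithm) {
        if (digestAlgorithm != null) {
            this.digestAlgorithm = digestAlgorithm;
        }
        return this;
    }

    /** Sets an explicit JCA signature algorithm name (e.g. {@code SHA256withRSA}). */
    public AuthenticodeSigner withSignatureAlgorithm(String str) {
        this.signatureAlgorithm = str;
        return this;
    }

    /**
     * Sets the signature algorithm and the provider by name.
     *
     * <p>NOTE(review): {@link Security#getProvider(String)} returns null for a provider
     * that is not installed, in which case the default provider lookup is used
     * silently; callers relying on a specific provider should verify it is installed.</p>
     */
    public AuthenticodeSigner withSignatureAlgorithm(String str, String str2) {
        return withSignatureAlgorithm(str, Security.getProvider(str2));
    }

    /** Sets the signature algorithm and the provider used to build the content signer. */
    public AuthenticodeSigner withSignatureAlgorithm(String str, Provider provider) {
        this.signatureAlgorithm = str;
        this.signatureProvider = provider;
        return this;
    }

    /** Sets the provider used to build the content signer. */
    public AuthenticodeSigner withSignatureProvider(Provider provider) {
        this.signatureProvider = provider;
        return this;
    }

    /**
     * Signs the file, writes the result and closes the file if it is {@link Closeable}.
     *
     * <p>For a PE file the image is padded to an 8-byte boundary first and, when
     * replacing, a certificate table that is not at the end of the file is erased and
     * its directory entry zeroed. For an MSI file an existing extended signature is
     * rejected unless it is being replaced.</p>
     *
     * <p>The file is closed only on the success path; if signing or saving throws, the
     * caller still owns the handle.</p>
     *
     * @param signable the file to sign
     * @throws UnsupportedOperationException for an MSI with an extended signature when not replacing
     * @throws Exception on any signing, timestamping or I/O failure
     */
    public void sign(Signable signable) throws Exception {
        if (signable instanceof PEFile) {
            PEFile pEFile = (PEFile) signable;
            pEFile.pad(8);
            if (this.replace) {
                DataDirectory dataDirectory = pEFile.getDataDirectory(DataDirectoryType.CERTIFICATE_TABLE);
                // A trailing table is simply overwritten by setSignature(); an embedded one must be wiped.
                if (dataDirectory != null && !dataDirectory.isTrailing()) {
                    dataDirectory.erase();
                    dataDirectory.write(0L, 0);
                }
            }
        } else if (signable instanceof MSIFile) {
            MSIFile mSIFile = (MSIFile) signable;
            if (!this.replace && mSIFile.hasExtendedSignature()) {
                throw new UnsupportedOperationException("The file has an extended signature which isn't supported by Jsign, it can't be signed without replacing the existing signature");
            }
        }

        CMSSignedData signature = createSignedData(signable);
        if (!this.replace) {
            List<CMSSignedData> existing = signable.getSignatures();
            if (!existing.isEmpty()) {
                // Keep the current signature valid: the new one is attached as an unsigned attribute.
                signature = addNestedSignature(existing.get(0), signature);
            }
        }
        signable.setSignature(signature);
        signable.save();
        if (signable instanceof Closeable) {
            ((Closeable) signable).close();
        }
    }

    /**
     * Builds the Authenticode {@code SignedData} for the file and timestamps it when enabled.
     *
     * <p>The generated signer info is verified with the public key of the leaf
     * certificate before anything else happens, so a private key that does not match
     * the certificate fails here rather than producing an unverifiable file.</p>
     *
     * @param signable the file whose indirect data is signed
     * @return the (possibly timestamped) signature
     */
    protected CMSSignedData createSignedData(Signable signable) throws Exception {
        AuthenticodeSignedDataGenerator generator = createSignedDataGenerator();
        CMSSignedData signedData = generator.generate(AuthenticodeObjectIdentifiers.SPC_INDIRECT_DATA_OBJID, signable.createIndirectData(this.digestAlgorithm));

        // Self-check: the signature must verify under chain[0] (detects key/certificate mismatch).
        SignerInformation signer = (SignerInformation) signedData.getSignerInfos().iterator().next();
        signer.verify(new JcaSignerInfoVerifierBuilder(new AuthenticodeDigestCalculatorProvider()).build(this.chain[0].getPublicKey()));

        if (!this.timestamping) {
            return signedData;
        }
        Timestamper ts = this.timestamper != null ? this.timestamper : Timestamper.create(this.tsmode);
        if (this.tsaurlOverride != null) {
            ts.setURLs(this.tsaurlOverride);
        }
        if (this.timestampingRetries != -1) {
            ts.setRetries(this.timestampingRetries);
        }
        if (this.timestampingRetryWait != -1) {
            ts.setRetryWait(this.timestampingRetryWait);
        }
        return ts.timestamp(this.digestAlgorithm, signedData);
    }

    /**
     * Creates the generator producing the {@code SignedData} structure.
     *
     * <p>The signed attributes are the Authenticode statement type and opus info; the
     * {@code signingTime} and {@code cmsAlgorithmProtect} attributes that Bouncy Castle
     * would add by default are filtered out. For SHA-2/RSA signatures the signer info
     * advertises plain {@code rsaEncryption} (with NULL parameters) as the signature
     * algorithm instead of the combined {@code shaNNNWithRSAEncryption} identifier,
     * presumably for compatibility with the Windows Authenticode verifier. The
     * certificate chain is embedded without its self-signed root.</p>
     */
    private AuthenticodeSignedDataGenerator createSignedDataGenerator() throws CMSException, OperatorCreationException, CertificateEncodingException {
        // NOTE(review): for EC keys PrivateKey.getAlgorithm() yields "EC", giving e.g. "SHA256withEC";
        // confirm the provider in use accepts that spelling, or set the algorithm explicitly.
        String algorithm = this.signatureAlgorithm != null
                ? this.signatureAlgorithm
                : this.digestAlgorithm + "with" + this.privateKey.getAlgorithm();
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(algorithm);
        if (this.signatureProvider != null) {
            signerBuilder.setProvider(this.signatureProvider);
        }
        ContentSigner contentSigner = signerBuilder.build(this.privateKey);

        FilteredAttributeTableGenerator signedAttributes = new FilteredAttributeTableGenerator(
                new DefaultSignedAttributeTableGenerator(createAuthenticatedAttributes()),
                CMSAttributes.signingTime, CMSAttributes.cmsAlgorithmProtect);

        SignerInfoGeneratorBuilder infoBuilder = new SignerInfoGeneratorBuilder(
                new AuthenticodeDigestCalculatorProvider(),
                new DefaultCMSSignatureEncryptionAlgorithmFinder() { // from class: net.jsign.AuthenticodeSigner.1
                    @Override
                    public AlgorithmIdentifier findEncryptionAlgorithm(AlgorithmIdentifier algorithmIdentifier) {
                        if (algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.sha256WithRSAEncryption)
                                || algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.sha384WithRSAEncryption)
                                || algorithmIdentifier.getAlgorithm().equals(PKCSObjectIdentifiers.sha512WithRSAEncryption)) {
                            return new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE);
                        }
                        // SHA-1/RSA, ECDSA, ... keep Bouncy Castle's default mapping.
                        return super.findEncryptionAlgorithm(algorithmIdentifier);
                    }
                });
        infoBuilder.setSignedAttributeGenerator(signedAttributes);
        SignerInfoGenerator signerInfoGenerator = infoBuilder.build(contentSigner, new JcaX509CertificateHolder((X509Certificate) this.chain[0]));

        AuthenticodeSignedDataGenerator generator = new AuthenticodeSignedDataGenerator();
        generator.addCertificates(new JcaCertStore(removeRoot(this.chain)));
        generator.addSignerInfoGenerator(signerInfoGenerator);
        return generator;
    }

    /**
     * Returns the chain without its self-signed certificate(s), so the trust anchor is
     * taken from the verifier's own store rather than from the signed file. A chain of
     * a single certificate is kept as-is even if it is self-signed.
     */
    private List<Certificate> removeRoot(Certificate[] certificateArr) {
        List<Certificate> kept = new ArrayList<Certificate>();
        if (certificateArr.length == 1) {
            kept.add(certificateArr[0]);
            return kept;
        }
        for (Certificate certificate : certificateArr) {
            if (!isSelfSigned((X509Certificate) certificate)) {
                kept.add(certificate);
            }
        }
        return kept;
    }

    /**
     * Tells whether the certificate names itself as issuer. This is a name comparison
     * only (no signature check), which is sufficient for pruning the root from the
     * embedded chain. Uses the X500Principal accessors rather than the deprecated
     * {@code getSubjectDN()}/{@code getIssuerDN()} string-based principals.
     */
    private boolean isSelfSigned(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectX500Principal().equals(x509Certificate.getIssuerX500Principal());
    }

    /**
     * Builds the Authenticode-specific signed attributes: the statement type
     * ({@code SPC_INDIVIDUAL_SP_KEY_PURPOSE}) and the opus info (program name and URL).
     */
    private AttributeTable createAuthenticatedAttributes() {
        List<Attribute> attributes = new ArrayList<Attribute>();
        attributes.add(new Attribute(AuthenticodeObjectIdentifiers.SPC_STATEMENT_TYPE_OBJID,
                new DERSet(new SpcStatementType(AuthenticodeObjectIdentifiers.SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID))));
        attributes.add(new Attribute(AuthenticodeObjectIdentifiers.SPC_SP_OPUS_INFO_OBJID,
                new DERSet(new SpcSpOpusInfo(this.programName, this.programURL))));
        return new AttributeTable(new DERSet(attributes.toArray(new ASN1Encodable[0])));
    }

    /**
     * Attaches {@code cMSSignedData2} to the first signer of {@code cMSSignedData} as an
     * {@code SPC_NESTED_SIGNATURE} unsigned attribute. Because the attribute is
     * unsigned, the signed content and the signature value of the outer signature are
     * left untouched. If the attribute already exists its previous values are kept and
     * the new signature is appended.
     *
     * @param cMSSignedData  the existing (outer) signature
     * @param cMSSignedData2 the new signature to nest
     * @return the outer signature with the updated unsigned attributes
     */
    protected CMSSignedData addNestedSignature(CMSSignedData cMSSignedData, CMSSignedData cMSSignedData2) {
        SignerInformation outerSigner = (SignerInformation) cMSSignedData.getSignerInfos().getSigners().iterator().next();
        AttributeTable unsigned = outerSigner.getUnsignedAttributes();
        if (unsigned == null) {
            unsigned = new AttributeTable(new DERSet());
        }

        AttributeTable updated;
        Attribute nested = unsigned.get(AuthenticodeObjectIdentifiers.SPC_NESTED_SIGNATURE_OBJID);
        if (nested == null) {
            updated = unsigned.add(AuthenticodeObjectIdentifiers.SPC_NESTED_SIGNATURE_OBJID, cMSSignedData2.toASN1Structure());
        } else {
            // Preserve previously nested signatures and append the new one.
            ASN1EncodableVector values = new ASN1EncodableVector();
            Iterator it = nested.getAttrValues().iterator();
            while (it.hasNext()) {
                values.add((ASN1Encodable) it.next());
            }
            values.add(cMSSignedData2.toASN1Structure());

            ASN1EncodableVector attributes = unsigned.remove(AuthenticodeObjectIdentifiers.SPC_NESTED_SIGNATURE_OBJID).toASN1EncodableVector();
            attributes.add(new Attribute(AuthenticodeObjectIdentifiers.SPC_NESTED_SIGNATURE_OBJID, new DERSet(values)));
            updated = new AttributeTable(attributes);
        }

        SignerInformation replaced = SignerInformation.replaceUnsignedAttributes(outerSigner, updated);
        return CMSSignedData.replaceSigners(cMSSignedData, new SignerInformationStore(replaced));
    }
}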
