package org.xwiki.crypto.x509.internal;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.xwiki.crypto.internal.Convert;
import org.xwiki.crypto.x509.XWikiX509Certificate;
import org.xwiki.crypto.x509.XWikiX509KeyPair;

/* loaded from: input_file:WEB-INF/lib/xwiki-platform-crypto-4.5.1.jar:org/xwiki/crypto/x509/internal/X509SignatureService.class */
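/**
 * Produces and checks detached CMS (PKCS#7) signatures over text, using the Bouncy Castle provider.
 *
 * Signatures are Base64-encoded, detached (the signed text is not embedded), and carry the
 * signer's certificate inside the CMS structure. Note that {@link #verifyText} only proves that
 * the signature matches the certificate the signer chose to embed; it performs no chain building,
 * trust-anchor, validity-period or revocation checks. Callers must validate the returned
 * certificate before treating the signature as an identity assertion.
 */
public class X509SignatureService {
    /**
     * Digest used when producing new signatures. SHA-256 replaces the original SHA-1, which is no
     * longer collision-resistant. Verification of previously issued SHA-1 signatures is unaffected:
     * the digest algorithm of an existing signature is read from its CMS SignerInfo, not from here.
     */
    private static final String DIGEST_OID = CMSSignedGenerator.DIGEST_SHA256;

    /** JCA provider name used for both signing and verification. */
    private static final String PROVIDER = "BC";

    /** CertStore type used to carry the signer certificate inside the CMS structure. */
    private static final String CERT_STORE_TYPE = "Collection";

    /**
     * Byte encoding of the text that is signed and verified. Pinned to UTF-8 so that a signature
     * produced on one host verifies on another; the original code used the platform default
     * charset, so non-ASCII text signed on a non-UTF-8 platform would fail to verify elsewhere.
     */
    private static final Charset TEXT_CHARSET = StandardCharsets.UTF_8;

    /**
     * Signs {@code str} with the private key of {@code xWikiX509KeyPair}.
     *
     * @param str the text to sign
     * @param xWikiX509KeyPair the key pair whose private key signs and whose certificate is embedded
     * @param str2 the password used to unlock the private key
     * @return the detached CMS signature, Base64-encoded
     * @throws GeneralSecurityException if the key cannot be unlocked or the signature cannot be built;
     *         non-security failures from the CMS layer are wrapped in this type
     */
    public String signText(String str, XWikiX509KeyPair xWikiX509KeyPair, String str2) throws GeneralSecurityException {
        XWikiX509Certificate certificate = xWikiX509KeyPair.getCertificate();
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        try {
            // Embed the signer certificate so verifyText can locate it by signer id.
            CertStore signerCerts = CertStore.getInstance(CERT_STORE_TYPE,
                new CollectionCertStoreParameters(Collections.singleton(certificate)));
            generator.addCertificatesAndCRLs(signerCerts);
            generator.addSigner(xWikiX509KeyPair.getPrivateKey(str2), certificate, DIGEST_OID);
            // Detached signature: the content is not encapsulated in the CMS structure.
            CMSSignedData signed = generator.generate(
                new CMSProcessableByteArray(str.getBytes(TEXT_CHARSET)), false, PROVIDER);
            return Convert.toBase64String(signed.getEncoded());
        } catch (GeneralSecurityException e) {
            throw e;
        } catch (Exception e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Verifies a detached signature produced by {@link #signText} against {@code str}.
     *
     * The public key used for verification is taken from the certificate embedded in the signature
     * itself, selected by the CMS signer identifier. Consequently a successful return only proves
     * possession of that certificate's private key; it does not establish that the certificate is
     * trusted, unexpired or unrevoked. The caller is responsible for those checks.
     *
     * @param str the text that was signed
     * @param str2 the Base64-encoded detached CMS signature
     * @return the embedded signer certificate when the signature verifies, or {@code null} when the
     *         signature does not match {@code str} (bad signature value or digest mismatch), when no
     *         embedded certificate matches the signer id, or when the matching certificate is not
     *         an X.509 certificate
     * @throws GeneralSecurityException if the signature contains anything other than exactly one
     *         signer, or if the input cannot be decoded or processed at all
     */
    public XWikiX509Certificate verifyText(String str, String str2) throws GeneralSecurityException {
        try {
            CMSSignedData signedData = new CMSSignedData(
                new CMSProcessableByteArray(str.getBytes(TEXT_CHARSET)), Convert.fromBase64String(str2));
            CertStore embeddedCerts = signedData.getCertificatesAndCRLs(CERT_STORE_TYPE, PROVIDER);
            SignerInformationStore signerInfos = signedData.getSignerInfos();
            int signerCount = signerInfos.getSigners().size();
            if (signerCount != 1) {
                throw new GeneralSecurityException("Only one signature is supported, found " + signerCount);
            }
            XWikiX509Certificate result = null;
            // Exactly one signer is present (enforced above), so this loop runs once.
            for (SignerInformation signer : signerInfos.getSigners()) {
                for (Certificate candidate : embeddedCerts.getCertificates(signer.getSID())) {
                    // NOTE(review): verifying against the bare public key skips the certificate
                    // validity check that the X509Certificate overload of verify() would perform;
                    // callers must check validity on the returned certificate themselves.
                    if (!signer.verify(candidate.getPublicKey(), PROVIDER)) {
                        return null;
                    }
                    if (candidate instanceof X509Certificate) {
                        // Second constructor argument is passed as null here as in the original;
                        // its meaning is not visible from this file.
                        result = new XWikiX509Certificate((X509Certificate) candidate, null);
                    }
                }
            }
            return result;
        } catch (CMSException e) {
            // A content/digest mismatch is reported by Bouncy Castle as a CMSException rather than
            // a false return; map it to the "does not verify" result. This relies on the exact
            // exception text of the bundled Bouncy Castle version and is brittle across upgrades.
            if ("message-digest attribute value does not match calculated value".equals(e.getMessage())) {
                return null;
            }
            throw new GeneralSecurityException(e);
        } catch (Exception e) {
            throw new GeneralSecurityException(e);
        }
    }
}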
