package es.gob.afirma.signers.tsp.pkcs7;

import es.gob.afirma.core.AOException;
import es.gob.afirma.core.misc.AOUtil;
import es.gob.afirma.core.misc.Base64;
import es.gob.afirma.core.misc.MimeHelper;
import es.gob.afirma.signers.pkcs7.AOAlgorithmID;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.URL;
import java.net.URLConnection;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Hashtable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;

/* loaded from: input_file:es/gob/afirma/signers/tsp/pkcs7/CMSTimestamper.class */
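/**
 * Adds RFC 3161 signature time-stamp tokens to the signers of a CMS SignedData.
 *
 * <p>For every signer, the signature value is sent to the configured Time Stamping
 * Authority (TSA) and the returned token is stored as the signer's unsigned attribute
 * {@code 1.2.840.113549.1.9.16.2.14}.
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>The connection is opened on whatever scheme the TSA URL carries. With an
 *       {@code http://} URL (such as {@link #CATCERT_TSP}) the request, the response and
 *       any HTTP Basic credentials travel unencrypted.</li>
 *   <li>The response is only checked against the request
 *       ({@code TimeStampResponse.validate(request)}). Nothing in this class verifies the
 *       token's signature or the TSA certificate against a trust anchor; NOTE(review):
 *       confirm that callers or verifiers do so before relying on the time-stamp.</li>
 *   <li>No connect/read timeout and no response-size limit are set on the connection.</li>
 * </ul>
 */
public final class CMSTimestamper {
    /** CATCert TSA endpoint. Plain HTTP: traffic and Basic credentials are not encrypted. */
    public static final String CATCERT_TSP = "http://psis.catcert.net/psis/catcert/tsp";
    /** Time-stamp policy OID to request from the CATCert TSA. */
    public static final String CATCERT_POLICY = "0.4.0.2023.1.1";
    /** Whether the CATCert TSA should be asked to include its certificate in the token. */
    public static final Boolean CATCERT_REQUIRECERT = Boolean.TRUE;
    /** OID of the signature time-stamp token unsigned attribute. */
    private static final String SIGNATURE_TIMESTAMP_TOKEN_OID = "1.2.840.113549.1.9.16.2.14";
    /** Size in bits of the random nonce placed in every time-stamp request. */
    private static final int NONCE_BITS = 64;
    /** Source of unpredictable nonces (a clock value can be guessed by a third party). */
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();

    private final TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();
    private final URL tsaURL;
    private final String tsaUsername;
    private final String tsaPassword;

    /**
     * Creates a time-stamper bound to one TSA.
     *
     * @param z whether the TSA is asked to include its certificate in the response
     * @param str OID of the time-stamp policy to request
     * @param url URL of the TSA; prefer an {@code https} URL, above all when credentials are set
     * @param str2 user name for HTTP Basic authentication; {@code null} or empty disables it
     * @param str3 password for HTTP Basic authentication
     */
    public CMSTimestamper(boolean z, String str, URL url, String str2, String str3) {
        this.tsqGenerator.setCertReq(z);
        this.tsqGenerator.setReqPolicy(str);
        this.tsaURL = url;
        this.tsaUsername = str2;
        this.tsaPassword = str3;
    }

    /**
     * Requests a time-stamp for every signer of a CMS SignedData and returns the
     * re-encoded structure with the tokens added as unsigned attributes.
     *
     * <p>Each signer's unsigned attribute table is replaced by one holding only the
     * time-stamp token.
     *
     * @param bArr encoded CMS SignedData
     * @param str name of the digest algorithm for the time-stamp request; {@code null}
     *     selects SHA-1
     * @return the encoded SignedData including the time-stamp tokens
     * @throws AOException if the TSA cannot be reached or its response is rejected
     * @throws IOException if an encoding or decoding step fails
     * @throws IllegalArgumentException if the input cannot be processed as a CMS SignedData
     */
    public byte[] addTimestamp(byte[] bArr, String str) throws NoSuchAlgorithmException, AOException, IOException {
        try {
            CMSSignedData cMSSignedData = new CMSSignedData(bArr);
            SignerInformationStore signerInfos = cMSSignedData.getSignerInfos();
            ArrayList<SignerInformation> stampedSigners = new ArrayList<SignerInformation>();
            // Iterate as Object so the loop compiles whether getSigners() is raw or generic.
            for (Object signer : signerInfos.getSigners()) {
                SignerInformation signerInformation = (SignerInformation) signer;
                byte[] token = getTimeStampToken(signerInformation.getSignature(), str);
                ASN1InputStream tokenStream = new ASN1InputStream(new ByteArrayInputStream(token));
                Attribute attribute;
                try {
                    attribute = new Attribute(
                        new ASN1ObjectIdentifier(SIGNATURE_TIMESTAMP_TOKEN_OID),
                        new DERSet(tokenStream.readObject()));
                } finally {
                    tokenStream.close();
                }
                Hashtable<ASN1ObjectIdentifier, Attribute> unsignedAttributes =
                    new Hashtable<ASN1ObjectIdentifier, Attribute>();
                unsignedAttributes.put(new ASN1ObjectIdentifier(SIGNATURE_TIMESTAMP_TOKEN_OID), attribute);
                stampedSigners.add(
                    SignerInformation.replaceUnsignedAttributes(signerInformation, new AttributeTable(unsignedAttributes)));
            }
            return CMSSignedData.replaceSigners(cMSSignedData, new SignerInformationStore(stampedSigners)).getEncoded();
        } catch (AOException e) {
            // A TSA failure is not an input-format problem: report it as declared.
            throw e;
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            // Keep the cause so the real parsing failure stays visible in the stack trace.
            throw new IllegalArgumentException("Los datos de entrada no son un SignedData de CMS: " + e, e);
        }
    }

    /**
     * Posts an encoded time-stamp request to the TSA and returns the raw response body.
     *
     * @param bArr encoded time-stamp request
     * @return response bytes, Base64-decoded when the server declares that content encoding
     * @throws IOException if the request cannot be sent or the response cannot be read
     */
    private byte[] getTSAResponse(byte[] bArr) throws IOException {
        // NOTE(review): no connect/read timeout is configured, so an unresponsive TSA can
        // block the calling thread; consider setting both.
        URLConnection openConnection = this.tsaURL.openConnection();
        openConnection.setDoInput(true);
        openConnection.setDoOutput(true);
        openConnection.setUseCaches(false);
        openConnection.setRequestProperty("Content-Type", "application/timestamp-query");
        openConnection.setRequestProperty("Content-Transfer-Encoding", MimeHelper.DEFAULT_CONTENT_DESCRIPTION);
        if (this.tsaUsername != null && !"".equals(this.tsaUsername)) {
            // Basic authentication is only an encoding of user:password; over a plain
            // http URL the credentials are readable by anyone on the network path.
            // NOTE(review): getBytes() uses the platform charset, so non-ASCII credentials
            // are encoded differently depending on the host.
            openConnection.setRequestProperty("Authorization", "Basic " + new String(Base64.encode((String.valueOf(this.tsaUsername) + ":" + this.tsaPassword).getBytes())));
        }
        OutputStream outputStream = openConnection.getOutputStream();
        try {
            outputStream.write(bArr);
            outputStream.flush();
        } finally {
            // Release the stream even when the write fails.
            outputStream.close();
        }
        final byte[] dataFromInputStream;
        InputStream inputStream = openConnection.getInputStream();
        try {
            // NOTE(review): the whole body is read with no size limit visible here.
            dataFromInputStream = AOUtil.getDataFromInputStream(inputStream);
        } finally {
            inputStream.close();
        }
        String contentEncoding = openConnection.getContentEncoding();
        if (contentEncoding != null && contentEncoding.equalsIgnoreCase("base64")) {
            return Base64.decode(new String(dataFromInputStream));
        }
        return dataFromInputStream;
    }

    /**
     * Obtains an encoded time-stamp token for the given data from the TSA.
     *
     * @param bArr value passed to the request generator as the message imprint (the caller
     *     passes the signature value; it is not hashed in this method)
     * @param str name of the digest algorithm to declare in the request; {@code null}
     *     selects SHA-1, which is a weak default that callers should avoid
     * @return the encoded time-stamp token
     * @throws AOException if the TSA cannot be reached, the response does not match the
     *     request, the TSA reports a failure, or no token is returned
     * @throws IOException declared for callers; failures seen here are wrapped in AOException
     */
    private byte[] getTimeStampToken(byte[] bArr, String str) throws AOException, IOException {
        // The nonce ties the response to this request, so it must not be guessable.
        BigInteger nonce = new BigInteger(NONCE_BITS, NONCE_RANDOM);
        TimeStampRequest request = this.tsqGenerator.generate(
            str != null ? AOAlgorithmID.getOID(str) : X509ObjectIdentifiers.id_SHA1.getId(), bArr, nonce);

        final TimeStampResponse timeStampResponse;
        try {
            timeStampResponse = new TimeStampResponse(getTSAResponse(request.getEncoded()));
        } catch (Exception e) {
            throw new AOException("Error obteniendo la respuesta de la TSA", e);
        }

        try {
            // Checks the response against the request only. It does not verify the token's
            // signature or the TSA certificate.
            timeStampResponse.validate(request);
            PKIFailureInfo failInfo = timeStampResponse.getFailInfo();
            int failureCode = failInfo == null ? 0 : failInfo.intValue();
            if (failureCode != 0) {
                throw new AOException("Respuesta invalida de la TSA ('" + this.tsaURL + "') con el codigo " + failureCode);
            }
            TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken();
            if (timeStampToken == null) {
                throw new AOException("La respuesta de la TSA ('" + this.tsaURL + "') no es un sello de tiempo valido");
            }
            return timeStampToken.getEncoded();
        } catch (AOException e) {
            // Already carries the specific reason; do not bury it under a generic wrapper.
            throw e;
        } catch (Exception e) {
            throw new AOException("Error validando la respuesta de la TSA", e);
        }
    }
}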
