package sun.security.tools;

import com.sun.jarsigner.ContentSigner;
import com.sun.jarsigner.ContentSignerParameters;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import sun.security.pkcs.ContentInfo;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.PKCS9Attribute;
import sun.security.pkcs.PKCS9Attributes;
import sun.security.pkcs.SignerInfo;
import sun.security.timestamp.HttpTimestamper;
import sun.security.timestamp.TSRequest;
import sun.security.timestamp.TSResponse;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AccessDescription;
import sun.security.x509.AlgorithmId;
import sun.security.x509.GeneralName;
import sun.security.x509.URIName;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertInfo;

/* loaded from: input_file:lib/jdk.tools-1.6.jar:sun/security/tools/TimestampedSigner.class */
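/**
 * {@link ContentSigner} that builds a PKCS #7 SignedData block and, on request,
 * attaches a signature timestamp token obtained from a Time-Stamping Authority (TSA).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The message imprint sent to the TSA is always SHA-1. It is left unchanged here because
 *       this file does not show which algorithm names {@code TSRequest} accepts.</li>
 *   <li>A TSA URL discovered from the certificate is only accepted with the {@code http} scheme,
 *       so the exchange is not transport-protected. The only check this class applies to the
 *       returned token is the extended-key-usage test in {@code generateTimestampToken}.</li>
 *   <li>NOTE(review): nothing in this class verifies the token signature, compares the response
 *       nonce with the request nonce, or ties the token signer to {@code tsaCertificate}.
 *       Confirm that {@code HttpTimestamper}/{@code TSResponse} or the verifying side does this.</li>
 * </ul>
 */
public final class TimestampedSigner extends ContentSigner {
    /** Source of the 64-bit request nonce; never null after class initialisation. */
    private static final SecureRandom RANDOM;
    /** id-pe-subjectInfoAccess certificate extension. */
    private static final String SUBJECT_INFO_ACCESS_OID = "1.3.6.1.5.5.7.1.11";
    /** id-kp-timeStamping extended key usage. */
    private static final String KP_TIMESTAMPING_OID = "1.3.6.1.5.5.7.3.8";
    /** id-ad-timeStamping access method; null only if the OID literal failed to parse. */
    private static final ObjectIdentifier AD_TIMESTAMPING_Id;
    // State below is (re)assigned by generateSignedData when a timestamp is requested.
    private String tsaUrl = null;
    private X509Certificate tsaCertificate = null;
    private MessageDigest messageDigest = null;
    private boolean tsRequestCertificate = true;

    /**
     * Encodes a PKCS #7 SignedData block for an already computed signature.
     *
     * @param contentSignerParameters signature, signer chain, content and TSA settings
     * @param z when true the content is omitted and only the data content type is recorded
     * @param z2 when true a timestamp token is requested from the TSA and attached to the
     *        signer info as the {@code SignatureTimestampToken} attribute
     * @return the DER-encoded SignedData
     * @throws NullPointerException if {@code contentSignerParameters} is null
     * @throws NoSuchAlgorithmException if the signature algorithm name is not of the
     *         {@code digestWITHkey} form or names an unknown algorithm
     * @throws CertificateException if the signer chain is empty, no TSA URL can be determined,
     *         or the TSA certificate is not valid for timestamping
     * @throws IOException if encoding fails or the TSA reports an error
     */
    @Override // com.sun.jarsigner.ContentSigner
    public byte[] generateSignedData(ContentSignerParameters contentSignerParameters, boolean z, boolean z2) throws NoSuchAlgorithmException, CertificateException, IOException {
        if (contentSignerParameters == null) {
            throw new NullPointerException("contentSignerParameters");
        }
        String signatureAlgorithm = contentSignerParameters.getSignatureAlgorithm();
        int withIndex = signatureAlgorithm == null ? -1 : signatureAlgorithm.indexOf("with");
        if (withIndex <= 0) {
            // Fail with a descriptive, declared exception instead of handing a null digest
            // algorithm name to AlgorithmId.get.
            throw new NoSuchAlgorithmException("Unsupported signature algorithm name: " + signatureAlgorithm);
        }
        String digestAlgorithm = signatureAlgorithm.substring(0, withIndex);
        // Names such as "<digest>with<key>and<mgf>" carry a suffix that is not part of the key algorithm.
        int andIndex = signatureAlgorithm.indexOf("and", withIndex + 4);
        String keyAlgorithm = andIndex > 0
                ? signatureAlgorithm.substring(withIndex + 4, andIndex)
                : signatureAlgorithm.substring(withIndex + 4);

        AlgorithmId digestAlgorithmId = AlgorithmId.get(digestAlgorithm);
        X509Certificate[] signerCertificateChain = contentSignerParameters.getSignerCertificateChain();
        if (signerCertificateChain == null || signerCertificateChain.length == 0) {
            throw new CertificateException("Signer certificate chain is empty");
        }
        X509Certificate signerCertificate = signerCertificateChain[0];
        Principal issuerDN = signerCertificate.getIssuerDN();
        if (!(issuerDN instanceof X500Name)) {
            // Other providers may return a different Principal type; re-parse the TBS
            // certificate so the issuer can be cast to X500Name below.
            issuerDN = (Principal) new X509CertInfo(signerCertificate.getTBSCertificate()).get("issuer.dname");
        }
        BigInteger serialNumber = signerCertificate.getSerialNumber();
        ContentInfo contentInfo = z
                ? new ContentInfo(ContentInfo.DATA_OID, (DerValue) null)
                : new ContentInfo(contentSignerParameters.getContent());
        byte[] signature = contentSignerParameters.getSignature();

        SignerInfo signerInfo;
        if (z2) {
            this.tsaCertificate = contentSignerParameters.getTimestampingAuthorityCertificate();
            URI timestampingAuthority = contentSignerParameters.getTimestampingAuthority();
            if (timestampingAuthority != null) {
                // An explicitly configured TSA location wins over the certificate extension.
                this.tsaUrl = timestampingAuthority.toString();
            } else {
                String discoveredUrl = getTimestampingUrl(this.tsaCertificate);
                if (discoveredUrl == null) {
                    throw new CertificateException("Subject Information Access extension not found");
                }
                this.tsaUrl = discoveredUrl;
            }
            // The token travels as an unauthenticated (unsigned) attribute of the signer info.
            signerInfo = new SignerInfo((X500Name) issuerDN, serialNumber, digestAlgorithmId, (PKCS9Attributes) null, AlgorithmId.get(keyAlgorithm), signature, new PKCS9Attributes(new PKCS9Attribute[]{new PKCS9Attribute("SignatureTimestampToken", generateTimestampToken(signature))}));
        } else {
            signerInfo = new SignerInfo((X500Name) issuerDN, serialNumber, digestAlgorithmId, AlgorithmId.get(keyAlgorithm), signature);
        }
        PKCS7 pkcs7 = new PKCS7(new AlgorithmId[]{digestAlgorithmId}, contentInfo, signerCertificateChain, new SignerInfo[]{signerInfo});
        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        pkcs7.encodeSignedData(encoded);
        return encoded.toByteArray();
    }

    /**
     * Looks up the TSA location in a certificate's Subject Information Access extension.
     *
     * <p>Only an id-ad-timeStamping access description whose location is a URI with the
     * {@code http} scheme is returned; other schemes are skipped.
     *
     * @param x509Certificate the TSA certificate, may be null
     * @return the first matching URI, or null if the certificate is null, the extension is
     *         absent or cannot be parsed, or no matching entry exists
     */
    public static String getTimestampingUrl(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        try {
            byte[] extensionValue = x509Certificate.getExtensionValue(SUBJECT_INFO_ACCESS_OID);
            if (extensionValue == null) {
                return null;
            }
            // The extension value is an OCTET STRING wrapping a SEQUENCE of AccessDescription.
            DerInputStream wrapped = new DerInputStream(extensionValue);
            DerValue[] descriptions = new DerInputStream(wrapped.getOctetString()).getSequence(5);
            for (DerValue encodedDescription : descriptions) {
                AccessDescription description = new AccessDescription(encodedDescription);
                if (!description.getAccessMethod().equals(AD_TIMESTAMPING_Id)) {
                    continue;
                }
                GeneralName location = description.getAccessLocation();
                // 6 is the uniformResourceIdentifier choice of GeneralName.
                if (location.getType() != 6) {
                    continue;
                }
                URIName uri = (URIName) location.getName();
                // Constant-first comparison stays safe should the scheme ever be null.
                if ("http".equalsIgnoreCase(uri.getScheme())) {
                    return uri.getName();
                }
            }
            return null;
        } catch (IOException e) {
            // A malformed extension is treated the same as a missing one.
            return null;
        }
    }

    /**
     * Requests a timestamp token for the given signature bytes from {@code tsaUrl}.
     *
     * @param bArr the signature value to be timestamped
     * @return the encoded timestamp token
     * @throws NoSuchAlgorithmException if no SHA-1 digest implementation is available
     * @throws CertificateException if the first certificate in the token lacks the
     *         timestamping extended key usage
     * @throws IOException if the TSA cannot be reached or reports a failure status
     */
    private byte[] generateTimestampToken(byte[] bArr) throws NoSuchAlgorithmException, CertificateException, IOException {
        if (this.messageDigest == null) {
            // Propagate a missing algorithm; swallowing it left messageDigest null and the
            // digest call below failed with a NullPointerException.
            this.messageDigest = MessageDigest.getInstance("SHA-1");
        }
        // NOTE(review): SHA-1 imprint is hard-coded; a stronger digest needs a matching
        // identifier accepted by TSRequest, which is not visible from this file.
        TSRequest request = new TSRequest(this.messageDigest.digest(bArr), "SHA-1");
        // NOTE(review): the nonce is sent, but the response nonce is not compared in this method.
        request.setNonce(new BigInteger(64, RANDOM));
        request.requestCertificate(this.tsRequestCertificate);
        TSResponse response = new HttpTimestamper(this.tsaUrl).generateTimestamp(request);

        int statusCode = response.getStatusCode();
        // 0 and 1 are the "granted" and "granted with modifications" statuses of RFC 3161.
        if (statusCode != 0 && statusCode != 1) {
            String message = "Error generating timestamp: " + response.getStatusCodeAsText();
            // -1 presumably means the response carried no failure info (confirm in TSResponse).
            if (response.getFailureCode() != -1) {
                message = message + " " + response.getFailureCodeAsText();
            }
            throw new IOException(message);
        }

        X509Certificate[] tokenCertificates = response.getToken().getCertificates();
        if (tokenCertificates != null && tokenCertificates.length > 0) {
            // getExtendedKeyUsage returns null when the extension is absent; treat that as
            // "not a timestamping certificate" rather than dereferencing it.
            java.util.List<String> keyUsages = tokenCertificates[0].getExtendedKeyUsage();
            if (keyUsages == null || !keyUsages.contains(KP_TIMESTAMPING_OID)) {
                throw new CertificateException("Certificate is not valid for timestamping");
            }
        }
        // A token without embedded certificates is returned without any key-usage check.
        return response.getEncodedToken();
    }

    static {
        SecureRandom nonceSource;
        try {
            nonceSource = SecureRandom.getInstance("SHA1PRNG");
        } catch (NoSuchAlgorithmException ignored) {
            // Fall back to the platform default so a request is never sent without a nonce.
            nonceSource = new SecureRandom();
        }
        RANDOM = nonceSource;
        ObjectIdentifier adTimestamping = null;
        try {
            adTimestamping = new ObjectIdentifier("1.3.6.1.5.5.7.48.3");
        } catch (IOException ignored) {
            // Left null: getTimestampingUrl then matches no access description and returns null.
        }
        AD_TIMESTAMPING_Id = adTimestamping;
    }
}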
