package nl.innovalor.mrtd.verifier;

import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.security.auth.x500.X500Principal;
import net.sf.scuba.smartcards.APDUWrapper;
import net.sf.scuba.smartcards.ResponseAPDU;
import nl.innovalor.cert.CertStoreProvider;
import nl.innovalor.cert.CertUtil;
import nl.innovalor.logging.JavaUtilLogger;
import nl.innovalor.logging.Loggable;
import nl.innovalor.logging.data.Action;
import nl.innovalor.mrtd.MRTDVerifier;
import nl.innovalor.mrtd.model.ActiveAuthenticationResult;
import nl.innovalor.mrtd.model.DocumentType;
import nl.innovalor.mrtd.model.HashMatchResult;
import nl.innovalor.mrtd.model.VerificationStatus;
import org.jmrtd.JMRTDSecurityProvider;
import org.jmrtd.PassportService;
import org.jmrtd.Util;
import org.jmrtd.lds.SODFile;
import org.jmrtd.protocol.AESSecureMessagingWrapper;
import org.jmrtd.protocol.CAResult;
import org.jmrtd.protocol.DESedeSecureMessagingWrapper;
import org.spongycastle.asn1.ASN1Encodable;
import org.spongycastle.asn1.ASN1Integer;
import org.spongycastle.asn1.DERSequence;
import org.spongycastle.pqc.jcajce.spec.McElieceCCA2ParameterSpec;

/* loaded from: classes.dex */
public class MRTDVerifierImpl implements MRTDVerifier {
    static final /* synthetic */ boolean $assertionsDisabled;
    private static final Provider BC_PROVIDER;
    private static final Provider CERT_STORE_PROVIDER;
    private static final boolean IS_PKIX_REVOCATION_CHECKING_ENABLED = false;
    private static final Logger LOGGER;
    private static final String LOGGER_CATEGORY = "NFC";
    private List<CertStore> cscaStores;
    private Set<TrustAnchor> cscaTrustAnchors;
    private MessageDigest digest;
    private MessageDigest ecdsaAADigest;
    private Signature ecdsaAASignature;
    private Loggable innovalorLogger;
    private Cipher rsaAACipher;
    private MessageDigest rsaAADigest;
    private Signature rsaAASignature;

    static {
        $assertionsDisabled = !MRTDVerifierImpl.class.desiredAssertionStatus();
        LOGGER = Logger.getLogger("nl.innovalor");
        CERT_STORE_PROVIDER = CertStoreProvider.getInstance();
        BC_PROVIDER = JMRTDSecurityProvider.getBouncyCastleProvider();
        Security.addProvider(CERT_STORE_PROVIDER);
    }

    public MRTDVerifierImpl(Collection<CertStore> collection) throws NoSuchAlgorithmException, NoSuchPaddingException {
        this(collection, null);
    }

    public MRTDVerifierImpl(Collection<CertStore> collection, Loggable loggable) throws NoSuchAlgorithmException, NoSuchPaddingException {
        this.innovalorLogger = loggable == null ? new JavaUtilLogger(LOGGER) : loggable;
        this.cscaStores = collection == null ? new ArrayList() : new ArrayList(collection);
        this.cscaTrustAnchors = CertUtil.getSelfSignedCertificatesAsTrustAnchors(this.cscaStores);
        this.digest = null;
        this.rsaAADigest = MessageDigest.getInstance("SHA1");
        this.rsaAASignature = Signature.getInstance("SHA1WithRSA/ISO9796-2", BC_PROVIDER);
        this.rsaAACipher = Cipher.getInstance("RSA/NONE/NoPadding");
        this.ecdsaAASignature = Signature.getInstance("SHA256withECDSA", BC_PROVIDER);
        this.ecdsaAADigest = MessageDigest.getInstance("SHA-256");
    }

    private static PKIXCertPathBuilderResult buildCertPath(CertPathBuilder certPathBuilder, PKIXBuilderParameters pKIXBuilderParameters) throws InvalidAlgorithmParameterException {
        try {
            return (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
        } catch (CertPathBuilderException e) {
            LOGGER.log(Level.INFO, "Exception during PKIX path building", (Throwable) e);
            return null;
        }
    }

    private static List<Certificate> getCertificateChain(X509Certificate x509Certificate, Date date, X500Principal x500Principal, BigInteger bigInteger, List<CertStore> list, Set<TrustAnchor> set) {
        X509Certificate trustedCert;
        CertPath certPath;
        ArrayList arrayList = new ArrayList();
        X509CertSelector x509CertSelector = new X509CertSelector();
        try {
            if (x509Certificate != null) {
                x509CertSelector.setCertificate(x509Certificate);
            } else {
                x509CertSelector.setIssuer(x500Principal);
                x509CertSelector.setSerialNumber(bigInteger);
            }
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(x509Certificate)));
            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", BC_PROVIDER);
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(set, x509CertSelector);
            pKIXBuilderParameters.addCertStore(certStore);
            Iterator<CertStore> it = list.iterator();
            while (it.hasNext()) {
                pKIXBuilderParameters.addCertStore(it.next());
            }
            pKIXBuilderParameters.setDate(date);
            pKIXBuilderParameters.setRevocationEnabled(false);
            Security.addProvider(BC_PROVIDER);
            PKIXCertPathBuilderResult buildCertPath = buildCertPath(certPathBuilder, pKIXBuilderParameters);
            if (buildCertPath != null && (certPath = buildCertPath.getCertPath()) != null) {
                arrayList.addAll(certPath.getCertificates());
            }
            if (x509Certificate != null && !arrayList.contains(x509Certificate)) {
                LOGGER.warning("Adding doc signing certificate after PKIXBuilder finished");
                arrayList.add(0, x509Certificate);
            }
            if (buildCertPath != null && (trustedCert = buildCertPath.getTrustAnchor().getTrustedCert()) != null && !arrayList.contains(trustedCert)) {
                LOGGER.warning("Adding trust anchor certificate after PKIXBuilder finished");
                arrayList.add(trustedCert);
            }
        } catch (Exception e) {
            LOGGER.log(Level.WARNING, "Building a chain failed with exception", (Throwable) e);
        }
        return arrayList;
    }

    private static MessageDigest getDigest(String str, MessageDigest messageDigest) throws NoSuchAlgorithmException {
        if (messageDigest == null || !str.equals(messageDigest.getAlgorithm())) {
            LOGGER.info("Setting digest to algorithm " + str);
            return Security.getAlgorithms("MessageDigest").contains(str) ? MessageDigest.getInstance(str) : MessageDigest.getInstance(str, BC_PROVIDER);
        }
        messageDigest.reset();
        return messageDigest;
    }

    private static Signature getSignature(String str) throws NoSuchAlgorithmException {
        Signature signature;
        int beginPreferBouncyCastleProvider = JMRTDSecurityProvider.beginPreferBouncyCastleProvider();
        try {
            signature = Signature.getInstance(str);
        } catch (Exception e) {
            LOGGER.log(Level.INFO, "Default JCE provider could not provide " + str + ", retrying with BC", (Throwable) e);
            signature = Signature.getInstance(str, BC_PROVIDER);
        } finally {
            JMRTDSecurityProvider.endPreferBouncyCastleProvider(beginPreferBouncyCastleProvider);
        }
        return signature;
    }

    private boolean setAAVerificationStatus(ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus, BigInteger bigInteger, BigInteger bigInteger2) throws SignatureException {
        try {
            boolean verify = this.ecdsaAASignature.verify(new DERSequence(new ASN1Encodable[]{new ASN1Integer(bigInteger), new ASN1Integer(bigInteger2)}).getEncoded());
            if (verify) {
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SUCCEEDED, activeAuthenticationResult);
            } else {
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, activeAuthenticationResult);
            }
            return verify;
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Unexpected exception during AA signature verification with ECDSA", (Throwable) e);
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
            return false;
        }
    }

    private boolean verifyAAEDL(ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus) {
        try {
            PublicKey publicKey = activeAuthenticationResult.getAAConfig().getPublicKey();
            String digestAlgorithm = activeAuthenticationResult.getAAConfig().getDigestAlgorithm();
            String signatureAlgorithm = activeAuthenticationResult.getAAConfig().getSignatureAlgorithm();
            byte[] challenge = activeAuthenticationResult.getChallenge();
            byte[] response = activeAuthenticationResult.getResponse();
            String algorithm = publicKey.getAlgorithm();
            if (!"RSA".equals(algorithm)) {
                if (!"EC".equals(algorithm) && !"ECDSA".equals(algorithm)) {
                    LOGGER.severe("Unsupported AA public key type " + publicKey.getClass().getSimpleName());
                    verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNSUPPORTED_KEY_TYPE_FAILURE, activeAuthenticationResult);
                    return false;
                }
                ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
                if (this.ecdsaAASignature == null || (signatureAlgorithm != null && !signatureAlgorithm.equals(this.ecdsaAASignature.getAlgorithm()))) {
                    LOGGER.warning("Re-initializing ecdsaAASignature with algorithm " + signatureAlgorithm);
                    this.ecdsaAASignature = Signature.getInstance(signatureAlgorithm);
                }
                if (this.ecdsaAADigest == null || (digestAlgorithm != null && !digestAlgorithm.equals(this.ecdsaAADigest.getAlgorithm()))) {
                    LOGGER.warning("Re-initializing ecdsaAADigest with algorithm " + digestAlgorithm);
                    this.ecdsaAADigest = MessageDigest.getInstance(digestAlgorithm);
                }
                this.ecdsaAASignature.initVerify(eCPublicKey);
                if (response.length % 2 != 0) {
                    LOGGER.warning("Active Authentication response is not of even length");
                }
                int length = response.length / 2;
                BigInteger os2i = Util.os2i(response, 0, length);
                BigInteger os2i2 = Util.os2i(response, length, length);
                this.ecdsaAASignature.update(challenge);
                return setAAVerificationStatus(activeAuthenticationResult, verificationStatus, os2i, os2i2);
            }
            this.rsaAACipher.init(2, (RSAPublicKey) publicKey);
            byte[] doFinal = this.rsaAACipher.doFinal(response);
            int i = 0;
            if (doFinal[doFinal.length - 1] == -68) {
                if (digestAlgorithm != null && (!"SHA1".equalsIgnoreCase(digestAlgorithm) || !"SHA-1".equalsIgnoreCase(digestAlgorithm))) {
                    LOGGER.warning("Message format suggest different AA digest algorithm (SHA1) than the DG14 reports (" + digestAlgorithm + ").");
                }
                i = 1;
                digestAlgorithm = "SHA1";
            } else if (doFinal[doFinal.length - 1] == -52 && doFinal[doFinal.length - 2] == 52) {
                i = 2;
                digestAlgorithm = McElieceCCA2ParameterSpec.DEFAULT_MD;
                signatureAlgorithm = "SHA256WithRSA/ISO9796-2";
            } else if (!$assertionsDisabled) {
                throw new AssertionError("Unrecognized Active Authentication signature algorithm");
            }
            if (this.rsaAADigest == null || !this.rsaAADigest.getAlgorithm().equals(digestAlgorithm)) {
                LOGGER.warning("Re-initializing rsaAADigest with algorithm " + signatureAlgorithm);
                this.rsaAADigest = MessageDigest.getInstance(digestAlgorithm);
            }
            int digestLength = this.rsaAADigest.getDigestLength();
            int i2 = 0;
            int i3 = 0;
            while (true) {
                if (i3 >= doFinal.length) {
                    break;
                }
                if (((doFinal[i3] & PassportService.SF_DG15) ^ 10) == 0) {
                    i2 = i3 + 1;
                    break;
                }
                i3++;
            }
            int length2 = ((doFinal.length - i) - digestLength) - i2;
            byte[] bArr = new byte[length2];
            System.arraycopy(doFinal, i2, bArr, 0, bArr.length);
            byte[] bArr2 = new byte[digestLength];
            System.arraycopy(doFinal, i2 + length2, bArr2, 0, bArr2.length);
            this.rsaAADigest.reset();
            this.rsaAADigest.update(bArr);
            this.rsaAADigest.update(challenge);
            boolean equals = Arrays.equals(bArr2, this.rsaAADigest.digest());
            if (equals) {
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SIGNATURE_CHECKED, activeAuthenticationResult);
                return equals;
            }
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, activeAuthenticationResult);
            return equals;
        } catch (Exception e) {
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
            LOGGER.log(Level.SEVERE, "Unexpected Exception", (Throwable) e);
            return false;
        }
    }

    private boolean verifyAAICAO(ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus) {
        boolean z = false;
        if (activeAuthenticationResult != null) {
            try {
                if (activeAuthenticationResult.getChallenge() == null) {
                    LOGGER.severe("Challenge is null");
                    verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
                } else if (activeAuthenticationResult.getResponse() == null) {
                    LOGGER.severe("Response is null");
                    verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
                } else {
                    PublicKey publicKey = activeAuthenticationResult.getAAConfig().getPublicKey();
                    String algorithm = publicKey.getAlgorithm();
                    if ("RSA".equals(algorithm)) {
                        z = verifyAAWithRSA(activeAuthenticationResult, verificationStatus);
                    } else if ("EC".equals(algorithm) || "ECDSA".equals(algorithm)) {
                        z = verifyAAWithECDSA(activeAuthenticationResult, verificationStatus);
                    } else {
                        LOGGER.severe("Unsupported AA public key type " + publicKey.getClass().getSimpleName());
                        verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNSUPPORTED_KEY_TYPE_FAILURE, activeAuthenticationResult);
                    }
                }
            } catch (Exception e) {
                LOGGER.log(Level.WARNING, "Exception during AA verification", (Throwable) e);
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
            }
        }
        return z;
    }

    private boolean verifyAAWithECDSA(ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus) throws GeneralSecurityException {
        if (activeAuthenticationResult == null) {
            throw new IllegalArgumentException("Cannot verify AA with null argument");
        }
        PublicKey publicKey = activeAuthenticationResult.getAAConfig().getPublicKey();
        String digestAlgorithm = activeAuthenticationResult.getAAConfig().getDigestAlgorithm();
        String signatureAlgorithm = activeAuthenticationResult.getAAConfig().getSignatureAlgorithm();
        byte[] challenge = activeAuthenticationResult.getChallenge();
        byte[] response = activeAuthenticationResult.getResponse();
        String algorithm = publicKey.getAlgorithm();
        if (!"EC".equals(algorithm) && !"ECDSA".equals(algorithm)) {
            throw new IllegalArgumentException("Was expecting EC public key");
        }
        ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
        if (this.ecdsaAASignature == null || (signatureAlgorithm != null && !signatureAlgorithm.equals(this.ecdsaAASignature.getAlgorithm()))) {
            LOGGER.warning("Re-initializing ecdsaAASignature with algorithm " + signatureAlgorithm);
            this.ecdsaAASignature = Signature.getInstance(signatureAlgorithm);
        }
        if (this.ecdsaAADigest == null || (digestAlgorithm != null && !digestAlgorithm.equals(this.ecdsaAADigest.getAlgorithm()))) {
            LOGGER.warning("Re-initializing ecdsaAADigest with algorithm " + digestAlgorithm);
            this.ecdsaAADigest = MessageDigest.getInstance(digestAlgorithm);
        }
        this.ecdsaAASignature.initVerify(eCPublicKey);
        if (response.length % 2 != 0) {
            LOGGER.warning("Active Authentication response is not of even length");
        }
        int length = response.length / 2;
        BigInteger os2i = Util.os2i(response, 0, length);
        BigInteger os2i2 = Util.os2i(response, length, length);
        this.ecdsaAASignature.update(challenge);
        try {
            boolean verify = this.ecdsaAASignature.verify(new DERSequence(new ASN1Encodable[]{new ASN1Integer(os2i), new ASN1Integer(os2i2)}).getEncoded());
            if (verify) {
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SUCCEEDED, activeAuthenticationResult);
            } else {
                verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, activeAuthenticationResult);
            }
            return verify;
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Unexpected exception during AA signature verification with ECDSA", (Throwable) e);
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, activeAuthenticationResult);
            return false;
        }
    }

    private boolean verifyAAWithRSA(ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus) throws GeneralSecurityException {
        if (activeAuthenticationResult == null) {
            throw new IllegalArgumentException("Cannot verify AA with null argument");
        }
        PublicKey publicKey = activeAuthenticationResult.getAAConfig().getPublicKey();
        String digestAlgorithm = activeAuthenticationResult.getAAConfig().getDigestAlgorithm();
        String signatureAlgorithm = activeAuthenticationResult.getAAConfig().getSignatureAlgorithm();
        byte[] challenge = activeAuthenticationResult.getChallenge();
        byte[] response = activeAuthenticationResult.getResponse();
        if (!"RSA".equals(publicKey.getAlgorithm())) {
            throw new IllegalArgumentException("Was expecting RSA");
        }
        if ((!"SHA1".equalsIgnoreCase(digestAlgorithm) && !"SHA-1".equalsIgnoreCase(digestAlgorithm)) || !"SHA1WithRSA/ISO9796-2".equalsIgnoreCase(signatureAlgorithm)) {
            LOGGER.warning("Unexpected algorithms for RSA AA: digest algorithm = " + (digestAlgorithm == null ? "null" : digestAlgorithm) + ", signature algorithm = " + (signatureAlgorithm == null ? "null" : signatureAlgorithm));
            if (digestAlgorithm == null) {
                this.rsaAADigest = null;
            } else {
                this.rsaAADigest = MessageDigest.getInstance(digestAlgorithm);
            }
            if (signatureAlgorithm == null) {
                LOGGER.warning("Signature algorithm is null");
            } else {
                this.rsaAASignature = Signature.getInstance(signatureAlgorithm, BC_PROVIDER);
            }
        }
        if (this.rsaAADigest == null || (digestAlgorithm != null && !this.rsaAADigest.getAlgorithm().equals(digestAlgorithm))) {
            LOGGER.warning("Re-initializing rsaAADigest with algorithm " + signatureAlgorithm);
            this.rsaAADigest = MessageDigest.getInstance(digestAlgorithm);
        }
        if (this.rsaAASignature == null || !this.rsaAASignature.getAlgorithm().equals(signatureAlgorithm)) {
            LOGGER.warning("Re-initializing rsaAASignature with algorithm " + signatureAlgorithm);
            this.rsaAASignature = Signature.getInstance(signatureAlgorithm, BC_PROVIDER);
        }
        RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
        this.rsaAACipher.init(2, rSAPublicKey);
        this.rsaAASignature.initVerify(rSAPublicKey);
        int digestLength = this.rsaAADigest != null ? this.rsaAADigest.getDigestLength() : 20;
        if (!$assertionsDisabled && digestLength != 20) {
            throw new AssertionError();
        }
        this.rsaAASignature.update(Util.recoverMessage(digestLength, this.rsaAACipher.doFinal(response)));
        this.rsaAASignature.update(challenge);
        boolean verify = this.rsaAASignature.verify(response);
        if (verify) {
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SIGNATURE_CHECKED, activeAuthenticationResult);
        } else {
            verificationStatus.setAA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, activeAuthenticationResult);
        }
        return verify;
    }

    private static boolean verifyDocSignature(SODFile sODFile) throws GeneralSecurityException {
        String str;
        MessageDigest messageDigest;
        X509Certificate docSigningCertificate = sODFile.getDocSigningCertificate();
        if (docSigningCertificate == null) {
            LOGGER.warning("Could not get document signer certificate from security object");
        }
        byte[] eContent = sODFile.getEContent();
        byte[] encryptedDigest = sODFile.getEncryptedDigest();
        try {
            str = sODFile.getDigestEncryptionAlgorithm();
        } catch (Exception e) {
            LOGGER.log(Level.INFO, "Could not get digest encryption algorithm from security object", (Throwable) e);
            str = null;
        }
        if (str == null) {
            LOGGER.info("Trying to infer digest encryption algorithm from signer info digest algorithm");
            String signerInfoDigestAlgorithm = sODFile.getSignerInfoDigestAlgorithm();
            try {
                messageDigest = MessageDigest.getInstance(signerInfoDigestAlgorithm);
            } catch (Exception e2) {
                LOGGER.log(Level.INFO, "Default JCE provider could not provide digest algorithm" + signerInfoDigestAlgorithm, (Throwable) e2);
                messageDigest = MessageDigest.getInstance(signerInfoDigestAlgorithm, BC_PROVIDER);
            }
            messageDigest.update(eContent);
            return Arrays.equals(messageDigest.digest(), encryptedDigest);
        }
        if ("SSAwithRSA/PSS".equals(str)) {
            str = sODFile.getSignerInfoDigestAlgorithm().replace("-", "") + "withRSA/PSS";
        }
        if ("RSA".equals(str)) {
            str = sODFile.getSignerInfoDigestAlgorithm().replace("-", "") + "withRSA";
        }
        LOGGER.info("digestEncryptionAlgorithm = " + str);
        int beginPreferBouncyCastleProvider = JMRTDSecurityProvider.beginPreferBouncyCastleProvider();
        try {
            Signature signature = getSignature(str);
            signature.initVerify(docSigningCertificate);
            signature.update(eContent);
            return signature.verify(encryptedDigest);
        } finally {
            JMRTDSecurityProvider.endPreferBouncyCastleProvider(beginPreferBouncyCastleProvider);
        }
    }

    private HashMatchResult verifyHash(int i, byte[] bArr, SODFile sODFile, Map<Integer, HashMatchResult> map, VerificationStatus verificationStatus) {
        try {
            byte[] bArr2 = sODFile.getDataGroupHashes().get(Integer.valueOf(i));
            if (bArr2 == null) {
                verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.STORED_HASH_NOT_FOUND_FAILURE, map);
                return null;
            }
            if (bArr == null) {
                HashMatchResult hashMatchResult = new HashMatchResult(bArr2, null);
                map.put(Integer.valueOf(i), hashMatchResult);
                return hashMatchResult;
            }
            try {
                this.digest = getDigest(sODFile.getDigestAlgorithm(), this.digest);
                try {
                    byte[] digest = this.digest.digest(bArr);
                    HashMatchResult hashMatchResult2 = new HashMatchResult(bArr2, digest);
                    map.put(Integer.valueOf(i), hashMatchResult2);
                    if (Arrays.equals(bArr2, digest)) {
                        return hashMatchResult2;
                    }
                    verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.HASH_MISMATCH_FAILURE, map);
                    return hashMatchResult2;
                } catch (Exception e) {
                    LOGGER.log(Level.INFO, "Unexpected exception during hash match verification", (Throwable) e);
                    HashMatchResult hashMatchResult3 = new HashMatchResult(bArr2, null);
                    map.put(Integer.valueOf(i), hashMatchResult3);
                    verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, map);
                    return hashMatchResult3;
                }
            } catch (NoSuchAlgorithmException e2) {
                LOGGER.log(Level.WARNING, "Unsupported digest algorithm exception during hash match verification", (Throwable) e2);
                verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNSUPPORTED_DIGEST_ALGORITHM_FAILURE, null);
                return null;
            }
        } catch (Exception e3) {
            LOGGER.log(Level.WARNING, "Could not get stored hash from security object", (Throwable) e3);
            verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.STORED_HASH_NOT_FOUND_FAILURE, map);
            return null;
        }
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public Set<TrustAnchor> getTrustAnchors() {
        return this.cscaTrustAnchors;
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public boolean verifyAA(DocumentType documentType, ActiveAuthenticationResult activeAuthenticationResult, VerificationStatus verificationStatus) {
        switch (documentType) {
            case ICAO_MRTD:
                return verifyAAICAO(activeAuthenticationResult, verificationStatus);
            case EU_EDL:
                return verifyAAEDL(activeAuthenticationResult, verificationStatus);
            default:
                throw new IllegalArgumentException("Unsupported document type " + documentType);
        }
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public void verifyCS(SODFile sODFile, VerificationStatus verificationStatus) {
        Action createAction = this.innovalorLogger.createAction(LOGGER_CATEGORY, "CS", null);
        try {
            ArrayList arrayList = new ArrayList();
            if (sODFile == null) {
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.COULD_NOT_BUILD_CHAIN_FAILURE, arrayList);
                return;
            }
            X509Certificate x509Certificate = null;
            X500Principal issuerX500Principal = sODFile.getIssuerX500Principal();
            BigInteger serialNumber = sODFile.getSerialNumber();
            try {
                x509Certificate = sODFile.getDocSigningCertificate();
            } catch (Exception e) {
                LOGGER.log(Level.WARNING, "Error getting document signing certificate", (Throwable) e);
            }
            if (x509Certificate != null) {
                arrayList.add(x509Certificate);
            } else {
                LOGGER.warning("Error getting document signing certificate from security object");
            }
            if (this.cscaStores == null || this.cscaStores.isEmpty()) {
                LOGGER.warning("No CSCA certificate stores found.");
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.NO_CSCA_TRUST_ANCHORS_FOUND_FAILURE, arrayList);
            }
            if (this.cscaTrustAnchors == null || this.cscaTrustAnchors.isEmpty()) {
                LOGGER.warning("No CSCA trust anchors found.");
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.NO_CSCA_TRUST_ANCHORS_FOUND_FAILURE, arrayList);
            }
            if (x509Certificate != null) {
                X500Principal issuerX500Principal2 = x509Certificate.getIssuerX500Principal();
                if (issuerX500Principal != null && !issuerX500Principal.equals(issuerX500Principal2)) {
                    LOGGER.severe("Security object issuer principal is different from embedded DS certificate issuer!");
                }
                BigInteger serialNumber2 = x509Certificate.getSerialNumber();
                if (serialNumber != null && !serialNumber.equals(serialNumber2)) {
                    LOGGER.warning("Security object serial number is different from embedded DS certificate serial number!");
                }
            }
            List<Certificate> certificateChain = getCertificateChain(x509Certificate, x509Certificate == null ? null : x509Certificate.getNotBefore(), issuerX500Principal, serialNumber, this.cscaStores, this.cscaTrustAnchors);
            if (certificateChain == null) {
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, arrayList);
                return;
            }
            for (Certificate certificate : certificateChain) {
                if (!certificate.equals(x509Certificate)) {
                    arrayList.add(certificate);
                }
            }
            this.innovalorLogger.logSuccessAction(arrayList, createAction);
            int size = arrayList.size();
            if (size <= 1) {
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.COULD_NOT_BUILD_CHAIN_FAILURE, arrayList);
                return;
            }
            if (size <= 1 || !verificationStatus.getCS().equals(VerificationStatus.Verdict.UNKNOWN)) {
                return;
            }
            Date date = new Date();
            if (x509Certificate == null || !date.after(x509Certificate.getNotAfter())) {
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.FOUND_A_CHAIN_SUCCEEDED, arrayList);
            } else {
                verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.CERTIFICATE_EXPIRED, arrayList);
            }
        } catch (Exception e2) {
            LOGGER.log(Level.SEVERE, "Exception", (Throwable) e2);
            verificationStatus.setCS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, CertUtil.getEmptyCertificateList());
        }
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public void verifyDS(SODFile sODFile, VerificationStatus verificationStatus) {
        Action createAction = this.innovalorLogger.createAction(LOGGER_CATEGORY, "DS", null);
        try {
            verificationStatus.setDS(VerificationStatus.Verdict.UNKNOWN, VerificationStatus.ReasonCode.UNKNOWN);
            boolean verifyDocSignature = verifyDocSignature(sODFile);
            this.innovalorLogger.logSuccessAction(Boolean.valueOf(verifyDocSignature), createAction);
            if (verifyDocSignature) {
                verificationStatus.setDS(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SIGNATURE_CHECKED);
            } else {
                verificationStatus.setDS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE);
            }
        } catch (NoSuchAlgorithmException e) {
            LOGGER.log(Level.INFO, "Unsupported signature algorithm ", (Throwable) e);
            verificationStatus.setDS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNSUPPORTED_SIGNATURE_ALGORITHM_FAILURE);
            this.innovalorLogger.logFailedAction(createAction);
        } catch (Exception e2) {
            LOGGER.log(Level.SEVERE, "Unexpected exception", (Throwable) e2);
            verificationStatus.setDS(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE);
            this.innovalorLogger.logFailedAction(createAction);
        } finally {
            this.innovalorLogger.stopAction(createAction);
        }
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public boolean verifyEACCA(DocumentType documentType, CAResult cAResult, ResponseAPDU responseAPDU, ResponseAPDU responseAPDU2, VerificationStatus verificationStatus) {
        APDUWrapper aESSecureMessagingWrapper;
        LOGGER.info("Started validation of the EAC-CA exchange");
        if (cAResult == null) {
            verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_FAILED, verificationStatus.getEACCAReason(), cAResult);
            return false;
        }
        if (cAResult.getWrapper() == null || responseAPDU == null || responseAPDU2 == null) {
            verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, cAResult);
        }
        KeyPair keyPair = cAResult.getKeyPair();
        PublicKey publicKey = cAResult.getPublicKey();
        SecretKey encryptionKey = cAResult.getWrapper().getEncryptionKey();
        SecretKey mACKey = cAResult.getWrapper().getMACKey();
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance(keyPair.getPublic().getAlgorithm());
            keyAgreement.init(keyPair.getPrivate());
            keyAgreement.doPhase(publicKey, true);
            byte[] generateSecret = keyAgreement.generateSecret();
            try {
                SecretKey deriveKey = Util.deriveKey(generateSecret, encryptionKey.getAlgorithm(), encryptionKey.getEncoded().length * 8, 1);
                SecretKey deriveKey2 = Util.deriveKey(generateSecret, mACKey.getAlgorithm(), mACKey.getEncoded().length * 8, 2);
                if (!encryptionKey.equals(deriveKey) || !mACKey.equals(deriveKey2)) {
                    verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, cAResult);
                    return false;
                }
                if (cAResult.getWrapper() instanceof AESSecureMessagingWrapper) {
                    try {
                        aESSecureMessagingWrapper = new AESSecureMessagingWrapper(encryptionKey, mACKey, 1L);
                    } catch (GeneralSecurityException e) {
                        LOGGER.log(Level.WARNING, "Some error occurred during reconstruciton of wrapper. Cannot verify EAC-CA", (Throwable) e);
                        verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
                        return false;
                    }
                } else {
                    if (!(cAResult.getWrapper() instanceof DESedeSecureMessagingWrapper)) {
                        LOGGER.warning("Unsupported wrapper type. Cannot verify EAC-CA");
                        verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.NOT_SUPPORTED, cAResult);
                        return false;
                    }
                    try {
                        aESSecureMessagingWrapper = new DESedeSecureMessagingWrapper(encryptionKey, mACKey);
                    } catch (GeneralSecurityException e2) {
                        LOGGER.log(Level.WARNING, "Some error occurred during reconstruciton of wrapper. Cannot verify EAC-CA", (Throwable) e2);
                        verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
                        return false;
                    }
                }
                if (!responseAPDU2.equals(aESSecureMessagingWrapper.unwrap(responseAPDU))) {
                    verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.SIGNATURE_FAILURE, cAResult);
                    return false;
                }
                LOGGER.info("Successfully validated the EAC-CA exchange");
                verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.SUCCEEDED, cAResult);
                return true;
            } catch (IllegalArgumentException e3) {
                LOGGER.log(Level.WARNING, "Could derive encryption and/or mac keys", (Throwable) e3);
                verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
                return false;
            } catch (GeneralSecurityException e4) {
                LOGGER.log(Level.WARNING, "Could derive encryption and/or mac keys", (Throwable) e4);
                verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
                return false;
            }
        } catch (InvalidKeyException e5) {
            LOGGER.log(Level.WARNING, "Could not perform key agreement. Cannot verify EAC-CA", (Throwable) e5);
            verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
            return false;
        } catch (NoSuchAlgorithmException e6) {
            LOGGER.log(Level.WARNING, "Could not perform key agreement. Cannot verify EAC-CA", (Throwable) e6);
            verificationStatus.setEACCA(VerificationStatus.Verdict.PRESENT_NOT_CHECKED, VerificationStatus.ReasonCode.UNEXPECTED_EXCEPTION_FAILURE, cAResult);
            return false;
        }
    }

    @Override // nl.innovalor.mrtd.MRTDVerifier
    public void verifyHT(Map<Integer, byte[]> map, SODFile sODFile, VerificationStatus verificationStatus) {
        Action createAction = this.innovalorLogger.createAction(LOGGER_CATEGORY, "HT", null);
        try {
            Map<Integer, HashMatchResult> hashResults = verificationStatus.getHashResults();
            if (hashResults == null) {
                hashResults = new TreeMap<>();
                verificationStatus.setHT(VerificationStatus.Verdict.UNKNOWN, VerificationStatus.ReasonCode.UNKNOWN, hashResults);
            }
            if (sODFile == null) {
                verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_FAILED, VerificationStatus.ReasonCode.READ_ERROR_SOD_FAILURE, hashResults);
                return;
            }
            Iterator<Integer> it = sODFile.getDataGroupHashes().keySet().iterator();
            while (it.hasNext()) {
                int intValue = it.next().intValue();
                verifyHash(intValue, map.get(Integer.valueOf(intValue)), sODFile, hashResults, verificationStatus);
            }
            this.innovalorLogger.logSuccessAction(hashResults, createAction);
            if (verificationStatus.getHT().equals(VerificationStatus.Verdict.UNKNOWN)) {
                verificationStatus.setHT(VerificationStatus.Verdict.PRESENT_SUCCEEDED, VerificationStatus.ReasonCode.ALL_HASHES_MATCH, hashResults);
            } else {
                verificationStatus.setHT(verificationStatus.getHT(), verificationStatus.getHTReason(), hashResults);
            }
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Exception", (Throwable) e);
            this.innovalorLogger.logFailedAction(createAction);
            this.innovalorLogger.log(Level.SEVERE, e);
        } finally {
            this.innovalorLogger.stopAction(createAction);
        }
    }
}
