package org.apache.james.transport;

import com.google.common.base.Preconditions;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.mail.MessagingException;
import org.apache.james.util.io.UnsynchronizedBufferedInputStream;
import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder;
import org.bouncycastle.cert.selector.X509CertificateHolderSelector;
import org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.mail.smime.SMIMESigned;

/* loaded from: input_file:org/apache/james/transport/KeyStoreHolder.class */
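/**
 * Wraps a {@link KeyStore} of trust anchors and uses it to check the signers of an
 * S/MIME signed message.
 *
 * <p>Two independent facts are reported per signer: whether the signature verifies
 * against the certificate shipped in the message, and whether a certification path
 * from that certificate to an entry of the keystore could be built. The certificate
 * comes from the message itself, so a valid signature alone does not establish
 * trust; the certification path must also be non-null.
 */
public class KeyStoreHolder {
    private static final String BC = "BC";
    protected KeyStore keyStore;

    /**
     * Loads the JRE's {@code cacerts} file using the password {@code "changeit"}.
     *
     * @throws IOException if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be created or loaded
     */
    public KeyStoreHolder() throws IOException, GeneralSecurityException {
        this("changeit");
    }

    /**
     * Loads {@code <java.home>/lib/security/cacerts} with the given password and the
     * default keystore type.
     *
     * @param str password passed to {@link KeyStore#load}; {@code null} is treated as empty
     * @throws IOException if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be created or loaded
     */
    public KeyStoreHolder(String str) throws IOException, GeneralSecurityException {
        this(System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar), str, KeyStore.getDefaultType());
    }

    /**
     * Loads the keystore stored in the given file.
     *
     * @param str path of the keystore file
     * @param str2 keystore password; {@code null} is treated as the empty string
     * @param str3 keystore type; {@code null} selects {@link KeyStore#getDefaultType()}
     * @throws KeyStoreException if the type is unavailable or the loaded keystore is empty
     * @throws NoSuchProviderException if the cryptography provider cannot be initialised
     * @throws IOException if the file cannot be opened, read or closed
     */
    public KeyStoreHolder(String str, String str2, String str3) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, IOException {
        String password = str2 == null ? "" : str2;
        try {
            InitJCE.init();
            this.keyStore = KeyStore.getInstance(str3 == null ? KeyStore.getDefaultType() : str3);
            // Close the file handle on every path; it was previously left open,
            // including when load() rejected the file or the password.
            try (FileInputStream rawStream = new FileInputStream(str)) {
                this.keyStore.load(new UnsynchronizedBufferedInputStream(rawStream), password.toCharArray());
            }
            // An empty store has no trust anchors, so no certification path could ever be built.
            if (this.keyStore.size() == 0) {
                throw new KeyStoreException("The keystore must be not empty");
            }
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            NoSuchProviderException providerFailure = new NoSuchProviderException("Error during cryptography provider initialization. Has bcprov-jdkxx-yyy.jar been copied in the lib directory or installed in the system?");
            providerFailure.initCause(e);
            throw providerFailure;
        }
    }

    /**
     * Checks every signer of a signed S/MIME message.
     *
     * <p>For each signer whose certificate is found among the certificates carried by
     * the message, the signature is verified against that certificate and a
     * certification path to the keystore is searched. Callers should treat a signer as
     * trusted only when the resulting entry reports a valid signature <em>and</em> a
     * non-null certification path.
     *
     * <p>Signers with no matching certificate in the message produce no entry, so the
     * returned list can be shorter than the signer list, or empty.
     *
     * @param sMIMESigned the signed message to inspect
     * @return one entry per signer that could be evaluated
     * @throws Exception if the certificate store cannot be built or path validation fails unexpectedly
     */
    public List<SMIMESignerInfo> verifySignatures(SMIMESigned sMIMESigned) throws Exception {
        // Certificates and CRLs below are taken from the message, i.e. they are sender-controlled.
        CertStore messageCerts = new JcaCertStoreBuilder().addCertificates(sMIMESigned.getCertificates()).addCRLs(sMIMESigned.getCRLs()).build();
        Collection<SignerInformation> signers = sMIMESigned.getSignerInfos().getSigners();
        List<SMIMESignerInfo> results = new ArrayList<>(signers.size());
        for (SignerInformation signer : signers) {
            // NOTE(review): the lookup uses only the subject key identifier of the signer id;
            // confirm how the selector behaves when the signer is identified by issuer and
            // serial number instead, so that it cannot match an unrelated certificate.
            Collection<? extends Certificate> candidates = messageCerts.getCertificates(new JcaX509CertSelectorConverter().getCertSelector(new X509CertificateHolderSelector(signer.getSID().getSubjectKeyIdentifier())));
            if (candidates.isEmpty()) {
                continue;
            }
            // Only the first matching certificate is considered.
            X509Certificate signerCert = (X509Certificate) candidates.iterator().next();
            // May be null: no path from signerCert to a keystore entry was found.
            CertPath certPath = verifyCertificate(signerCert, messageCerts, this.keyStore);
            try {
                // NOTE(review): when verify() returns false without throwing, no entry is
                // recorded for this signer; only a thrown exception yields a "false" entry.
                // Confirm that callers do not read a missing entry as success.
                if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(signerCert))) {
                    results.add(new SMIMESignerInfo(signerCert, certPath, true));
                }
            } catch (Exception e) {
                // Deliberate: any verification failure is reported as an invalid signature.
                results.add(new SMIMESignerInfo(signerCert, certPath, false));
            }
        }
        return results;
    }

    /**
     * Searches a PKIX certification path from the given certificate to a trusted entry
     * of the keystore, using the certificates of the message as intermediates.
     *
     * <p>Revocation checking is disabled, so CRLs present in {@code certStore} do not
     * influence the result and a revoked certificate can still yield a path.
     *
     * @param x509Certificate the signer certificate to validate
     * @param certStore additional certificates available for path building
     * @param keyStore the trust anchors
     * @return the certification path, or {@code null} when none can be built
     * @throws MessagingException if the path builder cannot be set up or rejects its parameters
     */
    private static CertPath verifyCertificate(X509Certificate x509Certificate, CertStore certStore, KeyStore keyStore) throws InvalidAlgorithmParameterException, KeyStoreException, MessagingException, CertPathBuilderException {
        Preconditions.checkNotNull(x509Certificate);
        Preconditions.checkNotNull(certStore);
        Preconditions.checkNotNull(keyStore);
        try {
            CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", BC);
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(x509Certificate);
            PKIXBuilderParameters params = new PKIXBuilderParameters(keyStore, target);
            params.addCertStore(certStore);
            // Revocation status is not consulted during path building.
            params.setRevocationEnabled(false);
            try {
                return pathBuilder.build(params).getCertPath();
            } catch (InvalidAlgorithmParameterException e) {
                throw new MessagingException("Error during the certification path search.", e);
            } catch (CertPathBuilderException e) {
                // No path to a trust anchor: reported as "untrusted", not as an error.
                return null;
            }
        } catch (MessagingException e) {
            // Already carries the specific message; do not re-wrap it under the
            // misleading "creation of the certpathbuilder" text below.
            throw e;
        } catch (Exception e) {
            throw new MessagingException("Error during the creation of the certpathbuilder.", e);
        }
    }
}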
