package org.apache.james.jdkim;

import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.apache.james.jdkim.api.BodyHasher;
import org.apache.james.jdkim.api.DKIMVerifier;
import org.apache.james.jdkim.api.Headers;
import org.apache.james.jdkim.api.PublicKeyRecord;
import org.apache.james.jdkim.api.PublicKeyRecordRetriever;
import org.apache.james.jdkim.api.SignatureRecord;
import org.apache.james.jdkim.exceptions.FailException;
import org.apache.james.jdkim.exceptions.PermFailException;
import org.apache.james.jdkim.exceptions.TempFailException;
import org.apache.james.jdkim.impl.BodyHasherImpl;
import org.apache.james.jdkim.impl.CompoundBodyHasher;
import org.apache.james.jdkim.impl.DNSPublicKeyRecordRetriever;
import org.apache.james.jdkim.impl.HttpPublicKeyRecordRetriever;
import org.apache.james.jdkim.impl.Message;
import org.apache.james.jdkim.impl.MultiplexingPublicKeyRecordRetriever;
import org.apache.james.jdkim.impl.StoredPublicKeyRecordRetriever;
import org.apache.james.jdkim.tagvalue.PublicKeyRecordImpl;
import org.apache.james.jdkim.tagvalue.SignatureRecordImpl;

/* loaded from: input_file:org/apache/james/jdkim/DKIMVerifierImpl.class */
public class DKIMVerifierImpl extends DKIMCommon implements DKIMVerifier {
    protected int allowableFutureSeconds = 0;
    private PublicKeyRecordRetriever publicKeyRecordRetriever;

    public DKIMVerifierImpl() {
        MultiplexingPublicKeyRecordRetriever multiplexingPublicKeyRecordRetriever = new MultiplexingPublicKeyRecordRetriever();
        multiplexingPublicKeyRecordRetriever.addRetriever("dns", new DNSPublicKeyRecordRetriever());
        multiplexingPublicKeyRecordRetriever.addRetriever("http", new HttpPublicKeyRecordRetriever());
        this.publicKeyRecordRetriever = multiplexingPublicKeyRecordRetriever;
    }

    public DKIMVerifierImpl(PublicKeyRecordRetriever publicKeyRecordRetriever) {
        this.publicKeyRecordRetriever = publicKeyRecordRetriever;
    }

    public static void clearStoredKeys() {
        StoredPublicKeyRecordRetriever.clearKeys();
    }

    public static void addStoredKey(String str, String str2, String str3) {
        StoredPublicKeyRecordRetriever.addKey(str, str2, str3);
    }

    protected PublicKeyRecord newPublicKeyRecord(String str) {
        return new PublicKeyRecordImpl(str);
    }

    public SignatureRecord newSignatureRecord(String str) {
        return new SignatureRecordImpl(str);
    }

    protected BodyHasherImpl newBodyHasher(SignatureRecord signatureRecord) throws PermFailException {
        return new BodyHasherImpl(signatureRecord);
    }

    protected PublicKeyRecordRetriever getPublicKeyRecordRetriever() throws PermFailException {
        return this.publicKeyRecordRetriever;
    }

    public PublicKeyRecord publicKeySelector(List<String> list) throws PermFailException {
        String str = null;
        if (list == null || list.isEmpty()) {
            str = "no key for signature";
        } else {
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                try {
                    PublicKeyRecord newPublicKeyRecord = newPublicKeyRecord(it.next());
                    newPublicKeyRecord.validate();
                    return newPublicKeyRecord;
                } catch (IllegalStateException e) {
                    str = "invalid key for signature: " + e.getMessage();
                }
            }
        }
        throw new PermFailException(str);
    }

    public static void apply(PublicKeyRecord publicKeyRecord, SignatureRecord signatureRecord) throws PermFailException {
        try {
            if (!publicKeyRecord.getGranularityPattern().matcher(signatureRecord.getIdentityLocalPart()).matches()) {
                throw new PermFailException("inapplicable key identity local=" + signatureRecord.getIdentityLocalPart() + " Pattern: " + publicKeyRecord.getGranularityPattern().pattern(), signatureRecord.getIdentity().toString());
            }
            if (!publicKeyRecord.isHashMethodSupported(signatureRecord.getHashMethod())) {
                throw new PermFailException("inappropriate hash for a=" + signatureRecord.getHashKeyType() + "/" + signatureRecord.getHashMethod(), signatureRecord.getIdentity().toString());
            }
            if (!publicKeyRecord.isKeyTypeSupported(signatureRecord.getHashKeyType())) {
                throw new PermFailException("inappropriate key type for a=" + signatureRecord.getHashKeyType() + "/" + signatureRecord.getHashMethod(), signatureRecord.getIdentity().toString());
            }
            if (publicKeyRecord.isDenySubdomains() && !signatureRecord.getIdentity().toString().toLowerCase().endsWith(("@" + signatureRecord.getDToken()).toLowerCase())) {
                throw new PermFailException("AUID in subdomain of SDID is not allowed by the public key record.", signatureRecord.getIdentity().toString());
            }
        } catch (IllegalStateException e) {
            throw new PermFailException("Invalid public key: " + e.getMessage(), signatureRecord.getIdentity().toString());
        }
    }

    public PublicKeyRecord publicRecordLookup(SignatureRecord signatureRecord) throws TempFailException, PermFailException {
        PublicKeyRecord publicKeyRecord = null;
        TempFailException tempFailException = null;
        PermFailException permFailException = null;
        Iterator it = signatureRecord.getRecordLookupMethods().iterator();
        while (publicKeyRecord == null && it.hasNext()) {
            try {
                PublicKeyRecord publicKeySelector = publicKeySelector(getPublicKeyRecordRetriever().getRecords((CharSequence) it.next(), signatureRecord.getSelector().toString(), signatureRecord.getDToken().toString()));
                apply(publicKeySelector, signatureRecord);
                publicKeyRecord = publicKeySelector;
            } catch (TempFailException e) {
                tempFailException = e;
            } catch (PermFailException e2) {
                permFailException = e2;
            }
        }
        if (publicKeyRecord != null) {
            return publicKeyRecord;
        }
        if (tempFailException != null) {
            if (signatureRecord != null) {
                tempFailException.setRelatedRecordIdentity(signatureRecord.getIdentity().toString());
            }
            throw tempFailException;
        }
        if (permFailException == null) {
            throw new PermFailException("no key for signature [unexpected condition]", signatureRecord.getIdentity().toString());
        }
        if (signatureRecord != null) {
            permFailException.setRelatedRecordIdentity(signatureRecord.getIdentity().toString());
        }
        throw permFailException;
    }

    public List<SignatureRecord> verify(InputStream inputStream) throws IOException, FailException {
        try {
            try {
                try {
                    try {
                        Message message = new Message(inputStream);
                        try {
                            List<SignatureRecord> verify = verify(message, message.getBodyInputStream());
                            message.dispose();
                            inputStream.close();
                            return verify;
                        } catch (Throwable th) {
                            message.dispose();
                            throw th;
                        }
                    } catch (IOException e) {
                        throw e;
                    }
                } catch (Exception e2) {
                    throw new PermFailException("Mime parsing exception: " + e2.getMessage(), e2);
                }
            } catch (RuntimeException e3) {
                throw e3;
            }
        } catch (Throwable th2) {
            inputStream.close();
            throw th2;
        }
    }

    public BodyHasher newBodyHasher(Headers headers) throws FailException {
        int indexOf;
        List<String> fields = headers.getFields("DKIM-Signature");
        if (fields == null || fields.isEmpty()) {
            return null;
        }
        HashMap hashMap = new HashMap();
        Hashtable hashtable = new Hashtable();
        for (String str : fields) {
            try {
                indexOf = str.indexOf(58);
            } catch (PermFailException e) {
                hashtable.put(str, e);
            } catch (TempFailException e2) {
                hashtable.put(str, e2);
            } catch (RuntimeException e3) {
                hashtable.put(str, new PermFailException("Unexpected exception processing signature", e3));
            }
            if (indexOf <= 0) {
                throw new PermFailException("unexpected bad signature field");
            }
            try {
                SignatureRecord newSignatureRecord = newSignatureRecord(str.substring(indexOf + 1, str.length()));
                newSignatureRecord.validate();
                if (newSignatureRecord.getSignatureTimestamp() != null) {
                    long currentTimeMillis = (System.currentTimeMillis() / 1000) - newSignatureRecord.getSignatureTimestamp().longValue();
                    if (currentTimeMillis < -94608000) {
                        throw new PermFailException("Signature date is more than " + ((-currentTimeMillis) / 31536000) + " years in the future.");
                    }
                    if (currentTimeMillis < -7776000) {
                        throw new PermFailException("Signature date is more than " + ((-currentTimeMillis) / 2592000) + " months in the future.");
                    }
                    if (currentTimeMillis < -259200) {
                        throw new PermFailException("Signature date is more than " + ((-currentTimeMillis) / 86400) + " days in the future.");
                    }
                    if (currentTimeMillis < -10800) {
                        throw new PermFailException("Signature date is more than " + ((-currentTimeMillis) / 3600) + " hours in the future.");
                    }
                    if (currentTimeMillis < -180) {
                        throw new PermFailException("Signature date is more than " + ((-currentTimeMillis) / 60) + " minutes in the future.");
                    }
                    if (currentTimeMillis < (-this.allowableFutureSeconds)) {
                        throw new PermFailException("Signature date is " + currentTimeMillis + " seconds in the future.");
                    }
                }
                signatureVerify(headers, newSignatureRecord, newSignatureRecord.getSignature(), publicRecordLookup(newSignatureRecord), newSignatureRecord.getHeaders());
                hashMap.put(str, newBodyHasher(newSignatureRecord));
            } catch (IllegalStateException e4) {
                throw new PermFailException("Invalid signature record: " + e4.getMessage(), e4);
            }
        }
        if (!hashMap.isEmpty()) {
            return new CompoundBodyHasher(hashMap, hashtable);
        }
        if (hashtable.size() > 0) {
            throw prepareException(hashtable);
        }
        throw new PermFailException("Unexpected condition with " + fields);
    }

    public List<SignatureRecord> verify(Headers headers, InputStream inputStream) throws IOException, FailException {
        BodyHasher newBodyHasher = newBodyHasher(headers);
        if (newBodyHasher == null) {
            return null;
        }
        CompoundBodyHasher validateBodyHasher = validateBodyHasher(newBodyHasher);
        DKIMCommon.streamCopy(inputStream, validateBodyHasher.getOutputStream());
        return verify(validateBodyHasher);
    }

    public List<SignatureRecord> verify(BodyHasher bodyHasher) throws FailException {
        if (bodyHasher == null) {
            return null;
        }
        return verify(validateBodyHasher(bodyHasher));
    }

    private CompoundBodyHasher validateBodyHasher(BodyHasher bodyHasher) throws PermFailException {
        if (bodyHasher instanceof CompoundBodyHasher) {
            return (CompoundBodyHasher) bodyHasher;
        }
        throw new PermFailException("Unexpected BodyHasher type: this is not generated by DKIMVerifier!");
    }

    private List<SignatureRecord> verify(CompoundBodyHasher compoundBodyHasher) throws FailException {
        LinkedList linkedList = new LinkedList();
        for (BodyHasherImpl bodyHasherImpl : compoundBodyHasher.getBodyHashJobs().values()) {
            if (Arrays.equals(bodyHasherImpl.getSignatureRecord().getBodyHash(), bodyHasherImpl.getDigest())) {
                linkedList.add(bodyHasherImpl.getSignatureRecord());
            } else {
                compoundBodyHasher.getSignatureExceptions().put("DKIM-Signature:" + bodyHasherImpl.getSignatureRecord().toString(), new PermFailException("Computed bodyhash is different from the expected one"));
            }
        }
        if (linkedList.isEmpty()) {
            throw prepareException(compoundBodyHasher.getSignatureExceptions());
        }
        return linkedList;
    }

    private FailException prepareException(Map<String, FailException> map) {
        return map.size() == 1 ? map.values().iterator().next() : new PermFailException("found " + map.size() + " invalid signatures");
    }

    private void signatureVerify(Headers headers, SignatureRecord signatureRecord, byte[] bArr, PublicKeyRecord publicKeyRecord, List<CharSequence> list) throws PermFailException {
        try {
            Signature signature = Signature.getInstance(signatureRecord.getHashMethod().toString().toUpperCase() + "with" + signatureRecord.getHashKeyType().toString().toUpperCase());
            try {
                signature.initVerify(publicKeyRecord.getPublicKey());
                signatureCheck(headers, signatureRecord, list, signature);
                if (!signature.verify(bArr)) {
                    throw new PermFailException("Header signature does not verify");
                }
            } catch (IllegalStateException e) {
                throw new PermFailException("Invalid Public Key: " + e.getMessage(), e);
            }
        } catch (InvalidKeyException e2) {
            throw new PermFailException(e2.getMessage(), e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new PermFailException(e3.getMessage(), e3);
        } catch (SignatureException e4) {
            throw new PermFailException(e4.getMessage(), e4);
        }
    }
}
