package badpenguin.dkim;

import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;
import java.util.Stack;
import java.util.Vector;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

/* loaded from: input_file:badpenguin/dkim/Verifier.class */
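/**
 * Verifies DKIM and DomainKey signatures on a mail message.
 *
 * <p>A verification call returns normally only when a signature verified; every
 * other outcome is reported by throwing {@link DkimException}. Callers therefore
 * treat "no exception" as "authenticated", so no code path in this class may
 * return normally after an error.
 */
public class Verifier {
    /**
     * Value the signature tag getters are compared against to detect an absent tag.
     * NOTE(review): this literal looks mangled (decompiler output); confirm the real
     * sentinel against DkimSignature before relying on these comparisons.
     */
    private static final String ABSENT_TAG = "��";

    // Preferred signature type; compared case-insensitively with "DKIM" and "DomainKey".
    private String sigPref = null;
    // Passed to every DkimSignature and used to accept an empty key granularity.
    private boolean leniency = false;
    // Source of the public keys looked up for a signature's DNS record.
    private NSKeyStore keyStore = null;
    // When true, signatures of the non-preferred type are tried as well.
    private boolean tryBoth = false;
    // Signing domains (d= tag) whose signatures are always rejected.
    private Vector<String> badDomains = null;
    // Upper bound on the number of signatures attempted per message (at least 1).
    private int maxSigs;

    /**
     * Creates a verifier.
     *
     * @param nSKeyStore key store used to fetch public keys
     * @param str preferred signature type ("DKIM" or "DomainKey")
     * @param z whether to fall back to the other signature type
     */
    public Verifier(NSKeyStore nSKeyStore, String str, boolean z) {
        _Verifier(nSKeyStore, str, z);
    }

    /**
     * Creates a verifier that also tries the non-preferred signature type.
     *
     * @param nSKeyStore key store used to fetch public keys
     * @param str preferred signature type ("DKIM" or "DomainKey")
     */
    public Verifier(NSKeyStore nSKeyStore, String str) {
        _Verifier(nSKeyStore, str, true);
    }

    /**
     * Creates a verifier that prefers DKIM and falls back to DomainKey.
     *
     * @param nSKeyStore key store used to fetch public keys
     */
    public Verifier(NSKeyStore nSKeyStore) {
        _Verifier(nSKeyStore, "DKIM", true);
    }

    /** Shared constructor body: strict parsing, empty blocklist, one signature per message. */
    private void _Verifier(NSKeyStore nSKeyStore, String str, boolean z) {
        this.tryBoth = z;
        this.sigPref = str;
        this.keyStore = nSKeyStore;
        this.leniency = false;
        this.badDomains = new Vector<>();
        this.maxSigs = 1;
    }

    /**
     * Enables or disables lenient handling.
     *
     * @param z true to relax parsing and the empty-granularity check
     */
    public void setleniency(boolean z) {
        this.leniency = z;
    }

    /**
     * Sets whether signatures of the non-preferred type are tried as well.
     *
     * @param z true to try both signature types
     */
    public void tryBoth(boolean z) {
        this.tryBoth = z;
    }

    /**
     * Adds several signing domains to the blocklist.
     *
     * @param strArr domains to reject
     */
    public void setBadDomains(String[] strArr) {
        for (String domain : strArr) {
            this.badDomains.add(domain);
        }
    }

    /**
     * Adds one signing domain to the blocklist.
     *
     * @param str domain to reject
     */
    public void addBadDomain(String str) {
        this.badDomains.add(str);
    }

    /**
     * Sets how many signatures may be attempted per message.
     *
     * @param i requested limit; values below 1 are raised to 1
     */
    public void setMaximumSigs(int i) {
        this.maxSigs = i < 1 ? 1 : i;
    }

    /**
     * @return the maximum number of signatures attempted per message
     */
    public int getMaximumSigs() {
        return this.maxSigs;
    }

    /**
     * Rejects a signature whose signing domain (d= tag) is on the blocklist.
     *
     * @param dkimSignature signature being verified
     * @param z true for a DKIM signature, false for a DomainKey signature
     * @throws DkimException if the signing domain is blocklisted
     */
    private void checkBadDomains(DkimSignature dkimSignature, boolean z) throws DkimException {
        String signingDomain = dkimSignature.getDtag();
        // Domain names are case-insensitive, so an exact-case lookup would let
        // "Example.COM" slip past a blocklist entry for "example.com".
        // Iterating a Vector is not atomic, hence the explicit lock on it.
        synchronized (this.badDomains) {
            for (String blocked : this.badDomains) {
                if (blocked == null || !blocked.equalsIgnoreCase(signingDomain)) {
                    continue;
                }
                if (!z) {
                    throw new DkimException(DkimError.bad, "The message is signed by an untrusted/Bad domain");
                }
                throw new DkimException(DkimError.SIGFAIL, "The message is signed by an untrusted/Bad domain");
            }
        }
    }

    /**
     * Compares the digest of the canonicalised body with the signature's body hash.
     *
     * @param dkimSignature signature carrying the expected body hash
     * @param str canonicalised body
     * @throws DkimException if the hash differs or the digest algorithm is unavailable
     */
    private void checkBodyHash(DkimSignature dkimSignature, String str) throws DkimException {
        try {
            // NOTE(review): anything other than SHA256withRSA falls back to SHA-1.
            // RFC 8301 retires rsa-sha1 for DKIM; consider reporting such results as weaker.
            String digestName = dkimSignature.getJavaAlg().equals("SHA256withRSA") ? "SHA-256" : "SHA-1";
            MessageDigest messageDigest = MessageDigest.getInstance(digestName);
            // NOTE(review): getBytes() uses the platform default charset, so the digest
            // input depends on JVM configuration; confirm how the body string was decoded
            // and pin the same charset here.
            messageDigest.update(str.getBytes());
            // NOTE(review): sun.misc.BASE64Encoder is JDK-internal and missing from
            // current JDKs; java.util.Base64 is the supported API on Java 8+.
            String computed = new BASE64Encoder().encode(messageDigest.digest());
            if (!computed.equals(dkimSignature.getBodyHash())) {
                throw new DkimException(DkimError.BODYHASH, "The body hash did not verify");
            }
        } catch (NoSuchAlgorithmException e) {
            throw new DkimException(DkimError.LIBERROR, "Java couldn't find the required hash algorithm", e);
        }
    }

    /**
     * Checks the expiry (x=) tag against the timestamp (t=) tag and the reference time.
     *
     * @param dkimSignature signature being verified
     * @param j reference time in seconds since the epoch; 0 means "now"
     * @throws DkimException if a tag is malformed, t= is later than x=, or the signature expired
     */
    private void checkExpireTime(DkimSignature dkimSignature, long j) throws DkimException {
        String xtag = dkimSignature.getXtag();
        if (xtag.equals(ABSENT_TAG)) {
            return;
        }
        if (xtag.length() > 12) {
            throw new DkimException(DkimError.SIGSYNTAX, "The expires tag is > 12 chars");
        }
        // Tag values come from the message, so a non-numeric value must surface as a
        // DkimException rather than an unchecked NumberFormatException.
        long expires;
        try {
            expires = Long.parseLong(xtag);
        } catch (NumberFormatException e) {
            throw new DkimException(DkimError.SIGSYNTAX, "The expires tag is not a valid number", e);
        }
        String ttag = dkimSignature.getTtag();
        if (!ttag.equals(ABSENT_TAG)) {
            long signedAt;
            try {
                signedAt = Long.parseLong(ttag);
            } catch (NumberFormatException e) {
                throw new DkimException(DkimError.SIGSYNTAX, "The timestamp tag is not a valid number", e);
            }
            if (signedAt > expires) {
                throw new DkimException(DkimError.SIGFAIL, "The timestamp tag is newer than the expire tag");
            }
        }
        long now = j == 0 ? new Date().getTime() / 1000 : j;
        if (expires < now) {
            throw new DkimException(DkimError.SIGEXPIRED, "The Signature has expired");
        }
    }

    /**
     * Checks that the key's granularity (g=) covers the local part of the identity (i=).
     *
     * @param dkimSignature signature being verified
     * @param nSKey candidate key
     * @throws DkimException if the local part does not match the granularity
     */
    private void checkGranularity(DkimSignature dkimSignature, NSKey nSKey) throws DkimException {
        String granularity = nSKey.getGranularity();
        if (granularity.equals("*")) {
            return;
        }
        if (this.leniency && granularity.isEmpty()) {
            return;
        }
        String itag = dkimSignature.getItag();
        if (itag.equals(ABSENT_TAG)) {
            return;
        }
        int at = itag.indexOf("@");
        if (at <= 0) {
            // No local part to compare.
            return;
        }
        // The granularity comes from the key record, so only '*' is treated as a
        // wildcard; every other character is quoted. Passing the raw value to the
        // regex engine would let characters such as '.', '(' or '+' change the match
        // or throw an unchecked PatternSyntaxException.
        StringBuilder pattern = new StringBuilder();
        int start = 0;
        int star = granularity.indexOf('*', start);
        while (star >= 0) {
            pattern.append(java.util.regex.Pattern.quote(granularity.substring(start, star))).append(".*");
            start = star + 1;
            star = granularity.indexOf('*', start);
        }
        pattern.append(java.util.regex.Pattern.quote(granularity.substring(start)));
        if (!itag.substring(0, at).matches(pattern.toString())) {
            throw new DkimException(DkimError.KEYFAIL, "Key Granularity is not applicable for Signature");
        }
    }

    /**
     * Enforces the key's "no sub-domains" restriction: the domain of i= must equal d=.
     *
     * @param dkimSignature signature being verified
     * @param nSKey candidate key
     * @throws DkimException if the key forbids sub-domains and the domains differ
     */
    private void checkSubdomains(DkimSignature dkimSignature, NSKey nSKey) throws DkimException {
        if (!nSKey.noSubdomains()) {
            return;
        }
        String itag = dkimSignature.getItag();
        if (itag.equals(ABSENT_TAG)) {
            return;
        }
        // With no '@' present indexOf returns -1 and the whole value is compared.
        String identityDomain = itag.substring(itag.indexOf('@') + 1);
        // NOTE(review): this comparison is case-sensitive; verify that DkimSignature
        // normalises the case of both tags, otherwise valid mail may be rejected.
        if (!identityDomain.equals(dkimSignature.getDtag())) {
            throw new DkimException(DkimError.KEYFAIL, "Key can not be used for sub-domains");
        }
    }

    /**
     * Checks that the signature algorithm (a=) ends with one of the key's hash algorithms.
     *
     * @param dkimSignature signature being verified
     * @param nSKey candidate key
     * @throws DkimException if no listed hash algorithm matches
     */
    private void checkHashAlgorithm(DkimSignature dkimSignature, NSKey nSKey) throws DkimException {
        String atag = dkimSignature.getAtag();
        // An empty entry matches any algorithm, because endsWith("") is always true.
        for (String allowed : nSKey.getHashAlgorithm().split(":")) {
            if (atag.endsWith(allowed)) {
                return;
            }
        }
        throw new DkimException(DkimError.KEYHASH, "The key algorithm does not match the Signature.");
    }

    /**
     * Verifies a message using the current time for the expiry check.
     *
     * @param inputStream raw message
     * @throws IOException if the message cannot be read
     * @throws DkimException if no signature verified
     */
    public void verifyMail(InputStream inputStream) throws IOException, DkimException {
        verifyMail(inputStream, 0L);
    }

    /**
     * Verifies a message; returns normally only when a signature verified.
     *
     * <p>With a signature limit of 1 a single header chosen by the canonicaliser is
     * checked. Otherwise signatures of the preferred type are tried first, then (if
     * enabled) the other type, until one verifies or the limit is reached. On failure
     * the last temporary failure is thrown in preference to the last permanent one.
     *
     * @param inputStream raw message
     * @param j reference time in seconds since the epoch for the expiry check; 0 means "now"
     * @throws IOException if the message cannot be read
     * @throws DkimException if no signature verified
     */
    public void verifyMail(InputStream inputStream, long j) throws IOException, DkimException {
        Canonicaliser canonicaliser = new Canonicaliser(this.sigPref);
        MailMessage mailMessage = new MailMessage();
        mailMessage.processMail(inputStream);
        int dkimHeaderCount = mailMessage.dkimHeaderCount();
        int domkeyHeaderCount = mailMessage.domkeyHeaderCount();
        if (dkimHeaderCount == 0 && domkeyHeaderCount == 0) {
            throw new DkimException(DkimError.NOSIG, "There are no Signatures in this message");
        }
        if (dkimHeaderCount == 0 && this.sigPref.equalsIgnoreCase("DKIM") && !this.tryBoth) {
            throw new DkimException(DkimError.NOSIG, "There are no DKIM Signatures in this message");
        }
        if (domkeyHeaderCount == 0 && this.sigPref.equalsIgnoreCase("DomainKey") && !this.tryBoth) {
            throw new DkimException(DkimError.NOSIG, "There are no DomainKey Signatures in this message");
        }
        if (this.maxSigs == 1) {
            processSignature(new DkimSignature(canonicaliser.initVerify(mailMessage.getHeaders(), this.tryBoth), this.leniency), canonicaliser, mailMessage, j);
            return;
        }
        canonicaliser.initVerify(mailMessage.getHeaders());
        Stack<String> dkimHeaders = canonicaliser.getDkimHeaders();
        Stack<String> domKeyHeaders = canonicaliser.getDomKeyHeaders();
        // Any preference other than "DKIM" is handled as DomainKey-first.
        boolean preferDkim = this.sigPref.equalsIgnoreCase("DKIM");
        Stack<String> preferred = preferDkim ? dkimHeaders : domKeyHeaders;
        Stack<String> fallback = preferDkim ? domKeyHeaders : dkimHeaders;

        int attempts = 0;
        DkimException tempFailure = null;
        DkimException permFailure = null;
        for (int pass = 0; pass < 2; pass++) {
            Stack<String> pending = pass == 0 ? preferred : fallback;
            // The second pass (other signature type) runs only when tryBoth is set.
            while ((pass == 0 || this.tryBoth) && !pending.isEmpty() && attempts < this.maxSigs) {
                attempts++;
                try {
                    processSignature(new DkimSignature(pending.pop(), this.leniency), canonicaliser, mailMessage, j);
                    return;
                } catch (DkimException e) {
                    if (e.getErrorType().equals(ErrorType.TEMPFAIL)) {
                        tempFailure = e;
                    } else {
                        permFailure = e;
                    }
                }
            }
        }
        if (tempFailure != null) {
            throw tempFailure;
        }
        if (permFailure != null) {
            throw permFailure;
        }
        // No signature was attempted at all (for example an unrecognised preference
        // with tryBoth off). Throwing a null reference here would surface as a
        // NullPointerException instead of a verification failure.
        throw new DkimException(DkimError.NOSIG, "There are no usable Signatures in this message");
    }

    /**
     * Runs every check for one signature and verifies it cryptographically.
     *
     * <p>Returns normally only when the signature verified; every failure is thrown.
     *
     * @param dkimSignature parsed signature header
     * @param canonicaliser canonicaliser initialised for this message
     * @param mailMessage parsed message
     * @param j reference time in seconds since the epoch for the expiry check; 0 means "now"
     * @throws IOException if the signature value cannot be decoded
     * @throws DkimException if any check or the signature verification fails
     */
    private void processSignature(DkimSignature dkimSignature, Canonicaliser canonicaliser, MailMessage mailMessage, long j) throws IOException, DkimException {
        String signedHeaders = canonicaliser.processHeaders(dkimSignature);
        dkimSignature.checkValidity();
        boolean isDKIM = dkimSignature.isDKIM();
        checkExpireTime(dkimSignature, j);
        checkBadDomains(dkimSignature, isDKIM);
        // NOTE(review): the l= tag is handed to the canonicaliser, presumably to limit
        // how much of the body is covered; content beyond that length would then be
        // unauthenticated even though verification succeeds. Confirm and consider
        // exposing this to callers.
        String signedBody = canonicaliser.processBody(mailMessage.getBody(), dkimSignature.getLtag(), dkimSignature.getBodyMethod());
        NSKey[] candidates = this.keyStore.retrieveKeys(dkimSignature.getDnsRecord());

        // Pick the first key that passes all key-level checks, collecting the
        // failures of the rejected ones into a single message.
        NSKey chosenKey = null;
        String failures = null;
        DkimException keyFailure = null;
        int candidateCount = candidates == null ? 0 : candidates.length;
        for (int i = 0; i < candidateCount; i++) {
            try {
                candidates[i].getKey();
                checkGranularity(dkimSignature, candidates[i]);
                checkSubdomains(dkimSignature, candidates[i]);
                checkHashAlgorithm(dkimSignature, candidates[i]);
                chosenKey = candidates[i];
                break;
            } catch (DkimException e) {
                if (failures == null) {
                    keyFailure = e;
                    failures = "Key " + i + ": " + e.getMessage();
                } else {
                    failures = failures.concat(", Key " + i + ": " + e.getMessage());
                    keyFailure = new DkimException(e.getError(), failures);
                }
            }
        }
        if (chosenKey == null) {
            if (keyFailure == null) {
                // The key store returned no keys; report it instead of throwing null.
                throw new DkimException(DkimError.KEYFAIL, "No key was found for the Signature");
            }
            throw keyFailure;
        }
        if (isDKIM) {
            checkBodyHash(dkimSignature, signedBody);
        }
        byte[] signatureBytes = new BASE64Decoder().decodeBuffer(dkimSignature.getBtag());
        try {
            Signature signature = Signature.getInstance(dkimSignature.getJavaAlg());
            signature.initVerify(chosenKey.getKey());
            // NOTE(review): getBytes() uses the platform default charset here as well;
            // pin the charset the canonicalised strings were decoded with.
            signature.update(signedHeaders.getBytes());
            if (!isDKIM) {
                // A DomainKey signature covers headers, a CRLF separator and the body.
                signature.update("\r\n".getBytes());
                signature.update(signedBody.getBytes());
            }
            if (signature.verify(signatureBytes)) {
                return;
            }
            if (!isDKIM) {
                throw new DkimException(DkimError.bad, "Message Verification Failed.");
            }
            throw new DkimException(DkimError.SIGFAIL, "Message Verification Failed.");
        } catch (InvalidKeyException e) {
            if (!isDKIM) {
                throw new DkimException(DkimError.badformat, "The Key found was invalid", e);
            }
            throw new DkimException(DkimError.KEYSYNTAX, "The Key found was invalid", e);
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: returning normally is what callers treat as a verified
            // signature, so an unavailable algorithm must not be swallowed.
            throw new DkimException(DkimError.LIBERROR, "Java couldn't find the required signature algorithm", e);
        } catch (SignatureException e) {
            if (!isDKIM) {
                throw new DkimException(DkimError.badformat, "The Key found was invalid", e);
            }
            throw new DkimException(DkimError.SIGFAIL, "Could not process the signature data", e);
        }
    }
}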
