package ee.sk.smartid;

import ee.sk.smartid.SmartIdAuthenticationResult;
import ee.sk.smartid.exception.TechnicalErrorException;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ee/sk/smartid/AuthenticationResponseValidator.class */
public class AuthenticationResponseValidator {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseValidator.class);
    private List<X509Certificate> trustedCACertificates = new ArrayList();

    public AuthenticationResponseValidator() {
        initializeTrustedCACertificatesFromKeyStore();
    }

    public SmartIdAuthenticationResult validate(SmartIdAuthenticationResponse smartIdAuthenticationResponse) {
        validateAuthenticationResponse(smartIdAuthenticationResponse);
        SmartIdAuthenticationResult smartIdAuthenticationResult = new SmartIdAuthenticationResult();
        smartIdAuthenticationResult.setAuthenticationIdentity(constructAuthenticationIdentity(smartIdAuthenticationResponse.getCertificate()));
        if (!verifyResponseEndResult(smartIdAuthenticationResponse)) {
            smartIdAuthenticationResult.setValid(false);
            smartIdAuthenticationResult.addError(SmartIdAuthenticationResult.Error.INVALID_END_RESULT);
        }
        if (!verifySignature(smartIdAuthenticationResponse)) {
            smartIdAuthenticationResult.setValid(false);
            smartIdAuthenticationResult.addError(SmartIdAuthenticationResult.Error.SIGNATURE_VERIFICATION_FAILURE);
        }
        if (!verifyCertificateExpiry(smartIdAuthenticationResponse.getCertificate())) {
            smartIdAuthenticationResult.setValid(false);
            smartIdAuthenticationResult.addError(SmartIdAuthenticationResult.Error.CERTIFICATE_EXPIRED);
        }
        if (!isCertificateTrusted(smartIdAuthenticationResponse.getCertificate())) {
            smartIdAuthenticationResult.setValid(false);
            smartIdAuthenticationResult.addError(SmartIdAuthenticationResult.Error.CERTIFICATE_NOT_TRUSTED);
        }
        if (!verifyCertificateLevel(smartIdAuthenticationResponse)) {
            smartIdAuthenticationResult.setValid(false);
            smartIdAuthenticationResult.addError(SmartIdAuthenticationResult.Error.CERTIFICATE_LEVEL_MISMATCH);
        }
        return smartIdAuthenticationResult;
    }

    public List<X509Certificate> getTrustedCACertificates() {
        return this.trustedCACertificates;
    }

    public void addTrustedCACertificate(X509Certificate x509Certificate) {
        this.trustedCACertificates.add(x509Certificate);
    }

    public void addTrustedCACertificate(byte[] bArr) throws CertificateException {
        addTrustedCACertificate((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr)));
    }

    public void addTrustedCACertificate(File file) throws IOException, CertificateException {
        addTrustedCACertificate(Files.readAllBytes(file.toPath()));
    }

    public void clearTrustedCACertificates() {
        this.trustedCACertificates.clear();
    }

    private void initializeTrustedCACertificatesFromKeyStore() {
        try {
            InputStream resourceAsStream = AuthenticationResponseValidator.class.getResourceAsStream("/trusted_certificates.jks");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(resourceAsStream, "changeit".toCharArray());
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                addTrustedCACertificate((X509Certificate) keyStore.getCertificate(aliases.nextElement()));
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.error("Error initializing trusted CA certificates", e);
            throw new TechnicalErrorException("Error initializing trusted CA certificates", e);
        }
    }

    private void validateAuthenticationResponse(SmartIdAuthenticationResponse smartIdAuthenticationResponse) {
        if (smartIdAuthenticationResponse.getCertificate() == null) {
            logger.error("Certificate is not present in the authentication response");
            throw new TechnicalErrorException("Certificate is not present in the authentication response");
        }
        if (StringUtils.isEmpty(smartIdAuthenticationResponse.getSignatureValueInBase64())) {
            logger.error("Signature is not present in the authentication response");
            throw new TechnicalErrorException("Signature is not present in the authentication response");
        }
        if (smartIdAuthenticationResponse.getHashType() == null) {
            logger.error("Hash type is not present in the authentication response");
            throw new TechnicalErrorException("Hash type is not present in the authentication response");
        }
    }

    private boolean verifyResponseEndResult(SmartIdAuthenticationResponse smartIdAuthenticationResponse) {
        return "OK".equalsIgnoreCase(smartIdAuthenticationResponse.getEndResult());
    }

    private boolean verifySignature(SmartIdAuthenticationResponse smartIdAuthenticationResponse) {
        try {
            PublicKey publicKey = smartIdAuthenticationResponse.getCertificate().getPublicKey();
            Signature signature = Signature.getInstance("NONEwith" + publicKey.getAlgorithm());
            signature.initVerify(publicKey);
            signature.update(addPadding(smartIdAuthenticationResponse.getHashType().getDigestInfoPrefix(), Base64.decodeBase64(smartIdAuthenticationResponse.getSignedHashInBase64())));
            return signature.verify(smartIdAuthenticationResponse.getSignatureValue());
        } catch (GeneralSecurityException e) {
            logger.error("Signature verification failed");
            throw new TechnicalErrorException("Signature verification failed", e);
        }
    }

    private boolean verifyCertificateExpiry(X509Certificate x509Certificate) {
        return !x509Certificate.getNotAfter().before(new Date());
    }

    private boolean isCertificateTrusted(X509Certificate x509Certificate) {
        for (X509Certificate x509Certificate2 : this.trustedCACertificates) {
            try {
                x509Certificate.verify(x509Certificate2.getPublicKey());
                return true;
            } catch (SignatureException e) {
            } catch (GeneralSecurityException e2) {
                logger.warn("Error verifying signer's certificate: " + x509Certificate.getSubjectDN() + " against CA certificate: " + x509Certificate2.getSubjectDN(), e2);
            }
        }
        return false;
    }

    private boolean verifyCertificateLevel(SmartIdAuthenticationResponse smartIdAuthenticationResponse) {
        CertificateLevel certificateLevel = new CertificateLevel(smartIdAuthenticationResponse.getCertificateLevel());
        String requestedCertificateLevel = smartIdAuthenticationResponse.getRequestedCertificateLevel();
        return StringUtils.isEmpty(requestedCertificateLevel) || certificateLevel.isEqualOrAbove(requestedCertificateLevel);
    }

    private static byte[] addPadding(byte[] bArr, byte[] bArr2) {
        return ArrayUtils.addAll(bArr, bArr2);
    }

    AuthenticationIdentity constructAuthenticationIdentity(X509Certificate x509Certificate) {
        AuthenticationIdentity authenticationIdentity = new AuthenticationIdentity();
        try {
            for (Rdn rdn : new LdapName(x509Certificate.getSubjectDN().getName()).getRdns()) {
                if (rdn.getType().equalsIgnoreCase("GIVENNAME")) {
                    authenticationIdentity.setGivenName(rdn.getValue().toString());
                } else if (rdn.getType().equalsIgnoreCase("SURNAME")) {
                    authenticationIdentity.setSurName(rdn.getValue().toString());
                } else if (rdn.getType().equalsIgnoreCase("SERIALNUMBER")) {
                    authenticationIdentity.setIdentityCode(rdn.getValue().toString().split("-", 2)[1]);
                } else if (rdn.getType().equalsIgnoreCase("C")) {
                    authenticationIdentity.setCountry(rdn.getValue().toString());
                }
            }
            return authenticationIdentity;
        } catch (InvalidNameException e) {
            logger.error("Error getting authentication identity from the certificate", e);
            throw new TechnicalErrorException("Error getting authentication identity from the certificate", e);
        }
    }
}
