package at.gv.egovernment.moa.id.auth.validator;

import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
import iaik.utils.RFC2253NameParserException;
import iaik.x509.X509Certificate;
import iaik.x509.X509ExtensionInitException;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.class */
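public class VerifyXMLSignatureResponseValidator {
    /** Value of the {@code str} argument of {@link #validate} when the checked object is an identity link. */
    public static final String CHECK_IDENTITY_LINK = "IdentityLink";
    /** Value of the {@code str} argument of {@link #validate} when the checked object is an auth block. */
    public static final String CHECK_AUTH_BLOCK = "AuthBlock";
    /** OID prefix that marks a test credential when the OA configuration does not supply its own list. */
    private static final String DEFAULT_TEST_CREDENTIAL_OID = "1.2.40.0.10.2.4.1";
    private static VerifyXMLSignatureResponseValidator instance;

    /**
     * Returns the lazily created, process-wide validator instance.
     *
     * @return the shared validator
     * @throws ValidateException declared for API compatibility; creation itself does not throw
     */
    public static synchronized VerifyXMLSignatureResponseValidator getInstance() throws ValidateException {
        if (instance == null) {
            instance = new VerifyXMLSignatureResponseValidator();
        }
        return instance;
    }

    /**
     * Validates a signature verification response, failing closed on the first unsatisfied check.
     *
     * <p>Checks, in order: the signature check code, the certificate check code, the qualified-certificate
     * requirement (with the test-credential OID fallback), the XMLDSIG manifest check, the signature
     * manifest check (auth block only) and, when {@code list} is given, the identity link signer
     * certificate (subject DN whitelist or signer extension OID).
     *
     * @param iVerifiyXMLSignatureResponse the verification response produced for the signed object
     * @param list                         accepted RFC 2253 subject DNs of identity link signer
     *                                     certificates, or {@code null} to skip the signer check
     * @param str                          {@link #CHECK_IDENTITY_LINK} or {@link #CHECK_AUTH_BLOCK}; any other
     *                                     value (including {@code null}) is treated as neither
     * @param iOAAuthParameters            per-online-application configuration (test credentials, base-ID restriction)
     * @param authConfiguration            global configuration (QC requirement)
     * @throws ValidateException      if any check fails; the message key names the failed check
     * @throws ConfigurationException declared for the configuration lookups used here (not thrown directly)
     */
    public void validate(IVerifiyXMLSignatureResponse iVerifiyXMLSignatureResponse, List<String> list, String str,
            IOAAuthParameters iOAAuthParameters, AuthConfiguration authConfiguration)
            throws ValidateException, ConfigurationException {
        boolean isIdentityLink = CHECK_IDENTITY_LINK.equals(str);

        // The signature itself must verify before anything else is looked at.
        if (iVerifiyXMLSignatureResponse.getSignatureCheckCode() != 0) {
            throw new ValidateException("validator.06", new Object[]{str});
        }

        // Certificate check: report a human-readable reason; the message key depends on the checked object.
        int certificateCheckCode = iVerifiyXMLSignatureResponse.getCertificateCheckCode();
        if (certificateCheckCode != 0) {
            String reason = certificateCheckMessage(certificateCheckCode);
            String messageKey = isIdentityLink ? "validator.07" : "validator.19";
            throw new ValidateException(messageKey, new Object[]{reason});
        }

        // A qualified certificate is required for everything but the identity link; a configured
        // test credential may stand in for it.
        if (authConfiguration.isCertifiacteQCActive() && !isIdentityLink
                && !iVerifiyXMLSignatureResponse.isQualifiedCertificate()) {
            verifyTestCredential(iVerifiyXMLSignatureResponse, iOAAuthParameters);
        }

        // XMLDSIG manifest check, skipped only for identity links of OAs with base-ID internal processing.
        if (isIdentityLink && iOAAuthParameters.hasBaseIdInternalProcessingRestriction()) {
            Logger.debug("OA type is business service, thus ignoring DSIG manifest validation result");
        } else if (iVerifiyXMLSignatureResponse.isXmlDSIGManigest()
                && iVerifiyXMLSignatureResponse.getXmlDSIGManifestCheckCode() != 0) {
            throw new ValidateException("validator.08", null);
        }

        // Signature manifest check applies to auth blocks only.
        if (CHECK_AUTH_BLOCK.equals(str) && iVerifiyXMLSignatureResponse.getSignatureManifestCheckCode() > 0) {
            throw new ValidateException("validator.50", null);
        }

        // Identity link signer check, only when the caller supplies a whitelist.
        if (list != null) {
            verifyIdentityLinkSigner(iVerifiyXMLSignatureResponse.getX509certificate(), list);
        }
    }

    /**
     * Maps a non-zero certificate check code to its localized message.
     *
     * @param certificateCheckCode check code from the verification response
     * @return the message for codes 1 to 5, an empty string for any other code
     */
    private static String certificateCheckMessage(int certificateCheckCode) {
        String messageKey;
        switch (certificateCheckCode) {
            case 1:
                messageKey = "validator.21";
                break;
            case 2:
                messageKey = "validator.22";
                break;
            case 3:
                messageKey = "validator.23";
                break;
            case 4:
                messageKey = "validator.24";
                break;
            case 5:
                messageKey = "validator.25";
                break;
            default:
                messageKey = null;
                break;
        }
        if (messageKey == null) {
            return "";
        }
        return MOAIDMessageProvider.getInstance().getMessage(messageKey, (Object[]) null);
    }

    /**
     * Accepts a non-qualified signer certificate only if the OA allows test credentials and the
     * certificate carries an extension whose OID starts with one of the configured test credential OIDs.
     *
     * @param response     the verification response holding the signer certificate
     * @param oaParameters per-OA configuration
     * @throws ValidateException {@code validator.71} if test credentials are disabled,
     *                           {@code validator.72} if no test credential OID is found
     */
    private static void verifyTestCredential(IVerifiyXMLSignatureResponse response, IOAAuthParameters oaParameters)
            throws ValidateException {
        if (!oaParameters.isTestCredentialEnabled()) {
            throw new ValidateException("validator.71", null);
        }
        boolean testCredentialFound = false;
        try {
            List<String> allowedOidPrefixes = new ArrayList<String>();
            if (oaParameters.getTestCredentialOIDs() != null) {
                allowedOidPrefixes.addAll(oaParameters.getTestCredentialOIDs());
            } else {
                allowedOidPrefixes.add(DEFAULT_TEST_CREDENTIAL_OID);
            }
            X509Certificate certificate = response.getX509certificate();
            // Both OID sets are inspected read-only; either may be null per the X509Extension contract,
            // so they are not merged into one another.
            testCredentialFound = containsOidWithPrefix(certificate.getCriticalExtensionOIDs(), allowedOidPrefixes)
                    || containsOidWithPrefix(certificate.getNonCriticalExtensionOIDs(), allowedOidPrefixes);
        } catch (Exception e) {
            // Best effort: any extraction failure is logged and treated as "no test credential" (fail closed).
            Logger.warn("Test credential OID extraction FAILED.", e);
        }
        if (!testCredentialFound) {
            throw new ValidateException("validator.72", null);
        }
    }

    /**
     * Reports whether any OID in {@code extensionOids} starts with one of {@code allowedPrefixes}.
     *
     * @param extensionOids   extension OIDs of a certificate, may be {@code null}
     * @param allowedPrefixes OID prefixes identifying test credentials
     * @return {@code true} on the first prefix match, {@code false} otherwise or if {@code extensionOids} is {@code null}
     */
    private static boolean containsOidWithPrefix(Set<String> extensionOids, List<String> allowedPrefixes) {
        if (extensionOids == null) {
            return false;
        }
        for (String oid : extensionOids) {
            for (String prefix : allowedPrefixes) {
                if (oid.startsWith(prefix)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks that the identity link signer certificate is either whitelisted by subject DN or carries
     * the identity link signer extension.
     *
     * @param signerCertificate  certificate that signed the identity link
     * @param allowedSubjectDns  accepted RFC 2253 subject DNs
     * @throws ValidateException {@code validator.17} if the subject DN cannot be parsed,
     *                           {@code validator.18} if neither DN nor extension matches,
     *                           {@code validator.49} if the extension cannot be read
     */
    private static void verifyIdentityLinkSigner(X509Certificate signerCertificate, List<String> allowedSubjectDns)
            throws ValidateException {
        String subjectDn;
        try {
            subjectDn = signerCertificate.getSubjectDN().getRFC2253String();
        } catch (RFC2253NameParserException e) {
            Logger.warn("Subject DN of identity link signer certificate can not be parsed.", e);
            throw new ValidateException("validator.17", null);
        }
        if (allowedSubjectDns.contains(subjectDn)) {
            Logger.debug("Identity link signer cert accepted for signing identity link: subjectDN check successfully passed.");
            return;
        }
        try {
            if (signerCertificate.getExtension(MOAIDAuthConstants.IDENTITY_LINK_SIGNER_OID) == null) {
                throw new ValidateException("validator.18", new Object[]{subjectDn});
            }
        } catch (X509ExtensionInitException e) {
            Logger.warn("Identity link signer extension of signer certificate can not be read.", e);
            throw new ValidateException("validator.49", null);
        }
        Logger.debug("Identity link signer cert accepted for signing identity link: subjectDN check failed, but OID check successfully passed.");
    }

    /**
     * Checks that the key that signed the auth block is one of the keys bound in the identity link.
     *
     * @param iVerifiyXMLSignatureResponse verification response holding the signer certificate
     * @param iIdentityLink                identity link whose public keys are compared
     * @throws ValidateException {@code validator.09} if no identity link key matches the signer key
     */
    public void validateCertificate(IVerifiyXMLSignatureResponse iVerifiyXMLSignatureResponse, IIdentityLink iIdentityLink)
            throws ValidateException {
        checkIDLAgainstSignatureCertificate(iIdentityLink.getPublicKey(),
                iVerifiyXMLSignatureResponse.getX509certificate().getPublicKey());
    }

    /**
     * Checks that {@code publicKey} equals at least one key in {@code publicKeyArr}.
     *
     * <p>RSA keys match on modulus and public exponent; EC keys are re-parsed as
     * {@code iaik.security.ec.common.ECPublicKey} and compared with {@code equals}. Keys of other or
     * mixed types never match.
     *
     * @param publicKeyArr public keys from the identity link; {@code null} or empty never matches
     * @param publicKey    public key of the signer certificate; {@code null} never matches
     * @throws ValidateException {@code validator.09} if no key matches or an EC key cannot be parsed
     */
    public void checkIDLAgainstSignatureCertificate(PublicKey[] publicKeyArr, PublicKey publicKey) throws ValidateException {
        // Fail closed instead of with a NullPointerException when either side is missing.
        if (publicKeyArr == null || publicKey == null) {
            throw new ValidateException("validator.09", null);
        }
        boolean matched = false;
        // Deliberately no early exit: an unparsable EC key anywhere in the list still rejects the
        // identity link, as the original loop did.
        for (PublicKey identityLinkKey : publicKeyArr) {
            if (keysMatch(identityLinkKey, publicKey)) {
                matched = true;
            }
        }
        if (!matched) {
            throw new ValidateException("validator.09", null);
        }
    }

    /**
     * Compares one identity link key with the signer key.
     *
     * @param identityLinkKey key from the identity link
     * @param signatureKey    key of the signer certificate
     * @return {@code true} if both are RSA keys with equal modulus and exponent, or both are EC keys
     *         that compare equal after parsing; {@code false} otherwise
     * @throws ValidateException {@code validator.09} if an EC key cannot be parsed
     */
    private static boolean keysMatch(PublicKey identityLinkKey, PublicKey signatureKey) throws ValidateException {
        if (identityLinkKey instanceof RSAPublicKey && signatureKey instanceof RSAPublicKey) {
            RSAPublicKey idlRsa = (RSAPublicKey) identityLinkKey;
            RSAPublicKey sigRsa = (RSAPublicKey) signatureKey;
            return idlRsa.getModulus().equals(sigRsa.getModulus())
                    && idlRsa.getPublicExponent().equals(sigRsa.getPublicExponent());
        }
        if (isEcKey(identityLinkKey) && isEcKey(signatureKey)) {
            try {
                // Re-encode both through the iaik EC key type so keys from different providers compare equal.
                return new iaik.security.ec.common.ECPublicKey(identityLinkKey.getEncoded())
                        .equals(new iaik.security.ec.common.ECPublicKey(signatureKey.getEncoded()));
            } catch (InvalidKeyException e) {
                Logger.warn("ECPublicKey can not parsed into a iaik.ECPublicKey", e);
                throw new ValidateException("validator.09", null);
            }
        }
        return false;
    }

    /**
     * Reports whether {@code key} is an EC key of either the JCA or the iaik type.
     *
     * @param key key to inspect
     * @return {@code true} for {@link ECPublicKey} or {@code iaik.security.ec.common.ECPublicKey}
     */
    private static boolean isEcKey(PublicKey key) {
        return key instanceof ECPublicKey || key instanceof iaik.security.ec.common.ECPublicKey;
    }
}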
