package at.gv.egovernment.moa.id.protocols.pvp2x.verification;

import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EAAFException;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.exception.SAMLMetadataSignatureException;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
import iaik.x509.X509Certificate;
import java.io.IOException;
import java.security.cert.CertificateException;
import org.opensaml.saml2.metadata.EntitiesDescriptor;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/* loaded from: input_file:at/gv/egovernment/moa/id/protocols/pvp2x/verification/EntityVerifier.class */
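public class EntityVerifier {

    /**
     * Configuration key under which a service provider's PVP2X metadata
     * signing certificate is stored (Base64 encoded DER).
     */
    private static final String PVP2X_CERTIFICATE_KEY = "protocols.pvp2x.certificate.data";

    /**
     * Verifies the XML signature of a SAML {@code EntityDescriptor} against the
     * metadata signing certificate configured for that entity.
     *
     * <p>The trusted credential is looked up by the descriptor's entity ID; the
     * descriptor itself is never used as the source of trust.
     *
     * @param entityDescriptor signed metadata whose entity ID selects the trusted certificate
     * @throws NoCredentialsException if no trusted credential exists for the entity ID
     * @throws SAMLMetadataSignatureException if the metadata is unsigned or the signature is invalid
     * @throws EAAFException on other credential lookup failures
     */
    public static void verify(EntityDescriptor entityDescriptor) throws EAAFException {
        String entityId = entityDescriptor.getEntityID();
        Credential trustedCredential = getSPTrustedCredential(entityId);
        // getSPTrustedCredential throws rather than returning null, but keep the
        // fail-closed guard so a future change to it cannot silently skip verification.
        if (trustedCredential == null) {
            throw new NoCredentialsException(entityId);
        }
        verify(entityDescriptor, trustedCredential);
    }

    /**
     * Verifies the XML signature of a SAML {@code EntityDescriptor} with the given credential.
     *
     * @param entityDescriptor signed metadata to verify
     * @param credential credential holding the public key expected to have produced the signature
     * @throws SAMLMetadataSignatureException if the metadata carries no signature, the signature
     *         does not conform to the SAML signature profile, or cryptographic validation fails
     * @throws EAAFException declared for API compatibility
     */
    public static void verify(EntityDescriptor entityDescriptor, Credential credential) throws EAAFException {
        verifySignature(entityDescriptor.getSignature(), credential);
    }

    /**
     * Verifies the XML signature of a SAML {@code EntitiesDescriptor} with the given credential.
     *
     * @param entitiesDescriptor signed metadata aggregate to verify
     * @param credential credential holding the public key expected to have produced the signature
     * @throws SAMLMetadataSignatureException if the metadata carries no signature, the signature
     *         does not conform to the SAML signature profile, or cryptographic validation fails
     * @throws EAAFException declared for API compatibility
     */
    public static void verify(EntitiesDescriptor entitiesDescriptor, Credential credential) throws EAAFException {
        verifySignature(entitiesDescriptor.getSignature(), credential);
    }

    /**
     * Shared signature check for both descriptor types.
     *
     * <p>Unsigned metadata is rejected outright. The SAML signature profile check
     * (no enveloping/detached signatures, single reference, etc.) runs before the
     * cryptographic check so that malformed signatures are rejected before any key
     * material is applied. Both failures are logged and surfaced as
     * {@link SAMLMetadataSignatureException} with the cause preserved.
     *
     * @param signature signature element of the descriptor, may be {@code null}
     * @param credential credential used for cryptographic validation
     * @throws SAMLMetadataSignatureException if the signature is absent or invalid
     */
    private static void verifySignature(Signature signature, Credential credential)
            throws SAMLMetadataSignatureException {
        if (signature == null) {
            throw new SAMLMetadataSignatureException();
        }
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            Logger.error("Failed to validate Signature", e);
            throw new SAMLMetadataSignatureException(e);
        }
        try {
            new SignatureValidator(credential).validate(signature);
        } catch (ValidationException e) {
            Logger.error("Failed to verfiy Signature", e);
            throw new SAMLMetadataSignatureException(e);
        }
    }

    /**
     * Builds the signing credential trusted for a service provider from its
     * configured metadata signing certificate.
     *
     * <p>Only the certificate's public key is placed into the credential; this
     * class performs no validity-period or chain check on the configured
     * certificate, so that has to be ensured when the configuration is maintained.
     *
     * @param str entity ID of the service provider (online application)
     * @return a {@link UsageType#SIGNING} credential carrying the configured public key
     * @throws CredentialsNotAvailableException if no certificate is configured or it cannot be loaded
     */
    public static Credential getSPTrustedCredential(String str) throws CredentialsNotAvailableException {
        X509Certificate signingCertificate = getTrustEntityCertificate(str);
        if (signingCertificate == null) {
            throw new CredentialsNotAvailableException(
                    "ServiceProvider Certificate can not be loaded from Database", (Object[]) null);
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityId(str);
        credential.setUsageType(UsageType.SIGNING);
        credential.setPublicKey(signingCertificate.getPublicKey());
        return credential;
    }

    /**
     * Loads the metadata signing certificate configured for a service provider.
     *
     * <p>Every failure mode (unknown entity, missing configuration value,
     * undecodable Base64, unparsable certificate, inaccessible configuration) is
     * logged and mapped to {@code null}; the caller treats {@code null} as
     * "no trusted credential", so verification fails closed.
     *
     * @param entityId entity ID of the service provider (online application)
     * @return the parsed certificate, or {@code null} if none could be loaded
     */
    private static X509Certificate getTrustEntityCertificate(String entityId) {
        try {
            Logger.trace("Load metadata signing certificate for online application " + entityId);
            ISPConfiguration spConfig =
                    AuthConfigurationProviderFactory.getInstance().getServiceProviderConfiguration(entityId);
            if (spConfig == null) {
                Logger.info("Online Application with ID " + entityId + " not found!");
                return null;
            }
            String encodedCertificate = spConfig.getConfigurationValue(PVP2X_CERTIFICATE_KEY);
            if (MiscUtil.isEmpty(encodedCertificate)) {
                Logger.info("Online Application with ID " + entityId
                        + " include not PVP2X metadata signing certificate!");
                return null;
            }
            X509Certificate certificate = new X509Certificate(Base64Utils.decode(encodedCertificate, false));
            Logger.debug("Metadata signing certificate is loaded for (" + entityId + ") is loaded.");
            return certificate;
        } catch (EAAFConfigurationException e) {
            Logger.error("Configuration is not accessable.", e);
            return null;
        } catch (IOException e) {
            Logger.warn("Metadata signer certificate is not decodeable.", e);
            return null;
        } catch (CertificateException e) {
            Logger.warn("Metadata signer certificate is not parsed.", e);
            return null;
        } catch (ConfigurationException e) {
            Logger.error("Configuration is not accessable.", e);
            return null;
        }
    }
}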
