package at.gv.egovernment.moa.id.auth.modules.bkamobileauthtests.tasks;

import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElement;
import at.gv.egovernment.moa.spss.api.impl.VerifyCMSSignatureRequestImpl;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.MiscUtil;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.cert.CertificateException;
import javax.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSTypedData;
import org.joda.time.DateTime;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

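/**
 * First task of the BKA mobile-authentication test module.
 *
 * <p>Reads the {@code eidToken} request parameter: a Base64-encoded CMS SignedData whose signed
 * content is a JSON "eID container" with the keys {@code salt}, {@code iv} and {@code eid}. The
 * {@code eid} value is AES/CBC/PKCS5 ciphertext; the key is derived with PBKDF2-HMAC-SHA256 from a
 * shared secret in the MOA-ID configuration. The decrypted payload is again JSON and carries the
 * Base64 identity link ({@code idl}) and the app-binding certificate ({@code cert}).
 *
 * <p>Processing order is security relevant and must not be rearranged: the CMS signature is
 * verified by MOA-SPSS (signature, certificate chain against the configured trust profile, and a
 * freshness window on the signing time) <em>before</em> anything is decrypted or parsed, and the
 * binding certificate found inside the decrypted payload must be the very certificate that produced
 * the CMS signature. Only then is the identity link written into the MOA session.
 *
 * <p>Caveats: the signing time is an attribute asserted by the signer, so the freshness window only
 * limits how long a captured blob stays usable; it does not detect a replay within the window. The
 * PBKDF2 parameters (2000 iterations, 128-bit key) are fixed by the token format produced by the
 * mobile client and cannot be raised here without breaking compatibility.
 */
@Component("FirstBKAMobileAuthTask")
public class FirstBKAMobileAuthTask extends AbstractAuthServletTask {
    /** MOA-SPSS trust profile used to validate the CMS signer certificate; mandatory. */
    private static final String CONF_MOASPSS_TRUSTPROFILE = "modules.bkamobileAuth.verify.trustprofile";
    /** Allowed deviation (minutes) of the CMS signing time from the server clock, in both directions. */
    private static final String CONF_SIGNING_TIME_JITTER = "modules.bkamobileAuth.verify.time.jitter";
    /** Shared passphrase for the eID-container encryption key; mandatory, no built-in fallback. */
    private static final String CONF_EID_TOKEN_ENCRYPTION_KEY = "modules.bkamobileAuth.eIDtoken.encryption.pass";
    private static final String EIDCONTAINER_KEY_SALT = "salt";
    private static final String EIDCONTAINER_KEY_IV = "iv";
    private static final String EIDCONTAINER_EID = "eid";
    private static final String EIDCONTAINER_KEY_IDL = "idl";
    private static final String EIDCONTAINER_KEY_BINDINGCERT = "cert";
    /** Name of the HTTP request parameter carrying the Base64 CMS blob. */
    public static final String REQ_PARAM_eID_BLOW = "eidToken";

    private static final String DEFAULT_SIGNING_TIME_JITTER_MINUTES = "5";
    // Key-derivation and cipher parameters are dictated by the token format of the mobile client.
    private static final String KDF_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KDF_ITERATIONS = 2000;
    private static final int AES_KEY_BITS = 128;
    private static final String CIPHER_TRANSFORMATION = "AES/CBC/PKCS5Padding";

    @Autowired(required = true)
    private AuthConfiguration authConfig;

    /**
     * Task entry point: requires the eID blob parameter and hands it to
     * {@link #parseDemoValuesIntoMOASession(IRequest, String)}.
     *
     * @throws TaskExecutionException on any failure, wrapping the original cause so the process
     *         engine aborts the authentication
     */
    @Override
    public void execute(ExecutionContext executionContext, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws TaskExecutionException {
        try {
            String eidBlob = httpServletRequest.getParameter(REQ_PARAM_eID_BLOW);
            if (MiscUtil.isEmpty(eidBlob)) {
                Logger.warn("NO eID data blob included!");
                throw new MOAIDException("NO eID data blob included!", (Object[]) null);
            }
            parseDemoValuesIntoMOASession(this.pendingReq, eidBlob);

        } catch (Exception e) {
            // MOAIDException and every unchecked failure are reported the same way; keep the cause chain.
            throw new TaskExecutionException(this.pendingReq, e.getMessage(), e);
        }
    }

    /**
     * Verifies, decrypts and parses the eID blob and stores the contained identity link in the
     * MOA session of {@code iRequest}.
     *
     * @param iRequest pending request whose session receives the identity link
     * @param str Base64-encoded CMS SignedData as received from the client
     * @throws MOAIDException if the signature, freshness, container format, decryption or
     *         binding-certificate check fails
     * @throws IOException if a Base64 value cannot be decoded
     */
    private void parseDemoValuesIntoMOASession(IRequest iRequest, String str) throws MOAIDException, IOException {
        Logger.debug("Check eID blob signature  ... ");
        byte[] signedBlob = Base64Utils.decode(str.trim(), false);

        // Step 1: nothing below is trusted until MOA-SPSS has validated the CMS signature.
        VerifyCMSSignatureResponseElement verifyResult = verifyBlobSignature(signedBlob);
        Logger.info("eID blob signature is VALID!");

        try {
            // Step 2: take the signed content out of the (now verified) CMS structure.
            Logger.debug("Starting eID information extraction ... ");
            byte[] signedContent = extractSignedContent(signedBlob);
            Logger.info("Signed content extracted");

            // Step 3: the signed content is the encrypted container.
            Logger.debug("Starting  signed content decryption ... ");
            JsonObject container = parseJson(signedContent);
            byte[] eidData = decryptEidContainer(container);
            Logger.info("eID data decryption completed");

            // Step 4: parse the decrypted payload and bind it to the CMS signer.
            Logger.debug("Starting eID-blob parsing ...");
            JsonObject eidBlob = parseJson(eidData);
            String identityLinkB64 = requiredString(eidBlob, EIDCONTAINER_KEY_IDL);
            java.security.cert.X509Certificate bindingCert = parseCertificate(
                    Base64Utils.decode(requiredString(eidBlob, EIDCONTAINER_KEY_BINDINGCERT), false));

            // The certificate embedded in the payload must be the one that signed the blob; otherwise an
            // attacker holding any trusted signing key could wrap a foreign payload.
            if (!sameCertificate(verifyResult.getSignerInfo().getSignerCertificate(), bindingCert)) {
                Logger.error("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!");
                Logger.info("BindingCert: " + bindingCert.toString());
                Logger.info("SigningCert: " + verifyResult.getSignerInfo().getSignerCertificate().toString());
                throw new MOAIDException("eID-blob signing certificate DOES NOT match to binding certificate included in eID blob!", (Object[]) null);
            }
            Logger.info("eID-blob parsing completed");

            // Step 5: populate the MOA session.
            Logger.debug("Parse eID information into MOA-Session ...");
            IIdentityLink identityLink = new IdentityLinkAssertionParser(
                    new ByteArrayInputStream(Base64Utils.decode(identityLinkB64, false))).parseIdentityLink();
            AuthenticationSessionWrapper session =
                    (AuthenticationSessionWrapper) iRequest.getSessionData(AuthenticationSessionWrapper.class);
            if (session == null) {
                Logger.warn("No MOA session available for pending request");
                throw new MOAIDException("No MOA session available for pending request", (Object[]) null);
            }
            session.setIdentityLink(identityLink);
            session.setUseMandates(false);
            session.setForeigner(false);
            session.setBkuURL("http://egiz.gv.at/BKA_MobileAuthTest");
            session.setQAALevel("http://eidas.europa.eu/LoA/substantial");
            Logger.info("Session Restore completed");

        } catch (JsonParseException e) {
            // Deliberately do not log the blob itself: after decryption it contains personal eID data.
            Logger.error("eID-blob parse error!", e);
            throw new MOAIDException("eID-blob parse error!", (Object[]) null, e);

        } catch (CMSException e) {
            Logger.error("Can not parse CMS signature.", e);
            throw new MOAIDException("Can not parse CMS signature.", (Object[]) null, e);

        } catch (java.security.cert.CertificateException e) {
            Logger.error("Can not extract mobile-app binding-certificate from eID blob.", e);
            throw new MOAIDException("Can not extract mobile-app binding-certificate from eID blob.", (Object[]) null, e);
        }
    }

    /**
     * Lets MOA-SPSS verify the CMS signature and returns the (checked) result of the first signatory.
     *
     * <p>Only the first response element is evaluated; the request asks for all signatories, but the
     * binding-certificate check later on is defined against a single signer.
     */
    private VerifyCMSSignatureResponseElement verifyBlobSignature(byte[] signedBlob) throws MOAIDException {
        VerifyCMSSignatureResponse response =
                SignatureVerificationInvoker.getInstance().verifyCMSSignature(createCMSVerificationReq(signedBlob));
        if (response.getResponseElements().isEmpty()) {
            Logger.warn("No CMS signature-verification response");
            throw new MOAIDException("Signature verification FAILED: No response", (Object[]) null);
        }
        VerifyCMSSignatureResponseElement first =
                (VerifyCMSSignatureResponseElement) response.getResponseElements().get(0);
        analyseCMSSignatureVerificationResponse(first);
        return first;
    }

    /**
     * Returns the encapsulated signed content of the CMS structure.
     *
     * @throws MOAIDException if the signature is detached (no content) or the content is not of type
     *         id-data (1.2.840.113549.1.7.1)
     * @throws CMSException if the blob is not a parsable CMS SignedData
     */
    private static byte[] extractSignedContent(byte[] signedBlob) throws MOAIDException, CMSException {
        CMSSignedData cms = new CMSSignedData(signedBlob);
        CMSTypedData signedContent = cms.getSignedContent();
        if (signedContent == null) {
            Logger.warn("CMS SignedData is empty or null");
            throw new MOAIDException("CMS SignedData is empty or null", (Object[]) null);
        }
        if (!CMSObjectIdentifiers.data.equals(signedContent.getContentType())) {
            Logger.warn("Signature contains NO 'data' OID 1.2.840.113549.1.7.1");
            throw new MOAIDException("Signature contains NO 'data' OID 1.2.840.113549.1.7.1", (Object[]) null);
        }
        byte[] content = (byte[]) signedContent.getContent();
        if (content == null) {
            Logger.warn("CMS SignedData is empty or null");
            throw new MOAIDException("CMS SignedData is empty or null", (Object[]) null);
        }
        return content;
    }

    /**
     * Parses UTF-8 bytes as a JSON object.
     *
     * @throws MOAIDException if the document is valid JSON but not an object
     * @throws JsonParseException if the bytes are not valid JSON (handled by the caller)
     */
    private static JsonObject parseJson(byte[] utf8Json) throws MOAIDException {
        JsonElement element = new JsonParser().parse(new String(utf8Json, StandardCharsets.UTF_8));
        if (element == null || !element.isJsonObject()) {
            Logger.warn("eID container is not a JSON object");
            throw new MOAIDException("eID-blob parse error!", (Object[]) null);
        }
        return element.getAsJsonObject();
    }

    /** Returns the non-empty string value of {@code key}, failing with a clear message instead of an NPE. */
    private static String requiredString(JsonObject json, String key) throws MOAIDException {
        JsonElement value = json.get(key);
        if (value == null || !value.isJsonPrimitive() || MiscUtil.isEmpty(value.getAsString())) {
            Logger.warn("eID container misses required element '" + key + "'");
            throw new MOAIDException("eID-blob parse error!", (Object[]) null);
        }
        return value.getAsString();
    }

    /**
     * Decrypts the {@code eid} value of the container with AES/CBC/PKCS5Padding using the salt and IV
     * shipped alongside it.
     *
     * <p>CBC with PKCS5 padding has no integrity protection of its own; it is acceptable here only
     * because the whole container sits inside a CMS signature that has already been verified.
     */
    private byte[] decryptEidContainer(JsonObject container) throws MOAIDException, IOException {
        byte[] salt = Base64Utils.decode(requiredString(container, EIDCONTAINER_KEY_SALT), false);
        byte[] iv = Base64Utils.decode(requiredString(container, EIDCONTAINER_KEY_IV), false);
        byte[] cipherText = Base64Utils.decode(requiredString(container, EIDCONTAINER_EID), false);
        if (salt == null || salt.length == 0 || iv == null || iv.length == 0) {
            // PBEKeySpec rejects an empty salt with an unchecked exception; report it as a format error.
            Logger.warn("eID container has an empty salt or IV");
            throw new MOAIDException("eID-blob parse error!", (Object[]) null);
        }
        try {
            Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, generateDecryptionKey(salt), new IvParameterSpec(iv));
            return cipher.doFinal(cipherText);

        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException
                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            Logger.error("Can not decrypte eID data.", e);
            throw new MOAIDException("Can not decrypte eID data", (Object[]) null, e);
        }
    }

    /**
     * Derives the AES key from the configured passphrase and the container salt.
     *
     * <p>Fails closed when no passphrase is configured: a built-in fallback would let anyone who reads
     * this source forge containers for every deployment that forgot to set the property.
     */
    private SecretKey generateDecryptionKey(byte[] salt) throws MOAIDException {
        String passphrase = this.authConfig.getBasicConfiguration(CONF_EID_TOKEN_ENCRYPTION_KEY, null);
        if (MiscUtil.isEmpty(passphrase)) {
            Logger.error("No eID-token encryption passphrase configured: " + CONF_EID_TOKEN_ENCRYPTION_KEY);
            throw new MOAIDException("Mobile-Auth Module has an internal errror.", (Object[]) null);
        }
        char[] password = passphrase.toCharArray();
        PBEKeySpec spec = new PBEKeySpec(password, salt, KDF_ITERATIONS, AES_KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");

        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            Logger.error("Mobile-Auth Module has an internal errror.", e);
            throw new MOAIDException("Mobile-Auth Module has an internal errror.", (Object[]) null, e);

        } finally {
            // Do not leave the passphrase lying around in heap longer than needed.
            spec.clearPassword();
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Evaluates a MOA-SPSS verification result: signature status, certificate status and a freshness
     * window of +/- {@value #CONF_SIGNING_TIME_JITTER} minutes around the server clock.
     *
     * <p>A future-dated signing time is rejected as well; otherwise a blob stamped far in the future
     * would pass the "not too old" check indefinitely.
     */
    private void analyseCMSSignatureVerificationResponse(VerifyCMSSignatureResponseElement element) throws MOAIDException {
        if (element.getSignatureCheck().getCode() != 0) {
            Logger.warn("CMS signature verification FAILED with StatusCode: " + element.getSignatureCheck().getCode());
            throw new MOAIDException("CMS signature verification FAILED with StatusCode: " + element.getSignatureCheck().getCode(), (Object[]) null);
        }
        if (element.getCertificateCheck().getCode() != 0) {
            Logger.warn("CMS certificate verification FAILED with StatusCode: " + element.getCertificateCheck().getCode());
            throw new MOAIDException("CMS certificate verification FAILED with StatusCode: " + element.getCertificateCheck().getCode(), (Object[]) null);
        }
        if (element.getSignerInfo().getSigningTime() == null) {
            // Without a signing-time attribute the freshness window cannot be enforced.
            Logger.warn("CMS signature contains NO signing-time attribute");
            throw new MOAIDException("CMS signature contains NO signing-time attribute", (Object[]) null);
        }
        DateTime signedAt = new DateTime(element.getSignerInfo().getSigningTime().getTime());
        int jitterMinutes = Integer.parseInt(
                this.authConfig.getBasicConfiguration(CONF_SIGNING_TIME_JITTER, DEFAULT_SIGNING_TIME_JITTER_MINUTES));

        DateTime latestAccepted = signedAt.plusMinutes(jitterMinutes);
        if (latestAccepted.isBeforeNow()) {
            Logger.warn("CMS signature-time is before: " + latestAccepted);
            throw new MOAIDException("CMS signature-time is before: " + latestAccepted, (Object[]) null);
        }
        DateTime earliestAccepted = signedAt.minusMinutes(jitterMinutes);
        if (earliestAccepted.isAfterNow()) {
            Logger.warn("CMS signature-time is in the future: " + signedAt);
            throw new MOAIDException("CMS signature-time is in the future: " + signedAt, (Object[]) null);
        }
    }

    /**
     * Builds the MOA-SPSS verification request for the blob.
     *
     * @throws MOAIDException if no trust profile is configured; verifying against an unknown or
     *         placeholder profile must not be attempted
     */
    private VerifyCMSSignatureRequest createCMSVerificationReq(byte[] signedBlob) throws MOAIDException {
        String trustProfile = this.authConfig.getBasicConfiguration(CONF_MOASPSS_TRUSTPROFILE, null);
        if (MiscUtil.isEmpty(trustProfile)) {
            Logger.error("No MOA-SPSS trust profile configured: " + CONF_MOASPSS_TRUSTPROFILE);
            throw new MOAIDException("Mobile-Auth Module has an internal errror.", (Object[]) null);
        }
        VerifyCMSSignatureRequestImpl request = new VerifyCMSSignatureRequestImpl();
        request.setSignatories(VerifyCMSSignatureRequestImpl.ALL_SIGNATORIES);
        request.setExtended(false);
        request.setPDF(false);
        request.setTrustProfileId(trustProfile);
        request.setCMSSignature(new ByteArrayInputStream(signedBlob));
        return request;
    }

    /** Parses a DER-encoded X.509 certificate. */
    private static java.security.cert.X509Certificate parseCertificate(byte[] der) throws java.security.cert.CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (java.security.cert.X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Compares two certificates by their DER encoding instead of {@code equals()}, which is only
     * meaningful between instances of the same certificate API and silently returns {@code false}
     * across {@code java.security.cert} / {@code javax.security.cert} types.
     *
     * <p>NOTE(review): assumes the MOA-SPSS {@code SignerInfo.getSignerCertificate()} returns a
     * {@code java.security.cert.Certificate} - confirm against the MOA-SPSS API in use.
     */
    private static boolean sameCertificate(java.security.cert.Certificate signerCert,
            java.security.cert.Certificate bindingCert) throws java.security.cert.CertificateEncodingException {
        if (signerCert == null || bindingCert == null) {
            return false;
        }
        return MessageDigest.isEqual(signerCert.getEncoded(), bindingCert.getEncoded());
    }
}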
