package at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier;

import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils;
import at.gv.egovernment.moa.id.auth.exception.ValidateException;
import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.exceptions.SL20eIDDataValidationException;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser;
import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureRequestBuilder;
import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
import at.gv.egovernment.moa.util.Base64Utils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.xml.XMLObject;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

/* loaded from: input_file:at/gv/egovernment/moa/id/auth/modules/sl20_auth/sl20/verifier/QualifiedeIDVerifier.class */
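/**
 * Verification steps for the qualified eID data (IdentityLink and SAML2 AuthBlock)
 * returned by an SL2.0 eID command.
 * <p>
 * Every method is a stateless, static step. Failures are always reported by throwing
 * ({@link MOAIDException} for the MOA-SP based signature checks,
 * {@link SL20eIDDataValidationException} for SL2.0 specific content checks); no method
 * signals failure through its return value. {@link #checkConsistencyOfeIDData} consumes the
 * signature-verification result produced by {@link #verifyAuthBlock} and binds the AuthBlock
 * to the IdentityLink and to the SL2.0 request it answers.
 */
public class QualifiedeIDVerifier {

    /**
     * Validates an IdentityLink structurally and verifies its signature via MOA-SP.
     * <p>
     * The trust profile passed to MOA-SP determines which CA roots are accepted for the
     * IdentityLink signature; the online-application parameters select the test or the
     * productive profile. The MOA-SP response is additionally checked against the configured
     * IdentityLink signer subject names.
     *
     * @param iIdentityLink the IdentityLink to verify
     * @param iOAAuthParameters online-application parameters (select test vs. productive
     *     trust profile)
     * @param authConfiguration global MOA-ID configuration (trust profile ids, accepted
     *     signer subject names)
     * @throws MOAIDException if structural validation, the MOA-SP call, or validation of the
     *     MOA-SP response fails
     */
    public static void verifyIdentityLink(IIdentityLink iIdentityLink, IOAAuthParameters iOAAuthParameters, AuthConfiguration authConfiguration) throws MOAIDException {
        // Structural and content validation first; it is local and does not need MOA-SP.
        IdentityLinkValidator.getInstance().validate(iIdentityLink);

        // Which CA roots MOA-SP accepts depends on this profile id, so the test/productive
        // switch from the OA configuration is security relevant.
        String idlTrustProfileId = authConfiguration.getMoaSpIdentityLinkTrustProfileID(
                iOAAuthParameters.isUseIDLTestTrustStore());
        Element verifyRequest = new VerifyXMLSignatureRequestBuilder().build(iIdentityLink, idlTrustProfileId);
        Element verifyResponse = SignatureVerificationInvoker.getInstance().verifyXMLSignature(verifyRequest);
        IVerifiyXMLSignatureResponse idlSignatureResult =
                new VerifyXMLSignatureResponseParser(verifyResponse).parseData();

        // "IdentityLink" selects the IdentityLink-specific checks of the validator, including
        // the comparison of the signer certificate against the configured subject names.
        VerifyXMLSignatureResponseValidator.getInstance().validate(
                idlSignatureResult,
                authConfiguration.getIdentityLinkX509SubjectNames(),
                "IdentityLink",
                iOAAuthParameters,
                authConfiguration);
    }

    /**
     * Verifies the signature of a base64-encoded AuthBlock via MOA-SP and validates the
     * verification result.
     * <p>
     * The transformation profile ids are read from the CSV configuration value
     * {@link Constants#CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID}; the trust profile is
     * selected by the online-application's test/productive flag.
     *
     * @param str base64-encoded AuthBlock (untrusted input from the SL2.0 response)
     * @param iOAAuthParameters online-application parameters (select test vs. productive
     *     trust profile)
     * @param authConfiguration global MOA-ID configuration
     * @return the MOA-SP verification result, needed later by
     *     {@link #checkConsistencyOfeIDData}
     * @throws MOAIDException if signature verification or validation of the result fails
     * @throws IOException if the AuthBlock cannot be base64-decoded
     */
    public static IVerifiyXMLSignatureResponse verifyAuthBlock(String str, IOAAuthParameters iOAAuthParameters, AuthConfiguration authConfiguration) throws MOAIDException, IOException {
        byte[] authBlock = Base64Utils.decode(str, false);
        String authBlockTrustProfileId = authConfiguration.getMoaSpAuthBlockTrustProfileID(
                iOAAuthParameters.isUseAuthBlockTestTestStore());
        List<String> transformationIds = KeyValueUtils.getListOfCSVValues(
                KeyValueUtils.normalizeCSVValueString(
                        authConfiguration.getBasicConfiguration(Constants.CONFIG_PROP_VDA_AUTHBLOCK_TRANSFORMATION_ID)));

        IVerifiyXMLSignatureResponse verify =
                new SignatureVerificationUtils().verify(authBlock, authBlockTrustProfileId, transformationIds);

        // No signer subject-name list for the AuthBlock: the binding of the signer to the
        // IdentityLink is done separately in checkConsistencyOfeIDData.
        VerifyXMLSignatureResponseValidator.getInstance().validate(
                verify, (List<String>) null, "AuthBlock", iOAAuthParameters, authConfiguration);
        return verify;
    }

    /**
     * Checks that the verified AuthBlock belongs to the given IdentityLink and to the SL2.0
     * request it answers.
     * <p>
     * Performed checks, in order:
     * <ol>
     *   <li>the AuthBlock signer certificate matches the IdentityLink
     *       ({@code validateCertificate});</li>
     *   <li>the SAML2 assertion id is present and equals {@code str} (the SL2.0
     *       {@code requestId}), which ties the AuthBlock to this authentication request;</li>
     *   <li>the AuthBlock signing time lies inside the assertion's validity period.</li>
     * </ol>
     * NOTE: the method returns {@code false} when all checks pass and never returns
     * {@code true}; success is signalled by returning without exception. Callers must not
     * interpret the return value as a verification result.
     *
     * @param str expected AuthBlock id (the SL2.0 request id)
     * @param iIdentityLink the IdentityLink the AuthBlock has to match
     * @param assertionAttributeExtractor accessor for the parsed AuthBlock assertion
     * @param iVerifiyXMLSignatureResponse signature-verification result of the AuthBlock
     * @return always {@code false}
     * @throws SL20eIDDataValidationException if any of the checks fails
     */
    public static boolean checkConsistencyOfeIDData(String str, IIdentityLink iIdentityLink, AssertionAttributeExtractor assertionAttributeExtractor, IVerifiyXMLSignatureResponse iVerifiyXMLSignatureResponse) throws SL20eIDDataValidationException {
        try {
            // Signer certificate of the AuthBlock must belong to the IdentityLink owner.
            VerifyXMLSignatureResponseValidator.getInstance().validateCertificate(iVerifiyXMLSignatureResponse, iIdentityLink);

            String assertionID = assertionAttributeExtractor.getAssertionID();
            if (MiscUtil.isEmpty(assertionID)) {
                Logger.info("AuthBlock containts no ID, but ID MUST be included");
                throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock containts no ID, but ID MUST be included"});
            }

            // The assertion id must equal the request id, otherwise an AuthBlock issued for a
            // different request would be accepted here.
            if (!assertionID.equals(str)) {
                Logger.info("SL20 'requestId' does NOT match to AuthBlock Id. Expected : " + str + " Authblock: " + assertionID);
                throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "SL20 'requestId' does NOT match to AuthBlock Id."});
            }

            validateSigningDateTime(iVerifiyXMLSignatureResponse, assertionAttributeExtractor);
            return false;

        } catch (ValidateException e) {
            // Certificate binding failures are reported under the IdentityLink result key.
            // The original exception is kept as cause so the failure stays diagnosable.
            Logger.warn("Validation of eID information FAILED. ", e);
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, e.getMessage()}, e);
        }
    }

    /**
     * Decodes and parses a base64-encoded AuthBlock into an OpenSAML {@link Assertion}.
     * <p>
     * The XML is parsed with {@code DOMUtils.parseXmlValidating}; whether that helper
     * disables DTD processing and external entities is not visible here and should be
     * confirmed, since the AuthBlock is untrusted input.
     *
     * @param str base64-encoded AuthBlock
     * @return the unmarshalled and schema-validated SAML2 assertion
     * @throws SL20eIDDataValidationException if decoding, parsing, unmarshalling or schema
     *     validation fails, or if the root element is not a SAML2 Assertion
     */
    public static Assertion parseAuthBlockToSaml2Assertion(String str) throws SL20eIDDataValidationException {
        try {
            Element authBlockElement = DOMUtils.parseXmlValidating(
                    new ByteArrayInputStream(Base64Utils.decode(str, false)));

            // unmarshall() yields a generic XMLObject; the type is checked below before the
            // object is handed out as an Assertion.
            XMLObject samlObject = Configuration.getUnmarshallerFactory()
                    .getUnmarshaller(authBlockElement)
                    .unmarshall(authBlockElement);
            SAML2Utils.schemeValidation(samlObject);

            if (samlObject instanceof Assertion) {
                return (Assertion) samlObject;
            }
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock is NOT of type SAML2 Assertion"});

        } catch (SL20eIDDataValidationException e) {
            // Already the right type; do not wrap it a second time in the generic handler.
            throw e;

        } catch (SAXException e2) {
            Logger.info("Scheme validation of SAML2 AuthBlock FAILED. Reason: " + e2.getMessage());
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, e2.getMessage()}, e2);

        } catch (Exception e3) {
            Logger.info("Can not parse AuthBlock. Reason: " + e3.getMessage());
            // The full AuthBlock carries the citizen's eID data; it is only written at trace
            // level, which must stay disabled outside of debugging sessions.
            Logger.trace("FullAuthBlock: " + str);
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, e3.getMessage()}, e3);
        }
    }

    /**
     * Checks that the AuthBlock signing time lies within the assertion's validity period,
     * i.e. {@code notBefore <= signingTime < notOnOrAfter}.
     * <p>
     * All three dates are required; a missing signing time or a missing validity bound is a
     * validation failure, not a pass.
     *
     * @param iVerifiyXMLSignatureResponse signature-verification result carrying the signing time
     * @param assertionAttributeExtractor accessor for the assertion's validity bounds
     * @throws SL20eIDDataValidationException if a date is missing or the signing time is
     *     outside the validity period
     */
    private static void validateSigningDateTime(IVerifiyXMLSignatureResponse iVerifiyXMLSignatureResponse, AssertionAttributeExtractor assertionAttributeExtractor) throws SL20eIDDataValidationException {
        Date signingDateTime = iVerifiyXMLSignatureResponse.getSigningDateTime();
        Date assertionNotBefore = assertionAttributeExtractor.getAssertionNotBefore();
        Date assertionNotOnOrAfter = assertionAttributeExtractor.getAssertionNotOnOrAfter();

        if (signingDateTime == null) {
            Logger.info("AuthBlock signature contains NO signing data");
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock signature contains NO signing data"});
        }
        Logger.debug("AuthBlock signing data: " + signingDateTime.toString());

        if (assertionNotBefore == null || assertionNotOnOrAfter == null) {
            Logger.info("AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates");
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock contains NO 'notBefore' or 'notOrNotAfter' dates"});
        }
        Logger.debug("AuthBlock valid period. NotBefore:" + assertionNotBefore.toString() + " NotOrNotAfter:" + assertionNotOnOrAfter.toString());

        // Lower bound inclusive, upper bound exclusive (SAML "NotOnOrAfter" semantics).
        boolean notBeforeSatisfied = signingDateTime.after(assertionNotBefore) || signingDateTime.equals(assertionNotBefore);
        boolean notOnOrAfterSatisfied = signingDateTime.before(assertionNotOnOrAfter);
        if (notBeforeSatisfied && notOnOrAfterSatisfied) {
            Logger.debug("Signing date validation successfull");
        } else {
            Logger.info("AuthBlock signing date does NOT match to AuthBlock constrains");
            throw new SL20eIDDataValidationException(new Object[]{SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock signing date does NOT match to AuthBlock constrains"});
        }
    }
}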
