package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoBuildException;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SLCommandoParserException;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.net.MalformedURLException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.X509Util;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.Base64Utils;

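/**
 * JOSE (JWS / JWE) helper for the SL2.0 authentication module.
 *
 * <p>On start-up the configured key store is opened once: the signing key and its
 * certificate chain are mandatory, the end-to-end encryption key is optional, and every
 * certificate-only entry of the key store becomes a trust anchor for incoming signatures.
 * Trust for an incoming JWS is decided by exact membership of the signer certificate (or
 * its {@code x5t#S256} thumbprint) in that set; this class performs no chain building and
 * no validity-period check of its own.
 *
 * <p>If initialisation fails, the failure is logged and the bean stays uninitialised.
 * {@link #createSignature} and {@link #decryptPayload} then fail with a descriptive
 * exception instead of a {@code NullPointerException}.
 */
@Service
public class JsonSecurityUtils implements IJOSETools {

    private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class);
    private static final JsonMapper mapper = new JsonMapper();

    @Autowired(required = true)
    IConfiguration authConfig;

    /** Signing key; is a {@link PrivateKey} after a successful {@link #initalize()}, else {@code null}. */
    private Key signPrivKey = null;
    /** Signing certificate chain as returned by the key store (end-entity certificate first). */
    private X509Certificate[] signCertChain = null;
    /** Optional decryption key for SL2.0 end-to-end encryption; {@code null} when not configured. */
    private Key encPrivKey = null;
    /** Certificate chain belonging to {@link #encPrivKey}; {@code null} when encryption is not configured. */
    private X509Certificate[] encCertChain = null;
    /** Trust anchors for incoming JWS: all certificate-only entries of the configured key store. */
    private final List<X509Certificate> trustedCerts = new ArrayList<>();

    /**
     * Loads the signing key, the optional encryption key and the trust anchors from the
     * configured key store.
     *
     * <p>Runs once after dependency injection. Without a configured key-store path the whole
     * initialisation is skipped. Any failure is logged at ERROR level and leaves the bean
     * uninitialised instead of aborting the application context; callers then see a failing
     * {@link #createSignature} / {@link #decryptPayload}.
     */
    @PostConstruct
    protected void initalize() {
        log.info("Initialize SL2.0 authentication security constrains ... ");
        try {
            String keyStorePath = getKeyStoreFilePath();
            if (keyStorePath == null) {
                log.info("NO SL2.0 authentication security configuration. Initialization was skipped");
                return;
            }
            KeyStore keyStore = KeyStoreUtils.loadKeyStore(keyStorePath, getKeyStorePassword());
            loadSigningKey(keyStore);
            loadEncryptionKey(keyStore);
            loadTrustAnchors(keyStore);

            // instanceof is false for null, so this also covers a missing key entry
            if (!(this.signPrivKey instanceof PrivateKey)) {
                log.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + keyStorePath);
                throw new SL20Exception("sl20.03", new Object[]{"Can NOT open private key for signing"});
            }
            if (this.signCertChain == null || this.signCertChain.length == 0) {
                log.info("NO certificate for SL2.0 signing. KeyStore=" + keyStorePath);
                throw new SL20Exception("sl20.03", new Object[]{"NO certificate for SL2.0 signing"});
            }
            log.info("SL2.0 authentication security constrains initialized.");
        } catch (Exception e) {
            log.error("SL2.0 security constrains initialization FAILED.", e);
        }
    }

    /** Reads the mandatory signing private key and its certificate chain from the key store. */
    private void loadSigningKey(KeyStore keyStore) throws GeneralSecurityException {
        String alias = getSigningKeyAlias();
        this.signPrivKey = keyStore.getKey(alias, toCharArray(getSigningKeyPassword()));
        this.signCertChain = toX509Chain(keyStore.getCertificateChain(alias), "signing");
    }

    /** Reads the optional end-to-end encryption key; its absence only disables encryption. */
    private void loadEncryptionKey(KeyStore keyStore) {
        try {
            String alias = getEncryptionKeyAlias();
            this.encPrivKey = keyStore.getKey(alias, toCharArray(getEncryptionKeyPassword()));
            if (this.encPrivKey == null) {
                log.info("No encryption key for SL2.0 found. End-to-End encryption is not used.");
                return;
            }
            this.encCertChain = toX509Chain(keyStore.getCertificateChain(alias), "encryption");
        } catch (Exception e) {
            // Encryption is optional: a missing/unreadable entry (including a null alias) must not
            // abort initialisation of the mandatory signing part.
            log.warn("No encryption key for SL2.0 found. End-to-End encryption is not used. Reason: " + e.getMessage(), e);
        }
    }

    /** Collects every certificate-only entry of the key store as a trust anchor for incoming JWS. */
    private void loadTrustAnchors(KeyStore keyStore) throws GeneralSecurityException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            log.trace("Process TrustStoreEntry: " + alias);
            if (!keyStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate instanceof X509Certificate) {
                this.trustedCerts.add((X509Certificate) certificate);
            } else {
                // certificate may be null here; do not dereference it for the log message
                String reason = certificate == null ? "no certificate" : "type " + certificate.getType();
                log.info("Can not process entry: " + alias + ". Reason: " + reason);
            }
        }
    }

    /**
     * Converts a key-store certificate chain to X.509 certificates, dropping entries of any
     * other type with a warning. A {@code null} chain yields an empty array.
     *
     * @param chain chain as returned by {@link KeyStore#getCertificateChain(String)}, may be {@code null}
     * @param purpose "signing" or "encryption", used only in the log message
     */
    private static X509Certificate[] toX509Chain(Certificate[] chain, String purpose) {
        if (chain == null) {
            return new X509Certificate[0];
        }
        List<X509Certificate> x509 = new ArrayList<>(chain.length);
        for (Certificate cert : chain) {
            if (cert instanceof X509Certificate) {
                x509.add((X509Certificate) cert);
            } else {
                log.warn("NO X509 certificate for " + purpose + ": " + (cert == null ? "null" : cert.getType()));
            }
        }
        return x509.toArray(new X509Certificate[0]);
    }

    /** Converts a configured password to the {@code char[]} form the key store API expects. */
    private static char[] toCharArray(String password) {
        return password == null ? null : password.toCharArray();
    }

    /** Builds a jose4j WHITELIST constraint from the configured algorithm names. */
    private static AlgorithmConstraints whitelist(Collection<String> algorithms) {
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,
                algorithms.toArray(new String[0]));
    }

    /**
     * Returns the end-entity certificate of a JOSE {@code x5c} header.
     *
     * @param chainHeader certificates from the header, in any order
     * @return the leaf certificate after sorting, or {@code null} when the header is empty
     */
    @SuppressWarnings("unchecked") // X509Utils.sortCertificates is called with a raw List in this module
    private static X509Certificate leafCertificate(List<X509Certificate> chainHeader) {
        if (chainHeader.isEmpty()) {
            return null;
        }
        log.trace("Sorting received X509 certificates ... ");
        List<X509Certificate> sorted = X509Utils.sortCertificates(chainHeader);
        return sorted.isEmpty() ? null : sorted.get(0);
    }

    /** Logs a rejected certificate at DEBUG level for troubleshooting. */
    private static void logCertificate(String label, X509Certificate cert) {
        log.debug(label + ": " + cert.toString());
        try {
            log.debug("Cert: " + Base64Utils.encodeToString(cert.getEncoded()));
        } catch (CertificateEncodingException e) {
            log.debug("Cert can NOT be encoded.", e);
        }
    }

    /**
     * Signs an SL2.0 command as a compact JWS (RS256) with the configured signing key.
     *
     * @param str JSON payload to sign
     * @return compact JWS serialization carrying the signing chain ({@code x5c}) and its
     *         {@code x5t#S256} thumbprint in the header
     * @throws SLCommandoBuildException if no signing key was initialised or signing fails
     */
    @Override // at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools
    public String createSignature(String str) throws SLCommandoBuildException {
        if (!(this.signPrivKey instanceof PrivateKey) || this.signCertChain == null || this.signCertChain.length == 0) {
            log.warn("Can NOT sign SL2.0 command. Signing key is not initialized.");
            throw new SLCommandoBuildException("Can NOT sign SL2.0 command.",
                    new IllegalStateException("SL2.0 signing key or certificate is not initialized"));
        }
        try {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(str);
            jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND);
            jws.setAlgorithmHeaderValue(SL20Constants.JSON_ALGORITHM_SIGNING_RS256);
            jws.setKey(this.signPrivKey);
            jws.setCertificateChainHeaderValue(this.signCertChain);
            jws.setX509CertSha256ThumbprintHeaderValue(this.signCertChain[0]);
            return jws.getCompactSerialization();
        } catch (JoseException e) {
            log.warn("Can NOT sign SL2.0 command.", e);
            throw new SLCommandoBuildException("Can NOT sign SL2.0 command.", e);
        }
    }

    /**
     * Verifies a compact JWS received from the SL2.0 client and returns its parsed payload.
     *
     * <p>Key selection: with an {@code x5c} header the end-entity certificate must be one of the
     * trusted certificates (exact match); with only an {@code x5t#S256} header the key is resolved
     * against the same trust set. The signature algorithm is restricted to the configured whitelist
     * before verification, so the sender cannot choose an algorithm outside that list.
     *
     * @param str compact JWS serialization
     * @return the payload as JSON together with the verification state
     * @throws SL20SecurityException if the signature does not verify or the JWS is malformed
     * @throws SLCommandoParserException if no verification key can be selected or the payload is not JSON
     */
    @Override // at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools
    public VerificationResult validateSignature(String str) throws SL20Exception {
        try {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setCompactSerialization(str);
            jws.setAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING));

            Key key = selectVerificationKey(jws);
            if (key == null) {
                log.info("Can NOT select verification key for JWS. Signature verification FAILED.");
                throw new SLCommandoParserException("Can NOT select verification key for JWS. Signature verification FAILED");
            }
            jws.setKey(key);

            boolean valid = jws.verifySignature();
            if (!valid) {
                log.info("JWS signature invalide. Stopping authentication process ...");
                log.debug("Received JWS msg: " + str);
                throw new SL20SecurityException("JWS signature invalide.");
            }
            log.debug("SL2.0 commando signature validation sucessfull");
            return new VerificationResult(mapper.getMapper().readTree(jws.getPayload()), null, valid);
        } catch (JoseException | JsonParseException e) {
            log.warn("SL2.0 commando signature validation FAILED", e);
            throw new SL20SecurityException(new Object[]{e.getMessage()}, e);
        } catch (IOException e) {
            log.warn("Decrypted SL2.0 result can not be parsed.", e);
            throw new SLCommandoParserException("Decrypted SL2.0 result can not be parsed", e);
        }
    }

    /**
     * Chooses the public key for verifying {@code jws} from its JOSE header.
     *
     * @return the public key of a trusted signer certificate, or {@code null} when the header
     *         certificate is not trusted or the {@code x5c} header is empty
     * @throws SLCommandoParserException if the header carries neither {@code x5c} nor {@code x5t#S256}
     * @throws JoseException if no trusted certificate matches the thumbprint
     */
    private Key selectVerificationKey(JsonWebSignature jws) throws JoseException, SLCommandoParserException {
        List<X509Certificate> chainHeader = jws.getCertificateChainHeaderValue();
        String thumbprint = jws.getX509CertSha256ThumbprintHeaderValue();

        if (chainHeader != null) {
            log.debug("Found x509 certificate in JOSE header ... ");
            X509Certificate signer = leafCertificate(chainHeader);
            if (signer == null) {
                log.info("x5c header of SL2.0 response contains NO certificate.");
                return null;
            }
            // Trust is decided by exact match against the key-store certificates, not by chain building.
            if (this.trustedCerts.contains(signer)) {
                return signer.getPublicKey();
            }
            log.info("Can NOT find JOSE certificate in truststore.");
            logCertificate("JOSE certificate", signer);
            return null;
        }

        if (!StringUtils.isNotEmpty(thumbprint)) {
            log.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
            throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
        }
        log.debug("Found x5t256 fingerprint in JOSE header .... ");
        return new X509VerificationKeyResolver(this.trustedCerts).resolveKey(jws, Collections.emptyList());
    }

    /**
     * Decrypts a compact JWE received from the SL2.0 client and parses its plaintext as JSON.
     *
     * <p>The JOSE header must reference this service's encryption certificate, either as
     * {@code x5c} (exact match) or as {@code x5t#S256} thumbprint; otherwise the message was not
     * encrypted for this service and is rejected before any decryption attempt. Key-management and
     * content-encryption algorithms are both restricted to the configured whitelists.
     *
     * @param str compact JWE serialization
     * @return the decrypted payload as JSON
     * @throws SL20SecurityException if no encryption key is configured or decryption fails
     * @throws SL20Exception (code {@code sl20.05}) if the header does not reference the encryption certificate
     * @throws SLCommandoParserException if the header carries no key reference or the plaintext is not JSON
     */
    @Override // at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools
    public JsonNode decryptPayload(String str) throws SL20Exception {
        X509Certificate encCert = getEncryptionCertificate();
        if (this.encPrivKey == null || encCert == null) {
            log.info("Received encrypted SL2.0 payload, but End-to-End encryption is not configured.");
            throw new SL20SecurityException("SL2.0 End-to-End encryption is not configured. Can NOT decrypt payload.");
        }
        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION));
            jwe.setContentEncryptionAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION));
            jwe.setCompactSerialization(str);
            checkEncryptionKeyReference(jwe, encCert);
            jwe.setKey(this.encPrivKey);
            return mapper.getMapper().readTree(jwe.getPlaintextString());
        } catch (JsonParseException e) {
            log.warn("Decrypted SL2.0 result is NOT a valid JSON.", e);
            throw new SLCommandoParserException("Decrypted SL2.0 result is NOT a valid JSON.", e);
        } catch (JoseException e) {
            log.warn("SL2.0 result decryption FAILED", e);
            throw new SL20SecurityException(new Object[]{e.getMessage()}, e);
        } catch (IOException e) {
            log.warn("Decrypted SL2.0 result can not be parsed.", e);
            throw new SLCommandoParserException("Decrypted SL2.0 result can not be parsed", e);
        }
    }

    /**
     * Rejects a JWE whose {@code x5c} / {@code x5t#S256} header does not reference {@code encCert}.
     *
     * @throws SL20Exception (code {@code sl20.05}) on a certificate or thumbprint mismatch
     * @throws SLCommandoParserException if the header carries neither {@code x5c} nor {@code x5t#S256}
     */
    private static void checkEncryptionKeyReference(JsonWebEncryption jwe, X509Certificate encCert) throws SL20Exception {
        List<X509Certificate> chainHeader = jwe.getCertificateChainHeaderValue();
        String thumbprint = jwe.getX509CertSha256ThumbprintHeaderValue();

        if (chainHeader != null) {
            log.debug("Found x509 certificate in JOSE header ... ");
            X509Certificate headerCert = leafCertificate(chainHeader);
            if (!encCert.equals(headerCert)) {
                log.info("Certificate from JOSE header does NOT match encryption certificate");
                if (headerCert != null) {
                    logCertificate("JOSE certificate", headerCert);
                }
                throw new SL20Exception("sl20.05", new Object[]{"Certificate from JOSE header does NOT match encryption certificate"});
            }
            return;
        }

        if (!StringUtils.isNotEmpty(thumbprint)) {
            log.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
            throw new SLCommandoParserException("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
        }
        log.debug("Found x5t256 fingerprint in JOSE header .... ");
        String expected = X509Util.x5tS256(encCert);
        if (!expected.equals(thumbprint)) {
            log.info("X5t256 from JOSE header does NOT match encryption certificate");
            log.debug("X5t256 from JOSE header: " + thumbprint + " Encrytption cert: " + expected);
            throw new SL20Exception("sl20.05", new Object[]{"X5t256 from JOSE header does NOT match encryption certificate"});
        }
    }

    /**
     * Returns the end-entity certificate clients must encrypt for.
     *
     * @return the encryption certificate, or {@code null} when end-to-end encryption is not configured
     */
    @Override // at.gv.egiz.eaaf.modules.auth.sl20.utils.IJOSETools
    public X509Certificate getEncryptionCertificate() {
        boolean configured = this.encCertChain != null && this.encCertChain.length > 0;
        return configured ? this.encCertChain[0] : null;
    }

    /** Absolute key-store location, or {@code null} when none is configured. */
    private String getKeyStoreFilePath() throws EAAFConfigurationException, MalformedURLException {
        return FileUtils.makeAbsoluteURL(
                this.authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PATH),
                this.authConfig.getConfigurationRootDirectory());
    }

    /** Reads a configuration value and strips surrounding whitespace; {@code null} when absent. */
    private String getTrimmedConfig(String key) {
        String value = this.authConfig.getBasicConfiguration(key);
        return value == null ? null : value.trim();
    }

    private String getKeyStorePassword() {
        return getTrimmedConfig(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD);
    }

    private String getSigningKeyAlias() {
        return getTrimmedConfig(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
    }

    private String getSigningKeyPassword() {
        return getTrimmedConfig(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD);
    }

    private String getEncryptionKeyAlias() {
        return getTrimmedConfig(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS);
    }

    private String getEncryptionKeyPassword() {
        return getTrimmedConfig(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD);
    }
}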
