package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;
import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.JsonNode;
import jakarta.annotation.PostConstruct;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.annotation.Nonnull;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.keys.X509Util;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.lang.NonNull;
import org.springframework.stereotype.Service;

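/**
 * JOSE (JWS/JWE) helper for the SL2.0 authentication module.
 *
 * <p>Signing uses the signing key of the configured key store, signature
 * verification trusts the certificates of the configured trust store, and
 * decryption of SL2.0 results uses the (optional) encryption key of the key
 * store. The JWS/JWE algorithms that are accepted are fixed by the allow-lists
 * in {@code SL20Constants}; jose4j rejects everything else through
 * {@link AlgorithmConstraints} in {@code PERMIT} mode.
 *
 * <p>Instances are Spring singletons; {@link #initalize()} must have run before
 * any other method is used.
 */
@Service
/* loaded from: input_file:at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.class */
public class JsonSecurityUtils implements IJoseTools {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class);

    /** Human readable store names; used in log and error messages only. */
    private static final String FRIENDLYNAME_KEYSTORE = "SL2.0 KeyStore";
    private static final String FRIENDLYNAME_TRUSTSTORE = "SL2.0 TrustStore";

    @Autowired(required = true)
    IConfiguration authConfig;

    @Autowired(required = true)
    EaafKeyStoreFactory keystoreFactory;

    /** Key store with the signing key and the optional encryption key; the provider part may be null. */
    private Pair<KeyStore, Provider> keyStore;

    /** Trust store whose certificates are accepted as JWS signers. */
    private Pair<KeyStore, Provider> trustStore;

    /**
     * Loads key store and trust store and checks that the mandatory signing key
     * is accessible.
     *
     * <p>A missing encryption key is tolerated (end-to-end encryption is then
     * not used). An empty trust store is only logged, but every later
     * {@link #validateSignature(String)} will fail.
     *
     * @throws SL20Exception if a store can not be loaded or the signing key is
     *         not accessible (error code {@code sl20.11})
     */
    @PostConstruct
    protected void initalize() throws SL20Exception {
        log.info("Initialize SL2.0 authentication security constrains ... ");
        try {
            this.keyStore = this.keystoreFactory.buildNewKeyStore(buildKeyStoreConfiguration());
            this.trustStore = this.keystoreFactory.buildNewKeyStore(buildTrustStoreConfiguration());

            // Signing key is mandatory (isMandatory = true): a wrong alias or password fails start-up.
            EaafKeyStoreUtils.getPrivateKeyAndCertificates(this.keyStore.getFirst(), getSigningKeyAlias(),
                    getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);

            // Encryption key is optional; it lives in the key store, so the key-store name is reported.
            if (EaafKeyStoreUtils.getPrivateKeyAndCertificates(this.keyStore.getFirst(), getEncryptionKeyAlias(),
                    getEncryptionKeyPassword(), false, FRIENDLYNAME_KEYSTORE) == null) {
                log.info("No encryption key for SL2.0 found. End-to-End encryption is not used.");
            }

            final List<X509Certificate> trustedCerts =
                    EaafKeyStoreUtils.readCertsFromKeyStore(this.trustStore.getFirst());
            if (trustedCerts.isEmpty()) {
                log.info("No certificates in TrustStore: {}. Signature validation will FAIL!",
                        FRIENDLYNAME_TRUSTSTORE);
            } else {
                log.info("Find #{} certificates in TrustStore: {}", trustedCerts.size(), FRIENDLYNAME_TRUSTSTORE);
            }
            log.info("SL2.0 authentication security constrains initialized.");

        } catch (final RuntimeException e) {
            // programming errors are not wrapped into an SL20Exception
            throw e;
        } catch (final Exception e) {
            log.error("SL2.0 security constrains initialization FAILED.");
            throw new SL20Exception("sl20.11", new Object[]{e.getMessage()}, e);
        }
    }

    /**
     * Signs an SL2.0 command as JWS with the signing key; the JWS header carries
     * the signing certificate.
     *
     * @param str payload to sign
     * @return compact JWS serialization
     * @throws SlCommandoBuildException if signing fails
     */
    @Override
    public String createSignature(final String str) throws SlCommandoBuildException {
        return createSignature(str, true);
    }

    /**
     * Signs an SL2.0 command as JWS with the signing key.
     *
     * @param str payload to sign
     * @param z {@code true} to add the signing certificate to the JWS header
     * @return compact JWS serialization
     * @throws SlCommandoBuildException if the key is not accessible or jose4j fails
     */
    @Override
    public String createSignature(final String str, final boolean z) throws SlCommandoBuildException {
        try {
            return JoseUtils.createSignature(this.keyStore, getSigningKeyAlias(), getSigningKeyPassword(), str, z,
                    Collections.singletonMap(SL20Constants.JSON_CONTENTTYPE,
                            SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND),
                    getRsaSigningAlgorithm(), getEccSigningAlgorithm(), FRIENDLYNAME_KEYSTORE);

        } catch (final JoseException | EaafException e) {
            log.warn("Can NOT sign SL2.0 command.", e);
            throw new SlCommandoBuildException("Can NOT sign SL2.0 command.", e);
        }
    }

    /**
     * Validates a JWS against all certificates of the given key store.
     *
     * @param str compact JWS serialization
     * @param keyStore store whose certificates are accepted as signers
     * @param algorithmConstraints accepted signature algorithms
     * @return parsed header, payload, signer certificates and validity flag
     * @throws JoseException on JWS parsing or verification errors
     * @throws IOException if header or payload is not valid JSON
     * @throws KeyStoreException if the store can not be read
     */
    @Override
    public VerificationResult validateSignature(final String str, final KeyStore keyStore,
            final AlgorithmConstraints algorithmConstraints) throws JoseException, IOException, KeyStoreException {
        return validateSignature(str, EaafKeyStoreUtils.readCertsFromKeyStore(keyStore), algorithmConstraints);
    }

    /**
     * Validates a JWS against the given trusted certificates.
     *
     * <p>The {@code isValidCertificateNeeded()} configuration flag is handed to
     * {@link JoseUtils#validateSignature}; header and payload are parsed as JSON.
     *
     * @param str compact JWS serialization
     * @param list trusted signer certificates
     * @param algorithmConstraints accepted signature algorithms
     * @return parsed header, payload, signer certificates and validity flag
     * @throws JoseException on JWS parsing or verification errors
     * @throws IOException if header or payload is not valid JSON
     */
    @Override
    @NonNull
    public VerificationResult validateSignature(@Nonnull final String str,
            @Nonnull final List<X509Certificate> list, @Nonnull final AlgorithmConstraints algorithmConstraints)
            throws JoseException, IOException {
        final JoseUtils.JwsResult jwsResult =
                JoseUtils.validateSignature(str, list, algorithmConstraints, isValidCertificateNeeded());

        final JsonNode header = JsonMapper.getMapper().readTree(jwsResult.getFullJoseHeader().getFullHeaderAsJsonString());
        final JsonNode payload = JsonMapper.getMapper().readTree(jwsResult.getPayLoad());
        return new VerificationResult(header, payload, jwsResult.getX5cCerts(), jwsResult.isValid());
    }

    /**
     * Validates an SL2.0 command JWS against the configured trust store, allowing
     * only the algorithms of {@code SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING}.
     *
     * @param str compact JWS serialization
     * @return the verification result; never an invalid one
     * @throws SL20SecurityException if the signature is invalid or can not be verified
     * @throws SlCommandoParserException if header or payload is not valid JSON
     */
    @Override
    @Nonnull
    public VerificationResult validateSignature(@Nonnull final String str) throws SL20Exception {
        try {
            final VerificationResult result = validateSignature(str,
                    EaafKeyStoreUtils.readCertsFromKeyStore(this.trustStore.getFirst()),
                    permitOnly(SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING));

            // Fail closed: a null validity flag counts as "not valid".
            if (Boolean.TRUE.equals(result.isValidSigned())) {
                log.debug("SL2.0 commando signature validation sucessfull");
                return result;
            }

            log.info("JWS signature invalide. Stopping authentication process ...");
            // Full message only at DEBUG; NOTE(review): the payload may contain personal data — confirm before enabling.
            log.debug("Received JWS msg: {}", str);
            throw new SL20SecurityException("JWS signature invalide.");

        } catch (final JoseException | JsonParseException | KeyStoreException e) {
            log.warn("SL2.0 commando signature validation FAILED", e);
            throw new SL20SecurityException(new Object[]{e.getMessage()}, e);

        } catch (final IOException e) {
            log.warn("Decrypted SL2.0 result can not be parsed.", e);
            throw new SlCommandoParserException("Decrypted SL2.0 result can not be parsed", e);
        }
    }

    /**
     * Decrypts an SL2.0 result JWE with the encryption key of the key store.
     *
     * <p>Only the key-encryption and content-encryption algorithms of the
     * {@code SL20Constants} allow-lists are accepted. Before the private key is
     * used, the certificate reference in the JWE header ({@code x5c} or
     * {@code x5t#S256}) must match this service's own encryption certificate;
     * otherwise the result is rejected with error code {@code sl20.05}.
     *
     * @param str compact JWE serialization
     * @return decrypted payload parsed as JSON
     * @throws SL20SecurityException if the encryption key is not accessible or jose4j fails
     * @throws SlCommandoParserException if the header carries no certificate reference or
     *         the plaintext is not valid JSON
     * @throws SL20Exception if the header certificate does not match the encryption certificate
     */
    @Override
    public JsonNode decryptPayload(final String str) throws SL20Exception {
        try {
            final JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setAlgorithmConstraints(permitOnly(SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION));
            jwe.setContentEncryptionAlgorithmConstraints(
                    permitOnly(SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION));
            jwe.setCompactSerialization(str);

            // Encryption key is mandatory here: without it the result can not be processed.
            final Pair<Key, X509Certificate[]> encryptionKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
                    this.keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true,
                    FRIENDLYNAME_KEYSTORE);
            jwe.setProviderContext(buildProviderContext());

            verifyHeaderMatchesEncryptionCertificate(jwe, encryptionKey.getSecond()[0]);

            jwe.setKey(JoseUtils.convertToBcKeyIfRequired(encryptionKey.getFirst()));
            return JsonMapper.getMapper().readTree(jwe.getPlaintextString());

        } catch (final JoseException | EaafKeyAccessException e) {
            log.warn("SL2.0 result decryption FAILED", e);
            throw new SL20SecurityException(new Object[]{e.getMessage()}, e);

        } catch (final JsonParseException e) {
            // must precede IOException: JsonParseException is a subclass of it
            log.warn("Decrypted SL2.0 result is NOT a valid JSON.", e);
            throw new SlCommandoParserException("Decrypted SL2.0 result is NOT a valid JSON.", e);

        } catch (final IOException e) {
            log.warn("Decrypted SL2.0 result can not be parsed.", e);
            throw new SlCommandoParserException("Decrypted SL2.0 result can not be parsed", e);
        }
    }

    /**
     * Returns the encryption certificate of the key store.
     *
     * @return the first certificate of the encryption key's chain, or
     *         {@code null} if no encryption key is configured or accessible
     */
    @Override
    public X509Certificate getEncryptionCertificate() {
        try {
            final Pair<Key, X509Certificate[]> encryptionKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
                    this.keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), false,
                    FRIENDLYNAME_KEYSTORE);
            if (encryptionKey == null || encryptionKey.getSecond().length <= 0) {
                return null;
            }
            return encryptionKey.getSecond()[0];

        } catch (final EaafKeyAccessException e) {
            log.trace("Exception is skipped because Encryption is not mandatory on this level", e);
            return null;
        }
    }

    // Checks that the x5c (preferred) or x5t#S256 header of the JWE names our own encryption certificate.
    private void verifyHeaderMatchesEncryptionCertificate(final JsonWebEncryption jwe,
            final X509Certificate ownCert) throws SL20Exception {
        final List<X509Certificate> headerChain = jwe.getCertificateChainHeaderValue();
        final String headerThumbprint = jwe.getX509CertSha256ThumbprintHeaderValue();

        if (headerChain != null) {
            log.debug("Found x509 certificate in JOSE header ... ");
            log.trace("Sorting received X509 certificates ... ");
            // the first certificate after sorting is compared with the first one of our own chain
            final X509Certificate headerCert = X509Utils.sortCertificates(headerChain).get(0);
            if (!headerCert.equals(ownCert)) {
                log.info("Certificate from JOSE header does NOT match encryption certificate");
                logCertificateForDebugging(headerCert);
                throw new SL20Exception("sl20.05",
                        new Object[]{"Certificate from JOSE header does NOT match encryption certificate"});
            }

        } else {
            if (StringUtils.isEmpty(headerThumbprint)) {
                log.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
                throw new SlCommandoParserException(
                        "Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
            }

            log.debug("Found x5t256 fingerprint in JOSE header .... ");
            final String ownThumbprint = X509Util.x5tS256(ownCert);
            if (!ownThumbprint.equals(headerThumbprint)) {
                log.info("X5t256 from JOSE header does NOT match encryption certificate");
                log.debug("X5t256 from JOSE header: {} Encrytption cert: {}", headerThumbprint, ownThumbprint);
                throw new SL20Exception("sl20.05",
                        new Object[]{"X5t256 from JOSE header does NOT match encryption certificate"});
            }
        }
    }

    // Logs the Base64 encoded certificate at DEBUG level; an encoding problem is only logged, never thrown.
    private static void logCertificateForDebugging(final X509Certificate cert) {
        if (!log.isDebugEnabled()) {
            return;
        }
        try {
            log.debug("JOSE certificate: {}", Base64.getEncoder().encodeToString(cert.getEncoded()));
        } catch (final CertificateEncodingException e) {
            log.debug("Can NOT encode certificate from JOSE header", e);
        }
    }

    // Builds the jose4j provider context: "BC" for general crypto, the key store's own provider
    // (if it has one) for operations with the supplied private key.
    private ProviderContext buildProviderContext() {
        final ProviderContext providerContext = new ProviderContext();
        providerContext.getGeneralProviderContext().setGeneralProvider("BC");

        final Provider keyStoreProvider = this.keyStore.getSecond();
        if (keyStoreProvider != null) {
            log.trace("Injecting special Java Security Provider: {}", keyStoreProvider.getName());
            providerContext.getSuppliedKeyProviderContext().setGeneralProvider(keyStoreProvider.getName());
        }
        return providerContext;
    }

    // Turns an algorithm allow-list into a PERMIT constraint: every algorithm not listed is rejected.
    private static AlgorithmConstraints permitOnly(final List<String> allowedAlgorithms) {
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                allowedAlgorithms.toArray(new String[0]));
    }

    private KeyStoreConfiguration buildKeyStoreConfiguration() throws EaafConfigurationException {
        return buildStoreConfiguration(FRIENDLYNAME_KEYSTORE,
                Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE,
                Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME,
                Constants.CONFIG_PROP_SECURITY_KEYSTORE_PATH,
                Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD);
    }

    private KeyStoreConfiguration buildTrustStoreConfiguration() throws EaafConfigurationException {
        return buildStoreConfiguration(FRIENDLYNAME_TRUSTSTORE,
                Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE,
                Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME,
                Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PATH,
                Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PASSWORD);
    }

    // Reads one store configuration (type defaults to JKS) and validates it before use.
    private KeyStoreConfiguration buildStoreConfiguration(final String friendlyName, final String typeKey,
            final String nameKey, final String pathKey, final String passwordKey) throws EaafConfigurationException {
        final KeyStoreConfiguration config = new KeyStoreConfiguration();
        config.setFriendlyName(friendlyName);
        config.setKeyStoreType(this.authConfig.getBasicConfiguration(typeKey,
                KeyStoreConfiguration.KeyStoreType.JKS.getKeyStoreType()));
        config.setKeyStoreName(this.authConfig.getBasicConfiguration(nameKey));
        config.setSoftKeyStoreFilePath(this.authConfig.getBasicConfiguration(pathKey));
        config.setSoftKeyStorePassword(this.authConfig.getBasicConfiguration(passwordKey));
        config.validate();
        return config;
    }

    private String getSigningKeyAlias() {
        return readTrimmed(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
    }

    private char[] getSigningKeyPassword() {
        return toPassword(readTrimmed(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD));
    }

    private String getEncryptionKeyAlias() {
        return readTrimmed(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS);
    }

    private char[] getEncryptionKeyPassword() {
        return toPassword(readTrimmed(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD));
    }

    // Signing algorithm for RSA keys; defaults to PS256.
    private String getRsaSigningAlgorithm() {
        return readTrimmed(Constants.CONFIG_PROP_SECURITY_SIG_ALG_RSA, SL20Constants.JSON_ALGORITHM_SIGNING_PS256);
    }

    // Signing algorithm for EC keys; defaults to ES256.
    private String getEccSigningAlgorithm() {
        return readTrimmed(Constants.CONFIG_PROP_SECURITY_SIG_ALG_ECC, SL20Constants.JSON_ALGORITHM_SIGNING_ES256);
    }

    // Whether JoseUtils must require a valid signer certificate; defaults to true.
    private boolean isValidCertificateNeeded() {
        return this.authConfig.getBasicConfigurationBoolean(
                Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NEED_VALID_CERTIFICATE, true);
    }

    // Configuration value without surrounding whitespace, or null if not set.
    private String readTrimmed(final String key) {
        final String value = this.authConfig.getBasicConfiguration(key);
        return value == null ? null : value.trim();
    }

    // Configuration value without surrounding whitespace, falling back to defaultValue; null if neither is set.
    private String readTrimmed(final String key, final String defaultValue) {
        final String value = this.authConfig.getBasicConfiguration(key, defaultValue);
        return value == null ? null : value.trim();
    }

    // Key passwords are handed on as char[] (the key-store API's type); null means "no password configured".
    private static char[] toPassword(final String value) {
        return value == null ? null : value.toCharArray();
    }
}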
