package at.gv.egiz.pdfas.web.sl20;

import at.gv.egiz.pdfas.web.config.WebConfiguration;
import at.gv.egiz.sl20.data.VerificationResult;
import at.gv.egiz.sl20.exceptions.SL20Exception;
import at.gv.egiz.sl20.exceptions.SL20SecurityException;
import at.gv.egiz.sl20.exceptions.SLCommandoBuildException;
import at.gv.egiz.sl20.exceptions.SLCommandoParserException;
import at.gv.egiz.sl20.utils.IJOSETools;
import at.gv.egiz.sl20.utils.SL20Constants;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.google.gson.JsonSyntaxException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.X509Util;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:at/gv/egiz/pdfas/web/sl20/JsonSecurityUtils.class */
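/**
 * JOSE (JWS/JWE) helper for the SL2.0 protocol of the PDF-AS web application.
 *
 * <p>Holds the signing key and certificate chain, the optional End-to-End encryption key and
 * certificate chain, and the trust anchors (all certificate entries of the configured key store)
 * that are accepted when verifying signed SL2.0 responses.
 *
 * <p>Thread-safety: {@link #getInstance()} and {@link #initalize()} are synchronized; the
 * instance is published only after initialization, so the key material is safely visible to
 * callers obtaining the instance through {@link #getInstance()}. Callers that invoke
 * {@link #initalize()} again while other threads use the instance are not supported.
 */
public class JsonSecurityUtils implements IJOSETools {
    private static final Logger logger = LoggerFactory.getLogger(JsonSecurityUtils.class);

    /** {@code cty} header value of every JWS produced by {@link #createSignature(String)}. */
    private static final String COMMAND_CONTENT_TYPE = "application/sl2.0;command";
    /** JWS {@code alg} used for signing outgoing SL2.0 commands. */
    private static final String SIGNING_ALGORITHM = "RS256";
    /** Error code raised when no usable signing key or signing certificate is configured. */
    private static final String ERROR_NO_SIGNING_KEY = "sl20.03";
    /** Error code raised when the JWE recipient certificate does not match our encryption certificate. */
    private static final String ERROR_ENC_CERT_MISMATCH = "sl20.05";

    /** Lazily created singleton; only ever accessed under the class monitor in {@link #getInstance()}. */
    private static JsonSecurityUtils instance = null;

    private Key signPrivKey = null;
    private X509Certificate[] signCertChain = null;
    private Key encPrivKey = null;
    private X509Certificate[] encCertChain = null;
    /** Certificate entries of the configured key store; these are the trust anchors for JWS verification. */
    private final List<X509Certificate> trustedCerts = new ArrayList<>();
    private boolean isInitialized = false;

    /**
     * Returns the singleton, creating and initializing it on first use.
     *
     * <p>Synchronized so that concurrent first callers cannot observe a half-initialized instance;
     * the instance is assigned to the static field only after {@link #initalize()} returned.
     *
     * @return the shared (possibly not successfully initialized, see {@link #isInitialized()}) instance
     */
    public static synchronized JsonSecurityUtils getInstance() {
        if (instance == null) {
            JsonSecurityUtils created = new JsonSecurityUtils();
            created.initalize();
            instance = created;
        }
        return instance;
    }

    private JsonSecurityUtils() {
    }

    /**
     * Loads signing key, optional encryption key and trust anchors from the configured key store.
     *
     * <p>If no key store path is configured nothing is loaded. Any failure is logged and leaves
     * {@link #isInitialized()} {@code false}; no exception escapes. The encryption key is optional:
     * a missing encryption key only disables End-to-End encryption, whereas a missing signing key
     * or signing certificate marks initialization as failed.
     */
    protected synchronized void initalize() {
        logger.info("Initialize SL2.0 authentication security constrains ... ");
        try {
            String keyStorePath = getKeyStoreFilePath();
            if (StringUtils.isEmpty(keyStorePath)) {
                logger.info("SL2.0 security constrains not configurated!");
                return;
            }
            KeyStore keyStore = KeyStoreUtils.loadKeyStore(keyStorePath, getKeyStorePassword());
            loadSigningKey(keyStore);
            loadEncryptionKey(keyStore);
            loadTrustedCertificates(keyStore);

            // instanceof is false for null, so this also covers a missing key entry
            if (!(this.signPrivKey instanceof PrivateKey)) {
                logger.info("Can NOT open privateKey for SL2.0 signing. KeyStore=" + keyStorePath);
                throw new SL20Exception(ERROR_NO_SIGNING_KEY);
            }
            if (this.signCertChain == null || this.signCertChain.length == 0) {
                logger.info("NO certificate for SL2.0 signing. KeyStore=" + keyStorePath);
                throw new SL20Exception(ERROR_NO_SIGNING_KEY);
            }
            this.isInitialized = true;
            logger.info("SL2.0 authentication security constrains initialized.");
        } catch (Exception e) {
            // Deliberately broad: initialization is best-effort and must not break application start-up.
            logger.error("SL2.0 security constrains initialization FAILED.", e);
        }
    }

    /**
     * Reads the signing key and its certificate chain from {@code keyStore}.
     *
     * @throws GeneralSecurityException if the key store rejects the alias or password
     */
    private void loadSigningKey(KeyStore keyStore) throws GeneralSecurityException {
        String alias = getSigningKeyAlias();
        this.signPrivKey = keyStore.getKey(alias, getSigningKeyPassword().toCharArray());
        this.signCertChain = toX509Chain(keyStore.getCertificateChain(alias), "signing");
    }

    /**
     * Reads the optional End-to-End encryption key and its certificate chain from {@code keyStore}.
     * Failures (unknown alias, wrong password, unset configuration) are logged and leave the
     * encryption key unset, because End-to-End encryption is optional.
     */
    private void loadEncryptionKey(KeyStore keyStore) {
        try {
            String alias = getEncryptionKeyAlias();
            this.encPrivKey = keyStore.getKey(alias, getEncryptionKeyPassword().toCharArray());
            if (this.encPrivKey == null) {
                logger.info("No encryption key for SL2.0 found. End-to-End encryption is not used.");
                return;
            }
            this.encCertChain = toX509Chain(keyStore.getCertificateChain(alias), "encryption");
        } catch (Exception e) {
            // Deliberately broad: a missing/unconfigured encryption key is a supported setup.
            logger.warn("No encryption key for SL2.0 found. End-to-End encryption is not used. Reason: " + e.getMessage(), e);
        }
    }

    /**
     * Collects every X.509 certificate entry of {@code keyStore} as trust anchor. Previously loaded
     * anchors are discarded so that a re-initialization reflects the current key store content.
     *
     * @throws GeneralSecurityException if the key store cannot be enumerated
     */
    private void loadTrustedCertificates(KeyStore keyStore) throws GeneralSecurityException {
        this.trustedCerts.clear();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            logger.trace("Process TrustStoreEntry: " + alias);
            if (!keyStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate cert = keyStore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                this.trustedCerts.add((X509Certificate) cert);
            } else {
                logger.info("Can not process entry: " + alias + ". Reason: no X509 certificate");
            }
        }
    }

    /**
     * Converts a key store certificate chain to X.509 certificates, skipping (and logging) entries
     * of any other certificate type.
     *
     * @param chain chain as returned by {@link KeyStore#getCertificateChain(String)}; may be {@code null}
     * @param purpose label used in the warning message ("signing" or "encryption")
     * @return the X.509 certificates of the chain in original order; empty if {@code chain} is {@code null}
     */
    private static X509Certificate[] toX509Chain(Certificate[] chain, String purpose) {
        if (chain == null) {
            return new X509Certificate[0];
        }
        List<X509Certificate> certs = new ArrayList<>(chain.length);
        for (Certificate cert : chain) {
            if (cert instanceof X509Certificate) {
                certs.add((X509Certificate) cert);
            } else {
                logger.warn("NO X509 certificate for " + purpose + ": ");
            }
        }
        return certs.toArray(new X509Certificate[0]);
    }

    /**
     * Builds a whitelist constraint from the given JOSE algorithm identifiers.
     *
     * @param algorithmIds the permitted {@code alg}/{@code enc} identifiers
     * @return constraint accepting exactly these algorithms
     */
    private static AlgorithmConstraints whitelist(List<String> algorithmIds) {
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,
                algorithmIds.toArray(new String[0]));
    }

    /**
     * Signs an SL2.0 command with the configured signing key.
     *
     * <p>The JWS carries the full signing certificate chain ({@code x5c}) and the SHA-256
     * thumbprint of the leaf certificate ({@code x5t#S256}) in its header.
     *
     * @param str the command payload to sign
     * @return the JWS in compact serialization
     * @throws SLCommandoBuildException if jose4j fails to create the signature
     * @throws IllegalStateException if no signing key or certificate has been initialized
     */
    public String createSignature(String str) throws SLCommandoBuildException {
        if (this.signPrivKey == null || this.signCertChain == null || this.signCertChain.length == 0) {
            throw new IllegalStateException("SL2.0 signing key is not initialized; can NOT sign command");
        }
        try {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(str);
            jws.setContentTypeHeaderValue(COMMAND_CONTENT_TYPE);
            jws.setAlgorithmHeaderValue(SIGNING_ALGORITHM);
            jws.setKey(this.signPrivKey);
            jws.setCertificateChainHeaderValue(this.signCertChain);
            jws.setX509CertSha256ThumbprintHeaderValue(this.signCertChain[0]);
            return jws.getCompactSerialization();
        } catch (JoseException e) {
            logger.warn("Can NOT sign SL2.0 command.", e);
            throw new SLCommandoBuildException(e);
        }
    }

    /**
     * Verifies a signed SL2.0 response and returns its JSON payload.
     *
     * <p>Only algorithms in {@link SL20Constants#SL20_ALGORITHM_WHITELIST_SIGNING} are accepted.
     * The verification key is taken from the {@code x5c} header if its leaf certificate is one of
     * the trust anchors, otherwise resolved via the {@code x5t#S256} header against the trust
     * anchors (see {@link #selectVerificationKey(JsonWebSignature)}).
     *
     * @param str the JWS in compact serialization
     * @return the verification result holding the payload as JSON object
     * @throws SLCommandoParserException if no verification key can be selected, or the payload is
     *     not a JSON object
     * @throws SL20SecurityException if the signature is invalid or jose4j fails
     */
    public VerificationResult validateSignature(String str) throws SL20Exception {
        try {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setCompactSerialization(str);
            jws.setAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING));

            Key key = selectVerificationKey(jws);
            if (key == null) {
                logger.info("Can NOT select verification key for JWS. Signature verification FAILED.");
                throw new SLCommandoParserException();
            }
            jws.setKey(key);
            if (!jws.verifySignature()) {
                logger.info("JWS signature invalide. Stopping authentication process ...");
                logger.debug("Received JWS msg: " + str);
                throw new SL20SecurityException();
            }
            logger.debug("SL2.0 commando signature validation sucessfull");

            JsonElement payload = parseJson(jws.getPayload());
            if (!payload.isJsonObject()) {
                logger.info("Signed SL2.0 payload is NOT a JSON object.");
                throw new SLCommandoParserException();
            }
            return new VerificationResult(payload.getAsJsonObject(), (List) null, true);
        } catch (JoseException e) {
            logger.warn("SL2.0 commando signature validation FAILED", e);
            throw new SL20SecurityException(e);
        }
    }

    /**
     * Selects the public key used to verify {@code jws}.
     *
     * <p>If the header carries an {@code x5c} chain, its leaf certificate is accepted only when it
     * is itself a trust anchor (no chain building or path validation is performed here); an
     * {@code x5t#S256} header is ignored in that case. Without {@code x5c}, the key is resolved
     * from the thumbprint header against the trust anchors.
     *
     * @return the verification key, or {@code null} if the {@code x5c} leaf is not trusted
     * @throws SLCommandoParserException if neither certificate nor thumbprint is present
     * @throws JoseException if the header cannot be parsed or the thumbprint matches no trust anchor
     */
    private Key selectVerificationKey(JsonWebSignature jws) throws JoseException, SL20Exception {
        List<X509Certificate> x5c = jws.getCertificateChainHeaderValue();
        if (x5c != null && !x5c.isEmpty()) {
            logger.debug("Found x509 certificate in JOSE header ... ");
            logger.trace("Sorting received X509 certificates ... ");
            List<X509Certificate> sorted = X509Utils.sortCertificates(x5c);
            if (!sorted.isEmpty() && this.trustedCerts.contains(sorted.get(0))) {
                return sorted.get(0).getPublicKey();
            }
            logger.info("Can NOT find JOSE certificate in truststore.");
            return null;
        }

        String x5t256 = jws.getX509CertSha256ThumbprintHeaderValue();
        if (StringUtils.isEmpty(x5t256)) {
            logger.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
            throw new SLCommandoParserException();
        }
        logger.debug("Found x5t256 fingerprint in JOSE header .... ");
        return new X509VerificationKeyResolver(this.trustedCerts).resolveKey(jws, Collections.emptyList());
    }

    /**
     * Parses {@code json}, mapping a syntax error to the protocol's parser exception.
     *
     * @throws SLCommandoParserException if {@code json} is not valid JSON
     */
    private static JsonElement parseJson(String json) throws SLCommandoParserException {
        try {
            return new JsonParser().parse(json);
        } catch (JsonSyntaxException e) {
            logger.warn("SL2.0 payload is NOT a valid JSON.", e);
            throw new SLCommandoParserException(e);
        }
    }

    /**
     * Decrypts an End-to-End encrypted SL2.0 result with the configured encryption key.
     *
     * <p>Only algorithms in {@link SL20Constants#SL20_ALGORITHM_WHITELIST_KEYENCRYPTION} (key
     * management) and {@link SL20Constants#SL20_ALGORITHM_WHITELIST_ENCRYPTION} (content
     * encryption) are accepted, and the recipient certificate named in the JWE header must be our
     * own encryption certificate.
     *
     * @param str the JWE in compact serialization
     * @return the decrypted plaintext parsed as JSON
     * @throws SLCommandoParserException if the header names no certificate, or the plaintext is not JSON
     * @throws SL20Exception if the header's certificate or thumbprint does not match our encryption certificate
     * @throws SL20SecurityException if decryption fails
     * @throws IllegalStateException if no encryption key has been configured
     */
    public JsonElement decryptPayload(String str) throws SL20Exception {
        X509Certificate encCert = getEncryptionCertificate();
        if (encCert == null || this.encPrivKey == null) {
            throw new IllegalStateException("SL2.0 End-to-End encryption is not configured; can NOT decrypt payload");
        }
        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION));
            jwe.setContentEncryptionAlgorithmConstraints(whitelist(SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION));
            jwe.setCompactSerialization(str);
            checkRecipientCertificate(jwe, encCert);
            jwe.setKey(this.encPrivKey);
            return parseJson(jwe.getPlaintextString());
        } catch (JoseException e) {
            logger.warn("SL2.0 result decryption FAILED", e);
            throw new SL20SecurityException(e);
        }
    }

    /**
     * Ensures the JWE header designates {@code encCert} as recipient, either by an {@code x5c}
     * chain whose leaf equals it or by a matching {@code x5t#S256} thumbprint.
     *
     * @throws SLCommandoParserException if neither certificate nor thumbprint is present
     * @throws SL20Exception if the designated certificate is not {@code encCert}
     * @throws JoseException if the header cannot be parsed
     */
    private static void checkRecipientCertificate(JsonWebEncryption jwe, X509Certificate encCert)
            throws JoseException, SL20Exception {
        List<X509Certificate> x5c = jwe.getCertificateChainHeaderValue();
        if (x5c != null && !x5c.isEmpty()) {
            logger.debug("Found x509 certificate in JOSE header ... ");
            logger.trace("Sorting received X509 certificates ... ");
            List<X509Certificate> sorted = X509Utils.sortCertificates(x5c);
            if (sorted.isEmpty() || !sorted.get(0).equals(encCert)) {
                logger.info("Certificate from JOSE header does NOT match encryption certificate");
                if (!sorted.isEmpty()) {
                    logger.debug("JOSE certificate: " + sorted.get(0).toString());
                }
                throw new SL20Exception(ERROR_ENC_CERT_MISMATCH);
            }
            return;
        }

        String x5t256 = jwe.getX509CertSha256ThumbprintHeaderValue();
        if (StringUtils.isEmpty(x5t256)) {
            logger.info("Signed SL2.0 response contains NO signature certificate or NO certificate fingerprint");
            throw new SLCommandoParserException();
        }
        logger.debug("Found x5t256 fingerprint in JOSE header .... ");
        if (!X509Util.x5tS256(encCert).equals(x5t256)) {
            logger.info("X5t256 from JOSE header does NOT match encryption certificate");
            throw new SL20Exception(ERROR_ENC_CERT_MISMATCH);
        }
    }

    /**
     * Returns our End-to-End encryption certificate (leaf of the encryption chain).
     *
     * @return the certificate, or {@code null} if End-to-End encryption is not configured
     */
    public X509Certificate getEncryptionCertificate() {
        if (this.encCertChain == null || this.encCertChain.length == 0) {
            return null;
        }
        return this.encCertChain[0];
    }

    /**
     * @return {@code true} once {@link #initalize()} loaded a usable signing key and certificate
     */
    public boolean isInitialized() {
        return this.isInitialized;
    }

    private String getKeyStoreFilePath() {
        return WebConfiguration.getSL20KeyStorePath();
    }

    private String getKeyStorePassword() {
        return WebConfiguration.getSL20KeyStorePassword();
    }

    private String getSigningKeyAlias() {
        return WebConfiguration.getSL20KeySigningAlias();
    }

    private String getSigningKeyPassword() {
        return WebConfiguration.getSL20KeySigningPassword();
    }

    private String getEncryptionKeyAlias() {
        return WebConfiguration.getSL20KeyEncryptionAlias();
    }

    private String getEncryptionKeyPassword() {
        return WebConfiguration.getSL20KeyEncryptionPassword();
    }
}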
