package at.gv.egovernment.moa.sig.tsl.utils;

import at.gv.egovernment.moa.sig.tsl.TslConstants;
import at.gv.egovernment.moa.sig.tsl.database.dao.DigitalIdContext;
import at.gv.egovernment.moa.sig.tsl.exception.TSLSecurityException;
import at.gv.egovernment.moa.sig.tsl.exception.TslVerificationException;
import iaik.utils.Util;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.ListIterator;
import javax.xml.crypto.KeySelectorException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:at/gv/egovernment/moa/sig/tsl/utils/SecurityCheckUtils.class */
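/**
 * Security checks used while verifying a TSL.
 *
 * <p>The only check implemented is signer pinning for
 * {@link TSLSecurityException.Type#UNTRUSTED_TSL_SIGNER}: the signer certificate must be equal to one of
 * the expected certificates supplied by the caller. The trust decision uses full certificate equality;
 * fingerprints are computed only to build the diagnostic text of the rejection.
 */
public class SecurityCheckUtils {
    private static final Logger log = LoggerFactory.getLogger(SecurityCheckUtils.class);

    /**
     * Runs the check on the first certificate of {@code x509CertificateArr}.
     *
     * <p>Only element 0 is evaluated; any further elements are not inspected. A {@code null} or empty
     * array ends in an unchecked exception from the array access, so the call never passes silently.
     *
     * @param type the check to perform
     * @param x509CertificateArr certificates of which the first one is checked
     * @param listIterator iterator over the expected certificates
     * @throws TslVerificationException see
     *     {@link #securityCheck(TSLSecurityException.Type, X509Certificate, ListIterator)}
     */
    public static void securityCheck(TSLSecurityException.Type type, X509Certificate[] x509CertificateArr, ListIterator<X509Certificate> listIterator) throws TslVerificationException {
        securityCheck(type, x509CertificateArr[0], listIterator);
    }

    /**
     * Rejects {@code x509Certificate} unless it equals one of the expected certificates.
     *
     * <p>The scan starts at the iterator's current position, so callers should hand in an iterator that
     * is positioned in front of the first element; otherwise earlier entries are not considered. The
     * iterator is rewound to the start before this method returns or throws.
     *
     * <p>NOTE(review): for every type other than {@code UNTRUSTED_TSL_SIGNER} this method returns
     * without verifying anything. Callers must not read a normal return as "certificate is trusted"
     * unless they passed that type.
     *
     * @param type the check to perform; {@code null} raises {@link NullPointerException}
     * @param x509Certificate the certificate to check
     * @param listIterator iterator over the expected certificates
     * @throws TslVerificationException if a fingerprint cannot be computed. The rejection itself is
     *     raised as a {@link TSLSecurityException} carrying {@code type} (presumably a subtype; its
     *     declaration is not part of this file) that wraps a {@link KeySelectorException} listing the
     *     expected certificates and the rejected one.
     */
    public static void securityCheck(TSLSecurityException.Type type, X509Certificate x509Certificate, ListIterator<X509Certificate> listIterator) throws TslVerificationException {
        // Switching on the enum keeps the NullPointerException for a null type, so a missing type
        // can never be mistaken for "nothing to check".
        switch (type) {
            case UNTRUSTED_TSL_SIGNER:
                break;
            default:
                return;
        }

        // Computed before the scan: a hashing or encoding problem is reported as
        // TslVerificationException even when the certificate would have matched.
        byte[] fingerPrint = getFingerPrint(x509Certificate, new byte[20]);

        // The loop has to end when the list is exhausted or a match is found; without these exits the
        // check would spin forever and the rejection below could never be reached.
        boolean trusted = false;
        while (listIterator.hasNext()) {
            if (listIterator.next().equals(x509Certificate)) {
                trusted = true;
                break;
            }
        }
        if (trusted) {
            // Same end state as the rejection path, so a reused iterator always covers the full list.
            rewind(listIterator);
            return;
        }

        // Collect "subject fingerPrint=.." for every expected certificate, for the exception text only.
        rewind(listIterator);
        ArrayList<String> expected = new ArrayList<>();
        while (listIterator.hasNext()) {
            X509Certificate next = listIterator.next();
            expected.add((next.getSubjectDN().getName() + " fingerPrint=") + Util.toString(getFingerPrint(next, new byte[20]), ":"));
        }
        rewind(listIterator);
        throw new TSLSecurityException(type, (Throwable) new KeySelectorException("Could not select a certificate, that matches one of the expected certificates\n" + expected + ", but was.\n" + Util.toString(fingerPrint, ":") + "\n" + x509Certificate));
    }

    /** Moves the iterator back in front of its first element. */
    private static void rewind(ListIterator<X509Certificate> listIterator) {
        while (listIterator.hasPrevious()) {
            listIterator.previous();
        }
    }

    /**
     * Computes the {@link TslConstants#CERT_HASH_NAME} digest of the certificate and copies it into
     * {@code bArr}.
     *
     * <p>IAIK certificates use their own {@code getFingerprint}; any other implementation is hashed
     * over its DER encoding with {@link MessageDigest}.
     *
     * <p>Exactly {@code bArr.length} bytes are copied. A digest longer than the buffer is truncated
     * after a warning has been logged; a shorter digest makes {@code System.arraycopy} throw an
     * unchecked exception. The callers in this class pass 20 bytes, which fits a SHA-1 digest.
     * NOTE(review): the exception text below names SHA-1, so CERT_HASH_NAME is presumably "SHA-1";
     * confirm in TslConstants. If so, treat the value as a display and lookup aid and do not base a
     * trust decision on the fingerprint alone.
     *
     * @param x509Certificate certificate to hash; may be {@code null}
     * @param bArr buffer that receives the digest; must not be {@code null}
     * @return {@code bArr} filled with the digest, or {@code null} if {@code x509Certificate} is
     *     {@code null}
     * @throws TslVerificationException if the hash algorithm is unavailable or the certificate cannot
     *     be encoded
     */
    public static byte[] getFingerPrint(X509Certificate x509Certificate, byte[] bArr) throws TslVerificationException {
        if (x509Certificate == null) {
            return null;
        }
        try {
            byte[] digest;
            if (x509Certificate instanceof iaik.x509.X509Certificate) {
                digest = ((iaik.x509.X509Certificate) x509Certificate).getFingerprint(TslConstants.CERT_HASH_NAME);
            } else {
                MessageDigest messageDigest = MessageDigest.getInstance(TslConstants.CERT_HASH_NAME);
                messageDigest.update(x509Certificate.getEncoded());
                digest = messageDigest.digest();
            }
            if (digest.length != bArr.length) {
                log.warn("Digest lenghth does not match.");
            }
            System.arraycopy(digest, 0, bArr, 0, bArr.length);
            return bArr;
        } catch (NoSuchAlgorithmException e) {
            // The trailing Throwable is logged as the exception, not as a format argument.
            log.error("Hash algorithm: {} NOT availabe.", TslConstants.CERT_HASH_NAME, e);
            throw new TslVerificationException("Hash algorithm:SHA-1 NOT availabe.", e);
        } catch (CertificateEncodingException e2) {
            log.error("X509 certificate processing error.", e2);
            throw new TslVerificationException("X509 certificate processing error.", e2);
        }
    }
}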
