package be.ehealth.technicalconnector.validator.impl;

import be.ehealth.technicalconnector.exception.InvalidTimeStampException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.utils.ConfigurableImplementation;
import be.ehealth.technicalconnector.utils.ConnectorCryptoUtils;
import be.ehealth.technicalconnector.validator.TimeStampValidator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.Validate;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.tsp.TimeStampTokenInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/ehealth/technicalconnector/validator/impl/TimeStampValidatorImpl.class */
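/**
 * Validates RFC 3161 time-stamp tokens against a configured trust store.
 *
 * <p>A token is accepted when its signature verifies against <em>any</em> certificate
 * reachable through one of the configured aliases of {@link #keyStore}. The verifier is built
 * with {@link BcRSASignerInfoVerifierBuilder}, so presumably only RSA-signed tokens verify
 * (to be confirmed against the BouncyCastle version in use). This class performs no
 * certificate-path building and no revocation (CRL/OCSP) check of its own; whatever
 * {@link TimeStampToken#validate} checks is all that is enforced here.
 *
 * <p>Instances are configured through {@link #initialize(Map)} or the setters and are not
 * guarded against concurrent reconfiguration while a validation is in progress.
 */
public class TimeStampValidatorImpl implements TimeStampValidator, ConfigurableImplementation {
    private static final Logger LOG = LoggerFactory.getLogger(TimeStampValidatorImpl.class);
    // Trust store holding the TSA certificates; required before any validation.
    private KeyStore keyStore;
    // Aliases of keyStore that are tried, in order, until one verifies the token.
    private List<String> aliases;

    /**
     * Validates that {@code timeStampToken} covers {@code bArr} and is signed by a trusted TSA.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>the digest of {@code bArr}, computed with the imprint algorithm named in the token,
     *       equals the token's message-imprint digest (constant-time comparison);</li>
     *   <li>exactly one of the {@code id-aa-signingCertificate} / {@code id-aa-signingCertificateV2}
     *       signed attributes is present;</li>
     *   <li>{@link #validateTimeStampToken(TimeStampToken)} succeeds.</li>
     * </ol>
     *
     * @param bArr the data the token is supposed to time-stamp
     * @param timeStampToken the token to validate; must not be {@code null}
     * @throws InvalidTimeStampException if any of the checks above fails
     * @throws TechnicalConnectorException if the digest cannot be computed
     */
    @Override // be.ehealth.technicalconnector.validator.TimeStampValidator
    public void validateTimeStampToken(byte[] bArr, TimeStampToken timeStampToken) throws InvalidTimeStampException, TechnicalConnectorException {
        Validate.notNull(timeStampToken, "Parameter tsToken value is not nullable.");
        TimeStampTokenInfo tstInfo = timeStampToken.getTimeStampInfo();
        // The digest algorithm is taken from the (signed) token itself, so the imprint check is
        // only meaningful together with the signature check further down.
        byte[] expectedImprint = ConnectorCryptoUtils.calculateDigest(tstInfo.getMessageImprintAlgOID().getId(), bArr);
        // MessageDigest.isEqual is constant-time; the token content is untrusted input.
        if (!MessageDigest.isEqual(expectedImprint, tstInfo.getMessageImprintDigest())) {
            throw new InvalidTimeStampException("Response for different message imprint digest.");
        }
        Attribute signingCert = timeStampToken.getSignedAttributes().get(PKCSObjectIdentifiers.id_aa_signingCertificate);
        Attribute signingCertV2 = timeStampToken.getSignedAttributes().get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
        if (signingCert == null && signingCertV2 == null) {
            throw new InvalidTimeStampException("no signing certificate attribute present.", null);
        }
        if (signingCert != null && signingCertV2 != null) {
            throw new InvalidTimeStampException("Conflicting signing certificate attributes present.");
        }
        validateTimeStampToken(timeStampToken);
    }

    /**
     * Validates the signature of {@code timeStampToken} against the configured trust store.
     *
     * <p>Each configured alias is tried in order; the first certificate that verifies the token
     * makes the validation succeed. Aliases without a certificate entry are skipped. If no alias
     * verifies, the exception raised by the last attempt (if any) is attached as the cause.
     *
     * @param timeStampToken the token to validate; must not be {@code null}
     * @throws InvalidTimeStampException if no configured certificate verifies the token
     * @throws TechnicalConnectorException declared by the interface; not raised by this implementation
     * @throws IllegalArgumentException if the validator has not been initialised
     */
    @Override // be.ehealth.technicalconnector.validator.TimeStampValidator
    public void validateTimeStampToken(TimeStampToken timeStampToken) throws InvalidTimeStampException, TechnicalConnectorException {
        Validate.notNull(this.keyStore, "keyStore is not correctly initialised.");
        Validate.notNull(this.aliases, "aliases is not correctly initialised.");
        Validate.notNull(timeStampToken, "Parameter tsToken value is not nullable.");
        TimeStampTokenInfo tstInfo = timeStampToken.getTimeStampInfo();
        if (tstInfo != null) {
            LOG.debug("Validating TimeStampToken with SerialNumber [{}]", tstInfo.getSerialNumber());
            if (tstInfo.getTsa() != null) {
                LOG.debug("Validating Timestamp against TrustStore Looking for [{}].", tstInfo.getTsa().getName());
            }
        }
        if (this.aliases.isEmpty()) {
            // Without aliases the loop below never runs and every token is rejected; make that visible.
            LOG.warn("No trust store aliases configured; no TimeStampToken can be validated.");
        }
        // The builder only carries algorithm finders; one instance serves every alias.
        BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(
                new DefaultCMSSignatureAlgorithmNameGenerator(),
                new DefaultSignatureAlgorithmIdentifierFinder(),
                new DefaultDigestAlgorithmIdentifierFinder(),
                new BcDigestCalculatorProvider());
        Exception lastFailure = null;
        for (String alias : this.aliases) {
            try {
                X509Certificate cert = (X509Certificate) this.keyStore.getCertificate(alias);
                if (cert == null) {
                    LOG.debug("Skipping alias [{}]: no certificate entry in trust store.", alias);
                    continue;
                }
                LOG.debug("Trying to validate timestamp against certificate with alias [{}] : [{}]", alias, cert.getSubjectX500Principal().getName("RFC1779"));
                timeStampToken.validate(verifierBuilder.build(new X509CertificateHolder(cert.getEncoded())));
                LOG.debug("timestampToken is valid");
                return;
            } catch (Exception e) {
                // Best-effort: a failure with one alias must not stop the others from being tried.
                lastFailure = e;
                LOG.debug("TimeStampToken not valid with certificate-alias [{}]: {}", alias, e.getMessage());
            }
        }
        throw new InvalidTimeStampException("timestamp is not valid ", lastFailure);
    }

    /**
     * Returns all aliases of {@link #keyStore}, in reverse enumeration order.
     *
     * @return a fresh, mutable list; empty (with a warning logged) if the store cannot be read
     */
    private List<String> getAliases() {
        try {
            List<String> list = Collections.list(this.keyStore.aliases());
            Collections.reverse(list);
            return list;
        } catch (KeyStoreException e) {
            // Previously swallowed silently, which made every later validation fail with no hint why.
            LOG.warn("Unable to enumerate trust store aliases; no TSA certificate will be trusted.", e);
            return new ArrayList<>();
        }
    }

    /**
     * Configures the trust store from {@code map} and trusts every alias it contains.
     *
     * @param map configuration; must contain a {@link KeyStore} under {@link TimeStampValidator#KEYSTORE}
     * @throws TechnicalConnectorException declared by the interface; not raised by this implementation
     * @throws IllegalArgumentException if the key store is missing from {@code map}
     */
    @Override // be.ehealth.technicalconnector.utils.ConfigurableImplementation
    public void initialize(Map<String, Object> map) throws TechnicalConnectorException {
        setKeyStore((KeyStore) map.get(TimeStampValidator.KEYSTORE));
        Validate.notNull(this.keyStore, "keyStore is not correctly initialised.");
        // getAliases() never returns null, so the list can be taken as-is.
        this.aliases = getAliases();
    }

    /**
     * Sets the trust store used for validation.
     *
     * @param keyStore the store holding the TSA certificates
     */
    @Override // be.ehealth.technicalconnector.validator.TimeStampValidator
    public void setKeyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
    }

    /**
     * Restricts validation to the given aliases of the trust store.
     *
     * @param list aliases to try, in order; copied so later changes by the caller have no effect
     */
    @Override // be.ehealth.technicalconnector.validator.TimeStampValidator
    public void setAliases(List<String> list) {
        this.aliases = list == null ? null : new ArrayList<>(list);
    }
}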
