package be.ehealth.technicalconnector.service.etee.impl;

import be.ehealth.technicalconnector.config.ConfigFactory;
import be.ehealth.technicalconnector.config.Configuration;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.exception.UnsealConnectorException;
import be.ehealth.technicalconnector.exception.UnsealConnectorExceptionValues;
import be.ehealth.technicalconnector.handler.SchemaValidatorHandler;
import be.ehealth.technicalconnector.service.etee.Crypto;
import be.ehealth.technicalconnector.service.etee.domain.EncryptionToken;
import be.ehealth.technicalconnector.service.etee.domain.UnsealedData;
import be.ehealth.technicalconnector.service.kgss.domain.KeyResult;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.ehealth.technicalconnector.service.sts.security.impl.BeIDCredential;
import be.fgov.ehealth.etee.crypto.decrypt.DataUnsealer;
import be.fgov.ehealth.etee.crypto.decrypt.DataUnsealerBuilder;
import be.fgov.ehealth.etee.crypto.encrypt.DataSealer;
import be.fgov.ehealth.etee.crypto.encrypt.DataSealerBuilder;
import be.fgov.ehealth.etee.crypto.policies.EncryptionCredential;
import be.fgov.ehealth.etee.crypto.policies.EncryptionCredentials;
import be.fgov.ehealth.etee.crypto.policies.EncryptionPolicy;
import be.fgov.ehealth.etee.crypto.policies.OCSPOption;
import be.fgov.ehealth.etee.crypto.policies.OCSPPolicy;
import be.fgov.ehealth.etee.crypto.policies.SigningCredential;
import be.fgov.ehealth.etee.crypto.policies.SigningOption;
import be.fgov.ehealth.etee.crypto.policies.SigningPolicy;
import be.fgov.ehealth.etee.crypto.status.CryptoResult;
import be.fgov.ehealth.etee.crypto.status.NotificationWarning;
import be.fgov.ehealth.etee.crypto.utils.Iterables;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.ArrayUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/ehealth/technicalconnector/service/etee/impl/CryptoImpl.class */
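/**
 * End-to-end encryption ({@code Crypto}) implementation backed by the eHealth
 * {@link DataSealer} / {@link DataUnsealer} builders.
 *
 * <p>One sealer and one unsealer are kept per {@link Crypto.SigningPolicySelector}
 * (with or without non-repudiation). They are created by {@link #initialize(Map)}
 * or by the deprecated two-argument constructor; sealing or unsealing before that
 * fails with a {@link TechnicalConnectorException} (not a NullPointerException).
 *
 * <p>The backing {@link EnumMap}s are unsynchronized: initialise the instance before
 * sharing it between threads.
 *
 * <p>Note on the decompiled original: the synthetic {@code $SwitchMap} helper class
 * has been replaced by direct {@code switch} statements on the enum, which is what
 * the compiler generated it from.
 */
public class CryptoImpl extends AbstractEndToEndCrypto {
    /**
     * Configuration root key listing the {@link NotificationWarning} names that may be
     * ignored when unsealing. See {@link #ignoreWarnings} for the exact semantics — in
     * particular, leaving this key unconfigured accepts <em>all</em> warnings.
     */
    public static final String PROP_LIST_IGNORED_NOTIFICATION_ERRORS_ROOTKEY = "be.ehealth.technicalconnector.service.etee.cryptoimpl.ignored_notification_errors";
    private final Map<Crypto.SigningPolicySelector, DataSealer> dataSealer = new EnumMap<Crypto.SigningPolicySelector, DataSealer>(Crypto.SigningPolicySelector.class);
    private final Map<Crypto.SigningPolicySelector, DataUnsealer> dataUnsealer = new EnumMap<Crypto.SigningPolicySelector, DataUnsealer>(Crypto.SigningPolicySelector.class);
    private static final Logger LOG = LoggerFactory.getLogger(CryptoImpl.class);
    private static final String PROP_CAKEYSTORE_PASSWORD = "CAKEYSTORE_PASSWORD";
    private static final String PROP_KEYSTORE_DIR = "KEYSTORE_DIR";
    private static final String PROP_CAKEYSTORE_PATH = "CAKEYSTORE_LOCATION";
    // Validated configuration: the three keystore properties must be present for this class to load.
    private static final Configuration config = ConfigFactory.getConfigValidatorFor(PROP_CAKEYSTORE_PASSWORD, PROP_KEYSTORE_DIR, PROP_CAKEYSTORE_PATH);

    /** Creates an uninitialised instance; call {@link #initialize(Map)} before sealing or unsealing. */
    public CryptoImpl() {
    }

    /**
     * Builds sealers and unsealers for both signing-policy selectors without any OCSP
     * checking ({@link OCSPPolicy#NONE}) and without OCSP or signing options.
     *
     * @param credential the sealing credential (eID or eHealth certificate)
     * @param map decryption keys by identifier, handed to the unsealers
     * @throws TechnicalConnectorException if a sealer or unsealer cannot be built
     * @deprecated use the no-arg constructor followed by {@link #initialize(Map)}, which
     *     lets the caller choose the OCSP policy instead of silently disabling revocation checks
     */
    @Deprecated
    public CryptoImpl(Credential credential, Map<String, PrivateKey> map) throws TechnicalConnectorException {
        Map<OCSPOption, Object> noOcspOptions = new EnumMap<OCSPOption, Object>(OCSPOption.class);
        Map<SigningOption, Object> noSigningOptions = new EnumMap<SigningOption, Object>(SigningOption.class);
        initSealing(Crypto.SigningPolicySelector.WITH_NON_REPUDIATION, credential, OCSPPolicy.NONE, noOcspOptions);
        initSealing(Crypto.SigningPolicySelector.WITHOUT_NON_REPUDIATION, credential, OCSPPolicy.NONE, noOcspOptions);
        initUnsealing(Crypto.SigningPolicySelector.WITH_NON_REPUDIATION, map, OCSPPolicy.NONE, noOcspOptions, noSigningOptions, SigningPolicy.EHEALTH_CERT, SigningPolicy.EID);
        initUnsealing(Crypto.SigningPolicySelector.WITHOUT_NON_REPUDIATION, map, OCSPPolicy.NONE, noOcspOptions, noSigningOptions, SigningPolicy.EHEALTH_CERT, SigningPolicy.EID);
    }

    /**
     * Seals {@code bArr} for the given recipients.
     *
     * <p>Recipients are the certificates of the encryption tokens in {@code set}
     * (public-key encryption) followed, when {@code keyResult} is given, by its
     * secret key (symmetric encryption for unknown recipients). Either may be absent,
     * but the underlying sealer decides whether zero recipients is acceptable.
     *
     * @param signingPolicySelector which sealer (with / without non-repudiation) to use
     * @param set encryption tokens of the recipients, may be null or empty
     * @param keyResult KGSS key to add as a symmetric recipient, may be null
     * @param bArr the plaintext
     * @return the sealed message
     * @throws TechnicalConnectorException wrapping any failure, including an uninitialised sealer
     */
    @Override // be.ehealth.technicalconnector.service.etee.Crypto
    public byte[] seal(Crypto.SigningPolicySelector signingPolicySelector, Set<EncryptionToken> set, KeyResult keyResult, byte[] bArr) throws TechnicalConnectorException {
        try {
            // Inherited helper; presumably writes the plaintext to the log — TODO confirm at which
            // level before enabling verbose logging where sealed content is sensitive.
            dumpMessage(bArr, "Message to seal:");
            List<EncryptionCredential> recipients = new ArrayList<EncryptionCredential>();
            if (set != null && !set.isEmpty()) {
                recipients.addAll(Arrays.asList(convertToEncryptionCredential(set)));
            }
            if (keyResult != null) {
                recipients.add(EncryptionCredential.create(keyResult.getSecretKey(), keyResult.getKeyId()));
            }
            EncryptionCredential[] credentials = recipients.toArray(new EncryptionCredential[recipients.size()]);
            return getDataSealer(signingPolicySelector).seal(bArr, credentials);
        } catch (Exception e) {
            // Log through the logger (with the stack trace) instead of printStackTrace(), and keep the cause.
            LOG.error("Error while sealing message : {}", e.getMessage(), e);
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_CRYPTO, e, "Data can't be sealed.");
        }
    }

    /**
     * Turns each token's ETK certificate into a public-key {@link EncryptionCredential}.
     * Duplicates are collapsed through a {@link HashSet}; the resulting order is unspecified.
     *
     * @param set the encryption tokens, may be null
     * @return the credentials; empty (never null) when {@code set} is null or empty
     */
    private static EncryptionCredential[] convertToEncryptionCredential(Set<EncryptionToken> set) {
        if (set == null) {
            return new EncryptionCredential[0];
        }
        Set<EncryptionCredential> credentials = new HashSet<EncryptionCredential>();
        for (EncryptionToken token : set) {
            credentials.add(EncryptionCredential.create(token.getEtk().getCertificate()));
        }
        return credentials.toArray(new EncryptionCredential[credentials.size()]);
    }

    /**
     * Unseals a message addressed to one of the configured private keys.
     *
     * @param signingPolicySelector which unsealer (with / without non-repudiation) to use
     * @param bArr the sealed message
     * @return the unsealed data
     * @throws TechnicalConnectorException if the unsealer is not initialised or the result has
     *     errors or non-ignorable warnings (then an {@link UnsealConnectorException})
     */
    @Override // be.ehealth.technicalconnector.service.etee.Crypto
    public UnsealedData unseal(Crypto.SigningPolicySelector signingPolicySelector, byte[] bArr) throws TechnicalConnectorException {
        return processUnsealResult(getDataUnsealer(signingPolicySelector).unseal(bArr));
    }

    /**
     * Unseals a message with the symmetric key of a KGSS {@link KeyResult}.
     *
     * @param signingPolicySelector which unsealer (with / without non-repudiation) to use
     * @param keyResult the key result holding the secret key; must not be null
     * @param bArr the sealed message
     * @return the unsealed data
     * @throws TechnicalConnectorException as for {@link #unseal(Crypto.SigningPolicySelector, byte[])}
     */
    @Override // be.ehealth.technicalconnector.service.etee.Crypto
    public UnsealedData unseal(Crypto.SigningPolicySelector signingPolicySelector, KeyResult keyResult, byte[] bArr) throws TechnicalConnectorException {
        return processUnsealResult(getDataUnsealer(signingPolicySelector).unseal(bArr, keyResult.getSecretKey()));
    }

    /**
     * Converts a library result into the connector's {@link UnsealedData}, rejecting results
     * with errors and results whose warnings are not accepted by {@link #ignoreWarnings}.
     *
     * @throws UnsealConnectorException carrying the full {@link CryptoResult} when rejected
     */
    private static UnsealedData processUnsealResult(CryptoResult<be.fgov.ehealth.etee.crypto.decrypt.UnsealedData> cryptoResult) throws TechnicalConnectorException {
        if (cryptoResult.hasErrors()) {
            LOG.error("Unsealed message is invalid.");
            throw new UnsealConnectorException(UnsealConnectorExceptionValues.ERROR_CRYPTO, (CryptoResult<?>) cryptoResult, "Data can't be unsealed.");
        }
        if (!ignoreWarnings(cryptoResult)) {
            throw new UnsealConnectorException(UnsealConnectorExceptionValues.ERROR_CRYPTO, (CryptoResult<?>) cryptoResult, "Data can't be unsealed.");
        }
        return map((be.fgov.ehealth.etee.crypto.decrypt.UnsealedData) cryptoResult.getData());
    }

    /**
     * Decides whether the {@link NotificationWarning}s of an otherwise successful unseal may be accepted.
     *
     * <p>The rules are those of the original implementation and matter when hardening a deployment:
     * <ul>
     * <li>no warnings: accept;</li>
     * <li>{@value #PROP_LIST_IGNORED_NOTIFICATION_ERRORS_ROOTKEY} not configured (or empty): every
     *     warning is accepted and merely logged at INFO — the default is fail-open;</li>
     * <li>configured: only the listed warnings are dropped; any remaining warning rejects the data.</li>
     * </ul>
     *
     * @return true when the result may be used despite its warnings
     * @throws IllegalArgumentException if a configured value is not a {@link NotificationWarning} name
     */
    private static boolean ignoreWarnings(CryptoResult<be.fgov.ehealth.etee.crypto.decrypt.UnsealedData> cryptoResult) {
        Set<NotificationWarning> remaining = new HashSet<NotificationWarning>();
        remaining.addAll(cryptoResult.getWarnings());
        List<String> ignored = config.getMatchingProperties(PROP_LIST_IGNORED_NOTIFICATION_ERRORS_ROOTKEY);
        if (ignored == null) {
            ignored = new ArrayList<String>();
        }
        for (String name : ignored) {
            // Locale.ROOT: enum names are ASCII, so the default locale must not influence the mapping.
            remaining.remove(NotificationWarning.valueOf(name.toUpperCase(Locale.ROOT)));
        }
        if (remaining.isEmpty()) {
            return true;
        }
        if (ignored.isEmpty()) {
            // Nothing configured: accept all warnings, but leave a trace of what was waved through.
            for (NotificationWarning warning : remaining) {
                LOG.info("Ignored warnings: {}", warning);
            }
            return true;
        }
        return false;
    }

    /**
     * Copies the content, authentication certificate, signature, signing time and signature
     * certificate of a library {@code UnsealedData} into the connector's own domain object.
     *
     * @param unsealedData the library result; must not be null
     * @return a new, populated {@link UnsealedData}
     */
    public static UnsealedData map(be.fgov.ehealth.etee.crypto.decrypt.UnsealedData unsealedData) {
        UnsealedData result = new UnsealedData();
        result.setContent(unsealedData.getContent());
        result.setAuthenticationCert(unsealedData.getAuthenticationCert());
        result.setSignature(unsealedData.getSignature());
        result.setSigningTime(unsealedData.getSigningTime());
        result.setSignatureCert(unsealedData.getSignatureCert());
        return result;
    }

    /**
     * Returns the sealer for the selector.
     *
     * @throws TechnicalConnectorException if no sealer was initialised for the selector
     */
    private DataSealer getDataSealer(Crypto.SigningPolicySelector signingPolicySelector) throws TechnicalConnectorException {
        // The map itself is final and never null; what can be missing is the entry.
        DataSealer sealer = this.dataSealer.get(signingPolicySelector);
        if (sealer == null) {
            throw notLoaded("Data Sealer not loaded");
        }
        return sealer;
    }

    /**
     * Returns the unsealer for the selector.
     *
     * @throws TechnicalConnectorException if no unsealer was initialised for the selector
     */
    private DataUnsealer getDataUnsealer(Crypto.SigningPolicySelector signingPolicySelector) throws TechnicalConnectorException {
        DataUnsealer unsealer = this.dataUnsealer.get(signingPolicySelector);
        if (unsealer == null) {
            throw notLoaded("Data Unsealer not loaded");
        }
        return unsealer;
    }

    /** Builds (and debug-logs) the ERROR_CRYPTO exception used when a sealer/unsealer is missing. */
    private static TechnicalConnectorException notLoaded(String detail) {
        TechnicalConnectorExceptionValues value = TechnicalConnectorExceptionValues.ERROR_CRYPTO;
        if (LOG.isDebugEnabled()) {
            LOG.debug(MessageFormat.format(value.getMessage(), detail));
        }
        return new TechnicalConnectorException(value, detail);
    }

    /**
     * Initialises sealers and unsealers for both selectors from the configuration map.
     *
     * <p>Required keys: {@link Crypto#DATASEALER_CREDENTIAL} ({@link Credential}) and
     * {@link Crypto#DATAUNSEALER_PKMAP} ({@code Map<String, PrivateKey>}). Optional:
     * {@link Crypto#OCSP_OPTIONMAP}, {@link Crypto#SIGNING_OPTIONMAP} (default empty) and
     * {@link Crypto#OCSP_POLICY} (default {@link OCSPPolicy#RECEIVER_MANDATORY}).
     *
     * @param map the configuration; must not be null
     * @throws TechnicalConnectorException if a required key is missing or a builder fails
     */
    @Override // be.ehealth.technicalconnector.utils.ConfigurableImplementation
    @SuppressWarnings("unchecked") // the map values are untyped; the generic Map casts cannot be checked
    public void initialize(Map<String, Object> map) throws TechnicalConnectorException {
        Credential credential = extract(Crypto.DATASEALER_CREDENTIAL, map, null, Credential.class);
        Map<String, PrivateKey> privateKeys = (Map<String, PrivateKey>) extract(Crypto.DATAUNSEALER_PKMAP, map, null, Map.class);
        Map<OCSPOption, Object> ocspOptions = (Map<OCSPOption, Object>) extract(Crypto.OCSP_OPTIONMAP, map, new HashMap<OCSPOption, Object>(), Map.class);
        Map<SigningOption, Object> signingOptions = (Map<SigningOption, Object>) extract(Crypto.SIGNING_OPTIONMAP, map, new HashMap<SigningOption, Object>(), Map.class);
        OCSPPolicy ocspPolicy = extract(Crypto.OCSP_POLICY, map, OCSPPolicy.RECEIVER_MANDATORY, OCSPPolicy.class);
        initSealing(Crypto.SigningPolicySelector.WITH_NON_REPUDIATION, credential, ocspPolicy, ocspOptions);
        initSealing(Crypto.SigningPolicySelector.WITHOUT_NON_REPUDIATION, credential, ocspPolicy, ocspOptions);
        initUnsealing(Crypto.SigningPolicySelector.WITH_NON_REPUDIATION, privateKeys, ocspPolicy, ocspOptions, signingOptions, SigningPolicy.EHEALTH_CERT, SigningPolicy.EID);
        initUnsealing(Crypto.SigningPolicySelector.WITHOUT_NON_REPUDIATION, privateKeys, ocspPolicy, ocspOptions, signingOptions, SigningPolicy.EHEALTH_CERT, SigningPolicy.EID);
    }

    /**
     * Reads {@code str} from the configuration map.
     *
     * @param str the key
     * @param map the configuration map; must not be null
     * @param t the default, or null to make the key mandatory
     * @param cls the expected type, used for the cast and the error message
     * @return the value, or {@code t} when absent
     * @throws TechnicalConnectorException if the key is absent and no default was given
     * @throws ClassCastException if the value is present but not a {@code cls}
     */
    private static <T> T extract(String str, Map<String, Object> map, T t, Class<T> cls) throws TechnicalConnectorException {
        T value = cls.cast(map.get(str));
        if (value != null) {
            return value;
        }
        if (t == null) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.CORE_TECHNICAL, "could not build initialize " + cls + " with initialize, wrong input parameters : expected property " + str + " but got null.");
        }
        return t;
    }

    /**
     * Builds and registers the sealer for one selector.
     *
     * <p>For a {@link BeIDCredential} the authentication key (alias
     * {@link BeIDCredential#EID_AUTH_ALIAS}) is always used as authentication credential;
     * the signing credential is the non-repudiation key ({@link BeIDCredential#EID_SIGN_ALIAS})
     * for {@code WITH_NON_REPUDIATION} and the authentication key otherwise. For any other
     * credential its private key and certificate chain serve for both roles under
     * {@link SigningPolicy#EHEALTH_CERT}.
     *
     * @throws IllegalArgumentException for an unknown selector, or (eID) a keystore problem
     * @throws IllegalStateException (eID) if the key cannot be recovered or a provider is missing
     */
    private void initSealing(Crypto.SigningPolicySelector signingPolicySelector, Credential credential, OCSPPolicy oCSPPolicy, Map<OCSPOption, Object> map) throws TechnicalConnectorException {
        SigningPolicy signingPolicy;
        SigningCredential authenticationCredential;
        SigningCredential signingCredential;
        if (credential instanceof BeIDCredential) {
            signingPolicy = SigningPolicy.EID;
            KeyStore keyStore = credential.getKeyStore();
            authenticationCredential = retrieveSigningCredential(BeIDCredential.EID_AUTH_ALIAS, keyStore);
            switch (signingPolicySelector) {
                case WITH_NON_REPUDIATION:
                    signingCredential = retrieveSigningCredential(BeIDCredential.EID_SIGN_ALIAS, keyStore);
                    break;
                case WITHOUT_NON_REPUDIATION:
                    signingCredential = authenticationCredential;
                    break;
                default:
                    throw new IllegalArgumentException("Unsupported SigningPolicyType [ " + signingPolicySelector + "]");
            }
        } else {
            signingPolicy = SigningPolicy.EHEALTH_CERT;
            authenticationCredential = SigningCredential.create(credential.getPrivateKey(), toX509Chain(credential.getCertificateChain()));
            signingCredential = authenticationCredential;
        }
        DataSealer sealer = DataSealerBuilder.newBuilder()
                .addOCSPPolicy(oCSPPolicy, map)
                .addSigningPolicy(signingPolicy, authenticationCredential, signingCredential)
                .addPublicKeyPolicy(EncryptionPolicy.KNOWN_RECIPIENT)
                .addSecretKeyPolicy(EncryptionPolicy.UNKNOWN_RECIPIENT)
                .build();
        this.dataSealer.put(signingPolicySelector, sealer);
    }

    /**
     * Narrows a certificate chain to {@link X509Certificate}s.
     *
     * @throws ArrayStoreException if an element of the chain is not an X.509 certificate
     */
    private static X509Certificate[] toX509Chain(Certificate[] chain) {
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Loads the private key and certificate chain stored under {@code str}.
     *
     * <p>No key password is passed to {@link KeyStore#getKey}; presumably the eID keystore
     * handles PIN entry itself — TODO confirm before reusing this for other keystore types.
     *
     * @throws IllegalArgumentException if the alias has no chain or the keystore is not initialised
     * @throws IllegalStateException if the key cannot be recovered or the algorithm is unavailable
     */
    private SigningCredential retrieveSigningCredential(String str, KeyStore keyStore) {
        try {
            Certificate[] certificateChain = keyStore.getCertificateChain(str);
            if (certificateChain == null || certificateChain.length == 0) {
                throw new IllegalArgumentException("The KeyStore doesn't contain the required key with alias [" + str + "]");
            }
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(str, null);
            return SigningCredential.create(privateKey, Iterables.newList(toX509Chain(certificateChain)));
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("Given keystore hasn't been initialized", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new IllegalStateException("There is a problem with the Security configuration... Check if all the required security providers are correctly registered", e2);
        } catch (UnrecoverableKeyException e3) {
            throw new IllegalStateException("The private key with alias [" + str + "] could not be recovered from the given keystore", e3);
        }
    }

    /**
     * Builds and registers the unsealer for one selector.
     *
     * <p>The selector is turned into the {@link SigningOption#NON_REPUDIATION} flag on a copy
     * of {@code map3}; the trust store for signature validation is read from the OCSP options
     * under {@link OCSPOption#TRUST_STORE} and is null when not configured.
     *
     * @param map decryption keys by identifier (logged at DEBUG by key id only)
     * @param signingPolicyArr the signing policies the unsealer accepts
     * @throws IllegalArgumentException for an unknown selector
     */
    private void initUnsealing(Crypto.SigningPolicySelector signingPolicySelector, Map<String, PrivateKey> map, OCSPPolicy oCSPPolicy, Map<OCSPOption, Object> map2, Map<SigningOption, Object> map3, SigningPolicy... signingPolicyArr) throws TechnicalConnectorException {
        if (LOG.isDebugEnabled()) {
            for (String keyId : map.keySet()) {
                LOG.debug("Key Available for decryption : {}", keyId);
            }
        }
        EnumMap<SigningOption, Object> signingOptions = new EnumMap<SigningOption, Object>(SigningOption.class);
        signingOptions.putAll(map3);
        switch (signingPolicySelector) {
            case WITH_NON_REPUDIATION:
                signingOptions.put(SigningOption.NON_REPUDIATION, Boolean.TRUE);
                break;
            case WITHOUT_NON_REPUDIATION:
                signingOptions.put(SigningOption.NON_REPUDIATION, Boolean.FALSE);
                break;
            default:
                throw new IllegalArgumentException("Unsupported SigningPolicyType [ " + signingPolicySelector + "]");
        }
        // Null when TRUST_STORE was not configured; what the builder does then is not visible here — TODO confirm.
        KeyStore trustStore = (KeyStore) map2.get(OCSPOption.TRUST_STORE);
        DataUnsealer unsealer = DataUnsealerBuilder.newBuilder()
                .addOCSPPolicy(oCSPPolicy, map2)
                .addSigningPolicy(trustStore, signingOptions, signingPolicyArr)
                .addPublicKeyPolicy(EncryptionPolicy.KNOWN_RECIPIENT, EncryptionCredentials.from(map))
                .addSecretKeyPolicy(EncryptionPolicy.UNKNOWN_RECIPIENT)
                .build();
        this.dataUnsealer.put(signingPolicySelector, unsealer);
    }
}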
