package be.fgov.ehealth.technicalconnector.bootstrap.tsl.signature;

import be.ehealth.technicalconnector.config.ConfigFactory;
import be.ehealth.technicalconnector.config.ConfigValidator;
import be.ehealth.technicalconnector.exception.ConfigurationException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.utils.ConnectorIOUtils;
import be.fgov.ehealth.technicalconnector.signature.AdvancedElectronicSignatureEnumeration;
import be.fgov.ehealth.technicalconnector.signature.SignatureBuilderFactory;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.ArrayUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/bootstrap/tsl/signature/TrustServiceStatusListSignatureVerifier.class */
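/**
 * Verifies the XAdES signature on a Trust Service Status List (TSL) document and checks that
 * the signing certificate is one of the configured TSL Operator (TSLO) trust anchors.
 *
 * <p>A document is accepted by {@link #isValid(String)} only when all of the following hold:
 * <ul>
 *   <li>the XAdES signature verifies (delegated to {@link SignatureBuilderFactory});</li>
 *   <li>the signing certificate carries the TSL-signing extended key usage
 *       (OID {@value #OID_TSL_SIGNING});</li>
 *   <li>the signing certificate itself, or at least its public key, is present in the TSLO
 *       keystore configured through {@link #PROP_TSL_STORELOCATION}.</li>
 * </ul>
 *
 * <p>NOTE(review): this class does not check the validity period or revocation status of the
 * signing certificate; presumably the XAdES verifier does — confirm before relying on it.
 *
 * <p>Utility class: not instantiable. The TSLO store is loaded once at class initialisation
 * (fail-closed: an unreadable keystore yields an empty store, so nothing verifies) and can be
 * refreshed at runtime with {@link #reloadCertStore()}.
 */
public final class TrustServiceStatusListSignatureVerifier {
    /** Config key: password of the TSLO keystore (defaults to the empty string). */
    public static final String PROP_TSL_STOREPWD = "be.fgov.ehealth.technicalconnector.bootstrap.tsl.keystore.pwd";
    /** Config key: resource location of the TSLO keystore. */
    public static final String PROP_TSL_STORELOCATION = "be.fgov.ehealth.technicalconnector.bootstrap.tsl.keystore.location";
    /** Config key: keystore type (defaults to {@code JKS}). */
    public static final String PROP_TSL_STORETYPE = "be.fgov.ehealth.technicalconnector.bootstrap.tsl.keystore.type";
    private static final Logger LOG = LoggerFactory.getLogger(TrustServiceStatusListSignatureVerifier.class);
    /** Extended key usage OID that a TSL signing certificate must carry. */
    private static final String OID_TSL_SIGNING = "0.4.0.2231.3.0";
    /**
     * Trust anchors accepted as TSL signers. Declared {@code volatile} because
     * {@link #reloadCertStore()} is public and may swap the store while other threads verify.
     */
    private static volatile CertStore tsloStore;

    private TrustServiceStatusListSignatureVerifier() {
        throw new UnsupportedOperationException();
    }

    /**
     * Checks whether {@code str} is a TSL signed by a trusted TSL Operator.
     *
     * @param str the signed TSL document (XML, as a UTF-8 string)
     * @return {@code true} only if the XAdES signature is valid, the signing certificate carries
     *         the TSL-signing extended key usage, and the certificate (or its public key) is found
     *         in the TSLO store; {@code false} on any failure, including unexpected exceptions
     */
    public static boolean isValid(String str) {
        try {
            SignatureVerificationResult verify = SignatureBuilderFactory.getSignatureBuilder(AdvancedElectronicSignatureEnumeration.XAdES).verify(str.getBytes(StandardCharsets.UTF_8), new HashMap<>());
            if (!verify.isValid()) {
                throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_SIGNATURE_VALIDATION, new Object[]{ArrayUtils.toString(verify.getErrors().toArray())});
            }
            X509Certificate signingCert = verify.getSigningCert();
            // getExtendedKeyUsage() returns null when the extension is absent; reject explicitly
            // instead of relying on the NPE falling into the generic catch below.
            List<String> extendedKeyUsage = signingCert.getExtendedKeyUsage();
            if (extendedKeyUsage == null || !extendedKeyUsage.contains(OID_TSL_SIGNING)) {
                LOG.warn("Signing certificate [{}] does not carry TSL signing ExtendedKeyUsage {}",
                        signingCert.getSubjectX500Principal().getName("RFC1779"), OID_TSL_SIGNING);
                return false;
            }
            LOG.debug("ExtendedKeyUsage correct. OID 0.4.0.2231.3.0 found.");
            dumpTsloStore();
            // Exact certificate match first; otherwise accept the same TSLO public key under a
            // re-issued certificate.
            return match(baseOnCert(signingCert)) || match(basedOnPublicKey(signingCert));
        } catch (Exception e) {
            LOG.error("Unable to verify signature Reason:" + e.getMessage(), e);
            return false;
        }
    }

    /** Logs the subject of every trust anchor in the TSLO store (debug level only). */
    private static void dumpTsloStore() {
        if (LOG.isDebugEnabled()) {
            try {
                LOG.debug("Content of TSLO store");
                for (Certificate certificate : tsloStore.getCertificates(new X509CertSelector())) {
                    LOG.debug(" - " + ((X509Certificate) certificate).getSubjectX500Principal().getName("RFC1779"));
                }
            } catch (Exception e) {
                LOG.debug("Unable to print content of TSLO Store", e);
            }
        }
    }

    /**
     * Returns whether at least one trust anchor in the TSLO store satisfies {@code x509CertSelector}.
     *
     * @throws TechnicalConnectorException if the store cannot be queried
     */
    private static boolean match(X509CertSelector x509CertSelector) throws TechnicalConnectorException {
        try {
            return !tsloStore.getCertificates(x509CertSelector).isEmpty();
        } catch (CertStoreException e) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_GENERAL, e, new Object[]{"Unable to select certificates."});
        }
    }

    /** Selector matching exactly {@code x509Certificate} (byte-for-byte equality). */
    private static X509CertSelector baseOnCert(X509Certificate x509Certificate) {
        LOG.debug("Matching based on cert [" + x509Certificate.getSubjectX500Principal().getName("RFC1779") + "]");
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509Certificate);
        return x509CertSelector;
    }

    /** Selector matching any certificate that carries the same public key as {@code x509Certificate}. */
    private static X509CertSelector basedOnPublicKey(X509Certificate x509Certificate) {
        LOG.debug("Matching based on PublicKey [" + x509Certificate.getSubjectX500Principal().getName("RFC1779") + "]");
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setSubjectPublicKey(x509Certificate.getPublicKey());
        return x509CertSelector;
    }

    /**
     * Loads every X.509 certificate of the configured TSLO keystore into an in-memory
     * {@code Collection} {@link CertStore}.
     *
     * <p>Fail-closed: if the keystore cannot be opened or read, the error is logged and an EMPTY
     * store is returned, so no TSL will be accepted until the configuration is fixed and
     * {@link #reloadCertStore()} is called again.
     *
     * @throws Exception if the {@code Collection} CertStore provider itself is unavailable
     */
    private static CertStore getCertStore() throws Exception {
        List<X509Certificate> trustAnchors = new ArrayList<>();
        try {
            ConfigValidator configValidator = ConfigFactory.getConfigValidator();
            KeyStore keyStore = KeyStore.getInstance(configValidator.getProperty(PROP_TSL_STORETYPE, "JKS"));
            // try-with-resources: the keystore stream was previously never closed.
            try (InputStream keyStoreStream = ConnectorIOUtils.getResourceAsStream(configValidator.getProperty(PROP_TSL_STORELOCATION))) {
                keyStore.load(keyStoreStream, configValidator.getProperty(PROP_TSL_STOREPWD, "").toCharArray());
            }
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate certificate = keyStore.getCertificate(alias);
                // getCertificate() is null for secret-key entries; skip non-X.509 entries instead of
                // aborting the whole load (which would silently leave a partial trust store).
                if (!(certificate instanceof X509Certificate)) {
                    LOG.warn("Skipping TSLO keystore entry [{}]: not an X.509 certificate", alias);
                    continue;
                }
                X509Certificate x509Certificate = (X509Certificate) certificate;
                LOG.debug("Adding " + x509Certificate.getSubjectX500Principal().getName("RFC1779"));
                trustAnchors.add(x509Certificate);
            }
        } catch (Exception e) {
            LOG.error("Error while loading keystore", e);
        }
        if (trustAnchors.isEmpty()) {
            LOG.warn("TSLO store is empty: no TSL signature will be accepted until it is reloaded with trust anchors");
        }
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(trustAnchors));
    }

    /**
     * (Re)loads the TSLO trust store from configuration.
     *
     * @throws ConfigurationException if the in-memory CertStore cannot be created
     */
    public static void reloadCertStore() {
        try {
            tsloStore = getCertStore();
        } catch (Exception e) {
            throw new ConfigurationException(e);
        }
    }

    static {
        reloadCertStore();
    }
}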
