package be.fgov.ehealth.technicalconnector.signature.impl;

import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.exception.TechnicalConnectorExceptionValues;
import be.ehealth.technicalconnector.service.etee.CertificateChecker;
import be.ehealth.technicalconnector.service.etee.CertificateCheckerFactory;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.fgov.ehealth.etee.crypto.utils.SecurityConfiguration;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationError;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import be.fgov.ehealth.technicalconnector.signature.domain.XadesOption;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/impl/AbstractSignatureBuilder.class */
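/**
 * Input and certificate-chain validation helpers for signature handling.
 *
 * <p>The class name and the JADX "protected" notes below suggest these methods are meant to be
 * used by subclasses; no subclass is visible in this file.
 *
 * <p>Chain problems are reported by adding {@link SignatureVerificationError} values to the
 * {@link SignatureVerificationResult}, not by throwing. A caller therefore has to inspect
 * {@code getErrors()} before relying on the result or on the signing certificate stored in it.
 */
public class AbstractSignatureBuilder {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractSignatureBuilder.class);
    private static final CertificateFactory CF;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects a missing payload or a missing signing credential.
     *
     * @param credential credential that will be used to sign; must not be {@code null}
     * @param bArr bytes to sign; must not be {@code null} or empty
     * @throws TechnicalConnectorException with {@code ERROR_SIGNATURE} when either argument is unusable
     */
    public void validateInput(Credential credential, byte[] bArr) throws TechnicalConnectorException {
        boolean payloadMissing = bArr == null || bArr.length == 0;
        if (payloadMissing) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_SIGNATURE, new Object[]{"invalid parameter : byteArrayToSign was null or empty"});
        }
        if (credential == null) {
            throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.ERROR_SIGNATURE, new Object[]{"invalid parameter : signatureCredential was null"});
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks the certificate chain of a verified signature and records every problem found in
     * {@code signatureVerificationResult.getErrors()}.
     *
     * <p>Three checks run in order: the validity period of each certificate at the verified
     * signing time, the trust of the whole chain, and the revocation status of the end
     * certificate. A {@link TechnicalConnectorException} raised by the trust or revocation check
     * is logged and recorded as {@code CERTIFICATE_CHAIN_COULD_NOT_BE_VERIFIED} instead of being
     * rethrown.
     *
     * @param signatureVerificationResult result carrying the chain to check; receives the errors
     * @param map signature options; the clock-skew duration and unit are read from it
     * @throws TechnicalConnectorException if resolving the verified signing time fails inside the
     *     validity loop, which is not covered by the catch around the trust check
     */
    public void validateChain(SignatureVerificationResult signatureVerificationResult, Map<String, Object> map) throws TechnicalConnectorException {
        // 5 and TimeUnit.MINUTES are passed as the last getOption argument, presumably the
        // fallback used when the option is absent from the map.
        Integer skewDuration = (Integer) SignatureUtils.getOption(XadesOption.SIGNINGTIME_CLOCK_SKEW_DURATION, map, 5);
        TimeUnit skewUnit = (TimeUnit) SignatureUtils.getOption(XadesOption.SIGNINGTIME_CLOCK_SKEW_TIMEUNIT, map, TimeUnit.MINUTES);
        CertificateChecker certificateChecker = CertificateCheckerFactory.getCertificateChecker();

        // Validity is evaluated at the verified signing time, not at the current time, so a
        // certificate that has expired since signing does not by itself produce an error here.
        for (X509Certificate certificate : signatureVerificationResult.getCertChain()) {
            try {
                certificate.checkValidity(signatureVerificationResult.getVerifiedSigningTime(skewDuration.intValue(), skewUnit).toDate());
            } catch (CertificateExpiredException expired) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_EXPIRED);
            } catch (CertificateNotYetValidException notYetValid) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_NOT_YET_VALID);
            }
        }

        try {
            if (!certificateChecker.isValidCertificateChain(signatureVerificationResult.getCertChain())) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_CHAIN_NOT_TRUSTED);
            }
            validateEndCertificate(signatureVerificationResult, certificateChecker, skewDuration, skewUnit);
        } catch (TechnicalConnectorException checkFailed) {
            // Keep the cause: the recorded error code alone does not say why the check failed.
            LOG.error("Certificate chain could not be verified.", checkFailed);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_CHAIN_COULD_NOT_BE_VERIFIED);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the first certificate of the certification path built from {@code list}.
     *
     * <p>NOTE(review): taking index 0 as the end certificate relies on the "BC" certificate
     * factory ordering the path with the end entity first — confirm against the provider.
     *
     * @param list certificates of the signer's chain
     * @return the certificate at index 0 of the generated path
     * @throws CertificateException if {@code list} is {@code null} or empty, or if the path
     *     cannot be built
     */
    public X509Certificate extractEndCertificate(List<X509Certificate> list) throws CertificateException {
        // An empty chain used to surface as an unchecked IndexOutOfBoundsException from get(0),
        // which bypassed the CertificateException handling of the caller in this class.
        if (list == null || list.isEmpty()) {
            throw new CertificateException("Certificate chain is null or empty; no end certificate to extract");
        }
        return (X509Certificate) CF.generateCertPath(list).getCertificates().get(0);
    }

    /**
     * Checks the revocation status of the end certificate at the verified signing time and stores
     * that certificate in the result as the signing certificate.
     *
     * <p>The signing certificate is set even when {@code CERTIFICATE_REVOKED} has just been
     * recorded, so its presence in the result is not evidence that validation succeeded.
     *
     * <p>Only the end certificate is passed to {@code isCertificateRevoked} here; whether
     * {@code isValidCertificateChain} covers revocation of the other certificates is not visible
     * in this file.
     *
     * @param signatureVerificationResult result carrying the chain; receives errors and the signing certificate
     * @param certificateChecker checker used for the revocation lookup
     * @param num clock-skew duration applied to the signing time
     * @param timeUnit unit of {@code num}
     * @throws TechnicalConnectorException propagated from the revocation lookup or the signing-time resolution
     */
    private void validateEndCertificate(SignatureVerificationResult signatureVerificationResult, CertificateChecker certificateChecker, Integer num, TimeUnit timeUnit) throws TechnicalConnectorException {
        try {
            X509Certificate endCertificate = extractEndCertificate(signatureVerificationResult.getCertChain());
            boolean revoked = certificateChecker.isCertificateRevoked(endCertificate, signatureVerificationResult.getVerifiedSigningTime(num.intValue(), timeUnit));
            if (revoked) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_REVOKED);
            }
            signatureVerificationResult.setSigningCert(endCertificate);
        } catch (CertificateException e) {
            LOG.error("EndCertificate invalid.", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.CERTIFICATE_COULD_NOT_BE_VERIFIED);
        }
    }

    static {
        try {
            // Runs before the factory lookup; presumably this is what registers the "BC"
            // provider requested on the next line — confirm in SecurityConfiguration.
            SecurityConfiguration.configure();
            CF = CertificateFactory.getInstance("X.509", "BC");
        } catch (NoSuchProviderException e) {
            // A failure here prevents the class from initializing at all.
            throw new IllegalArgumentException(e);
        } catch (CertificateException e2) {
            throw new IllegalArgumentException(e2);
        }
    }
}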
