package be.fgov.ehealth.technicalconnector.signature.impl.xades.impl;

import be.ehealth.technicalconnector.exception.TechnicalConnectorException;
import be.ehealth.technicalconnector.service.sts.security.Credential;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationError;
import be.fgov.ehealth.technicalconnector.signature.domain.SignatureVerificationResult;
import be.fgov.ehealth.technicalconnector.signature.impl.DomUtils;
import be.fgov.ehealth.technicalconnector.signature.impl.SignatureUtils;
import be.fgov.ehealth.technicalconnector.signature.impl.XmlSignatureBuilder;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.domain.SignedPropertiesBuilder;
import be.fgov.ehealth.technicalconnector.signature.impl.xades.domain.UnsignedPropertiesBuilder;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.apache.xml.security.signature.XMLSignature;
import org.bouncycastle.util.encoders.Base64;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* loaded from: input_file:be/fgov/ehealth/technicalconnector/signature/impl/xades/impl/XadesSpecification.class */
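/**
 * Baseline XAdES 1.3.2 profile of the connector.
 *
 * <p>On signing it fills the SignedProperties with an Id, the signer's certificate and the
 * current time, and adds no UnsignedProperties. On verification it checks that the
 * SignedProperties are consistent with the certificate that actually produced the XML
 * signature: a SigningTime is present and parseable, and the SigningCertificate entry
 * (certificate digest, issuer name, serial number) designates that same certificate.
 *
 * <p>Verification never throws. Every problem is recorded as a
 * {@link SignatureVerificationError} on the supplied {@link SignatureVerificationResult};
 * a malformed SigningCertificate entry (missing DigestMethod/DigestValue, undecodable
 * Base64, unparsable serial number or DN) is reported as {@code XADES_SIGNEDPROPS_NOT_VALID}
 * rather than escaping as a runtime exception.
 */
public class XadesSpecification implements be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification {
    private static final Logger LOG = LoggerFactory.getLogger(XadesSpecification.class);

    /**
     * Populates the SignedProperties before the signature value is computed.
     *
     * @param signedPropertiesBuilder builder of the SignedProperties element
     * @param xMLSignature            the signature under construction (not used by this profile)
     * @param credential              signing credential; its certificate becomes the SigningCertificate
     * @param str                     Id assigned to the SignedProperties element
     * @param map                     caller options (not used by this profile)
     * @throws TechnicalConnectorException propagated from the credential/builder
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification
    public void addOptionalBeforeSignatureParts(SignedPropertiesBuilder signedPropertiesBuilder, XMLSignature xMLSignature, Credential credential, String str, Map<String, Object> map) throws TechnicalConnectorException {
        signedPropertiesBuilder.setId(str);
        signedPropertiesBuilder.setSigningCert(credential.getCertificate());
        // SigningTime is the local clock (default time zone) at the moment of signing.
        signedPropertiesBuilder.setSigningTime(new DateTime());
    }

    /**
     * This baseline profile adds no UnsignedProperties after signing.
     *
     * @param unsignedPropertiesBuilder builder of the UnsignedProperties element (untouched)
     * @param xMLSignature              the computed signature (not used)
     * @param str                       property Id (not used)
     * @param map                       caller options (not used)
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification
    public void addOptionalAfterSignatureParts(UnsignedPropertiesBuilder unsignedPropertiesBuilder, XMLSignature xMLSignature, String str, Map<String, Object> map) throws TechnicalConnectorException {
    }

    /**
     * Verifies the XAdES signed properties of a document whose XML signature has already been
     * processed by the caller.
     *
     * @param signatureVerificationResult result to update; it must already carry the signing
     *                                    certificate ({@code getSigningCert()}), otherwise the
     *                                    certificate checks report COULD_NOT_BE_VERIFIED
     * @param element                     the element whose children hold SigningTime and
     *                                    SigningCertificate (in XAdES that is
     *                                    SignedSignatureProperties — confirm with the caller)
     */
    @Override // be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification
    public void verify(SignatureVerificationResult signatureVerificationResult, Element element) {
        // Order matters: the certificate validity check below reads the signing time parsed here.
        verifySigningTime(signatureVerificationResult, element);
        verifySigningCertificate(signatureVerificationResult, element);
    }

    /**
     * Requires exactly one xades:SigningTime child and stores its parsed value on the result.
     * Absence (or more than one) is reported as DONT_HAVE_SIGNINGTIME, an unparsable value as
     * INVALID_SIGNINGTIME; in both cases the result's signing time stays unset.
     */
    private void verifySigningTime(SignatureVerificationResult signatureVerificationResult, Element element) {
        NodeList signingTimes = DomUtils.getMatchingChilds(element, be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification.XMLNS_XADES_1_3_2, "SigningTime");
        if (signingTimes == null || signingTimes.getLength() != 1) {
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_DONT_HAVE_SIGNINGTIME);
            return;
        }
        String text = ((Element) signingTimes.item(0)).getTextContent();
        try {
            // Joda parses the ISO-8601 xsd:dateTime text; an unparsable value throws IllegalArgumentException.
            signatureVerificationResult.setSigningTime(new DateTime(text));
        } catch (IllegalArgumentException e) {
            LOG.error("Invalid signing time", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_INVALID_SIGNINGTIME);
        }
    }

    /**
     * Checks that the xades:SigningCertificate entry designates the certificate that produced
     * the signature (digest, issuer name and serial number), then delegates the "was the
     * certificate valid at signing time" check to {@link XadesVerificationHelper}.
     *
     * <p>Only the first Cert entry inside SigningCertificate is inspected (via {@code item(0)}
     * in the helpers). XAdES allows further Cert entries for the chain; this code assumes the
     * signer's entry comes first — TODO confirm against the XAdES profile in use.
     */
    private void verifySigningCertificate(SignatureVerificationResult signatureVerificationResult, Element element) {
        if (signatureVerificationResult.getSigningCert() == null) {
            // Without the certificate that validated the ds:Signature there is nothing to compare against.
            LOG.debug("Unable to obtain signing certificate.");
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_COULD_NOT_BE_VERIFIED);
            return;
        }
        NodeList signingCertificates = DomUtils.getMatchingChilds(element, be.fgov.ehealth.technicalconnector.signature.impl.xades.XadesSpecification.XMLNS_XADES_1_3_2, "SigningCertificate");
        if (signingCertificates == null || signingCertificates.getLength() != 1) {
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
            return;
        }
        Element signingCertificate = (Element) signingCertificates.item(0);
        verifyDigest(signatureVerificationResult, signingCertificate);
        verifyIssuerName(signatureVerificationResult, signingCertificate);
        verifySerialNumber(signatureVerificationResult, signingCertificate);
        // NOTE(review): the signing time is null here when verifySigningTime failed; the helper's
        // handling of a null time is not visible from this file — confirm it does not treat it as "now".
        XadesVerificationHelper.verifyValiditySigningCert(signatureVerificationResult.getSigningTime(), signatureVerificationResult);
    }

    /**
     * Compares the declared ds:CertDigest with a freshly computed digest of the signing
     * certificate's DER encoding, using the DigestMethod algorithm named in the document.
     *
     * <p>NOTE(review): no policy is applied to the digest algorithm here (e.g. rejecting MD5 or
     * SHA-1); whatever {@code SignatureUtils.getDigestInstance} accepts is used. The
     * SigningCertificate entry is covered by the signature, so a weak digest matters only
     * for certificate-substitution attacks — still worth confirming that the helper enforces
     * an accepted-algorithm list.
     */
    private void verifyDigest(SignatureVerificationResult signatureVerificationResult, Element element) {
        X509Certificate signingCert = signatureVerificationResult.getSigningCert();
        Element digestMethod = firstDescendant(element, XmlSignatureBuilder.XMLNS_DS, "DigestMethod");
        Element digestValue = firstDescendant(element, XmlSignatureBuilder.XMLNS_DS, "DigestValue");
        if (digestMethod == null || digestValue == null) {
            // Previously a missing element surfaced as an uncaught NullPointerException out of verify().
            LOG.debug("SigningCertificate entry lacks DigestMethod or DigestValue.");
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
            return;
        }
        String algorithm = digestMethod.getAttribute("Algorithm");
        String encodedDigest = digestValue.getTextContent();
        try {
            byte[] declaredDigest = Base64.decode(encodedDigest);
            MessageDigest digester = SignatureUtils.getDigestInstance(algorithm);
            digester.reset();
            byte[] actualDigest = digester.digest(signingCert.getEncoded());
            // Constant-time comparison; also false when the lengths differ.
            if (!MessageDigest.isEqual(actualDigest, declaredDigest)) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
            }
        } catch (NoSuchAlgorithmException e) {
            LOG.error("Invalid digest method [{}]", algorithm, e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
        } catch (CertificateEncodingException e) {
            // Cannot re-encode our own certificate: the comparison is impossible, not failed.
            LOG.warn("Unable to encode certificate with CN [{}] Reason: {}", signingCert.getSubjectX500Principal().getName("RFC1779"), e.getMessage(), e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_COULD_NOT_BE_VERIFIED);
        } catch (RuntimeException e) {
            // Malformed Base64 in DigestValue (Bouncy Castle throws an unchecked DecoderException).
            LOG.error("Unable to decode certificate digest value", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
        }
    }

    /**
     * Compares the declared ds:X509IssuerName with the signing certificate's issuer.
     *
     * <p>Distinguished names are compared through {@link X500Principal#equals(Object)}, i.e. on
     * their canonical form, instead of a case-insensitive match of the RFC 1779 strings: the
     * canonical form also normalises whitespace and attribute encodings, so an equivalent DN
     * rendered differently by another toolkit is not flagged as a mismatch. A DN string that
     * cannot be parsed, or a missing element, is reported as NOT_VALID.
     */
    private void verifyIssuerName(SignatureVerificationResult signatureVerificationResult, Element element) {
        try {
            Element issuerName = firstDescendant(element, XmlSignatureBuilder.XMLNS_DS, "X509IssuerName");
            if (issuerName == null) {
                LOG.debug("SigningCertificate entry lacks X509IssuerName.");
                signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
                return;
            }
            X500Principal declaredIssuer = new X500Principal(issuerName.getTextContent().trim());
            X500Principal actualIssuer = signatureVerificationResult.getSigningCert().getIssuerX500Principal();
            if (!declaredIssuer.equals(actualIssuer)) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
            }
        } catch (Exception e) {
            // e.g. IllegalArgumentException from an unparsable DN string.
            LOG.error("Unable to verify issuer name", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
        }
    }

    /**
     * Compares the declared ds:X509SerialNumber with the signing certificate's serial number.
     *
     * <p>X509SerialNumber is an xsd:integer, so it is parsed as a {@link BigInteger} rather than
     * compared as raw text: surrounding whitespace, an explicit "+" sign or leading zeros in the
     * document no longer produce a spurious mismatch. Anything that does not parse as an integer
     * (or a missing element) is reported as NOT_VALID.
     */
    private void verifySerialNumber(SignatureVerificationResult signatureVerificationResult, Element element) {
        try {
            Element serialNumber = firstDescendant(element, XmlSignatureBuilder.XMLNS_DS, "X509SerialNumber");
            if (serialNumber == null) {
                LOG.debug("SigningCertificate entry lacks X509SerialNumber.");
                signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
                return;
            }
            BigInteger declaredSerial = new BigInteger(serialNumber.getTextContent().trim());
            if (!declaredSerial.equals(signatureVerificationResult.getSigningCert().getSerialNumber())) {
                signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
            }
        } catch (Exception e) {
            // e.g. NumberFormatException when the text is not an integer.
            LOG.error("Unable to verify serial number", e);
            signatureVerificationResult.getErrors().add(SignatureVerificationError.XADES_SIGNEDPROPS_NOT_VALID);
        }
    }

    /**
     * Returns the first descendant of {@code parent} with the given namespace URI and local
     * name, or {@code null} when there is none (so callers can report a structural error
     * instead of dereferencing a null {@code item(0)}).
     */
    private static Element firstDescendant(Element parent, String namespaceUri, String localName) {
        NodeList matches = parent.getElementsByTagNameNS(namespaceUri, localName);
        if (matches == null || matches.getLength() == 0) {
            return null;
        }
        return (Element) matches.item(0);
    }
}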
