package org.openoces.securitypackage;

import org.openoces.ooapi.certificate.CertificateStatus;
import org.openoces.ooapi.certificate.OcesCertificate;
import org.openoces.ooapi.certificate.PocesCertificate;
import org.openoces.ooapi.exceptions.AppletException;
import org.openoces.ooapi.exceptions.InternalException;
import org.openoces.ooapi.exceptions.NonOcesCertificateException;
import org.openoces.ooapi.exceptions.NonOpensignSignatureException;
import org.openoces.ooapi.signatures.OpenlogonSignature;
import org.openoces.ooapi.signatures.OpensignAbstractSignature;
import org.openoces.ooapi.signatures.OpensignSignatureFactory;
import org.openoces.ooapi.signatures.SignatureProperty;
import org.openoces.ooapi.validation.ErrorCodeChecker;
import org.openoces.serviceprovider.CertificateAndStatus;
import org.openoces.serviceprovider.ServiceProviderException;
import org.openoces.serviceprovider.ServiceProviderSetup;

/* loaded from: input_file:org/openoces/securitypackage/LogonHandler.class */
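/**
 * Server-side validation of the signed login data returned by the logon applet.
 *
 * <p>All entry points take the same three strings:
 * <ul>
 *   <li>{@code str} – the login data (signature) produced by the applet, or an applet error code;</li>
 *   <li>{@code str2} – the challenge the signature is checked against via {@code ChallengeVerifier};</li>
 *   <li>{@code str3} – the accepted {@code logonto}/{@code RequestIssuer} value(s), separated by
 *       {@code ';'}. <strong>When this is {@code null} the logonto/RequestIssuer check is skipped
 *       entirely</strong>, so the signature is not bound to this service provider.</li>
 * </ul>
 *
 * <p>Besides the declared checked exceptions, malformed login data can surface as unchecked
 * {@link IllegalArgumentException} or {@link IllegalStateException}; callers should treat those
 * as a failed logon as well.
 */
public class LogonHandler {
    /**
     * Validates the login data and returns the PID of the signing POCES certificate.
     *
     * @param str  login data from the logon applet
     * @param str2 expected challenge
     * @param str3 accepted logonto/RequestIssuer value(s), or {@code null} to skip that check
     * @return the person identifier taken from the signing certificate
     * @throws NonOcesCertificateException if the certificate status is not {@code VALID}, or the
     *         signing certificate is not a {@link PocesCertificate}
     * @throws ServiceProviderException if the signature cannot be parsed or its parameters do not match
     * @throws AppletException if {@code str} is an applet error code
     */
    public static PersonID validateAndExtractPID(String str, String str2, String str3) throws ServiceProviderException, AppletException {
        CertificateAndStatus result = validateAndExtractCertificateAndStatus(str, str2, str3);
        CertificateStatus status = result.getCertificateStatus();
        if (status != CertificateStatus.VALID) {
            throw new NonOcesCertificateException("certificate is invalid. Status: " + status);
        }
        // Only POCES certificates carry a PID. Reject other certificate types with the
        // documented exception instead of letting the cast fail with ClassCastException.
        if (!(result.getCertificate() instanceof PocesCertificate)) {
            throw new NonOcesCertificateException("certificate is not a POCES certificate, no PID available");
        }
        return new PersonID(((PocesCertificate) result.getCertificate()).getPid());
    }

    /**
     * Checks challenge, logonto/RequestIssuer and the signature itself, then returns the signing
     * certificate.
     *
     * <p>This method does <em>not</em> look at the certificate's validity status or revocation;
     * use {@link #validateAndExtractCertificateAndStatus} when that is required.
     *
     * @param str  login data from the logon applet
     * @param str2 expected challenge
     * @param str3 accepted logonto/RequestIssuer value(s), or {@code null} to skip that check
     * @return the certificate that produced the signature
     * @throws NonOcesCertificateException if the signature does not verify
     * @throws ServiceProviderException if parsing or parameter validation fails
     * @throws AppletException if {@code str} is an applet error code
     */
    public static OcesCertificate validateSignatureAndExtractCertificate(String str, String str2, String str3) throws ServiceProviderException, AppletException {
        try {
            OpenlogonSignature signature = createOpenlogonSignature(str);
            validateSignatureParameters(str2, str3, signature);
            if (!signature.verify()) {
                // NOTE(review): the message embeds the complete client-supplied login data. If
                // exception messages are logged, consider recording a length or digest instead.
                throw new NonOcesCertificateException("the signature of the login data is invalid, data is " + str);
            }
            return signature.getSigningCertificate();
        } catch (InternalException e) {
            throw new ServiceProviderException(e);
        } catch (NonOpensignSignatureException e2) {
            // NOTE(review): same concern as above, raw login data ends up in the message.
            throw new ServiceProviderException("Invalid signature " + str, e2);
        }
    }

    /**
     * Validates the login data and returns the signing certificate together with its status and
     * the optional {@code rememberUseridToken} signature property.
     *
     * <p>The returned status may be something other than {@code VALID}; the caller must inspect
     * it before trusting the certificate. Revocation is only consulted when the certificate's own
     * validity status is {@code VALID}, in which case a revoked certificate is reported as
     * {@code REVOKED}.
     *
     * @param str  login data from the logon applet
     * @param str2 expected challenge
     * @param str3 accepted logonto/RequestIssuer value(s), or {@code null} to skip that check
     * @return certificate, status and remember-userid token ({@code null} when the property is absent)
     * @throws NonOcesCertificateException if the signature does not verify
     * @throws ServiceProviderException if parsing or parameter validation fails
     * @throws AppletException if {@code str} is an applet error code
     */
    public static CertificateAndStatus validateAndExtractCertificateAndStatus(String str, String str2, String str3) throws ServiceProviderException, AppletException {
        try {
            OpenlogonSignature signature = createOpenlogonSignature(str);
            validateSignatureParameters(str2, str3, signature);
            if (!signature.verify()) {
                // NOTE(review): the message embeds the complete client-supplied login data. If
                // exception messages are logged, consider recording a length or digest instead.
                throw new NonOcesCertificateException("the signature of the login data is invalid. Data is " + str);
            }
            OcesCertificate signer = signature.getSigningCertificate();
            CertificateStatus status = signer.validityStatus();
            if (status == CertificateStatus.VALID && ServiceProviderSetup.getCurrentChecker().isRevoked(signer)) {
                status = CertificateStatus.REVOKED;
            }
            SignatureProperty rememberToken = signature.getSignatureProperties().get("rememberUseridToken");
            String rememberTokenValue = rememberToken == null ? null : rememberToken.getValue();
            return new CertificateAndStatus(signer, status, rememberTokenValue);
        } catch (InternalException e) {
            throw new ServiceProviderException(e);
        } catch (NonOpensignSignatureException e2) {
            throw new ServiceProviderException(e2);
        }
    }

    /**
     * Parses the applet output into an {@link OpenlogonSignature}.
     *
     * @throws AppletException if {@code ErrorCodeChecker} classifies {@code str} as an error code
     * @throws IllegalArgumentException if the parsed signature is not an {@code OpenlogonSignature}
     */
    private static OpenlogonSignature createOpenlogonSignature(String str) throws NonOpensignSignatureException, InternalException, AppletException {
        if (ErrorCodeChecker.isError(str)) {
            throw new AppletException(ErrorCodeChecker.extractError(str));
        }
        OpensignAbstractSignature parsed = OpensignSignatureFactory.getInstance().generateOpensignSignature(str);
        if (!(parsed instanceof OpenlogonSignature)) {
            throw new IllegalArgumentException("argument of type " + parsed.getClass() + " is not valid output from the logon applet");
        }
        return (OpenlogonSignature) parsed;
    }

    /**
     * Runs the challenge check and, only when {@code str2} is non-null, the
     * logonto/RequestIssuer check.
     *
     * @param str  expected challenge
     * @param str2 accepted logonto/RequestIssuer value(s); {@code null} disables the check
     */
    private static void validateSignatureParameters(String str, String str2, OpenlogonSignature openlogonSignature) throws InternalException, ServiceProviderException {
        validateChallenge(str, openlogonSignature);
        if (str2 == null) {
            // No expected value supplied: the signature's logonto/RequestIssuer is not checked.
            return;
        }
        validateLogonTo(openlogonSignature, str2);
    }

    /** Delegates the challenge comparison to {@code ChallengeVerifier.verifyChallenge}. */
    private static void validateChallenge(String str, OpenlogonSignature openlogonSignature) throws InternalException {
        ChallengeVerifier.verifyChallenge(openlogonSignature, str);
    }

    /**
     * Requires exactly one of the {@code logonto} and {@code RequestIssuer} signature properties
     * and checks its value against the accepted values in {@code str}.
     *
     * @throws IllegalStateException if both properties are present or both are absent
     * @throws ServiceProviderException if the property value matches none of the accepted values
     */
    private static void validateLogonTo(OpenlogonSignature openlogonSignature, String str) throws ServiceProviderException, InternalException {
        SignatureProperty logonto = openlogonSignature.getSignatureProperties().get("logonto");
        SignatureProperty requestIssuer = openlogonSignature.getSignatureProperties().get("RequestIssuer");
        if (logonto != null && requestIssuer != null) {
            throw new IllegalStateException("Invalid signature logonto and RequestIssuer parameters cannot both be set");
        }
        if (logonto == null && requestIssuer == null) {
            throw new IllegalStateException("Invalid signature either logonto or RequestIssuer parameters must be set");
        }
        // Exactly one of the two is non-null at this point.
        SignatureProperty present = logonto != null ? logonto : requestIssuer;
        verifyLogontoOrRequestIssuer(present.getValue(), str);
    }

    /**
     * Accepts {@code str} only if it equals one of the {@code ';'}-separated entries of
     * {@code str2}.
     *
     * @param str  value taken from the signature (may be {@code null}, which never matches)
     * @param str2 accepted values, {@code ';'}-separated
     * @throws ServiceProviderException if no entry matches
     */
    private static void verifyLogontoOrRequestIssuer(String str, String str2) throws ServiceProviderException {
        for (String accepted : extractValidLogontos(str2)) {
            // Compare from the accepted entry's side so a null property value is a mismatch
            // rather than a NullPointerException.
            if (accepted.equals(str)) {
                return;
            }
        }
        throw new ServiceProviderException("Invalid signature logonto or RequestIssuer parameter does not match expected value. Expected: " + str2 + " actual: " + str);
    }

    /**
     * Splits a {@code ';'}-separated list of accepted logonto values.
     *
     * <p>Entries are not trimmed, so surrounding whitespace in the configured list must match the
     * signed value exactly.
     *
     * @param str the {@code ';'}-separated list; must not be {@code null}
     * @return the individual entries
     */
    public static String[] extractValidLogontos(String str) {
        return str.split(";");
    }
}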
