package org.openoces.ooapi.certificate;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import org.bouncycastle.jce.X509Principal;
import org.openoces.ooapi.config.OOAPIConfiguration;
import org.openoces.ooapi.environment.Environments;
import org.openoces.ooapi.environment.RootCertificates;
import org.openoces.ooapi.exceptions.InvalidCaIssuerUrlException;
import org.openoces.ooapi.exceptions.NonOcesCertificateException;
import org.openoces.ooapi.exceptions.TrustCouldNotBeVerifiedException;
import org.openoces.ooapi.ldap.LDAPFactory;
import org.openoces.ooapi.utils.HttpClient;
import org.openoces.ooapi.utils.X509CertificatePropertyExtrator;
import org.openoces.ooapi.validation.FullCrlRevocationChecker;
import org.openoces.ooapi.validation.LdapCrlDownloader;
import org.openoces.ooapi.validation.OCSPCertificateRevocationChecker;
import org.openoces.ooapi.validation.PartitionedCrlRevocationChecker;
import org.openoces.serviceprovider.ServiceProviderSetup;

/* loaded from: input_file:org/openoces/ooapi/certificate/OcesCertificateFactory.class */
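/**
 * Builds an {@link OcesCertificate} (POCES/MOCES/VOCES/FOCES) from a caller-supplied
 * list of X.509 certificates.
 *
 * <p>The pipeline in {@link #generate(List)} orders the certificates end-entity first,
 * optionally fetches a missing issuer certificate, appends the configured root, wraps
 * the CA certificates in a {@link CA} chain, picks the OCES subclass from the subject
 * serial number and certificate policy, and finally asks {@code ChainVerifier} whether
 * the chain is trusted.
 *
 * <p>Security note: all steps before {@code ChainVerifier.verifyTrust} only match
 * subject/issuer names and extension contents taken from the untrusted input. No
 * signature is checked by this class (apart from the self-signature probe in
 * {@link #isSelfSigned}), and the issuer certificate that may be downloaded comes from
 * a URL embedded in the untrusted certificate. The trust decision therefore rests
 * entirely on {@code ChainVerifier}, which lives outside this file.
 */
public class OcesCertificateFactory {
    private static final Logger logger = Logger.getLogger(OcesCertificateFactory.class);
    private static final OcesCertificateFactory instance = new OcesCertificateFactory();

    /**
     * Offset of the "-RID:" / "-UID:" / "-FID:" marker inside a "CVR:nnnnnnnn-XID:..."
     * subject serial number ("CVR:" plus an 8-character number).
     */
    private static final int CVR_SUFFIX_OFFSET = 12;
    /** Bit positions in {@link X509Certificate#getKeyUsage()} (RFC 5280 KeyUsage order). */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
    private static final int KEY_USAGE_DATA_ENCIPHERMENT = 3;
    private static final int KEY_USAGE_CRL_SIGN = 6;

    private OcesCertificateFactory() {
    }

    /** @return the process-wide singleton factory. */
    public static OcesCertificateFactory getInstance() {
        return instance;
    }

    /**
     * Turns a list of certificates (end-entity plus any CA certificates, in any order)
     * into a verified {@link OcesCertificate}.
     *
     * @param list certificates to assemble; not modified by this method.
     * @return the end-entity certificate wrapped in the matching OCES subclass.
     * @throws TrustCouldNotBeVerifiedException if {@code ChainVerifier.verifyTrust} rejects the chain.
     * @throws NonOcesCertificateException if no chain could be formed or the end-entity
     *         certificate is not a POCES/MOCES/VOCES/FOCES certificate.
     * @throws IllegalStateException if the list does not form a single chain or no root is known.
     * @throws IllegalArgumentException if {@code list} is null or the subject DN carries no unique serial number.
     */
    public OcesCertificate generate(List<X509Certificate> list) throws TrustCouldNotBeVerifiedException {
        if (list == null) {
            throw new IllegalArgumentException("certificate list must not be null");
        }
        List<X509Certificate> chain = sortCertificatesIssuerLast(list);
        addIssuerCertificateIfNeeded(chain);
        validateExactlyOneChainInList(chain);
        appendRootIfMissing(chain);
        CA caChain = createCaChain(chain);
        OcesCertificate certificate = selectCertificateSubclass(caChain, chain.get(0));
        // Everything above assembles the chain by DN matching only. This call is the
        // single point where trust is decided; it must not be bypassed.
        if (ChainVerifier.verifyTrust(certificate)) {
            return certificate;
        }
        throw new TrustCouldNotBeVerifiedException(certificate, Environments.getTrustedEnvironments());
    }

    /**
     * When the list holds a single (end-entity) certificate issued by a TRUST2408 CA that
     * is not an internal environment, tries to fetch the issuing CA certificate and append
     * it to {@code list}. The list is left untouched when nothing could be retrieved; the
     * chain checks that follow then fail with a proper error instead of a
     * NullPointerException (the original code appended {@code null}).
     *
     * @param list mutable certificate list ordered end-entity first.
     */
    protected void addIssuerCertificateIfNeeded(List<X509Certificate> list) {
        logger.debug("adding issuer certificate if needed");
        if (list.size() != 1) {
            return;
        }
        logger.debug("Certificates size is 1");
        X509Certificate endEntity = list.get(0);
        String issuerName = endEntity.getIssuerDN().getName();
        // Locale.ROOT: the default-locale toUpperCase() mangles 'i' under Turkish locales.
        if (issuerName.toUpperCase(Locale.ROOT).indexOf("TRUST2408") == -1) {
            return;
        }
        logger.debug("Certificate issuer is Trust 2408");
        if (Environments.isInternalEnvironment(LDAPFactory.getEnvironmentFromCaCommonName(issuerName))) {
            logger.debug("Certificate issued by internal CA");
            return;
        }
        X509Certificate issuer = null;
        String caIssuerUrl = null;
        try {
            caIssuerUrl = X509CertificatePropertyExtrator.getCaIssuerUrl(endEntity);
            logger.debug("Certificate CA issuer URL is: " + caIssuerUrl);
            // SECURITY: this URL is read from the AIA extension of a certificate that has
            // not been validated yet, so it is attacker-controlled: it is an outbound
            // request to an arbitrary location (SSRF surface) and the returned certificate
            // must never be trusted on its own. It only becomes meaningful once
            // ChainVerifier.verifyTrust chains it to a configured root.
            issuer = HttpClient.downloadCertificate(caIssuerUrl);
        } catch (IllegalStateException e) {
            logger.debug("Unable to retrieve CA issuer URL " + caIssuerUrl + " : ", e);
        } catch (InvalidCaIssuerUrlException e) {
            logger.debug("Invalid CA issuer url, retrieving by DN config name");
            issuer = downloadIssuerByConfiguredLocation(endEntity);
        }
        if (issuer == null) {
            logger.debug("No CA certificate could be retrieved for issuer " + issuerName);
            return;
        }
        logger.debug("CA certificate retrieved");
        list.add(issuer);
    }

    /**
     * Fallback used when the certificate's AIA URL is unusable: locate the issuer
     * certificate via the configured URL keyed by the issuer DN (full-CRL / OCSP
     * revocation checkers) or via LDAP (partitioned-CRL checker).
     *
     * @return the issuer certificate, or {@code null} if none could be obtained.
     */
    private X509Certificate downloadIssuerByConfiguredLocation(X509Certificate endEntity) {
        Object checker = ServiceProviderSetup.getCurrentChecker();
        if (checker instanceof FullCrlRevocationChecker || checker instanceof OCSPCertificateRevocationChecker) {
            // Config key derived from the issuer DN, e.g. "CN+FOO,_O+BAR" style.
            String configKey = endEntity.getIssuerDN().getName().toUpperCase(Locale.ROOT).replace(" ", "_").replace("=", "+");
            String url = OOAPIConfiguration.getInstance().getProperty(configKey);
            logger.debug("CA DN config url is: " + url);
            if (url == null) {
                // Previously a null URL was handed straight to HttpClient; skip instead.
                logger.debug("No CA certificate location configured under key " + configKey);
                return null;
            }
            return HttpClient.downloadCertificate(url);
        }
        if (checker instanceof PartitionedCrlRevocationChecker) {
            return getICaCertFromLdap(endEntity);
        }
        return null;
    }

    /**
     * Fetches the issuing CA certificate from the LDAP host derived from the issuer DN.
     *
     * @return whatever {@link LdapCrlDownloader#downloadCertificate} returns (may be null).
     */
    private X509Certificate getICaCertFromLdap(X509Certificate endEntity) {
        String issuerDn = endEntity.getIssuerDN().getName();
        String ldapHost = LDAPFactory.getLdapHostNamefromCaDN(issuerDn);
        logger.debug("Retrieving CA from LDAP host with parameters(ldapthostname,issuerDNName)  " + ldapHost + "," + issuerDn);
        return new LdapCrlDownloader().downloadCertificate(ldapHost, issuerDn);
    }

    /**
     * Checks that the list is non-empty and that each element's issuer DN equals the
     * subject DN of the next element. This is name chaining only; no signature is verified.
     *
     * @throws NonOcesCertificateException if the list is empty (no end-entity candidate was found
     *         by {@link #sortCertificatesIssuerLast}; the message predates this review).
     * @throws IllegalStateException if any adjacent pair does not chain, or an element is null.
     */
    private void validateExactlyOneChainInList(List<X509Certificate> list) {
        if (list.isEmpty()) {
            throw new NonOcesCertificateException("Only self-signed certificates found");
        }
        for (int i = 0; i < list.size() - 1; i++) {
            X509Certificate child = list.get(i);
            X509Certificate parent = list.get(i + 1);
            if (child == null || parent == null
                    || !child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                throw new IllegalStateException("certificate list holds something that is not a certificate chain");
            }
        }
    }

    /**
     * Orders the certificates end-entity first, issuers after.
     *
     * <p>Seeds are the certificates whose KeyUsage extension is present and lacks the
     * cRLSign bit (this code base treats those as end-entity certificates); a certificate
     * without a KeyUsage extension is never a seed but may still be pulled in as an
     * issuer. Issuers are found by subject DN lookup; duplicates (by subject DN) collapse.
     *
     * @return a new list; the input is not modified.
     */
    private List<X509Certificate> sortCertificatesIssuerLast(List<X509Certificate> list) {
        List<X509Certificate> ordered = new ArrayList<X509Certificate>(list.size());
        Map<X500Principal, X509Certificate> bySubject = new HashMap<X500Principal, X509Certificate>();
        for (X509Certificate cert : list) {
            bySubject.put(cert.getSubjectX500Principal(), cert);
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage != null && !keyUsage[KEY_USAGE_CRL_SIGN]) {
                ordered.add(cert);
            }
        }
        // 'ordered' grows while being walked, so an index loop (not for-each) is required.
        for (int i = 0; i < ordered.size(); i++) {
            X509Certificate issuer = bySubject.get(ordered.get(i).getIssuerX500Principal());
            if (issuer != null && !ordered.contains(issuer)) {
                ordered.add(issuer);
            }
        }
        return ordered;
    }

    /**
     * Chooses the OCES subclass from the subject serial number prefix and the certificate
     * policy OID expected for the root's environment.
     *
     * @throws NonOcesCertificateException if no subclass matches.
     */
    private OcesCertificate selectCertificateSubclass(CA ca, X509Certificate cert) {
        String serialNumber = extractSubjectSerialNumber(cert);
        Environments.Environment environment = getEnvironmentForRoot(ca);
        logger.debug("Current environment is: " + environment + " for signing CA: " + ca.toString());
        OcesCertificate result;
        if (serialNumber.startsWith("PID:") && matchPocesPolicy(cert, environment)) {
            result = new PocesCertificate(cert, ca);
        } else if (isCvrSerial(serialNumber, "-RID:")
                && (matchMocesPolicy(cert, environment) || isSplitCertificate(cert, environment))) {
            result = new MocesCertificate(cert, ca);
        } else if (isCvrSerial(serialNumber, "-UID:") && matchVocesPolicy(cert, environment)) {
            result = new VocesCertificate(cert, ca);
        } else if (isCvrSerial(serialNumber, "-FID:") && matchFocesPolicy(cert, environment)) {
            result = new FocesCertificate(cert, ca);
        } else {
            throw new NonOcesCertificateException("End user certificate is not POCES, MOCES, VOCES og FOCES, dn is " + cert.getSubjectX500Principal().getName("RFC1779"));
        }
        logger.debug("Certificate: " + result.getSerialNumber() + " " + result.getDn() + " " + result.toString());
        return result;
    }

    /**
     * True when the serial number is "CVR:" followed by {@code marker} at offset 12.
     * Uses {@code startsWith(prefix, offset)}, which returns false for a too-short string;
     * the previous {@code substring(12)} threw StringIndexOutOfBoundsException on an
     * attacker-supplied short "CVR:..." serial number.
     */
    private static boolean isCvrSerial(String serialNumber, String marker) {
        return serialNumber.startsWith("CVR:") && serialNumber.startsWith(marker, CVR_SUFFIX_OFFSET);
    }

    private boolean matchFocesPolicy(X509Certificate cert, Environments.Environment environment) {
        return matchPolicy(cert, OOAPIConfiguration.getInstance().getProperty("foces.policies.prefix.danid." + environment));
    }

    private boolean matchVocesPolicy(X509Certificate cert, Environments.Environment environment) {
        return matchPolicy(cert, OOAPIConfiguration.getInstance().getProperty("voces.policies.prefix.danid." + environment));
    }

    private boolean matchMocesPolicy(X509Certificate cert, Environments.Environment environment) {
        return matchPolicy(cert, OOAPIConfiguration.getInstance().getProperty("moces.policies.prefix.danid." + environment));
    }

    /**
     * A "split" certificate: KeyUsage present, digitalSignature bit clear, dataEncipherment
     * bit set, and the VOCES policy prefix matches. Accepted as MOCES by the caller.
     */
    private boolean isSplitCertificate(X509Certificate cert, Environments.Environment environment) {
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage == null) {
            return false;
        }
        return !keyUsage[KEY_USAGE_DIGITAL_SIGNATURE]
                && keyUsage[KEY_USAGE_DATA_ENCIPHERMENT]
                && matchVocesPolicy(cert, environment);
    }

    /**
     * POCES policy check. NOTE: in {@code OCESII_DANID_ENV_PREPROD} the check is skipped
     * entirely and every "PID:" certificate is accepted as POCES. Make sure pre-production
     * roots are not among the trusted roots of a production deployment.
     */
    private boolean matchPocesPolicy(X509Certificate cert, Environments.Environment environment) {
        if (Environments.Environment.OCESII_DANID_ENV_PREPROD.equals(environment)) {
            return true;
        }
        String key = "poces.policies.prefix.danid." + environment;
        String prefix = OOAPIConfiguration.getInstance().getProperty(key);
        if (prefix == null) {
            logger.debug("The property " + key + " was not found.");
        }
        return matchPolicy(cert, prefix);
    }

    /**
     * True when the certificate's policy OID starts with {@code policyPrefix}.
     *
     * <p>Fails closed on a missing or empty prefix: a null prefix used to throw
     * NullPointerException, and an empty prefix would have matched every OID, silently
     * disabling the policy check.
     */
    private boolean matchPolicy(X509Certificate cert, String policyPrefix) {
        if (policyPrefix == null || policyPrefix.length() == 0) {
            logger.warn("No certificate policy prefix configured; refusing to match policy");
            return false;
        }
        String policyOid = X509CertificatePropertyExtrator.getCertificatePolicyOID(cert);
        return policyOid != null && policyOid.startsWith(policyPrefix);
    }

    /** Walks the CA chain to its root and returns the environment that root belongs to. */
    private Environments.Environment getEnvironmentForRoot(CA ca) {
        CA current = ca;
        while (!current.isRoot()) {
            current = current.getSigningCA();
        }
        return RootCertificates.getEnvironment(current);
    }

    /**
     * Returns the single serialNumber (OID 2.5.4.5) attribute of the subject DN.
     *
     * @throws IllegalArgumentException if the DN has zero or several serialNumber values
     *         or cannot be parsed.
     */
    private String extractSubjectSerialNumber(X509Certificate cert) {
        try {
            Vector values = new X509Principal(cert.getSubjectX500Principal().getEncoded()).getValues(X509Principal.SN);
            if (values.size() != 1) {
                throw new IllegalArgumentException("Missing unique SSN in dn: " + cert.getSubjectX500Principal().getName("RFC1779"));
            }
            return (String) values.get(0);
        } catch (IOException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Wraps every certificate except the first (the end-entity) in a {@link CA}, root
     * outermost, and returns the CA that directly signed the end-entity certificate.
     *
     * @throws IllegalStateException if the list holds fewer than two certificates
     *         (previously this returned null and the caller failed with NullPointerException).
     */
    private CA createCaChain(List<X509Certificate> list) {
        if (list.size() < 2) {
            throw new IllegalStateException("certificate chain contains no CA certificate");
        }
        CA ca = null;
        for (int i = list.size() - 1; i > 0; i--) {
            ca = new CA(list.get(i), ca);
        }
        return ca;
    }

    /**
     * Appends the configured root (looked up by the last certificate's issuer DN) unless
     * the last certificate is already self-signed.
     *
     * <p>NOTE: self-signed is not the same as trusted. A caller-supplied self-signed
     * certificate terminates the chain here; whether it is an accepted root is decided
     * later by {@code ChainVerifier.verifyTrust}.
     *
     * @throws IllegalStateException if no root is known for the issuer DN
     *         (assumes the lookup signals "unknown" by returning null - confirm against RootCertificates).
     */
    private void appendRootIfMissing(List<X509Certificate> list) {
        X509Certificate last = list.get(list.size() - 1);
        if (isSelfSigned(last)) {
            return;
        }
        X509Certificate root = RootCertificates.lookupCertificateBySubjectDn(last.getIssuerX500Principal());
        if (root == null) {
            throw new IllegalStateException("no trusted root certificate known for issuer " + last.getIssuerX500Principal().getName("RFC1779"));
        }
        list.add(root);
    }

    /**
     * True if the certificate's signature verifies under its own public key. Any
     * verification failure (bad key, unknown algorithm/provider, bad signature, parse
     * error) counts as "not self-signed".
     */
    private boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            logger.trace("Problem verifying signature", e);
            return false;
        }
    }
}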
