package be.fedict.eid.applet.service.impl.handler;

import be.fedict.eid.applet.service.impl.ServiceLocator;
import be.fedict.eid.applet.service.impl.UserIdentifierUtil;
import be.fedict.eid.applet.service.spi.AuditService;
import be.fedict.eid.applet.service.spi.CertificateSecurityException;
import be.fedict.eid.applet.service.spi.ExpiredCertificateSecurityException;
import be.fedict.eid.applet.service.spi.RevokedCertificateSecurityException;
import be.fedict.eid.applet.service.spi.SignatureService;
import be.fedict.eid.applet.service.spi.TrustCertificateSecurityException;
import be.fedict.eid.applet.shared.ErrorCode;
import be.fedict.eid.applet.shared.FinishedMessage;
import be.fedict.eid.applet.shared.SignatureDataMessage;
import java.io.ByteArrayOutputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

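/**
 * Handles the {@link SignatureDataMessage} that carries the signature value and the
 * signer's certificate chain.
 *
 * <p>The handler verifies the signature value against the digest value and digest
 * algorithm stored in the HTTP session (see {@link #setDigestValue}), using the public
 * key of the first certificate in the chain. On success it notifies the audit service
 * and hands the signature and chain to {@link SignatureService#postSign}.
 *
 * <p>Security notes:
 * <ul>
 * <li>The digest is read from the session, not from the message, so the message cannot
 * choose what the signature is checked against.</li>
 * <li>The certificate chain comes from the message and is not validated in this class.
 * A valid signature here only shows that the signature matches the public key in the
 * supplied certificate. Certificate failures are surfaced solely through the exceptions
 * thrown by {@code postSign}; presumably expiry, revocation and trust checks are
 * performed there. NOTE(review): confirm every {@link SignatureService} implementation
 * validates the chain.</li>
 * </ul>
 */
@HandlesMessage(SignatureDataMessage.class)
/* loaded from: input_file:be/fedict/eid/applet/service/impl/handler/SignatureDataMessageHandler.class */
public class SignatureDataMessageHandler implements MessageHandler<SignatureDataMessage> {

    @InitParam(HelloMessageHandler.SIGNATURE_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<SignatureService> signatureServiceLocator;

    @InitParam(AuthenticationDataMessageHandler.AUDIT_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuditService> auditServiceLocator;
    private static final Log LOG = LogFactory.getLog(SignatureDataMessageHandler.class);

    // DER-encoded DigestInfo headers (PKCS#1 v1.5). The digest bytes are appended to the
    // prefix before verification; the last byte of each prefix is the digest length.
    // NOTE(review): these are public mutable arrays, so any code in the same class loader
    // can alter them. They are kept public for compatibility; callers must treat them as
    // read-only.
    public static final byte[] SHA1_DIGEST_INFO_PREFIX = {48, 33, 48, 9, 6, 5, 43, 14, 3, 2, 26, 5, 0, 4, 20};
    public static final byte[] SHA224_DIGEST_INFO_PREFIX = {48, 45, 48, 13, 6, 9, 96, -122, 72, 1, 101, 3, 4, 2, 4, 5, 0, 4, 28};
    public static final byte[] SHA256_DIGEST_INFO_PREFIX = {48, 49, 48, 13, 6, 9, 96, -122, 72, 1, 101, 3, 4, 2, 1, 5, 0, 4, 32};
    public static final byte[] SHA384_DIGEST_INFO_PREFIX = {48, 65, 48, 13, 6, 9, 96, -122, 72, 1, 101, 3, 4, 2, 2, 5, 0, 4, 48};
    public static final byte[] SHA512_DIGEST_INFO_PREFIX = {48, 81, 48, 13, 6, 9, 96, -122, 72, 1, 101, 3, 4, 2, 3, 5, 0, 4, 64};
    public static final byte[] RIPEMD160_DIGEST_INFO_PREFIX = {48, 33, 48, 9, 6, 5, 43, 36, 3, 2, 1, 5, 0, 4, 20};
    public static final byte[] RIPEMD128_DIGEST_INFO_PREFIX = {48, 29, 48, 9, 6, 5, 43, 36, 3, 2, 2, 5, 0, 4, 16};
    public static final byte[] RIPEMD256_DIGEST_INFO_PREFIX = {48, 45, 48, 9, 6, 5, 43, 36, 3, 2, 3, 5, 0, 4, 32};

    /** Session attribute holding the digest value the signature is expected to cover. */
    public static final String DIGEST_VALUE_SESSION_ATTRIBUTE = SignatureDataMessageHandler.class.getName() + ".digestValue";
    /** Session attribute holding the name of the digest algorithm. */
    public static final String DIGEST_ALGO_SESSION_ATTRIBUTE = SignatureDataMessageHandler.class.getName() + ".digestAlgo";

    /**
     * Verifies the received signature and passes it to the signature service.
     *
     * <p>Named {@code handleMessage2} by the decompiler to avoid a clash with the bridge
     * method {@link #handleMessage}.
     *
     * @param signatureDataMessage message holding the signature value and certificate chain
     * @param map                  not used by this handler
     * @param httpServletRequest   request; its remote address is passed to the audit service
     *                             when the signature does not verify
     * @param httpSession          session holding the expected digest value and algorithm
     * @return a {@link FinishedMessage}, carrying an error code when {@code postSign}
     *         reports a certificate problem
     * @throws ServletException  if the chain or the session digest state is missing, or
     *                           if the signature does not verify
     * @throws SecurityException if the signature service fails for any other reason
     */
    public Object handleMessage2(SignatureDataMessage signatureDataMessage, Map<String, String> map, HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        LOG.debug("signature data message received");
        byte[] signatureValue = signatureDataMessage.signatureValue;
        List<X509Certificate> certificateChain = signatureDataMessage.certificateChain;
        // A null chain is treated like an empty one instead of failing with a NullPointerException.
        if (null == certificateChain || certificateChain.isEmpty()) {
            throw new ServletException("certificate chain is empty");
        }
        X509Certificate signingCertificate = certificateChain.get(0);
        if (null == signingCertificate) {
            throw new ServletException("non-repudiation certificate missing");
        }
        LOG.debug("non-repudiation signing certificate: " + signingCertificate.getSubjectX500Principal());
        PublicKey signingKey = signingCertificate.getPublicKey();

        String digestAlgo = getDigestAlgo(httpSession);
        byte[] digestValue = getDigestValue(httpSession);
        // Both attributes are only present after setDigestValue() ran on this session.
        // Without them there is nothing to verify against, so reject the message
        // explicitly rather than dereferencing null below.
        if (null == digestAlgo || null == digestValue) {
            throw new ServletException("digest value or algorithm missing from session");
        }

        try {
            boolean signatureValid;
            if (digestAlgo.endsWith("-PSS")) {
                LOG.debug("verifying RSA/PSS signature");
                signatureValid = verifyPss(signingKey, digestAlgo, digestValue, signatureValue);
            } else {
                signatureValid = verifyPkcs1(signingKey, digestAlgo, digestValue, signatureValue);
            }
            if (!signatureValid) {
                // Audited for both signature schemes, so a failed PSS verification
                // leaves the same trail as a failed PKCS#1 one.
                auditSignatureError(httpServletRequest, signingCertificate);
                throw new SecurityException("signature incorrect");
            }
        } catch (Exception e) {
            LOG.debug("signature verification error: " + e.getMessage(), e);
            throw new ServletException("signature verification error: " + e.getMessage(), e);
        }

        // NOTE(review): the "signed" audit event is recorded before postSign() runs, so it
        // is also emitted for a certificate that postSign() then reports as expired,
        // revoked or untrusted. Confirm this ordering is intended.
        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.signed(UserIdentifierUtil.getUserId(signingCertificate));
        }

        try {
            this.signatureServiceLocator.locateService().postSign(signatureValue, certificateChain);
            return new FinishedMessage();
        } catch (Exception e) {
            FinishedMessage failure = certificateFailureMessage(e);
            if (null != failure) {
                return failure;
            }
            // javax.ejb is matched by name and accessed reflectively, so this class has no
            // compile-time dependency on the EJB API.
            if ("javax.ejb.EJBException".equals(e.getClass().getName())) {
                Exception cause;
                try {
                    cause = (Exception) e.getClass().getMethod("getCausedByException", new Class[0]).invoke(e, new Object[0]);
                } catch (Exception reflectionError) {
                    // Log and chain the reflection failure itself so it is not lost.
                    LOG.debug("error: " + reflectionError.getMessage(), reflectionError);
                    throw new SecurityException("error retrieving the root cause: " + reflectionError.getMessage(), reflectionError);
                }
                failure = certificateFailureMessage(cause);
                if (null != failure) {
                    return failure;
                }
            }
            throw new SecurityException("signature service error: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies an RSA/PSS signature over the given digest value.
     *
     * <p>Explicit PSS parameters are only set for {@code SHA-256-PSS}. For any other
     * {@code *-PSS} name no parameters are set, so whatever the provider uses by default
     * applies. NOTE(review): confirm those defaults match what the client signs with.
     */
    private static boolean verifyPss(PublicKey signingKey, String digestAlgo, byte[] digestValue, byte[] signatureValue) throws java.security.GeneralSecurityException {
        Signature verifier = Signature.getInstance("RAWRSASSA-PSS", BouncyCastleProvider.PROVIDER_NAME);
        if ("SHA-256-PSS".equals(digestAlgo)) {
            LOG.debug("RSA/PSS SHA256");
            verifier.setParameter(new PSSParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), 32, 1));
        }
        verifier.initVerify(signingKey);
        verifier.update(digestValue);
        return verifier.verify(signatureValue);
    }

    /**
     * Verifies a PKCS#1 v1.5 signature by rebuilding the DigestInfo structure (prefix
     * followed by digest value) and checking it with the provider's raw RSA verifier.
     */
    private static boolean verifyPkcs1(PublicKey signingKey, String digestAlgo, byte[] digestValue, byte[] signatureValue) throws java.security.GeneralSecurityException {
        Signature verifier = Signature.getInstance("RawRSA", BouncyCastleProvider.PROVIDER_NAME);
        verifier.initVerify(signingKey);
        ByteArrayOutputStream digestInfo = new ByteArrayOutputStream();
        byte[] prefix = digestInfoPrefix(digestAlgo);
        if (null != prefix) {
            digestInfo.write(prefix, 0, prefix.length);
        } else {
            // The fall-through is kept: the bare digest value is verified without a
            // DigestInfo header. It is logged so an unexpected algorithm name is visible.
            // NOTE(review): decide whether unknown algorithm names should be rejected.
            LOG.warn("no DigestInfo prefix known for digest algorithm: " + digestAlgo);
        }
        digestInfo.write(digestValue, 0, digestValue.length);
        verifier.update(digestInfo.toByteArray());
        return verifier.verify(signatureValue);
    }

    /**
     * Returns the DigestInfo prefix for the given digest algorithm name, or {@code null}
     * when the name is not one of the algorithms this handler knows.
     */
    private static byte[] digestInfoPrefix(String digestAlgo) {
        if ("SHA-1".equals(digestAlgo) || "SHA1".equals(digestAlgo)) {
            return SHA1_DIGEST_INFO_PREFIX;
        }
        if ("SHA-224".equals(digestAlgo)) {
            return SHA224_DIGEST_INFO_PREFIX;
        }
        if ("SHA-256".equals(digestAlgo)) {
            return SHA256_DIGEST_INFO_PREFIX;
        }
        if ("SHA-384".equals(digestAlgo)) {
            return SHA384_DIGEST_INFO_PREFIX;
        }
        if ("SHA-512".equals(digestAlgo)) {
            return SHA512_DIGEST_INFO_PREFIX;
        }
        if ("RIPEMD160".equals(digestAlgo)) {
            return RIPEMD160_DIGEST_INFO_PREFIX;
        }
        if ("RIPEMD128".equals(digestAlgo)) {
            return RIPEMD128_DIGEST_INFO_PREFIX;
        }
        if ("RIPEMD256".equals(digestAlgo)) {
            return RIPEMD256_DIGEST_INFO_PREFIX;
        }
        return null;
    }

    /** Reports a failed signature verification to the audit service, if one is configured. */
    private void auditSignatureError(HttpServletRequest httpServletRequest, X509Certificate signingCertificate) {
        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.signatureError(httpServletRequest.getRemoteAddr(), signingCertificate);
        }
    }

    /**
     * Maps a certificate security exception to the {@link FinishedMessage} sent to the
     * client, or returns {@code null} when the throwable is not one of those exceptions.
     * The most specific types are tested first, in the same order as the original catch
     * chain.
     */
    private static FinishedMessage certificateFailureMessage(Throwable failure) {
        if (failure instanceof ExpiredCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED);
        }
        if (failure instanceof RevokedCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED);
        }
        if (failure instanceof TrustCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED);
        }
        if (failure instanceof CertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE);
        }
        return null;
    }

    /** No initialisation is needed for this handler. */
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public void init(ServletConfig servletConfig) throws ServletException {
    }

    /**
     * Returns the digest value stored in the session, or {@code null} when none was set.
     * The stored array itself is returned, not a copy.
     */
    public static byte[] getDigestValue(HttpSession httpSession) {
        return (byte[]) httpSession.getAttribute(DIGEST_VALUE_SESSION_ATTRIBUTE);
    }

    /**
     * Stores the digest value and digest algorithm name in the session. The array is
     * stored by reference, so later changes by the caller affect what is verified.
     *
     * @param bArr        digest value the signature is expected to cover
     * @param str         digest algorithm name, e.g. {@code SHA-256} or {@code SHA-256-PSS}
     * @param httpSession session to store the values in
     */
    public static void setDigestValue(byte[] bArr, String str, HttpSession httpSession) {
        httpSession.setAttribute(DIGEST_VALUE_SESSION_ATTRIBUTE, bArr);
        httpSession.setAttribute(DIGEST_ALGO_SESSION_ATTRIBUTE, str);
    }

    /** Returns the digest algorithm name stored in the session, or {@code null} when none was set. */
    public static String getDigestAlgo(HttpSession httpSession) {
        return (String) httpSession.getAttribute(DIGEST_ALGO_SESSION_ATTRIBUTE);
    }

    /** Bridge method for the generic {@link MessageHandler} interface; delegates to {@link #handleMessage2}. */
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    @SuppressWarnings("unchecked") // raw Map comes from the erased bridge signature
    public /* bridge */ /* synthetic */ Object handleMessage(SignatureDataMessage signatureDataMessage, Map map, HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        return handleMessage2(signatureDataMessage, (Map<String, String>) map, httpServletRequest, httpSession);
    }
}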
