package be.fedict.trust;

import be.fedict.trust.constraints.CertificatePoliciesCertificateConstraint;
import be.fedict.trust.constraints.DistinguishedNameCertificateConstraint;
import be.fedict.trust.constraints.KeyUsageCertificateConstraint;
import be.fedict.trust.constraints.QCStatementsCertificateConstraint;
import be.fedict.trust.constraints.TSACertificateConstraint;
import be.fedict.trust.crl.CachedCrlRepository;
import be.fedict.trust.crl.CrlTrustLinker;
import be.fedict.trust.crl.OnlineCrlRepository;
import be.fedict.trust.ocsp.OcspTrustLinker;
import be.fedict.trust.ocsp.OnlineOcspRepository;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;

/* loaded from: input_file:be/fedict/trust/BelgianTrustValidatorFactory.class */
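/**
 * Factory for {@link TrustValidator} instances pre-configured for the Belgian eID PKI.
 *
 * <p>Unless the caller supplies its own {@link CertificateRepository}, the trust anchors are the
 * Belgian root CA certificates bundled on the classpath ({@code be/fedict/trust/belgiumrca.crt},
 * {@code belgiumrca2.crt}; {@code belgiumtsa.crt} for the TSA validator). Whoever can replace
 * those classpath resources decides what this factory trusts, so they must ship with the
 * application and never be loaded from a user-writable location.
 *
 * <p>Every validator gets the same trust-linker chain: a {@link PublicKeyTrustLinker}, then a
 * {@link FallbackTrustLinker} holding the optional caller-supplied linker, an OCSP linker and a
 * cached CRL linker, added in that order. Which certificate constraints (key usage, certificate
 * policies, subject DN, QC statements) are enforced depends on the {@link CertificateType}.
 */
public class BelgianTrustValidatorFactory {
    private static final Log LOG = LogFactory.getLog(BelgianTrustValidatorFactory.class);

    /** Classpath resource holding the first Belgian root CA certificate. */
    private static final String BELGIUM_RCA_RESOURCE = "be/fedict/trust/belgiumrca.crt";
    /** Classpath resource holding the second Belgian root CA certificate. */
    private static final String BELGIUM_RCA2_RESOURCE = "be/fedict/trust/belgiumrca2.crt";
    /** Classpath resource holding the Belgian TSA trust point. */
    private static final String BELGIUM_TSA_RESOURCE = "be/fedict/trust/belgiumtsa.crt";
    /** Subject DN a National Registry certificate must carry. */
    private static final String NATIONAL_REGISTRY_DN = "CN=RRN, O=RRN, C=BE";

    /** Certificate policy OIDs accepted on authentication certificates (2.16.56.1 and 2.16.56.9 arcs). */
    private static final String[] AUTHN_POLICIES = {
        "2.16.56.1.1.1.2.2",
        "2.16.56.1.1.1.7.2",
        "2.16.56.9.1.1.2.2",
        "2.16.56.9.1.1.7.2"
    };
    /** Certificate policy OIDs accepted on non-repudiation certificates (2.16.56.1 and 2.16.56.9 arcs). */
    private static final String[] SIGN_POLICIES = {
        "2.16.56.1.1.1.2.1",
        "2.16.56.1.1.1.7.1",
        "2.16.56.9.1.1.2.1",
        "2.16.56.9.1.1.7.1"
    };
    /** Certificate policy OIDs accepted on National Registry certificates. */
    private static final String[] NATIONAL_REGISTRY_POLICIES = {
        "2.16.56.1.1.1.4",
        "2.16.56.9.1.1.4"
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:be/fedict/trust/BelgianTrustValidatorFactory$CertificateType.class */
    /**
     * Kind of end-entity certificate a validator is built for; selects the key-usage,
     * certificate-policy and other constraints that are enforced.
     */
    public enum CertificateType {
        /** eID authentication certificate: key-usage filter digitalSignature on, nonRepudiation off. */
        AUTHN,
        /** eID non-repudiation (signature) certificate: nonRepudiation on; QC statements also checked. */
        SIGN,
        /** National Registry (RRN) certificate: both key-usage filters on, fixed subject DN. */
        NATIONAL_REGISTRY
    }

    /**
     * Creates an authentication-certificate validator with default network settings and the
     * bundled Belgian root CAs as trust anchors.
     *
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createTrustValidator() {
        return createTrustValidator(null);
    }

    /**
     * Creates an authentication-certificate validator using the bundled Belgian root CAs.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createTrustValidator(NetworkConfig networkConfig) {
        return createTrustValidator(networkConfig, null);
    }

    /**
     * Creates an authentication-certificate validator using the bundled Belgian root CAs.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @param trustLinker   optional linker consulted before OCSP and CRL; may be {@code null}
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createTrustValidator(NetworkConfig networkConfig, TrustLinker trustLinker) {
        return createTrustValidator(CertificateType.AUTHN, networkConfig, trustLinker, null);
    }

    /**
     * Creates a non-repudiation (signature) certificate validator using the bundled Belgian root CAs.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @param trustLinker   optional linker consulted before OCSP and CRL; may be {@code null}
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createNonRepudiationTrustValidator(NetworkConfig networkConfig, TrustLinker trustLinker) {
        return createTrustValidator(CertificateType.SIGN, networkConfig, trustLinker, null);
    }

    /**
     * Creates a non-repudiation (signature) certificate validator using the bundled Belgian root CAs.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createNonRepudiationTrustValidator(NetworkConfig networkConfig) {
        return createTrustValidator(CertificateType.SIGN, networkConfig, null, null);
    }

    /**
     * Creates a National Registry certificate validator using the bundled Belgian root CAs.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createNationalRegistryTrustValidator(NetworkConfig networkConfig) {
        return createTrustValidator(CertificateType.NATIONAL_REGISTRY, networkConfig, null, null);
    }

    /**
     * Creates a validator for time-stamping authority certificates, anchored on the bundled
     * Belgian TSA certificate and constrained by {@link TSACertificateConstraint}.
     *
     * @param networkConfig network settings for the online OCSP/CRL repositories; may be {@code null}
     * @param trustLinker   optional linker consulted before OCSP and CRL; may be {@code null}
     * @return a configured {@link TrustValidator}
     * @throws IllegalArgumentException if the bundled TSA certificate resource is missing
     */
    public static TrustValidator createTSATrustValidator(NetworkConfig networkConfig, TrustLinker trustLinker) {
        MemoryCertificateRepository repository = new MemoryCertificateRepository();
        repository.addTrustPoint(loadCertificate(BELGIUM_TSA_RESOURCE));
        TrustValidator trustValidator = new TrustValidator(repository);
        addTrustLinkers(trustValidator, networkConfig, trustLinker);
        trustValidator.addCertificateConstrain(new TSACertificateConstraint());
        return trustValidator;
    }

    /**
     * Creates an authentication-certificate validator anchored on a caller-supplied repository.
     *
     * @param networkConfig         network settings for the online OCSP/CRL repositories; may be {@code null}
     * @param trustLinker           optional linker consulted before OCSP and CRL; may be {@code null}
     * @param certificateRepository trust anchors to use; {@code null} selects the bundled Belgian root CAs
     * @return a configured {@link TrustValidator}
     */
    public static TrustValidator createTrustValidator(NetworkConfig networkConfig, TrustLinker trustLinker, CertificateRepository certificateRepository) {
        return createTrustValidator(CertificateType.AUTHN, networkConfig, trustLinker, certificateRepository);
    }

    /**
     * Builds a validator for the given certificate type.
     *
     * @param certificateType       selects the constraints to enforce; must not be {@code null}
     * @param networkConfig         network settings for the online OCSP/CRL repositories; may be {@code null}
     * @param trustLinker           optional linker consulted before OCSP and CRL; may be {@code null}
     * @param certificateRepository trust anchors; {@code null} selects the bundled Belgian root CAs
     * @return a configured {@link TrustValidator}
     * @throws IllegalArgumentException if {@code certificateType} is {@code null} or a bundled root
     *                                  certificate resource is missing
     */
    private static TrustValidator createTrustValidator(CertificateType certificateType, NetworkConfig networkConfig, TrustLinker trustLinker, CertificateRepository certificateRepository) {
        if (null == certificateType) {
            throw new IllegalArgumentException("certificateType is required");
        }
        TrustValidator trustValidator;
        if (null == certificateRepository) {
            trustValidator = new TrustValidator(createBelgianRootRepository());
        } else {
            trustValidator = new TrustValidator(certificateRepository);
        }
        addTrustLinkers(trustValidator, networkConfig, trustLinker);
        trustValidator.addCertificateConstrain(keyUsageConstraint(certificateType));
        trustValidator.addCertificateConstrain(certificatePoliciesConstraint(certificateType));
        if (CertificateType.NATIONAL_REGISTRY == certificateType) {
            // RRN certificates are additionally pinned to a fixed subject DN.
            trustValidator.addCertificateConstrain(new DistinguishedNameCertificateConstraint(NATIONAL_REGISTRY_DN));
        }
        if (CertificateType.SIGN == certificateType) {
            // NOTE(review): the boolean presumably requires the QC compliance statement — confirm in QCStatementsCertificateConstraint.
            trustValidator.addCertificateConstrain(new QCStatementsCertificateConstraint(true));
        }
        return trustValidator;
    }

    /**
     * Builds an in-memory repository holding the two bundled Belgian root CA certificates.
     *
     * @return a repository with both roots registered as trust points
     * @throws IllegalArgumentException if either classpath resource is missing
     */
    private static MemoryCertificateRepository createBelgianRootRepository() {
        MemoryCertificateRepository repository = new MemoryCertificateRepository();
        repository.addTrustPoint(loadCertificate(BELGIUM_RCA_RESOURCE));
        repository.addTrustPoint(loadCertificate(BELGIUM_RCA2_RESOURCE));
        return repository;
    }

    /**
     * Installs the trust-linker chain shared by all validators: a {@link PublicKeyTrustLinker},
     * then a {@link FallbackTrustLinker} that receives the caller-supplied linker (if any), an
     * OCSP linker and a cached CRL linker, in that insertion order. The fallback linker is assumed
     * to consult its members in insertion order — TODO confirm against FallbackTrustLinker.
     *
     * @param trustValidator the validator to configure
     * @param networkConfig  network settings for the online repositories; may be {@code null}
     * @param trustLinker    optional caller-supplied linker; may be {@code null}
     */
    private static void addTrustLinkers(TrustValidator trustValidator, NetworkConfig networkConfig, TrustLinker trustLinker) {
        trustValidator.addTrustLinker(new PublicKeyTrustLinker());
        OnlineOcspRepository ocspRepository = new OnlineOcspRepository(networkConfig);
        CachedCrlRepository crlRepository = new CachedCrlRepository(new OnlineCrlRepository(networkConfig));
        FallbackTrustLinker fallbackTrustLinker = new FallbackTrustLinker();
        if (null != trustLinker) {
            fallbackTrustLinker.addTrustLinker(trustLinker);
        }
        fallbackTrustLinker.addTrustLinker(new OcspTrustLinker(ocspRepository));
        fallbackTrustLinker.addTrustLinker(new CrlTrustLinker(crlRepository));
        trustValidator.addTrustLinker(fallbackTrustLinker);
    }

    /**
     * Builds the key-usage constraint for a certificate type.
     *
     * @param certificateType the certificate type
     * @return the configured constraint
     * @throws IllegalArgumentException for an unknown certificate type
     */
    private static KeyUsageCertificateConstraint keyUsageConstraint(CertificateType certificateType) {
        KeyUsageCertificateConstraint constraint = new KeyUsageCertificateConstraint();
        switch (certificateType) {
            case AUTHN:
                constraint.setDigitalSignatureFilter(true);
                constraint.setNonRepudiationFilter(false);
                break;
            case SIGN:
                constraint.setDigitalSignatureFilter(false);
                constraint.setNonRepudiationFilter(true);
                break;
            case NATIONAL_REGISTRY:
                constraint.setDigitalSignatureFilter(true);
                constraint.setNonRepudiationFilter(true);
                break;
            default:
                // Fail closed if the enum ever grows without this table being updated.
                throw new IllegalArgumentException("unsupported certificate type: " + certificateType);
        }
        return constraint;
    }

    /**
     * Builds the certificate-policies constraint for a certificate type.
     *
     * @param certificateType the certificate type
     * @return a constraint accepting exactly the policy OIDs registered for that type
     * @throws IllegalArgumentException for an unknown certificate type
     */
    private static CertificatePoliciesCertificateConstraint certificatePoliciesConstraint(CertificateType certificateType) {
        CertificatePoliciesCertificateConstraint constraint = new CertificatePoliciesCertificateConstraint();
        for (String policyOid : certificatePolicies(certificateType)) {
            constraint.addCertificatePolicy(policyOid);
        }
        return constraint;
    }

    /**
     * Returns the policy OIDs accepted for a certificate type.
     *
     * @param certificateType the certificate type
     * @return the OID table for that type (not to be modified)
     * @throws IllegalArgumentException for an unknown certificate type
     */
    private static String[] certificatePolicies(CertificateType certificateType) {
        switch (certificateType) {
            case AUTHN:
                return AUTHN_POLICIES;
            case SIGN:
                return SIGN_POLICIES;
            case NATIONAL_REGISTRY:
                return NATIONAL_REGISTRY_POLICIES;
            default:
                // Fail closed if the enum ever grows without this table being updated.
                throw new IllegalArgumentException("unsupported certificate type: " + certificateType);
        }
    }

    /**
     * Loads a DER/PEM encoded X.509 certificate from the classpath.
     *
     * <p>The context class loader is tried first (as before); the factory's own class loader is
     * used only when no context class loader is set, so the bundled resources still resolve.
     * The resource stream is always closed.
     *
     * @param resourceName classpath resource name of the certificate
     * @return the parsed certificate
     * @throws IllegalArgumentException if the resource cannot be found
     * @throws RuntimeException         if the resource is not a parseable X.509 certificate
     */
    private static X509Certificate loadCertificate(String resourceName) {
        LOG.debug("loading certificate: " + resourceName);
        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
        if (null == classLoader) {
            classLoader = BelgianTrustValidatorFactory.class.getClassLoader();
        }
        InputStream resourceAsStream = classLoader.getResourceAsStream(resourceName);
        if (null == resourceAsStream) {
            throw new IllegalArgumentException("resource not found: " + resourceName);
        }
        try {
            // "X.509" is the standard JCA certificate type (same value as XMLX509Certificate.JCA_CERT_ID).
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) certificateFactory.generateCertificate(resourceAsStream);
        } catch (CertificateException e) {
            throw new RuntimeException("X509 error: " + e.getMessage(), e);
        } finally {
            try {
                resourceAsStream.close();
            } catch (IOException e) {
                // Best effort: the certificate is already parsed (or the failure already reported).
                LOG.debug("could not close certificate resource: " + resourceName, e);
            }
        }
    }
}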
