package be.fedict.trust.client;

import be.fedict.trust.client.exception.RevocationDataCorruptException;
import be.fedict.trust.client.exception.RevocationDataNotFoundException;
import be.fedict.trust.client.exception.TrustDomainNotFoundException;
import be.fedict.trust.client.exception.ValidationFailedException;
import be.fedict.trust.client.jaxb.xades132.CRLValuesType;
import be.fedict.trust.client.jaxb.xades132.CertifiedRolesListType;
import be.fedict.trust.client.jaxb.xades132.EncapsulatedPKIDataType;
import be.fedict.trust.client.jaxb.xades132.OCSPValuesType;
import be.fedict.trust.client.jaxb.xades132.RevocationValuesType;
import be.fedict.trust.client.jaxb.xkms.KeyBindingType;
import be.fedict.trust.client.jaxb.xkms.MessageExtensionAbstractType;
import be.fedict.trust.client.jaxb.xkms.ObjectFactory;
import be.fedict.trust.client.jaxb.xkms.QueryKeyBindingType;
import be.fedict.trust.client.jaxb.xkms.StatusType;
import be.fedict.trust.client.jaxb.xkms.TimeInstantType;
import be.fedict.trust.client.jaxb.xkms.UseKeyWithType;
import be.fedict.trust.client.jaxb.xkms.ValidateRequestType;
import be.fedict.trust.client.jaxb.xkms.ValidateResultType;
import be.fedict.trust.client.jaxb.xmldsig.KeyInfoType;
import be.fedict.trust.client.jaxb.xmldsig.X509DataType;
import be.fedict.trust.client.jaxws.xkms.XKMSPortType;
import be.fedict.trust.xkms.extensions.AttributeCertificateMessageExtensionType;
import be.fedict.trust.xkms.extensions.RevocationDataMessageExtensionType;
import be.fedict.trust.xkms.extensions.TSAMessageExtensionType;
import be.fedict.trust.xkms2.LoggingSoapHandler;
import be.fedict.trust.xkms2.ResultMajorCode;
import be.fedict.trust.xkms2.ResultMinorCode;
import be.fedict.trust.xkms2.XKMSConstants;
import be.fedict.trust.xkms2.XKMSServiceFactory;
import com.sun.xml.ws.developer.JAXWSProperties;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.ProxySelector;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.xml.datatype.DatatypeConfigurationException;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.ws.Binding;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.Handler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.bouncycastle.ocsp.OCSPResp;
import org.bouncycastle.tsp.TimeStampToken;

/* loaded from: input_file:be/fedict/trust/client/XKMS2Client.class */
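/**
 * Client for an XKMS 2.0 trust web service.
 *
 * <p>Builds XKMS {@code ValidateRequest} messages for a certificate chain (optionally scoped to a
 * trust domain, evaluated at a given point in time with supplied revocation data, or carrying a
 * time-stamp token or a list of certified roles), sends them through the {@link XKMSPortType} and
 * turns the {@code ValidateResult} into either a normal return (key binding status valid) or one
 * of the checked exceptions declared on the {@code validate} methods.
 *
 * <p>Not thread-safe: {@link #revocationValues} and {@link #invalidReasonURIs} are per-instance
 * state written by every validation call.
 *
 * <p>Loading this class replaces the JVM-wide default {@link ProxySelector} (see the static
 * initializer); that side effect is shared by every client and every other socket user in the JVM.
 */
public class XKMS2Client {

    private static final Log LOG = LogFactory.getLog(XKMS2Client.class);

    /**
     * Proxy selector wrapping the JVM default as it was at class-load time; {@link #setProxy}
     * registers per-location proxies on it.
     */
    private static XKMS2ProxySelector proxySelector = new XKMS2ProxySelector(ProxySelector.getDefault());

    static {
        // Global side effect: install our selector as the JVM-wide default so that setProxy()
        // takes effect. Runs after the proxySelector field initializer above (textual order).
        ProxySelector.setDefault(proxySelector);
    }

    /** JAX-WS port, obtained once per client instance from the service factory. */
    private final XKMSPortType port = XKMSServiceFactory.getInstance().getXKMSPort();

    /** Endpoint URL given to the constructor; also the key under which {@link #setProxy} registers a proxy. */
    private final String location;

    /** WS-Security handler added to the port's handler chain by the constructor. */
    private WSSecurityClientHandler wsSecurityClientHandler;

    /**
     * Revocation values delivered by the last validation that asked for them; reset on every such
     * request so that a value left over from an earlier call can never satisfy a later one.
     */
    private RevocationValuesType revocationValues;

    /** Invalid-reason URIs of the most recent key binding check; cleared at the start of every check. */
    protected List<String> invalidReasonURIs = new LinkedList<String>();

    /**
     * Creates a client bound to the given XKMS2 endpoint and registers the WS-Security handler on
     * its port.
     *
     * @param str the XKMS2 endpoint URL
     * @throws IllegalArgumentException if {@code str} is {@code null}
     */
    public XKMS2Client(String str) {
        if (null == str) {
            throw new IllegalArgumentException("XKMS2 location URL cannot be null");
        }
        this.location = str;
        // NOTE: overridable protected method invoked from the constructor; an override sees an
        // instance whose field initializers (port, invalidReasonURIs) and location are set but
        // whose endpoint address is not yet configured.
        registeredWSSecurityHandler(this.port);
        setEndpointAddress(str);
    }

    /**
     * Enables or disables SOAP message logging on the port.
     *
     * @param z {@code true} to make sure a {@link LoggingSoapHandler} is in the handler chain
     *     (repeated calls do not add duplicates), {@code false} to remove every such handler
     */
    public void setLogging(boolean z) {
        if (z) {
            registerLoggerHandler(this.port);
        } else {
            removeLoggerHandler(this.port);
        }
    }

    /**
     * Registers a proxy for this client's endpoint location on the shared proxy selector.
     *
     * @param str proxy host
     * @param i proxy port
     */
    public void setProxy(String str, int i) {
        proxySelector.setProxy(this.location, str, i);
    }

    /**
     * Hands the certificate the WS-Security handler should expect on signed responses to that
     * handler.
     *
     * @param x509Certificate the service's signing certificate
     */
    public void setServerCertificate(X509Certificate x509Certificate) {
        this.wsSecurityClientHandler.setServerCertificate(x509Certificate);
    }

    /**
     * Sets the maximum accepted WS-Security timestamp offset.
     *
     * @param j offset; it is multiplied by 1000 before being handed to the handler, so this
     *     presumably is seconds while the handler works in milliseconds — confirm against
     *     {@code WSSecurityClientHandler}. Values above {@code Long.MAX_VALUE / 1000} overflow.
     */
    public void setMaxWSSecurityTimestampOffset(long j) {
        this.wsSecurityClientHandler.setMaxWSSecurityTimestampOffset(j * 1000);
    }

    /**
     * Pins the TLS server certificate to the given public key: the port is given an SSL socket
     * factory whose trust manager accepts the server certificate only if its signature verifies
     * under {@code publicKey}.
     *
     * <p>A {@code null} key keeps the historical behaviour of this method and disables server
     * certificate verification entirely; a warning is logged when that happens.
     *
     * @param publicKey the key the server certificate must verify under, or {@code null}
     * @throws RuntimeException if no TLS context can be created or initialised
     */
    public void setServicePublicKey(final PublicKey publicKey) {
        if (null == publicKey) {
            LOG.warn("no service public key given: server certificate will not be verified");
        }
        TrustManager[] trustManagers = {new PinnedKeyTrustManager(publicKey)};
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagers, new SecureRandom());
            LOG.debug("SSL context provider: " + sslContext.getProvider().getName());
            ((BindingProvider) this.port).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, sslContext.getSocketFactory());
        } catch (KeyManagementException e) {
            String message = "key management error: " + e.getMessage();
            LOG.error(message, e);
            throw new RuntimeException(message, e);
        } catch (NoSuchAlgorithmException e) {
            String message = "TLS algo not present: " + e.getMessage();
            LOG.error(message, e);
            throw new RuntimeException(message, e);
        }
    }

    /**
     * Trust manager that accepts a server certificate only when the leaf certificate's signature
     * verifies under the pinned public key. With a {@code null} key every server certificate is
     * accepted.
     *
     * <p>Only the signature of the first certificate in the chain is examined: validity period,
     * host name and the remainder of the chain are not checked here.
     */
    private static final class PinnedKeyTrustManager implements X509TrustManager {

        private final PublicKey publicKey;

        PinnedKeyTrustManager(PublicKey publicKey) {
            this.publicKey = publicKey;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract asks for a non-null (possibly empty) array.
            return new X509Certificate[0];
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (null == chain || 0 == chain.length) {
                throw new CertificateException("empty server certificate chain");
            }
            X509Certificate serverCertificate = chain[0];
            LOG.debug("server X509 subject: " + serverCertificate.getSubjectX500Principal().toString());
            LOG.debug("authentication type: " + authType);
            if (null == this.publicKey) {
                // Verification disabled by setServicePublicKey(null).
                return;
            }
            try {
                serverCertificate.verify(this.publicKey);
                LOG.debug("valid server certificate");
            } catch (InvalidKeyException e) {
                throw new CertificateException("Invalid Key", e);
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException("No such algorithm", e);
            } catch (NoSuchProviderException e) {
                throw new CertificateException("No such provider", e);
            } catch (SignatureException e) {
                throw new CertificateException("Wrong signature", e);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("this trust manager cannot be used as server-side trust manager");
        }
    }

    /**
     * Points the JAX-WS port at the given endpoint URL.
     *
     * @param str endpoint URL
     * @throws IllegalArgumentException if {@code str} is {@code null}
     */
    private void setEndpointAddress(String str) {
        LOG.debug("ws location: " + str);
        if (null == str) {
            throw new IllegalArgumentException("XKMS2 location URL cannot be null");
        }
        ((BindingProvider) this.port).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, str);
    }

    /**
     * Adds a {@link LoggingSoapHandler} to the port's handler chain unless one is already there.
     *
     * @param obj a JAX-WS port ({@link BindingProvider})
     */
    protected void registerLoggerHandler(Object obj) {
        Binding binding = ((BindingProvider) obj).getBinding();
        List<Handler> handlerChain = binding.getHandlerChain();
        for (Handler handler : handlerChain) {
            if (handler instanceof LoggingSoapHandler) {
                return; // already logging; do not stack a second handler
            }
        }
        handlerChain.add(new LoggingSoapHandler());
        binding.setHandlerChain(handlerChain);
    }

    /**
     * Removes every {@link LoggingSoapHandler} from the port's handler chain.
     *
     * @param obj a JAX-WS port ({@link BindingProvider})
     */
    protected void removeLoggerHandler(Object obj) {
        Binding binding = ((BindingProvider) obj).getBinding();
        // Binding.getHandlerChain() returns a copy; removing from it has no effect on the port
        // unless the modified list is written back with setHandlerChain().
        List<Handler> handlerChain = binding.getHandlerChain();
        Iterator<Handler> handlers = handlerChain.iterator();
        while (handlers.hasNext()) {
            if (handlers.next() instanceof LoggingSoapHandler) {
                handlers.remove();
            }
        }
        binding.setHandlerChain(handlerChain);
    }

    /**
     * Creates the WS-Security handler, stores it in {@link #wsSecurityClientHandler} and appends
     * it to the port's handler chain.
     *
     * @param obj a JAX-WS port ({@link BindingProvider})
     */
    protected void registeredWSSecurityHandler(Object obj) {
        Binding binding = ((BindingProvider) obj).getBinding();
        List<Handler> handlerChain = binding.getHandlerChain();
        this.wsSecurityClientHandler = new WSSecurityClientHandler();
        handlerChain.add(this.wsSecurityClientHandler);
        binding.setHandlerChain(handlerChain);
    }

    /**
     * Validates a certificate chain against the default trust domain, without requesting
     * revocation data.
     *
     * @param list the certificate chain
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException never for this overload (declared for uniformity)
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(List<X509Certificate> list) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        validate((String) null, list);
    }

    /**
     * Validates a certificate chain against the default trust domain.
     *
     * @param list the certificate chain
     * @param z {@code true} to request revocation data and store it for {@link #getRevocationValues}
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if {@code z} and the response carries no revocation data
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(List<X509Certificate> list, boolean z) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        validate((String) null, list, z);
    }

    /**
     * Validates a certificate chain against the given trust domain, without requesting
     * revocation data.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException never for this overload (declared for uniformity)
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(String str, List<X509Certificate> list) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        validate(str, list, false);
    }

    /**
     * Validates a certificate chain against the given trust domain.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @param z {@code true} to request revocation data and store it for {@link #getRevocationValues}
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if {@code z} and the response carries no revocation data
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(String str, List<X509Certificate> list, boolean z) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        validate(str, list, z, null, null, null, null, null, null);
    }

    /**
     * Historical validation: validates the chain as of {@code date} using the supplied OCSP
     * responses and CRLs, which are DER-encoded and sent along with the request.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @param date the point in time at which to validate
     * @param list2 OCSP responses; {@code null} is treated as empty
     * @param list3 CRLs; {@code null} is treated as empty
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if both {@code list2} and {@code list3} are null or empty
     * @throws ValidationFailedException if the key binding status is not valid
     * @throws RuntimeException if an OCSP response or CRL cannot be encoded
     */
    public void validate(String str, List<X509Certificate> list, Date date, List<OCSPResp> list2, List<X509CRL> list3) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        if (isNullOrEmpty(list2) && isNullOrEmpty(list3)) {
            LOG.error("No revocation data for historical validation.");
            throw new RevocationDataNotFoundException();
        }
        List<byte[]> encodedOcspResponses = new LinkedList<byte[]>();
        List<byte[]> encodedCrls = new LinkedList<byte[]>();
        try {
            // Either list alone may be null: only "both empty" was rejected above.
            if (null != list2) {
                for (OCSPResp ocspResponse : list2) {
                    encodedOcspResponses.add(ocspResponse.getEncoded());
                }
            }
            if (null != list3) {
                for (X509CRL crl : list3) {
                    encodedCrls.add(crl.getEncoded());
                }
            }
        } catch (IOException e) {
            LOG.error("Failed to get encoded OCSPResponse: " + e.getMessage(), e);
            throw new RuntimeException(e);
        } catch (CRLException e) {
            LOG.error("Failed to get encoded CRL: " + e.getMessage(), e);
            throw new RuntimeException(e);
        }
        validate(str, list, false, date, encodedOcspResponses, encodedCrls, null, null, null);
    }

    /**
     * Historical validation with already DER-encoded revocation data. Each OCSP response and CRL
     * is parsed locally first so that corrupt input is reported before anything is sent.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @param date the point in time at which to validate
     * @param list2 DER-encoded OCSP responses; {@code null} is treated as empty
     * @param list3 DER-encoded CRLs; {@code null} is treated as empty
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if both {@code list2} and {@code list3} are null or empty
     * @throws ValidationFailedException if the key binding status is not valid
     * @throws RevocationDataCorruptException if an OCSP response or CRL does not parse
     */
    public void validateEncoded(String str, List<X509Certificate> list, Date date, List<byte[]> list2, List<byte[]> list3) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException, RevocationDataCorruptException {
        if (isNullOrEmpty(list2) && isNullOrEmpty(list3)) {
            LOG.error("No revocation data for historical validation.");
            throw new RevocationDataNotFoundException();
        }
        List<byte[]> encodedOcspResponses = null == list2 ? new LinkedList<byte[]>() : list2;
        List<byte[]> encodedCrls = null == list3 ? new LinkedList<byte[]>() : list3;
        try {
            for (byte[] encodedOcspResponse : encodedOcspResponses) {
                new OCSPResp(encodedOcspResponse); // parse only; throws IOException when corrupt
            }
            CertificateFactory certificateFactory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
            for (byte[] encodedCrl : encodedCrls) {
                certificateFactory.generateCRL(new ByteArrayInputStream(encodedCrl)); // parse only
            }
        } catch (IOException e) {
            throw new RevocationDataCorruptException("Invalid OCSP response", e);
        } catch (CRLException e) {
            throw new RevocationDataCorruptException("Invalid CRL", e);
        } catch (CertificateException e) {
            throw new RevocationDataCorruptException(e);
        }
        validate(str, list, false, date, encodedOcspResponses, encodedCrls, null, null, null);
    }

    /**
     * Historical validation with a ready-made XAdES {@code RevocationValues} element.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @param date the point in time at which to validate
     * @param revocationValuesType the revocation values to send; must not be {@code null}
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if {@code revocationValuesType} is {@code null}
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(String str, List<X509Certificate> list, Date date, RevocationValuesType revocationValuesType) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        if (null == revocationValuesType) {
            LOG.error("No revocation data for historical validation.");
            throw new RevocationDataNotFoundException();
        }
        validate(str, list, false, date, null, null, revocationValuesType, null, null);
    }

    /**
     * Validates a time-stamp token (sent as a TSA message extension) against the given trust
     * domain. No certificate chain and no date are sent; since revocation data only travels with
     * a dated request, the stored {@link #revocationValues} passed here do not end up in the
     * request.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param timeStampToken the token to validate
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws RevocationDataNotFoundException never for this overload (declared for uniformity)
     * @throws ValidationFailedException if the key binding status is not valid
     * @throws RuntimeException if the token cannot be encoded
     */
    public void validate(String str, TimeStampToken timeStampToken) throws TrustDomainNotFoundException, CertificateEncodingException, RevocationDataNotFoundException, ValidationFailedException {
        LOG.debug("validate timestamp token");
        validate(str, new LinkedList<X509Certificate>(), false, null, null, null, this.revocationValues, timeStampToken, null);
    }

    /**
     * Validates a certificate chain together with a list of certified roles (attribute
     * certificates, sent as a message extension).
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain
     * @param certifiedRolesListType the certified roles to validate
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException never for this overload (declared for uniformity)
     * @throws ValidationFailedException if the key binding status is not valid
     */
    public void validate(String str, List<X509Certificate> list, CertifiedRolesListType certifiedRolesListType) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        LOG.debug("validate attribute certificate");
        validate(str, list, false, null, null, null, this.revocationValues, null, certifiedRolesListType);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Core validation: builds the request, calls the service and interprets the result.
     *
     * @param str trust domain identifier, or {@code null} for the default domain
     * @param list the certificate chain; {@code null} is treated as empty
     * @param z {@code true} to ask for revocation data ({@code RespondWith}) and require it in the
     *     response; the values are stored in {@link #revocationValues}
     * @param date point in time for historical validation, or {@code null}; revocation data
     *     ({@code list2}, {@code list3}, {@code revocationValuesType}) is only sent when non-null
     * @param list2 DER-encoded OCSP responses, used when {@code revocationValuesType} is null
     * @param list3 DER-encoded CRLs, used when {@code revocationValuesType} is null
     * @param revocationValuesType ready-made revocation values; takes precedence over the lists
     * @param timeStampToken optional time-stamp token (TSA message extension)
     * @param certifiedRolesListType optional certified roles (attribute certificate extension)
     * @throws CertificateEncodingException if a certificate cannot be encoded
     * @throws TrustDomainNotFoundException if the service reports an unknown trust domain
     * @throws RevocationDataNotFoundException if {@code z} and the response carries no revocation data
     * @throws ValidationFailedException if the key binding status is not valid, or the result
     *     carries no key binding at all (fail closed)
     * @throws RuntimeException if the service returns no {@code ValidateResult}
     */
    public void validate(String str, List<X509Certificate> list, boolean z, Date date, List<byte[]> list2, List<byte[]> list3, RevocationValuesType revocationValuesType, TimeStampToken timeStampToken, CertifiedRolesListType certifiedRolesListType) throws CertificateEncodingException, TrustDomainNotFoundException, RevocationDataNotFoundException, ValidationFailedException {
        LOG.debug("validate");
        ValidateRequestType request = buildValidateRequest(str, list, z, date, list2, list3, revocationValuesType, timeStampToken, certifiedRolesListType);
        ValidateResultType result = this.port.validate(request);
        if (null == result) {
            throw new RuntimeException("missing ValidateResult element");
        }
        checkResponse(result);
        if (z) {
            // Assign before checking: a value left over from an earlier call must not pass.
            this.revocationValues = extractRevocationValues(result);
            if (null == this.revocationValues) {
                LOG.error("no revocation data found");
                throw new RevocationDataNotFoundException();
            }
        }
        checkKeyBindingStatus(result);
    }

    /** Assembles the XKMS ValidateRequest for the parameters of the core {@code validate}. */
    private ValidateRequestType buildValidateRequest(String str, List<X509Certificate> list, boolean z, Date date, List<byte[]> list2, List<byte[]> list3, RevocationValuesType revocationValuesType, TimeStampToken timeStampToken, CertifiedRolesListType certifiedRolesListType) throws CertificateEncodingException {
        ObjectFactory xkmsFactory = new ObjectFactory();
        be.fedict.trust.client.jaxb.xmldsig.ObjectFactory dsigFactory = new be.fedict.trust.client.jaxb.xmldsig.ObjectFactory();
        ValidateRequestType request = xkmsFactory.createValidateRequestType();
        QueryKeyBindingType queryKeyBinding = xkmsFactory.createQueryKeyBindingType();
        KeyInfoType keyInfo = dsigFactory.createKeyInfoType();
        queryKeyBinding.setKeyInfo(keyInfo);
        X509DataType x509Data = dsigFactory.createX509DataType();
        if (null != list) {
            for (X509Certificate certificate : list) {
                x509Data.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(dsigFactory.createX509DataTypeX509Certificate(certificate.getEncoded()));
            }
        }
        keyInfo.getContent().add(dsigFactory.createX509Data(x509Data));
        request.setQueryKeyBinding(queryKeyBinding);
        if (null != str) {
            UseKeyWithType useKeyWith = xkmsFactory.createUseKeyWithType();
            useKeyWith.setApplication(XKMSConstants.TRUST_DOMAIN_APPLICATION_URI);
            useKeyWith.setIdentifier(str);
            queryKeyBinding.getUseKeyWith().add(useKeyWith);
        }
        if (null != timeStampToken) {
            addTimeStampToken(request, timeStampToken);
        }
        if (null != certifiedRolesListType) {
            addAttributeCertificates(request, certifiedRolesListType);
        }
        if (z) {
            request.getRespondWith().add(XKMSConstants.RETURN_REVOCATION_DATA_URI);
        }
        if (null != date) {
            TimeInstantType timeInstant = xkmsFactory.createTimeInstantType();
            timeInstant.setTime(getXmlGregorianCalendar(date));
            queryKeyBinding.setTimeInstant(timeInstant);
            // Revocation data only accompanies a dated (historical) validation.
            addRevocationData(request, list2, list3, revocationValuesType);
        }
        return request;
    }

    /**
     * Returns the revocation values carried by the result's RevocationData message extension,
     * or {@code null} if there is none. When several are present the last one wins.
     */
    private static RevocationValuesType extractRevocationValues(ValidateResultType result) {
        RevocationValuesType found = null;
        for (MessageExtensionAbstractType extension : result.getMessageExtension()) {
            if (extension instanceof RevocationDataMessageExtensionType) {
                found = ((RevocationDataMessageExtensionType) extension).getRevocationValues();
            }
        }
        return found;
    }

    /**
     * Interprets the first key binding's status. Returns normally only for a valid status;
     * stores the invalid-reason URIs in {@link #invalidReasonURIs} otherwise. A result without
     * any key binding, or a key binding without status, is treated as a failed validation
     * rather than silently accepted.
     *
     * @throws ValidationFailedException if the status is missing or not valid
     */
    private void checkKeyBindingStatus(ValidateResultType result) throws ValidationFailedException {
        this.invalidReasonURIs.clear();
        Iterator<KeyBindingType> keyBindings = result.getKeyBinding().iterator();
        if (!keyBindings.hasNext()) {
            LOG.error("ValidateResult carries no KeyBinding; treating as validation failure");
            throw new ValidationFailedException(new LinkedList<String>(this.invalidReasonURIs));
        }
        StatusType status = keyBindings.next().getStatus();
        if (null == status) {
            LOG.error("KeyBinding carries no Status; treating as validation failure");
            throw new ValidationFailedException(new LinkedList<String>(this.invalidReasonURIs));
        }
        String statusValue = status.getStatusValue();
        LOG.debug("status: " + statusValue);
        if (XKMSConstants.KEY_BINDING_STATUS_VALID_URI.equals(statusValue)) {
            return;
        }
        this.invalidReasonURIs.addAll(status.getInvalidReason());
        // Give the exception its own copy: the next validation clears invalidReasonURIs.
        throw new ValidationFailedException(new LinkedList<String>(this.invalidReasonURIs));
    }

    /**
     * Appends a RevocationData message extension to the request. {@code revocationValuesType}
     * is used as-is when given; otherwise the encoded OCSP responses ({@code list}) and CRLs
     * ({@code list2}) are wrapped into a fresh XAdES RevocationValues element. Null lists count
     * as empty.
     */
    private void addRevocationData(ValidateRequestType validateRequestType, List<byte[]> list, List<byte[]> list2, RevocationValuesType revocationValuesType) {
        RevocationDataMessageExtensionType extension = new be.fedict.trust.xkms.extensions.ObjectFactory().createRevocationDataMessageExtensionType();
        if (null != revocationValuesType) {
            extension.setRevocationValues(revocationValuesType);
        } else {
            be.fedict.trust.client.jaxb.xades132.ObjectFactory xadesFactory = new be.fedict.trust.client.jaxb.xades132.ObjectFactory();
            RevocationValuesType revocationValuesElement = xadesFactory.createRevocationValuesType();
            OCSPValuesType ocspValues = xadesFactory.createOCSPValuesType();
            if (null != list) {
                for (byte[] encodedOcspResponse : list) {
                    EncapsulatedPKIDataType encapsulated = xadesFactory.createEncapsulatedPKIDataType();
                    encapsulated.setValue(encodedOcspResponse);
                    ocspValues.getEncapsulatedOCSPValue().add(encapsulated);
                }
            }
            revocationValuesElement.setOCSPValues(ocspValues);
            CRLValuesType crlValues = xadesFactory.createCRLValuesType();
            if (null != list2) {
                for (byte[] encodedCrl : list2) {
                    EncapsulatedPKIDataType encapsulated = xadesFactory.createEncapsulatedPKIDataType();
                    encapsulated.setValue(encodedCrl);
                    crlValues.getEncapsulatedCRLValue().add(encapsulated);
                }
            }
            revocationValuesElement.setCRLValues(crlValues);
            extension.setRevocationValues(revocationValuesElement);
        }
        validateRequestType.getMessageExtension().add(extension);
    }

    /**
     * Appends a TSA message extension carrying the DER-encoded time-stamp token.
     *
     * @throws RuntimeException if the token cannot be encoded
     */
    private void addTimeStampToken(ValidateRequestType validateRequestType, TimeStampToken timeStampToken) {
        be.fedict.trust.xkms.extensions.ObjectFactory extensionsFactory = new be.fedict.trust.xkms.extensions.ObjectFactory();
        be.fedict.trust.client.jaxb.xades132.ObjectFactory xadesFactory = new be.fedict.trust.client.jaxb.xades132.ObjectFactory();
        TSAMessageExtensionType extension = extensionsFactory.createTSAMessageExtensionType();
        EncapsulatedPKIDataType encapsulated = xadesFactory.createEncapsulatedPKIDataType();
        try {
            encapsulated.setValue(timeStampToken.getEncoded());
        } catch (IOException e) {
            LOG.error("Failed to get encoded timestamp token", e);
            throw new RuntimeException(e);
        }
        extension.setEncapsulatedTimeStamp(encapsulated);
        validateRequestType.getMessageExtension().add(extension);
    }

    /** Appends an AttributeCertificate message extension carrying the certified roles. */
    private void addAttributeCertificates(ValidateRequestType validateRequestType, CertifiedRolesListType certifiedRolesListType) {
        AttributeCertificateMessageExtensionType extension = new be.fedict.trust.xkms.extensions.ObjectFactory().createAttributeCertificateMessageExtensionType();
        extension.setCertifiedRoles(certifiedRolesListType);
        validateRequestType.getMessageExtension().add(extension);
    }

    /**
     * Maps the result's major/minor codes to exceptions. Only "trust domain not found" is
     * translated here; any other non-success result falls through to the key binding check,
     * which fails closed when no key binding is present.
     *
     * @throws TrustDomainNotFoundException if the result is not a success and its minor code is
     *     {@code TRUST_DOMAIN_NOT_FOUND}
     */
    private void checkResponse(ValidateResultType validateResultType) throws TrustDomainNotFoundException {
        // Constant-first equals: a missing ResultMajor/ResultMinor must not turn into an NPE.
        if (ResultMajorCode.SUCCESS.getErrorCode().equals(validateResultType.getResultMajor())) {
            return;
        }
        if (ResultMinorCode.TRUST_DOMAIN_NOT_FOUND.getErrorCode().equals(validateResultType.getResultMinor())) {
            throw new TrustDomainNotFoundException();
        }
        LOG.debug("non-success result major: " + validateResultType.getResultMajor() + " minor: " + validateResultType.getResultMinor());
    }

    /**
     * @return the revocation values delivered by the last validation that requested them, or
     *     {@code null} if no such validation succeeded yet
     */
    public RevocationValuesType getRevocationValues() {
        return this.revocationValues;
    }

    /**
     * @return a copy of the invalid-reason URIs of the last key binding check (empty when the
     *     last validation was valid); modifying it does not affect this client
     */
    public List<String> getInvalidReasons() {
        return new LinkedList<String>(this.invalidReasonURIs);
    }

    /**
     * Converts a {@link Date} to the {@link XMLGregorianCalendar} JAXB expects, in the default
     * time zone of {@link GregorianCalendar}.
     *
     * @throws RuntimeException (with the cause attached) if no {@link DatatypeFactory} is available
     */
    private XMLGregorianCalendar getXmlGregorianCalendar(Date date) {
        try {
            DatatypeFactory datatypeFactory = DatatypeFactory.newInstance();
            GregorianCalendar calendar = new GregorianCalendar();
            calendar.setTime(date);
            return datatypeFactory.newXMLGregorianCalendar(calendar);
        } catch (DatatypeConfigurationException e) {
            throw new RuntimeException("datatype config error", e);
        }
    }

    /** @return {@code true} when {@code list} is {@code null} or has no elements */
    private static boolean isNullOrEmpty(List<?> list) {
        return null == list || list.isEmpty();
    }
}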
