package be.fedict.eid.applet.service.impl.handler;

import be.fedict.eid.applet.service.Address;
import be.fedict.eid.applet.service.EIdCertsData;
import be.fedict.eid.applet.service.EIdData;
import be.fedict.eid.applet.service.Identity;
import be.fedict.eid.applet.service.impl.RequestContext;
import be.fedict.eid.applet.service.impl.ServiceLocator;
import be.fedict.eid.applet.service.impl.tlv.TlvParser;
import be.fedict.eid.applet.service.spi.AuditService;
import be.fedict.eid.applet.service.spi.CertificateSecurityException;
import be.fedict.eid.applet.service.spi.ExpiredCertificateSecurityException;
import be.fedict.eid.applet.service.spi.IdentityIntegrityService;
import be.fedict.eid.applet.service.spi.RevokedCertificateSecurityException;
import be.fedict.eid.applet.service.spi.TrustCertificateSecurityException;
import be.fedict.eid.applet.shared.ErrorCode;
import be.fedict.eid.applet.shared.FinishedMessage;
import be.fedict.eid.applet.shared.IdentityDataMessage;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

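/**
 * Handles the {@link IdentityDataMessage} sent by the applet: parses the identity file (and,
 * when requested, the address, photo and certificate files) read from the eID card, verifies
 * their integrity and stores the results in the HTTP session.
 * <p>
 * Security properties, as implemented below:
 * <ul>
 * <li>The identity and address files are signature-verified against the national registry (RRN)
 * certificate only when an {@link IdentityIntegrityService} is configured; without it the parsed
 * data is stored in the session unverified.</li>
 * <li>The comparison of the identity's national number with the previously authenticated user is
 * performed inside that same integrity block, and is disabled by the
 * {@code SkipNationalNumberCheck} init parameter.</li>
 * <li>The photo is checked against the digest carried in the identity file, so that digest is
 * only as trustworthy as the identity signature check.</li>
 * </ul>
 * This class is decompiler (JADX) output: {@code handleMessage2} is the real implementation and
 * {@code handleMessage} the generic bridge the decompiler split off.
 */
@HandlesMessage(IdentityDataMessage.class)
/* loaded from: input_file:be/fedict/eid/applet/service/impl/handler/IdentityDataMessageHandler.class */
public class IdentityDataMessageHandler implements MessageHandler<IdentityDataMessage> {
    private static final Log LOG = LogFactory.getLog(IdentityDataMessageHandler.class);

    /** Session attribute holding the parsed {@link Identity}. */
    public static final String IDENTITY_SESSION_ATTRIBUTE = "eid.identity";
    /** Session attribute holding the parsed {@link Address}, only set when an address was sent. */
    public static final String ADDRESS_SESSION_ATTRIBUTE = "eid.address";
    /** Session attribute holding the raw photo file, only set when a photo was sent. */
    public static final String PHOTO_SESSION_ATTRIBUTE = "eid.photo";
    /** Session attribute holding the aggregated {@link EIdData}. */
    public static final String EID_SESSION_ATTRIBUTE = "eid";
    /** Session attribute holding the {@link EIdCertsData}, only set when certificates were requested. */
    public static final String EID_CERTS_SESSION_ATTRIBUTE = "eid.certs";
    public static final String AUTHN_CERT_SESSION_ATTRIBUTE = "eid.certs.authn";
    public static final String SIGN_CERT_SESSION_ATTRIBUTE = "eid.certs.sign";
    public static final String CA_CERT_SESSION_ATTRIBUTE = "eid.certs.ca";
    /**
     * Misspelled alias of {@link #ROOT_CERT_SESSION_ATTRIBUTE}, kept so existing callers still compile.
     *
     * @deprecated use {@link #ROOT_CERT_SESSION_ATTRIBUTE}
     */
    @Deprecated
    public static final String ROOT_CERT_SESSION_ATTRIBTUE = "eid.certs.root";
    public static final String ROOT_CERT_SESSION_ATTRIBUTE = "eid.certs.root";
    /** Init parameter: when {@code true}, the national-number consistency check is skipped. */
    public static final String SKIP_NATIONAL_NUMBER_CHECK_INIT_PARAM_NAME = "SkipNationalNumberCheck";
    /** Init parameter: when {@code true}, the raw identity and address files are also stored in the session. */
    public static final String INCLUDE_DATA_FILES = "IncludeDataFiles";
    public static final String EID_DATA_IDENTITY_SESSION_ATTRIBUTE = "eid.data.identity";
    public static final String EID_DATA_ADDRESS_SESSION_ATTRIBUTE = "eid.data.address";

    /**
     * Certificate file size that, when every byte is zero, the code treats as "no certificate
     * present on the card" rather than as corrupt data (see {@link #getCertificate(byte[])}).
     */
    private static final int EMPTY_CERT_FILE_SIZE = 1300;

    @InitParam(SKIP_NATIONAL_NUMBER_CHECK_INIT_PARAM_NAME)
    private boolean skipNationalNumberCheck;

    /** Optional: when it resolves to a service, identity/address signatures and the RRN chain are verified. */
    @InitParam(HelloMessageHandler.IDENTITY_INTEGRITY_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<IdentityIntegrityService> identityIntegrityServiceLocator;

    /** Optional: receives the identified national number and integrity failures (with the remote address). */
    @InitParam(AuthenticationDataMessageHandler.AUDIT_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuditService> auditServiceLocator;

    @InitParam(INCLUDE_DATA_FILES)
    private boolean includeDataFiles;

    /**
     * Processes an identity data message.
     * <p>
     * Processing order (kept as in the original): parse identity, parse address, parse requested
     * certificates, run the RRN integrity checks if a service is configured, verify the photo
     * digest, reject expired cards, then publish everything to the session and audit.
     *
     * @param identityDataMessage the message carrying the raw card files
     * @param map                 the HTTP headers; unused by this handler
     * @param httpServletRequest  the current request (its remote address is reported on integrity failures)
     * @param httpSession         the session that receives the parsed data
     * @return a {@link FinishedMessage}, carrying an {@link ErrorCode} when the RRN certificate check fails
     * @throws ServletException when a requested file is missing, an unrequested file is present, a
     *                          signature or digest does not verify, or the national number mismatches
     * @throws SecurityException when the card has expired or the RRN certificate check fails unexpectedly
     */
    /* renamed from: handleMessage, reason: avoid collision after fix types in other method */
    public Object handleMessage2(IdentityDataMessage identityDataMessage, Map<String, String> map,
            HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        LOG.debug("received identity data");
        LOG.debug("identity file size: " + identityDataMessage.idFile.length);
        Identity identity = (Identity) TlvParser.parse(identityDataMessage.idFile, Identity.class);

        RequestContext requestContext = new RequestContext(httpSession);
        boolean includeAddress = requestContext.includeAddress();
        boolean includeCertificates = requestContext.includeCertificates();
        boolean includePhoto = requestContext.includePhoto();

        Address address = parseAddress(identityDataMessage, includeAddress);

        X509Certificate authnCert = null;
        X509Certificate signCert = null;
        X509Certificate caCert = null;
        X509Certificate rootCert = null;
        if (includeCertificates) {
            // all presence checks first, so a missing file is reported before any parsing/logging
            requireFile(identityDataMessage.authnCertFile, "authn cert not included while requested");
            requireFile(identityDataMessage.signCertFile, "sign cert not included while requested");
            requireFile(identityDataMessage.caCertFile, "CA cert not included while requested");
            requireFile(identityDataMessage.rootCertFile, "root cert not included while requested");
            // any of these may be null when the card slot holds no certificate (see getCertificate)
            authnCert = getCertificate(identityDataMessage.authnCertFile);
            signCert = getCertificate(identityDataMessage.signCertFile);
            caCert = getCertificate(identityDataMessage.caCertFile);
            rootCert = getCertificate(identityDataMessage.rootCertFile);
        }

        // Without a configured integrity service no signature is verified at all.
        IdentityIntegrityService integrityService = this.identityIntegrityServiceLocator.locateService();
        if (null != integrityService) {
            FinishedMessage rrnCheckFailure = verifyIdentityIntegrity(integrityService, identityDataMessage,
                    identity, includeAddress, httpServletRequest, httpSession);
            if (null != rrnCheckFailure) {
                return rrnCheckFailure;
            }
        }

        verifyPhoto(identityDataMessage, identity, includePhoto);
        checkCardValidity(identity);

        httpSession.setAttribute(IDENTITY_SESSION_ATTRIBUTE, identity);
        if (null != address) {
            httpSession.setAttribute(ADDRESS_SESSION_ATTRIBUTE, address);
        }
        if (null != identityDataMessage.photoFile) {
            httpSession.setAttribute(PHOTO_SESSION_ATTRIBUTE, identityDataMessage.photoFile);
        }

        // Reuse an EIdData already present in the session so earlier handlers' data is kept.
        EIdData eIdData = (EIdData) httpSession.getAttribute(EID_SESSION_ATTRIBUTE);
        if (null == eIdData) {
            eIdData = new EIdData();
            httpSession.setAttribute(EID_SESSION_ATTRIBUTE, eIdData);
        }
        eIdData.identity = identity;
        eIdData.address = address;
        eIdData.photo = identityDataMessage.photoFile;

        if (includeCertificates) {
            EIdCertsData eIdCertsData = new EIdCertsData();
            eIdCertsData.authn = authnCert;
            eIdCertsData.sign = signCert;
            eIdCertsData.ca = caCert;
            eIdCertsData.root = rootCert;
            eIdData.certs = eIdCertsData;
            httpSession.setAttribute(EID_CERTS_SESSION_ATTRIBUTE, eIdCertsData);
            httpSession.setAttribute(AUTHN_CERT_SESSION_ATTRIBUTE, authnCert);
            httpSession.setAttribute(SIGN_CERT_SESSION_ATTRIBUTE, signCert);
            httpSession.setAttribute(CA_CERT_SESSION_ATTRIBUTE, caCert);
            httpSession.setAttribute(ROOT_CERT_SESSION_ATTRIBUTE, rootCert);
        }

        if (this.includeDataFiles) {
            httpSession.setAttribute(EID_DATA_IDENTITY_SESSION_ATTRIBUTE, identityDataMessage.idFile);
            httpSession.setAttribute(EID_DATA_ADDRESS_SESSION_ATTRIBUTE, identityDataMessage.addressFile);
        }

        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.identified(identity.nationalNumber);
        }
        return new FinishedMessage();
    }

    /**
     * Parses the address file, enforcing that it is present exactly when the request asked for it.
     *
     * @return the parsed address, or {@code null} when no address was requested
     * @throws ServletException when presence and request do not agree
     */
    private static Address parseAddress(IdentityDataMessage message, boolean includeAddress)
            throws ServletException {
        if (null == message.addressFile) {
            if (includeAddress) {
                throw new ServletException("Address not included while requested");
            }
            return null;
        }
        LOG.debug("address file size: " + message.addressFile.length);
        if (!includeAddress) {
            throw new ServletException("Address included while not requested");
        }
        return (Address) TlvParser.parse(message.addressFile, Address.class);
    }

    /**
     * Verifies the identity (and address) signatures with the RRN certificate carried in the message,
     * checks the national number against the authenticated user, and lets the configured service
     * validate the RRN certificate chain.
     *
     * @return {@code null} on success, or the {@link FinishedMessage} with the matching
     *         {@link ErrorCode} when the service rejects the RRN certificate
     * @throws ServletException  when a required file is missing or unparsable, a signature fails or
     *                           the national number mismatches
     * @throws SecurityException when the service fails for a reason that is not a certificate error
     */
    private FinishedMessage verifyIdentityIntegrity(IdentityIntegrityService integrityService,
            IdentityDataMessage message, Identity identity, boolean includeAddress,
            HttpServletRequest request, HttpSession session) throws ServletException {
        requireFile(message.identitySignatureFile, "identity signature data not included while request");
        LOG.debug("identity signature file size: " + message.identitySignatureFile.length);
        if (includeAddress) {
            requireFile(message.addressSignatureFile, "address signature data not included while requested");
            LOG.debug("address signature file size: " + message.addressSignatureFile.length);
        }
        requireFile(message.rrnCertFile, "national registry certificate not included while requested");
        LOG.debug("RRN certificate file size: " + message.rrnCertFile.length);

        X509Certificate rrnCert = getCertificate(message.rrnCertFile);
        if (null == rrnCert) {
            // previously dereferenced unchecked and failed with a NullPointerException
            throw new ServletException("national registry certificate could not be parsed");
        }
        PublicKey rrnPublicKey = rrnCert.getPublicKey();
        // NOTE(review): the algorithm used to verify the card signatures is taken from the RRN
        // certificate's own signature algorithm name, i.e. it assumes the RRN key signs with the
        // same algorithm its issuer used; kept from the original.
        String signatureAlgorithm = rrnCert.getSigAlgName();
        verifySignature(signatureAlgorithm, message.identitySignatureFile, rrnPublicKey, request, message.idFile);

        // Bind the identity to the user authenticated earlier in this session (if any).
        if (!this.skipNationalNumberCheck) {
            String authenticatedUserId = (String) session.getAttribute(
                    AuthenticationDataMessageHandler.AUTHENTICATED_USER_IDENTIFIER_SESSION_ATTRIBUTE);
            if (null != authenticatedUserId && !authenticatedUserId.equals(identity.nationalNumber)) {
                throw new ServletException("national number mismatch");
            }
        }

        if (includeAddress) {
            // The address signature covers the zero-trimmed address file followed by the identity signature.
            verifySignature(signatureAlgorithm, message.addressSignatureFile, rrnPublicKey, request,
                    trimRight(message.addressFile), message.identitySignatureFile);
        }

        LOG.debug("checking national registration certificate: " + rrnCert.getSubjectX500Principal());
        // The root certificate is needed here even when the caller did not request certificates,
        // so it gets its own presence check (previously a NullPointerException).
        requireFile(message.rootCertFile, "root cert not included while requested");
        X509Certificate rootCert = getCertificate(message.rootCertFile);
        if (null == rootCert) {
            throw new ServletException("root certificate could not be parsed");
        }
        List<X509Certificate> chain = new LinkedList<X509Certificate>();
        chain.add(rrnCert);
        chain.add(rootCert);
        try {
            integrityService.checkNationalRegistrationCertificate(chain);
        } catch (Exception e) {
            return handleCertificateCheckFailure(e);
        }
        return null;
    }

    /**
     * Translates a failure of the RRN certificate check into a {@link FinishedMessage}, unwrapping a
     * {@code javax.ejb.EJBException} reflectively (so no EJB dependency is needed) to reach the
     * certificate exception it carries.
     *
     * @throws SecurityException when the failure is not a known certificate error
     */
    private static FinishedMessage handleCertificateCheckFailure(Exception e) {
        FinishedMessage result = toErrorMessage(e);
        if (null != result) {
            return result;
        }
        if ("javax.ejb.EJBException".equals(e.getClass().getName())) {
            Exception cause;
            try {
                cause = (Exception) e.getClass().getMethod("getCausedByException").invoke(e);
            } catch (Exception reflectionError) {
                LOG.debug("error: " + e.getMessage(), e);
                throw new SecurityException("error retrieving the root cause: " + reflectionError.getMessage(),
                        reflectionError);
            }
            result = toErrorMessage(cause);
            if (null != result) {
                return result;
            }
        }
        throw new SecurityException("error checking the NRN certificate: " + e.getMessage(), e);
    }

    /**
     * Maps the certificate security exceptions to their error codes, most specific type first.
     *
     * @return the matching message, or {@code null} when {@code t} is not a certificate security exception
     */
    private static FinishedMessage toErrorMessage(Throwable t) {
        if (t instanceof ExpiredCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED);
        }
        if (t instanceof RevokedCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED);
        }
        if (t instanceof TrustCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED);
        }
        if (t instanceof CertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE);
        }
        return null;
    }

    /**
     * Checks the photo against the digest stored in the identity file; the digest algorithm is
     * inferred from the digest length.
     *
     * @throws ServletException when presence and request disagree, the identity carries no digest,
     *                          or the digest does not match
     */
    private void verifyPhoto(IdentityDataMessage message, Identity identity, boolean includePhoto)
            throws ServletException {
        if (null == message.photoFile) {
            if (includePhoto) {
                throw new ServletException("photo not included while requested");
            }
            return;
        }
        LOG.debug("photo file size: " + message.photoFile.length);
        if (!includePhoto) {
            throw new ServletException("photo include while not requested");
        }
        byte[] expectedDigest = identity.photoDigest;
        if (null == expectedDigest) {
            // previously a NullPointerException on expectedDigest.length
            throw new ServletException("photo digest missing from identity file");
        }
        byte[] actualDigest = digestPhoto(getDigestAlgo(expectedDigest.length), message.photoFile);
        if (!Arrays.equals(expectedDigest, actualDigest)) {
            throw new ServletException("photo digest incorrect");
        }
    }

    /**
     * Rejects cards whose validity end date (from the identity file) lies before the server's current time.
     *
     * @throws SecurityException when the card has expired
     */
    private static void checkCardValidity(Identity identity) {
        GregorianCalendar validityEnd = identity.getCardValidityDateEnd();
        if (null != validityEnd && new Date().after(validityEnd.getTime())) {
            throw new SecurityException("eID card has expired");
        }
    }

    /** Throws a {@link ServletException} with {@code errorMessage} when {@code file} is absent. */
    private static void requireFile(byte[] file, String errorMessage) throws ServletException {
        if (null == file) {
            throw new ServletException(errorMessage);
        }
    }

    /**
     * Returns the prefix of {@code data} up to (excluding) its first zero byte. Used because the
     * address signature is verified over the address file without its zero padding.
     */
    private byte[] trimRight(byte[] data) {
        int length = 0;
        while (length < data.length && 0 != data[length]) {
            length++;
        }
        byte[] trimmed = new byte[length];
        System.arraycopy(data, 0, trimmed, 0, length);
        return trimmed;
    }

    /**
     * Verifies {@code signatureValue} over the concatenation of {@code signedData} with {@code publicKey}.
     * An invalid signature or a {@link SignatureException} is reported to the audit service (with the
     * client's remote address) before the exception is raised; algorithm and key errors are not audited.
     *
     * @throws ServletException on any verification failure
     */
    private void verifySignature(String signatureAlgorithm, byte[] signatureValue, PublicKey publicKey,
            HttpServletRequest httpServletRequest, byte[]... signedData) throws ServletException {
        Signature signature;
        try {
            signature = Signature.getInstance(signatureAlgorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("algo error: " + e.getMessage(), e);
        }
        try {
            signature.initVerify(publicKey);
        } catch (InvalidKeyException e) {
            throw new ServletException("key error: " + e.getMessage(), e);
        }
        boolean valid;
        try {
            for (byte[] chunk : signedData) {
                signature.update(chunk);
            }
            valid = signature.verify(signatureValue);
        } catch (SignatureException e) {
            auditIdentityIntegrityError(httpServletRequest);
            throw new ServletException("signature error: " + e.getMessage(), e);
        }
        if (!valid) {
            auditIdentityIntegrityError(httpServletRequest);
            throw new ServletException("signature incorrect");
        }
    }

    /** Reports an integrity failure from {@code request}'s remote address to the audit service, if configured. */
    private void auditIdentityIntegrityError(HttpServletRequest request) {
        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.identityIntegrityError(request.getRemoteAddr());
        }
    }

    /**
     * Decodes an X.509 certificate file from the card.
     *
     * @return the certificate, or {@code null} when the data does not decode (an all-zero file of
     *         {@link #EMPTY_CERT_FILE_SIZE} bytes is logged as an absent certificate, other failures
     *         as a warning); callers must tolerate {@code null}
     */
    private X509Certificate getCertificate(byte[] certificateFile) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certificateFile));
        } catch (CertificateException e) {
            LOG.warn("certificate error: " + e.getMessage(), e);
            LOG.debug("certificate size: " + certificateFile.length);
            // NOTE(review): dumps the complete certificate bytes at debug level.
            LOG.debug("certificate file content: " + Hex.encodeHexString(certificateFile));
            if (isEmptyCertificateSlot(certificateFile)) {
                LOG.debug("the certificate data indicates a missing certificate");
            }
            return null;
        }
    }

    /** {@code true} when {@code data} is exactly {@link #EMPTY_CERT_FILE_SIZE} zero bytes. */
    private static boolean isEmptyCertificateSlot(byte[] data) {
        if (EMPTY_CERT_FILE_SIZE != data.length) {
            return false;
        }
        for (byte b : data) {
            if (0 != b) {
                return false;
            }
        }
        return true;
    }

    /**
     * Digests {@code photo} with the named algorithm.
     *
     * @throws RuntimeException when the algorithm is unavailable
     */
    private byte[] digestPhoto(String digestAlgorithm, byte[] photo) {
        try {
            return MessageDigest.getInstance(digestAlgorithm).digest(photo);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("digest error: " + e.getMessage(), e);
        }
    }

    /**
     * Guesses the digest algorithm from the digest length in bytes.
     *
     * @throws RuntimeException for a length that matches no supported SHA variant
     */
    private static String getDigestAlgo(int digestLength) throws RuntimeException {
        switch (digestLength) {
            case 20:
                return "SHA-1";
            case 28:
                return "SHA-224";
            case 32:
                return "SHA-256";
            case 48:
                return "SHA-384";
            case 64:
                return "SHA-512";
            default:
                throw new RuntimeException("Failed to find guess algorithm for hash size of " + digestLength + " bytes");
        }
    }

    /** Nothing to initialise here: all configuration is injected through the {@code @InitParam} fields. */
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public void init(ServletConfig servletConfig) throws ServletException {
    }

    /** Generic bridge emitted by the decompiler; delegates to {@link #handleMessage2}. */
    @SuppressWarnings("unchecked")
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public /* bridge */ /* synthetic */ Object handleMessage(IdentityDataMessage identityDataMessage, Map map,
            HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        return handleMessage2(identityDataMessage, (Map<String, String>) map, httpServletRequest, httpSession);
    }
}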
