package be.fedict.eid.applet.service.impl.handler;

import be.fedict.eid.applet.service.Address;
import be.fedict.eid.applet.service.Identity;
import be.fedict.eid.applet.service.dto.DTOMapper;
import be.fedict.eid.applet.service.impl.RequestContext;
import be.fedict.eid.applet.service.impl.ServiceLocator;
import be.fedict.eid.applet.service.impl.tlv.TlvParser;
import be.fedict.eid.applet.service.spi.AddressDTO;
import be.fedict.eid.applet.service.spi.AuditService;
import be.fedict.eid.applet.service.spi.AuthorizationException;
import be.fedict.eid.applet.service.spi.DigestInfo;
import be.fedict.eid.applet.service.spi.IdentityDTO;
import be.fedict.eid.applet.service.spi.IdentityIntegrityService;
import be.fedict.eid.applet.service.spi.IdentityService;
import be.fedict.eid.applet.service.spi.SignatureService;
import be.fedict.eid.applet.shared.ErrorCode;
import be.fedict.eid.applet.shared.FinishedMessage;
import be.fedict.eid.applet.shared.SignCertificatesDataMessage;
import be.fedict.eid.applet.shared.SignRequestMessage;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

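/**
 * Handles the {@link SignCertificatesDataMessage} the applet sends after reading the signing
 * certificate chain and, when the request context asks for them, the identity, address and
 * photo files from the card.
 *
 * <p>The handler checks the card data before asking the configured {@link SignatureService}
 * for the digest to be signed: the photo is compared against the digest in the identity
 * file, and, when an {@link IdentityIntegrityService} is configured, the national registry
 * (RRN) signatures over the identity and address files are verified and the RRN certificate
 * chain is handed to that service for validation. The resulting digest is stored in the
 * session and returned to the applet as a {@link SignRequestMessage}.
 *
 * <p>Everything in the message, including {@code rrnCertificate} and {@code rootCertificate},
 * is supplied by the client. The RRN public key is therefore only meaningful together with
 * {@link IdentityIntegrityService#checkNationalRegistrationCertificate}, which must accept the
 * chain in the same request before {@code preSign} is reached.
 */
@HandlesMessage(SignCertificatesDataMessage.class)
public class SignCertificatesDataMessageHandler implements MessageHandler<SignCertificatesDataMessage> {
    private static final Log LOG = LogFactory.getLog(SignCertificatesDataMessageHandler.class);

    // Mandatory: produces the digest to sign. Located per request.
    @InitParam(HelloMessageHandler.SIGNATURE_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<SignatureService> signatureServiceLocator;

    // Default "remove card" flag sent to the applet; an IdentityService may override it.
    @InitParam(HelloMessageHandler.REMOVE_CARD_INIT_PARAM_NAME)
    private boolean removeCard;

    @InitParam(HelloMessageHandler.LOGOFF_INIT_PARAM_NAME)
    private boolean logoff;

    @InitParam(HelloMessageHandler.REQUIRE_SECURE_READER_INIT_PARAM_NAME)
    private boolean requireSecureReader;

    // Optional: when present, RRN signatures and the RRN certificate chain are verified.
    @InitParam(HelloMessageHandler.IDENTITY_INTEGRITY_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<IdentityIntegrityService> identityIntegrityServiceLocator;

    // Optional: receives an identityIntegrityError(remoteAddr) on a failed RRN signature.
    @InitParam(AuthenticationDataMessageHandler.AUDIT_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuditService> auditServiceLocator;

    // Optional: may override the removeCard flag for this request.
    @InitParam(HelloMessageHandler.IDENTITY_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<IdentityService> identityServiceLocator;

    /**
     * Validates the card data carried by the message and produces the sign request for the
     * applet.
     *
     * <p>The decompiler renamed this typed overload to {@code handleMessage2}; the raw
     * {@link #handleMessage} bridge at the bottom of the class delegates here.
     *
     * @param signCertificatesDataMessage the applet message holding the certificate chain and
     *     the optional identity, address, photo, RRN signature and RRN/root certificate data
     * @param map the HTTP headers of the request (not used by this handler)
     * @param httpServletRequest the servlet request; its remote address goes to the audit trail
     *     when an RRN signature fails
     * @param httpSession the HTTP session; the {@link RequestContext} is read from it and the
     *     digest to sign is stored in it
     * @return a {@link SignRequestMessage} carrying the digest to sign, or a
     *     {@link FinishedMessage} with {@link ErrorCode#AUTHORIZATION} when the signature
     *     service refuses the request
     * @throws ServletException when the signature service is not configured, required card
     *     data is missing, the photo digest or an RRN signature does not verify, or the
     *     signature service requests an unsupported digest algorithm
     */
    public Object handleMessage2(SignCertificatesDataMessage signCertificatesDataMessage, Map<String, String> map,
            HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        SignatureService signatureService = this.signatureServiceLocator.locateService();
        if (null == signatureService) {
            // Fail clearly instead of with a NullPointerException at preSign further down.
            throw new ServletException("no signature service configured");
        }

        List<X509Certificate> certificateChain = signCertificatesDataMessage.certificateChain;
        // Also guard a null or empty chain: testing only get(0) for null would surface an
        // IndexOutOfBoundsException for an empty list.
        if (null == certificateChain || certificateChain.isEmpty() || null == certificateChain.get(0)) {
            throw new ServletException("missing non-repudiation certificate");
        }
        LOG.debug("signing certificate: " + certificateChain.get(0).getSubjectX500Principal());

        RequestContext requestContext = new RequestContext(httpSession);
        boolean includeIdentity = requestContext.includeIdentity();
        boolean includeAddress = requestContext.includeAddress();
        boolean includePhoto = requestContext.includePhoto();

        Identity identity = null;
        Address address = null;
        if (includeIdentity || includeAddress || includePhoto) {
            if (includeIdentity) {
                if (null == signCertificatesDataMessage.identityData) {
                    throw new ServletException("identity data missing");
                }
                identity = (Identity) TlvParser.parse(signCertificatesDataMessage.identityData, Identity.class);
            }
            if (includeAddress) {
                if (null == signCertificatesDataMessage.addressData) {
                    throw new ServletException("address data missing");
                }
                address = (Address) TlvParser.parse(signCertificatesDataMessage.addressData, Address.class);
            }
            if (includePhoto) {
                if (null == signCertificatesDataMessage.photoData) {
                    throw new ServletException("photo data missing");
                }
                verifyPhotoDigest(identity, signCertificatesDataMessage.photoData);
            }
            verifyIdentityIntegrity(signCertificatesDataMessage, httpServletRequest);
        }

        DTOMapper dtoMapper = new DTOMapper();
        try {
            IdentityDTO identityDTO = (IdentityDTO) dtoMapper.map(identity, IdentityDTO.class);
            AddressDTO addressDTO = (AddressDTO) dtoMapper.map(address, AddressDTO.class);
            DigestInfo digestInfo = signatureService.preSign(null, certificateChain, identityDTO, addressDTO,
                    signCertificatesDataMessage.photoData);
            // The digest to sign is parked in the session; presumably SignatureDataMessageHandler
            // reads it back when the applet returns the signature value.
            SignatureDataMessageHandler.setDigestValue(digestInfo.digestValue, digestInfo.digestAlgo, httpSession);

            boolean removeCardForRequest = this.removeCard;
            IdentityService identityService = this.identityServiceLocator.locateService();
            if (null != identityService) {
                // A configured IdentityService overrides the static init-param value.
                removeCardForRequest = identityService.getIdentityRequest().removeCard();
            }
            return new SignRequestMessage(digestInfo.digestValue, digestInfo.digestAlgo, digestInfo.description,
                    this.logoff, removeCardForRequest, this.requireSecureReader);
        } catch (AuthorizationException e) {
            // The service declined this signing request: report it to the applet rather than
            // failing the servlet call.
            return new FinishedMessage(ErrorCode.AUTHORIZATION);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("no such algo: " + e.getMessage(), e);
        }
    }

    /**
     * Compares the photo against the digest carried in the identity file.
     *
     * <p>The photo digest only exists in the identity file, so when the identity was not
     * requested there is nothing to compare against and the photo is accepted as-is.
     *
     * @param identity the parsed identity file, or {@code null} when it was not requested
     * @param photoData the photo bytes sent by the applet
     * @throws ServletException when the digest length maps to no known algorithm or the
     *     digests differ
     */
    private void verifyPhotoDigest(Identity identity, byte[] photoData) throws ServletException {
        if (null == identity) {
            return;
        }
        byte[] expectedDigest = identity.photoDigest;
        if (null == expectedDigest) {
            // Without a digest in the identity file the photo cannot be bound to the identity.
            throw new ServletException("photo digest missing from identity data");
        }
        byte[] actualDigest;
        try {
            // The algorithm is inferred from the digest length found on the card.
            actualDigest = digestPhoto(getDigestAlgo(expectedDigest.length), photoData);
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the unsupported length/algorithm is visible in the logs.
            throw new ServletException("photo signed with unsupported algorithm", e);
        }
        if (!Arrays.equals(expectedDigest, actualDigest)) {
            throw new ServletException("photo digest incorrect");
        }
    }

    /**
     * When an {@link IdentityIntegrityService} is configured, verifies the RRN signatures over
     * the identity and address files and has the service validate the RRN certificate chain.
     *
     * <p>The identity signature is only checked when identity data is present, and the address
     * signature only when identity data is present as well, because the address signature
     * covers the NUL-trimmed address file followed by the identity signature. The RRN chain is
     * validated after the signatures; both checks must pass for the request to proceed.
     *
     * @param message the applet message holding the card files, signatures and certificates
     * @param request the servlet request; its remote address is reported to the audit service
     *     on a failed signature
     * @throws ServletException when the RRN certificate or a required signature is missing,
     *     or a signature does not verify
     */
    private void verifyIdentityIntegrity(SignCertificatesDataMessage message, HttpServletRequest request)
            throws ServletException {
        IdentityIntegrityService integrityService = this.identityIntegrityServiceLocator.locateService();
        if (null == integrityService) {
            return;
        }
        X509Certificate rrnCertificate = message.rrnCertificate;
        if (null == rrnCertificate) {
            throw new ServletException("national registry certificate not included while requested");
        }
        PublicKey rrnPublicKey = rrnCertificate.getPublicKey();
        // The data signatures are verified with the algorithm named by the RRN certificate's
        // own signature algorithm.
        String signatureAlgorithm = rrnCertificate.getSigAlgName();

        if (null != message.identityData) {
            if (null == message.identitySignatureData) {
                throw new ServletException("missing identity data signature");
            }
            verifySignature(signatureAlgorithm, message.identitySignatureData, rrnPublicKey, request,
                    message.identityData);
            if (null != message.addressData) {
                if (null == message.addressSignatureData) {
                    throw new ServletException("missing address data signature");
                }
                verifySignature(signatureAlgorithm, message.addressSignatureData, rrnPublicKey, request,
                        trimRight(message.addressData), message.identitySignatureData);
            }
        }

        LOG.debug("checking national registration certificate: " + rrnCertificate.getSubjectX500Principal());
        List<X509Certificate> rrnChain = new LinkedList<X509Certificate>();
        rrnChain.add(rrnCertificate);
        rrnChain.add(message.rootCertificate);
        integrityService.checkNationalRegistrationCertificate(rrnChain);
    }

    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public void init(ServletConfig servletConfig) throws ServletException {
        // Nothing to set up here; the @InitParam fields are presumably populated by the
        // message dispatcher rather than read from the ServletConfig.
    }

    /**
     * Digests the photo bytes with the given JCA algorithm name.
     *
     * @param digestAlgorithm a JCA MessageDigest algorithm name (see {@link #getDigestAlgo})
     * @param photoData the bytes to digest
     * @return the digest value
     * @throws RuntimeException when the algorithm is unknown to the JCA; not expected for the
     *     names produced by {@link #getDigestAlgo}
     */
    private byte[] digestPhoto(String digestAlgorithm, byte[] photoData) {
        try {
            return MessageDigest.getInstance(digestAlgorithm).digest(photoData);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("digest error: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies {@code signatureValue} over the concatenation of {@code signedData} with the
     * given public key and algorithm.
     *
     * <p>A signature that does not verify is reported to the configured {@link AuditService}
     * (if any) with the client's remote address before the request is rejected.
     *
     * @param signatureAlgorithm a JCA Signature algorithm name
     * @param signatureValue the signature bytes sent by the applet
     * @param publicKey the key to verify with (the client-supplied RRN certificate's key)
     * @param request the servlet request whose remote address is audited on failure
     * @param signedData the data parts, fed to the signature in order
     * @throws ServletException when the algorithm or key is unusable, the signature cannot be
     *     processed, or it does not verify
     */
    private void verifySignature(String signatureAlgorithm, byte[] signatureValue, PublicKey publicKey,
            HttpServletRequest request, byte[]... signedData) throws ServletException {
        try {
            Signature signature = Signature.getInstance(signatureAlgorithm);
            signature.initVerify(publicKey);
            for (byte[] part : signedData) {
                signature.update(part);
            }
            if (!signature.verify(signatureValue)) {
                AuditService auditService = this.auditServiceLocator.locateService();
                if (null != auditService) {
                    auditService.identityIntegrityError(request.getRemoteAddr());
                }
                throw new ServletException("signature incorrect");
            }
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("algo error: " + e.getMessage(), e);
        } catch (InvalidKeyException e) {
            throw new ServletException("key error: " + e.getMessage(), e);
        } catch (SignatureException e) {
            throw new ServletException("signature error: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the prefix of {@code data} up to (excluding) the first zero byte, i.e. the
     * address file without its zero padding.
     *
     * @param data the raw address file
     * @return a new array holding the bytes before the first {@code 0}; the whole content when
     *     there is none
     */
    private byte[] trimRight(byte[] data) {
        int end = 0;
        while (end < data.length && 0 != data[end]) {
            end++;
        }
        return Arrays.copyOf(data, end);
    }

    /**
     * Guesses the JCA digest algorithm from the length of a digest value found on the card.
     *
     * @param digestLength the digest length in bytes
     * @return {@code "SHA-1"}, {@code "SHA-224"}, {@code "SHA-256"}, {@code "SHA-384"} or
     *     {@code "SHA-512"} for 20, 28, 32, 48 or 64 bytes respectively
     * @throws NoSuchAlgorithmException for any other length
     */
    private String getDigestAlgo(int digestLength) throws NoSuchAlgorithmException {
        switch (digestLength) {
            case 20:
                return "SHA-1";
            case 28:
                return "SHA-224";
            case 32:
                return "SHA-256";
            case 48:
                return "SHA-384";
            case 64:
                return "SHA-512";
            default:
                throw new NoSuchAlgorithmException(
                        "Failed to find guess algorithm for hash size of " + digestLength + " bytes");
        }
    }

    // Erased MessageHandler override (decompiler bridge); forwards to the typed variant.
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public /* bridge */ /* synthetic */ Object handleMessage(SignCertificatesDataMessage signCertificatesDataMessage,
            Map map, HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        return handleMessage2(signCertificatesDataMessage, (Map<String, String>) map, httpServletRequest, httpSession);
    }
}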
