package be.fedict.eid.applet.service.impl.handler;

import be.fedict.eid.applet.service.Address;
import be.fedict.eid.applet.service.EIdCertsData;
import be.fedict.eid.applet.service.EIdData;
import be.fedict.eid.applet.service.Identity;
import be.fedict.eid.applet.service.impl.AuthenticationChallenge;
import be.fedict.eid.applet.service.impl.AuthenticationSignatureContextImpl;
import be.fedict.eid.applet.service.impl.RequestContext;
import be.fedict.eid.applet.service.impl.ServiceLocator;
import be.fedict.eid.applet.service.impl.UserIdentifierUtil;
import be.fedict.eid.applet.service.impl.tlv.TlvParser;
import be.fedict.eid.applet.service.spi.AuditService;
import be.fedict.eid.applet.service.spi.AuthenticationService;
import be.fedict.eid.applet.service.spi.AuthenticationSignatureService;
import be.fedict.eid.applet.service.spi.CertificateSecurityException;
import be.fedict.eid.applet.service.spi.ChannelBindingService;
import be.fedict.eid.applet.service.spi.ExpiredCertificateSecurityException;
import be.fedict.eid.applet.service.spi.IdentityIntegrityService;
import be.fedict.eid.applet.service.spi.PreSignResult;
import be.fedict.eid.applet.service.spi.RevokedCertificateSecurityException;
import be.fedict.eid.applet.service.spi.TrustCertificateSecurityException;
import be.fedict.eid.applet.shared.AuthSignRequestMessage;
import be.fedict.eid.applet.shared.AuthenticationContract;
import be.fedict.eid.applet.shared.AuthenticationDataMessage;
import be.fedict.eid.applet.shared.ErrorCode;
import be.fedict.eid.applet.shared.FinishedMessage;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.io.FileUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.DigestInfo;
import org.bouncycastle.util.encoders.Hex;

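/**
 * Handles the {@link AuthenticationDataMessage} that the eID applet sends back
 * once the citizen has signed the authentication challenge with the
 * authentication key of the eID card.
 * <p>
 * Processing order:
 * <ol>
 * <li>optional TLS session identifier channel binding check;</li>
 * <li>verification of the SHA1withRSA signature over the
 * {@link AuthenticationContract} (salt, hostname, address, session id, server
 * certificate and the session-bound challenge);</li>
 * <li>verification of the optional signed transaction message;</li>
 * <li>server certificate channel binding check;</li>
 * <li>validation of the authentication certificate chain by the configured
 * {@link AuthenticationService};</li>
 * <li>storage of the user identifier and of the requested identity, address,
 * photo and certificate data in the HTTP session, after verification of the
 * national registration signatures when an {@link IdentityIntegrityService} is
 * configured;</li>
 * <li>a {@link FinishedMessage}, or an {@link AuthSignRequestMessage} when the
 * optional {@link AuthenticationSignatureService} asks for an extra
 * signature.</li>
 * </ol>
 * Failed cryptographic checks are reported to the configured
 * {@link AuditService} and surface to the servlet as a
 * {@link ServletException}.
 */
@HandlesMessage(AuthenticationDataMessage.class)
public class AuthenticationDataMessageHandler implements MessageHandler<AuthenticationDataMessage> {

    /** HTTP session attribute holding the (possibly non-reversible) identifier of the authenticated user. */
    public static final String AUTHENTICATED_USER_IDENTIFIER_SESSION_ATTRIBUTE = "eid.identifier";

    public static final String AUTHN_SERVICE_INIT_PARAM_NAME = "AuthenticationService";
    public static final String AUTHN_SIGNATURE_SERVICE_INIT_PARAM_NAME = "AuthenticationSignatureService";
    public static final String AUDIT_SERVICE_INIT_PARAM_NAME = "AuditService";
    public static final String CHALLENGE_MAX_MATURITY_INIT_PARAM_NAME = "ChallengeMaxMaturity";
    public static final String NRCID_SECRET_INIT_PARAM_NAME = "NRCIDSecret";
    public static final String NRCID_ORG_ID_INIT_PARAM_NAME = "NRCIDOrgId";
    public static final String NRCID_APP_ID_INIT_PARAM_NAME = "NRCIDAppId";

    /**
     * Algorithm OID expected inside the DigestInfo of a transaction message
     * signature: the "digest" is the plain transaction message itself.
     * Kept non-final only to preserve the public field's existing API; it is
     * not meant to be reassigned at runtime.
     */
    public static String PLAIN_TEXT_DIGEST_ALGO_OID = "2.16.56.1.2.1.3.1";

    private static final Log LOG = LogFactory.getLog(AuthenticationDataMessageHandler.class);

    /** Signature algorithm used by the eID authentication key over the authentication contract. */
    private static final String AUTHN_SIGNATURE_ALGORITHM = "SHA1withRSA";

    /** Raw RSA transform used to recover the DigestInfo of a transaction message signature. */
    private static final String TRANSACTION_MESSAGE_SIGNATURE_CIPHER = "RSA/ECB/PKCS1Padding";

    /** Name of the container exception that may wrap SPI exceptions; resolved reflectively to avoid a javax.ejb dependency. */
    private static final String EJB_EXCEPTION_CLASS_NAME = "javax.ejb.EJBException";

    @InitParam(AUTHN_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuthenticationService> authenticationServiceLocator;

    @InitParam(AUDIT_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuditService> auditServiceLocator;

    @InitParam(HelloMessageHandler.CHANNEL_BINDING_SERVICE)
    private ServiceLocator<ChannelBindingService> channelBindingServiceLocator;

    @InitParam(HelloMessageHandler.HOSTNAME_INIT_PARAM_NAME)
    private String hostname;

    @InitParam(HelloMessageHandler.INET_ADDRESS_INIT_PARAM_NAME)
    private InetAddress inetAddress;

    /** Maximum age of the session challenge; forwarded to {@link AuthenticationChallenge}. */
    @InitParam(CHALLENGE_MAX_MATURITY_INIT_PARAM_NAME)
    private Long maxMaturity;

    /** Statically configured server certificate for channel binding; loaded in {@link #init(ServletConfig)}. */
    private X509Certificate serverCertificate;

    @InitParam(HelloMessageHandler.SESSION_ID_CHANNEL_BINDING_INIT_PARAM_NAME)
    private boolean sessionIdChannelBinding;

    @InitParam(NRCID_SECRET_INIT_PARAM_NAME)
    private String nrcidSecret;

    @InitParam(NRCID_ORG_ID_INIT_PARAM_NAME)
    private String nrcidOrgId;

    @InitParam(NRCID_APP_ID_INIT_PARAM_NAME)
    private String nrcidAppId;

    @InitParam(HelloMessageHandler.IDENTITY_INTEGRITY_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<IdentityIntegrityService> identityIntegrityServiceLocator;

    @InitParam(IdentityDataMessageHandler.INCLUDE_DATA_FILES)
    private boolean includeDataFiles;

    @InitParam(AUTHN_SIGNATURE_SERVICE_INIT_PARAM_NAME)
    private ServiceLocator<AuthenticationSignatureService> authenticationSignatureServiceLocator;

    /**
     * Verifies the authentication data sent by the applet and, on success,
     * marks the HTTP session as authenticated.
     *
     * @param authenticationDataMessage the message received from the applet
     * @param map the HTTP headers of the request (unused here)
     * @param httpServletRequest the current request, used for auditing and TLS attributes
     * @param httpSession the session that holds the challenge and receives the eID data
     * @return a {@link FinishedMessage} (possibly carrying an {@link ErrorCode}),
     *         or an {@link AuthSignRequestMessage} when an additional signature is requested
     * @throws ServletException when a required element is missing or a security check fails
     * @throws SecurityException when the TLS session id channel binding fails
     *         (raised before the audited section, as in the original flow)
     */
    public Object handleMessage2(AuthenticationDataMessage authenticationDataMessage, Map<String, String> map,
            HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        LOG.debug("authentication data message received");
        X509Certificate authnCert = authenticationDataMessage.authnCert;
        if (null == authnCert) {
            LOG.warn("authentication certificate not present");
            throw new ServletException("authentication certificate not present");
        }
        LOG.debug("authn signing certificate subject: " + authnCert.getSubjectX500Principal());
        PublicKey authnPublicKey = authnCert.getPublicKey();

        if (this.sessionIdChannelBinding) {
            checkSessionIdChannelBinding(authenticationDataMessage, httpServletRequest);
            if (null == this.serverCertificate) {
                LOG.warn("adviced to use in combination with server certificate channel binding");
            }
        }
        ChannelBindingService channelBindingService = this.channelBindingServiceLocator.locateService();
        boolean serverCertificateBinding = null != this.serverCertificate || null != channelBindingService;
        if (serverCertificateBinding) {
            LOG.debug("using server certificate channel binding");
        }
        if (!this.sessionIdChannelBinding && !serverCertificateBinding) {
            // Without any channel binding a relayed authentication cannot be detected server-side.
            LOG.warn("not using any secure channel binding");
        }

        try {
            // Retrieving the challenge also enforces its maximum maturity.
            byte[] authnChallenge = AuthenticationChallenge.getAuthnChallenge(httpSession, this.maxMaturity);
            byte[] encodedServerCertificate = null;
            if (null != authenticationDataMessage.serverCertificate) {
                encodedServerCertificate = authenticationDataMessage.serverCertificate.getEncoded();
            }
            byte[] toBeSigned = new AuthenticationContract(authenticationDataMessage.saltValue, this.hostname,
                    this.inetAddress, authenticationDataMessage.sessionId, encodedServerCertificate, authnChallenge)
                    .calculateToBeSigned();
            verifyAuthenticationSignature(authnPublicKey, toBeSigned, authenticationDataMessage.signatureValue,
                    httpServletRequest, authnCert);

            RequestContext requestContext = new RequestContext(httpSession);
            verifyTransactionMessageSignature(requestContext.getTransactionMessage(), authenticationDataMessage,
                    authnPublicKey, httpServletRequest);
            verifyServerCertificateChannelBinding(channelBindingService, authenticationDataMessage,
                    httpServletRequest);

            AuthenticationService authenticationService = this.authenticationServiceLocator.locateService();
            try {
                authenticationService.validateCertificateChain(buildAuthnCertificateChain(authenticationDataMessage));
                return completeAuthentication(authenticationDataMessage, httpServletRequest, httpSession,
                        requestContext);
            } catch (Exception e) {
                // Certificate validation failures are reported to the applet as error codes;
                // anything else (including ServletExceptions raised while storing the data)
                // is folded into a SecurityException and audited below, as in the original flow.
                FinishedMessage certificateError = toCertificateErrorMessage(e);
                if (null != certificateError) {
                    return certificateError;
                }
                throw new SecurityException("authn service error: " + e.getMessage(), e);
            }
        } catch (CertificateEncodingException e) {
            throw new ServletException("server cert decoding error: " + e.getMessage(), e);
        } catch (IOException e) {
            throw new ServletException("IO error: " + e.getMessage(), e);
        } catch (SecurityException e) {
            // NOTE(review): failures that already audited themselves are audited a second time here.
            auditAuthenticationError(httpServletRequest, authnCert);
            throw new ServletException("security error: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies the applet's signature over the authentication contract.
     *
     * @throws SecurityException when the signature is invalid (after auditing) or cannot be verified
     */
    private void verifyAuthenticationSignature(PublicKey authnPublicKey, byte[] toBeSigned, byte[] signatureValue,
            HttpServletRequest httpServletRequest, X509Certificate authnCert) {
        boolean valid;
        try {
            Signature signature = Signature.getInstance(AUTHN_SIGNATURE_ALGORITHM);
            signature.initVerify(authnPublicKey);
            signature.update(toBeSigned);
            valid = signature.verify(signatureValue);
        } catch (InvalidKeyException e) {
            throw new SecurityException("authn key error", e);
        } catch (NoSuchAlgorithmException e) {
            throw new SecurityException("algo error", e);
        } catch (SignatureException e) {
            throw new SecurityException("signature error", e);
        }
        if (!valid) {
            auditAuthenticationError(httpServletRequest, authnCert);
            throw new SecurityException("authn signature incorrect");
        }
    }

    /**
     * Verifies the signature over the transaction message, when the request
     * context carries one. The signature is a raw PKCS#1 v1.5 RSA signature
     * whose DigestInfo holds the plain transaction message under
     * {@link #PLAIN_TEXT_DIGEST_ALGO_OID}.
     *
     * @param transactionMessage the expected message, or {@code null} when none was requested
     * @throws SecurityException when the signature is absent or does not verify (after auditing)
     */
    private void verifyTransactionMessageSignature(String transactionMessage,
            AuthenticationDataMessage authenticationDataMessage, PublicKey authnPublicKey,
            HttpServletRequest httpServletRequest) {
        if (null == transactionMessage) {
            return;
        }
        LOG.debug("verifying TransactionMessage signature");
        byte[] transactionMessageSignature = authenticationDataMessage.transactionMessageSignature;
        if (null == transactionMessageSignature) {
            throw new SecurityException("missing TransactionMessage signature");
        }
        try {
            Cipher cipher = Cipher.getInstance(TRANSACTION_MESSAGE_SIGNATURE_CIPHER);
            cipher.init(Cipher.DECRYPT_MODE, authnPublicKey);
            byte[] recoveredDigestInfo = cipher.doFinal(transactionMessageSignature);
            DigestInfo digestInfo = new DigestInfo(
                    (ASN1Sequence) new ASN1InputStream(recoveredDigestInfo).readObject());
            // Both mismatch cases are raised inside the try block on purpose: they are
            // audited and rewrapped by the catch clause below, as in the original flow.
            if (!PLAIN_TEXT_DIGEST_ALGO_OID.equals(digestInfo.getAlgorithmId().getObjectId().getId())) {
                throw new SecurityException("TransactionMessage signature algo OID incorrect");
            }
            // NOTE(review): getBytes() uses the platform default charset; the applet side must
            // encode the message the same way — confirm against the applet before changing it.
            if (!Arrays.equals(transactionMessage.getBytes(), digestInfo.getDigest())) {
                throw new SecurityException("signed TransactionMessage incorrect");
            }
            LOG.debug("TransactionMessage signature validated");
        } catch (Exception e) {
            LOG.error("error verifying TransactionMessage signature", e);
            auditAuthenticationError(httpServletRequest, authenticationDataMessage.authnCert);
            throw new SecurityException("error verifying TransactionMessage signature: " + e.getMessage(), e);
        }
    }

    /**
     * Checks that the server certificate the applet signed matches the one
     * this server knows itself by: the {@link ChannelBindingService} takes
     * precedence over the statically configured certificate; when neither is
     * available the check is skipped.
     *
     * @throws SecurityException on a certificate mismatch (after auditing)
     */
    private void verifyServerCertificateChannelBinding(ChannelBindingService channelBindingService,
            AuthenticationDataMessage authenticationDataMessage, HttpServletRequest httpServletRequest) {
        X509Certificate expectedServerCertificate;
        if (null != channelBindingService) {
            expectedServerCertificate = channelBindingService.getServerCertificate();
            if (null == expectedServerCertificate) {
                LOG.warn("could not verify secure channel binding as the server does not know its identity yet");
                return;
            }
        } else if (null != this.serverCertificate) {
            expectedServerCertificate = this.serverCertificate;
        } else {
            return;
        }
        if (!expectedServerCertificate.equals(authenticationDataMessage.serverCertificate)) {
            auditAuthenticationError(httpServletRequest, authenticationDataMessage.authnCert);
            throw new SecurityException("secure channel binding identity mismatch");
        }
        LOG.debug("secure channel binding verified");
    }

    /**
     * Second half of the flow, executed once the authentication certificate
     * chain has been validated: records the authenticated user and the
     * requested eID data in the session.
     *
     * @return the message to send back to the applet
     * @throws ServletException when requested data is missing or inconsistent
     */
    private Object completeAuthentication(AuthenticationDataMessage authenticationDataMessage,
            HttpServletRequest httpServletRequest, HttpSession httpSession, RequestContext requestContext)
            throws ServletException {
        String userId = UserIdentifierUtil.getUserId(authenticationDataMessage.authnCert);
        // NOTE(review): this logs the raw card identifier even when an NRCID secret is configured.
        LOG.info("authenticated: " + userId + " @ " + httpServletRequest.getRemoteAddr());
        if (null != this.nrcidSecret) {
            // Replace the national number by a non-reversible, application-scoped identifier.
            userId = UserIdentifierUtil.getNonReversibleCitizenIdentifier(userId, this.nrcidOrgId,
                    this.nrcidAppId, this.nrcidSecret);
        }
        httpSession.setAttribute(AUTHENTICATED_USER_IDENTIFIER_SESSION_ATTRIBUTE, userId);

        EIdData eIdData = (EIdData) httpSession.getAttribute(IdentityDataMessageHandler.EID_SESSION_ATTRIBUTE);
        if (null == eIdData) {
            eIdData = new EIdData();
            httpSession.setAttribute(IdentityDataMessageHandler.EID_SESSION_ATTRIBUTE, eIdData);
        }
        eIdData.identifier = userId;
        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.authenticated(userId);
        }

        boolean includeIdentity = requestContext.includeIdentity();
        boolean includeAddress = requestContext.includeAddress();
        boolean includeCertificates = requestContext.includeCertificates();
        boolean includePhoto = requestContext.includePhoto();
        if (includeIdentity && null == authenticationDataMessage.identityData) {
            throw new ServletException("identity data not included while requested");
        }
        if (includeAddress && null == authenticationDataMessage.addressData) {
            throw new ServletException("address data not included while requested");
        }
        if (includePhoto && null == authenticationDataMessage.photoData) {
            throw new ServletException("photo data not included while requested");
        }

        FinishedMessage integrityError = checkIdentityIntegrity(authenticationDataMessage, httpServletRequest,
                includeIdentity, includeAddress);
        if (null != integrityError) {
            return integrityError;
        }
        storeEidData(authenticationDataMessage, httpSession, eIdData, includeIdentity, includeAddress,
                includePhoto, includeCertificates);
        return finishOrRequestAuthenticationSignature(authenticationDataMessage, httpSession);
    }

    /**
     * When an {@link IdentityIntegrityService} is configured, validates the
     * national registration (RRN) certificate and the RRN signatures over the
     * identity and address files. Without that service the files are accepted
     * unverified.
     *
     * @return a {@link FinishedMessage} carrying the certificate error to report,
     *         or {@code null} when the checks passed or were skipped
     * @throws ServletException when required data is missing
     * @throws SecurityException on any other verification failure
     */
    private FinishedMessage checkIdentityIntegrity(AuthenticationDataMessage authenticationDataMessage,
            HttpServletRequest httpServletRequest, boolean includeIdentity, boolean includeAddress)
            throws ServletException {
        IdentityIntegrityService identityIntegrityService = this.identityIntegrityServiceLocator.locateService();
        if (null == identityIntegrityService) {
            return null;
        }
        if (null == authenticationDataMessage.rrnCertificate) {
            throw new ServletException("national registry certificate not included while requested");
        }
        List<X509Certificate> rrnCertificateChain = new LinkedList<X509Certificate>();
        rrnCertificateChain.add(authenticationDataMessage.rrnCertificate);
        rrnCertificateChain.add(authenticationDataMessage.rootCaCert);
        try {
            identityIntegrityService.checkNationalRegistrationCertificate(rrnCertificateChain);
            PublicKey rrnPublicKey = authenticationDataMessage.rrnCertificate.getPublicKey();
            String rrnSignatureAlgorithm = authenticationDataMessage.rrnCertificate.getSigAlgName();
            if (includeIdentity) {
                if (null == authenticationDataMessage.identitySignatureData) {
                    throw new ServletException("identity signature data not included while requested");
                }
                verifySignature(rrnSignatureAlgorithm, authenticationDataMessage.identitySignatureData,
                        rrnPublicKey, httpServletRequest, authenticationDataMessage.identityData);
            }
            if (includeAddress) {
                if (null == authenticationDataMessage.addressSignatureData) {
                    throw new ServletException("address signature data not included while requested");
                }
                if (null == authenticationDataMessage.identitySignatureData) {
                    // The address signature covers the identity signature as well, so it is
                    // required here even when the identity file itself was not requested.
                    throw new ServletException("identity signature data required for address signature verification");
                }
                verifySignature(rrnSignatureAlgorithm, authenticationDataMessage.addressSignatureData,
                        rrnPublicKey, httpServletRequest, trimRight(authenticationDataMessage.addressData),
                        authenticationDataMessage.identitySignatureData);
            }
            return null;
        } catch (Exception e) {
            FinishedMessage certificateError = toCertificateErrorMessage(e);
            if (null != certificateError) {
                return certificateError;
            }
            throw new SecurityException("error checking the NRN certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Stores the requested eID data in the session and in the {@link EIdData}
     * aggregate.
     *
     * @throws ServletException when the identity file does not belong to the
     *         authenticating card or the photo does not match its digest
     */
    private void storeEidData(AuthenticationDataMessage authenticationDataMessage, HttpSession httpSession,
            EIdData eIdData, boolean includeIdentity, boolean includeAddress, boolean includePhoto,
            boolean includeCertificates) throws ServletException {
        if (includeIdentity) {
            Identity identity = (Identity) TlvParser.parse(authenticationDataMessage.identityData, Identity.class);
            // Bind the identity file to the card that signed the challenge.
            if (!UserIdentifierUtil.getUserId(authenticationDataMessage.authnCert).equals(identity.nationalNumber)) {
                throw new ServletException("national number mismatch");
            }
            httpSession.setAttribute(IdentityDataMessageHandler.IDENTITY_SESSION_ATTRIBUTE, identity);
            eIdData.identity = identity;
            AuditService auditService = this.auditServiceLocator.locateService();
            if (null != auditService) {
                auditService.identified(identity.nationalNumber);
            }
        }
        if (includeAddress) {
            Address address = (Address) TlvParser.parse(authenticationDataMessage.addressData, Address.class);
            httpSession.setAttribute(IdentityDataMessageHandler.ADDRESS_SESSION_ATTRIBUTE, address);
            eIdData.address = address;
        }
        if (includePhoto) {
            // The photo can only be bound to the card via the digest in the identity file;
            // without the identity file it is stored unverified.
            if (includeIdentity) {
                verifyPhotoDigest(eIdData.identity.photoDigest, authenticationDataMessage.photoData);
            }
            httpSession.setAttribute(IdentityDataMessageHandler.PHOTO_SESSION_ATTRIBUTE,
                    authenticationDataMessage.photoData);
            eIdData.photo = authenticationDataMessage.photoData;
        }
        if (includeCertificates) {
            if (includeIdentity) {
                EIdCertsData certs = new EIdCertsData();
                certs.authn = authenticationDataMessage.authnCert;
                certs.ca = authenticationDataMessage.citizenCaCert;
                certs.root = authenticationDataMessage.rootCaCert;
                certs.sign = authenticationDataMessage.signCert;
                eIdData.certs = certs;
            }
            httpSession.setAttribute(IdentityDataMessageHandler.AUTHN_CERT_SESSION_ATTRIBUTE,
                    authenticationDataMessage.authnCert);
            httpSession.setAttribute(IdentityDataMessageHandler.CA_CERT_SESSION_ATTRIBUTE,
                    authenticationDataMessage.citizenCaCert);
            httpSession.setAttribute("eid.certs.root", authenticationDataMessage.rootCaCert);
            httpSession.setAttribute(IdentityDataMessageHandler.SIGN_CERT_SESSION_ATTRIBUTE,
                    authenticationDataMessage.signCert);
        }
        if (this.includeDataFiles) {
            httpSession.setAttribute(IdentityDataMessageHandler.EID_DATA_IDENTITY_SESSION_ATTRIBUTE,
                    authenticationDataMessage.identityData);
            httpSession.setAttribute(IdentityDataMessageHandler.EID_DATA_ADDRESS_SESSION_ATTRIBUTE,
                    authenticationDataMessage.addressData);
        }
    }

    /**
     * Asks the optional {@link AuthenticationSignatureService} whether an
     * additional signature is required and builds the matching reply.
     */
    private Object finishOrRequestAuthenticationSignature(AuthenticationDataMessage authenticationDataMessage,
            HttpSession httpSession) {
        AuthenticationSignatureService authenticationSignatureService =
                this.authenticationSignatureServiceLocator.locateService();
        if (null == authenticationSignatureService) {
            return new FinishedMessage();
        }
        // authnCert is known to be present at this point (checked on entry).
        PreSignResult preSignResult = authenticationSignatureService.preSign(
                buildAuthnCertificateChain(authenticationDataMessage),
                new AuthenticationSignatureContextImpl(httpSession));
        if (null == preSignResult) {
            return new FinishedMessage();
        }
        return new AuthSignRequestMessage(preSignResult.getDigestInfo().digestValue,
                preSignResult.getDigestInfo().digestAlgo, preSignResult.getDigestInfo().description,
                preSignResult.getLogoff());
    }

    /** Builds the chain [authentication, citizen CA, root CA] from the message. */
    private static List<X509Certificate> buildAuthnCertificateChain(
            AuthenticationDataMessage authenticationDataMessage) {
        List<X509Certificate> certificateChain = new LinkedList<X509Certificate>();
        certificateChain.add(authenticationDataMessage.authnCert);
        certificateChain.add(authenticationDataMessage.citizenCaCert);
        certificateChain.add(authenticationDataMessage.rootCaCert);
        return certificateChain;
    }

    /**
     * Maps a certificate validation exception — possibly wrapped in a
     * container {@code javax.ejb.EJBException}, unwrapped reflectively — to the
     * {@link FinishedMessage} that reports it to the applet.
     *
     * @return the error message, or {@code null} when {@code e} is not a certificate validation failure
     * @throws SecurityException when the EJB wrapper cannot be unwrapped
     */
    private static FinishedMessage toCertificateErrorMessage(Exception e) {
        FinishedMessage direct = mapCertificateSecurityException(e);
        if (null != direct) {
            return direct;
        }
        if (!EJB_EXCEPTION_CLASS_NAME.equals(e.getClass().getName())) {
            return null;
        }
        Exception cause;
        try {
            cause = (Exception) e.getClass().getMethod("getCausedByException").invoke(e);
        } catch (Exception reflectionError) {
            LOG.debug("error: " + e.getMessage(), e);
            throw new SecurityException("error retrieving the root cause: " + reflectionError.getMessage());
        }
        return mapCertificateSecurityException(cause);
    }

    /** Most specific certificate error first; {@code null} for anything else (including {@code null}). */
    private static FinishedMessage mapCertificateSecurityException(Object e) {
        if (e instanceof ExpiredCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED);
        }
        if (e instanceof RevokedCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED);
        }
        if (e instanceof TrustCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED);
        }
        if (e instanceof CertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE);
        }
        return null;
    }

    /** Reports an authentication failure to the audit service, if one is configured. */
    private void auditAuthenticationError(HttpServletRequest httpServletRequest, X509Certificate authnCert) {
        AuditService auditService = this.auditServiceLocator.locateService();
        if (null != auditService) {
            auditService.authenticationError(httpServletRequest.getRemoteAddr(), authnCert);
        }
    }

    /**
     * Checks the photo against the digest stored in the identity file; the
     * digest algorithm is inferred from the digest length.
     *
     * @throws ServletException when the digest is absent or does not match
     */
    private static void verifyPhotoDigest(byte[] expectedDigest, byte[] photoData) throws ServletException {
        if (null == expectedDigest) {
            throw new ServletException("photo digest missing in identity data");
        }
        byte[] actualDigest = digestPhoto(getDigestAlgo(expectedDigest.length), photoData);
        if (!Arrays.equals(expectedDigest, actualDigest)) {
            throw new ServletException("photo digest incorrect");
        }
    }

    /**
     * Returns the prefix of {@code data} up to (excluding) the first zero byte;
     * the address file is zero-padded and only the unpadded part is signed.
     */
    private static byte[] trimRight(byte[] data) {
        int length = 0;
        while (length < data.length && 0 != data[length]) {
            length++;
        }
        return Arrays.copyOf(data, length);
    }

    /**
     * Digests {@code data} with the given JCA algorithm name.
     *
     * @throws RuntimeException when the algorithm is not available
     */
    private static byte[] digestPhoto(String digestAlgorithm, byte[] data) {
        try {
            return MessageDigest.getInstance(digestAlgorithm).digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("SHA error: " + e.getMessage(), e);
        }
    }

    /**
     * Guesses the SHA digest algorithm from the digest size in bytes.
     *
     * @throws RuntimeException for a size that matches no SHA variant
     */
    private static String getDigestAlgo(int digestSize) {
        switch (digestSize) {
            case 20:
                return "SHA-1";
            case 28:
                return "SHA-224";
            case 32:
                return "SHA-256";
            case 48:
                return "SHA-384";
            case 64:
                return "SHA-512";
            default:
                throw new RuntimeException("Failed to find guess algorithm for hash size of " + digestSize + " bytes");
        }
    }

    /**
     * Verifies an RRN signature over the concatenation of {@code signedData}.
     *
     * @throws ServletException when the signature is invalid (after an
     *         identity integrity audit event) or cannot be verified
     */
    private void verifySignature(String signatureAlgorithm, byte[] signatureValue, PublicKey publicKey,
            HttpServletRequest httpServletRequest, byte[]... signedData) throws ServletException {
        boolean valid;
        try {
            Signature signature = Signature.getInstance(signatureAlgorithm);
            signature.initVerify(publicKey);
            for (byte[] part : signedData) {
                signature.update(part);
            }
            valid = signature.verify(signatureValue);
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException("algo error: " + e.getMessage(), e);
        } catch (InvalidKeyException e) {
            throw new ServletException("key error: " + e.getMessage(), e);
        } catch (SignatureException e) {
            throw new ServletException("signature error: " + e.getMessage(), e);
        }
        if (!valid) {
            AuditService auditService = this.auditServiceLocator.locateService();
            if (null != auditService) {
                auditService.identityIntegrityError(httpServletRequest.getRemoteAddr());
            }
            throw new ServletException("signature incorrect");
        }
    }

    /**
     * Compares the TLS session id the applet signed with the one the container
     * exposes on the request. When the container exposes none, the check is
     * skipped with a warning.
     *
     * @throws SecurityException on a mismatch
     */
    private void checkSessionIdChannelBinding(AuthenticationDataMessage authenticationDataMessage,
            HttpServletRequest httpServletRequest) {
        LOG.debug("using TLS session Id channel binding");
        byte[] signedSessionId = authenticationDataMessage.sessionId;
        String actualSessionId = (String) httpServletRequest.getAttribute("javax.servlet.request.ssl_session");
        if (null == actualSessionId) {
            actualSessionId = (String) httpServletRequest.getAttribute("javax.servlet.request.ssl_session_id");
        }
        if (null == actualSessionId) {
            LOG.warn("could not verify the SSL session identifier");
            return;
        }
        // An absent signed id is a mismatch, not an error in the debug logging below.
        if (null != signedSessionId && Arrays.equals(signedSessionId, Hex.decode(actualSessionId))) {
            LOG.debug("SSL session identifier checked");
            return;
        }
        LOG.warn("SSL session Id mismatch");
        // Session ids are only written at debug level; keep that level off in production logs.
        if (null != signedSessionId) {
            LOG.debug("signed SSL session Id: " + new String(Hex.encode(signedSessionId)));
        }
        LOG.debug("actual SSL session Id: " + actualSessionId);
        throw new SecurityException("SSL session Id mismatch");
    }

    /**
     * Loads the optional server certificate used for channel binding.
     *
     * @throws ServletException when the configured file is missing or unreadable
     */
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    public void init(ServletConfig servletConfig) throws ServletException {
        String serverCertificatePath = servletConfig.getInitParameter(
                HelloMessageHandler.CHANNEL_BINDING_SERVER_CERTIFICATE);
        if (null == serverCertificatePath) {
            return;
        }
        File serverCertificateFile = new File(serverCertificatePath);
        if (!serverCertificateFile.exists()) {
            throw new ServletException("server certificate not found: " + serverCertificateFile);
        }
        try {
            this.serverCertificate = getCertificate(FileUtils.readFileToByteArray(serverCertificateFile));
        } catch (IOException e) {
            throw new ServletException("error reading server certificate: " + e.getMessage(), e);
        }
    }

    /**
     * Decodes an X.509 certificate. The two failure modes (factory lookup and
     * decoding) are kept apart so the error message says which one failed.
     *
     * @throws RuntimeException when the factory is unavailable or the bytes do not decode
     */
    private static X509Certificate getCertificate(byte[] encodedCertificate) {
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
        } catch (CertificateException e) {
            throw new RuntimeException("cert factory error: " + e.getMessage(), e);
        }
        try {
            return (X509Certificate) certificateFactory.generateCertificate(
                    new ByteArrayInputStream(encodedCertificate));
        } catch (CertificateException e) {
            throw new RuntimeException("certificate decoding error: " + e.getMessage(), e);
        }
    }

    /** Raw-typed bridge kept for the {@link MessageHandler} contract; delegates to {@link #handleMessage2}. */
    @Override // be.fedict.eid.applet.service.impl.handler.MessageHandler
    @SuppressWarnings("unchecked")
    public Object handleMessage(AuthenticationDataMessage authenticationDataMessage, Map map,
            HttpServletRequest httpServletRequest, HttpSession httpSession) throws ServletException {
        return handleMessage2(authenticationDataMessage, (Map<String, String>) map, httpServletRequest, httpSession);
    }
}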
