package eu.cec.digit.ecas.util.httpclient.protocol.bouncycastle;

import eu.cec.digit.ecas.client.DesktopUtil;
import eu.cec.digit.ecas.org.bouncycastle.asn1.x500.X500Name;
import eu.cec.digit.ecas.org.bouncycastle.asn1.x509.Certificate;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.DSAParameters;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.DSAPrivateKeyParameters;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.ECDomainParameters;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.ECPrivateKeyParameters;
import eu.cec.digit.ecas.org.bouncycastle.crypto.params.RSAKeyParameters;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.CertificateRequest;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.DefaultTlsSignerCredentials;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.SignatureAndHashAlgorithm;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsAuthentication;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsContext;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsCredentials;
import eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsFatalAlert;
import eu.cec.digit.ecas.org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util;
import eu.cec.digit.ecas.org.bouncycastle.jce.spec.ECParameterSpec;
import eu.cec.digit.ecas.util.commons.lang.CommonUtils;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Vector;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:eu/cec/digit/ecas/util/httpclient/protocol/bouncycastle/IdentityAndTrustTlsAuthentication.class */
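/**
 * Bouncy Castle {@link TlsAuthentication} callback backed by an {@link IdentityAndTrust}.
 *
 * <p>Two responsibilities:
 * <ul>
 *   <li>{@link #notifyServerCertificate}: decide whether the server's certificate chain is trusted,
 *       either directly ({@code isDirectlyTrusted}) or through a trusted CA
 *       ({@code isIssuedByTrustedCA}), and remember the chain. Any other outcome aborts the handshake
 *       with a {@code bad_certificate} fatal alert (fail closed).</li>
 *   <li>{@link #getClientCredentials}: answer a CertificateRequest with our own certificate chain and
 *       signing key, provided the certificate type and signature algorithm are acceptable to the
 *       server.</li>
 * </ul>
 *
 * <p>NOTE(review): this class validates the chain only; it never compares the server certificate to
 * the host name being contacted. The caller is presumably responsible for that - confirm.
 *
 * <p>Debug output goes to {@code System.out} when {@code JsseUtil.isJsseDebugEnabled()}; it prints
 * certificates and the private key <em>algorithm</em>, never key material.
 *
 * <p>No synchronization: {@link #serverCertificateChain} is written during the handshake and read
 * afterwards through {@link #getServerCertificateChain()}.
 */
public final class IdentityAndTrustTlsAuthentication implements TlsAuthentication {

    /** TLS AlertDescription {@code bad_certificate} (RFC 5246, section 7.2.2). */
    private static final short ALERT_BAD_CERTIFICATE = 42;

    private final ExposedTlsClientProtocol tlsClientProtocol;
    private final IdentityAndTrust identityAndTrust;
    /** Server chain (leaf first) as received; assigned only once the trust checks have passed. */
    private X509Certificate[] serverCertificateChain;

    /**
     * Adapts a JCA private key to the lightweight Bouncy Castle key parameters expected by
     * {@link DefaultTlsSignerCredentials}.
     *
     * @param <T> the JCA private key interface handled by the converter
     */
    public static abstract class PrivateKeyConverter<T extends PrivateKey> {
        PrivateKeyConverter() {
        }

        /** Converts the given JCA key to its Bouncy Castle lightweight equivalent. */
        abstract AsymmetricKeyParameter convert(T t);
    }

    /**
     * @param exposedTlsClientProtocol the protocol whose {@link TlsContext} is used to sign the
     *                                 CertificateVerify message
     * @param identityAndTrust         our client identity (chain + private key) and the server trust
     *                                 decisions; both arguments are rejected when null by
     *                                 {@code CommonUtils.checkNotNull}
     */
    public IdentityAndTrustTlsAuthentication(ExposedTlsClientProtocol exposedTlsClientProtocol, IdentityAndTrust identityAndTrust) {
        CommonUtils.checkNotNull(exposedTlsClientProtocol, "tlsClientProtocol");
        CommonUtils.checkNotNull(identityAndTrust, "identityAndTrust");
        this.tlsClientProtocol = exposedTlsClientProtocol;
        this.identityAndTrust = identityAndTrust;
    }

    /**
     * Answers the server's CertificateRequest.
     *
     * @param certificateRequest the request as parsed by Bouncy Castle
     * @return signer credentials for our identity, or {@code null} to continue the handshake without a
     *         client certificate (no identity configured, or the server would not accept its type or
     *         signature algorithm). The chain is offered even when its issuer is not among the
     *         advertised {@code certificate_authorities}; the server makes the final decision.
     * @throws IOException if our own certificate chain cannot be re-encoded for TLS
     */
    @Override // eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsAuthentication
    public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
        short[] certificateTypes = certificateRequest.getCertificateTypes();
        @SuppressWarnings("unchecked")
        Vector<SignatureAndHashAlgorithm> supportedSignatureAlgorithms = certificateRequest.getSupportedSignatureAlgorithms();
        @SuppressWarnings("unchecked")
        Vector<X500Name> certificateAuthorities = certificateRequest.getCertificateAuthorities();
        if (JsseUtil.isJsseDebugEnabled()) {
            logCertificateRequest(certificateTypes, supportedSignatureAlgorithms, certificateAuthorities);
        }
        if (null == certificateTypes) {
            // Nothing the server would accept: stay anonymous rather than send a certificate of an unwanted type.
            return null;
        }
        X509Certificate[] identityCertificateChain = this.identityAndTrust.getIdentityCertificateChain();
        if (null == identityCertificateChain || identityCertificateChain.length == 0) {
            debug("\t-TLS client does not possess any client certificate, unable to comply with the certificate request.");
            return null;
        }
        try {
            Certificate[] bcChain = CertificateUtil.convert(identityCertificateChain);
            eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate = new eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate(bcChain);
            if (JsseUtil.isJsseDebugEnabled()) {
                logIssuerAcceptance(bcChain[0].getIssuer(), certificateAuthorities, identityCertificateChain[0]);
            }
            TlsContext tlsContext = this.tlsClientProtocol.getTlsContext();
            PrivateKey identityPrivateKey = this.identityAndTrust.getIdentityPrivateKey();
            if (null == identityPrivateKey) {
                // A chain without its key cannot produce a CertificateVerify; do not offer it.
                debug("\t-TLS client possesses a client certificate but no matching private key, unable to comply with the certificate request.");
                return null;
            }
            if (identityPrivateKey instanceof RSAPrivateKey) {
                return getRsaTlsCredentials(certificateTypes, supportedSignatureAlgorithms, certificate, (RSAPrivateKey) identityPrivateKey, tlsContext);
            }
            if (identityPrivateKey instanceof DSAPrivateKey) {
                return getDsaTlsCredentials(certificateTypes, supportedSignatureAlgorithms, certificate, (DSAPrivateKey) identityPrivateKey, tlsContext);
            }
            if (identityPrivateKey instanceof ECPrivateKey) {
                return getEcTlsCredentials(certificateTypes, supportedSignatureAlgorithms, certificate, (ECPrivateKey) identityPrivateKey, tlsContext);
            }
            if (JsseUtil.isJsseDebugEnabled()) {
                System.out.println("\t-TLS client possesses an unknown private key algorithm: " + identityPrivateKey.getAlgorithm());
            }
            return null;
        } catch (CertificateEncodingException e) {
            throw ioException(e.getMessage(), e);
        }
    }

    /** Debug dump of what the server declared acceptable in its CertificateRequest. */
    private static void logCertificateRequest(short[] certificateTypes, Vector<SignatureAndHashAlgorithm> supportedSignatureAlgorithms, Vector<X500Name> certificateAuthorities) {
        System.out.println("TLS client received certificate request for mutual authentication: ");
        if (null != certificateTypes) {
            System.out.println("\t-TLS server accepts client certificate of types: " + Arrays.toString(JsseClientCertificateType.MAPPER.arrayMap(JsseMapper.box(certificateTypes))));
        } else {
            System.out.println("\t-TLS server does not accept client certificate from any type.");
        }
        if (null != supportedSignatureAlgorithms) {
            System.out.println("\t-TLS server accepts client certificate signature algorithms: " + JsseSignatureAndHashAlgorithm.MAPPER.mapValues(supportedSignatureAlgorithms));
        } else {
            System.out.println("\t-TLS server does not support any signature algorithm extension.");
        }
        if (null == certificateAuthorities || certificateAuthorities.isEmpty()) {
            // RFC 5246 section 7.4.4: an empty certificate_authorities list means any CA is acceptable.
            System.out.println("\t-TLS server does not restrict the Certificate Authority of the client certificate (empty certificate_authorities list).");
        } else {
            for (X500Name authority : certificateAuthorities) {
                System.out.println("\t-TLS server accepts client certificate from Certificate Authority: " + authority);
            }
        }
    }

    /** Debug note saying whether our leaf's issuer is among the CAs the server advertised. */
    private static void logIssuerAcceptance(X500Name issuer, Vector<X500Name> certificateAuthorities, X509Certificate leaf) {
        boolean advertised = null != certificateAuthorities && certificateAuthorities.contains(issuer);
        StringBuilder sb = new StringBuilder(advertised
                ? "\t-TLS client possesses a client certificate issued by an accepted Certificate Authority: " + issuer + " - client certificate:\n"
                : "\t-TLS client possesses a client certificate issued by a Certificate Authority which is not advertised as acceptable: " + issuer + " - subject:\n");
        CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
        System.out.println(sb.toString());
    }

    private TlsCredentials getDsaTlsCredentials(short[] acceptedTypes, Vector<SignatureAndHashAlgorithm> acceptedAlgorithms, eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate, DSAPrivateKey dsaPrivateKey, TlsContext tlsContext) {
        return getTlsCredentialsForType(JsseClientCertificateType.DSS_SIGN, acceptedTypes, acceptedAlgorithms, JsseSignatureAlgorithm.DSA, certificate, new PrivateKeyConverter<DSAPrivateKey>() {
            @Override
            public AsymmetricKeyParameter convert(DSAPrivateKey key) {
                DSAParams params = key.getParams();
                return new DSAPrivateKeyParameters(key.getX(), new DSAParameters(params.getP(), params.getQ(), params.getG()));
            }
        }, dsaPrivateKey, tlsContext);
    }

    private TlsCredentials getEcTlsCredentials(short[] acceptedTypes, Vector<SignatureAndHashAlgorithm> acceptedAlgorithms, eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate, ECPrivateKey ecPrivateKey, TlsContext tlsContext) {
        return getTlsCredentialsForType(JsseClientCertificateType.ECDSA_SIGN, acceptedTypes, acceptedAlgorithms, JsseSignatureAlgorithm.ECDSA, certificate, new PrivateKeyConverter<ECPrivateKey>() {
            @Override
            public AsymmetricKeyParameter convert(ECPrivateKey key) {
                // JCA (java.security.spec) curve parameters -> Bouncy Castle domain parameters.
                ECParameterSpec spec = EC5Util.convertSpec(key.getParams(), false);
                return new ECPrivateKeyParameters(key.getS(), new ECDomainParameters(spec.getCurve(), spec.getG(), spec.getN(), spec.getH(), spec.getSeed()));
            }
        }, ecPrivateKey, tlsContext);
    }

    private TlsCredentials getRsaTlsCredentials(short[] acceptedTypes, Vector<SignatureAndHashAlgorithm> acceptedAlgorithms, eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate, RSAPrivateKey rsaPrivateKey, TlsContext tlsContext) {
        return getTlsCredentialsForType(JsseClientCertificateType.RSA_SIGN, acceptedTypes, acceptedAlgorithms, JsseSignatureAlgorithm.RSA, certificate, new PrivateKeyConverter<RSAPrivateKey>() {
            @Override
            public AsymmetricKeyParameter convert(RSAPrivateKey key) {
                // Only (n, d) are used; CRT parameters, if the key has them, are not carried over.
                return new RSAKeyParameters(true, key.getModulus(), key.getPrivateExponent());
            }
        }, rsaPrivateKey, tlsContext);
    }

    /**
     * Builds signer credentials for our identity if the server accepts both the certificate type and
     * (for a request carrying {@code signature_algorithms}) our signature algorithm.
     *
     * @return the credentials, or {@code null} when the server would not accept them
     */
    private <T extends PrivateKey> TlsCredentials getTlsCredentialsForType(JsseClientCertificateType certificateType, short[] acceptedTypes, Vector<SignatureAndHashAlgorithm> acceptedAlgorithms, JsseSignatureAlgorithm signatureAlgorithm, eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate, PrivateKeyConverter<T> converter, T privateKey, TlsContext tlsContext) {
        if (!eu.cec.digit.ecas.org.bouncycastle.util.Arrays.contains(acceptedTypes, certificateType.getValue().shortValue())) {
            if (JsseUtil.isJsseDebugEnabled()) {
                System.out.println("\t-TLS server does not accept " + certificateType.getJsseName() + " which is the type of our client certificate: " + certificate.getCertificateAt(0).getSubject());
            }
            return null;
        }
        SignatureAndHashAlgorithm chosen = null;
        if (null != acceptedAlgorithms) {
            // Take the first entry for our signature algorithm, i.e. honour the server's preference order.
            // Caveat: a server that lists SHA-1 (or MD5) before SHA-2 gets a CertificateVerify with that
            // hash; no local floor on the hash algorithm is enforced here.
            short wanted = signatureAlgorithm.getValue().shortValue();
            for (SignatureAndHashAlgorithm candidate : acceptedAlgorithms) {
                if (candidate.getSignature() == wanted) {
                    chosen = candidate;
                    break;
                }
            }
            if (null == chosen) {
                if (JsseUtil.isJsseDebugEnabled()) {
                    System.out.println("\t-TLS server explicitly does not accept the " + signatureAlgorithm.getJsseName() + " signature algorithm (only accepted algorithms: " + JsseSignatureAndHashAlgorithm.MAPPER.mapValues(acceptedAlgorithms) + ").");
                }
                return null;
            }
        }
        // When acceptedAlgorithms is null (presumably a pre-TLS-1.2 request without signature_algorithms)
        // chosen stays null and DefaultTlsSignerCredentials uses the protocol's implicit algorithm.
        AsymmetricKeyParameter keyParameter = converter.convert(privateKey);
        if (JsseUtil.isJsseDebugEnabled()) {
            System.out.println("\t-TLS client using client certificate with private key: " + privateKey.getAlgorithm());
        }
        return new DefaultTlsSignerCredentials(tlsContext, certificate, keyParameter, chosen);
    }

    /** @return our leaf (end-entity) certificate, or {@code null} when no identity is configured. */
    public X509Certificate getLocalCertificate() {
        X509Certificate[] chain = this.identityAndTrust.getIdentityCertificateChain();
        return (null == chain || chain.length == 0) ? null : chain[0];
    }

    /** @return our full identity chain as held by the {@link IdentityAndTrust} (may be null). */
    public X509Certificate[] getLocalCertificateChain() {
        return this.identityAndTrust.getIdentityCertificateChain();
    }

    /**
     * @return a copy of the server chain accepted in {@link #notifyServerCertificate}, or {@code null}
     *         before that point. A copy is returned so callers cannot alter the stored, trusted chain.
     */
    public X509Certificate[] getServerCertificateChain() {
        return null == this.serverCertificateChain ? null : this.serverCertificateChain.clone();
    }

    /**
     * Decides whether to trust the server's certificate chain.
     *
     * <p>The chain is accepted when {@code identityAndTrust.isDirectlyTrusted} recognises it, or
     * otherwise when {@code identityAndTrust.isIssuedByTrustedCA} returns the trusted issuer. A
     * {@link CertPathValidatorException}, a {@code null} issuer, or any other failure aborts the
     * handshake with a {@code bad_certificate} alert or an {@link IOException}; the chain is stored
     * only on success.
     *
     * @param certificate the server's Certificate message
     * @throws TlsFatalAlert ({@code bad_certificate}) when the message is empty or the chain is not trusted
     * @throws IOException   for any other validation failure
     */
    @Override // eu.cec.digit.ecas.org.bouncycastle.crypto.tls.TlsAuthentication
    public void notifyServerCertificate(eu.cec.digit.ecas.org.bouncycastle.crypto.tls.Certificate certificate) throws IOException {
        if (certificate == null || certificate.isEmpty()) {
            debug("TLS client did not receive any server certificate!");
            throw new TlsFatalAlert(ALERT_BAD_CERTIFICATE);
        }
        Certificate[] certificateList = certificate.getCertificateList();
        X509Certificate leaf = null;
        try {
            X509Certificate[] chain = CertificateUtil.convert(certificateList);
            if (JsseUtil.isJsseDebugEnabled()) {
                dumpServerChain(certificateList.length, chain);
            }
            leaf = chain[0];
            if (null == this.identityAndTrust.isDirectlyTrusted(chain)) {
                X509Certificate trustedCa = this.identityAndTrust.isIssuedByTrustedCA(chain);
                if (null == trustedCa) {
                    // Fail closed: trust must be established positively, not by the absence of an exception.
                    throw new CertPathValidatorException("server certificate chain is neither directly trusted nor issued by a trusted Certificate Authority");
                }
                if (JsseUtil.isJsseDebugEnabled()) {
                    StringBuilder sb = new StringBuilder("TLS client is trusting server certificate:\n");
                    CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
                    sb.append("\nissued by trusted Certificate Authority: \n");
                    CertificateUtil.appendCertificateDetails(trustedCa, sb, "\t", "\n");
                    System.out.println(sb.toString());
                }
            }
            this.serverCertificateChain = chain;
        } catch (IOException e) {
            // TlsFatalAlert and other IOExceptions keep their type and alert code; do not re-wrap below.
            throw e;
        } catch (CertPathValidatorException e) {
            StringBuilder sb = new StringBuilder(100);
            sb.append("TLS client is not trusting server certificate:\n");
            if (null != leaf) {
                CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
            }
            sb.append("\nwhich is unknown");
            String message = sb.toString();
            debug(message);
            throw new TlsFatalAlert(ALERT_BAD_CERTIFICATE, ioException(message, e));
        } catch (Exception e) {
            StringBuilder sb = new StringBuilder(100);
            if (null != leaf) {
                sb.append("TLS client is not trusting server certificate:\n");
                CertificateUtil.appendCertificateDetails(leaf, sb, "\t", "\n");
                sb.append("\nbecause: ");
            }
            String message = sb.append(e).toString();
            if (JsseUtil.isJsseDebugEnabled()) {
                System.out.println(message);
                e.printStackTrace();
            }
            throw ioException(message, e);
        }
    }

    /** Debug dump of the received server chain, one certificate per entry. */
    private static void dumpServerChain(int receivedLength, X509Certificate[] chain) {
        System.out.println("TLS client received server certificate chain of length " + receivedLength);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("Server Certificate no" + (i + 1) + ": " + chain[i]);
            try {
                System.out.println("Server Certificate no" + (i + 1) + " Dump: " + chain[i].getSubjectX500Principal().getName() + "\n" + DesktopUtil.certificateToStringWithHeaders(chain[i]));
            } catch (CertificateException e) {
                e.printStackTrace();
            }
        }
    }

    /** Prints the message when JSSE debugging is enabled. */
    private static void debug(String message) {
        if (JsseUtil.isJsseDebugEnabled()) {
            System.out.println(message);
        }
    }

    /** Builds an IOException carrying its cause (initCause form, as the original targets an old Java level). */
    private static IOException ioException(String message, Throwable cause) {
        IOException ioException = new IOException(message);
        ioException.initCause(cause);
        return ioException;
    }
}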
