package eu.unicore.security.etd;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.X500NameUtils;
import eu.unicore.samly2.SAMLConstants;
import eu.unicore.samly2.elements.SAMLAttribute;
import eu.unicore.samly2.exceptions.SAMLValidationException;
import eu.unicore.samly2.validators.AssertionValidator;
import eu.unicore.security.ValidationResult;
import eu.unicore.security.dsig.DSigException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.xmlbeans.XmlObject;
import xmlbeans.org.oasis.saml2.assertion.NameIDType;

/* loaded from: input_file:eu/unicore/security/etd/ETDImpl.class */
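/**
 * Default {@link ETDApi} implementation: issues (signs) trust delegation assertions and
 * validates single assertions or whole delegation chains.
 *
 * <p>Every operation comes in two flavours: identities given as X.500 DN strings, and
 * identities given as X.509 certificate chains. The certificate flavour additionally binds
 * the custodian to its certificate through a legacy {@code hashCode()}-based hash and a
 * SHA-2 hash (see {@link TrustDelegation#generateSha2Hash}).
 *
 * <p>The class keeps no instance state, so one instance may be shared; the
 * {@code issueChainedTD} methods do, however, append to the list they are handed.
 */
public class ETDImpl implements ETDApi {
    /** Validity window, in days, applied when a caller passes no {@link DelegationRestrictions}. */
    public static final int DEFAULT_VALIDITY_DAYS = 14;

    /** Maximum proxy count applied when a caller passes no {@link DelegationRestrictions}. */
    private static final int DEFAULT_MAX_PROXY_COUNT = 1;

    /**
     * Issues a DN-based trust delegation signed with the given chain.
     *
     * @param custodianDN DN of the custodian (the identity whose trust is delegated)
     * @param issuerChain signer's certificate chain; the leaf ({@code [0]}) becomes the assertion issuer
     * @param issuerKey private key matching {@code issuerChain[0]}
     * @param receiverDN DN of the delegation receiver (assertion subject)
     * @param restrictions validity and proxy restrictions, or {@code null} for the defaults
     * @return the signed assertion
     * @throws DSigException if signing fails
     */
    @Override
    public TrustDelegation generateTD(String custodianDN, X509Certificate[] issuerChain, PrivateKey issuerKey,
            String receiverDN, DelegationRestrictions restrictions) throws DSigException {
        TrustDelegation td = new TrustDelegation(custodianDN);
        td.setX509Issuer(issuerChain[0].getSubjectX500Principal().getName());
        td.setX509Subject(receiverDN);
        return addRestrictionsAndSign(td, issuerChain, issuerKey, restrictions);
    }

    /**
     * Issues a DN-based trust delegation whose SAML issuer element is set explicitly instead
     * of being derived from the signing certificate.
     *
     * @param custodianDN DN of the custodian
     * @param issuerChain certificate chain used to sign the assertion
     * @param issuerValue first argument handed to {@code TrustDelegation.setIssuer}
     * @param issuerFormat second argument handed to {@code TrustDelegation.setIssuer}
     *        (NOTE(review): the (value, format) order is assumed from the names used here;
     *        confirm against {@code TrustDelegation.setIssuer})
     * @param issuerKey private key matching {@code issuerChain[0]}
     * @param receiverDN DN of the delegation receiver (assertion subject)
     * @param restrictions validity and proxy restrictions, or {@code null} for the defaults
     * @return the signed assertion
     * @throws DSigException if signing fails
     */
    @Override
    public TrustDelegation generateBootstrapTD(String custodianDN, X509Certificate[] issuerChain,
            String issuerValue, String issuerFormat, PrivateKey issuerKey, String receiverDN,
            DelegationRestrictions restrictions) throws DSigException {
        TrustDelegation td = new TrustDelegation(custodianDN);
        td.setIssuer(issuerValue, issuerFormat);
        td.setX509Subject(receiverDN);
        return addRestrictionsAndSign(td, issuerChain, issuerKey, restrictions);
    }

    /**
     * Issues a certificate-based trust delegation without additional SAML attributes.
     *
     * @see #generateTD(X509Certificate, X509Certificate[], PrivateKey, X509Certificate[], DelegationRestrictions, List)
     */
    @Override
    public TrustDelegation generateTD(X509Certificate custodian, X509Certificate[] issuerChain, PrivateKey issuerKey,
            X509Certificate[] receiverChain, DelegationRestrictions restrictions)
            throws DSigException, CertificateEncodingException {
        return generateTD(custodian, issuerChain, issuerKey, receiverChain, restrictions,
                new ArrayList<SAMLAttribute>());
    }

    /**
     * Issues a certificate-based trust delegation. The custodian is identified by DN and
     * bound to its certificate by both the legacy {@code hashCode()} hash and the SHA-2 hash.
     *
     * @param custodian custodian certificate
     * @param issuerChain signer's certificate chain; the leaf ({@code [0]}) becomes the assertion issuer
     * @param issuerKey private key matching {@code issuerChain[0]}
     * @param receiverChain receiver's certificate chain; embedded as sender-vouches confirmation
     * @param restrictions validity and proxy restrictions, or {@code null} for the defaults
     * @param attributes SAML attributes to add to the assertion (must not be {@code null})
     * @return the signed assertion
     * @throws DSigException if signing fails
     * @throws CertificateEncodingException if a certificate cannot be encoded into the assertion
     */
    @Override
    public TrustDelegation generateTD(X509Certificate custodian, X509Certificate[] issuerChain, PrivateKey issuerKey,
            X509Certificate[] receiverChain, DelegationRestrictions restrictions, List<SAMLAttribute> attributes)
            throws DSigException, CertificateEncodingException {
        return generateTD(custodian.getSubjectX500Principal().getName(), TrustDelegation.generateSha2Hash(custodian),
                custodian.hashCode(), issuerChain, issuerKey, receiverChain, restrictions, attributes);
    }

    /**
     * Builds, restricts and signs a certificate-based delegation from already computed
     * custodian identifiers.
     *
     * @param custodianDN custodian DN
     * @param custodianCertHashSha2 SHA-2 hash of the custodian certificate
     * @param custodianCertHash legacy {@code hashCode()} of the custodian certificate
     */
    private TrustDelegation generateTD(String custodianDN, String custodianCertHashSha2, int custodianCertHash,
            X509Certificate[] issuerChain, PrivateKey issuerKey, X509Certificate[] receiverChain,
            DelegationRestrictions restrictions, List<SAMLAttribute> attributes)
            throws DSigException, CertificateEncodingException {
        TrustDelegation td = new TrustDelegation(custodianDN, custodianCertHashSha2, Integer.valueOf(custodianCertHash));
        td.setX509Issuer(issuerChain[0].getSubjectX500Principal().getName());
        td.setX509Subject(receiverChain[0].getSubjectX500Principal().getName());
        // the receiver's chain is embedded so a validator can match it against the presented chain
        td.setSenderVouchesX509Confirmation(receiverChain);
        for (SAMLAttribute attribute : attributes) {
            td.addAttribute(attribute);
        }
        return addRestrictionsAndSign(td, issuerChain, issuerKey, restrictions);
    }

    /**
     * Applies the restrictions (or the defaults) to the assertion and signs it.
     *
     * <p>Without explicit restrictions the assertion is valid from now for
     * {@link #DEFAULT_VALIDITY_DAYS} days with a maximum proxy count of
     * {@link #DEFAULT_MAX_PROXY_COUNT}.
     *
     * @param td unsigned assertion, modified in place
     * @param issuerChain signer's certificate chain, embedded with the signature
     * @param issuerKey signing key
     * @param restrictions restrictions to apply, or {@code null} for the defaults
     * @return {@code td}, now signed
     * @throws DSigException if signing fails
     */
    private TrustDelegation addRestrictionsAndSign(TrustDelegation td, X509Certificate[] issuerChain,
            PrivateKey issuerKey, DelegationRestrictions restrictions) throws DSigException {
        DelegationRestrictions effective = restrictions;
        if (effective == null) {
            Calendar notOnOrAfter = Calendar.getInstance();
            notOnOrAfter.add(Calendar.DAY_OF_MONTH, DEFAULT_VALIDITY_DAYS);
            effective = new DelegationRestrictions(new Date(), notOnOrAfter.getTime(), DEFAULT_MAX_PROXY_COUNT);
        }
        td.setTimeConditions(effective.getNotBefore(), effective.getNotOnOrAfter());
        td.setProxyRestriction(effective.getMaxProxyCount());
        XmlObject[] customConditions = effective.getCustomConditions();
        if (customConditions != null) {
            for (XmlObject condition : customConditions) {
                td.addCustomCondition(condition);
            }
        }
        td.sign(issuerKey, issuerChain);
        return td;
    }

    /**
     * Appends a DN-based delegation to an existing chain, re-delegating the chain's custodian
     * to {@code receiverDN}. The given list is modified in place and returned.
     *
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws InconsistentTDChainException if the chain's first entry is certificate-based
     *         (carries a custodian certificate hash)
     * @throws DSigException if signing fails
     */
    @Override
    public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain, X509Certificate[] issuerChain,
            PrivateKey issuerKey, String receiverDN, DelegationRestrictions restrictions)
            throws DSigException, InconsistentTDChainException {
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("Trust delegation chain cant be empty");
        }
        TrustDelegation first = chain.get(0);
        if (first.getCustodianCertHash() != null) {
            throw new InconsistentTDChainException();
        }
        chain.add(generateTD(first.getCustodianDN(), issuerChain, issuerKey, receiverDN, restrictions));
        return chain;
    }

    /**
     * Appends a certificate-based delegation to an existing chain, re-delegating the chain's
     * custodian (DN and both certificate hashes are copied from the first entry) to
     * {@code receiverChain}. The given list is modified in place and returned.
     *
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws InconsistentTDChainException if the chain's first entry is DN-based
     *         (carries no custodian certificate hash)
     * @throws DSigException if signing fails
     * @throws CertificateEncodingException if a certificate cannot be encoded into the assertion
     */
    @Override
    public List<TrustDelegation> issueChainedTD(List<TrustDelegation> chain, X509Certificate[] issuerChain,
            PrivateKey issuerKey, X509Certificate[] receiverChain, DelegationRestrictions restrictions)
            throws DSigException, InconsistentTDChainException, CertificateEncodingException {
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("Trust delegation chain cant be empty");
        }
        TrustDelegation first = chain.get(0);
        if (first.getCustodianCertHash() == null) {
            throw new InconsistentTDChainException();
        }
        chain.add(generateTD(first.getCustodianDN(), first.getCustodianCertHashSha2(),
                first.getCustodianCertHash().intValue(), issuerChain, issuerKey, receiverChain, restrictions,
                new ArrayList<SAMLAttribute>()));
        return chain;
    }

    /**
     * Validates a DN-based delegation against an expected issuer DN.
     *
     * @param td assertion to validate
     * @param custodianDN expected custodian DN
     * @param issuerDN expected issuer DN (compared as a DN-format NameID)
     * @param receiverDN expected receiver DN
     * @param validator validator for the signer's certificate chain
     * @return a result that is valid only if every check passed
     */
    @Override
    public ValidationResult validateTD(TrustDelegation td, String custodianDN, String issuerDN, String receiverDN,
            X509CertChainValidator validator) {
        NameIDType expectedIssuer = NameIDType.Factory.newInstance();
        expectedIssuer.setFormat(SAMLConstants.NFORMAT_DN);
        expectedIssuer.setStringValue(issuerDN);
        return validateTD(td, custodianDN, expectedIssuer, receiverDN, validator);
    }

    /**
     * Validates a DN-based delegation against an expected issuer given as a SAML NameID.
     *
     * <p>Checks, in order: issuer NameID format and value, receiver (subject) DN, presence of
     * the signer's certificate, then the custodian and assertion checks of
     * {@link #validateTDBasic}. A missing NameID format on either side is treated as
     * {@link SAMLConstants#NFORMAT_ENTITY}.
     *
     * @param td assertion to validate
     * @param custodianDN expected custodian DN
     * @param expectedIssuer expected issuer NameID
     * @param receiverDN expected receiver DN
     * @param validator validator for the signer's certificate chain
     * @return a result that is valid only if every check passed
     */
    public ValidationResult validateTD(TrustDelegation td, String custodianDN, NameIDType expectedIssuer,
            String receiverDN, X509CertChainValidator validator) {
        NameIDType actualIssuer = td.getXMLBean().getIssuer();
        if (actualIssuer == null) {
            return new ValidationResult(false, "Assertion has no issuer");
        }
        String actualFormat = formatOrEntity(actualIssuer.getFormat());
        String expectedFormat = formatOrEntity(expectedIssuer.getFormat());
        if (!expectedFormat.equals(actualFormat)) {
            return new ValidationResult(false,
                    "Wrong issuer format (is " + actualFormat + " and should be " + expectedFormat + ")");
        }
        String actualValue = actualIssuer.getStringValue();
        String expectedValue = expectedIssuer.getStringValue();
        // DN issuers are compared with X500NameUtils rather than as plain strings
        boolean issuerMatches;
        if (SAMLConstants.NFORMAT_DN.equals(actualFormat)) {
            issuerMatches = X500NameUtils.equal(actualValue, expectedValue);
        } else {
            issuerMatches = actualValue != null && actualValue.equals(expectedValue);
        }
        if (!issuerMatches) {
            return new ValidationResult(false,
                    "Wrong issuer (is " + actualValue + " and should be " + expectedValue + ")");
        }
        String subjectName = td.getSubjectName();
        if (!X500NameUtils.equal(subjectName, receiverDN)) {
            return new ValidationResult(false,
                    "Wrong receiver (is " + subjectName + " and should be " + receiverDN + ")");
        }
        X509Certificate[] signerChain = td.getIssuerFromSignature();
        if (signerChain == null || signerChain.length == 0) {
            return new ValidationResult(false,
                    "Lack of issuer certificate (neither in KeyInfo element nor in available certificates list)");
        }
        // no custodian certificate is known in the DN flavour, so only the custodian DN is checked
        return validateTDBasic(validator, td, signerChain, custodianDN, null, null);
    }

    /** Returns the given NameID format, or {@link SAMLConstants#NFORMAT_ENTITY} when it is absent. */
    private static String formatOrEntity(String format) {
        return format == null ? SAMLConstants.NFORMAT_ENTITY : format;
    }

    /**
     * Validates a certificate-based delegation: the signer's and the receiver's chains embedded
     * in the assertion must equal the expected ones, and the custodian must match by DN and by
     * both certificate hashes.
     *
     * @param td assertion to validate
     * @param custodian expected custodian certificate
     * @param issuerChain expected signer's chain (must not be {@code null}/empty)
     * @param receiverChain expected receiver's chain (must not be {@code null}/empty)
     * @param validator validator for the signer's certificate chain
     * @return a result that is valid only if every check passed
     * @throws IllegalArgumentException if {@code issuerChain} or {@code receiverChain} is {@code null} or empty
     */
    @Override
    public ValidationResult validateTD(TrustDelegation td, X509Certificate custodian, X509Certificate[] issuerChain,
            X509Certificate[] receiverChain, X509CertChainValidator validator) {
        if (issuerChain == null || issuerChain.length == 0) {
            throw new IllegalArgumentException("Issuer argument must not be null/empty");
        }
        if (receiverChain == null || receiverChain.length == 0) {
            throw new IllegalArgumentException("Receiver argument must not be null/empty");
        }
        X509Certificate[] signerChain = td.getIssuerFromSignature();
        if (signerChain == null || signerChain.length == 0) {
            return new ValidationResult(false, "No issuer certificate in trust delegation assertion");
        }
        X509Certificate[] confirmedReceiverChain = td.getSubjectFromConfirmation();
        if (confirmedReceiverChain == null || confirmedReceiverChain.length == 0) {
            return new ValidationResult(false, "No receiver certificate in trust delegation assertion");
        }
        if (!compareChains(issuerChain, signerChain)) {
            return new ValidationResult(false, "Wrong delegation issuer (TD issuer certificate: ["
                    + signerChain[0].toString() + "] and should be: [" + issuerChain[0].toString() + "])");
        }
        if (!compareChains(receiverChain, confirmedReceiverChain)) {
            return new ValidationResult(false, "Wrong delegation receiver (TD receiver certificate: ["
                    + confirmedReceiverChain[0].toString() + "] and should be: [" + receiverChain[0].toString() + "])");
        }
        return validateTDBasic(validator, td, issuerChain, custodian.getSubjectX500Principal().getName(),
                Integer.valueOf(custodian.hashCode()), TrustDelegation.generateSha2Hash(custodian));
    }

    /**
     * Checks the custodian binding of an assertion and then runs the generic SAML assertion
     * validation ({@link AssertionValidator} with signer trust decided by
     * {@link ETDSamlTrustChecker}).
     *
     * @param validator validator handed to {@link ETDSamlTrustChecker}
     * @param td assertion to check
     * @param issuerChain signer's certificate chain handed to {@link ETDSamlTrustChecker}
     * @param custodianDN expected custodian DN
     * @param custodianCertHash expected legacy {@code hashCode()} of the custodian certificate,
     *        or {@code null} to skip that check
     * @param custodianCertHashSha2 expected SHA-2 hash of the custodian certificate,
     *        or {@code null} to skip that check
     * @return a result that is valid only if every check passed
     */
    private ValidationResult validateTDBasic(X509CertChainValidator validator, TrustDelegation td,
            X509Certificate[] issuerChain, String custodianDN, Integer custodianCertHash,
            String custodianCertHashSha2) {
        String actualCustodianDN = td.getCustodianDN();
        if (!X500NameUtils.equal(actualCustodianDN, custodianDN)) {
            return new ValidationResult(false,
                    "Wrong custodian (is " + actualCustodianDN + " should be " + custodianDN + ")");
        }
        if (custodianCertHash != null) {
            Integer actualHash = td.getCustodianCertHash();
            if (actualHash == null) {
                return new ValidationResult(false, "Custodian in assertion doesn't contain certificate hash");
            }
            if (!actualHash.equals(custodianCertHash)) {
                return new ValidationResult(false, "Wrong custodian (certificate hashes are different)");
            }
        }
        if (custodianCertHashSha2 != null) {
            String actualSha2 = td.getCustodianCertHashSha2();
            // NOTE(review): an assertion that carries no SHA-2 hash passes this step and is then
            // bound to the custodian only by DN and the 32-bit hashCode() value checked above --
            // presumably a compatibility allowance for assertions issued before the SHA-2 hash
            // was introduced; confirm whether that fallback is still wanted.
            if (actualSha2 != null && !actualSha2.equals(custodianCertHashSha2)) {
                return new ValidationResult(false, "Wrong custodian (certificate SHA2 hashes are different)");
            }
        }
        try {
            AssertionValidator samlValidator = new AssertionValidator(null, null, null,
                    AssertionValidator.DEFAULT_VALIDITY_GRACE_PERIOD,
                    new ETDSamlTrustChecker(validator, issuerChain));
            samlValidator.validate(td.getXMLBeanDoc());
            return new ValidationResult(true, "Validation OK");
        } catch (SAMLValidationException e) {
            return new ValidationResult(false, "Delegation assertion is invalid: " + e.getMessage());
        }
    }

    /**
     * Decides whether a DN-based delegation chain delegates {@code userDN}'s trust to
     * {@code subjectDN}.
     *
     * <p>The chain's custodian must be {@code userDN}; the first assertion must be signed either
     * by a certificate in {@code trustedIssuers} or by the custodian itself; each assertion's
     * subject must be the issuer of the next one; every assertion up to the one issued to
     * {@code subjectDN} must validate; and no assertion's proxy restriction may be exceeded by
     * the number of delegations that follow it.
     *
     * @param chain delegation chain, first entry being the custodian's own delegation
     * @param subjectDN DN of the party that should end up trusted
     * @param userDN DN of the custodian whose trust is delegated
     * @param validator validator for the signers' certificate chains
     * @param trustedIssuers certificates of third parties allowed to sign the initial
     *        delegation; {@code null} is treated as empty
     * @return a result that is valid only if the whole chain checks out
     */
    @Override
    public ValidationResult isTrustDelegated(List<TrustDelegation> chain, String subjectDN, String userDN,
            X509CertChainValidator validator, Collection<X509Certificate> trustedIssuers) {
        if (chain == null || subjectDN == null || userDN == null) {
            return new ValidationResult(false, "Some of arguments are null");
        }
        if (chain.isEmpty()) {
            return new ValidationResult(false, "Delegation chain is empty");
        }
        TrustDelegation first = chain.get(0);
        String custodianDN = first.getCustodianDN();
        if (!X500NameUtils.equal(userDN, custodianDN)) {
            return new ValidationResult(false, "Wrong user, it is not equal to custodian, user is: " + userDN
                    + " while custodian is: " + custodianDN);
        }
        X509Certificate[] firstSigner = first.getIssuerFromSignature();
        if (firstSigner == null || firstSigner.length == 0) {
            return new ValidationResult(false, "No issuer certificate at position 1.");
        }
        // the chain must start with the custodian itself unless a trusted third party signed it
        if (!isAmongTrusted(firstSigner[0], trustedIssuers)) {
            if (!X500NameUtils.equal(firstSigner[0].getSubjectX500Principal(), custodianDN)) {
                return new ValidationResult(false, "The issuer's certificate of the initial trust delegation is not consistent with the declared custodian (subject) and it is not among trusted 3rd party issuers");
            }
            if (!X500NameUtils.equal(custodianDN, first.getIssuerName())) {
                return new ValidationResult(false, "The signer's certificate of the initial trust delegation is not consistent with the declared assertion issuer and it is not among trusted 3rd party issuers");
            }
        }
        int[] proxyRestrictions = new int[chain.size()];
        int pos = 0;
        while (pos < chain.size()) {
            TrustDelegation current = chain.get(pos);
            boolean hasNext = pos + 1 < chain.size();
            // each entry must be issued to the issuer of the next one; the last visited entry
            // must be issued to the requested subject
            String expectedReceiver = hasNext ? chain.get(pos + 1).getIssuerName() : subjectDN;
            if (hasNext && !X500NameUtils.equal(current.getSubjectName(), expectedReceiver)) {
                return new ValidationResult(false, "Chain is inconsistent at position " + pos
                        + ", subject and issuer do not match. Subject is: " + current.getSubjectName()
                        + " while the issuer of the next delegation in chain is: " + expectedReceiver);
            }
            // the assertion's own issuer is passed as the expected one, so this call verifies
            // custodian, receiver and signature; issuer binding comes from the checks above
            ValidationResult entry = validateTD(current, custodianDN, current.getXMLBean().getIssuer(),
                    expectedReceiver, validator);
            if (!entry.isValid()) {
                return new ValidationResult(false,
                        "Chain has invalid entry at position " + pos + ": " + entry.getInvalidResaon());
            }
            proxyRestrictions[pos] = current.getProxyRestriction();
            if (X500NameUtils.equal(subjectDN, current.getSubjectName())) {
                break;
            }
            pos++;
        }
        if (pos == chain.size()) {
            return new ValidationResult(false, "Wrong subject");
        }
        return checkProxyRestrictions(proxyRestrictions, pos);
    }

    /**
     * Decides whether a certificate-based delegation chain delegates the trust of
     * {@code userChain}'s owner to the owner of {@code subjectChain}.
     *
     * <p>Same structure as the DN-based overload, but identities are matched by certificate
     * chain equality: the first signer must equal {@code userChain[0]} or be among
     * {@code trustedIssuers}; each assertion's confirmed receiver chain must equal the next
     * assertion's signer chain; every visited assertion must validate against
     * {@code userChain[0]} as custodian; and proxy restrictions must hold.
     *
     * @param chain delegation chain, first entry being the custodian's own delegation
     * @param subjectChain certificate chain of the party that should end up trusted
     * @param userChain certificate chain of the custodian
     * @param validator validator for the signers' certificate chains
     * @param trustedIssuers certificates of third parties allowed to sign the initial
     *        delegation; {@code null} is treated as empty
     * @return a result that is valid only if the whole chain checks out
     */
    @Override
    public ValidationResult isTrustDelegated(List<TrustDelegation> chain, X509Certificate[] subjectChain,
            X509Certificate[] userChain, X509CertChainValidator validator,
            Collection<X509Certificate> trustedIssuers) {
        if (chain == null || subjectChain == null || userChain == null || userChain.length == 0
                || subjectChain.length == 0) {
            return new ValidationResult(false, "Some of arguments are null/empty");
        }
        if (chain.isEmpty()) {
            return new ValidationResult(false, "Delegation chain is empty");
        }
        X509Certificate[] firstSigner = chain.get(0).getIssuerFromSignature();
        // a first assertion without an embedded signer certificate is a negative result, not an
        // exception (mirrors the DN-based overload)
        if (firstSigner == null || firstSigner.length == 0) {
            return new ValidationResult(false, "No issuer certificate at position 1.");
        }
        if (!isAmongTrusted(firstSigner[0], trustedIssuers) && !userChain[0].equals(firstSigner[0])) {
            return new ValidationResult(false, "The signer's certificate of the initial trust delegation is not consistent with the declared assertion issuer certificate and it is not among trusted 3rd party issuers");
        }
        int[] proxyRestrictions = new int[chain.size()];
        int pos = 0;
        while (pos < chain.size()) {
            TrustDelegation current = chain.get(pos);
            X509Certificate[] receiverChain = current.getSubjectFromConfirmation();
            if (receiverChain == null || receiverChain.length == 0) {
                return new ValidationResult(false, "No subject certificate at position " + pos);
            }
            if (pos + 1 < chain.size()) {
                X509Certificate[] nextSigner = chain.get(pos + 1).getIssuerFromSignature();
                if (nextSigner == null || nextSigner.length == 0) {
                    return new ValidationResult(false, "No issuer certificate at position " + (pos + 1));
                }
                if (!compareChains(receiverChain, nextSigner)) {
                    return new ValidationResult(false, "Chain is inconsistent at position " + pos
                            + " issuer's and subject's certificates do not match");
                }
            }
            X509Certificate[] signer = current.getIssuerFromSignature();
            if (signer == null || signer.length == 0) {
                return new ValidationResult(false, "No issuer certificate at position " + pos);
            }
            ValidationResult entry = validateTD(current, userChain[0], signer, receiverChain, validator);
            if (!entry.isValid()) {
                return new ValidationResult(false,
                        "Chain has invalid entry at position " + pos + ": " + entry.getInvalidResaon());
            }
            proxyRestrictions[pos] = current.getProxyRestriction();
            if (compareChains(subjectChain, receiverChain)) {
                break;
            }
            pos++;
        }
        if (pos == chain.size()) {
            return new ValidationResult(false, "Wrong subject");
        }
        return checkProxyRestrictions(proxyRestrictions, pos);
    }

    /**
     * Enforces the proxy restrictions of every assertion before {@code lastPos}: assertion
     * {@code i} is followed by {@code lastPos - i} further delegations and its restriction,
     * when positive, must be at least {@code (lastPos - i) + 1}. A restriction of zero or
     * less is not enforced here.
     *
     * @param restrictions proxy restriction per chain position
     * @param lastPos index of the assertion issued to the requested subject
     * @return "Validation OK" or the first violation found
     */
    private static ValidationResult checkProxyRestrictions(int[] restrictions, int lastPos) {
        for (int i = 0; i < lastPos; i++) {
            int required = (lastPos - i) + 1;
            if (restrictions[i] > 0 && restrictions[i] < required) {
                return new ValidationResult(false,
                        "Chain length exceedes maximum proxy restriction of assertion at position " + i);
            }
        }
        return new ValidationResult(true, "Validation OK");
    }

    /** True when both chains have the same length and pairwise equal certificates. */
    private boolean compareChains(X509Certificate[] expected, X509Certificate[] actual) {
        return Arrays.equals(expected, actual);
    }

    /**
     * Tells whether any assertion in the chain is issued to {@code subjectDN}
     * (DN comparison via {@link X500NameUtils#equal}).
     */
    @Override
    public boolean isSubjectInChain(List<TrustDelegation> chain, String subjectDN) {
        for (TrustDelegation td : chain) {
            if (X500NameUtils.equal(td.getSubjectName(), subjectDN)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether {@code certificate} equals one of the trusted third-party issuer
     * certificates. A {@code null} collection means nobody is trusted.
     */
    private boolean isAmongTrusted(X509Certificate certificate, Collection<X509Certificate> trustedIssuers) {
        if (trustedIssuers == null) {
            return false;
        }
        for (X509Certificate trusted : trustedIssuers) {
            if (trusted.equals(certificate)) {
                return true;
            }
        }
        return false;
    }
}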
