package de.gematik.idp.crypto;

import de.gematik.idp.crypto.exceptions.IdpCryptoException;
import de.gematik.idp.crypto.model.CertificateExtractedFieldEnum;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.RFC4519Style;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

/* loaded from: input_file:de/gematik/idp/crypto/X509ClaimExtraction.class */
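/**
 * Maps fields of a TI X.509 certificate onto a claim map keyed by
 * {@link CertificateExtractedFieldEnum#getFieldname()}.
 *
 * <p>Claim values come from two places: the subject DN (given name, surname, organisation name,
 * IK number, KVNR) and the ISIS-MTT admission extension (profession OID, registration number).
 * Which DN attribute feeds a claim depends on the certificate type reported by
 * {@link CertificateAnalysis#determineCertificateType(X509Certificate)}.
 *
 * <p>This class performs no trust, validity or signature check on the certificate. Every string it
 * returns is copied from certificate content; the only bounds applied are the
 * {@value #MAX_DN_VALUE_LENGTH}-character cap on DN attribute values and the fixed IK number /
 * KVNR patterns. The certificate must have been validated before the extracted claims are relied on.
 */
public class X509ClaimExtraction {
    /** Total length of a KVNR (Krankenversichertennummer): one letter followed by nine digits. */
    private static final int KVNR_LENGTH = 10;
    /** Upper bound accepted for any single DN attribute value (given name, surname, CN, O). */
    private static final int MAX_DN_VALUE_LENGTH = 64;
    private static final String VAL_IN_CERT_TOO_LONG = "Value in certificate too long!";
    private static final String NO_PROFESSION_OID = "No profession OID found!";
    private static final String MALFORMED_ADMISSION = "Admission extension has an unexpected structure!";
    /** An IK number is exactly nine digits in an OU attribute. */
    private static final Pattern IK_NUMMER_PATTERN = Pattern.compile("\\d{9}");
    /** A KVNR is one letter and {@code KVNR_LENGTH - 1} digits in an OU attribute. */
    private static final Pattern KVNR_PATTERN =
        Pattern.compile("[a-zA-Z]\\d{" + (KVNR_LENGTH - 1) + "}");

    /**
     * Parses a PEM-encoded certificate and extracts its claims.
     *
     * @param pemBytes PEM-encoded X.509 certificate
     * @return see {@link #extractClaimsFromCertificate(X509Certificate)}
     * @throws IdpCryptoException if parsing or extraction fails
     */
    public static Map<String, Object> extractClaimsFromCertificate(final byte[] pemBytes) {
        return extractClaimsFromCertificate(CryptoLoader.getCertificateFromPem(pemBytes));
    }

    /**
     * Extracts the claim map for a TI certificate.
     *
     * <p>Keys are the field names of {@link CertificateExtractedFieldEnum}. A key may be mapped to
     * {@code null} when the source attribute is optional for the certificate type and absent;
     * the ORGANIZATION_NAME and ID_NUMMER keys are only present for HBA, SMC-B and eGK certificates.
     *
     * @param certificate certificate whose subject DN and admission extension are read
     * @return mutable map of claim name to value; values are {@code String} or {@code null}
     * @throws IdpCryptoException if a mandatory attribute is missing, a DN value exceeds
     *     {@value #MAX_DN_VALUE_LENGTH} characters, the admission extension is missing or malformed,
     *     or an eGK certificate carries no KVNR in its OU attributes
     */
    public static Map<String, Object> extractClaimsFromCertificate(final X509Certificate certificate) {
        final Map<String, Object> claims = new HashMap<>();
        final TiCertificateType certificateType = CertificateAnalysis.determineCertificateType(certificate);
        final X500Principal subject = certificate.getSubjectX500Principal();

        claims.put(CertificateExtractedFieldEnum.GIVEN_NAME.getFieldname(),
            getNameValueFromDn(certificate, certificateType, RFC4519Style.givenName));
        claims.put(CertificateExtractedFieldEnum.FAMILY_NAME.getFieldname(),
            getNameValueFromDn(certificate, certificateType, RFC4519Style.sn));
        // The IK number is the first OU attribute that is exactly nine digits; null when none matches.
        claims.put(CertificateExtractedFieldEnum.IK_NUMMER.getFieldname(),
            getAllValuesFromDn(subject, RFC4519Style.ou).stream()
                .filter(IK_NUMMER_PATTERN.asMatchPredicate())
                .findFirst()
                .orElse(null));

        // Organisation name: read from a type-specific DN attribute, explicitly null for HBA.
        // Other certificate types intentionally get no ORGANIZATION_NAME entry.
        final String organizationNameKey = CertificateExtractedFieldEnum.ORGANIZATION_NAME.getFieldname();
        switch (certificateType) {
            case HBA -> claims.put(organizationNameKey, null);
            case SMCB -> claims.put(organizationNameKey,
                getBoundedValueFromDn(subject, RFC4519Style.cn).orElse(null));
            case EGK -> claims.put(organizationNameKey,
                getBoundedValueFromDn(subject, RFC4519Style.o).orElse(null));
        }

        // getProfessionOid() fails when the admission extension is absent, regardless of type.
        claims.put(CertificateExtractedFieldEnum.PROFESSION_OID.getFieldname(),
            getProfessionOid(certificate).map(ASN1ObjectIdentifier::toString).orElse(null));

        // ID number: registration number from the admission extension for HBA/SMC-B,
        // the KVNR from the OU attributes for eGK. Other types get no ID_NUMMER entry.
        final String idNumberKey = CertificateExtractedFieldEnum.ID_NUMMER.getFieldname();
        switch (certificateType) {
            case HBA, SMCB -> claims.put(idNumberKey, getRegistrationNumber(certificate).orElse(null));
            case EGK -> claims.put(idNumberKey, getKvnrFromDn(subject));
        }
        return claims;
    }

    /**
     * Returns the first OU attribute that has the KVNR shape.
     *
     * @throws IdpCryptoException if no OU attribute matches; the message carries the subject DN
     */
    private static String getKvnrFromDn(final X500Principal subject) {
        return getAllValuesFromDn(subject, RFC4519Style.ou).stream()
            .filter(KVNR_PATTERN.asMatchPredicate())
            .findFirst()
            .orElseThrow(() -> new IdpCryptoException(
                "Could not find OU in EGK Subject-DN: '" + subject + "'"));
    }

    /**
     * Reads a name attribute (given name or surname) from the subject DN.
     *
     * <p>The attribute is mandatory for eGK and HBA certificates and optional otherwise.
     *
     * @return the attribute value, or {@code null} when absent and optional
     * @throws IdpCryptoException if the attribute is missing but mandatory, or longer than
     *     {@value #MAX_DN_VALUE_LENGTH} characters
     */
    private static String getNameValueFromDn(final X509Certificate certificate,
                                             final TiCertificateType certificateType,
                                             final ASN1ObjectIdentifier attributeType) {
        final Optional<String> value = getBoundedValueFromDn(certificate.getSubjectX500Principal(), attributeType);
        final boolean mandatory =
            certificateType == TiCertificateType.EGK || certificateType == TiCertificateType.HBA;
        if (mandatory && value.isEmpty()) {
            throw new IdpCryptoException("No value found in certificate!");
        }
        return value.orElse(null);
    }

    /**
     * Reads the first value of a DN attribute and enforces the length cap.
     *
     * @throws IdpCryptoException if the value is present and longer than {@value #MAX_DN_VALUE_LENGTH}
     */
    private static Optional<String> getBoundedValueFromDn(final X500Principal principal,
                                                          final ASN1ObjectIdentifier attributeType) {
        final Optional<String> value = getValueFromDn(principal, attributeType);
        if (value.isPresent() && value.get().length() > MAX_DN_VALUE_LENGTH) {
            throw new IdpCryptoException(VAL_IN_CERT_TOO_LONG);
        }
        return value;
    }

    /** Returns the first value of {@code attributeType} in the DN, in RDN order. */
    private static Optional<String> getValueFromDn(final X500Principal principal,
                                                   final ASN1ObjectIdentifier attributeType) {
        return getAllValuesFromDn(principal, attributeType).stream().findFirst();
    }

    /**
     * Returns every value of {@code attributeType} in the DN, in RDN order, rendered via
     * {@link Objects#toString(Object)} of the ASN.1 value.
     *
     * <p>Multi-valued RDNs are flattened; only components whose type equals
     * {@code attributeType} are kept.
     */
    private static List<String> getAllValuesFromDn(final X500Principal principal,
                                                   final ASN1ObjectIdentifier attributeType) {
        final X500Name name = X500Name.getInstance(principal.getEncoded());
        return Stream.of(name.getRDNs(attributeType))
            .flatMap(rdn -> Stream.of(rdn.getTypesAndValues()))
            .filter(typeAndValue -> typeAndValue.getType().equals(attributeType))
            .map(typeAndValue -> Objects.toString(typeAndValue.getValue()))
            .toList();
    }

    /**
     * Returns the first profession OID of the admission entry.
     *
     * <p>Scans the ProfessionInfo entry for the first nested SEQUENCE whose first element is an
     * OID (the professionOIDs member) and returns that OID.
     *
     * @return never empty; the Optional type is kept for the existing callers
     * @throws IdpCryptoException if the admission extension is absent or holds no profession OID
     */
    private static Optional<ASN1ObjectIdentifier> getProfessionOid(final X509Certificate certificate) {
        final DLSequence professionInfo = getAdmissionEntry(certificate)
            .orElseThrow(() -> new IdpCryptoException(NO_PROFESSION_OID));
        for (final ASN1Encodable element : professionInfo) {
            if (element instanceof DLSequence candidate
                && candidate.size() > 0
                && candidate.getObjectAt(0) instanceof ASN1ObjectIdentifier oid) {
                return Optional.of(oid);
            }
        }
        throw new IdpCryptoException(NO_PROFESSION_OID);
    }

    /**
     * Returns the registration number of the admission entry: the first PrintableString element
     * of the ProfessionInfo entry.
     *
     * @return empty when the admission extension is absent or holds no PrintableString
     */
    private static Optional<String> getRegistrationNumber(final X509Certificate certificate) {
        final Optional<DLSequence> professionInfo = getAdmissionEntry(certificate);
        if (professionInfo.isEmpty()) {
            return Optional.empty();
        }
        for (final ASN1Encodable element : professionInfo.get()) {
            if (element instanceof DERPrintableString printable) {
                return Optional.of(printable.getString());
            }
        }
        return Optional.empty();
    }

    /**
     * Locates the ProfessionInfo entry of the ISIS-MTT admission extension.
     *
     * <p>The extension value is expected to be an AdmissionSyntax SEQUENCE whose last SEQUENCE
     * child is contentsOfAdmissions; three nested first elements below it (Admissions,
     * professionInfos, ProfessionInfo) are descended. Only DL-encoded SEQUENCEs are recognised,
     * matching the decoding produced by {@link JcaX509ExtensionUtils#parseExtensionValue(byte[])}.
     *
     * @return the ProfessionInfo sequence, or empty when the extension is absent or the
     *     AdmissionSyntax has no SEQUENCE child
     * @throws IdpCryptoException if the extension cannot be decoded or the nested structure
     *     does not have the expected shape (instead of a ClassCastException or index error
     *     escaping from attacker-supplied certificate content)
     */
    private static Optional<DLSequence> getAdmissionEntry(final X509Certificate certificate) {
        final byte[] extensionValue =
            certificate.getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_admission.getId());
        if (extensionValue == null) {
            return Optional.empty();
        }
        final DLSequence admissionSyntax;
        try {
            admissionSyntax = asSequence(JcaX509ExtensionUtils.parseExtensionValue(extensionValue));
        } catch (final IOException e) {
            throw new IdpCryptoException(e);
        }
        // Keep the last SEQUENCE child: the optional admissionAuthority may precede it.
        DLSequence contentsOfAdmissions = null;
        for (final ASN1Encodable child : admissionSyntax) {
            if (child instanceof DLSequence sequence) {
                contentsOfAdmissions = sequence;
            }
        }
        if (contentsOfAdmissions == null) {
            return Optional.empty();
        }
        final DLSequence admissions = firstElementAsSequence(contentsOfAdmissions);
        final DLSequence professionInfos = firstElementAsSequence(admissions);
        return Optional.of(firstElementAsSequence(professionInfos));
    }

    /** Casts {@code encodable} to a DL SEQUENCE, failing with a domain exception otherwise. */
    private static DLSequence asSequence(final ASN1Encodable encodable) {
        if (encodable instanceof DLSequence sequence) {
            return sequence;
        }
        throw new IdpCryptoException(MALFORMED_ADMISSION);
    }

    /** Returns the first element of {@code sequence} as a DL SEQUENCE; fails if empty or not a SEQUENCE. */
    private static DLSequence firstElementAsSequence(final DLSequence sequence) {
        if (sequence.size() == 0) {
            throw new IdpCryptoException(MALFORMED_ADMISSION);
        }
        return asSequence(sequence.getObjectAt(0));
    }

    @Generated
    private X509ClaimExtraction() {
    }
}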
