package se.swedenconnect.ca.cmc.auth.impl;

import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import lombok.Generated;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cmc.CMCObjectIdentifiers;
import org.bouncycastle.asn1.cmc.PKIData;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Selector;
import se.swedenconnect.ca.cmc.api.CMCMessageException;
import se.swedenconnect.ca.cmc.api.data.CMCControlObject;
import se.swedenconnect.ca.cmc.auth.AuthorizedCmcOperation;
import se.swedenconnect.ca.cmc.auth.CMCAuthorizationException;
import se.swedenconnect.ca.cmc.auth.CMCUtils;
import se.swedenconnect.ca.cmc.auth.CMCValidationException;

/* loaded from: input_file:se/swedenconnect/ca/cmc/auth/impl/DefaultCMCValidator.class */
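public class DefaultCMCValidator extends AbstractCMCValidator {

    /** Certificates whose signatures this validator accepts. Assigned once by the constructors, never mutated. */
    private final List<X509CertificateHolder> trustedCMCSigners;

    /**
     * Optional per-client authorization: trusted signer certificate → operations that signer may request.
     * When {@code null}, {@link #verifyAuthorization} performs no authorization checks at all.
     * Written by the setter and read by the validator; not volatile, so the caller is expected to
     * configure it before the validator is shared across threads (NOTE(review): confirm this assumption).
     */
    private Map<X509CertificateHolder, List<AuthorizedCmcOperation>> clientAuthorizationMap;

    /**
     * Creates a validator trusting the given JCA certificates.
     *
     * @param x509CertificateArr trusted CMC signer certificates
     * @throws CertificateEncodingException if a certificate cannot be re-encoded into a BouncyCastle holder
     */
    public DefaultCMCValidator(X509Certificate... x509CertificateArr) throws CertificateEncodingException {
        this.trustedCMCSigners = new ArrayList<>();
        for (X509Certificate x509Certificate : x509CertificateArr) {
            this.trustedCMCSigners.add(new JcaX509CertificateHolder(x509Certificate));
        }
    }

    /**
     * Creates a validator trusting the given BouncyCastle certificate holders.
     *
     * @param x509CertificateHolderArr trusted CMC signer certificates
     */
    public DefaultCMCValidator(X509CertificateHolder... x509CertificateHolderArr) {
        this.trustedCMCSigners = Arrays.asList(x509CertificateHolderArr);
    }

    /**
     * Verifies the CMS signature of a CMC message against the trusted signer certificates.
     * <p>
     * The certificates embedded in the CMS structure are matched against the trusted list, and the first
     * SignerInfo of the message is then verified with the matching trusted certificate. Any further
     * SignerInfos are not examined.
     *
     * @param cMSSignedData the signed CMC message
     * @return a single-element list holding the trusted certificate that verified the signature
     * @throws CMCValidationException if the message carries no SignerInfo, no embedded certificate is
     *         trusted, the signature does not verify, or signature processing fails
     */
    @Override // se.swedenconnect.ca.cmc.auth.impl.AbstractCMCValidator
    protected List<X509CertificateHolder> verifyCMSSignature(CMSSignedData cMSSignedData) throws CMCValidationException {
        try {
            X509CertificateHolder trustedSignerCert = getTrustedSignerCert(cMSSignedData.getCertificates().getMatches((Selector) null));
            // A message without any SignerInfo has nothing to verify; reject it explicitly instead of
            // letting iterator().next() fail with NoSuchElementException.
            Collection<SignerInformation> signers = cMSSignedData.getSignerInfos().getSigners();
            if (signers.isEmpty()) {
                throw new CMCValidationException("CMC signature validation failed - no SignerInfo present");
            }
            SignerInformation signerInformation = signers.iterator().next();
            if (signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().build(trustedSignerCert))) {
                return Arrays.asList(trustedSignerCert);
            }
            throw new CMCValidationException("CMC Signature validation failed");
        } catch (CertificateException | OperatorCreationException | CMSException e) {
            throw new CMCValidationException("CMC signature validation failed - " + e.getMessage(), e);
        }
    }

    /**
     * Checks that the signing client is authorized for the operations requested in the message.
     * <p>
     * Checks are only applied when an authorization map is configured and the content type is
     * {@code id-cct-PKIData}; other content types pass through unchecked. A client with no entry in the map
     * is treated as having no authorizations (fail closed). The operations checked are: {@code read} for
     * any access, {@code issue} when the PKIData carries certificate requests, and {@code revoke} when it
     * carries a revoke-request control.
     *
     * @param x509CertificateHolder the trusted certificate that signed the message
     * @param aSN1ObjectIdentifier the CMS content type of the signed content
     * @param cMSSignedData the signed CMC message
     * @throws CMCAuthorizationException if the client lacks a required authorization or the content cannot be parsed
     */
    @Override // se.swedenconnect.ca.cmc.auth.impl.AbstractCMCValidator
    protected void verifyAuthorization(X509CertificateHolder x509CertificateHolder, ASN1ObjectIdentifier aSN1ObjectIdentifier, CMSSignedData cMSSignedData) throws CMCAuthorizationException {
        if (this.clientAuthorizationMap == null || !CMCObjectIdentifiers.id_cct_PKIData.equals(aSN1ObjectIdentifier)) {
            return;
        }
        List<AuthorizedCmcOperation> list = this.clientAuthorizationMap.get(x509CertificateHolder);
        // An unknown client must be rejected, not allowed to trigger a NullPointerException below.
        if (list == null || !list.contains(AuthorizedCmcOperation.read)) {
            throw new CMCAuthorizationException("CMC client not authorized to access the requested CA service");
        }
        // try-with-resources so the stream is also closed when parsing throws.
        try (ASN1InputStream aSN1InputStream = new ASN1InputStream((byte[]) cMSSignedData.getSignedContent().getContent())) {
            PKIData pKIData = PKIData.getInstance(aSN1InputStream.readObject());
            if (pKIData.getReqSequence().length > 0 && !list.contains(AuthorizedCmcOperation.issue)) {
                throw new CMCAuthorizationException("CMC client not authorized to issue certificates");
            }
            CMCControlObject cMCControlObject = CMCUtils.getCMCControlObject(CMCObjectIdentifiers.id_cmc_revokeRequest, pKIData);
            if (cMCControlObject != null && cMCControlObject.getValue() != null && !list.contains(AuthorizedCmcOperation.revoke)) {
                throw new CMCAuthorizationException("CMC client not authorized to revoke certificates");
            }
        } catch (IOException | CMCMessageException e) {
            throw new CMCAuthorizationException("Failure to process CMC client authorization check", e);
        }
    }

    /**
     * Finds the first certificate embedded in the message that equals one of the trusted signer certificates.
     *
     * @param collection certificates carried in the CMS structure
     * @return the trusted certificate instance (taken from the trusted list, not from the message)
     * @throws CMCValidationException if no trusted certificates are configured, the message carries no
     *         certificates, or none of them is trusted
     */
    private X509CertificateHolder getTrustedSignerCert(Collection<X509CertificateHolder> collection) throws CMCValidationException {
        if (this.trustedCMCSigners == null || this.trustedCMCSigners.isEmpty()) {
            throw new CMCValidationException("This CMC verifier has no trusted CMC signer certificates");
        }
        if (collection == null || collection.isEmpty()) {
            throw new CMCValidationException("No signature certificates found in CMC signature");
        }
        for (X509CertificateHolder candidate : collection) {
            for (X509CertificateHolder trusted : this.trustedCMCSigners) {
                // X509CertificateHolder equality is by certificate structure; return the trusted instance so
                // later verification never relies on an object taken from the untrusted message.
                if (trusted.equals(candidate)) {
                    return trusted;
                }
            }
        }
        throw new CMCValidationException("No trusted certificate found in signed CMC");
    }

    /**
     * Sets the per-client authorization map; {@code null} disables authorization checks.
     *
     * @param map trusted signer certificate → permitted operations
     */
    @Generated
    public void setClientAuthorizationMap(Map<X509CertificateHolder, List<AuthorizedCmcOperation>> map) {
        this.clientAuthorizationMap = map;
    }
}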
