package de.governikus.bea.beaToolkit.autent;

import de.bos_bremen.basecard.common.crypto.Algorithm;
import de.bos_bremen.basecard.common.crypto.UsageRelated;
import de.bos_bremen.commons.base64.Base64;
import de.bos_bremen.gov2.jca_provider.OCFPrivateKey;
import de.bos_bremen.gov2.jca_provider.SignatureNotYetInitializedException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTimeoutException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTooLongException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTooShortException;
import de.bos_bremen.gov2.jca_provider.SignatureRetryCounterExpiredException;
import de.bos_bremen.gov2.jca_provider.SignatureWrongPINException;
import de.bos_bremen.gov2.server.fastsoap.XmlTagExtractor;
import de.brak.bea.application.dto.rest.AuthentConfigurationDTO;
import de.governikus.bea.beaToolkit.BeaToolkitContext;
import de.governikus.bea.beaToolkit.crypto.LocalCryptoInformation;
import de.governikus.bea.beaToolkit.exceptions.BeaConnectionException;
import de.governikus.bea.beaToolkit.ui.ConfirmKey;
import de.governikus.bea.beaToolkit.ui.DialogFactory;
import de.governikus.bea.beaToolkit.ui.DialogResult;
import de.governikus.bea.beaToolkit.ui.StartType;
import de.governikus.bea.beaToolkit.ui.WarningKey;
import de.governikus.bea.beaToolkit.util.McardErrorCodeUtil;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.LinkedList;
import java.util.List;
import javafx.scene.control.Alert;
import javax.xml.bind.JAXBException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:de/governikus/bea/beaToolkit/autent/AutentLoginConnection.class */
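/**
 * Challenge-response login against the beA identity provider.
 *
 * <p>The flow is: fetch the challenge from the {@link ChallengeResponseConnection}, sign it with the
 * user's signing key (software key store or smartcard via the OCF provider), hand the signature and the
 * signing certificate back to the provider, and — once the provider accepts it — fetch the SAML token
 * from the identity-provider URL.
 *
 * <p>User-facing error conditions (PIN problems, exhausted retry counter, unreachable provider) are
 * reported through {@link DialogFactory}; no PIN or password is ever logged by this class. The returned
 * SAML token is extracted as-is from the provider's response; its validation (signature, audience,
 * lifetime) is not performed here and is presumably done by the consumer — confirm downstream.
 *
 * <p>Not thread-safe: a single instance drives one interactive login at a time.
 */
public class AutentLoginConnection {
    private static final Logger LOG = LogManager.getLogger(AutentLoginConnection.class);
    /** Number of additional attempts after the first one (so at most {@code MAX_RETRIES + 1} attempts). */
    private static final int MAX_RETRIES = 3;
    /** Pause between two attempts. */
    private static final long RETRY_DELAY_MS = 250;
    /** JCA provider name used for smartcard keys. */
    private static final String SMARTCARD_PROVIDER = "OCF";
    /** Query-parameter marker that must be present in the identity-provider URL. */
    private static final String REF_ID_MARKER = "refID=";
    /** Name of the HTML form field carrying the Base64-encoded SAML response. */
    private static final String SAML_RESPONSE_FIELD = "SAMLResponse";
    /**
     * jca_provider error code (0x6700) after which another attempt is made instead of aborting.
     * NOTE(review): the original code special-cases exactly this value; its exact meaning is not
     * documented here — confirm against McardErrorCodeUtil before changing the retry decision.
     */
    private static final int RETRYABLE_MCARD_ERROR_CODE = 26368;

    private final ChallengeResponseConnection challengeResponse;
    private final String idProviderUrl;

    /**
     * Creates a login connection.
     *
     * @param challengeResponseConnection connection used to obtain the challenge and submit the signed response
     * @param str identity-provider URL; must contain a {@code refID=} parameter, which is posted back when
     *        fetching the SAML token (see {@link #parseSAMLTokenFromIdProviderURL()})
     */
    public AutentLoginConnection(ChallengeResponseConnection challengeResponseConnection, String str) {
        this.challengeResponse = challengeResponseConnection;
        this.idProviderUrl = str;
    }

    /**
     * Runs the challenge-response login and fetches the SAML token on success.
     *
     * <p>At most {@code MAX_RETRIES + 1} attempts are made. Another attempt follows only when the user can
     * fix the cause (PIN input too short/long/timed out, or wrong PIN and the user confirmed a retry), when
     * the provider reports {@link #RETRYABLE_MCARD_ERROR_CODE}, or when the provider rejected the response
     * without raising an exception. Every other failure is reported to the user via a dialog and ends the
     * login with {@code null}. The bounded loop keeps a wrong PIN from being retried unattended and thus from
     * exhausting the card's retry counter without the user's explicit confirmation.
     *
     * @param localCryptoInformation key store / smartcard access and the alias of the signing key
     * @param authentConfigurationDTO carries the signature algorithm requested by the provider
     * @return the SAML token, or {@code null} when the login failed or was aborted (the user has already been
     *         informed through a dialog in that case)
     * @throws BeaConnectionException propagated from the SAML token retrieval
     */
    public AutentSAMLToken connect(LocalCryptoInformation localCryptoInformation, AuthentConfigurationDTO authentConfigurationDTO) throws BeaConnectionException {
        for (int attempt = 0; attempt <= MAX_RETRIES; attempt++) {
            try {
                byte[] challengeValue = this.challengeResponse.getChallengeValue();
                String requestedHashOID = this.challengeResponse.getRequestedHashOID();
                X509Certificate certificate = localCryptoInformation.getCipherWorker().getCertificate(localCryptoInformation.getSignAlias());
                PrivateKey privateKey = (PrivateKey) localCryptoInformation.getCipherWorker().getKeyStore().getKey(localCryptoInformation.getSignAlias(), localCryptoInformation.getCipherWorker().getPassword());
                String securityProviderName = BeaToolkitContext.getSecurityProviderName();
                if (localCryptoInformation.isSmartcard()) {
                    // Smartcard keys are only usable through the OCF provider, whatever the default provider is.
                    securityProviderName = SMARTCARD_PROVIDER;
                    dump(privateKey, UsageRelated.Usage.AUTHENTICATION);
                    dump(privateKey, UsageRelated.Usage.SIGNATURE);
                }
                String algorithm = authentConfigurationDTO.getSigAlgorithm() + BeaToolkitContext.getInstance().getSignatureSchemeJCEJCA();
                // Only algorithm identifiers are logged here — never key material or PINs.
                LOG.debug("call Signature.getInstance with algorithm {}", algorithm);
                LOG.debug("PrivateKey.algorithm {}", privateKey.getAlgorithm());
                LOG.debug("AlgorithmOID from the ChallengeResponse {}", requestedHashOID);
                Signature signature = Signature.getInstance(algorithm, securityProviderName);
                signature.initSign(privateKey);
                signature.update(challengeValue);
                LinkedList<X509Certificate> certificateChain = new LinkedList<>();
                certificateChain.add(certificate);
                if (this.challengeResponse.sendResponse(signature.sign(), requestedHashOID, certificateChain, new LinkedList<>())) {
                    return parseSAMLTokenFromIdProviderURL();
                }
                // Provider rejected the response without an exception: fall through to the retry delay.
            } catch (SignaturePINInputTooShortException e) {
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.SIGN_ACTION_PIN_INPUT_TOO_SHORT_MSG, Alert.AlertType.ERROR);
            } catch (SignatureNotYetInitializedException e2) {
                LOG.warn("SignatureNotYetInitializedException", e2);
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.AUTENT_ALERT_CARD_NOT_INITIALIZED_MSG, Alert.AlertType.ERROR);
                return null;
            } catch (SignatureRetryCounterExpiredException e3) {
                // The card has locked the key; retrying cannot help.
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.AUTENT_ALERT_CARD_COUNTER_EXPIRED_MSG, Alert.AlertType.ERROR);
                return null;
            } catch (SignaturePINInputTimeoutException e4) {
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.SIGN_ACTION_PIN_INPUT_TIMEOUT_MSG, Alert.AlertType.ERROR);
            } catch (SignaturePINInputTooLongException e5) {
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.SIGN_ACTION_PIN_INPUT_TOO_LONG_MSG, Alert.AlertType.ERROR);
            } catch (SignatureException e6) {
                LOG.error("generic SignatureException", e6);
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.SIGNATURE_EXCEPTION, Alert.AlertType.ERROR);
                return null;
            } catch (SignatureWrongPINException e7) {
                LOG.warn("wrong pin", e7);
                // Each further PIN attempt costs one try on the card's retry counter, so the user decides.
                DialogResult confirmation = DialogFactory.getInstance().popConfirmationAlertOkCancel(StartType.IN_NEW_THREAD, ConfirmKey.AUTENT_ALERT_WRONG_PING_MSG, Alert.AlertType.ERROR);
                if (confirmation == null || confirmation.getReason() != DialogResult.Reason.CMD_OK) {
                    return null;
                }
            } catch (IOException | GeneralSecurityException | JAXBException e8) {
                LOG.error("could not send samlTokenRequest", e8);
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, WarningKey.AUTENT_ALERT_UNREACHABLE_MSG, Alert.AlertType.ERROR);
                return null;
            } catch (de.bos_bremen.gov2.jca_provider.SignatureException e9) {
                LOG.error("Governikus kind of SignatureException", e9);
                DialogFactory.getInstance().popAlert(StartType.IN_NEW_THREAD, McardErrorCodeUtil.getWarningKey(e9.getErrorCode()), Alert.AlertType.ERROR);
                if (e9.getErrorCode() != RETRYABLE_MCARD_ERROR_CODE) {
                    return null;
                }
            }
            if (!pauseBeforeRetry()) {
                return null;
            }
        }
        return null;
    }

    /**
     * Sleeps {@link #RETRY_DELAY_MS} before the next attempt.
     *
     * @return {@code true} when the pause completed, {@code false} when the thread was interrupted (the
     *         interrupt flag is restored so that callers further up still see it)
     */
    private static boolean pauseBeforeRetry() {
        try {
            Thread.sleep(RETRY_DELAY_MS);
            return true;
        } catch (InterruptedException interrupted) {
            Thread.currentThread().interrupt();
            return false;
        }
    }

    /**
     * Logs (debug level) the algorithms a smartcard key offers for the given usage.
     *
     * <p>Purely diagnostic; a key that is not an {@link OCFPrivateKey} is reported and skipped instead of
     * failing the login with a {@link ClassCastException}. Only algorithm names are logged.
     *
     * @param privateKey the key to inspect
     * @param usage the key usage whose algorithms are listed
     */
    private void dump(PrivateKey privateKey, UsageRelated.Usage usage) {
        if (!(privateKey instanceof OCFPrivateKey)) {
            LOG.debug("algorithms: {} not listed, key is a {} rather than an OCFPrivateKey", usage, privateKey == null ? null : privateKey.getClass().getName());
            return;
        }
        List<Algorithm> algorithms = ((OCFPrivateKey) privateKey).getAlgorithms(usage);
        LOG.debug("algorithms: {}", usage);
        for (Algorithm algorithm : algorithms) {
            LOG.debug("  - {}, {}", algorithm.getAlgorithmName(), algorithm.getAlternativeAlgorithmName());
        }
    }

    /**
     * Builds the {@code refID=...} request body from the identity-provider URL.
     *
     * <p>Keeps the original semantics: the value is everything between the first {@code refID=} and the
     * next one (or the end of the URL).
     *
     * @return the body, e.g. {@code refID=<value>}
     * @throws IllegalStateException when the URL carries no {@code refID=} value (the URL itself is not
     *         included in the message because the reference id may be session-bound)
     */
    private String refIdRequestBody() {
        String[] parts = this.idProviderUrl.split(REF_ID_MARKER);
        if (parts.length < 2) {
            throw new IllegalStateException("identity provider URL carries no " + REF_ID_MARKER + " value");
        }
        return REF_ID_MARKER + parts[1];
    }

    /**
     * Posts the {@code refID} to the identity-provider URL and extracts the SAML token from the returned
     * HTML form.
     *
     * <p>Every {@code <input>} tag is inspected; the (Base64-encoded) value of the one named
     * {@code SAMLResponse} becomes the token. A later occurrence overrides an earlier one; an
     * {@code <input>} without a value is ignored. When no such field is present the returned token has no
     * SAML token set — callers must check. The token is not validated here.
     *
     * @return the token object (never {@code null}), possibly without a SAML token
     * @throws IOException when the provider cannot be reached
     * @throws BeaConnectionException propagated from {@link AutentSSLConnector#callSSL}
     * @throws IllegalStateException when the identity-provider URL carries no {@code refID=} value
     */
    private AutentSAMLToken parseSAMLTokenFromIdProviderURL() throws IOException, BeaConnectionException {
        // Explicit charset so that the request body and the decoded token do not depend on the platform default.
        byte[] requestBody = refIdRequestBody().getBytes(StandardCharsets.UTF_8);
        String html = AutentSSLConnector.callSSL(this.idProviderUrl, requestBody);
        AutentSAMLToken token = new AutentSAMLToken();
        int searchFrom = 0;
        while (true) {
            XmlTagExtractor.TagDescription tag = XmlTagExtractor.extract(html, "input", searchFrom);
            // A negative position means there is no further <input> tag.
            if (tag.pos < 0) {
                return token;
            }
            searchFrom = tag.pos + 1;
            if (SAML_RESPONSE_FIELD.equals(tag.attributes.get("name"))) {
                Object encoded = tag.attributes.get("value");
                if (encoded != null) {
                    // NOTE(review): the decoded SAML response is assumed to be UTF-8 XML — confirm with the provider.
                    token.setSamlToken(new String(Base64.toBinary((String) encoded), StandardCharsets.UTF_8));
                }
            }
        }
    }
}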
