package de.governikus.bea.beaToolkit.crypto;

import de.bos_bremen.gov2.jca_provider.SignatureNotYetInitializedException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputCancelledException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTimeoutException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTooLongException;
import de.bos_bremen.gov2.jca_provider.SignaturePINInputTooShortException;
import de.bos_bremen.gov2.jca_provider.SignatureRetryCounterExpiredException;
import de.bos_bremen.gov2.jca_provider.SignatureWrongPINException;
import de.brak.bea.application.dto.rest.AuthConfigurationDTO;
import de.brak.bea.application.dto.rest.PrivilegeTypeDTO;
import de.brak.bea.application.dto.rest.SignPrivilegeRequestDTO;
import de.brak.bea.application.dto.rest.SignedPrivilegeDTO;
import de.governikus.bea.asn1.BRAKSignedPublicKey;
import de.governikus.bea.asn1.BRAKSignedPublicKeyConstants;
import de.governikus.bea.beaToolkit.BeaToolkitContext;
import de.governikus.bea.beaToolkit.certificateCache.HWTokenController;
import de.governikus.bea.beaToolkit.ui.DialogFactory;
import de.governikus.bea.beaToolkit.ui.WarningKey;
import de.governikus.bea.beaToolkit.util.McardErrorCodeUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javafx.scene.control.Alert;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.RSASSAPSSparams;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;

/* loaded from: input_file:de/governikus/bea/beaToolkit/crypto/AddSignRightHelper.class */
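/**
 * Helper for the "add sign right" flow.
 *
 * <p>It resolves the local crypto material that matches the signing certificate a
 * {@link SignPrivilegeRequestDTO} expects, and signs the recipient's public key as a
 * {@link BRAKSignedPublicKey} so it can be returned to the server as a
 * {@link SignedPrivilegeDTO}. PIN-related failures coming from the signature provider are
 * reported to the user through {@link DialogFactory}; some of them re-prompt, others abort.
 *
 * <p>Static utility class; not instantiable.
 */
public class AddSignRightHelper {
    private static final Logger LOG = LogManager.getLogger(AddSignRightHelper.class);
    private static final String ADD_SIGN_RIGHT_ACTION_ALERT_NO_CARD_DETECTED_MSG_2 = "add.sign.right.action.alert.no.card.detected.msg.2";
    private static final String ADD_SIGN_RIGHT_ACTION_ALERT_NO_CARD_DETECTED_MSG_1 = "add.sign.right.action.alert.no.card.detected.msg.1";
    private static final String ADD_SIGN_RIGHT_ACTION_ALERT_NO_CARD_DETECTED_TITLE = "add.sign.right.action.alert.no.card.detected.title";

    /** Certificate factory type used for every X.509 parse in this class. */
    private static final String CERTIFICATE_TYPE = "x509";
    /** JCA provider used when the signing key lives on a smartcard. */
    private static final String SMARTCARD_PROVIDER = "OCF";
    /** JCA provider consulted only for the DER encoding of the RSASSA-PSS parameters. */
    private static final String PSS_PARAMS_PROVIDER = "BC";

    private AddSignRightHelper() {
    }

    /**
     * Looks up the local crypto information whose certificate matches the signing certificate
     * the server expects for this request.
     *
     * @param signPrivilegeRequestDTO request carrying the DER-encoded expected sign certificate
     * @return the matching {@link LocalCryptoInformation} as provided by {@link HWTokenController}
     * @throws CertificateException if the expected certificate cannot be parsed
     * @throws MalformedURLException propagated from the token controller
     * @throws IOException propagated from the token controller
     */
    public static LocalCryptoInformation getLocalCryptoInformation(SignPrivilegeRequestDTO signPrivilegeRequestDTO) throws CertificateException, MalformedURLException, IOException {
        X509Certificate expectedSignCertificate = parseX509(signPrivilegeRequestDTO.getExpectedSignCertificate());
        return HWTokenController.getInstance().getCrypto(expectedSignCertificate);
    }

    /**
     * Signs the recipient's public key from the request with the local signing key and wraps the
     * result in a {@link SignedPrivilegeDTO}.
     *
     * <p>Signing is retried while the provider reports a recoverable PIN problem (wrong PIN, PIN
     * too long/short, input timeout); the card's own retry counter bounds this loop, since an
     * expired counter aborts. Cancel, expired counter, uninitialised card and any other error
     * abort after showing an alert.
     *
     * @param signPrivilegeRequestDTO request with recipient certificate, privilege type, postbox
     *     safe id, version and security token id
     * @param localCryptoInformation local key material (key store, sign alias, smartcard flag)
     * @param authConfigurationDTO currently not used by this method; kept for API compatibility
     * @return the signed privilege, or {@code null} if a parameter or the recipient certificate is
     *     missing or signing was aborted
     * @throws CertificateException if the recipient certificate cannot be parsed
     * @throws IOException if the signed data cannot be DER-encoded outside the retry loop
     */
    public static SignedPrivilegeDTO getSignedPrivilegeDTO(SignPrivilegeRequestDTO signPrivilegeRequestDTO, LocalCryptoInformation localCryptoInformation, AuthConfigurationDTO authConfigurationDTO) throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeyException, UnrecoverableKeyException, KeyStoreException, SignatureException {
        if (signPrivilegeRequestDTO == null) {
            LOG.error("parameter signPrivilegeRequest is null -> return");
            return null;
        }
        if (localCryptoInformation == null) {
            LOG.error("parameter localCryptoInformation is null -> return");
            return null;
        }
        byte[] recipientCertificate = signPrivilegeRequestDTO.getRecipientCertificate();
        if (recipientCertificate == null) {
            LOG.error("recipientCertificate is null -> return");
            return null;
        }
        BRAKSignedPublicKey signedPublicKey = new BRAKSignedPublicKey(
                parseX509(recipientCertificate).getPublicKey(),
                toPrivilege(signPrivilegeRequestDTO.getPrivilegeType()),
                signPrivilegeRequestDTO.getPostboxSafeId(),
                signPrivilegeRequestDTO.getVersion());

        boolean retry;
        do {
            try {
                String providerName = resolveProviderName(localCryptoInformation);
                String algorithm = BeaToolkitContext.getInstance().getDigitalSignatureAlgorithmFullName();
                LOG.debug("call Signature.getInstance with algorithm {}", algorithm);
                Signature signature = Signature.getInstance(algorithm, providerName);
                // Password is null: presumably the provider unlocks the key itself (PIN dialog
                // for smartcards) — the PIN exceptions caught below come from that step.
                signature.initSign((PrivateKey) localCryptoInformation.getCipherWorker().getKeyStore().getKey(localCryptoInformation.getSignAlias(), null));
                signature.update(signedPublicKey.getSignedDataDEREncoded());
                signedPublicKey.setSignatureValue(signature.sign());
                // NOTE(review): the algorithm identifier is fixed to RSASSA-PSS; if the configured
                // algorithm is not a PSS variant, getParameters() may be null and this fails.
                signedPublicKey.setSignatureAlgorithm(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_RSASSA_PSS,
                        RSASSAPSSparams.getInstance(Signature.getInstance(algorithm, PSS_PARAMS_PROVIDER).getParameters().getEncoded())));
                signedPublicKey.setSigningPublicKey(localCryptoInformation.getCipherWorker().getCertificate(localCryptoInformation.getSignAlias()).getPublicKey());
                return toSignedPrivilegeDTO(signPrivilegeRequestDTO, signedPublicKey);
            } catch (SignatureWrongPINException e) {
                DialogFactory.getInstance().popAlert(WarningKey.ADD_SIGN_RIGHT_ACTION_ALERT_WRONG_PIN_MSG, Alert.AlertType.ERROR);
                retry = true;
            } catch (SignaturePINInputCancelledException e) {
                DialogFactory.getInstance().popAlert(McardErrorCodeUtil.getWarningKey(e.getErrorCode()), Alert.AlertType.ERROR);
                retry = false;
            } catch (SignatureRetryCounterExpiredException e) {
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_COUNTER_EXPIRED_MSG, Alert.AlertType.ERROR);
                retry = false;
            } catch (SignaturePINInputTooLongException e) {
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_PIN_INPUT_TOO_LONG_MSG, Alert.AlertType.ERROR);
                retry = true;
            } catch (SignatureNotYetInitializedException e) {
                LOG.warn("SignatureNotYetInitializedException", e);
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_CARD_NOT_INITIALIZED_MSG, Alert.AlertType.ERROR);
                retry = false;
            } catch (SignaturePINInputTooShortException e) {
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_PIN_INPUT_TOO_SHORT_MSG, Alert.AlertType.ERROR);
                retry = true;
            } catch (SignaturePINInputTimeoutException e) {
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_PIN_INPUT_TIMEOUT_MSG, Alert.AlertType.ERROR);
                retry = true;
            } catch (Exception e) {
                // Generic handler must come last so the specific PIN handlers above stay reachable.
                LOG.error("could not sign privilege request", e);
                DialogFactory.getInstance().popAlert(WarningKey.SIGN_ACTION_DEFUALT_MSG, Alert.AlertType.ERROR);
                retry = false;
            }
        } while (retry);
        return null;
    }

    /** Parses a DER-encoded certificate with the certificate type used throughout this class. */
    private static X509Certificate parseX509(byte[] encoded) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance(CERTIFICATE_TYPE).generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** Maps the request's privilege type to the ASN.1 privilege; anything but AUTH is ENCRYPTION. */
    private static BRAKSignedPublicKeyConstants.Privilege toPrivilege(PrivilegeTypeDTO privilegeType) {
        return privilegeType == PrivilegeTypeDTO.AUTH
                ? BRAKSignedPublicKeyConstants.Privilege.AUTHORIZATION
                : BRAKSignedPublicKeyConstants.Privilege.ENCRYPTION;
    }

    /** Smartcard keys are signed via the OCF provider; everything else via the configured one. */
    private static String resolveProviderName(LocalCryptoInformation localCryptoInformation) {
        if (localCryptoInformation.isSmartcard()) {
            return SMARTCARD_PROVIDER;
        }
        return BeaToolkitContext.getSecurityProviderName();
    }

    /** Copies the request identifiers into the response DTO alongside the encoded signature. */
    private static SignedPrivilegeDTO toSignedPrivilegeDTO(SignPrivilegeRequestDTO request, BRAKSignedPublicKey signedPublicKey) throws IOException {
        SignedPrivilegeDTO signedPrivilegeDTO = new SignedPrivilegeDTO();
        signedPrivilegeDTO.setPostboxSafeId(request.getPostboxSafeId());
        signedPrivilegeDTO.setPrivilegeType(request.getPrivilegeType());
        signedPrivilegeDTO.setSignature(signedPublicKey.getEncoded());
        signedPrivilegeDTO.setSecurityTokenId(request.getSecurityTokenId());
        return signedPrivilegeDTO;
    }
}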
