package de.governikus.bea.kswtoolkit.socketactions.impl;

import de.bos_bremen.basecard.common.crypto.Algorithm;
import de.bos_bremen.basecard.common.crypto.UsageRelated;
import de.bos_bremen.gov2.jca_provider.OCFPrivateKey;
import de.governikus.bea.beaToolkit.BeaToolkitContext;
import de.governikus.bea.beaToolkit.certificateCache.CalledFromActionEnum;
import de.governikus.bea.beaToolkit.crypto.LocalCryptoInformation;
import de.governikus.bea.beaToolkit.crypto.worker.SoftTokenWorker;
import de.governikus.bea.beaToolkit.oidc.CramAuthenticationService;
import de.governikus.bea.beaToolkit.oidc.model.CramSessionData;
import de.governikus.bea.beaToolkit.oidc.model.CreateCramSessionResponse;
import de.governikus.bea.beaToolkit.ui.DialogFactory;
import de.governikus.bea.beaToolkit.ui.DialogResult;
import de.governikus.bea.kswtoolkit.exceptions.KSWToolkitErrorCode;
import de.governikus.bea.kswtoolkit.exceptions.KSWToolkitException;
import de.governikus.bea.kswtoolkit.payload.LoginUserPayload;
import de.governikus.bea.kswtoolkit.socketactions.KSWAction;
import de.governikus.signer.toolbox.BnotkContentSigner;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: input_file:de/governikus/bea/kswtoolkit/socketactions/impl/LoginUserOIDC.class */
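/**
 * Socket action that logs a user in via the CRAM (challenge/response) flow of the OIDC
 * endpoint named in the {@link LoginUserPayload}.
 *
 * <p>Flow as implemented in {@link #executeAction()}:
 * <ol>
 *   <li>start a CRAM session at the payload's endpoint; the server answers with a session id and a
 *       Base64 encoded challenge;</li>
 *   <li>pick the signing material: crypto information carried in the payload, else a PKCS#12 software
 *       token whose file the payload names, else an interactive smartcard/token selection dialog;</li>
 *   <li>sign the decoded challenge as a detached CMS signature and post it back under the session id;</li>
 *   <li>return the session id together with the signer certificate.</li>
 * </ol>
 *
 * <p>NOTE(review): both the endpoint URI and the challenge bytes that get signed originate from the
 * payload / remote server; nothing in this class restricts which endpoint may receive a signature
 * made with the user's key. Presumably the surrounding {@code KSWAction} transport validates the
 * payload's origin — confirm against the caller.
 */
public class LoginUserOIDC extends KSWAction<LoginUserPayload, CramSessionData> {
    private static final Logger LOG = LogManager.getLogger(LoginUserOIDC.class);

    @Override // de.governikus.bea.kswtoolkit.socketactions.KSWAction
    protected Class<? extends LoginUserPayload> getPayloadClass() {
        return LoginUserPayload.class;
    }

    /**
     * Runs the complete CRAM login: start session, sign challenge, submit signature.
     *
     * @return the CRAM session id and the certificate of the key that signed the challenge
     * @throws KSWToolkitException if no usable key material is available, the user cancels the
     *         dialog, the challenge is malformed, or signing fails
     */
    @Override // de.governikus.bea.kswtoolkit.socketactions.KSWAction
    public CramSessionData executeAction() throws KSWToolkitException {
        LoginUserPayload loginPayload = (LoginUserPayload) this.payload;
        CramAuthenticationService cramService =
            CramAuthenticationService.newInstance(URI.create(loginPayload.getCramEndpoint()));
        CreateCramSessionResponse session = cramService.startCramAuthentication();
        String sessionId = session.id();

        LocalCryptoInformation cryptoInfo = selectCryptoInformation(loginPayload);

        // The challenge is remote input: reject anything that is not valid Base64 with a
        // toolkit error instead of letting an unchecked IllegalArgumentException escape.
        byte[] challenge = decodeChallenge(session.challenge());
        cramService.updateCramAuthentication(sessionId, signChallenge(challenge, cryptoInfo));

        X509Certificate signerCertificate =
            cryptoInfo.getCipherWorker().getCertificate(cryptoInfo.getSignAlias());
        return new CramSessionData(sessionId, signerCertificate);
    }

    /**
     * Chooses the key material for this login, in order of preference: crypto information already
     * present in the payload, then a software token (PKCS#12 file that exists on disk), then the
     * interactive smartcard/token dialog.
     */
    private LocalCryptoInformation selectCryptoInformation(LoginUserPayload loginPayload)
        throws KSWToolkitException {
        if (!Objects.isNull(loginPayload.getLocalCryptoInformation())) {
            return loginPayload.getLocalCryptoInformation();
        }
        boolean keyStoreFilePresent =
            loginPayload.getKeyStoreFile() != null && loginPayload.getKeyStoreFile().exists();
        if (!keyStoreFilePresent) {
            return getCryptoInformationForSmartcard();
        }
        LOG.info("Starting CRAM using software token");
        return getCryptoInformationForSoftwareToken();
    }

    /**
     * Decodes the Base64 challenge received from the CRAM server.
     *
     * @throws KSWToolkitException with {@code AUTHENTICATION_EXCEPTION} if the challenge is missing
     *         or not valid Base64
     */
    private static byte[] decodeChallenge(String encodedChallenge) throws KSWToolkitException {
        if (encodedChallenge == null) {
            LOG.error("CRAM server returned no challenge");
            throw new KSWToolkitException(KSWToolkitErrorCode.AUTHENTICATION_EXCEPTION);
        }
        try {
            return Base64.getDecoder().decode(encodedChallenge);
        } catch (IllegalArgumentException e) {
            LOG.error("CRAM challenge is not valid Base64", e);
            throw new KSWToolkitException(KSWToolkitErrorCode.AUTHENTICATION_EXCEPTION);
        }
    }

    /**
     * Lets the user pick a smartcard or software token through the crypto selection dialog.
     *
     * @throws KSWToolkitException {@code CANCELLED_BY_USER} when the dialog is cancelled,
     *         {@code IO_EXCEPTION} for any other non-OK dialog outcome
     */
    private LocalCryptoInformation getCryptoInformationForSmartcard() throws KSWToolkitException {
        LOG.info("Starting CRAM using smartcard/software token with dialog");
        DialogResult selection =
            DialogFactory.getInstance().showCryptoSelectionDialog(CalledFromActionEnum.LOGIN_USER, "", true);
        DialogResult.Reason reason = selection.getReason();
        if (reason == DialogResult.Reason.CMD_OK) {
            return (LocalCryptoInformation) selection.getResult();
        }
        KSWToolkitErrorCode errorCode = reason == DialogResult.Reason.CMD_CANCEL
            ? KSWToolkitErrorCode.CANCELLED_BY_USER
            : KSWToolkitErrorCode.IO_EXCEPTION;
        LOG.error(errorCode.getErrorMessage());
        throw new KSWToolkitException(errorCode);
    }

    /**
     * Loads the PKCS#12 software token named in the payload and wraps it in a
     * {@link SoftTokenWorker}; the token's single key entry is used for both signing and
     * decryption (sign alias == crypto alias).
     *
     * <p>The key store stream is opened with try-with-resources so it is closed even when
     * {@code KeyStore.load} fails (e.g. wrong password); the original only closed it on success.
     *
     * @throws KSWToolkitException {@code USER_TOKEN_INVALID_KEYSTORE} if the store holds no key
     *         entry, {@code IO_EXCEPTION} if the file cannot be read or parsed
     */
    private LocalCryptoInformation getCryptoInformationForSoftwareToken() throws KSWToolkitException {
        LoginUserPayload loginPayload = (LoginUserPayload) this.payload;
        char[] password = loginPayload.getPasswd();
        try (FileInputStream keyStoreStream = new FileInputStream(loginPayload.getKeyStoreFile())) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(keyStoreStream, password);

            String alias = findKeyAlias(keyStore);
            if (alias == null) {
                LOG.info("Couldn't find key for session key decryption in given keystore");
                throw new KSWToolkitException(KSWToolkitErrorCode.USER_TOKEN_INVALID_KEYSTORE);
            }
            LOG.info("Found alias: {}", alias);

            SoftTokenWorker softTokenWorker = new SoftTokenWorker();
            softTokenWorker.setKeyStore(keyStore);
            softTokenWorker.setPassword(password);

            LocalCryptoInformation cryptoInfo = new LocalCryptoInformation();
            cryptoInfo.setCipherWorker(softTokenWorker);
            cryptoInfo.setSmartcard(false);
            cryptoInfo.setCryptoAlias(alias);
            cryptoInfo.setSignAlias(alias);
            return cryptoInfo;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            LOG.error(KSWToolkitErrorCode.IO_EXCEPTION.getErrorMessage(), e);
            throw new KSWToolkitException(KSWToolkitErrorCode.IO_EXCEPTION);
        }
    }

    /**
     * Returns the alias of the key entry to use, or {@code null} if the store has none.
     *
     * <p>If the store contains several key entries the last one enumerated wins (unchanged from
     * the original behaviour); since keystore enumeration order is not guaranteed, a warning is
     * logged so an unexpected signer can be diagnosed.
     */
    private static String findKeyAlias(KeyStore keyStore) throws KeyStoreException {
        String alias = null;
        int keyEntries = 0;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String candidate = aliases.nextElement();
            if (keyStore.isKeyEntry(candidate)) {
                alias = candidate;
                keyEntries++;
            }
        }
        if (keyEntries > 1) {
            LOG.warn("Keystore contains {} key entries; using alias '{}'", keyEntries, alias);
        }
        return alias;
    }

    /**
     * Produces a detached CMS signature (the challenge itself is not encapsulated) over
     * {@code challenge} with the sign key of {@code cryptoInfo}; the signer certificate is
     * embedded in the CMS structure.
     *
     * <p>Smartcard keys are signed through {@link BnotkContentSigner} on the "OCF" provider;
     * software keys through BouncyCastle's {@link JcaContentSignerBuilder} on the toolkit's
     * configured security provider. The signature algorithm name comes from
     * {@link BeaToolkitContext#getDigitalSignatureAlgorithmFullName()}.
     *
     * @throws KSWToolkitException {@code AUTHENTICATION_EXCEPTION} wrapping any failure
     */
    private byte[] signChallenge(byte[] challenge, LocalCryptoInformation cryptoInfo) throws KSWToolkitException {
        try {
            String signAlias = cryptoInfo.getSignAlias();
            X509Certificate certificate = cryptoInfo.getCipherWorker().getCertificate(signAlias);
            PrivateKey privateKey = (PrivateKey) cryptoInfo.getCipherWorker().getKeyStore()
                .getKey(signAlias, cryptoInfo.getCipherWorker().getPassword());
            String providerName = BeaToolkitContext.getSecurityProviderName();
            String signatureAlgorithm = BeaToolkitContext.getInstance().getDigitalSignatureAlgorithmFullName();
            LOG.info("Calling Signature.getInstance with algorithm {}", signatureAlgorithm);

            BnotkContentSigner contentSigner;
            if (cryptoInfo.isSmartcard()) {
                // Debug aid: list which algorithms the card offers for each usage before signing.
                dump(privateKey, UsageRelated.Usage.AUTHENTICATION);
                dump(privateKey, UsageRelated.Usage.SIGNATURE);
                contentSigner = new BnotkContentSigner(privateKey, signatureAlgorithm, "OCF");
            } else {
                contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(providerName).build(privateKey);
            }

            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addSignerInfoGenerator(
                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                    .build(contentSigner, certificate));
            generator.addCertificates(new JcaCertStore(Collections.singletonList(certificate)));

            // encapsulate=false -> detached signature; the server already holds the challenge.
            byte[] signature = generator.generate(new CMSProcessableByteArray(challenge), false).getEncoded();
            LOG.info("Signature creation is finished");
            return signature;
        } catch (Exception e) {
            // Boundary catch: BouncyCastle, KeyStore and provider code throw several unrelated
            // checked types; all of them mean the challenge could not be signed.
            LOG.error("Exception signing the challenge for cram authentication", e);
            throw new KSWToolkitException(KSWToolkitErrorCode.AUTHENTICATION_EXCEPTION);
        }
    }

    /**
     * Logs, at debug level, the algorithms the smartcard key offers for {@code usage}.
     * Only valid for smartcard keys: the key is cast to {@link OCFPrivateKey} unchecked.
     */
    private void dump(PrivateKey privateKey, UsageRelated.Usage usage) {
        List<Algorithm> algorithms = ((OCFPrivateKey) privateKey).getAlgorithms(usage);
        LOG.debug("algorithms: " + usage);
        for (Algorithm algorithm : algorithms) {
            LOG.debug("  - " + algorithm.getAlgorithmName() + ", " + algorithm.getAlternativeAlgorithmName());
        }
    }
}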
