package de.governikus.signer.toolbox;

import de.brak.bea.application.dto.rest.RemoteSigningBnotkDTO;
import de.governikus.mcard.jce.sig.delegate.JCEDelegateMCardBCProvider;
import de.governikus.signer.toolbox.exceptions.RemoteSignerKeysNotAvailableException;
import de.governikus.signer.toolbox.remotesigning.IdProvider;
import de.governikus.signer.toolbox.remotesigning.RemoteSignatureKey;
import de.governikus.signer.toolbox.remotesigning.RemoteSigner;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/* loaded from: input_file:de/governikus/signer/toolbox/BnotkAuthenticator.class */
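public class BnotkAuthenticator {
    /**
     * Alias prefix for entries of the in-memory trust store. A running index is appended so that every
     * configured certificate gets its own entry; a single fixed alias would let each
     * {@code setCertificateEntry} overwrite the previous one and only the last certificate would be trusted.
     */
    private static final String TRUSTED_CERT_ALIAS_PREFIX = "trustedCertificate-";

    private final Logger log = LogManager.getLogger(getClass());
    private final RemoteSigningBnotkDTO config;
    private final SSLContext sslContext;
    /** JSSE provider the TLS client context is created on; initialised once in the static block below. */
    private static final Provider tlsProvider;

    /**
     * Creates an authenticator for the remote-signing endpoints described by the configuration.
     *
     * @param remoteSigningBnotkDTO remote signing configuration; must not be null and must be enabled
     * @param keyStore client key material handed to the key manager factory with a {@code null} password;
     *                 it is passed through unchecked (the JDK accepts {@code null} here) — NOTE(review):
     *                 confirm with the caller that the keys are recoverable without a password
     * @throws NullPointerException if {@code remoteSigningBnotkDTO} is null
     * @throws AssertionError if remote signing is disabled in the configuration
     */
    public BnotkAuthenticator(RemoteSigningBnotkDTO remoteSigningBnotkDTO, KeyStore keyStore) {
        Objects.requireNonNull(remoteSigningBnotkDTO, "The parameter 'config' must not be null");
        if (!remoteSigningBnotkDTO.isEnabled()) {
            throw new AssertionError("Remote signing is disabled by configuration.");
        }
        this.config = remoteSigningBnotkDTO;
        this.sslContext = sslContext(keyStore);
    }

    /**
     * Logs in at the identity provider over the configured TLS context and returns one signer per
     * remote signature key.
     *
     * @return a signer for every key listed by the key manager; never empty
     * @throws RemoteSignerKeysNotAvailableException if the key manager lists no keys
     */
    public List<BnotkSigner> authenticate() {
        RemoteSigner remoteSigner = new IdProvider(this.config.getIdPUrl().toURI())
                .loginForRemoteSignature(this.sslContext, this.config.getSigningUrl().toURI());
        return fetchSigningKeys(remoteSigner).stream()
                .map(key -> new BnotkSigner(remoteSigner, key))
                .collect(Collectors.toList());
    }

    /**
     * Lists the remote signature keys available to the logged-in signer.
     *
     * @param remoteSigner session obtained from the identity provider
     * @return the keys reported by the key manager; never empty
     * @throws RemoteSignerKeysNotAvailableException if no key is reported
     */
    private List<RemoteSignatureKey> fetchSigningKeys(RemoteSigner remoteSigner) {
        List<RemoteSignatureKey> keys = remoteSigner.listKeys(this.config.getKeyManagerUrl().toURI());
        if (this.log.isDebugEnabled()) {
            for (int i = 0; i < keys.size(); i++) {
                RemoteSignatureKey key = keys.get(i);
                // Only the certificate subject is logged; null list entries are reported as such instead of failing.
                this.log.debug("key[{}]: {}", i,
                        key != null ? key.getCertificate().getSubjectX500Principal() : "null key");
            }
        }
        if (keys.isEmpty()) {
            this.log.warn("No remote signing keys found. Expected at least one.");
            throw new RemoteSignerKeysNotAvailableException("No remote signing keys found. Expected at least one.");
        }
        return keys;
    }

    /**
     * Builds the TLS client context used for the identity-provider login.
     *
     * @param keyStore client key material for the key manager factory (initialised with a {@code null} password)
     * @return an initialised context created on {@link #tlsProvider} with protocol name {@code TLSv1.2}
     */
    private SSLContext sslContext(KeyStore keyStore) {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, null);
        // The context is requested from the BC JSSE provider explicitly rather than from the JDK default provider.
        SSLContext context = SSLContext.getInstance("TLSv1.2", tlsProvider);
        context.init(keyManagerFactory.getKeyManagers(), trustManagers(), null);
        return context;
    }

    /**
     * Builds trust managers restricted to the configured trusted certificates.
     *
     * <p>Each configured certificate is added to a fresh in-memory PKCS12 trust store under its own alias,
     * so all of them become trust anchors, not only the last one.
     *
     * @return trust managers for the configured certificates, or {@code null} when the configured list is
     *         empty; in that case {@link SSLContext#init} falls back to the provider's default trust
     *         managers (the JDK CA bundle), which is a wider trust anchor set than an explicit list
     * @throws NullPointerException if the configured list is null
     */
    private TrustManager[] trustManagers() {
        Objects.requireNonNull(this.config.getTrustedCertificates(), "trustedCertificates must not be null");
        if (this.config.getTrustedCertificates().isEmpty()) {
            return null;
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        int index = 0;
        for (byte[] encodedCertificate : this.config.getTrustedCertificates()) {
            addCertificateToTrustStore(certificateFactory, encodedCertificate, trustStore, TRUSTED_CERT_ALIAS_PREFIX + index);
            index++;
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        return trustManagerFactory.getTrustManagers();
    }

    /**
     * Parses one encoded X.509 certificate and stores it as a trusted entry under {@code alias}.
     *
     * @param certificateFactory X.509 factory used for parsing
     * @param encodedCertificate certificate bytes as configured
     * @param keyStore the in-memory trust store being populated
     * @param alias alias for this entry; it must be unique per certificate because an existing entry
     *              with the same alias is replaced
     */
    private void addCertificateToTrustStore(CertificateFactory certificateFactory, byte[] encodedCertificate,
            KeyStore keyStore, String alias) {
        keyStore.setCertificateEntry(alias, certificateFactory.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
    }

    static {
        // Class-load side effect: the delegating BC provider is installed at position 1 of the JVM-wide
        // provider list, so JCA lookups anywhere in the process prefer it from then on. The first argument
        // to BouncyCastleJsseProvider is its FIPS-mode flag (disabled here).
        JCEDelegateMCardBCProvider delegateProvider = new JCEDelegateMCardBCProvider();
        tlsProvider = new BouncyCastleJsseProvider(false, delegateProvider);
        Security.insertProviderAt(delegateProvider, 1);
    }
}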
