package de.authada.eid.core.authentication.paos.steps;

import de.authada.eid.card.api.ByteArray;
import de.authada.eid.card.asn1.CVCertificate;
import de.authada.eid.card.asn1.Extensions;
import de.authada.eid.card.asn1.ta.AuthenticatedAuxiliaryData;
import de.authada.eid.core.StopException;
import de.authada.eid.core.api.callbacks.CertificateDescriptionImpl;
import de.authada.eid.core.api.chat.AccessRights;
import de.authada.eid.core.api.chat.CHAT;
import de.authada.eid.core.api.chat.CHATImpl;
import de.authada.eid.core.authentication.ImmutableAdditionalEACInfo;
import de.authada.eid.core.authentication.paos.PAOSException;
import de.authada.eid.core.authentication.paos.PAOSUtils;
import de.authada.eid.core.authentication.paos.steps.ImmutableAdditionalEACCheckContext;
import de.authada.eid.core.http.URLUtils;
import de.authada.eid.core.support.Function;
import de.authada.eid.core.support.Optional;
import de.authada.eid.core.support.Supplier;
import de.authada.eid.paos.asn1.CertificateDescription;
import de.authada.eid.paos.models.input.EAC1InputType;
import de.authada.mobile.org.spongycastle.asn1.ASN1ObjectIdentifier;
import de.authada.mobile.org.spongycastle.crypto.Digest;
import de.authada.mobile.org.spongycastle.crypto.util.DigestFactory;
import de.authada.mobile.org.spongycastle.tls.crypto.TlsCertificate;
import de.authada.mobile.org.spongycastle.util.encoders.Hex;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.immutables.value.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes3.dex */
/**
 * PAOS step performing the "additional EAC checks" on an {@link EAC1InputType} before the
 * PACE/terminal authentication continues.
 *
 * <p>Decompiled (JADX) source: anonymous classes and the synthetic {@code lambda$...} method
 * below are what the compiler generated from lambdas in the original code.
 *
 * <p>In order, {@link #processStep} does the following:
 * <ol>
 *   <li>binds the certificate description to the terminal certificate by comparing the
 *       description's SHA-256 hash with the certificate-description-hash extension of the
 *       terminal certificate ({@link #validateCertificateDescription});</li>
 *   <li>parses the description's subject URL ({@link #getSubjectUrl});</li>
 *   <li>checks that every eService TLS certificate seen so far (plus the optional
 *       certificate passed in) is listed by hash in the certificate description
 *       ({@link #validateServerCertificateHashes});</li>
 *   <li>checks the subject URL and the TC token URL for same origin ({@link #validateSubjectUrl});</li>
 *   <li>runs {@code PAOSUtils.checkCANMode};</li>
 *   <li>shows certificate description and the computed CHAT to the user via the callback helper.</li>
 * </ol>
 * The {@code AdditionalEACInfo} (certificate hashes, subject URL, digest) is handed to the
 * context's consumer in a {@code finally} block, i.e. also when steps 3-6 fail.
 *
 * <p>Note that {@code Optional}, {@code Function} and {@code Supplier} used here are the
 * project's own {@code de.authada.eid.core.support} types, not {@code java.util}.
 */
/* loaded from: classes3.dex */
public class AdditionalEACCheckStep {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) AdditionalEACCheckStep.class);
    // OID of the certificate-description-hash extension expected in the terminal certificate
    // (see findCertDescHashExtension); exactly one such extension must be present.
    private static final ASN1ObjectIdentifier CERT_DESC_EXTENSION_OID = new ASN1ObjectIdentifier("0.4.0.127.0.7.3.1.3.1");

    /**
     * Result of this step: the terminal certificate selected from the EAC1 input.
     * Implemented by the Immutables-generated {@code ImmutableAdditionalEACCheckContext}.
     */
    @Value.Style(builderVisibility = Value.Style.BuilderVisibility.PACKAGE, strictBuilder = true)
    @Value.Immutable
    /* loaded from: classes3.dex */
    public interface AdditionalEACCheckContext {
        /** @return the terminal (end-entity) CV certificate from the EAC1 input. */
        CVCertificate getTerminalCertificate();
    }

    /**
     * Hashes the ASN.1 encoding of the certificate description with the given digest.
     *
     * @param certificateDescription description whose {@code getAsn1Data()} is hashed
     * @param digest                 digest to use (SHA-256 in {@link #processStep})
     * @return the digest value as a {@link ByteArray}
     */
    private ByteArray calcCertDescHash(CertificateDescription certificateDescription, Digest digest) {
        return PAOSUtils.hash(digest, certificateDescription.getAsn1Data());
    }

    /**
     * Finds the single extension carrying {@link #CERT_DESC_EXTENSION_OID}.
     *
     * @param extensions extensions of the terminal certificate body
     * @return the matching extension
     * @throws PAOSException if the extension is missing or occurs more than once; a duplicate
     *                       is rejected rather than silently taking the first match so that an
     *                       ambiguous certificate cannot pass the hash check below
     */
    private Extensions.Extension findCertDescHashExtension(Extensions extensions) throws PAOSException {
        Extensions.Extension extension = null;
        for (Extensions.Extension extension2 : extensions.getList()) {
            if (CERT_DESC_EXTENSION_OID.equals(extension2.getObjectIdentifier())) {
                if (extension != null) {
                    throw new PAOSException("Duplicate certificate description hash extension");
                }
                extension = extension2;
            }
        }
        if (extension != null) {
            return extension;
        }
        throw new PAOSException("Certificate Description Hash extension is missing");
    }

    /**
     * Parses the subject URL of the EAC1 input's certificate description.
     *
     * @param eAC1InputType EAC1 input carrying the certificate description
     * @return the parsed subject URL
     * @throws PAOSException if the string is not a well-formed {@link URL} (only syntactic
     *                       validation; the same-origin check happens in {@link #validateSubjectUrl})
     */
    private URL getSubjectUrl(EAC1InputType eAC1InputType) throws PAOSException {
        try {
            return new URL(eAC1InputType.getCertificateDescription().getSubjectUrl());
        } catch (MalformedURLException e) {
            throw new PAOSException("Invalid subjectURL", e);
        }
    }

    /**
     * Body of the {@code orElseThrow} supplier used in {@link #validateCertificateDescription};
     * the decompiler materialised the lambda as this synthetic static method. Not intended to be
     * called directly.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static /* synthetic */ PAOSException lambda$validateCertificateDescription$1() {
        return new PAOSException("Terminal Certificate is missing its extensions");
    }

    /**
     * Presents certificate description, transaction info, terminal certificate and the CHAT to
     * the user through the context's callback helper. The date of birth from the authenticated
     * auxiliary data is passed along when present, otherwise {@code null} inside the Optional.
     *
     * @param pAOSContext   context providing the callback helper
     * @param eAC1InputType EAC1 input (description, transaction info, auxiliary data)
     * @param cVCertificate terminal certificate
     * @param chat          access rights to display (see {@link #createCHAT})
     * @throws PAOSException if the callback throws {@link ParseException}; the message attributes
     *                       this to the certificate's validity period, but that is the callee's
     *                       concern and not visible here
     */
    private void showCertificateDescriptionAndAccessRights(PAOSContext pAOSContext, EAC1InputType eAC1InputType, CVCertificate cVCertificate, CHAT chat) throws PAOSException {
        try {
            pAOSContext.getCallbackHelper().showCertificateAndAccessRights(new CertificateDescriptionImpl(eAC1InputType.getCertificateDescription(), eAC1InputType.getTransactionInfo(), cVCertificate), chat, eAC1InputType.getAuthenticatedAuxiliaryData().map(new Function() { // from class: de.authada.eid.core.authentication.paos.steps.-$$Lambda$AdditionalEACCheckStep$GdRogKl1UeK3QznECTRxJRt7nDY
                @Override // de.authada.eid.core.support.Function
                public final Object apply(Object obj) {
                    // Optional<Date> -> Date or null; the outer map() wraps the result again.
                    Date orElse;
                    orElse = ((AuthenticatedAuxiliaryData) obj).getDateOfBirth().orElse(null);
                    return orElse;
                }
            }));
        } catch (ParseException e) {
            throw new PAOSException("Failed to parse validity period of terminal certificate", e);
        }
    }

    /**
     * Binds the certificate description to the terminal certificate: the digest of the
     * description's ASN.1 data must equal the octets of the certificate-description-hash
     * extension in the terminal certificate body.
     *
     * @param certificateDescription description presented by the eService
     * @param digest                 digest used for the description hash
     * @param cVCertificate          terminal certificate carrying the expected hash
     * @throws PAOSException if the certificate body has no extensions, the extension is missing
     *                       or duplicated (see {@link #findCertDescHashExtension}), or the hashes differ
     */
    private void validateCertificateDescription(CertificateDescription certificateDescription, Digest digest, CVCertificate cVCertificate) throws PAOSException {
        // NOTE(review): Arrays.equals is not constant-time. Both operands are derived from data
        // the eService presents (description and certificate), not from a secret, so a timing
        // side channel is presumably irrelevant here — confirm before reusing this pattern elsewhere.
        if (!Arrays.equals(calcCertDescHash(certificateDescription, digest).getBytes(), findCertDescHashExtension(cVCertificate.getCvCertificateBody().getExtensions().orElseThrow(new Supplier() { // from class: de.authada.eid.core.authentication.paos.steps.-$$Lambda$AdditionalEACCheckStep$CGw9r6CECrFAHjUj0mBTJYZvs-4
            @Override // de.authada.eid.core.support.Supplier
            public final Object get() {
                return AdditionalEACCheckStep.lambda$validateCertificateDescription$1();
            }
        })).getOctetString().getOctets())) {
            throw new PAOSException("Invalid certificate description hash");
        }
    }

    /**
     * Checks that every TLS certificate in {@code collection}, plus {@code optional} when present,
     * appears (by digest) in the certificate description's certificate hash list. Extra hashes in
     * the description are allowed; a presented certificate that is not listed is not.
     *
     * @param digest                 digest used for the certificate hashes
     * @param certificateDescription description listing the permitted certificate hashes
     * @param collection             eService TLS certificates collected in the context
     * @param optional               an additional TLS certificate to include, if present
     * @throws PAOSException if hashing fails ({@link IOException}) or a hash is not listed
     */
    private void validateServerCertificateHashes(Digest digest, CertificateDescription certificateDescription, Collection<TlsCertificate> collection, Optional<TlsCertificate> optional) throws PAOSException {
        try {
            List<ByteArray> hash = PAOSUtils.hash(digest, collection);
            if (optional.isPresent()) {
                // assumes PAOSUtils.hash returns a mutable list — TODO confirm, an unmodifiable
                // list would make this add() throw UnsupportedOperationException.
                hash.add(PAOSUtils.hash(digest, optional.get()));
            }
            if (!certificateDescription.getCertificateHashes().containsAll(hash)) {
                throw new PAOSException("Missing hashes in CertificateDescription");
            }
        } catch (IOException e) {
            throw new PAOSException("Failed to hash certificates", e);
        }
    }

    /**
     * Requires the subject URL and the TC token URL to have the same origin.
     *
     * @param url  subject URL from the certificate description
     * @param url2 TC token URL from the context
     * @throws PAOSException if {@code URLUtils.validateSameOrigin} rejects the pair; the
     *                       arguments are passed in swapped order, which presumably does not
     *                       matter for a same-origin comparison — verify against URLUtils
     */
    private void validateSubjectUrl(URL url, URL url2) throws PAOSException {
        if (!URLUtils.validateSameOrigin(url2, url)) {
            throw new PAOSException("Failed subject url and tctoken url same origin check");
        }
    }

    /**
     * Builds the CHAT (access rights) to show the user from the required and optional access
     * rights that {@code PAOSUtils} derives from the EAC1 input and the terminal certificate.
     *
     * @param eAC1InputType EAC1 input
     * @param cVCertificate terminal certificate
     * @return a {@link CHATImpl}; note the constructor takes optional rights first, required second
     */
    CHATImpl createCHAT(EAC1InputType eAC1InputType, CVCertificate cVCertificate) {
        List<AccessRights> requiredAccessRights = PAOSUtils.getRequiredAccessRights(eAC1InputType, cVCertificate);
        LOGGER.debug("Required Access Rights: {}", requiredAccessRights);
        List<AccessRights> optionalAccessRights = PAOSUtils.getOptionalAccessRights(eAC1InputType, cVCertificate);
        LOGGER.debug("Optional Access Rights: {}", optionalAccessRights);
        return new CHATImpl(optionalAccessRights, requiredAccessRights);
    }

    /**
     * Executes the additional EAC checks (see class comment for the order).
     *
     * <p>The certificate-description hash check and subject URL parsing run before the
     * {@code try}; if they throw, the {@code AdditionalEACInfo} consumer is <em>not</em> invoked
     * (the builder needs the parsed subject URL). Everything after that is inside
     * {@code try/finally}, so the consumer receives the info even when a later check or the user
     * callback fails.
     *
     * @param pAOSContext   context: eService certificates, TC token URL, callback helper, info consumer
     * @param optional      an additional TLS certificate to include in the hash check, if present
     * @param eAC1InputType the EAC1 input to validate
     * @return context carrying the selected terminal certificate
     * @throws PAOSException if any validation fails
     * @throws StopException presumably propagated from the CAN mode check or the user callback
     *                       (neither is visible here) — confirm
     */
    public AdditionalEACCheckContext processStep(PAOSContext pAOSContext, Optional<TlsCertificate> optional, EAC1InputType eAC1InputType) throws PAOSException, StopException {
        ImmutableAdditionalEACInfo.Builder builder = ImmutableAdditionalEACInfo.builder();
        // One Digest instance is shared by all hash computations in this step and then handed to
        // the consumer; assumes PAOSUtils.hash leaves it in a reusable state — TODO confirm.
        Digest createSHA256 = DigestFactory.createSHA256();
        LOGGER.info("Executing Additional EAC Check");
        CVCertificate terminalCertificate = PAOSUtils.getTerminalCertificate(eAC1InputType.getCvCertificates());
        CertificateDescription certificateDescription = eAC1InputType.getCertificateDescription();
        LOGGER.trace("Certificate Description: {}", Hex.toHexString(certificateDescription.getAsn1Data().getBytes()));
        LOGGER.debug("Certificate Hashes from Certificate Description: ");
        Iterator<ByteArray> it = certificateDescription.getCertificateHashes().iterator();
        while (it.hasNext()) {
            LOGGER.debug(Hex.toHexString(it.next().getBytes()));
        }
        validateCertificateDescription(certificateDescription, createSHA256, terminalCertificate);
        LOGGER.info("Certificate Description is valid");
        builder.addAllCertificateHashes(certificateDescription.getCertificateHashes());
        URL subjectUrl = getSubjectUrl(eAC1InputType);
        LOGGER.debug("SubjectUrl: {}", subjectUrl);
        try {
            validateServerCertificateHashes(createSHA256, certificateDescription, pAOSContext.getEserviceCertificates(), optional);
            LOGGER.info("Certificate Hashes found");
            validateSubjectUrl(subjectUrl, pAOSContext.getTCTokenURL());
            LOGGER.info("Subject URL matches TC Token URL");
            LOGGER.info("Checking CAN Mode");
            PAOSUtils.checkCANMode(pAOSContext, terminalCertificate);
            LOGGER.info("Calculate AccessRights for PACE");
            showCertificateDescriptionAndAccessRights(pAOSContext, eAC1InputType, terminalCertificate, createCHAT(eAC1InputType, terminalCertificate));
            ImmutableAdditionalEACCheckContext.Builder builder2 = ImmutableAdditionalEACCheckContext.builder();
            builder2.terminalCertificate(terminalCertificate);
            return builder2.build();
        } finally {
            // Always report the gathered info (hashes, subject URL, digest), on success and failure.
            pAOSContext.getAdditionalEACInfoConsumer().accept(builder.subjectURL(subjectUrl).digest(createSHA256).build());
        }
    }
}
